[PATCH] f2fs: limit recovery filename logging to stored length
From: Wenjie Qi
Date: Tue Jun 30 2026 - 04:23:50 EST
F2FS stores recovery filenames as a length plus a fixed-size i_name
buffer. The buffer is not NUL-terminated, but recover_inode() and
recover_dentry() print it with %s.
For a 255-byte filename, recovery logging can read past i_name into the
following raw inode fields.
Print the name with a precision bounded by i_namelen and F2FS_NAME_LEN.
Fixes: f356fe0cba0e ("f2fs: add debug msgs in the recovery routine")
Cc: stable@xxxxxxxxxx
Assisted-by: Codex:gpt-5.5
Signed-off-by: Wenjie Qi <qiwenjie@xxxxxxxxxx>
---
fs/f2fs/recovery.c | 41 +++++++++++++++++++++++++++--------------
1 file changed, 27 insertions(+), 14 deletions(-)
diff --git a/fs/f2fs/recovery.c b/fs/f2fs/recovery.c
index 89af8407b667..3fecfdbd5958 100644
--- a/fs/f2fs/recovery.c
+++ b/fs/f2fs/recovery.c
@@ -158,6 +158,22 @@ static int init_recovered_filename(const struct inode *dir,
return 0;
}
+static const char *recover_printable_name(struct inode *inode,
+ struct f2fs_inode *raw,
+ int *name_len)
+{
+ static const char encrypted_name[] = "<encrypted>";
+
+ if (file_enc_name(inode)) {
+ *name_len = sizeof(encrypted_name) - 1;
+ return encrypted_name;
+ }
+
+ *name_len = min_t(unsigned int, le32_to_cpu(raw->i_namelen),
+ F2FS_NAME_LEN);
+ return raw->i_name;
+}
+
static int recover_dentry(struct inode *inode, struct folio *ifolio,
struct list_head *dir_list)
{
@@ -170,7 +186,8 @@ static int recover_dentry(struct inode *inode, struct folio *ifolio,
struct inode *dir, *einode;
struct fsync_inode_entry *entry;
int err = 0;
- char *name;
+ const char *name;
+ int name_len;
entry = get_fsync_inode(dir_list, pino);
if (!entry) {
@@ -229,12 +246,9 @@ static int recover_dentry(struct inode *inode, struct folio *ifolio,
out_put:
f2fs_folio_put(folio, false);
out:
- if (file_enc_name(inode))
- name = "<encrypted>";
- else
- name = raw_inode->i_name;
- f2fs_notice(F2FS_I_SB(inode), "%s: ino = %x, name = %s, dir = %llu, err = %d",
- __func__, ino_of_node(ifolio), name,
+ name = recover_printable_name(inode, raw_inode, &name_len);
+ f2fs_notice(F2FS_I_SB(inode), "%s: ino = %x, name = %.*s, dir = %llu, err = %d",
+ __func__, ino_of_node(ifolio), name_len, name,
IS_ERR(dir) ? 0 : dir->i_ino, err);
return err;
}
@@ -282,7 +296,8 @@ static int recover_inode(struct inode *inode, struct folio *folio)
{
struct f2fs_inode *raw = F2FS_INODE(folio);
struct f2fs_inode_info *fi = F2FS_I(inode);
- char *name;
+ const char *name;
+ int name_len;
int err;
inode->i_mode = le16_to_cpu(raw->i_mode);
@@ -331,13 +346,11 @@ static int recover_inode(struct inode *inode, struct folio *folio)
f2fs_mark_inode_dirty_sync(inode, true);
- if (file_enc_name(inode))
- name = "<encrypted>";
- else
- name = F2FS_INODE(folio)->i_name;
+ name = recover_printable_name(inode, raw, &name_len);
- f2fs_notice(F2FS_I_SB(inode), "recover_inode: ino = %x, name = %s, inline = %x",
- ino_of_node(folio), name, raw->i_inline);
+ f2fs_notice(F2FS_I_SB(inode), "%s: ino = %x, name = %.*s, inline = %x",
+ __func__, ino_of_node(folio), name_len, name,
+ raw->i_inline);
return 0;
}
--
2.43.0