* Re: [PATCH v2 1/2] hfs: Validate CNIDs in hfs_read_inode
From: Tetsuo Handa @ 2026-02-11 12:54 UTC
To: George Anthony Vernon, Viacheslav Dubeyko,
glaubitz@physik.fu-berlin.de, frank.li@vivo.com,
slava@dubeyko.com
Cc: linux-fsdevel@vger.kernel.org
On 2026/01/06 19:21, Tetsuo Handa wrote:
> When can we expect the next version of this patch?

I've been testing https://lkml.kernel.org/r/427fcb57-8424-4e52-9f21-7041b2c4ae5b@I-love.SAKURA.ne.jp
in the linux-next.git tree since next-20260202, and syzbot did not find problems; I'm ready to send it to
the linux.git tree if we need more time before getting the next version of your patch.
* [PATCH v6] hfs: update sanity check of the root record
From: Tetsuo Handa @ 2026-02-18 13:28 UTC
To: George Anthony Vernon, Viacheslav Dubeyko,
glaubitz@physik.fu-berlin.de, frank.li@vivo.com,
slava@dubeyko.com
Cc: linux-fsdevel@vger.kernel.org
syzbot is reporting that BUG() in hfs_write_inode() fires
when the inode number of the record retrieved as a result of
hfs_cat_find_brec(HFS_ROOT_CNID) is not HFS_ROOT_CNID, for
commit b905bafdea21 ("hfs: Sanity check the root record") checked
the record size and the record type but did not check the inode number.
Reported-by: syzbot+97e301b4b82ae803d21b@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=97e301b4b82ae803d21b
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
Viacheslav Dubeyko and George Anthony Vernon are trying to fix this problem
in hfs_read_inode(), but no new patch has been proposed for three months
( https://lkml.kernel.org/r/20251104014738.131872-3-contact@gvernon.com ) .
This problem is "one of top crashers which is wasting syzbot resources" and
"a very low-hanging fruit which can be trivially avoided". I already tested
this patch using the linux-next tree for two weeks, and syzbot did not find
problems. Therefore, while what they would propose might partially overlap
with my proposal, let's make it possible to utilize syzbot resources for
finding other bugs.
fs/hfs/super.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/hfs/super.c b/fs/hfs/super.c
index 97546d6b41f4..c283fc9c5e88 100644
--- a/fs/hfs/super.c
+++ b/fs/hfs/super.c
@@ -361,7 +361,7 @@ static int hfs_fill_super(struct super_block *sb, struct fs_context *fc)
goto bail_hfs_find;
}
hfs_bnode_read(fd.bnode, &rec, fd.entryoffset, fd.entrylength);
- if (rec.type != HFS_CDR_DIR)
+ if (rec.type != HFS_CDR_DIR || rec.dir.DirID != cpu_to_be32(HFS_ROOT_CNID))
res = -EIO;
}
if (res)
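Review bot: the added comparison of rec.dir.DirID against cpu_to_be32(HFS_ROOT_CNID) in hfs_fill_super() carries no comment explaining why the root record's DirID must match, and in the visible lines both failure conditions collapse into the same bare "res = -EIO" with nothing logged. A one-line comment above the test naming the hfs_write_inode() BUG() it guards against, plus a pr_err() that says whether the record type or the DirID was unexpected, would make a rejected image much easier to diagnose. The ordering itself is fine: because of the || short-circuit, rec.dir.DirID is only examined once rec.type is known to be HFS_CDR_DIR.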
--
2.53.0
* Re: [PATCH v6] hfs: update sanity check of the root record
From: Viacheslav Dubeyko @ 2026-02-18 22:13 UTC
To: glaubitz@physik.fu-berlin.de, contact@gvernon.com,
penguin-kernel@I-love.SAKURA.ne.jp, frank.li@vivo.com,
slava@dubeyko.com
Cc: linux-fsdevel@vger.kernel.org
On Wed, 2026-02-18 at 22:28 +0900, Tetsuo Handa wrote:
> syzbot is reporting that BUG() in hfs_write_inode() fires
> when the inode number of the record retrieved as a result of
> hfs_cat_find_brec(HFS_ROOT_CNID) is not HFS_ROOT_CNID, for
> commit b905bafdea21 ("hfs: Sanity check the root record") checked
> the record size and the record type but did not check the inode number.
>
> Reported-by: syzbot+97e301b4b82ae803d21b@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=97e301b4b82ae803d21b
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> ---
> Viacheslav Dubeyko and George Anthony Vernon are trying to fix this problem

If you would like to finish George Anthony Vernon's work, then you are welcome.
We have multiple issues in HFS/HFS+ code base. And I don't see any priority in
this issue. So, I don't see the point to accept not the fix but a workaround. I
am not working on this issue right now. My current priority is HFS/HFS+
xfstests/fstests issues.

Thanks,
Slava.

> in hfs_read_inode(), but no new patch has been proposed for three months
> ( https://lkml.kernel.org/r/20251104014738.131872-3-contact@gvernon.com ) .
> This problem is "one of top crashers which is wasting syzbot resources" and
> "a very low-hanging fruit which can be trivially avoided". I already tested
> this patch using the linux-next tree for two weeks, and syzbot did not find
> problems. Therefore, while what they would propose might partially overlap
> with my proposal, let's make it possible to utilize syzbot resources for
> finding other bugs.
>
> fs/hfs/super.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/hfs/super.c b/fs/hfs/super.c
> index 97546d6b41f4..c283fc9c5e88 100644
> --- a/fs/hfs/super.c
> +++ b/fs/hfs/super.c
> @@ -361,7 +361,7 @@ static int hfs_fill_super(struct super_block *sb, struct fs_context *fc)
> goto bail_hfs_find;
> }
> hfs_bnode_read(fd.bnode, &rec, fd.entryoffset, fd.entrylength);
> - if (rec.type != HFS_CDR_DIR)
> + if (rec.type != HFS_CDR_DIR || rec.dir.DirID != cpu_to_be32(HFS_ROOT_CNID))
> res = -EIO;
> }
> if (res)
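Review bot: the DirID test is added only to the root-record check in hfs_fill_super(), so it rejects a mismatched root record at mount time but does not touch the BUG() in hfs_write_inode() that the changelog describes. The changelog should state that scope explicitly: this hunk covers the record looked up for HFS_ROOT_CNID and nothing else, and validation of CNIDs on other records is left to the hfs_read_inode() work referenced in the notes below the "---" line. Spelling that out would make it clear to reviewers how the two patches relate.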
* Re: [PATCH v2 1/2] hfs: Validate CNIDs in hfs_read_inode
From: George Anthony Vernon @ 2026-02-27 0:39 UTC
To: Tetsuo Handa
Cc: Viacheslav Dubeyko, glaubitz@physik.fu-berlin.de,
frank.li@vivo.com, slava@dubeyko.com,
linux-fsdevel@vger.kernel.org
On Wed, Feb 11, 2026 at 09:54:54PM +0900, Tetsuo Handa wrote:
> On 2026/01/06 19:21, Tetsuo Handa wrote:
> > When can we expect the next version of this patch?
>
> I've been testing https://lkml.kernel.org/r/427fcb57-8424-4e52-9f21-7041b2c4ae5b@I-love.SAKURA.ne.jp
> in the linux-next.git tree since next-20260202, and syzbot did not find problems; I'm ready to send it to
> the linux.git tree if we need more time before getting the next version of your patch.
>
Thanks for your patience Tetsuo, I've been focussed on work for the past
few months following a change of employer. I will review the most recent
feedback this weekend and respin the patch.
I appreciate your feedback on previous versions of the patch. It will be
good to get this bug finally closed.
Many thanks,
George