From: syzbot <syzbot+17cc9bb6d8d69b4139f0@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org
Subject: Forwarded:
Date: Mon, 03 Nov 2025 04:27:27 -0800 [thread overview]
Message-ID: <69089faf.050a0220.29fc44.003f.GAE@google.com> (raw)
In-Reply-To: <68f9bea1.a70a0220.3bf6c6.0032.GAE@google.com>
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject:
Author: jkoolstra@xs4all.nl
#syz test
---
diff --git a/fs/hfs/dir.c b/fs/hfs/dir.c
index 86a6b317b474..ee1760305380 100644
--- a/fs/hfs/dir.c
+++ b/fs/hfs/dir.c
@@ -196,8 +196,8 @@ static int hfs_create(struct mnt_idmap *idmap, struct inode *dir,
int res;
inode = hfs_new_inode(dir, &dentry->d_name, mode);
- if (!inode)
- return -ENOMEM;
+ if (IS_ERR(inode))
+ return PTR_ERR(inode);
res = hfs_cat_create(inode->i_ino, dir, &dentry->d_name, inode);
if (res) {
@@ -226,8 +226,8 @@ static struct dentry *hfs_mkdir(struct mnt_idmap *idmap, struct inode *dir,
int res;
inode = hfs_new_inode(dir, &dentry->d_name, S_IFDIR | mode);
- if (!inode)
- return ERR_PTR(-ENOMEM);
+ if (IS_ERR(inode))
+ return ERR_CAST(inode);
res = hfs_cat_create(inode->i_ino, dir, &dentry->d_name, inode);
if (res) {
diff --git a/fs/hfs/inode.c b/fs/hfs/inode.c
index 9cd449913dc8..beec6fe7e801 100644
--- a/fs/hfs/inode.c
+++ b/fs/hfs/inode.c
@@ -186,16 +186,23 @@ struct inode *hfs_new_inode(struct inode *dir, const struct qstr *name, umode_t
s64 next_id;
s64 file_count;
s64 folder_count;
+ int err = -ENOMEM;
if (!inode)
- return NULL;
+ goto out_err;
+
+ err = -ENOSPC;
mutex_init(&HFS_I(inode)->extents_lock);
INIT_LIST_HEAD(&HFS_I(inode)->open_dir_list);
spin_lock_init(&HFS_I(inode)->open_dir_lock);
hfs_cat_build_key(sb, (btree_key *)&HFS_I(inode)->cat_key, dir->i_ino, name);
next_id = atomic64_inc_return(&HFS_SB(sb)->next_id);
- BUG_ON(next_id > U32_MAX);
+ if (next_id > U32_MAX) {
+ pr_err("hfs: next file ID exceeds 32-bit limit — possible "
+ "superblock corruption");
+ goto out_discard;
+ }
inode->i_ino = (u32)next_id;
inode->i_mode = mode;
inode->i_uid = current_fsuid();
@@ -209,7 +216,11 @@ struct inode *hfs_new_inode(struct inode *dir, const struct qstr *name, umode_t
if (S_ISDIR(mode)) {
inode->i_size = 2;
folder_count = atomic64_inc_return(&HFS_SB(sb)->folder_count);
- BUG_ON(folder_count > U32_MAX);
+ if (folder_count > U32_MAX) {
+ pr_err("hfs: folder count exceeds 32-bit limit — possible "
+ "superblock corruption");
+ goto out_discard;
+ }
if (dir->i_ino == HFS_ROOT_CNID)
HFS_SB(sb)->root_dirs++;
inode->i_op = &hfs_dir_inode_operations;
@@ -219,7 +230,11 @@ struct inode *hfs_new_inode(struct inode *dir, const struct qstr *name, umode_t
} else if (S_ISREG(mode)) {
HFS_I(inode)->clump_blocks = HFS_SB(sb)->clumpablks;
file_count = atomic64_inc_return(&HFS_SB(sb)->file_count);
- BUG_ON(file_count > U32_MAX);
+ if (file_count > U32_MAX) {
+ pr_err("hfs: file count exceeds 32-bit limit — possible "
+ "superblock corruption");
+ goto out_discard;
+ }
if (dir->i_ino == HFS_ROOT_CNID)
HFS_SB(sb)->root_files++;
inode->i_op = &hfs_file_inode_operations;
@@ -243,6 +258,11 @@ struct inode *hfs_new_inode(struct inode *dir, const struct qstr *name, umode_t
hfs_mark_mdb_dirty(sb);
return inode;
+
+ out_discard:
+ iput(inode);
+ out_err:
+ return ERR_PTR(err);
}
void hfs_delete_inode(struct inode *inode)
@@ -251,7 +271,6 @@ void hfs_delete_inode(struct inode *inode)
hfs_dbg("ino %lu\n", inode->i_ino);
if (S_ISDIR(inode->i_mode)) {
- BUG_ON(atomic64_read(&HFS_SB(sb)->folder_count) > U32_MAX);
atomic64_dec(&HFS_SB(sb)->folder_count);
if (HFS_I(inode)->cat_key.ParID == cpu_to_be32(HFS_ROOT_CNID))
HFS_SB(sb)->root_dirs--;
@@ -260,7 +279,6 @@ void hfs_delete_inode(struct inode *inode)
return;
}
- BUG_ON(atomic64_read(&HFS_SB(sb)->file_count) > U32_MAX);
atomic64_dec(&HFS_SB(sb)->file_count);
if (HFS_I(inode)->cat_key.ParID == cpu_to_be32(HFS_ROOT_CNID))
HFS_SB(sb)->root_files--;
diff --git a/fs/hfs/mdb.c b/fs/hfs/mdb.c
index 53f3fae60217..1c3fb631cc8e 100644
--- a/fs/hfs/mdb.c
+++ b/fs/hfs/mdb.c
@@ -273,15 +273,12 @@ void hfs_mdb_commit(struct super_block *sb)
/* These parameters may have been modified, so write them back */
mdb->drLsMod = hfs_mtime();
mdb->drFreeBks = cpu_to_be16(HFS_SB(sb)->free_ablocks);
- BUG_ON(atomic64_read(&HFS_SB(sb)->next_id) > U32_MAX);
mdb->drNxtCNID =
cpu_to_be32((u32)atomic64_read(&HFS_SB(sb)->next_id));
mdb->drNmFls = cpu_to_be16(HFS_SB(sb)->root_files);
mdb->drNmRtDirs = cpu_to_be16(HFS_SB(sb)->root_dirs);
- BUG_ON(atomic64_read(&HFS_SB(sb)->file_count) > U32_MAX);
mdb->drFilCnt =
cpu_to_be32((u32)atomic64_read(&HFS_SB(sb)->file_count));
- BUG_ON(atomic64_read(&HFS_SB(sb)->folder_count) > U32_MAX);
mdb->drDirCnt =
cpu_to_be32((u32)atomic64_read(&HFS_SB(sb)->folder_count));
--
2.51.1.dirty
next prev parent reply other threads:[~2025-11-03 12:27 UTC|newest]
Thread overview: 82+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-23 5:35 [syzbot] [hfs?] kernel BUG in hfs_new_inode syzbot
2025-10-23 14:48 ` Forwarded: " syzbot
2025-11-02 18:07 ` Forwarded: syzbot
2025-11-02 19:22 ` Forwarded: syzbot
2025-11-03 12:27 ` syzbot [this message]
-- strict thread matches above, loose matches on Subject: below --
2025-12-07 6:24 [syzbot] [block?] kernel BUG in bio_chain syzbot
2025-12-12 12:17 ` Forwarded: syzbot
2025-11-13 4:38 [syzbot] [input?] [usb?] memory leak in dualshock4_get_calibration_data syzbot
2025-11-15 1:12 ` Forwarded: syzbot
2025-11-15 1:44 ` Forwarded: syzbot
2025-11-13 4:26 [syzbot] [kernel?] memory leak in do_timer_create syzbot
2025-11-14 1:20 ` Forwarded: syzbot
2025-11-14 3:54 ` Forwarded: syzbot
2025-11-14 4:17 ` Forwarded: syzbot
2025-11-04 9:17 [syzbot] linux-next build error (24) syzbot
2025-12-17 13:51 ` Forwarded: syzbot
2025-11-02 23:48 [syzbot] [nbd?] KASAN: slab-use-after-free Write in recv_work (3) syzbot
2025-11-05 14:40 ` Forwarded: syzbot
2025-10-29 0:12 [syzbot] [ntfs3?] WARNING in ntfs_fill_super (2) syzbot
2025-11-02 16:40 ` Forwarded: syzbot
2025-11-03 13:28 ` Forwarded: syzbot
2025-10-24 23:10 [syzbot] [jfs?] general protection fault in inode_set_ctime_current syzbot
2025-10-27 23:06 ` Forwarded: syzbot
2025-10-28 17:25 ` Forwarded: syzbot
2025-10-28 18:02 ` Forwarded: Al Viro
2025-10-28 20:53 ` Forwarded: syzbot
2025-10-17 5:53 [syzbot] [net?] kernel BUG in set_ipsecrequest syzbot
2025-10-20 11:19 ` Forwarded: syzbot
2025-10-05 23:30 [syzbot] [ntfs3?] WARNING in indx_insert_into_buffer (3) syzbot
2025-10-07 21:52 ` Forwarded: syzbot
2025-09-17 22:55 [syzbot] [ntfs3?] KMSAN: uninit-value in ntfs_read_hdr (3) syzbot
2025-10-26 15:54 ` Forwarded: syzbot
2025-09-17 22:54 [syzbot] [bfs?] INFO: task hung in bfs_lookup (6) syzbot
2025-10-20 18:09 ` Forwarded: syzbot
2025-09-03 17:36 [syzbot] [kernel?] KASAN: slab-out-of-bounds Read in change_page_attr_set_clr syzbot
2025-09-29 7:50 ` Forwarded: syzbot
2025-08-16 3:08 [syzbot] [usb?] UBSAN: shift-out-of-bounds in ax88772_bind syzbot
2025-08-17 19:42 ` Forwarded: syzbot
2025-08-16 3:08 [syzbot] [overlayfs?] WARNING in shmem_unlink syzbot
2025-08-17 19:52 ` Forwarded: syzbot
2025-08-13 8:00 [syzbot] [sound?] linux-next test error: general protection fault in snd_seq_oss_midi_check_new_port syzbot
2025-09-01 8:48 ` Forwarded: syzbot
2025-08-07 17:05 [syzbot] [net?] [nfc?] KMSAN: uninit-value in nci_dev_up (2) syzbot
2025-09-17 10:45 ` Forwarded: syzbot
2025-08-04 7:18 [syzbot] [bcachefs?] UBSAN: array-index-out-of-bounds in bch2_accounting_validate syzbot
2025-08-04 22:56 ` Forwarded: syzbot
2025-08-01 7:54 [syzbot] [dri?] upstream test error: WARNING in __ww_mutex_wound syzbot
2025-09-01 8:51 ` Forwarded: syzbot
2025-07-31 9:11 [syzbot] [bcachefs?] kernel BUG in bch2_btree_repair_topology_recurse syzbot
2025-08-01 23:03 ` Forwarded: syzbot
2025-07-30 21:21 [syzbot] [bcachefs?] kernel panic: in transaction restart: transaction_restart_relock, last restarted by syzbot
2025-08-03 18:30 ` Forwarded: syzbot
2025-07-17 19:14 [syzbot] [fs?] KASAN: use-after-free Read in hpfs_get_ea syzbot
2025-07-19 7:57 ` Forwarded: syzbot
2025-07-20 6:54 ` Forwarded: syzbot
2025-07-20 7:29 ` Forwarded: syzbot
2025-07-14 17:53 [syzbot] [gfs2?] UBSAN: shift-out-of-bounds in gfs2_dir_read (2) syzbot
2025-07-15 14:15 ` Forwarded: syzbot
2025-07-15 14:29 ` Forwarded: syzbot
2025-07-16 6:28 ` Forwarded: syzbot
2025-07-14 17:09 [syzbot] [bluetooth?] [bcachefs?] KASAN: slab-use-after-free Read in hci_uart_write_work syzbot
2025-07-20 17:34 ` Forwarded: syzbot
2025-07-06 21:30 [syzbot] [bcachefs?] KASAN: slab-out-of-bounds Read in __bch2_alloc_to_v4 syzbot
2025-07-19 22:04 ` Forwarded: syzbot
2025-07-01 12:30 [syzbot] [fs?] linux-next test error: WARNING: suspicious RCU usage in proc_sys_compare syzbot
2025-09-01 8:49 ` Forwarded: syzbot
2025-06-24 17:02 [syzbot] [fs?] WARNING in minix_rename syzbot
2025-10-13 13:38 ` Forwarded: syzbot
2025-10-14 15:24 ` Forwarded: syzbot
2025-11-02 14:41 ` Forwarded: syzbot
2025-11-02 14:56 ` Forwarded: syzbot
2025-11-02 15:50 ` Forwarded: syzbot
2025-11-02 16:58 ` Forwarded: syzbot
2025-06-10 19:15 [syzbot] [bcachefs?] KASAN: slab-out-of-bounds Read in bch2_sb_members_v1_to_text syzbot
2025-07-20 4:06 ` Forwarded: syzbot
2025-05-31 18:28 [syzbot] [bcachefs?] WARNING in bch2_fs_journal_start syzbot
2025-07-20 17:30 ` Forwarded: syzbot
2025-05-24 1:52 [syzbot] [block?] [bcachefs?] kernel BUG in blk_mq_end_request syzbot
2025-07-20 14:44 ` Forwarded: syzbot
2025-05-12 20:55 [syzbot] [bcachefs?] possible deadlock in __bch2_folio_reservation_get (2) syzbot
2025-07-22 18:22 ` Forwarded: syzbot
2025-05-11 12:57 [syzbot] [bcachefs?] KASAN: use-after-free Read in bch2_checksum syzbot
2025-07-20 14:55 ` Forwarded: syzbot
2025-05-09 4:43 [syzbot] [jfs?] WARNING in jfs_rename syzbot
2025-10-12 16:19 ` Forwarded: syzbot
2025-10-12 17:45 ` Forwarded: syzbot
2025-04-19 8:36 [syzbot] [block?] [bcachefs?] kernel panic: KASAN: panic_on_warn set syzbot
2025-07-22 17:56 ` Forwarded: syzbot
2025-04-16 17:47 [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_alloc_sectors_start_trans (2) syzbot
2025-07-23 10:59 ` Forwarded: syzbot
2025-03-30 8:27 [syzbot] [afs?] WARNING: ODEBUG bug in delete_node (3) syzbot
2025-07-24 15:32 ` Forwarded: syzbot
2025-03-25 5:16 [syzbot] [bcachefs?] INFO: task hung in __bch2_fsck_err syzbot
2025-07-20 14:42 ` Forwarded: syzbot
2025-03-16 18:05 [syzbot] [mm?] [bcachefs?] general protection fault in xas_create syzbot
2025-07-20 4:03 ` Forwarded: syzbot
2025-02-14 19:59 [syzbot] [mm?] [bcachefs?] KASAN: slab-out-of-bounds Read in folio_try_get syzbot
2025-07-20 4:04 ` Forwarded: syzbot
2025-02-12 11:52 [syzbot] [bcachefs?] kernel BUG in bch2_journal_keys_peek_max syzbot
2025-07-21 17:37 ` Forwarded: syzbot
2025-02-06 17:01 [syzbot] [mm?] [bcachefs?] UBSAN: shift-out-of-bounds in xas_reload syzbot
2025-07-20 4:05 ` Forwarded: syzbot
2025-02-04 14:07 [syzbot] [net?] general protection fault in ip6_pol_route (3) syzbot
2025-07-20 4:02 ` Forwarded: syzbot
2025-01-20 2:27 [syzbot] [bcachefs?] possible deadlock in bch2_trans_begin syzbot
2025-07-22 18:23 ` Forwarded: syzbot
2025-01-08 12:17 [syzbot] [fs?] WARNING in minix_rmdir syzbot
2025-10-14 13:36 ` Forwarded: syzbot
2025-11-02 12:47 ` Forwarded: syzbot
2024-11-29 12:12 [syzbot] [bcachefs?] kernel BUG in bch2_btree_path_peek_slot syzbot
2025-07-19 22:03 ` Forwarded: syzbot
2024-11-29 8:43 [syzbot] [bcachefs?] general protection fault in bch2_prt_vprintf syzbot
2025-07-22 16:18 ` Forwarded: syzbot
2024-11-25 13:27 [syzbot] [bcachefs?] KASAN: use-after-free Read in bch2_btree_node_read_done syzbot
2025-07-20 14:54 ` Forwarded: syzbot
2024-11-21 15:03 [syzbot] [kvm?] WARNING: locking bug in kvm_xen_set_evtchn_fast syzbot
2026-03-15 13:58 ` Forwarded: syzbot
2024-09-29 7:31 [syzbot] [bcachefs?] possible deadlock in bch2_symlink syzbot
2025-08-04 23:12 ` Forwarded: syzbot
2024-07-18 1:20 [syzbot] [bcachefs?] BUG: unable to handle kernel paging request in bch2_dirent_to_text syzbot
2025-07-21 17:30 ` Forwarded: syzbot
2024-06-15 9:58 [syzbot] [bcachefs?] INFO: task hung in __bch2_fs_stop syzbot
2025-07-23 1:56 ` Forwarded: syzbot
2024-05-31 8:43 [syzbot] [bcachefs?] INFO: task hung in bch2_copygc_stop syzbot
2025-07-23 1:17 ` Forwarded: syzbot
2024-05-17 3:31 [syzbot] [arm?] [crypto?] [bcachefs?] KASAN: slab-use-after-free Read in neon_poly1305_update syzbot
2025-07-19 22:01 ` Forwarded: syzbot
2024-05-14 10:38 [syzbot] [bcachefs?] WARNING in bch2_printbuf_make_room syzbot
2025-07-19 23:27 ` Forwarded: syzbot
2024-05-13 10:19 [syzbot] BUG: Bad rss-counter state (5) syzbot
2025-07-22 18:31 ` Forwarded: syzbot
2024-05-09 14:45 [syzbot] [gfs2?] WARNING in gfs2_ri_update (2) syzbot
2025-09-18 19:46 ` Forwarded: syzbot
2024-05-04 7:58 [syzbot] [bcachefs?] WARNING in bchfs_truncate syzbot
2025-07-23 1:21 ` Forwarded: syzbot
2024-05-03 17:32 [syzbot] [bcachefs?] INFO: task hung in __closure_sync syzbot
2025-07-23 1:18 ` Forwarded: syzbot
2022-11-25 9:45 [syzbot] kernel BUG in hfs_write_inode syzbot
2026-03-09 23:04 ` Forwarded: syzbot
2021-12-13 7:17 [syzbot] UBSAN: shift-out-of-bounds in minix_statfs syzbot
2025-11-17 18:53 ` Forwarded: syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=69089faf.050a0220.29fc44.003f.GAE@google.com \
--to=syzbot+17cc9bb6d8d69b4139f0@syzkaller.appspotmail.com \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox