* Re: [syzbot] [hfs?] kernel BUG in hfs_write_inode
[not found] <aQGALTpEwjtSrAJD@Bertha>
@ 2025-10-29 2:47 ` syzbot
0 siblings, 0 replies; 10+ messages in thread
From: syzbot @ 2025-10-29 2:47 UTC (permalink / raw)
To: contact; +Cc: contact, linux-kernel, syzkaller-bugs
> On Thu, Oct 02, 2025 at 06:27:02PM -0700, syzbot wrote:
>> Hello,
>>
>> syzbot has tested the proposed patch and the reproducer did not trigger any issue:
>>
>> Reported-by: syzbot+97e301b4b82ae803d21b@syzkaller.appspotmail.com
>> Tested-by: syzbot+97e301b4b82ae803d21b@syzkaller.appspotmail.com
>>
>> Tested on:
>>
>> commit: 24d9e8b3 Merge tag 'slab-for-6.18' of git://git.kernel..
>> git tree: upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=1472aa7c580000
>> kernel config: https://syzkaller.appspot.com/x/.config?x=e9442f6915cec8b7
>> dashboard link: https://syzkaller.appspot.com/bug?extid=97e301b4b82ae803d21b
>> compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
>> patch: https://syzkaller.appspot.com/x/patch.diff?x=13c8d942580000
>>
>> Note: testing is done by a robot and is best-effort only.
>
> #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
want either no args or 2 args (repo, branch), got 1
* Re: [syzbot] kernel BUG in hfs_write_inode
@ 2025-10-02 16:16 George Anthony Vernon
2025-10-02 16:31 ` [syzbot] [hfs?] " syzbot
0 siblings, 1 reply; 10+ messages in thread
From: George Anthony Vernon @ 2025-10-02 16:16 UTC (permalink / raw)
To: syzbot
Cc: damien.lemoal, jlayton, linux-fsdevel, linux-kernel,
syzkaller-bugs, willy
On Fri, Nov 25, 2022 at 01:45:41AM -0800, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 65762d97e6fa Merge branch 'for-next/perf' into for-kernelci
> git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
> console output: https://syzkaller.appspot.com/x/log.txt?x=14e324e3880000
> kernel config: https://syzkaller.appspot.com/x/.config?x=56d0c7c3a2304e8f
> dashboard link: https://syzkaller.appspot.com/bug?extid=97e301b4b82ae803d21b
> compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
> userspace arch: arm64
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10983553880000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13315ebb880000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/52f702197b30/disk-65762d97.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/72189c2789ce/vmlinux-65762d97.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/ec0349196c98/Image-65762d97.gz.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/6bfea2266b7f/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+97e301b4b82ae803d21b@syzkaller.appspotmail.com
>
I simplified the reproducer previously while working on a patch for this bug and found it no longer reproduces on mainline. I just want to sanity check this by testing mainline with syzbot's repro:
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.17
Thanks,
George
* Re: [syzbot] [hfs?] kernel BUG in hfs_write_inode
2025-10-02 16:16 [syzbot] " George Anthony Vernon
@ 2025-10-02 16:31 ` syzbot
2025-10-02 23:55 ` George Anthony Vernon
0 siblings, 1 reply; 10+ messages in thread
From: syzbot @ 2025-10-02 16:31 UTC (permalink / raw)
To: contact, damien.lemoal, jlayton, linux-fsdevel, linux-kernel,
syzkaller-bugs, willy
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in hfs_write_inode
------------[ cut here ]------------
kernel BUG at fs/hfs/inode.c:444!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 1 UID: 0 PID: 1438 Comm: kworker/u8:9 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
Workqueue: writeback wb_workfn (flush-7:0)
RIP: 0010:hfs_write_inode+0x7c8/0x7d0 fs/hfs/inode.c:444
Code: c1 40 c2 05 99 80 e1 07 80 c1 03 38 c1 0f 8c 7d fe ff ff 48 c7 c7 40 c2 05 99 e8 e3 dc 8c ff e9 6c fe ff ff e8 a9 96 2d ff 90 <0f> 0b 66 0f 1f 44 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffc9000534f180 EFLAGS: 00010293
RAX: ffffffff8290d517 RBX: ffff8880323301c8 RCX: ffff88802787d940
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc9000534f310 R08: ffff88802787d940 R09: 0000000000000003
R10: 0000000000000100 R11: 0000000000000004 R12: dffffc0000000000
R13: 1ffff92000a69e34 R14: ffff888032330188 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8881269bc000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ff2f4ecb000 CR3: 0000000036660000 CR4: 00000000003526f0
Call Trace:
<TASK>
write_inode fs/fs-writeback.c:1525 [inline]
__writeback_single_inode+0x6f1/0x1000 fs/fs-writeback.c:1745
writeback_sb_inodes+0x6b7/0xf60 fs/fs-writeback.c:1976
wb_writeback+0x43b/0xaf0 fs/fs-writeback.c:2156
wb_do_writeback fs/fs-writeback.c:2303 [inline]
wb_workfn+0x40e/0xf00 fs/fs-writeback.c:2343
process_one_work kernel/workqueue.c:3236 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3319
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x436/0x7d0 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
Tested on:
commit: e5f0a698 Linux 6.17
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.17
console output: https://syzkaller.appspot.com/x/log.txt?x=13b28458580000
kernel config: https://syzkaller.appspot.com/x/.config?x=f5b21423ca3f0a96
dashboard link: https://syzkaller.appspot.com/bug?extid=97e301b4b82ae803d21b
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
Note: no patches were applied.
* Re: [syzbot] [hfs?] kernel BUG in hfs_write_inode
2025-10-02 16:31 ` [syzbot] [hfs?] " syzbot
@ 2025-10-02 23:55 ` George Anthony Vernon
2025-10-03 0:18 ` syzbot
0 siblings, 1 reply; 10+ messages in thread
From: George Anthony Vernon @ 2025-10-02 23:55 UTC (permalink / raw)
To: syzbot
Cc: damien.lemoal, jlayton, linux-fsdevel, linux-kernel,
syzkaller-bugs, willy
[-- Attachment #1: Type: text/plain, Size: 437 bytes --]
On Thu, Oct 02, 2025 at 09:31:03AM -0700, syzbot wrote:
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> kernel BUG in hfs_write_inode
>
> ------------[ cut here ]------------
> kernel BUG at fs/hfs/inode.c:444!
Attaching a patch since I'm failing to reproduce locally on mainline.
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.17
Thanks,
George
[-- Attachment #2: 0001-hfs-Validate-CNIDs-in-hfs_read_inode.patch --]
[-- Type: text/plain, Size: 2353 bytes --]
From 40db09869bfabf51593f9a638aff09c72d9c8f1e Mon Sep 17 00:00:00 2001
From: George Anthony Vernon <contact@gvernon.com>
Date: Fri, 3 Oct 2025 00:32:06 +0100
Subject: [PATCH] hfs: Validate CNIDs in hfs_read_inode
hfs_read_inode previously did not validate CNIDs read from disk,
thereby allowing bad inodes to be placed on the dirty list and written
back.
Validate reserved CNIDs according to Apple technical note TN1150.
Reported-by: syzbot+97e301b4b82ae803d21b@syzkaller.appspotmail.com
Signed-off-by: George Anthony Vernon <contact@gvernon.com>
---
fs/hfs/inode.c | 38 ++++++++++++++++++++++++++++++++++++++
1 file changed, 38 insertions(+)
diff --git a/fs/hfs/inode.c b/fs/hfs/inode.c
index a81ce7a740b9..ab71493cf501 100644
--- a/fs/hfs/inode.c
+++ b/fs/hfs/inode.c
@@ -310,6 +310,34 @@ static int hfs_test_inode(struct inode *inode, void *data)
}
}
+/*
+ * is_valid_cnid
+ *
+ * Validate the catalog number of an inode read from disk
+ */
+static bool is_valid_cnid(unsigned long cnid, s8 type)
+{
+ if (likely(cnid >= HFS_FIRSTUSER_CNID))
+ return true;
+
+ switch (cnid) {
+ case HFS_POR_CNID:
+ return type == HFS_CDR_DIR;
+ case HFS_ROOT_CNID:
+ return type == HFS_CDR_DIR;
+ case HFS_EXT_CNID:
+ return type == HFS_CDR_FIL;
+ case HFS_CAT_CNID:
+ return type == HFS_CDR_FIL;
+ case HFS_BAD_CNID:
+ return type == HFS_CDR_FIL;
+ case HFS_EXCH_CNID:
+ return type == HFS_CDR_FIL;
+ default:
+ return false;
+ }
+}
+
/*
* hfs_read_inode
*/
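Review bot: the six case arms of is_valid_cnid collapse to two outcomes, so grouped labels read more clearly and make the intent obvious at a glance: `case HFS_POR_CNID: case HFS_ROOT_CNID: return type == HFS_CDR_DIR;` and the four file CNIDs likewise. The comment above the function could also state that every other value below HFS_FIRSTUSER_CNID is rejected on purpose, since the commit message points at TN1150 and a reader will otherwise wonder whether the remaining reserved IDs were overlooked.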
@@ -348,6 +376,11 @@ static int hfs_read_inode(struct inode *inode, void *data)
}
inode->i_ino = be32_to_cpu(rec->file.FlNum);
+ if (!is_valid_cnid(inode->i_ino, HFS_CDR_FIL)) {
+ printk(KERN_WARNING "hfs: rejected cnid %lu\n", inode->i_ino);
+ make_bad_inode(inode);
+ break;
+ }
inode->i_mode = S_IRUGO | S_IXUGO;
if (!(rec->file.Flags & HFS_FIL_LOCK))
inode->i_mode |= S_IWUGO;
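Review bot: printk(KERN_WARNING "hfs: ...") should be pr_warn(...) here, which is the form the rest of the kernel uses and which the revised patch later in this thread already switches to; the explicit "hfs: " prefix then needs checking against the file's pr_fmt so the subsystem name is not printed twice.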
@@ -361,6 +394,11 @@ static int hfs_read_inode(struct inode *inode, void *data)
break;
case HFS_CDR_DIR:
inode->i_ino = be32_to_cpu(rec->dir.DirID);
+ if (!is_valid_cnid(inode->i_ino, HFS_CDR_DIR)) {
+ printk(KERN_WARNING "hfs: rejected cnid %lu\n", inode->i_ino);
+ make_bad_inode(inode);
+ break;
+ }
inode->i_size = be16_to_cpu(rec->dir.Val) + 2;
HFS_I(inode)->fs_blocks = 0;
inode->i_mode = S_IFDIR | (S_IRWXUGO & ~hsb->s_dir_umask);
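Review bot: this block duplicates the file-arm check with an identical message, so the log cannot tell a rejected directory record from a rejected file record; include the record type in the message, or fold the warn-and-mark sequence into a single helper taking the type, so the two arms cannot drift apart in a later edit.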
--
2.50.1
* Re: [syzbot] [hfs?] kernel BUG in hfs_write_inode
2025-10-02 23:55 ` George Anthony Vernon
@ 2025-10-03 0:18 ` syzbot
2025-10-03 1:03 ` George Anthony Vernon
0 siblings, 1 reply; 10+ messages in thread
From: syzbot @ 2025-10-03 0:18 UTC (permalink / raw)
To: contact, damien.lemoal, jlayton, linux-fsdevel, linux-kernel,
syzkaller-bugs, willy
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+97e301b4b82ae803d21b@syzkaller.appspotmail.com
Tested-by: syzbot+97e301b4b82ae803d21b@syzkaller.appspotmail.com
Tested on:
commit: e5f0a698 Linux 6.17
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.17
console output: https://syzkaller.appspot.com/x/log.txt?x=160acee2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=f5b21423ca3f0a96
dashboard link: https://syzkaller.appspot.com/bug?extid=97e301b4b82ae803d21b
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=11089334580000
Note: testing is done by a robot and is best-effort only.
* Re: [syzbot] [hfs?] kernel BUG in hfs_write_inode
2025-10-03 0:18 ` syzbot
@ 2025-10-03 1:03 ` George Anthony Vernon
2025-10-03 1:27 ` syzbot
0 siblings, 1 reply; 10+ messages in thread
From: George Anthony Vernon @ 2025-10-03 1:03 UTC (permalink / raw)
To: syzbot
Cc: damien.lemoal, jlayton, linux-fsdevel, linux-kernel,
syzkaller-bugs, willy
[-- Attachment #1: Type: text/plain, Size: 944 bytes --]
On Thu, Oct 02, 2025 at 05:18:03PM -0700, syzbot wrote:
> Hello,
>
> syzbot has tested the proposed patch and the reproducer did not trigger any issue:
>
> Reported-by: syzbot+97e301b4b82ae803d21b@syzkaller.appspotmail.com
> Tested-by: syzbot+97e301b4b82ae803d21b@syzkaller.appspotmail.com
>
> Tested on:
>
> commit: e5f0a698 Linux 6.17
> git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.17
> console output: https://syzkaller.appspot.com/x/log.txt?x=160acee2580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=f5b21423ca3f0a96
> dashboard link: https://syzkaller.appspot.com/bug?extid=97e301b4b82ae803d21b
> compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
> patch: https://syzkaller.appspot.com/x/patch.diff?x=11089334580000
>
> Note: testing is done by a robot and is best-effort only.
#syz test
[-- Attachment #2: 0001-hfs-Validate-CNIDs-in-hfs_read_inode.patch --]
[-- Type: text/plain, Size: 2490 bytes --]
From 5ff1f6bf582a643bce73f6a1c431bfe540f76b8a Mon Sep 17 00:00:00 2001
From: George Anthony Vernon <contact@gvernon.com>
Date: Fri, 3 Oct 2025 01:41:24 +0100
Subject: [PATCH] hfs: Validate CNIDs in hfs_read_inode
hfs_read_inode previously did not validate CNIDs read from disk, thereby
allowing bad inodes to be constructed and placed on the dirty list,
eventually hitting a bug on writeback.
Validate reserved CNIDs according to Apple technical note TN1150.
This issue was discussed on LKML previously:
https://lore.kernel.org/all/427fcb57-8424-4e52-9f21-7041b2c4ae5b@I-love.SAKURA.ne.jp/T/
Reported-by: syzbot+97e301b4b82ae803d21b@syzkaller.appspotmail.com
Signed-off-by: George Anthony Vernon <contact@gvernon.com>
---
fs/hfs/inode.c | 38 ++++++++++++++++++++++++++++++++++++++
1 file changed, 38 insertions(+)
diff --git a/fs/hfs/inode.c b/fs/hfs/inode.c
index 9cd449913dc8..da6a6b32d8c2 100644
--- a/fs/hfs/inode.c
+++ b/fs/hfs/inode.c
@@ -321,6 +321,34 @@ static int hfs_test_inode(struct inode *inode, void *data)
}
}
+/*
+ * is_valid_cnid
+ *
+ * Validate the CNID of a catalog record read from disk
+ */
+static bool is_valid_cnid(unsigned long cnid, s8 type)
+{
+ if (likely(cnid >= HFS_FIRSTUSER_CNID))
+ return true;
+
+ switch (cnid) {
+ case HFS_POR_CNID:
+ return type == HFS_CDR_DIR;
+ case HFS_ROOT_CNID:
+ return type == HFS_CDR_DIR;
+ case HFS_EXT_CNID:
+ return type == HFS_CDR_FIL;
+ case HFS_CAT_CNID:
+ return type == HFS_CDR_FIL;
+ case HFS_BAD_CNID:
+ return type == HFS_CDR_FIL;
+ case HFS_EXCH_CNID:
+ return type == HFS_CDR_FIL;
+ default:
+ return false;
+ }
+}
+
/*
* hfs_read_inode
*/
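Review bot: the set of CNIDs accepted here should be checked against the switch in hfs_write_inode, whose default arm is BUG() (see the hunk at fs/hfs/inode.c:441 in the earlier patch in this thread): is_valid_cnid lets HFS_POR_CNID, HFS_BAD_CNID and HFS_EXCH_CNID through, and if hfs_write_inode has no case for those values, a catalog record carrying one of them still produces an inode that reaches the same BUG() once it is dirtied. Either restrict the validator to the CNIDs writeback knows how to handle, or make hfs_write_inode return -EIO for the rest as that other patch does.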
@@ -359,6 +387,11 @@ static int hfs_read_inode(struct inode *inode, void *data)
}
inode->i_ino = be32_to_cpu(rec->file.FlNum);
+ if (!is_valid_cnid(inode->i_ino, HFS_CDR_FIL)) {
+ pr_warn("rejected cnid %lu\n", inode->i_ino);
+ make_bad_inode(inode);
+ break;
+ }
inode->i_mode = S_IRUGO | S_IXUGO;
if (!(rec->file.Flags & HFS_FIL_LOCK))
inode->i_mode |= S_IWUGO;
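Review bot: the pr_warn is driven entirely by on-disk content, so a crafted or corrupted image can emit one line per catalog record that is looked up; pr_warn_ratelimited keeps a single bad mount from flooding the console while still recording that records were rejected.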
@@ -372,6 +405,11 @@ static int hfs_read_inode(struct inode *inode, void *data)
break;
case HFS_CDR_DIR:
inode->i_ino = be32_to_cpu(rec->dir.DirID);
+ if (!is_valid_cnid(inode->i_ino, HFS_CDR_DIR)) {
+ pr_warn("rejected cnid %lu\n", inode->i_ino);
+ make_bad_inode(inode);
+ break;
+ }
inode->i_size = be16_to_cpu(rec->dir.Val) + 2;
HFS_I(inode)->fs_blocks = 0;
inode->i_mode = S_IFDIR | (S_IRWXUGO & ~hsb->s_dir_umask);
--
2.50.1
* Re: kernel BUG in hfs_write_inode
@ 2024-11-23 11:55 Tetsuo Handa
2024-11-23 12:32 ` [syzbot] [hfs?] " syzbot
0 siblings, 1 reply; 10+ messages in thread
From: Tetsuo Handa @ 2024-11-23 11:55 UTC (permalink / raw)
To: syzbot+97e301b4b82ae803d21b, syzkaller-bugs, LKML
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.12
fs/hfs/inode.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/fs/hfs/inode.c b/fs/hfs/inode.c
index a81ce7a740b9..794d710c3ae0 100644
--- a/fs/hfs/inode.c
+++ b/fs/hfs/inode.c
@@ -81,7 +81,7 @@ static bool hfs_release_folio(struct folio *folio, gfp_t mask)
tree = HFS_SB(sb)->cat_tree;
break;
default:
- BUG();
+ pr_warn("unexpected inode %lu at %s()\n", inode->i_ino, __func__);
return false;
}
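Review bot: replacing BUG() with a warning plus `return false` is the right shape for hfs_release_folio, since an unexpected i_ino here comes from on-disk metadata rather than a broken kernel invariant, but it only stops the crash: the inode with the unexpected number stays in the cache and will log again on each call. Worth pairing with a check at the point the inode is built from the catalog record (which the later patches in this thread add to hfs_read_inode), so the condition cannot arise in the first place.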
@@ -305,7 +305,7 @@ static int hfs_test_inode(struct inode *inode, void *data)
case HFS_CDR_FIL:
return inode->i_ino == be32_to_cpu(rec->file.FlNum);
default:
- BUG();
+ pr_warn("unexpected type %u at %s()\n", rec->type, __func__);
return 1;
}
}
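Review bot: `return 1` in the default arm of hfs_test_inode reports a match. This is the test callback for iget5_locked, so if the arm is ever reached with a record of unknown type, the lookup would bind that record to whichever in-core inode is being compared, aliasing an unrelated inode; `return 0` (no match) is the safe choice alongside the warning. Separately, if rec->type is the s8 that the other patches in this thread declare for the type, `%u` prints a negative type as a large unsigned value; `%d` is clearer.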
@@ -441,7 +441,7 @@ int hfs_write_inode(struct inode *inode, struct writeback_control *wbc)
hfs_btree_write(HFS_SB(inode->i_sb)->cat_tree);
return 0;
default:
- BUG();
+ pr_warn("unexpected inode %lu at %s()\n", inode->i_ino, __func__);
return -EIO;
}
}
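Review bot: -EIO is the right return here, since write_inode callers propagate it as a writeback error rather than silently dropping the inode; keep it. One nit: the message text is identical to the one in hfs_release_folio apart from __func__, so the three new strings could share one helper, which also gives a single place to ratelimit a warning that untrusted on-disk data can trigger.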
--
2.47.0