Re: [PATCH v7] hfs: validate record ID against requested CNID in hfs_cat_find_brec()

From: Tetsuo Handa

Date: Sat May 16 2026 - 02:18:09 EST


On 2026/05/16 6:10, Viacheslav Dubeyko wrote:
> On Thu, 2026-05-14 at 16:34 +0900, Tetsuo Handa wrote:
>> syzbot is reporting that BUG() in hfs_write_inode() fires upon unmount
>> operation when the inode number of the record retrieved as a result of
>> hfs_cat_find_brec(HFS_ROOT_CNID) is not HFS_ROOT_CNID, for
>> commit b905bafdea21 ("hfs: Sanity check the root record") checked
>> the record size and the record type but did not check the inode number.
>>
>> Initially, Viacheslav Dubeyko was assuming that we can fix this problem
>> by adding validation to hfs_read_inode(), and George Anthony Vernon is
>> proposing a patch that adds validation to hfs_read_inode().
>>
>
> We can fix the problem by adding validation to hfs_read_inode().

No, we can't. We can't fix, by adding validation to hfs_read_inode(), the
logical error that hfs_fill_super() mistakenly accepts an inode which is not
the root inode.

>
>> While I am not against adding validation to hfs_read_inode(), treating
>> an inode which is not the root inode as if the root inode is a logical
>> error which should be rejected regardless of whether we hit BUG() or not.
>> And we confirmed that we can't fix this logical error by adding validation
>> to hfs_read_inode().
>>
>
> We haven't confirmed it. The issue can be fixed by adding validation to
> hfs_read_inode().

We already confirmed it; you forgot it.
https://lkml.kernel.org/r/b7318588-33b2-4dc6-9469-e11da855f8ad@xxxxxxxxxxxxxxxxxxx