Re: [PATCH v7] hfs: validate record ID against requested CNID in hfs_cat_find_brec()
From: Viacheslav Dubeyko
Date: Tue May 19 2026 - 17:10:28 EST
On Sat, 2026-05-16 at 15:17 +0900, Tetsuo Handa wrote:
> On 2026/05/16 6:10, Viacheslav Dubeyko wrote:
> > On Thu, 2026-05-14 at 16:34 +0900, Tetsuo Handa wrote:
> > > syzbot is reporting that BUG() in hfs_write_inode() fires upon unmount
> > > operation when the inode number of the record retrieved as a result of
> > > hfs_cat_find_brec(HFS_ROOT_CNID) is not HFS_ROOT_CNID, for
> > > commit b905bafdea21 ("hfs: Sanity check the root record") checked
> > > the record size and the record type but did not check the inode number.
> > >
> > > Initially, Viacheslav Dubeyko was assuming that we can fix this problem
> > > by adding validation to hfs_read_inode(), and George Anthony Vernon is
> > > proposing a patch that adds validation to hfs_read_inode().
> > >
> >
> > We can fix the problem by adding validation to hfs_read_inode().
>
> No, we can't. We can't fix a logical error that hfs_fill_super() by error
> accepts an inode which is not the root inode, by adding validation to
> hfs_read_inode().
>
We can. And I explained the way.
> >
> > > While I am not against adding validation to hfs_read_inode(), treating
> > > an inode which is not the root inode as if the root inode is a logical
> > > error which should be rejected regardless of whether we hit BUG() or not.
> > > And we confirmed that we can't fix this logical error by adding validation
> > > to hfs_read_inode().
> > >
> >
> > We haven't confirmed it. The issue can be fixed by adding validation to
> > hfs_read_inode().
>
> We already confirmed it, you forgot it.
> https://lkml.kernel.org/r/b7318588-33b2-4dc6-9469-e11da855f8ad@xxxxxxxxxxxxxxxxxxx
>
No. We haven't confirmed it. We can do it.
Thanks,
Slava.