syzbot is reporting that BUG() in hfs_write_inode() fires when the inode number of the record retrieved as a result of hfs_cat_find_brec(HFS_ROOT_CNID) is not HFS_ROOT_CNID, for commit b905bafdea21 ("hfs: Sanity check the root record") checked the record size and the record type but did not check the inode number. Reported-by: syzbot+97e301b4b82ae803d21b@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=97e301b4b82ae803d21b Signed-off-by: Tetsuo Handa --- Viacheslav Dubeyko and George Anthony Vernon are trying to fix this problem in hfs_read_inode(), but no new patch has been proposed for three months ( https://lkml.kernel.org/r/20251104014738.131872-3-contact@gvernon.com ) . This problem is "one of top crashers which is wasting syzbot resources" and "a very low-hanging fruit which can be trivially avoided". I already tested this patch using linux-next tree for two weeks, and syzbot did not find problems. Therefore, while what they would propose might partially overlap with my proposal, let's make it possible to utilize syzbot resources for finding other bugs. fs/hfs/super.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/hfs/super.c b/fs/hfs/super.c index 97546d6b41f4..c283fc9c5e88 100644 --- a/fs/hfs/super.c +++ b/fs/hfs/super.c @@ -361,7 +361,7 @@ static int hfs_fill_super(struct super_block *sb, struct fs_context *fc) goto bail_hfs_find; } hfs_bnode_read(fd.bnode, &rec, fd.entryoffset, fd.entrylength); - if (rec.type != HFS_CDR_DIR) + if (rec.type != HFS_CDR_DIR || rec.dir.DirID != cpu_to_be32(HFS_ROOT_CNID)) res = -EIO; } if (res) -- 2.53.0
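Review bot: the new condition in hfs_fill_super() is sound as far as the hunk shows (the `||` short-circuits, so `rec.dir.DirID` is only read once `rec.type == HFS_CDR_DIR` has established that the union's dir member is the valid one), but the failure branch still just sets `res = -EIO` with no diagnostic, so a corrupt or crafted image now fails to mount with nothing in the kernel log saying that the root record's CNID did not match HFS_ROOT_CNID; consider a pr_err() on this path naming the unexpected DirID so the rejection is attributable. Separately, since the commit message itself states that b905bafdea21 ("hfs: Sanity check the root record") checked the record size and type but not the inode number, the patch should carry a `Fixes: b905bafdea21 ("hfs: Sanity check the root record")` tag so stable trees that took that commit also pick up this one.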