fs/hfs/dir.c | 12 ++++++------ fs/hfs/hfs.h | 3 +++ fs/hfs/hfs_fs.h | 2 +- fs/hfs/inode.c | 40 ++++++++++++++++++++++++++++++++-------- fs/hfs/mdb.c | 15 ++++++++++++--- 5 files changed, 54 insertions(+), 18 deletions(-)
In a06ec283e125 next_id, folder_count, and file_count in the super block
info were expanded to 64 bits, and BUG_ONs were added to detect
overflow. This triggered an error reported by syzbot: if the MDB is
corrupted, the BUG_ON is triggered. This patch replaces this mechanism
with proper error handling and resolves the syzbot reported bug.
Singed-off-by: Jori Koolstra <jkoolstra@xs4all.nl>
Reported-by: syzbot+17cc9bb6d8d69b4139f0@syzkaller.appspotmail.com
Closes: https://syzbot.org/bug?extid=17cc9bb6d8d69b4139f0
Signed-off-by: Jori Koolstra <jkoolstra@xs4all.nl>
---
fs/hfs/dir.c | 12 ++++++------
fs/hfs/hfs.h | 3 +++
fs/hfs/hfs_fs.h | 2 +-
fs/hfs/inode.c | 40 ++++++++++++++++++++++++++++++++--------
fs/hfs/mdb.c | 15 ++++++++++++---
5 files changed, 54 insertions(+), 18 deletions(-)
diff --git a/fs/hfs/dir.c b/fs/hfs/dir.c
index 86a6b317b474..03881a91f869 100644
--- a/fs/hfs/dir.c
+++ b/fs/hfs/dir.c
@@ -196,8 +196,8 @@ static int hfs_create(struct mnt_idmap *idmap, struct inode *dir,
int res;
inode = hfs_new_inode(dir, &dentry->d_name, mode);
- if (!inode)
- return -ENOMEM;
+ if (IS_ERR(inode))
+ return PTR_ERR(inode);
res = hfs_cat_create(inode->i_ino, dir, &dentry->d_name, inode);
if (res) {
@@ -226,8 +226,8 @@ static struct dentry *hfs_mkdir(struct mnt_idmap *idmap, struct inode *dir,
int res;
inode = hfs_new_inode(dir, &dentry->d_name, S_IFDIR | mode);
- if (!inode)
- return ERR_PTR(-ENOMEM);
+ if (IS_ERR(inode))
+ return ERR_CAST(inode);
res = hfs_cat_create(inode->i_ino, dir, &dentry->d_name, inode);
if (res) {
@@ -264,9 +264,9 @@ static int hfs_remove(struct inode *dir, struct dentry *dentry)
return res;
clear_nlink(inode);
inode_set_ctime_current(inode);
- hfs_delete_inode(inode);
+ res = hfs_delete_inode(inode);
mark_inode_dirty(inode);
- return 0;
+ return res;
}
/*
diff --git a/fs/hfs/hfs.h b/fs/hfs/hfs.h
index 6f194d0768b6..4b4797ef4e50 100644
--- a/fs/hfs/hfs.h
+++ b/fs/hfs/hfs.h
@@ -287,3 +287,6 @@ struct hfs_readdir_data {
};
#endif
+
+
+#define EFSCORRUPTED EUCLEAN /* Filesystem is corrupted */
diff --git a/fs/hfs/hfs_fs.h b/fs/hfs/hfs_fs.h
index fff149af89da..21dfdde71b14 100644
--- a/fs/hfs/hfs_fs.h
+++ b/fs/hfs/hfs_fs.h
@@ -182,7 +182,7 @@ extern void hfs_inode_read_fork(struct inode *inode, struct hfs_extent *ext,
__be32 log_size, __be32 phys_size, u32 clump_size);
extern struct inode *hfs_iget(struct super_block *, struct hfs_cat_key *, hfs_cat_rec *);
extern void hfs_evict_inode(struct inode *);
-extern void hfs_delete_inode(struct inode *);
+extern int hfs_delete_inode(struct inode *);
/* attr.c */
extern const struct xattr_handler * const hfs_xattr_handlers[];
diff --git a/fs/hfs/inode.c b/fs/hfs/inode.c
index 9cd449913dc8..ce27d49c41e4 100644
--- a/fs/hfs/inode.c
+++ b/fs/hfs/inode.c
@@ -186,16 +186,22 @@ struct inode *hfs_new_inode(struct inode *dir, const struct qstr *name, umode_t
s64 next_id;
s64 file_count;
s64 folder_count;
+ int err = -ENOMEM;
if (!inode)
- return NULL;
+ goto out_err;
+
+ err = -EFSCORRUPTED;
mutex_init(&HFS_I(inode)->extents_lock);
INIT_LIST_HEAD(&HFS_I(inode)->open_dir_list);
spin_lock_init(&HFS_I(inode)->open_dir_lock);
hfs_cat_build_key(sb, (btree_key *)&HFS_I(inode)->cat_key, dir->i_ino, name);
next_id = atomic64_inc_return(&HFS_SB(sb)->next_id);
- BUG_ON(next_id > U32_MAX);
+ if (next_id > U32_MAX) {
+ pr_err("next CNID exceeds limit — filesystem corrupted. It is recommended to run fsck\n");
+ goto out_discard;
+ }
inode->i_ino = (u32)next_id;
inode->i_mode = mode;
inode->i_uid = current_fsuid();
@@ -209,7 +215,10 @@ struct inode *hfs_new_inode(struct inode *dir, const struct qstr *name, umode_t
if (S_ISDIR(mode)) {
inode->i_size = 2;
folder_count = atomic64_inc_return(&HFS_SB(sb)->folder_count);
- BUG_ON(folder_count > U32_MAX);
+ if (folder_count > U32_MAX) {
+ pr_err("folder count exceeds limit — filesystem corrupted. It is recommended to run fsck\n");
+ goto out_discard;
+ }
if (dir->i_ino == HFS_ROOT_CNID)
HFS_SB(sb)->root_dirs++;
inode->i_op = &hfs_dir_inode_operations;
@@ -219,7 +228,10 @@ struct inode *hfs_new_inode(struct inode *dir, const struct qstr *name, umode_t
} else if (S_ISREG(mode)) {
HFS_I(inode)->clump_blocks = HFS_SB(sb)->clumpablks;
file_count = atomic64_inc_return(&HFS_SB(sb)->file_count);
- BUG_ON(file_count > U32_MAX);
+ if (file_count > U32_MAX) {
+ pr_err("file count exceeds limit — filesystem corrupted. It is recommended to run fsck\n");
+ goto out_discard;
+ }
if (dir->i_ino == HFS_ROOT_CNID)
HFS_SB(sb)->root_files++;
inode->i_op = &hfs_file_inode_operations;
@@ -243,24 +255,35 @@ struct inode *hfs_new_inode(struct inode *dir, const struct qstr *name, umode_t
hfs_mark_mdb_dirty(sb);
return inode;
+
+ out_discard:
+ iput(inode);
+ out_err:
+ return ERR_PTR(err);
}
-void hfs_delete_inode(struct inode *inode)
+int hfs_delete_inode(struct inode *inode)
{
struct super_block *sb = inode->i_sb;
hfs_dbg("ino %lu\n", inode->i_ino);
if (S_ISDIR(inode->i_mode)) {
- BUG_ON(atomic64_read(&HFS_SB(sb)->folder_count) > U32_MAX);
+ if (atomic64_read(&HFS_SB(sb)->folder_count) > U32_MAX) {
+ pr_err("folder count exceeds limit — filesystem corrupted. It is recommended to run fsck\n");
+ return -EFSCORRUPTED;
+ }
atomic64_dec(&HFS_SB(sb)->folder_count);
if (HFS_I(inode)->cat_key.ParID == cpu_to_be32(HFS_ROOT_CNID))
HFS_SB(sb)->root_dirs--;
set_bit(HFS_FLG_MDB_DIRTY, &HFS_SB(sb)->flags);
hfs_mark_mdb_dirty(sb);
- return;
+ return 0;
}
- BUG_ON(atomic64_read(&HFS_SB(sb)->file_count) > U32_MAX);
+ if (atomic64_read(&HFS_SB(sb)->file_count) > U32_MAX) {
+ pr_err("file count exceeds limit — filesystem corrupted. It is recommended to run fsck\n");
+ return -EFSCORRUPTED;
+ }
atomic64_dec(&HFS_SB(sb)->file_count);
if (HFS_I(inode)->cat_key.ParID == cpu_to_be32(HFS_ROOT_CNID))
HFS_SB(sb)->root_files--;
@@ -272,6 +295,7 @@ void hfs_delete_inode(struct inode *inode)
}
set_bit(HFS_FLG_MDB_DIRTY, &HFS_SB(sb)->flags);
hfs_mark_mdb_dirty(sb);
+ return 0;
}
void hfs_inode_read_fork(struct inode *inode, struct hfs_extent *ext,
diff --git a/fs/hfs/mdb.c b/fs/hfs/mdb.c
index 53f3fae60217..45b690ab4ba5 100644
--- a/fs/hfs/mdb.c
+++ b/fs/hfs/mdb.c
@@ -273,15 +273,24 @@ void hfs_mdb_commit(struct super_block *sb)
/* These parameters may have been modified, so write them back */
mdb->drLsMod = hfs_mtime();
mdb->drFreeBks = cpu_to_be16(HFS_SB(sb)->free_ablocks);
- BUG_ON(atomic64_read(&HFS_SB(sb)->next_id) > U32_MAX);
+ if (atomic64_read(&HFS_SB(sb)->next_id) > U32_MAX) {
+ pr_err("next CNID exceeds limit — filesystem corrupted. It is recommended to run fsck\n");
+ return;
+ }
mdb->drNxtCNID =
cpu_to_be32((u32)atomic64_read(&HFS_SB(sb)->next_id));
mdb->drNmFls = cpu_to_be16(HFS_SB(sb)->root_files);
mdb->drNmRtDirs = cpu_to_be16(HFS_SB(sb)->root_dirs);
- BUG_ON(atomic64_read(&HFS_SB(sb)->file_count) > U32_MAX);
+ if (atomic64_read(&HFS_SB(sb)->file_count) > U32_MAX) {
+ pr_err("file count exceeds limit — filesystem corrupted. It is recommended to run fsck\n");
+ return;
+ }
mdb->drFilCnt =
cpu_to_be32((u32)atomic64_read(&HFS_SB(sb)->file_count));
- BUG_ON(atomic64_read(&HFS_SB(sb)->folder_count) > U32_MAX);
+ if (atomic64_read(&HFS_SB(sb)->folder_count) > U32_MAX) {
+ pr_err("folder count exceeds limit — filesystem corrupted. It is recommended to run fsck\n");
+ return;
+ }
mdb->drDirCnt =
cpu_to_be32((u32)atomic64_read(&HFS_SB(sb)->folder_count));
--
2.51.2
On Tue, 2025-11-25 at 22:13 +0100, Jori Koolstra wrote:
> In a06ec283e125 next_id, folder_count, and file_count in the super block
> info were expanded to 64 bits, and BUG_ONs were added to detect
> overflow. This triggered an error reported by syzbot: if the MDB is
> corrupted, the BUG_ON is triggered. This patch replaces this mechanism
> with proper error handling and resolves the syzbot reported bug.
>
> Singed-off-by: Jori Koolstra <jkoolstra@xs4all.nl>
> Reported-by: syzbot+17cc9bb6d8d69b4139f0@syzkaller.appspotmail.com
> Closes: https://syzbot.org/bug?extid=17cc9bb6d8d69b4139f0
> Signed-off-by: Jori Koolstra <jkoolstra@xs4all.nl>
> ---
> fs/hfs/dir.c | 12 ++++++------
> fs/hfs/hfs.h | 3 +++
> fs/hfs/hfs_fs.h | 2 +-
> fs/hfs/inode.c | 40 ++++++++++++++++++++++++++++++++--------
> fs/hfs/mdb.c | 15 ++++++++++++---
> 5 files changed, 54 insertions(+), 18 deletions(-)
>
> diff --git a/fs/hfs/dir.c b/fs/hfs/dir.c
> index 86a6b317b474..03881a91f869 100644
> --- a/fs/hfs/dir.c
> +++ b/fs/hfs/dir.c
> @@ -196,8 +196,8 @@ static int hfs_create(struct mnt_idmap *idmap, struct inode *dir,
> int res;
>
> inode = hfs_new_inode(dir, &dentry->d_name, mode);
> - if (!inode)
> - return -ENOMEM;
> + if (IS_ERR(inode))
> + return PTR_ERR(inode);
>
> res = hfs_cat_create(inode->i_ino, dir, &dentry->d_name, inode);
> if (res) {
> @@ -226,8 +226,8 @@ static struct dentry *hfs_mkdir(struct mnt_idmap *idmap, struct inode *dir,
> int res;
>
> inode = hfs_new_inode(dir, &dentry->d_name, S_IFDIR | mode);
> - if (!inode)
> - return ERR_PTR(-ENOMEM);
> + if (IS_ERR(inode))
> + return ERR_CAST(inode);
>
> res = hfs_cat_create(inode->i_ino, dir, &dentry->d_name, inode);
> if (res) {
> @@ -264,9 +264,9 @@ static int hfs_remove(struct inode *dir, struct dentry *dentry)
> return res;
> clear_nlink(inode);
> inode_set_ctime_current(inode);
> - hfs_delete_inode(inode);
> + res = hfs_delete_inode(inode);
> mark_inode_dirty(inode);
> - return 0;
> + return res;
This modification doesn't look good, frankly speaking. The hfs_delete_inode()
will return error code pretty at the beginning of execution. So, it doesn't make
sense to call mark_inode_dirty() then. However, we already did a lot of activity
before hfs_delete_inode() call:
static int hfs_remove(struct inode *dir, struct dentry *dentry)
{
struct inode *inode = d_inode(dentry);
int res;
if (S_ISDIR(inode->i_mode) && inode->i_size != 2)
return -ENOTEMPTY;
res = hfs_cat_delete(inode->i_ino, dir, &dentry->d_name);
if (res)
return res;
clear_nlink(inode);
inode_set_ctime_current(inode);
hfs_delete_inode(inode);
mark_inode_dirty(inode);
return 0;
}
So, not full executing of hfs_delete_inode() makes situation really bad.
Because, we deleted record from Catalog File but rejected of execution of
hfs_delete_inode() functionality.
I am thinking that, maybe, better course of action is to check HFS_SB(sb)-
>folder_count and HFS_SB(sb)->file_count at the beginning of hfs_remove():
static int hfs_remove(struct inode *dir, struct dentry *dentry)
{
struct inode *inode = d_inode(dentry);
int res;
if (S_ISDIR(inode->i_mode) && inode->i_size != 2)
return -ENOTEMPTY;
<<-- Check it here and return error
res = hfs_cat_delete(inode->i_ino, dir, &dentry->d_name);
if (res)
return res;
clear_nlink(inode);
inode_set_ctime_current(inode);
hfs_delete_inode(inode);
mark_inode_dirty(inode);
return 0;
}
In such case, we reject to make the removal, to return error and no activity
will happened. Let's move the check from hfs_delete_inode() to hfs_remove(). We
can ignore hfs_create() [1] and hfs_mkdir() [2] because these methods simply
processing erroneous situation.
> }
>
> /*
> diff --git a/fs/hfs/hfs.h b/fs/hfs/hfs.h
> index 6f194d0768b6..4b4797ef4e50 100644
> --- a/fs/hfs/hfs.h
> +++ b/fs/hfs/hfs.h
> @@ -287,3 +287,6 @@ struct hfs_readdir_data {
> };
>
> #endif
> +
> +
> +#define EFSCORRUPTED EUCLEAN /* Filesystem is corrupted */
I don't think that rename existing error code is good idea. Especially, because
we will not need the newly introduce error code's name. Please, see my comments
below.
> diff --git a/fs/hfs/hfs_fs.h b/fs/hfs/hfs_fs.h
> index fff149af89da..21dfdde71b14 100644
> --- a/fs/hfs/hfs_fs.h
> +++ b/fs/hfs/hfs_fs.h
> @@ -182,7 +182,7 @@ extern void hfs_inode_read_fork(struct inode *inode, struct hfs_extent *ext,
> __be32 log_size, __be32 phys_size, u32 clump_size);
> extern struct inode *hfs_iget(struct super_block *, struct hfs_cat_key *, hfs_cat_rec *);
> extern void hfs_evict_inode(struct inode *);
> -extern void hfs_delete_inode(struct inode *);
> +extern int hfs_delete_inode(struct inode *);
>
> /* attr.c */
> extern const struct xattr_handler * const hfs_xattr_handlers[];
> diff --git a/fs/hfs/inode.c b/fs/hfs/inode.c
> index 9cd449913dc8..ce27d49c41e4 100644
> --- a/fs/hfs/inode.c
> +++ b/fs/hfs/inode.c
> @@ -186,16 +186,22 @@ struct inode *hfs_new_inode(struct inode *dir, const struct qstr *name, umode_t
> s64 next_id;
> s64 file_count;
> s64 folder_count;
> + int err = -ENOMEM;
>
> if (!inode)
> - return NULL;
> + goto out_err;
> +
> + err = -EFSCORRUPTED;
In 99% of cases, this logic will be called for file system internal logic when
mount was successful. So, file system volume is not corrupted. Even if we
suspect that volume is corrupted, then potential reason could be failed read (-
EIO). It needs to run FSCK tool to be sure that volume is really corrupted.
>
> mutex_init(&HFS_I(inode)->extents_lock);
> INIT_LIST_HEAD(&HFS_I(inode)->open_dir_list);
> spin_lock_init(&HFS_I(inode)->open_dir_lock);
> hfs_cat_build_key(sb, (btree_key *)&HFS_I(inode)->cat_key, dir->i_ino, name);
> next_id = atomic64_inc_return(&HFS_SB(sb)->next_id);
> - BUG_ON(next_id > U32_MAX);
> + if (next_id > U32_MAX) {
> + pr_err("next CNID exceeds limit — filesystem corrupted. It is recommended to run fsck\n");
File system volume is not corrupted here. Because, it is only error of file
system logic. And we will not store this not correct number to the volume,
anyway. At minimum, we should protect the logic from doing this. And it doesn't
need to recommend to run FSCK tool here.
Probably, it makes sense to decrement erroneous back.
Potentially, if we have such situation, maybe, it makes sense to consider to
make file system READ-ONLY. But I am not fully sure.
> + goto out_discard;
> + }
> inode->i_ino = (u32)next_id;
> inode->i_mode = mode;
> inode->i_uid = current_fsuid();
> @@ -209,7 +215,10 @@ struct inode *hfs_new_inode(struct inode *dir, const struct qstr *name, umode_t
> if (S_ISDIR(mode)) {
> inode->i_size = 2;
> folder_count = atomic64_inc_return(&HFS_SB(sb)->folder_count);
> - BUG_ON(folder_count > U32_MAX);
> + if (folder_count > U32_MAX) {
> + pr_err("folder count exceeds limit — filesystem corrupted. It is recommended to run fsck\n");
Ditto. File system volume is not corrupted here.
> + goto out_discard;
> + }
> if (dir->i_ino == HFS_ROOT_CNID)
> HFS_SB(sb)->root_dirs++;
> inode->i_op = &hfs_dir_inode_operations;
> @@ -219,7 +228,10 @@ struct inode *hfs_new_inode(struct inode *dir, const struct qstr *name, umode_t
> } else if (S_ISREG(mode)) {
> HFS_I(inode)->clump_blocks = HFS_SB(sb)->clumpablks;
> file_count = atomic64_inc_return(&HFS_SB(sb)->file_count);
> - BUG_ON(file_count > U32_MAX);
> + if (file_count > U32_MAX) {
> + pr_err("file count exceeds limit — filesystem corrupted. It is recommended to run fsck\n");
Ditto. File system volume is not corrupted here.
> + goto out_discard;
> + }
> if (dir->i_ino == HFS_ROOT_CNID)
> HFS_SB(sb)->root_files++;
> inode->i_op = &hfs_file_inode_operations;
> @@ -243,24 +255,35 @@ struct inode *hfs_new_inode(struct inode *dir, const struct qstr *name, umode_t
> hfs_mark_mdb_dirty(sb);
>
> return inode;
> +
> + out_discard:
> + iput(inode);
> + out_err:
> + return ERR_PTR(err);
> }
>
> -void hfs_delete_inode(struct inode *inode)
> +int hfs_delete_inode(struct inode *inode)
> {
> struct super_block *sb = inode->i_sb;
>
> hfs_dbg("ino %lu\n", inode->i_ino);
> if (S_ISDIR(inode->i_mode)) {
> - BUG_ON(atomic64_read(&HFS_SB(sb)->folder_count) > U32_MAX);
> + if (atomic64_read(&HFS_SB(sb)->folder_count) > U32_MAX) {
> + pr_err("folder count exceeds limit — filesystem corrupted. It is recommended to run fsck\n");
Ditto. File system volume is not corrupted here.
Please, see my comments above related to hfs_remove() logic.
> + return -EFSCORRUPTED;
> + }
> atomic64_dec(&HFS_SB(sb)->folder_count);
> if (HFS_I(inode)->cat_key.ParID == cpu_to_be32(HFS_ROOT_CNID))
> HFS_SB(sb)->root_dirs--;
> set_bit(HFS_FLG_MDB_DIRTY, &HFS_SB(sb)->flags);
> hfs_mark_mdb_dirty(sb);
> - return;
> + return 0;
> }
>
> - BUG_ON(atomic64_read(&HFS_SB(sb)->file_count) > U32_MAX);
> + if (atomic64_read(&HFS_SB(sb)->file_count) > U32_MAX) {
> + pr_err("file count exceeds limit — filesystem corrupted. It is recommended to run fsck\n");
Ditto. File system volume is not corrupted here.
Please, see my comments above related to hfs_remove() logic.
> + return -EFSCORRUPTED;
> + }
> atomic64_dec(&HFS_SB(sb)->file_count);
> if (HFS_I(inode)->cat_key.ParID == cpu_to_be32(HFS_ROOT_CNID))
> HFS_SB(sb)->root_files--;
> @@ -272,6 +295,7 @@ void hfs_delete_inode(struct inode *inode)
> }
> set_bit(HFS_FLG_MDB_DIRTY, &HFS_SB(sb)->flags);
> hfs_mark_mdb_dirty(sb);
> + return 0;
> }
>
> void hfs_inode_read_fork(struct inode *inode, struct hfs_extent *ext,
> diff --git a/fs/hfs/mdb.c b/fs/hfs/mdb.c
> index 53f3fae60217..45b690ab4ba5 100644
> --- a/fs/hfs/mdb.c
> +++ b/fs/hfs/mdb.c
> @@ -273,15 +273,24 @@ void hfs_mdb_commit(struct super_block *sb)
> /* These parameters may have been modified, so write them back */
> mdb->drLsMod = hfs_mtime();
> mdb->drFreeBks = cpu_to_be16(HFS_SB(sb)->free_ablocks);
> - BUG_ON(atomic64_read(&HFS_SB(sb)->next_id) > U32_MAX);
> + if (atomic64_read(&HFS_SB(sb)->next_id) > U32_MAX) {
> + pr_err("next CNID exceeds limit — filesystem corrupted. It is recommended to run fsck\n");
Ditto. File system volume is not corrupted here yet.
Breaking logic of hfs_mdb_commit() looks like really bad idea. Especially,
because we don't return any error message. I am thinking that, probably, we need
to consider of moving the check of next_id, file_count, folder_count from
hfs_mdb_commit() into hfs_sync_fs() [3] with the goal of of converting file
system in READ-ONLY state and returning error code.
> + return;
> + }
> mdb->drNxtCNID =
> cpu_to_be32((u32)atomic64_read(&HFS_SB(sb)->next_id));
> mdb->drNmFls = cpu_to_be16(HFS_SB(sb)->root_files);
> mdb->drNmRtDirs = cpu_to_be16(HFS_SB(sb)->root_dirs);
> - BUG_ON(atomic64_read(&HFS_SB(sb)->file_count) > U32_MAX);
> + if (atomic64_read(&HFS_SB(sb)->file_count) > U32_MAX) {
> + pr_err("file count exceeds limit — filesystem corrupted. It is recommended to run fsck\n");
Ditto, please, see my comments above.
> + return;
> + }
> mdb->drFilCnt =
> cpu_to_be32((u32)atomic64_read(&HFS_SB(sb)->file_count));
> - BUG_ON(atomic64_read(&HFS_SB(sb)->folder_count) > U32_MAX);
> + if (atomic64_read(&HFS_SB(sb)->folder_count) > U32_MAX) {
> + pr_err("folder count exceeds limit — filesystem corrupted. It is recommended to run fsck\n");
Ditto, please, see my comments above.
Thanks,
Slava.
> + return;
> + }
> mdb->drDirCnt =
> cpu_to_be32((u32)atomic64_read(&HFS_SB(sb)->folder_count));
>
[1] https://elixir.bootlin.com/linux/v6.18-rc6/source/fs/hfs/dir.c#L205
[2] https://elixir.bootlin.com/linux/v6.18-rc6/source/fs/hfs/dir.c#L235
[3]
https://elixir.bootlin.com/linux/v6.18-rc6/source/fs/hfs/super.c#L37
Hi Viachslav,
Thanks for your time to write such a detailed answer. Your comments are very useful
to someone like me starting out in the linux kernel. I really appreciate it.
> > @@ -264,9 +264,9 @@ static int hfs_remove(struct inode *dir, struct dentry *dentry)
> > return res;
> > clear_nlink(inode);
> > inode_set_ctime_current(inode);
> > - hfs_delete_inode(inode);
> > + res = hfs_delete_inode(inode);
> > mark_inode_dirty(inode);
> > - return 0;
> > + return res;
>
> This modification doesn't look good, frankly speaking. The hfs_delete_inode()
> will return error code pretty at the beginning of execution. So, it doesn't make
> sense to call mark_inode_dirty() then. However, we already did a lot of activity
> before hfs_delete_inode() call:
>
> static int hfs_remove(struct inode *dir, struct dentry *dentry)
> {
> struct inode *inode = d_inode(dentry);
> int res;
>
> if (S_ISDIR(inode->i_mode) && inode->i_size != 2)
> return -ENOTEMPTY;
> res = hfs_cat_delete(inode->i_ino, dir, &dentry->d_name);
> if (res)
> return res;
> clear_nlink(inode);
> inode_set_ctime_current(inode);
> hfs_delete_inode(inode);
> mark_inode_dirty(inode);
> return 0;
> }
>
> So, not full executing of hfs_delete_inode() makes situation really bad.
> Because, we deleted record from Catalog File but rejected of execution of
> hfs_delete_inode() functionality.
>
> I am thinking that, maybe, better course of action is to check HFS_SB(sb)-
> >folder_count and HFS_SB(sb)->file_count at the beginning of hfs_remove():
>
> static int hfs_remove(struct inode *dir, struct dentry *dentry)
> {
> struct inode *inode = d_inode(dentry);
> int res;
>
> if (S_ISDIR(inode->i_mode) && inode->i_size != 2)
> return -ENOTEMPTY;
>
> <<-- Check it here and return error
>
> res = hfs_cat_delete(inode->i_ino, dir, &dentry->d_name);
> if (res)
> return res;
> clear_nlink(inode);
> inode_set_ctime_current(inode);
> hfs_delete_inode(inode);
> mark_inode_dirty(inode);
> return 0;
> }
>
That sounds good. But maybe we should do the check even before the ENOTEMPTY check,
as corruption detection is perhaps more interesting than informing that the operation
cannot complete because of some other (less acute) reason.
> In such case, we reject to make the removal, to return error and no activity
> will happened. Let's move the check from hfs_delete_inode() to hfs_remove(). We
> can ignore hfs_create() [1] and hfs_mkdir() [2] because these methods simply
> processing erroneous situation.
>
One thing we can also do is what happens in ext4. We introduce an errors= mount option
which can be set to readonly, panic, or continue depending on the desired behavior in
case of serious error (like corruption). I already implemented this for minix fs, and
the patch was fine. However, the people responsible for minix felt that it was more
sensible to deprecate minix and write a FUSE driver for it. [1]
> > +#define EFSCORRUPTED EUCLEAN /* Filesystem is corrupted */
>
> I don't think that rename existing error code is good idea. Especially, because
> we will not need the newly introduce error code's name. Please, see my comments
> below.
>
For context, I took this from ext4.
> > --- a/fs/hfs/inode.c
> > +++ b/fs/hfs/inode.c
> > @@ -186,16 +186,22 @@ struct inode *hfs_new_inode(struct inode *dir, const struct qstr *name, umode_t
> > s64 next_id;
> > s64 file_count;
> > s64 folder_count;
> > + int err = -ENOMEM;
> >
> > if (!inode)
> > - return NULL;
> > + goto out_err;
> > +
> > + err = -EFSCORRUPTED;
>
> In 99% of cases, this logic will be called for file system internal logic when
> mount was successful. So, file system volume is not corrupted. Even if we
> suspect that volume is corrupted, then potential reason could be failed read (-
> EIO). It needs to run FSCK tool to be sure that volume is really corrupted.
>
I get your point, maybe just warn for possible corruption?
> >
> > mutex_init(&HFS_I(inode)->extents_lock);
> > INIT_LIST_HEAD(&HFS_I(inode)->open_dir_list);
> > spin_lock_init(&HFS_I(inode)->open_dir_lock);
> > hfs_cat_build_key(sb, (btree_key *)&HFS_I(inode)->cat_key, dir->i_ino, name);
> > next_id = atomic64_inc_return(&HFS_SB(sb)->next_id);
> > - BUG_ON(next_id > U32_MAX);
> > + if (next_id > U32_MAX) {
> > + pr_err("next CNID exceeds limit — filesystem corrupted. It is recommended to run fsck\n");
>
> File system volume is not corrupted here. Because, it is only error of file
> system logic. And we will not store this not correct number to the volume,
> anyway. At minimum, we should protect the logic from doing this. And it doesn't
> need to recommend to run FSCK tool here.
What if e.g. next_id is not U32_MAX, but some other slightly smaller value, that's still
not possible, correct? And then we find out not at mount time (at least not right now).
Maybe we should just check at mount time and when the mdb is written if the values like
file/folder_count and next_id make any sense. I think they indicate corruption even for
much smaller values than U32_MAX, but I could not really distill that.
If we have this, then the other BUG_ONs should not indicate corruption but implementation
logic issues. Correct?
>
> Probably, it makes sense to decrement erroneous back.
>
> Potentially, if we have such situation, maybe, it makes sense to consider to
> make file system READ-ONLY. But I am not fully sure.
>
See my comment above.
Thanks,
Jori.
[1] https://lkml.org/lkml/2025/10/28/1786
Hi Jori,
On Sun, 2025-11-30 at 21:34 +0100, Jori Koolstra wrote:
> Hi Viachslav,
>
> Thanks for your time to write such a detailed answer. Your comments are very useful
> to someone like me starting out in the linux kernel. I really appreciate it.
>
> > > @@ -264,9 +264,9 @@ static int hfs_remove(struct inode *dir, struct dentry *dentry)
> > > return res;
> > > clear_nlink(inode);
> > > inode_set_ctime_current(inode);
> > > - hfs_delete_inode(inode);
> > > + res = hfs_delete_inode(inode);
> > > mark_inode_dirty(inode);
> > > - return 0;
> > > + return res;
> >
> > This modification doesn't look good, frankly speaking. The hfs_delete_inode()
> > will return error code pretty at the beginning of execution. So, it doesn't make
> > sense to call mark_inode_dirty() then. However, we already did a lot of activity
> > before hfs_delete_inode() call:
> >
> > static int hfs_remove(struct inode *dir, struct dentry *dentry)
> > {
> > struct inode *inode = d_inode(dentry);
> > int res;
> >
> > if (S_ISDIR(inode->i_mode) && inode->i_size != 2)
> > return -ENOTEMPTY;
> > res = hfs_cat_delete(inode->i_ino, dir, &dentry->d_name);
> > if (res)
> > return res;
> > clear_nlink(inode);
> > inode_set_ctime_current(inode);
> > hfs_delete_inode(inode);
> > mark_inode_dirty(inode);
> > return 0;
> > }
> >
> > So, not full executing of hfs_delete_inode() makes situation really bad.
> > Because, we deleted record from Catalog File but rejected of execution of
> > hfs_delete_inode() functionality.
> >
> > I am thinking that, maybe, better course of action is to check HFS_SB(sb)-
> > > folder_count and HFS_SB(sb)->file_count at the beginning of hfs_remove():
> >
> > static int hfs_remove(struct inode *dir, struct dentry *dentry)
> > {
> > struct inode *inode = d_inode(dentry);
> > int res;
> >
> > if (S_ISDIR(inode->i_mode) && inode->i_size != 2)
> > return -ENOTEMPTY;
> >
> > <<-- Check it here and return error
> >
> > res = hfs_cat_delete(inode->i_ino, dir, &dentry->d_name);
> > if (res)
> > return res;
> > clear_nlink(inode);
> > inode_set_ctime_current(inode);
> > hfs_delete_inode(inode);
> > mark_inode_dirty(inode);
> > return 0;
> > }
> >
>
> That sounds good. But maybe we should do the check even before the ENOTEMPTY check,
> as corruption detection is perhaps more interesting than informing that the operation
> cannot complete because of some other (less acute) reason.
>
If we are not going to call hfs_cat_delete() and hfs_delete_inode(), then it
doesn't need to check folder_count or file_count. So, this is why I've suggested
to place these checks after.
Again, we could have complete mess of in-core file system's data structures
because of bugs, memory issues or anything else. But if we prevent this state
from writing to the file system's volume, then no corruption of file system
volume will happen. So, we cannot say that file system volume corrupted if we
detected incorrect values of folder_count or/and file_count before write. But we
can say that file system volume could be corrupted if we read inconsistent state
of metadata from the volume.
> > In such case, we reject to make the removal, to return error and no activity
> > will happened. Let's move the check from hfs_delete_inode() to hfs_remove(). We
> > can ignore hfs_create() [1] and hfs_mkdir() [2] because these methods simply
> > processing erroneous situation.
> >
>
> One thing we can also do is what happens in ext4. We introduce an errors= mount option
> which can be set to readonly, panic, or continue depending on the desired behavior in
> case of serious error (like corruption). I already implemented this for minix fs, and
> the patch was fine. However, the people responsible for minix felt that it was more
> sensible to deprecate minix and write a FUSE driver for it. [1]
I had impression that HFS already has it. But even if it is not so, then it
sounds like another task. Let's don't mix the different problems into one
solution. Otherwise, we will have a huge patch.
>
> > > +#define EFSCORRUPTED EUCLEAN /* Filesystem is corrupted */
> >
> > I don't think that rename existing error code is good idea. Especially, because
> > we will not need the newly introduce error code's name. Please, see my comments
> > below.
> >
>
> For context, I took this from ext4.
I still don't see corruption here. :) Please, see my remarks above.
>
> > > --- a/fs/hfs/inode.c
> > > +++ b/fs/hfs/inode.c
> > > @@ -186,16 +186,22 @@ struct inode *hfs_new_inode(struct inode *dir, const struct qstr *name, umode_t
> > > s64 next_id;
> > > s64 file_count;
> > > s64 folder_count;
> > > + int err = -ENOMEM;
> > >
> > > if (!inode)
> > > - return NULL;
> > > + goto out_err;
> > > +
> > > + err = -EFSCORRUPTED;
> >
> > In 99% of cases, this logic will be called for file system internal logic when
> > mount was successful. So, file system volume is not corrupted. Even if we
> > suspect that volume is corrupted, then potential reason could be failed read (-
> > EIO). It needs to run FSCK tool to be sure that volume is really corrupted.
> >
>
> I get your point, maybe just warn for possible corruption?
We can consider this as corruption only for the case of mount operation. So, we
can share warning only if we are executing the mount operation. But
hfs_fill_super() is the right place for such warning then.
>
> > >
> > > mutex_init(&HFS_I(inode)->extents_lock);
> > > INIT_LIST_HEAD(&HFS_I(inode)->open_dir_list);
> > > spin_lock_init(&HFS_I(inode)->open_dir_lock);
> > > hfs_cat_build_key(sb, (btree_key *)&HFS_I(inode)->cat_key, dir->i_ino, name);
> > > next_id = atomic64_inc_return(&HFS_SB(sb)->next_id);
> > > - BUG_ON(next_id > U32_MAX);
> > > + if (next_id > U32_MAX) {
> > > + pr_err("next CNID exceeds limit — filesystem corrupted. It is recommended to run fsck\n");
> >
> > File system volume is not corrupted here. Because, it is only error of file
> > system logic. And we will not store this not correct number to the volume,
> > anyway. At minimum, we should protect the logic from doing this. And it doesn't
> > need to recommend to run FSCK tool here.
>
> What if e.g. next_id is not U32_MAX, but some other slightly smaller value, that's still
> not possible, correct? And then we find out not at mount time (at least not right now).
> Maybe we should just check at mount time and when the mdb is written if the values like
> file/folder_count and next_id make any sense. I think they indicate corruption even for
> much smaller values than U32_MAX, but I could not really distill that.
>
> If we have this, then the other BUG_ONs should not indicate corruption but implementation
> logic issues. Correct?
>
>
It's easy to make conclusion about inconsistent state of file/folder_count and
next_id if these values are U32_MAX. Otherwise, if it is smaller than U32_MAX
but still huge, then the check of these values correctness requires of checking
all of Catalog File's entries. Usually, we cannot afford of doing such check on
file system driver side. And this is responsibility of FSCK tool, usually.
Thanks,
Slava.
> > Probably, it makes sense to decrement erroneous back.
> >
> > Potentially, if we have such situation, maybe, it makes sense to consider to
> > make file system READ-ONLY. But I am not fully sure.
> >
>
> See my comment above.
>
> Thanks,
> Jori.
>
> [1] https://lkml.org/lkml/2025/10/28/1786
© 2016 - 2025 Red Hat, Inc.