[PATCH] hfs: return -EIO instead of BUG() in hfs_write_inode()

David Maximiliano Hermitte posted 1 patch 1 day, 12 hours ago
[PATCH] hfs: return -EIO instead of BUG() in hfs_write_inode()
Posted by David Maximiliano Hermitte 1 day, 12 hours ago
hfs: return -EIO instead of BUG() in hfs_write_inode()

A corrupted or otherwise malformed HFS filesystem image can reach the
default case in hfs_write_inode(). The current code calls BUG() there,
which turns an on-disk filesystem condition into a kernel crash.

Return -EIO instead. The function already has an error-return path at
that location, so this preserves the existing failure semantics while
avoiding a reachable kernel BUG.

The issue is reproducible with the public syzbot C reproducer linked
below. Before this change, the reproducer triggers a kernel BUG at
fs/hfs/inode.c with RIP in hfs_write_inode(). After this change, the
same reproducer no longer triggers kernel BUG, hfs_write_inode, KASAN,
Oops, Call Trace, or RIP evidence in the validation window.

Reported-by: syzbot+97e301b4b82ae803d21b@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=97e301b4b82ae803d21b
Tested-by: David Maximiliano Hermitte <davemadmaxxx@gmail.com>
Signed-off-by: David Maximiliano Hermitte <davemadmaxxx@gmail.com>
---
 fs/hfs/inode.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/fs/hfs/inode.c b/fs/hfs/inode.c
index 89b33a9d46d5..4192f660b64f 100644
--- a/fs/hfs/inode.c
+++ b/fs/hfs/inode.c
@@ -471,7 +471,6 @@ int hfs_write_inode(struct inode *inode, struct writeback_control *wbc)
 			hfs_btree_write(HFS_SB(inode->i_sb)->cat_tree);
 			return 0;
 		default:
-			BUG();
 			return -EIO;
 		}
 	}
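Review bot: with BUG() removed, the `default:` branch now returns -EIO silently, so a corrupted image that reaches it leaves no trace in the kernel log; consider adding a one-shot diagnostic (for example `WARN_ON_ONCE()` or a `pr_err`-style message naming the inode number) ahead of `return -EIO;` so the condition the commit message calls reproducible stays visible to administrators, and since the message describes on-disk metadata corruption, check whether -EFSCORRUPTED (the value other major filesystems return for corrupt metadata) is more appropriate here than a generic -EIO.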
Re: [PATCH] hfs: return -EIO instead of BUG() in hfs_write_inode()
Posted by Darrick J. Wong 1 day, 6 hours ago
On Sat, Jun 06, 2026 at 03:58:31PM +0000, David Maximiliano Hermitte wrote:
> hfs: return -EIO instead of BUG() in hfs_write_inode()
> 
> A corrupted or otherwise malformed HFS filesystem image can reach the
> default case in hfs_write_inode(). The current code calls BUG() there,
> which turns an on-disk filesystem condition into a kernel crash.
> 
> Return -EIO instead. The function already has an error-return path at
> that location, so this preserves the existing failure semantics while
> avoiding a reachable kernel BUG.
> 
> The issue is reproducible with the public syzbot C reproducer linked
> below. Before this change, the reproducer triggers a kernel BUG at
> fs/hfs/inode.c with RIP in hfs_write_inode(). After this change, the
> same reproducer no longer triggers kernel BUG, hfs_write_inode, KASAN,
> Oops, Call Trace, or RIP evidence in the validation window.
> 
> Reported-by: syzbot+97e301b4b82ae803d21b@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=97e301b4b82ae803d21b
> Tested-by: David Maximiliano Hermitte <davemadmaxxx@gmail.com>
> Signed-off-by: David Maximiliano Hermitte <davemadmaxxx@gmail.com>
> ---
>  fs/hfs/inode.c | 1 -
>  1 file changed, 1 deletion(-)
> 
> diff --git a/fs/hfs/inode.c b/fs/hfs/inode.c
> index 89b33a9d46d5..4192f660b64f 100644
> --- a/fs/hfs/inode.c
> +++ b/fs/hfs/inode.c
> @@ -471,7 +471,6 @@ int hfs_write_inode(struct inode *inode, struct writeback_control *wbc)
>  			hfs_btree_write(HFS_SB(inode->i_sb)->cat_tree);
>  			return 0;
>  		default:
> -			BUG();
>  			return -EIO;

If it's a metadata corruption, shouldn't you return EFSCORRUPTED like
the other major filesystems?

--D

>  		}
>  	}
>