[syzbot] kernel BUG in hfs_write_inode

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit: 65762d97e6fa Merge branch 'for-next/perf' into for-kernelci
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=14e324e3880000
kernel config: https://syzkaller.appspot.com/x/.config?x=56d0c7c3a2304e8f
dashboard link: https://syzkaller.appspot.com/bug?extid=97e301b4b82ae803d21b
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10983553880000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13315ebb880000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/52f702197b30/disk-65762d97.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/72189c2789ce/vmlinux-65762d97.xz
kernel image: https://storage.googleapis.com/syzbot-assets/ec0349196c98/Image-65762d97.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/6bfea2266b7f/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+97e301...@syzkaller.appspotmail.com

------------[ cut here ]------------
kernel BUG at fs/hfs/inode.c:446!
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 347 Comm: kworker/u4:3 Not tainted 6.1.0-rc6-syzkaller-32653-g65762d97e6fa #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/30/2022
Workqueue: writeback wb_workfn (flush-7:0)
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : hfs_write_inode+0x44c/0x450 fs/hfs/inode.c:446
lr : hfs_write_inode+0x44c/0x450 fs/hfs/inode.c:446
sp : ffff800012f9b960
x29: ffff800012f9ba10 x28: ffff0000cb9013e0 x27: ffff0000cb901358
x26: 0000000000000021 x25: 0000000000000007 x24: ffff0000cb9013e0
x23: 0000000000000003 x22: 0000000000000000 x21: ffff800012f9b9a0
x20: 0000000000000000 x19: ffff0000cb901358 x18: 00000000000000c0
x17: ffff80000dda8198 x16: 0000000000000000 x15: 0000000000000000
x14: 0000000000000000 x13: 0000000000000004 x12: ffff80000d51b008
x11: ff80800008903460 x10: 0000000000000000 x9 : ffff800008903460
x8 : ffff0000c4048000 x7 : ffff80000862d114 x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000
x2 : 0000000000000001 x1 : ffff80000d51afe0 x0 : 0000000000000000
Call trace:
hfs_write_inode+0x44c/0x450 fs/hfs/inode.c:446
write_inode fs/fs-writeback.c:1440 [inline]
__writeback_single_inode+0x240/0x2e4 fs/fs-writeback.c:1652
writeback_sb_inodes+0x3e4/0x85c fs/fs-writeback.c:1870
wb_writeback+0x198/0x328 fs/fs-writeback.c:2044
wb_do_writeback+0xc8/0x384 fs/fs-writeback.c:2187
wb_workfn+0x70/0x15c fs/fs-writeback.c:2227
process_one_work+0x2d8/0x504 kernel/workqueue.c:2289
worker_thread+0x340/0x610 kernel/workqueue.c:2436
kthread+0x12c/0x158 kernel/kthread.c:376
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:863
Code: d4210000 17ffff98 94ddff99 97e6893f (d4210000)
---[ end trace 0000000000000000 ]---


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

[Alex Sebastian]

There is no problem in 5.11.0-rc1.When hfs mounted, the sb->next_id readed from mdb->drNxtCNID is 16. But using disk image of this bug to test, I found the sb->next_id is 0. 

So, the i_ino number of first created  inode is 0 which causes the problem. The first used cnid must be 16, which defined as HFS_FIRSTUSER_CNID.

I don't know why it is 0. I will test hfs driver using 6.10-rc1.

[Alex Sebastian]

This is the problem of test environment. I puff the compressed hfs file `mounted_in_repo`, the four bytes starts from 1054 is "00 00 00 00". This means that cnid is not initialized to HFS_FIRSTUSER_CNID.

[George Anthony Vernon]

On Fri, Nov 25, 2022 at 01:45:41AM -0800, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 65762d97e6fa Merge branch 'for-next/perf' into for-kernelci
> git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
> console output: https://syzkaller.appspot.com/x/log.txt?x=14e324e3880000
> kernel config: https://syzkaller.appspot.com/x/.config?x=56d0c7c3a2304e8f
> dashboard link: https://syzkaller.appspot.com/bug?extid=97e301b4b82ae803d21b
> compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
> userspace arch: arm64
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10983553880000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13315ebb880000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/52f702197b30/disk-65762d97.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/72189c2789ce/vmlinux-65762d97.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/ec0349196c98/Image-65762d97.gz.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/6bfea2266b7f/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+97e301...@syzkaller.appspotmail.com
>

I simplified the reproducer previously while working on a patch for this bug and found it no longer reproduces on mainline. I just want to sanity check this by testing mainline with syzbot's repro:

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.17

Thanks,

George

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in hfs_write_inode

------------[ cut here ]------------
kernel BUG at fs/hfs/inode.c:444!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 1 UID: 0 PID: 1438 Comm: kworker/u8:9 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025

Workqueue: writeback wb_workfn (flush-7:0)

RIP: 0010:hfs_write_inode+0x7c8/0x7d0 fs/hfs/inode.c:444
Code: c1 40 c2 05 99 80 e1 07 80 c1 03 38 c1 0f 8c 7d fe ff ff 48 c7 c7 40 c2 05 99 e8 e3 dc 8c ff e9 6c fe ff ff e8 a9 96 2d ff 90 <0f> 0b 66 0f 1f 44 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffc9000534f180 EFLAGS: 00010293
RAX: ffffffff8290d517 RBX: ffff8880323301c8 RCX: ffff88802787d940
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc9000534f310 R08: ffff88802787d940 R09: 0000000000000003
R10: 0000000000000100 R11: 0000000000000004 R12: dffffc0000000000
R13: 1ffff92000a69e34 R14: ffff888032330188 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8881269bc000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ff2f4ecb000 CR3: 0000000036660000 CR4: 00000000003526f0
Call Trace:
<TASK>
write_inode fs/fs-writeback.c:1525 [inline]
__writeback_single_inode+0x6f1/0x1000 fs/fs-writeback.c:1745
writeback_sb_inodes+0x6b7/0xf60 fs/fs-writeback.c:1976
wb_writeback+0x43b/0xaf0 fs/fs-writeback.c:2156
wb_do_writeback fs/fs-writeback.c:2303 [inline]
wb_workfn+0x40e/0xf00 fs/fs-writeback.c:2343
process_one_work kernel/workqueue.c:3236 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3319
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x436/0x7d0 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Modules linked in:

---[ end trace 0000000000000000 ]---

RIP: 0010:hfs_write_inode+0x7c8/0x7d0 fs/hfs/inode.c:444
Code: c1 40 c2 05 99 80 e1 07 80 c1 03 38 c1 0f 8c 7d fe ff ff 48 c7 c7 40 c2 05 99 e8 e3 dc 8c ff e9 6c fe ff ff e8 a9 96 2d ff 90 <0f> 0b 66 0f 1f 44 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffc9000534f180 EFLAGS: 00010293
RAX: ffffffff8290d517 RBX: ffff8880323301c8 RCX: ffff88802787d940
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc9000534f310 R08: ffff88802787d940 R09: 0000000000000003
R10: 0000000000000100 R11: 0000000000000004 R12: dffffc0000000000
R13: 1ffff92000a69e34 R14: ffff888032330188 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8881269bc000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ff2f4ecb000 CR3: 0000000036660000 CR4: 00000000003526f0


Tested on:

commit: e5f0a698 Linux 6.17
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.17
console output: https://syzkaller.appspot.com/x/log.txt?x=13b28458580000
kernel config: https://syzkaller.appspot.com/x/.config?x=f5b21423ca3f0a96
dashboard link: https://syzkaller.appspot.com/bug?extid=97e301b4b82ae803d21b
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

Note: no patches were applied.

[George Anthony Vernon]

On Thu, Oct 02, 2025 at 09:31:03AM -0700, syzbot wrote:
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> kernel BUG in hfs_write_inode
>
> ------------[ cut here ]------------
> kernel BUG at fs/hfs/inode.c:444!

Attaching a patch since I'm failing to reproduce locally on mainline.

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+97e301...@syzkaller.appspotmail.com
Tested-by: syzbot+97e301...@syzkaller.appspotmail.com

Tested on:

commit: e5f0a698 Linux 6.17
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.17

console output: https://syzkaller.appspot.com/x/log.txt?x=160acee2580000

kernel config: https://syzkaller.appspot.com/x/.config?x=f5b21423ca3f0a96
dashboard link: https://syzkaller.appspot.com/bug?extid=97e301b4b82ae803d21b
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

patch: https://syzkaller.appspot.com/x/patch.diff?x=11089334580000

Note: testing is done by a robot and is best-effort only.

[George Anthony Vernon]

#syz test

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+97e301...@syzkaller.appspotmail.com
Tested-by: syzbot+97e301...@syzkaller.appspotmail.com

Tested on:

commit: 24d9e8b3 Merge tag 'slab-for-6.18' of git://git.kernel..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1472aa7c580000
kernel config: https://syzkaller.appspot.com/x/.config?x=e9442f6915cec8b7

dashboard link: https://syzkaller.appspot.com/bug?extid=97e301b4b82ae803d21b
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

patch: https://syzkaller.appspot.com/x/patch.diff?x=13c8d942580000