On 2025/07/25 7:05, Tetsuo Handa wrote:
>>> But I can't be convinced that above change is sufficient, for if I do
>>>
>>> +	static u8 serial;
>>> +	if (inode->i_ino < HFS_FIRSTUSER_CNID && ((1U << inode->i_ino) & bad_cnid_list))
>>> +		inode->i_ino = (serial++) % 16;
>>
>> I don't see the point in flags introduction. It makes logic very complicated.
>
> The point of this change is to exercise inode->i_ino for all values between 0 and 15.
> Some of the values between 0 and 15 must be valid as inode->i_ino, mustn't they? Then,

Background: I assume that the value of rec->dir.DirID comes from the hfs filesystem image in the
reproducer (i.e. the memfd file associated with /dev/loop0). But since I don't know the offset to modify
the value if I want the reproducer to pass rec->dir.DirID == 1...15 instead of rec->dir.DirID == 0,
I am modifying inode->i_ino here when rec->dir.DirID == 0.

>
>>
>>>
>>> instead of
>>>
>>> +	if (inode->i_ino < HFS_FIRSTUSER_CNID && ((1U << inode->i_ino) & bad_cnid_list))
>>> +		make_bad_inode(inode);
>>>
>>> , the reproducer still hits BUG() for 0, 1, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14 and 15
>>> because hfs_write_inode() handles only 2, 3 and 4.
>>>
>>
>> How can we go into hfs_write_inode() if we created the bad inode for invalid
>> inode ID? How is it possible?

Calling make_bad_inode() for some of the values between 0...15 at hfs_read_inode() will prevent that inode
from going into hfs_write_inode(). But for the values between 0...15 for which make_bad_inode() was not
called at hfs_read_inode(), nothing prevents that inode from going into hfs_write_inode(). Since
hfs_write_inode() calls BUG() for values 0...15 except 2...4, any value between 0...15 except 2...4 for
which make_bad_inode() was not called at hfs_read_inode() will hit BUG(). If we don't remove BUG(), the
values for which hfs_read_inode() does not need to call make_bad_inode() will be limited to only 2...4.
And since you say that hfs_read_inode() should call make_bad_inode() for 3...4, the only value
hfs_read_inode() can accept (from the point of view of avoiding hitting BUG() in hfs_write_inode()) will be 2.

>
> are all of 0, 1, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14 and 15 invalid values for hfs_read_inode() ?
>
> If all of 0, 1, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14 and 15 are invalid values for hfs_read_inode(),
> and 3 and 4 are also invalid values for hfs_read_inode(), hfs_read_inode() would accept only 2.
> Something is crazily wrong.
>
> Can we really filter some of the values between 0 and 15 at hfs_read_inode() ?
> Can the attempt to filter some of the values between 0 and 15 at hfs_read_inode() make sense, without the attempt to remove BUG() from hfs_write_inode() ?

I think that we need to remove BUG() from hfs_write_inode(), even if you try to filter at hfs_read_inode().
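The argument above, that a read-side filter alone leaves every unfiltered reserved CNID on the path to BUG() unless hfs_write_inode() stops crashing on values it does not handle, can be checked with a small user-space model. This is an added example, not the kernel's code and not part of the thread: the CNID constants follow fs/hfs/hfs.h, while the `model_` functions, the `bad_cnid_list` bitmask parameter (borrowed from the patch quoted above) and the -EIO stand-in for a removed BUG() are assumptions for illustration.

```c
/* Added example (not kernel code): models how a make_bad_inode() filter in
 * hfs_read_inode() interacts with the BUG() in hfs_write_inode(). */
#include <stdio.h>
#include <stdint.h>

/* Reserved catalog node ids, as named in fs/hfs/hfs.h. */
#define HFS_POR_CNID        1
#define HFS_ROOT_CNID       2
#define HFS_EXT_CNID        3
#define HFS_CAT_CNID        4
#define HFS_FIRSTUSER_CNID  16

enum { MODEL_OK = 0, MODEL_BAD_INODE = -1, MODEL_WOULD_BUG = -2 };
#define MODEL_EIO 5   /* numeric value of EIO on Linux, used as the error stand-in */

/* Read side: bad_cnid_list is a bitmask of reserved CNIDs that the
 * hypothetical hfs_read_inode() filter would hand to make_bad_inode(). */
static int model_read_filter(uint32_t bad_cnid_list, uint32_t ino)
{
    if (ino < HFS_FIRSTUSER_CNID && ((1U << ino) & bad_cnid_list))
        return MODEL_BAD_INODE;   /* stands in for make_bad_inode(inode) */
    return MODEL_OK;
}

/* Write side, shaped like the switch in hfs_write_inode(): only the root,
 * extents and catalog ids are handled; every other id below
 * HFS_FIRSTUSER_CNID is the case the thread says reaches BUG(). */
static int model_write_inode(uint32_t ino)
{
    if (ino >= HFS_FIRSTUSER_CNID)
        return MODEL_OK;          /* ordinary file or directory */
    switch (ino) {
    case HFS_ROOT_CNID:
    case HFS_EXT_CNID:
    case HFS_CAT_CNID:
        return MODEL_OK;
    default:
        return MODEL_WOULD_BUG;   /* the kernel's BUG() path */
    }
}

/* Write side with BUG() removed: an unexpected reserved id is reported
 * as an I/O error instead of crashing the kernel. */
static int model_write_inode_hardened(uint32_t ino)
{
    if (model_write_inode(ino) == MODEL_WOULD_BUG)
        return -MODEL_EIO;
    return MODEL_OK;
}

/* Walk every reserved CNID and return a bitmask of those that the read
 * filter lets through AND that the unmodified write side would BUG() on. */
static uint32_t model_reachable_bug_mask(uint32_t bad_cnid_list)
{
    uint32_t mask = 0;
    for (uint32_t ino = 0; ino < HFS_FIRSTUSER_CNID; ino++) {
        if (model_read_filter(bad_cnid_list, ino) != MODEL_OK)
            continue;             /* bad inode never reaches write_inode */
        if (model_write_inode(ino) == MODEL_WOULD_BUG)
            mask |= 1U << ino;
    }
    return mask;
}

int main(void)
{
    /* Filter only the extents and catalog ids, as proposed in the thread. */
    uint32_t filtered = (1U << HFS_EXT_CNID) | (1U << HFS_CAT_CNID);
    uint32_t mask = model_reachable_bug_mask(filtered);

    printf("CNIDs that pass the read filter but hit BUG() on write:");
    for (uint32_t ino = 0; ino < HFS_FIRSTUSER_CNID; ino++)
        if (mask & (1U << ino))
            printf(" %u", ino);
    printf("\n");
    return 0;
}
```

With only 3 and 4 filtered, the mask still contains 0, 1 and 5 through 15, which is exactly the list of ids the reproducer reports; the mask only becomes empty once every reserved id except 2 is filtered, which is the "accept only 2" outcome the thread calls wrong. Replacing the BUG() branch with an error return, as model_write_inode_hardened does, removes the crash regardless of what the read side filters.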