From: Linus Torvalds <torvalds@linux-foundation.org>
Date: Mon, 13 Apr 2026 23:50:38 +0000 (-0700)
Subject: Merge tag 'hfs-v7.1-tag1' of git://git.kernel.org/pub/scm/linux/kernel/git/vdubeyko/hfs
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4d9981429aa61c31e67371ac09e7dbba6b59de14;p=thirdparty%2Fkernel%2Flinux.git

Merge tag 'hfs-v7.1-tag1' of git://git.kernel.org/pub/scm/linux/kernel/git/vdubeyko/hfs

Pull hfsplus updates from Viacheslav Dubeyko:
 "This contains several fixes of syzbot reported issues and HFS+ fixes
  of xfstests failures.

   - Fix a syzbot reported issue of a KMSAN uninit-value in
     hfsplus_strcasecmp().

     The root cause was that hfs_brec_read() doesn't validate that the
     on-disk record size matches the expected size for the record type
     being read. The fix introduced hfsplus_brec_read_cat() wrapper that
     validates the record size based on the type field and returns -EIO
     if size doesn't match (Deepanshu Kartikey)

   - Fix a syzbot reported issue of processing corrupted HFS+ images
     where the b-tree allocation bitmap indicates that the header node
     (Node 0) is free. Node 0 must always be allocated. Violating this
     invariant leads to allocator corruption, which cascades into kernel
     panics or undefined behavior.

     Prevent trusting a corrupted allocator state by adding a validation
     check during hfs_btree_open(). If corruption is detected, print a
     warning identifying the specific corrupted tree and force the
     filesystem to mount read-only (SB_RDONLY).

     This prevents kernel panics from corrupted images while enabling
     data recovery (Shardul Bankar)

   - Fix a potential deadlock in hfsplus_fill_super().

     hfsplus_fill_super() calls hfs_find_init() to initialize a search
     structure, which acquires tree->tree_lock. If the subsequent call
     to hfsplus_cat_build_key() fails, the function jumps to the
     out_put_root error label without releasing the lock.

     Fix this by adding the missing hfs_find_exit(&fd) call before
     jumping to the out_put_root error label. This ensures that
     tree->tree_lock is properly released on the error path (Zilin Guan)

   - Update a files ctime after rename in hfsplus_rename() (Yangtao Li)

  The rest of the patches introduce the HFS+ fixes for the case of
  generic/348, generic/728, generic/533, generic/523, and generic/642
  test-cases of xfstests suite"

* tag 'hfs-v7.1-tag1' of git://git.kernel.org/pub/scm/linux/kernel/git/vdubeyko/hfs:
  hfsplus: fix generic/642 failure
  hfsplus: rework logic of map nodes creation in xattr b-tree
  hfsplus: fix logic of alloc/free b-tree node
  hfsplus: fix error processing issue in hfs_bmap_free()
  hfsplus: fix potential race conditions in b-tree functionality
  hfsplus: extract hidden directory search into a helper function
  hfsplus: fix held lock freed on hfsplus_fill_super()
  hfsplus: fix generic/523 test-case failure
  hfsplus: validate b-tree node 0 bitmap at mount time
  hfsplus: refactor b-tree map page access and add node-type validation
  hfsplus: fix to update ctime after rename
  hfsplus: fix generic/533 test-case failure
  hfsplus: set ctime after setxattr and removexattr
  hfsplus: fix uninit-value by validating catalog record size
  hfsplus: fix potential Allocation File corruption after fsync
---

4d9981429aa61c31e67371ac09e7dbba6b59de14
diff --cc fs/hfsplus/attributes.c
index 174cd13106ad6,fa87496409c9b..7c2e589d45538
--- a/fs/hfsplus/attributes.c
+++ b/fs/hfsplus/attributes.c
@@@ -174,6 -183,9 +183,9 @@@ int hfsplus_attr_exists(struct inode *i
  	struct super_block *sb = inode->i_sb;
  	struct hfs_find_data fd;
  
 -	hfs_dbg("name %s, ino %ld\n",
++	hfs_dbg("name %s, ino %llu\n",
+ 		name ? name : NULL, inode->i_ino);
+ 
  	if (!HFSPLUS_SB(sb)->attr_tree)
  		return 0;
  
diff --cc fs/hfsplus/dir.c
index 054f6da460334,8ad73378ed644..47194370c2c5e
--- a/fs/hfsplus/dir.c
+++ b/fs/hfsplus/dir.c
@@@ -478,6 -478,9 +478,9 @@@ static int hfsplus_symlink(struct mnt_i
  	if (!inode)
  		goto out;
  
 -	hfs_dbg("dir->i_ino %lu, inode->i_ino %lu\n",
++	hfs_dbg("dir->i_ino %llu, inode->i_ino %llu\n",
+ 		dir->i_ino, inode->i_ino);
+ 
  	res = page_symlink(inode, symname, strlen(symname) + 1);
  	if (res)
  		goto out_err;
@@@ -526,6 -529,9 +529,9 @@@ static int hfsplus_mknod(struct mnt_idm
  	if (!inode)
  		goto out;
  
 -	hfs_dbg("dir->i_ino %lu, inode->i_ino %lu\n",
++	hfs_dbg("dir->i_ino %llu, inode->i_ino %llu\n",
+ 		dir->i_ino, inode->i_ino);
+ 
  	if (S_ISBLK(mode) || S_ISCHR(mode) || S_ISFIFO(mode) || S_ISSOCK(mode))
  		init_special_inode(inode, mode, rdev);
  
diff --cc fs/hfsplus/inode.c
index 02be32dc6833d,e8f359d69328d..d05891ec492e3
--- a/fs/hfsplus/inode.c
+++ b/fs/hfsplus/inode.c
@@@ -709,6 -720,15 +720,15 @@@ int hfsplus_cat_write_inode(struct inod
  					 sizeof(struct hfsplus_cat_file));
  	}
  
+ 	res = hfs_btree_write(tree);
+ 	if (res) {
 -		pr_err("b-tree write err: %d, ino %lu\n",
++		pr_err("b-tree write err: %d, ino %llu\n",
+ 		       res, inode->i_ino);
+ 		goto out;
+ 	}
+ 
+ 	set_bit(HFSPLUS_I_CAT_DIRTY,
+ 		&HFSPLUS_I(HFSPLUS_CAT_TREE_I(inode->i_sb))->flags);
  	set_bit(HFSPLUS_I_CAT_DIRTY, &HFSPLUS_I(inode)->flags);
  out:
  	hfs_find_exit(&fd);
diff --cc fs/hfsplus/super.c
index b3917249c206c,44635f92ada91..40a0feda716bf
--- a/fs/hfsplus/super.c
+++ b/fs/hfsplus/super.c
@@@ -153,10 -153,13 +153,13 @@@ static int hfsplus_system_write_inode(s
  	}
  	hfsplus_inode_write_fork(inode, fork);
  	if (tree) {
+ 		mutex_lock_nested(&tree->tree_lock,
+ 				  hfsplus_btree_lock_class(tree));
  		int err = hfs_btree_write(tree);
+ 		mutex_unlock(&tree->tree_lock);
  
  		if (err) {
 -			pr_err("b-tree write err: %d, ino %lu\n",
 +			pr_err("b-tree write err: %d, ino %llu\n",
  			       err, inode->i_ino);
  			return err;
  		}