Re: [EXTERNAL] Re: [PATCH v2] hfs: prevent MDB and bitmap buffer_head aliasing

[Viacheslav Dubeyko]

On Fri, 2026-05-29 at 14:29 -0700, Viacheslav Dubeyko wrote:
> On Fri, 2026-05-29 at 18:34 +0800, Yue Sun wrote:
> > hfs_mdb_commit() writes the volume bitmap while HFS_SB(sb)->mdb_bh is
> > locked. A crafted image can set drVBMSt so that the bitmap block resolves
> > to the same buffer_head as the MDB. When writeback later calls
> > lock_buffer() for that bitmap block, the task tries to lock mdb_bh again
> > and self-deadlocks in __lock_buffer().
> > 
> > Reject images whose volume bitmap starts at or before the MDB during
> > mount. Also guard the bitmap writeback path itself: if the bitmap block
> > would resolve to mdb_bh, force the filesystem read-only and stop bitmap
> > writeback before taking the buffer lock. This keeps the deadlock fix in
> > the MDB commit path and reuses the existing bitmap size/writeback logic.
> > 
> > Reported-by: Yue Sun <samsun1006219@xxxxxxxxx>
> > Closes: https://urldefense.proofpoint.com/v2/url?u=https-3A__lore.kernel.org_all_CAEkJfYMB47v1yOWHB8q2dc8kf-3Duj-2DrLO-3D-2ByMyudwPguJ8Kd3jA-40mail.gmail.com_&d=DwIFaQ&c=BSDicqBQBDjDI9RkVyTcHQ&r=q5bIm4AXMzc8NJu1_RGmnQ2fMWKq4Y4RAkElvUgSs00&m=2ATrdgpvRdYnJfz2T53Ih3iQv6Y9wogU2Ba19prTYgchh1mh4KI7lo9TYLQnlu3X&s=S8XdWVW0SpxB05CfctrqCJtJEXqtWDfLNdtzPHIZAY8&e= 
> > Signed-off-by: Yue Sun <samsun1006219@xxxxxxxxx>
> > ---
> > Changes in v2:
> > - Add a commit-time guard before locking bitmap buffer_heads.
> > - Replace the mount-time byte-range check with a simple drVBMSt check.
> > - Reuse the existing bitmap writeback size calculation.
> > 
> >  fs/hfs/mdb.c | 10 ++++++++++
> >  1 file changed, 10 insertions(+)
> > 
> > diff --git a/fs/hfs/mdb.c b/fs/hfs/mdb.c
> > index a97cea35ca2e..53cd137892b5 100644
> > --- a/fs/hfs/mdb.c
> > +++ b/fs/hfs/mdb.c
> > @@ -185,6 +185,11 @@ int hfs_mdb_get(struct super_block *sb)
> >  		sb->s_flags |= SB_RDONLY;
> >  	}
> >  
> > +	if (be16_to_cpu(mdb->drVBMSt) <= HFS_MDB_BLK) {
> 
> Technically speaking, if we are trying to check the overlapping of volume bitmap
> with the main MDB record, then we need to check the overlapping with alternative
> MDB record, and with Catalog File and Extents Overflow File. However, it sounds
> like we are trying to add some FSCK logic here. :)
> 
> > +		pr_err("volume bitmap overlaps MDB\n");
> 
> This situation means volume corruption. It makes sense to recommend to run FSCK.
> 
> > +		return -EIO;
> 
> This code error is wrong because the read operation was OK. But we have
> corrupted volume. Even if we have overlapping of volume bitmap with MDB record,
> then we cannot reject mount operation. We must mount in READ-ONLY mode because,
> potentially, the rest of metadata could be completely OK. We simply cannot mount
> in RW mode.
> 
> > +	}
> > +
> >  	/* TRY to get the alternate (backup) MDB. */
> >  	sect = part_start + part_size - 2;
> >  	bh = sb_bread512(sb, sect, mdb2);
> > @@ -341,6 +346,11 @@ void hfs_mdb_commit(struct super_block *sb)
> >  		size = (HFS_SB(sb)->fs_ablocks + 7) / 8;
> >  		ptr = (u8 *)HFS_SB(sb)->bitmap;
> >  		while (size) {
> > +			if (unlikely(block == HFS_SB(sb)->mdb_bh->b_blocknr)) {
> > +				pr_err("volume bitmap overlaps MDB, forcing read-only\n");
> > +				sb->s_flags |= SB_RDONLY;
> > +				break;
> > +			}
> 
> At this point, we already wrote main MDB and alternative MDB to the volume.
> Theoretically, it is possible to imagine that if size of volume bitmap is big
> enough, then we could partially process the bitmap too. Probably, we need to
> check the overlapping at the beginning of the method and reject the whole
> superblock commit.
> 
> Initial issue was the deadlock. Could we implement some check that buffer_heads
> don't overlap before trying to lock? Does it make sense to you?
> 

By the way, I can see the deadlock in hfs_mdb_commit() even for completely valid
HFS volume during generic/013 test run. This issue takes place because folio
lock related issue. I remember that somebody has sent the patch related to this
issue but we haven't finished the discussion with some reasonable solution. I
think we need to rework the locking scheme:

diff --git a/fs/hfs/hfs_fs.h b/fs/hfs/hfs_fs.h
index 97e8d1f96d6d..919798eda0f8 100644
--- a/fs/hfs/hfs_fs.h
+++ b/fs/hfs/hfs_fs.h
@@ -64,6 +64,7 @@ struct hfs_inode_info {
  * The HFS-specific part of a Linux (struct super_block)
  */
 struct hfs_sb_info {
+	struct mutex mdb_lock;			/* MDB operations lock */
 	struct buffer_head *mdb_bh;		/* The hfs_buffer
 						   holding the real
 						   superblock (aka VIB
diff --git a/fs/hfs/mdb.c b/fs/hfs/mdb.c
index a97cea35ca2e..94497c155d29 100644
--- a/fs/hfs/mdb.c
+++ b/fs/hfs/mdb.c
@@ -291,9 +291,9 @@ void hfs_mdb_commit(struct super_block *sb)
 	if (sb_rdonly(sb))
 		return;
 
-	lock_buffer(HFS_SB(sb)->mdb_bh);
 	if (test_and_clear_bit(HFS_FLG_MDB_DIRTY, &HFS_SB(sb)->flags)) {
 		/* These parameters may have been modified, so write them back
*/
+		lock_buffer(HFS_SB(sb)->mdb_bh);
 		mdb->drLsMod = hfs_mtime();
 		mdb->drFreeBks = cpu_to_be16(HFS_SB(sb)->free_ablocks);
 		mdb->drNxtCNID =
@@ -304,6 +304,7 @@ void hfs_mdb_commit(struct super_block *sb)
 			cpu_to_be32((u32)atomic64_read(&HFS_SB(sb)-
>file_count));
 		mdb->drDirCnt =
 			cpu_to_be32((u32)atomic64_read(&HFS_SB(sb)-
>folder_count));
+		unlock_buffer(HFS_SB(sb)->mdb_bh);
 
 		/* write MDB to disk */
 		mark_buffer_dirty(HFS_SB(sb)->mdb_bh);
@@ -360,7 +361,6 @@ void hfs_mdb_commit(struct super_block *sb)
 			size -= len;
 		}
 	}
-	unlock_buffer(HFS_SB(sb)->mdb_bh);
 }
 
 void hfs_mdb_close(struct super_block *sb)
diff --git a/fs/hfs/super.c b/fs/hfs/super.c
index a466c401f6bb..5d4caf3ddda6 100644
--- a/fs/hfs/super.c
+++ b/fs/hfs/super.c
@@ -35,7 +35,11 @@ MODULE_LICENSE("GPL");
 static int hfs_sync_fs(struct super_block *sb, int wait)
 {
 	is_hfs_cnid_counts_valid(sb);
+
+	mutex_lock(&HFS_SB(sb)->mdb_lock);
 	hfs_mdb_commit(sb);
+	mutex_unlock(&HFS_SB(sb)->mdb_lock);
+
 	return 0;
 }
 
@@ -68,7 +72,9 @@ static void flush_mdb(struct work_struct *work)
 
 	is_hfs_cnid_counts_valid(sb);
 
+	mutex_lock(&sbi->mdb_lock);
 	hfs_mdb_commit(sb);
+	mutex_unlock(&sbi->mdb_lock);
 }
 
 void hfs_mark_mdb_dirty(struct super_block *sb)
@@ -339,9 +345,13 @@ static int hfs_fill_super(struct super_block *sb, struct
fs_context *fc)
 	sb->s_op = &hfs_super_operations;
 	sb->s_xattr = hfs_xattr_handlers;
 	sb->s_flags |= SB_NOATIME | SB_NODIRATIME;
+	mutex_init(&sbi->mdb_lock);
 	mutex_init(&sbi->bitmap_lock);
 
+	mutex_lock(&sbi->mdb_lock);
 	res = hfs_mdb_get(sb);
+	mutex_unlock(&sbi->mdb_lock);
+
 	if (res) {
 		if (!silent)
 			pr_warn("can't find a HFS filesystem on dev %s\n",

What do you think?

Thanks,
Slava.