Dear Linux maintainers and reviewers:
We are reporting a Linux kernel bug titled **general protection fault in hfs_find_init**, discovered using a modified version of Syzkaller.
Linux version: v6.12-rc6:59b723cd2adbac2a34fc8e12c74ae26ae45bf230 (crash is also reproduced in the latest kernel version)
The test case and kernel config are attached.
The report is (the full report is attached):
romfs: Mounting image 'rom 637cf1fa' through the block layer
Failed to initialize the IGMP autojoin socket (err -2)
loop3: detected capacity change from 0 to 64
loop2: detected capacity change from 0 to 32768
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000008: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000040-0x0000000000000047]
CPU: 0 UID: 0 PID: 5673 Comm: syz.3.293 Not tainted 6.12.0-rc6 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
BTRFS: device fsid 3a375e4e-b156-4d76-a2ad-16e198ce1409 devid 1 transid 8 /dev/loop2 (7:2) scanned by syz.2.285 (5641)
RIP: 0010:hfs_find_init+0x74/0x250 fs/hfs/bfind.c:21
Code: c1 ea 03 80 3c 02 00 0f 85 cc 01 00 00 4c 8d 6b 40 48 c7 45 18 00 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 7b 01 00 00 8b 43 40 be c0 0c
RSP: 0000:ff11000127a77508 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffa0000001ea8000
RDX: 0000000000000008 RSI: ffffffff820af265 RDI: ff11000127a77588
RBP: ff11000127a77570 R08: 0000000000000000 R09: fffffbfff102ee39
R10: 0000000000000000 R11: 1ffffffff13f9d42 R12: 0000000000000000
R13: 0000000000000040 R14: ff11000153282eca R15: ff11000127a77570
FS: 00007f27ad901700(0000) GS:ff110004ca800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fec757e3000 CR3: 000000012aeca001 CR4: 0000000000771ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 80000000
Call Trace:
<TASK>
hfs_ext_read_extent+0x190/0xa30 fs/hfs/extent.c:200
hfs_get_block+0x4a1/0x830 fs/hfs/extent.c:366
block_read_full_folio+0x314/0x8c0 fs/buffer.c:2401
filemap_read_folio+0x48/0x1e0 mm/filemap.c:2367
do_read_cache_folio+0x1d6/0x500 mm/filemap.c:3825
do_read_cache_page mm/filemap.c:3891 [inline]
read_cache_page+0x5d/0x140 mm/filemap.c:3900
read_mapping_page include/linux/pagemap.h:1005 [inline]
hfs_btree_open+0x66a/0x1690 fs/hfs/btree.c:78
hfs_mdb_get+0x14a3/0x1f30 fs/hfs/mdb.c:199
hfs_fill_super+0xb23/0x1540 fs/hfs/super.c:407
mount_bdev+0x1e6/0x2d0 fs/super.c:1693
legacy_get_tree+0x107/0x220 fs/fs_context.c:662
vfs_get_tree+0x94/0x380 fs/super.c:1814
do_new_mount fs/namespace.c:3507 [inline]
path_mount+0x6b2/0x1eb0 fs/namespace.c:3834
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4057 [inline]
__se_sys_mount fs/namespace.c:4034 [inline]
__x64_sys_mount+0x283/0x300 fs/namespace.c:4034
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xc1/0x1d0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Attachments: repro.c, report0, config