Bug: general protection fault in hfs_find_init

From: Liebes Wang
Date: Wed Jan 08 2025 - 01:28:33 EST


Dear Linux maintainers and reviewers:

We are reporting a Linux kernel bug titled **general protection fault in hfs_find_init**, discovered using a modified version of Syzkaller.

Linux version: v6.12-rc6:59b723cd2adbac2a34fc8e12c74ae26ae45bf230 (crash is also reproduced in the latest kernel version)
The test case and kernel config are attached.

The report is (the full report is attached):

romfs: Mounting image 'rom 637cf1fa' through the block layer
Failed to initialize the IGMP autojoin socket (err -2)
loop3: detected capacity change from 0 to 64
loop2: detected capacity change from 0 to 32768
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000008: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000040-0x0000000000000047]
CPU: 0 UID: 0 PID: 5673 Comm: syz.3.293 Not tainted 6.12.0-rc6 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
BTRFS: device fsid 3a375e4e-b156-4d76-a2ad-16e198ce1409 devid 1 transid 8 /dev/loop2 (7:2) scanned by syz.2.285 (5641)
RIP: 0010:hfs_find_init+0x74/0x250 fs/hfs/bfind.c:21
Code: c1 ea 03 80 3c 02 00 0f 85 cc 01 00 00 4c 8d 6b 40 48 c7 45 18 00 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 7b 01 00 00 8b 43 40 be c0 0c
RSP: 0000:ff11000127a77508 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffa0000001ea8000
RDX: 0000000000000008 RSI: ffffffff820af265 RDI: ff11000127a77588
RBP: ff11000127a77570 R08: 0000000000000000 R09: fffffbfff102ee39
R10: 0000000000000000 R11: 1ffffffff13f9d42 R12: 0000000000000000
R13: 0000000000000040 R14: ff11000153282eca R15: ff11000127a77570
FS:  00007f27ad901700(0000) GS:ff110004ca800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fec757e3000 CR3: 000000012aeca001 CR4: 0000000000771ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 80000000
Call Trace:
 <TASK>
 hfs_ext_read_extent+0x190/0xa30 fs/hfs/extent.c:200
 hfs_get_block+0x4a1/0x830 fs/hfs/extent.c:366
 block_read_full_folio+0x314/0x8c0 fs/buffer.c:2401
 filemap_read_folio+0x48/0x1e0 mm/filemap.c:2367
 do_read_cache_folio+0x1d6/0x500 mm/filemap.c:3825
 do_read_cache_page mm/filemap.c:3891 [inline]
 read_cache_page+0x5d/0x140 mm/filemap.c:3900
 read_mapping_page include/linux/pagemap.h:1005 [inline]
 hfs_btree_open+0x66a/0x1690 fs/hfs/btree.c:78
 hfs_mdb_get+0x14a3/0x1f30 fs/hfs/mdb.c:199
 hfs_fill_super+0xb23/0x1540 fs/hfs/super.c:407
 mount_bdev+0x1e6/0x2d0 fs/super.c:1693
 legacy_get_tree+0x107/0x220 fs/fs_context.c:662
 vfs_get_tree+0x94/0x380 fs/super.c:1814
 do_new_mount fs/namespace.c:3507 [inline]
 path_mount+0x6b2/0x1eb0 fs/namespace.c:3834
 do_mount fs/namespace.c:3847 [inline]
 __do_sys_mount fs/namespace.c:4057 [inline]
 __se_sys_mount fs/namespace.c:4034 [inline]
 __x64_sys_mount+0x283/0x300 fs/namespace.c:4034
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xc1/0x1d0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Attachment: repro.c
Description: Binary data

Attachment: report0
Description: Binary data

Attachment: config
Description: Binary data
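Added example (not part of the bug report above, and not kernel code). The call trace shows the extents overflow B-tree being opened from hfs_mdb_get (hfs_btree_open, fs/hfs/btree.c:78), its first page being read through hfs_get_block, that read falling into hfs_ext_read_extent (fs/hfs/extent.c:200), and hfs_find_init then faulting on a NULL tree pointer (RBX is 0 and the KASAN range starts at 0x40). One condition consistent with that ordering, stated here as an assumption rather than a confirmed root cause, is an MDB whose inline extent record for the extents file (drXTExtRec) does not cover the blocks the tree's header page lives in, so that locating them requires the very tree that has not finished opening. The script below parses the classic HFS master directory block at byte 1024 of an image and reports whether the inline record covers the first page of the extents or catalog file; it models the hazard at allocation-block granularity and assumes a 4 KiB page. The two embedded images are constructed fixtures containing only an MDB; they are not mountable volumes and are not the attached reproducer.

```python
"""Inspect the HFS master directory block (MDB) of a disk image and report
whether a B-tree file's first page can be located from the inline extent
record alone. Added example; field layout follows the classic HFS MDB."""
import struct

MDB_OFFSET = 1024            # the MDB occupies the third 512-byte sector
HFS_SUPER_MAGIC = 0x4244     # drSigWord "BD"
PAGE_SIZE = 4096             # assumed page size for the model below

# Classic HFS MDB: big-endian, packed, 162 bytes.
MDB_FIELDS = [
    ("drSigWord", "H"), ("drCrDate", "I"), ("drLsMod", "I"), ("drAtrb", "H"),
    ("drNmFls", "H"), ("drVBMSt", "H"), ("drAllocPtr", "H"), ("drNmAlBlks", "H"),
    ("drAlBlkSiz", "I"), ("drClpSiz", "I"), ("drAlBlSt", "H"), ("drNxtCNID", "I"),
    ("drFreeBks", "H"), ("drVN", "28s"), ("drVolBkUp", "I"), ("drVSeqNum", "H"),
    ("drWrCnt", "I"), ("drXTClpSiz", "I"), ("drCTClpSiz", "I"), ("drNmRtDirs", "H"),
    ("drFilCnt", "I"), ("drDirCnt", "I"), ("drFndrInfo", "32s"),
    ("drEmbedSigWord", "H"), ("drEmbedExtent", "I"), ("drXTFlSize", "I"),
    ("drXTExtRec", "12s"), ("drCTFlSize", "I"), ("drCTExtRec", "12s"),
]
MDB_FMT = ">" + "".join(fmt for _, fmt in MDB_FIELDS)
MDB_SIZE = struct.calcsize(MDB_FMT)   # 162


def parse_extent_rec(raw):
    """An HFS extent record: three (start block, block count) u16 pairs."""
    vals = struct.unpack(">6H", raw)
    return [(vals[i], vals[i + 1]) for i in range(0, 6, 2)]


def parse_mdb(image):
    """Decode the MDB from a raw image; raises ValueError on a bad signature."""
    if len(image) < MDB_OFFSET + MDB_SIZE:
        raise ValueError("image too small to hold an MDB")
    vals = struct.unpack_from(MDB_FMT, image, MDB_OFFSET)
    mdb = dict(zip((name for name, _ in MDB_FIELDS), vals))
    if mdb["drSigWord"] != HFS_SUPER_MAGIC:
        raise ValueError("bad drSigWord 0x%04x" % mdb["drSigWord"])
    mdb["drXTExtRec"] = parse_extent_rec(mdb["drXTExtRec"])
    mdb["drCTExtRec"] = parse_extent_rec(mdb["drCTExtRec"])
    return mdb


def btree_bootstrap_check(mdb, which="XT"):
    """Model (an assumption, not kernel logic): blocks that lie inside the
    tree file but outside its inline extent record can only be found through
    the extents overflow tree. While that tree's own header page is being
    read, it is not open yet, so such a layout cannot be resolved safely.
    'which' is "XT" (extents file) or "CT" (catalog file)."""
    alblksiz = mdb["drAlBlkSiz"]
    if alblksiz == 0 or alblksiz & (alblksiz - 1):
        return {"ok": False, "reason": "drAlBlkSiz not a non-zero power of two"}
    size = mdb["dr%sFlSize" % which]
    extents = mdb["dr%sExtRec" % which]
    inline_blocks = sum(count for _, count in extents)
    file_blocks = -(-size // alblksiz)                 # ceil(size / alblksiz)
    page0_blocks = max(1, PAGE_SIZE // alblksiz)       # alloc blocks in page 0
    needed = min(file_blocks, page0_blocks)            # blocks page 0 really uses
    return {
        "ok": inline_blocks >= needed,
        "inline_blocks": inline_blocks,
        "file_blocks": file_blocks,
        "needed_for_page0": needed,
    }


def build_test_image(xt_extents, xt_size, alblksiz=4096):
    """Constructed fixture: 1024 zero bytes followed by a minimal MDB.
    Only the fields the check reads are populated; not a mountable volume."""
    vals = []
    for name, fmt in MDB_FIELDS:
        if name == "drSigWord":
            vals.append(HFS_SUPER_MAGIC)
        elif name == "drAlBlkSiz":
            vals.append(alblksiz)
        elif name == "drXTFlSize":
            vals.append(xt_size)
        elif name == "drXTExtRec":
            vals.append(struct.pack(">6H", *[v for ext in xt_extents for v in ext]))
        elif name == "drVN":
            vals.append(b"\x04test".ljust(28, b"\0"))   # Pascal-string volume name
        elif fmt.endswith("s"):
            vals.append(b"\0" * int(fmt[:-1]))
        else:
            vals.append(0)
    return b"\0" * MDB_OFFSET + struct.pack(MDB_FMT, *vals)


# Extents file of three 4 KiB blocks, fully described inline: page 0 resolvable.
HEALTHY = build_test_image([(3, 3), (0, 0), (0, 0)], xt_size=3 * 4096)
# Same file size, but an all-zero inline record: page 0 cannot be located
# without consulting the extents tree that is still being opened.
HAZARD = build_test_image([(0, 0), (0, 0), (0, 0)], xt_size=3 * 4096)

if __name__ == "__main__":
    for label, img in (("healthy", HEALTHY), ("hazard", HAZARD)):
        print(label, btree_bootstrap_check(parse_mdb(img)))
```

To run it against a real image, read the file into bytes and pass it to parse_mdb; a result with "ok": False for "XT" is the layout the model flags, and the same call with which="CT" applies the check to the catalog file.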