romfs: Mounting image 'rom 637cf1fa' through the block layer
Failed to initialize the IGMP autojoin socket (err -2)
loop3: detected capacity change from 0 to 64
loop2: detected capacity change from 0 to 32768
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000008: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000040-0x0000000000000047]
CPU: 0 UID: 0 PID: 5673 Comm: syz.3.293 Not tainted 6.12.0-rc6 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
BTRFS: device fsid 3a375e4e-b156-4d76-a2ad-16e198ce1409 devid 1 transid 8 /dev/loop2 (7:2) scanned by syz.2.285 (5641)
RIP: 0010:hfs_find_init+0x74/0x250 fs/hfs/bfind.c:21
Code: c1 ea 03 80 3c 02 00 0f 85 cc 01 00 00 4c 8d 6b 40 48 c7 45 18 00 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 7b 01 00 00 8b 43 40 be c0 0c
RSP: 0000:ff11000127a77508 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffa0000001ea8000
RDX: 0000000000000008 RSI: ffffffff820af265 RDI: ff11000127a77588
RBP: ff11000127a77570 R08: 0000000000000000 R09: fffffbfff102ee39
R10: 0000000000000000 R11: 1ffffffff13f9d42 R12: 0000000000000000
R13: 0000000000000040 R14: ff11000153282eca R15: ff11000127a77570
FS:  00007f27ad901700(0000) GS:ff110004ca800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fec757e3000 CR3: 000000012aeca001 CR4: 0000000000771ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 80000000
Call Trace:
 hfs_ext_read_extent+0x190/0xa30 fs/hfs/extent.c:200
 hfs_get_block+0x4a1/0x830 fs/hfs/extent.c:366
 block_read_full_folio+0x314/0x8c0 fs/buffer.c:2401
 filemap_read_folio+0x48/0x1e0 mm/filemap.c:2367
 do_read_cache_folio+0x1d6/0x500 mm/filemap.c:3825
 do_read_cache_page mm/filemap.c:3891 [inline]
 read_cache_page+0x5d/0x140 mm/filemap.c:3900
 read_mapping_page include/linux/pagemap.h:1005 [inline]
 hfs_btree_open+0x66a/0x1690 fs/hfs/btree.c:78
 hfs_mdb_get+0x14a3/0x1f30 fs/hfs/mdb.c:199
 hfs_fill_super+0xb23/0x1540 fs/hfs/super.c:407
 mount_bdev+0x1e6/0x2d0 fs/super.c:1693
 legacy_get_tree+0x107/0x220 fs/fs_context.c:662
 vfs_get_tree+0x94/0x380 fs/super.c:1814
 do_new_mount fs/namespace.c:3507 [inline]
 path_mount+0x6b2/0x1eb0 fs/namespace.c:3834
 do_mount fs/namespace.c:3847 [inline]
 __do_sys_mount fs/namespace.c:4057 [inline]
 __se_sys_mount fs/namespace.c:4034 [inline]
 __x64_sys_mount+0x283/0x300 fs/namespace.c:4034
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xc1/0x1d0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f27aecafdde
Code: ff ff ff 64 c7 00 16 00 00 00 b8 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f27ad900988 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 000000000000024c RCX: 00007f27aecafdde
RDX: 0000000020000240 RSI: 0000000020000280 RDI: 00007f27ad9009e0
RBP: 00007f27ad900a20 R08: 00007f27ad900a20 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000020000240
R13: 0000000020000280 R14: 00007f27ad9009e0 R15: 0000000020000080
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:hfs_find_init+0x74/0x250 fs/hfs/bfind.c:21
Code: c1 ea 03 80 3c 02 00 0f 85 cc 01 00 00 4c 8d 6b 40 48 c7 45 18 00 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 7b 01 00 00 8b 43 40 be c0 0c
RSP: 0000:ff11000127a77508 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffa0000001ea8000
RDX: 0000000000000008 RSI: ffffffff820af265 RDI: ff11000127a77588
RBP: ff11000127a77570 R08: 0000000000000000 R09: fffffbfff102ee39
R10: 0000000000000000 R11: 1ffffffff13f9d42 R12: 0000000000000000
R13: 0000000000000040 R14: ff11000153282eca R15: ff11000127a77570
FS:  00007f27ad901700(0000) GS:ff110004ca800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fec757e3000 CR3: 000000012aeca001 CR4: 0000000000771ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 80000000
loop4: detected capacity change from 0 to 32768
BTRFS info (device loop2): first mount of filesystem 3a375e4e-b156-4d76-a2ad-16e198ce1409
BTRFS info (device loop2): using xxhash64 (xxhash64-generic) checksum algorithm
BTRFS info (device loop2): using free-space-tree
bcachefs (loop4): starting version 1.7: mi_btree_bitmap opts=errors=continue,metadata_checksum=none,data_checksum=none,compression=zstd,prjquota,nojournal_transaction_names,reconstruct_alloc
bcachefs (loop4): recovering from clean shutdown, journal seq 10
bcachefs (loop4): Doing compatible version upgrade from 1.7: mi_btree_bitmap to 1.13: inode_has_child_snapshots
 running recovery passes: check_allocations,check_inodes
bcachefs (loop4): dropping and reconstructing all alloc info
invalid bkey u64s 18 type inode_v3 0:1073741825:U32_MAX len 0 ver 0: (unpack error) invalid variable length fields: delete?, fixing
BTRFS info (device loop2): last unmount of filesystem 3a375e4e-b156-4d76-a2ad-16e198ce1409
bcachefs (loop4): accounting_read... done
bcachefs (loop4): alloc_read... done
bcachefs (loop4): stripes_read... done
bcachefs (loop4): snapshots_read... done
bcachefs (loop4): check_allocations...
btree ptr not marked in member info btree allocated bitmap
  u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq a22d880bb51b703b written 24 min_key POS_MIN durability: 1 ptr: 0:38:0 gen 0, fixing
loop1: detected capacity change from 0 to 32768
SELinux: security_context_str_to_sid (user_u) failed with errno=-22
btree ptr not marked in member info btree allocated bitmap
  u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq b5d608e41b3af1cf written 24 min_key POS_MIN durability: 1 ptr: 0:41:0 gen 0, fixing
btree ptr not marked in member info btree allocated bitmap
  u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 92b180ffcc5b04f1 written 16 min_key POS_MIN durability: 1 ptr: 0:35:0 gen 0, fixing
btree ptr not marked in member info btree allocated bitmap
  u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 8aae33f84eb959b0 written 16 min_key POS_MIN durability: 1 ptr: 0:32:0 gen 0, fixing
 done
bcachefs (loop4): going read-write
bcachefs (loop4): journal_replay... done
bcachefs (loop4): check_alloc_info... done
bcachefs (loop4): check_lrus... done
bcachefs (loop4): check_extents_to_backpointers... done
bcachefs (loop4): check_alloc_to_lru_refs... done
bcachefs (loop4): check_inodes... done
bcachefs (loop4): resume_logged_ops... done
bcachefs (loop4): delete_dead_inodes... done
Failed to initialize the IGMP autojoin socket (err -2)
loop6: detected capacity change from 0 to 262144
BTRFS: device fsid 7d22f6b8-9c5a-477d-9e45-049f0dda9b8d devid 1 transid 8 /dev/loop6 (7:6) scanned by syz.6.289 (5646)
BTRFS info (device loop6): first mount of filesystem 7d22f6b8-9c5a-477d-9e45-049f0dda9b8d
BTRFS info (device loop6): using crc32c (crc32c-generic) checksum algorithm
BTRFS info (device loop6): using free-space-tree
BTRFS warning (device loop6): checksum verify failed on logical 30437376 mirror 1 wanted 0x0c61c1ca found 0x6dfe26ee level 0
BTRFS warning (device loop6): checksum verify failed on logical 30420992 mirror 1 wanted 0x755c3ae6 found 0xbf10da2e level 0
BTRFS warning (device loop6): checksum verify failed on logical 30420992 mirror 2 wanted 0x755c3ae6 found 0xc91fd050 level 0
BTRFS warning (device loop6): failed to read fs tree: -5
BTRFS error (device loop6): open_ctree failed
bcachefs (loop4): shutdown complete, journal seq 33
----------------
Code disassembly (best guess):
   0:	c1 ea 03             	shr    $0x3,%edx
   3:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1)
   7:	0f 85 cc 01 00 00    	jne    0x1d9
   d:	4c 8d 6b 40          	lea    0x40(%rbx),%r13
  11:	48 c7 45 18 00 00 00 	movq   $0x0,0x18(%rbp)
  18:	00
  19:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  20:	fc ff df
  23:	4c 89 ea             	mov    %r13,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	0f b6 04 02          	movzbl (%rdx,%rax,1),%eax <-- trapping instruction
  2e:	84 c0                	test   %al,%al
  30:	74 08                	je     0x3a
  32:	3c 03                	cmp    $0x3,%al
  34:	0f 8e 7b 01 00 00    	jle    0x1b5
  3a:	8b 43 40             	mov    0x40(%rbx),%eax
  3d:	be                   	.byte 0xbe
  3e:	c0                   	.byte 0xc0
  3f:	0c                   	.byte 0xc