f39300149ccc starts bisection 2025-01-14 19:32:26.565810247 +0800 CST m=+33.212679098
bisecting cause commit starting from f443e374ae131c168a065ea1748feac6b2e76613
building syzkaller on HEAD
ensuring issue is reproducible on original commit f443e374ae131c168a065ea1748feac6b2e76613
testing commit f443e374ae131c168a065ea1748feac6b2e76613 gcc
compiler: gcc (Ubuntu 11.4.0-2ubuntu1~20.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.34
kernel signature: 2fe65d429f7adb0bf624183caa87657b65b9e45e4ada4b3b5209d266642bdecf
all runs: crashed: general protection fault in hfs_find_init
representative crash: general protection fault in hfs_find_init, types: [UNKNOWN]
check whether we can drop unnecessary instrumentation
disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit f443e374ae131c168a065ea1748feac6b2e76613 gcc
compiler: gcc (Ubuntu 11.4.0-2ubuntu1~20.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.34
kernel signature: f26053ded52fc6722b87928eed6738df0057536f4e61eaa3c30ff28db2ee9859
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init
representative crash: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init, types: [UNKNOWN]
the bug reproduces without the instrumentation
disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
kconfig minimization: base=4514 full=4514 leaves diff=0
split chunks (needed=false): <0>
split chunk #0 of len 0 into 3 parts
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
picked [v5.16 v5.15 v5.14 v5.12 v5.10 v5.8 v5.6 v5.4 v5.1 v4.19] out of 19 release tags
testing release v5.16
testing commit df0cc57e057f18e44dac8e6c18aba47ab53202f9 gcc
compiler: gcc (Ubuntu 11.4.0-2ubuntu1~20.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.34
kernel signature: df98e2a42a6e02e1dddcf195c69339134c28887db9abc8a2bc79708c301a319c
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init
representative crash: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init, types: [UNKNOWN]
testing release v5.15
testing commit 8bb7eca972ad531c9b149c0a51ab43a417385813 gcc
compiler: gcc-10.1.0 (Ubuntu 10.5.0-1ubuntu1~20.04) 10.5.0, GNU ld (GNU Binutils for Ubuntu) 2.34
kernel signature: 08deff4e372525d4f6a355047707bd5187d35e979fcbc3604579bc180d34b23f
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init
representative crash: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init, types: [UNKNOWN]
testing release v5.14
testing commit 7d2a07b769330c34b4deabeed939325c77a7ec2f gcc
compiler: gcc-10.1.0 (Ubuntu 10.5.0-1ubuntu1~20.04) 10.5.0, GNU ld (GNU Binutils for Ubuntu) 2.34
kernel signature: 13757e68663c5d0ef4b0116b7eef6658f00f95e4c64d2e9977f83e6cd0beb92d
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init
representative crash: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init, types: [UNKNOWN]
testing release v5.12
testing commit 9f4ad9e425a1d3b6a34617b8ea226d56a119a717 gcc
compiler: gcc-10.1.0 (Ubuntu 10.5.0-1ubuntu1~20.04) 10.5.0, GNU ld (GNU Binutils for Ubuntu) 2.34
kernel signature: aba06a7c6abb29ce47e6e7be772585b1199a0c74a5f60c0f58696d59b134ff96
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init
representative crash: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init, types: [UNKNOWN]
testing release v5.10
testing commit 2c85ebc57b3e1817b6ce1a6b703928e113a90442 gcc
compiler: gcc-10.1.0 (Ubuntu 10.5.0-1ubuntu1~20.04) 10.5.0, GNU ld (GNU Binutils for Ubuntu) 2.34
kernel signature: 7f4873787d237c93d54cd0e14a983c7bfddcde7ef65567d7f6303cea1fad4af0
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init
representative crash: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init, types: [UNKNOWN]
testing release v5.8
testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c gcc
compiler: gcc-8.1.0 (Ubuntu 8.4.0-3ubuntu2) 8.4.0, GNU ld (GNU Binutils for Ubuntu) 2.34
kernel signature: 927dfdc0b3b845de2d55b49905f8b314891ccacda74163d179dc5cca80be558b
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init
representative crash: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init, types: [UNKNOWN]
testing release v5.6
testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 gcc
compiler: gcc version 8.4.0 (Ubuntu 8.4.0-3ubuntu2)
kernel signature: b7284678907360dc5bace939cce80eb32407f40c9f3504f7ebbe9926ec9c789c
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init
representative crash: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init, types: [UNKNOWN]
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 gcc
compiler: gcc version 8.4.0 (Ubuntu 8.4.0-3ubuntu2)
kernel signature: fc5b7a7bfde55ae138599703db8b493fb597c33539c6c5f3e0281905cfbc05ca
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init
representative crash: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init, types: [UNKNOWN]
testing release v5.1
testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd gcc
compiler: gcc version 8.4.0 (Ubuntu 8.4.0-3ubuntu2)
kernel signature: 2744d0f74fdc04fce84fd16ff707c5ff0c9eb3bbbd74cdc48d8d7fee8e490410
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init
representative crash: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init, types: [UNKNOWN]
testing release v4.19
testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d gcc
compiler: gcc version 8.4.0 (Ubuntu 8.4.0-3ubuntu2)
kernel signature: ecb444a87e66c58ceef97bbe85ec803c27721358d42399d7f0bb2b121c1aac34
run #0: OK
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init
representative crash: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init, types: [UNKNOWN]
crash still not fixed/happens on the oldest tested release
revisions tested: 12, total time: 1h2m41.502879314s (build: 40m40.463690063s, test: 9m25.250531343s)
oldest tested release already had the bug or it had kernel test errors
commit msg: Linux 4.19
crash: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init
BUG: unable to handle kernel NULL pointer dereference at 0000000000000040
PGD 524f7a067 P4D 51fd0a067 PUD 521d30067 PMD 0
Oops: 0000 [#1] SMP NOPTI
CPU: 0 PID: 1327 Comm: syz-executor188 Not tainted 4.19.0-syzkaller #0
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:hfs_find_init+0x1d/0x60 fs/hfs/bfind.c:21
Code: fe ff ff ff eb 8d 90 90 90 90 90 90 90 f3 0f 1e fa 55 48 89 e5 41 54 49 89 f4 53 48 89 fb 48 89 7e 10 48 c7 46 18 00 00 00 00 <8b> 47 40 be c0 00 60 00 8d 7c 00 04 e8 c2 cc eb ff 48 85 c0 74 23
RSP: 0018:ffa000000476b9d8 EFLAGS: 00010202
RAX: ff1000052517fc00 RBX: 0000000000000000 RCX: 0000000000000004
RDX: 0000000000000000 RSI: ffa000000476b9f8 RDI: 0000000000000000
RBP: ffa000000476b9e8 R08: 0000000000000002 R09: 0000000000000001
R10: ffa000000476ba58 R11: 0000000000000002 R12: ffa000000476b9f8
R13: 0000000000000000 R14: ff1000051fd60000 R15: 0000000000000004
FS:  00007fcf10900880(0000) GS:ff1000052ba00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000040 CR3: 0000000520fdc005 CR4: 0000000000761ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 hfs_ext_read_extent+0x59/0x1a0 fs/hfs/extent.c:196
 hfs_get_block+0x160/0x230 fs/hfs/extent.c:360
 block_read_full_page+0xde/0x310 fs/buffer.c:2247
 hfs_readpage+0x17/0x20 fs/hfs/inode.c:38
 do_read_cache_page+0x155/0x2f0 mm/filemap.c:2805
 read_cache_page+0x14/0x20 mm/filemap.c:2893
 read_mapping_page include/linux/pagemap.h:402 [inline]
 hfs_btree_open+0x149/0x330 fs/hfs/btree.c:78
 hfs_mdb_get+0x4b7/0x5bf fs/hfs/mdb.c:193
 hfs_fill_super+0x343/0x5e0 fs/hfs/super.c:413
 mount_bdev+0x194/0x1c0 fs/super.c:1158
 hfs_mount+0x14/0x20 fs/hfs/super.c:463
 mount_fs+0x3c/0x15b fs/super.c:1261
 vfs_kern_mount.part.11+0x58/0x150 fs/namespace.c:961
 vfs_kern_mount fs/namespace.c:951 [inline]
 do_new_mount fs/namespace.c:2457 [inline]
 do_mount+0x212/0xde0 fs/namespace.c:2787
 ksys_mount+0xbd/0xe0 fs/namespace.c:3003
 __do_sys_mount fs/namespace.c:3017 [inline]
 __se_sys_mount fs/namespace.c:3014 [inline]
 __x64_sys_mount+0x24/0x30 fs/namespace.c:3014
 do_syscall_64+0x52/0x130 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7fcf0fe5b9ce
Code: 83 c4 08 5b 5d c3 66 0f 1f 44 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe16b6e418 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fcf10900840 RCX: 00007fcf0fe5b9ce
RDX: 0000000020000000 RSI: 00000000200000c0 RDI: 00007ffe16b6e430
RBP: 00007ffe16b6e430 R08: 00007ffe16b6e470 R09: 0000000000000250
R10: 0000000000018689 R11: 0000000000000286 R12: 00007ffe16b6e470
R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
CR2: 0000000000000040
---[ end trace 33ca680dc377fe73 ]---
RIP: 0010:hfs_find_init+0x1d/0x60 fs/hfs/bfind.c:21
Code: fe ff ff ff eb 8d 90 90 90 90 90 90 90 f3 0f 1e fa 55 48 89 e5 41 54 49 89 f4 53 48 89 fb 48 89 7e 10 48 c7 46 18 00 00 00 00 <8b> 47 40 be c0 00 60 00 8d 7c 00 04 e8 c2 cc eb ff 48 85 c0 74 23
RSP: 0018:ffa000000476b9d8 EFLAGS: 00010202
RAX: ff1000052517fc00 RBX: 0000000000000000 RCX: 0000000000000004
RDX: 0000000000000000 RSI: ffa000000476b9f8 RDI: 0000000000000000
RBP: ffa000000476b9e8 R08: 0000000000000002 R09: 0000000000000001
R10: ffa000000476ba58 R11: 0000000000000002 R12: ffa000000476b9f8
R13: 0000000000000000 R14: ff1000051fd60000 R15: 0000000000000004
FS:  00007fcf10900880(0000) GS:ff1000052ba00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000040 CR3: 0000000520fdc005 CR4: 0000000000761ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
----------------
Code disassembly (best guess), 4 bytes skipped:
   0:   eb 8d                   jmp    0xffffff8f
   2:   90                      nop
   3:   90                      nop
   4:   90                      nop
   5:   90                      nop
   6:   90                      nop
   7:   90                      nop
   8:   90                      nop
   9:   f3 0f 1e fa             endbr64
   d:   55                      push   %rbp
   e:   48 89 e5                mov    %rsp,%rbp
  11:   41 54                   push   %r12
  13:   49 89 f4                mov    %rsi,%r12
  16:   53                      push   %rbx
  17:   48 89 fb                mov    %rdi,%rbx
  1a:   48 89 7e 10             mov    %rdi,0x10(%rsi)
  1e:   48 c7 46 18 00 00 00    movq   $0x0,0x18(%rsi)
  25:   00
* 26:   8b 47 40                mov    0x40(%rdi),%eax <-- trapping instruction
  29:   be c0 00 60 00          mov    $0x6000c0,%esi
  2e:   8d 7c 00 04             lea    0x4(%rax,%rax,1),%edi
  32:   e8 c2 cc eb ff          callq  0xffebccf9
  37:   48 85 c0                test   %rax,%rax
  3a:   74 23                   je     0x5f