[syzbot] [xfs?] KASAN: use-after-free Read in hpfs_bplus_lookup
4 views
Skip to first unread message
syzbot
Jan 16, 2026, 4:04:28 PM (7 days ago) Jan 16
to c...@kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, mik...@artax.karlin.mff.cuni.cz, syzkall...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: b71e635feefc Merge tag 'cgroup-for-6.19-rc5-fixes' of git:..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10efa99a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=7b058fb1d7dbe6b1
dashboard link: https://syzkaller.appspot.com/bug?extid=8debf4b3f7c7391cd8eb
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10cd15fa580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=152a4052580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/40abbbbc34a8/disk-b71e635f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/74edfb8073f7/vmlinux-b71e635f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3b5198043bfa/bzImage-b71e635f.xz
mounted in repro #1: https://storage.googleapis.com/syzbot-assets/7f1692afbc9c/mount_0.gz
fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=1609599a580000)
mounted in repro #2: https://storage.googleapis.com/syzbot-assets/d09b0f5dc58e/mount_2.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8debf4...@syzkaller.appspotmail.com
hpfs: filesystem error: invalid number of hotfixes: 2066844986, used: 2066844985; already mounted read-only
hpfs: filesystem error: improperly stopped
hpfs: filesystem error: warning: spare dnodes used, try chkdsk
hpfs: You really don't want any checks? You are crazy...
hpfs: hpfs_map_sector(): read error
hpfs: code page support is disabled
hpfs: filesystem error: map_dirent: not a directory
hpfs: hpfs_map_4sectors(): unaligned read
hpfs: filesystem error: unable to find root dir
==================================================================
BUG: KASAN: use-after-free in hpfs_bplus_lookup+0x4dc/0x860 fs/hpfs/anode.c:38
Read of size 4 at addr ffff888052abe004 by task syz.0.27/6198
CPU: 1 UID: 0 PID: 6198 Comm: syz.0.27 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
hpfs_bplus_lookup+0x4dc/0x860 fs/hpfs/anode.c:38
hpfs_bmap+0x22a/0x4d0 fs/hpfs/file.c:54
hpfs_get_block+0xa8/0x6e0 fs/hpfs/file.c:87
do_mpage_readpage+0x822/0x1990 fs/mpage.c:222
mpage_readahead+0x3b0/0x790 fs/mpage.c:371
read_pages+0x17a/0x580 mm/readahead.c:163
page_cache_ra_unbounded+0x68b/0x8c0 mm/readahead.c:302
filemap_get_pages+0x446/0x1ee0 mm/filemap.c:2690
filemap_read+0x3f9/0x11a0 mm/filemap.c:2800
__kernel_read+0x4d8/0x970 fs/read_write.c:530
integrity_kernel_read+0x89/0xd0 security/integrity/iint.c:28
ima_calc_file_hash_tfm security/integrity/ima/ima_crypto.c:480 [inline]
ima_calc_file_shash security/integrity/ima/ima_crypto.c:511 [inline]
ima_calc_file_hash+0x86a/0x1700 security/integrity/ima/ima_crypto.c:568
ima_collect_measurement+0x42e/0x900 security/integrity/ima/ima_api.c:293
process_measurement+0x112a/0x1a80 security/integrity/ima/ima_main.c:406
ima_file_check+0xd9/0x130 security/integrity/ima/ima_main.c:663
security_file_post_open+0xbb/0x290 security/security.c:2652
do_open fs/namei.c:4639 [inline]
path_openat+0x3472/0x3df0 fs/namei.c:4796
do_filp_open+0x1fa/0x410 fs/namei.c:4823
do_sys_openat2+0x121/0x200 fs/open.c:1430
do_sys_open fs/open.c:1436 [inline]
__do_sys_openat fs/open.c:1452 [inline]
__se_sys_openat fs/open.c:1447 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1447
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb59539f749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff3ac53cb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007fb5955f5fa0 RCX: 00007fb59539f749
RDX: 0000000000000000 RSI: 0000200000004280 RDI: ffffffffffffff9c
RBP: 00007fb595423f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fb5955f5fa0 R14: 00007fb5955f5fa0 R15: 0000000000000004
</TASK>
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x7fb58c615 pfn:0x52abe
flags: 0x80000000000000(node=0|zone=1)
raw: 0080000000000000 ffffea00014aafc8 ffff8880b8842d30 0000000000000000
raw: 00000007fb58c615 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO|__GFP_COMP), pid 6198, tgid 6198 (syz.0.27), ts 130045840131, free_ts 130049000115
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x234/0x290 mm/page_alloc.c:1857
prep_new_page mm/page_alloc.c:1865 [inline]
get_page_from_freelist+0x28c0/0x2960 mm/page_alloc.c:3915
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5210
alloc_pages_mpol+0xd1/0x380 mm/mempolicy.c:2486
folio_alloc_mpol_noprof mm/mempolicy.c:2505 [inline]
vma_alloc_folio_noprof+0xe4/0x280 mm/mempolicy.c:2540
folio_prealloc+0x30/0x180 mm/memory.c:-1
alloc_anon_folio mm/memory.c:5165 [inline]
do_anonymous_page mm/memory.c:5222 [inline]
do_pte_missing+0x86a/0x27a0 mm/memory.c:4399
handle_pte_fault mm/memory.c:6273 [inline]
__handle_mm_fault mm/memory.c:6411 [inline]
handle_mm_fault+0xcc1/0x1330 mm/memory.c:6580
do_user_addr_fault+0xa7c/0x1380 arch/x86/mm/fault.c:1336
handle_page_fault arch/x86/mm/fault.c:1476 [inline]
exc_page_fault+0x71/0xd0 arch/x86/mm/fault.c:1532
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
page last free pid 6198 tgid 6198 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1406 [inline]
free_unref_folios+0xc28/0x1810 mm/page_alloc.c:3000
folios_put_refs+0x569/0x670 mm/swap.c:1002
free_pages_and_swap_cache+0x4be/0x520 mm/swap_state.c:358
__tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline]
tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:397 [inline]
tlb_flush_mmu+0x3a0/0x680 mm/mmu_gather.c:404
tlb_finish_mmu+0xc3/0x1d0 mm/mmu_gather.c:497
vms_clear_ptes+0x42b/0x530 mm/vma.c:1238
vms_complete_munmap_vmas+0x206/0x8a0 mm/vma.c:1280
do_vmi_align_munmap+0x372/0x450 mm/vma.c:1539
do_vmi_munmap+0x253/0x2e0 mm/vma.c:1587
__vm_munmap+0x207/0x380 mm/vma.c:3203
__do_sys_munmap mm/mmap.c:1077 [inline]
__se_sys_munmap mm/mmap.c:1074 [inline]
__x64_sys_munmap+0x60/0x70 mm/mmap.c:1074
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff888052abdf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888052abdf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888052abe000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888052abe080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888052abe100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: b71e635feefc Merge tag 'cgroup-for-6.19-rc5-fixes' of git:..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10efa99a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=7b058fb1d7dbe6b1
dashboard link: https://syzkaller.appspot.com/bug?extid=8debf4b3f7c7391cd8eb
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10cd15fa580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=152a4052580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/40abbbbc34a8/disk-b71e635f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/74edfb8073f7/vmlinux-b71e635f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3b5198043bfa/bzImage-b71e635f.xz
mounted in repro #1: https://storage.googleapis.com/syzbot-assets/7f1692afbc9c/mount_0.gz
fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=1609599a580000)
mounted in repro #2: https://storage.googleapis.com/syzbot-assets/d09b0f5dc58e/mount_2.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8debf4...@syzkaller.appspotmail.com
hpfs: filesystem error: invalid number of hotfixes: 2066844986, used: 2066844985; already mounted read-only
hpfs: filesystem error: improperly stopped
hpfs: filesystem error: warning: spare dnodes used, try chkdsk
hpfs: You really don't want any checks? You are crazy...
hpfs: hpfs_map_sector(): read error
hpfs: code page support is disabled
hpfs: filesystem error: map_dirent: not a directory
hpfs: hpfs_map_4sectors(): unaligned read
hpfs: filesystem error: unable to find root dir
==================================================================
BUG: KASAN: use-after-free in hpfs_bplus_lookup+0x4dc/0x860 fs/hpfs/anode.c:38
Read of size 4 at addr ffff888052abe004 by task syz.0.27/6198
CPU: 1 UID: 0 PID: 6198 Comm: syz.0.27 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
hpfs_bplus_lookup+0x4dc/0x860 fs/hpfs/anode.c:38
hpfs_bmap+0x22a/0x4d0 fs/hpfs/file.c:54
hpfs_get_block+0xa8/0x6e0 fs/hpfs/file.c:87
do_mpage_readpage+0x822/0x1990 fs/mpage.c:222
mpage_readahead+0x3b0/0x790 fs/mpage.c:371
read_pages+0x17a/0x580 mm/readahead.c:163
page_cache_ra_unbounded+0x68b/0x8c0 mm/readahead.c:302
filemap_get_pages+0x446/0x1ee0 mm/filemap.c:2690
filemap_read+0x3f9/0x11a0 mm/filemap.c:2800
__kernel_read+0x4d8/0x970 fs/read_write.c:530
integrity_kernel_read+0x89/0xd0 security/integrity/iint.c:28
ima_calc_file_hash_tfm security/integrity/ima/ima_crypto.c:480 [inline]
ima_calc_file_shash security/integrity/ima/ima_crypto.c:511 [inline]
ima_calc_file_hash+0x86a/0x1700 security/integrity/ima/ima_crypto.c:568
ima_collect_measurement+0x42e/0x900 security/integrity/ima/ima_api.c:293
process_measurement+0x112a/0x1a80 security/integrity/ima/ima_main.c:406
ima_file_check+0xd9/0x130 security/integrity/ima/ima_main.c:663
security_file_post_open+0xbb/0x290 security/security.c:2652
do_open fs/namei.c:4639 [inline]
path_openat+0x3472/0x3df0 fs/namei.c:4796
do_filp_open+0x1fa/0x410 fs/namei.c:4823
do_sys_openat2+0x121/0x200 fs/open.c:1430
do_sys_open fs/open.c:1436 [inline]
__do_sys_openat fs/open.c:1452 [inline]
__se_sys_openat fs/open.c:1447 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1447
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb59539f749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff3ac53cb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007fb5955f5fa0 RCX: 00007fb59539f749
RDX: 0000000000000000 RSI: 0000200000004280 RDI: ffffffffffffff9c
RBP: 00007fb595423f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fb5955f5fa0 R14: 00007fb5955f5fa0 R15: 0000000000000004
</TASK>
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x7fb58c615 pfn:0x52abe
flags: 0x80000000000000(node=0|zone=1)
raw: 0080000000000000 ffffea00014aafc8 ffff8880b8842d30 0000000000000000
raw: 00000007fb58c615 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO|__GFP_COMP), pid 6198, tgid 6198 (syz.0.27), ts 130045840131, free_ts 130049000115
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x234/0x290 mm/page_alloc.c:1857
prep_new_page mm/page_alloc.c:1865 [inline]
get_page_from_freelist+0x28c0/0x2960 mm/page_alloc.c:3915
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5210
alloc_pages_mpol+0xd1/0x380 mm/mempolicy.c:2486
folio_alloc_mpol_noprof mm/mempolicy.c:2505 [inline]
vma_alloc_folio_noprof+0xe4/0x280 mm/mempolicy.c:2540
folio_prealloc+0x30/0x180 mm/memory.c:-1
alloc_anon_folio mm/memory.c:5165 [inline]
do_anonymous_page mm/memory.c:5222 [inline]
do_pte_missing+0x86a/0x27a0 mm/memory.c:4399
handle_pte_fault mm/memory.c:6273 [inline]
__handle_mm_fault mm/memory.c:6411 [inline]
handle_mm_fault+0xcc1/0x1330 mm/memory.c:6580
do_user_addr_fault+0xa7c/0x1380 arch/x86/mm/fault.c:1336
handle_page_fault arch/x86/mm/fault.c:1476 [inline]
exc_page_fault+0x71/0xd0 arch/x86/mm/fault.c:1532
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
page last free pid 6198 tgid 6198 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1406 [inline]
free_unref_folios+0xc28/0x1810 mm/page_alloc.c:3000
folios_put_refs+0x569/0x670 mm/swap.c:1002
free_pages_and_swap_cache+0x4be/0x520 mm/swap_state.c:358
__tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline]
tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:397 [inline]
tlb_flush_mmu+0x3a0/0x680 mm/mmu_gather.c:404
tlb_finish_mmu+0xc3/0x1d0 mm/mmu_gather.c:497
vms_clear_ptes+0x42b/0x530 mm/vma.c:1238
vms_complete_munmap_vmas+0x206/0x8a0 mm/vma.c:1280
do_vmi_align_munmap+0x372/0x450 mm/vma.c:1539
do_vmi_munmap+0x253/0x2e0 mm/vma.c:1587
__vm_munmap+0x207/0x380 mm/vma.c:3203
__do_sys_munmap mm/mmap.c:1077 [inline]
__se_sys_munmap mm/mmap.c:1074 [inline]
__x64_sys_munmap+0x60/0x70 mm/mmap.c:1074
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff888052abdf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888052abdf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888052abe000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888052abe080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888052abe100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Jan 16, 2026, 9:32:24 PM (7 days ago) Jan 16
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] hpfs: add buffer bounds validation in hpfs_bplus_lookup
Author: karti...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
When traversing the B+ tree in a corrupted HPFS filesystem, the btree
pointer obtained from GET_BTREE_PTR() may point outside the mapped
buffer's bounds if the on-disk data structures are malformed. This
leads to a use-after-free when accessing btree->u.external[i] as the
memory may have been freed and reallocated.
Additionally, a corrupted n_used_nodes value can cause out-of-bounds
array access when iterating through btree->u.internal[] or
btree->u.external[] arrays.
Add validation to ensure:
1. The btree pointer stays within the mapped buffer boundaries
2. The n_used_nodes value is within reasonable limits
This prevents KASAN-detected use-after-free when processing malicious
HPFS filesystem images.
Reported-by: syzbot+8debf4...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8debf4b3f7c7391cd8eb
Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---
fs/hpfs/anode.c | XX insertions(+), X deletions(-)
diff --git a/fs/hpfs/anode.c b/fs/hpfs/anode.c
index XXXXXXX..YYYYYYY 100644
--- a/fs/hpfs/anode.c
+++ b/fs/hpfs/anode.c
@@ -XX,6 +XX,16 @@ secno hpfs_bplus_lookup(struct super_block *s, struct inode *inode,
brelse(bh);
if (!(anode = hpfs_map_anode(s
---
fs/hpfs/anode.c | 74 +++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 71 insertions(+), 3 deletions(-)
diff --git a/fs/hpfs/anode.c b/fs/hpfs/anode.c
index a4f5321eafae..826e2142223b 100644
--- a/fs/hpfs/anode.c
+++ b/fs/hpfs/anode.c
@@ -19,25 +19,87 @@ secno hpfs_bplus_lookup(struct super_block *s, struct inode *inode,
struct anode *anode;
int i;
int c1, c2 = 0;
+
+ printk(KERN_DEBUG "hpfs_bplus_lookup: ENTRY btree=%px bh=%px sec=%u\n",
+ btree, bh, sec);
+
go_down:
if (hpfs_sb(s)->sb_chk) if (hpfs_stop_cycles(s, a, &c1, &c2, "hpfs_bplus_lookup")) return -1;
+
+ printk(KERN_DEBUG "hpfs_bplus_lookup: go_down - btree=%px bh=%px internal=%d n_used_nodes=%u\n",
+ btree, bh, bp_internal(btree), btree->n_used_nodes);
+
if (bp_internal(btree)) {
- for (i = 0; i < btree->n_used_nodes; i++)
+ printk(KERN_DEBUG "hpfs_bplus_lookup: Processing INTERNAL node\n");
+ for (i = 0; i < btree->n_used_nodes; i++) {
+ printk(KERN_DEBUG "hpfs_bplus_lookup: internal[%d] file_secno=%u looking_for=%u\n",
+ i, le32_to_cpu(btree->u.internal[i].file_secno), sec);
+
if (le32_to_cpu(btree->u.internal[i].file_secno) > sec) {
a = le32_to_cpu(btree->u.internal[i].down);
+
+ printk(KERN_DEBUG "hpfs_bplus_lookup: Found match, going down to anode=%08x\n", a);
+ printk(KERN_DEBUG "hpfs_bplus_lookup: BEFORE brelse - bh=%px btree=%px\n", bh, btree);
+
brelse(bh);
- if (!(anode = hpfs_map_anode(s, a, &bh))) return -1;
+
+ printk(KERN_DEBUG "hpfs_bplus_lookup: AFTER brelse - calling hpfs_map_anode\n");
+
+ if (!(anode = hpfs_map_anode(s, a, &bh))) {
+ printk(KERN_ERR "hpfs_bplus_lookup: hpfs_map_anode FAILED for anode=%08x\n", a);
+ return -1;
+ }
+
+ printk(KERN_DEBUG "hpfs_bplus_lookup: hpfs_map_anode SUCCESS - new_bh=%px anode=%px\n", bh, anode);
+
btree = GET_BTREE_PTR(&anode->btree);
+ /* Validate btree pointer is within buffer bounds */
+ if ((unsigned long)btree < (unsigned long)bh->b_data ||
+ (unsigned long)btree + sizeof(*btree) > (unsigned long)bh->b_data + bh->b_size) {
+ printk(KERN_ERR "hpfs_bplus_lookup: INVALID btree pointer! btree=%px buf_start=%px buf_end=%px\n",
+ btree, bh->b_data, (void *)((unsigned long)bh->b_data + bh->b_size));
+ brelse(bh);
+ return -1;
+ }
+
+ /* Validate n_used_nodes is reasonable */
+ if (btree->n_used_nodes > 100) { /* Adjust based on actual max */
+ printk(KERN_ERR "hpfs_bplus_lookup: SUSPICIOUS n_used_nodes=%u (too large)\n",
+ btree->n_used_nodes);
+ brelse(bh);
+ return -1;
+ }
+ printk(KERN_DEBUG "hpfs_bplus_lookup: NEW btree=%px (from anode->btree)\n", btree);
+
goto go_down;
}
+ }
hpfs_error(s, "sector %08x not found in internal anode %08x", sec, a);
brelse(bh);
return -1;
}
- for (i = 0; i < btree->n_used_nodes; i++)
+
+ printk(KERN_DEBUG "hpfs_bplus_lookup: Processing EXTERNAL node - btree=%px bh=%px n_used_nodes=%u\n",
+ btree, bh, btree->n_used_nodes);
+
+ /* Add bounds checking */
+ printk(KERN_DEBUG "hpfs_bplus_lookup: Buffer bounds - bh->b_data=%px size=%zu btree=%px\n",
+ bh->b_data, bh->b_size, btree);
+
+ for (i = 0; i < btree->n_used_nodes; i++) {
+ printk(KERN_DEBUG "hpfs_bplus_lookup: external[%d] - accessing btree->u.external[%d] at %px\n",
+ i, i, &btree->u.external[i]);
+
+ /* This is line 38 - the crash point */
+ printk(KERN_DEBUG "hpfs_bplus_lookup: external[%d] - reading file_secno from %px\n",
+ i, &btree->u.external[i].file_secno);
+
if (le32_to_cpu(btree->u.external[i].file_secno) <= sec &&
le32_to_cpu(btree->u.external[i].file_secno) + le32_to_cpu(btree->u.external[i].length) > sec) {
a = le32_to_cpu(btree->u.external[i].disk_secno) + sec - le32_to_cpu(btree->u.external[i].file_secno);
+
+ printk(KERN_DEBUG "hpfs_bplus_lookup: FOUND external match - disk_secno=%u\n", a);
+
if (hpfs_sb(s)->sb_chk) if (hpfs_chk_sectors(s, a, 1, "data")) {
brelse(bh);
return -1;
@@ -49,10 +111,16 @@ secno hpfs_bplus_lookup(struct super_block *s, struct inode *inode,
hpfs_inode->i_n_secs = le32_to_cpu(btree->u.external[i].length);
}
brelse(bh);
+
+ printk(KERN_DEBUG "hpfs_bplus_lookup: EXIT SUCCESS - returning %u\n", a);
return a;
}
+ }
+
hpfs_error(s, "sector %08x not found in external anode %08x", sec, a);
brelse(bh);
+
+ printk(KERN_DEBUG "hpfs_bplus_lookup: EXIT FAILURE\n");
return -1;
}
--
2.43.0
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] hpfs: add buffer bounds validation in hpfs_bplus_lookup
Author: karti...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
When traversing the B+ tree in a corrupted HPFS filesystem, the btree
pointer obtained from GET_BTREE_PTR() may point outside the mapped
buffer's bounds if the on-disk data structures are malformed. This
leads to a use-after-free when accessing btree->u.external[i] as the
memory may have been freed and reallocated.
Additionally, a corrupted n_used_nodes value can cause out-of-bounds
array access when iterating through btree->u.internal[] or
btree->u.external[] arrays.
Add validation to ensure:
1. The btree pointer stays within the mapped buffer boundaries
2. The n_used_nodes value is within reasonable limits
This prevents KASAN-detected use-after-free when processing malicious
HPFS filesystem images.
Reported-by: syzbot+8debf4...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8debf4b3f7c7391cd8eb
Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---
fs/hpfs/anode.c | XX insertions(+), X deletions(-)
diff --git a/fs/hpfs/anode.c b/fs/hpfs/anode.c
index XXXXXXX..YYYYYYY 100644
--- a/fs/hpfs/anode.c
+++ b/fs/hpfs/anode.c
@@ -XX,6 +XX,16 @@ secno hpfs_bplus_lookup(struct super_block *s, struct inode *inode,
brelse(bh);
if (!(anode = hpfs_map_anode(s
---
fs/hpfs/anode.c | 74 +++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 71 insertions(+), 3 deletions(-)
diff --git a/fs/hpfs/anode.c b/fs/hpfs/anode.c
index a4f5321eafae..826e2142223b 100644
--- a/fs/hpfs/anode.c
+++ b/fs/hpfs/anode.c
@@ -19,25 +19,87 @@ secno hpfs_bplus_lookup(struct super_block *s, struct inode *inode,
struct anode *anode;
int i;
int c1, c2 = 0;
+
+ printk(KERN_DEBUG "hpfs_bplus_lookup: ENTRY btree=%px bh=%px sec=%u\n",
+ btree, bh, sec);
+
go_down:
if (hpfs_sb(s)->sb_chk) if (hpfs_stop_cycles(s, a, &c1, &c2, "hpfs_bplus_lookup")) return -1;
+
+ printk(KERN_DEBUG "hpfs_bplus_lookup: go_down - btree=%px bh=%px internal=%d n_used_nodes=%u\n",
+ btree, bh, bp_internal(btree), btree->n_used_nodes);
+
if (bp_internal(btree)) {
- for (i = 0; i < btree->n_used_nodes; i++)
+ printk(KERN_DEBUG "hpfs_bplus_lookup: Processing INTERNAL node\n");
+ for (i = 0; i < btree->n_used_nodes; i++) {
+ printk(KERN_DEBUG "hpfs_bplus_lookup: internal[%d] file_secno=%u looking_for=%u\n",
+ i, le32_to_cpu(btree->u.internal[i].file_secno), sec);
+
if (le32_to_cpu(btree->u.internal[i].file_secno) > sec) {
a = le32_to_cpu(btree->u.internal[i].down);
+
+ printk(KERN_DEBUG "hpfs_bplus_lookup: Found match, going down to anode=%08x\n", a);
+ printk(KERN_DEBUG "hpfs_bplus_lookup: BEFORE brelse - bh=%px btree=%px\n", bh, btree);
+
brelse(bh);
- if (!(anode = hpfs_map_anode(s, a, &bh))) return -1;
+
+ printk(KERN_DEBUG "hpfs_bplus_lookup: AFTER brelse - calling hpfs_map_anode\n");
+
+ if (!(anode = hpfs_map_anode(s, a, &bh))) {
+ printk(KERN_ERR "hpfs_bplus_lookup: hpfs_map_anode FAILED for anode=%08x\n", a);
+ return -1;
+ }
+
+ printk(KERN_DEBUG "hpfs_bplus_lookup: hpfs_map_anode SUCCESS - new_bh=%px anode=%px\n", bh, anode);
+
btree = GET_BTREE_PTR(&anode->btree);
+ /* Validate btree pointer is within buffer bounds */
+ if ((unsigned long)btree < (unsigned long)bh->b_data ||
+ (unsigned long)btree + sizeof(*btree) > (unsigned long)bh->b_data + bh->b_size) {
+ printk(KERN_ERR "hpfs_bplus_lookup: INVALID btree pointer! btree=%px buf_start=%px buf_end=%px\n",
+ btree, bh->b_data, (void *)((unsigned long)bh->b_data + bh->b_size));
+ brelse(bh);
+ return -1;
+ }
+
+ /* Validate n_used_nodes is reasonable */
+ if (btree->n_used_nodes > 100) { /* Adjust based on actual max */
+ printk(KERN_ERR "hpfs_bplus_lookup: SUSPICIOUS n_used_nodes=%u (too large)\n",
+ btree->n_used_nodes);
+ brelse(bh);
+ return -1;
+ }
+ printk(KERN_DEBUG "hpfs_bplus_lookup: NEW btree=%px (from anode->btree)\n", btree);
+
goto go_down;
}
+ }
hpfs_error(s, "sector %08x not found in internal anode %08x", sec, a);
brelse(bh);
return -1;
}
- for (i = 0; i < btree->n_used_nodes; i++)
+
+ printk(KERN_DEBUG "hpfs_bplus_lookup: Processing EXTERNAL node - btree=%px bh=%px n_used_nodes=%u\n",
+ btree, bh, btree->n_used_nodes);
+
+ /* Add bounds checking */
+ printk(KERN_DEBUG "hpfs_bplus_lookup: Buffer bounds - bh->b_data=%px size=%zu btree=%px\n",
+ bh->b_data, bh->b_size, btree);
+
+ for (i = 0; i < btree->n_used_nodes; i++) {
+ printk(KERN_DEBUG "hpfs_bplus_lookup: external[%d] - accessing btree->u.external[%d] at %px\n",
+ i, i, &btree->u.external[i]);
+
+ /* This is line 38 - the crash point */
+ printk(KERN_DEBUG "hpfs_bplus_lookup: external[%d] - reading file_secno from %px\n",
+ i, &btree->u.external[i].file_secno);
+
if (le32_to_cpu(btree->u.external[i].file_secno) <= sec &&
le32_to_cpu(btree->u.external[i].file_secno) + le32_to_cpu(btree->u.external[i].length) > sec) {
a = le32_to_cpu(btree->u.external[i].disk_secno) + sec - le32_to_cpu(btree->u.external[i].file_secno);
+
+ printk(KERN_DEBUG "hpfs_bplus_lookup: FOUND external match - disk_secno=%u\n", a);
+
if (hpfs_sb(s)->sb_chk) if (hpfs_chk_sectors(s, a, 1, "data")) {
brelse(bh);
return -1;
@@ -49,10 +111,16 @@ secno hpfs_bplus_lookup(struct super_block *s, struct inode *inode,
hpfs_inode->i_n_secs = le32_to_cpu(btree->u.external[i].length);
}
brelse(bh);
+
+ printk(KERN_DEBUG "hpfs_bplus_lookup: EXIT SUCCESS - returning %u\n", a);
return a;
}
+ }
+
hpfs_error(s, "sector %08x not found in external anode %08x", sec, a);
brelse(bh);
+
+ printk(KERN_DEBUG "hpfs_bplus_lookup: EXIT FAILURE\n");
return -1;
}
--
2.43.0
syzbot
Jan 16, 2026, 9:40:03 PM (7 days ago) Jan 16
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
failed to apply patch:
checking file fs/hpfs/anode.c
patch: **** missing line number at line 4: @@ -XX,6 +XX,16 @@ secno hpfs_bplus_lookup(struct super_block *s, struct inode *inode,
Tested on:
commit: 39d33893 Merge tag 'drm-fixes-2026-01-16' of https://g..
git tree: upstream
syzbot tried to test the proposed patch but the build/boot failed:
failed to apply patch:
checking file fs/hpfs/anode.c
patch: **** missing line number at line 4: @@ -XX,6 +XX,16 @@ secno hpfs_bplus_lookup(struct super_block *s, struct inode *inode,
Tested on:
commit: 39d33893 Merge tag 'drm-fixes-2026-01-16' of https://g..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=7b058fb1d7dbe6b1
dashboard link: https://syzkaller.appspot.com/bug?extid=8debf4b3f7c7391cd8eb
compiler:
patch: https://syzkaller.appspot.com/x/patch.diff?x=15ee23fa580000
dashboard link: https://syzkaller.appspot.com/bug?extid=8debf4b3f7c7391cd8eb
compiler:
syzbot
Jan 16, 2026, 10:45:34 PM (7 days ago) Jan 16
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] hpfs: add buffer bounds validation in hpfs_bplus_lookup
Author: karti...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
When traversing the B+ tree in a corrupted HPFS filesystem, the btree
pointer obtained from GET_BTREE_PTR() may point outside the mapped
buffer's bounds if the on-disk data structures are malformed. This
leads to a use-after-free when accessing btree->u.external[i] as the
memory may have been freed and reallocated.
Additionally, a corrupted n_used_nodes value can cause out-of-bounds
array access when iterating through btree->u.internal[] or
btree->u.external[] arrays.
Add validation to ensure:
1. The btree pointer stays within the mapped buffer boundaries
2. The n_used_nodes value is within reasonable limits
This prevents KASAN-detected use-after-free when processing malicious
HPFS filesystem images.
Reported-by: syzbot+8debf4...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8debf4b3f7c7391cd8eb
---
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] hpfs: add buffer bounds validation in hpfs_bplus_lookup
Author: karti...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
When traversing the B+ tree in a corrupted HPFS filesystem, the btree
pointer obtained from GET_BTREE_PTR() may point outside the mapped
buffer's bounds if the on-disk data structures are malformed. This
leads to a use-after-free when accessing btree->u.external[i] as the
memory may have been freed and reallocated.
Additionally, a corrupted n_used_nodes value can cause out-of-bounds
array access when iterating through btree->u.internal[] or
btree->u.external[] arrays.
Add validation to ensure:
1. The btree pointer stays within the mapped buffer boundaries
2. The n_used_nodes value is within reasonable limits
This prevents KASAN-detected use-after-free when processing malicious
HPFS filesystem images.
Reported-by: syzbot+8debf4...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8debf4b3f7c7391cd8eb
fs/hpfs/anode.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/fs/hpfs/anode.c b/fs/hpfs/anode.c
index a4f5321eafae..7324ec22941a 100644
--- a/fs/hpfs/anode.c
+++ b/fs/hpfs/anode.c
@@ -28,6 +28,18 @@ secno hpfs_bplus_lookup(struct super_block *s, struct inode *inode,
brelse(bh);
if (!(anode = hpfs_map_anode(s, a, &bh))) return -1;
btree = GET_BTREE_PTR(&anode->btree);
+ if ((void *)btree < (void *)bh->b_data ||
+ (void *)btree + sizeof(*btree) > (void *)bh->b_data + bh->b_size) {
+ hpfs_error(s, "btree pointer out of bounds");
+ brelse(bh);
+ return -1;
+ }
+
+ if (btree->n_used_nodes > 60) {
+ return -1;
+ }
+
+ hpfs_error(s, "n_used_nodes=%u is suspiciously large", btree->n_used_nodes);
+ brelse(bh);
+ return -1;
+ }
goto go_down;
+ return -1;
+ }
}
hpfs_error(s, "sector %08x not found in internal anode %08x", sec, a);
--
hpfs_error(s, "sector %08x not found in internal anode %08x", sec, a);
2.43.0
syzbot
Jan 16, 2026, 11:14:05 PM (7 days ago) Jan 16
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in hpfs_bplus_lookup
hpfs: filesystem error: warning: spare dnodes used, try chkdsk
hpfs: You really don't want any checks? You are crazy...
hpfs: hpfs_map_sector(): read error
hpfs: code page support is disabled
hpfs: filesystem error: map_dirent: not a directory
hpfs: hpfs_map_4sectors(): unaligned read
hpfs: filesystem error: unable to find root dir
==================================================================
BUG: KASAN: use-after-free in hpfs_bplus_lookup+0x58c/0x9b0 fs/hpfs/anode.c:50
Read of size 4 at addr ffff8880521e8004 by task syz.0.17/6571
CPU: 1 UID: 0 PID: 6571 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
kasan_report+0x117/0x150 mm/kasan/report.c:595
hpfs_bplus_lookup+0x58c/0x9b0 fs/hpfs/anode.c:50
hpfs_bmap+0x230/0x4e0 fs/hpfs/file.c:54
hpfs_get_block+0xa8/0x6e0 fs/hpfs/file.c:87
do_mpage_readpage+0x801/0x1980 fs/mpage.c:222
mpage_readahead+0x407/0x830 fs/mpage.c:371
read_pages+0x193/0x5a0 mm/readahead.c:163
page_cache_ra_unbounded+0x68a/0x8c0 mm/readahead.c:302
filemap_get_pages+0x47c/0x1e60 mm/filemap.c:2690
filemap_read+0x44a/0x1240 mm/filemap.c:2800
__kernel_read+0x50d/0x9c0 fs/read_write.c:530
ima_collect_measurement+0x491/0x930 security/integrity/ima/ima_api.c:293
process_measurement+0x12ec/0x1cc0 security/integrity/ima/ima_main.c:406
ima_file_check+0xdf/0x130 security/integrity/ima/ima_main.c:663
security_file_post_open+0xb3/0x260 security/security.c:2652
do_open fs/namei.c:4639 [inline]
path_openat+0x350e/0x3e70 fs/namei.c:4796
do_filp_open+0x22d/0x490 fs/namei.c:4823
do_sys_openat2+0x12f/0x220 fs/open.c:1430
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fad6901aef9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fad6867e028 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007fad69285fa0 RCX: 00007fad6901aef9
flags: 0x80000000000000(node=0|zone=1)
raw: 0080000000000000 ffffea0001487748 ffffea0001487a48 0000000000000000
raw: 000000000000024d 0000000000000000 00000000ffffffff 0000000000000000
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x228/0x280 mm/page_alloc.c:1884
prep_new_page mm/page_alloc.c:1892 [inline]
get_page_from_freelist+0x28bb/0x2950 mm/page_alloc.c:3945
__alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5240
alloc_pages_mpol+0xd1/0x380 mm/mempolicy.c:2486
folio_alloc_mpol_noprof+0x39/0xe0 mm/mempolicy.c:2505
shmem_alloc_folio mm/shmem.c:1890 [inline]
shmem_alloc_and_add_folio mm/shmem.c:1932 [inline]
shmem_get_folio_gfp+0x644/0x1a80 mm/shmem.c:2556
shmem_get_folio mm/shmem.c:2662 [inline]
shmem_write_begin+0x166/0x320 mm/shmem.c:3315
generic_perform_write+0x2af/0x8b0 mm/filemap.c:4314
shmem_file_write_iter+0xfb/0x120 mm/shmem.c:3490
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x629/0xba0 fs/read_write.c:686
ksys_write+0x156/0x270 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 6498 tgid 6498 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1433 [inline]
free_unref_folios+0xc13/0x17f0 mm/page_alloc.c:3030
folios_put_refs+0x56f/0x680 mm/swap.c:1002
folio_batch_release include/linux/pagevec.h:101 [inline]
shmem_undo_range+0x529/0x1570 mm/shmem.c:1137
shmem_truncate_range mm/shmem.c:1249 [inline]
shmem_evict_inode+0x240/0x9e0 mm/shmem.c:1379
evict+0x61e/0xb10 fs/inode.c:837
__dentry_kill+0x209/0x660 fs/dcache.c:670
finish_dput+0xc9/0x480 fs/dcache.c:879
__fput+0x6a0/0xa80 fs/file_table.c:476
task_work_run+0x1d9/0x270 kernel/task_work.c:233
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
__exit_to_user_mode_loop kernel/entry/common.c:44 [inline]
exit_to_user_mode_loop+0xed/0x480 kernel/entry/common.c:75
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]
do_syscall_64+0x2b7/0xf80 arch/x86/entry/syscall_64.c:100
ffff8880521e7f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880521e8000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff8880521e8080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8880521e8100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
console output: https://syzkaller.appspot.com/x/log.txt?x=138c939a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=c33bf4a3a0c7a4f1
dashboard link: https://syzkaller.appspot.com/bug?extid=8debf4b3f7c7391cd8eb
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=1371239a580000
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in hpfs_bplus_lookup
hpfs: filesystem error: warning: spare dnodes used, try chkdsk
hpfs: You really don't want any checks? You are crazy...
hpfs: hpfs_map_sector(): read error
hpfs: code page support is disabled
hpfs: filesystem error: map_dirent: not a directory
hpfs: hpfs_map_4sectors(): unaligned read
hpfs: filesystem error: unable to find root dir
==================================================================
Read of size 4 at addr ffff8880521e8004 by task syz.0.17/6571
CPU: 1 UID: 0 PID: 6571 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xba/0x230 mm/kasan/report.c:482
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
kasan_report+0x117/0x150 mm/kasan/report.c:595
hpfs_bplus_lookup+0x58c/0x9b0 fs/hpfs/anode.c:50
hpfs_bmap+0x230/0x4e0 fs/hpfs/file.c:54
hpfs_get_block+0xa8/0x6e0 fs/hpfs/file.c:87
do_mpage_readpage+0x801/0x1980 fs/mpage.c:222
mpage_readahead+0x407/0x830 fs/mpage.c:371
read_pages+0x193/0x5a0 mm/readahead.c:163
page_cache_ra_unbounded+0x68a/0x8c0 mm/readahead.c:302
filemap_get_pages+0x47c/0x1e60 mm/filemap.c:2690
filemap_read+0x44a/0x1240 mm/filemap.c:2800
__kernel_read+0x50d/0x9c0 fs/read_write.c:530
integrity_kernel_read+0x89/0xd0 security/integrity/iint.c:28
ima_calc_file_hash_tfm security/integrity/ima/ima_crypto.c:480 [inline]
ima_calc_file_shash security/integrity/ima/ima_crypto.c:511 [inline]
ima_calc_file_hash+0x12cf/0x1800 security/integrity/ima/ima_crypto.c:568
ima_calc_file_hash_tfm security/integrity/ima/ima_crypto.c:480 [inline]
ima_calc_file_shash security/integrity/ima/ima_crypto.c:511 [inline]
ima_collect_measurement+0x491/0x930 security/integrity/ima/ima_api.c:293
process_measurement+0x12ec/0x1cc0 security/integrity/ima/ima_main.c:406
ima_file_check+0xdf/0x130 security/integrity/ima/ima_main.c:663
security_file_post_open+0xb3/0x260 security/security.c:2652
do_open fs/namei.c:4639 [inline]
path_openat+0x350e/0x3e70 fs/namei.c:4796
do_filp_open+0x22d/0x490 fs/namei.c:4823
do_sys_openat2+0x12f/0x220 fs/open.c:1430
do_sys_open fs/open.c:1436 [inline]
__do_sys_openat fs/open.c:1452 [inline]
__se_sys_openat fs/open.c:1447 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1447
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
__do_sys_openat fs/open.c:1452 [inline]
__se_sys_openat fs/open.c:1447 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1447
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fad6901aef9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fad6867e028 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007fad69285fa0 RCX: 00007fad6901aef9
RDX: 0000000000000000 RSI: 0000200000004280 RDI: ffffffffffffff9c
RBP: 00007fad690afee0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fad69286038 R14: 00007fad69285fa0 R15: 00007ffc492fd528
</TASK>
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x24d pfn:0x521e8
The buggy address belongs to the physical page:
flags: 0x80000000000000(node=0|zone=1)
raw: 0080000000000000 ffffea0001487748 ffffea0001487a48 0000000000000000
raw: 000000000000024d 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), pid 6571, tgid 6570 (syz.0.17), ts 163321665268, free_ts 163796733751
page_owner tracks the page as freed
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x228/0x280 mm/page_alloc.c:1884
prep_new_page mm/page_alloc.c:1892 [inline]
get_page_from_freelist+0x28bb/0x2950 mm/page_alloc.c:3945
__alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5240
alloc_pages_mpol+0xd1/0x380 mm/mempolicy.c:2486
folio_alloc_mpol_noprof+0x39/0xe0 mm/mempolicy.c:2505
shmem_alloc_folio mm/shmem.c:1890 [inline]
shmem_alloc_and_add_folio mm/shmem.c:1932 [inline]
shmem_get_folio_gfp+0x644/0x1a80 mm/shmem.c:2556
shmem_get_folio mm/shmem.c:2662 [inline]
shmem_write_begin+0x166/0x320 mm/shmem.c:3315
generic_perform_write+0x2af/0x8b0 mm/filemap.c:4314
shmem_file_write_iter+0xfb/0x120 mm/shmem.c:3490
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x629/0xba0 fs/read_write.c:686
ksys_write+0x156/0x270 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 6498 tgid 6498 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1433 [inline]
free_unref_folios+0xc13/0x17f0 mm/page_alloc.c:3030
folios_put_refs+0x56f/0x680 mm/swap.c:1002
folio_batch_release include/linux/pagevec.h:101 [inline]
shmem_undo_range+0x529/0x1570 mm/shmem.c:1137
shmem_truncate_range mm/shmem.c:1249 [inline]
shmem_evict_inode+0x240/0x9e0 mm/shmem.c:1379
evict+0x61e/0xb10 fs/inode.c:837
__dentry_kill+0x209/0x660 fs/dcache.c:670
finish_dput+0xc9/0x480 fs/dcache.c:879
__fput+0x6a0/0xa80 fs/file_table.c:476
task_work_run+0x1d9/0x270 kernel/task_work.c:233
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
__exit_to_user_mode_loop kernel/entry/common.c:44 [inline]
exit_to_user_mode_loop+0xed/0x480 kernel/entry/common.c:75
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]
do_syscall_64+0x2b7/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff8880521e7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Memory state around the buggy address:
ffff8880521e7f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880521e8000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff8880521e8080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8880521e8100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
console output: https://syzkaller.appspot.com/x/log.txt?x=138c939a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=c33bf4a3a0c7a4f1
dashboard link: https://syzkaller.appspot.com/bug?extid=8debf4b3f7c7391cd8eb
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=1371239a580000
syzbot
Jan 16, 2026, 11:38:44 PM (7 days ago) Jan 16
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] hpfs: add debug logging to hpfs_bplus_lookup
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Author: karti...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
This is a debug patch to understand the use-after-free issue reported
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
by syzbot. It adds extensive logging to track:
- Buffer head addresses and lifecycle
- btree pointer values and offsets
- Array access patterns before crashes
- Internal vs external node processing
This will help identify exactly where and why the use-after-free occurs.
NOT FOR MERGE - DEBUG ONLY
Reported-by: syzbot+8debf4...@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=8debf4b3f7c7391cd8eb"
---
fs/hpfs/anode.c | 39 ++++++++++++++++++++++++++++++++++++---
1 file changed, 36 insertions(+), 3 deletions(-)
diff --git a/fs/hpfs/anode.c b/fs/hpfs/anode.c
index a4f5321eafae..e55d0f5fd782 100644
--- a/fs/hpfs/anode.c
+++ b/fs/hpfs/anode.c
@@ -19,25 +19,57 @@ secno hpfs_bplus_lookup(struct super_block *s, struct inode *inode,
struct anode *anode;
int i;
int c1, c2 = 0;
+
+ printk(KERN_EMERG "=== BPLUS_LOOKUP ENTRY: btree=%px bh=%px bh->b_data=%px sec=%u ===\n",
int i;
int c1, c2 = 0;
+
+ btree, bh, bh->b_data, sec);
go_down:
+ printk(KERN_EMERG "=== go_down: btree=%px bh=%px n_used_nodes=%u internal=%d ===\n",
+ btree, bh, btree->n_used_nodes, bp_internal(btree));
+
if (hpfs_sb(s)->sb_chk) if (hpfs_stop_cycles(s, a, &c1, &c2, "hpfs_bplus_lookup")) return -1;
if (bp_internal(btree)) {
- for (i = 0; i < btree->n_used_nodes; i++)
+ printk(KERN_EMERG "=== Processing INTERNAL node, n_used_nodes=%u ===\n", btree->n_used_nodes);
- for (i = 0; i < btree->n_used_nodes; i++)
+ for (i = 0; i < btree->n_used_nodes; i++) {
+ printk(KERN_EMERG "=== internal[%d]: accessing %px ===\n", i, &btree->u.internal[i]);
if (le32_to_cpu(btree->u.internal[i].file_secno) > sec) {
a = le32_to_cpu(btree->u.internal[i].down);
+ printk(KERN_EMERG "=== Found match, going to anode=%08x ===\n", a);
a = le32_to_cpu(btree->u.internal[i].down);
+ printk(KERN_EMERG "=== RELEASING bh=%px ===\n", bh);
+
brelse(bh);
- if (!(anode = hpfs_map_anode(s, a, &bh))) return -1;
+ printk(KERN_EMERG "=== Calling hpfs_map_anode for %08x ===\n", a);
+
+ if (!(anode = hpfs_map_anode(s, a, &bh))){
+ printk(KERN_EMERG "=== hpfs_map_anode FAILED ===\n");
+ return -1;
+ }
+ printk(KERN_EMERG "=== hpfs_map_anode SUCCESS: anode=%px new_bh=%px new_bh->b_data=%px ===\n",
+ anode, bh, bh->b_data);
+
btree = GET_BTREE_PTR(&anode->btree);
+
+ printk(KERN_EMERG "=== NEW btree=%px (offset from b_data: %ld) ===\n",
+
+ btree, (long)((void *)btree - (void *)bh->b_data));
+ printk(KERN_EMERG "=== Validation passed, jumping to go_down ===\n");
goto go_down;
}
+ }
hpfs_error(s, "sector %08x not found in internal anode %08x", sec, a);
brelse(bh);
return -1;
}
- for (i = 0; i < btree->n_used_nodes; i++)
+
+ printk(KERN_EMERG "=== Processing EXTERNAL node, n_used_nodes=%u ===\n", btree->n_used_nodes);
return -1;
}
- for (i = 0; i < btree->n_used_nodes; i++)
+
+ printk(KERN_EMERG "=== btree=%px bh=%px bh->b_data=%px bh->b_size=%zu ===\n",
+ btree, bh, bh->b_data, bh->b_size);
+ for (i = 0; i < btree->n_used_nodes; i++) {
+ printk(KERN_EMERG "=== external[%d]: about to access %px ===\n", i, &btree->u.external[i]);
+ printk(KERN_EMERG "=== CRASH WILL HAPPEN ON NEXT LINE IF UAF ===\n");
if (le32_to_cpu(btree->u.external[i].file_secno) <= sec &&
le32_to_cpu(btree->u.external[i].file_secno) + le32_to_cpu(btree->u.external[i].length) > sec) {
a = le32_to_cpu(btree->u.external[i].disk_secno) + sec - le32_to_cpu(btree->u.external[i].file_secno);
+
+ printk(KERN_EMERG "=== Found external match, returning %u ===\n", a);
le32_to_cpu(btree->u.external[i].file_secno) + le32_to_cpu(btree->u.external[i].length) > sec) {
a = le32_to_cpu(btree->u.external[i].disk_secno) + sec - le32_to_cpu(btree->u.external[i].file_secno);
+
if (hpfs_sb(s)->sb_chk) if (hpfs_chk_sectors(s, a, 1, "data")) {
brelse(bh);
return -1;
@@ -51,6 +83,7 @@ secno hpfs_bplus_lookup(struct super_block *s, struct inode *inode,
brelse(bh);
return -1;
brelse(bh);
return a;
}
+ }
hpfs_error(s, "sector %08x not found in external anode %08x", sec, a);
brelse(bh);
return -1;
--
2.43.0
syzbot
Jan 16, 2026, 11:56:03 PM (6 days ago) Jan 16
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in hpfs_bplus_lookup
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in hpfs_bplus_lookup
=== CRASH WILL HAPPEN ON NEXT LINE IF UAF ===
=== external[120]: about to access ffff8880545bffe0 ===
=== CRASH WILL HAPPEN ON NEXT LINE IF UAF ===
=== external[121]: about to access ffff8880545bffec ===
=== CRASH WILL HAPPEN ON NEXT LINE IF UAF ===
=== external[122]: about to access ffff8880545bfff8 ===
=== CRASH WILL HAPPEN ON NEXT LINE IF UAF ===
=== external[123]: about to access ffff8880545c0004 ===
=== CRASH WILL HAPPEN ON NEXT LINE IF UAF ===
==================================================================
BUG: KASAN: use-after-free in hpfs_bplus_lookup+0x7d5/0xbd0 fs/hpfs/anode.c:68
Read of size 4 at addr ffff8880545c0004 by task syz.0.21/6731
CPU: 1 UID: 0 PID: 6731 Comm: syz.0.21 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xba/0x230 mm/kasan/report.c:482
kasan_report+0x117/0x150 mm/kasan/report.c:595
hpfs_bplus_lookup+0x7d5/0xbd0 fs/hpfs/anode.c:68
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xba/0x230 mm/kasan/report.c:482
kasan_report+0x117/0x150 mm/kasan/report.c:595
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007feb159fe028 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007feb16605fa0 RCX: 00007feb1639aef9
RDX: 0000000000000000 RSI: 0000200000004280 RDI: ffffffffffffff9c
RBP: 00007feb1642fee0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007feb16606038 R14: 00007feb16605fa0 R15: 00007fff6450b218
</TASK>
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xb10 pfn:0x545c0
The buggy address belongs to the physical page:
flags: 0x80000000000000(node=0|zone=1)
page_type: f0(buddy)
raw: 0080000000000000 ffff88813fffc380 ffffea0001525008 0000000000000000
raw: 0000000000000b10 0000000000000006 00000000f0000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), pid 6731, tgid 6730 (syz.0.21), ts 168496747643, free_ts 169044969619
page_owner tracks the page as freed
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x228/0x280 mm/page_alloc.c:1884
prep_new_page mm/page_alloc.c:1892 [inline]
get_page_from_freelist+0x28bb/0x2950 mm/page_alloc.c:3945
__alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5240
alloc_pages_mpol+0xd1/0x380 mm/mempolicy.c:2486
folio_alloc_mpol_noprof+0x39/0xe0 mm/mempolicy.c:2505
shmem_alloc_folio mm/shmem.c:1890 [inline]
shmem_alloc_and_add_folio mm/shmem.c:1932 [inline]
shmem_get_folio_gfp+0x644/0x1a80 mm/shmem.c:2556
shmem_get_folio mm/shmem.c:2662 [inline]
shmem_write_begin+0x166/0x320 mm/shmem.c:3315
generic_perform_write+0x2af/0x8b0 mm/filemap.c:4314
shmem_file_write_iter+0xfb/0x120 mm/shmem.c:3490
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x629/0xba0 fs/read_write.c:686
ksys_write+0x156/0x270 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 6731 tgid 6730 stack trace:
post_alloc_hook+0x228/0x280 mm/page_alloc.c:1884
prep_new_page mm/page_alloc.c:1892 [inline]
get_page_from_freelist+0x28bb/0x2950 mm/page_alloc.c:3945
__alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5240
alloc_pages_mpol+0xd1/0x380 mm/mempolicy.c:2486
folio_alloc_mpol_noprof+0x39/0xe0 mm/mempolicy.c:2505
shmem_alloc_folio mm/shmem.c:1890 [inline]
shmem_alloc_and_add_folio mm/shmem.c:1932 [inline]
shmem_get_folio_gfp+0x644/0x1a80 mm/shmem.c:2556
shmem_get_folio mm/shmem.c:2662 [inline]
shmem_write_begin+0x166/0x320 mm/shmem.c:3315
generic_perform_write+0x2af/0x8b0 mm/filemap.c:4314
shmem_file_write_iter+0xfb/0x120 mm/shmem.c:3490
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x629/0xba0 fs/read_write.c:686
ksys_write+0x156/0x270 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1433 [inline]
free_unref_folios+0xc13/0x17f0 mm/page_alloc.c:3030
folios_put_refs+0x56f/0x680 mm/swap.c:1002
folio_batch_release include/linux/pagevec.h:101 [inline]
shmem_undo_range+0x529/0x1570 mm/shmem.c:1137
shmem_truncate_range mm/shmem.c:1249 [inline]
shmem_evict_inode+0x240/0x9e0 mm/shmem.c:1379
evict+0x61e/0xb10 fs/inode.c:837
__dentry_kill+0x209/0x660 fs/dcache.c:670
finish_dput+0xc9/0x480 fs/dcache.c:879
__fput+0x6a0/0xa80 fs/file_table.c:476
task_work_run+0x1d9/0x270 kernel/task_work.c:233
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
__exit_to_user_mode_loop kernel/entry/common.c:44 [inline]
exit_to_user_mode_loop+0xed/0x480 kernel/entry/common.c:75
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]
do_syscall_64+0x2b7/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff8880545bff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
free_pages_prepare mm/page_alloc.c:1433 [inline]
free_unref_folios+0xc13/0x17f0 mm/page_alloc.c:3030
folios_put_refs+0x56f/0x680 mm/swap.c:1002
folio_batch_release include/linux/pagevec.h:101 [inline]
shmem_undo_range+0x529/0x1570 mm/shmem.c:1137
shmem_truncate_range mm/shmem.c:1249 [inline]
shmem_evict_inode+0x240/0x9e0 mm/shmem.c:1379
evict+0x61e/0xb10 fs/inode.c:837
__dentry_kill+0x209/0x660 fs/dcache.c:670
finish_dput+0xc9/0x480 fs/dcache.c:879
__fput+0x6a0/0xa80 fs/file_table.c:476
task_work_run+0x1d9/0x270 kernel/task_work.c:233
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
__exit_to_user_mode_loop kernel/entry/common.c:44 [inline]
exit_to_user_mode_loop+0xed/0x480 kernel/entry/common.c:75
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]
do_syscall_64+0x2b7/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff8880545bff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880545c0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff8880545c0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8880545c0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
Tested on:
commit: 39d33893 Merge tag 'drm-fixes-2026-01-16' of https://g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13f523fa580000
Tested on:
commit: 39d33893 Merge tag 'drm-fixes-2026-01-16' of https://g..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=c33bf4a3a0c7a4f1
dashboard link: https://syzkaller.appspot.com/bug?extid=8debf4b3f7c7391cd8eb
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=1365239a580000
dashboard link: https://syzkaller.appspot.com/bug?extid=8debf4b3f7c7391cd8eb
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syzbot
Jan 17, 2026, 12:05:20 AM (6 days ago) Jan 17
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] hpfs: add array bounds validation in hpfs_bplus_lookup
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Author: karti...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
When traversing a corrupted HPFS filesystem, the n_used_nodes field in
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
the btree header can contain a value larger than what fits in the
allocated buffer. This causes out-of-bounds array access when iterating
through btree->u.internal[] or btree->u.external[] arrays, leading to
a KASAN-detected use-after-free.
Validate that n_used_nodes does not exceed the maximum number of nodes
that can fit in the buffer before accessing the arrays.
Reported-by: syzbot+8debf4...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8debf4b3f7c7391cd8eb
1 file changed, 23 insertions(+)
diff --git a/fs/hpfs/anode.c b/fs/hpfs/anode.c
index a4f5321eafae..6e1b43f5c9cf 100644
--- a/fs/hpfs/anode.c
+++ b/fs/hpfs/anode.c
@@ -21,6 +22,31 @@ secno hpfs_bplus_lookup(struct super_block *s, struct inode *inode,
int c1, c2 = 0;
go_down:
if (hpfs_sb(s)->sb_chk) if (hpfs_stop_cycles(s, a, &c1, &c2, "hpfs_bplus_lookup")) return -1;
+
+ if (bp_internal(btree)) {
+ unsigned int max_internal_nodes;
+
+ max_internal_nodes = (bh->b_size - ((char *)btree->u.internal - (char *)bh->b_data))
+ / sizeof(btree->u.internal[0]);
+ if (btree->n_used_nodes > max_internal_nodes) {
+ hpfs_error(s, "btree->n_used_nodes = %u, but max for internal node is %u",
+ btree->n_used_nodes, max_internal_nodes);
+ brelse(bh);
+ return -1;
+ }
+ } else {
+ unsigned int max_external_nodes;
+
+ max_external_nodes = (bh->b_size - ((char *)btree->u.external - (char *)bh->b_data))
+ / sizeof(btree->u.external[0]);
+ if (btree->n_used_nodes > max_external_nodes) {
+ hpfs_error(s, "btree->n_used_nodes = %u, but max for external node is %u",
+ btree->n_used_nodes, max_external_nodes);
+ brelse(bh);
+ return -1;
+ }
+ }
+
+ }
+ }
if (bp_internal(btree)) {
for (i = 0; i < btree->n_used_nodes; i++)
if (le32_to_cpu(btree->u.internal[i].file_secno) > sec) {
--
2.43.0
syzbot
Jan 17, 2026, 12:35:06 AM (6 days ago) Jan 17
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+8debf4...@syzkaller.appspotmail.com
Tested-by: syzbot+8debf4...@syzkaller.appspotmail.com
Tested on:
commit: d3eeb99b Merge tag 'block-6.19-20260116' of git://git...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=109d239a580000
Note: testing is done by a robot and is best-effort only.
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+8debf4...@syzkaller.appspotmail.com
Tested-by: syzbot+8debf4...@syzkaller.appspotmail.com
Tested on:
commit: d3eeb99b Merge tag 'block-6.19-20260116' of git://git...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=109d239a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=c33bf4a3a0c7a4f1
dashboard link: https://syzkaller.appspot.com/bug?extid=8debf4b3f7c7391cd8eb
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=1142939a580000
dashboard link: https://syzkaller.appspot.com/bug?extid=8debf4b3f7c7391cd8eb
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
Note: testing is done by a robot and is best-effort only.
Christoph Hellwig
Jan 19, 2026, 1:36:58 AM (4 days ago) Jan 19
to syzbot, c...@kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, mik...@artax.karlin.mff.cuni.cz, syzkall...@googlegroups.com
Any idea why this Ccs the xfs list?
---end quoted text---
Aleksandr Nogikh
Jan 19, 2026, 3:35:33 AM (4 days ago) Jan 19
to Christoph Hellwig, syzbot, c...@kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, mik...@artax.karlin.mff.cuni.cz, syzkall...@googlegroups.com
On Mon, Jan 19, 2026 at 7:36 AM Christoph Hellwig <h...@infradead.org> wrote:
>
> Any idea why this Ccs the xfs list?
Somehow, the reproducers first mount xfs and only then hpfs, so syzbot
>
> Any idea why this Ccs the xfs list?
also tagged the xfs list.
Reply all
Reply to author
Forward
0 new messages