loop2: detected capacity change from 0 to 64
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000008: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000040-0x0000000000000047]
CPU: 2 PID: 6108 Comm: syz-executor.2 Not tainted 6.10.0-rc3-syzkaller-00044-g2ccbdf43d5e7 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:hfs_find_init+0x74/0x220 fs/hfs/bfind.c:21
Code: c1 ea 03 80 3c 02 00 0f 85 a4 01 00 00 4c 8d 6b 40 48 c7 45 18 00 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 53 01 00 00 8b 43 40 be c0 0c
RSP: 0018:ffffc900037d7490 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc9000c001000
RDX: 0000000000000008 RSI: ffffffff826dc495 RDI: ffffc900037d7508
RBP: ffffc900037d74f0 R08: 0000000000000004 R09: 0000000000000004
R10: 0000000000000000 R11: 000000000000000a R12: 0000000000000004
R13: 0000000000000040 R14: ffff88802a79814a R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88802c200000(0063) knlGS:00000000f5e8eb40
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 00000000f5e8f000 CR3: 0000000000a20000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 hfs_ext_read_extent+0x19c/0x9e0 fs/hfs/extent.c:200
 hfs_get_block+0x55f/0x830 fs/hfs/extent.c:366
 block_read_full_folio+0x38f/0xa70 fs/buffer.c:2407
 filemap_read_folio+0xe5/0x2c0 mm/filemap.c:2355
 do_read_cache_folio+0x203/0x540 mm/filemap.c:3788
 do_read_cache_page mm/filemap.c:3854 [inline]
 read_cache_page+0x5b/0x160 mm/filemap.c:3863
 read_mapping_page include/linux/pagemap.h:896 [inline]
 hfs_btree_open+0x662/0x1050 fs/hfs/btree.c:78
 hfs_mdb_get+0x15df/0x2000 fs/hfs/mdb.c:199
 hfs_fill_super+0xb1b/0x1860 fs/hfs/super.c:406
 mount_bdev+0x1e3/0x2d0 fs/super.c:1659
 legacy_get_tree+0x109/0x220 fs/fs_context.c:662
 vfs_get_tree+0x8f/0x380 fs/super.c:1780
 do_new_mount fs/namespace.c:3352 [inline]
 path_mount+0x6e1/0x1f10 fs/namespace.c:3679
 do_mount fs/namespace.c:3692 [inline]
 __do_sys_mount fs/namespace.c:3898 [inline]
 __se_sys_mount fs/namespace.c:3875 [inline]
 __ia32_sys_mount+0x295/0x320 fs/namespace.c:3875
 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]
 __do_fast_syscall_32+0x73/0x120 arch/x86/entry/common.c:386
 do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411
 entry_SYSENTER_compat_after_hwframe+0x84/0x8e
RIP: 0023:0xf729c579
Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
RSP: 002b:00000000f5e8e400 EFLAGS: 00000292 ORIG_RAX: 0000000000000015
RAX: ffffffffffffffda RBX: 00000000f5e8e460 RCX: 0000000020000080
RDX: 0000000020000180 RSI: 0000000000000000 RDI: 00000000f5e8e4a0
RBP: 00000000f5e8e460 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:hfs_find_init+0x74/0x220 fs/hfs/bfind.c:21
Code: c1 ea 03 80 3c 02 00 0f 85 a4 01 00 00 4c 8d 6b 40 48 c7 45 18 00 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 53 01 00 00 8b 43 40 be c0 0c
RSP: 0018:ffffc900037d7490 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc9000c001000
RDX: 0000000000000008 RSI: ffffffff826dc495 RDI: ffffc900037d7508
RBP: ffffc900037d74f0 R08: 0000000000000004 R09: 0000000000000004
R10: 0000000000000000 R11: 000000000000000a R12: 0000000000000004
R13: 0000000000000040 R14: ffff88802a79814a R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88802c300000(0063) knlGS:00000000f5e8eb40
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 000056547410f338 CR3: 0000000000a20000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	c1 ea 03             	shr    $0x3,%edx
   3:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1)
   7:	0f 85 a4 01 00 00    	jne    0x1b1
   d:	4c 8d 6b 40          	lea    0x40(%rbx),%r13
  11:	48 c7 45 18 00 00 00 	movq   $0x0,0x18(%rbp)
  18:	00
  19:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  20:	fc ff df
  23:	4c 89 ea             	mov    %r13,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	0f b6 04 02          	movzbl (%rdx,%rax,1),%eax <-- trapping instruction
  2e:	84 c0                	test   %al,%al
  30:	74 08                	je     0x3a
  32:	3c 03                	cmp    $0x3,%al
  34:	0f 8e 53 01 00 00    	jle    0x18d
  3a:	8b 43 40             	mov    0x40(%rbx),%eax
  3d:	be                   	.byte 0xbe
  3e:	c0                   	.byte 0xc0
  3f:	0c                   	.byte 0xc