Extracting prog: 2m44.584313086s
Minimizing prog: 183.925µs
Simplifying prog options: 0s
Extracting C: 49.3122967s
Simplifying C: 7m51.386392572s


extracting reproducer from 1 programs
testing a last program of every proc
single: executing 1 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfs
detailed listing:
executing program 0:
syz_mount_image$hfs(&(0x7f0000000100), &(0x7f0000000040)='./bus\x00', 0x10, &(0x7f0000000140)=ANY=[@ANYBLOB='codepage=macgreek,part=0x0000000000000007,iocharset=cp1251,gid=', @ANYRESHEX=0x0, @ANYBLOB='\x00\x00'], 0x1, 0x2a4, &(0x7f0000002100)="$eJzs3U1rE0Ecx/Hf7KZNakvdPkjBY7XgRbH1Il4U6YvwIKI2EYqhglZQT+JZxJvgUfDmWXwDXjyJb0BPnnwBva3M7G6yrbub7UMyTf1+ICGw8/CfzGx2/oFkBeC/dXP958crv+3DSKFCSdekQFJLakg6o6XW063tze1up13VUOhq2IdRUtP8U2Zjq1NUdW/ByNZvaMa1gqGK4zj+5TsIeOfO/gKB1EzPZ3e8NfLIhuOl7wA8Mzva0TPN+o4DAOBXev0P0uv8TLotDwJpJb3sn6jr/47vADzLXf9dlhUbO7+n3aF+vucyM3s8yLLEihZLj0wqWVm7NphmUFbpYgmmHmx2O5c2HnXbgV7peipXbNE9t5OlmxkQ7XJFsAUGj73MtBvDhB3DWkn8Cwfp8d3+Q+kx38x3c8dEeq92b//XiI2dJjdTkZupqFchif9yeYtulFFaKlDRKOdcJ2fTHvTlU41RtoozEmUrak67vyDIItDbyYpa83tqJaNbLR+dq7VQWGttQK3FvbV6q3ko32yUDLvPZnIyb8wts6w/+qz13P4/sO/2iuqcmbaMK5muDHt2lpZsuJJRjfCDGmVQ30Tl0de6r6uaffL8xcN73W7n8Vi8CI9HGKN+8eGiNIK+sgVzmHay5XWkgZkjCCz/IvQ+p4d/f0I1NdRQqz48po7g4wnHQX/StXTbdzDwwe67TJL/5fKVG+6Y/eSN3D59QkX79HhQ47kWV0syoHn3fGpfGdx0eQbXVL2c69wF6XxFj193NxulcZ4QZl0/dJfv/wEAAAAAAAAAAAAAAAAAAMZNvd8DNNPSB/s5Qb+3hWlf4wQAAAAAAAAAAAAAAAAAAAAAYJwN//6/uX/1Lrn/r7unWHJHHPcv3dz/FxiNvwEAAP//6n1zCw==")

program crashed: BUG: unable to handle kernel paging request in hfs_find_init
single: successfully extracted reproducer
found reproducer with 1 syscalls
minimizing guilty program
extracting C reproducer
testing compiled C program (duration=1m25.728668985s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfs
program crashed: BUG: unable to handle kernel paging request in hfs_find_init
simplifying C reproducer
testing compiled C program (duration=1m25.728668985s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfs
program crashed: BUG: unable to handle kernel paging request in hfs_find_init
testing compiled C program (duration=1m25.728668985s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfs
program crashed: BUG: unable to handle kernel paging request in hfs_find_init
testing compiled C program (duration=1m25.728668985s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfs
program crashed: BUG: unable to handle kernel paging request in hfs_find_init
testing compiled C program (duration=1m25.728668985s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfs
program crashed: BUG: unable to handle kernel paging request in hfs_find_init
testing compiled C program (duration=1m25.728668985s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfs
program crashed: BUG: unable to handle kernel paging request in hfs_find_init
testing compiled C program (duration=1m25.728668985s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfs
program crashed: BUG: unable to handle kernel paging request in hfs_find_init
testing compiled C program (duration=1m25.728668985s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfs
program crashed: BUG: unable to handle kernel paging request in hfs_find_init
reproducing took 11m25.283218706s
repro crashed as (corrupted=false):
loop0: detected capacity change from 0 to 64
Unable to handle kernel paging request at virtual address dfff800000000008
KASAN: null-ptr-deref in range [0x0000000000000040-0x0000000000000047]
Mem abort info:
  ESR = 0x0000000096000005
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x05: level 1 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
  CM = 0, WnR = 0, TnD = 0, TagAccess = 0
  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[dfff800000000008] address between user and kernel address ranges
Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 UID: 0 PID: 6464 Comm: syz-executor200 Not tainted 6.14.0-syzkaller-gd6b13dbd03b7 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : hfs_find_init+0x6c/0x1c8 fs/hfs/bfind.c:21
lr : hfs_find_init+0x30/0x1c8 fs/hfs/bfind.c:16
sp : ffff8000a5887130
x29: ffff8000a5887130 x28: ffff700014b10e3c x27: 0000000000000000
x26: ffff0000c7368180 x25: 0000000000000008 x24: dfff800000000000
x23: ffff0000c736814c x22: ffff8000a5887218 x21: 0000000000000040
x20: ffff8000a5887200 x19: 0000000000000000 x18: ffff8000a5886c20
x17: 000000000000d5a6 x16: ffff80008b7cc4c8 x15: 0000000000000007
x14: 1ffff00014b10e40 x13: 0000000000000000 x12: 0000000000000000
x11: ffff700014b10e47 x10: 0000000000ff0100 x9 : 0000000000000000
x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000
x5 : ffff800093ad2690 x4 : 0000000000000000 x3 : 0000000000000030
x2 : 0000000000000008 x1 : ffff8000a5887200 x0 : ffff8000a5887210
Call trace:
 hfs_find_init+0x6c/0x1c8 fs/hfs/bfind.c:21 (P)
 hfs_ext_read_extent fs/hfs/extent.c:200 [inline]
 hfs_get_block+0x29c/0x9e0 fs/hfs/extent.c:366
 block_read_full_folio+0x368/0x914 fs/buffer.c:2396
 hfs_read_folio+0x28/0x38 fs/hfs/inode.c:34
 filemap_read_folio+0x108/0x318 mm/filemap.c:2400
 do_read_cache_folio+0x368/0x5c0 mm/filemap.c:3884
 do_read_cache_page mm/filemap.c:3950 [inline]
 read_cache_page+0x6c/0x15c mm/filemap.c:3959
 read_mapping_page include/linux/pagemap.h:1017 [inline]
 hfs_btree_open+0x418/0xec0 fs/hfs/btree.c:78
 hfs_mdb_get+0x1074/0x1c48 fs/hfs/mdb.c:199
 hfs_fill_super+0x320/0x634 fs/hfs/super.c:337
 get_tree_bdev_flags+0x38c/0x494 fs/super.c:1636
 get_tree_bdev+0x2c/0x3c fs/super.c:1659
 hfs_get_tree+0x28/0x38 fs/hfs/super.c:388
 vfs_get_tree+0x90/0x28c fs/super.c:1814
 do_new_mount+0x278/0x900 fs/namespace.c:3560
 path_mount+0x590/0xe04 fs/namespace.c:3887
 do_mount fs/namespace.c:3900 [inline]
 __do_sys_mount fs/namespace.c:4111 [inline]
 __se_sys_mount fs/namespace.c:4088 [inline]
 __arm64_sys_mount+0x4f4/0x5d0 fs/namespace.c:4088
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
Code: 97e4433c 91010275 f90002df d343feb9 (38f86b28) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	97e4433c 	bl	0xffffffffff910cf0
   4:	91010275 	add	x21, x19, #0x40
   8:	f90002df 	str	xzr, [x22]
   c:	d343feb9 	lsr	x25, x21, #3
* 10:	38f86b28 	ldrsb	w8, [x25, x24] <-- trapping instruction

final repro crashed as (corrupted=false):
loop0: detected capacity change from 0 to 64
Unable to handle kernel paging request at virtual address dfff800000000008
KASAN: null-ptr-deref in range [0x0000000000000040-0x0000000000000047]
Mem abort info:
  ESR = 0x0000000096000005
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x05: level 1 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
  CM = 0, WnR = 0, TnD = 0, TagAccess = 0
  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[dfff800000000008] address between user and kernel address ranges
Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 UID: 0 PID: 6464 Comm: syz-executor200 Not tainted 6.14.0-syzkaller-gd6b13dbd03b7 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : hfs_find_init+0x6c/0x1c8 fs/hfs/bfind.c:21
lr : hfs_find_init+0x30/0x1c8 fs/hfs/bfind.c:16
sp : ffff8000a5887130
x29: ffff8000a5887130 x28: ffff700014b10e3c x27: 0000000000000000
x26: ffff0000c7368180 x25: 0000000000000008 x24: dfff800000000000
x23: ffff0000c736814c x22: ffff8000a5887218 x21: 0000000000000040
x20: ffff8000a5887200 x19: 0000000000000000 x18: ffff8000a5886c20
x17: 000000000000d5a6 x16: ffff80008b7cc4c8 x15: 0000000000000007
x14: 1ffff00014b10e40 x13: 0000000000000000 x12: 0000000000000000
x11: ffff700014b10e47 x10: 0000000000ff0100 x9 : 0000000000000000
x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000
x5 : ffff800093ad2690 x4 : 0000000000000000 x3 : 0000000000000030
x2 : 0000000000000008 x1 : ffff8000a5887200 x0 : ffff8000a5887210
Call trace:
 hfs_find_init+0x6c/0x1c8 fs/hfs/bfind.c:21 (P)
 hfs_ext_read_extent fs/hfs/extent.c:200 [inline]
 hfs_get_block+0x29c/0x9e0 fs/hfs/extent.c:366
 block_read_full_folio+0x368/0x914 fs/buffer.c:2396
 hfs_read_folio+0x28/0x38 fs/hfs/inode.c:34
 filemap_read_folio+0x108/0x318 mm/filemap.c:2400
 do_read_cache_folio+0x368/0x5c0 mm/filemap.c:3884
 do_read_cache_page mm/filemap.c:3950 [inline]
 read_cache_page+0x6c/0x15c mm/filemap.c:3959
 read_mapping_page include/linux/pagemap.h:1017 [inline]
 hfs_btree_open+0x418/0xec0 fs/hfs/btree.c:78
 hfs_mdb_get+0x1074/0x1c48 fs/hfs/mdb.c:199
 hfs_fill_super+0x320/0x634 fs/hfs/super.c:337
 get_tree_bdev_flags+0x38c/0x494 fs/super.c:1636
 get_tree_bdev+0x2c/0x3c fs/super.c:1659
 hfs_get_tree+0x28/0x38 fs/hfs/super.c:388
 vfs_get_tree+0x90/0x28c fs/super.c:1814
 do_new_mount+0x278/0x900 fs/namespace.c:3560
 path_mount+0x590/0xe04 fs/namespace.c:3887
 do_mount fs/namespace.c:3900 [inline]
 __do_sys_mount fs/namespace.c:4111 [inline]
 __se_sys_mount fs/namespace.c:4088 [inline]
 __arm64_sys_mount+0x4f4/0x5d0 fs/namespace.c:4088
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
Code: 97e4433c 91010275 f90002df d343feb9 (38f86b28) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	97e4433c 	bl	0xffffffffff910cf0
   4:	91010275 	add	x21, x19, #0x40
   8:	f90002df 	str	xzr, [x22]
   c:	d343feb9 	lsr	x25, x21, #3
* 10:	38f86b28 	ldrsb	w8, [x25, x24] <-- trapping instruction