Extracting prog: 1m43.646711641s
Minimizing prog: 103.189µs
Simplifying prog options: 2m37.65798324s
Extracting C: 1m54.715023074s
Simplifying C: 6m23.48287491s
extracting reproducer from 30 programs
first checking the prog from the crash report
single: executing 1 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfs
detailed listing:
executing program 0:
syz_mount_image$hfs(&(0x7f0000000180), &(0x7f0000000100)='./file0\x00', 0x0, &(0x7f0000000240)=ANY=[@ANYBLOB="71756965742c636f6465706167653d69736f383835392d31352c706172743d3078303030303030300000000000000000662c00a20000000700000000ede9debf530c3cc4d04b548919aca0c2937d4da1fc31dc42fc2e3e", @ANYRESDEC=0x0, @ANYRESOCT, @ANYRES16, @ANYRES16], 0x11, 0x2d9, &(0x7f0000000580)="$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")
program crashed: BUG: unable to handle kernel paging request in hfs_find_init
single: successfully extracted reproducer
found reproducer with 1 syscalls
minimizing guilty program
extracting C reproducer
testing compiled C program (duration=45.373048074s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfs
program crashed: BUG: unable to handle kernel paging request in corrupted
a never seen crash title: BUG: unable to handle kernel paging request in corrupted, ignore
simplifying guilty program options
testing program (duration=45.373048074s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfs
detailed listing:
executing program 0:
syz_mount_image$hfs(&(0x7f0000000180), &(0x7f0000000100)='./file0\x00', 0x0, &(0x7f0000000240)=ANY=[@ANYBLOB="71756965742c636f6465706167653d69736f383835392d31352c706172743d3078303030303030300000000000000000662c00a20000000700000000ede9debf530c3cc4d04b548919aca0c2937d4da1fc31dc42fc2e3e", @ANYRESDEC=0x0, @ANYRESOCT, @ANYRES16, @ANYRES16], 0x11, 0x2d9, &(0x7f0000000580)="$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")
program crashed: BUG: unable to handle kernel paging request in hfs_find_init
extracting C reproducer
testing compiled C program (duration=45.373048074s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfs
program crashed: BUG: unable to handle kernel paging request in hfs_find_init
simplifying C reproducer
testing compiled C program (duration=45.373048074s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfs
program crashed: BUG: unable to handle kernel paging request in hfs_find_init
testing compiled C program (duration=45.373048074s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfs
program crashed: BUG: unable to handle kernel paging request in hfs_find_init
testing compiled C program (duration=45.373048074s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfs
program crashed: BUG: unable to handle kernel paging request in hfs_find_init
testing compiled C program (duration=45.373048074s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfs
program crashed: BUG: unable to handle kernel paging request in hfs_find_init
testing compiled C program (duration=45.373048074s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfs
program crashed: BUG: unable to handle kernel paging request in hfs_find_init
testing compiled C program (duration=45.373048074s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfs
program crashed: BUG: unable to handle kernel paging request in hfs_find_init
testing program (duration=45.373048074s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfs
detailed listing:
executing program 0:
syz_mount_image$hfs(&(0x7f0000000180), &(0x7f0000000100)='./file0\x00', 0x0, &(0x7f0000000240)=ANY=[@ANYBLOB="71756965742c636f6465706167653d69736f383835392d31352c706172743d3078303030303030300000000000000000662c00a20000000700000000ede9debf530c3cc4d04b548919aca0c2937d4da1fc31dc42fc2e3e", @ANYRESDEC=0x0, @ANYRESOCT, @ANYRES16, @ANYRES16], 0x11, 0x2d9, &(0x7f0000000580)="$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")
program crashed: BUG: unable to handle kernel paging request in hfs_find_init
validation run: crashed=true
testing program (duration=45.373048074s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfs
detailed listing:
executing program 0:
syz_mount_image$hfs(&(0x7f0000000180), &(0x7f0000000100)='./file0\x00', 0x0, &(0x7f0000000240)=ANY=[@ANYBLOB="71756965742c636f6465706167653d69736f383835392d31352c706172743d3078303030303030300000000000000000662c00a20000000700000000ede9debf530c3cc4d04b548919aca0c2937d4da1fc31dc42fc2e3e", @ANYRESDEC=0x0, @ANYRESOCT, @ANYRES16, @ANYRES16], 0x11, 0x2d9, &(0x7f0000000580)="$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")
program crashed: BUG: unable to handle kernel paging request in hfs_find_init
validation run: crashed=true
testing program (duration=45.373048074s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}):
syz_mount_image$hfs detailed listing: executing program 0: syz_mount_image$hfs(&(0x7f0000000180), &(0x7f0000000100)='./file0\x00', 0x0, &(0x7f0000000240)=ANY=[@ANYBLOB="71756965742c636f6465706167653d69736f383835392d31352c706172743d3078303030303030300000000000000000662c00a20000000700000000ede9debf530c3cc4d04b548919aca0c2937d4da1fc31dc42fc2e3e", @ANYRESDEC=0x0, @ANYRESOCT, @ANYRES16, @ANYRES16], 0x11, 0x2d9, &(0x7f0000000580)="$eJzs3U9rE08cx/HPbNIm/TX0t/0jgsdqQS9S60W8pEgehHgQtYlQDBVtBfViFU8ievfuU/ApCF4Un4CePPkAIggrM7v5s+lmN4Zmt8H3Cyyb7Pz5TnZ2ZyZgRgD+Wdca395f/mH/GamkkvTqquRJqkplSad0uvpo72D3oN1qppTTCRybyyjMaY4k2tlrJWauxl/6Nn9ZNVcKpioIgu3vkvaLDgSFcnd/Ak+qRPezO1/NPbJ0zyfMd3jMccwa01FHj7VUdBwAgGJF478XjfO1aP7uedJGNOyfyPF/Up2iA5i6IPXswPjvVlmBsdf3f3eqv95zSzh73uuuEsepeW7o9bzCnhWbYJqsVaWLxVu4u9tuXdy53256eqF6ZCDZmvvbDLtuV0a06wlr0xRjtN0kzygXXRvmbBu2RsS/OmGNEzOfzBdz0/h6p2Zv/lcOjL1M7kr5Q1cqjH9zdImulb5NpeixUa/XvViSZVfJmaiGSEYrq8krEnV71LLiXxD4WXG6XCtDucLWXcrItRrm2l6I5drqvhqRay1Wl21NrzePrm/azBtz3azrpz6oMTD/92x8G0q9M/t3jalEB/YTD9szn1xd2ZXpHxk5DnWjFn+n9ylWhoroPU9+pT/TMORZyrnXuqMrWtp/8vReqd1uPbQHtxMOHtS6V70191JKTFPAgaf+Ozrsn6oo/CLySK5uJ8oz1AvHWqB9fmQmtndZLg08MT2hiIPG53w7UhEHOTyfULj+Rc9M+jGXgJA3N+8K138D65VNN+zbP37KPD1zQhaVGNg5dm8FVI3lX3FH//3VCm5x9Apu3DXX2fPSud5bv4OMGv0oztkQpE39LNPQV93i+38AAAAAAAAAAAAAAAAAAIBZk8d/Jyi6jQAAAAAAAAAAAAAAAAAAAAAAzLre/r/q7v+r8fb/Hf7l71K4w8sk+/+6nwMf2CjHf7sn9v8Fpu9PAAAA///15YZH") program crashed: BUG: unable to handle kernel paging request in hfs_find_init validation run: crashed=true reproducing took 19m35.141915017s repro crashed as (corrupted=false): loop0: detected capacity change from 0 to 64 Unable to handle kernel paging request at virtual address dfff800000000008 Mem abort info: ESR = 0x0000000096000006 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x06: level 2 translation fault Data abort info: ISV = 0, ISS = 0x00000006 CM = 0, WnR = 0 [dfff800000000008] address between user and kernel address ranges Internal error: 
Oops: 0000000096000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 4177 Comm: syz.0.17 Not tainted 5.15.189-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : hfs_find_init+0x6c/0x1c8 fs/hfs/bfind.c:21
lr : hfs_find_init+0x30/0x1c8 fs/hfs/bfind.c:16
sp : ffff80001f1d7150
x29: ffff80001f1d7150 x28: ffff700003e3ae40 x27: 0000000000000000
x26: ffff0000d8028180 x25: 0000000000000008 x24: dfff800000000000
x23: 0000000000000000 x22: ffff80001f1d7238 x21: 0000000000000040
x20: ffff80001f1d7220 x19: 0000000000000000 x18: 0000000000000000
x17: ffff800016d04000 x16: ffff8000082b6d9c x15: ffff8000167e4500
x14: ffff0000c8542540 x13: dfff800000000000 x12: 0000000000ff0100
x11: 0000000000000000 x10: 0000000000000000 x9 : ffff800008ec1404
x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000
x5 : ffff800016eadbf8 x4 : 0000000000000000 x3 : 0000000000000030
x2 : 0000000000000008 x1 : ffff80001f1d7220 x0 : ffff80001f1d7230
Call trace:
 hfs_find_init+0x6c/0x1c8 fs/hfs/bfind.c:21
 hfs_ext_read_extent fs/hfs/extent.c:200 [inline]
 hfs_get_block+0x3d4/0x9ec fs/hfs/extent.c:366
 block_read_full_page+0x298/0xc40 fs/buffer.c:2290
 hfs_readpage+0x28/0x38 fs/hfs/inode.c:39
 do_read_cache_page+0x5f4/0x8f8 mm/filemap.c:-1
 read_cache_page+0x68/0x88 mm/filemap.c:3574
 read_mapping_page include/linux/pagemap.h:515 [inline]
 hfs_btree_open+0x404/0xe58 fs/hfs/btree.c:78
 hfs_mdb_get+0xe94/0x19ec fs/hfs/mdb.c:199
 hfs_fill_super+0xc04/0x1180 fs/hfs/super.c:406
 mount_bdev+0x264/0x358 fs/super.c:1400
 hfs_mount+0x44/0x58 fs/hfs/super.c:458
 legacy_get_tree+0xd4/0x16c fs/fs_context.c:611
 vfs_get_tree+0x90/0x274 fs/super.c:1530
 do_new_mount+0x228/0x810 fs/namespace.c:3014
 path_mount+0x5b4/0x1000 fs/namespace.c:3344
 do_mount fs/namespace.c:3357 [inline]
 __do_sys_mount fs/namespace.c:3565 [inline]
 __se_sys_mount fs/namespace.c:3542 [inline]
 __arm64_sys_mount+0x514/0x5e4 fs/namespace.c:3542
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
 el0_svc+0x78/0x1e0 arch/arm64/kernel/entry-common.c:608
 el0t_64_sync_handler+0xcc/0xe4 arch/arm64/kernel/entry-common.c:626
 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
Code: 97e5ee50 91010275 f90002df d343feb9 (38f86b28)
---[ end trace 3a09ee7ad1ca4fc7 ]---
----------------
Code disassembly (best guess):
   0: 97e5ee50 bl 0xffffffffff97b940
   4: 91010275 add x21, x19, #0x40
   8: f90002df str xzr, [x22]
   c: d343feb9 lsr x25, x21, #3
* 10: 38f86b28 ldrsb w8, [x25, x24] <-- trapping instruction
final repro crashed as (corrupted=false):
loop0: detected capacity change from 0 to 64
Unable to handle kernel paging request at virtual address dfff800000000008
Mem abort info:
  ESR = 0x0000000096000006
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x06: level 2 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000006
  CM = 0, WnR = 0
[dfff800000000008] address between user and kernel address ranges
Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 4177 Comm: syz.0.17 Not tainted 5.15.189-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : hfs_find_init+0x6c/0x1c8 fs/hfs/bfind.c:21
lr : hfs_find_init+0x30/0x1c8 fs/hfs/bfind.c:16
sp : ffff80001f1d7150
x29: ffff80001f1d7150 x28: ffff700003e3ae40 x27: 0000000000000000
x26: ffff0000d8028180 x25: 0000000000000008 x24: dfff800000000000
x23: 0000000000000000 x22: ffff80001f1d7238 x21: 0000000000000040
x20: ffff80001f1d7220 x19: 0000000000000000 x18: 0000000000000000
x17: ffff800016d04000 x16: ffff8000082b6d9c x15: ffff8000167e4500
x14: ffff0000c8542540 x13: dfff800000000000 x12: 0000000000ff0100
x11: 0000000000000000 x10: 0000000000000000 x9 : ffff800008ec1404
x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000
x5 : ffff800016eadbf8 x4 : 0000000000000000 x3 : 0000000000000030
x2 : 0000000000000008 x1 : ffff80001f1d7220 x0 : ffff80001f1d7230
Call trace:
 hfs_find_init+0x6c/0x1c8 fs/hfs/bfind.c:21
 hfs_ext_read_extent fs/hfs/extent.c:200 [inline]
 hfs_get_block+0x3d4/0x9ec fs/hfs/extent.c:366
 block_read_full_page+0x298/0xc40 fs/buffer.c:2290
 hfs_readpage+0x28/0x38 fs/hfs/inode.c:39
 do_read_cache_page+0x5f4/0x8f8 mm/filemap.c:-1
 read_cache_page+0x68/0x88 mm/filemap.c:3574
 read_mapping_page include/linux/pagemap.h:515 [inline]
 hfs_btree_open+0x404/0xe58 fs/hfs/btree.c:78
 hfs_mdb_get+0xe94/0x19ec fs/hfs/mdb.c:199
 hfs_fill_super+0xc04/0x1180 fs/hfs/super.c:406
 mount_bdev+0x264/0x358 fs/super.c:1400
 hfs_mount+0x44/0x58 fs/hfs/super.c:458
 legacy_get_tree+0xd4/0x16c fs/fs_context.c:611
 vfs_get_tree+0x90/0x274 fs/super.c:1530
 do_new_mount+0x228/0x810 fs/namespace.c:3014
 path_mount+0x5b4/0x1000 fs/namespace.c:3344
 do_mount fs/namespace.c:3357 [inline]
 __do_sys_mount fs/namespace.c:3565 [inline]
 __se_sys_mount fs/namespace.c:3542 [inline]
 __arm64_sys_mount+0x514/0x5e4 fs/namespace.c:3542
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
 el0_svc+0x78/0x1e0 arch/arm64/kernel/entry-common.c:608
 el0t_64_sync_handler+0xcc/0xe4 arch/arm64/kernel/entry-common.c:626
 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
Code: 97e5ee50 91010275 f90002df d343feb9 (38f86b28)
---[ end trace 3a09ee7ad1ca4fc7 ]---
----------------
Code disassembly (best guess):
   0: 97e5ee50 bl 0xffffffffff97b940
   4: 91010275 add x21, x19, #0x40
   8: f90002df str xzr, [x22]
   c: d343feb9 lsr x25, x21, #3
* 10: 38f86b28 ldrsb w8, [x25, x24] <-- trapping instruction