[syzbot] [fs?] KASAN: use-after-free Read in hpfs_get_ea

[syzbot] [fs?] KASAN: use-after-free Read in hpfs_get_ea

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    155a3c003e55 Merge tag 'for-6.16/dm-fixes-2' of git://git...
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=166d6382580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f09d04131ef56b22
dashboard link: https://syzkaller.appspot.com/bug?extid=fa88eb476e42878f2844
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14b20d8c580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16ebe58c580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/8b4489a1d2de/disk-155a3c00.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/1c498d4c0c85/vmlinux-155a3c00.xz
kernel image: https://storage.googleapis.com/syzbot-assets/ea8acdf1d890/bzImage-155a3c00.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/e47f2d7541be/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+fa88eb476e42878f2844@syzkaller.appspotmail.com

hpfs: filesystem error: warning: spare dnodes used, try chkdsk
hpfs: You really don't want any checks? You are crazy...
hpfs: hpfs_map_sector(): read error
hpfs: code page support is disabled
==================================================================
BUG: KASAN: use-after-free in strcmp+0x6f/0xc0 lib/string.c:283
Read of size 1 at addr ffff8880116728a6 by task syz-executor411/6741

CPU: 1 UID: 0 PID: 6741 Comm: syz-executor411 Not tainted 6.16.0-rc6-syzkaller-00002-g155a3c003e55 #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x230 mm/kasan/report.c:480
 kasan_report+0x118/0x150 mm/kasan/report.c:593
 strcmp+0x6f/0xc0 lib/string.c:283
 hpfs_get_ea+0x114/0xdb0 fs/hpfs/ea.c:139
 hpfs_read_inode+0x19d/0x1010 fs/hpfs/inode.c:63
 hpfs_fill_super+0x12bd/0x2070 fs/hpfs/super.c:654
 get_tree_bdev_flags+0x40e/0x4d0 fs/super.c:1681
 vfs_get_tree+0x92/0x2b0 fs/super.c:1804
 do_new_mount+0x24a/0xa40 fs/namespace.c:3902
 do_mount fs/namespace.c:4239 [inline]
 __do_sys_mount fs/namespace.c:4450 [inline]
 __se_sys_mount+0x317/0x410 fs/namespace.c:4427
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f718b86112a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffee99fcba8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffee99fcbc0 RCX: 00007f718b86112a
RDX: 0000200000009e80 RSI: 0000200000009ec0 RDI: 00007ffee99fcbc0
RBP: 0000200000009ec0 R08: 00007ffee99fcc00 R09: 0000000000009dfd
R10: 0000000000000041 R11: 0000000000000286 R12: 0000200000009e80
R13: 0000000000000004 R14: 0000000000000003 R15: 00007ffee99fcc00
 </TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11672
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001ff38c8 ffffea0001ff3908 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), pid 5213, tgid 5213 (udevd), ts 38150701195, free_ts 195740390996
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1704
 prep_new_page mm/page_alloc.c:1712 [inline]
 get_page_from_freelist+0x21d5/0x22b0 mm/page_alloc.c:3669
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:4959
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2419
 folio_alloc_mpol_noprof+0x39/0x70 mm/mempolicy.c:2438
 shmem_alloc_folio mm/shmem.c:1851 [inline]
 shmem_alloc_and_add_folio+0x447/0xf60 mm/shmem.c:1890
 shmem_get_folio_gfp+0x59d/0x1660 mm/shmem.c:2536
 shmem_get_folio mm/shmem.c:2642 [inline]
 shmem_write_begin+0xf7/0x2b0 mm/shmem.c:3292
 generic_perform_write+0x2c7/0x910 mm/filemap.c:4112
 shmem_file_write_iter+0xf8/0x120 mm/shmem.c:3467
 new_sync_write fs/read_write.c:593 [inline]
 vfs_write+0x54b/0xa90 fs/read_write.c:686
 ksys_write+0x145/0x250 fs/read_write.c:738
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 6740 tgid 6740 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1248 [inline]
 free_unref_folios+0xcd2/0x1570 mm/page_alloc.c:2763
 folios_put_refs+0x559/0x640 mm/swap.c:992
 folio_batch_release include/linux/pagevec.h:101 [inline]
 shmem_undo_range+0x49e/0x14b0 mm/shmem.c:1125
 shmem_truncate_range mm/shmem.c:1237 [inline]
 shmem_evict_inode+0x272/0xa70 mm/shmem.c:1365
 evict+0x501/0x9c0 fs/inode.c:810
 __dentry_kill+0x209/0x660 fs/dcache.c:669
 shrink_kill+0xa9/0x2c0 fs/dcache.c:1114
 shrink_dentry_list+0x2e0/0x5e0 fs/dcache.c:1141
 shrink_dcache_parent+0xa1/0x2c0 fs/dcache.c:-1
 do_one_tree+0x23/0xe0 fs/dcache.c:1604
 shrink_dcache_for_umount+0xa0/0x170 fs/dcache.c:1621
 generic_shutdown_super+0x67/0x2c0 fs/super.c:621
 kill_anon_super fs/super.c:1282 [inline]
 kill_litter_super+0x76/0xb0 fs/super.c:1292
 deactivate_locked_super+0xbc/0x130 fs/super.c:474
 cleanup_mnt+0x425/0x4c0 fs/namespace.c:1417
 task_work_run+0x1d4/0x260 kernel/task_work.c:227

Memory state around the buggy address:
 ffff888011672780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888011672800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888011672880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                               ^
 ffff888011672900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888011672980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Forwarded: Private message regarding: [syzbot] [fs?] KASAN: use-after-free Read in hpfs_get_ea

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Private message regarding: [syzbot] [fs?] KASAN: use-after-free Read in hpfs_get_ea
Author: kapoorarnav43@gmail.com

#syz test 
From: Arnav Kapoor <kapoorarnav43@gmail.com>
Date: Fri, 18 Jul 2025 12:00:00 +0000
Subject: [PATCH] hpfs: fix use-after-free in hpfs_get_ea

Fix a use-after-free vulnerability in hpfs_get_ea() where corrupted
extended attribute data could cause strcmp() to access freed memory.

The issue occurs in the EA iteration loop where next_ea() can produce
invalid pointers due to insufficient validation of ea->namelen and
the calculated next EA position. This can lead to accessing memory
that has been freed or is outside valid boundaries.

Add proper bounds checking to ensure:
1. EA namelen is reasonable (< 256)
2. EA structure doesn't exceed the EA area bounds  
3. next_ea() result stays within valid EA boundaries

Reported-by: syzbot+fa88eb476e42878f2844@syzkaller.appspotmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Arnav Kapoor <kapoorarnav43@gmail.com>
---
 fs/hpfs/ea.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/fs/hpfs/ea.c b/fs/hpfs/ea.c
index 123456789abc..abcdef123456 100644
--- a/fs/hpfs/ea.c
+++ b/fs/hpfs/ea.c
@@ -135,8 +135,29 @@ char *hpfs_get_ea(struct super_block *s, struct fnode 
*fnode, char *key, int *s
  secno a;
  struct extended_attribute *ea;
  struct extended_attribute *ea_end = fnode_end_ea(fnode);
- for (ea = fnode_ea(fnode); ea < ea_end; ea = next_ea(ea))
+ for (ea = fnode_ea(fnode); ea < ea_end; ea = next_ea(ea)) {
+ /* Validate EA structure bounds */
+ if ((char *)ea + sizeof(*ea) > (char *)ea_end) {
+ hpfs_error(s, "EA structure exceeds bounds");
+ return NULL;
+ }
+ 
+ /* Validate namelen to prevent overflow */
+ if (ea->namelen >= 256) {
+ hpfs_error(s, "EA namelen too large: %d", ea->namelen);
+ return NULL;
+ }
+ 
+ /* Ensure name field is within bounds */
+ if ((char *)ea + 5 + ea->namelen > (char *)ea_end) {
+ hpfs_error(s, "EA name field exceeds bounds");
+ return NULL;
+ }
+ 
+ /* Validate next_ea() result will be within bounds */
+ if (next_ea(ea) > ea_end) {
+ hpfs_error(s, "next EA exceeds bounds");
+ return NULL;
+ }
+ 
  if (!strcmp(ea->name, key)) {
  if (ea_indirect(ea))
  return get_indirect_ea(s, ea_in_anode(ea), ea_sec(ea), *size = 
ea_len(ea));
@@ -147,6 +168,7 @@ char *hpfs_get_ea(struct super_block *s, struct fnode 
*fnode, char *key, int *s
  memcpy(ret, ea_data(ea), ea_valuelen(ea));
  ret[ea_valuelen(ea)] = 0;
  return ret;
+ }
  }
  a = le32_to_cpu(fnode->ea_secno);
  len = le32_to_cpu(fnode->ea_size_l);



On Friday, 18 July 2025 at 00:44:34 UTC+5:30 syzbot wrote:

Hello, 

syzbot found the following issue on: 

HEAD commit: 155a3c003e55 Merge tag 'for-6.16/dm-fixes-2' of git://git... 
git tree: upstream 
console+strace: https://syzkaller.appspot.com/x/log.txt?x=166d6382580000 
kernel config: https://syzkaller.appspot.com/x/.config?x=f09d04131ef56b22 
dashboard link: https://syzkaller.appspot.com/bug?extid=fa88eb476e42878f2844 
compiler: Debian clang version 20.1.7 
(++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 
20.1.7 
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14b20d8c580000 
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16ebe58c580000 

Downloadable assets: 
disk image: 
https://storage.googleapis.com/syzbot-assets/8b4489a1d2de/disk-155a3c00.raw.xz 
vmlinux: 
https://storage.googleapis.com/syzbot-assets/1c498d4c0c85/vmlinux-155a3c00.xz 
kernel image: 
https://storage.googleapis.com/syzbot-assets/ea8acdf1d890/bzImage-155a3c00.xz 
mounted in repro: 
https://storage.googleapis.com/syzbot-assets/e47f2d7541be/mount_0.gz 

IMPORTANT: if you fix the issue, please add the following tag to the 
commit: 
Reported-by: syzbot+fa88eb...@syzkaller.appspotmail.com 

hpfs: filesystem error: warning: spare dnodes used, try chkdsk 
hpfs: You really don't want any checks? You are crazy... 
hpfs: hpfs_map_sector(): read error 
hpfs: code page support is disabled 
================================================================== 
BUG: KASAN: use-after-free in strcmp+0x6f/0xc0 lib/string.c:283 
Read of size 1 at addr ffff8880116728a6 by task syz-executor411/6741 

CPU: 1 UID: 0 PID: 6741 Comm: syz-executor411 Not tainted 
6.16.0-rc6-syzkaller-00002-g155a3c003e55 #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS 
Google 05/07/2025 
Call Trace: 
<TASK> 
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 
print_address_description mm/kasan/report.c:378 [inline] 
print_report+0xca/0x230 mm/kasan/report.c:480 
kasan_report+0x118/0x150 mm/kasan/report.c:593 
strcmp+0x6f/0xc0 lib/string.c:283 
hpfs_get_ea+0x114/0xdb0 fs/hpfs/ea.c:139 
hpfs_read_inode+0x19d/0x1010 fs/hpfs/inode.c:63 
hpfs_fill_super+0x12bd/0x2070 fs/hpfs/super.c:654 
get_tree_bdev_flags+0x40e/0x4d0 fs/super.c:1681 
vfs_get_tree+0x92/0x2b0 fs/super.c:1804 
do_new_mount+0x24a/0xa40 fs/namespace.c:3902 
do_mount fs/namespace.c:4239 [inline] 
__do_sys_mount fs/namespace.c:4450 [inline] 
__se_sys_mount+0x317/0x410 fs/namespace.c:4427 
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] 
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 
entry_SYSCALL_64_after_hwframe+0x77/0x7f 
RIP: 0033:0x7f718b86112a 
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 
00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff 
ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 
RSP: 002b:00007ffee99fcba8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 
RAX: ffffffffffffffda RBX: 00007ffee99fcbc0 RCX: 00007f718b86112a 
RDX: 0000200000009e80 RSI: 0000200000009ec0 RDI: 00007ffee99fcbc0 
RBP: 0000200000009ec0 R08: 00007ffee99fcc00 R09: 0000000000009dfd 
R10: 0000000000000041 R11: 0000000000000286 R12: 0000200000009e80 
R13: 0000000000000004 R14: 0000000000000003 R15: 00007ffee99fcc00 
</TASK> 

The buggy address belongs to the physical page: 
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11672 
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) 
raw: 00fff00000000000 ffffea0001ff38c8 ffffea0001ff3908 0000000000000000 
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 
page dumped because: kasan: bad access detected 
page_owner tracks the page as freed 
page last allocated via order 0, migratetype Movable, gfp_mask 
0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), pid 5213, tgid 5213 (udevd), ts 
38150701195, free_ts 195740390996 
set_page_owner include/linux/page_owner.h:32 [inline] 
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1704 
prep_new_page mm/page_alloc.c:1712 [inline] 
get_page_from_freelist+0x21d5/0x22b0 mm/page_alloc.c:3669 
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:4959 
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2419 
folio_alloc_mpol_noprof+0x39/0x70 mm/mempolicy.c:2438 
shmem_alloc_folio mm/shmem.c:1851 [inline] 
shmem_alloc_and_add_folio+0x447/0xf60 mm/shmem.c:1890 
shmem_get_folio_gfp+0x59d/0x1660 mm/shmem.c:2536 
shmem_get_folio mm/shmem.c:2642 [inline] 
shmem_write_begin+0xf7/0x2b0 mm/shmem.c:3292 
generic_perform_write+0x2c7/0x910 mm/filemap.c:4112 
shmem_file_write_iter+0xf8/0x120 mm/shmem.c:3467 
new_sync_write fs/read_write.c:593 [inline] 
vfs_write+0x54b/0xa90 fs/read_write.c:686 
ksys_write+0x145/0x250 fs/read_write.c:738 
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] 
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 
entry_SYSCALL_64_after_hwframe+0x77/0x7f 
page last free pid 6740 tgid 6740 stack trace: 
reset_page_owner include/linux/page_owner.h:25 [inline] 
free_pages_prepare mm/page_alloc.c:1248 [inline] 
free_unref_folios+0xcd2/0x1570 mm/page_alloc.c:2763 
folios_put_refs+0x559/0x640 mm/swap.c:992 
folio_batch_release include/linux/pagevec.h:101 [inline] 
shmem_undo_range+0x49e/0x14b0 mm/shmem.c:1125 
shmem_truncate_range mm/shmem.c:1237 [inline] 
shmem_evict_inode+0x272/0xa70 mm/shmem.c:1365 
evict+0x501/0x9c0 fs/inode.c:810 
__dentry_kill+0x209/0x660 fs/dcache.c:669 
shrink_kill+0xa9/0x2c0 fs/dcache.c:1114 
shrink_dentry_list+0x2e0/0x5e0 fs/dcache.c:1141 
shrink_dcache_parent+0xa1/0x2c0 fs/dcache.c:-1 
do_one_tree+0x23/0xe0 fs/dcache.c:1604 
shrink_dcache_for_umount+0xa0/0x170 fs/dcache.c:1621 
generic_shutdown_super+0x67/0x2c0 fs/super.c:621 
kill_anon_super fs/super.c:1282 [inline] 
kill_litter_super+0x76/0xb0 fs/super.c:1292 
deactivate_locked_super+0xbc/0x130 fs/super.c:474 
cleanup_mnt+0x425/0x4c0 fs/namespace.c:1417 
task_work_run+0x1d4/0x260 kernel/task_work.c:227 

Memory state around the buggy address: 
ffff888011672780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 
ffff888011672800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 
>ffff888011672880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 
^ 
ffff888011672900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 
ffff888011672980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 
================================================================== 


--- 
This report is generated by a bot. It may contain errors. 
See https://goo.gl/tpsmEJ for more information about syzbot. 
syzbot engineers can be reached at syzk...@googlegroups.com. 

syzbot will keep track of this issue. See: 
https://goo.gl/tpsmEJ#status for how to communicate with syzbot. 

If the report is already addressed, let syzbot know by replying with: 
#syz fix: exact-commit-title 

If you want syzbot to run the reproducer, reply with: 
#syz test: git://repo/address.git branch-or-commit-hash 
If you attach or paste a git patch, syzbot will apply it before testing. 

If you want to overwrite report's subsystems, reply with: 
#syz set subsystems: new-subsystem 
(See the list of subsystem names on the web dashboard) 

If the report is a duplicate of another one, reply with: 
#syz dup: exact-subject-of-another-report 

If you want to undo deduplication, reply with: 
#syz undup 

Re: [syzbot] [fs?] KASAN: use-after-free Read in hpfs_get_ea

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file fs/hpfs/ea.c
patch: **** malformed patch at line 36:   if (ea_indirect(ea))




Tested on:

commit:         6832a931 Merge tag 'net-6.16-rc7' of git://git.kernel...
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=f09d04131ef56b22
dashboard link: https://syzkaller.appspot.com/bug?extid=fa88eb476e42878f2844
compiler:       
patch:          https://syzkaller.appspot.com/x/patch.diff?x=129db382580000

Forwarded: Private message regarding: [syzbot] [fs?] KASAN: use-after-free Read in hpfs_get_ea

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Private message regarding: [syzbot] [fs?] KASAN: use-after-free Read in hpfs_get_ea
Author: kapoorarnav43@gmail.com

#syz test 

From: Arnav Kapoor <kapoorarnav43@gmail.com>
Date: Fri, 18 Jul 2025 12:00:00 +0000
Subject: [PATCH] hpfs: fix use-after-free in hpfs_get_ea

Fix a use-after-free vulnerability in hpfs_get_ea() where corrupted
extended attribute data could cause strcmp() to access freed memory.

The issue occurs in the EA iteration loop where next_ea() can produce
invalid pointers due to insufficient validation of ea->namelen and
the calculated next EA position. This can lead to accessing memory
that has been freed or is outside valid boundaries.

Add proper bounds checking to ensure:
1. EA namelen is reasonable (< 256)
2. EA structure doesn't exceed the EA area bounds  
3. next_ea() result stays within valid EA boundaries

Reported-by: syzbot+fa88eb476e42878f2844@syzkaller.appspotmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Arnav Kapoor <kapoorarnav43@gmail.com>
---
 fs/hpfs/ea.c | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/fs/hpfs/ea.c b/fs/hpfs/ea.c
index 102ba18e561f..7e6e43010fec 100644
--- a/fs/hpfs/ea.c
+++ b/fs/hpfs/ea.c
@@ -135,7 +135,31 @@ char *hpfs_get_ea(struct super_block *s, struct fnode 
*fnode, char *key, int *si
  secno a;
  struct extended_attribute *ea;
  struct extended_attribute *ea_end = fnode_end_ea(fnode);
- for (ea = fnode_ea(fnode); ea < ea_end; ea = next_ea(ea))
+ for (ea = fnode_ea(fnode); ea < ea_end; ea = next_ea(ea)) {
+ /* Validate EA structure bounds */
+ if ((char *)ea + sizeof(*ea) > (char *)ea_end) {
+ hpfs_error(s, "EA structure exceeds bounds");
+ return NULL;
+ }
+ 
+ /* Validate namelen to prevent overflow */
+ if (ea->namelen >= 256) {
+ hpfs_error(s, "EA namelen too large: %d", ea->namelen);
+ return NULL;
+ }
+ 
+ /* Ensure name field is within bounds */
+ if ((char *)ea + 5 + ea->namelen > (char *)ea_end) {
+ hpfs_error(s, "EA name field exceeds bounds");
+ return NULL;
+ }
+ 
+ /* Validate next_ea() result will be within bounds */
+ if (next_ea(ea) > ea_end) {
+ hpfs_error(s, "next EA exceeds bounds");
+ return NULL;
+ }
+ 
  if (!strcmp(ea->name, key)) {
  if (ea_indirect(ea))
  return get_indirect_ea(s, ea_in_anode(ea), ea_sec(ea), *size = 
ea_len(ea));
@@ -147,6 +171,7 @@ char *hpfs_get_ea(struct super_block *s, struct fnode 
*fnode, char *key, int *si
  ret[ea_valuelen(ea)] = 0;
  return ret;
  }
+ }
  a = le32_to_cpu(fnode->ea_secno);
  len = le32_to_cpu(fnode->ea_size_l);
  ano = fnode_in_anode(fnode);


On Friday, 18 July 2025 at 18:10:08 UTC+5:30 syzbot wrote:

Hello, 

syzbot tried to test the proposed patch but the build/boot failed: 

failed to apply patch: 
checking file fs/hpfs/ea.c 
patch: **** malformed patch at line 36: if (ea_indirect(ea)) 




Tested on: 

commit: 6832a931 Merge tag 'net-6.16-rc7' of git://git.kernel... 
git tree: upstream 
kernel config: https://syzkaller.appspot.com/x/.config?x=f09d04131ef56b22 
dashboard link: https://syzkaller.appspot.com/bug?extid=fa88eb476e42878f2844 
compiler: 
patch: https://syzkaller.appspot.com/x/patch.diff?x=129db382580000 

Re: [syzbot] [fs?] KASAN: use-after-free Read in hpfs_get_ea

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in hpfs_get_ea

hpfs: filesystem error: warning: spare dnodes used, try chkdsk
hpfs: You really don't want any checks? You are crazy...
hpfs: hpfs_map_sector(): read error
hpfs: code page support is disabled
==================================================================
BUG: KASAN: use-after-free in hpfs_get_ea+0x1f7/0xca0 fs/hpfs/ea.c:146
Read of size 1 at addr ffff8880719ea8a3 by task syz.0.16/6612

CPU: 0 UID: 0 PID: 6612 Comm: syz.0.16 Not tainted 6.16.0-rc6-syzkaller-00121-g6832a9317eee-dirty #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x230 mm/kasan/report.c:480
 kasan_report+0x118/0x150 mm/kasan/report.c:593
 hpfs_get_ea+0x1f7/0xca0 fs/hpfs/ea.c:146
 hpfs_read_inode+0x19d/0x1010 fs/hpfs/inode.c:63
 hpfs_fill_super+0x12bd/0x2070 fs/hpfs/super.c:654
 get_tree_bdev_flags+0x40e/0x4d0 fs/super.c:1681
 vfs_get_tree+0x8f/0x2b0 fs/super.c:1804
 do_new_mount+0x24a/0xa40 fs/namespace.c:3902
 do_mount fs/namespace.c:4239 [inline]
 __do_sys_mount fs/namespace.c:4450 [inline]
 __se_sys_mount+0x317/0x410 fs/namespace.c:4427
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb45e3900ca
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb45f2c9e68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fb45f2c9ef0 RCX: 00007fb45e3900ca
RDX: 0000200000009e80 RSI: 0000200000009ec0 RDI: 00007fb45f2c9eb0
RBP: 0000200000009e80 R08: 00007fb45f2c9ef0 R09: 0000000000000041
R10: 0000000000000041 R11: 0000000000000246 R12: 0000200000009ec0
R13: 00007fb45f2c9eb0 R14: 0000000000009e02 R15: 0000200000009fc0
 </TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x7fdaad200 pfn:0x719ea
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001c67988 ffffea0001c61d88 0000000000000000
raw: 00000007fdaad200 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO|__GFP_COMP), pid 6566, tgid 6566 (sed), ts 134996856935, free_ts 135030622689
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1704
 prep_new_page mm/page_alloc.c:1712 [inline]
 get_page_from_freelist+0x21d5/0x22b0 mm/page_alloc.c:3669
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:4959
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2419
 folio_alloc_mpol_noprof mm/mempolicy.c:2438 [inline]
 vma_alloc_folio_noprof+0xe4/0x200 mm/mempolicy.c:2473
 folio_prealloc+0x30/0x180 mm/memory.c:-1
 alloc_anon_folio mm/memory.c:5014 [inline]
 do_anonymous_page mm/memory.c:5071 [inline]
 do_pte_missing mm/memory.c:4249 [inline]
 handle_pte_fault mm/memory.c:6069 [inline]
 __handle_mm_fault+0x2c88/0x5620 mm/memory.c:6212
 handle_mm_fault+0x2d5/0x7f0 mm/memory.c:6381
 do_user_addr_fault+0xa81/0x1390 arch/x86/mm/fault.c:1336
 handle_page_fault arch/x86/mm/fault.c:1476 [inline]
 exc_page_fault+0x76/0xf0 arch/x86/mm/fault.c:1532
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
page last free pid 6566 tgid 6566 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1248 [inline]
 free_unref_folios+0xcd2/0x1570 mm/page_alloc.c:2763
 folios_put_refs+0x559/0x640 mm/swap.c:992
 free_pages_and_swap_cache+0x277/0x520 mm/swap_state.c:264
 __tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline]
 tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:397 [inline]
 tlb_flush_mmu+0x3a0/0x680 mm/mmu_gather.c:404
 tlb_finish_mmu+0xc3/0x1d0 mm/mmu_gather.c:497
 exit_mmap+0x44c/0xb50 mm/mmap.c:1297
 __mmput+0x118/0x410 kernel/fork.c:1121
 exit_mm+0x1da/0x2c0 kernel/exit.c:581
 do_exit+0x648/0x22e0 kernel/exit.c:952
 do_group_exit+0x21c/0x2d0 kernel/exit.c:1105
 __do_sys_exit_group kernel/exit.c:1116 [inline]
 __se_sys_exit_group kernel/exit.c:1114 [inline]
 __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1114
 x64_sys_call+0x21ba/0x21c0 arch/x86/include/generated/asm/syscalls_64.h:232
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff8880719ea780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8880719ea800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8880719ea880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                               ^
 ffff8880719ea900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8880719ea980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


Tested on:

commit:         6832a931 Merge tag 'net-6.16-rc7' of git://git.kernel...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=155f38f0580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f09d04131ef56b22
dashboard link: https://syzkaller.appspot.com/bug?extid=fa88eb476e42878f2844
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1644fd8c580000

Forwarded: Private message regarding: [syzbot] [fs?] KASAN: use-after-free Read in hpfs_get_ea

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Private message regarding: [syzbot] [fs?] KASAN: use-after-free Read in hpfs_get_ea
Author: kapoorarnav43@gmail.com

#syz test

Subject: [PATCH] hpfs: fix use-after-free in hpfs_get_ea

Fix a use-after-free vulnerability in hpfs_get_ea() where corrupted
extended attribute data could cause strcmp() to access freed memory.

The issue occurs in both EA iteration loops where next_ea() can produce
invalid pointers due to insufficient validation of ea->namelen and the
calculated next EA position. This can lead to accessing memory that has
been freed or is outside valid boundaries.

The vulnerability manifests when strcmp(ea->name, key) is called with
ea pointing to corrupted memory. Add comprehensive bounds checking:

1. First loop (fnode EA area): Validate EA structure, namelen bounds,
   name field boundaries, and next_ea() results before strcmp()
2. Second loop (external EA): Validate namelen and buffer bounds after
   reading EA data from disk before strcmp()

This addresses both the original crash at line 139 and prevents the
secondary crash that would occur at the external EA strcmp() call.

Reported-by: syzbot+fa88eb476e42878f2844@syzkaller.appspotmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Arnav Kapoor <kapoorarnav43@gmail.com>

---
 fs/hpfs/ea.c | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/fs/hpfs/ea.c b/fs/hpfs/ea.c
index 102ba18e561f..ab1234567890 100644
--- a/fs/hpfs/ea.c
+++ b/fs/hpfs/ea.c
@@ -135,7 +135,31 @@ char *hpfs_get_ea(struct super_block *s, struct fnode 
*fnode, char *key, int *si
  secno a;
  struct extended_attribute *ea;
  struct extended_attribute *ea_end = fnode_end_ea(fnode);
- for (ea = fnode_ea(fnode); ea < ea_end; ea = next_ea(ea))
+ for (ea = fnode_ea(fnode); ea < ea_end; ea = next_ea(ea)) {
+ /* Validate EA structure bounds */
+ if ((char *)ea + sizeof(*ea) > (char *)ea_end) {
+ hpfs_error(s, "EA structure exceeds bounds");
+ return NULL;
+ }
+
+ /* Validate namelen to prevent overflow */
+ if (ea->namelen >= 256) {
+ hpfs_error(s, "EA namelen too large: %d", ea->namelen);
+ return NULL;
+ }
+
+ /* Ensure name field is within bounds */
+ if ((char *)ea + 5 + ea->namelen > (char *)ea_end) {
+ hpfs_error(s, "EA name field exceeds bounds");
+ return NULL;
+ }
+
+ /* Validate next_ea() result will be within bounds */
+ if (next_ea(ea) > ea_end) {
+ hpfs_error(s, "next EA exceeds bounds");
+ return NULL;
+ }
+
  if (!strcmp(ea->name, key)) {
  if (ea_indirect(ea))
  return get_indirect_ea(s, ea_in_anode(ea), ea_sec(ea), *size = 
ea_len(ea));
@@ -147,6 +171,7 @@ char *hpfs_get_ea(struct super_block *s, struct fnode 
*fnode, char *key, int *si
  ret[ea_valuelen(ea)] = 0;
  return ret;
  }
+ }
  a = le32_to_cpu(fnode->ea_secno);
  len = le32_to_cpu(fnode->ea_size_l);
  ano = fnode_in_anode(fnode);
@@ -162,6 +187,14 @@ char *hpfs_get_ea(struct super_block *s, struct fnode 
*fnode, char *key, int *si
  if (hpfs_ea_read(s, a, ano, pos, 4, ex)) return NULL;
  if (hpfs_ea_read(s, a, ano, pos + 4, ea->namelen + 1 + (ea_indirect(ea) ? 
8 : 0), ex + 4))
  return NULL;
+
+ /* Validate namelen after reading EA data from disk */
+ if (ea->namelen >= 256) {
+ hpfs_error(s, "EA namelen too large in external EA: %d", ea->namelen);
+ return NULL;
+ }
+
+ /* Ensure name field doesn't exceed buffer bounds */
+ if (ea->namelen + 1 > sizeof(ex) - 4) {
+ hpfs_error(s, "EA name exceeds buffer in external EA");
+ return NULL;
+ }
+
  if (!strcmp(ea->name, key)) {
  if (ea_indirect(ea))
  return get_indirect_ea(s, ea_in_anode(ea), ea_sec(ea), *size = 
ea_len(ea));
-- 
2.34.1


On Friday, 18 July 2025 at 18:57:03 UTC+5:30 syzbot wrote:

Hello, 

syzbot has tested the proposed patch but the reproducer is still triggering 
an issue: 
KASAN: use-after-free Read in hpfs_get_ea 

hpfs: filesystem error: warning: spare dnodes used, try chkdsk 
hpfs: You really don't want any checks? You are crazy... 
hpfs: hpfs_map_sector(): read error 
hpfs: code page support is disabled 
================================================================== 
BUG: KASAN: use-after-free in hpfs_get_ea+0x1f7/0xca0 fs/hpfs/ea.c:146 
Read of size 1 at addr ffff8880719ea8a3 by task syz.0.16/6612 

CPU: 0 UID: 0 PID: 6612 Comm: syz.0.16 Not tainted 
6.16.0-rc6-syzkaller-00121-g6832a9317eee-dirty #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS 
Google 05/07/2025 
Call Trace: 
<TASK> 
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 
print_address_description mm/kasan/report.c:378 [inline] 
print_report+0xca/0x230 mm/kasan/report.c:480 
kasan_report+0x118/0x150 mm/kasan/report.c:593 
hpfs_get_ea+0x1f7/0xca0 fs/hpfs/ea.c:146 
hpfs_read_inode+0x19d/0x1010 fs/hpfs/inode.c:63 
hpfs_fill_super+0x12bd/0x2070 fs/hpfs/super.c:654 
get_tree_bdev_flags+0x40e/0x4d0 fs/super.c:1681 
vfs_get_tree+0x8f/0x2b0 fs/super.c:1804 
do_new_mount+0x24a/0xa40 fs/namespace.c:3902 
do_mount fs/namespace.c:4239 [inline] 
__do_sys_mount fs/namespace.c:4450 [inline] 
__se_sys_mount+0x317/0x410 fs/namespace.c:4427 
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] 
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 
entry_SYSCALL_64_after_hwframe+0x77/0x7f 
RIP: 0033:0x7fb45e3900ca 
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 
00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff 
ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 
RSP: 002b:00007fb45f2c9e68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 
RAX: ffffffffffffffda RBX: 00007fb45f2c9ef0 RCX: 00007fb45e3900ca 
RDX: 0000200000009e80 RSI: 0000200000009ec0 RDI: 00007fb45f2c9eb0 
RBP: 0000200000009e80 R08: 00007fb45f2c9ef0 R09: 0000000000000041 
R10: 0000000000000041 R11: 0000000000000246 R12: 0000200000009ec0 
R13: 00007fb45f2c9eb0 R14: 0000000000009e02 R15: 0000200000009fc0 
</TASK> 

The buggy address belongs to the physical page: 
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x7fdaad200 
pfn:0x719ea 
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) 
raw: 00fff00000000000 ffffea0001c67988 ffffea0001c61d88 0000000000000000 
raw: 00000007fdaad200 0000000000000000 00000000ffffffff 0000000000000000 
page dumped because: kasan: bad access detected 
page_owner tracks the page as freed 
page last allocated via order 0, migratetype Movable, gfp_mask 
0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO|__GFP_COMP), pid 6566, tgid 6566 
(sed), ts 134996856935, free_ts 135030622689 
set_page_owner include/linux/page_owner.h:32 [inline] 
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1704 
prep_new_page mm/page_alloc.c:1712 [inline] 
get_page_from_freelist+0x21d5/0x22b0 mm/page_alloc.c:3669 
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:4959 
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2419 
folio_alloc_mpol_noprof mm/mempolicy.c:2438 [inline] 
vma_alloc_folio_noprof+0xe4/0x200 mm/mempolicy.c:2473 
folio_prealloc+0x30/0x180 mm/memory.c:-1 
alloc_anon_folio mm/memory.c:5014 [inline] 
do_anonymous_page mm/memory.c:5071 [inline] 
do_pte_missing mm/memory.c:4249 [inline] 
handle_pte_fault mm/memory.c:6069 [inline] 
__handle_mm_fault+0x2c88/0x5620 mm/memory.c:6212 
handle_mm_fault+0x2d5/0x7f0 mm/memory.c:6381 
do_user_addr_fault+0xa81/0x1390 arch/x86/mm/fault.c:1336 
handle_page_fault arch/x86/mm/fault.c:1476 [inline] 
exc_page_fault+0x76/0xf0 arch/x86/mm/fault.c:1532 
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623 
page last free pid 6566 tgid 6566 stack trace: 
reset_page_owner include/linux/page_owner.h:25 [inline] 
free_pages_prepare mm/page_alloc.c:1248 [inline] 
free_unref_folios+0xcd2/0x1570 mm/page_alloc.c:2763 
folios_put_refs+0x559/0x640 mm/swap.c:992 
free_pages_and_swap_cache+0x277/0x520 mm/swap_state.c:264 
__tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline] 
tlb_batch_pages_flush mm/mmu_gather.c:149 [inline] 
tlb_flush_mmu_free mm/mmu_gather.c:397 [inline] 
tlb_flush_mmu+0x3a0/0x680 mm/mmu_gather.c:404 
tlb_finish_mmu+0xc3/0x1d0 mm/mmu_gather.c:497 
exit_mmap+0x44c/0xb50 mm/mmap.c:1297 
__mmput+0x118/0x410 kernel/fork.c:1121 
exit_mm+0x1da/0x2c0 kernel/exit.c:581 
do_exit+0x648/0x22e0 kernel/exit.c:952 
do_group_exit+0x21c/0x2d0 kernel/exit.c:1105 
__do_sys_exit_group kernel/exit.c:1116 [inline] 
__se_sys_exit_group kernel/exit.c:1114 [inline] 
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1114 
x64_sys_call+0x21ba/0x21c0 arch/x86/include/generated/asm/syscalls_64.h:232 
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] 
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 
entry_SYSCALL_64_after_hwframe+0x77/0x7f 

Memory state around the buggy address: 
ffff8880719ea780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 
ffff8880719ea800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 
>ffff8880719ea880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 
^ 
ffff8880719ea900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 
ffff8880719ea980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 
================================================================== 


Tested on: 

commit: 6832a931 Merge tag 'net-6.16-rc7' of git://git.kernel... 
git tree: upstream 
console output: https://syzkaller.appspot.com/x/log.txt?x=155f38f0580000 
kernel config: https://syzkaller.appspot.com/x/.config?x=f09d04131ef56b22 
dashboard link: https://syzkaller.appspot.com/bug?extid=fa88eb476e42878f2844 
compiler: Debian clang version 20.1.7 
(++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 
20.1.7 
patch: https://syzkaller.appspot.com/x/patch.diff?x=1644fd8c580000 

Re: [syzbot] [fs?] KASAN: use-after-free Read in hpfs_get_ea

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file fs/hpfs/ea.c
Hunk #1 succeeded at 135 with fuzz 1.
patch: **** malformed patch at line 61: + }




Tested on:

commit:         414aaef1 Merge tag 'riscv-for-linus-6.16-rc7' of git:/..
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=f09d04131ef56b22
dashboard link: https://syzkaller.appspot.com/bug?extid=fa88eb476e42878f2844
compiler:       
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1165038c580000

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: purvayeshi550@gmail.com

#syz-test

Re: [syzbot] [fs?] KASAN: use-after-free Read in hpfs_get_ea

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in hpfs_get_ea

hpfs: filesystem error: improperly stopped
hpfs: filesystem error: warning: spare dnodes used, try chkdsk
hpfs: You really don't want any checks? You are crazy...
hpfs: hpfs_map_sector(): read error
hpfs: code page support is disabled
==================================================================
BUG: KASAN: use-after-free in hpfs_get_ea+0x1e4/0xcb0 fs/hpfs/ea.c:140
Read of size 1 at addr ffff888066cc98a3 by task syz.0.17/6635

CPU: 0 UID: 0 PID: 6635 Comm: syz.0.17 Not tainted 6.16.0-rc6-syzkaller-00253-g4871b7cb27f4-dirty #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x230 mm/kasan/report.c:480
 kasan_report+0x118/0x150 mm/kasan/report.c:593
 hpfs_get_ea+0x1e4/0xcb0 fs/hpfs/ea.c:140
 hpfs_read_inode+0x19d/0x1010 fs/hpfs/inode.c:63
 hpfs_fill_super+0x12bd/0x2070 fs/hpfs/super.c:654
 get_tree_bdev_flags+0x40e/0x4d0 fs/super.c:1681
 vfs_get_tree+0x8f/0x2b0 fs/super.c:1804
 do_new_mount+0x24a/0xa40 fs/namespace.c:3902
 do_mount fs/namespace.c:4239 [inline]
 __do_sys_mount fs/namespace.c:4450 [inline]
 __se_sys_mount+0x317/0x410 fs/namespace.c:4427
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f962d1900ca
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f962df7fe68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f962df7fef0 RCX: 00007f962d1900ca
RDX: 0000200000009e80 RSI: 0000200000009ec0 RDI: 00007f962df7feb0
RBP: 0000200000009e80 R08: 00007f962df7fef0 R09: 0000000000000041
R10: 0000000000000041 R11: 0000000000000246 R12: 0000200000009ec0
R13: 00007f962df7feb0 R14: 0000000000009e02 R15: 0000200000009fc0
 </TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x3 pfn:0x66cc9
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001a32348 ffffea0001c6d988 0000000000000000
raw: 0000000000000003 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), pid 6622, tgid 6622 (sed), ts 137283206252, free_ts 137322824885
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1704
 prep_new_page mm/page_alloc.c:1712 [inline]
 get_page_from_freelist+0x21d5/0x22b0 mm/page_alloc.c:3669
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:4959
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2419
 folio_alloc_mpol_noprof mm/mempolicy.c:2438 [inline]
 vma_alloc_folio_noprof+0xe4/0x200 mm/mempolicy.c:2473
 folio_prealloc+0x30/0x180 mm/memory.c:-1
 do_cow_fault mm/memory.c:5614 [inline]
 do_fault mm/memory.c:5726 [inline]
 do_pte_missing mm/memory.c:4251 [inline]
 handle_pte_fault mm/memory.c:6069 [inline]
 __handle_mm_fault+0x183f/0x5620 mm/memory.c:6212
 handle_mm_fault+0x2d5/0x7f0 mm/memory.c:6381
 do_user_addr_fault+0x764/0x1390 arch/x86/mm/fault.c:1387
 handle_page_fault arch/x86/mm/fault.c:1476 [inline]
 exc_page_fault+0x76/0xf0 arch/x86/mm/fault.c:1532
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
page last free pid 6622 tgid 6622 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1248 [inline]
 free_unref_folios+0xcd2/0x1570 mm/page_alloc.c:2763
 folios_put_refs+0x559/0x640 mm/swap.c:992
 free_pages_and_swap_cache+0x4be/0x520 mm/swap_state.c:267
 __tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline]
 tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:397 [inline]
 tlb_flush_mmu+0x3a0/0x680 mm/mmu_gather.c:404
 tlb_finish_mmu+0xc3/0x1d0 mm/mmu_gather.c:497
 exit_mmap+0x44c/0xb50 mm/mmap.c:1297
 __mmput+0x118/0x410 kernel/fork.c:1121
 exit_mm+0x1da/0x2c0 kernel/exit.c:581
 do_exit+0x648/0x22e0 kernel/exit.c:952
 do_group_exit+0x21c/0x2d0 kernel/exit.c:1105
 __do_sys_exit_group kernel/exit.c:1116 [inline]
 __se_sys_exit_group kernel/exit.c:1114 [inline]
 __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1114
 x64_sys_call+0x21ba/0x21c0 arch/x86/include/generated/asm/syscalls_64.h:232
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff888066cc9780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888066cc9800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888066cc9880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                               ^
 ffff888066cc9900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888066cc9980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


Tested on:

commit:         4871b7cb Merge tag 'v6.16-rc6-smb3-client-fixes' of gi..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11773d8c580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f09d04131ef56b22
dashboard link: https://syzkaller.appspot.com/bug?extid=fa88eb476e42878f2844
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch:          https://syzkaller.appspot.com/x/patch.diff?x=13473d8c580000

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: purvayeshi550@gmail.com

#syz-test

Re: [syzbot] [fs?] KASAN: use-after-free Read in hpfs_get_ea

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

fs/hpfs/ea.c:139:54: error: no member named 'ea_off' in 'struct fnode'
fs/hpfs/ea.c:139:70: error: no member named 'ea_size' in 'struct fnode'
fs/hpfs/ea.c:140:41: error: no member named 'name_len' in 'struct extended_attribute'; did you mean 'namelen'?
fs/hpfs/ea.c:143:57: error: no member named 'ea_off' in 'struct fnode'
fs/hpfs/ea.c:143:73: error: no member named 'ea_size' in 'struct fnode'
fs/hpfs/ea.c:146:17: error: no member named 'name_len' in 'struct extended_attribute'; did you mean 'namelen'?
fs/hpfs/ea.c:149:56: error: no member named 'ea_off' in 'struct fnode'
fs/hpfs/ea.c:149:72: error: no member named 'ea_size' in 'struct fnode'
fs/hpfs/ea.c:152:11: error: no member named 'name_len' in 'struct extended_attribute'
fs/hpfs/ea.c:152:23: error: use of undeclared identifier 'aname'
fs/hpfs/ea.c:152:55: error: use of undeclared identifier 'aname'
fs/hpfs/ea.c:153:12: error: no member named 'type' in 'struct extended_attribute'
fs/hpfs/ea.c:154:27: error: no member named 'size' in 'struct extended_attribute'
fs/hpfs/ea.c:154:6: error: use of undeclared identifier 'buffer'
fs/hpfs/ea.c:155:11: error: use of undeclared identifier 'buffer'
fs/hpfs/ea.c:156:13: error: incompatible integer to pointer conversion returning 'int' from a function with result type 'char *' [-Wint-conversion]
fs/hpfs/ea.c:157:50: error: no member named 'size' in 'struct extended_attribute'


Tested on:

commit:         f4a40a42 Merge tag 'efi-fixes-for-v6.16-2' of git://gi..
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=f09d04131ef56b22
dashboard link: https://syzkaller.appspot.com/bug?extid=fa88eb476e42878f2844
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch:          https://syzkaller.appspot.com/x/patch.diff?x=13b084f0580000

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: purvayeshi550@gmail.com

#syz-test

Re: [syzbot] [fs?] KASAN: use-after-free Read in hpfs_get_ea

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in hpfs_get_ea

hpfs: filesystem error: invalid number of hotfixes: 2066844986, used: 2066844985; already mounted read-only
hpfs: filesystem error: improperly stopped
hpfs: filesystem error: warning: spare dnodes used, try chkdsk
hpfs: You really don't want any checks? You are crazy...
hpfs: hpfs_map_sector(): read error
hpfs: code page support is disabled
==================================================================
BUG: KASAN: use-after-free in hpfs_get_ea+0x1ee/0xc90 fs/hpfs/ea.c:144
Read of size 1 at addr ffff88806051d8a3 by task syz.0.16/6564

CPU: 1 UID: 0 PID: 6564 Comm: syz.0.16 Not tainted 6.16.0-rc6-syzkaller-00281-gf4a40a4282f4-dirty #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x230 mm/kasan/report.c:480
 kasan_report+0x118/0x150 mm/kasan/report.c:593
 hpfs_get_ea+0x1ee/0xc90 fs/hpfs/ea.c:144
 hpfs_read_inode+0x19d/0x1010 fs/hpfs/inode.c:63
 hpfs_fill_super+0x12bd/0x2070 fs/hpfs/super.c:654
 get_tree_bdev_flags+0x40e/0x4d0 fs/super.c:1681
 vfs_get_tree+0x8f/0x2b0 fs/super.c:1804
 do_new_mount+0x24a/0xa40 fs/namespace.c:3902
 do_mount fs/namespace.c:4239 [inline]
 __do_sys_mount fs/namespace.c:4450 [inline]
 __se_sys_mount+0x317/0x410 fs/namespace.c:4427
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2b0bb900ca
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f2b0ca8de68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f2b0ca8def0 RCX: 00007f2b0bb900ca
RDX: 0000200000009e80 RSI: 0000200000009ec0 RDI: 00007f2b0ca8deb0
RBP: 0000200000009e80 R08: 00007f2b0ca8def0 R09: 0000000000000041
R10: 0000000000000041 R11: 0000000000000246 R12: 0000200000009ec0
R13: 00007f2b0ca8deb0 R14: 0000000000009e02 R15: 0000200000009fc0
 </TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0x6051d
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea00017f91c8 ffffea0001814508 0000000000000000
raw: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), pid 6526, tgid 6526 (sed), ts 155457290558, free_ts 155502026680
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1704
 prep_new_page mm/page_alloc.c:1712 [inline]
 get_page_from_freelist+0x21d5/0x22b0 mm/page_alloc.c:3669
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:4959
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2419
 folio_alloc_mpol_noprof mm/mempolicy.c:2438 [inline]
 vma_alloc_folio_noprof+0xe4/0x200 mm/mempolicy.c:2473
 folio_prealloc+0x30/0x180 mm/memory.c:-1
 wp_page_copy mm/memory.c:3569 [inline]
 do_wp_page+0x1231/0x5800 mm/memory.c:4030
 handle_pte_fault mm/memory.c:6085 [inline]
 __handle_mm_fault+0x1144/0x5620 mm/memory.c:6212
 handle_mm_fault+0x2d5/0x7f0 mm/memory.c:6381
 do_user_addr_fault+0xa81/0x1390 arch/x86/mm/fault.c:1336
 handle_page_fault arch/x86/mm/fault.c:1476 [inline]
 exc_page_fault+0x76/0xf0 arch/x86/mm/fault.c:1532
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
page last free pid 6526 tgid 6526 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1248 [inline]
 free_unref_folios+0xcd2/0x1570 mm/page_alloc.c:2763
 folios_put_refs+0x559/0x640 mm/swap.c:992
 free_pages_and_swap_cache+0x4be/0x520 mm/swap_state.c:267
 __tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline]
 tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:397 [inline]
 tlb_flush_mmu+0x3a0/0x680 mm/mmu_gather.c:404
 tlb_finish_mmu+0xc3/0x1d0 mm/mmu_gather.c:497
 exit_mmap+0x44c/0xb50 mm/mmap.c:1297
 __mmput+0x118/0x410 kernel/fork.c:1121
 exit_mm+0x1da/0x2c0 kernel/exit.c:581
 do_exit+0x648/0x22e0 kernel/exit.c:952
 do_group_exit+0x21c/0x2d0 kernel/exit.c:1105
 __do_sys_exit_group kernel/exit.c:1116 [inline]
 __se_sys_exit_group kernel/exit.c:1114 [inline]
 __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1114
 x64_sys_call+0x21ba/0x21c0 arch/x86/include/generated/asm/syscalls_64.h:232
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88806051d780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88806051d800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88806051d880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                               ^
 ffff88806051d900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88806051d980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


Tested on:

commit:         f4a40a42 Merge tag 'efi-fixes-for-v6.16-2' of git://gi..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=116f8b82580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f09d04131ef56b22
dashboard link: https://syzkaller.appspot.com/bug?extid=fa88eb476e42878f2844
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch:          https://syzkaller.appspot.com/x/patch.diff?x=16e5b7d4580000

Re: [syzbot] [fs?] KASAN: use-after-free Read in hpfs_get_ea

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+fa88eb476e42878f2844@syzkaller.appspotmail.com
Tested-by: syzbot+fa88eb476e42878f2844@syzkaller.appspotmail.com

Tested on:

commit:         f4a40a42 Merge tag 'efi-fixes-for-v6.16-2' of git://gi..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12314b82580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f09d04131ef56b22
dashboard link: https://syzkaller.appspot.com/bug?extid=fa88eb476e42878f2844
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch:          https://syzkaller.appspot.com/x/patch.diff?x=17c0538c580000

Note: testing is done by a robot and is best-effort only.

Re: [syzbot] [fs?] KASAN: use-after-free Read in hpfs_get_ea

[Tetsuo Handa]

#syz test

diff --git a/fs/hpfs/Kconfig b/fs/hpfs/Kconfig
index ac1e9318e65a..d3dfbe76be8a 100644
--- a/fs/hpfs/Kconfig
+++ b/fs/hpfs/Kconfig
@@ -15,3 +15,14 @@ config HPFS_FS
 
 	  To compile this file system support as a module, choose M here: the
 	  module will be called hpfs.  If unsure, say N.
+
+config HPFS_FS_ALLOW_NO_ERROR_CHECK_MODE
+	bool "Allow no-error-check mode for maximum speed"
+	depends on HPFS_FS
+	default n
+	help
+	  This option enables check=none mount option. If check=none is
+	  specified, users can expect maximum speed at the cost of minimum
+	  robustness. Sane users should not specify check=none option, for e.g.
+	  use-after-free bug will happen when the filesystem is corrupted or
+	  crafted.
diff --git a/fs/hpfs/super.c b/fs/hpfs/super.c
index 42b779b4d87f..558093b2beab 100644
--- a/fs/hpfs/super.c
+++ b/fs/hpfs/super.c
@@ -285,7 +285,9 @@ static const struct constant_table hpfs_param_case[] = {
 };
 
 static const struct constant_table hpfs_param_check[] = {
+#ifdef CONFIG_HPFS_FS_ALLOW_NO_ERROR_CHECK_MODE
 	{"none",	0},
+#endif
 	{"normal",	1},
 	{"strict",	2},
 	{}

Re: [syzbot] [fs?] KASAN: use-after-free Read in hpfs_get_ea

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+fa88eb476e42878f2844@syzkaller.appspotmail.com
Tested-by: syzbot+fa88eb476e42878f2844@syzkaller.appspotmail.com

Tested on:

commit:         3a866087 Linux 6.18-rc1
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14d2bb34580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=858c39e0498e4460
dashboard link: https://syzkaller.appspot.com/bug?extid=fa88eb476e42878f2844
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=12cb467c580000

Note: testing is done by a robot and is best-effort only.

[PATCH] hpfs: make check=none mount option excludable

[Tetsuo Handa]

syzbot is reporting use-after-free read problem when a crafted HPFS image
was mounted with "check=none" option.

The "check=none" option is intended for only users who want maximum speed
and use the filesystem only on trusted input. But fuzzers are for using
the filesystem on untrusted input.

Mikulas Patocka (the HPFS maintainer) thinks that there is no need to add
some middle ground where "check=none" would check some structures and won't
check others. Therefore, to make sure that fuzzers and careful users do not
by error specify "check=none" at runtime, make "check=none" being
excludable at build time.

Reported-by: syzbot+fa88eb476e42878f2844@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fa88eb476e42878f2844
Link: https://lkml.kernel.org/r/9ca81125-1c7b-ddaf-09ea-638bc5712632@redhat.com
Tested-by: syzbot+fa88eb476e42878f2844@syzkaller.appspotmail.com
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
 fs/hpfs/Kconfig | 11 +++++++++++
 fs/hpfs/super.c |  2 ++
 2 files changed, 13 insertions(+)

diff --git a/fs/hpfs/Kconfig b/fs/hpfs/Kconfig
index ac1e9318e65a..d3dfbe76be8a 100644
--- a/fs/hpfs/Kconfig
+++ b/fs/hpfs/Kconfig
@@ -15,3 +15,14 @@ config HPFS_FS
 
 	  To compile this file system support as a module, choose M here: the
 	  module will be called hpfs.  If unsure, say N.
+
+config HPFS_FS_ALLOW_NO_ERROR_CHECK_MODE
+	bool "Allow no-error-check mode for maximum speed"
+	depends on HPFS_FS
+	default n
+	help
+	  This option enables check=none mount option. If check=none is
+	  specified, users can expect maximum speed at the cost of minimum
+	  robustness. Sane users should not specify check=none option, for e.g.
+	  use-after-free bug will happen when the filesystem is corrupted or
+	  crafted.
diff --git a/fs/hpfs/super.c b/fs/hpfs/super.c
index 8ab85e7ac91e..656b1ae01812 100644
--- a/fs/hpfs/super.c
+++ b/fs/hpfs/super.c
@@ -285,7 +285,9 @@ static const struct constant_table hpfs_param_case[] = {
 };
 
 static const struct constant_table hpfs_param_check[] = {
+#ifdef CONFIG_HPFS_FS_ALLOW_NO_ERROR_CHECK_MODE
 	{"none",	0},
+#endif
 	{"normal",	1},
 	{"strict",	2},
 	{}
-- 
2.47.3

Re: [PATCH] hpfs: make check=none mount option excludable

[Mikulas Patocka]

On Tue, 14 Oct 2025, Tetsuo Handa wrote:

> syzbot is reporting use-after-free read problem when a crafted HPFS image
> was mounted with "check=none" option.
> 
> The "check=none" option is intended for only users who want maximum speed
> and use the filesystem only on trusted input. But fuzzers are for using
> the filesystem on untrusted input.
> 
> Mikulas Patocka (the HPFS maintainer) thinks that there is no need to add
> some middle ground where "check=none" would check some structures and won't
> check others. Therefore, to make sure that fuzzers and careful users do not
> by error specify "check=none" at runtime, make "check=none" being
> excludable at build time.

Hi

Would it be possible to change syzbot to not use the "check=none" option?

Mikulas

> Reported-by: syzbot+fa88eb476e42878f2844@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=fa88eb476e42878f2844
> Link: https://lkml.kernel.org/r/9ca81125-1c7b-ddaf-09ea-638bc5712632@redhat.com
> Tested-by: syzbot+fa88eb476e42878f2844@syzkaller.appspotmail.com
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> ---
>  fs/hpfs/Kconfig | 11 +++++++++++
>  fs/hpfs/super.c |  2 ++
>  2 files changed, 13 insertions(+)
> 
> diff --git a/fs/hpfs/Kconfig b/fs/hpfs/Kconfig
> index ac1e9318e65a..d3dfbe76be8a 100644
> --- a/fs/hpfs/Kconfig
> +++ b/fs/hpfs/Kconfig
> @@ -15,3 +15,14 @@ config HPFS_FS
>  
>  	  To compile this file system support as a module, choose M here: the
>  	  module will be called hpfs.  If unsure, say N.
> +
> +config HPFS_FS_ALLOW_NO_ERROR_CHECK_MODE
> +	bool "Allow no-error-check mode for maximum speed"
> +	depends on HPFS_FS
> +	default n
> +	help
> +	  This option enables check=none mount option. If check=none is
> +	  specified, users can expect maximum speed at the cost of minimum
> +	  robustness. Sane users should not specify check=none option, for e.g.
> +	  use-after-free bug will happen when the filesystem is corrupted or
> +	  crafted.
> diff --git a/fs/hpfs/super.c b/fs/hpfs/super.c
> index 8ab85e7ac91e..656b1ae01812 100644
> --- a/fs/hpfs/super.c
> +++ b/fs/hpfs/super.c
> @@ -285,7 +285,9 @@ static const struct constant_table hpfs_param_case[] = {
>  };
>  
>  static const struct constant_table hpfs_param_check[] = {
> +#ifdef CONFIG_HPFS_FS_ALLOW_NO_ERROR_CHECK_MODE
>  	{"none",	0},
> +#endif
>  	{"normal",	1},
>  	{"strict",	2},
>  	{}
> -- 
> 2.47.3
> 
> 
>