* [syzbot] [hfs?] general protection fault in __hfsplus_setxattr
From: syzbot @ 2026-04-14 23:20 UTC (permalink / raw)
To: frank.li, glaubitz, linux-fsdevel, linux-kernel, slava,
syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: d60bc1401583 Merge tag 'pwrseq-updates-for-v7.1-rc1' of gi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1605b036580000
kernel config: https://syzkaller.appspot.com/x/.config?x=85bd86f990609a1
dashboard link: https://syzkaller.appspot.com/bug?extid=bc70a12e438dadba4fb4
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=143efeba580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1769e8ce580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c962a506ef36/disk-d60bc140.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8590a2666b51/vmlinux-d60bc140.xz
kernel image: https://storage.googleapis.com/syzbot-assets/75aa1f8fc11f/bzImage-d60bc140.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/e3cd44efac38/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+bc70a12e438dadba4fb4@syzkaller.appspotmail.com
loop0: detected capacity change from 0 to 1024
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 1 UID: 0 PID: 5977 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
RIP: 0010:hfsplus_create_attributes_file fs/hfsplus/xattr.c:320 [inline]
RIP: 0010:__hfsplus_setxattr+0x1c68/0x2860 fs/hfsplus/xattr.c:432
Code: 8b 36 49 83 c6 30 4c 89 f0 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 f7 e8 46 f8 80 ff 4d 8b 36 49 83 c6 08 4c 89 f0 48 c1 e8 03 <42> 80 3c 20 00 74 08 4c 89 f7 e8 29 f8 80 ff 4d 8b 36 49 8d 7e 90
RSP: 0018:ffffc90002f37420 EFLAGS: 00010212
RAX: 0000000000000001 RBX: fffff520005e6ea4 RCX: ffff88802f39db80
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90002f378f8 R08: ffffea00017e23f7 R09: 1ffffd40002fc47e
R10: dffffc0000000000 R11: fffff940002fc47f R12: dffffc0000000000
R13: ffff88802bb42a30 R14: 0000000000000008 R15: ffff88802bb43740
FS: 000055555c219500(0000) GS:ffff88812554b000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f407bb7b000 CR3: 0000000077cf5000 CR4: 0000000000350ef0
Call Trace:
<TASK>
hfsplus_setxattr+0x124/0x340 fs/hfsplus/xattr.c:555
hfsplus_trusted_setxattr+0x40/0x60 fs/hfsplus/xattr_trusted.c:30
__vfs_setxattr+0x43c/0x480 fs/xattr.c:218
__vfs_setxattr_noperm+0x12d/0x660 fs/xattr.c:252
vfs_setxattr+0x163/0x360 fs/xattr.c:339
do_setxattr fs/xattr.c:654 [inline]
filename_setxattr+0x296/0x630 fs/xattr.c:682
path_setxattrat+0x3eb/0x440 fs/xattr.c:726
__do_sys_setxattr fs/xattr.c:760 [inline]
__se_sys_setxattr fs/xattr.c:756 [inline]
__x64_sys_setxattr+0xbc/0xe0 fs/xattr.c:756
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fcafdf9c819
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd135f08f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000bc
RAX: ffffffffffffffda RBX: 00007fcafe215fa0 RCX: 00007fcafdf9c819
RDX: 0000200000001400 RSI: 00002000000001c0 RDI: 0000200000000380
RBP: 00007fcafe032c91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000835 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fcafe215fac R14: 00007fcafe215fa0 R15: 00007fcafe215fa0
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:hfsplus_create_attributes_file fs/hfsplus/xattr.c:320 [inline]
RIP: 0010:__hfsplus_setxattr+0x1c68/0x2860 fs/hfsplus/xattr.c:432
Code: 8b 36 49 83 c6 30 4c 89 f0 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 f7 e8 46 f8 80 ff 4d 8b 36 49 83 c6 08 4c 89 f0 48 c1 e8 03 <42> 80 3c 20 00 74 08 4c 89 f7 e8 29 f8 80 ff 4d 8b 36 49 8d 7e 90
RSP: 0018:ffffc90002f37420 EFLAGS: 00010212
RAX: 0000000000000001 RBX: fffff520005e6ea4 RCX: ffff88802f39db80
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90002f378f8 R08: ffffea00017e23f7 R09: 1ffffd40002fc47e
R10: dffffc0000000000 R11: fffff940002fc47f R12: dffffc0000000000
R13: ffff88802bb42a30 R14: 0000000000000008 R15: ffff88802bb43740
FS: 000055555c219500(0000) GS:ffff88812544b000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000562d49fd15e0 CR3: 0000000077cf5000 CR4: 0000000000350ef0
----------------
Code disassembly (best guess):
0: 8b 36 mov (%rsi),%esi
2: 49 83 c6 30 add $0x30,%r14
6: 4c 89 f0 mov %r14,%rax
9: 48 c1 e8 03 shr $0x3,%rax
d: 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1)
12: 74 08 je 0x1c
14: 4c 89 f7 mov %r14,%rdi
17: e8 46 f8 80 ff call 0xff80f862
1c: 4d 8b 36 mov (%r14),%r14
1f: 49 83 c6 08 add $0x8,%r14
23: 4c 89 f0 mov %r14,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1) <-- trapping instruction
2f: 74 08 je 0x39
31: 4c 89 f7 mov %r14,%rdi
34: e8 29 f8 80 ff call 0xff80f862
39: 4d 8b 36 mov (%r14),%r14
3c: 49 8d 7e 90 lea -0x70(%r14),%rdi
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* Re: [syzbot] [hfs?] general protection fault in __hfsplus_setxattr
From: Edward Adam Davis @ 2026-04-15 2:08 UTC (permalink / raw)
To: syzbot+bc70a12e438dadba4fb4; +Cc: linux-kernel, syzkaller-bugs
#syz test
diff --git a/fs/hfsplus/xattr.c b/fs/hfsplus/xattr.c
index 452a1f9becb2..3e6f45b3259d 100644
--- a/fs/hfsplus/xattr.c
+++ b/fs/hfsplus/xattr.c
@@ -317,12 +317,14 @@ static int hfsplus_create_attributes_file(struct super_block *sb)
next_node++;
}
- hfsplus_mark_inode_dirty(HFSPLUS_ATTR_TREE_I(sb), HFSPLUS_I_ATTR_DIRTY);
hfsplus_mark_inode_dirty(attr_file, HFSPLUS_I_ATTR_DIRTY);
sbi->attr_tree = hfs_btree_open(sb, HFSPLUS_ATTR_CNID);
if (!sbi->attr_tree)
pr_err("failed to load attributes file\n");
+ else
+ hfsplus_mark_inode_dirty(HFSPLUS_ATTR_TREE_I(sb),
+ HFSPLUS_I_ATTR_DIRTY);
failed_header_node_init:
kfree(buf);
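Review bot: the failure branch of this hunk still only logs and falls through to failed_header_node_init: / kfree(buf), so nothing visible here turns a NULL sbi->attr_tree into an error for the caller; please confirm that hfsplus_create_attributes_file() reports the failure rather than returning with attr_tree left unset. The relocation itself looks right: the syzbot report places the fault at xattr.c:320, the removed hfsplus_mark_inode_dirty(HFSPLUS_ATTR_TREE_I(sb), ...) line, which ran before the sbi->attr_tree = hfs_btree_open(...) assignment two lines below it and therefore always went through whatever attr_tree held at that point (NULL in the reported case, matching the KASAN range [0x8-0xf]). Putting the call under the else is the first point at which attr_tree is known to be valid.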
* Re: [syzbot] [hfs?] general protection fault in __hfsplus_setxattr
From: syzbot @ 2026-04-15 4:25 UTC (permalink / raw)
To: eadavis, linux-kernel, syzkaller-bugs
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
syzkaller build log:
Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=129384ce580000
Tested on:
commit: 5c0f43e8 Merge tag 'kernel-7.1-rc1.misc' of git://git...
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=95729ed00549063a
dashboard link: https://syzkaller.appspot.com/bug?extid=bc70a12e438dadba4fb4
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=135bfeba580000
* [PATCH] hfsplus: set attributes inode dirty at correct position
From: Edward Adam Davis @ 2026-04-15 8:45 UTC (permalink / raw)
To: syzbot+bc70a12e438dadba4fb4
Cc: frank.li, glaubitz, linux-fsdevel, linux-kernel, slava,
syzkaller-bugs
Syzbot reported a null-ptr-deref in [1].
If the attributes file is not loaded during system mount, a trigger
occurs [1] when setxattr is executed in userspace.
Move the mark inode dirty operation to a point after the attr_tree has
been successfully acquired.
[1]
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
Call Trace:
hfsplus_setxattr+0x124/0x340 fs/hfsplus/xattr.c:555
hfsplus_trusted_setxattr+0x40/0x60 fs/hfsplus/xattr_trusted.c:30
__vfs_setxattr+0x43c/0x480 fs/xattr.c:218
__vfs_setxattr_noperm+0x12d/0x660 fs/xattr.c:252
vfs_setxattr+0x163/0x360 fs/xattr.c:339
do_setxattr fs/xattr.c:654 [inline]
Reported-by: syzbot+bc70a12e438dadba4fb4@syzkaller.appspotmail.com
Fixes: ee8422d00b7c ("hfsplus: fix potential Allocation File corruption after fsync")
Closes: https://syzkaller.appspot.com/bug?extid=bc70a12e438dadba4fb4
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
fs/hfsplus/xattr.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/fs/hfsplus/xattr.c b/fs/hfsplus/xattr.c
index 452a1f9becb2..3e6f45b3259d 100644
--- a/fs/hfsplus/xattr.c
+++ b/fs/hfsplus/xattr.c
@@ -317,12 +317,14 @@ static int hfsplus_create_attributes_file(struct super_block *sb)
next_node++;
}
- hfsplus_mark_inode_dirty(HFSPLUS_ATTR_TREE_I(sb), HFSPLUS_I_ATTR_DIRTY);
hfsplus_mark_inode_dirty(attr_file, HFSPLUS_I_ATTR_DIRTY);
sbi->attr_tree = hfs_btree_open(sb, HFSPLUS_ATTR_CNID);
if (!sbi->attr_tree)
pr_err("failed to load attributes file\n");
+ else
+ hfsplus_mark_inode_dirty(HFSPLUS_ATTR_TREE_I(sb),
+ HFSPLUS_I_ATTR_DIRTY);
failed_header_node_init:
kfree(buf);
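Review bot: the commit message's "a trigger occurs [1]" does not say what is actually dereferenced; it should state that the removed line (xattr.c:320 in the report) evaluates HFSPLUS_ATTR_TREE_I(sb) before sbi->attr_tree has been assigned by hfs_btree_open() on the lines that follow, which is why the deref lands in the KASAN range [0x8-0xf]. A second question on the same hunk: hfsplus_mark_inode_dirty(attr_file, HFSPLUS_I_ATTR_DIRTY) remains one line above, and attr_file and the tree inode opened for HFSPLUS_ATTR_CNID look like the same inode, so the relocated call may be redundant and the smaller change would be to drop the first call outright instead of moving it; either way the message should say which inode each of the two calls is meant to dirty.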
--
2.43.0
* Re: [PATCH] hfsplus: set attributes inode dirty at correct position
From: Viacheslav Dubeyko @ 2026-04-15 22:11 UTC (permalink / raw)
To: Edward Adam Davis, syzbot+bc70a12e438dadba4fb4
Cc: frank.li, glaubitz, linux-fsdevel, linux-kernel, slava,
syzkaller-bugs
On Wed, 2026-04-15 at 16:45 +0800, Edward Adam Davis wrote:
> Syzbot reported a null-ptr-deref in [1].
> If the attributes file is not loaded during system mount, a trigger
> occurs [1] when setxattr is executed in userspace.
>
> Move the mark inode dirty operation to a point after the attr_tree has
> been successfully acquired.
>
> [1]
> KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
> Call Trace:
> hfsplus_setxattr+0x124/0x340 fs/hfsplus/xattr.c:555
> hfsplus_trusted_setxattr+0x40/0x60 fs/hfsplus/xattr_trusted.c:30
> __vfs_setxattr+0x43c/0x480 fs/xattr.c:218
> __vfs_setxattr_noperm+0x12d/0x660 fs/xattr.c:252
> vfs_setxattr+0x163/0x360 fs/xattr.c:339
> do_setxattr fs/xattr.c:654 [inline]
>
> Reported-by: syzbot+bc70a12e438dadba4fb4@syzkaller.appspotmail.com
> Fixes: ee8422d00b7c ("hfsplus: fix potential Allocation File corruption after fsync")
> Closes: https://syzkaller.appspot.com/bug?extid=bc70a12e438dadba4fb4
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> ---
> fs/hfsplus/xattr.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/fs/hfsplus/xattr.c b/fs/hfsplus/xattr.c
> index 452a1f9becb2..3e6f45b3259d 100644
> --- a/fs/hfsplus/xattr.c
> +++ b/fs/hfsplus/xattr.c
> @@ -317,12 +317,14 @@ static int hfsplus_create_attributes_file(struct super_block *sb)
> next_node++;
> }
>
> - hfsplus_mark_inode_dirty(HFSPLUS_ATTR_TREE_I(sb), HFSPLUS_I_ATTR_DIRTY);
It's really strange that xfstests didn't catch the issue. Probably, we need to
have the specialized HFS+ tests.
> hfsplus_mark_inode_dirty(attr_file, HFSPLUS_I_ATTR_DIRTY);
>
> sbi->attr_tree = hfs_btree_open(sb, HFSPLUS_ATTR_CNID);
> if (!sbi->attr_tree)
> pr_err("failed to load attributes file\n");
> + else
> + hfsplus_mark_inode_dirty(HFSPLUS_ATTR_TREE_I(sb),
> + HFSPLUS_I_ATTR_DIRTY);
As far as I can see, HFSPLUS_ATTR_TREE_I(sb) and attr_file are the same
entities. Am I right here? :) So, we can simply remove the first
hfsplus_mark_inode_dirty(). Does it make sense?
Thanks,
Slava.
>
> failed_header_node_init:
> kfree(buf);