From: Greg KH <gregkh@linuxfoundation.org>
To: "driz2t@qq.com" <driz2t@qq.com>
Cc: "stable@vger.kernel.org" <stable@vger.kernel.org>,
"slava@dubeyko.com" <slava@dubeyko.com>,
"sashal@kernel.org" <sashal@kernel.org>,
"syzbot+7c669e7491fdbacd64b2@syzkaller.appspotmail.com"
<syzbot+7c669e7491fdbacd64b2@syzkaller.appspotmail.com>
Subject: Re: [PATCH 6.1.y] hfs: fix general protection fault in hfs_find_init()
Date: Sun, 29 Mar 2026 08:16:14 +0200
Message-ID: <2026032940-rectify-pamphlet-6298@gregkh>
In-Reply-To: <tencent_2352D6EE52D5CF390269BCB1DAD1FD9B2105@qq.com>
On Sun, Mar 29, 2026 at 05:49:18AM +0000, driz2t@qq.com wrote:
> PATCH] This is a backport for 6.1.y.
Odd text, but also:
>
> [ Upstream commit 736a0516a16268995f4898eded49bfef077af709 ]
>
> The hfs_find_init() method can trigger a crash if the tree pointer is NULL.
>
> hfs_fill_super() calls hfs_mdb_get(), which tries to construct Extents
> Tree and Catalog Tree. However, hfs_btree_open() calls read_mapping_page(),
> which calls hfs_get_block(), and that in turn calls hfs_ext_read_extent().
>
> The problem is that hfs_find_init() tries to use
> HFS_SB(inode->i_sb)->ext_tree before it has been initialized. It will
> only be initialized after hfs_btree_open() finishes.
>
> Fix this by checking the tree pointer in hfs_find_init() and reworking
> hfs_btree_open() to read the b-tree header directly from the volume.
> Replace read_mapping_page() with filemap_grab_folio(), then use sb_bread()
> to extract the b-tree header content and copy it into the folio.
>
> Reported-by: Wenzhi Wang <wenzhi.wang@uwaterloo.ca>
> Cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
> Cc: Yangtao Li <frank.li@vivo.com>
> Cc: linux-fsdevel@vger.kernel.org
> Link: https://lore.kernel.org/r/20250710213657.108285-1-slava@dubeyko.com
> Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
> Signed-off-by: Changjian Liu <driz2t@qq.com>
> ---
> fs/hfs/bfind.c | 3 +++
> fs/hfs/btree.c | 33 +++++++++++++++++++++++----------
> fs/hfs/extent.c | 2 +-
> fs/hfs/hfs_fs.h | 1 +
> 4 files changed, 28 insertions(+), 11 deletions(-)
>
> diff --git a/fs/hfs/bfind.c b/fs/hfs/bfind.c
> index 6d37b4c75903..1b1cbb589f82 100644
> --- a/fs/hfs/bfind.c
> +++ b/fs/hfs/bfind.c
> @@ -16,6 +16,9 @@ int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd)
> {
> void *ptr;
>
> +if (!tree || !fd)
> + return -EINVAL;
> +
> fd->tree = tree;
> fd->bnode = NULL;
> ptr = kzalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
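Review bot: the new guard `if (!tree || !fd) return -EINVAL;` stops the dereference at `tree->max_key_len` in the line that follows, but it only helps if every caller of hfs_find_init() checks the return value; the call that matters according to the description is the one reached from hfs_ext_read_extent() while hfs_btree_open() is still running, and although the diffstat lists `fs/hfs/extent.c | 2 +-`, no extent.c hunk appears in this mail, so that propagation cannot be confirmed here. Separately, the added lines have lost their indentation (`+if (!tree || !fd)` is flush left and `+ return -EINVAL;` carries a single space instead of tabs), which is the corruption the reply below points out; the patch should be resent with git send-email so that whitespace survives intact.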
Your patch is completely corrupted and can not be applied :(
Please fix your email client to work properly when sending patches.
thanks,
greg k-h
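The initialization-order problem the commit message describes, reduced to a runnable model. This is an added example and not code from fs/hfs or from the patch: the structures, the `via_page_cache` switch that stands in for the old read_mapping_page() path versus the reworked sb_bread() path, the key-length values and the `hfs_mdb_get()`/`hfs_btree_open()`/`hfs_ext_read_extent()` bodies are all simplifying assumptions, and only the guard in `hfs_find_init()` mirrors the hunk quoted above. With the guard, the premature lookup during mount fails with -EINVAL and the mount is rejected with -EIO instead of dereferencing a NULL tree pointer.

```c
/* Added example: a reduced model of the HFS mount-time ordering bug.
 * Names follow the kernel's, but every structure and body here is a
 * simplified assumption, not the driver's code. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

struct hfs_btree {
    unsigned int max_key_len;
};

struct hfs_find_data {
    struct hfs_btree *tree;
    unsigned char *search_key;
    unsigned char *key;
};

/* Model of the per-superblock state: both trees stay NULL until the
 * corresponding hfs_btree_open() has returned. */
struct hfs_sb_info {
    struct hfs_btree *ext_tree;
    struct hfs_btree *cat_tree;
};

/* hfs_find_init() with the guard from the patch.  Without the first
 * check, a NULL tree is dereferenced at tree->max_key_len.  The buffer
 * split between search_key and key is an assumed layout. */
static int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd)
{
    unsigned char *ptr;

    if (!tree || !fd)
        return -EINVAL;

    fd->tree = tree;
    ptr = calloc(1, tree->max_key_len * 2 + 4);
    if (!ptr)
        return -ENOMEM;
    fd->search_key = ptr;
    fd->key = ptr + tree->max_key_len + 2;
    return 0;
}

static void hfs_find_exit(struct hfs_find_data *fd)
{
    free(fd->search_key);
    fd->search_key = NULL;
    fd->key = NULL;
    fd->tree = NULL;
}

/* Model of hfs_ext_read_extent(): resolving a block that is not covered
 * by the in-MDB extent records requires a search in the extents tree. */
static int hfs_ext_read_extent(struct hfs_sb_info *sbi)
{
    struct hfs_find_data fd;
    int res = hfs_find_init(sbi->ext_tree, &fd);

    if (res)
        return res;          /* -EINVAL while ext_tree is still NULL */
    /* a real lookup (hfs_brec_find) would run here */
    hfs_find_exit(&fd);
    return 0;
}

/* Model of hfs_btree_open().  via_page_cache != 0 stands for the old
 * read_mapping_page() path, which can end in hfs_ext_read_extent()
 * before sbi->ext_tree is assigned; 0 stands for the reworked path
 * that reads the header with sb_bread() and never needs the tree. */
static struct hfs_btree *hfs_btree_open(struct hfs_sb_info *sbi,
                                        unsigned int max_key_len,
                                        int via_page_cache)
{
    struct hfs_btree *tree = calloc(1, sizeof(*tree));

    if (!tree)
        return NULL;
    tree->max_key_len = max_key_len;
    if (via_page_cache && hfs_ext_read_extent(sbi) != 0) {
        free(tree);
        return NULL;
    }
    return tree;
}

/* Model of hfs_mdb_get(): opens the extents tree first, then the
 * catalog tree; -EIO when either open fails. */
int hfs_mdb_get(struct hfs_sb_info *sbi, int via_page_cache)
{
    sbi->ext_tree = hfs_btree_open(sbi, 6, via_page_cache);
    if (!sbi->ext_tree)
        return -EIO;
    sbi->cat_tree = hfs_btree_open(sbi, 37, via_page_cache);
    if (!sbi->cat_tree) {
        free(sbi->ext_tree);
        sbi->ext_tree = NULL;
        return -EIO;
    }
    return 0;
}

int main(void)
{
    struct hfs_sb_info old = {0}, fixed = {0};

    printf("old open path  : hfs_mdb_get() = %d\n", hfs_mdb_get(&old, 1));
    printf("reworked path  : hfs_mdb_get() = %d\n", hfs_mdb_get(&fixed, 0));
    return 0;
}
```

Running the unguarded version of `hfs_find_init()` (the three added lines removed) on the `via_page_cache` path is the crash the original report describes; with the guard, the same path returns an error that the mount code can turn into a clean failure.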
2026-03-29 5:49 [PATCH 6.1.y] hfs: fix general protection fault in hfs_find_init() driz2t
2026-03-29 6:16 ` Greg KH [this message]