ci2 starts bisection 2025-11-09 11:10:03.463246489 +0000 UTC m=+239493.078710209 bisecting fixing commit since f89b6e15694c1e24f78d889b29a54d46e5267413 building syzkaller on f3921d4d63f97d1f1fb49a69ea85744bb7ef184b ensuring issue is reproducible on original commit f89b6e15694c1e24f78d889b29a54d46e5267413 testing commit f89b6e15694c1e24f78d889b29a54d46e5267413 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 5a66376fe568fa40823a3c0a0762f4ece1375d8fa3f8eb5c9b02beddf6e0599a all runs: crashed: BUG: unable to handle kernel paging request in hfs_find_init representative crash: BUG: unable to handle kernel paging request in hfs_find_init, types: [MEMORY_SAFETY_BUG] check whether we can drop unnecessary instrumentation disabling configs for [kasan locking atomic_sleep hang memleak ubsan], they are not needed testing commit f89b6e15694c1e24f78d889b29a54d46e5267413 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: ae8ba5c84a562e32d3fb311849a6eed613c5559064d6cdd1fe440264fd3c9cc7 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init representative crash: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init, types: [NULL-POINTER-DEREFERENCE] the bug reproduces without the instrumentation disabling configs for [hang memleak ubsan kasan locking atomic_sleep], they are not needed kconfig minimization: base=7505 full=9690 leaves diff=1937 split chunks (needed=false): <1937> split chunk #0 of len 1937 into 5 parts testing without sub-chunk 1/5 disabling configs for [hang memleak ubsan kasan locking atomic_sleep], they are not needed testing commit f89b6e15694c1e24f78d889b29a54d46e5267413 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: fcb226668087ce8dbba52fd09deb60ad0a72c5e2c93d9a199f355c5ce26021f5 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init representative crash: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init, types: [NULL-POINTER-DEREFERENCE] the chunk can be dropped testing without sub-chunk 2/5 disabling configs for [hang memleak ubsan kasan locking atomic_sleep], they are not needed testing commit f89b6e15694c1e24f78d889b29a54d46e5267413 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 9ed9d5038097af57f05cd12b95d5304b279542837549fb858f8d318e9ce83683 all runs: OK false negative chance: 0.000 testing without sub-chunk 3/5 disabling configs for [locking atomic_sleep hang memleak ubsan kasan], they are not needed testing commit f89b6e15694c1e24f78d889b29a54d46e5267413 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 5af3da56354fb464dbb2888df681704b1dae9ecab154be537c28aa391418e856 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init representative crash: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init, types: [NULL-POINTER-DEREFERENCE] the chunk can be dropped testing without sub-chunk 4/5 disabling configs for [hang memleak ubsan kasan locking atomic_sleep], they are not needed testing commit f89b6e15694c1e24f78d889b29a54d46e5267413 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: c0e448749708c9303ea4074c5ff3c765ccf6136f8aeba8307a38cef78e20afb2 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init representative crash: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init, types: [NULL-POINTER-DEREFERENCE] the chunk can be dropped testing without sub-chunk 5/5 disabling configs for [atomic_sleep hang memleak ubsan kasan locking], they are not needed testing commit f89b6e15694c1e24f78d889b29a54d46e5267413 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 65fe03c7afa5679f2e56458c6207d0b83a0af4114a7e64bb9fbd0090da593b6a all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init representative crash: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init, types: [NULL-POINTER-DEREFERENCE] the chunk can be dropped minimized to 388 configs; suspects: [6LOWPAN ACPI_VIDEO DLM DRM DRM_TTM DRM_TTM_HELPER DRM_UDL DRM_V3D DRM_VC4 DRM_VGEM DRM_VIRTIO_GPU DRM_VKMS DRM_VRAM_HELPER DUMMY DVB_AF9013 DVB_AF9033 DVB_AS102 DVB_AS102_FE DVB_B2C2_FLEXCOP DVB_B2C2_FLEXCOP_USB DVB_DIB3000MB DVB_DIB3000MC DVB_EC100 DVB_GP8PSK_FE DVB_RTL2830 DVB_RTL2832 DVB_RTL2832_SDR DVB_TEST_DRIVERS DVB_TTUSB_BUDGET DVB_TTUSB_DEC DVB_USB DVB_USB_A800 DVB_USB_AF9005 DVB_USB_AF9005_REMOTE DVB_USB_AF9015 DVB_USB_AF9035 DVB_USB_ANYSEE DVB_USB_AU6610 DVB_USB_AZ6007 DVB_USB_AZ6027 DVB_USB_CE6230 DVB_USB_CINERGY_T2 DVB_USB_CXUSB DVB_USB_DIB0700 DVB_USB_DIB3000MC DVB_USB_DIBUSB_MB DVB_USB_DIBUSB_MC DVB_USB_DIGITV DVB_USB_DTT200U DVB_USB_DTV5100 DVB_USB_DVBSKY DVB_USB_DW2102 DVB_USB_EC168 DVB_USB_GL861 DVB_USB_GP8PSK DVB_USB_LME2510 DVB_USB_M920X DVB_USB_MXL111SF DVB_USB_NOVA_T_USB2 DVB_USB_OPERA1 DVB_USB_PCTV452E DVB_USB_RTL28XXU DVB_USB_TECHNISAT_USB2 DVB_USB_TTUSB2 DVB_USB_UMT_010 DVB_USB_V2 DVB_USB_VP702X DVB_USB_VP7045 DVB_USB_ZD1301 DVB_VIDTV DVB_ZL10353 E100 ECRYPT_FS ECRYPT_FS_MESSAGING EEPROM_93CX6 EFS_FS ENCRYPTED_KEYS EQUALIZER EROFS_FS EROFS_FS_POSIX_ACL EROFS_FS_SECURITY EROFS_FS_XATTR EROFS_FS_ZIP EVM EVM_ADD_XATTRS EVM_ATTR_FSUUID EXFAT_FS EXPORTFS_BLOCK_OPS EXT3_FS_POSIX_ACL EXT3_FS_SECURITY F2FS_CHECK_FS F2FS_FAULT_INJECTION F2FS_FS F2FS_FS_COMPRESSION F2FS_FS_LZ4 F2FS_FS_LZ4HC F2FS_FS_LZO F2FS_FS_LZORLE F2FS_FS_POSIX_ACL F2FS_FS_SECURITY F2FS_FS_XATTR F2FS_FS_ZSTD F2FS_STAT_FS FB_DEFERRED_IO FB_SYS_COPYAREA FB_SYS_FILLRECT FB_SYS_FOPS FB_SYS_IMAGEBLIT FB_TILEBLITTING FB_VIRTUAL FDDI FIB_RULES FIREWIRE FIREWIRE_NET FIREWIRE_OHCI FIREWIRE_SBP2 FRAMEBUFFER_CONSOLE_ROTATION FRONTSWAP FS_DAX FS_DAX_PMD FS_ENCRYPTION FS_ENCRYPTION_ALGS FS_VERITY FS_VERITY_BUILTIN_SIGNATURES FTL FW_LOADER_COMPRESS FW_LOADER_USER_HELPER_FALLBACK GACT_PROB GCC11_NO_ARRAY_BOUNDS GET_FREE_REGION GFS2_FS GFS2_FS_LOCKING_DLM GOOGLE_COREBOOT_TABLE GOOGLE_FIRMWARE GOOGLE_MEMCONSOLE GOOGLE_MEMCONSOLE_COREBOOT GOOGLE_VPD GPIO_DLN2 GPIO_VF610 GPIO_VIPERBOARD GREENASIA_FF GREYBUS GREYBUS_BRIDGED_PHY GREYBUS_ES2 GREYBUS_HID GREYBUS_USB GTP HAVE_ARCH_USERFAULTFD_MINOR HAVE_IMA_KEXEC HDLC HDLC_CISCO HDLC_FR HDLC_PPP HDLC_RAW HDLC_RAW_ETH HDLC_X25 HDMI HFSPLUS_FS HFS_FS HIDRAW HID_ACCUTOUCH HID_ACRUX HID_ACRUX_FF HID_ALPS HID_APPLEIR HID_ASUS HID_AUREAL HID_BATTERY_STRENGTH HID_BETOP_FF HID_CMEDIA HID_CORSAIR HID_CP2112 HID_ELECOM HID_ELO HID_EMS_FF HID_GEMBIRD HID_GFRM HID_GREENASIA HID_GT683R HID_GYRATION HID_HOLTEK HID_ICADE HID_KEYTOUCH HID_KYE HID_LCPOWER HID_LED HID_LENOVO HID_LOGITECH_DJ HID_LOGITECH_HIDPP HID_MAGICMOUSE HID_MAYFLASH HID_NTI HID_NTRIG HID_ORTEK HID_PENMOUNT HID_PETALYNX HID_PICOLCD HID_PICOLCD_BACKLIGHT HID_PICOLCD_CIR HID_PICOLCD_FB HID_PICOLCD_LCD HID_PICOLCD_LEDS HID_PID HID_PLANTRONICS HID_PRIMAX HID_PRODIKEYS HID_RETRODE HID_RMI HID_ROCCAT HID_SAITEK HID_SAMSUNG HID_SENSOR_ACCEL_3D HID_SENSOR_ALS HID_SENSOR_CUSTOM_SENSOR HID_SENSOR_DEVICE_ROTATION HID_SENSOR_GYRO_3D HID_SENSOR_HUB HID_SENSOR_HUMIDITY HID_SENSOR_IIO_COMMON HID_SENSOR_IIO_TRIGGER HID_SENSOR_INCLINOMETER_3D HID_SENSOR_MAGNETOMETER_3D HID_SENSOR_PRESS HID_SENSOR_PROX HID_SENSOR_TEMP HID_SPEEDLINK HID_STEELSERIES HID_SUNPLUS HID_THINGM HID_TIVO HID_TOPSEED HID_TWINHAN HID_UCLOGIC HID_UDRAW_PS3 HID_WACOM HID_WALTOP HID_WIIMOTE HID_XINMO HID_ZYDACRON HMM_MIRROR HOLTEK_FF HOTPLUG_PCI_PCIE HPFS_FS I2C_DIOLAN_U2C I2C_DLN2 I2C_MUX_REG I2C_ROBOTFUZZ_OSIF I2C_SI4713 I2C_SLAVE_EEPROM I2C_TINY_USB I2C_VIPERBOARD IEEE802154 IEEE802154_6LOWPAN IEEE802154_ATUSB IEEE802154_DRIVERS IEEE802154_HWSIM IEEE802154_NL802154_EXPERIMENTAL IEEE802154_SOCKET IFB IMA IMA_APPRAISE IMA_APPRAISE_MODSIG IMA_DEFAULT_HASH_SHA256 IMA_LSM_RULES IMA_MEASURE_ASYMMETRIC_KEYS IMA_NG_TEMPLATE IMA_QUEUE_EARLY_BOOT_KEYS IMA_READ_POLICY IMA_WRITE_POLICY INET6_AH INET6_ESP INET6_ESPINTCP INET6_ESP_OFFLOAD INET6_IPCOMP INET6_TUNNEL INET6_XFRM_TUNNEL INET_AH INET_DCCP_DIAG INET_DIAG_DESTROY INET_ESP INET_ESPINTCP INET_ESP_OFFLOAD INET_IPCOMP INET_MPTCP_DIAG INET_RAW_DIAG INET_SCTP_DIAG INET_UDP_DIAG INET_XFRM_TUNNEL INFINIBAND INFINIBAND_ADDR_TRANS INFINIBAND_ADDR_TRANS_CONFIGFS INFINIBAND_IPOIB INFINIBAND_IPOIB_CM INFINIBAND_IPOIB_DEBUG INFINIBAND_ISER INFINIBAND_ON_DEMAND_PAGING INFINIBAND_RTRS INFINIBAND_SRP INFINIBAND_USER_ACCESS INFINIBAND_USER_MAD INFINIBAND_USER_MEM INPUT_ATI_REMOTE2 INPUT_CM109 INPUT_IMS_PCU INPUT_JOYDEV INPUT_JOYSTICK INPUT_KEYSPAN_REMOTE INPUT_LEDS INPUT_MOUSEDEV INPUT_MOUSEDEV_PSAUX INPUT_POWERMATE INPUT_UINPUT INPUT_YEALINK INTEGRITY INTEGRITY_ASYMMETRIC_KEYS INTEGRITY_AUDIT INTEGRITY_SIGNATURE INTEGRITY_TRUSTED_KEYRING IP6_NF_MATCH_AH IP6_NF_MATCH_EUI64 IP6_NF_MATCH_FRAG IP6_NF_MATCH_HL IP6_NF_MATCH_IPV6HEADER IP6_NF_MATCH_MH IP6_NF_MATCH_OPTS IP6_NF_MATCH_RPFILTER IP6_NF_MATCH_RT IP6_NF_MATCH_SRH IP6_NF_RAW IP6_NF_SECURITY IP6_NF_TARGET_HL IP6_NF_TARGET_NPT IP6_NF_TARGET_SYNPROXY IPV6_FOU IPV6_FOU_TUNNEL IPV6_GRE IPV6_ILA IPV6_MIP6 IPV6_MROUTE IPV6_MROUTE_MULTIPLE_TABLES IPV6_MULTIPLE_TABLES IPV6_OPTIMISTIC_DAD IPV6_PIMSM_V2 IPV6_ROUTER_PREF IPV6_ROUTE_INFO IPV6_RPL_LWTUNNEL IPV6_SEG6_BPF IPV6_SEG6_HMAC IPV6_SEG6_LWTUNNEL IPV6_SIT_6RD IPV6_SUBTREES IPV6_TUNNEL IPV6_VTI IPVLAN IPVLAN_L3S IPVTAP IP_ADVANCED_ROUTER IP_DCCP IP_DCCP_CCID3 IP_DCCP_TFRC_LIB IP_FIB_TRIE_STATS IP_MROUTE IP_MROUTE_COMMON IP_MROUTE_MULTIPLE_TABLES IP_NF_ARPFILTER IP_NF_ARPTABLES IP_NF_ARP_MANGLE IP_NF_MATCH_AH IP_NF_MATCH_ECN IP_NF_MATCH_RPFILTER IP_NF_MATCH_TTL IP_NF_RAW IP_NF_SECURITY IP_NF_TARGET_CLUSTERIP IP_NF_TARGET_ECN IP_NF_TARGET_NETMAP IP_NF_TARGET_REDIRECT IP_NF_TARGET_SYNPROXY IP_NF_TARGET_TTL IP_PIMSM_V1 IP_PIMSM_V2 IP_PNP_RARP IP_ROUTE_CLASSID IP_ROUTE_MULTIPATH IP_ROUTE_VERBOSE IP_SCTP IP_SET IP_SET_BITMAP_IP IP_SET_BITMAP_IPMAC IP_SET_BITMAP_PORT IP_SET_HASH_IP IP_SET_HASH_IPMAC IP_SET_HASH_IPMARK IP_SET_HASH_IPPORT IP_SET_HASH_IPPORTIP IP_SET_HASH_IPPORTNET IP_SET_HASH_MAC IP_SET_HASH_NET IP_SET_HASH_NETIFACE IP_SET_HASH_NETNET IP_SET_HASH_NETPORT IP_SET_HASH_NETPORTNET IP_SET_LIST_SET IP_VS_DH IP_VS_FO IP_VS_FTP IP_VS_IPV6 IP_VS_LBLC IP_VS_LBLCR IP_VS_LC IP_VS_MH IP_VS_NFCT IP_VS_NQ IP_VS_OVF IP_VS_PE_SIP IP_VS_PROTO_AH IP_VS_PROTO_AH_ESP IP_VS_PROTO_ESP IP_VS_PROTO_SCTP IP_VS_PROTO_TCP IP_VS_PROTO_UDP IP_VS_RR IP_VS_SED IP_VS_SH IP_VS_TWOS IP_VS_WLC IP_VS_WRR IR_IGORPLUGUSB IR_IGUANA IR_IMON IR_MCEUSB IR_REDRAT3 IR_STREAMZAP IR_TTUSBIR ISDN ISDN_CAPI_MIDDLEWARE ISO9660_FS JFFS2_CMODE_PRIORITY JFFS2_COMPRESSION_OPTIONS JFFS2_FS JFFS2_FS_POSIX_ACL JFFS2_FS_SECURITY JFFS2_FS_WRITEBUFFER JFFS2_FS_XATTR JFFS2_LZO JFFS2_RTIME JFFS2_RUBIN JFFS2_SUMMARY JFFS2_ZLIB JFS_DEBUG JFS_FS JFS_POSIX_ACL JFS_SECURITY JOLIET JOYSTICK_IFORCE JOYSTICK_IFORCE_USB JOYSTICK_XPAD JOYSTICK_XPAD_FF JOYSTICK_XPAD_LEDS KARMA_PARTITION KCOV KCOV_ENABLE_COMPARISONS KCOV_INSTRUMENT_ALL KEYS_REQUEST_CACHE KEY_DH_OPERATIONS LAPB LCD_CLASS_DEVICE MAC802154 MEDIA_RADIO_SUPPORT MEDIA_TEST_SUPPORT MFD_DLN2 MFD_VIPERBOARD MPTCP NET_IPGRE_DEMUX NFT_FWD_NETDEV NF_CONNTRACK_FTP NF_CONNTRACK_SIP NF_TABLES NF_TABLES_NETDEV PARTITION_ADVANCED RADIO_ADAPTERS RADIO_SI4713 RFKILL SND SND_SOC SOUND WAN XFRM ZONE_DEVICE] disabling configs for [locking atomic_sleep hang memleak ubsan kasan], they are not needed determining the merge base between f89b6e15694c1e24f78d889b29a54d46e5267413 and 439fc29dfd3b9c072dfff292d91cfa2f6cfb702b 830b3c68c1fb1e9176028d02ef86f3cf76aa2476/Linux 6.1 is a merge base, check if it has the bug testing commit 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: ebfc2455979dc8b8ab9d1cbd8f06691a4d5fb57e787fd546129c5c08185aa532 run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init run #5: basic kernel testing failed: failed to copy syz-execprog to VM: timedout after 1m0s ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "IdentitiesOnly=yes" "-o" "BatchMode=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-v" "/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/bin/linux_arm64/syz-execprog" "root@10.128.0.178:./syz-execprog"] run #6: basic kernel testing failed: failed to copy syz-execprog to VM: timedout after 1m0s ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "IdentitiesOnly=yes" "-o" "BatchMode=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-v" "/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/bin/linux_arm64/syz-execprog" "root@10.128.1.250:./syz-execprog"] run #7: basic kernel testing failed: failed to copy syz-execprog to VM: timedout after 1m0s ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "IdentitiesOnly=yes" "-o" "BatchMode=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-v" "/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/bin/linux_arm64/syz-execprog" "root@10.128.1.179:./syz-execprog"] run #8: basic kernel testing failed: failed to copy syz-execprog to VM: timedout after 1m0s ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "IdentitiesOnly=yes" "-o" "BatchMode=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-v" "/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/bin/linux_arm64/syz-execprog" "root@10.128.1.249:./syz-execprog"] run #9: basic kernel testing failed: failed to copy syz-execprog to VM: timedout after 1m0s ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "IdentitiesOnly=yes" "-o" "BatchMode=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-v" "/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/bin/linux_arm64/syz-execprog" "root@10.128.1.248:./syz-execprog"] representative crash: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init, types: [NULL-POINTER-DEREFERENCE] testing current HEAD 439fc29dfd3b9c072dfff292d91cfa2f6cfb702b testing commit 439fc29dfd3b9c072dfff292d91cfa2f6cfb702b gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: b1547553b5f22e88949858c2e5062fb358eb7d1ab190e92ec48be408cc7f75f8 all runs: OK false negative chance: 0.000 # git bisect start 439fc29dfd3b9c072dfff292d91cfa2f6cfb702b 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 Bisecting: 129634 revisions left to test after this (roughly 17 steps) [83127ecada257e27f4740dbca9644dd0e838bc36] Merge tag 'wireless-next-2024-05-08' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next determine whether the revision contains the guilty commit revision 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 crashed and is reachable testing commit 83127ecada257e27f4740dbca9644dd0e838bc36 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: c9cba5163b5c97c94c3ff9af1681888e2128d721db14ee34ad2721b2eee901ab all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init representative crash: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init, types: [NULL-POINTER-DEREFERENCE] # git bisect good 83127ecada257e27f4740dbca9644dd0e838bc36 Bisecting: 64842 revisions left to test after this (roughly 16 steps) [08de7f9d4d39fd9aa5e747a13acc891214fa2d5f] Merge tag 'mtd/for-6.14' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux determine whether the revision contains the guilty commit revision 83127ecada257e27f4740dbca9644dd0e838bc36 crashed and is reachable testing commit 08de7f9d4d39fd9aa5e747a13acc891214fa2d5f gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 9884ddd39af593c071bcf915f76e5e50b0fd6c21c5b041b1fbdde8613d98a771 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init representative crash: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init, types: [NULL-POINTER-DEREFERENCE] # git bisect good 08de7f9d4d39fd9aa5e747a13acc891214fa2d5f Bisecting: 32418 revisions left to test after this (roughly 15 steps) [3719a04a80caf660f899a462cd8f3973bcfa676e] Merge tag 'pci-v6.16-changes' of git://git.kernel.org/pub/scm/linux/kernel/git/pci/pci determine whether the revision contains the guilty commit revision 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 crashed and is reachable testing commit 3719a04a80caf660f899a462cd8f3973bcfa676e gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: f029e66bc137827b9c6eb6dba6c217b3db2f308c44637b72ba1ac1ddb140fe89 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init representative crash: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init, types: [NULL-POINTER-DEREFERENCE] # git bisect good 3719a04a80caf660f899a462cd8f3973bcfa676e Bisecting: 16221 revisions left to test after this (roughly 14 steps) [c30a13538d9f8b2a60b2f6b26abe046dea10aa12] Merge tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf determine whether the revision contains the guilty commit revision 83127ecada257e27f4740dbca9644dd0e838bc36 crashed and is reachable testing commit c30a13538d9f8b2a60b2f6b26abe046dea10aa12 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: f5a3c698e9d08c26e98694fc22901b2fdbe7afef9d0d4381003427cf4d76b6a9 all runs: OK false negative chance: 0.000 # git bisect bad c30a13538d9f8b2a60b2f6b26abe046dea10aa12 Bisecting: 8102 revisions left to test after this (roughly 13 steps) [bcb48dd3b344592cc33732de640b99264c073df1] Merge tag 'perf-core-2025-07-28' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip determine whether the revision contains the guilty commit revision 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 crashed and is reachable testing commit bcb48dd3b344592cc33732de640b99264c073df1 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: ac54a3b487093ceb48b2d7a1961b0b6ecc5567c1a490fbeac16984df0082087a all runs: OK false negative chance: 0.000 # git bisect bad bcb48dd3b344592cc33732de640b99264c073df1 Bisecting: 4080 revisions left to test after this (roughly 12 steps) [005b0a0c24e1628313e951516b675109a92cacfe] btrfs: send: use fallocate for hole punching with send stream v2 determine whether the revision contains the guilty commit revision 83127ecada257e27f4740dbca9644dd0e838bc36 crashed and is reachable testing commit 005b0a0c24e1628313e951516b675109a92cacfe gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 09c5b071acbe4505414b370909e0e7ea24747dc56e2b3f6611dc968f6e82d748 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init representative crash: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init, types: [NULL-POINTER-DEREFERENCE] # git bisect good 005b0a0c24e1628313e951516b675109a92cacfe Bisecting: 2052 revisions left to test after this (roughly 11 steps) [86aa721820952b793a12fc6e5a01734186c0c238] Merge tag 'chrome-platform-v6.17' of git://git.kernel.org/pub/scm/linux/kernel/git/chrome-platform/linux determine whether the revision contains the guilty commit revision 3719a04a80caf660f899a462cd8f3973bcfa676e crashed and is reachable testing commit 86aa721820952b793a12fc6e5a01734186c0c238 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: e9b301e6b32721a2e0c95e721464619a75c50e56901cbf622a5d5748a17c0e78 all runs: OK false negative chance: 0.000 # git bisect bad 86aa721820952b793a12fc6e5a01734186c0c238 Bisecting: 1037 revisions left to test after this (roughly 10 steps) [ae388edd4a8f0226f3ef7b102c34f78220756c3d] Merge tag 'landlock-6.17-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux determine whether the revision contains the guilty commit revision 08de7f9d4d39fd9aa5e747a13acc891214fa2d5f crashed and is reachable testing commit ae388edd4a8f0226f3ef7b102c34f78220756c3d gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: ba1aa2c68dfe75e2c27ac69ce05b15fb1e4beed85bc4f26322399a0155b5fb7b all runs: OK false negative chance: 0.000 # git bisect bad ae388edd4a8f0226f3ef7b102c34f78220756c3d Bisecting: 490 revisions left to test after this (roughly 9 steps) [7031769e102b768b3fa0c4c726faf532cb31e973] Merge tag 'vfs-6.17-rc1.mmap_prepare' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs determine whether the revision contains the guilty commit revision 005b0a0c24e1628313e951516b675109a92cacfe crashed and is reachable testing commit 7031769e102b768b3fa0c4c726faf532cb31e973 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 73bd657ecacce1a1b840090fbfbb51fc26aa0a3f951652d2a83da41fb3b71840 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init representative crash: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init, types: [NULL-POINTER-DEREFERENCE] # git bisect good 7031769e102b768b3fa0c4c726faf532cb31e973 Bisecting: 229 revisions left to test after this (roughly 8 steps) [6e11664f148454a127dd89e8698c3e3e80e5f62f] Merge tag 'for-6.17/block-20250728' of git://git.kernel.dk/linux determine whether the revision contains the guilty commit revision 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 crashed and is reachable testing commit 6e11664f148454a127dd89e8698c3e3e80e5f62f gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 89cdffccde0a2a8ec16bdc0b727bca67fe53e47f58dbd5b23ba64a133f8b7e96 all runs: OK false negative chance: 0.000 # git bisect bad 6e11664f148454a127dd89e8698c3e3e80e5f62f Bisecting: 141 revisions left to test after this (roughly 7 steps) [e5cf61fa6e2fb9ae6339eaa892612488c966baaf] Merge tag 'v6.17-rc-smb3-server-fixes' of git://git.samba.org/ksmbd determine whether the revision contains the guilty commit revision 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 crashed and is reachable testing commit e5cf61fa6e2fb9ae6339eaa892612488c966baaf gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 0301755bba21064d2ead81b95bcaa3389de6112804c02b85f2ce0bee26f9e73d all runs: OK false negative chance: 0.000 # git bisect bad e5cf61fa6e2fb9ae6339eaa892612488c966baaf Bisecting: 59 revisions left to test after this (roughly 6 steps) [cec40a7c80e8b0ef03667708ea2660bc1a99b464] Merge tag 'vfs-6.17-rc1.integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs determine whether the revision contains the guilty commit revision 7031769e102b768b3fa0c4c726faf532cb31e973 crashed and is reachable testing commit cec40a7c80e8b0ef03667708ea2660bc1a99b464 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 6ff6caeeb778f2067f7452d0e6757206af04063731628c9527b21d35573761a5 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init representative crash: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init, types: [NULL-POINTER-DEREFERENCE] # git bisect good cec40a7c80e8b0ef03667708ea2660bc1a99b464 Bisecting: 25 revisions left to test after this (roughly 5 steps) [b5d760d53ac2e36825fbbb8d1f54ad9ce6138f7b] Merge tag 'vfs-6.17-rc1.iomap' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs determine whether the revision contains the guilty commit revision 3719a04a80caf660f899a462cd8f3973bcfa676e crashed and is reachable testing commit b5d760d53ac2e36825fbbb8d1f54ad9ce6138f7b gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 904ec3b605055d093c8a90876ae3ded58bb213e26207c29878e9b63bc1099e00 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init representative crash: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init, types: [NULL-POINTER-DEREFERENCE] # git bisect good b5d760d53ac2e36825fbbb8d1f54ad9ce6138f7b Bisecting: 15 revisions left to test after this (roughly 4 steps) [736a0516a16268995f4898eded49bfef077af709] hfs: fix general protection fault in hfs_find_init() determine whether the revision contains the guilty commit revision 3719a04a80caf660f899a462cd8f3973bcfa676e crashed and is reachable testing commit 736a0516a16268995f4898eded49bfef077af709 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 50c61096420d7ce7c651fabe983ae28846548e4ba3f0bc4f907cb5ed5e6dbc47 all runs: OK false negative chance: 0.000 # git bisect bad 736a0516a16268995f4898eded49bfef077af709 Bisecting: 4 revisions left to test after this (roughly 2 steps) [4c6a567cb8e8e0eb7fc559e8cecbae7d83aaafbb] hfsplus: don't set REQ_SYNC for hfsplus_submit_bio() determine whether the revision contains the guilty commit revision 3719a04a80caf660f899a462cd8f3973bcfa676e crashed and is reachable testing commit 4c6a567cb8e8e0eb7fc559e8cecbae7d83aaafbb gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 824c2cf43fa43e0359e80307a90eff8595daf2d992ac753d3aa4343fda0a8f58 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init representative crash: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init, types: [NULL-POINTER-DEREFERENCE] # git bisect good 4c6a567cb8e8e0eb7fc559e8cecbae7d83aaafbb Bisecting: 2 revisions left to test after this (roughly 1 step) [94458781aee6045bd3d0ad4b80b02886b9e2219b] hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc() determine whether the revision contains the guilty commit revision 3719a04a80caf660f899a462cd8f3973bcfa676e crashed and is reachable testing commit 94458781aee6045bd3d0ad4b80b02886b9e2219b gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 60f15348e3883d21f2d5279c2aa51f4a70f8a015b2f4aa3a9218780ec21e7c19 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init representative crash: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init, types: [NULL-POINTER-DEREFERENCE] # git bisect good 94458781aee6045bd3d0ad4b80b02886b9e2219b Bisecting: 0 revisions left to test after this (roughly 1 step) [a431930c9bac518bf99d6b1da526a7f37ddee8d8] hfs: fix slab-out-of-bounds in hfs_bnode_read() determine whether the revision contains the guilty commit revision 08de7f9d4d39fd9aa5e747a13acc891214fa2d5f crashed and is reachable testing commit a431930c9bac518bf99d6b1da526a7f37ddee8d8 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: cb71295a28aa52a8c5c5c88066919d5cbdfd58a8c9cc8a2eb2e99a443c2cb24d all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init representative crash: BUG: unable to handle kernel NULL pointer dereference in hfs_find_init, types: [NULL-POINTER-DEREFERENCE] # git bisect good a431930c9bac518bf99d6b1da526a7f37ddee8d8 736a0516a16268995f4898eded49bfef077af709 is the first bad commit commit 736a0516a16268995f4898eded49bfef077af709 Author: Viacheslav Dubeyko Date: Thu Jul 10 14:36:57 2025 -0700 hfs: fix general protection fault in hfs_find_init() The hfs_find_init() method can trigger the crash if tree pointer is NULL: [ 45.746290][ T9787] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000008: 0000 [#1] SMP KAI [ 45.747287][ T9787] KASAN: null-ptr-deref in range [0x0000000000000040-0x0000000000000047] [ 45.748716][ T9787] CPU: 2 UID: 0 PID: 9787 Comm: repro Not tainted 6.16.0-rc3 #10 PREEMPT(full) [ 45.750250][ T9787] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 45.751983][ T9787] RIP: 0010:hfs_find_init+0x86/0x230 [ 45.752834][ T9787] Code: c1 ea 03 80 3c 02 00 0f 85 9a 01 00 00 4c 8d 6b 40 48 c7 45 18 00 00 00 00 48 b8 00 00 00 00 00 fc [ 45.755574][ T9787] RSP: 0018:ffffc90015157668 EFLAGS: 00010202 [ 45.756432][ T9787] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff819a4d09 [ 45.757457][ T9787] RDX: 0000000000000008 RSI: ffffffff819acd3a RDI: ffffc900151576e8 [ 45.758282][ T9787] RBP: ffffc900151576d0 R08: 0000000000000005 R09: 0000000000000000 [ 45.758943][ T9787] R10: 0000000080000000 R11: 0000000000000001 R12: 0000000000000004 [ 45.759619][ T9787] R13: 0000000000000040 R14: ffff88802c50814a R15: 0000000000000000 [ 45.760293][ T9787] FS: 00007ffb72734540(0000) GS:ffff8880cec64000(0000) knlGS:0000000000000000 [ 45.761050][ T9787] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 45.761606][ T9787] CR2: 00007f9bd8225000 CR3: 000000010979a000 CR4: 00000000000006f0 [ 45.762286][ T9787] Call Trace: [ 45.762570][ T9787] [ 45.762824][ T9787] hfs_ext_read_extent+0x190/0x9d0 [ 45.763269][ T9787] ? submit_bio_noacct_nocheck+0x2dd/0xce0 [ 45.763766][ T9787] ? __pfx_hfs_ext_read_extent+0x10/0x10 [ 45.764250][ T9787] hfs_get_block+0x55f/0x830 [ 45.764646][ T9787] block_read_full_folio+0x36d/0x850 [ 45.765105][ T9787] ? __pfx_hfs_get_block+0x10/0x10 [ 45.765541][ T9787] ? const_folio_flags+0x5b/0x100 [ 45.765972][ T9787] ? __pfx_hfs_read_folio+0x10/0x10 [ 45.766415][ T9787] filemap_read_folio+0xbe/0x290 [ 45.766840][ T9787] ? __pfx_filemap_read_folio+0x10/0x10 [ 45.767325][ T9787] ? __filemap_get_folio+0x32b/0xbf0 [ 45.767780][ T9787] do_read_cache_folio+0x263/0x5c0 [ 45.768223][ T9787] ? __pfx_hfs_read_folio+0x10/0x10 [ 45.768666][ T9787] read_cache_page+0x5b/0x160 [ 45.769070][ T9787] hfs_btree_open+0x491/0x1740 [ 45.769481][ T9787] hfs_mdb_get+0x15e2/0x1fb0 [ 45.769877][ T9787] ? __pfx_hfs_mdb_get+0x10/0x10 [ 45.770316][ T9787] ? find_held_lock+0x2b/0x80 [ 45.770731][ T9787] ? lockdep_init_map_type+0x5c/0x280 [ 45.771200][ T9787] ? lockdep_init_map_type+0x5c/0x280 [ 45.771674][ T9787] hfs_fill_super+0x38e/0x720 [ 45.772092][ T9787] ? __pfx_hfs_fill_super+0x10/0x10 [ 45.772549][ T9787] ? snprintf+0xbe/0x100 [ 45.772931][ T9787] ? __pfx_snprintf+0x10/0x10 [ 45.773350][ T9787] ? do_raw_spin_lock+0x129/0x2b0 [ 45.773796][ T9787] ? find_held_lock+0x2b/0x80 [ 45.774215][ T9787] ? set_blocksize+0x40a/0x510 [ 45.774636][ T9787] ? sb_set_blocksize+0x176/0x1d0 [ 45.775087][ T9787] ? setup_bdev_super+0x369/0x730 [ 45.775533][ T9787] get_tree_bdev_flags+0x384/0x620 [ 45.775985][ T9787] ? __pfx_hfs_fill_super+0x10/0x10 [ 45.776453][ T9787] ? __pfx_get_tree_bdev_flags+0x10/0x10 [ 45.776950][ T9787] ? bpf_lsm_capable+0x9/0x10 [ 45.777365][ T9787] ? security_capable+0x80/0x260 [ 45.777803][ T9787] vfs_get_tree+0x8e/0x340 [ 45.778203][ T9787] path_mount+0x13de/0x2010 [ 45.778604][ T9787] ? kmem_cache_free+0x2b0/0x4c0 [ 45.779052][ T9787] ? __pfx_path_mount+0x10/0x10 [ 45.779480][ T9787] ? getname_flags.part.0+0x1c5/0x550 [ 45.779954][ T9787] ? putname+0x154/0x1a0 [ 45.780335][ T9787] __x64_sys_mount+0x27b/0x300 [ 45.780758][ T9787] ? __pfx___x64_sys_mount+0x10/0x10 [ 45.781232][ T9787] do_syscall_64+0xc9/0x480 [ 45.781631][ T9787] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 45.782149][ T9787] RIP: 0033:0x7ffb7265b6ca [ 45.782539][ T9787] Code: 48 8b 0d c9 17 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 [ 45.784212][ T9787] RSP: 002b:00007ffc0c10cfb8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5 [ 45.784935][ T9787] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ffb7265b6ca [ 45.785626][ T9787] RDX: 0000200000000240 RSI: 0000200000000280 RDI: 00007ffc0c10d100 [ 45.786316][ T9787] RBP: 00007ffc0c10d190 R08: 00007ffc0c10d000 R09: 0000000000000000 [ 45.787011][ T9787] R10: 0000000000000048 R11: 0000000000000206 R12: 0000560246733250 [ 45.787697][ T9787] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 45.788393][ T9787] [ 45.788665][ T9787] Modules linked in: [ 45.789058][ T9787] ---[ end trace 0000000000000000 ]--- [ 45.789554][ T9787] RIP: 0010:hfs_find_init+0x86/0x230 [ 45.790028][ T9787] Code: c1 ea 03 80 3c 02 00 0f 85 9a 01 00 00 4c 8d 6b 40 48 c7 45 18 00 00 00 00 48 b8 00 00 00 00 00 fc [ 45.792364][ T9787] RSP: 0018:ffffc90015157668 EFLAGS: 00010202 [ 45.793155][ T9787] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff819a4d09 [ 45.794123][ T9787] RDX: 0000000000000008 RSI: ffffffff819acd3a RDI: ffffc900151576e8 [ 45.795105][ T9787] RBP: ffffc900151576d0 R08: 0000000000000005 R09: 0000000000000000 [ 45.796135][ T9787] R10: 0000000080000000 R11: 0000000000000001 R12: 0000000000000004 [ 45.797114][ T9787] R13: 0000000000000040 R14: ffff88802c50814a R15: 0000000000000000 [ 45.798024][ T9787] FS: 00007ffb72734540(0000) GS:ffff8880cec64000(0000) knlGS:0000000000000000 [ 45.799019][ T9787] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 45.799822][ T9787] CR2: 00007f9bd8225000 CR3: 000000010979a000 CR4: 00000000000006f0 [ 45.800747][ T9787] Kernel panic - not syncing: Fatal exception The hfs_fill_super() calls hfs_mdb_get() method that tries to construct Extents Tree and Catalog Tree: HFS_SB(sb)->ext_tree = hfs_btree_open(sb, HFS_EXT_CNID, hfs_ext_keycmp); if (!HFS_SB(sb)->ext_tree) { pr_err("unable to open extent tree\n"); goto out; } HFS_SB(sb)->cat_tree = hfs_btree_open(sb, HFS_CAT_CNID, hfs_cat_keycmp); if (!HFS_SB(sb)->cat_tree) { pr_err("unable to open catalog tree\n"); goto out; } However, hfs_btree_open() calls read_mapping_page() that calls hfs_get_block(). And this method calls hfs_ext_read_extent(): static int hfs_ext_read_extent(struct inode *inode, u16 block) { struct hfs_find_data fd; int res; if (block >= HFS_I(inode)->cached_start && block < HFS_I(inode)->cached_start + HFS_I(inode)->cached_blocks) return 0; res = hfs_find_init(HFS_SB(inode->i_sb)->ext_tree, &fd); if (!res) { res = __hfs_ext_cache_extent(&fd, inode, block); hfs_find_exit(&fd); } return res; } The problem here that hfs_find_init() is trying to use HFS_SB(inode->i_sb)->ext_tree that is not initialized yet. It will be initailized when hfs_btree_open() finishes the execution. The patch adds checking of tree pointer in hfs_find_init() and it reworks the logic of hfs_btree_open() by reading the b-tree's header directly from the volume. The read_mapping_page() is exchanged on filemap_grab_folio() that grab the folio from mapping. Then, sb_bread() extracts the b-tree's header content and copy it into the folio. Reported-by: Wenzhi Wang Signed-off-by: Viacheslav Dubeyko cc: John Paul Adrian Glaubitz cc: Yangtao Li cc: linux-fsdevel@vger.kernel.org Link: https://lore.kernel.org/r/20250710213657.108285-1-slava@dubeyko.com Signed-off-by: Viacheslav Dubeyko fs/hfs/bfind.c | 3 +++ fs/hfs/btree.c | 57 ++++++++++++++++++++++++++++++++++++++++++++++----------- fs/hfs/extent.c | 2 +- fs/hfs/hfs_fs.h | 1 + 4 files changed, 51 insertions(+), 12 deletions(-) accumulated error probability: 0.00 culprit signature: 50c61096420d7ce7c651fabe983ae28846548e4ba3f0bc4f907cb5ed5e6dbc47 parent signature: cb71295a28aa52a8c5c5c88066919d5cbdfd58a8c9cc8a2eb2e99a443c2cb24d revisions tested: 26, total time: 5h59m41.667603627s (build: 2h56m41.00862801s, test: 2h38m2.673766117s) first good commit: 736a0516a16268995f4898eded49bfef077af709 hfs: fix general protection fault in hfs_find_init() recipients (to): ["slava@dubeyko.com"] recipients (cc): []