Message-ID: <696b1252.050a0220.3390f1.0004.GAE@google.com>
Date: Fri, 16 Jan 2026 20:38:42 -0800
From: syzbot <syzbot+8debf4b3f7c7391cd8eb@...kaller.appspotmail.com>
To: linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Forwarded: [PATCH] hpfs: add debug logging to hpfs_bplus_lookup

For archival purposes, forwarding an incoming command email to
linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com.

***

Subject: [PATCH] hpfs: add debug logging to hpfs_bplus_lookup
Author: kartikey406@...il.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


This is a debug patch to understand the use-after-free issue reported
by syzbot. It adds extensive logging to track:
- Buffer head addresses and lifecycle
- btree pointer values and offsets
- Array access patterns before crashes
- Internal vs external node processing

This will help identify exactly where and why the use-after-free occurs.

NOT FOR MERGE - DEBUG ONLY

Reported-by: syzbot+8debf4b3f7c7391cd8eb@...kaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=8debf4b3f7c7391cd8eb
---
 fs/hpfs/anode.c | 39 ++++++++++++++++++++++++++++++++++++---
 1 file changed, 36 insertions(+), 3 deletions(-)

diff --git a/fs/hpfs/anode.c b/fs/hpfs/anode.c
index a4f5321eafae..e55d0f5fd782 100644
--- a/fs/hpfs/anode.c
+++ b/fs/hpfs/anode.c
@@ -19,25 +19,57 @@ secno hpfs_bplus_lookup(struct super_block *s, struct inode *inode,
 	struct anode *anode;
 	int i;
 	int c1, c2 = 0;
+
+	printk(KERN_EMERG "=== BPLUS_LOOKUP ENTRY: btree=%px bh=%px bh->b_data=%px sec=%u ===\n",
+	       btree, bh, bh->b_data, sec);
 	go_down:
+	printk(KERN_EMERG "=== go_down: btree=%px bh=%px n_used_nodes=%u internal=%d ===\n",
+	       btree, bh, btree->n_used_nodes, bp_internal(btree));
+
 	if (hpfs_sb(s)->sb_chk) if (hpfs_stop_cycles(s, a, &c1, &c2, "hpfs_bplus_lookup")) return -1;
 	if (bp_internal(btree)) {
-		for (i = 0; i < btree->n_used_nodes; i++)
+		printk(KERN_EMERG "=== Processing INTERNAL node, n_used_nodes=%u ===\n", btree->n_used_nodes);
+		for (i = 0; i < btree->n_used_nodes; i++) {
+			printk(KERN_EMERG "=== internal[%d]: accessing %px ===\n", i, &btree->u.internal[i]);
 			if (le32_to_cpu(btree->u.internal[i].file_secno) > sec) {
 				a = le32_to_cpu(btree->u.internal[i].down);
+				printk(KERN_EMERG "=== Found match, going to anode=%08x ===\n", a);
+				printk(KERN_EMERG "=== RELEASING bh=%px ===\n", bh);
+
 				brelse(bh);
-				if (!(anode = hpfs_map_anode(s, a, &bh))) return -1;
+				printk(KERN_EMERG "=== Calling hpfs_map_anode for %08x ===\n", a);
+
+				if (!(anode = hpfs_map_anode(s, a, &bh))){
+					printk(KERN_EMERG "=== hpfs_map_anode FAILED ===\n");
+					return -1;
+				}
+				printk(KERN_EMERG "=== hpfs_map_anode SUCCESS: anode=%px new_bh=%px new_bh->b_data=%px ===\n",
+				       anode, bh, bh->b_data);
+
 				btree = GET_BTREE_PTR(&anode->btree);
+
+				printk(KERN_EMERG "=== NEW btree=%px (offset from b_data: %ld) ===\n",
+				       btree, (long)((void *)btree - (void *)bh->b_data));
+				printk(KERN_EMERG "=== Validation passed, jumping to go_down ===\n");
 				goto go_down;
 			}
+		}
 		hpfs_error(s, "sector %08x not found in internal anode %08x", sec, a);
 		brelse(bh);
 		return -1;
 	}
-	for (i = 0; i < btree->n_used_nodes; i++)
+
+	printk(KERN_EMERG "=== Processing EXTERNAL node, n_used_nodes=%u ===\n", btree->n_used_nodes);
+	printk(KERN_EMERG "=== btree=%px bh=%px bh->b_data=%px bh->b_size=%zu ===\n",
+	       btree, bh, bh->b_data, bh->b_size);
+	for (i = 0; i < btree->n_used_nodes; i++) {
+		printk(KERN_EMERG "=== external[%d]: about to access %px ===\n", i, &btree->u.external[i]);
+		printk(KERN_EMERG "=== CRASH WILL HAPPEN ON NEXT LINE IF UAF ===\n");
 		if (le32_to_cpu(btree->u.external[i].file_secno) <= sec &&
 		    le32_to_cpu(btree->u.external[i].file_secno) + le32_to_cpu(btree->u.external[i].length) > sec) {
 			a = le32_to_cpu(btree->u.external[i].disk_secno) + sec - le32_to_cpu(btree->u.external[i].file_secno);
+
+			printk(KERN_EMERG "=== Found external match, returning %u ===\n", a);
 			if (hpfs_sb(s)->sb_chk) if (hpfs_chk_sectors(s, a, 1, "data")) {
 				brelse(bh);
 				return -1;
@@ -51,6 +83,7 @@ secno hpfs_bplus_lookup(struct super_block *s, struct inode *inode,
 			brelse(bh);
 			return a;
 		}
+	}
 	hpfs_error(s, "sector %08x not found in external anode %08x", sec, a);
 	brelse(bh);
 	return -1;
-- 
2.43.0

