Created attachment 276901
The (compressed) crafted image which causes the crash

- Reproduce

# mkdir mnt
# mount -t hfsplus 38.img mnt

- Kernel message

[ 135.759739] ==================================================================
[ 135.765254] BUG: KASAN: null-ptr-deref in mount_fs+0x78/0x1a0
[ 135.766424] Read of size 8 at addr 0000000000000068 by task mount/1401
[ 135.768106] CPU: 1 PID: 1401 Comm: mount Not tainted 4.18.0-rc1+ #6
[ 135.768110] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 135.768116] Call Trace:
[ 135.768154]  dump_stack+0x7b/0xb5
[ 135.768169]  kasan_report+0x10c/0x390
[ 135.768174]  ? mount_fs+0x78/0x1a0
[ 135.768191]  __asan_load8+0x54/0x90
[ 135.768195]  mount_fs+0x78/0x1a0
[ 135.768207]  ? alloc_vfsmnt+0x309/0x360
[ 135.768213]  vfs_kern_mount+0x6b/0x1a0
[ 135.768218]  do_mount+0x34a/0x18c0
[ 135.768244]  ? lockref_put_or_lock+0xcf/0x160
[ 135.768251]  ? copy_mount_string+0x20/0x20
[ 135.768262]  ? memcg_kmem_put_cache+0x1b/0xa0
[ 135.768268]  ? kasan_check_write+0x14/0x20
[ 135.768278]  ? _copy_from_user+0x6a/0x90
[ 135.768295]  ? memdup_user+0x42/0x60
[ 135.768300]  ksys_mount+0x83/0xd0
[ 135.768306]  __x64_sys_mount+0x67/0x80
[ 135.768330]  do_syscall_64+0x78/0x170
[ 135.768347]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 135.768363] RIP: 0033:0x7fe65a36bb9a
[ 135.768364] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
[ 135.768427] RSP: 002b:00007ffcfb9849e8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[ 135.768437] RAX: ffffffffffffffda RBX: 000000000081e030 RCX: 00007fe65a36bb9a
[ 135.768440] RDX: 000000000081e210 RSI: 000000000081ff30 RDI: 0000000000826ec0
[ 135.768442] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000016
[ 135.768445] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000000000826ec0
[ 135.768447] R13: 000000000081e210 R14: 0000000000000000 R15: 0000000000000003
[ 135.768455] ==================================================================
[ 135.769932] Disabling lock debugging due to kernel taint
[ 135.770929] BUG: unable to handle kernel NULL pointer dereference at 0000000000000068
[ 135.772552] PGD 80000001f20ec067 P4D 80000001f20ec067 PUD 1f20ed067 PMD 0
[ 135.773946] Oops: 0000 [#1] SMP KASAN PTI
[ 135.774769] CPU: 1 PID: 1401 Comm: mount Tainted: G B 4.18.0-rc1+ #6
[ 135.776409] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 135.778307] RIP: 0010:mount_fs+0x78/0x1a0
[ 135.779126] Code: 49 8b 45 10 48 89 d9 44 89 fe 4c 89 ef e8 d0 e7 21 01 48 3d 00 f0 ff ff 49 89 c4 0f 87 a5 00 00 00 48 8d 78 68 e8 88 8f fb ff <49> 8b 5c 24 68 48 85 db 0f 84 dd 00 00 00 48 8d bb d8 00 00 00 e8
[ 135.782930] RSP: 0018:ffff8801e4c7fce0 EFLAGS: 00010296
[ 135.783984] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 135.785419] RDX: 0000000000000000 RSI: 0000000000000297 RDI: 0000000000000297
[ 135.786844] RBP: ffff8801e4c7fd10 R08: ffffed003ede3ebb R09: ffffed003ede3ebb
[ 135.788277] R10: 0000000000000001 R11: ffffed003ede3eba R12: 0000000000000000
[ 135.789699] R13: ffffffffaf24af00 R14: 0000000000000000 R15: 0000000000000000
[ 135.791121] FS:  00007fe65aa8b840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
[ 135.792748] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 135.793907] CR2: 00007fd86c01e0e8 CR3: 00000001effa8000 CR4: 00000000000006e0
[ 135.795347] Call Trace:
[ 135.795866]  ? alloc_vfsmnt+0x309/0x360
[ 135.796664]  vfs_kern_mount+0x6b/0x1a0
[ 135.797438]  do_mount+0x34a/0x18c0
[ 135.798143]  ? lockref_put_or_lock+0xcf/0x160
[ 135.799038]  ? copy_mount_string+0x20/0x20
[ 135.799880]  ? memcg_kmem_put_cache+0x1b/0xa0
[ 135.800790]  ? kasan_check_write+0x14/0x20
[ 135.801632]  ? _copy_from_user+0x6a/0x90
[ 135.802444]  ? memdup_user+0x42/0x60
[ 135.803185]  ksys_mount+0x83/0xd0
[ 135.803873]  __x64_sys_mount+0x67/0x80
[ 135.804660]  do_syscall_64+0x78/0x170
[ 135.805419]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 135.806446] RIP: 0033:0x7fe65a36bb9a
[ 135.807182] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
[ 135.811006] RSP: 002b:00007ffcfb9849e8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[ 135.812542] RAX: ffffffffffffffda RBX: 000000000081e030 RCX: 00007fe65a36bb9a
[ 135.813977] RDX: 000000000081e210 RSI: 000000000081ff30 RDI: 0000000000826ec0
[ 135.815412] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000016
[ 135.816858] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000000000826ec0
[ 135.818293] R13: 000000000081e210 R14: 0000000000000000 R15: 0000000000000003
[ 135.819739] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd i2c_piix4 mac_hid soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops crct10dif_pclmul ttm crc32_pclmul aesni_intel drm aes_x86_64 crypto_simd cryptd glue_helper 8139cp mii pata_acpi floppy
[ 135.829487] CR2: 0000000000000068
[ 135.830248] ---[ end trace 7f5a46c7478f1295 ]---
[ 135.831211] RIP: 0010:mount_fs+0x78/0x1a0
[ 135.832075] Code: 49 8b 45 10 48 89 d9 44 89 fe 4c 89 ef e8 d0 e7 21 01 48 3d 00 f0 ff ff 49 89 c4 0f 87 a5 00 00 00 48 8d 78 68 e8 88 8f fb ff <49> 8b 5c 24 68 48 85 db 0f 84 dd 00 00 00 48 8d bb d8 00 00 00 e8
[ 135.835984] RSP: 0018:ffff8801e4c7fce0 EFLAGS: 00010296
[ 135.837101] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 135.838548] RDX: 0000000000000000 RSI: 0000000000000297 RDI: 0000000000000297
[ 135.839989] RBP: ffff8801e4c7fd10 R08: ffffed003ede3ebb R09: ffffed003ede3ebb
[ 135.841603] R10: 0000000000000001 R11: ffffed003ede3eba R12: 0000000000000000
[ 135.843048] R13: ffffffffaf24af00 R14: 0000000000000000 R15: 0000000000000000
[ 135.844528] FS:  00007fe65aa8b840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
[ 135.846167] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 135.847334] CR2: 00007fd86c01e0e8 CR3: 00000001effa8000 CR4: 00000000000006e0

- Location

https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/super.c#L1282

in mount_fs():

	root = type->mount(type, flags, name, data);
	if (IS_ERR(root)) {
		error = PTR_ERR(root);
		goto out_free_secdata;
	}
	sb = root->d_sb;

The kernel panics because root is NULL: type->mount() returned a plain NULL rather than an ERR_PTR() value, so IS_ERR() does not catch it and the following load of root->d_sb (the faulting instruction in the oops reads 8 bytes at offset 0x68 from r12, which is 0) dereferences a NULL pointer.

Reported by Wen Xu (wen.xu@gatech.edu) from SSLab at Gatech.
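As an added illustration (not part of the report or of the kernel source), a userspace model of the check quoted above: a NULL return from type->mount() passes IS_ERR() and reaches the root->d_sb load, while IS_ERR_OR_NULL() turns it into an ordinary failure. The ERR_PTR helpers follow the encoding used by include/linux/err.h; the padded struct dentry, mount_demo() and the *_unchecked/*_checked names are assumptions made for this demo.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Userspace model of the mount_fs() check quoted in the report. The
 * ERR_PTR/IS_ERR helpers follow the encoding of include/linux/err.h;
 * struct dentry is a stand-in padded so d_sb sits at offset 0x68, the
 * address the oops above faults on. Names ending in _demo are hypothetical. */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long error) { return (void *)(intptr_t)error; }
static inline long PTR_ERR(const void *p) { return (long)(intptr_t)p; }
static inline int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }
static inline int IS_ERR_OR_NULL(const void *p) { return !p || IS_ERR(p); }

struct super_block { unsigned long s_magic; };
struct dentry { char pad[0x68]; struct super_block *d_sb; };

enum mount_demo { MOUNT_DEMO_OK, MOUNT_DEMO_ERR, MOUNT_DEMO_NULL };
static struct super_block sb_demo = { 0x482b };      /* constructed sample */
static struct dentry root_demo = { { 0 }, &sb_demo };

/* Stand-in for type->mount(): a well-behaved fs returns a dentry or an
 * ERR_PTR(); the failure the report describes is a plain NULL return. */
static struct dentry *mount_demo(enum mount_demo how)
{
	switch (how) {
	case MOUNT_DEMO_OK:  return &root_demo;
	case MOUNT_DEMO_ERR: return ERR_PTR(-EINVAL);
	default:             return NULL;
	}
}

/* The 4.18-rc1 pattern: returns 1 if control would reach root->d_sb with root == NULL. */
static int mount_fs_unchecked_would_deref_null(enum mount_demo how)
{
	struct dentry *root = mount_demo(how);
	if (IS_ERR(root))
		return 0;          /* PTR_ERR(root) handled, nothing dereferenced */
	return root == NULL;       /* the kernel loads root->d_sb right here */
}

/* Hardened caller: a NULL root is treated as a failure and never dereferenced. */
static long mount_fs_checked(enum mount_demo how, struct super_block **sb)
{
	struct dentry *root = mount_demo(how);
	if (IS_ERR_OR_NULL(root))
		return root ? PTR_ERR(root) : -EINVAL;
	*sb = root->d_sb;
	return 0;
}
```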