syzbot


KASAN: slab-out-of-bounds Read in hfsplus_uni2asc

Status: upstream: reported C repro on 2022/11/28 10:02
Subsystems: hfs
Reported-by: syzbot+076d963e115823c4b9be@syzkaller.appspotmail.com
First crash: 550d, last: 4d00h
Cause bisection: failed (error log, bisect log)
  
Discussions (14)
Title | Replies (including bot) | Last reply
[syzbot] Monthly hfs report (May 2024) | 0 (1) | 2024/05/13 21:13
[syzbot] Monthly hfs report (Apr 2024) | 0 (1) | 2024/04/12 13:18
[syzbot] Monthly hfs report (Mar 2024) | 0 (1) | 2024/03/12 09:29
[syzbot] Monthly hfs report (Feb 2024) | 0 (1) | 2024/02/09 21:02
[syzbot] Monthly hfs report (Jan 2024) | 0 (1) | 2024/01/10 09:16
[syzbot] Monthly hfs report (Dec 2023) | 0 (1) | 2023/12/06 10:05
[syzbot] Monthly hfs report (Oct 2023) | 0 (1) | 2023/10/04 13:13
[syzbot] Monthly hfs report (Aug 2023) | 0 (1) | 2023/08/30 09:53
[syzbot] Monthly hfs report (Jul 2023) | 0 (1) | 2023/07/30 13:17
[syzbot] Monthly hfs report (Jun 2023) | 0 (1) | 2023/06/29 08:55
[syzbot] Monthly hfs report (May 2023) | 0 (1) | 2023/05/30 08:18
[syzbot] Monthly hfs report (Apr 2023) | 0 (1) | 2023/04/27 13:32
[PATCH] hfsplus: fix OOB of hfsplus_unistr in hfsplus_uni2asc() | 3 (3) | 2022/12/01 12:14
[syzbot] KASAN: slab-out-of-bounds Read in hfsplus_uni2asc | 0 (1) | 2022/11/28 10:02
Similar bugs (4)
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
linux-5.15 | KASAN: slab-out-of-bounds Read in hfsplus_uni2asc origin:upstream | C | error | | 252 | 18d | 441d | 0/3 | upstream: reported C repro on 2023/03/16 05:02
linux-4.19 | KASAN: slab-out-of-bounds Read in hfsplus_uni2asc hfsplus | C | error | | 2 | 526d | 550d | 0/1 | upstream: reported C repro on 2022/11/27 08:50
linux-4.14 | KASAN: slab-out-of-bounds Read in hfsplus_uni2asc | C | | | 1 | 455d | 543d | 0/1 | upstream: reported C repro on 2022/12/04 03:32
linux-6.1 | KASAN: slab-out-of-bounds Read in hfsplus_uni2asc origin:upstream | C | | | 126 | 18d | 438d | 0/3 | upstream: reported C repro on 2023/03/19 19:39
Last patch testing requests (10)
Created Duration User Patch Repo Result
2024/03/02 20:40 21m retest repro upstream OK log
2024/03/02 20:40 23m retest repro upstream OK log
2024/03/02 18:35 22m retest repro linux-next error OK
2024/03/02 18:35 22m retest repro linux-next error OK
2024/03/02 17:22 23m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci OK log
2024/03/02 17:22 25m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci OK log
2024/03/02 15:28 23m retest repro upstream OK log
2024/03/02 15:28 23m retest repro upstream OK log
2024/03/02 15:28 23m retest repro upstream OK log
2024/03/02 15:28 31m retest repro upstream OK log

Sample crash report:
         option from the mount to silence this warning.
=======================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
Read of size 2 at addr ffff88801d31a40c by task syz-executor209/5090

CPU: 0 PID: 5090 Comm: syz-executor209 Not tainted 6.9.0-rc4-syzkaller-00266-g977b1ef51866 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
 hfsplus_readdir+0x87b/0x1000 fs/hfsplus/dir.c:207
 iterate_dir+0x295/0x9e0 fs/readdir.c:110
 __do_sys_getdents64 fs/readdir.c:409 [inline]
 __se_sys_getdents64 fs/readdir.c:394 [inline]
 __x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f119fd6ed19
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcf59f0758 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f119fd6ed19
RDX: 00000000000000a5 RSI: 00000000200002c0 RDI: 0000000000000004
RBP: 00007f119fde25f0 R08: 000055556a1074c0 R09: 000055556a1074c0
R10: 0000000000000632 R11: 0000000000000246 R12: 00007ffcf59f0780
R13: 00007ffcf59f09a8 R14: 431bde82d7b634db R15: 00007f119fdb703b
 </TASK>

Allocated by task 5090:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:387
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slub.c:3966 [inline]
 __kmalloc+0x1f9/0x440 mm/slub.c:3979
 kmalloc include/linux/slab.h:632 [inline]
 hfsplus_find_init+0x95/0x200 fs/hfsplus/bfind.c:21
 hfsplus_readdir+0x266/0x1000 fs/hfsplus/dir.c:144
 iterate_dir+0x295/0x9e0 fs/readdir.c:110
 __do_sys_getdents64 fs/readdir.c:409 [inline]
 __se_sys_getdents64 fs/readdir.c:394 [inline]
 __x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88801d31a000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 0 bytes to the right of
 allocated 1036-byte region [ffff88801d31a000, ffff88801d31a40c)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d318
head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff80000000840(slab|head|node=0|zone=1|lastcpupid=0xfff)
page_type: 0xffffffff()
raw: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
head: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000003 ffffea000074c601 dead000000000122 00000000ffffffff
head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4534, tgid 1976515163 (udevd), ts 4534, free_ts 104030928511
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x2d4/0x350 mm/page_alloc.c:1534
 prep_new_page mm/page_alloc.c:1541 [inline]
 get_page_from_freelist+0xa28/0x3780 mm/page_alloc.c:3317
 __alloc_pages+0x22b/0x2460 mm/page_alloc.c:4575
 __alloc_pages_node include/linux/gfp.h:238 [inline]
 alloc_pages_node include/linux/gfp.h:261 [inline]
 alloc_slab_page mm/slub.c:2175 [inline]
 allocate_slab mm/slub.c:2338 [inline]
 new_slab+0xcc/0x3a0 mm/slub.c:2391
 ___slab_alloc+0x66d/0x1790 mm/slub.c:3525
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3610
 __slab_alloc_node mm/slub.c:3663 [inline]
 slab_alloc_node mm/slub.c:3835 [inline]
 __do_kmalloc_node mm/slub.c:3965 [inline]
 __kmalloc+0x3b4/0x440 mm/slub.c:3979
 kmalloc include/linux/slab.h:632 [inline]
 sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2080
 sk_alloc+0x36/0xb90 net/core/sock.c:2133
 __netlink_create+0x63/0x300 net/netlink/af_netlink.c:647
 netlink_create+0x3dc/0x670 net/netlink/af_netlink.c:708
 __sock_create+0x331/0x800 net/socket.c:1571
 sock_create net/socket.c:1622 [inline]
 __sys_socket_create net/socket.c:1659 [inline]
 __sys_socket+0x14f/0x260 net/socket.c:1706
 __do_sys_socket net/socket.c:1720 [inline]
 __se_sys_socket net/socket.c:1718 [inline]
 __x64_sys_socket+0x72/0xb0 net/socket.c:1718
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5079 tgid 5079 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1141 [inline]
 free_unref_page_prepare+0x527/0xb10 mm/page_alloc.c:2347
 free_unref_page+0x33/0x3c0 mm/page_alloc.c:2487
 __put_partials+0x14c/0x170 mm/slub.c:2906
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x4e/0x140 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:322
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3798 [inline]
 slab_alloc_node mm/slub.c:3845 [inline]
 kmem_cache_alloc+0x136/0x320 mm/slub.c:3852
 getname_flags.part.0+0x50/0x4f0 fs/namei.c:139
 getname_flags include/linux/audit.h:322 [inline]
 getname+0x8f/0xe0 fs/namei.c:218
 do_sys_openat2+0x104/0x1e0 fs/open.c:1400
 do_sys_open fs/open.c:1421 [inline]
 __do_sys_openat fs/open.c:1437 [inline]
 __se_sys_openat fs/open.c:1432 [inline]
 __x64_sys_openat+0x175/0x210 fs/open.c:1432
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88801d31a300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88801d31a380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88801d31a400: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                      ^
 ffff88801d31a480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88801d31a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
Read of size 2 at addr ffff88801d31a40e by task syz-executor209/5090

CPU: 0 PID: 5090 Comm: syz-executor209 Tainted: G    B              6.9.0-rc4-syzkaller-00266-g977b1ef51866 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
 hfsplus_readdir+0x87b/0x1000 fs/hfsplus/dir.c:207
 iterate_dir+0x295/0x9e0 fs/readdir.c:110
 __do_sys_getdents64 fs/readdir.c:409 [inline]
 __se_sys_getdents64 fs/readdir.c:394 [inline]
 __x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f119fd6ed19
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcf59f0758 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f119fd6ed19
RDX: 00000000000000a5 RSI: 00000000200002c0 RDI: 0000000000000004
RBP: 00007f119fde25f0 R08: 000055556a1074c0 R09: 000055556a1074c0
R10: 0000000000000632 R11: 0000000000000246 R12: 00007ffcf59f0780
R13: 00007ffcf59f09a8 R14: 431bde82d7b634db R15: 00007f119fdb703b
 </TASK>

Allocated by task 5090:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:387
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slub.c:3966 [inline]
 __kmalloc+0x1f9/0x440 mm/slub.c:3979
 kmalloc include/linux/slab.h:632 [inline]
 hfsplus_find_init+0x95/0x200 fs/hfsplus/bfind.c:21
 hfsplus_readdir+0x266/0x1000 fs/hfsplus/dir.c:144
 iterate_dir+0x295/0x9e0 fs/readdir.c:110
 __do_sys_getdents64 fs/readdir.c:409 [inline]
 __se_sys_getdents64 fs/readdir.c:394 [inline]
 __x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88801d31a000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 2 bytes to the right of
 allocated 1036-byte region [ffff88801d31a000, ffff88801d31a40c)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d318
head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff80000000840(slab|head|node=0|zone=1|lastcpupid=0xfff)
page_type: 0xffffffff()
raw: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
head: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000003 ffffea000074c601 dead000000000122 00000000ffffffff
head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4534, tgid 1976515163 (udevd), ts 4534, free_ts 104030928511
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x2d4/0x350 mm/page_alloc.c:1534
 prep_new_page mm/page_alloc.c:1541 [inline]
 get_page_from_freelist+0xa28/0x3780 mm/page_alloc.c:3317
 __alloc_pages+0x22b/0x2460 mm/page_alloc.c:4575
 __alloc_pages_node include/linux/gfp.h:238 [inline]
 alloc_pages_node include/linux/gfp.h:261 [inline]
 alloc_slab_page mm/slub.c:2175 [inline]
 allocate_slab mm/slub.c:2338 [inline]
 new_slab+0xcc/0x3a0 mm/slub.c:2391
 ___slab_alloc+0x66d/0x1790 mm/slub.c:3525
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3610
 __slab_alloc_node mm/slub.c:3663 [inline]
 slab_alloc_node mm/slub.c:3835 [inline]
 __do_kmalloc_node mm/slub.c:3965 [inline]
 __kmalloc+0x3b4/0x440 mm/slub.c:3979
 kmalloc include/linux/slab.h:632 [inline]
 sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2080
 sk_alloc+0x36/0xb90 net/core/sock.c:2133
 __netlink_create+0x63/0x300 net/netlink/af_netlink.c:647
 netlink_create+0x3dc/0x670 net/netlink/af_netlink.c:708
 __sock_create+0x331/0x800 net/socket.c:1571
 sock_create net/socket.c:1622 [inline]
 __sys_socket_create net/socket.c:1659 [inline]
 __sys_socket+0x14f/0x260 net/socket.c:1706
 __do_sys_socket net/socket.c:1720 [inline]
 __se_sys_socket net/socket.c:1718 [inline]
 __x64_sys_socket+0x72/0xb0 net/socket.c:1718
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5079 tgid 5079 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1141 [inline]
 free_unref_page_prepare+0x527/0xb10 mm/page_alloc.c:2347
 free_unref_page+0x33/0x3c0 mm/page_alloc.c:2487
 __put_partials+0x14c/0x170 mm/slub.c:2906
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x4e/0x140 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:322
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3798 [inline]
 slab_alloc_node mm/slub.c:3845 [inline]
 kmem_cache_alloc+0x136/0x320 mm/slub.c:3852
 getname_flags.part.0+0x50/0x4f0 fs/namei.c:139
 getname_flags include/linux/audit.h:322 [inline]
 getname+0x8f/0xe0 fs/namei.c:218
 do_sys_openat2+0x104/0x1e0 fs/open.c:1400
 do_sys_open fs/open.c:1421 [inline]
 __do_sys_openat fs/open.c:1437 [inline]
 __se_sys_openat fs/open.c:1432 [inline]
 __x64_sys_openat+0x175/0x210 fs/open.c:1432
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88801d31a300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88801d31a380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88801d31a400: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                      ^
 ffff88801d31a480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88801d31a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
Read of size 2 at addr ffff88801d31a410 by task syz-executor209/5090

CPU: 0 PID: 5090 Comm: syz-executor209 Tainted: G    B              6.9.0-rc4-syzkaller-00266-g977b1ef51866 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
 hfsplus_readdir+0x87b/0x1000 fs/hfsplus/dir.c:207
 iterate_dir+0x295/0x9e0 fs/readdir.c:110
 __do_sys_getdents64 fs/readdir.c:409 [inline]
 __se_sys_getdents64 fs/readdir.c:394 [inline]
 __x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f119fd6ed19
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcf59f0758 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f119fd6ed19
RDX: 00000000000000a5 RSI: 00000000200002c0 RDI: 0000000000000004
RBP: 00007f119fde25f0 R08: 000055556a1074c0 R09: 000055556a1074c0
R10: 0000000000000632 R11: 0000000000000246 R12: 00007ffcf59f0780
R13: 00007ffcf59f09a8 R14: 431bde82d7b634db R15: 00007f119fdb703b
 </TASK>

Allocated by task 5090:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:387
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slub.c:3966 [inline]
 __kmalloc+0x1f9/0x440 mm/slub.c:3979
 kmalloc include/linux/slab.h:632 [inline]
 hfsplus_find_init+0x95/0x200 fs/hfsplus/bfind.c:21
 hfsplus_readdir+0x266/0x1000 fs/hfsplus/dir.c:144
 iterate_dir+0x295/0x9e0 fs/readdir.c:110
 __do_sys_getdents64 fs/readdir.c:409 [inline]
 __se_sys_getdents64 fs/readdir.c:394 [inline]
 __x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88801d31a000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 4 bytes to the right of
 allocated 1036-byte region [ffff88801d31a000, ffff88801d31a40c)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d318
head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff80000000840(slab|head|node=0|zone=1|lastcpupid=0xfff)
page_type: 0xffffffff()
raw: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
head: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000003 ffffea000074c601 dead000000000122 00000000ffffffff
head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4534, tgid 1976515163 (udevd), ts 4534, free_ts 104030928511
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x2d4/0x350 mm/page_alloc.c:1534
 prep_new_page mm/page_alloc.c:1541 [inline]
 get_page_from_freelist+0xa28/0x3780 mm/page_alloc.c:3317
 __alloc_pages+0x22b/0x2460 mm/page_alloc.c:4575
 __alloc_pages_node include/linux/gfp.h:238 [inline]
 alloc_pages_node include/linux/gfp.h:261 [inline]
 alloc_slab_page mm/slub.c:2175 [inline]
 allocate_slab mm/slub.c:2338 [inline]
 new_slab+0xcc/0x3a0 mm/slub.c:2391
 ___slab_alloc+0x66d/0x1790 mm/slub.c:3525
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3610
 __slab_alloc_node mm/slub.c:3663 [inline]
 slab_alloc_node mm/slub.c:3835 [inline]
 __do_kmalloc_node mm/slub.c:3965 [inline]
 __kmalloc+0x3b4/0x440 mm/slub.c:3979
 kmalloc include/linux/slab.h:632 [inline]
 sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2080
 sk_alloc+0x36/0xb90 net/core/sock.c:2133
 __netlink_create+0x63/0x300 net/netlink/af_netlink.c:647
 netlink_create+0x3dc/0x670 net/netlink/af_netlink.c:708
 __sock_create+0x331/0x800 net/socket.c:1571
 sock_create net/socket.c:1622 [inline]
 __sys_socket_create net/socket.c:1659 [inline]
 __sys_socket+0x14f/0x260 net/socket.c:1706
 __do_sys_socket net/socket.c:1720 [inline]
 __se_sys_socket net/socket.c:1718 [inline]
 __x64_sys_socket+0x72/0xb0 net/socket.c:1718
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5079 tgid 5079 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1141 [inline]
 free_unref_page_prepare+0x527/0xb10 mm/page_alloc.c:2347
 free_unref_page+0x33/0x3c0 mm/page_alloc.c:2487
 __put_partials+0x14c/0x170 mm/slub.c:2906
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x4e/0x140 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:322
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3798 [inline]
 slab_alloc_node mm/slub.c:3845 [inline]
 kmem_cache_alloc+0x136/0x320 mm/slub.c:3852
 getname_flags.part.0+0x50/0x4f0 fs/namei.c:139
 getname_flags include/linux/audit.h:322 [inline]
 getname+0x8f/0xe0 fs/namei.c:218
 do_sys_openat2+0x104/0x1e0 fs/open.c:1400
 do_sys_open fs/open.c:1421 [inline]
 __do_sys_openat fs/open.c:1437 [inline]
 __se_sys_openat fs/open.c:1432 [inline]
 __x64_sys_openat+0x175/0x210 fs/open.c:1432
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88801d31a300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88801d31a380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88801d31a400: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                         ^
 ffff88801d31a480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88801d31a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
Read of size 2 at addr ffff88801d31a412 by task syz-executor209/5090

CPU: 0 PID: 5090 Comm: syz-executor209 Tainted: G    B              6.9.0-rc4-syzkaller-00266-g977b1ef51866 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
 hfsplus_readdir+0x87b/0x1000 fs/hfsplus/dir.c:207
 iterate_dir+0x295/0x9e0 fs/readdir.c:110
 __do_sys_getdents64 fs/readdir.c:409 [inline]
 __se_sys_getdents64 fs/readdir.c:394 [inline]
 __x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f119fd6ed19
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcf59f0758 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f119fd6ed19
RDX: 00000000000000a5 RSI: 00000000200002c0 RDI: 0000000000000004
RBP: 00007f119fde25f0 R08: 000055556a1074c0 R09: 000055556a1074c0
R10: 0000000000000632 R11: 0000000000000246 R12: 00007ffcf59f0780
R13: 00007ffcf59f09a8 R14: 431bde82d7b634db R15: 00007f119fdb703b
 </TASK>

Allocated by task 5090:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:387
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slub.c:3966 [inline]
 __kmalloc+0x1f9/0x440 mm/slub.c:3979
 kmalloc include/linux/slab.h:632 [inline]
 hfsplus_find_init+0x95/0x200 fs/hfsplus/bfind.c:21
 hfsplus_readdir+0x266/0x1000 fs/hfsplus/dir.c:144
 iterate_dir+0x295/0x9e0 fs/readdir.c:110
 __do_sys_getdents64 fs/readdir.c:409 [inline]
 __se_sys_getdents64 fs/readdir.c:394 [inline]
 __x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88801d31a000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 6 bytes to the right of
 allocated 1036-byte region [ffff88801d31a000, ffff88801d31a40c)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d318
head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff80000000840(slab|head|node=0|zone=1|lastcpupid=0xfff)
page_type: 0xffffffff()
raw: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
head: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000003 ffffea000074c601 dead000000000122 00000000ffffffff
head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4534, tgid 1976515163 (udevd), ts 4534, free_ts 104030928511
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x2d4/0x350 mm/page_alloc.c:1534
 prep_new_page mm/page_alloc.c:1541 [inline]
 get_page_from_freelist+0xa28/0x3780 mm/page_alloc.c:3317
 __alloc_pages+0x22b/0x2460 mm/page_alloc.c:4575
 __alloc_pages_node include/linux/gfp.h:238 [inline]
 alloc_pages_node include/linux/gfp.h:261 [inline]
 alloc_slab_page mm/slub.c:2175 [inline]
 allocate_slab mm/slub.c:2338 [inline]
 new_slab+0xcc/0x3a0 mm/slub.c:2391
 ___slab_alloc+0x66d/0x1790 mm/slub.c:3525
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3610
 __slab_alloc_node mm/slub.c:3663 [inline]
 slab_alloc_node mm/slub.c:3835 [inline]
 __do_kmalloc_node mm/slub.c:3965 [inline]
 __kmalloc+0x3b4/0x440 mm/slub.c:3979
 kmalloc include/linux/slab.h:632 [inline]
 sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2080
 sk_alloc+0x36/0xb90 net/core/sock.c:2133
 __netlink_create+0x63/0x300 net/netlink/af_netlink.c:647
 netlink_create+0x3dc/0x670 net/netlink/af_netlink.c:708
 __sock_create+0x331/0x800 net/socket.c:1571
 sock_create net/socket.c:1622 [inline]
 __sys_socket_create net/socket.c:1659 [inline]
 __sys_socket+0x14f/0x260 net/socket.c:1706
 __do_sys_socket net/socket.c:1720 [inline]
 __se_sys_socket net/socket.c:1718 [inline]
 __x64_sys_socket+0x72/0xb0 net/socket.c:1718
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5079 tgid 5079 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1141 [inline]
 free_unref_page_prepare+0x527/0xb10 mm/page_alloc.c:2347
 free_unref_page+0x33/0x3c0 mm/page_alloc.c:2487
 __put_partials+0x14c/0x170 mm/slub.c:2906
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x4e/0x140 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:322
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3798 [inline]
 slab_alloc_node mm/slub.c:3845 [inline]
 kmem_cache_alloc+0x136/0x320 mm/slub.c:3852
 getname_flags.part.0+0x50/0x4f0 fs/namei.c:139
 getname_flags include/linux/audit.h:322 [inline]
 getname+0x8f/0xe0 fs/namei.c:218
 do_sys_openat2+0x104/0x1e0 fs/open.c:1400
 do_sys_open fs/open.c:1421 [inline]
 __do_sys_openat fs/open.c:1437 [inline]
 __se_sys_openat fs/open.c:1432 [inline]
 __x64_sys_openat+0x175/0x210 fs/open.c:1432
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88801d31a300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88801d31a380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88801d31a400: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                         ^
 ffff88801d31a480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88801d31a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
Read of size 2 at addr ffff88801d31a414 by task syz-executor209/5090

CPU: 0 PID: 5090 Comm: syz-executor209 Tainted: G    B              6.9.0-rc4-syzkaller-00266-g977b1ef51866 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
 hfsplus_readdir+0x87b/0x1000 fs/hfsplus/dir.c:207
 iterate_dir+0x295/0x9e0 fs/readdir.c:110
 __do_sys_getdents64 fs/readdir.c:409 [inline]
 __se_sys_getdents64 fs/readdir.c:394 [inline]
 __x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f119fd6ed19
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcf59f0758 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f119fd6ed19
RDX: 00000000000000a5 RSI: 00000000200002c0 RDI: 0000000000000004
RBP: 00007f119fde25f0 R08: 000055556a1074c0 R09: 000055556a1074c0
R10: 0000000000000632 R11: 0000000000000246 R12: 00007ffcf59f0780
R13: 00007ffcf59f09a8 R14: 431bde82d7b634db R15: 00007f119fdb703b
 </TASK>

Allocated by task 5090:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:387
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slub.c:3966 [inline]
 __kmalloc+0x1f9/0x440 mm/slub.c:3979
 kmalloc include/linux/slab.h:632 [inline]
 hfsplus_find_init+0x95/0x200 fs/hfsplus/bfind.c:21
 hfsplus_readdir+0x266/0x1000 fs/hfsplus/dir.c:144
 iterate_dir+0x295/0x9e0 fs/readdir.c:110
 __do_sys_getdents64 fs/readdir.c:409 [inline]
 __se_sys_getdents64 fs/readdir.c:394 [inline]
 __x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88801d31a000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 8 bytes to the right of
 allocated 1036-byte region [ffff88801d31a000, ffff88801d31a40c)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d318
head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff80000000840(slab|head|node=0|zone=1|lastcpupid=0xfff)
page_type: 0xffffffff()
raw: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
head: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000003 ffffea000074c601 dead000000000122 00000000ffffffff
head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4534, tgid 1976515163 (udevd), ts 4534, free_ts 104030928511
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x2d4/0x350 mm/page_alloc.c:1534
 prep_new_page mm/page_alloc.c:1541 [inline]
 get_page_from_freelist+0xa28/0x3780 mm/page_alloc.c:3317
 __alloc_pages+0x22b/0x2460 mm/page_alloc.c:4575
 __alloc_pages_node include/linux/gfp.h:238 [inline]
 alloc_pages_node include/linux/gfp.h:261 [inline]
 alloc_slab_page mm/slub.c:2175 [inline]
 allocate_slab mm/slub.c:2338 [inline]
 new_slab+0xcc/0x3a0 mm/slub.c:2391
 ___slab_alloc+0x66d/0x1790 mm/slub.c:3525
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3610
 __slab_alloc_node mm/slub.c:3663 [inline]
 slab_alloc_node mm/slub.c:3835 [inline]
 __do_kmalloc_node mm/slub.c:3965 [inline]
 __kmalloc+0x3b4/0x440 mm/slub.c:3979
 kmalloc include/linux/slab.h:632 [inline]
 sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2080
 sk_alloc+0x36/0xb90 net/core/sock.c:2133
 __netlink_create+0x63/0x300 net/netlink/af_netlink.c:647
 netlink_create+0x3dc/0x670 net/netlink/af_netlink.c:708
 __sock_create+0x331/0x800 net/socket.c:1571
 sock_create net/socket.c:1622 [inline]
 __sys_socket_create net/socket.c:1659 [inline]
 __sys_socket+0x14f/0x260 net/socket.c:1706
 __do_sys_socket net/socket.c:1720 [inline]
 __se_sys_socket net/socket.c:1718 [inline]
 __x64_sys_socket+0x72/0xb0 net/socket.c:1718
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5079 tgid 5079 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1141 [inline]
 free_unref_page_prepare+0x527/0xb10 mm/page_alloc.c:2347
 free_unref_page+0x33/0x3c0 mm/page_alloc.c:2487
 __put_partials+0x14c/0x170 mm/slub.c:2906
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x4e/0x140 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:322
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3798 [inline]
 slab_alloc_node mm/slub.c:3845 [inline]
 kmem_cache_alloc+0x136/0x320 mm/slub.c:3852
 getname_flags.part.0+0x50/0x4f0 fs/namei.c:139
 getname_flags include/linux/audit.h:322 [inline]
 getname+0x8f/0xe0 fs/namei.c:218
 do_sys_openat2+0x104/0x1e0 fs/open.c:1400
 do_sys_open fs/open.c:1421 [inline]
 __do_sys_openat fs/open.c:1437 [inline]
 __se_sys_openat fs/open.c:1432 [inline]
 __x64_sys_openat+0x175/0x210 fs/open.c:1432
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88801d31a300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88801d31a380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88801d31a400: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                         ^
 ffff88801d31a480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88801d31a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
Read of size 2 at addr ffff88801d31a416 by task syz-executor209/5090

CPU: 0 PID: 5090 Comm: syz-executor209 Tainted: G    B              6.9.0-rc4-syzkaller-00266-g977b1ef51866 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
 hfsplus_readdir+0x87b/0x1000 fs/hfsplus/dir.c:207
 iterate_dir+0x295/0x9e0 fs/readdir.c:110
 __do_sys_getdents64 fs/readdir.c:409 [inline]
 __se_sys_getdents64 fs/readdir.c:394 [inline]
 __x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f119fd6ed19
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcf59f0758 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f119fd6ed19
RDX: 00000000000000a5 RSI: 00000000200002c0 RDI: 0000000000000004
RBP: 00007f119fde25f0 R08: 000055556a1074c0 R09: 000055556a1074c0
R10: 0000000000000632 R11: 0000000000000246 R12: 00007ffcf59f0780
R13: 00007ffcf59f09a8 R14: 431bde82d7b634db R15: 00007f119fdb703b
 </TASK>

Allocated by task 5090:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:387
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slub.c:3966 [inline]
 __kmalloc+0x1f9/0x440 mm/slub.c:3979
 kmalloc include/linux/slab.h:632 [inline]
 hfsplus_find_init+0x95/0x200 fs/hfsplus/bfind.c:21
 hfsplus_readdir+0x266/0x1000 fs/hfsplus/dir.c:144
 iterate_dir+0x295/0x9e0 fs/readdir.c:110
 __do_sys_getdents64 fs/readdir.c:409 [inline]
 __se_sys_getdents64 fs/readdir.c:394 [inline]
 __x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88801d31a000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 10 bytes to the right of
 allocated 1036-byte region [ffff88801d31a000, ffff88801d31a40c)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d318
head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff80000000840(slab|head|node=0|zone=1|lastcpupid=0xfff)
page_type: 0xffffffff()
raw: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
head: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000003 ffffea000074c601 dead000000000122 00000000ffffffff
head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4534, tgid 1976515163 (udevd), ts 4534, free_ts 104030928511
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x2d4/0x350 mm/page_alloc.c:1534
 prep_new_page mm/page_alloc.c:1541 [inline]
 get_page_from_freelist+0xa28/0x3780 mm/page_alloc.c:3317
 __alloc_pages+0x22b/0x2460 mm/page_alloc.c:4575
 __alloc_pages_node include/linux/gfp.h:238 [inline]
 alloc_pages_node include/linux/gfp.h:261 [inline]
 alloc_slab_page mm/slub.c:2175 [inline]
 allocate_slab mm/slub.c:2338 [inline]
 new_slab+0xcc/0x3a0 mm/slub.c:2391
 ___slab_alloc+0x66d/0x1790 mm/slub.c:3525
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3610
 __slab_alloc_node mm/slub.c:3663 [inline]
 slab_alloc_node mm/slub.c:3835 [inline]
 __do_kmalloc_node mm/slub.c:3965 [inline]
 __kmalloc+0x3b4/0x440 mm/slub.c:3979
 kmalloc include/linux/slab.h:632 [inline]
 sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2080
 sk_alloc+0x36/0xb90 net/core/sock.c:2133
 __netlink_create+0x63/0x300 net/netlink/af_netlink.c:647
 netlink_create+0x3dc/0x670 net/netlink/af_netlink.c:708
 __sock_create+0x331/0x800 net/socket.c:1571
 sock_create net/socket.c:1622 [inline]
 __sys_socket_create net/socket.c:1659 [inline]
 __sys_socket+0x14f/0x260 net/socket.c:1706
 __do_sys_socket net/socket.c:1720 [inline]
 __se_sys_socket net/socket.c:1718 [inline]
 __x64_sys_socket+0x72/0xb0 net/socket.c:1718
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5079 tgid 5079 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1141 [inline]
 free_unref_page_prepare+0x527/0xb10 mm/page_alloc.c:2347
 free_unref_page+0x33/0x3c0 mm/page_alloc.c:2487
 __put_partials+0x14c/0x170 mm/slub.c:2906
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x4e/0x140 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:322
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3798 [inline]
 slab_alloc_node mm/slub.c:3845 [inline]
 kmem_cache_alloc+0x136/0x320 mm/slub.c:3852
 getname_flags.part.0+0x50/0x4f0 fs/namei.c:139
 getname_flags include/linux/audit.h:322 [inline]
 getname+0x8f/0xe0 fs/namei.c:218
 do_sys_openat2+0x104/0x1e0 fs/open.c:1400
 do_sys_open fs/open.c:1421 [inline]
 __do_sys_openat fs/open.c:1437 [inline]
 __se_sys_openat fs/open.c:1432 [inline]
 __x64_sys_openat+0x175/0x210 fs/open.c:1432
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88801d31a300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88801d31a380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88801d31a400: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                         ^
 ffff88801d31a480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88801d31a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
Read of size 2 at addr ffff88801d31a418 by task syz-executor209/5090

CPU: 0 PID: 5090 Comm: syz-executor209 Tainted: G    B              6.9.0-rc4-syzkaller-00266-g977b1ef51866 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
 hfsplus_readdir+0x87b/0x1000 fs/hfsplus/dir.c:207
 iterate_dir+0x295/0x9e0 fs/readdir.c:110
 __do_sys_getdents64 fs/readdir.c:409 [inline]
 __se_sys_getdents64 fs/readdir.c:394 [inline]
 __x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f119fd6ed19
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcf59f0758 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f119fd6ed19
RDX: 00000000000000a5 RSI: 00000000200002c0 RDI: 0000000000000004
RBP: 00007f119fde25f0 R08: 000055556a1074c0 R09: 000055556a1074c0
R10: 0000000000000632 R11: 0000000000000246 R12: 00007ffcf59f0780
R13: 00007ffcf59f09a8 R14: 431bde82d7b634db R15: 00007f119fdb703b
 </TASK>

Allocated by task 5090:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:387
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slub.c:3966 [inline]
 __kmalloc+0x1f9/0x440 mm/slub.c:3979
 kmalloc include/linux/slab.h:632 [inline]
 hfsplus_find_init+0x95/0x200 fs/hfsplus/bfind.c:21
 hfsplus_readdir+0x266/0x1000 fs/hfsplus/dir.c:144
 iterate_dir+0x295/0x9e0 fs/readdir.c:110
 __do_sys_getdents64 fs/readdir.c:409 [inline]
 __se_sys_getdents64 fs/readdir.c:394 [inline]
 __x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88801d31a000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 12 bytes to the right of
 allocated 1036-byte region [ffff88801d31a000, ffff88801d31a40c)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d318
head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff80000000840(slab|head|node=0|zone=1|lastcpupid=0xfff)
page_type: 0xffffffff()
raw: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
head: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000003 ffffea000074c601 dead000000000122 00000000ffffffff
head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4534, tgid 1976515163 (udevd), ts 4534, free_ts 104030928511
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x2d4/0x350 mm/page_alloc.c:1534
 prep_new_page mm/page_alloc.c:1541 [inline]
 get_page_from_freelist+0xa28/0x3780 mm/page_alloc.c:3317
 __alloc_pages+0x22b/0x2460 mm/page_alloc.c:4575
 __alloc_pages_node include/linux/gfp.h:238 [inline]
 alloc_pages_node include/linux/gfp.h:261 [inline]
 alloc_slab_page mm/slub.c:2175 [inline]
 allocate_slab mm/slub.c:2338 [inline]
 new_slab+0xcc/0x3a0 mm/slub.c:2391
 ___slab_alloc+0x66d/0x1790 mm/slub.c:3525
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3610
 __slab_alloc_node mm/slub.c:3663 [inline]
 slab_alloc_node mm/slub.c:3835 [inline]
 __do_kmalloc_node mm/slub.c:3965 [inline]
 __kmalloc+0x3b4/0x440 mm/slub.c:3979
 kmalloc include/linux/slab.h:632 [inline]
 sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2080
 sk_alloc+0x36/0xb90 net/core/sock.c:2133
 __netlink_create+0x63/0x300 net/netlink/af_netlink.c:647
 netlink_create+0x3dc/0x670 net/netlink/af_netlink.c:708
 __sock_create+0x331/0x800 net/socket.c:1571
 sock_create net/socket.c:1622 [inline]
 __sys_socket_create net/socket.c:1659 [inline]
 __sys_socket+0x14f/0x260 net/socket.c:1706
 __do_sys_socket net/socket.c:1720 [inline]
 __se_sys_socket net/socket.c:1718 [inline]
 __x64_sys_socket+0x72/0xb0 net/socket.c:1718
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5079 tgid 5079 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1141 [inline]
 free_unref_page_prepare+0x527/0xb10 mm/page_alloc.c:2347
 free_unref_page+0x33/0x3c0 mm/page_alloc.c:2487
 __put_partials+0x14c/0x170 mm/slub.c:2906
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x4e/0x140 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:322
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3798 [inline]
 slab_alloc_node mm/slub.c:3845 [inline]
 kmem_cache_alloc+0x136/0x320 mm/slub.c:3852
 getname_flags.part.0+0x50/0x4f0 fs/namei.c:139
 getname_flags include/linux/audit.h:322 [inline]
 getname+0x8f/0xe0 fs/namei.c:218
 do_sys_openat2+0x104/0x1e0 fs/open.c:1400
 do_sys_open fs/open.c:1421 [inline]
 __do_sys_openat fs/open.c:1437 [inline]
 __se_sys_openat fs/open.c:1432 [inline]
 __x64_sys_openat+0x175/0x210 fs/open.c:1432
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88801d31a300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88801d31a380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88801d31a400: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                            ^
 ffff88801d31a480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88801d31a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
Read of size 2 at addr ffff88801d31a41a by task syz-executor209/5090

CPU: 0 PID: 5090 Comm: syz-executor209 Tainted: G    B              6.9.0-rc4-syzkaller-00266-g977b1ef51866 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
 hfsplus_readdir+0x87b/0x1000 fs/hfsplus/dir.c:207
 iterate_dir+0x295/0x9e0 fs/readdir.c:110
 __do_sys_getdents64 fs/readdir.c:409 [inline]
 __se_sys_getdents64 fs/readdir.c:394 [inline]
 __x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f119fd6ed19
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcf59f0758 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f119fd6ed19
RDX: 00000000000000a5 RSI: 00000000200002c0 RDI: 0000000000000004
RBP: 00007f119fde25f0 R08: 000055556a1074c0 R09: 000055556a1074c0
R10: 0000000000000632 R11: 0000000000000246 R12: 00007ffcf59f0780
R13: 00007ffcf59f09a8 R14: 431bde82d7b634db R15: 00007f119fdb703b
 </TASK>

Allocated by task 5090:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:387
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slub.c:3966 [inline]
 __kmalloc+0x1f9/0x440 mm/slub.c:3979
 kmalloc include/linux/slab.h:632 [inline]
 hfsplus_find_init+0x95/0x200 fs/hfsplus/bfind.c:21
 hfsplus_readdir+0x266/0x1000 fs/hfsplus/dir.c:144
 iterate_dir+0x295/0x9e0 fs/readdir.c:110
 __do_sys_getdents64 fs/readdir.c:409 [inline]
 __se_sys_getdents64 fs/readdir.c:394 [inline]
 __x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88801d31a000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 14 bytes to the right of
 allocated 1036-byte region [ffff88801d31a000, ffff88801d31a40c)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d318
head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff80000000840(slab|head|node=0|zone=1|lastcpupid=0xfff)
page_type: 0xffffffff()
raw: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
head: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000003 ffffea000074c601 dead000000000122 00000000ffffffff
head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4534, tgid 1976515163 (udevd), ts 4534, free_ts 104030928511
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x2d4/0x350 mm/page_alloc.c:1534
 prep_new_page mm/page_alloc.c:1541 [inline]
 get_page_from_freelist+0xa28/0x3780 mm/page_alloc.c:3317
 __alloc_pages+0x22b/0x2460 mm/page_alloc.c:4575
 __alloc_pages_node include/linux/gfp.h:238 [inline]
 alloc_pages_node include/linux/gfp.h:261 [inline]
 alloc_slab_page mm/slub.c:2175 [inline]
 allocate_slab mm/slub.c:2338 [inline]
 new_slab+0xcc/0x3a0 mm/slub.c:2391
 ___slab_alloc+0x66d/0x1790 mm/slub.c:3525
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3610
 __slab_alloc_node mm/slub.c:3663 [inline]
 slab_alloc_node mm/slub.c:3835 [inline]
 __do_kmalloc_node mm/slub.c:3965 [inline]
 __kmalloc+0x3b4/0x440 mm/slub.c:3979
 kmalloc include/linux/slab.h:632 [inline]
 sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2080
 sk_alloc+0x36/0xb90 net/core/sock.c:2133
 __netlink_create+0x63/0x300 net/netlink/af_netlink.c:647
 netlink_create+0x3dc/0x670 net/netlink/af_netlink.c:708
 __sock_create+0x331/0x800 net/socket.c:1571
 sock_create net/socket.c:1622 [inline]
 __sys_socket_create net/socket.c:1659 [inline]
 __sys_socket+0x14f/0x260 net/socket.c:1706
 __do_sys_socket net/socket.c:1720 [inline]
 __se_sys_socket net/socket.c:1718 [inline]
 __x64_sys_socket+0x72/0xb0 net/socket.c:1718
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5079 tgid 5079 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1141 [inline]
 free_unref_page_prepare+0x527/0xb10 mm/page_alloc.c:2347
 free_unref_page+0x33/0x3c0 mm/page_alloc.c:2487
 __put_partials+0x14c/0x170 mm/slub.c:2906
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x4e/0x140 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:322
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3798 [inline]
 slab_alloc_node mm/slub.c:3845 [inline]
 kmem_cache_alloc+0x136/0x320 mm/slub.c:3852
 getname_flags.part.0+0x50/0x4f0 fs/namei.c:139
 getname_flags include/linux/audit.h:322 [inline]
 getname+0x8f/0xe0 fs/namei.c:218
 do_sys_openat2+0x104/0x1e0 fs/open.c:1400
 do_sys_open fs/open.c:1421 [inline]
 __do_sys_openat fs/open.c:1437 [inline]
 __se_sys_openat fs/open.c:1432 [inline]
 __x64_sys_openat+0x175/0x210 fs/open.c:1432
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88801d31a300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88801d31a380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88801d31a400: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                            ^
 ffff88801d31a480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88801d31a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
Read of size 2 at addr ffff88801d31a41c by task syz-executor209/5090

CPU: 0 PID: 5090 Comm: syz-executor209 Tainted: G    B              6.9.0-rc4-syzkaller-00266-g977b1ef51866 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
 hfsplus_readdir+0x87b/0x1000 fs/hfsplus/dir.c:207
 iterate_dir+0x295/0x9e0 fs/readdir.c:110
 __do_sys_getdents64 fs/readdir.c:409 [inline]
 __se_sys_getdents64 fs/readdir.c:394 [inline]
 __x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f119fd6ed19
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcf59f0758 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f119fd6ed19
RDX: 00000000000000a5 RSI: 00000000200002c0 RDI: 0000000000000004
RBP: 00007f119fde25f0 R08: 000055556a1074c0 R09: 000055556a1074c0
R10: 0000000000000632 R11: 0000000000000246 R12: 00007ffcf59f0780
R13: 00007ffcf59f09a8 R14: 431bde82d7b634db R15: 00007f119fdb703b
 </TASK>

Allocated by task 5090:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:387
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slub.c:3966 [inline]
 __kmalloc+0x1f9/0x440 mm/slub.c:3979
 kmalloc include/linux/slab.h:632 [inline]
 hfsplus_find_init+0x95/0x200 fs/hfsplus/bfind.c:21
 hfsplus_readdir+0x266/0x1000 fs/hfsplus/dir.c:144
 iterate_dir+0x295/0x9e0 fs/readdir.c:110
 __do_sys_getdents64 fs/readdir.c:409 [inline]
 __se_sys_getdents64 fs/readdir.c:394 [inline]
 __x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88801d31a000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 16 bytes to the right of
 allocated 1036-byte region [ffff88801d31a000, ffff88801d31a40c)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d318
head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff80000000840(slab|head|node=0|zone=1|lastcpupid=0xfff)
page_type: 0xffffffff()
raw: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
head: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000003 ffffea000074c601 dead000000000122 00000000ffffffff
head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4534, tgid 1976515163 (udevd), ts 4534, free_ts 104030928511
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x2d4/0x350 mm/page_alloc.c:1534
 prep_new_page mm/page_alloc.c:1541 [inline]
 get_page_from_freelist+0xa28/0x3780 mm/page_alloc.c:3317
 __alloc_pages+0x22b/0x2460 mm/page_alloc.c:4575
 __alloc_pages_node include/linux/gfp.h:238 [inline]
 alloc_pages_node include/linux/gfp.h:261 [inline]
 alloc_slab_page mm/slub.c:2175 [inline]
 allocate_slab mm/slub.c:2338 [inline]
 new_slab+0xcc/0x3a0 mm/slub.c:2391
 ___slab_alloc+0x66d/0x1790 mm/slub.c:3525
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3610
 __slab_alloc_node mm/slub.c:3663 [inline]
 slab_alloc_node mm/slub.c:3835 [inline]
 __do_kmalloc_node mm/slub.c:3965 [inline]
 __kmalloc+0x3b4/0x440 mm/slub.c:3979
 kmalloc include/linux/slab.h:632 [inline]
 sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2080
 sk_alloc+0x36/0xb90 net/core/sock.c:2133
 __netlink_create+0x63/0x300 net/netlink/af_netlink.c:647
 netlink_create+0x3dc/0x670 net/netlink/af_netlink.c:708
 __sock_create+0x331/0x800 net/socket.c:1571
 sock_create net/socket.c:1622 [inline]
 __sys_socket_create net/socket.c:1659 [inline]
 __sys_socket+0x14f/0x260 net/socket.c:1706
 __do_sys_socket net/socket.c:1720 [inline]
 __se_sys_socket net/socket.c:1718 [inline]
 __x64_sys_socket+0x72/0xb0 net/socket.c:1718
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5079 tgid 5079 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1141 [inline]
 free_unref_page_prepare+0x527/0xb10 mm/page_alloc.c:2347
 free_unref_page+0x33/0x3c0 mm/page_alloc.c:2487
 __put_partials+0x14c/0x170 mm/slub.c:2906
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x4e/0x140 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:322
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3798 [inline]
 slab_alloc_node mm/slub.c:3845 [inline]
 kmem_cache_alloc+0x136/0x320 mm/slub.c:3852
 getname_flags.part.0+0x50/0x4f0 fs/namei.c:139
 getname_flags include/linux/audit.h:322 [inline]
 getname+0x8f/0xe0 fs/namei.c:218
 do_sys_openat2+0x104/0x1e0 fs/open.c:1400
 do_sys_open fs/open.c:1421 [inline]
 __do_sys_openat fs/open.c:1437 [inline]
 __se_sys_openat fs/open.c:1432 [inline]
 __x64_sys_openat+0x175/0x210 fs/open.c:1432
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88801d31a300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88801d31a380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88801d31a400: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                            ^
 ffff88801d31a480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88801d31a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
Read of size 2 at addr ffff88801d31a41e by task syz-executor209/5090

CPU: 0 PID: 5090 Comm: syz-executor209 Tainted: G    B              6.9.0-rc4-syzkaller-00266-g977b1ef51866 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
 hfsplus_readdir+0x87b/0x1000 fs/hfsplus/dir.c:207
 iterate_dir+0x295/0x9e0 fs/readdir.c:110
 __do_sys_getdents64 fs/readdir.c:409 [inline]
 __se_sys_getdents64 fs/readdir.c:394 [inline]
 __x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f119fd6ed19
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcf59f0758 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f119fd6ed19
RDX: 00000000000000a5 RSI: 00000000200002c0 RDI: 0000000000000004
RBP: 00007f119fde25f0 R08: 000055556a1074c0 R09: 000055556a1074c0
R10: 0000000000000632 R11: 0000000000000246 R12: 00007ffcf59f0780
R13: 00007ffcf59f09a8 R14: 431bde82d7b634db R15: 00007f119fdb703b
 </TASK>

Allocated by task 5090:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:387
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slub.c:3966 [inline]
 __kmalloc+0x1f9/0x440 mm/slub.c:3979
 kmalloc include/linux/slab.h:632 [inline]
 hfsplus_find_init+0x95/0x200 fs/hfsplus/bfind.c:21
 hfsplus_readdir+0x266/0x1000 fs/hfsplus/dir.c:144
 iterate_dir+0x295/0x9e0 fs/readdir.c:110
 __do_sys_getdents64 fs/readdir.c:409 [inline]
 __se_sys_getdents64 fs/readdir.c:394 [inline]
 __x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88801d31a000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 18 bytes to the right of
 allocated 1036-byte region [ffff88801d31a000, ffff88801d31a40c)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d318
head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff80000000840(slab|head|node=0|zone=1|lastcpupid=0xfff)
page_type: 0xffffffff()
raw: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
head: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000003 ffffea000074c601 dead000000000122 00000000ffffffff
head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4534, tgid 1976515163 (udevd), ts 4534, free_ts 104030928511
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x2d4/0x350 mm/page_alloc.c:1534
 prep_new_page mm/page_alloc.c:1541 [inline]
 get_page_from_freelist+0xa28/0x3780 mm/page_alloc.c:3317
 __alloc_pages+0x22b/0x2460 mm/page_alloc.c:4575
 __alloc_pages_node include/linux/gfp.h:238 [inline]
 alloc_pages_node include/linux/gfp.h:261 [inline]
 alloc_slab_page mm/slub.c:2175 [inline]
 allocate_slab mm/slub.c:2338 [inline]
 new_slab+0xcc/0x3a0 mm/slub.c:2391
 ___slab_alloc+0x66d/0x1790 mm/slub.c:3525
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3610
 __slab_alloc_node mm/slub.c:3663 [inline]
 slab_alloc_node mm/slub.c:3835 [inline]
 __do_kmalloc_node mm/slub.c:3965 [inline]
 __kmalloc+0x3b4/0x440 mm/slub.c:3979
 kmalloc include/linux/slab.h:632 [inline]
 sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2080
 sk_alloc+0x36/0xb90 net/core/sock.c:2133
 __netlink_create+0x63/0x300 net/netlink/af_netlink.c:647
 netlink_create+0x3dc/0x670 net/netlink/af_netlink.c:708
 __sock_create+0x331/0x800 net/socket.c:1571
 sock_create net/socket.c:1622 [inline]
 __sys_socket_create net/socket.c:1659 [inline]
 __sys_socket+0x14f/0x260 net/socket.c:1706
 __do_sys_socket net/socket.c:1720 [inline]
 __se_sys_socket net/socket.c:1718 [inline]
 __x64_sys_socket+0x72/0xb0 net/socket.c:1718
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5079 tgid 5079 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1141 [inline]
 free_unref_page_prepare+0x527/0xb10 mm/page_alloc.c:2347
 free_unref_page+0x33/0x3c0 mm/page_alloc.c:2487
 __put_partials+0x14c/0x170 mm/slub.c:2906
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x4e/0x140 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:322
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3798 [inline]
 slab_alloc_node mm/slub.c:3845 [inline]
 kmem_cache_alloc+0x136/0x320 mm/slub.c:3852
 getname_flags.part.0+0x50/0x4f0 fs/namei.c:139
 getname_flags include/linux/audit.h:322 [inline]
 getname+0x8f/0xe0 fs/namei.c:218
 do_sys_openat2+0x104/0x1e0 fs/open.c:1400
 do_sys_open fs/open.c:1421 [inline]
 __do_sys_openat fs/open.c:1437 [inline]
 __se_sys_openat fs/open.c:1432 [inline]
 __x64_sys_openat+0x175/0x210 fs/open.c:1432
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88801d31a300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88801d31a380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88801d31a400: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                            ^
 ffff88801d31a480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88801d31a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
Read of size 2 at addr ffff88801d31a420 by task syz-executor209/5090

CPU: 0 PID: 5090 Comm: syz-executor209 Tainted: G    B              6.9.0-rc4-syzkaller-00266-g977b1ef51866 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
 hfsplus_readdir+0x87b/0x1000 fs/hfsplus/dir.c:207
 iterate_dir+0x295/0x9e0 fs/readdir.c:110
 __do_sys_getdents64 fs/readdir.c:409 [inline]
 __se_sys_getdents64 fs/readdir.c:394 [inline]
 __x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f119fd6ed19
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcf59f0758 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f119fd6ed19
RDX: 00000000000000a5 RSI: 00000000200002c0 RDI: 0000000000000004
RBP: 00007f119fde25f0 R08: 000055556a1074c0 R09: 000055556a1074c0
R10: 0000000000000632 R11: 0000000000000246 R12: 00007ffcf59f0780
R13: 00007ffcf59f09a8 R14: 431bde82d7b634db R15: 00007f119fdb703b
 </TASK>

Allocated by task 5090:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:387
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slub.c:3966 [inline]
 __kmalloc+0x1f9/0x440 mm/slub.c:3979
 kmalloc include/linux/slab.h:632 [inline]
 hfsplus_find_init+0x95/0x200 fs/hfsplus/bfind.c:21
 hfsplus_readdir+0x266/0x1000 fs/hfsplus/dir.c:144
 iterate_dir+0x295/0x9e0 fs/readdir.c:110
 __do_sys_getdents64 fs/readdir.c:409 [inline]
 __se_sys_getdents64 fs/readdir.c:394 [inline]
 __x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88801d31a000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 20 bytes to the right of
 allocated 1036-byte region [ffff88801d31a000, ffff88801d31a40c)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d318
head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff80000000840(slab|head|node=0|zone=1|lastcpupid=0xfff)
page_type: 0xffffffff()
raw: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
head: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000003 ffffea000074c601 dead000000000122 00000000ffffffff
head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4534, tgid 1976515163 (udevd), ts 4534, free_ts 104030928511
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x2d4/0x350 mm/page_alloc.c:1534
 prep_new_page mm/page_alloc.c:1541 [inline]
 get_page_from_freelist+0xa28/0x3780 mm/page_alloc.c:3317
 __alloc_pages+0x22b/0x2460 mm/page_alloc.c:4575
 __alloc_pages_node include/linux/gfp.h:238 [inline]
 alloc_pages_node include/linux/gfp.h:261 [inline]
 alloc_slab_page mm/slub.c:2175 [inline]
 allocate_slab mm/slub.c:2338 [inline]
 new_slab+0xcc/0x3a0 mm/slub.c:2391
 ___slab_alloc+0x66d/0x1790 mm/slub.c:3525
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3610
 __slab_alloc_node mm/slub.c:3663 [inline]
 slab_alloc_node mm/slub.c:3835 [inline]
 __do_kmalloc_node mm/slub.c:3965 [inline]
 __kmalloc+0x3b4/0x440 mm/slub.c:3979
 kmalloc include/linux/slab.h:632 [inline]
 sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2080
 sk_alloc+0x36/0xb90 net/core/sock.c:2133
 __netlink_create+0x63/0x300 net/netlink/af_netlink.c:647
 netlink_create+0x3dc/0x670 net/netlink/af_netlink.c:708
 __sock_create+0x331/0x800 net/socket.c:1571
 sock_create net/socket.c:1622 [inline]
 __sys_socket_create net/socket.c:1659 [inline]
 __sys_socket+0x14f/0x260 net/socket.c:1706
 __do_sys_socket net/socket.c:1720 [inline]
 __se_sys_socket net/socket.c:1718 [inline]
 __x64_sys_socket+0x72/0xb0 net/socket.c:1718
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5079 tgid 5079 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1141 [inline]
 free_unref_page_prepare+0x527/0xb10 mm/page_alloc.c:2347
 free_unref_page+0x33/0x3c0 mm/page_alloc.c:2487
 __put_partials+0x14c/0x170 mm/slub.c:2906
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x4e/0x140 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:322
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3798 [inline]
 slab_alloc_node mm/slub.c:3845 [inline]
 kmem_cache_alloc+0x136/0x320 mm/slub.c:3852
 getname_flags.part.0+0x50/0x4f0 fs/namei.c:139
 getname_flags include/linux/audit.h:322 [inline]
 getname+0x8f/0xe0 fs/namei.c:218
 do_sys_openat2+0x104/0x1e0 fs/open.c:1400
 do_sys_open fs/open.c:1421 [inline]
 __do_sys_openat fs/open.c:1437 [inline]
 __se_sys_openat fs/open.c:1432 [inline]
 __x64_sys_openat+0x175/0x210 fs/open.c:1432
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88801d31a300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88801d31a380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88801d31a400: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                               ^
 ffff88801d31a480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88801d31a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
Read of size 2 at addr ffff88801d31a422 by task syz-executor209/5090

CPU: 0 PID: 5090 Comm: syz-executor209 Tainted: G    B              6.9.0-rc4-syzkaller-00266-g977b1ef51866 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
 hfsplus_readdir+0x87b/0x1000 fs/hfsplus/dir.c:207
 iterate_dir+0x295/0x9e0 fs/readdir.c:110
 __do_sys_getdents64 fs/readdir.c:409 [inline]
 __se_sys_getdents64 fs/readdir.c:394 [inline]
 __x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f119fd6ed19
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcf59f0758 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f119fd6ed19
RDX: 00000000000000a5 RSI: 00000000200002c0 RDI: 0000000000000004
RBP: 00007f119fde25f0 R08: 000055556a1074c0 R09: 000055556a1074c0
R10: 0000000000000632 R11: 0000000000000246 R12: 00007ffcf59f0780
R13: 00007ffcf59f09a8 R14: 431bde82d7b634db R15: 00007f119fdb703b
 </TASK>

Allocated by task 5090:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:387
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slub.c:3966 [inline]
 __kmalloc+0x1f9/0x440 mm/slub.c:3979
 kmalloc include/linux/slab.h:632 [inline]
 hfsplus_find_init+0x95/0x200 fs/hfsplus/bfind.c:21
 hfsplus_readdir+0x266/0x1000 fs/hfsplus/dir.c:144
 iterate_dir+0x295/0x9e0 fs/readdir.c:110
 __do_sys_getdents64 fs/readdir.c:409 [inline]
 __se_sys_getdents64 fs/readdir.c:394 [inline]
 __x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88801d31a000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 22 bytes to the right of
 allocated 1036-byte region [ffff88801d31a000, ffff88801d31a40c)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d318
head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff80000000840(slab|head|node=0|zone=1|lastcpupid=0xfff)
page_type: 0xffffffff()
raw: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
head: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000003 ffffea000074c601 dead000000000122 00000000ffffffff
head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4534, tgid 1976515163 (udevd), ts 4534, free_ts 104030928511
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x2d4/0x350 mm/page_alloc.c:1534
 prep_new_page mm/page_alloc.c:1541 [inline]
 get_page_from_freelist+0xa28/0x3780 mm/page_alloc.c:3317
 __alloc_pages+0x22b/0x2460 mm/page_alloc.c:4575
 __alloc_pages_node include/linux/gfp.h:238 [inline]
 alloc_pages_node include/linux/gfp.h:261 [inline]
 alloc_slab_page mm/slub.c:2175 [inline]
 allocate_slab mm/slub.c:2338 [inline]
 new_slab+0xcc/0x3a0 mm/slub.c:2391
 ___slab_alloc+0x66d/0x1790 mm/slub.c:3525
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3610
 __slab_alloc_node mm/slub.c:3663 [inline]
 slab_alloc_node mm/slub.c:3835 [inline]
 __do_kmalloc_node mm/slub.c:3965 [inline]
 __kmalloc+0x3b4/0x440 mm/slub.c:3979
 kmalloc include/linux/slab.h:632 [inline]
 sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2080
 sk_alloc+0x36/0xb90 net/core/sock.c:2133
 __netlink_create+0x63/0x300 net/netlink/af_netlink.c:647
 netlink_create+0x3dc/0x670 net/netlink/af_netlink.c:708
 __sock_create+0x331/0x800 net/socket.c:1571
 sock_create net/socket.c:1622 [inline]
 __sys_socket_create net/socket.c:1659 [inline]
 __sys_socket+0x14f/0x260 net/socket.c:1706
 __do_sys_socket net/socket.c:1720 [inline]
 __se_sys_socket net/socket.c:1718 [inline]
 __x64_sys_socket+0x72/0xb0 net/socket.c:1718
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5079 tgid 5079 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1141 [inline]
 free_unref_page_prepare+0x527/0xb10 mm/page_alloc.c:2347
 free_unref_page+0x33/0x3c0 mm/page_alloc.c:2487
 __put_partials+0x14c/0x170 mm/slub.c:2906
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x4e/0x140 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:322
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3798 [inline]
 slab_alloc_node mm/slub.c:3845 [inline]
 kmem_cache_alloc+0x136/0x320 mm/slub.c:3852
 getname_flags.part.0+0x50/0x4f0 fs/namei.c:139
 getname_flags include/linux/audit.h:322 [inline]
 getname+0x8f/0xe0 fs/namei.c:218
 do_sys_openat2+0x104/0x1e0 fs/open.c:1400
 do_sys_open fs/open.c:1421 [inline]
 __do_sys_openat fs/open.c:1437 [inline]
 __se_sys_openat fs/open.c:1432 [inline]
 __x64_sys_openat+0x175/0x210 fs/open.c:1432
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88801d31a300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88801d31a380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88801d31a400: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                               ^
 ffff88801d31a480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88801d31a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
Read of size 2 at addr ffff88801d31a424 by task syz-executor209/5090

CPU: 1 PID: 5090 Comm: syz-executor209 Tainted: G    B              6.9.0-rc4-syzkaller-00266-g977b1ef51866 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
 hfsplus_readdir+0x87b/0x1000 fs/hfsplus/dir.c:207
 iterate_dir+0x295/0x9e0 fs/readdir.c:110
 __do_sys_getdents64 fs/readdir.c:409 [inline]
 __se_sys_getdents64 fs/readdir.c:394 [inline]
 __x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f119fd6ed19
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcf59f0758 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f119fd6ed19
RDX: 00000000000000a5 RSI: 00000000200002c0 RDI: 0000000000000004
RBP: 00007f119fde25f0 R08: 000055556a1074c0 R09: 000055556a1074c0
R10: 0000000000000632 R11: 0000000000000246 R12: 00007ffcf59f0780
R13: 00007ffcf59f09a8 R14: 431bde82d7b634db R15: 00007f119fdb703b
 </TASK>

Allocated by task 5090:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:387
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slub.c:3966 [inline]
 __kmalloc+0x1f9/0x440 mm/slub.c:3979
 kmalloc include/linux/slab.h:632 [inline]
 hfsplus_find_init+0x95/0x200 fs/hfsplus/bfind.c:21
 hfsplus_readdir+0x266/0x1000 fs/hfsplus/dir.c:144
 iterate_dir+0x295/0x9e0 fs/readdir.c:110
 __do_sys_getdents64 fs/readdir.c:409 [inline]
 __se_sys_getdents64 fs/readdir.c:394 [inline]
 __x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88801d31a000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 24 bytes to the right of
 allocated 1036-byte region [ffff88801d31a000, ffff88801d31a40c)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d318
head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff80000000840(slab|head|node=0|zone=1|lastcpupid=0xfff)
page_type: 0xffffffff()
raw: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
head: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000003 ffffea000074c601 dead000000000122 00000000ffffffff
head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4534, tgid 1976515163 (udevd), ts 4534, free_ts 104030928511
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x2d4/0x350 mm/page_alloc.c:1534
 prep_new_page mm/page_alloc.c:1541 [inline]
 get_page_from_freelist+0xa28/0x3780 mm/page_alloc.c:3317
 __alloc_pages+0x22b/0x2460 mm/page_alloc.c:4575
 __alloc_pages_node include/linux/gfp.h:238 [inline]
 alloc_pages_node include/linux/gfp.h:261 [inline]
 alloc_slab_page mm/slub.c:2175 [inline]
 allocate_slab mm/slub.c:2338 [inline]
 new_slab+0xcc/0x3a0 mm/slub.c:2391
 ___slab_alloc+0x66d/0x1790 mm/slub.c:3525
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3610
 __slab_alloc_node mm/slub.c:3663 [inline]
 slab_alloc_node mm/slub.c:3835 [inline]
 __do_kmalloc_node mm/slub.c:3965 [inline]
 __kmalloc+0x3b4/0x440 mm/slub.c:3979
 kmalloc include/linux/slab.h:632 [inline]
 sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2080
 sk_alloc+0x36/0xb90 net/core/sock.c:2133
 __netlink_create+0x63/0x300 net/netlink/af_netlink.c:647
 netlink_create+0x3dc/0x670 net/netlink/af_netlink.c:708
 __sock_create+0x331/0x800 net/socket.c:1571
 sock_create net/socket.c:1622 [inline]
 __sys_socket_create net/socket.c:1659 [inline]
 __sys_socket+0x14f/0x260 net/socket.c:1706
 __do_sys_socket net/socket.c:1720 [inline]
 __se_sys_socket net/socket.c:1718 [inline]
 __x64_sys_socket+0x72/0xb0 net/socket.c:1718
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5079 tgid 5079 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1141 [inline]
 free_unref_page_prepare+0x527/0xb10 mm/page_alloc.c:2347
 free_unref_page+0x33/0x3c0 mm/page_alloc.c:2487
 __put_partials+0x14c/0x170 mm/slub.c:2906
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x4e/0x140 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:322
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3798 [inline]
 slab_alloc_node mm/slub.c:3845 [inline]
 kmem_cache_alloc+0x136/0x320 mm/slub.c:3852
 getname_flags.part.0+0x50/0x4f0 fs/namei.c:139
 getname_flags include/linux/audit.h:322 [inline]
 getname+0x8f/0xe0 fs/namei.c:218
 do_sys_openat2+0x104/0x1e0 fs/open.c:1400
 do_sys_open fs/open.c:1421 [inline]
 __do_sys_openat fs/open.c:1437 [inline]
 __se_sys_openat fs/open.c:1432 [inline]
 __x64_sys_openat+0x175/0x210 fs/open.c:1432
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88801d31a300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88801d31a380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88801d31a400: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                               ^
 ffff88801d31a480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88801d31a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
Read of size 2 at addr ffff88801d31a426 by task syz-executor209/5090

CPU: 0 PID: 5090 Comm: syz-executor209 Tainted: G    B              6.9.0-rc4-syzkaller-00266-g977b1ef51866 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
 hfsplus_readdir+0x87b/0x1000 fs/hfsplus/dir.c:207
 iterate_dir+0x295/0x9e0 fs/readdir.c:110
 __do_sys_getdents64 fs/readdir.c:409 [inline]
 __se_sys_getdents64 fs/readdir.c:394 [inline]
 __x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f119fd6ed19
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcf59f0758 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f119fd6ed19
RDX: 00000000000000a5 RSI: 00000000200002c0 RDI: 0000000000000004
RBP: 00007f119fde25f0 R08: 000055556a1074c0 R09: 000055556a1074c0
R10: 0000000000000632 R11: 0000000000000246 R12: 00007ffcf59f0780
R13: 00007ffcf59f09a8 R14: 431bde82d7b634db R15: 00007f119fdb703b
 </TASK>

Allocated by task 5090:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:387
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slub.c:3966 [inline]
 __kmalloc+0x1f9/0x440 mm/slub.c:3979
 kmalloc include/linux/slab.h:632 [inline]
 hfsplus_find_init+0x95/0x200 fs/hfsplus/bfind.c:21
 hfsplus_readdir+0x266/0x1000 fs/hfsplus/dir.c:144
 iterate_dir+0x295/0x9e0 fs/readdir.c:110
 __do_sys_getdents64 fs/readdir.c:409 [inline]
 __se_sys_getdents64 fs/readdir.c:394 [inline]
 __x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88801d31a000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 26 bytes to the right of
 allocated 1036-byte region [ffff88801d31a000, ffff88801d31a40c)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d318
head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff80000000840(slab|head|node=0|zone=1|lastcpupid=0xfff)
page_type: 0xffffffff()
raw: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
head: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000003 ffffea000074c601 dead000000000122 00000000ffffffff
head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4534, tgid 1976515163 (udevd), ts 4534, free_ts 104030928511
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x2d4/0x350 mm/page_alloc.c:1534
 prep_new_page mm/page_alloc.c:1541 [inline]
 get_page_from_freelist+0xa28/0x3780 mm/page_alloc.c:3317
 __alloc_pages+0x22b/0x2460 mm/page_alloc.c:4575
 __alloc_pages_node include/linux/gfp.h:238 [inline]
 alloc_pages_node include/linux/gfp.h:261 [inline]
 alloc_slab_page mm/slub.c:2175 [inline]
 allocate_slab mm/slub.c:2338 [inline]
 new_slab+0xcc/0x3a0 mm/slub.c:2391
 ___slab_alloc+0x66d/0x1790 mm/slub.c:3525
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3610
 __slab_alloc_node mm/slub.c:3663 [inline]
 slab_alloc_node mm/slub.c:3835 [inline]
 __do_kmalloc_node mm/slub.c:3965 [inline]
 __kmalloc+0x3b4/0x440 mm/slub.c:3979
 kmalloc include/linux/slab.h:632 [inline]
 sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2080
 sk_alloc+0x36/0xb90 net/core/sock.c:2133
 __netlink_create+0x63/0x300 net/netlink/af_netlink.c:647
 netlink_create+0x3dc/0x670 net/netlink/af_netlink.c:708
 __sock_create+0x331/0x800 net/socket.c:1571
 sock_create net/socket.c:1622 [inline]
 __sys_socket_create net/socket.c:1659 [inline]
 __sys_socket+0x14f/0x260 net/socket.c:1706
 __do_sys_socket net/socket.c:1720 [inline]
 __se_sys_socket net/socket.c:1718 [inline]
 __x64_sys_socket+0x72/0xb0 net/socket.c:1718
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5079 tgid 5079 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1141 [inline]
 free_unref_page_prepare+0x527/0xb10 mm/page_alloc.c:2347
 free_unref_page+0x33/0x3c0 mm/page_alloc.c:2487
 __put_partials+0x14c/0x170 mm/slub.c:2906
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x4e/0x140 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:322
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3798 [inline]
 slab_alloc_node mm/slub.c:3845 [inline]
 kmem_cache_alloc+0x136/0x320 mm/slub.c:3852
 getname_flags.part.0+0x50/0x4f0 fs/namei.c:139
 getname_flags include/linux/audit.h:322 [inline]
 getname+0x8f/0xe0 fs/namei.c:218
 do_sys_openat2+0x104/0x1e0 fs/open.c:1400

Crashes (1110):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2024/04/21 07:04 upstream 977b1ef51866 af24b050 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-badwrites-root KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/03/20 18:26 upstream fe46a7dd189e 5b7d42ae .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/03/16 06:11 upstream fe46a7dd189e d615901c .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-gce-root KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/03/14 00:42 upstream 61387b8dcf1d f919f202 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/03/05 22:13 upstream 90d35da658da f39a7eed .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-gce-selinux-root KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/05/02 11:36 upstream 0106679839f7 3ba885bc .config console log report syz C [disk image (non-bootable)] [vmlinux] [kernel image] [mounted in repro] ci-qemu-upstream KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/03/08 06:39 upstream 135288b73cef cf82cde1 .config console log report syz C [disk image (non-bootable)] [vmlinux] [kernel image] [mounted in repro] ci-qemu-upstream KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2023/10/22 12:19 linux-next 2030579113a1 361b23dc .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-linux-next-kasan-gce-root KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2023/07/26 22:33 linux-next 0ba5d0720577 41fe1bae .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-linux-next-kasan-gce-root KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/05/26 15:05 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci fda5695d692c a10a183e .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-gce-arm64 KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/03/31 15:20 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 707081b61156 6baf5069 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-gce-arm64 KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/03/20 18:28 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 707081b61156 5b7d42ae .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-gce-arm64 KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/03/14 00:37 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 707081b61156 f919f202 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-gce-arm64 KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2023/12/16 01:57 upstream 3f7168591ebf 3222d10c .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-gce-smack-root KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2023/12/09 10:03 upstream f2e8a57ee903 28b24332 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-gce-selinux-root KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2023/12/02 04:24 upstream 815fb87b7530 f819d6f7 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2023/09/24 08:24 upstream 3aba70aed91f 0b6a67ac .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-gce-smack-root KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2023/08/23 14:46 upstream 89bf6209cad6 b81ca3f6 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-gce-root KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2023/07/14 18:10 upstream 4b810bf037e5 d624500f .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-badwrites-root KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2023/07/11 03:08 upstream 3f01e9fed845 d47e94ee .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2023/06/18 05:16 upstream 1b29d271614a f3921d4d .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-gce-root KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2023/06/15 20:47 upstream b6dad5178cea 757d26ed .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-gce-selinux-root KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2022/12/12 21:59 upstream 830b3c68c1fb 67be1ae7 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-gce-root KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2022/11/27 15:17 upstream faf68e3523c2 f4470a7b .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2023/12/10 11:37 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci d46efae31672 28b24332 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-gce-arm64 KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2023/07/11 11:20 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci e40939bbfc68 f8780940 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-gce-arm64 KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/05/26 19:06 upstream c13320499ba0 a10a183e .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/05/11 07:09 upstream f4345f05c0df f7c35481 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/05/07 10:23 upstream dccb07f2914c fa7a5cf0 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/05/06 04:25 upstream b9158815de52 610f2a54 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/05/04 23:37 upstream 7367539ad4b0 610f2a54 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/04/29 21:48 upstream b947cc5bf6d7 f10afd69 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/04/28 17:57 upstream 2c8159388952 07b455f9 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/04/27 23:34 upstream 5d12ed4bea43 07b455f9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/04/20 15:57 upstream 13a2e429f644 af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/04/15 10:58 upstream fe46a7dd189e c8349e48 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/04/13 21:25 upstream fe46a7dd189e c8349e48 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/04/26 16:16 upstream c942a0cd3603 3f914d6b .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/04/21 12:25 upstream 977b1ef51866 af24b050 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/04/20 18:03 upstream 13a2e429f644 af24b050 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/04/22 16:06 upstream ed30a4a51bb1 36c961ad .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/05/13 03:37 linux-next 75fa778d74b7 9026e142 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/04/23 12:00 linux-next 7b4f2bc91c15 21339d7b .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/05/24 03:36 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci fda5695d692c 8f98448e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/05/13 06:09 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci fda5695d692c 9026e142 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/04/27 20:16 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6a71d2909427 07b455f9 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/04/23 01:34 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6a71d2909427 21339d7b .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/04/22 19:54 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6a71d2909427 21339d7b .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/04/22 16:23 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6a71d2909427 af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/04/22 14:13 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6a71d2909427 af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/04/22 13:12 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6a71d2909427 af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/04/22 11:53 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6a71d2909427 af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/04/22 10:35 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6a71d2909427 af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/04/22 08:37 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6a71d2909427 af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/04/22 06:24 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6a71d2909427 af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/04/22 03:35 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6a71d2909427 af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/04/22 03:35 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6a71d2909427 af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/04/22 02:24 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6a71d2909427 af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/04/22 01:23 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6a71d2909427 af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/04/22 00:06 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6a71d2909427 af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/04/21 22:55 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6a71d2909427 af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/04/21 19:10 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6a71d2909427 af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/04/21 14:40 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6a71d2909427 af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/04/21 10:59 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6a71d2909427 af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/04/21 08:22 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6a71d2909427 af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/04/21 03:57 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6a71d2909427 af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/04/21 02:27 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6a71d2909427 af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/04/20 20:43 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6a71d2909427 af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/04/20 19:31 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6a71d2909427 af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/04/20 17:55 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6a71d2909427 af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/04/20 12:06 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6a71d2909427 af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: slab-out-of-bounds Read in hfsplus_uni2asc
2024/05/26 04:31 upstream 614da38e2f7a a10a183e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in hfsplus_uni2asc
2024/05/21 03:00 upstream 614da38e2f7a c0f1611a .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in hfsplus_uni2asc
2024/05/20 14:33 upstream 614da38e2f7a c0f1611a .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in hfsplus_uni2asc
2024/05/07 05:03 upstream ee5b455b0ada c035c6de .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in hfsplus_uni2asc
2024/05/07 03:29 upstream ee5b455b0ada c035c6de .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in hfsplus_uni2asc
2024/04/28 23:53 upstream 2c8159388952 07b455f9 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in hfsplus_uni2asc
2024/04/27 07:13 upstream 5eb4573ea63d 07b455f9 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in hfsplus_uni2asc
2024/04/26 23:00 upstream c942a0cd3603 059e9963 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in hfsplus_uni2asc
2024/04/26 02:05 upstream e33c4963bf53 8bdc0f22 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in hfsplus_uni2asc
2024/04/25 12:28 upstream e88c4cfcb7b8 8bdc0f22 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in hfsplus_uni2asc
2024/05/12 00:54 upstream cf87f46fd34d 9026e142 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-386-root KMSAN: uninit-value in hfsplus_uni2asc
2024/04/29 05:51 upstream e67572cd2204 07b455f9 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-386-root KMSAN: uninit-value in hfsplus_uni2asc
2023/12/06 09:58 upstream bee0e7762ad2 f819d6f7 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-386 KMSAN: uninit-value in hfsplus_uni2asc
2023/08/03 15:45 upstream ec351c8f2e62 39a91c18 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-386 KMSAN: uninit-value in hfsplus_cat_case_cmp_key
2023/07/31 17:20 upstream 5d0c230f1de8 2a0d0f29 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-386 KMSAN: uninit-value in hfs_find_1st_rec_by_cnid
2023/06/13 08:46 https://github.com/google/kmsan.git master 2741f1b02117 749afb64 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-386 KMSAN: uninit-value in hfsplus_strcasecmp
* Struck through repros no longer work on HEAD.