program: r0 = syz_open_procfs(0x0, &(0x7f0000000140)='setgroups\x00') close(r0) syz_mount_image$hfsplus(&(0x7f0000000000), &(0x7f0000000400)='./file3\x00', 0xa08802, &(0x7f0000000040)=ANY=[@ANYRES32=0x0, @ANYRESDEC, @ANYRESDEC], 0x1, 0x693, &(0x7f0000000ec0)="$eJzs3c1rHOcdB/DvrFay1gVHSWwnLYGKGNJSU1uycFqVQtweig+hBBcaCr0IW46F106QlaKE0qrv1x7yB6QHHQq9tNC7IYWe2h4KoTfRQwkUekkvurnM7Ky0trTKrixprebzMbPzzDyv89uZZzS7mA3wqXX1fJr3U+Tq+VdXy+2N9bn2xvrciTq7naRMN5JmZ5XiblJ8kFxJZ8lny511+aJfP+8tzV/78OONjzpbzXqpyjf2qjeYtXrJdJKxer3T+L7au963vd19vV4vbO0pto6wDNi5buBg1B7ssDZM9ce8boEnQdG5b+4wlZxMMln/HZB6dmgc7egO3lCzHAAAABxTT21mM6s5NepxAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwHFSpDVWrTpLo5ueTtH9/f+Jel/q9LXGiMf8OO6PegAAAAAAAAAAcAA+v5nNrOZUkr+X2w863+y/WL2erl4/k7dzL4tZzoWsZiErWclyZpNM9TQ0sbqwsrI8O0DNS7vWvLS/8f9+f9UAAAAAAAAA4P/NT3O1+v4fAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACeGEUy1llVy+lueiqNZpLJJBNlubXkb930MVHstvP+0Y8DAAAAHsvkPuo8tZnNrOZUd/tBUT3zn62elyfzdu5mJUtZSTuLuVE/Q5dP/Y2N9bn2xvrcnY31uarj7z/o6LTzjf8MNYyqxXQ+e9i95+erEq3czFK150KuV4O5kUZVs/R8PZ6t5eFOflKOqfVKbcCR3ajXZWe/7vcpwkFoDFthqqo0vhWRmXpsZUNP7x2JT3x3mnv2NJvG1ic/p/foqXtIxZAxP9mtl+SXj8T8lX/99nsDNnMItiLRSBWJSz1n39mN9bmx9I158oU//u71W+27t2/dvHf+0E6jo/LoOTHXE4nn9j77nvBINIcsP1NF4szW9tV8K9/J+UzntSxnKT/IQlaymHpmzEJ9PpevUz1RSnZE6spDW6990kgm6velM4sOMqbpnKhSC3mxqnsqSynyZm5kMS9X/y5lNl/J5VzOfM87fKbvO1wdWzXTNoa76s99MduX+q/KmXqwesmfBy04vM4ttYzr0z1x7Z1zp6q83j3bUXpmgPvRkHNj83N1ouzjZ/u5bRyaRyMx2xOJZ/eOxG+qa+Ne++7t5VsLb/Vpf+2R7ZfGt9O/OMw789DK8+WZTNYzycNnR5n37NYs83C8JupvXDp5jR15Z6q8ouheqd/e5UotIz5flT67a0uXqrznduaN1SP/xz978h76eytv/mU08QRgSCe/dHKi9e/WX1vvt37eutV6dfKbJ7564oWJjP9p/GvNmbGXGi8Uf8j7+dH28z8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAALB/99559/ZCu724vHui0T/rYBNF/UM+/co008oRDOMoE0Wy1n4wdrAtZ/THNUCi+yOCj9vO61eeiMM51omxJPWeHyfb50/9FnV+Ce27/x3ZDAUclosrd966eO+dd7+8dGfhjcU3Fu+OX748PzN/+eW5izeX2osznddRjxI4DNt/D4x6JAAAAAAAAAAAAMCgjuJ/GvR0Nz3CQwUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACOqavn0xxPkdmZCzPl9sb6XLtcuuntks0kjUZS/DApPkiupLNkqqe5ol8/7y3NX/vw442Ptttqdss39qo3mLV6yXSSsXq9w8T+2rver72BFVtHWAbsXDdwMGr/CwAA//8xgggQ") setxattr$trusted_overlay_upper(&(0x7f0000000280)='./file1\x00', &(0x7f0000000240), &(0x7f0000001400)=ANY=[], 0x841, 0x0) (async) setxattr$trusted_overlay_upper(&(0x7f0000000280)='./file1\x00', &(0x7f0000000240), &(0x7f0000001400)=ANY=[], 0x841, 0x0) lremovexattr(&(0x7f0000000240)='./file1\x00', &(0x7f00000000c0)=@known='trusted.overlay.upper\x00') syz_mount_image$squashfs(&(0x7f00000001c0), &(0x7f0000000300)='./file0\x00', 0x0, &(0x7f00000002c0)=ANY=[@ANYBLOB='\b'], 0x0, 0x1a3, &(0x7f0000000000)="$eJzs0L9rE2Ecx/H397nLjwpVTsUhgg1YPC9Uk0vVwSk4RciBg4tg0JDGppig6WWwpYUuUpBq/wWdKrioUCcRBefiIDjouXSTZigO4iCRuzzNP9HnBXef+3655wffdtgLM8C//ZUmFRIWR/mCYANTMuopNcp3uv6lc3MUXNP1hs6XOnPh0vL9RqfTWsxfzePAq9S4IfA76Y3/Cd9wSjEQKsi3/ZVmQ+4GDCt01VyAU6PwFKtOz3tGzp7k5B0shu4G1xU9cWtwrNjvPiyGS8sXFrqN+dZ8C8qzV0qXSqXL5eK9hU6rtI14T0TxnFW8gEzAhLdKqs7jHfsIM4J4bRVZUhiQrrO5Y50/OxPPZ48hwkd3QOaH3c6rm5wjextnmyonhBdYAdM1JhQ2yUFV5IZ6K7791f6TUmTXLOti80Fnbv2Wkr/prYrsZcXfJeX6lAs+sw7kOM4n1iOmI6oRWxG7P5mS9/GIDuZqr8Xv17o6zRlI86jR7y/6afgsbkA5fhyYTLZTyb0c+KDX6OD7wYdhGIZhGIZhGIZxCPwPAAD//+WXY0A=") getsockopt$inet_sctp_SCTP_AUTH_ACTIVE_KEY(r0, 0x84, 0x18, &(0x7f0000000200)={0x0, 0x2}, &(0x7f0000000340)=0x8) (async) getsockopt$inet_sctp_SCTP_AUTH_ACTIVE_KEY(r0, 0x84, 0x18, &(0x7f0000000200)={0x0, 0x2}, &(0x7f0000000340)=0x8) socket$packet(0x11, 0x2, 0x300) (async) r2 = socket$packet(0x11, 0x2, 0x300) setsockopt$packet_tx_ring(r2, 0x107, 0x5, &(0x7f00000000c0)=@req3={0x8000, 0x6, 0x8000, 0x6}, 0x1c) mmap(&(0x7f0000000000/0x2000)=nil, 0x30000, 0x2, 0x11, r2, 0x0) socket$kcm(0x2, 0x1, 0x0) (async) socket$kcm(0x2, 0x1, 0x0) getsockopt$inet_sctp6_SCTP_PEER_ADDR_PARAMS(r0, 0x84, 0x9, &(0x7f0000000440)={r1, @in={{0x2, 0x4e20, @broadcast}}, 0x3, 0xf71b, 0x3, 0xf3b, 0x40, 0x6, 0xb5}, &(0x7f0000000380)=0x9c) [ 70.270064][ T4667] Bluetooth: hci0: command tx timeout [ 70.335471][ T5321] loop0: detected capacity change from 0 to 1024 [ 70.402202][ T5321] hfsplus: request for non-existent node 211 in B*Tree [ 70.404566][ T5321] hfsplus: request for non-existent node 211 in B*Tree [ 70.407594][ T5322] ================================================================== [ 70.410506][ T5322] BUG: KASAN: wild-memory-access in hfsplus_bnode_dump+0x403/0xbb0 [ 70.413427][ T5322] Read of size 2 at addr 000508800000103e by task syz.0.0/5322 [ 70.416194][ T5322] [ 70.417085][ T5322] CPU: 0 UID: 0 PID: 5322 Comm: syz.0.0 Not tainted 6.13.0-syzkaller-08291-g805ba04cb7cc #0 [ 70.417098][ T5322] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 70.417105][ T5322] Call Trace: [ 70.417111][ T5322] [ 70.417116][ T5322] dump_stack_lvl+0x241/0x360 [ 70.417133][ T5322] ? __pfx_dump_stack_lvl+0x10/0x10 [ 70.417143][ T5322] ? __pfx__printk+0x10/0x10 [ 70.417159][ T5322] ? _printk+0xd5/0x120 [ 70.417173][ T5322] print_report+0xe8/0x550 [ 70.417189][ T5322] ? __virt_addr_valid+0x58/0x530 [ 70.417204][ T5322] ? hfsplus_bnode_dump+0x403/0xbb0 [ 70.417220][ T5322] kasan_report+0x143/0x180 [ 70.417235][ T5322] ? hfsplus_bnode_dump+0x403/0xbb0 [ 70.417249][ T5322] ? hfsplus_bnode_dump+0x403/0xbb0 [ 70.417263][ T5322] kasan_check_range+0x282/0x290 [ 70.417272][ T5322] ? hfsplus_bnode_dump+0x403/0xbb0 [ 70.417286][ T5322] __asan_memcpy+0x29/0x70 [ 70.417299][ T5322] hfsplus_bnode_dump+0x403/0xbb0 [ 70.417315][ T5322] ? __pfx_hfsplus_bnode_dump+0x10/0x10 [ 70.417328][ T5322] ? hfsplus_bnode_write_u16+0x9b/0xf0 [ 70.417342][ T5322] ? __pfx_hfsplus_bnode_write_u16+0x10/0x10 [ 70.417355][ T5322] ? rcu_is_watching+0x15/0xb0 [ 70.417365][ T5322] ? hfsplus_bnode_move+0x2da/0x910 [ 70.417379][ T5322] ? __mark_inode_dirty+0x3db/0xe90 [ 70.417392][ T5322] hfsplus_brec_remove+0x42c/0x4f0 [ 70.417405][ T5322] __hfsplus_delete_attr+0x275/0x450 [ 70.417418][ T5322] ? __pfx___hfsplus_delete_attr+0x10/0x10 [ 70.417428][ T5322] ? hfsplus_find_init+0x85/0x1c0 [ 70.417439][ T5322] hfsplus_delete_attr+0x353/0x4b0 [ 70.417451][ T5322] ? __pfx_hfsplus_delete_attr+0x10/0x10 [ 70.417462][ T5322] ? hfsplus_find_init+0x85/0x1c0 [ 70.417472][ T5322] ? hfsplus_find_init+0x14a/0x1c0 [ 70.417482][ T5322] __hfsplus_setxattr+0x801/0x22d0 [ 70.417494][ T5322] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 70.417509][ T5322] ? _raw_spin_unlock_irqrestore+0x8f/0x140 [ 70.417561][ T5322] ? lockdep_hardirqs_on+0x99/0x150 [ 70.417597][ T5322] ? __pfx___hfsplus_setxattr+0x10/0x10 [ 70.417607][ T5322] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 70.417620][ T5322] ? stack_depot_save_flags+0x7b4/0x940 [ 70.417645][ T5322] ? __kasan_kmalloc+0x98/0xb0 [ 70.417659][ T5322] ? __kmalloc_cache_noprof+0x243/0x390 [ 70.417670][ T5322] ? hfsplus_setxattr+0x68/0xe0 [ 70.417680][ T5322] hfsplus_setxattr+0xb0/0xe0 [ 70.417690][ T5322] hfsplus_trusted_setxattr+0x40/0x60 [ 70.417702][ T5322] ? __pfx_hfsplus_trusted_setxattr+0x10/0x10 [ 70.417714][ T5322] __vfs_removexattr+0x42a/0x460 [ 70.417725][ T5322] __vfs_removexattr_locked+0x206/0x450 [ 70.417736][ T5322] vfs_removexattr+0x103/0x2b0 [ 70.417746][ T5322] ? __pfx_rcu_read_lock_any_held+0x10/0x10 [ 70.417757][ T5322] ? __pfx_vfs_removexattr+0x10/0x10 [ 70.417769][ T5322] path_removexattrat+0x32e/0x670 [ 70.417783][ T5322] ? __pfx_path_removexattrat+0x10/0x10 [ 70.417794][ T5322] ? do_futex+0x392/0x560 [ 70.417812][ T5322] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 70.417826][ T5322] ? do_syscall_64+0x100/0x230 [ 70.417839][ T5322] __x64_sys_lremovexattr+0x65/0x80 [ 70.417850][ T5322] do_syscall_64+0xf3/0x230 [ 70.417863][ T5322] ? clear_bhb_loop+0x35/0x90 [ 70.417878][ T5322] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 70.417892][ T5322] RIP: 0033:0x7f927e58cda9 [ 70.417902][ T5322] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 70.417911][ T5322] RSP: 002b:00007f927f339038 EFLAGS: 00000246 ORIG_RAX: 00000000000000c6 [ 70.417923][ T5322] RAX: ffffffffffffffda RBX: 00007f927e7a6080 RCX: 00007f927e58cda9 [ 70.417930][ T5322] RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 0000000020000240 [ 70.417936][ T5322] RBP: 00007f927e60e2a0 R08: 0000000000000000 R09: 0000000000000000 [ 70.417942][ T5322] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 70.417948][ T5322] R13: 0000000000000000 R14: 00007f927e7a6080 R15: 00007fffe52777c8 [ 70.417957][ T5322] [ 70.417967][ T5322] ================================================================== [ 70.575936][ T5322] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 70.578439][ T5322] CPU: 0 UID: 0 PID: 5322 Comm: syz.0.0 Not tainted 6.13.0-syzkaller-08291-g805ba04cb7cc #0 [ 70.581917][ T5322] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 70.585721][ T5322] Call Trace: [ 70.586956][ T5322] [ 70.588040][ T5322] dump_stack_lvl+0x241/0x360 [ 70.589910][ T5322] ? __pfx_dump_stack_lvl+0x10/0x10 [ 70.591786][ T5322] ? __pfx__printk+0x10/0x10 [ 70.593589][ T5322] ? preempt_schedule+0xe1/0xf0 [ 70.595379][ T5322] ? vscnprintf+0x5d/0x90 [ 70.596934][ T5322] panic+0x349/0x880 [ 70.598395][ T5322] ? check_panic_on_warn+0x21/0xb0 [ 70.600280][ T5322] ? __pfx_panic+0x10/0x10 [ 70.601919][ T5322] ? _raw_spin_unlock_irqrestore+0x130/0x140 [ 70.604136][ T5322] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 70.606527][ T5322] ? print_report+0xe8/0x550 [ 70.608214][ T5322] check_panic_on_warn+0x86/0xb0 [ 70.610044][ T5322] ? hfsplus_bnode_dump+0x403/0xbb0 [ 70.611879][ T5322] end_report+0x77/0x160 [ 70.613470][ T5322] kasan_report+0x154/0x180 [ 70.615080][ T5322] ? hfsplus_bnode_dump+0x403/0xbb0 [ 70.616920][ T5322] ? hfsplus_bnode_dump+0x403/0xbb0 [ 70.618767][ T5322] kasan_check_range+0x282/0x290 [ 70.620563][ T5322] ? hfsplus_bnode_dump+0x403/0xbb0 [ 70.622408][ T5322] __asan_memcpy+0x29/0x70 [ 70.624013][ T5322] hfsplus_bnode_dump+0x403/0xbb0 [ 70.625832][ T5322] ? __pfx_hfsplus_bnode_dump+0x10/0x10 [ 70.627814][ T5322] ? hfsplus_bnode_write_u16+0x9b/0xf0 [ 70.629955][ T5322] ? __pfx_hfsplus_bnode_write_u16+0x10/0x10 [ 70.631966][ T5322] ? rcu_is_watching+0x15/0xb0 [ 70.633700][ T5322] ? hfsplus_bnode_move+0x2da/0x910 [ 70.635611][ T5322] ? __mark_inode_dirty+0x3db/0xe90 [ 70.637516][ T5322] hfsplus_brec_remove+0x42c/0x4f0 [ 70.639507][ T5322] __hfsplus_delete_attr+0x275/0x450 [ 70.641446][ T5322] ? __pfx___hfsplus_delete_attr+0x10/0x10 [ 70.643542][ T5322] ? hfsplus_find_init+0x85/0x1c0 [ 70.645200][ T5322] hfsplus_delete_attr+0x353/0x4b0 [ 70.646898][ T5322] ? __pfx_hfsplus_delete_attr+0x10/0x10 [ 70.648944][ T5322] ? hfsplus_find_init+0x85/0x1c0 [ 70.650757][ T5322] ? hfsplus_find_init+0x14a/0x1c0 [ 70.652559][ T5322] __hfsplus_setxattr+0x801/0x22d0 [ 70.654414][ T5322] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 70.656694][ T5322] ? _raw_spin_unlock_irqrestore+0x8f/0x140 [ 70.658693][ T5322] ? lockdep_hardirqs_on+0x99/0x150 [ 70.660546][ T5322] ? __pfx___hfsplus_setxattr+0x10/0x10 [ 70.662479][ T5322] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 70.664519][ T5322] ? stack_depot_save_flags+0x7b4/0x940 [ 70.666569][ T5322] ? __kasan_kmalloc+0x98/0xb0 [ 70.668428][ T5322] ? __kmalloc_cache_noprof+0x243/0x390 [ 70.670586][ T5322] ? hfsplus_setxattr+0x68/0xe0 [ 70.672252][ T5322] hfsplus_setxattr+0xb0/0xe0 [ 70.673963][ T5322] hfsplus_trusted_setxattr+0x40/0x60 [ 70.675918][ T5322] ? __pfx_hfsplus_trusted_setxattr+0x10/0x10 [ 70.678104][ T5322] __vfs_removexattr+0x42a/0x460 [ 70.679974][ T5322] __vfs_removexattr_locked+0x206/0x450 [ 70.681979][ T5322] vfs_removexattr+0x103/0x2b0 [ 70.683755][ T5322] ? __pfx_rcu_read_lock_any_held+0x10/0x10 [ 70.685840][ T5322] ? __pfx_vfs_removexattr+0x10/0x10 [ 70.687988][ T5322] path_removexattrat+0x32e/0x670 [ 70.690089][ T5322] ? __pfx_path_removexattrat+0x10/0x10 [ 70.692115][ T5322] ? do_futex+0x392/0x560 [ 70.693958][ T5322] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 70.696804][ T5322] ? do_syscall_64+0x100/0x230 [ 70.698834][ T5322] __x64_sys_lremovexattr+0x65/0x80 [ 70.700768][ T5322] do_syscall_64+0xf3/0x230 [ 70.702460][ T5322] ? clear_bhb_loop+0x35/0x90 [ 70.704389][ T5322] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 70.706515][ T5322] RIP: 0033:0x7f927e58cda9 [ 70.708239][ T5322] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 70.715160][ T5322] RSP: 002b:00007f927f339038 EFLAGS: 00000246 ORIG_RAX: 00000000000000c6 [ 70.718333][ T5322] RAX: ffffffffffffffda RBX: 00007f927e7a6080 RCX: 00007f927e58cda9 [ 70.721337][ T5322] RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 0000000020000240 [ 70.724262][ T5322] RBP: 00007f927e60e2a0 R08: 0000000000000000 R09: 0000000000000000 [ 70.727189][ T5322] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 70.730205][ T5322] R13: 0000000000000000 R14: 00007f927e7a6080 R15: 00007fffe52777c8 [ 70.733207][ T5322] [ 70.734580][ T5322] Kernel Offset: disabled [ 70.736094][ T5322] Rebooting in 86400 seconds..