program:
syz_mount_image$hfsplus(&(0x7f00000000c0), &(0x7f0000000100)='\x13\x13w\xc5\xfc5\xd4\x14T\xd5\xd4\x1d)\xad\x1a`)Y\x81F\xe6\xbe\x16nA\xad\r\xbd@T\x03<\x9f3\xbb\xda\x82$\xa2\xf3\xd7r\xe7cnH\xb3<\xbfp\x83r\xe8\xf1\xb9\x93>\xc5\x12wC\xbe\"\x06 \x9e\xf0-\xf9\xcb\xf2\xf6\xe8\x80\xd38/\x00', 0x3200004, &(0x7f0000000900)={[{@nls={'nls', 0x3d, 'macinuit'}}, {@gid}, {@umask={'umask', 0x3d, 0x1000}}, {@uid}, {@type={'type', 0x3d, "8cc687ef"}}, {@force}, {@nodecompose}, {@type={'type', 0x3d, "664b981f"}}]}, 0x3, 0x6b9, &(0x7f0000000240)="$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")
openat(0xffffffffffffff9c, &(0x7f0000000200)='./file1\x00', 0x42, 0x1fe)
llistxattr(&(0x7f0000000000)='./file1\x00', 0x0, 0x0)
[ 73.702034][ T5321] Bluetooth: hci0: command tx timeout
[ 73.756554][ T5341] loop0: detected capacity change from 0 to 1024
[ 73.827701][ T5341] ==================================================================
[ 73.831283][ T5341] BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x680/0x1270
[ 73.834791][ T5341] Read of size 2 at addr ffff88803f542218 by task syz.0.0/5341
[ 73.838190][ T5341]
[ 73.839377][ T5341] CPU: 0 UID: 0 PID: 5341 Comm: syz.0.0 Not tainted 6.16.0-rc7-syzkaller #0 PREEMPT(full)
[ 73.839394][ T5341] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 73.839403][ T5341] Call Trace:
[ 73.839411][ T5341] <TASK>
[ 73.839418][ T5341] dump_stack_lvl+0x189/0x250
[ 73.839438][ T5341] ? __virt_addr_valid+0x1c8/0x5c0
[ 73.839455][ T5341] ? rcu_is_watching+0x15/0xb0
[ 73.839470][ T5341] ? __kasan_check_byte+0x12/0x40
[ 73.839485][ T5341] ? __pfx_dump_stack_lvl+0x10/0x10
[ 73.839498][ T5341] ? rcu_is_watching+0x15/0xb0
[ 73.839511][ T5341] ? lock_release+0x4b/0x3e0
[ 73.839525][ T5341] ? __virt_addr_valid+0x1c8/0x5c0
[ 73.839539][ T5341] ? __virt_addr_valid+0x4a5/0x5c0
[ 73.839554][ T5341] print_report+0xca/0x230
[ 73.839565][ T5341] ? hfsplus_uni2asc+0x680/0x1270
[ 73.839579][ T5341] kasan_report+0x118/0x150
[ 73.839600][ T5341] ? hfsplus_uni2asc+0x680/0x1270
[ 73.839616][ T5341] hfsplus_uni2asc+0x680/0x1270
[ 73.839631][ T5341] ? hfsplus_bnode_read+0x255/0x2a0
[ 73.839645][ T5341] hfsplus_listxattr+0x58e/0xb80
[ 73.839663][ T5341] ? __pfx_hfsplus_listxattr+0x10/0x10
[ 73.839680][ T5341] ? __asan_memset+0x22/0x50
[ 73.839693][ T5341] ? path_lookupat+0x30d/0x430
[ 73.839711][ T5341] ? filename_lookup+0x3d1/0x570
[ 73.839737][ T5341] ? strncpy_from_user+0x150/0x290
[ 73.839754][ T5341] ? __pfx_hfsplus_listxattr+0x10/0x10
[ 73.839770][ T5341] listxattr+0x10a/0x2a0
[ 73.839783][ T5341] path_listxattrat+0x179/0x3a0
[ 73.839796][ T5341] ? __pfx_path_listxattrat+0x10/0x10
[ 73.839807][ T5341] ? rcu_is_watching+0x15/0xb0
[ 73.839821][ T5341] ? do_syscall_64+0xbe/0x3b0
[ 73.839882][ T5341] do_syscall_64+0xfa/0x3b0
[ 73.839895][ T5341] ? lockdep_hardirqs_on+0x9c/0x150
[ 73.839908][ T5341] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 73.839921][ T5341] ? clear_bhb_loop+0x60/0xb0
[ 73.839935][ T5341] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 73.839948][ T5341] RIP: 0033:0x7f1edb78e9a9
[ 73.839962][ T5341] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 73.839972][ T5341] RSP: 002b:00007f1edc684038 EFLAGS: 00000246 ORIG_RAX: 00000000000000c3
[ 73.839985][ T5341] RAX: ffffffffffffffda RBX: 00007f1edb9b5fa0 RCX: 00007f1edb78e9a9
[ 73.839994][ T5341] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000200000000000
[ 73.840003][ T5341] RBP: 00007f1edb810d69 R08: 0000000000000000 R09: 0000000000000000
[ 73.840010][ T5341] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 73.840017][ T5341] R13: 0000000000000000 R14: 00007f1edb9b5fa0 R15: 00007ffd49a96838
[ 73.840029][ T5341] </TASK>
[ 73.840032][ T5341]
[ 73.959517][ T5341] Allocated by task 5341:
[ 73.961554][ T5341] kasan_save_track+0x3e/0x80
[ 73.963893][ T5341] __kasan_kmalloc+0x93/0xb0
[ 73.966123][ T5341] __kmalloc_noprof+0x27a/0x4f0
[ 73.968446][ T5341] hfsplus_find_init+0x8c/0x1d0
[ 73.970656][ T5341] hfsplus_listxattr+0x38f/0xb80
[ 73.972844][ T5341] listxattr+0x10a/0x2a0
[ 73.974672][ T5341] path_listxattrat+0x179/0x3a0
[ 73.976604][ T5341] do_syscall_64+0xfa/0x3b0
[ 73.978595][ T5341] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 73.981179][ T5341]
[ 73.982267][ T5341] The buggy address belongs to the object at ffff88803f542000
[ 73.982267][ T5341] which belongs to the cache kmalloc-1k of size 1024
[ 73.988097][ T5341] The buggy address is located 0 bytes to the right of
[ 73.988097][ T5341] allocated 536-byte region [ffff88803f542000, ffff88803f542218)
[ 73.994036][ T5341]
[ 73.995065][ T5341] The buggy address belongs to the physical page:
[ 73.997907][ T5341] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3f540
[ 74.001787][ T5341] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 74.005471][ T5341] flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff)
[ 74.008732][ T5341] page_type: f5(slab)
[ 74.010540][ T5341] raw: 04fff00000000040 ffff88801a441dc0 ffffea0000cebf00 dead000000000004
[ 74.014177][ T5341] raw: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000
[ 74.017887][ T5341] head: 04fff00000000040 ffff88801a441dc0 ffffea0000cebf00 dead000000000004
[ 74.021589][ T5341] head: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000
[ 74.025778][ T5341] head: 04fff00000000002 ffffea0000fd5001 00000000ffffffff 00000000ffffffff
[ 74.030657][ T5341] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 74.035442][ T5341] page dumped because: kasan: bad access detected
[ 74.038833][ T5341] page_owner tracks the page as allocated
[ 74.041370][ T5341] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 24698735088, free_ts 24698453133
[ 74.050018][ T5341] post_alloc_hook+0x240/0x2a0
[ 74.052019][ T5341] get_page_from_freelist+0x21e4/0x22c0
[ 74.054280][ T5341] __alloc_frozen_pages_noprof+0x181/0x370
[ 74.056583][ T5341] alloc_pages_mpol+0x232/0x4a0
[ 74.058548][ T5341] allocate_slab+0x8a/0x3b0
[ 74.060341][ T5341] ___slab_alloc+0xbfc/0x1480
[ 74.062699][ T5341] __kmalloc_noprof+0x305/0x4f0
[ 74.064999][ T5341] ops_init+0x1eb/0x5c0
[ 74.066987][ T5341] register_pernet_operations+0x336/0x800
[ 74.069743][ T5341] register_pernet_subsys+0x28/0x40
[ 74.072281][ T5341] ip6table_nat_init+0x17/0x80
[ 74.074638][ T5341] do_one_initcall+0x233/0x820
[ 74.076790][ T5341] do_initcall_level+0x137/0x1f0
[ 74.078902][ T5341] do_initcalls+0x69/0xd0
[ 74.080584][ T5341] kernel_init_freeable+0x3d9/0x570
[ 74.082772][ T5341] kernel_init+0x1d/0x1d0
[ 74.084766][ T5341] page last free pid 1 tgid 1 stack trace:
[ 74.087021][ T5341] __free_frozen_pages+0xc71/0xe70
[ 74.089292][ T5341] stack_depot_save_flags+0x445/0x900
[ 74.092015][ T5341] kasan_save_track+0x4f/0x80
[ 74.094125][ T5341] __kasan_slab_alloc+0x6c/0x80
[ 74.096111][ T5341] kmem_cache_alloc_node_noprof+0x1bb/0x3c0
[ 74.098889][ T5341] __alloc_skb+0x112/0x2d0
[ 74.100746][ T5341] genl_ctrl_event+0x11a/0xa80
[ 74.102594][ T5341] genl_register_family+0x12a8/0x16e0
[ 74.104902][ T5341] ila_init+0x39/0xa0
[ 74.106606][ T5341] do_one_initcall+0x233/0x820
[ 74.108904][ T5341] do_initcall_level+0x137/0x1f0
[ 74.111026][ T5341] do_initcalls+0x69/0xd0
[ 74.112968][ T5341] kernel_init_freeable+0x3d9/0x570
[ 74.115302][ T5341] kernel_init+0x1d/0x1d0
[ 74.117206][ T5341] ret_from_fork+0x3fc/0x770
[ 74.119112][ T5341] ret_from_fork_asm+0x1a/0x30
[ 74.121174][ T5341]
[ 74.122226][ T5341] Memory state around the buggy address:
[ 74.124566][ T5341] ffff88803f542100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 74.128119][ T5341] ffff88803f542180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 74.131712][ T5341] >ffff88803f542200: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 74.135124][ T5341] ^
[ 74.137288][ T5341] ffff88803f542280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 74.140640][ T5341] ffff88803f542300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 74.144172][ T5341] ==================================================================
[ 74.161561][ T5341] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 74.163963][ T5341] CPU: 0 UID: 0 PID: 5341 Comm: syz.0.0 Not tainted 6.16.0-rc7-syzkaller #0 PREEMPT(full)
[ 74.167904][ T5341] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 74.172124][ T5341] Call Trace:
[ 74.173584][ T5341] <TASK>
[ 74.174920][ T5341] dump_stack_lvl+0x99/0x250
[ 74.176998][ T5341] ? __asan_memcpy+0x40/0x70
[ 74.179030][ T5341] ? __pfx_dump_stack_lvl+0x10/0x10
[ 74.181232][ T5341] ? __pfx__printk+0x10/0x10
[ 74.183092][ T5341] panic+0x2db/0x790
[ 74.184809][ T5341] ? __pfx_preempt_schedule+0x10/0x10
[ 74.187128][ T5341] ? __pfx_panic+0x10/0x10
[ 74.189132][ T5341] ? _raw_spin_unlock_irqrestore+0xfd/0x110
[ 74.191472][ T5341] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 74.194243][ T5341] ? hfsplus_uni2asc+0x680/0x1270
[ 74.196485][ T5341] check_panic_on_warn+0x89/0xb0
[ 74.198398][ T5341] ? hfsplus_uni2asc+0x680/0x1270
[ 74.200466][ T5341] end_report+0x78/0x160
[ 74.202390][ T5341] kasan_report+0x129/0x150
[ 74.204463][ T5341] ? hfsplus_uni2asc+0x680/0x1270
[ 74.206638][ T5341] hfsplus_uni2asc+0x680/0x1270
[ 74.208692][ T5341] ? hfsplus_bnode_read+0x255/0x2a0
[ 74.210790][ T5341] hfsplus_listxattr+0x58e/0xb80
[ 74.213084][ T5341] ? __pfx_hfsplus_listxattr+0x10/0x10
[ 74.215479][ T5341] ? __asan_memset+0x22/0x50
[ 74.217480][ T5341] ? path_lookupat+0x30d/0x430
[ 74.219638][ T5341] ? filename_lookup+0x3d1/0x570
[ 74.221870][ T5341] ? strncpy_from_user+0x150/0x290
[ 74.224198][ T5341] ? __pfx_hfsplus_listxattr+0x10/0x10
[ 74.226727][ T5341] listxattr+0x10a/0x2a0
[ 74.228740][ T5341] path_listxattrat+0x179/0x3a0
[ 74.230895][ T5341] ? __pfx_path_listxattrat+0x10/0x10
[ 74.233379][ T5341] ? rcu_is_watching+0x15/0xb0
[ 74.235431][ T5341] ? do_syscall_64+0xbe/0x3b0
[ 74.237382][ T5341] do_syscall_64+0xfa/0x3b0
[ 74.239238][ T5341] ? lockdep_hardirqs_on+0x9c/0x150
[ 74.241287][ T5341] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 74.243724][ T5341] ? clear_bhb_loop+0x60/0xb0
[ 74.245493][ T5341] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 74.247865][ T5341] RIP: 0033:0x7f1edb78e9a9
[ 74.249627][ T5341] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 74.257898][ T5341] RSP: 002b:00007f1edc684038 EFLAGS: 00000246 ORIG_RAX: 00000000000000c3
[ 74.261607][ T5341] RAX: ffffffffffffffda RBX: 00007f1edb9b5fa0 RCX: 00007f1edb78e9a9
[ 74.265134][ T5341] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000200000000000
[ 74.268766][ T5341] RBP: 00007f1edb810d69 R08: 0000000000000000 R09: 0000000000000000
[ 74.272323][ T5341] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 74.275804][ T5341] R13: 0000000000000000 R14: 00007f1edb9b5fa0 R15: 00007ffd49a96838
[ 74.279256][ T5341] </TASK>
[ 74.280989][ T5341] Kernel Offset: disabled
[ 74.283026][ T5341] Rebooting in 86400 seconds..