[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.204' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 28.698199] hfsplus: request for non-existent node 393216 in B*Tree
[ 28.705261] hfsplus: request for non-existent node 393216 in B*Tree
[ 28.720143] ==================================================================
[ 28.727806] BUG: KASAN: slab-out-of-bounds in hfsplus_bnode_read+0x18c/0x1a0
[ 28.734978] Read of size 8 at addr ffff8880abbacbb8 by task syz-executor997/8004
[ 28.742485]
[ 28.744096] CPU: 1 PID: 8004 Comm: syz-executor997 Not tainted 4.14.300-syzkaller #0
[ 28.752054] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 28.761390] Call Trace:
[ 28.764073]  dump_stack+0x1b2/0x281
[ 28.767786]  print_address_description.cold+0x54/0x1d3
[ 28.773038]  kasan_report_error.cold+0x8a/0x191
[ 28.777679]  ? hfsplus_bnode_read+0x18c/0x1a0
[ 28.782155]  __asan_report_load8_noabort+0x68/0x70
[ 28.787069]  ? memmove+0x40/0x50
[ 28.790409]  ? hfsplus_bnode_read+0x18c/0x1a0
[ 28.794878]  hfsplus_bnode_read+0x18c/0x1a0
[ 28.799178]  hfsplus_bnode_dump+0x255/0x310
[ 28.803473]  ? hfsplus_bnode_move+0x9a0/0x9a0
[ 28.807940]  ? hfsplus_bnode_write_u16+0x70/0x90
[ 28.812675]  ? hfsplus_bnode_move+0x1d/0x9a0
[ 28.817073]  hfsplus_brec_remove+0x384/0x480
[ 28.821459]  __hfsplus_delete_attr+0x1eb/0x310
[ 28.826016]  ? hfsplus_find_exit+0xc0/0xc0
[ 28.830225]  ? hfsplus_part_find+0xae0/0xae0
[ 28.834695]  hfsplus_delete_all_attrs+0x12c/0x3a0
[ 28.839531]  ? hfsplus_delete_attr+0x260/0x260
[ 28.844090]  ? __mark_inode_dirty+0xa9b/0xf40
[ 28.848582]  hfsplus_delete_cat+0x765/0xd70
[ 28.852877]  ? hfsplus_unlink+0x112/0x6b0
[ 28.857105]  ? hfsplus_create_cat+0x10d0/0x10d0
[ 28.861834]  ? hfsplus_unlink+0x112/0x6b0
[ 28.865959]  ? trace_hardirqs_on+0x10/0x10
[ 28.870174]  hfsplus_unlink+0x1d6/0x6b0
[ 28.874147]  ? hfsplus_symlink+0x2a0/0x2a0
[ 28.878500]  ? lock_acquire+0x170/0x3f0
[ 28.882819]  ? vfs_unlink+0xc0/0x470
[ 28.886518]  vfs_unlink+0x230/0x470
[ 28.890128]  do_unlinkat+0x30c/0x5c0
[ 28.893821]  ? do_rmdir+0x3c0/0x3c0
[ 28.897427]  ? _raw_spin_unlock_irq+0x5a/0x80
[ 28.901897]  ? task_work_run+0xfd/0x190
[ 28.905856]  ? do_syscall_64+0x4c/0x640
[ 28.909803]  ? SyS_unlinkat+0x70/0x70
[ 28.913580]  do_syscall_64+0x1d5/0x640
[ 28.917479]  entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 28.922645]
[ 28.924250] Allocated by task 8004:
[ 28.927850]  kasan_kmalloc+0xeb/0x160
[ 28.931623]  __kmalloc+0x15a/0x400
[ 28.935138]  __hfs_bnode_create+0xe7/0x950
[ 28.939345]  hfsplus_bnode_find+0x2cb/0x9e0
[ 28.943656]  hfsplus_brec_find+0x265/0x460
[ 28.948041]  hfsplus_delete_all_attrs+0x2b6/0x3a0
[ 28.952855]  hfsplus_delete_cat+0x765/0xd70
[ 28.957149]  hfsplus_unlink+0x1d6/0x6b0
[ 28.961101]  vfs_unlink+0x230/0x470
[ 28.964702]  do_unlinkat+0x30c/0x5c0
[ 28.968394]  do_syscall_64+0x1d5/0x640
[ 28.972262]  entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 28.977427]
[ 28.979048] Freed by task 7715:
[ 28.982386]  kasan_slab_free+0xc3/0x1a0
[ 28.986330]  kfree+0xc9/0x250
[ 28.989417]  kernfs_release_file+0xcc/0x160
[ 28.993712]  kernfs_fop_release+0x136/0x180
[ 28.998010]  __fput+0x25f/0x7a0
[ 29.001261]  task_work_run+0x11f/0x190
[ 29.005119]  exit_to_usermode_loop+0x1ad/0x200
[ 29.009671]  do_syscall_64+0x4a3/0x640
[ 29.013529]  entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 29.018684]
[ 29.020288] The buggy address belongs to the object at ffff8880abbacb00
[ 29.020288]  which belongs to the cache kmalloc-192 of size 192
[ 29.032913] The buggy address is located 184 bytes inside of
[ 29.032913]  192-byte region [ffff8880abbacb00, ffff8880abbacbc0)
[ 29.044928] The buggy address belongs to the page:
[ 29.049831] page:ffffea0002aeeb00 count:1 mapcount:0 mapping:ffff8880abbac000 index:0xffff8880abbacf00
[ 29.059271] flags: 0xfff00000000100(slab)
[ 29.063391] raw: 00fff00000000100 ffff8880abbac000 ffff8880abbacf00 000000010000000e
[ 29.071244] raw: ffffea0002ae29a0 ffffea0002aec4e0 ffff88813fe74040 0000000000000000
[ 29.079181] page dumped because: kasan: bad access detected
[ 29.084866]
[ 29.086466] Memory state around the buggy address:
[ 29.091371]  ffff8880abbaca80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 29.098701]  ffff8880abbacb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 29.106032] >ffff8880abbacb80: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.113451]                                         ^
[ 29.118611]  ffff8880abbacc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.126042]  ffff8880abbacc80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 29.133371] ==================================================================
[ 29.140708] Disabling lock debugging due to kernel taint
[ 29.149534] Kernel panic - not syncing: panic_on_warn set ...
[ 29.149534]
[ 29.157026] CPU: 1 PID: 8004 Comm: syz-executor997 Tainted: G B 4.14.300-syzkaller #0
[ 29.166110] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 29.175451] Call Trace:
[ 29.178024]  dump_stack+0x1b2/0x281
[ 29.181628]  panic+0x1f9/0x42d
[ 29.184802]  ? add_taint.cold+0x16/0x16
[ 29.188768]  ? ___preempt_schedule+0x16/0x18
[ 29.193150]  kasan_end_report+0x43/0x49
[ 29.197096]  kasan_report_error.cold+0xa7/0x191
[ 29.201738]  ? hfsplus_bnode_read+0x18c/0x1a0
[ 29.206226]  __asan_report_load8_noabort+0x68/0x70
[ 29.211125]  ? memmove+0x40/0x50
[ 29.214489]  ? hfsplus_bnode_read+0x18c/0x1a0
[ 29.218955]  hfsplus_bnode_read+0x18c/0x1a0
[ 29.223269]  hfsplus_bnode_dump+0x255/0x310
[ 29.227650]  ? hfsplus_bnode_move+0x9a0/0x9a0
[ 29.232116]  ? hfsplus_bnode_write_u16+0x70/0x90
[ 29.236842]  ? hfsplus_bnode_move+0x1d/0x9a0
[ 29.241222]  hfsplus_brec_remove+0x384/0x480
[ 29.245611]  __hfsplus_delete_attr+0x1eb/0x310
[ 29.250165]  ? hfsplus_find_exit+0xc0/0xc0
[ 29.254369]  ? hfsplus_part_find+0xae0/0xae0
[ 29.258750]  hfsplus_delete_all_attrs+0x12c/0x3a0
[ 29.263564]  ? hfsplus_delete_attr+0x260/0x260
[ 29.268117]  ? __mark_inode_dirty+0xa9b/0xf40
[ 29.272583]  hfsplus_delete_cat+0x765/0xd70
[ 29.276874]  ? hfsplus_unlink+0x112/0x6b0
[ 29.280993]  ? hfsplus_create_cat+0x10d0/0x10d0
[ 29.285634]  ? hfsplus_unlink+0x112/0x6b0
[ 29.289757]  ? trace_hardirqs_on+0x10/0x10
[ 29.293965]  hfsplus_unlink+0x1d6/0x6b0
[ 29.297937]  ? hfsplus_symlink+0x2a0/0x2a0
[ 29.302142]  ? lock_acquire+0x170/0x3f0
[ 29.306091]  ? vfs_unlink+0xc0/0x470
[ 29.309786]  vfs_unlink+0x230/0x470
[ 29.313477]  do_unlinkat+0x30c/0x5c0
[ 29.317163]  ? do_rmdir+0x3c0/0x3c0
[ 29.320762]  ? _raw_spin_unlock_irq+0x5a/0x80
[ 29.325226]  ? task_work_run+0xfd/0x190
[ 29.329440]  ? do_syscall_64+0x4c/0x640
[ 29.333384]  ? SyS_unlinkat+0x70/0x70
[ 29.337159]  do_syscall_64+0x1d5/0x640
[ 29.341019]  entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 29.346362] Kernel Offset: disabled
[ 29.349967] Rebooting in 86400 seconds..