./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2906795515 <...> [ 91.214364][ T1220] cfg80211: failed to load regulatory.db Warning: Permanently added '10.128.1.27' (ED25519) to the list of known hosts. execve("./syz-executor2906795515", ["./syz-executor2906795515"], 0x7fff5bb75ff0 /* 10 vars */) = 0 brk(NULL) = 0x555579c4e000 brk(0x555579c4ed00) = 0x555579c4ed00 arch_prctl(ARCH_SET_FS, 0x555579c4e380) = 0 set_tid_address(0x555579c4e650) = 5832 set_robust_list(0x555579c4e660, 24) = 0 rseq(0x555579c4eca0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor2906795515", 4096) = 28 getrandom("\x94\xc7\xb5\x4c\x19\xf1\xe3\xa6", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x555579c4ed00 brk(0x555579c6fd00) = 0x555579c6fd00 brk(0x555579c70000) = 0x555579c70000 mprotect(0x7f7a0c65d000, 16384, PROT_READ) = 0 mmap(0x1ffffffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffffffff000 mmap(0x200000000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200000000000 mmap(0x200001000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200001000000 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5833 attached [pid 5833] set_robust_list(0x555579c4e660, 24) = 0 [pid 5833] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5832] <... clone resumed>, child_tidptr=0x555579c4e650) = 5833 [pid 5833] <... prctl resumed>) = 0 [pid 5833] setpgid(0, 0) = 0 [pid 5833] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5833] write(3, "1000", 4) = 4 [pid 5833] close(3) = 0 [pid 5833] write(1, "executing program\n", 18executing program ) = 18 [pid 5833] memfd_create("syzkaller", 0) = 3 [pid 5833] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7a04000000 [pid 5833] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 524288) = 524288 [pid 5833] munmap(0x7f7a04000000, 138412032) = 0 [pid 5833] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5833] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5833] close(3) = 0 [pid 5833] close(4) = 0 [pid 5833] mkdir("./file1", 0777) = 0 [pid 5833] mount("/dev/loop0", "./file1", "hfsplus", MS_NOATIME|MS_NODIRATIME|MS_STRICTATIME|MS_LAZYTIME, "") = 0 [pid 5833] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [ 92.667881][ T5833] loop0: detected capacity change from 0 to 1024 [pid 5833] chdir("./file1") = 0 [pid 5833] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy) [ 92.753989][ T5833] ================================================================== [ 92.762089][ T5833] BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x680/0x1270 [ 92.769849][ T5833] Read of size 2 at addr ffff888026806a18 by task syz-executor290/5833 [ 92.778073][ T5833] [ 92.780404][ T5833] CPU: 1 UID: 0 PID: 5833 Comm: syz-executor290 Not tainted 6.16.0-rc2-syzkaller-00318-g739a6c93cc75 #0 PREEMPT(full) [ 92.780425][ T5833] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 92.780435][ T5833] Call Trace: [ 92.780443][ T5833] [ 92.780450][ T5833] dump_stack_lvl+0x189/0x250 [ 92.780481][ T5833] ? __kasan_check_byte+0x12/0x40 [ 92.780500][ T5833] ? __pfx_dump_stack_lvl+0x10/0x10 [ 92.780527][ T5833] ? srso_alias_return_thunk+0x5/0xfbef5 [ 92.780547][ T5833] ? lock_release+0x4b/0x3e0 [ 92.780574][ T5833] ? srso_alias_return_thunk+0x5/0xfbef5 [ 92.780594][ T5833] ? __virt_addr_valid+0x4a5/0x5c0 [ 92.780613][ T5833] print_report+0xd2/0x2b0 [ 92.780637][ T5833] ? hfsplus_uni2asc+0x680/0x1270 [ 92.780653][ T5833] kasan_report+0x118/0x150 [ 92.780671][ T5833] ? hfsplus_uni2asc+0x680/0x1270 [ 92.780692][ T5833] hfsplus_uni2asc+0x680/0x1270 [ 92.780712][ T5833] ? hfsplus_bnode_read+0x255/0x2a0 [ 92.780739][ T5833] hfsplus_listxattr+0x58e/0xb80 [ 92.780758][ T5833] ? srso_alias_return_thunk+0x5/0xfbef5 [ 92.780783][ T5833] ? __pfx_hfsplus_listxattr+0x10/0x10 [ 92.780805][ T5833] ? srso_alias_return_thunk+0x5/0xfbef5 [ 92.780824][ T5833] ? __asan_memset+0x22/0x50 [ 92.780851][ T5833] ? srso_alias_return_thunk+0x5/0xfbef5 [ 92.780871][ T5833] ? path_lookupat+0x30d/0x430 [ 92.780896][ T5833] ? srso_alias_return_thunk+0x5/0xfbef5 [ 92.780916][ T5833] ? filename_lookup+0x3d1/0x570 [ 92.780953][ T5833] ? strncpy_from_user+0x150/0x290 [ 92.780973][ T5833] ? srso_alias_return_thunk+0x5/0xfbef5 [ 92.780995][ T5833] ? __pfx_hfsplus_listxattr+0x10/0x10 [ 92.781013][ T5833] listxattr+0x10d/0x2a0 [ 92.781038][ T5833] path_listxattrat+0x179/0x3a0 [ 92.781064][ T5833] ? __pfx_path_listxattrat+0x10/0x10 [ 92.781087][ T5833] ? rcu_is_watching+0x15/0xb0 [ 92.781117][ T5833] ? srso_alias_return_thunk+0x5/0xfbef5 [ 92.781139][ T5833] do_syscall_64+0xfa/0x3b0 [ 92.781161][ T5833] ? lockdep_hardirqs_on+0x9c/0x150 [ 92.781186][ T5833] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 92.781203][ T5833] ? srso_alias_return_thunk+0x5/0xfbef5 [ 92.781223][ T5833] ? exc_page_fault+0x9f/0xf0 [ 92.781248][ T5833] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 92.781265][ T5833] RIP: 0033:0x7f7a0c5e9a99 [ 92.781287][ T5833] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 92.781301][ T5833] RSP: 002b:00007fff61cab798 EFLAGS: 00000246 ORIG_RAX: 00000000000000c3 [ 92.781319][ T5833] RAX: ffffffffffffffda RBX: 0031656c69662f2e RCX: 00007f7a0c5e9a99 [ 92.781332][ T5833] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000200000000000 [ 92.781343][ T5833] RBP: 00007f7a0c65d5f0 R08: 0000000000000658 R09: 0000555579c4f4c0 [ 92.781355][ T5833] R10: 00007fff61cab660 R11: 0000000000000246 R12: 00007fff61cab7c0 [ 92.781367][ T5833] R13: 00007fff61cab9e8 R14: 431bde82d7b634db R15: 00007f7a0c63203b [ 92.781388][ T5833] [ 92.781394][ T5833] [ 93.071458][ T5833] Allocated by task 5833: [ 93.075776][ T5833] kasan_save_track+0x3e/0x80 [ 93.080460][ T5833] __kasan_kmalloc+0x93/0xb0 [ 93.085044][ T5833] __kmalloc_noprof+0x27a/0x4f0 [ 93.089887][ T5833] hfsplus_find_init+0x8c/0x1d0 [ 93.094727][ T5833] hfsplus_listxattr+0x38f/0xb80 [ 93.099659][ T5833] listxattr+0x10d/0x2a0 [ 93.103902][ T5833] path_listxattrat+0x179/0x3a0 [ 93.108751][ T5833] do_syscall_64+0xfa/0x3b0 [ 93.113245][ T5833] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 93.119135][ T5833] [ 93.121447][ T5833] The buggy address belongs to the object at ffff888026806800 [ 93.121447][ T5833] which belongs to the cache kmalloc-1k of size 1024 [ 93.135489][ T5833] The buggy address is located 0 bytes to the right of [ 93.135489][ T5833] allocated 536-byte region [ffff888026806800, ffff888026806a18) [ 93.149976][ T5833] [ 93.152301][ T5833] The buggy address belongs to the physical page: [ 93.158696][ T5833] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x26800 [ 93.167450][ T5833] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 93.175936][ T5833] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) [ 93.183478][ T5833] page_type: f5(slab) [ 93.187457][ T5833] raw: 00fff00000000040 ffff88801a441dc0 ffffea00018fbc00 dead000000000002 [ 93.196032][ T5833] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 93.204632][ T5833] head: 00fff00000000040 ffff88801a441dc0 ffffea00018fbc00 dead000000000002 [ 93.213310][ T5833] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 93.221982][ T5833] head: 00fff00000000003 ffffea00009a0001 00000000ffffffff 00000000ffffffff [ 93.230653][ T5833] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 [ 93.239312][ T5833] page dumped because: kasan: bad access detected [ 93.245713][ T5833] page_owner tracks the page as allocated [ 93.251437][ T5833] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x252800(GFP_NOWAIT|__GFP_NORETRY|__GFP_COMP|__GFP_THISNODE), pid 36, tgid 36 (kworker/u8:2), ts 9810587487, free_ts 0 [ 93.269681][ T5833] post_alloc_hook+0x240/0x2a0 [ 93.274455][ T5833] get_page_from_freelist+0x21e4/0x22c0 [ 93.280008][ T5833] __alloc_frozen_pages_noprof+0x181/0x370 [ 93.285814][ T5833] allocate_slab+0x65/0x3b0 [ 93.290318][ T5833] ___slab_alloc+0xbfc/0x1480 [ 93.294993][ T5833] __kmalloc_cache_node_noprof+0x29a/0x3d0 [ 93.300836][ T5833] blk_mq_alloc_and_init_hctx+0x181/0xd60 [ 93.306556][ T5833] __blk_mq_realloc_hw_ctxs+0x169/0x400 [ 93.312102][ T5833] blk_mq_init_allocated_queue+0x400/0x1490 [ 93.318004][ T5833] blk_mq_alloc_queue+0x197/0x290 [ 93.323034][ T5833] scsi_alloc_sdev+0x76d/0xb50 [ 93.327798][ T5833] scsi_probe_and_add_lun+0x1cb/0x4520 [ 93.333261][ T5833] __scsi_scan_target+0x1dd/0xd10 [ 93.338284][ T5833] scsi_scan_host_selected+0x372/0x690 [ 93.343740][ T5833] do_scan_async+0x124/0x760 [ 93.348327][ T5833] async_run_entry_fn+0xa8/0x3f0 [ 93.353273][ T5833] page_owner free stack trace missing [ 93.358628][ T5833] [ 93.360941][ T5833] Memory state around the buggy address: [ 93.366563][ T5833] ffff888026806900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 93.374618][ T5833] ffff888026806980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 93.382671][ T5833] >ffff888026806a00: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc [ 93.390719][ T5833] ^ [ 93.395587][ T5833] ffff888026806a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 93.403643][ T5833] ffff888026806b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 93.411699][ T5833] ================================================================== [ 93.422555][ T5833] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 93.429765][ T5833] CPU: 1 UID: 0 PID: 5833 Comm: syz-executor290 Not tainted 6.16.0-rc2-syzkaller-00318-g739a6c93cc75 #0 PREEMPT(full) [ 93.442186][ T5833] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 93.452241][ T5833] Call Trace: [ 93.455524][ T5833] [ 93.458450][ T5833] dump_stack_lvl+0x99/0x250 [ 93.463058][ T5833] ? __asan_memcpy+0x40/0x70 [ 93.467655][ T5833] ? __pfx_dump_stack_lvl+0x10/0x10 [ 93.472865][ T5833] ? __pfx__printk+0x10/0x10 [ 93.477460][ T5833] ? srso_alias_return_thunk+0x5/0xfbef5 [ 93.483096][ T5833] panic+0x2db/0x790 [ 93.486999][ T5833] ? __pfx_preempt_schedule+0x10/0x10 [ 93.492379][ T5833] ? __pfx_panic+0x10/0x10 [ 93.496800][ T5833] ? srso_alias_return_thunk+0x5/0xfbef5 [ 93.502435][ T5833] ? srso_alias_return_thunk+0x5/0xfbef5 [ 93.508067][ T5833] ? _raw_spin_unlock_irqrestore+0xfd/0x110 [ 93.513965][ T5833] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 93.520299][ T5833] ? hfsplus_uni2asc+0x680/0x1270 [ 93.525318][ T5833] check_panic_on_warn+0x89/0xb0 [ 93.530263][ T5833] ? hfsplus_uni2asc+0x680/0x1270 [ 93.535288][ T5833] end_report+0x78/0x160 [ 93.539614][ T5833] kasan_report+0x129/0x150 [ 93.544117][ T5833] ? hfsplus_uni2asc+0x680/0x1270 [ 93.549144][ T5833] hfsplus_uni2asc+0x680/0x1270 [ 93.553995][ T5833] ? hfsplus_bnode_read+0x255/0x2a0 [ 93.559203][ T5833] hfsplus_listxattr+0x58e/0xb80 [ 93.564140][ T5833] ? srso_alias_return_thunk+0x5/0xfbef5 [ 93.569779][ T5833] ? __pfx_hfsplus_listxattr+0x10/0x10 [ 93.575240][ T5833] ? srso_alias_return_thunk+0x5/0xfbef5 [ 93.580878][ T5833] ? __asan_memset+0x22/0x50 [ 93.585482][ T5833] ? srso_alias_return_thunk+0x5/0xfbef5 [ 93.591117][ T5833] ? path_lookupat+0x30d/0x430 [ 93.595974][ T5833] ? srso_alias_return_thunk+0x5/0xfbef5 [ 93.601610][ T5833] ? filename_lookup+0x3d1/0x570 [ 93.606570][ T5833] ? strncpy_from_user+0x150/0x290 [ 93.611678][ T5833] ? srso_alias_return_thunk+0x5/0xfbef5 [ 93.617311][ T5833] ? __pfx_hfsplus_listxattr+0x10/0x10 [ 93.622857][ T5833] listxattr+0x10d/0x2a0 [ 93.627109][ T5833] path_listxattrat+0x179/0x3a0 [ 93.631969][ T5833] ? __pfx_path_listxattrat+0x10/0x10 [ 93.637347][ T5833] ? rcu_is_watching+0x15/0xb0 [ 93.642120][ T5833] ? srso_alias_return_thunk+0x5/0xfbef5 [ 93.647755][ T5833] do_syscall_64+0xfa/0x3b0 [ 93.652259][ T5833] ? lockdep_hardirqs_on+0x9c/0x150 [ 93.657463][ T5833] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 93.663524][ T5833] ? srso_alias_return_thunk+0x5/0xfbef5 [ 93.669157][ T5833] ? exc_page_fault+0x9f/0xf0 [ 93.673840][ T5833] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 93.679729][ T5833] RIP: 0033:0x7f7a0c5e9a99 [ 93.684139][ T5833] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 93.703749][ T5833] RSP: 002b:00007fff61cab798 EFLAGS: 00000246 ORIG_RAX: 00000000000000c3 [ 93.712173][ T5833] RAX: ffffffffffffffda RBX: 0031656c69662f2e RCX: 00007f7a0c5e9a99 [ 93.720151][ T5833] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000200000000000 [ 93.728125][ T5833] RBP: 00007f7a0c65d5f0 R08: 0000000000000658 R09: 0000555579c4f4c0 [ 93.736102][ T5833] R10: 00007fff61cab660 R11: 0000000000000246 R12: 00007fff61cab7c0 [ 93.744076][ T5833] R13: 00007fff61cab9e8 R14: 431bde82d7b634db R15: 00007f7a0c63203b [ 93.752059][ T5833] [ 93.755319][ T5833] Kernel Offset: disabled [ 93.759638][ T5833] Rebooting in 86400 seconds..