Warning: Permanently added '10.128.1.200' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 34.931560][ T5976] memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL, pid=5976 'syz-executor415'
[ 34.940633][ T5976] loop0: detected capacity change from 0 to 1024
[ 34.951283][ T5976] ==================================================================
[ 34.952913][ T5976] BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x624/0x1018
[ 34.954442][ T5976] Read of size 2 at addr ffff0000d4ca540c by task syz-executor415/5976
[ 34.956121][ T5976]
[ 34.956599][ T5976] CPU: 1 PID: 5976 Comm: syz-executor415 Not tainted 6.4.0-rc7-syzkaller-ge40939bbfc68 #0
[ 34.958605][ T5976] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
[ 34.960660][ T5976] Call trace:
[ 34.961331][ T5976] dump_backtrace+0x1b8/0x1e4
[ 34.962344][ T5976] show_stack+0x2c/0x44
[ 34.963244][ T5976] dump_stack_lvl+0xd0/0x124
[ 34.964199][ T5976] print_report+0x174/0x514
[ 34.965132][ T5976] kasan_report+0xd4/0x130
[ 34.966023][ T5976] __asan_report_load2_noabort+0x20/0x2c
[ 34.967261][ T5976] hfsplus_uni2asc+0x624/0x1018
[ 34.968262][ T5976] hfsplus_readdir+0x7a0/0xf28
[ 34.969242][ T5976] iterate_dir+0x1f4/0x4e4
[ 34.970133][ T5976] __arm64_sys_getdents64+0x1c4/0x4a0
[ 34.971277][ T5976] invoke_syscall+0x98/0x2c0
[ 34.972238][ T5976] el0_svc_common+0x138/0x244
[ 34.973204][ T5976] do_el0_svc+0x64/0x198
[ 34.974118][ T5976] el0_svc+0x4c/0x160
[ 34.974951][ T5976] el0t_64_sync_handler+0x84/0xfc
[ 34.975995][ T5976] el0t_64_sync+0x190/0x194
[ 34.976937][ T5976]
[ 34.977398][ T5976] Allocated by task 5976:
[ 34.978260][ T5976] kasan_set_track+0x4c/0x7c
[ 34.979204][ T5976] kasan_save_alloc_info+0x24/0x30
[ 34.980232][ T5976] __kasan_kmalloc+0xac/0xc4
[ 34.981190][ T5976] __kmalloc+0xcc/0x1b8
[ 34.982022][ T5976] hfsplus_find_init+0x84/0x1bc
[ 34.983044][ T5976] hfsplus_readdir+0x1c8/0xf28
[ 34.984039][ T5976] iterate_dir+0x1f4/0x4e4
[ 34.984934][ T5976] __arm64_sys_getdents64+0x1c4/0x4a0
[ 34.986019][ T5976] invoke_syscall+0x98/0x2c0
[ 34.986972][ T5976] el0_svc_common+0x138/0x244
[ 34.987946][ T5976] do_el0_svc+0x64/0x198
[ 34.988795][ T5976] el0_svc+0x4c/0x160
[ 34.989638][ T5976] el0t_64_sync_handler+0x84/0xfc
[ 34.990691][ T5976] el0t_64_sync+0x190/0x194
[ 34.991614][ T5976]
[ 34.992099][ T5976] Last potentially related work creation:
[ 34.993269][ T5976] kasan_save_stack+0x40/0x6c
[ 34.994242][ T5976] __kasan_record_aux_stack+0xcc/0xe8
[ 34.995338][ T5976] kasan_record_aux_stack_noalloc+0x14/0x20
[ 34.996579][ T5976] call_rcu+0x104/0xaf4
[ 34.997430][ T5976] netlink_release+0x12c0/0x1818
[ 34.998429][ T5976] sock_close+0xb8/0x1fc
[ 34.999327][ T5976] __fput+0x30c/0x7bc
[ 35.000123][ T5976] ____fput+0x20/0x30
[ 35.000948][ T5976] task_work_run+0x230/0x2e0
[ 35.001883][ T5976] do_notify_resume+0x2180/0x3c90
[ 35.002914][ T5976] el0_svc+0x94/0x160
[ 35.003724][ T5976] el0t_64_sync_handler+0x84/0xfc
[ 35.004759][ T5976] el0t_64_sync+0x190/0x194
[ 35.005673][ T5976]
[ 35.006134][ T5976] The buggy address belongs to the object at ffff0000d4ca5000
[ 35.006134][ T5976] which belongs to the cache kmalloc-2k of size 2048
[ 35.009016][ T5976] The buggy address is located 0 bytes to the right of
[ 35.009016][ T5976] allocated 1036-byte region [ffff0000d4ca5000, ffff0000d4ca540c)
[ 35.012025][ T5976]
[ 35.012506][ T5976] The buggy address belongs to the physical page:
[ 35.013834][ T5976] page:0000000031fd1cb0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x114ca0
[ 35.015964][ T5976] head:0000000031fd1cb0 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 35.017796][ T5976] anon flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
[ 35.019577][ T5976] page_type: 0xffffffff()
[ 35.020490][ T5976] raw: 05ffc00000010200 ffff0000c0002900 0000000000000000 dead000000000001
[ 35.022294][ T5976] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 35.024067][ T5976] page dumped because: kasan: bad access detected
[ 35.025384][ T5976]
[ 35.025845][ T5976] Memory state around the buggy address:
[ 35.026985][ T5976] ffff0000d4ca5300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 35.028684][ T5976] ffff0000d4ca5380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 35.030293][ T5976] >ffff0000d4ca5400: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.031935][ T5976] ^
[ 35.032821][ T5976] ffff0000d4ca5480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.034499][ T5976] ffff0000d4ca5500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.036204][ T5976] ==================================================================
[ 35.039661][ T5976] Disabling lock debugging due to kernel taint