[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.77' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   26.513199] hfsplus: request for non-existent node 184549376 in B*Tree
[   26.519980] hfsplus: request for non-existent node 184549376 in B*Tree
[   26.530078] ==================================================================
[   26.537560] BUG: KASAN: slab-out-of-bounds in hfsplus_bnode_read+0x18c/0x1a0
[   26.544730] Read of size 8 at addr ffff8880ac250fb8 by task syz-executor155/7946
[   26.552238]
[   26.553851] CPU: 1 PID: 7946 Comm: syz-executor155 Not tainted 4.14.300-syzkaller #0
[   26.561703] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[   26.571029] Call Trace:
[   26.573591]  dump_stack+0x1b2/0x281
[   26.578027]  print_address_description.cold+0x54/0x1d3
[   26.583384]  kasan_report_error.cold+0x8a/0x191
[   26.588044]  ? hfsplus_bnode_read+0x18c/0x1a0
[   26.592521]  __asan_report_load8_noabort+0x68/0x70
[   26.597427]  ? memmove+0x40/0x50
[   26.600770]  ? hfsplus_bnode_read+0x18c/0x1a0
[   26.605238]  hfsplus_bnode_read+0x18c/0x1a0
[   26.609534]  hfsplus_bnode_dump+0x255/0x310
[   26.613831]  ? hfsplus_bnode_move+0x9a0/0x9a0
[   26.618299]  ? hfsplus_bnode_write_u16+0x70/0x90
[   26.623029]  ? hfsplus_bnode_move+0x1d/0x9a0
[   26.627525]  hfsplus_brec_remove+0x384/0x480
[   26.631920]  __hfsplus_delete_attr+0x1eb/0x310
[   26.636485]  ? hfsplus_find_exit+0xc0/0xc0
[   26.640696]  ? hfsplus_part_find+0xae0/0xae0
[   26.645083]  hfsplus_delete_all_attrs+0x12c/0x3a0
[   26.649903]  ? hfsplus_delete_attr+0x260/0x260
[   26.654468]  ? __mark_inode_dirty+0xa9b/0xf40
[   26.658941]  hfsplus_delete_cat+0x765/0xd70
[   26.663236]  ? hfsplus_unlink+0x112/0x6b0
[   26.667363]  ? hfsplus_create_cat+0x10d0/0x10d0
[   26.672009]  ? hfsplus_unlink+0x112/0x6b0
[   26.676135]  ? trace_hardirqs_on+0x10/0x10
[   26.680347]  hfsplus_unlink+0x1d6/0x6b0
[   26.684296]  ? hfsplus_symlink+0x2a0/0x2a0
[   26.688507]  ? lock_acquire+0x170/0x3f0
[   26.692459]  ? vfs_unlink+0xc0/0x470
[   26.696149]  vfs_unlink+0x230/0x470
[   26.699752]  do_unlinkat+0x30c/0x5c0
[   26.703441]  ? do_rmdir+0x3c0/0x3c0
[   26.707045]  ? _raw_spin_unlock_irq+0x5a/0x80
[   26.711510]  ? task_work_run+0xfd/0x190
[   26.715461]  ? do_syscall_64+0x4c/0x640
[   26.719411]  ? SyS_unlinkat+0x70/0x70
[   26.723185]  do_syscall_64+0x1d5/0x640
[   26.727050]  entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[   26.732215]
[   26.733815] Allocated by task 7946:
[   26.737416]  kasan_kmalloc+0xeb/0x160
[   26.741189]  __kmalloc+0x15a/0x400
[   26.744702]  __hfs_bnode_create+0xe7/0x950
[   26.748909]  hfsplus_bnode_find+0x2cb/0x9e0
[   26.753202]  hfsplus_brec_find+0x265/0x460
[   26.757408]  hfsplus_delete_all_attrs+0x2b6/0x3a0
[   26.762221]  hfsplus_delete_cat+0x765/0xd70
[   26.766512]  hfsplus_unlink+0x1d6/0x6b0
[   26.770458]  vfs_unlink+0x230/0x470
[   26.774057]  do_unlinkat+0x30c/0x5c0
[   26.777776]  do_syscall_64+0x1d5/0x640
[   26.781638]  entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[   26.786799]
[   26.788398] Freed by task 1:
[   26.791391]  kasan_slab_free+0xc3/0x1a0
[   26.795342]  kfree+0xc9/0x250
[   26.798441]  kernfs_release_file+0xcc/0x160
[   26.802733]  kernfs_fop_release+0x136/0x180
[   26.807028]  __fput+0x25f/0x7a0
[   26.810279]  task_work_run+0x11f/0x190
[   26.814137]  exit_to_usermode_loop+0x1ad/0x200
[   26.818689]  do_syscall_64+0x4a3/0x640
[   26.822549]  entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[   26.827706]
[   26.829310] The buggy address belongs to the object at ffff8880ac250f00
[   26.829310]  which belongs to the cache kmalloc-192 of size 192
[   26.841943] The buggy address is located 184 bytes inside of
[   26.841943]  192-byte region [ffff8880ac250f00, ffff8880ac250fc0)
[   26.853788] The buggy address belongs to the page:
[   26.858690] page:ffffea0002b09400 count:1 mapcount:0 mapping:ffff8880ac250000 index:0xffff8880ac250900
[   26.868104] flags: 0xfff00000000100(slab)
[   26.872228] raw: 00fff00000000100 ffff8880ac250000 ffff8880ac250900 0000000100000009
[   26.880084] raw: ffff88813fe64138 ffffea0002b1ca20 ffff88813fe74040 0000000000000000
[   26.887932] page dumped because: kasan: bad access detected
[   26.893611]
[   26.895211] Memory state around the buggy address:
[   26.900113]  ffff8880ac250e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   26.907444]  ffff8880ac250f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   26.914776] >ffff8880ac250f80: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.922104]                                 ^
[   26.927264]  ffff8880ac251000: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fb fb
[   26.934594]  ffff8880ac251080: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
[   26.941928] ==================================================================
[   26.949264] Disabling lock debugging due to kernel taint
[   26.956974] Kernel panic - not syncing: panic_on_warn set ...
[   26.956974]
[   26.964349] CPU: 0 PID: 7946 Comm: syz-executor155 Tainted: G    B            4.14.300-syzkaller #0
[   26.973429] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[   26.982765] Call Trace:
[   26.985326]  dump_stack+0x1b2/0x281
[   26.988930]  panic+0x1f9/0x42d
[   26.992098]  ? add_taint.cold+0x16/0x16
[   26.996044]  ? ___preempt_schedule+0x16/0x18
[   27.000425]  kasan_end_report+0x43/0x49
[   27.004370]  kasan_report_error.cold+0xa7/0x191
[   27.009013]  ? hfsplus_bnode_read+0x18c/0x1a0
[   27.013478]  __asan_report_load8_noabort+0x68/0x70
[   27.018379]  ? memmove+0x40/0x50
[   27.021716]  ? hfsplus_bnode_read+0x18c/0x1a0
[   27.026182]  hfsplus_bnode_read+0x18c/0x1a0
[   27.030477]  hfsplus_bnode_dump+0x255/0x310
[   27.034773]  ? hfsplus_bnode_move+0x9a0/0x9a0
[   27.039239]  ? hfsplus_bnode_write_u16+0x70/0x90
[   27.043970]  ? hfsplus_bnode_move+0x1d/0x9a0
[   27.048352]  hfsplus_brec_remove+0x384/0x480
[   27.052733]  __hfsplus_delete_attr+0x1eb/0x310
[   27.057285]  ? hfsplus_find_exit+0xc0/0xc0
[   27.061489]  ? hfsplus_part_find+0xae0/0xae0
[   27.065874]  hfsplus_delete_all_attrs+0x12c/0x3a0
[   27.070690]  ? hfsplus_delete_attr+0x260/0x260
[   27.075245]  ? __mark_inode_dirty+0xa9b/0xf40
[   27.079714]  hfsplus_delete_cat+0x765/0xd70
[   27.084006]  ? hfsplus_unlink+0x112/0x6b0
[   27.088128]  ? hfsplus_create_cat+0x10d0/0x10d0
[   27.092771]  ? hfsplus_unlink+0x112/0x6b0
[   27.096894]  ? trace_hardirqs_on+0x10/0x10
[   27.101123]  hfsplus_unlink+0x1d6/0x6b0
[   27.105073]  ? hfsplus_symlink+0x2a0/0x2a0
[   27.109280]  ? lock_acquire+0x170/0x3f0
[   27.113225]  ? vfs_unlink+0xc0/0x470
[   27.116910]  vfs_unlink+0x230/0x470
[   27.120511]  do_unlinkat+0x30c/0x5c0
[   27.124197]  ? do_rmdir+0x3c0/0x3c0
[   27.127798]  ? _raw_spin_unlock_irq+0x5a/0x80
[   27.132264]  ? task_work_run+0xfd/0x190
[   27.136210]  ? do_syscall_64+0x4c/0x640
[   27.140157]  ? SyS_unlinkat+0x70/0x70
[   27.143931]  do_syscall_64+0x1d5/0x640
[   27.147796]  entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[   27.153036] Kernel Offset: disabled
[   27.156640] Rebooting in 86400 seconds..