./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor4025005577 <...> Warning: Permanently added '10.128.1.173' (ED25519) to the list of known hosts. execve("./syz-executor4025005577", ["./syz-executor4025005577"], 0x7ffe94e366a0 /* 10 vars */) = 0 brk(NULL) = 0x555572bde000 brk(0x555572bded00) = 0x555572bded00 arch_prctl(ARCH_SET_FS, 0x555572bde380) = 0 set_tid_address(0x555572bde650) = 5840 set_robust_list(0x555572bde660, 24) = 0 rseq(0x555572bdeca0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor4025005577", 4096) = 28 getrandom("\x89\x82\x9a\x56\x52\x58\xdd\xb4", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x555572bded00 brk(0x555572bffd00) = 0x555572bffd00 brk(0x555572c00000) = 0x555572c00000 mprotect(0x7faa1f3d3000, 16384, PROT_READ) = 0 mmap(0x1ffffffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffffffff000 mmap(0x200000000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200000000000 mmap(0x200001000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200001000000 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5841 attached [pid 5841] set_robust_list(0x555572bde660, 24) = 0 [pid 5841] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5840] <... clone resumed>, child_tidptr=0x555572bde650) = 5841 [pid 5841] <... prctl resumed>) = 0 [pid 5841] setpgid(0, 0) = 0 [pid 5841] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5841] write(3, "1000", 4) = 4 [pid 5841] close(3) = 0 executing program [pid 5841] write(1, "executing program\n", 18) = 18 [pid 5841] memfd_create("syzkaller", 0) = 3 [pid 5841] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7faa16e00000 [pid 5841] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 32768) = 32768 [pid 5841] munmap(0x7faa16e00000, 138412032) = 0 [pid 5841] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5841] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5841] close(3) = 0 [pid 5841] close(4) = 0 [pid 5841] mkdir("./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", 0777) = 0 [pid 5841] mount("/dev/loop0", "./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "hfs", MS_DIRSYNC|MS_NODIRATIME|MS_POSIXACL|MS_I_VERSION|MS_LAZYTIME, "") = 0 [pid 5841] openat(AT_FDCWD, "./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", O_RDONLY|O_DIRECTORY) = 3 [pid 5841] chdir("./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") = 0 [ 92.710625][ T5841] loop0: detected capacity change from 0 to 64 [pid 5841] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy) [ 92.778844][ T5841] ================================================================== [ 92.787407][ T5841] BUG: KASAN: out-of-bounds in hfs_bnode_move+0xea/0x130 [ 92.794468][ T5841] Read of size 18446744073709486080 at addr ffff8880119a1400 by task syz-executor402/5841 [ 92.804451][ T5841] [ 92.806795][ T5841] CPU: 0 UID: 0 PID: 5841 Comm: syz-executor402 Not tainted 6.16.0-rc7-syzkaller-00018-g01a412d06bc5 #0 PREEMPT(full) [ 92.806814][ T5841] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 [ 92.806828][ T5841] Call Trace: [ 92.806837][ T5841] [ 92.806844][ T5841] dump_stack_lvl+0x189/0x250 [ 92.806864][ T5841] ? __kasan_check_byte+0x12/0x40 [ 92.806880][ T5841] ? __pfx_dump_stack_lvl+0x10/0x10 [ 92.806896][ T5841] ? lock_release+0x4b/0x3e0 [ 92.806912][ T5841] ? __virt_addr_valid+0x4a5/0x5c0 [ 92.806931][ T5841] print_report+0xca/0x230 [ 92.806954][ T5841] ? hfs_bnode_move+0xea/0x130 [ 92.806972][ T5841] kasan_report+0x118/0x150 [ 92.806988][ T5841] ? hfs_bnode_move+0xea/0x130 [ 92.807008][ T5841] ? hfs_bnode_move+0xea/0x130 [ 92.807026][ T5841] kasan_check_range+0x2b0/0x2c0 [ 92.807042][ T5841] ? hfs_bnode_move+0xea/0x130 [ 92.807060][ T5841] __asan_memmove+0x29/0x70 [ 92.807086][ T5841] hfs_bnode_move+0xea/0x130 [ 92.807106][ T5841] hfs_brec_remove+0x467/0x550 [ 92.807132][ T5841] hfs_cat_move+0x6fb/0x960 [ 92.807156][ T5841] ? __pfx_hfs_cat_move+0x10/0x10 [ 92.807179][ T5841] ? seqcount_lockdep_reader_access+0x122/0x1c0 [ 92.807197][ T5841] ? lockdep_hardirqs_on+0x9c/0x150 [ 92.807219][ T5841] ? __lock_acquire+0xab9/0xd20 [ 92.807240][ T5841] hfs_rename+0x1dc/0x2d0 [ 92.807262][ T5841] ? __pfx_hfs_rename+0x10/0x10 [ 92.807284][ T5841] vfs_rename+0xb99/0xec0 [ 92.807303][ T5841] ? __pfx_vfs_rename+0x10/0x10 [ 92.807319][ T5841] ? d_alloc+0x144/0x190 [ 92.807338][ T5841] ? bpf_lsm_path_rename+0x9/0x20 [ 92.807361][ T5841] ? security_path_rename+0x17d/0x490 [ 92.807385][ T5841] do_renameat2+0x878/0xc50 [ 92.807407][ T5841] ? __pfx_do_renameat2+0x10/0x10 [ 92.807425][ T5841] ? strncpy_from_user+0x150/0x290 [ 92.807451][ T5841] ? getname_flags+0x1e5/0x540 [ 92.807476][ T5841] __x64_sys_rename+0x82/0x90 [ 92.807497][ T5841] do_syscall_64+0xfa/0x3b0 [ 92.807520][ T5841] ? lockdep_hardirqs_on+0x9c/0x150 [ 92.807540][ T5841] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 92.807560][ T5841] ? clear_bhb_loop+0x60/0xb0 [ 92.807581][ T5841] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 92.807602][ T5841] RIP: 0033:0x7faa1f35fb19 [ 92.807625][ T5841] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 92.807644][ T5841] RSP: 002b:00007fff43d73da8 EFLAGS: 00000246 ORIG_RAX: 0000000000000052 [ 92.807667][ T5841] RAX: ffffffffffffffda RBX: 00007faa1f3a80e0 RCX: 00007faa1f35fb19 [ 92.807680][ T5841] RDX: 0000000000000000 RSI: 0000200000000780 RDI: 00002000000003c0 [ 92.807690][ T5841] RBP: 0000000000000000 R08: 00000000000002ca R09: 0000555572bdf4c0 [ 92.807699][ T5841] R10: 00007fff43d73c70 R11: 0000000000000246 R12: 00007fff43d73dd0 [ 92.807709][ T5841] R13: 00007fff43d73ff8 R14: 431bde82d7b634db R15: 00007faa1f3a803b [ 92.807726][ T5841] [ 92.807732][ T5841] [ 93.094830][ T5841] The buggy address belongs to the physical page: [ 93.101261][ T5841] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x55dd42fc8 pfn:0x119a1 [ 93.110730][ T5841] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 93.117863][ T5841] raw: 00fff00000000000 ffffea0000466888 ffffea0000466808 0000000000000000 [ 93.126457][ T5841] raw: 000000055dd42fc8 0000000000000000 00000000ffffffff 0000000000000000 [ 93.135047][ T5841] page dumped because: kasan: bad access detected [ 93.141470][ T5841] page_owner tracks the page as freed [ 93.146845][ T5841] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO|__GFP_COMP), pid 5828, tgid 5828 (sshd-session), ts 86462488120, free_ts 86804583188 [ 93.166083][ T5841] post_alloc_hook+0x240/0x2a0 [ 93.170907][ T5841] get_page_from_freelist+0x21d5/0x22b0 [ 93.176493][ T5841] __alloc_frozen_pages_noprof+0x181/0x370 [ 93.182326][ T5841] alloc_pages_mpol+0x232/0x4a0 [ 93.187195][ T5841] vma_alloc_folio_noprof+0xe4/0x200 [ 93.192520][ T5841] folio_prealloc+0x30/0x180 [ 93.197134][ T5841] __handle_mm_fault+0x2c88/0x5620 [ 93.202277][ T5841] handle_mm_fault+0x2d5/0x7f0 [ 93.207068][ T5841] do_user_addr_fault+0xa81/0x1390 [ 93.212209][ T5841] exc_page_fault+0x76/0xf0 [ 93.216735][ T5841] asm_exc_page_fault+0x26/0x30 [ 93.221690][ T5841] page last free pid 5828 tgid 5828 stack trace: [ 93.228083][ T5841] free_unref_folios+0xcd2/0x1570 [ 93.233132][ T5841] folios_put_refs+0x559/0x640 [ 93.238020][ T5841] free_pages_and_swap_cache+0x277/0x520 [ 93.243675][ T5841] tlb_flush_mmu+0x3a0/0x680 [ 93.248290][ T5841] tlb_finish_mmu+0xc3/0x1d0 [ 93.252900][ T5841] exit_mmap+0x44c/0xb50 [ 93.257152][ T5841] __mmput+0x118/0x410 [ 93.261250][ T5841] exit_mm+0x1da/0x2c0 [ 93.265358][ T5841] do_exit+0x648/0x22e0 [ 93.269543][ T5841] do_group_exit+0x21c/0x2d0 [ 93.274546][ T5841] __x64_sys_exit_group+0x3f/0x40 [ 93.279602][ T5841] x64_sys_call+0x21ba/0x21c0 [ 93.284308][ T5841] do_syscall_64+0xfa/0x3b0 [ 93.288837][ T5841] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 93.294749][ T5841] [ 93.297083][ T5841] Memory state around the buggy address: [ 93.302803][ T5841] ffff8880119a1300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 93.310997][ T5841] ffff8880119a1380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 93.319166][ T5841] >ffff8880119a1400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 93.327244][ T5841] ^ [ 93.331317][ T5841] ffff8880119a1480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 93.339475][ T5841] ffff8880119a1500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 93.347549][ T5841] ================================================================== [ 93.356672][ T5841] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 93.363931][ T5841] CPU: 1 UID: 0 PID: 5841 Comm: syz-executor402 Not tainted 6.16.0-rc7-syzkaller-00018-g01a412d06bc5 #0 PREEMPT(full) [ 93.376482][ T5841] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 [ 93.386728][ T5841] Call Trace: [ 93.390026][ T5841] [ 93.392967][ T5841] dump_stack_lvl+0x99/0x250 [ 93.397582][ T5841] ? __asan_memcpy+0x40/0x70 [ 93.402186][ T5841] ? __pfx_dump_stack_lvl+0x10/0x10 [ 93.407390][ T5841] ? __pfx__printk+0x10/0x10 [ 93.412005][ T5841] panic+0x2db/0x790 [ 93.415927][ T5841] ? __pfx_panic+0x10/0x10 [ 93.420366][ T5841] ? _raw_spin_unlock_irqrestore+0xfd/0x110 [ 93.426278][ T5841] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 93.432808][ T5841] ? print_memory_metadata+0x314/0x400 [ 93.438378][ T5841] ? hfs_bnode_move+0xea/0x130 [ 93.443154][ T5841] check_panic_on_warn+0x89/0xb0 [ 93.448102][ T5841] ? hfs_bnode_move+0xea/0x130 [ 93.452874][ T5841] end_report+0x78/0x160 [ 93.457128][ T5841] kasan_report+0x129/0x150 [ 93.461636][ T5841] ? hfs_bnode_move+0xea/0x130 [ 93.466513][ T5841] ? hfs_bnode_move+0xea/0x130 [ 93.471402][ T5841] kasan_check_range+0x2b0/0x2c0 [ 93.476354][ T5841] ? hfs_bnode_move+0xea/0x130 [ 93.481129][ T5841] __asan_memmove+0x29/0x70 [ 93.485643][ T5841] hfs_bnode_move+0xea/0x130 [ 93.490245][ T5841] hfs_brec_remove+0x467/0x550 [ 93.495109][ T5841] hfs_cat_move+0x6fb/0x960 [ 93.499624][ T5841] ? __pfx_hfs_cat_move+0x10/0x10 [ 93.504661][ T5841] ? seqcount_lockdep_reader_access+0x122/0x1c0 [ 93.510917][ T5841] ? lockdep_hardirqs_on+0x9c/0x150 [ 93.516126][ T5841] ? __lock_acquire+0xab9/0xd20 [ 93.521002][ T5841] hfs_rename+0x1dc/0x2d0 [ 93.525443][ T5841] ? __pfx_hfs_rename+0x10/0x10 [ 93.530302][ T5841] vfs_rename+0xb99/0xec0 [ 93.534753][ T5841] ? __pfx_vfs_rename+0x10/0x10 [ 93.539611][ T5841] ? d_alloc+0x144/0x190 [ 93.543878][ T5841] ? bpf_lsm_path_rename+0x9/0x20 [ 93.548935][ T5841] ? security_path_rename+0x17d/0x490 [ 93.554321][ T5841] do_renameat2+0x878/0xc50 [ 93.558842][ T5841] ? __pfx_do_renameat2+0x10/0x10 [ 93.563894][ T5841] ? strncpy_from_user+0x150/0x290 [ 93.569049][ T5841] ? getname_flags+0x1e5/0x540 [ 93.573823][ T5841] __x64_sys_rename+0x82/0x90 [ 93.578592][ T5841] do_syscall_64+0xfa/0x3b0 [ 93.583098][ T5841] ? lockdep_hardirqs_on+0x9c/0x150 [ 93.588320][ T5841] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 93.594560][ T5841] ? clear_bhb_loop+0x60/0xb0 [ 93.599244][ T5841] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 93.605136][ T5841] RIP: 0033:0x7faa1f35fb19 [ 93.609553][ T5841] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 93.629363][ T5841] RSP: 002b:00007fff43d73da8 EFLAGS: 00000246 ORIG_RAX: 0000000000000052 [ 93.637803][ T5841] RAX: ffffffffffffffda RBX: 00007faa1f3a80e0 RCX: 00007faa1f35fb19 [ 93.646138][ T5841] RDX: 0000000000000000 RSI: 0000200000000780 RDI: 00002000000003c0 [ 93.654122][ T5841] RBP: 0000000000000000 R08: 00000000000002ca R09: 0000555572bdf4c0 [ 93.662118][ T5841] R10: 00007fff43d73c70 R11: 0000000000000246 R12: 00007fff43d73dd0 [ 93.670097][ T5841] R13: 00007fff43d73ff8 R14: 431bde82d7b634db R15: 00007faa1f3a803b [ 93.678089][ T5841] [ 93.681445][ T5841] Kernel Offset: disabled [ 93.685786][ T5841] Rebooting in 86400 seconds..