Warning: Permanently added '10.128.0.91' (ECDSA) to the list of known hosts.
executing program
[ 37.621618][ T4307] loop0: detected capacity change from 0 to 1024
[ 37.635593][ T4307] ==================================================================
[ 37.637570][ T4307] BUG: KASAN: use-after-free in hfsplus_release_folio+0x410/0x4ac
[ 37.639363][ T4307] Read of size 4 at addr ffff0000d833e038 by task syz-executor954/4307
[ 37.641211][ T4307]
[ 37.641752][ T4307] CPU: 0 PID: 4307 Comm: syz-executor954 Not tainted 6.1.15-syzkaller #0
[ 37.643775][ T4307] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
[ 37.646069][ T4307] Call trace:
[ 37.646800][ T4307]  dump_backtrace+0x1c8/0x1f4
[ 37.647893][ T4307]  show_stack+0x2c/0x3c
[ 37.648833][ T4307]  dump_stack_lvl+0x108/0x170
[ 37.650029][ T4307]  print_report+0x178/0x4e0
[ 37.651111][ T4307]  kasan_report+0xd4/0x130
[ 37.652045][ T4307]  __asan_report_load4_noabort+0x2c/0x38
[ 37.653379][ T4307]  hfsplus_release_folio+0x410/0x4ac
[ 37.654606][ T4307]  filemap_release_folio+0x144/0x30c
[ 37.655901][ T4307]  block_invalidate_folio+0x4c4/0x814
[ 37.657148][ T4307]  truncate_cleanup_folio+0x180/0x4c0
[ 37.658403][ T4307]  truncate_inode_pages_range+0x288/0x13b0
[ 37.659690][ T4307]  truncate_inode_pages_final+0x90/0xc0
[ 37.660972][ T4307]  hfsplus_evict_inode+0x2c/0xc0
[ 37.662172][ T4307]  evict+0x260/0x68c
[ 37.663073][ T4307]  iput+0x968/0xa4c
[ 37.663985][ T4307]  hfsplus_put_super+0x1b0/0x2ec
[ 37.665142][ T4307]  generic_shutdown_super+0x130/0x2f0
[ 37.666414][ T4307]  kill_block_super+0x70/0xdc
[ 37.667483][ T4307]  deactivate_locked_super+0xac/0x124
[ 37.668738][ T4307]  deactivate_super+0xf0/0x110
[ 37.669826][ T4307]  cleanup_mnt+0x394/0x41c
[ 37.670900][ T4307]  __cleanup_mnt+0x20/0x30
[ 37.671988][ T4307]  task_work_run+0x240/0x2f0
[ 37.673027][ T4307]  do_exit+0x538/0x1af8
[ 37.674037][ T4307]  do_group_exit+0x194/0x22c
[ 37.675103][ T4307]  __wake_up_parent+0x0/0x60
[ 37.676215][ T4307]  invoke_syscall+0x98/0x2c0
[ 37.677297][ T4307]  el0_svc_common+0x138/0x258
[ 37.678361][ T4307]  do_el0_svc+0x64/0x218
[ 37.679308][ T4307]  el0_svc+0x58/0x168
[ 37.680251][ T4307]  el0t_64_sync_handler+0x84/0xf0
[ 37.681475][ T4307]  el0t_64_sync+0x18c/0x190
[ 37.682498][ T4307]
[ 37.683041][ T4307] Allocated by task 4307:
[ 37.684094][ T4307]  kasan_set_track+0x4c/0x80
[ 37.685172][ T4307]  kasan_save_alloc_info+0x24/0x30
[ 37.686449][ T4307]  __kasan_kmalloc+0xac/0xc4
[ 37.687503][ T4307]  kmalloc_trace+0x7c/0x94
[ 37.688539][ T4307]  hfsplus_btree_open+0x6c/0xd00
[ 37.689716][ T4307]  hfsplus_fill_super+0x910/0x166c
[ 37.690918][ T4307]  mount_bdev+0x26c/0x368
[ 37.691990][ T4307]  hfsplus_mount+0x44/0x58
[ 37.692986][ T4307]  legacy_get_tree+0xd4/0x16c
[ 37.694032][ T4307]  vfs_get_tree+0x90/0x274
[ 37.695106][ T4307]  do_new_mount+0x25c/0x8c8
[ 37.696179][ T4307]  path_mount+0x590/0xe58
[ 37.697206][ T4307]  __arm64_sys_mount+0x45c/0x594
[ 37.698375][ T4307]  invoke_syscall+0x98/0x2c0
[ 37.699500][ T4307]  el0_svc_common+0x138/0x258
[ 37.700607][ T4307]  do_el0_svc+0x64/0x218
[ 37.701569][ T4307]  el0_svc+0x58/0x168
[ 37.702477][ T4307]  el0t_64_sync_handler+0x84/0xf0
[ 37.703687][ T4307]  el0t_64_sync+0x18c/0x190
[ 37.704748][ T4307]
[ 37.705290][ T4307] Freed by task 4307:
[ 37.706215][ T4307]  kasan_set_track+0x4c/0x80
[ 37.707334][ T4307]  kasan_save_free_info+0x38/0x5c
[ 37.708468][ T4307]  ____kasan_slab_free+0x144/0x20c
[ 37.709670][ T4307]  __kasan_slab_free+0x18/0x28
[ 37.710783][ T4307]  __kmem_cache_free+0x2c0/0x500
[ 37.711970][ T4307]  kfree+0x104/0x268
[ 37.712914][ T4307]  hfsplus_btree_close+0x25c/0x288
[ 37.714135][ T4307]  hfsplus_put_super+0x140/0x2ec
[ 37.715271][ T4307]  generic_shutdown_super+0x130/0x2f0
[ 37.716553][ T4307]  kill_block_super+0x70/0xdc
[ 37.717673][ T4307]  deactivate_locked_super+0xac/0x124
[ 37.718978][ T4307]  deactivate_super+0xf0/0x110
[ 37.720136][ T4307]  cleanup_mnt+0x394/0x41c
[ 37.721179][ T4307]  __cleanup_mnt+0x20/0x30
[ 37.722187][ T4307]  task_work_run+0x240/0x2f0
[ 37.723209][ T4307]  do_exit+0x538/0x1af8
[ 37.724192][ T4307]  do_group_exit+0x194/0x22c
[ 37.725254][ T4307]  __wake_up_parent+0x0/0x60
[ 37.726290][ T4307]  invoke_syscall+0x98/0x2c0
[ 37.727332][ T4307]  el0_svc_common+0x138/0x258
[ 37.728472][ T4307]  do_el0_svc+0x64/0x218
[ 37.729532][ T4307]  el0_svc+0x58/0x168
[ 37.730483][ T4307]  el0t_64_sync_handler+0x84/0xf0
[ 37.731713][ T4307]  el0t_64_sync+0x18c/0x190
[ 37.732798][ T4307]
[ 37.733349][ T4307] The buggy address belongs to the object at ffff0000d833e000
[ 37.733349][ T4307]  which belongs to the cache kmalloc-4k of size 4096
[ 37.736769][ T4307] The buggy address is located 56 bytes inside of
[ 37.736769][ T4307]  4096-byte region [ffff0000d833e000, ffff0000d833f000)
[ 37.739840][ T4307]
[ 37.740396][ T4307] The buggy address belongs to the physical page:
[ 37.741874][ T4307] page:00000000386b5da6 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x118338
[ 37.744227][ T4307] head:00000000386b5da6 order:3 compound_mapcount:0 compound_pincount:0
[ 37.746141][ T4307] flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
[ 37.748066][ T4307] raw: 05ffc00000010200 0000000000000000 dead000000000122 ffff0000c0002a80
[ 37.750047][ T4307] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
[ 37.752036][ T4307] page dumped because: kasan: bad access detected
[ 37.753494][ T4307]
[ 37.754083][ T4307] Memory state around the buggy address:
[ 37.755417][ T4307]  ffff0000d833df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.757295][ T4307]  ffff0000d833df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.759161][ T4307] >ffff0000d833e000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.761020][ T4307]                                         ^
[ 37.762387][ T4307]  ffff0000d833e080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.764291][ T4307]  ffff0000d833e100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.766107][ T4307] ==================================================================
[ 37.768451][ T4307] Disabling lock debugging due to kernel taint
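A triage parser for a report of this shape, added here as an example; it is not part of the page, of syzkaller, or of the kernel tree. It strips the dmesg prefixes, splits the report into the use, allocation and free stacks, and pulls out what you read first when deciding whether a report is new: the bug class and faulting frame, the access size and its offset into the slab object, the first subsystem-owned frame of each stack, whether all three stacks come from the same task, and the innermost function shared by the use path and the free path together with the offsets at which each path left it. The embedded input is an excerpt of the report above with intermediate frames dropped; the `INSTRUMENTATION` prefix list is this example's own choice of what to treat as KASAN or allocator machinery.

```python
"""Triage parser for a KASAN report like the one on this page. Added example,
not code from the page, syzkaller or the kernel tree."""
import re
from dataclasses import dataclass, field

# Excerpt of the report on this page, intermediate frames dropped.
SAMPLE_REPORT = """\
[ 37.637570][ T4307] BUG: KASAN: use-after-free in hfsplus_release_folio+0x410/0x4ac
[ 37.639363][ T4307] Read of size 4 at addr ffff0000d833e038 by task syz-executor954/4307
[ 37.646069][ T4307] Call trace:
[ 37.651111][ T4307]  kasan_report+0xd4/0x130
[ 37.653379][ T4307]  hfsplus_release_folio+0x410/0x4ac
[ 37.663985][ T4307]  iput+0x968/0xa4c
[ 37.665142][ T4307]  hfsplus_put_super+0x1b0/0x2ec
[ 37.682498][ T4307]
[ 37.683041][ T4307] Allocated by task 4307:
[ 37.687503][ T4307]  kmalloc_trace+0x7c/0x94
[ 37.688539][ T4307]  hfsplus_btree_open+0x6c/0xd00
[ 37.704748][ T4307]
[ 37.705290][ T4307] Freed by task 4307:
[ 37.711970][ T4307]  kfree+0x104/0x268
[ 37.712914][ T4307]  hfsplus_btree_close+0x25c/0x288
[ 37.714135][ T4307]  hfsplus_put_super+0x140/0x2ec
[ 37.733349][ T4307]  which belongs to the cache kmalloc-4k of size 4096
[ 37.736769][ T4307] The buggy address is located 56 bytes inside of
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")   # "[ 37.6][ T4307] "
FRAME = re.compile(r"^\s*([A-Za-z_][\w.]*\+0x[0-9a-f]+/0x[0-9a-f]+)")
BUG = re.compile(r"BUG: KASAN: ([\w-]+) in ([A-Za-z_][\w.]*)\+0x")
ACCESS = re.compile(r"^(Read|Write) of size (\d+) at addr [0-9a-f]+ by task \S+/(\d+)")
STACK = re.compile(r"^(Allocated|Freed) by task (\d+):")
# Frame prefixes this example treats as KASAN or allocator machinery (an assumption).
INSTRUMENTATION = ("kasan_", "__kasan_", "____kasan_", "__asan_", "kmalloc", "kfree",
                   "__kmem_cache", "kmem_cache", "dump_", "show_stack", "print_report")

@dataclass
class KasanReport:
    bug: str = ""
    where: str = ""            # faulting function
    access: str = ""           # "Read" or "Write"
    size: int = 0
    pid: int = 0               # task that made the bad access
    cache: str = ""
    object_size: int = 0
    offset: int = 0            # bytes from the start of the slab object
    stack_pids: dict = field(default_factory=dict)   # "Allocated"/"Freed" -> pid
    call_trace: list = field(default_factory=list)
    alloc_stack: list = field(default_factory=list)
    free_stack: list = field(default_factory=list)

def parse_kasan_report(text):
    r, section = KasanReport(), None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw)
        if not line.strip():
            section = None                    # a blank line closes a stack
        elif m := BUG.search(line):
            r.bug, r.where = m.group(1), m.group(2)
        elif m := ACCESS.match(line):
            r.access, r.size, r.pid = m.group(1), int(m.group(2)), int(m.group(3))
        elif line.startswith("Call trace:"):
            section = r.call_trace
        elif m := STACK.match(line):
            section = r.alloc_stack if m.group(1) == "Allocated" else r.free_stack
            r.stack_pids[m.group(1)] = int(m.group(2))
        elif m := re.search(r"cache (\S+) of size (\d+)", line):
            r.cache, r.object_size = m.group(1), int(m.group(2))
        elif m := re.search(r"located (\d+) bytes inside of", line):
            r.offset = int(m.group(1))
        elif section is not None and (m := FRAME.match(line)):
            section.append(m.group(1))
    return r

def origin(frames):
    """First frame the subsystem owns, skipping KASAN and allocator machinery."""
    return next((f.partition("+")[0] for f in frames
                 if not f.startswith(INSTRUMENTATION)), "")

def common_caller(use_frames, free_frames):
    """Innermost function on both the use and the free path, with the frame on
    each side; for a UAF this is the function whose ordering needs checking."""
    free_by_sym = {f.partition("+")[0]: f for f in free_frames}
    for f in use_frames:
        s = f.partition("+")[0]
        if s in free_by_sym and not s.startswith(INSTRUMENTATION):
            return s, f, free_by_sym[s]
    return "", "", ""

def summarize(r):
    caller, use_at, free_at = common_caller(r.call_trace, r.free_stack)
    return {
        "title": f"KASAN: {r.bug} {r.access} in {r.where}",
        "access": f"{r.access} of {r.size} bytes at +{r.offset} in a {r.object_size}-byte {r.cache} object",
        "allocated_in": origin(r.alloc_stack),
        "freed_in": origin(r.free_stack),
        "same_task": set(r.stack_pids.values()) == {r.pid},
        "common_caller": caller, "use_at": use_at, "free_at": free_at,
    }
```

Run against the excerpt, `summarize` reports the free in hfsplus_btree_close and the use in hfsplus_release_folio, both reached from hfsplus_put_super (free at +0x140, use at +0x1b0 via iput), all in task 4307, 56 bytes into a kmalloc-4k object allocated by hfsplus_btree_open. That is the same information the full report carries, reduced to the handful of fields you compare when deduplicating reports or deciding which function to read first.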