program: syz_mount_image$hfs(&(0x7f0000000140), &(0x7f00000008c0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x2810880, &(0x7f0000000000)=ANY=[], 0x1, 0x2c6, &(0x7f0000000c80)="$eJzs3U1rE0Ecx/Hf7KZpamtdbaUgHqRa9CRtvYiXghRfgxdFbVIohha1gk9g8Sy+AO9F8AX4IjyJ4FlPnnwBva3MZpLMNrtJm5psgt8PRCfZefjPZrM7/0C6AvDfur3+c//Gb/swUqhQ0i0psJsuqSTpvBYqz7d3t3brtWq3jkKpouRhpKSl6aizsV3LamrbJS2cyD4racZ/DYMRx3H8q+ggUKSK+z/M2hhIk+7TGfqVx9leKO0VHUTBzIEO9EKzRccBACiWaVzfA3edn3Hr9yCQltxl37/+/zhdcLwnc1UHRYdQMO/6n2RZsbHv75lkUzvfS1I4uz1oZonHHccuHstqHFmpBaZJZ5WdyWISSzC1uVWvXd/YqVcDvdOa41Wbl7SmqstZnR7RLmYMl1bW0Xtr+vRmYfPQS9PJHCbsHFZz4p/LGrTfvX0U5qv5Zu6bSB9Vba3/SnF7j0Std+rORDv+5bzudp7cS1o1auXM8mwyyIX0ju06yzAvI5HbU3Go9BcEUTrOcmarsg61asxuJW8k189cZqvVHq3mbavPXqv20ZzfctDMB3PXLOqPvmjdW/8Hdm8vqfOTmd1JUtMdGc35ZOaGpaRm5L+0dzGzz6C/+SDNP05zP0DSez3STc0+e/nq8cN6vfa0s1DK3/QPCjaGwfQ8eoXX5ZEIo11oHgSjEk9/BXuOHe5B2yqUT7zrKjpW5c6Z+oXmqfMIHTZP0j0HHczZCaOl/abn13k7zIAwbPbkYRr5n5evLCcJgf0n6rJOj3st27weVzJyg8lWxVNeT8Z9P5+fAU3nZ3Ddcq59r97la9IV73mPnCvSOWmq61zHiVnXdz3g+38AAAAAAAAAAAAAAAAAAIBxM4xfa3jD8Rd9AAAAAAAAAAAAAAAAAAAAAADoQ/79fysa4P1/U78DOMH9f7vc4ARAL38DAAD//0EVdWo=") syz_mount_image$ext4(&(0x7f0000000000)='ext4\x00', &(0x7f0000000100)='./mnt\x00', 0x2200054, &(0x7f0000000140)={[{@minixdf}, {@nodelalloc}]}, 0x1, 0x236, &(0x7f0000000300)="$eJzs3TFoM2UcBvDnLomf/b4gVRdBUEFEtFDqJrjURaEgpYgIKlREXJRWqC1urZOLg84qnVyKuFkdpUtxUQSnqh3qImhxsDjoELlcK9VGFFNz8t3vB5fcJe97//e4e95kOS5Aa00nmU/SSTKTpJekON/grnqZPt3cntpfTgaDx38shu3q7dpZv2tJtpI8mGSvLPJiN9nYffro54NH731jvXfPe7tPTU30IE8dHx0+dvLu4usfLjyw8fmX3y8WmU//D8d1+YoRn3WL5Jb/otj/RNFtegT8E0uvfvBVlftbk9w9zH8vZeqT9+baDXu93P/OX/V964cvbp/kWIHLNxj0qt/ArQHQOmWSfopyNkm9Xpazs/V/+K87V8uXVtdemXlhdX3l+aZnKuCy9JPDRz6+8tG1P+X/u06df+D6VeX/iaWdb6r1k07TowEmqcr/zLOb90X+oXXkH9pL/qG95B/aS/6hveQf2kv+ob3kH9pL/qG95B/a63z+AYB2GVxp+g5koClNzz8AAAAAAAAAAAAAAAAAAMBF21P7y2fLpGp++nZy/HCS7qj6neHziJMbh69XfyqqZr8r6m5jeebOMXcwpvcbvvv6pm+brf/ZHc3W31xJtl5LMtftXrz+itPr79+7+W++7z03ZoExPfRks/V/3Wm2/sJB8kk1/8yNmn/K3DZ8Hz3/9KvzN2b9l38ZcwcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABMzG8BAAD//8n0bSk=") open(&(0x7f0000000100)='./bus\x00', 0x143142, 0x0) r0 = open(&(0x7f0000000040)='./bus\x00', 0x10103e, 0x0) r1 = openat$dir(0xffffffffffffff9c, &(0x7f0000000000)='.\x00', 0x0, 0x0) getdents64(r1, 0x0, 0x0) ioctl$EXT4_IOC_SWAP_BOOT(r0, 0x6611) rename(&(0x7f00000003c0)='./file0\x00', &(0x7f0000000780)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00') socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) sendmmsg$unix(r2, &(0x7f0000005a40)=[{{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x98}}, {{&(0x7f0000005840)=@file={0x1, './file2\x00'}, 0x6e, 0x0, 0x0, 0x0, 0x0, 0x4004000}}], 0x2, 0x0) [ 68.594675][ T5309] Bluetooth: hci0: command tx timeout [ 68.631541][ T5325] loop0: detected capacity change from 0 to 64 [ 68.687171][ T5325] ================================================================== [ 68.690462][ T5325] BUG: KASAN: slab-out-of-bounds in hfs_bnode_read+0x16a/0x200 [ 68.693498][ T5325] Write of size 94 at addr ffff88801232b380 by task syz.0.0/5325 [ 68.696432][ T5325] [ 68.697361][ T5325] CPU: 0 UID: 0 PID: 5325 Comm: syz.0.0 Not tainted 6.15.0-rc1-syzkaller-00333-g5aaaedb0cb54 #0 PREEMPT(full) [ 68.697371][ T5325] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 68.697377][ T5325] Call Trace: [ 68.697382][ T5325] [ 68.697386][ T5325] dump_stack_lvl+0x241/0x360 [ 68.697400][ T5325] ? __pfx_dump_stack_lvl+0x10/0x10 [ 68.697410][ T5325] ? rcu_is_watching+0x15/0xb0 [ 68.697420][ T5325] ? __virt_addr_valid+0x183/0x530 [ 68.697430][ T5325] ? lock_release+0x4e/0x3e0 [ 68.697437][ T5325] ? __virt_addr_valid+0x183/0x530 [ 68.697450][ T5325] ? __virt_addr_valid+0x183/0x530 [ 68.697463][ T5325] print_report+0x16e/0x5b0 [ 68.697477][ T5325] ? __virt_addr_valid+0x183/0x530 [ 68.697490][ T5325] ? __virt_addr_valid+0x183/0x530 [ 68.697502][ T5325] ? __virt_addr_valid+0x45f/0x530 [ 68.697515][ T5325] ? __phys_addr+0xba/0x170 [ 68.697527][ T5325] ? hfs_bnode_read+0x16a/0x200 [ 68.697537][ T5325] kasan_report+0x143/0x180 [ 68.697549][ T5325] ? hfs_bnode_read+0x16a/0x200 [ 68.697559][ T5325] kasan_check_range+0x28f/0x2a0 [ 68.697574][ T5325] ? hfs_bnode_read+0x16a/0x200 [ 68.697581][ T5325] __asan_memcpy+0x40/0x70 [ 68.697589][ T5325] hfs_bnode_read+0x16a/0x200 [ 68.697600][ T5325] hfs_bnode_read_key+0x174/0x240 [ 68.697609][ T5325] ? do_raw_spin_unlock+0x58/0x8b0 [ 68.697623][ T5325] ? __pfx_hfs_bnode_read_key+0x10/0x10 [ 68.697635][ T5325] ? _raw_spin_unlock+0x28/0x50 [ 68.697681][ T5325] ? block_dirty_folio+0x167/0x1e0 [ 68.697696][ T5325] hfs_brec_insert+0x6a5/0xbe0 [ 68.697708][ T5325] ? __pfx_hfs_brec_insert+0x10/0x10 [ 68.697718][ T5325] hfs_cat_create+0x3de/0x760 [ 68.697730][ T5325] ? __pfx_hfs_cat_create+0x10/0x10 [ 68.697742][ T5325] ? _raw_spin_unlock+0x28/0x50 [ 68.697750][ T5325] ? hfs_new_inode+0x8df/0xba0 [ 68.697761][ T5325] hfs_create+0x66/0xe0 [ 68.697768][ T5325] ? __pfx_hfs_create+0x10/0x10 [ 68.697777][ T5325] path_openat+0x194b/0x35d0 [ 68.697791][ T5325] ? __pfx_path_openat+0x10/0x10 [ 68.697800][ T5325] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 68.697815][ T5325] do_filp_open+0x284/0x4e0 [ 68.697827][ T5325] ? __pfx_do_filp_open+0x10/0x10 [ 68.697837][ T5325] ? do_raw_spin_lock+0x151/0x370 [ 68.697859][ T5325] do_sys_openat2+0x12b/0x1d0 [ 68.697875][ T5325] ? __pfx_do_sys_openat2+0x10/0x10 [ 68.697890][ T5325] ? rcu_is_watching+0x15/0xb0 [ 68.697902][ T5325] ? __rseq_handle_notify_resume+0x3c8/0x15d0 [ 68.697920][ T5325] __x64_sys_open+0x226/0x280 [ 68.697944][ T5325] ? __pfx___x64_sys_open+0x10/0x10 [ 68.697960][ T5325] ? do_syscall_64+0xb6/0x230 [ 68.697975][ T5325] do_syscall_64+0xf3/0x230 [ 68.697987][ T5325] ? clear_bhb_loop+0x45/0xa0 [ 68.697998][ T5325] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 68.698008][ T5325] RIP: 0033:0x7f62fa58d169 [ 68.698019][ T5325] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 68.698028][ T5325] RSP: 002b:00007f62fb326038 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 68.698041][ T5325] RAX: ffffffffffffffda RBX: 00007f62fa7a5fa0 RCX: 00007f62fa58d169 [ 68.698050][ T5325] RDX: 0000000000000000 RSI: 0000000000143142 RDI: 0000200000000100 [ 68.698059][ T5325] RBP: 00007f62fa60e990 R08: 0000000000000000 R09: 0000000000000000 [ 68.698066][ T5325] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 68.698072][ T5325] R13: 0000000000000000 R14: 00007f62fa7a5fa0 R15: 00007ffdc0f5f928 [ 68.698083][ T5325] [ 68.698088][ T5325] [ 68.830240][ T5325] Allocated by task 5325: [ 68.831950][ T5325] kasan_save_track+0x3f/0x80 [ 68.833880][ T5325] __kasan_kmalloc+0x9d/0xb0 [ 68.835701][ T5325] __kmalloc_noprof+0x28e/0x4d0 [ 68.837548][ T5325] hfs_find_init+0x92/0x1f0 [ 68.839328][ T5325] hfs_cat_create+0x181/0x760 [ 68.841139][ T5325] hfs_create+0x66/0xe0 [ 68.842798][ T5325] path_openat+0x194b/0x35d0 [ 68.844648][ T5325] do_filp_open+0x284/0x4e0 [ 68.846451][ T5325] do_sys_openat2+0x12b/0x1d0 [ 68.848324][ T5325] __x64_sys_open+0x226/0x280 [ 68.850250][ T5325] do_syscall_64+0xf3/0x230 [ 68.852057][ T5325] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 68.854242][ T5325] [ 68.855190][ T5325] The buggy address belongs to the object at ffff88801232b380 [ 68.855190][ T5325] which belongs to the cache kmalloc-96 of size 96 [ 68.860524][ T5325] The buggy address is located 0 bytes inside of [ 68.860524][ T5325] allocated 78-byte region [ffff88801232b380, ffff88801232b3ce) [ 68.866254][ T5325] [ 68.867254][ T5325] The buggy address belongs to the physical page: [ 68.869633][ T5325] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1232b [ 68.873110][ T5325] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 68.875752][ T5325] page_type: f5(slab) [ 68.877417][ T5325] raw: 00fff00000000000 ffff88801b041280 dead000000000100 dead000000000122 [ 68.880606][ T5325] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 68.883862][ T5325] page dumped because: kasan: bad access detected [ 68.886252][ T5325] page_owner tracks the page as allocated [ 68.888338][ T5325] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x252800(GFP_NOWAIT|__GFP_NORETRY|__GFP_COMP|__GFP_THISNODE), pid 5325, tgid 5324 (syz.0.0), ts 68679523931, free_ts 68673024741 [ 68.895572][ T5325] post_alloc_hook+0x1f4/0x240 [ 68.897653][ T5325] get_page_from_freelist+0x352b/0x36c0 [ 68.899856][ T5325] __alloc_pages_slowpath+0x436/0x1080 [ 68.902093][ T5325] __alloc_frozen_pages_noprof+0x40d/0x5b0 [ 68.904434][ T5325] allocate_slab+0x66/0x3a0 [ 68.906265][ T5325] ___slab_alloc+0xc3b/0x1500 [ 68.908075][ T5325] __slab_alloc+0x58/0xa0 [ 68.909848][ T5325] __kmalloc_node_noprof+0x2f4/0x4d0 [ 68.911978][ T5325] alloc_slab_obj_exts+0x3a/0xa0 [ 68.913989][ T5325] __memcg_slab_post_alloc_hook+0x31c/0x7e0 [ 68.916260][ T5325] kmem_cache_alloc_noprof+0x28f/0x390 [ 68.918454][ T5325] alloc_empty_file+0x56/0x1d0 [ 68.920414][ T5325] alloc_file_pseudo+0x206/0x320 [ 68.922321][ T5325] __shmem_file_setup+0x237/0x2c0 [ 68.924409][ T5325] __se_sys_memfd_create+0x328/0x7d0 [ 68.926480][ T5325] do_syscall_64+0xf3/0x230 [ 68.928276][ T5325] page last free pid 4731 tgid 4731 stack trace: [ 68.930848][ T5325] __free_frozen_pages+0xde8/0x10a0 [ 68.932873][ T5325] __slab_free+0x2c6/0x390 [ 68.934570][ T5325] qlist_free_all+0x9a/0x140 [ 68.936429][ T5325] kasan_quarantine_reduce+0x14f/0x170 [ 68.938537][ T5325] __kasan_slab_alloc+0x23/0x80 [ 68.940372][ T5325] kmem_cache_alloc_noprof+0x1e1/0x390 [ 68.942331][ T5325] getname_flags+0xb6/0x530 [ 68.944005][ T5325] do_sys_openat2+0xbf/0x1d0 [ 68.945714][ T5325] __x64_sys_openat+0x249/0x2a0 [ 68.947445][ T5325] do_syscall_64+0xf3/0x230 [ 68.949018][ T5325] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 68.951114][ T5325] [ 68.952015][ T5325] Memory state around the buggy address: [ 68.954042][ T5325] ffff88801232b280: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc [ 68.957078][ T5325] ffff88801232b300: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [ 68.960001][ T5325] >ffff88801232b380: 00 00 00 00 00 00 00 00 00 06 fc fc fc fc fc fc [ 68.963453][ T5325] ^ [ 68.966409][ T5325] ffff88801232b400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 68.969459][ T5325] ffff88801232b480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 68.972467][ T5325] ================================================================== [ 69.013720][ T5325] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 69.016638][ T5325] CPU: 0 UID: 0 PID: 5325 Comm: syz.0.0 Not tainted 6.15.0-rc1-syzkaller-00333-g5aaaedb0cb54 #0 PREEMPT(full) [ 69.021160][ T5325] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 69.025448][ T5325] Call Trace: [ 69.026786][ T5325] [ 69.027944][ T5325] dump_stack_lvl+0x241/0x360 [ 69.029847][ T5325] ? __pfx_dump_stack_lvl+0x10/0x10 [ 69.031995][ T5325] ? __pfx__printk+0x10/0x10 [ 69.033884][ T5325] ? vscnprintf+0x5d/0x90 [ 69.035588][ T5325] panic+0x349/0x880 [ 69.037205][ T5325] ? check_panic_on_warn+0x21/0xb0 [ 69.039215][ T5325] ? __pfx_panic+0x10/0x10 [ 69.041061][ T5325] ? _raw_spin_unlock_irqrestore+0x134/0x140 [ 69.043390][ T5325] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 69.045872][ T5325] ? print_report+0x519/0x5b0 [ 69.047855][ T5325] check_panic_on_warn+0x86/0xb0 [ 69.049850][ T5325] ? hfs_bnode_read+0x16a/0x200 [ 69.051715][ T5325] end_report+0x77/0x160 [ 69.053511][ T5325] kasan_report+0x154/0x180 [ 69.055244][ T5325] ? hfs_bnode_read+0x16a/0x200 [ 69.057140][ T5325] kasan_check_range+0x28f/0x2a0 [ 69.059195][ T5325] ? hfs_bnode_read+0x16a/0x200 [ 69.061148][ T5325] __asan_memcpy+0x40/0x70 [ 69.062819][ T5325] hfs_bnode_read+0x16a/0x200 [ 69.064565][ T5325] hfs_bnode_read_key+0x174/0x240 [ 69.066374][ T5325] ? do_raw_spin_unlock+0x58/0x8b0 [ 69.068247][ T5325] ? __pfx_hfs_bnode_read_key+0x10/0x10 [ 69.070279][ T5325] ? _raw_spin_unlock+0x28/0x50 [ 69.072064][ T5325] ? block_dirty_folio+0x167/0x1e0 [ 69.074003][ T5325] hfs_brec_insert+0x6a5/0xbe0 [ 69.075712][ T5325] ? __pfx_hfs_brec_insert+0x10/0x10 [ 69.077763][ T5325] hfs_cat_create+0x3de/0x760 [ 69.079544][ T5325] ? __pfx_hfs_cat_create+0x10/0x10 [ 69.081630][ T5325] ? _raw_spin_unlock+0x28/0x50 [ 69.083505][ T5325] ? hfs_new_inode+0x8df/0xba0 [ 69.085413][ T5325] hfs_create+0x66/0xe0 [ 69.087099][ T5325] ? __pfx_hfs_create+0x10/0x10 [ 69.089128][ T5325] path_openat+0x194b/0x35d0 [ 69.090971][ T5325] ? __pfx_path_openat+0x10/0x10 [ 69.092886][ T5325] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 69.095323][ T5325] do_filp_open+0x284/0x4e0 [ 69.097208][ T5325] ? __pfx_do_filp_open+0x10/0x10 [ 69.099082][ T5325] ? do_raw_spin_lock+0x151/0x370 [ 69.101135][ T5325] do_sys_openat2+0x12b/0x1d0 [ 69.102968][ T5325] ? __pfx_do_sys_openat2+0x10/0x10 [ 69.105060][ T5325] ? rcu_is_watching+0x15/0xb0 [ 69.106914][ T5325] ? __rseq_handle_notify_resume+0x3c8/0x15d0 [ 69.109393][ T5325] __x64_sys_open+0x226/0x280 [ 69.111299][ T5325] ? __pfx___x64_sys_open+0x10/0x10 [ 69.113398][ T5325] ? do_syscall_64+0xb6/0x230 [ 69.115283][ T5325] do_syscall_64+0xf3/0x230 [ 69.117202][ T5325] ? clear_bhb_loop+0x45/0xa0 [ 69.119034][ T5325] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 69.121435][ T5325] RIP: 0033:0x7f62fa58d169 [ 69.123155][ T5325] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 69.130769][ T5325] RSP: 002b:00007f62fb326038 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 69.134161][ T5325] RAX: ffffffffffffffda RBX: 00007f62fa7a5fa0 RCX: 00007f62fa58d169 [ 69.137404][ T5325] RDX: 0000000000000000 RSI: 0000000000143142 RDI: 0000200000000100 [ 69.140685][ T5325] RBP: 00007f62fa60e990 R08: 0000000000000000 R09: 0000000000000000 [ 69.143847][ T5325] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 69.147045][ T5325] R13: 0000000000000000 R14: 00007f62fa7a5fa0 R15: 00007ffdc0f5f928 [ 69.150387][ T5325] [ 69.151938][ T5325] Kernel Offset: disabled [ 69.153638][ T5325] Rebooting in 86400 seconds..