./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor232037833
<...>
forked to background, child pid 3208
no interfaces have a carrier
[ 27.080132][ T3209] 8021q: adding VLAN 0 to HW filter on device bond0
[ 27.089450][ T3209] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK
syzkaller
Warning: Permanently added '10.128.0.154' (ECDSA) to the list of known hosts.
execve("./syz-executor232037833", ["./syz-executor232037833"], 0x7ffd8fe158a0 /* 10 vars */) = 0
brk(NULL) = 0x55555591e000
brk(0x55555591ec40) = 0x55555591ec40
arch_prctl(ARCH_SET_FS, 0x55555591e300) = 0
uname({sysname="Linux", nodename="syzkaller", ...}) = 0
readlink("/proc/self/exe", "/root/syz-executor232037833", 4096) = 27
brk(0x55555593fc40) = 0x55555593fc40
brk(0x555555940000) = 0x555555940000
mprotect(0x7fd3fefc5000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
memfd_create("syzkaller", 0) = 3
mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fd3f6b0b000
write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 524288) = 524288
munmap(0x7fd3f6b0b000, 524288) = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
ioctl(4, LOOP_SET_FD, 3) = 0
close(3) = 0
mkdir("./bus", 0777) = 0
mount("/dev/loop0", "./bus", "hfsplus", MS_NOEXEC|MS_RELATIME, "") = 0
openat(AT_FDCWD, "./bus", O_RDONLY|O_DIRECTORY) = 3
chdir("./bus") = 0
ioctl(4, LOOP_CLR_FD) = 0
close(4) = 0
openat(AT_FDCWD, ".", O_RDONLY) = 4
getdents64(4, 0x20000340 /* 3 entries */, 97) = 80
getdents64(4, 0x20000340 /* 3 entries */, 97) = 96
syzkaller login: [ 61.301458][ T3629] loop0: detected capacity change from 0 to 1024
[ 61.330621][ T3629] ==================================================================
[ 61.338709][ T3629] BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x953/0xa50
[ 61.346387][ T3629] Read of size 2 at addr ffff8880182bd40c by task syz-executor232/3629
[ 61.354625][ T3629]
[ 61.356942][ T3629] CPU: 0 PID: 3629 Comm: syz-executor232 Not tainted 6.1.0-syzkaller #0
[ 61.365294][ T3629] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 61.375327][ T3629] Call Trace:
[ 61.378588][ T3629]
[ 61.381499][ T3629] dump_stack_lvl+0xd1/0x138
[ 61.386075][ T3629] print_report+0x15e/0x45d
[ 61.390563][ T3629] ? __phys_addr+0xc8/0x140
[ 61.395051][ T3629] ? hfsplus_uni2asc+0x953/0xa50
[ 61.399973][ T3629] kasan_report+0xbf/0x1f0
[ 61.404377][ T3629] ? hfsplus_uni2asc+0x953/0xa50
[ 61.409301][ T3629] ? char2uni+0x130/0x130
[ 61.413612][ T3629] hfsplus_uni2asc+0x953/0xa50
[ 61.418361][ T3629] ? char2uni+0x130/0x130
[ 61.422694][ T3629] ? hfsplus_bnode_read+0xb8/0x150
[ 61.427790][ T3629] hfsplus_readdir+0x70d/0xf30
[ 61.432540][ T3629] ? hfsplus_dir_release+0x1d0/0x1d0
[ 61.437809][ T3629] ? __lock_acquire+0x166e/0x56d0
[ 61.442829][ T3629] ? lock_release+0x810/0x810
[ 61.447490][ T3629] ? aa_path_link+0x2f0/0x2f0
[ 61.452148][ T3629] ? down_read_killable+0x1ab/0x490
[ 61.457325][ T3629] ? down_read+0x450/0x450
[ 61.461718][ T3629] ? fsnotify_perm.part.0+0x221/0x610
[ 61.467071][ T3629] ? apparmor_file_permission+0x268/0x4e0
[ 61.472795][ T3629] iterate_dir+0x56e/0x6f0
[ 61.477196][ T3629] __x64_sys_getdents64+0x13e/0x2c0
[ 61.482389][ T3629] ? __ia32_sys_getdents+0x2c0/0x2c0
[ 61.487658][ T3629] ? compat_filldir+0x6b0/0x6b0
[ 61.492491][ T3629] ? lockdep_hardirqs_on+0x7d/0x100
[ 61.497669][ T3629] ? _raw_spin_unlock_irq+0x2e/0x50
[ 61.502848][ T3629] ? ptrace_notify+0xfe/0x140
[ 61.507518][ T3629] do_syscall_64+0x39/0xb0
[ 61.511917][ T3629] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 61.517792][ T3629] RIP: 0033:0x7fd3fef57869
[ 61.522204][ T3629] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 61.541790][ T3629] RSP: 002b:00007ffe51f345b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
[ 61.550181][ T3629] RAX: ffffffffffffffda RBX: 000000000000003f RCX: 00007fd3fef57869
[ 61.558134][ T3629] RDX: 0000000000000061 RSI: 0000000020000340 RDI: 0000000000000004
[ 61.566102][ T3629] RBP: 00007fd3fef17100 R08: 0000000000000000 R09: 0000000000000000
[ 61.574070][ T3629] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd3fef17190
[ 61.582020][ T3629] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 61.589973][ T3629]
[ 61.592972][ T3629]
[ 61.595271][ T3629] Allocated by task 3629:
[ 61.599574][ T3629] kasan_save_stack+0x22/0x40
[ 61.604231][ T3629] kasan_set_track+0x25/0x30
[ 61.608801][ T3629] __kasan_kmalloc+0xa5/0xb0
[ 61.613369][ T3629] __kmalloc+0x5a/0xd0
[ 61.617418][ T3629] hfsplus_find_init+0x95/0x230
[ 61.622250][ T3629] hfsplus_readdir+0x21f/0xf30
[ 61.626999][ T3629] iterate_dir+0x56e/0x6f0
[ 61.631396][ T3629] __x64_sys_getdents64+0x13e/0x2c0
[ 61.636571][ T3629] do_syscall_64+0x39/0xb0
[ 61.640987][ T3629] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 61.646868][ T3629]
[ 61.649170][ T3629] Last potentially related work creation:
[ 61.654858][ T3629] kasan_save_stack+0x22/0x40
[ 61.659521][ T3629] __kasan_record_aux_stack+0xbc/0xd0
[ 61.664877][ T3629] call_rcu+0x9d/0x820
[ 61.668926][ T3629] netlink_release+0xf0f/0x1dd0
[ 61.673779][ T3629] __sock_release+0xcd/0x280
[ 61.678352][ T3629] sock_close+0x1c/0x20
[ 61.682487][ T3629] __fput+0x27c/0xa90
[ 61.686450][ T3629] task_work_run+0x16f/0x270
[ 61.691023][ T3629] exit_to_user_mode_prepare+0x23c/0x250
[ 61.696635][ T3629] syscall_exit_to_user_mode+0x1d/0x50
[ 61.702070][ T3629] do_syscall_64+0x46/0xb0
[ 61.706464][ T3629] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 61.712338][ T3629]
[ 61.714636][ T3629] The buggy address belongs to the object at ffff8880182bd000
[ 61.714636][ T3629] which belongs to the cache kmalloc-2k of size 2048
[ 61.728685][ T3629] The buggy address is located 1036 bytes inside of
[ 61.728685][ T3629] 2048-byte region [ffff8880182bd000, ffff8880182bd800)
[ 61.742108][ T3629]
[ 61.744409][ T3629] The buggy address belongs to the physical page:
[ 61.750795][ T3629] page:ffffea000060ae00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x182b8
[ 61.760921][ T3629] head:ffffea000060ae00 order:3 compound_mapcount:0 compound_pincount:0
[ 61.769220][ T3629] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 61.777180][ T3629] raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888012042000
[ 61.785741][ T3629] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
[ 61.794314][ T3629] page dumped because: kasan: bad access detected
[ 61.800700][ T3629] page_owner tracks the page as allocated
[ 61.806387][ T3629] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 2338714128, free_ts 0
[ 61.826006][ T3629] get_page_from_freelist+0x10b5/0x2d50
[ 61.831542][ T3629] __alloc_pages+0x1cb/0x5b0
[ 61.836114][ T3629] alloc_page_interleave+0x1e/0x200
[ 61.841292][ T3629] alloc_pages+0x233/0x270
[ 61.845692][ T3629] allocate_slab+0x25f/0x350
[ 61.850260][ T3629] ___slab_alloc+0xa91/0x1400
[ 61.854933][ T3629] __slab_alloc.constprop.0+0x56/0xa0
[ 61.860283][ T3629] __kmem_cache_alloc_node+0x199/0x3e0
[ 61.865724][ T3629] kmalloc_trace+0x26/0x60
[ 61.870132][ T3629] pnp_alloc_dev+0x51/0x380
[ 61.874615][ T3629] pnpacpi_add_device_handler+0x200/0x779
[ 61.880312][ T3629] acpi_ns_get_device_callback+0x3b9/0x415
[ 61.886103][ T3629] acpi_ns_walk_namespace+0x250/0x432
[ 61.891460][ T3629] acpi_get_devices+0xdb/0x12e
[ 61.896208][ T3629] pnpacpi_init+0x99/0xf2
[ 61.900521][ T3629] do_one_initcall+0x141/0x780
[ 61.905267][ T3629] page_owner free stack trace missing
[ 61.910610][ T3629]
[ 61.912910][ T3629] Memory state around the buggy address:
[ 61.918533][ T3629] ffff8880182bd300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 61.926572][ T3629] ffff8880182bd380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 61.934618][ T3629] >ffff8880182bd400: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 61.942655][ T3629] ^
[ 61.946958][ T3629] ffff8880182bd480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 61.955081][ T3629] ffff8880182bd500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 61.963120][ T3629] ==================================================================
[ 61.971390][ T3629] Kernel panic - not syncing: panic_on_warn set ...
[ 61.977971][ T3629] CPU: 0 PID: 3629 Comm: syz-executor232 Not tainted 6.1.0-syzkaller #0
[ 61.986282][ T3629] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 61.996318][ T3629] Call Trace:
[ 61.999580][ T3629]
[ 62.002512][ T3629] dump_stack_lvl+0xd1/0x138
[ 62.007096][ T3629] panic+0x2cc/0x626
[ 62.010983][ T3629] ? panic_print_sys_info.part.0+0x110/0x110
[ 62.016962][ T3629] ? preempt_schedule_common+0x59/0xc0
[ 62.022420][ T3629] ? preempt_schedule_thunk+0x1a/0x1c
[ 62.027788][ T3629] end_report.part.0+0x3f/0x7c
[ 62.032542][ T3629] ? hfsplus_uni2asc+0x953/0xa50
[ 62.037472][ T3629] kasan_report.cold+0xa/0xf
[ 62.042050][ T3629] ? hfsplus_uni2asc+0x953/0xa50
[ 62.046980][ T3629] ? char2uni+0x130/0x130
[ 62.051305][ T3629] hfsplus_uni2asc+0x953/0xa50
[ 62.056059][ T3629] ? char2uni+0x130/0x130
[ 62.060377][ T3629] ? hfsplus_bnode_read+0xb8/0x150
[ 62.065483][ T3629] hfsplus_readdir+0x70d/0xf30
[ 62.070240][ T3629] ? hfsplus_dir_release+0x1d0/0x1d0
[ 62.075522][ T3629] ? __lock_acquire+0x166e/0x56d0
[ 62.080550][ T3629] ? lock_release+0x810/0x810
[ 62.085220][ T3629] ? aa_path_link+0x2f0/0x2f0
[ 62.089884][ T3629] ? down_read_killable+0x1ab/0x490
[ 62.095066][ T3629] ? down_read+0x450/0x450
[ 62.099464][ T3629] ? fsnotify_perm.part.0+0x221/0x610
[ 62.104822][ T3629] ? apparmor_file_permission+0x268/0x4e0
[ 62.110541][ T3629] iterate_dir+0x56e/0x6f0
[ 62.114944][ T3629] __x64_sys_getdents64+0x13e/0x2c0
[ 62.120130][ T3629] ? __ia32_sys_getdents+0x2c0/0x2c0
[ 62.125401][ T3629] ? compat_filldir+0x6b0/0x6b0
[ 62.130240][ T3629] ? lockdep_hardirqs_on+0x7d/0x100
[ 62.135424][ T3629] ? _raw_spin_unlock_irq+0x2e/0x50
[ 62.140608][ T3629] ? ptrace_notify+0xfe/0x140
[ 62.145279][ T3629] do_syscall_64+0x39/0xb0
[ 62.149685][ T3629] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 62.155569][ T3629] RIP: 0033:0x7fd3fef57869
[ 62.159966][ T3629] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 62.179563][ T3629] RSP: 002b:00007ffe51f345b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
[ 62.187960][ T3629] RAX: ffffffffffffffda RBX: 000000000000003f RCX: 00007fd3fef57869
[ 62.195915][ T3629] RDX: 0000000000000061 RSI: 0000000020000340 RDI: 0000000000000004
[ 62.203891][ T3629] RBP: 00007fd3fef17100 R08: 0000000000000000 R09: 0000000000000000
[ 62.211851][ T3629] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd3fef17190
[ 62.219808][ T3629] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 62.227771][ T3629]
[ 62.231650][ T3629] Kernel Offset: disabled
[ 62.235954][ T3629] Rebooting in 86400 seconds..