./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor232037833 <...> forked to background, child pid 3208 no interfaces have a carrier [ 27.080132][ T3209] 8021q: adding VLAN 0 to HW filter on device bond0 [ 27.089450][ T3209] eql: remember to turn off Van-Jacobson compression on your slave devices Starting sshd: OK syzkaller Warning: Permanently added '10.128.0.154' (ECDSA) to the list of known hosts. execve("./syz-executor232037833", ["./syz-executor232037833"], 0x7ffd8fe158a0 /* 10 vars */) = 0 brk(NULL) = 0x55555591e000 brk(0x55555591ec40) = 0x55555591ec40 arch_prctl(ARCH_SET_FS, 0x55555591e300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 readlink("/proc/self/exe", "/root/syz-executor232037833", 4096) = 27 brk(0x55555593fc40) = 0x55555593fc40 brk(0x555555940000) = 0x555555940000 mprotect(0x7fd3fefc5000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 memfd_create("syzkaller", 0) = 3 mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fd3f6b0b000 write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 524288) = 524288 munmap(0x7fd3f6b0b000, 524288) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 ioctl(4, LOOP_SET_FD, 3) = 0 close(3) = 0 mkdir("./bus", 0777) = 0 mount("/dev/loop0", "./bus", "hfsplus", MS_NOEXEC|MS_RELATIME, "") = 0 openat(AT_FDCWD, "./bus", O_RDONLY|O_DIRECTORY) = 3 chdir("./bus") = 0 ioctl(4, LOOP_CLR_FD) = 0 close(4) = 0 openat(AT_FDCWD, ".", O_RDONLY) = 4 getdents64(4, 0x20000340 /* 3 entries */, 97) = 80 getdents64(4, 0x20000340 /* 3 entries */, 97) = 96 syzkaller login: [ 61.301458][ T3629] loop0: detected capacity change from 0 to 1024 [ 61.330621][ T3629] ================================================================== [ 61.338709][ T3629] BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x953/0xa50 [ 61.346387][ T3629] Read of size 2 at addr ffff8880182bd40c by task syz-executor232/3629 [ 61.354625][ T3629] [ 61.356942][ T3629] CPU: 0 PID: 3629 Comm: syz-executor232 Not tainted 6.1.0-syzkaller #0 [ 61.365294][ T3629] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 61.375327][ T3629] Call Trace: [ 61.378588][ T3629] [ 61.381499][ T3629] dump_stack_lvl+0xd1/0x138 [ 61.386075][ T3629] print_report+0x15e/0x45d [ 61.390563][ T3629] ? __phys_addr+0xc8/0x140 [ 61.395051][ T3629] ? hfsplus_uni2asc+0x953/0xa50 [ 61.399973][ T3629] kasan_report+0xbf/0x1f0 [ 61.404377][ T3629] ? hfsplus_uni2asc+0x953/0xa50 [ 61.409301][ T3629] ? char2uni+0x130/0x130 [ 61.413612][ T3629] hfsplus_uni2asc+0x953/0xa50 [ 61.418361][ T3629] ? char2uni+0x130/0x130 [ 61.422694][ T3629] ? hfsplus_bnode_read+0xb8/0x150 [ 61.427790][ T3629] hfsplus_readdir+0x70d/0xf30 [ 61.432540][ T3629] ? hfsplus_dir_release+0x1d0/0x1d0 [ 61.437809][ T3629] ? __lock_acquire+0x166e/0x56d0 [ 61.442829][ T3629] ? lock_release+0x810/0x810 [ 61.447490][ T3629] ? aa_path_link+0x2f0/0x2f0 [ 61.452148][ T3629] ? down_read_killable+0x1ab/0x490 [ 61.457325][ T3629] ? down_read+0x450/0x450 [ 61.461718][ T3629] ? fsnotify_perm.part.0+0x221/0x610 [ 61.467071][ T3629] ? apparmor_file_permission+0x268/0x4e0 [ 61.472795][ T3629] iterate_dir+0x56e/0x6f0 [ 61.477196][ T3629] __x64_sys_getdents64+0x13e/0x2c0 [ 61.482389][ T3629] ? __ia32_sys_getdents+0x2c0/0x2c0 [ 61.487658][ T3629] ? compat_filldir+0x6b0/0x6b0 [ 61.492491][ T3629] ? lockdep_hardirqs_on+0x7d/0x100 [ 61.497669][ T3629] ? _raw_spin_unlock_irq+0x2e/0x50 [ 61.502848][ T3629] ? ptrace_notify+0xfe/0x140 [ 61.507518][ T3629] do_syscall_64+0x39/0xb0 [ 61.511917][ T3629] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 61.517792][ T3629] RIP: 0033:0x7fd3fef57869 [ 61.522204][ T3629] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 [ 61.541790][ T3629] RSP: 002b:00007ffe51f345b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 61.550181][ T3629] RAX: ffffffffffffffda RBX: 000000000000003f RCX: 00007fd3fef57869 [ 61.558134][ T3629] RDX: 0000000000000061 RSI: 0000000020000340 RDI: 0000000000000004 [ 61.566102][ T3629] RBP: 00007fd3fef17100 R08: 0000000000000000 R09: 0000000000000000 [ 61.574070][ T3629] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd3fef17190 [ 61.582020][ T3629] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 61.589973][ T3629] [ 61.592972][ T3629] [ 61.595271][ T3629] Allocated by task 3629: [ 61.599574][ T3629] kasan_save_stack+0x22/0x40 [ 61.604231][ T3629] kasan_set_track+0x25/0x30 [ 61.608801][ T3629] __kasan_kmalloc+0xa5/0xb0 [ 61.613369][ T3629] __kmalloc+0x5a/0xd0 [ 61.617418][ T3629] hfsplus_find_init+0x95/0x230 [ 61.622250][ T3629] hfsplus_readdir+0x21f/0xf30 [ 61.626999][ T3629] iterate_dir+0x56e/0x6f0 [ 61.631396][ T3629] __x64_sys_getdents64+0x13e/0x2c0 [ 61.636571][ T3629] do_syscall_64+0x39/0xb0 [ 61.640987][ T3629] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 61.646868][ T3629] [ 61.649170][ T3629] Last potentially related work creation: [ 61.654858][ T3629] kasan_save_stack+0x22/0x40 [ 61.659521][ T3629] __kasan_record_aux_stack+0xbc/0xd0 [ 61.664877][ T3629] call_rcu+0x9d/0x820 [ 61.668926][ T3629] netlink_release+0xf0f/0x1dd0 [ 61.673779][ T3629] __sock_release+0xcd/0x280 [ 61.678352][ T3629] sock_close+0x1c/0x20 [ 61.682487][ T3629] __fput+0x27c/0xa90 [ 61.686450][ T3629] task_work_run+0x16f/0x270 [ 61.691023][ T3629] exit_to_user_mode_prepare+0x23c/0x250 [ 61.696635][ T3629] syscall_exit_to_user_mode+0x1d/0x50 [ 61.702070][ T3629] do_syscall_64+0x46/0xb0 [ 61.706464][ T3629] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 61.712338][ T3629] [ 61.714636][ T3629] The buggy address belongs to the object at ffff8880182bd000 [ 61.714636][ T3629] which belongs to the cache kmalloc-2k of size 2048 [ 61.728685][ T3629] The buggy address is located 1036 bytes inside of [ 61.728685][ T3629] 2048-byte region [ffff8880182bd000, ffff8880182bd800) [ 61.742108][ T3629] [ 61.744409][ T3629] The buggy address belongs to the physical page: [ 61.750795][ T3629] page:ffffea000060ae00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x182b8 [ 61.760921][ T3629] head:ffffea000060ae00 order:3 compound_mapcount:0 compound_pincount:0 [ 61.769220][ T3629] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) [ 61.777180][ T3629] raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888012042000 [ 61.785741][ T3629] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000 [ 61.794314][ T3629] page dumped because: kasan: bad access detected [ 61.800700][ T3629] page_owner tracks the page as allocated [ 61.806387][ T3629] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 2338714128, free_ts 0 [ 61.826006][ T3629] get_page_from_freelist+0x10b5/0x2d50 [ 61.831542][ T3629] __alloc_pages+0x1cb/0x5b0 [ 61.836114][ T3629] alloc_page_interleave+0x1e/0x200 [ 61.841292][ T3629] alloc_pages+0x233/0x270 [ 61.845692][ T3629] allocate_slab+0x25f/0x350 [ 61.850260][ T3629] ___slab_alloc+0xa91/0x1400 [ 61.854933][ T3629] __slab_alloc.constprop.0+0x56/0xa0 [ 61.860283][ T3629] __kmem_cache_alloc_node+0x199/0x3e0 [ 61.865724][ T3629] kmalloc_trace+0x26/0x60 [ 61.870132][ T3629] pnp_alloc_dev+0x51/0x380 [ 61.874615][ T3629] pnpacpi_add_device_handler+0x200/0x779 [ 61.880312][ T3629] acpi_ns_get_device_callback+0x3b9/0x415 [ 61.886103][ T3629] acpi_ns_walk_namespace+0x250/0x432 [ 61.891460][ T3629] acpi_get_devices+0xdb/0x12e [ 61.896208][ T3629] pnpacpi_init+0x99/0xf2 [ 61.900521][ T3629] do_one_initcall+0x141/0x780 [ 61.905267][ T3629] page_owner free stack trace missing [ 61.910610][ T3629] [ 61.912910][ T3629] Memory state around the buggy address: [ 61.918533][ T3629] ffff8880182bd300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 61.926572][ T3629] ffff8880182bd380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 61.934618][ T3629] >ffff8880182bd400: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 61.942655][ T3629] ^ [ 61.946958][ T3629] ffff8880182bd480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 61.955081][ T3629] ffff8880182bd500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 61.963120][ T3629] ================================================================== [ 61.971390][ T3629] Kernel panic - not syncing: panic_on_warn set ... [ 61.977971][ T3629] CPU: 0 PID: 3629 Comm: syz-executor232 Not tainted 6.1.0-syzkaller #0 [ 61.986282][ T3629] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 61.996318][ T3629] Call Trace: [ 61.999580][ T3629] [ 62.002512][ T3629] dump_stack_lvl+0xd1/0x138 [ 62.007096][ T3629] panic+0x2cc/0x626 [ 62.010983][ T3629] ? panic_print_sys_info.part.0+0x110/0x110 [ 62.016962][ T3629] ? preempt_schedule_common+0x59/0xc0 [ 62.022420][ T3629] ? preempt_schedule_thunk+0x1a/0x1c [ 62.027788][ T3629] end_report.part.0+0x3f/0x7c [ 62.032542][ T3629] ? hfsplus_uni2asc+0x953/0xa50 [ 62.037472][ T3629] kasan_report.cold+0xa/0xf [ 62.042050][ T3629] ? hfsplus_uni2asc+0x953/0xa50 [ 62.046980][ T3629] ? char2uni+0x130/0x130 [ 62.051305][ T3629] hfsplus_uni2asc+0x953/0xa50 [ 62.056059][ T3629] ? char2uni+0x130/0x130 [ 62.060377][ T3629] ? hfsplus_bnode_read+0xb8/0x150 [ 62.065483][ T3629] hfsplus_readdir+0x70d/0xf30 [ 62.070240][ T3629] ? hfsplus_dir_release+0x1d0/0x1d0 [ 62.075522][ T3629] ? __lock_acquire+0x166e/0x56d0 [ 62.080550][ T3629] ? lock_release+0x810/0x810 [ 62.085220][ T3629] ? aa_path_link+0x2f0/0x2f0 [ 62.089884][ T3629] ? down_read_killable+0x1ab/0x490 [ 62.095066][ T3629] ? down_read+0x450/0x450 [ 62.099464][ T3629] ? fsnotify_perm.part.0+0x221/0x610 [ 62.104822][ T3629] ? apparmor_file_permission+0x268/0x4e0 [ 62.110541][ T3629] iterate_dir+0x56e/0x6f0 [ 62.114944][ T3629] __x64_sys_getdents64+0x13e/0x2c0 [ 62.120130][ T3629] ? __ia32_sys_getdents+0x2c0/0x2c0 [ 62.125401][ T3629] ? compat_filldir+0x6b0/0x6b0 [ 62.130240][ T3629] ? lockdep_hardirqs_on+0x7d/0x100 [ 62.135424][ T3629] ? _raw_spin_unlock_irq+0x2e/0x50 [ 62.140608][ T3629] ? ptrace_notify+0xfe/0x140 [ 62.145279][ T3629] do_syscall_64+0x39/0xb0 [ 62.149685][ T3629] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 62.155569][ T3629] RIP: 0033:0x7fd3fef57869 [ 62.159966][ T3629] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 [ 62.179563][ T3629] RSP: 002b:00007ffe51f345b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 62.187960][ T3629] RAX: ffffffffffffffda RBX: 000000000000003f RCX: 00007fd3fef57869 [ 62.195915][ T3629] RDX: 0000000000000061 RSI: 0000000020000340 RDI: 0000000000000004 [ 62.203891][ T3629] RBP: 00007fd3fef17100 R08: 0000000000000000 R09: 0000000000000000 [ 62.211851][ T3629] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd3fef17190 [ 62.219808][ T3629] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 62.227771][ T3629] [ 62.231650][ T3629] Kernel Offset: disabled [ 62.235954][ T3629] Rebooting in 86400 seconds..