audit: type=1800 audit(1670043169.843:287): pid=24980 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.0" name="bus" dev="loop0" ino=10 res=0 audit: type=1800 audit(1670043169.843:288): pid=24980 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.0" name="bus" dev="loop0" ino=10 res=0 ================================================================== BUG: KASAN: slab-out-of-bounds in hfs_asc2mac+0x68f/0x710 fs/hfs/trans.c:133 Write of size 1 at addr ffff8880a8b4aa4e by task syz-executor.2/24997 CPU: 1 PID: 24997 Comm: syz-executor.2 Not tainted 4.19.211-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1fc/0x2ef lib/dump_stack.c:118 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256 kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354 kasan_report mm/kasan/report.c:412 [inline] __asan_report_store1_noabort+0x88/0x90 mm/kasan/report.c:435 hfs_asc2mac+0x68f/0x710 fs/hfs/trans.c:133 hfs_cat_build_key+0xbe/0x1a0 fs/hfs/catalog.c:28 hfs_lookup+0x1c2/0x300 fs/hfs/dir.c:31 __lookup_hash+0x117/0x180 fs/namei.c:1547 filename_create+0x186/0x490 fs/namei.c:3639 user_path_create fs/namei.c:3696 [inline] do_mkdirat+0xa0/0x2d0 fs/namei.c:3834 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x7fc59f50e0d9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 netlink: 16 bytes leftover after parsing attributes in process `syz-executor.4'. RSP: 002b:00007fc59da80168 EFLAGS: 00000246 ORIG_RAX: 0000000000000102 RAX: ffffffffffffffda RBX: 00007fc59f62df80 RCX: 00007fc59f50e0d9 RDX: 0000000000000000 RSI: 0000000020000540 RDI: 0000000000000004 RBP: 00007fc59f569ae9 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffc4416f81f R14: 00007fc59da80300 R15: 0000000000022000 Allocated by task 24997: __do_kmalloc mm/slab.c:3727 [inline] __kmalloc+0x15a/0x3c0 mm/slab.c:3736 kmalloc include/linux/slab.h:520 [inline] hfs_find_init+0x91/0x230 fs/hfs/bfind.c:21 hfs_lookup+0xfe/0x300 fs/hfs/dir.c:28 __lookup_hash+0x117/0x180 fs/namei.c:1547 filename_create+0x186/0x490 fs/namei.c:3639 user_path_create fs/namei.c:3696 [inline] do_mkdirat+0xa0/0x2d0 fs/namei.c:3834 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 18: __cache_free mm/slab.c:3503 [inline] kfree+0xcc/0x210 mm/slab.c:3822 __rcu_reclaim kernel/rcu/rcu.h:231 [inline] rcu_do_batch kernel/rcu/tree.c:2584 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2897 [inline] __rcu_process_callbacks kernel/rcu/tree.c:2864 [inline] rcu_process_callbacks+0xa0d/0x18b0 kernel/rcu/tree.c:2881 __do_softirq+0x265/0x980 kernel/softirq.c:292 The buggy address belongs to the object at ffff8880a8b4aa00 which belongs to the cache kmalloc-96 of size 96 The buggy address is located 78 bytes inside of 96-byte region [ffff8880a8b4aa00, ffff8880a8b4aa60) The buggy address belongs to the page: page:ffffea0002a2d280 count:1 mapcount:0 mapping:ffff88813bff04c0 index:0x0 flags: 0xfff00000000100(slab) raw: 00fff00000000100 ffffea0002cf48c8 ffffea0002d05448 ffff88813bff04c0 raw: 0000000000000000 ffff8880a8b4a000 0000000100000020 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880a8b4a900: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff8880a8b4a980: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc >ffff8880a8b4aa00: 00 00 00 00 00 00 00 00 00 06 fc fc fc fc fc fc ^ ffff8880a8b4aa80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff8880a8b4ab00: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc ==================================================================