option from the mount to silence this warning.
=======================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
Read of size 2 at addr ffff88801d31a40c by task syz-executor209/5090
CPU: 0 PID: 5090 Comm: syz-executor209 Not tainted 6.9.0-rc4-syzkaller-00266-g977b1ef51866 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
hfsplus_readdir+0x87b/0x1000 fs/hfsplus/dir.c:207
iterate_dir+0x295/0x9e0 fs/readdir.c:110
__do_sys_getdents64 fs/readdir.c:409 [inline]
__se_sys_getdents64 fs/readdir.c:394 [inline]
__x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f119fd6ed19
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcf59f0758 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f119fd6ed19
RDX: 00000000000000a5 RSI: 00000000200002c0 RDI: 0000000000000004
RBP: 00007f119fde25f0 R08: 000055556a1074c0 R09: 000055556a1074c0
R10: 0000000000000632 R11: 0000000000000246 R12: 00007ffcf59f0780
R13: 00007ffcf59f09a8 R14: 431bde82d7b634db R15: 00007f119fdb703b
Allocated by task 5090:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:387
kasan_kmalloc include/linux/kasan.h:211 [inline]
__do_kmalloc_node mm/slub.c:3966 [inline]
__kmalloc+0x1f9/0x440 mm/slub.c:3979
kmalloc include/linux/slab.h:632 [inline]
hfsplus_find_init+0x95/0x200 fs/hfsplus/bfind.c:21
hfsplus_readdir+0x266/0x1000 fs/hfsplus/dir.c:144
iterate_dir+0x295/0x9e0 fs/readdir.c:110
__do_sys_getdents64 fs/readdir.c:409 [inline]
__se_sys_getdents64 fs/readdir.c:394 [inline]
__x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88801d31a000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 0 bytes to the right of
allocated 1036-byte region [ffff88801d31a000, ffff88801d31a40c)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d318
head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff80000000840(slab|head|node=0|zone=1|lastcpupid=0xfff)
page_type: 0xffffffff()
raw: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
head: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000003 ffffea000074c601 dead000000000122 00000000ffffffff
head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4534, tgid 1976515163 (udevd), ts 4534, free_ts 104030928511
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d4/0x350 mm/page_alloc.c:1534
prep_new_page mm/page_alloc.c:1541 [inline]
get_page_from_freelist+0xa28/0x3780 mm/page_alloc.c:3317
__alloc_pages+0x22b/0x2460 mm/page_alloc.c:4575
__alloc_pages_node include/linux/gfp.h:238 [inline]
alloc_pages_node include/linux/gfp.h:261 [inline]
alloc_slab_page mm/slub.c:2175 [inline]
allocate_slab mm/slub.c:2338 [inline]
new_slab+0xcc/0x3a0 mm/slub.c:2391
___slab_alloc+0x66d/0x1790 mm/slub.c:3525
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3610
__slab_alloc_node mm/slub.c:3663 [inline]
slab_alloc_node mm/slub.c:3835 [inline]
__do_kmalloc_node mm/slub.c:3965 [inline]
__kmalloc+0x3b4/0x440 mm/slub.c:3979
kmalloc include/linux/slab.h:632 [inline]
sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2080
sk_alloc+0x36/0xb90 net/core/sock.c:2133
__netlink_create+0x63/0x300 net/netlink/af_netlink.c:647
netlink_create+0x3dc/0x670 net/netlink/af_netlink.c:708
__sock_create+0x331/0x800 net/socket.c:1571
sock_create net/socket.c:1622 [inline]
__sys_socket_create net/socket.c:1659 [inline]
__sys_socket+0x14f/0x260 net/socket.c:1706
__do_sys_socket net/socket.c:1720 [inline]
__se_sys_socket net/socket.c:1718 [inline]
__x64_sys_socket+0x72/0xb0 net/socket.c:1718
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5079 tgid 5079 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1141 [inline]
free_unref_page_prepare+0x527/0xb10 mm/page_alloc.c:2347
free_unref_page+0x33/0x3c0 mm/page_alloc.c:2487
__put_partials+0x14c/0x170 mm/slub.c:2906
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4e/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:322
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slub.c:3798 [inline]
slab_alloc_node mm/slub.c:3845 [inline]
kmem_cache_alloc+0x136/0x320 mm/slub.c:3852
getname_flags.part.0+0x50/0x4f0 fs/namei.c:139
getname_flags include/linux/audit.h:322 [inline]
getname+0x8f/0xe0 fs/namei.c:218
do_sys_openat2+0x104/0x1e0 fs/open.c:1400
do_sys_open fs/open.c:1421 [inline]
__do_sys_openat fs/open.c:1437 [inline]
__se_sys_openat fs/open.c:1432 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1432
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff88801d31a300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88801d31a380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88801d31a400: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88801d31a480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88801d31a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
Read of size 2 at addr ffff88801d31a40e by task syz-executor209/5090
CPU: 0 PID: 5090 Comm: syz-executor209 Tainted: G B 6.9.0-rc4-syzkaller-00266-g977b1ef51866 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
hfsplus_readdir+0x87b/0x1000 fs/hfsplus/dir.c:207
iterate_dir+0x295/0x9e0 fs/readdir.c:110
__do_sys_getdents64 fs/readdir.c:409 [inline]
__se_sys_getdents64 fs/readdir.c:394 [inline]
__x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f119fd6ed19
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcf59f0758 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f119fd6ed19
RDX: 00000000000000a5 RSI: 00000000200002c0 RDI: 0000000000000004
RBP: 00007f119fde25f0 R08: 000055556a1074c0 R09: 000055556a1074c0
R10: 0000000000000632 R11: 0000000000000246 R12: 00007ffcf59f0780
R13: 00007ffcf59f09a8 R14: 431bde82d7b634db R15: 00007f119fdb703b
Allocated by task 5090:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:387
kasan_kmalloc include/linux/kasan.h:211 [inline]
__do_kmalloc_node mm/slub.c:3966 [inline]
__kmalloc+0x1f9/0x440 mm/slub.c:3979
kmalloc include/linux/slab.h:632 [inline]
hfsplus_find_init+0x95/0x200 fs/hfsplus/bfind.c:21
hfsplus_readdir+0x266/0x1000 fs/hfsplus/dir.c:144
iterate_dir+0x295/0x9e0 fs/readdir.c:110
__do_sys_getdents64 fs/readdir.c:409 [inline]
__se_sys_getdents64 fs/readdir.c:394 [inline]
__x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88801d31a000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 2 bytes to the right of
allocated 1036-byte region [ffff88801d31a000, ffff88801d31a40c)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d318
head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff80000000840(slab|head|node=0|zone=1|lastcpupid=0xfff)
page_type: 0xffffffff()
raw: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
head: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000003 ffffea000074c601 dead000000000122 00000000ffffffff
head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4534, tgid 1976515163 (udevd), ts 4534, free_ts 104030928511
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d4/0x350 mm/page_alloc.c:1534
prep_new_page mm/page_alloc.c:1541 [inline]
get_page_from_freelist+0xa28/0x3780 mm/page_alloc.c:3317
__alloc_pages+0x22b/0x2460 mm/page_alloc.c:4575
__alloc_pages_node include/linux/gfp.h:238 [inline]
alloc_pages_node include/linux/gfp.h:261 [inline]
alloc_slab_page mm/slub.c:2175 [inline]
allocate_slab mm/slub.c:2338 [inline]
new_slab+0xcc/0x3a0 mm/slub.c:2391
___slab_alloc+0x66d/0x1790 mm/slub.c:3525
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3610
__slab_alloc_node mm/slub.c:3663 [inline]
slab_alloc_node mm/slub.c:3835 [inline]
__do_kmalloc_node mm/slub.c:3965 [inline]
__kmalloc+0x3b4/0x440 mm/slub.c:3979
kmalloc include/linux/slab.h:632 [inline]
sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2080
sk_alloc+0x36/0xb90 net/core/sock.c:2133
__netlink_create+0x63/0x300 net/netlink/af_netlink.c:647
netlink_create+0x3dc/0x670 net/netlink/af_netlink.c:708
__sock_create+0x331/0x800 net/socket.c:1571
sock_create net/socket.c:1622 [inline]
__sys_socket_create net/socket.c:1659 [inline]
__sys_socket+0x14f/0x260 net/socket.c:1706
__do_sys_socket net/socket.c:1720 [inline]
__se_sys_socket net/socket.c:1718 [inline]
__x64_sys_socket+0x72/0xb0 net/socket.c:1718
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5079 tgid 5079 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1141 [inline]
free_unref_page_prepare+0x527/0xb10 mm/page_alloc.c:2347
free_unref_page+0x33/0x3c0 mm/page_alloc.c:2487
__put_partials+0x14c/0x170 mm/slub.c:2906
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4e/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:322
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slub.c:3798 [inline]
slab_alloc_node mm/slub.c:3845 [inline]
kmem_cache_alloc+0x136/0x320 mm/slub.c:3852
getname_flags.part.0+0x50/0x4f0 fs/namei.c:139
getname_flags include/linux/audit.h:322 [inline]
getname+0x8f/0xe0 fs/namei.c:218
do_sys_openat2+0x104/0x1e0 fs/open.c:1400
do_sys_open fs/open.c:1421 [inline]
__do_sys_openat fs/open.c:1437 [inline]
__se_sys_openat fs/open.c:1432 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1432
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff88801d31a300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88801d31a380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88801d31a400: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88801d31a480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88801d31a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
Read of size 2 at addr ffff88801d31a410 by task syz-executor209/5090
CPU: 0 PID: 5090 Comm: syz-executor209 Tainted: G B 6.9.0-rc4-syzkaller-00266-g977b1ef51866 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
hfsplus_readdir+0x87b/0x1000 fs/hfsplus/dir.c:207
iterate_dir+0x295/0x9e0 fs/readdir.c:110
__do_sys_getdents64 fs/readdir.c:409 [inline]
__se_sys_getdents64 fs/readdir.c:394 [inline]
__x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f119fd6ed19
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcf59f0758 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f119fd6ed19
RDX: 00000000000000a5 RSI: 00000000200002c0 RDI: 0000000000000004
RBP: 00007f119fde25f0 R08: 000055556a1074c0 R09: 000055556a1074c0
R10: 0000000000000632 R11: 0000000000000246 R12: 00007ffcf59f0780
R13: 00007ffcf59f09a8 R14: 431bde82d7b634db R15: 00007f119fdb703b
Allocated by task 5090:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:387
kasan_kmalloc include/linux/kasan.h:211 [inline]
__do_kmalloc_node mm/slub.c:3966 [inline]
__kmalloc+0x1f9/0x440 mm/slub.c:3979
kmalloc include/linux/slab.h:632 [inline]
hfsplus_find_init+0x95/0x200 fs/hfsplus/bfind.c:21
hfsplus_readdir+0x266/0x1000 fs/hfsplus/dir.c:144
iterate_dir+0x295/0x9e0 fs/readdir.c:110
__do_sys_getdents64 fs/readdir.c:409 [inline]
__se_sys_getdents64 fs/readdir.c:394 [inline]
__x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88801d31a000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 4 bytes to the right of
allocated 1036-byte region [ffff88801d31a000, ffff88801d31a40c)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d318
head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff80000000840(slab|head|node=0|zone=1|lastcpupid=0xfff)
page_type: 0xffffffff()
raw: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
head: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000003 ffffea000074c601 dead000000000122 00000000ffffffff
head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4534, tgid 1976515163 (udevd), ts 4534, free_ts 104030928511
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d4/0x350 mm/page_alloc.c:1534
prep_new_page mm/page_alloc.c:1541 [inline]
get_page_from_freelist+0xa28/0x3780 mm/page_alloc.c:3317
__alloc_pages+0x22b/0x2460 mm/page_alloc.c:4575
__alloc_pages_node include/linux/gfp.h:238 [inline]
alloc_pages_node include/linux/gfp.h:261 [inline]
alloc_slab_page mm/slub.c:2175 [inline]
allocate_slab mm/slub.c:2338 [inline]
new_slab+0xcc/0x3a0 mm/slub.c:2391
___slab_alloc+0x66d/0x1790 mm/slub.c:3525
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3610
__slab_alloc_node mm/slub.c:3663 [inline]
slab_alloc_node mm/slub.c:3835 [inline]
__do_kmalloc_node mm/slub.c:3965 [inline]
__kmalloc+0x3b4/0x440 mm/slub.c:3979
kmalloc include/linux/slab.h:632 [inline]
sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2080
sk_alloc+0x36/0xb90 net/core/sock.c:2133
__netlink_create+0x63/0x300 net/netlink/af_netlink.c:647
netlink_create+0x3dc/0x670 net/netlink/af_netlink.c:708
__sock_create+0x331/0x800 net/socket.c:1571
sock_create net/socket.c:1622 [inline]
__sys_socket_create net/socket.c:1659 [inline]
__sys_socket+0x14f/0x260 net/socket.c:1706
__do_sys_socket net/socket.c:1720 [inline]
__se_sys_socket net/socket.c:1718 [inline]
__x64_sys_socket+0x72/0xb0 net/socket.c:1718
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5079 tgid 5079 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1141 [inline]
free_unref_page_prepare+0x527/0xb10 mm/page_alloc.c:2347
free_unref_page+0x33/0x3c0 mm/page_alloc.c:2487
__put_partials+0x14c/0x170 mm/slub.c:2906
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4e/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:322
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slub.c:3798 [inline]
slab_alloc_node mm/slub.c:3845 [inline]
kmem_cache_alloc+0x136/0x320 mm/slub.c:3852
getname_flags.part.0+0x50/0x4f0 fs/namei.c:139
getname_flags include/linux/audit.h:322 [inline]
getname+0x8f/0xe0 fs/namei.c:218
do_sys_openat2+0x104/0x1e0 fs/open.c:1400
do_sys_open fs/open.c:1421 [inline]
__do_sys_openat fs/open.c:1437 [inline]
__se_sys_openat fs/open.c:1432 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1432
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff88801d31a300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88801d31a380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88801d31a400: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88801d31a480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88801d31a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
Read of size 2 at addr ffff88801d31a412 by task syz-executor209/5090
CPU: 0 PID: 5090 Comm: syz-executor209 Tainted: G B 6.9.0-rc4-syzkaller-00266-g977b1ef51866 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
hfsplus_readdir+0x87b/0x1000 fs/hfsplus/dir.c:207
iterate_dir+0x295/0x9e0 fs/readdir.c:110
__do_sys_getdents64 fs/readdir.c:409 [inline]
__se_sys_getdents64 fs/readdir.c:394 [inline]
__x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f119fd6ed19
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcf59f0758 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f119fd6ed19
RDX: 00000000000000a5 RSI: 00000000200002c0 RDI: 0000000000000004
RBP: 00007f119fde25f0 R08: 000055556a1074c0 R09: 000055556a1074c0
R10: 0000000000000632 R11: 0000000000000246 R12: 00007ffcf59f0780
R13: 00007ffcf59f09a8 R14: 431bde82d7b634db R15: 00007f119fdb703b
Allocated by task 5090:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:387
kasan_kmalloc include/linux/kasan.h:211 [inline]
__do_kmalloc_node mm/slub.c:3966 [inline]
__kmalloc+0x1f9/0x440 mm/slub.c:3979
kmalloc include/linux/slab.h:632 [inline]
hfsplus_find_init+0x95/0x200 fs/hfsplus/bfind.c:21
hfsplus_readdir+0x266/0x1000 fs/hfsplus/dir.c:144
iterate_dir+0x295/0x9e0 fs/readdir.c:110
__do_sys_getdents64 fs/readdir.c:409 [inline]
__se_sys_getdents64 fs/readdir.c:394 [inline]
__x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88801d31a000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 6 bytes to the right of
allocated 1036-byte region [ffff88801d31a000, ffff88801d31a40c)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d318
head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff80000000840(slab|head|node=0|zone=1|lastcpupid=0xfff)
page_type: 0xffffffff()
raw: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
head: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000003 ffffea000074c601 dead000000000122 00000000ffffffff
head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4534, tgid 1976515163 (udevd), ts 4534, free_ts 104030928511
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d4/0x350 mm/page_alloc.c:1534
prep_new_page mm/page_alloc.c:1541 [inline]
get_page_from_freelist+0xa28/0x3780 mm/page_alloc.c:3317
__alloc_pages+0x22b/0x2460 mm/page_alloc.c:4575
__alloc_pages_node include/linux/gfp.h:238 [inline]
alloc_pages_node include/linux/gfp.h:261 [inline]
alloc_slab_page mm/slub.c:2175 [inline]
allocate_slab mm/slub.c:2338 [inline]
new_slab+0xcc/0x3a0 mm/slub.c:2391
___slab_alloc+0x66d/0x1790 mm/slub.c:3525
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3610
__slab_alloc_node mm/slub.c:3663 [inline]
slab_alloc_node mm/slub.c:3835 [inline]
__do_kmalloc_node mm/slub.c:3965 [inline]
__kmalloc+0x3b4/0x440 mm/slub.c:3979
kmalloc include/linux/slab.h:632 [inline]
sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2080
sk_alloc+0x36/0xb90 net/core/sock.c:2133
__netlink_create+0x63/0x300 net/netlink/af_netlink.c:647
netlink_create+0x3dc/0x670 net/netlink/af_netlink.c:708
__sock_create+0x331/0x800 net/socket.c:1571
sock_create net/socket.c:1622 [inline]
__sys_socket_create net/socket.c:1659 [inline]
__sys_socket+0x14f/0x260 net/socket.c:1706
__do_sys_socket net/socket.c:1720 [inline]
__se_sys_socket net/socket.c:1718 [inline]
__x64_sys_socket+0x72/0xb0 net/socket.c:1718
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5079 tgid 5079 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1141 [inline]
free_unref_page_prepare+0x527/0xb10 mm/page_alloc.c:2347
free_unref_page+0x33/0x3c0 mm/page_alloc.c:2487
__put_partials+0x14c/0x170 mm/slub.c:2906
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4e/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:322
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slub.c:3798 [inline]
slab_alloc_node mm/slub.c:3845 [inline]
kmem_cache_alloc+0x136/0x320 mm/slub.c:3852
getname_flags.part.0+0x50/0x4f0 fs/namei.c:139
getname_flags include/linux/audit.h:322 [inline]
getname+0x8f/0xe0 fs/namei.c:218
do_sys_openat2+0x104/0x1e0 fs/open.c:1400
do_sys_open fs/open.c:1421 [inline]
__do_sys_openat fs/open.c:1437 [inline]
__se_sys_openat fs/open.c:1432 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1432
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff88801d31a300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88801d31a380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88801d31a400: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88801d31a480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88801d31a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
Read of size 2 at addr ffff88801d31a414 by task syz-executor209/5090
CPU: 0 PID: 5090 Comm: syz-executor209 Tainted: G B 6.9.0-rc4-syzkaller-00266-g977b1ef51866 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
hfsplus_readdir+0x87b/0x1000 fs/hfsplus/dir.c:207
iterate_dir+0x295/0x9e0 fs/readdir.c:110
__do_sys_getdents64 fs/readdir.c:409 [inline]
__se_sys_getdents64 fs/readdir.c:394 [inline]
__x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f119fd6ed19
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcf59f0758 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f119fd6ed19
RDX: 00000000000000a5 RSI: 00000000200002c0 RDI: 0000000000000004
RBP: 00007f119fde25f0 R08: 000055556a1074c0 R09: 000055556a1074c0
R10: 0000000000000632 R11: 0000000000000246 R12: 00007ffcf59f0780
R13: 00007ffcf59f09a8 R14: 431bde82d7b634db R15: 00007f119fdb703b
Allocated by task 5090:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:387
kasan_kmalloc include/linux/kasan.h:211 [inline]
__do_kmalloc_node mm/slub.c:3966 [inline]
__kmalloc+0x1f9/0x440 mm/slub.c:3979
kmalloc include/linux/slab.h:632 [inline]
hfsplus_find_init+0x95/0x200 fs/hfsplus/bfind.c:21
hfsplus_readdir+0x266/0x1000 fs/hfsplus/dir.c:144
iterate_dir+0x295/0x9e0 fs/readdir.c:110
__do_sys_getdents64 fs/readdir.c:409 [inline]
__se_sys_getdents64 fs/readdir.c:394 [inline]
__x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88801d31a000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 8 bytes to the right of
allocated 1036-byte region [ffff88801d31a000, ffff88801d31a40c)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d318
head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff80000000840(slab|head|node=0|zone=1|lastcpupid=0xfff)
page_type: 0xffffffff()
raw: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
head: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000003 ffffea000074c601 dead000000000122 00000000ffffffff
head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4534, tgid 1976515163 (udevd), ts 4534, free_ts 104030928511
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d4/0x350 mm/page_alloc.c:1534
prep_new_page mm/page_alloc.c:1541 [inline]
get_page_from_freelist+0xa28/0x3780 mm/page_alloc.c:3317
__alloc_pages+0x22b/0x2460 mm/page_alloc.c:4575
__alloc_pages_node include/linux/gfp.h:238 [inline]
alloc_pages_node include/linux/gfp.h:261 [inline]
alloc_slab_page mm/slub.c:2175 [inline]
allocate_slab mm/slub.c:2338 [inline]
new_slab+0xcc/0x3a0 mm/slub.c:2391
___slab_alloc+0x66d/0x1790 mm/slub.c:3525
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3610
__slab_alloc_node mm/slub.c:3663 [inline]
slab_alloc_node mm/slub.c:3835 [inline]
__do_kmalloc_node mm/slub.c:3965 [inline]
__kmalloc+0x3b4/0x440 mm/slub.c:3979
kmalloc include/linux/slab.h:632 [inline]
sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2080
sk_alloc+0x36/0xb90 net/core/sock.c:2133
__netlink_create+0x63/0x300 net/netlink/af_netlink.c:647
netlink_create+0x3dc/0x670 net/netlink/af_netlink.c:708
__sock_create+0x331/0x800 net/socket.c:1571
sock_create net/socket.c:1622 [inline]
__sys_socket_create net/socket.c:1659 [inline]
__sys_socket+0x14f/0x260 net/socket.c:1706
__do_sys_socket net/socket.c:1720 [inline]
__se_sys_socket net/socket.c:1718 [inline]
__x64_sys_socket+0x72/0xb0 net/socket.c:1718
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5079 tgid 5079 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1141 [inline]
free_unref_page_prepare+0x527/0xb10 mm/page_alloc.c:2347
free_unref_page+0x33/0x3c0 mm/page_alloc.c:2487
__put_partials+0x14c/0x170 mm/slub.c:2906
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4e/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:322
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slub.c:3798 [inline]
slab_alloc_node mm/slub.c:3845 [inline]
kmem_cache_alloc+0x136/0x320 mm/slub.c:3852
getname_flags.part.0+0x50/0x4f0 fs/namei.c:139
getname_flags include/linux/audit.h:322 [inline]
getname+0x8f/0xe0 fs/namei.c:218
do_sys_openat2+0x104/0x1e0 fs/open.c:1400
do_sys_open fs/open.c:1421 [inline]
__do_sys_openat fs/open.c:1437 [inline]
__se_sys_openat fs/open.c:1432 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1432
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff88801d31a300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88801d31a380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88801d31a400: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88801d31a480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88801d31a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
Read of size 2 at addr ffff88801d31a416 by task syz-executor209/5090
CPU: 0 PID: 5090 Comm: syz-executor209 Tainted: G B 6.9.0-rc4-syzkaller-00266-g977b1ef51866 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
hfsplus_readdir+0x87b/0x1000 fs/hfsplus/dir.c:207
iterate_dir+0x295/0x9e0 fs/readdir.c:110
__do_sys_getdents64 fs/readdir.c:409 [inline]
__se_sys_getdents64 fs/readdir.c:394 [inline]
__x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f119fd6ed19
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcf59f0758 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f119fd6ed19
RDX: 00000000000000a5 RSI: 00000000200002c0 RDI: 0000000000000004
RBP: 00007f119fde25f0 R08: 000055556a1074c0 R09: 000055556a1074c0
R10: 0000000000000632 R11: 0000000000000246 R12: 00007ffcf59f0780
R13: 00007ffcf59f09a8 R14: 431bde82d7b634db R15: 00007f119fdb703b
Allocated by task 5090:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:387
kasan_kmalloc include/linux/kasan.h:211 [inline]
__do_kmalloc_node mm/slub.c:3966 [inline]
__kmalloc+0x1f9/0x440 mm/slub.c:3979
kmalloc include/linux/slab.h:632 [inline]
hfsplus_find_init+0x95/0x200 fs/hfsplus/bfind.c:21
hfsplus_readdir+0x266/0x1000 fs/hfsplus/dir.c:144
iterate_dir+0x295/0x9e0 fs/readdir.c:110
__do_sys_getdents64 fs/readdir.c:409 [inline]
__se_sys_getdents64 fs/readdir.c:394 [inline]
__x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88801d31a000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 10 bytes to the right of
allocated 1036-byte region [ffff88801d31a000, ffff88801d31a40c)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d318
head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff80000000840(slab|head|node=0|zone=1|lastcpupid=0xfff)
page_type: 0xffffffff()
raw: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
head: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000003 ffffea000074c601 dead000000000122 00000000ffffffff
head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4534, tgid 1976515163 (udevd), ts 4534, free_ts 104030928511
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d4/0x350 mm/page_alloc.c:1534
prep_new_page mm/page_alloc.c:1541 [inline]
get_page_from_freelist+0xa28/0x3780 mm/page_alloc.c:3317
__alloc_pages+0x22b/0x2460 mm/page_alloc.c:4575
__alloc_pages_node include/linux/gfp.h:238 [inline]
alloc_pages_node include/linux/gfp.h:261 [inline]
alloc_slab_page mm/slub.c:2175 [inline]
allocate_slab mm/slub.c:2338 [inline]
new_slab+0xcc/0x3a0 mm/slub.c:2391
___slab_alloc+0x66d/0x1790 mm/slub.c:3525
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3610
__slab_alloc_node mm/slub.c:3663 [inline]
slab_alloc_node mm/slub.c:3835 [inline]
__do_kmalloc_node mm/slub.c:3965 [inline]
__kmalloc+0x3b4/0x440 mm/slub.c:3979
kmalloc include/linux/slab.h:632 [inline]
sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2080
sk_alloc+0x36/0xb90 net/core/sock.c:2133
__netlink_create+0x63/0x300 net/netlink/af_netlink.c:647
netlink_create+0x3dc/0x670 net/netlink/af_netlink.c:708
__sock_create+0x331/0x800 net/socket.c:1571
sock_create net/socket.c:1622 [inline]
__sys_socket_create net/socket.c:1659 [inline]
__sys_socket+0x14f/0x260 net/socket.c:1706
__do_sys_socket net/socket.c:1720 [inline]
__se_sys_socket net/socket.c:1718 [inline]
__x64_sys_socket+0x72/0xb0 net/socket.c:1718
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5079 tgid 5079 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1141 [inline]
free_unref_page_prepare+0x527/0xb10 mm/page_alloc.c:2347
free_unref_page+0x33/0x3c0 mm/page_alloc.c:2487
__put_partials+0x14c/0x170 mm/slub.c:2906
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4e/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:322
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slub.c:3798 [inline]
slab_alloc_node mm/slub.c:3845 [inline]
kmem_cache_alloc+0x136/0x320 mm/slub.c:3852
getname_flags.part.0+0x50/0x4f0 fs/namei.c:139
getname_flags include/linux/audit.h:322 [inline]
getname+0x8f/0xe0 fs/namei.c:218
do_sys_openat2+0x104/0x1e0 fs/open.c:1400
do_sys_open fs/open.c:1421 [inline]
__do_sys_openat fs/open.c:1437 [inline]
__se_sys_openat fs/open.c:1432 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1432
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff88801d31a300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88801d31a380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88801d31a400: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88801d31a480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88801d31a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
Read of size 2 at addr ffff88801d31a418 by task syz-executor209/5090
CPU: 0 PID: 5090 Comm: syz-executor209 Tainted: G B 6.9.0-rc4-syzkaller-00266-g977b1ef51866 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
hfsplus_readdir+0x87b/0x1000 fs/hfsplus/dir.c:207
iterate_dir+0x295/0x9e0 fs/readdir.c:110
__do_sys_getdents64 fs/readdir.c:409 [inline]
__se_sys_getdents64 fs/readdir.c:394 [inline]
__x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f119fd6ed19
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcf59f0758 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f119fd6ed19
RDX: 00000000000000a5 RSI: 00000000200002c0 RDI: 0000000000000004
RBP: 00007f119fde25f0 R08: 000055556a1074c0 R09: 000055556a1074c0
R10: 0000000000000632 R11: 0000000000000246 R12: 00007ffcf59f0780
R13: 00007ffcf59f09a8 R14: 431bde82d7b634db R15: 00007f119fdb703b
Allocated by task 5090:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:387
kasan_kmalloc include/linux/kasan.h:211 [inline]
__do_kmalloc_node mm/slub.c:3966 [inline]
__kmalloc+0x1f9/0x440 mm/slub.c:3979
kmalloc include/linux/slab.h:632 [inline]
hfsplus_find_init+0x95/0x200 fs/hfsplus/bfind.c:21
hfsplus_readdir+0x266/0x1000 fs/hfsplus/dir.c:144
iterate_dir+0x295/0x9e0 fs/readdir.c:110
__do_sys_getdents64 fs/readdir.c:409 [inline]
__se_sys_getdents64 fs/readdir.c:394 [inline]
__x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88801d31a000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 12 bytes to the right of
allocated 1036-byte region [ffff88801d31a000, ffff88801d31a40c)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d318
head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff80000000840(slab|head|node=0|zone=1|lastcpupid=0xfff)
page_type: 0xffffffff()
raw: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
head: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000003 ffffea000074c601 dead000000000122 00000000ffffffff
head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4534, tgid 1976515163 (udevd), ts 4534, free_ts 104030928511
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d4/0x350 mm/page_alloc.c:1534
prep_new_page mm/page_alloc.c:1541 [inline]
get_page_from_freelist+0xa28/0x3780 mm/page_alloc.c:3317
__alloc_pages+0x22b/0x2460 mm/page_alloc.c:4575
__alloc_pages_node include/linux/gfp.h:238 [inline]
alloc_pages_node include/linux/gfp.h:261 [inline]
alloc_slab_page mm/slub.c:2175 [inline]
allocate_slab mm/slub.c:2338 [inline]
new_slab+0xcc/0x3a0 mm/slub.c:2391
___slab_alloc+0x66d/0x1790 mm/slub.c:3525
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3610
__slab_alloc_node mm/slub.c:3663 [inline]
slab_alloc_node mm/slub.c:3835 [inline]
__do_kmalloc_node mm/slub.c:3965 [inline]
__kmalloc+0x3b4/0x440 mm/slub.c:3979
kmalloc include/linux/slab.h:632 [inline]
sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2080
sk_alloc+0x36/0xb90 net/core/sock.c:2133
__netlink_create+0x63/0x300 net/netlink/af_netlink.c:647
netlink_create+0x3dc/0x670 net/netlink/af_netlink.c:708
__sock_create+0x331/0x800 net/socket.c:1571
sock_create net/socket.c:1622 [inline]
__sys_socket_create net/socket.c:1659 [inline]
__sys_socket+0x14f/0x260 net/socket.c:1706
__do_sys_socket net/socket.c:1720 [inline]
__se_sys_socket net/socket.c:1718 [inline]
__x64_sys_socket+0x72/0xb0 net/socket.c:1718
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5079 tgid 5079 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1141 [inline]
free_unref_page_prepare+0x527/0xb10 mm/page_alloc.c:2347
free_unref_page+0x33/0x3c0 mm/page_alloc.c:2487
__put_partials+0x14c/0x170 mm/slub.c:2906
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4e/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:322
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slub.c:3798 [inline]
slab_alloc_node mm/slub.c:3845 [inline]
kmem_cache_alloc+0x136/0x320 mm/slub.c:3852
getname_flags.part.0+0x50/0x4f0 fs/namei.c:139
getname_flags include/linux/audit.h:322 [inline]
getname+0x8f/0xe0 fs/namei.c:218
do_sys_openat2+0x104/0x1e0 fs/open.c:1400
do_sys_open fs/open.c:1421 [inline]
__do_sys_openat fs/open.c:1437 [inline]
__se_sys_openat fs/open.c:1432 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1432
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff88801d31a300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88801d31a380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88801d31a400: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88801d31a480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88801d31a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
Read of size 2 at addr ffff88801d31a41a by task syz-executor209/5090
CPU: 0 PID: 5090 Comm: syz-executor209 Tainted: G B 6.9.0-rc4-syzkaller-00266-g977b1ef51866 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
hfsplus_readdir+0x87b/0x1000 fs/hfsplus/dir.c:207
iterate_dir+0x295/0x9e0 fs/readdir.c:110
__do_sys_getdents64 fs/readdir.c:409 [inline]
__se_sys_getdents64 fs/readdir.c:394 [inline]
__x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f119fd6ed19
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcf59f0758 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f119fd6ed19
RDX: 00000000000000a5 RSI: 00000000200002c0 RDI: 0000000000000004
RBP: 00007f119fde25f0 R08: 000055556a1074c0 R09: 000055556a1074c0
R10: 0000000000000632 R11: 0000000000000246 R12: 00007ffcf59f0780
R13: 00007ffcf59f09a8 R14: 431bde82d7b634db R15: 00007f119fdb703b
Allocated by task 5090:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:387
kasan_kmalloc include/linux/kasan.h:211 [inline]
__do_kmalloc_node mm/slub.c:3966 [inline]
__kmalloc+0x1f9/0x440 mm/slub.c:3979
kmalloc include/linux/slab.h:632 [inline]
hfsplus_find_init+0x95/0x200 fs/hfsplus/bfind.c:21
hfsplus_readdir+0x266/0x1000 fs/hfsplus/dir.c:144
iterate_dir+0x295/0x9e0 fs/readdir.c:110
__do_sys_getdents64 fs/readdir.c:409 [inline]
__se_sys_getdents64 fs/readdir.c:394 [inline]
__x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88801d31a000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 14 bytes to the right of
allocated 1036-byte region [ffff88801d31a000, ffff88801d31a40c)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d318
head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff80000000840(slab|head|node=0|zone=1|lastcpupid=0xfff)
page_type: 0xffffffff()
raw: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
head: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000003 ffffea000074c601 dead000000000122 00000000ffffffff
head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4534, tgid 1976515163 (udevd), ts 4534, free_ts 104030928511
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d4/0x350 mm/page_alloc.c:1534
prep_new_page mm/page_alloc.c:1541 [inline]
get_page_from_freelist+0xa28/0x3780 mm/page_alloc.c:3317
__alloc_pages+0x22b/0x2460 mm/page_alloc.c:4575
__alloc_pages_node include/linux/gfp.h:238 [inline]
alloc_pages_node include/linux/gfp.h:261 [inline]
alloc_slab_page mm/slub.c:2175 [inline]
allocate_slab mm/slub.c:2338 [inline]
new_slab+0xcc/0x3a0 mm/slub.c:2391
___slab_alloc+0x66d/0x1790 mm/slub.c:3525
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3610
__slab_alloc_node mm/slub.c:3663 [inline]
slab_alloc_node mm/slub.c:3835 [inline]
__do_kmalloc_node mm/slub.c:3965 [inline]
__kmalloc+0x3b4/0x440 mm/slub.c:3979
kmalloc include/linux/slab.h:632 [inline]
sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2080
sk_alloc+0x36/0xb90 net/core/sock.c:2133
__netlink_create+0x63/0x300 net/netlink/af_netlink.c:647
netlink_create+0x3dc/0x670 net/netlink/af_netlink.c:708
__sock_create+0x331/0x800 net/socket.c:1571
sock_create net/socket.c:1622 [inline]
__sys_socket_create net/socket.c:1659 [inline]
__sys_socket+0x14f/0x260 net/socket.c:1706
__do_sys_socket net/socket.c:1720 [inline]
__se_sys_socket net/socket.c:1718 [inline]
__x64_sys_socket+0x72/0xb0 net/socket.c:1718
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5079 tgid 5079 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1141 [inline]
free_unref_page_prepare+0x527/0xb10 mm/page_alloc.c:2347
free_unref_page+0x33/0x3c0 mm/page_alloc.c:2487
__put_partials+0x14c/0x170 mm/slub.c:2906
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4e/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:322
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slub.c:3798 [inline]
slab_alloc_node mm/slub.c:3845 [inline]
kmem_cache_alloc+0x136/0x320 mm/slub.c:3852
getname_flags.part.0+0x50/0x4f0 fs/namei.c:139
getname_flags include/linux/audit.h:322 [inline]
getname+0x8f/0xe0 fs/namei.c:218
do_sys_openat2+0x104/0x1e0 fs/open.c:1400
do_sys_open fs/open.c:1421 [inline]
__do_sys_openat fs/open.c:1437 [inline]
__se_sys_openat fs/open.c:1432 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1432
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff88801d31a300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88801d31a380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88801d31a400: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88801d31a480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88801d31a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
Read of size 2 at addr ffff88801d31a41c by task syz-executor209/5090
CPU: 0 PID: 5090 Comm: syz-executor209 Tainted: G B 6.9.0-rc4-syzkaller-00266-g977b1ef51866 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
hfsplus_readdir+0x87b/0x1000 fs/hfsplus/dir.c:207
iterate_dir+0x295/0x9e0 fs/readdir.c:110
__do_sys_getdents64 fs/readdir.c:409 [inline]
__se_sys_getdents64 fs/readdir.c:394 [inline]
__x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f119fd6ed19
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcf59f0758 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f119fd6ed19
RDX: 00000000000000a5 RSI: 00000000200002c0 RDI: 0000000000000004
RBP: 00007f119fde25f0 R08: 000055556a1074c0 R09: 000055556a1074c0
R10: 0000000000000632 R11: 0000000000000246 R12: 00007ffcf59f0780
R13: 00007ffcf59f09a8 R14: 431bde82d7b634db R15: 00007f119fdb703b
Allocated by task 5090:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:387
kasan_kmalloc include/linux/kasan.h:211 [inline]
__do_kmalloc_node mm/slub.c:3966 [inline]
__kmalloc+0x1f9/0x440 mm/slub.c:3979
kmalloc include/linux/slab.h:632 [inline]
hfsplus_find_init+0x95/0x200 fs/hfsplus/bfind.c:21
hfsplus_readdir+0x266/0x1000 fs/hfsplus/dir.c:144
iterate_dir+0x295/0x9e0 fs/readdir.c:110
__do_sys_getdents64 fs/readdir.c:409 [inline]
__se_sys_getdents64 fs/readdir.c:394 [inline]
__x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88801d31a000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 16 bytes to the right of
allocated 1036-byte region [ffff88801d31a000, ffff88801d31a40c)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d318
head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff80000000840(slab|head|node=0|zone=1|lastcpupid=0xfff)
page_type: 0xffffffff()
raw: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
head: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000003 ffffea000074c601 dead000000000122 00000000ffffffff
head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4534, tgid 1976515163 (udevd), ts 4534, free_ts 104030928511
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d4/0x350 mm/page_alloc.c:1534
prep_new_page mm/page_alloc.c:1541 [inline]
get_page_from_freelist+0xa28/0x3780 mm/page_alloc.c:3317
__alloc_pages+0x22b/0x2460 mm/page_alloc.c:4575
__alloc_pages_node include/linux/gfp.h:238 [inline]
alloc_pages_node include/linux/gfp.h:261 [inline]
alloc_slab_page mm/slub.c:2175 [inline]
allocate_slab mm/slub.c:2338 [inline]
new_slab+0xcc/0x3a0 mm/slub.c:2391
___slab_alloc+0x66d/0x1790 mm/slub.c:3525
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3610
__slab_alloc_node mm/slub.c:3663 [inline]
slab_alloc_node mm/slub.c:3835 [inline]
__do_kmalloc_node mm/slub.c:3965 [inline]
__kmalloc+0x3b4/0x440 mm/slub.c:3979
kmalloc include/linux/slab.h:632 [inline]
sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2080
sk_alloc+0x36/0xb90 net/core/sock.c:2133
__netlink_create+0x63/0x300 net/netlink/af_netlink.c:647
netlink_create+0x3dc/0x670 net/netlink/af_netlink.c:708
__sock_create+0x331/0x800 net/socket.c:1571
sock_create net/socket.c:1622 [inline]
__sys_socket_create net/socket.c:1659 [inline]
__sys_socket+0x14f/0x260 net/socket.c:1706
__do_sys_socket net/socket.c:1720 [inline]
__se_sys_socket net/socket.c:1718 [inline]
__x64_sys_socket+0x72/0xb0 net/socket.c:1718
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5079 tgid 5079 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1141 [inline]
free_unref_page_prepare+0x527/0xb10 mm/page_alloc.c:2347
free_unref_page+0x33/0x3c0 mm/page_alloc.c:2487
__put_partials+0x14c/0x170 mm/slub.c:2906
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4e/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:322
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slub.c:3798 [inline]
slab_alloc_node mm/slub.c:3845 [inline]
kmem_cache_alloc+0x136/0x320 mm/slub.c:3852
getname_flags.part.0+0x50/0x4f0 fs/namei.c:139
getname_flags include/linux/audit.h:322 [inline]
getname+0x8f/0xe0 fs/namei.c:218
do_sys_openat2+0x104/0x1e0 fs/open.c:1400
do_sys_open fs/open.c:1421 [inline]
__do_sys_openat fs/open.c:1437 [inline]
__se_sys_openat fs/open.c:1432 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1432
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff88801d31a300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88801d31a380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88801d31a400: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88801d31a480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88801d31a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
Read of size 2 at addr ffff88801d31a41e by task syz-executor209/5090
CPU: 0 PID: 5090 Comm: syz-executor209 Tainted: G B 6.9.0-rc4-syzkaller-00266-g977b1ef51866 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
hfsplus_readdir+0x87b/0x1000 fs/hfsplus/dir.c:207
iterate_dir+0x295/0x9e0 fs/readdir.c:110
__do_sys_getdents64 fs/readdir.c:409 [inline]
__se_sys_getdents64 fs/readdir.c:394 [inline]
__x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f119fd6ed19
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcf59f0758 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f119fd6ed19
RDX: 00000000000000a5 RSI: 00000000200002c0 RDI: 0000000000000004
RBP: 00007f119fde25f0 R08: 000055556a1074c0 R09: 000055556a1074c0
R10: 0000000000000632 R11: 0000000000000246 R12: 00007ffcf59f0780
R13: 00007ffcf59f09a8 R14: 431bde82d7b634db R15: 00007f119fdb703b
Allocated by task 5090:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:387
kasan_kmalloc include/linux/kasan.h:211 [inline]
__do_kmalloc_node mm/slub.c:3966 [inline]
__kmalloc+0x1f9/0x440 mm/slub.c:3979
kmalloc include/linux/slab.h:632 [inline]
hfsplus_find_init+0x95/0x200 fs/hfsplus/bfind.c:21
hfsplus_readdir+0x266/0x1000 fs/hfsplus/dir.c:144
iterate_dir+0x295/0x9e0 fs/readdir.c:110
__do_sys_getdents64 fs/readdir.c:409 [inline]
__se_sys_getdents64 fs/readdir.c:394 [inline]
__x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88801d31a000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 18 bytes to the right of
allocated 1036-byte region [ffff88801d31a000, ffff88801d31a40c)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d318
head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff80000000840(slab|head|node=0|zone=1|lastcpupid=0xfff)
page_type: 0xffffffff()
raw: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
head: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000003 ffffea000074c601 dead000000000122 00000000ffffffff
head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4534, tgid 1976515163 (udevd), ts 4534, free_ts 104030928511
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d4/0x350 mm/page_alloc.c:1534
prep_new_page mm/page_alloc.c:1541 [inline]
get_page_from_freelist+0xa28/0x3780 mm/page_alloc.c:3317
__alloc_pages+0x22b/0x2460 mm/page_alloc.c:4575
__alloc_pages_node include/linux/gfp.h:238 [inline]
alloc_pages_node include/linux/gfp.h:261 [inline]
alloc_slab_page mm/slub.c:2175 [inline]
allocate_slab mm/slub.c:2338 [inline]
new_slab+0xcc/0x3a0 mm/slub.c:2391
___slab_alloc+0x66d/0x1790 mm/slub.c:3525
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3610
__slab_alloc_node mm/slub.c:3663 [inline]
slab_alloc_node mm/slub.c:3835 [inline]
__do_kmalloc_node mm/slub.c:3965 [inline]
__kmalloc+0x3b4/0x440 mm/slub.c:3979
kmalloc include/linux/slab.h:632 [inline]
sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2080
sk_alloc+0x36/0xb90 net/core/sock.c:2133
__netlink_create+0x63/0x300 net/netlink/af_netlink.c:647
netlink_create+0x3dc/0x670 net/netlink/af_netlink.c:708
__sock_create+0x331/0x800 net/socket.c:1571
sock_create net/socket.c:1622 [inline]
__sys_socket_create net/socket.c:1659 [inline]
__sys_socket+0x14f/0x260 net/socket.c:1706
__do_sys_socket net/socket.c:1720 [inline]
__se_sys_socket net/socket.c:1718 [inline]
__x64_sys_socket+0x72/0xb0 net/socket.c:1718
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5079 tgid 5079 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1141 [inline]
free_unref_page_prepare+0x527/0xb10 mm/page_alloc.c:2347
free_unref_page+0x33/0x3c0 mm/page_alloc.c:2487
__put_partials+0x14c/0x170 mm/slub.c:2906
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4e/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:322
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slub.c:3798 [inline]
slab_alloc_node mm/slub.c:3845 [inline]
kmem_cache_alloc+0x136/0x320 mm/slub.c:3852
getname_flags.part.0+0x50/0x4f0 fs/namei.c:139
getname_flags include/linux/audit.h:322 [inline]
getname+0x8f/0xe0 fs/namei.c:218
do_sys_openat2+0x104/0x1e0 fs/open.c:1400
do_sys_open fs/open.c:1421 [inline]
__do_sys_openat fs/open.c:1437 [inline]
__se_sys_openat fs/open.c:1432 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1432
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff88801d31a300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88801d31a380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88801d31a400: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88801d31a480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88801d31a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
Read of size 2 at addr ffff88801d31a420 by task syz-executor209/5090
CPU: 0 PID: 5090 Comm: syz-executor209 Tainted: G B 6.9.0-rc4-syzkaller-00266-g977b1ef51866 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
hfsplus_readdir+0x87b/0x1000 fs/hfsplus/dir.c:207
iterate_dir+0x295/0x9e0 fs/readdir.c:110
__do_sys_getdents64 fs/readdir.c:409 [inline]
__se_sys_getdents64 fs/readdir.c:394 [inline]
__x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f119fd6ed19
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcf59f0758 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f119fd6ed19
RDX: 00000000000000a5 RSI: 00000000200002c0 RDI: 0000000000000004
RBP: 00007f119fde25f0 R08: 000055556a1074c0 R09: 000055556a1074c0
R10: 0000000000000632 R11: 0000000000000246 R12: 00007ffcf59f0780
R13: 00007ffcf59f09a8 R14: 431bde82d7b634db R15: 00007f119fdb703b
Allocated by task 5090:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:387
kasan_kmalloc include/linux/kasan.h:211 [inline]
__do_kmalloc_node mm/slub.c:3966 [inline]
__kmalloc+0x1f9/0x440 mm/slub.c:3979
kmalloc include/linux/slab.h:632 [inline]
hfsplus_find_init+0x95/0x200 fs/hfsplus/bfind.c:21
hfsplus_readdir+0x266/0x1000 fs/hfsplus/dir.c:144
iterate_dir+0x295/0x9e0 fs/readdir.c:110
__do_sys_getdents64 fs/readdir.c:409 [inline]
__se_sys_getdents64 fs/readdir.c:394 [inline]
__x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88801d31a000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 20 bytes to the right of
allocated 1036-byte region [ffff88801d31a000, ffff88801d31a40c)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d318
head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff80000000840(slab|head|node=0|zone=1|lastcpupid=0xfff)
page_type: 0xffffffff()
raw: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
head: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000003 ffffea000074c601 dead000000000122 00000000ffffffff
head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4534, tgid 1976515163 (udevd), ts 4534, free_ts 104030928511
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d4/0x350 mm/page_alloc.c:1534
prep_new_page mm/page_alloc.c:1541 [inline]
get_page_from_freelist+0xa28/0x3780 mm/page_alloc.c:3317
__alloc_pages+0x22b/0x2460 mm/page_alloc.c:4575
__alloc_pages_node include/linux/gfp.h:238 [inline]
alloc_pages_node include/linux/gfp.h:261 [inline]
alloc_slab_page mm/slub.c:2175 [inline]
allocate_slab mm/slub.c:2338 [inline]
new_slab+0xcc/0x3a0 mm/slub.c:2391
___slab_alloc+0x66d/0x1790 mm/slub.c:3525
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3610
__slab_alloc_node mm/slub.c:3663 [inline]
slab_alloc_node mm/slub.c:3835 [inline]
__do_kmalloc_node mm/slub.c:3965 [inline]
__kmalloc+0x3b4/0x440 mm/slub.c:3979
kmalloc include/linux/slab.h:632 [inline]
sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2080
sk_alloc+0x36/0xb90 net/core/sock.c:2133
__netlink_create+0x63/0x300 net/netlink/af_netlink.c:647
netlink_create+0x3dc/0x670 net/netlink/af_netlink.c:708
__sock_create+0x331/0x800 net/socket.c:1571
sock_create net/socket.c:1622 [inline]
__sys_socket_create net/socket.c:1659 [inline]
__sys_socket+0x14f/0x260 net/socket.c:1706
__do_sys_socket net/socket.c:1720 [inline]
__se_sys_socket net/socket.c:1718 [inline]
__x64_sys_socket+0x72/0xb0 net/socket.c:1718
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5079 tgid 5079 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1141 [inline]
free_unref_page_prepare+0x527/0xb10 mm/page_alloc.c:2347
free_unref_page+0x33/0x3c0 mm/page_alloc.c:2487
__put_partials+0x14c/0x170 mm/slub.c:2906
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4e/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:322
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slub.c:3798 [inline]
slab_alloc_node mm/slub.c:3845 [inline]
kmem_cache_alloc+0x136/0x320 mm/slub.c:3852
getname_flags.part.0+0x50/0x4f0 fs/namei.c:139
getname_flags include/linux/audit.h:322 [inline]
getname+0x8f/0xe0 fs/namei.c:218
do_sys_openat2+0x104/0x1e0 fs/open.c:1400
do_sys_open fs/open.c:1421 [inline]
__do_sys_openat fs/open.c:1437 [inline]
__se_sys_openat fs/open.c:1432 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1432
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff88801d31a300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88801d31a380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88801d31a400: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88801d31a480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88801d31a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
Read of size 2 at addr ffff88801d31a422 by task syz-executor209/5090
CPU: 0 PID: 5090 Comm: syz-executor209 Tainted: G B 6.9.0-rc4-syzkaller-00266-g977b1ef51866 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
hfsplus_readdir+0x87b/0x1000 fs/hfsplus/dir.c:207
iterate_dir+0x295/0x9e0 fs/readdir.c:110
__do_sys_getdents64 fs/readdir.c:409 [inline]
__se_sys_getdents64 fs/readdir.c:394 [inline]
__x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f119fd6ed19
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcf59f0758 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f119fd6ed19
RDX: 00000000000000a5 RSI: 00000000200002c0 RDI: 0000000000000004
RBP: 00007f119fde25f0 R08: 000055556a1074c0 R09: 000055556a1074c0
R10: 0000000000000632 R11: 0000000000000246 R12: 00007ffcf59f0780
R13: 00007ffcf59f09a8 R14: 431bde82d7b634db R15: 00007f119fdb703b
Allocated by task 5090:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:387
kasan_kmalloc include/linux/kasan.h:211 [inline]
__do_kmalloc_node mm/slub.c:3966 [inline]
__kmalloc+0x1f9/0x440 mm/slub.c:3979
kmalloc include/linux/slab.h:632 [inline]
hfsplus_find_init+0x95/0x200 fs/hfsplus/bfind.c:21
hfsplus_readdir+0x266/0x1000 fs/hfsplus/dir.c:144
iterate_dir+0x295/0x9e0 fs/readdir.c:110
__do_sys_getdents64 fs/readdir.c:409 [inline]
__se_sys_getdents64 fs/readdir.c:394 [inline]
__x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88801d31a000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 22 bytes to the right of
allocated 1036-byte region [ffff88801d31a000, ffff88801d31a40c)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d318
head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff80000000840(slab|head|node=0|zone=1|lastcpupid=0xfff)
page_type: 0xffffffff()
raw: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
head: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000003 ffffea000074c601 dead000000000122 00000000ffffffff
head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4534, tgid 1976515163 (udevd), ts 4534, free_ts 104030928511
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d4/0x350 mm/page_alloc.c:1534
prep_new_page mm/page_alloc.c:1541 [inline]
get_page_from_freelist+0xa28/0x3780 mm/page_alloc.c:3317
__alloc_pages+0x22b/0x2460 mm/page_alloc.c:4575
__alloc_pages_node include/linux/gfp.h:238 [inline]
alloc_pages_node include/linux/gfp.h:261 [inline]
alloc_slab_page mm/slub.c:2175 [inline]
allocate_slab mm/slub.c:2338 [inline]
new_slab+0xcc/0x3a0 mm/slub.c:2391
___slab_alloc+0x66d/0x1790 mm/slub.c:3525
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3610
__slab_alloc_node mm/slub.c:3663 [inline]
slab_alloc_node mm/slub.c:3835 [inline]
__do_kmalloc_node mm/slub.c:3965 [inline]
__kmalloc+0x3b4/0x440 mm/slub.c:3979
kmalloc include/linux/slab.h:632 [inline]
sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2080
sk_alloc+0x36/0xb90 net/core/sock.c:2133
__netlink_create+0x63/0x300 net/netlink/af_netlink.c:647
netlink_create+0x3dc/0x670 net/netlink/af_netlink.c:708
__sock_create+0x331/0x800 net/socket.c:1571
sock_create net/socket.c:1622 [inline]
__sys_socket_create net/socket.c:1659 [inline]
__sys_socket+0x14f/0x260 net/socket.c:1706
__do_sys_socket net/socket.c:1720 [inline]
__se_sys_socket net/socket.c:1718 [inline]
__x64_sys_socket+0x72/0xb0 net/socket.c:1718
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5079 tgid 5079 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1141 [inline]
free_unref_page_prepare+0x527/0xb10 mm/page_alloc.c:2347
free_unref_page+0x33/0x3c0 mm/page_alloc.c:2487
__put_partials+0x14c/0x170 mm/slub.c:2906
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4e/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:322
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slub.c:3798 [inline]
slab_alloc_node mm/slub.c:3845 [inline]
kmem_cache_alloc+0x136/0x320 mm/slub.c:3852
getname_flags.part.0+0x50/0x4f0 fs/namei.c:139
getname_flags include/linux/audit.h:322 [inline]
getname+0x8f/0xe0 fs/namei.c:218
do_sys_openat2+0x104/0x1e0 fs/open.c:1400
do_sys_open fs/open.c:1421 [inline]
__do_sys_openat fs/open.c:1437 [inline]
__se_sys_openat fs/open.c:1432 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1432
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff88801d31a300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88801d31a380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88801d31a400: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88801d31a480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88801d31a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
Read of size 2 at addr ffff88801d31a424 by task syz-executor209/5090
CPU: 1 PID: 5090 Comm: syz-executor209 Tainted: G B 6.9.0-rc4-syzkaller-00266-g977b1ef51866 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
hfsplus_readdir+0x87b/0x1000 fs/hfsplus/dir.c:207
iterate_dir+0x295/0x9e0 fs/readdir.c:110
__do_sys_getdents64 fs/readdir.c:409 [inline]
__se_sys_getdents64 fs/readdir.c:394 [inline]
__x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f119fd6ed19
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcf59f0758 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f119fd6ed19
RDX: 00000000000000a5 RSI: 00000000200002c0 RDI: 0000000000000004
RBP: 00007f119fde25f0 R08: 000055556a1074c0 R09: 000055556a1074c0
R10: 0000000000000632 R11: 0000000000000246 R12: 00007ffcf59f0780
R13: 00007ffcf59f09a8 R14: 431bde82d7b634db R15: 00007f119fdb703b
Allocated by task 5090:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:387
kasan_kmalloc include/linux/kasan.h:211 [inline]
__do_kmalloc_node mm/slub.c:3966 [inline]
__kmalloc+0x1f9/0x440 mm/slub.c:3979
kmalloc include/linux/slab.h:632 [inline]
hfsplus_find_init+0x95/0x200 fs/hfsplus/bfind.c:21
hfsplus_readdir+0x266/0x1000 fs/hfsplus/dir.c:144
iterate_dir+0x295/0x9e0 fs/readdir.c:110
__do_sys_getdents64 fs/readdir.c:409 [inline]
__se_sys_getdents64 fs/readdir.c:394 [inline]
__x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88801d31a000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 24 bytes to the right of
allocated 1036-byte region [ffff88801d31a000, ffff88801d31a40c)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d318
head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff80000000840(slab|head|node=0|zone=1|lastcpupid=0xfff)
page_type: 0xffffffff()
raw: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
head: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000003 ffffea000074c601 dead000000000122 00000000ffffffff
head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4534, tgid 1976515163 (udevd), ts 4534, free_ts 104030928511
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d4/0x350 mm/page_alloc.c:1534
prep_new_page mm/page_alloc.c:1541 [inline]
get_page_from_freelist+0xa28/0x3780 mm/page_alloc.c:3317
__alloc_pages+0x22b/0x2460 mm/page_alloc.c:4575
__alloc_pages_node include/linux/gfp.h:238 [inline]
alloc_pages_node include/linux/gfp.h:261 [inline]
alloc_slab_page mm/slub.c:2175 [inline]
allocate_slab mm/slub.c:2338 [inline]
new_slab+0xcc/0x3a0 mm/slub.c:2391
___slab_alloc+0x66d/0x1790 mm/slub.c:3525
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3610
__slab_alloc_node mm/slub.c:3663 [inline]
slab_alloc_node mm/slub.c:3835 [inline]
__do_kmalloc_node mm/slub.c:3965 [inline]
__kmalloc+0x3b4/0x440 mm/slub.c:3979
kmalloc include/linux/slab.h:632 [inline]
sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2080
sk_alloc+0x36/0xb90 net/core/sock.c:2133
__netlink_create+0x63/0x300 net/netlink/af_netlink.c:647
netlink_create+0x3dc/0x670 net/netlink/af_netlink.c:708
__sock_create+0x331/0x800 net/socket.c:1571
sock_create net/socket.c:1622 [inline]
__sys_socket_create net/socket.c:1659 [inline]
__sys_socket+0x14f/0x260 net/socket.c:1706
__do_sys_socket net/socket.c:1720 [inline]
__se_sys_socket net/socket.c:1718 [inline]
__x64_sys_socket+0x72/0xb0 net/socket.c:1718
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5079 tgid 5079 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1141 [inline]
free_unref_page_prepare+0x527/0xb10 mm/page_alloc.c:2347
free_unref_page+0x33/0x3c0 mm/page_alloc.c:2487
__put_partials+0x14c/0x170 mm/slub.c:2906
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4e/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:322
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slub.c:3798 [inline]
slab_alloc_node mm/slub.c:3845 [inline]
kmem_cache_alloc+0x136/0x320 mm/slub.c:3852
getname_flags.part.0+0x50/0x4f0 fs/namei.c:139
getname_flags include/linux/audit.h:322 [inline]
getname+0x8f/0xe0 fs/namei.c:218
do_sys_openat2+0x104/0x1e0 fs/open.c:1400
do_sys_open fs/open.c:1421 [inline]
__do_sys_openat fs/open.c:1437 [inline]
__se_sys_openat fs/open.c:1432 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1432
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff88801d31a300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88801d31a380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88801d31a400: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88801d31a480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88801d31a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
Read of size 2 at addr ffff88801d31a426 by task syz-executor209/5090
CPU: 0 PID: 5090 Comm: syz-executor209 Tainted: G B 6.9.0-rc4-syzkaller-00266-g977b1ef51866 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
hfsplus_uni2asc+0x910/0xa20 fs/hfsplus/unicode.c:179
hfsplus_readdir+0x87b/0x1000 fs/hfsplus/dir.c:207
iterate_dir+0x295/0x9e0 fs/readdir.c:110
__do_sys_getdents64 fs/readdir.c:409 [inline]
__se_sys_getdents64 fs/readdir.c:394 [inline]
__x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f119fd6ed19
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcf59f0758 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f119fd6ed19
RDX: 00000000000000a5 RSI: 00000000200002c0 RDI: 0000000000000004
RBP: 00007f119fde25f0 R08: 000055556a1074c0 R09: 000055556a1074c0
R10: 0000000000000632 R11: 0000000000000246 R12: 00007ffcf59f0780
R13: 00007ffcf59f09a8 R14: 431bde82d7b634db R15: 00007f119fdb703b
Allocated by task 5090:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:387
kasan_kmalloc include/linux/kasan.h:211 [inline]
__do_kmalloc_node mm/slub.c:3966 [inline]
__kmalloc+0x1f9/0x440 mm/slub.c:3979
kmalloc include/linux/slab.h:632 [inline]
hfsplus_find_init+0x95/0x200 fs/hfsplus/bfind.c:21
hfsplus_readdir+0x266/0x1000 fs/hfsplus/dir.c:144
iterate_dir+0x295/0x9e0 fs/readdir.c:110
__do_sys_getdents64 fs/readdir.c:409 [inline]
__se_sys_getdents64 fs/readdir.c:394 [inline]
__x64_sys_getdents64+0x14f/0x2e0 fs/readdir.c:394
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88801d31a000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 26 bytes to the right of
allocated 1036-byte region [ffff88801d31a000, ffff88801d31a40c)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d318
head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff80000000840(slab|head|node=0|zone=1|lastcpupid=0xfff)
page_type: 0xffffffff()
raw: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000840 ffff888015042000 dead000000000122 0000000000000000
head: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
head: 00fff80000000003 ffffea000074c601 dead000000000122 00000000ffffffff
head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4534, tgid 1976515163 (udevd), ts 4534, free_ts 104030928511
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d4/0x350 mm/page_alloc.c:1534
prep_new_page mm/page_alloc.c:1541 [inline]
get_page_from_freelist+0xa28/0x3780 mm/page_alloc.c:3317
__alloc_pages+0x22b/0x2460 mm/page_alloc.c:4575
__alloc_pages_node include/linux/gfp.h:238 [inline]
alloc_pages_node include/linux/gfp.h:261 [inline]
alloc_slab_page mm/slub.c:2175 [inline]
allocate_slab mm/slub.c:2338 [inline]
new_slab+0xcc/0x3a0 mm/slub.c:2391
___slab_alloc+0x66d/0x1790 mm/slub.c:3525
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3610
__slab_alloc_node mm/slub.c:3663 [inline]
slab_alloc_node mm/slub.c:3835 [inline]
__do_kmalloc_node mm/slub.c:3965 [inline]
__kmalloc+0x3b4/0x440 mm/slub.c:3979
kmalloc include/linux/slab.h:632 [inline]
sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2080
sk_alloc+0x36/0xb90 net/core/sock.c:2133
__netlink_create+0x63/0x300 net/netlink/af_netlink.c:647
netlink_create+0x3dc/0x670 net/netlink/af_netlink.c:708
__sock_create+0x331/0x800 net/socket.c:1571
sock_create net/socket.c:1622 [inline]
__sys_socket_create net/socket.c:1659 [inline]
__sys_socket+0x14f/0x260 net/socket.c:1706
__do_sys_socket net/socket.c:1720 [inline]
__se_sys_socket net/socket.c:1718 [inline]
__x64_sys_socket+0x72/0xb0 net/socket.c:1718
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5079 tgid 5079 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1141 [inline]
free_unref_page_prepare+0x527/0xb10 mm/page_alloc.c:2347
free_unref_page+0x33/0x3c0 mm/page_alloc.c:2487
__put_partials+0x14c/0x170 mm/slub.c:2906
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4e/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:322
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slub.c:3798 [inline]
slab_alloc_node mm/slub.c:3845 [inline]
kmem_cache_alloc+0x136/0x320 mm/slub.c:3852
getname_flags.part.0+0x50/0x4f0 fs/namei.c:139
getname_flags include/linux/audit.h:322 [inline]
getname+0x8f/0xe0 fs/namei.c:218
do_sys_openat2+0x104/0x1e0 fs/open.c:1400