loop0: detected capacity change from 0 to 64 ================================================================== BUG: KASAN: slab-out-of-bounds in memcpy_from_page include/linux/highmem.h:423 [inline] BUG: KASAN: slab-out-of-bounds in hfs_bnode_read fs/hfs/bnode.c:35 [inline] BUG: KASAN: slab-out-of-bounds in hfs_bnode_read_key+0x314/0x450 fs/hfs/bnode.c:70 Write of size 94 at addr ffff888143b6ee00 by task syz-executor110/5831 CPU: 0 UID: 0 PID: 5831 Comm: syz-executor110 Not tainted 6.13.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189 __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106 memcpy_from_page include/linux/highmem.h:423 [inline] hfs_bnode_read fs/hfs/bnode.c:35 [inline] hfs_bnode_read_key+0x314/0x450 fs/hfs/bnode.c:70 hfs_brec_insert+0x7f3/0xbd0 fs/hfs/brec.c:159 hfs_cat_create+0x41d/0xa50 fs/hfs/catalog.c:118 hfs_create+0x66/0xe0 fs/hfs/dir.c:202 lookup_open fs/namei.c:3649 [inline] open_last_lookups fs/namei.c:3748 [inline] path_openat+0x1c03/0x3590 fs/namei.c:3984 do_filp_open+0x27f/0x4e0 fs/namei.c:4014 file_open_name fs/open.c:1347 [inline] filp_open+0x261/0x2d0 fs/open.c:1367 do_coredump+0x20f5/0x3100 fs/coredump.c:699 get_signal+0x140b/0x1750 kernel/signal.c:3021 arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:337 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline] irqentry_exit_to_user_mode+0x7e/0x250 kernel/entry/common.c:231 exc_page_fault+0x590/0x8b0 arch/x86/mm/fault.c:1542 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623 RIP: 0033:0x7f3c22b3881e Code: fd d7 c9 0f bc d1 c5 fe 7f 27 c5 fe 7f 6f 20 c5 fe 7f 77 40 c5 fe 7f 7f 60 49 83 c0 1f 49 29 d0 48 8d 7c 17 61 e9 d2 04 00 00 fe 6f 1e c5 fe 6f 56 20 c5 fd 74 cb c5 fd d7 d1 49 83 f8 21 0f RSP: 002b:00007f3c22aeb038 EFLAGS: 00010287 RAX: 00007f3c22aeb0d0 RBX: 0000000020000200 RCX: 0000000000000000 RDX: 00000000000000e0 RSI: 0000000000000000 RDI: 00007f3c22aeb0d0 RBP: 0000000000000000 R08: 00000000000000e0 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000020000240 R13: 00007f3c22aeb0d0 R14: 0000000000000000 R15: 0000000000000000 Allocated by task 5831: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4298 [inline] __kmalloc_noprof+0x285/0x4c0 mm/slub.c:4310 kmalloc_noprof include/linux/slab.h:905 [inline] hfs_find_init+0x90/0x1f0 fs/hfs/bfind.c:21 hfs_cat_create+0x182/0xa50 fs/hfs/catalog.c:96 hfs_create+0x66/0xe0 fs/hfs/dir.c:202 lookup_open fs/namei.c:3649 [inline] open_last_lookups fs/namei.c:3748 [inline] path_openat+0x1c03/0x3590 fs/namei.c:3984 do_filp_open+0x27f/0x4e0 fs/namei.c:4014 file_open_name fs/open.c:1347 [inline] filp_open+0x261/0x2d0 fs/open.c:1367 do_coredump+0x20f5/0x3100 fs/coredump.c:699 get_signal+0x140b/0x1750 kernel/signal.c:3021 arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:337 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline] irqentry_exit_to_user_mode+0x7e/0x250 kernel/entry/common.c:231 exc_page_fault+0x590/0x8b0 arch/x86/mm/fault.c:1542 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623 The buggy address belongs to the object at ffff888143b6ee00 which belongs to the cache kmalloc-96 of size 96 The buggy address is located 0 bytes inside of allocated 78-byte region [ffff888143b6ee00, ffff888143b6ee4e) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x143b6e flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff) page_type: f5(slab) raw: 057ff00000000000 ffff88801ac41280 dead000000000100 dead000000000122 raw: 0000000000000000 0000000080200020 00000001f5000000 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x252800(GFP_NOWAIT|__GFP_NORETRY|__GFP_COMP|__GFP_THISNODE), pid 1, tgid 1 (swapper/0), ts 7467531069, free_ts 0 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1558 prep_new_page mm/page_alloc.c:1566 [inline] get_page_from_freelist+0x3651/0x37a0 mm/page_alloc.c:3476 __alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4753 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline] alloc_slab_page+0x59/0x110 mm/slub.c:2425 allocate_slab+0x5a/0x2b0 mm/slub.c:2589 new_slab mm/slub.c:2642 [inline] ___slab_alloc+0xc27/0x14a0 mm/slub.c:3830 __slab_alloc+0x58/0xa0 mm/slub.c:3920 __slab_alloc_node mm/slub.c:3995 [inline] slab_alloc_node mm/slub.c:4156 [inline] __kmalloc_cache_node_noprof+0x294/0x3a0 mm/slub.c:4337 kmalloc_node_noprof include/linux/slab.h:924 [inline] alloc_node_nr_active kernel/workqueue.c:4870 [inline] __alloc_workqueue+0x709/0x1f20 kernel/workqueue.c:5724 alloc_workqueue+0xd6/0x210 kernel/workqueue.c:5784 nvmet_init+0xfb/0x200 drivers/nvme/target/core.c:1787 do_one_initcall+0x248/0x870 init/main.c:1266 do_initcall_level+0x157/0x210 init/main.c:1328 do_initcalls+0x3f/0x80 init/main.c:1344 kernel_init_freeable+0x435/0x5d0 init/main.c:1577 kernel_init+0x1d/0x2b0 init/main.c:1466 page_owner free stack trace missing Memory state around the buggy address: ffff888143b6ed00: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc ffff888143b6ed80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc >ffff888143b6ee00: 00 00 00 00 00 00 00 00 00 06 fc fc fc fc fc fc ^ ffff888143b6ee80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff888143b6ef00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ==================================================================