Extracting prog: 6m51.5710117s Minimizing prog: 29m58.941288433s Simplifying prog options: 0s Extracting C: 4m35.034143806s Simplifying C: 17m37.47857469s 1 programs, timeouts [30s 6m0s] extracting reproducer from 1 programs testing a last program of every proc single: executing 1 programs separately with timeout 30s testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfsplus-syz_open_dev$loop-ioctl$LOOP_SET_BLOCK_SIZE detailed listing: executing program 0: syz_mount_image$hfsplus(&(0x7f0000000000), &(0x7f0000002900)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x2000010, &(0x7f00000022c0)=ANY=[], 0x1, 0x6c9, &(0x7f00000037c0)="$eJzs3c1vHGcdB/DvrNeuN1TBaRMaoSKsRCpIEYkTK4VwwSCEcqhQVQ49W4nTWN0kVeIit0LgAoITEof+AQXJNw4IiXtQuHApt159rITEJeIQ9bJoZmftXe/6LfFb4POJxvM888w885vfPDPjXWe1Af5vXb+Q5sMUuX7hjeWyvrY6215bnX2hbm4nKcuNpNmdpbibFI+SubK96JvSNx/y8eK1tz57vPZ5t9asp2r9se22G2HEuiv1lOm6v+mRW47vdhcrdXh5McmNej5oYrd9DaxYJu18PYcj1xmyspfN93LdAsdM7+lUdJ+bQ6aSE0km698DUt8dGocX4cHY010OAAAAnlOf3jvqCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOD5U3//f1FPjXqe6RS97/+f6C2ry8fQ3K7XfHigcQAAAAAAAADA4fj6kzzJck726p2i+pv/uapyOl90ki/l/TzIQu7nYpYzn6Us5X4uJ5nq62hieX5p6f7l9S1Lo7e8MnLLK4d1xAAAAAAAAADwP+mXaW38/R8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAI6DIhnrzqrpdD3PVBrNbLRlJflnkomjjncPilELHx5+HAAAAPBMJp9imy8/yZMs52Sv3imq1/xfqV4vT+b93M1SFrOUdhZys34NXb7qb6ytzrbXVmfvlFNZH+z3+//eUxgTdQ9jVW3Uns9Wa7RyK4vVkou5UQVzM43uvs8nZ3vx9MXV56MypuJ7tV1G1qzTWu7s91u9i7Avdv9WRKtXaJY/ehmZqWMrs3Gqm4GieqMm2ZyJHc9Oc6A2VfU6vr6ny2msv/Nz+gByfqKel8fzmwPN+V6tZ6KRKhNXeqOvvGa2z0Tyjb/+6e3b7bvv3r714MLxOaQdjG2xfPOYmO3LxCvPdSaae1x/psrEmfX69fwoP8mFTOfN3M9ifpr5LGUhnbp9vh7P5c+p7TM1N1B7c6dIJurz0j1nu4lpOj+sSvM5V217Mospci83s5DXq39XcjnfztVczbW+M3xmy7irY6uu+sbmq753pv82Mvjz36wL5d3ttxt3ubntjnir0blfuvf+Mq+n+vLaHfWP19c61XcdzPRl6aVedsZHdv4098bmV+tCuY9fDT93j9BUnYnyAuo9JXrRvdzNRLN6Fg2P8z90yu3Svtvp3J5/b4v+VzbVX6vn5bBa/dpOa/eMPhX7qxwvL2WyvpMMjo6y7eX1u0xfW2djLHfbBp+45XZnqrai6F2pP869agAMX6kT9e9wwz1dqdpeGdk2W7Wd7Wsb+H0r99LOzUPIHwBP4x9vrxencmKi9a/Wp61PWr9u3W69MfmDF77zwqsTGf/7+HebM2OvNV4t/pJP8vON1/8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMDTe/DBh+/Ot9sL90cXGls3DRRa2bxkp543FYr6C332ttXxLUwmGVhSfc/RoYfR2hzGUKHzi+TQ89P7EsHR6/yuLDSHRtSowtzAkj8Pd/jRHiMsdnddHGChkcPd6VhGD4AjvCkBh+LS0p33Lj344MNvLd6Zf2fhnYW741evXpu5dvX12Uu3FtsLM92fRx0lcBA2HvpHHQkAAAAAAAAAAACwW6M+GHDuxZ0+NLKrz3j4n4UAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAvrh+Ic2HKXJ55uJMWV9bnW2XU6+8sWYzSaORFD9LikfJXLpTpvq6K/LHR+mM2M/Hi9fe+uzx2ucbfTW76yeNer617VuTrNRTppOM1fNnMNDfjWfur/hP7xjKhH3R6XTmni0+2B//DQAA///VJPUP") r0 = syz_open_dev$loop(&(0x7f00000001c0), 0x0, 0x0) ioctl$LOOP_SET_BLOCK_SIZE(r0, 0x4c09, 0x800) program did not crash single: failed to extract reproducer single: executing 1 programs separately with timeout 6m0s testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfsplus-syz_open_dev$loop-ioctl$LOOP_SET_BLOCK_SIZE detailed listing: executing program 0: syz_mount_image$hfsplus(&(0x7f0000000000), &(0x7f0000002900)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x2000010, &(0x7f00000022c0)=ANY=[], 0x1, 0x6c9, &(0x7f00000037c0)="$eJzs3c1vHGcdB/DvrNeuN1TBaRMaoSKsRCpIEYkTK4VwwSCEcqhQVQ49W4nTWN0kVeIit0LgAoITEof+AQXJNw4IiXtQuHApt159rITEJeIQ9bJoZmftXe/6LfFb4POJxvM888w885vfPDPjXWe1Af5vXb+Q5sMUuX7hjeWyvrY6215bnX2hbm4nKcuNpNmdpbibFI+SubK96JvSNx/y8eK1tz57vPZ5t9asp2r9se22G2HEuiv1lOm6v+mRW47vdhcrdXh5McmNej5oYrd9DaxYJu18PYcj1xmyspfN93LdAsdM7+lUdJ+bQ6aSE0km698DUt8dGocX4cHY010OAAAAnlOf3jvqCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOD5U3//f1FPjXqe6RS97/+f6C2ry8fQ3K7XfHigcQAAAAAAAADA4fj6kzzJck726p2i+pv/uapyOl90ki/l/TzIQu7nYpYzn6Us5X4uJ5nq62hieX5p6f7l9S1Lo7e8MnLLK4d1xAAAAAAAAADwP+mXaW38/R8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAI6DIhnrzqrpdD3PVBrNbLRlJflnkomjjncPilELHx5+HAAAAPBMJp9imy8/yZMs52Sv3imq1/xfqV4vT+b93M1SFrOUdhZys34NXb7qb6ytzrbXVmfvlFNZH+z3+//eUxgTdQ9jVW3Uns9Wa7RyK4vVkou5UQVzM43uvs8nZ3vx9MXV56MypuJ7tV1G1qzTWu7s91u9i7Avdv9WRKtXaJY/ehmZqWMrs3Gqm4GieqMm2ZyJHc9Oc6A2VfU6vr6ny2msv/Nz+gByfqKel8fzmwPN+V6tZ6KRKhNXeqOvvGa2z0Tyjb/+6e3b7bvv3r714MLxOaQdjG2xfPOYmO3LxCvPdSaae1x/psrEmfX69fwoP8mFTOfN3M9ifpr5LGUhnbp9vh7P5c+p7TM1N1B7c6dIJurz0j1nu4lpOj+sSvM5V217Mospci83s5DXq39XcjnfztVczbW+M3xmy7irY6uu+sbmq753pv82Mvjz36wL5d3ttxt3ubntjnir0blfuvf+Mq+n+vLaHfWP19c61XcdzPRl6aVedsZHdv4098bmV+tCuY9fDT93j9BUnYnyAuo9JXrRvdzNRLN6Fg2P8z90yu3Svtvp3J5/b4v+VzbVX6vn5bBa/dpOa/eMPhX7qxwvL2WyvpMMjo6y7eX1u0xfW2djLHfbBp+45XZnqrai6F2pP869agAMX6kT9e9wwz1dqdpeGdk2W7Wd7Wsb+H0r99LOzUPIHwBP4x9vrxencmKi9a/Wp61PWr9u3W69MfmDF77zwqsTGf/7+HebM2OvNV4t/pJP8vON1/8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMDTe/DBh+/Ot9sL90cXGls3DRRa2bxkp543FYr6C332ttXxLUwmGVhSfc/RoYfR2hzGUKHzi+TQ89P7EsHR6/yuLDSHRtSowtzAkj8Pd/jRHiMsdnddHGChkcPd6VhGD4AjvCkBh+LS0p33Lj344MNvLd6Zf2fhnYW741evXpu5dvX12Uu3FtsLM92fRx0lcBA2HvpHHQkAAAAAAAAAAACwW6M+GHDuxZ0+NLKrz3j4n4UAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAvrh+Ic2HKXJ55uJMWV9bnW2XU6+8sWYzSaORFD9LikfJXLpTpvq6K/LHR+mM2M/Hi9fe+uzx2ucbfTW76yeNer617VuTrNRTppOM1fNnMNDfjWfur/hP7xjKhH3R6XTmni0+2B//DQAA///VJPUP") r0 = syz_open_dev$loop(&(0x7f00000001c0), 0x0, 0x0) ioctl$LOOP_SET_BLOCK_SIZE(r0, 0x4c09, 0x800) program crashed: KASAN: slab-out-of-bounds Write in shmem_file_read_iter single: successfully extracted reproducer found reproducer with 3 syscalls minimizing guilty program testing program (duration=7m19.604731957s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfsplus-syz_open_dev$loop detailed listing: executing program 0: syz_mount_image$hfsplus(&(0x7f0000000000), &(0x7f0000002900)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x2000010, &(0x7f00000022c0)=ANY=[], 0x1, 0x6c9, &(0x7f00000037c0)="$eJzs3c1vHGcdB/DvrNeuN1TBaRMaoSKsRCpIEYkTK4VwwSCEcqhQVQ49W4nTWN0kVeIit0LgAoITEof+AQXJNw4IiXtQuHApt159rITEJeIQ9bJoZmftXe/6LfFb4POJxvM888w885vfPDPjXWe1Af5vXb+Q5sMUuX7hjeWyvrY6215bnX2hbm4nKcuNpNmdpbibFI+SubK96JvSNx/y8eK1tz57vPZ5t9asp2r9se22G2HEuiv1lOm6v+mRW47vdhcrdXh5McmNej5oYrd9DaxYJu18PYcj1xmyspfN93LdAsdM7+lUdJ+bQ6aSE0km698DUt8dGocX4cHY010OAAAAnlOf3jvqCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOD5U3//f1FPjXqe6RS97/+f6C2ry8fQ3K7XfHigcQAAAAAAAADA4fj6kzzJck726p2i+pv/uapyOl90ki/l/TzIQu7nYpYzn6Us5X4uJ5nq62hieX5p6f7l9S1Lo7e8MnLLK4d1xAAAAAAAAADwP+mXaW38/R8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAI6DIhnrzqrpdD3PVBrNbLRlJflnkomjjncPilELHx5+HAAAAPBMJp9imy8/yZMs52Sv3imq1/xfqV4vT+b93M1SFrOUdhZys34NXb7qb6ytzrbXVmfvlFNZH+z3+//eUxgTdQ9jVW3Uns9Wa7RyK4vVkou5UQVzM43uvs8nZ3vx9MXV56MypuJ7tV1G1qzTWu7s91u9i7Avdv9WRKtXaJY/ehmZqWMrs3Gqm4GieqMm2ZyJHc9Oc6A2VfU6vr6ny2msv/Nz+gByfqKel8fzmwPN+V6tZ6KRKhNXeqOvvGa2z0Tyjb/+6e3b7bvv3r714MLxOaQdjG2xfPOYmO3LxCvPdSaae1x/psrEmfX69fwoP8mFTOfN3M9ifpr5LGUhnbp9vh7P5c+p7TM1N1B7c6dIJurz0j1nu4lpOj+sSvM5V217Mospci83s5DXq39XcjnfztVczbW+M3xmy7irY6uu+sbmq753pv82Mvjz36wL5d3ttxt3ubntjnir0blfuvf+Mq+n+vLaHfWP19c61XcdzPRl6aVedsZHdv4098bmV+tCuY9fDT93j9BUnYnyAuo9JXrRvdzNRLN6Fg2P8z90yu3Svtvp3J5/b4v+VzbVX6vn5bBa/dpOa/eMPhX7qxwvL2WyvpMMjo6y7eX1u0xfW2djLHfbBp+45XZnqrai6F2pP869agAMX6kT9e9wwz1dqdpeGdk2W7Wd7Wsb+H0r99LOzUPIHwBP4x9vrxencmKi9a/Wp61PWr9u3W69MfmDF77zwqsTGf/7+HebM2OvNV4t/pJP8vON1/8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMDTe/DBh+/Ot9sL90cXGls3DRRa2bxkp543FYr6C332ttXxLUwmGVhSfc/RoYfR2hzGUKHzi+TQ89P7EsHR6/yuLDSHRtSowtzAkj8Pd/jRHiMsdnddHGChkcPd6VhGD4AjvCkBh+LS0p33Lj344MNvLd6Zf2fhnYW741evXpu5dvX12Uu3FtsLM92fRx0lcBA2HvpHHQkAAAAAAAAAAACwW6M+GHDuxZ0+NLKrz3j4n4UAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAvrh+Ic2HKXJ55uJMWV9bnW2XU6+8sWYzSaORFD9LikfJXLpTpvq6K/LHR+mM2M/Hi9fe+uzx2ucbfTW76yeNer617VuTrNRTppOM1fNnMNDfjWfur/hP7xjKhH3R6XTmni0+2B//DQAA///VJPUP") syz_open_dev$loop(&(0x7f00000001c0), 0x0, 0x0) program did not crash testing program (duration=7m19.604731957s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfsplus-ioctl$LOOP_SET_BLOCK_SIZE detailed listing: executing program 0: syz_mount_image$hfsplus(&(0x7f0000000000), &(0x7f0000002900)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x2000010, &(0x7f00000022c0)=ANY=[], 0x1, 0x6c9, &(0x7f00000037c0)="$eJzs3c1vHGcdB/DvrNeuN1TBaRMaoSKsRCpIEYkTK4VwwSCEcqhQVQ49W4nTWN0kVeIit0LgAoITEof+AQXJNw4IiXtQuHApt159rITEJeIQ9bJoZmftXe/6LfFb4POJxvM888w885vfPDPjXWe1Af5vXb+Q5sMUuX7hjeWyvrY6215bnX2hbm4nKcuNpNmdpbibFI+SubK96JvSNx/y8eK1tz57vPZ5t9asp2r9se22G2HEuiv1lOm6v+mRW47vdhcrdXh5McmNej5oYrd9DaxYJu18PYcj1xmyspfN93LdAsdM7+lUdJ+bQ6aSE0km698DUt8dGocX4cHY010OAAAAnlOf3jvqCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOD5U3//f1FPjXqe6RS97/+f6C2ry8fQ3K7XfHigcQAAAAAAAADA4fj6kzzJck726p2i+pv/uapyOl90ki/l/TzIQu7nYpYzn6Us5X4uJ5nq62hieX5p6f7l9S1Lo7e8MnLLK4d1xAAAAAAAAADwP+mXaW38/R8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAI6DIhnrzqrpdD3PVBrNbLRlJflnkomjjncPilELHx5+HAAAAPBMJp9imy8/yZMs52Sv3imq1/xfqV4vT+b93M1SFrOUdhZys34NXb7qb6ytzrbXVmfvlFNZH+z3+//eUxgTdQ9jVW3Uns9Wa7RyK4vVkou5UQVzM43uvs8nZ3vx9MXV56MypuJ7tV1G1qzTWu7s91u9i7Avdv9WRKtXaJY/ehmZqWMrs3Gqm4GieqMm2ZyJHc9Oc6A2VfU6vr6ny2msv/Nz+gByfqKel8fzmwPN+V6tZ6KRKhNXeqOvvGa2z0Tyjb/+6e3b7bvv3r714MLxOaQdjG2xfPOYmO3LxCvPdSaae1x/psrEmfX69fwoP8mFTOfN3M9ifpr5LGUhnbp9vh7P5c+p7TM1N1B7c6dIJurz0j1nu4lpOj+sSvM5V217Mospci83s5DXq39XcjnfztVczbW+M3xmy7irY6uu+sbmq753pv82Mvjz36wL5d3ttxt3ubntjnir0blfuvf+Mq+n+vLaHfWP19c61XcdzPRl6aVedsZHdv4098bmV+tCuY9fDT93j9BUnYnyAuo9JXrRvdzNRLN6Fg2P8z90yu3Svtvp3J5/b4v+VzbVX6vn5bBa/dpOa/eMPhX7qxwvL2WyvpMMjo6y7eX1u0xfW2djLHfbBp+45XZnqrai6F2pP869agAMX6kT9e9wwz1dqdpeGdk2W7Wd7Wsb+H0r99LOzUPIHwBP4x9vrxencmKi9a/Wp61PWr9u3W69MfmDF77zwqsTGf/7+HebM2OvNV4t/pJP8vON1/8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMDTe/DBh+/Ot9sL90cXGls3DRRa2bxkp543FYr6C332ttXxLUwmGVhSfc/RoYfR2hzGUKHzi+TQ89P7EsHR6/yuLDSHRtSowtzAkj8Pd/jRHiMsdnddHGChkcPd6VhGD4AjvCkBh+LS0p33Lj344MNvLd6Zf2fhnYW741evXpu5dvX12Uu3FtsLM92fRx0lcBA2HvpHHQkAAAAAAAAAAACwW6M+GHDuxZ0+NLKrz3j4n4UAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAvrh+Ic2HKXJ55uJMWV9bnW2XU6+8sWYzSaORFD9LikfJXLpTpvq6K/LHR+mM2M/Hi9fe+uzx2ucbfTW76yeNer617VuTrNRTppOM1fNnMNDfjWfur/hP7xjKhH3R6XTmni0+2B//DQAA///VJPUP") ioctl$LOOP_SET_BLOCK_SIZE(0xffffffffffffffff, 0x4c09, 0x800) program did not crash testing program (duration=7m19.604731957s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-ioctl$LOOP_SET_BLOCK_SIZE detailed listing: executing program 0: r0 = syz_open_dev$loop(&(0x7f00000001c0), 0x0, 0x0) ioctl$LOOP_SET_BLOCK_SIZE(r0, 0x4c09, 0x800) program did not crash testing program (duration=7m19.604731957s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfsplus-syz_open_dev$loop-ioctl$LOOP_SET_BLOCK_SIZE detailed listing: executing program 0: syz_mount_image$hfsplus(&(0x7f0000000000), &(0x7f0000002900)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x2000010, &(0x7f00000022c0)=ANY=[], 0x1, 0x6c9, &(0x7f00000037c0)="$eJzs3c1vHGcdB/DvrNeuN1TBaRMaoSKsRCpIEYkTK4VwwSCEcqhQVQ49W4nTWN0kVeIit0LgAoITEof+AQXJNw4IiXtQuHApt159rITEJeIQ9bJoZmftXe/6LfFb4POJxvM888w885vfPDPjXWe1Af5vXb+Q5sMUuX7hjeWyvrY6215bnX2hbm4nKcuNpNmdpbibFI+SubK96JvSNx/y8eK1tz57vPZ5t9asp2r9se22G2HEuiv1lOm6v+mRW47vdhcrdXh5McmNej5oYrd9DaxYJu18PYcj1xmyspfN93LdAsdM7+lUdJ+bQ6aSE0km698DUt8dGocX4cHY010OAAAAnlOf3jvqCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOD5U3//f1FPjXqe6RS97/+f6C2ry8fQ3K7XfHigcQAAAAAAAADA4fj6kzzJck726p2i+pv/uapyOl90ki/l/TzIQu7nYpYzn6Us5X4uJ5nq62hieX5p6f7l9S1Lo7e8MnLLK4d1xAAAAAAAAADwP+mXaW38/R8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAI6DIhnrzqrpdD3PVBrNbLRlJflnkomjjncPilELHx5+HAAAAPBMJp9imy8/yZMs52Sv3imq1/xfqV4vT+b93M1SFrOUdhZys34NXb7qb6ytzrbXVmfvlFNZH+z3+//eUxgTdQ9jVW3Uns9Wa7RyK4vVkou5UQVzM43uvs8nZ3vx9MXV56MypuJ7tV1G1qzTWu7s91u9i7Avdv9WRKtXaJY/ehmZqWMrs3Gqm4GieqMm2ZyJHc9Oc6A2VfU6vr6ny2msv/Nz+gByfqKel8fzmwPN+V6tZ6KRKhNXeqOvvGa2z0Tyjb/+6e3b7bvv3r714MLxOaQdjG2xfPOYmO3LxCvPdSaae1x/psrEmfX69fwoP8mFTOfN3M9ifpr5LGUhnbp9vh7P5c+p7TM1N1B7c6dIJurz0j1nu4lpOj+sSvM5V217Mospci83s5DXq39XcjnfztVczbW+M3xmy7irY6uu+sbmq753pv82Mvjz36wL5d3ttxt3ubntjnir0blfuvf+Mq+n+vLaHfWP19c61XcdzPRl6aVedsZHdv4098bmV+tCuY9fDT93j9BUnYnyAuo9JXrRvdzNRLN6Fg2P8z90yu3Svtvp3J5/b4v+VzbVX6vn5bBa/dpOa/eMPhX7qxwvL2WyvpMMjo6y7eX1u0xfW2djLHfbBp+45XZnqrai6F2pP869agAMX6kT9e9wwz1dqdpeGdk2W7Wd7Wsb+H0r99LOzUPIHwBP4x9vrxencmKi9a/Wp61PWr9u3W69MfmDF77zwqsTGf/7+HebM2OvNV4t/pJP8vON1/8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMDTe/DBh+/Ot9sL90cXGls3DRRa2bxkp543FYr6C332ttXxLUwmGVhSfc/RoYfR2hzGUKHzi+TQ89P7EsHR6/yuLDSHRtSowtzAkj8Pd/jRHiMsdnddHGChkcPd6VhGD4AjvCkBh+LS0p33Lj344MNvLd6Zf2fhnYW741evXpu5dvX12Uu3FtsLM92fRx0lcBA2HvpHHQkAAAAAAAAAAACwW6M+GHDuxZ0+NLKrz3j4n4UAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAvrh+Ic2HKXJ55uJMWV9bnW2XU6+8sWYzSaORFD9LikfJXLpTpvq6K/LHR+mM2M/Hi9fe+uzx2ucbfTW76yeNer617VuTrNRTppOM1fNnMNDfjWfur/hP7xjKhH3R6XTmni0+2B//DQAA///VJPUP") r0 = syz_open_dev$loop(0x0, 0x0, 0x0) ioctl$LOOP_SET_BLOCK_SIZE(r0, 0x4c09, 0x800) program did not crash extracting C reproducer testing compiled C program (duration=7m19.604731957s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfsplus-syz_open_dev$loop-ioctl$LOOP_SET_BLOCK_SIZE program crashed: KASAN: slab-out-of-bounds Write in shmem_file_read_iter simplifying C reproducer testing compiled C program (duration=7m19.604731957s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfsplus-syz_open_dev$loop-ioctl$LOOP_SET_BLOCK_SIZE program crashed: KASAN: slab-out-of-bounds Write in shmem_file_read_iter testing compiled C program (duration=7m19.604731957s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfsplus-syz_open_dev$loop-ioctl$LOOP_SET_BLOCK_SIZE program crashed: no output from test machine a never seen crash title: no output from test machine, ignore testing compiled C program (duration=7m19.604731957s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfsplus-syz_open_dev$loop-ioctl$LOOP_SET_BLOCK_SIZE program crashed: KASAN: slab-out-of-bounds Write in shmem_file_read_iter testing compiled C program (duration=7m19.604731957s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfsplus-syz_open_dev$loop-ioctl$LOOP_SET_BLOCK_SIZE program crashed: KASAN: slab-out-of-bounds Write in shmem_file_read_iter testing compiled C program (duration=7m19.604731957s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfsplus-syz_open_dev$loop-ioctl$LOOP_SET_BLOCK_SIZE program crashed: KASAN: slab-out-of-bounds Read in generic_perform_write a never seen crash title: KASAN: slab-out-of-bounds Read in generic_perform_write, ignore testing compiled C program (duration=7m19.604731957s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfsplus-syz_open_dev$loop-ioctl$LOOP_SET_BLOCK_SIZE program crashed: KASAN: slab-out-of-bounds Write in shmem_file_read_iter testing compiled C program (duration=7m19.604731957s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfsplus-syz_open_dev$loop-ioctl$LOOP_SET_BLOCK_SIZE program crashed: KASAN: slab-out-of-bounds Write in shmem_file_read_iter reproducing took 59m3.025051449s repro crashed as (corrupted=false): ================================================================== BUG: KASAN: slab-out-of-bounds in memcpy_to_iter lib/iov_iter.c:65 [inline] BUG: KASAN: slab-out-of-bounds in iterate_bvec include/linux/iov_iter.h:123 [inline] BUG: KASAN: slab-out-of-bounds in iterate_and_advance2 include/linux/iov_iter.h:304 [inline] BUG: KASAN: slab-out-of-bounds in iterate_and_advance include/linux/iov_iter.h:328 [inline] BUG: KASAN: slab-out-of-bounds in _copy_to_iter+0x81c/0x1860 lib/iov_iter.c:185 Write of size 2048 at addr ffff0000c5924000 by task kworker/u8:4/167 CPU: 1 UID: 0 PID: 167 Comm: kworker/u8:4 Tainted: G W 6.12.0-rc3-syzkaller-gc7e6f5e2fb8d #0 Tainted: [W]=WARN Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Workqueue: loop0 loop_rootcg_workfn Call trace: show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:484 (C) __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:377 [inline] print_report+0x198/0x538 mm/kasan/report.c:488 kasan_report+0xd8/0x138 mm/kasan/report.c:601 kasan_check_range+0x268/0x2a8 mm/kasan/generic.c:189 __asan_memcpy+0x54/0x84 mm/kasan/shadow.c:106 memcpy_to_iter lib/iov_iter.c:65 [inline] iterate_bvec include/linux/iov_iter.h:123 [inline] iterate_and_advance2 include/linux/iov_iter.h:304 [inline] iterate_and_advance include/linux/iov_iter.h:328 [inline] _copy_to_iter+0x81c/0x1860 lib/iov_iter.c:185 copy_page_to_iter+0x204/0x2fc lib/iov_iter.c:362 shmem_file_read_iter+0x4a4/0x9e0 mm/shmem.c:3167 do_iter_readv_writev+0x490/0x6d4 vfs_iter_read+0x138/0x3bc fs/read_write.c:923 lo_read_simple drivers/block/loop.c:283 [inline] do_req_filebacked drivers/block/loop.c:516 [inline] loop_handle_cmd drivers/block/loop.c:1910 [inline] loop_process_work+0xc3c/0x1fe8 drivers/block/loop.c:1945 loop_rootcg_workfn+0x28/0x38 drivers/block/loop.c:1976 process_one_work+0x7bc/0x1600 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x97c/0xeec kernel/workqueue.c:3391 kthread+0x288/0x310 kernel/kthread.c:389 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:862 Allocated by task 13249: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x40/0x78 mm/kasan/common.c:68 kasan_save_alloc_info+0x40/0x50 mm/kasan/generic.c:565 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:257 [inline] __do_kmalloc_node mm/slub.c:4264 [inline] __kmalloc_noprof+0x2a4/0x49c mm/slub.c:4276 kmalloc_noprof include/linux/slab.h:882 [inline] hfsplus_read_wrapper+0x38c/0xf6c fs/hfsplus/wrapper.c:182 hfsplus_fill_super+0x2f0/0x166c fs/hfsplus/super.c:419 mount_bdev+0x1d4/0x2a0 fs/super.c:1679 hfsplus_mount+0x44/0x58 fs/hfsplus/super.c:647 legacy_get_tree+0xd4/0x16c fs/fs_context.c:662 vfs_get_tree+0x90/0x28c fs/super.c:1800 do_new_mount+0x278/0x900 fs/namespace.c:3507 path_mount+0x590/0xe04 fs/namespace.c:3834 do_mount fs/namespace.c:3847 [inline] __do_sys_mount fs/namespace.c:4055 [inline] __se_sys_mount fs/namespace.c:4032 [inline] __arm64_sys_mount+0x45c/0x5a8 fs/namespace.c:4032 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600 The buggy address belongs to the object at ffff0000c5924000 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 0 bytes inside of allocated 512-byte region [ffff0000c5924000, ffff0000c5924200) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105924 head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 ksm flags: 0x5ffc00000000040(head|node=0|zone=2|lastcpupid=0x7ff) page_type: f5(slab) raw: 05ffc00000000040 ffff0000c0001c80 fffffdffc343a800 dead000000000003 raw: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000 head: 05ffc00000000040 ffff0000c0001c80 fffffdffc343a800 dead000000000003 head: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000 head: 05ffc00000000002 fffffdffc3164901 ffffffffffffffff 0000000000000000 head: ffff000000000004 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff0000c5924100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff0000c5924180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff0000c5924200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff0000c5924280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff0000c5924300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== final repro crashed as (corrupted=false): ================================================================== BUG: KASAN: slab-out-of-bounds in memcpy_to_iter lib/iov_iter.c:65 [inline] BUG: KASAN: slab-out-of-bounds in iterate_bvec include/linux/iov_iter.h:123 [inline] BUG: KASAN: slab-out-of-bounds in iterate_and_advance2 include/linux/iov_iter.h:304 [inline] BUG: KASAN: slab-out-of-bounds in iterate_and_advance include/linux/iov_iter.h:328 [inline] BUG: KASAN: slab-out-of-bounds in _copy_to_iter+0x81c/0x1860 lib/iov_iter.c:185 Write of size 2048 at addr ffff0000c5924000 by task kworker/u8:4/167 CPU: 1 UID: 0 PID: 167 Comm: kworker/u8:4 Tainted: G W 6.12.0-rc3-syzkaller-gc7e6f5e2fb8d #0 Tainted: [W]=WARN Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Workqueue: loop0 loop_rootcg_workfn Call trace: show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:484 (C) __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:377 [inline] print_report+0x198/0x538 mm/kasan/report.c:488 kasan_report+0xd8/0x138 mm/kasan/report.c:601 kasan_check_range+0x268/0x2a8 mm/kasan/generic.c:189 __asan_memcpy+0x54/0x84 mm/kasan/shadow.c:106 memcpy_to_iter lib/iov_iter.c:65 [inline] iterate_bvec include/linux/iov_iter.h:123 [inline] iterate_and_advance2 include/linux/iov_iter.h:304 [inline] iterate_and_advance include/linux/iov_iter.h:328 [inline] _copy_to_iter+0x81c/0x1860 lib/iov_iter.c:185 copy_page_to_iter+0x204/0x2fc lib/iov_iter.c:362 shmem_file_read_iter+0x4a4/0x9e0 mm/shmem.c:3167 do_iter_readv_writev+0x490/0x6d4 vfs_iter_read+0x138/0x3bc fs/read_write.c:923 lo_read_simple drivers/block/loop.c:283 [inline] do_req_filebacked drivers/block/loop.c:516 [inline] loop_handle_cmd drivers/block/loop.c:1910 [inline] loop_process_work+0xc3c/0x1fe8 drivers/block/loop.c:1945 loop_rootcg_workfn+0x28/0x38 drivers/block/loop.c:1976 process_one_work+0x7bc/0x1600 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x97c/0xeec kernel/workqueue.c:3391 kthread+0x288/0x310 kernel/kthread.c:389 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:862 Allocated by task 13249: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x40/0x78 mm/kasan/common.c:68 kasan_save_alloc_info+0x40/0x50 mm/kasan/generic.c:565 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:257 [inline] __do_kmalloc_node mm/slub.c:4264 [inline] __kmalloc_noprof+0x2a4/0x49c mm/slub.c:4276 kmalloc_noprof include/linux/slab.h:882 [inline] hfsplus_read_wrapper+0x38c/0xf6c fs/hfsplus/wrapper.c:182 hfsplus_fill_super+0x2f0/0x166c fs/hfsplus/super.c:419 mount_bdev+0x1d4/0x2a0 fs/super.c:1679 hfsplus_mount+0x44/0x58 fs/hfsplus/super.c:647 legacy_get_tree+0xd4/0x16c fs/fs_context.c:662 vfs_get_tree+0x90/0x28c fs/super.c:1800 do_new_mount+0x278/0x900 fs/namespace.c:3507 path_mount+0x590/0xe04 fs/namespace.c:3834 do_mount fs/namespace.c:3847 [inline] __do_sys_mount fs/namespace.c:4055 [inline] __se_sys_mount fs/namespace.c:4032 [inline] __arm64_sys_mount+0x45c/0x5a8 fs/namespace.c:4032 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600 The buggy address belongs to the object at ffff0000c5924000 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 0 bytes inside of allocated 512-byte region [ffff0000c5924000, ffff0000c5924200) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105924 head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 ksm flags: 0x5ffc00000000040(head|node=0|zone=2|lastcpupid=0x7ff) page_type: f5(slab) raw: 05ffc00000000040 ffff0000c0001c80 fffffdffc343a800 dead000000000003 raw: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000 head: 05ffc00000000040 ffff0000c0001c80 fffffdffc343a800 dead000000000003 head: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000 head: 05ffc00000000002 fffffdffc3164901 ffffffffffffffff 0000000000000000 head: ffff000000000004 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff0000c5924100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff0000c5924180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff0000c5924200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff0000c5924280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff0000c5924300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ==================================================================