Extracting prog: 1m54.997719392s
Minimizing prog: 5m18.003088857s
Simplifying prog options: 0s
Extracting C: 38.170294885s
Simplifying C: 15m32.103331779s


1 programs, timeouts [30s 6m0s]
extracting reproducer from 1 programs
testing a last program of every proc
single: executing 1 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfsplus-syz_open_dev$loop-ioctl$LOOP_SET_BLOCK_SIZE
detailed listing:
executing program 0:
syz_mount_image$hfsplus(&(0x7f0000000100), &(0x7f00000002c0)='./file0\x00', 0x814054, &(0x7f00000003c0)=ANY=[], 0xfd, 0x678, &(0x7f0000000980)="$eJzs3U1oHOcZB/D/rFay1gFF+XJMCdTEkJaa2pKF07oU4pZSVAglpIdeK2I5Fl4rrqQUxZRG/aLXHnotpBT10p5aeikUDOm5veVWdAwUesnJzaFTZnZWWsmSvI4tS2p+PzH7vjPvzDvPPDufK5YN8Kk1ey7tOykye+7V1Wp8Y2Smu7E+c7Our890k5xI0kravSLFYlK8n1xJvtfud1PsKLfpT/zgo40Pe7Xb/xxoaiWdh9yKtWbImSQjvXL8UfX3RlN+csVmEq4kOduUcOhGk5TbfP/UVstuypGBkV2Pd+B4KXrXzXtMJifTu5hW9wG9q2LvRuBYWzvsAAAAAOAxePLuu8lqJg47DgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADgO+r+D3/z+f9EMrX79TIr+7/+PNdPS1I+mISO70zroQAAAAAAAAADg4H12JL9/vSwn+uNlUf/P/8V65Nn69Ym8neXMZynns5q5rGQlS5lOMjnQ0djq3MrK0nQ2ekt+XJblHkte3HXJX391uIA7j2SzAQAAAAAAAOAYKfZrfKUpf5LZTDyeeAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYDhFMtIr6uHZfn0yrXaS8SRj1XxryT/69eOg6BVrO6ffOYRYAAAA4HF78m7uZjUT/fGyqJ/5T9WPzON5O4tZyUJW0s18rjaP0dVTf2tjfaa7sT5zsxru7fdr/96q/2nivmHUPab32cPuaz5dz9HJtSzUU87njbyVbq6mVS9ZOd2PZ/e4flzFVLzSGDJBV5uy2vJfbn2QcARM1hkZ3czIVBNblY2n9s/E4LvzCdY0ndbmJz/PPrKcF/8ty17tZH9K8sS37p/z0QfamIeyMxMXB/a+U/tnIvncn//w3evdxRvXry2fOzq70QM4UfbfoXszMTOQief/7zMxaCqjaeW5zfHZfDPfybmcyWtZKov8IHNZyXzO5Bt1ba7Zn6vXyf0zdWXb2Gv7BNFJcxad3DyL7hlTFnaJ6cV62Yks5Nt5K1czn5frv4uZzpdyKZdyeeAdfm6Io771YGfas58f2JRf9DfpSKjy+tRAXgfPuZN12+CUVsoTveWefvTXo/ZnVtNEkfy0KY+GnZmYHthfntk/E7+pTyvL3cUbS9fnbg25vpeasjqOfn6krszV/vL0b9tp12NNTop2fa6o2p6p3sjBtiZfY81/XHptrZ1tv+tstm0dqSPNOrcfqWPNPdy9PV2s257ftW2mbjs90Fbdb43WbR+XZdm73wLgyDv5hZNjnX91/t55r/OzzvXOq+NfP/HlEy+MZfRvo19pT4281Hqh+GPey49y/yd0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAADgvpbfuX1jrtudX9pRKcvy3T2aDqSSdrJtyl//MjBP/xf8h++wmvtKK3kswX9qK+N77j87K/8py/JoxDxMpWwclXgOo3LYZybgoF1YuXnrwvI7t7+4cHPuzfk35xcvX7p0eerypZdnLlxb6M5P9V4PO0rgIAzcgQMAAAAAAAAAAADHxHBfzike7rs9AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA9h9lzad1Jkeur8VDW+sT7TrYZ+fWvOdpJWkuKHSfF+ciW9IZMD3RV7redXC5df/+CjjQ+3+mr352/tt9xw1pohZ5KMNOUuxh+sv6Lu59be/Q2p2NzCKmFn+4mDw/a/AAAA////Gh1s")
r0 = syz_open_dev$loop(&(0x7f00000001c0), 0x0, 0x0)
ioctl$LOOP_SET_BLOCK_SIZE(r0, 0x4c09, 0x800)

program crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
single: successfully extracted reproducer
found reproducer with 3 syscalls
minimizing guilty program
testing program (duration=52.770190374s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfsplus-syz_open_dev$loop
detailed listing:
executing program 0:
syz_mount_image$hfsplus(&(0x7f0000000100), &(0x7f00000002c0)='./file0\x00', 0x814054, &(0x7f00000003c0)=ANY=[], 0xfd, 0x678, &(0x7f0000000980)="$eJzs3U1oHOcZB/D/rFay1gFF+XJMCdTEkJaa2pKF07oU4pZSVAglpIdeK2I5Fl4rrqQUxZRG/aLXHnotpBT10p5aeikUDOm5veVWdAwUesnJzaFTZnZWWsmSvI4tS2p+PzH7vjPvzDvPPDufK5YN8Kk1ey7tOykye+7V1Wp8Y2Smu7E+c7Our890k5xI0kravSLFYlK8n1xJvtfud1PsKLfpT/zgo40Pe7Xb/xxoaiWdh9yKtWbImSQjvXL8UfX3RlN+csVmEq4kOduUcOhGk5TbfP/UVstuypGBkV2Pd+B4KXrXzXtMJifTu5hW9wG9q2LvRuBYWzvsAAAAAOAxePLuu8lqJg47DgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADgO+r+D3/z+f9EMrX79TIr+7/+PNdPS1I+mISO70zroQAAAAAAAAADg4H12JL9/vSwn+uNlUf/P/8V65Nn69Ym8neXMZynns5q5rGQlS5lOMjnQ0djq3MrK0nQ2ekt+XJblHkte3HXJX391uIA7j2SzAQAAAAAAAOAYKfZrfKUpf5LZTDyeeAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYDhFMtIr6uHZfn0yrXaS8SRj1XxryT/69eOg6BVrO6ffOYRYAAAA4HF78m7uZjUT/fGyqJ/5T9WPzON5O4tZyUJW0s18rjaP0dVTf2tjfaa7sT5zsxru7fdr/96q/2nivmHUPab32cPuaz5dz9HJtSzUU87njbyVbq6mVS9ZOd2PZ/e4flzFVLzSGDJBV5uy2vJfbn2QcARM1hkZ3czIVBNblY2n9s/E4LvzCdY0ndbmJz/PPrKcF/8ty17tZH9K8sS37p/z0QfamIeyMxMXB/a+U/tnIvncn//w3evdxRvXry2fOzq70QM4UfbfoXszMTOQief/7zMxaCqjaeW5zfHZfDPfybmcyWtZKov8IHNZyXzO5Bt1ba7Zn6vXyf0zdWXb2Gv7BNFJcxad3DyL7hlTFnaJ6cV62Yks5Nt5K1czn5frv4uZzpdyKZdyeeAdfm6Io771YGfas58f2JRf9DfpSKjy+tRAXgfPuZN12+CUVsoTveWefvTXo/ZnVtNEkfy0KY+GnZmYHthfntk/E7+pTyvL3cUbS9fnbg25vpeasjqOfn6krszV/vL0b9tp12NNTop2fa6o2p6p3sjBtiZfY81/XHptrZ1tv+tstm0dqSPNOrcfqWPNPdy9PV2s257ftW2mbjs90Fbdb43WbR+XZdm73wLgyDv5hZNjnX91/t55r/OzzvXOq+NfP/HlEy+MZfRvo19pT4281Hqh+GPey49y/yd0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAADgvpbfuX1jrtudX9pRKcvy3T2aDqSSdrJtyl//MjBP/xf8h++wmvtKK3kswX9qK+N77j87K/8py/JoxDxMpWwclXgOo3LYZybgoF1YuXnrwvI7t7+4cHPuzfk35xcvX7p0eerypZdnLlxb6M5P9V4PO0rgIAzcgQMAAAAAAAAAAADHxHBfzike7rs9AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA9h9lzad1Jkeur8VDW+sT7TrYZ+fWvOdpJWkuKHSfF+ciW9IZMD3RV7redXC5df/+CjjQ+3+mr352/tt9xw1pohZ5KMNOUuxh+sv6Lu59be/Q2p2NzCKmFn+4mDw/a/AAAA////Gh1s")
syz_open_dev$loop(&(0x7f00000001c0), 0x0, 0x0)

program did not crash
testing program (duration=52.770190374s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfsplus-ioctl$LOOP_SET_BLOCK_SIZE
detailed listing:
executing program 0:
syz_mount_image$hfsplus(&(0x7f0000000100), &(0x7f00000002c0)='./file0\x00', 0x814054, &(0x7f00000003c0)=ANY=[], 0xfd, 0x678, &(0x7f0000000980)="$eJzs3U1oHOcZB/D/rFay1gFF+XJMCdTEkJaa2pKF07oU4pZSVAglpIdeK2I5Fl4rrqQUxZRG/aLXHnotpBT10p5aeikUDOm5veVWdAwUesnJzaFTZnZWWsmSvI4tS2p+PzH7vjPvzDvPPDufK5YN8Kk1ey7tOykye+7V1Wp8Y2Smu7E+c7Our890k5xI0kravSLFYlK8n1xJvtfud1PsKLfpT/zgo40Pe7Xb/xxoaiWdh9yKtWbImSQjvXL8UfX3RlN+csVmEq4kOduUcOhGk5TbfP/UVstuypGBkV2Pd+B4KXrXzXtMJifTu5hW9wG9q2LvRuBYWzvsAAAAAOAxePLuu8lqJg47DgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADgO+r+D3/z+f9EMrX79TIr+7/+PNdPS1I+mISO70zroQAAAAAAAAADg4H12JL9/vSwn+uNlUf/P/8V65Nn69Ym8neXMZynns5q5rGQlS5lOMjnQ0djq3MrK0nQ2ekt+XJblHkte3HXJX391uIA7j2SzAQAAAAAAAOAYKfZrfKUpf5LZTDyeeAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYDhFMtIr6uHZfn0yrXaS8SRj1XxryT/69eOg6BVrO6ffOYRYAAAA4HF78m7uZjUT/fGyqJ/5T9WPzON5O4tZyUJW0s18rjaP0dVTf2tjfaa7sT5zsxru7fdr/96q/2nivmHUPab32cPuaz5dz9HJtSzUU87njbyVbq6mVS9ZOd2PZ/e4flzFVLzSGDJBV5uy2vJfbn2QcARM1hkZ3czIVBNblY2n9s/E4LvzCdY0ndbmJz/PPrKcF/8ty17tZH9K8sS37p/z0QfamIeyMxMXB/a+U/tnIvncn//w3evdxRvXry2fOzq70QM4UfbfoXszMTOQief/7zMxaCqjaeW5zfHZfDPfybmcyWtZKov8IHNZyXzO5Bt1ba7Zn6vXyf0zdWXb2Gv7BNFJcxad3DyL7hlTFnaJ6cV62Yks5Nt5K1czn5frv4uZzpdyKZdyeeAdfm6Io771YGfas58f2JRf9DfpSKjy+tRAXgfPuZN12+CUVsoTveWefvTXo/ZnVtNEkfy0KY+GnZmYHthfntk/E7+pTyvL3cUbS9fnbg25vpeasjqOfn6krszV/vL0b9tp12NNTop2fa6o2p6p3sjBtiZfY81/XHptrZ1tv+tstm0dqSPNOrcfqWPNPdy9PV2s257ftW2mbjs90Fbdb43WbR+XZdm73wLgyDv5hZNjnX91/t55r/OzzvXOq+NfP/HlEy+MZfRvo19pT4281Hqh+GPey49y/yd0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAADgvpbfuX1jrtudX9pRKcvy3T2aDqSSdrJtyl//MjBP/xf8h++wmvtKK3kswX9qK+N77j87K/8py/JoxDxMpWwclXgOo3LYZybgoF1YuXnrwvI7t7+4cHPuzfk35xcvX7p0eerypZdnLlxb6M5P9V4PO0rgIAzcgQMAAAAAAAAAAADHxHBfzike7rs9AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA9h9lzad1Jkeur8VDW+sT7TrYZ+fWvOdpJWkuKHSfF+ciW9IZMD3RV7redXC5df/+CjjQ+3+mr352/tt9xw1pohZ5KMNOUuxh+sv6Lu59be/Q2p2NzCKmFn+4mDw/a/AAAA////Gh1s")
ioctl$LOOP_SET_BLOCK_SIZE(0xffffffffffffffff, 0x4c09, 0x800)

program did not crash
testing program (duration=52.770190374s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-ioctl$LOOP_SET_BLOCK_SIZE
detailed listing:
executing program 0:
r0 = syz_open_dev$loop(&(0x7f00000001c0), 0x0, 0x0)
ioctl$LOOP_SET_BLOCK_SIZE(r0, 0x4c09, 0x800)

program did not crash
testing program (duration=52.770190374s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfsplus-syz_open_dev$loop-ioctl$LOOP_SET_BLOCK_SIZE
detailed listing:
executing program 0:
syz_mount_image$hfsplus(&(0x7f0000000100), &(0x7f00000002c0)='./file0\x00', 0x814054, &(0x7f00000003c0)=ANY=[], 0xfd, 0x678, &(0x7f0000000980)="$eJzs3U1oHOcZB/D/rFay1gFF+XJMCdTEkJaa2pKF07oU4pZSVAglpIdeK2I5Fl4rrqQUxZRG/aLXHnotpBT10p5aeikUDOm5veVWdAwUesnJzaFTZnZWWsmSvI4tS2p+PzH7vjPvzDvPPDufK5YN8Kk1ey7tOykye+7V1Wp8Y2Smu7E+c7Our890k5xI0kravSLFYlK8n1xJvtfud1PsKLfpT/zgo40Pe7Xb/xxoaiWdh9yKtWbImSQjvXL8UfX3RlN+csVmEq4kOduUcOhGk5TbfP/UVstuypGBkV2Pd+B4KXrXzXtMJifTu5hW9wG9q2LvRuBYWzvsAAAAAOAxePLuu8lqJg47DgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADgO+r+D3/z+f9EMrX79TIr+7/+PNdPS1I+mISO70zroQAAAAAAAAADg4H12JL9/vSwn+uNlUf/P/8V65Nn69Ym8neXMZynns5q5rGQlS5lOMjnQ0djq3MrK0nQ2ekt+XJblHkte3HXJX391uIA7j2SzAQAAAAAAAOAYKfZrfKUpf5LZTDyeeAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYDhFMtIr6uHZfn0yrXaS8SRj1XxryT/69eOg6BVrO6ffOYRYAAAA4HF78m7uZjUT/fGyqJ/5T9WPzON5O4tZyUJW0s18rjaP0dVTf2tjfaa7sT5zsxru7fdr/96q/2nivmHUPab32cPuaz5dz9HJtSzUU87njbyVbq6mVS9ZOd2PZ/e4flzFVLzSGDJBV5uy2vJfbn2QcARM1hkZ3czIVBNblY2n9s/E4LvzCdY0ndbmJz/PPrKcF/8ty17tZH9K8sS37p/z0QfamIeyMxMXB/a+U/tnIvncn//w3evdxRvXry2fOzq70QM4UfbfoXszMTOQief/7zMxaCqjaeW5zfHZfDPfybmcyWtZKov8IHNZyXzO5Bt1ba7Zn6vXyf0zdWXb2Gv7BNFJcxad3DyL7hlTFnaJ6cV62Yks5Nt5K1czn5frv4uZzpdyKZdyeeAdfm6Io771YGfas58f2JRf9DfpSKjy+tRAXgfPuZN12+CUVsoTveWefvTXo/ZnVtNEkfy0KY+GnZmYHthfntk/E7+pTyvL3cUbS9fnbg25vpeasjqOfn6krszV/vL0b9tp12NNTop2fa6o2p6p3sjBtiZfY81/XHptrZ1tv+tstm0dqSPNOrcfqWPNPdy9PV2s257ftW2mbjs90Fbdb43WbR+XZdm73wLgyDv5hZNjnX91/t55r/OzzvXOq+NfP/HlEy+MZfRvo19pT4281Hqh+GPey49y/yd0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAADgvpbfuX1jrtudX9pRKcvy3T2aDqSSdrJtyl//MjBP/xf8h++wmvtKK3kswX9qK+N77j87K/8py/JoxDxMpWwclXgOo3LYZybgoF1YuXnrwvI7t7+4cHPuzfk35xcvX7p0eerypZdnLlxb6M5P9V4PO0rgIAzcgQMAAAAAAAAAAADHxHBfzike7rs9AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA9h9lzad1Jkeur8VDW+sT7TrYZ+fWvOdpJWkuKHSfF+ciW9IZMD3RV7redXC5df/+CjjQ+3+mr352/tt9xw1pohZ5KMNOUuxh+sv6Lu59be/Q2p2NzCKmFn+4mDw/a/AAAA////Gh1s")
r0 = syz_open_dev$loop(0x0, 0x0, 0x0)
ioctl$LOOP_SET_BLOCK_SIZE(r0, 0x4c09, 0x800)

program did not crash
extracting C reproducer
testing compiled C program (duration=52.770190374s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfsplus-syz_open_dev$loop-ioctl$LOOP_SET_BLOCK_SIZE
program crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
simplifying C reproducer
testing compiled C program (duration=52.770190374s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfsplus-syz_open_dev$loop-ioctl$LOOP_SET_BLOCK_SIZE
program crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
testing compiled C program (duration=52.770190374s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfsplus-syz_open_dev$loop-ioctl$LOOP_SET_BLOCK_SIZE
program crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
testing compiled C program (duration=52.770190374s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfsplus-syz_open_dev$loop-ioctl$LOOP_SET_BLOCK_SIZE
program did not crash
testing compiled C program (duration=52.770190374s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfsplus-syz_open_dev$loop-ioctl$LOOP_SET_BLOCK_SIZE
program did not crash
testing compiled C program (duration=52.770190374s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfsplus-syz_open_dev$loop-ioctl$LOOP_SET_BLOCK_SIZE
program crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
testing compiled C program (duration=52.770190374s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfsplus-syz_open_dev$loop-ioctl$LOOP_SET_BLOCK_SIZE
program crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
testing compiled C program (duration=52.770190374s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfsplus-syz_open_dev$loop-ioctl$LOOP_SET_BLOCK_SIZE
program crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
testing compiled C program (duration=52.770190374s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfsplus-syz_open_dev$loop-ioctl$LOOP_SET_BLOCK_SIZE
program crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
testing compiled C program (duration=52.770190374s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfsplus-syz_open_dev$loop-ioctl$LOOP_SET_BLOCK_SIZE
program crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
testing compiled C program (duration=52.770190374s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfsplus-syz_open_dev$loop-ioctl$LOOP_SET_BLOCK_SIZE
program crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
testing compiled C program (duration=52.770190374s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfsplus-syz_open_dev$loop-ioctl$LOOP_SET_BLOCK_SIZE
program crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
testing compiled C program (duration=52.770190374s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:false HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfsplus-syz_open_dev$loop-ioctl$LOOP_SET_BLOCK_SIZE
program crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
testing compiled C program (duration=52.770190374s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfsplus-syz_open_dev$loop-ioctl$LOOP_SET_BLOCK_SIZE
program crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
testing compiled C program (duration=52.770190374s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:true UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfsplus-syz_open_dev$loop-ioctl$LOOP_SET_BLOCK_SIZE
program crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
testing compiled C program (duration=52.770190374s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$hfsplus-syz_open_dev$loop-ioctl$LOOP_SET_BLOCK_SIZE
program crashed: KASAN: slab-out-of-bounds Read in generic_perform_write
reproducing took 23m23.274454853s
repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: slab-out-of-bounds in copy_page_from_iter_atomic+0x8e3/0x1230 lib/iov_iter.c:978
Read of size 2048 at addr ffff888028c9e000 by task kworker/u4:2/154

CPU: 0 PID: 154 Comm: kworker/u4:2 Not tainted 5.15.166-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Workqueue: loop0 loop_rootcg_workfn
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2d0 lib/dump_stack.c:106
 print_address_description+0x63/0x3b0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0x16b/0x1c0 mm/kasan/report.c:451
 kasan_check_range+0x27e/0x290 mm/kasan/generic.c:189
 memcpy+0x25/0x60 mm/kasan/shadow.c:65
 copy_page_from_iter_atomic+0x8e3/0x1230 lib/iov_iter.c:978
 generic_perform_write+0x33a/0x5b0 mm/filemap.c:3793
 __generic_file_write_iter+0x243/0x4f0 mm/filemap.c:3912
 generic_file_write_iter+0xa7/0x1b0 mm/filemap.c:3944
 do_iter_readv_writev+0x594/0x7a0
 do_iter_write+0x1e6/0x760 fs/read_write.c:855
 lo_write_bvec+0x297/0x740 drivers/block/loop.c:316
 lo_write_simple drivers/block/loop.c:338 [inline]
 do_req_filebacked drivers/block/loop.c:656 [inline]
 loop_handle_cmd drivers/block/loop.c:2234 [inline]
 loop_process_work+0x2309/0x2af0 drivers/block/loop.c:2274
 process_one_work+0x8a1/0x10c0 kernel/workqueue.c:2310
 worker_thread+0xaca/0x1280 kernel/workqueue.c:2457
 kthread+0x3f6/0x4f0 kernel/kthread.c:334
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287
 </TASK>

Allocated by task 3563:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc+0xba/0xf0 mm/kasan/common.c:513
 kasan_kmalloc include/linux/kasan.h:264 [inline]
 __kmalloc+0x168/0x300 mm/slub.c:4407
 kmalloc include/linux/slab.h:596 [inline]
 hfsplus_read_wrapper+0x4e3/0x13b0 fs/hfsplus/wrapper.c:180
 hfsplus_fill_super+0x38a/0x1c90 fs/hfsplus/super.c:413
 mount_bdev+0x2c9/0x3f0 fs/super.c:1398
 legacy_get_tree+0xeb/0x180 fs/fs_context.c:611
 vfs_get_tree+0x88/0x270 fs/super.c:1528
 do_new_mount+0x2ba/0xb40 fs/namespace.c:3005
 do_mount fs/namespace.c:3348 [inline]
 __do_sys_mount fs/namespace.c:3556 [inline]
 __se_sys_mount+0x2d5/0x3c0 fs/namespace.c:3533
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0

The buggy address belongs to the object at ffff888028c9e000
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 0 bytes inside of
 512-byte region [ffff888028c9e000, ffff888028c9e200)
The buggy address belongs to the page:
page:ffffea0000a32700 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x28c9c
head:ffffea0000a32700 order:2 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888017041c80
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3563, ts 46370829577, free_ts 36882141059
 prep_new_page mm/page_alloc.c:2426 [inline]
 get_page_from_freelist+0x322a/0x33c0 mm/page_alloc.c:4159
 __alloc_pages+0x272/0x700 mm/page_alloc.c:5423
 alloc_slab_page mm/slub.c:1775 [inline]
 allocate_slab mm/slub.c:1912 [inline]
 new_slab+0xbb/0x4b0 mm/slub.c:1975
 ___slab_alloc+0x6f6/0xe10 mm/slub.c:3008
 __slab_alloc mm/slub.c:3095 [inline]
 slab_alloc_node mm/slub.c:3186 [inline]
 slab_alloc mm/slub.c:3228 [inline]
 kmem_cache_alloc_trace+0x1a0/0x290 mm/slub.c:3245
 kmalloc include/linux/slab.h:591 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 binderfs_binder_ctl_create drivers/android/binderfs.c:418 [inline]
 binderfs_fill_super+0x60b/0xe40 drivers/android/binderfs.c:719
 vfs_get_super fs/super.c:1170 [inline]
 get_tree_nodev+0xaf/0x160 fs/super.c:1200
 vfs_get_tree+0x88/0x270 fs/super.c:1528
 do_new_mount+0x2ba/0xb40 fs/namespace.c:3005
 do_mount fs/namespace.c:3348 [inline]
 __do_sys_mount fs/namespace.c:3556 [inline]
 __se_sys_mount+0x2d5/0x3c0 fs/namespace.c:3533
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1340 [inline]
 free_pcp_prepare mm/page_alloc.c:1391 [inline]
 free_unref_page_prepare+0xc34/0xcf0 mm/page_alloc.c:3317
 free_unref_page+0x95/0x2d0 mm/page_alloc.c:3396
 put_page include/linux/mm.h:1247 [inline]
 __skb_frag_unref include/linux/skbuff.h:3236 [inline]
 skb_release_data+0x411/0x8a0 net/core/skbuff.c:672
 skb_release_all net/core/skbuff.c:742 [inline]
 __kfree_skb+0x4c/0x60 net/core/skbuff.c:756
 sk_eat_skb include/net/sock.h:2724 [inline]
 tcp_recvmsg_locked+0x1629/0x29b0 net/ipv4/tcp.c:2517
 tcp_recvmsg+0x24e/0x7f0 net/ipv4/tcp.c:2563
 inet_recvmsg+0x157/0x280 net/ipv4/af_inet.c:870
 sock_recvmsg_nosec net/socket.c:966 [inline]
 sock_recvmsg net/socket.c:984 [inline]
 sock_read_iter+0x353/0x480 net/socket.c:1057
 call_read_iter include/linux/fs.h:2166 [inline]
 new_sync_read fs/read_write.c:404 [inline]
 vfs_read+0xa93/0xe10 fs/read_write.c:485
 ksys_read+0x1a2/0x2c0 fs/read_write.c:623
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0

Memory state around the buggy address:
 ffff888028c9e100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888028c9e180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888028c9e200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff888028c9e280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888028c9e300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

final repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: slab-out-of-bounds in copy_page_from_iter_atomic+0x8e3/0x1230 lib/iov_iter.c:978
Read of size 2048 at addr ffff888028c9e000 by task kworker/u4:2/154

CPU: 0 PID: 154 Comm: kworker/u4:2 Not tainted 5.15.166-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Workqueue: loop0 loop_rootcg_workfn
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2d0 lib/dump_stack.c:106
 print_address_description+0x63/0x3b0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0x16b/0x1c0 mm/kasan/report.c:451
 kasan_check_range+0x27e/0x290 mm/kasan/generic.c:189
 memcpy+0x25/0x60 mm/kasan/shadow.c:65
 copy_page_from_iter_atomic+0x8e3/0x1230 lib/iov_iter.c:978
 generic_perform_write+0x33a/0x5b0 mm/filemap.c:3793
 __generic_file_write_iter+0x243/0x4f0 mm/filemap.c:3912
 generic_file_write_iter+0xa7/0x1b0 mm/filemap.c:3944
 do_iter_readv_writev+0x594/0x7a0
 do_iter_write+0x1e6/0x760 fs/read_write.c:855
 lo_write_bvec+0x297/0x740 drivers/block/loop.c:316
 lo_write_simple drivers/block/loop.c:338 [inline]
 do_req_filebacked drivers/block/loop.c:656 [inline]
 loop_handle_cmd drivers/block/loop.c:2234 [inline]
 loop_process_work+0x2309/0x2af0 drivers/block/loop.c:2274
 process_one_work+0x8a1/0x10c0 kernel/workqueue.c:2310
 worker_thread+0xaca/0x1280 kernel/workqueue.c:2457
 kthread+0x3f6/0x4f0 kernel/kthread.c:334
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287
 </TASK>

Allocated by task 3563:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc+0xba/0xf0 mm/kasan/common.c:513
 kasan_kmalloc include/linux/kasan.h:264 [inline]
 __kmalloc+0x168/0x300 mm/slub.c:4407
 kmalloc include/linux/slab.h:596 [inline]
 hfsplus_read_wrapper+0x4e3/0x13b0 fs/hfsplus/wrapper.c:180
 hfsplus_fill_super+0x38a/0x1c90 fs/hfsplus/super.c:413
 mount_bdev+0x2c9/0x3f0 fs/super.c:1398
 legacy_get_tree+0xeb/0x180 fs/fs_context.c:611
 vfs_get_tree+0x88/0x270 fs/super.c:1528
 do_new_mount+0x2ba/0xb40 fs/namespace.c:3005
 do_mount fs/namespace.c:3348 [inline]
 __do_sys_mount fs/namespace.c:3556 [inline]
 __se_sys_mount+0x2d5/0x3c0 fs/namespace.c:3533
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0

The buggy address belongs to the object at ffff888028c9e000
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 0 bytes inside of
 512-byte region [ffff888028c9e000, ffff888028c9e200)
The buggy address belongs to the page:
page:ffffea0000a32700 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x28c9c
head:ffffea0000a32700 order:2 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888017041c80
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3563, ts 46370829577, free_ts 36882141059
 prep_new_page mm/page_alloc.c:2426 [inline]
 get_page_from_freelist+0x322a/0x33c0 mm/page_alloc.c:4159
 __alloc_pages+0x272/0x700 mm/page_alloc.c:5423
 alloc_slab_page mm/slub.c:1775 [inline]
 allocate_slab mm/slub.c:1912 [inline]
 new_slab+0xbb/0x4b0 mm/slub.c:1975
 ___slab_alloc+0x6f6/0xe10 mm/slub.c:3008
 __slab_alloc mm/slub.c:3095 [inline]
 slab_alloc_node mm/slub.c:3186 [inline]
 slab_alloc mm/slub.c:3228 [inline]
 kmem_cache_alloc_trace+0x1a0/0x290 mm/slub.c:3245
 kmalloc include/linux/slab.h:591 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 binderfs_binder_ctl_create drivers/android/binderfs.c:418 [inline]
 binderfs_fill_super+0x60b/0xe40 drivers/android/binderfs.c:719
 vfs_get_super fs/super.c:1170 [inline]
 get_tree_nodev+0xaf/0x160 fs/super.c:1200
 vfs_get_tree+0x88/0x270 fs/super.c:1528
 do_new_mount+0x2ba/0xb40 fs/namespace.c:3005
 do_mount fs/namespace.c:3348 [inline]
 __do_sys_mount fs/namespace.c:3556 [inline]
 __se_sys_mount+0x2d5/0x3c0 fs/namespace.c:3533
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1340 [inline]
 free_pcp_prepare mm/page_alloc.c:1391 [inline]
 free_unref_page_prepare+0xc34/0xcf0 mm/page_alloc.c:3317
 free_unref_page+0x95/0x2d0 mm/page_alloc.c:3396
 put_page include/linux/mm.h:1247 [inline]
 __skb_frag_unref include/linux/skbuff.h:3236 [inline]
 skb_release_data+0x411/0x8a0 net/core/skbuff.c:672
 skb_release_all net/core/skbuff.c:742 [inline]
 __kfree_skb+0x4c/0x60 net/core/skbuff.c:756
 sk_eat_skb include/net/sock.h:2724 [inline]
 tcp_recvmsg_locked+0x1629/0x29b0 net/ipv4/tcp.c:2517
 tcp_recvmsg+0x24e/0x7f0 net/ipv4/tcp.c:2563
 inet_recvmsg+0x157/0x280 net/ipv4/af_inet.c:870
 sock_recvmsg_nosec net/socket.c:966 [inline]
 sock_recvmsg net/socket.c:984 [inline]
 sock_read_iter+0x353/0x480 net/socket.c:1057
 call_read_iter include/linux/fs.h:2166 [inline]
 new_sync_read fs/read_write.c:404 [inline]
 vfs_read+0xa93/0xe10 fs/read_write.c:485
 ksys_read+0x1a2/0x2c0 fs/read_write.c:623
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0

Memory state around the buggy address:
 ffff888028c9e100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888028c9e180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888028c9e200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff888028c9e280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888028c9e300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================