syzkaller
syzkaller login: [   22.859405][  T907] cgroup: Unknown subsys name 'net'
[   22.860739][  T907] cgroup: Unknown subsys name 'net_prio'
[   22.861715][  T907] cgroup: Unknown subsys name 'devices'
[   22.862895][  T907] cgroup: Unknown subsys name 'blkio'
[   22.951640][  T907] cgroup: Unknown subsys name 'hugetlb'
[   22.957493][  T907] cgroup: Unknown subsys name 'rlimit'
[   24.845166][  T907] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
Warning: Permanently added '10.128.1.171' (ED25519) to the list of known hosts.
2024/01/17 05:18:32 ignoring optional flag "sandboxArg"="0"
2024/01/17 05:18:32 parsed 1 programs
2024/01/17 05:18:34 executed programs: 0
[   47.731929][ T1433] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[   49.923620][ T1858] loop0: detected capacity change from 0 to 1024
[   49.934712][ T1858] hfsplus: request for non-existent node 32768 in B*Tree
[   49.942185][ T1858] hfsplus: request for non-existent node 32768 in B*Tree
[   49.949997][ T1858] ==================================================================
[   49.958321][ T1858] BUG: KASAN: slab-out-of-bounds in hfsplus_bnode_read+0x159/0x160
[   49.966278][ T1858] Read of size 8 at addr ffff888107d96dc0 by task syz-executor.0/1858
[   49.974573][ T1858]
[   49.976876][ T1858] CPU: 0 PID: 1858 Comm: syz-executor.0 Not tainted 5.15.147-syzkaller #0
[   49.985735][ T1858] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
[   49.995863][ T1858] Call Trace:
[   49.999132][ T1858]  <TASK>
[   50.002058][ T1858]  dump_stack_lvl+0x41/0x5e
[   50.006728][ T1858]  print_address_description.constprop.0.cold+0x6c/0x309
[   50.013814][ T1858]  ? hfsplus_bnode_read+0x159/0x160
[   50.019019][ T1858]  ? hfsplus_bnode_read+0x159/0x160
[   50.024296][ T1858]  kasan_report.cold+0x83/0xdf
[   50.029251][ T1858]  ? hfsplus_bnode_read+0x159/0x160
[   50.034543][ T1858]  hfsplus_bnode_read+0x159/0x160
[   50.039992][ T1858]  hfsplus_bnode_dump+0x1f6/0x310
[   50.045364][ T1858]  ? hfsplus_bnode_move+0x700/0x700
[   50.050666][ T1858]  ? hfsplus_bnode_write+0x170/0x170
[   50.056192][ T1858]  ? __mark_inode_dirty+0x6a3/0x8f0
[   50.061364][ T1858]  hfsplus_brec_remove+0x322/0x430
[   50.066447][ T1858]  __hfsplus_delete_attr+0x1f1/0x340
[   50.071704][ T1858]  ? hfsplus_find_exit+0xc0/0xc0
[   50.076783][ T1858]  ? hfsplus_part_find+0xc00/0xc00
[   50.081954][ T1858]  hfsplus_delete_all_attrs+0x12d/0x330
[   50.087734][ T1858]  ? hfsplus_delete_attr+0x260/0x260
[   50.092991][ T1858]  ? rwlock_bug.part.0+0x90/0x90
[   50.098020][ T1858]  ? do_raw_spin_unlock+0x171/0x230
[   50.103287][ T1858]  ? __mark_inode_dirty+0x751/0x8f0
[   50.108664][ T1858]  hfsplus_delete_cat+0x74e/0xdd0
[   50.113659][ T1858]  ? hfsplus_create_cat+0x10a0/0x10a0
[   50.119088][ T1858]  ? mutex_trylock+0x280/0x280
[   50.124290][ T1858]  ? __lock_acquire.constprop.0+0x478/0xb30
[   50.130237][ T1858]  hfsplus_unlink+0x196/0x770
[   50.134970][ T1858]  ? hfsplus_symlink+0x260/0x260
[   50.139873][ T1858]  ? down_write+0xc8/0x130
[   50.144257][ T1858]  ? down_write_killable_nested+0x160/0x160
[   50.150116][ T1858]  vfs_unlink+0x291/0x800
[   50.154995][ T1858]  do_unlinkat+0x30f/0x550
[   50.160293][ T1858]  ? __ia32_sys_rmdir+0xe0/0xe0
[   50.165139][ T1858]  ? getname_flags.part.0+0x89/0x440
[   50.170574][ T1858]  __x64_sys_unlink+0xa0/0xe0
[   50.175228][ T1858]  do_syscall_64+0x35/0x80
[   50.179801][ T1858]  entry_SYSCALL_64_after_hwframe+0x61/0xcb
[   50.186222][ T1858] RIP: 0033:0x7f95c3dccb29
[   50.190723][ T1858] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[   50.210501][ T1858] RSP: 002b:00007f95c394f0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000057
[   50.219079][ T1858] RAX: ffffffffffffffda RBX: 00007f95c3eebf80 RCX: 00007f95c3dccb29
[   50.227119][ T1858] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000140
[   50.235154][ T1858] RBP: 00007f95c3e1847a R08: 0000000000000000 R09: 0000000000000000
[   50.243107][ T1858] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   50.251233][ T1858] R13: 0000000000000006 R14: 00007f95c3eebf80 R15: 00007ffddba83ac8
[   50.259276][ T1858]  </TASK>
[   50.262279][ T1858]
[   50.264596][ T1858] Allocated by task 1858:
[   50.268903][ T1858]  kasan_save_stack+0x1b/0x40
[   50.273758][ T1858]  __kasan_kmalloc+0x7c/0x90
[   50.278324][ T1858]  __hfs_bnode_create+0xec/0x9b0
[   50.283370][ T1858]  hfsplus_bnode_find+0x23d/0xa00
[   50.288464][ T1858]  hfsplus_brec_find+0x252/0x450
[   50.293477][ T1858]  hfsplus_delete_all_attrs+0x255/0x330
[   50.299087][ T1858]  hfsplus_delete_cat+0x74e/0xdd0
[   50.304395][ T1858]  hfsplus_unlink+0x196/0x770
[   50.310393][ T1858]  vfs_unlink+0x291/0x800
[   50.314694][ T1858]  do_unlinkat+0x30f/0x550
[   50.319096][ T1858]  __x64_sys_unlink+0xa0/0xe0
[   50.323751][ T1858]  do_syscall_64+0x35/0x80
[   50.328318][ T1858]  entry_SYSCALL_64_after_hwframe+0x61/0xcb
[   50.334209][ T1858]
[   50.336512][ T1858] Last potentially related work creation:
[   50.342223][ T1858]  kasan_save_stack+0x1b/0x40
[   50.346878][ T1858]  kasan_record_aux_stack+0xc5/0xf0
[   50.352055][ T1858]  insert_work+0x45/0x380
[   50.356536][ T1858]  __queue_work+0x520/0xbd0
[   50.361013][ T1858]  queue_work_on+0x52/0x70
[   50.365516][ T1858]  call_usermodehelper_exec+0x2d4/0x430
[   50.371224][ T1858]  __request_module+0x33b/0x660
[   50.376059][ T1858]  dev_load+0xa3/0xb0
[   50.380308][ T1858]  dev_ioctl+0x1e9/0xbf0
[   50.384614][ T1858]  sock_do_ioctl+0x15e/0x1c0
[   50.389186][ T1858]  sock_ioctl+0x227/0x4e0
[   50.393511][ T1858]  __x64_sys_ioctl+0x11f/0x190
[   50.398256][ T1858]  do_syscall_64+0x35/0x80
[   50.402739][ T1858]  entry_SYSCALL_64_after_hwframe+0x61/0xcb
[   50.412216][ T1858]
[   50.414541][ T1858] The buggy address belongs to the object at ffff888107d96d00
[   50.414541][ T1858]  which belongs to the cache kmalloc-192 of size 192
[   50.429018][ T1858] The buggy address is located 0 bytes to the right of
[   50.429018][ T1858]  192-byte region [ffff888107d96d00, ffff888107d96dc0)
[   50.442694][ T1858] The buggy address belongs to the page:
[   50.448663][ T1858] page:ffffea00041f6580 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107d96
[   50.459248][ T1858] flags: 0x100000000000200(slab|node=0|zone=2)
[   50.465420][ T1858] raw: 0100000000000200 0000000000000000 0000000100000001 ffff888100041a00
[   50.474271][ T1858] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[   50.482859][ T1858] page dumped because: kasan: bad access detected
[   50.489328][ T1858] page_owner tracks the page as allocated
[   50.495187][ T1858] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, ts 1630344888, free_ts 0
[   50.510384][ T1858]  get_page_from_freelist+0x13ed/0x3430
[   50.515990][ T1858]  __alloc_pages+0x1b2/0x420
[   50.520565][ T1858]  alloc_page_interleave+0xf/0x160
[   50.525762][ T1858]  allocate_slab+0x2eb/0x430
[   50.530333][ T1858]  ___slab_alloc+0xb1c/0xf80
[   50.534898][ T1858]  kmem_cache_alloc_trace+0x2db/0x310
[   50.540341][ T1858]  call_usermodehelper_setup+0x74/0x2f0
[   50.545961][ T1858]  kobject_uevent_env+0xa72/0x10d0
[   50.551059][ T1858]  kset_register+0x184/0x1e0
[   50.555623][ T1858]  __class_register+0x1ed/0x460
[   50.560456][ T1858]  __class_create+0xc0/0x120
[   50.565029][ T1858]  dca_sysfs_init+0x73/0x9c
[   50.569508][ T1858]  do_one_initcall+0xb4/0x2e0
[   50.574201][ T1858]  kernel_init_freeable+0x519/0x571
[   50.579381][ T1858]  kernel_init+0x14/0x120
[   50.583692][ T1858]  ret_from_fork+0x1f/0x30
[   50.588179][ T1858] page_owner free stack trace missing
[   50.593614][ T1858]
[   50.595912][ T1858] Memory state around the buggy address:
[   50.601758][ T1858]  ffff888107d96c80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[   50.609900][ T1858]  ffff888107d96d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   50.618022][ T1858] >ffff888107d96d80: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[   50.627060][ T1858]                                            ^
[   50.633202][ T1858]  ffff888107d96e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   50.641412][ T1858]  ffff888107d96e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   50.649466][ T1858] ==================================================================
[   50.657848][ T1858] Disabling lock debugging due to kernel taint
[   50.664204][ T1858] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   50.671703][ T1858] Kernel Offset: disabled
[   50.676095][ T1858] Rebooting in 86400 seconds..
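The log above is raw syzkaller console output. As an added example, not part of the syzkaller output, the kernel, or any syzkaller tool, here is a small Python triage parser run over lines copied from that report. It pulls out the bug class, the faulting function, the access kind and size, the object region KASAN prints, the reliable call-trace frames (dropping the `?` frames and the reporting machinery), the allocation site, and it reads the shadow-memory rows to count how many bytes of the object were actually marked accessible. `SAMPLE` is a constructed subset of the report; `KasanReport`, `parse_kasan_report`, `blamed_path`, `allocator`, `accessible_bytes` and the regexes are names of this example only.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the report above, minus the register dump,
# the page_owner block and all but one of the '?'-marked (unreliable) frames.
SAMPLE = """\
[   49.958321][ T1858] BUG: KASAN: slab-out-of-bounds in hfsplus_bnode_read+0x159/0x160
[   49.966278][ T1858] Read of size 8 at addr ffff888107d96dc0 by task syz-executor.0/1858
[   49.995863][ T1858] Call Trace:
[   50.013814][ T1858]  ? hfsplus_bnode_read+0x159/0x160
[   50.024296][ T1858]  kasan_report.cold+0x83/0xdf
[   50.034543][ T1858]  hfsplus_bnode_read+0x159/0x160
[   50.039992][ T1858]  hfsplus_bnode_dump+0x1f6/0x310
[   50.061364][ T1858]  hfsplus_brec_remove+0x322/0x430
[   50.066447][ T1858]  __hfsplus_delete_attr+0x1f1/0x340
[   50.081954][ T1858]  hfsplus_delete_all_attrs+0x12d/0x330
[   50.108664][ T1858]  hfsplus_delete_cat+0x74e/0xdd0
[   50.130237][ T1858]  hfsplus_unlink+0x196/0x770
[   50.150116][ T1858]  vfs_unlink+0x291/0x800
[   50.154995][ T1858]  do_unlinkat+0x30f/0x550
[   50.170574][ T1858]  __x64_sys_unlink+0xa0/0xe0
[   50.175228][ T1858]  do_syscall_64+0x35/0x80
[   50.179801][ T1858]  entry_SYSCALL_64_after_hwframe+0x61/0xcb
[   50.262279][ T1858]
[   50.264596][ T1858] Allocated by task 1858:
[   50.268903][ T1858]  kasan_save_stack+0x1b/0x40
[   50.273758][ T1858]  __kasan_kmalloc+0x7c/0x90
[   50.278324][ T1858]  __hfs_bnode_create+0xec/0x9b0
[   50.283370][ T1858]  hfsplus_bnode_find+0x23d/0xa00
[   50.429018][ T1858]  192-byte region [ffff888107d96d00, ffff888107d96dc0)
[   50.609900][ T1858]  ffff888107d96d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   50.618022][ T1858] >ffff888107d96d80: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")             # "[   50.0][ T1858] "
FRAME = re.compile(r"^\s*(\?\s+)?(\S+\+0x[0-9a-f]+/0x[0-9a-f]+)$")  # " ? func+0x12/0x34"
SHADOW = re.compile(r"^[ >]([0-9a-f]{16}): ((?:[0-9a-f]{2} ?)+)$")  # one shadow-memory row
MACHINERY = ("dump_stack", "print_address_description", "kasan_", "__kasan_", "__asan_")


@dataclass
class KasanReport:
    bug_type: str = ""
    function: str = ""          # faulting function as named in the BUG line
    access: str = ""            # "Read" or "Write"
    size: int = 0
    addr: int = 0
    region_start: int = 0       # object bounds as KASAN prints them (cache object size)
    region_end: int = 0
    call_trace: list = field(default_factory=list)   # reliable frames only
    alloc_trace: list = field(default_factory=list)
    shadow: dict = field(default_factory=dict)       # row base address -> 16 shadow bytes

    def blamed_path(self) -> list:
        """Reliable frames from the faulting function out to the syscall entry."""
        frames = [f for f in self.call_trace if not f.startswith(MACHINERY)]
        end = next((i for i, f in enumerate(frames) if f.startswith("entry_")), len(frames) - 1)
        return frames[: end + 1]

    def allocator(self) -> str:  # first allocation frame outside KASAN's own bookkeeping
        return next((f for f in self.alloc_trace if not f.startswith(MACHINERY)), "")

    def accessible_bytes(self) -> int:
        """Bytes from region_start the shadow marks accessible (00 = 8-byte granule
        fully accessible, 01..07 = that many leading bytes, anything else = poisoned)."""
        n, g = 0, self.region_start
        while (row := self.shadow.get(g & ~0x7F)) is not None:
            val = row[(g & 0x7F) // 8]
            if val != 0:
                return n + (val if val < 8 else 0)
            n, g = n + 8, g + 8
        return n


def parse_kasan_report(text: str) -> KasanReport:
    rep, section = KasanReport(), None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw)
        if not line.strip():
            section = None                      # a blank line ends the current stack
        elif m := re.match(r"BUG: KASAN: ([\w-]+) in (\S+)", line):
            rep.bug_type, rep.function = m.groups()
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", line):
            rep.access, rep.size, rep.addr = m[1], int(m[2]), int(m[3], 16)
        elif m := re.search(r"-byte region \[([0-9a-f]+), ([0-9a-f]+)\)", line):
            rep.region_start, rep.region_end = int(m[1], 16), int(m[2], 16)
        elif line.startswith("Call Trace:"):
            section = rep.call_trace
        elif line.startswith("Allocated by task"):
            section = rep.alloc_trace
        elif m := SHADOW.match(line):
            rep.shadow[int(m[1], 16)] = [int(b, 16) for b in m[2].split()]
        elif section is not None and (m := FRAME.match(line)) and not m[1]:
            section.append(m[2])                # '?' frames are stale stack slots, not callers
    return rep


if __name__ == "__main__":
    r = parse_kasan_report(SAMPLE)
    print(f"{r.bug_type}: {r.access} of {r.size} at object+{r.addr - r.region_start}, "
          f"{r.accessible_bytes()} bytes accessible, allocated by {r.allocator()}")
    print(" <- ".join(r.blamed_path()))
```

Two things this makes visible that the header lines alone do not. First, the access lands exactly at the end of the printed region (offset 192 of a 192-byte region), so the 8-byte read is the first qword past the object. Second, the shadow rows mark only 19 granules (152 bytes) from the object start as accessible before the `fc` redzone begins, so the "192-byte region" is the kmalloc-192 cache object size, not the size the hfsplus code requested, and the read is 40 bytes past the last allocated byte. The reliable path, `unlink(2)` through `hfsplus_delete_cat` and `hfsplus_brec_remove` into `hfsplus_bnode_dump` and `hfsplus_bnode_read`, with the node allocated by `__hfs_bnode_create` during the same unlink, is what a reproducer or a fix has to reach.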