program: mkdirat(0xffffffffffffff9c, &(0x7f0000000540)='./file0\x00', 0x0) (async) mkdirat(0xffffffffffffff9c, &(0x7f0000000540)='./file0\x00', 0x0) mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file1\x00', 0x0) mkdirat(0xffffffffffffff9c, &(0x7f0000000440)='./bus\x00', 0x0) mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000500)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}]}) mkdir(&(0x7f0000000400)='./file1/file0\x00', 0x0) lsetxattr$trusted_overlay_upper(&(0x7f0000000000)='./file1/file0\x00', &(0x7f0000000180), &(0x7f0000000800)={0x0, 0xfb, 0x3b, 0x0, 0x1, "8a869ca59ebcf4a88e22645407992cbc", "08a29c1162d7313b79a3637b3db3e420f8792663ecac4fe94dba6f2d8ef832ee886e7638a0b4"}, 0x3b, 0x3) r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x0) setsockopt$bt_l2cap_L2CAP_LM(r0, 0x6, 0x3, &(0x7f0000000480)=0x4, 0x4) getsockopt$bt_l2cap_L2CAP_LM(r0, 0x6, 0x3, &(0x7f0000000780), &(0x7f00000007c0)=0x4) (async) getsockopt$bt_l2cap_L2CAP_LM(r0, 0x6, 0x3, &(0x7f0000000780), &(0x7f00000007c0)=0x4) syz_mount_image$hfsplus(&(0x7f0000000000), &(0x7f0000000400)='./file1\x00', 0xa08006, &(0x7f0000000100)=ANY=[@ANYRES32=0x0], 0xfe, 0x687, &(0x7f0000000fc0)="$eJzs3c1vHGcdB/DvrNeOHaTUfUlaUCWsRioIi8QvcsFcGjggHypUhUOFxMVKnMbKxq1sF7kVAvN+5dA/oBx8QOICEvdIReKAgFvFzeKAKiFx6cm3oJmdtdfxS9Ybv8Tw+Viz+8w8r/PbmWd3dmVNgP9bc+NpPkiRufE31sr1zY3p1ubG9IU6u5WkTDeSZvspxVJSfJzcSHvJ58uNdfnioH4+XJy9+clnm5+215r1UpVvHFavN+v1krEkA/XzXoN9tXfrwPYON7+dKrb3sAzY1U7g4Kw93GP9KNWf8LwFngZF+31zj9HkYpLh+nNA6tmhcbqjO35HmuUAAADgnHpmK1tZy6WzHgcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACcJ/X9/4t6aXTSYyk69/8fqrelTt9snPGYn8SDsx4AAAAAAAAAAByDL25lK2u5lPrH/YftX/ZfqR5fqB4/l/eykoUs51rWMp/VrGY5k0lGuxoaWptfXV2e7KHm1L41p/ob/+/7qwYAAAAAAAAA/2t+mrn27/8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPC0KJKB9lO1vNBJj6bRTDKcZKgst578vZM+J4r9Nj44/XEAAADAExnuo84zW9nKWi511h8W1TX/lep6eTjvZSmrWcxqWlnI7foaurzqb2xuTLc2N6bvb25MVx1//2Fbu51v/udIw6haTPu7h/17fqkqMZI7Way2XMutajC306hqll6qx7O97O7kJ+WYRl6v9Tiy2/Vz2dmvD/oW4Tg0jlphtKo0uB2RiXpsZUPPHh6Jx746zUN7mkxj+5ufFw7pqbNLxRFjfrFTL8kvH4n56//67fd6bOYEbEeikSoSU11H35XDY5586Y+/e+tua+ne3Tsr4yd2GJ2WR4+J6a5IvHiuI9E8YvmJKhKXt9fn8u18N+MZy5tZzmJ+kPmsZiH1zJj5+nguH0e7opTsidSNXWtvPm4kQ/Xr0p5FexnTWC5Uqfm8UtW9lMUUeSe3s5DXqr+pTOZrmclMZrte4csHvsLVvlUzbeNoZ/3VL2fnVP9VOVP3Vi/5c68Fj679llrG9dmuuHbPuaNVXveWnSg918P70RHnxuYX6kTZx8/6eds4MY9GYrIrEs8fHonfVOfGSmvp3vLd+XcPaH/9kfVXB3fSv+jrnfmkpp7yeHkuw/VMsvvoKPOe355ldsdrqP7FpZ3X2JN3ucoris6Z+p19ztQy4rNV6Sv7tjRV5b24N2+gHvk//tmVt+vzVt756wkFDIDjdfErF4dG/j3yt5GPRn4+cnfkjeFvXfj6hZeHMvinwW80JwZebbxc/CEf5Uc71/8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAED/Vt7/4N58q7WwvH+icXDW8SaK+rY8B5VpZiSnMIzTTBTJ+rG3nLPfrx4SnZsIPmk7b914KnbnXCcGktRbfpzsHD/1S9TPzUWBc+H66v13r6+8/8FXF+/Pv73w9sLS4MzM7MTszGvT1+8sthYm2o9nPUrgJOx8HuixwuAJDwgAAAAAAAAAAAB4rP3+MeAvx/yfBl3djZ3hrgIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADn1Nx4moMpMjlxbaJc39yYbpVLJ71Tspmk0UiKHybFx8mNtJeMdjVXHNTPh4uzNz/5bPPTnbaanfKNw+r1Zr1eMpZkoH7eY6i/9m4d1F7Piu09LAN2tRM4OGv/DQAA//+iHAcm") setxattr$trusted_overlay_upper(&(0x7f0000000380)='./file1\x00', &(0x7f00000001c0), &(0x7f0000001400)=ANY=[], 0x835, 0x0) (async) setxattr$trusted_overlay_upper(&(0x7f0000000380)='./file1\x00', &(0x7f00000001c0), &(0x7f0000001400)=ANY=[], 0x835, 0x0) setxattr$trusted_overlay_upper(&(0x7f0000000200)='./file1\x00', &(0x7f00000001c0), &(0x7f0000001400)=ANY=[], 0x835, 0x0) setxattr$security_capability(&(0x7f00000002c0)='./file0\x00', &(0x7f0000000300), &(0x7f00000003c0)=@v3={0x3000000, [{0x9, 0x9}, {0xffff, 0xffffffff}]}, 0x18, 0x1) (async) setxattr$security_capability(&(0x7f00000002c0)='./file0\x00', &(0x7f0000000300), &(0x7f00000003c0)=@v3={0x3000000, [{0x9, 0x9}, {0xffff, 0xffffffff}]}, 0x18, 0x1) bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0x8, 0x4, &(0x7f0000000040)=@framed={{0xffffffb4, 0x0, 0x0, 0x0, 0x0, 0xffffffdd, 0xa}, [@ldst={0x3, 0x2, 0x3, 0x1c10a1, 0x0, 0x3e}]}, &(0x7f0000003ff6)='GPL\x00', 0x5, 0xfd90, &(0x7f000000cf3d)=""/195, 0x0, 0x0, '\x00', 0x0, @cgroup_skb, 0xffffffffffffffff, 0x19, &(0x7f0000000000), 0xb5, 0x10, &(0x7f0000000000), 0x7, 0x0, 0xffffffffffffffff, 0x68000000}, 0x48) (async) bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0x8, 0x4, &(0x7f0000000040)=@framed={{0xffffffb4, 0x0, 0x0, 0x0, 0x0, 0xffffffdd, 0xa}, [@ldst={0x3, 0x2, 0x3, 0x1c10a1, 0x0, 0x3e}]}, &(0x7f0000003ff6)='GPL\x00', 0x5, 0xfd90, &(0x7f000000cf3d)=""/195, 0x0, 0x0, '\x00', 0x0, @cgroup_skb, 0xffffffffffffffff, 0x19, &(0x7f0000000000), 0xb5, 0x10, &(0x7f0000000000), 0x7, 0x0, 0xffffffffffffffff, 0x68000000}, 0x48) lsetxattr$trusted_overlay_redirect(&(0x7f0000000040)='./file1/file0\x00', &(0x7f0000000140), &(0x7f0000000240)='./file1\x00', 0x8, 0x0) (async) lsetxattr$trusted_overlay_redirect(&(0x7f0000000040)='./file1/file0\x00', &(0x7f0000000140), &(0x7f0000000240)='./file1\x00', 0x8, 0x0) r1 = openat$iommufd(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0) r2 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000000)='ns\x00') fchdir(r2) syz_read_part_table(0x609, &(0x7f0000000d40)="$eJzs1E9rXFUYB+DfnczMnSmGBC0oIjRQ6CrEhXQRcLBBVLppQ6niwp0gCHVhoWBXE9ouRYpbIW4qlFLIF9CNlLRQ3LgKLktxbxGhRDwy98aZli5cJBAtz7M45z3vPf8u59wb/tc6qcelVMOM/8n0+nvBS23VTymlTAdc//jyhWnj/VvHbyfra+fOJ0c2Pkqy9NoLycJ0rtlCd55etyzslgzzaDBLVZOim2QjyWcPbjRhdzbL4jObr/fx4jwXtkZf/Jjm3oyGGaSXb5LV79pn4w9efvPDTlXNbmF1ahr2Dmr97WPNxU2dnemcS8n8SvetJPf2MsuTTr+28Xb7rVVnnpyo01Zz7WfwtOEzmQPaPfu1NdpeuHrtYv/rbtN8+O3RB79c6eXEzUuvL7/YuzO+XrWHdyzJoD/5yVXNYc8d8r4BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIDnz9Zoe6G/F+98Xj9845PuXmux/FVKSVInmXQZtPkqw4UjZVJn42DWv3r/y2Hq0ac7j0sp5VRKOfvb5vxK724vZzf31l2uMn5i2OZuW/f3vwMOU3P+1y6+99Xl0R+329TgyuMzJwZVE9dNOUx+7w/GRy8l6czGDg9lxwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAf907755eWl87dz5J1R0k6Sze2J48OPlK26Ekr/5w8uaFe2urTXtlUvzZP13Xu+X+249uLf50/Oe7c1mv2+7fd5JSrc6n220TW03ZO4x349/9HQAA///wjWn4") ioctl$IOMMU_IOAS_ALLOC(r1, 0x3b81, &(0x7f00000003c0)={0xc}) (async) ioctl$IOMMU_IOAS_ALLOC(r1, 0x3b81, &(0x7f00000003c0)={0xc, 0x0, 0x0}) ioctl$IOMMU_IOAS_MAP$PAGES(r1, 0x3b85, &(0x7f0000000040)={0x28, 0x7, r3, 0x0, &(0x7f0000800000/0x800000)=nil, 0x800000}) ioctl$IOMMU_TEST_OP_CREATE_ACCESS(r1, 0x3ba0, &(0x7f0000000340)={0x48, 0x5, r3, 0x0, 0xffffffffffffffff, 0x1}) ioctl$IOMMU_TEST_OP_ACCESS_PAGES$syz(r1, 0x3ba0, &(0x7f0000000100)={0x48, 0x7, r4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x334e8b}) (async) ioctl$IOMMU_TEST_OP_ACCESS_PAGES$syz(r1, 0x3ba0, &(0x7f0000000100)={0x48, 0x7, r4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x334e8b}) ioctl$IOMMU_IOAS_MAP$PAGES(r2, 0x3b85, &(0x7f0000000840)={0x28, 0x0, r3, 0x0, &(0x7f0000271000/0x4000)=nil, 0x4000, 0x3}) mmap(&(0x7f0000000000/0xfbe000)=nil, 0xfbe000, 0x100000c, 0x31, 0xffffffffffffffff, 0x0) chdir(&(0x7f00000001c0)='./bus\x00') syz_read_part_table(0x5df, &(0x7f0000000200)="$eJzs3L+LHGUYB/DvzO7s3sbIWVkJHqQwKHhCSj08heRMF0Q7Qf+BA4l/wO4SwcIflY29FkYhiG0KBQlqOkvh0ELE3sIUhlfm166iVidq4PMpZt7ned/3eWaZmXIn3NvKblKqdrTeJqd1ezxMfkzSJOuXn0nm/VwzrGn3vHj94qXLe1eq+SbXZlfD7HxbcDYWzt4wujnNfdeP3njn3UW74Xa97NOrpPl4lmmq1bjvvT9f9J2qq8V/7vxnJdOd7k59k3z15JnjatLd/PZ5+iB5IDtdsJ9kkuGwShbtaHb6/jcObq2fHsaLDE9M00fLPFKeGOaalFJKneW5ceckeeip/at/VbTJH1+H9jUppTk77q23b8Hx3dn4HF748vtl1g9vqncdS+njk0Xy6snzj3e1qr4GAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD/P+dfe/Tz2RgcdsdqiD599rkPU2+XrpJfx/Hezj/U/8bBrd1rr19thvCHo5/yc5JJ9o/OJvPNulf60ydvdqfpkH1wcdr+x3fr2Ufvf7GtM5Sukq/PfXunTIb0yWbB9ppyUJ+2PQAAAAAAAAAAAAAAAAAAAHQuXrq8d6XOC0mVl7L9u3/JTlKNnwJog1JK+aX0kgs3p8dvz3LtTD9/+7vhswGl+n31w2T3/qTM33ps/KzAqqs07VpU/9av5O/8FgAA//+GxGPP") (async) syz_read_part_table(0x5df, &(0x7f0000000200)="$eJzs3L+LHGUYB/DvzO7s3sbIWVkJHqQwKHhCSj08heRMF0Q7Qf+BA4l/wO4SwcIflY29FkYhiG0KBQlqOkvh0ELE3sIUhlfm166iVidq4PMpZt7ned/3eWaZmXIn3NvKblKqdrTeJqd1ezxMfkzSJOuXn0nm/VwzrGn3vHj94qXLe1eq+SbXZlfD7HxbcDYWzt4wujnNfdeP3njn3UW74Xa97NOrpPl4lmmq1bjvvT9f9J2qq8V/7vxnJdOd7k59k3z15JnjatLd/PZ5+iB5IDtdsJ9kkuGwShbtaHb6/jcObq2fHsaLDE9M00fLPFKeGOaalFJKneW5ceckeeip/at/VbTJH1+H9jUppTk77q23b8Hx3dn4HF748vtl1g9vqncdS+njk0Xy6snzj3e1qr4GAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD/P+dfe/Tz2RgcdsdqiD599rkPU2+XrpJfx/Hezj/U/8bBrd1rr19thvCHo5/yc5JJ9o/OJvPNulf60ydvdqfpkH1wcdr+x3fr2Ufvf7GtM5Sukq/PfXunTIb0yWbB9ppyUJ+2PQAAAAAAAAAAAAAAAAAAAHQuXrq8d6XOC0mVl7L9u3/JTlKNnwJog1JK+aX0kgs3p8dvz3LtTD9/+7vhswGl+n31w2T3/qTM33ps/KzAqqs07VpU/9av5O/8FgAA//+GxGPP") [ 74.642337][ T5315] Bluetooth: hci0: command tx timeout [ 74.734443][ T5337] loop0: detected capacity change from 0 to 1024 [ 74.796616][ T5337] hfsplus: request for non-existent node 134217728 in B*Tree [ 74.807374][ T5337] hfsplus: request for non-existent node 134217728 in B*Tree [ 74.811921][ T5336] ================================================================== [ 74.815664][ T5336] BUG: KASAN: slab-out-of-bounds in hfsplus_bnode_read+0xc0/0x2a0 [ 74.818993][ T5336] Read of size 8 at addr ffff8880365a0898 by task syz.0.0/5336 [ 74.822378][ T5336] [ 74.823466][ T5336] CPU: 0 UID: 0 PID: 5336 Comm: syz.0.0 Not tainted 6.16.0-rc4-syzkaller-00286-gc435a4f487e8 #0 PREEMPT(full) [ 74.823479][ T5336] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 74.823486][ T5336] Call Trace: [ 74.823493][ T5336] [ 74.823498][ T5336] dump_stack_lvl+0x189/0x250 [ 74.823514][ T5336] ? __kasan_check_byte+0x12/0x40 [ 74.823528][ T5336] ? __pfx_dump_stack_lvl+0x10/0x10 [ 74.823539][ T5336] ? lock_release+0x4b/0x3e0 [ 74.823551][ T5336] ? __virt_addr_valid+0x4a5/0x5c0 [ 74.823565][ T5336] print_report+0xd2/0x2b0 [ 74.823573][ T5336] ? hfsplus_bnode_read+0xc0/0x2a0 [ 74.823584][ T5336] kasan_report+0x118/0x150 [ 74.823596][ T5336] ? hfsplus_bnode_read+0xc0/0x2a0 [ 74.823608][ T5336] hfsplus_bnode_read+0xc0/0x2a0 [ 74.823619][ T5336] hfsplus_bnode_dump+0x300/0x450 [ 74.823631][ T5336] ? __pfx_hfsplus_bnode_dump+0x10/0x10 [ 74.823641][ T5336] ? hfsplus_bnode_write_u16+0x8b/0xd0 [ 74.823652][ T5336] ? hfsplus_bnode_move+0x393/0xb90 [ 74.823661][ T5336] ? __pfx___hfsplus_brec_find+0x10/0x10 [ 74.823672][ T5336] hfsplus_brec_remove+0x480/0x550 [ 74.823687][ T5336] __hfsplus_delete_attr+0x1d4/0x360 [ 74.823701][ T5336] ? __pfx___hfsplus_delete_attr+0x10/0x10 [ 74.823714][ T5336] ? hfsplus_attr_build_key+0xee/0x260 [ 74.823727][ T5336] hfsplus_delete_attr+0x231/0x2d0 [ 74.823741][ T5336] ? __pfx_hfsplus_delete_attr+0x10/0x10 [ 74.823754][ T5336] ? hfsplus_find_init+0x8c/0x1d0 [ 74.823766][ T5336] ? hfsplus_find_init+0x15a/0x1d0 [ 74.823777][ T5336] __hfsplus_setxattr+0x37a/0x1f40 [ 74.823790][ T5336] ? is_bpf_text_address+0x26/0x2b0 [ 74.823801][ T5336] ? kernel_text_address+0xa5/0xe0 [ 74.823810][ T5336] ? unwind_get_return_address+0x4d/0x90 [ 74.823822][ T5336] ? __pfx_stack_trace_consume_entry+0x10/0x10 [ 74.823834][ T5336] ? arch_stack_walk+0xfc/0x150 [ 74.823846][ T5336] ? __pfx___hfsplus_setxattr+0x10/0x10 [ 74.823860][ T5336] ? stack_trace_save+0x9c/0xe0 [ 74.823874][ T5336] ? __lock_acquire+0xab9/0xd20 [ 74.823896][ T5336] ? hfsplus_setxattr+0x68/0x180 [ 74.823906][ T5336] ? __kasan_kmalloc+0x93/0xb0 [ 74.823914][ T5336] ? hfsplus_setxattr+0x102/0x180 [ 74.823922][ T5336] hfsplus_setxattr+0x11e/0x180 [ 74.823931][ T5336] hfsplus_trusted_setxattr+0x40/0x60 [ 74.823942][ T5336] ? __pfx_hfsplus_trusted_setxattr+0x10/0x10 [ 74.823955][ T5336] __vfs_setxattr+0x43c/0x480 [ 74.823971][ T5336] __vfs_setxattr_noperm+0x12d/0x660 [ 74.823985][ T5336] vfs_setxattr+0x16b/0x2f0 [ 74.823999][ T5336] ? __pfx_vfs_setxattr+0x10/0x10 [ 74.824010][ T5336] ? mnt_get_write_access+0x223/0x2a0 [ 74.824021][ T5336] filename_setxattr+0x274/0x600 [ 74.824036][ T5336] ? __pfx_filename_setxattr+0x10/0x10 [ 74.824050][ T5336] ? getname_flags+0x1e5/0x540 [ 74.824064][ T5336] path_setxattrat+0x364/0x3a0 [ 74.824075][ T5336] ? __pfx_path_setxattrat+0x10/0x10 [ 74.824089][ T5336] ? rcu_is_watching+0x15/0xb0 [ 74.824100][ T5336] __x64_sys_setxattr+0xbc/0xe0 [ 74.824113][ T5336] do_syscall_64+0xfa/0x3b0 [ 74.824168][ T5336] ? lockdep_hardirqs_on+0x9c/0x150 [ 74.824178][ T5336] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 74.824193][ T5336] ? clear_bhb_loop+0x60/0xb0 [ 74.824203][ T5336] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 74.824212][ T5336] RIP: 0033:0x7fcb20d8e929 [ 74.824225][ T5336] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 74.824233][ T5336] RSP: 002b:00007fcb21bd1038 EFLAGS: 00000246 ORIG_RAX: 00000000000000bc [ 74.824244][ T5336] RAX: ffffffffffffffda RBX: 00007fcb20fb5fa0 RCX: 00007fcb20d8e929 [ 74.824251][ T5336] RDX: 0000200000001400 RSI: 00002000000001c0 RDI: 0000200000000200 [ 74.824258][ T5336] RBP: 00007fcb20e10b39 R08: 0000000000000000 R09: 0000000000000000 [ 74.824264][ T5336] R10: 0000000000000835 R11: 0000000000000246 R12: 0000000000000000 [ 74.824270][ T5336] R13: 0000000000000000 R14: 00007fcb20fb5fa0 R15: 00007ffdde843e88 [ 74.824279][ T5336] [ 74.824283][ T5336] [ 74.991569][ T5336] Allocated by task 5336: [ 74.993410][ T5336] kasan_save_track+0x3e/0x80 [ 74.995639][ T5336] __kasan_kmalloc+0x93/0xb0 [ 74.997693][ T5336] __kmalloc_noprof+0x27a/0x4f0 [ 74.999861][ T5336] __hfs_bnode_create+0xf3/0x810 [ 75.001847][ T5336] hfsplus_bnode_find+0x224/0xd20 [ 75.004027][ T5336] hfsplus_brec_find+0x15c/0x500 [ 75.006214][ T5336] hfsplus_attr_exists+0x163/0x1d0 [ 75.008390][ T5336] __hfsplus_setxattr+0x33e/0x1f40 [ 75.010731][ T5336] hfsplus_setxattr+0x11e/0x180 [ 75.012929][ T5336] hfsplus_trusted_setxattr+0x40/0x60 [ 75.015362][ T5336] __vfs_setxattr+0x43c/0x480 [ 75.017432][ T5336] __vfs_setxattr_noperm+0x12d/0x660 [ 75.019804][ T5336] vfs_setxattr+0x16b/0x2f0 [ 75.021676][ T5336] filename_setxattr+0x274/0x600 [ 75.023831][ T5336] path_setxattrat+0x364/0x3a0 [ 75.025918][ T5336] __x64_sys_setxattr+0xbc/0xe0 [ 75.028087][ T5336] do_syscall_64+0xfa/0x3b0 [ 75.030141][ T5336] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.032747][ T5336] [ 75.033827][ T5336] The buggy address belongs to the object at ffff8880365a0800 [ 75.033827][ T5336] which belongs to the cache kmalloc-192 of size 192 [ 75.039842][ T5336] The buggy address is located 0 bytes to the right of [ 75.039842][ T5336] allocated 152-byte region [ffff8880365a0800, ffff8880365a0898) [ 75.045740][ T5336] [ 75.046737][ T5336] The buggy address belongs to the physical page: [ 75.049145][ T5336] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x365a0 [ 75.052678][ T5336] anon flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff) [ 75.055843][ T5336] page_type: f5(slab) [ 75.057585][ T5336] raw: 04fff00000000000 ffff88801a4413c0 0000000000000000 dead000000000001 [ 75.061376][ T5336] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 75.065198][ T5336] page dumped because: kasan: bad access detected [ 75.068018][ T5336] page_owner tracks the page as allocated [ 75.070597][ T5336] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 1, tgid 1 (swapper/0), ts 15540016089, free_ts 0 [ 75.078115][ T5336] post_alloc_hook+0x240/0x2a0 [ 75.080225][ T5336] get_page_from_freelist+0x21e4/0x22c0 [ 75.082643][ T5336] __alloc_frozen_pages_noprof+0x181/0x370 [ 75.085272][ T5336] alloc_pages_mpol+0x232/0x4a0 [ 75.087355][ T5336] allocate_slab+0x8a/0x3b0 [ 75.089302][ T5336] ___slab_alloc+0xbfc/0x1480 [ 75.091446][ T5336] __kmalloc_cache_noprof+0x296/0x3d0 [ 75.093839][ T5336] call_usermodehelper_setup+0x8e/0x270 [ 75.096177][ T5336] kobject_uevent_env+0x65c/0x8c0 [ 75.098228][ T5336] device_add+0x557/0xb50 [ 75.099989][ T5336] usb_new_device+0xa39/0x16c0 [ 75.102131][ T5336] register_root_hub+0x275/0x590 [ 75.104293][ T5336] usb_add_hcd+0xba1/0x1050 [ 75.106278][ T5336] vhci_hcd_probe+0x144/0x380 [ 75.108379][ T5336] platform_probe+0x148/0x1d0 [ 75.110515][ T5336] really_probe+0x26a/0x9a0 [ 75.112584][ T5336] page_owner free stack trace missing [ 75.114976][ T5336] [ 75.116053][ T5336] Memory state around the buggy address: [ 75.118506][ T5336] ffff8880365a0780: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 75.122324][ T5336] ffff8880365a0800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 75.126274][ T5336] >ffff8880365a0880: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc [ 75.129732][ T5336] ^ [ 75.131864][ T5336] ffff8880365a0900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 75.135348][ T5336] ffff8880365a0980: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 75.138777][ T5336] ================================================================== [ 75.177324][ T5336] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 75.180694][ T5336] CPU: 0 UID: 0 PID: 5336 Comm: syz.0.0 Not tainted 6.16.0-rc4-syzkaller-00286-gc435a4f487e8 #0 PREEMPT(full) [ 75.186504][ T5336] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 75.190917][ T5336] Call Trace: [ 75.192357][ T5336] [ 75.193524][ T5336] dump_stack_lvl+0x99/0x250 [ 75.195624][ T5336] ? __asan_memcpy+0x40/0x70 [ 75.197668][ T5336] ? __pfx_dump_stack_lvl+0x10/0x10 [ 75.200000][ T5336] ? __pfx__printk+0x10/0x10 [ 75.202007][ T5336] panic+0x2db/0x790 [ 75.203670][ T5336] ? __pfx_preempt_schedule+0x10/0x10 [ 75.206079][ T5336] ? __pfx_panic+0x10/0x10 [ 75.208010][ T5336] ? _raw_spin_unlock_irqrestore+0xfd/0x110 [ 75.210641][ T5336] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 75.213347][ T5336] ? hfsplus_bnode_read+0xc0/0x2a0 [ 75.215591][ T5336] check_panic_on_warn+0x89/0xb0 [ 75.217625][ T5336] ? hfsplus_bnode_read+0xc0/0x2a0 [ 75.219734][ T5336] end_report+0x78/0x160 [ 75.221474][ T5336] kasan_report+0x129/0x150 [ 75.223340][ T5336] ? hfsplus_bnode_read+0xc0/0x2a0 [ 75.225493][ T5336] hfsplus_bnode_read+0xc0/0x2a0 [ 75.227582][ T5336] hfsplus_bnode_dump+0x300/0x450 [ 75.230230][ T5336] ? __pfx_hfsplus_bnode_dump+0x10/0x10 [ 75.232769][ T5336] ? hfsplus_bnode_write_u16+0x8b/0xd0 [ 75.235132][ T5336] ? hfsplus_bnode_move+0x393/0xb90 [ 75.237387][ T5336] ? __pfx___hfsplus_brec_find+0x10/0x10 [ 75.239807][ T5336] hfsplus_brec_remove+0x480/0x550 [ 75.241661][ T5336] __hfsplus_delete_attr+0x1d4/0x360 [ 75.243661][ T5336] ? __pfx___hfsplus_delete_attr+0x10/0x10 [ 75.246278][ T5336] ? hfsplus_attr_build_key+0xee/0x260 [ 75.248580][ T5336] hfsplus_delete_attr+0x231/0x2d0 [ 75.250691][ T5336] ? __pfx_hfsplus_delete_attr+0x10/0x10 [ 75.253062][ T5336] ? hfsplus_find_init+0x8c/0x1d0 [ 75.255329][ T5336] ? hfsplus_find_init+0x15a/0x1d0 [ 75.257554][ T5336] __hfsplus_setxattr+0x37a/0x1f40 [ 75.259828][ T5336] ? is_bpf_text_address+0x26/0x2b0 [ 75.262122][ T5336] ? kernel_text_address+0xa5/0xe0 [ 75.264337][ T5336] ? unwind_get_return_address+0x4d/0x90 [ 75.266665][ T5336] ? __pfx_stack_trace_consume_entry+0x10/0x10 [ 75.269223][ T5336] ? arch_stack_walk+0xfc/0x150 [ 75.271302][ T5336] ? __pfx___hfsplus_setxattr+0x10/0x10 [ 75.273727][ T5336] ? stack_trace_save+0x9c/0xe0 [ 75.275864][ T5336] ? __lock_acquire+0xab9/0xd20 [ 75.278035][ T5336] ? hfsplus_setxattr+0x68/0x180 [ 75.280196][ T5336] ? __kasan_kmalloc+0x93/0xb0 [ 75.282292][ T5336] ? hfsplus_setxattr+0x102/0x180 [ 75.284478][ T5336] hfsplus_setxattr+0x11e/0x180 [ 75.286630][ T5336] hfsplus_trusted_setxattr+0x40/0x60 [ 75.288906][ T5336] ? __pfx_hfsplus_trusted_setxattr+0x10/0x10 [ 75.291561][ T5336] __vfs_setxattr+0x43c/0x480 [ 75.293657][ T5336] __vfs_setxattr_noperm+0x12d/0x660 [ 75.295994][ T5336] vfs_setxattr+0x16b/0x2f0 [ 75.297979][ T5336] ? __pfx_vfs_setxattr+0x10/0x10 [ 75.300127][ T5336] ? mnt_get_write_access+0x223/0x2a0 [ 75.302538][ T5336] filename_setxattr+0x274/0x600 [ 75.304718][ T5336] ? __pfx_filename_setxattr+0x10/0x10 [ 75.307119][ T5336] ? getname_flags+0x1e5/0x540 [ 75.309204][ T5336] path_setxattrat+0x364/0x3a0 [ 75.311291][ T5336] ? __pfx_path_setxattrat+0x10/0x10 [ 75.313560][ T5336] ? rcu_is_watching+0x15/0xb0 [ 75.315702][ T5336] __x64_sys_setxattr+0xbc/0xe0 [ 75.317825][ T5336] do_syscall_64+0xfa/0x3b0 [ 75.319845][ T5336] ? lockdep_hardirqs_on+0x9c/0x150 [ 75.322127][ T5336] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.324730][ T5336] ? clear_bhb_loop+0x60/0xb0 [ 75.326762][ T5336] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.329258][ T5336] RIP: 0033:0x7fcb20d8e929 [ 75.331264][ T5336] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 75.339429][ T5336] RSP: 002b:00007fcb21bd1038 EFLAGS: 00000246 ORIG_RAX: 00000000000000bc [ 75.343013][ T5336] RAX: ffffffffffffffda RBX: 00007fcb20fb5fa0 RCX: 00007fcb20d8e929 [ 75.346490][ T5336] RDX: 0000200000001400 RSI: 00002000000001c0 RDI: 0000200000000200 [ 75.349920][ T5336] RBP: 00007fcb20e10b39 R08: 0000000000000000 R09: 0000000000000000 [ 75.353253][ T5336] R10: 0000000000000835 R11: 0000000000000246 R12: 0000000000000000 [ 75.356517][ T5336] R13: 0000000000000000 R14: 00007fcb20fb5fa0 R15: 00007ffdde843e88 [ 75.359867][ T5336] [ 75.361791][ T5336] Kernel Offset: disabled [ 75.363630][ T5336] Rebooting in 86400 seconds..