program: syz_mount_image$hfsplus(&(0x7f0000000000), &(0x7f0000000140)='./file1\x00', 0x1008400, &(0x7f0000000080)=ANY=[@ANYRES16=0x0, @ANYRES64], 0x86, 0x680, &(0x7f0000000340)="$eJzs3c1vHGcdB/DvbNZONpTUTZM2RZUSNRIgIhI7Vgrm0oAQyqFCVTlwthInsbJJi+0it0LUvF8rkT+gHHzjgJC4R5QLF7j16mMlBJdeMKdFMzu7Xr/bCfHa4fOJxvPMPPM8z+/57czOvsRygP9bNy6l+ShFblx6c7HcXlmebK8sT97vlZMcT9JImt1Vin93Op1PkuvpLnml3Fl3V2w3zsPZqbc//Xzls+5Ws16q4xs7tdubpXrJhSTH6vXj+e2m/m7u1t+J3fos+jMsE3axlzgYtpEknco/H3b3/Oivz/VrBrS2ar3rmQ8cAUX3vrnJWHKyvtDL1wHdu2L3nn2kLQ07AAAAADgAz69mNYs5New4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4Cip//5/US+NXvlCit7f/x+t96UuHy7n93f4o6cVBwAAAAAAAAAcoPOrWc1iTiVZKrc7RfWd/2tV5Znq5xfyXuYzk7lczmKms5CFzGUiydhAR6OL0wsLcxP9lr3/GbC55dUtW17dJdDj9br1v5o5AAAAAAAAADxTfp4b1ff/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABwaBTJse6qWs70ymNpNJOcSDJaHreU/L1XPsoeDTsAAAAAeAKdPR73/GpWs5hT/XZF9Z7/pep9/4m8lwdZyGwW0s5MblWfBXTf9TdWlifbK8uT98tlc7/f/te+wq16TPezh61HPlcd0crtzFZ7Ludm3klR3Eqjalk614tn67h+VsZUvNE1slM4A9m7Va/LmX9Urzf5cF+T3c4+P0wZqzIy0s/IeB1bmY0Xds7EPh+djSNNpNEP9syGkTZMYl3O39jjeCfrdTmfX2+X86HYmImrA2ffSzvnPPnKn37/w7vtB/fu3p6/dHimtDe9DwW7V0ZrcyYmBzLx8rOciU3Gq0yc7W/fyPfyg1zKhbyVuczmx5nOQmZyId+tStP1+VwMXPLbZOr6uq23dotktD5Du8+i62PKLjG9VrU9ldl8P+/kVmbyevXvaibyjVzLtUwNPMJn9/BM29jmqu98ccvgL361LrSS/KZeV+40d5v4U1bm9YWBvA4+545VdYN71rJ0eh/3o16W/rBzKM0v1YVyjF/U68NhYyYmBjLx4s6Z+F31tDLffnBv7u70u3sb7vRHdaG8jn51qO4S5flyunywqq31Z0dZ92JdN1Ita/karb9x6bZrbKo726/rXqlL216po/VruM09Xa3qXt6ybrKqOzdQt/H1Vrv/euhZ+PIH4Jl18msnR1v/aP2t9XHrl627rTdPfOf4N4+/OpqRv4x8qzl+7MuNV4s/5uP8dO39PwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA8Pjm3//g3nS7PTO3odDpdD7cpuooF47V0z7AQV95LhnWlEeTHI7M/6fT6dR7isMQz86FTul4Oo/Z/M9J9nZwM8lWVeeHn4QhPzEBT92VhfvvXpl//4Ovz96fvjNzZ+bB1LVrU+NT116fvHJ7tj0z3v057CiBp2Htpj/sSAAAAAAAAAAAAIC9OohfJ9h+9BMHOVUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADgiLpxKc1HKTIxfnm83F5ZnmyXS6+8dmQzSSNJ8ZOk+CS5nu6SsYHuiu3GeTg79fann698ttZXs3d8Y6d2W2ps3LFUL7mQ5Fi9fgLr+rv5xP0V/RmWCbvYSxwM238DAAD///NMCDQ=") r0 = syz_open_dev$dri(&(0x7f0000000000), 0x2, 0x800) ioctl$DRM_IOCTL_MODE_GETPLANERESOURCES(r0, 0xc01064b5, &(0x7f0000000100)={&(0x7f00000000c0)=[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x8}) syz_mount_image$hfsplus(&(0x7f0000000980), &(0x7f0000000a80)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x2000010, &(0x7f0000000bc0)=ANY=[@ANYRES8=0x0, @ANYRES8, @ANYBLOB="4a3a9f8c2aab73255ecca15a5a34325eec52c449bc0f78c4d4996b7c34f8c4027731d8084daf83fa32ac4f26093d06abe1c066b64b56d81577ccc09ee10fa7258f8c9a08a6fa6f21d52366469e697011812e7133138514e15b9fe1f64a7d3062ee9a77ca0a5d9f6af20321dc3f0f0577b860b69773048ec9a9a6d40e94d2f4aca5a132897494efd6232446f0d416f1a75c1e7e1e233ad655fc58f85c70c7dd0ceb659e250e5119c5992ee82dcfb95d0269ade1e10bd70f4b00"/197], 0xff, 0x6de, &(0x7f0000000180)="$eJzs3c9vHGcZB/DvrNeON1TBaZM2QkVYiVSQIhInVgrhgkEI5VChqhx6thKnsbpJqsRFaYUgBQQnJA79AwqSbxwQEvegcOFSbr36WAmJS8QhqpAWzezsete7ju0kXifw+UTjed9533nnmWd+eddZbYD/W5dOp3kvRS6dfuNOWd9YX2xvrC8eqpvbScpyI2l2ZyluJMX9ZKlsLwamDMxHfLx68a3PHmx83q0166nqP9Vfb3ZXIY/Zxt16ynw93vzYNad3NX53rCq8vJDkcj0fNrPbsYY6lkk7Vc/hwHVG3N3L6tte78Czr/d0KrrPzRFzyeH6yVz9TlDfHRqTi3B/7OkuBwAAAM+pT28edAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADw/Km//7+op0Y9z3yK3vf/z/SW1eVn0NKue97b1zgAAAAAAAAAYDK+9jAPcydHevVOUf3N/2RVOZYvOsmX8n5uZyW3ciZ3spy1rOVWziWZGxho5s7y2tqtc/01S+PXPD92zfOT2mMAAAAAAAAA+J/0i7Q2//4PAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADPgiKZ6s6q6Vg9z1wazWy25W7yjyQzBx3vHhTjFt6bfBwAAADwRGYfY50vP8zD3MmRXr1TVK/5X65eL8/m/dzIWlazlnZWcqV+DV2+6m9srC+2N9YXr5dTWR8e93v/2lMYM/UIU1Vt3JZPVD1auZrVasmZXC6S/3Q6nUZ326eSE714BuIa8FEZU/Hd2i4ja9ZpLff8d9u9i/BUDL8V0XhEz9ZmcEk/Iwt1bOWaR7sZKKo3apKtmdjx6DSHanPVqNP9LZ1Lo//Oz7F9yPnhel7uz6/3Ned71c9EI1UmzqfRP1IvPzoTydf/8se3r7VvvHvt6u3Tz84u7WBqm+Vbz4nFgUy88lxnornH/gtVJo7365fyw/w4pzOfN3Mrq/lJlrOWlXTq9uX6fC5/zj06U0tDtTd3imSmPi7dY7abmObzg6q0nJPVukeymiI3cyUreb36dz7n8q1cyIVcHDjCx7eNu9q36qpvbL3qe0f6r2ODP/WNulDe3X6zeZdbetQeb3d2Pi3de3+Z16MDee2e9Q/6vY4OXAcLA1l6sZed6bGDP869sfmVulBu45c7PCcma67ORHkB9Z4Svehe6maiWT2LRs/z33fK9dK+0elcW35vm/Hvbqm/Vs/L02r9qzv17hl/KJ6u8nx5MbP1nWT47CjbXurfZQbaOpvncrdt+Ilbrne8aiuK3pX6o9ysToDRK3Wm/h1udKTzVdsrY9sWq7YTA21Dv2/lZtq5MoH8AfA4/v52vziXwzOtf7Y+bX3S+lXrWuuN2e8f+vahV2cy/bfp7zQXpl5rvFr8OZ/kZ5uv/wEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgMd3+4MP311ut1dujS80tm9aXup9cU27vdLK1j7bjXxo/IBF/YU+O8TzTBbSHG2aLfMyuGS6m6gJR9jaGsZIofPzZOIZ632J4Pg+vy0LzZEzalxhaWjJn0YH/GiPERa7uy72sdDIZDdaXsXjmg7ohgRMzNm16++dvf3Bh99cvb78zso7KzemL1y4uHDxwuuLZ6+utlcWuj8POkpgP2w+9A86EgAAAAAAAAAAAGC3xn0w4OQLO31oZFef8fA/CwEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAICn4tLpNO+lyLmFMwtlfWN9sV1OvfJmz2aSRiMpfpoU95OldKfMDQxX5A/30xmznY9XL7712YONzzfHanb7J416vr1Htya5W0+ZTzJVz5/A0HiXn3i84t+9fSgT9kWn01l6svjg6fhvAAAA///1I/PD") r2 = openat(0xffffffffffffff9c, &(0x7f0000000240)='./file1\x00', 0x105042, 0x1db) unlink(&(0x7f0000000080)='./file1\x00') close(r2) r3 = syz_open_dev$dri(&(0x7f0000000040), 0xd21, 0x0) ioctl$DRM_IOCTL_MODE_GETRESOURCES(r3, 0xc04064a0, &(0x7f0000000000)={0x0, &(0x7f00000000c0)=[0x0], 0x0, 0x0, 0x0, 0x1}) ioctl$DRM_IOCTL_MODE_GETCRTC(r3, 0xc06864a1, &(0x7f0000000100)={0x0, 0x0, r4}) ioctl$DRM_IOCTL_MODE_CREATEPROPBLOB(r0, 0xc01064bd, &(0x7f00000001c0)={&(0x7f0000000240)="ddcbd87b34bde472cc923520b1ded0d4c1bca60bceb1c15f0d5bd4f5c7432e6c9c031fec97b82de42e7dc29b6f105fb5f4980dd7d856e2ef86b560295cae550b7a694accfcdeb5c84c31f68cc9eb8e9e08512cd9ce1d8f0d6188f8bc508f8d412d68ec41ecb4925697b4f3e3553fc8d82ac9df0933f53055ae01c264870cd1bd9593e88922c1fff486d1cdf8fdfbafc04e4ee699e4c861434c3d316cae8a573f6f07f2b455ef93761de88386920b9df6e9418396632fa81aaa77f4cd7cd5891b7edb3cbccd54d0b8bd710ffab73c4f7dbe094136fbeddad656ad5aa6108642044dd489255dcbbe5653e5b2cd306248f6476364d70c9cfb366d1ca2211d3c80", 0xff, 0x0}) r6 = syz_open_dev$dri(&(0x7f0000000080), 0x1, 0x0) ioctl$DRM_IOCTL_SET_CLIENT_CAP(r6, 0x4010640d, &(0x7f0000000000)={0x3, 0x2}) ioctl$DRM_IOCTL_MODE_CREATEPROPBLOB(r6, 0xc01064bd, &(0x7f0000000280)={&(0x7f00000004c0)="00a1a4010400", 0x6}) ioctl$DRM_IOCTL_MODE_GETPLANERESOURCES(r6, 0xc01064b5, &(0x7f0000000140)={&(0x7f0000000480)=[0x0], 0x1}) ioctl$DRM_IOCTL_MODE_GET_LEASE(r6, 0xc01064c8, &(0x7f0000000340)={0x0, 0x0, 0x0}) ioctl$BTRFS_IOC_TREE_SEARCH(r2, 0xd0009411, &(0x7f0000000cc0)={{0x0, 0x29, 0x6b6, 0x3, 0x8, 0xffff, 0xff, 0x3, 0x5fe, 0x3, 0x7, 0x4, 0x4, 0x9, 0x7fffffffffffffff}}) ioctl$BTRFS_IOC_TREE_SEARCH_V2(r6, 0xc0709411, &(0x7f0000001cc0)={{r8, 0x9, 0x0, 0xd7b3, 0x9, 0x0, 0xe, 0x3, 0x0, 0xfffffffc, 0x3, 0x8, 0x0, 0x7fffffffffffffff, 0x3}, 0x48, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}) ioctl$DRM_IOCTL_MODE_GETPLANE(r6, 0xc02064b6, &(0x7f00000001c0)={r7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) ioctl$DRM_IOCTL_MODE_GETRESOURCES(r0, 0xc04064a0, &(0x7f0000000b00)={&(0x7f00000009c0)=[0x0, 0x0], &(0x7f0000000a40)=[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], &(0x7f0000000a80)=[0x0, 0x0, 0x0, 0x0, 0x0, 0x0], &(0x7f0000000ac0)=[0x0, 0x0], 0x2, 0x7, 0x6, 0x2}) ioctl$DRM_IOCTL_MODE_CREATE_LEASE(0xffffffffffffffff, 0xc01864c6, &(0x7f0000000b80)={&(0x7f0000000b40)=[r1, r4, r5, r7, r9], 0x5, 0x800}) bpf$PROG_LOAD(0x5, &(0x7f0000000640)={0x2, 0x12, &(0x7f0000000380)=ANY=[@ANYBLOB="180000001c000000000000000700000018110000", @ANYRES32, @ANYBLOB="0000000000000000b702000014000000b7030000000000008500000083000000bf090000000000005509010000000000950000000000000018170000", @ANYRES32, @ANYBLOB="000000000000000003bb010001800000bf91000000000000b7020000000000008500000084000000b7000441d74c052b3314a5072dc62b6c"], 0x0, 0x7, 0x0, 0x0, 0x41000, 0xe, '\x00', 0x0, @fallback=0x2f, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x10, 0x1}, 0x94) syz_usb_connect$cdc_ecm(0x2, 0x62, &(0x7f00000003c0)=ANY=[@ANYBLOB="12010000020000082505a1a440000102030109025000010100000009040000030806"], 0x0) r10 = syz_open_dev$usbfs(&(0x7f0000000180), 0x10000001d, 0x8041) ioctl$USBDEVFS_IOCTL(r10, 0xc0105512, &(0x7f0000000200)=@usbdevfs_connect) ioctl$DRM_IOCTL_DROP_MASTER(r0, 0x641f) ioctl$DRM_IOCTL_SET_MASTER(r0, 0x641e) listxattr(&(0x7f0000000a00)='./file1\x00', 0x0, 0x0) ioctl$KVM_UNREGISTER_COALESCED_MMIO(r0, 0x4010ae68, &(0x7f0000000040)={0xeeef0000, 0x0, 0x1}) [ 84.464864][ T4668] Bluetooth: hci0: command tx timeout [ 84.560402][ T5324] loop0: detected capacity change from 0 to 1024 [ 84.710734][ T25] audit: type=1800 audit(1751217822.520:2): pid=5324 uid=0 auid=4294967295 ses=4294967295 subj=unconfined op=collect_data cause=failed(directio) comm="syz.0.0" name="file1" dev="loop0" ino=20 res=0 errno=0 [ 84.731217][ T5324] hfsplus: request for non-existent node 128 in B*Tree [ 84.734284][ T5324] hfsplus: request for non-existent node 128 in B*Tree [ 84.737495][ T5324] ================================================================== [ 84.740958][ T5324] BUG: KASAN: slab-out-of-bounds in hfsplus_bnode_read+0xc0/0x2a0 [ 84.744479][ T5324] Read of size 8 at addr ffff888034a743c0 by task syz.0.0/5324 [ 84.747679][ T5324] [ 84.748736][ T5324] CPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted 6.16.0-rc3-syzkaller-00346-gafa9a6f4f574 #0 PREEMPT(full) [ 84.748752][ T5324] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 84.748759][ T5324] Call Trace: [ 84.748766][ T5324] [ 84.748771][ T5324] dump_stack_lvl+0x189/0x250 [ 84.748795][ T5324] ? __kasan_check_byte+0x12/0x40 [ 84.748808][ T5324] ? __pfx_dump_stack_lvl+0x10/0x10 [ 84.748822][ T5324] ? lock_release+0x4b/0x3e0 [ 84.748838][ T5324] ? __virt_addr_valid+0x4a5/0x5c0 [ 84.748848][ T5324] print_report+0xd2/0x2b0 [ 84.748860][ T5324] ? hfsplus_bnode_read+0xc0/0x2a0 [ 84.748873][ T5324] kasan_report+0x118/0x150 [ 84.748883][ T5324] ? hfsplus_bnode_read+0xc0/0x2a0 [ 84.748898][ T5324] hfsplus_bnode_read+0xc0/0x2a0 [ 84.748913][ T5324] hfsplus_bnode_dump+0x300/0x450 [ 84.748928][ T5324] ? __pfx_hfsplus_bnode_dump+0x10/0x10 [ 84.748943][ T5324] ? hfsplus_bnode_write_u16+0x8b/0xd0 [ 84.748955][ T5324] ? hfsplus_bnode_move+0x393/0xb90 [ 84.748968][ T5324] ? __pfx___hfsplus_brec_find+0x10/0x10 [ 84.748978][ T5324] hfsplus_brec_remove+0x480/0x550 [ 84.748994][ T5324] __hfsplus_delete_attr+0x1d4/0x360 [ 84.749004][ T5324] ? __pfx___hfsplus_delete_attr+0x10/0x10 [ 84.749014][ T5324] ? hfsplus_find_init+0x8c/0x1d0 [ 84.749029][ T5324] hfsplus_delete_all_attrs+0x277/0x410 [ 84.749040][ T5324] ? __pfx_hfsplus_delete_all_attrs+0x10/0x10 [ 84.749049][ T5324] ? rcu_is_watching+0x15/0xb0 [ 84.749063][ T5324] ? __mark_inode_dirty+0x3ab/0xdf0 [ 84.749077][ T5324] hfsplus_delete_cat+0x92c/0xd20 [ 84.749088][ T5324] ? __pfx_hfsplus_delete_cat+0x10/0x10 [ 84.749104][ T5324] ? down_write+0x162/0x1f0 [ 84.749169][ T5324] ? __pfx_down_write+0x10/0x10 [ 84.749179][ T5324] ? __pfx_locks_remove_posix+0x10/0x10 [ 84.749196][ T5324] hfsplus_file_release+0x18f/0x3e0 [ 84.749208][ T5324] ? __fput+0x43d/0xa70 [ 84.749223][ T5324] ? __pfx_hfsplus_file_release+0x10/0x10 [ 84.749236][ T5324] __fput+0x449/0xa70 [ 84.749252][ T5324] fput_close_sync+0x119/0x200 [ 84.749264][ T5324] ? __pfx_fput_close_sync+0x10/0x10 [ 84.749279][ T5324] __x64_sys_close+0x7f/0x110 [ 84.749293][ T5324] do_syscall_64+0xfa/0x3b0 [ 84.749306][ T5324] ? lockdep_hardirqs_on+0x9c/0x150 [ 84.749318][ T5324] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.749328][ T5324] ? clear_bhb_loop+0x60/0xb0 [ 84.749339][ T5324] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.749349][ T5324] RIP: 0033:0x7fb03158e929 [ 84.749360][ T5324] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 84.749369][ T5324] RSP: 002b:00007fb0323a5038 EFLAGS: 00000246 ORIG_RAX: 0000000000000003 [ 84.749383][ T5324] RAX: ffffffffffffffda RBX: 00007fb0317b5fa0 RCX: 00007fb03158e929 [ 84.749392][ T5324] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005 [ 84.749398][ T5324] RBP: 00007fb031610b39 R08: 0000000000000000 R09: 0000000000000000 [ 84.749405][ T5324] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 84.749412][ T5324] R13: 0000000000000000 R14: 00007fb0317b5fa0 R15: 00007ffc19ae6f58 [ 84.749422][ T5324] [ 84.749426][ T5324] [ 84.886097][ T5324] Allocated by task 5324: [ 84.887869][ T5324] kasan_save_track+0x3e/0x80 [ 84.889793][ T5324] __kasan_kmalloc+0x93/0xb0 [ 84.891898][ T5324] __kmalloc_noprof+0x27a/0x4f0 [ 84.893997][ T5324] __hfs_bnode_create+0xf3/0x810 [ 84.896297][ T5324] hfsplus_bnode_find+0x224/0xd20 [ 84.898436][ T5324] hfsplus_brec_find+0x15c/0x500 [ 84.900680][ T5324] __hfsplus_getxattr+0x301/0x7e0 [ 84.902927][ T5324] hfsplus_getxattr+0x10d/0x180 [ 84.907237][ T5324] vfs_getxattr_alloc+0x42b/0x580 [ 84.909599][ T5324] ima_read_xattr+0x38/0x60 [ 84.911575][ T5324] process_measurement+0xfd7/0x1a40 [ 84.913893][ T5324] ima_file_check+0xd7/0x120 [ 84.915970][ T5324] security_file_post_open+0xbb/0x290 [ 84.918369][ T5324] path_openat+0x2f26/0x3830 [ 84.920419][ T5324] do_filp_open+0x1fa/0x410 [ 84.922404][ T5324] do_sys_openat2+0x121/0x1c0 [ 84.924475][ T5324] __x64_sys_openat+0x138/0x170 [ 84.926592][ T5324] do_syscall_64+0xfa/0x3b0 [ 84.928603][ T5324] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.930991][ T5324] [ 84.932057][ T5324] The buggy address belongs to the object at ffff888034a74300 [ 84.932057][ T5324] which belongs to the cache kmalloc-192 of size 192 [ 84.938124][ T5324] The buggy address is located 40 bytes to the right of [ 84.938124][ T5324] allocated 152-byte region [ffff888034a74300, ffff888034a74398) [ 84.944280][ T5324] [ 84.945401][ T5324] The buggy address belongs to the physical page: [ 84.948105][ T5324] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x34a74 [ 84.951839][ T5324] ksm flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff) [ 84.955162][ T5324] page_type: f5(slab) [ 84.956886][ T5324] raw: 04fff00000000000 ffff88801a4413c0 ffffea0000d9b540 dead000000000003 [ 84.960396][ T5324] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 84.963957][ T5324] page dumped because: kasan: bad access detected [ 84.966737][ T5324] page_owner tracks the page as allocated [ 84.969134][ T5324] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52c00(GFP_NOIO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 1, tgid 1 (swapper/0), ts 11334603758, free_ts 0 [ 84.976471][ T5324] post_alloc_hook+0x240/0x2a0 [ 84.978456][ T5324] get_page_from_freelist+0x21e4/0x22c0 [ 84.980638][ T5324] __alloc_frozen_pages_noprof+0x181/0x370 [ 84.983122][ T5324] allocate_slab+0x65/0x3b0 [ 84.985111][ T5324] ___slab_alloc+0xbfc/0x1480 [ 84.987178][ T5324] __kvmalloc_node_noprof+0x429/0x5f0 [ 84.989509][ T5324] sbitmap_init_node+0x2c9/0x630 [ 84.991710][ T5324] blk_mq_alloc_and_init_hctx+0x4ea/0xd60 [ 84.994004][ T5324] __blk_mq_realloc_hw_ctxs+0x169/0x400 [ 84.996487][ T5324] blk_mq_init_allocated_queue+0x400/0x1490 [ 84.999010][ T5324] __blk_mq_alloc_disk+0x1f6/0x340 [ 85.001200][ T5324] nbd_dev_add+0x476/0xb00 [ 85.003218][ T5324] nbd_init+0x21a/0x2d0 [ 85.005119][ T5324] do_one_initcall+0x233/0x820 [ 85.007200][ T5324] do_initcall_level+0x137/0x1f0 [ 85.009801][ T5324] do_initcalls+0x69/0xd0 [ 85.011694][ T5324] page_owner free stack trace missing [ 85.013962][ T5324] [ 85.015110][ T5324] Memory state around the buggy address: [ 85.017555][ T5324] ffff888034a74280: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc [ 85.021122][ T5324] ffff888034a74300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 85.024520][ T5324] >ffff888034a74380: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc [ 85.027935][ T5324] ^ [ 85.030579][ T5324] ffff888034a74400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 85.033947][ T5324] ffff888034a74480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 85.037358][ T5324] ================================================================== [ 85.072586][ T5324] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 85.075322][ T5324] CPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted 6.16.0-rc3-syzkaller-00346-gafa9a6f4f574 #0 PREEMPT(full) [ 85.079670][ T5324] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 85.083918][ T5324] Call Trace: [ 85.085434][ T5324] [ 85.086730][ T5324] dump_stack_lvl+0x99/0x250 [ 85.088700][ T5324] ? __asan_memcpy+0x40/0x70 [ 85.090598][ T5324] ? __pfx_dump_stack_lvl+0x10/0x10 [ 85.092802][ T5324] ? __pfx__printk+0x10/0x10 [ 85.094885][ T5324] panic+0x2db/0x790 [ 85.096666][ T5324] ? __pfx_preempt_schedule+0x10/0x10 [ 85.099022][ T5324] ? __pfx_panic+0x10/0x10 [ 85.101015][ T5324] ? _raw_spin_unlock_irqrestore+0xfd/0x110 [ 85.103629][ T5324] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 85.106445][ T5324] ? hfsplus_bnode_read+0xc0/0x2a0 [ 85.108745][ T5324] check_panic_on_warn+0x89/0xb0 [ 85.110937][ T5324] ? hfsplus_bnode_read+0xc0/0x2a0 [ 85.113235][ T5324] end_report+0x78/0x160 [ 85.115182][ T5324] kasan_report+0x129/0x150 [ 85.117168][ T5324] ? hfsplus_bnode_read+0xc0/0x2a0 [ 85.119282][ T5324] hfsplus_bnode_read+0xc0/0x2a0 [ 85.121475][ T5324] hfsplus_bnode_dump+0x300/0x450 [ 85.123613][ T5324] ? __pfx_hfsplus_bnode_dump+0x10/0x10 [ 85.125961][ T5324] ? hfsplus_bnode_write_u16+0x8b/0xd0 [ 85.128338][ T5324] ? hfsplus_bnode_move+0x393/0xb90 [ 85.130617][ T5324] ? __pfx___hfsplus_brec_find+0x10/0x10 [ 85.132959][ T5324] hfsplus_brec_remove+0x480/0x550 [ 85.135176][ T5324] __hfsplus_delete_attr+0x1d4/0x360 [ 85.137388][ T5324] ? __pfx___hfsplus_delete_attr+0x10/0x10 [ 85.139987][ T5324] ? hfsplus_find_init+0x8c/0x1d0 [ 85.142229][ T5324] hfsplus_delete_all_attrs+0x277/0x410 [ 85.144652][ T5324] ? __pfx_hfsplus_delete_all_attrs+0x10/0x10 [ 85.147242][ T5324] ? rcu_is_watching+0x15/0xb0 [ 85.149375][ T5324] ? __mark_inode_dirty+0x3ab/0xdf0 [ 85.151709][ T5324] hfsplus_delete_cat+0x92c/0xd20 [ 85.153978][ T5324] ? __pfx_hfsplus_delete_cat+0x10/0x10 [ 85.156497][ T5324] ? down_write+0x162/0x1f0 [ 85.158369][ T5324] ? __pfx_down_write+0x10/0x10 [ 85.160495][ T5324] ? __pfx_locks_remove_posix+0x10/0x10 [ 85.162771][ T5324] hfsplus_file_release+0x18f/0x3e0 [ 85.165050][ T5324] ? __fput+0x43d/0xa70 [ 85.166871][ T5324] ? __pfx_hfsplus_file_release+0x10/0x10 [ 85.169381][ T5324] __fput+0x449/0xa70 [ 85.171066][ T5324] fput_close_sync+0x119/0x200 [ 85.173032][ T5324] ? __pfx_fput_close_sync+0x10/0x10 [ 85.175564][ T5324] __x64_sys_close+0x7f/0x110 [ 85.177560][ T5324] do_syscall_64+0xfa/0x3b0 [ 85.179471][ T5324] ? lockdep_hardirqs_on+0x9c/0x150 [ 85.181632][ T5324] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.184366][ T5324] ? clear_bhb_loop+0x60/0xb0 [ 85.186402][ T5324] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.188906][ T5324] RIP: 0033:0x7fb03158e929 [ 85.190741][ T5324] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 85.198968][ T5324] RSP: 002b:00007fb0323a5038 EFLAGS: 00000246 ORIG_RAX: 0000000000000003 [ 85.202574][ T5324] RAX: ffffffffffffffda RBX: 00007fb0317b5fa0 RCX: 00007fb03158e929 [ 85.206094][ T5324] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005 [ 85.209567][ T5324] RBP: 00007fb031610b39 R08: 0000000000000000 R09: 0000000000000000 [ 85.213844][ T5324] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 85.217386][ T5324] R13: 0000000000000000 R14: 00007fb0317b5fa0 R15: 00007ffc19ae6f58 [ 85.221104][ T5324] [ 85.222822][ T5324] Kernel Offset: disabled [ 85.224640][ T5324] Rebooting in 86400 seconds..