Warning: Permanently added '10.128.1.136' (ED25519) to the list of known hosts.
executing program
[ 33.139775][ T6239] loop0: detected capacity change from 0 to 1024
[ 33.193293][ T586] ==================================================================
[ 33.195414][ T586] BUG: KASAN: slab-out-of-bounds in copy_page_from_iter_atomic+0xa1c/0x168c
[ 33.197694][ T586] Read of size 1024 at addr ffff0000d10a9c00 by task kworker/u8:6/586
[ 33.199850][ T586]
[ 33.200448][ T586] CPU: 0 PID: 586 Comm: kworker/u8:6 Not tainted 6.9.0-rc7-syzkaller-gfda5695d692c #0
[ 33.203066][ T586] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
[ 33.205768][ T586] Workqueue: loop0 loop_rootcg_workfn
[ 33.207208][ T586] Call trace:
[ 33.208080][ T586]  dump_backtrace+0x1b8/0x1e4
[ 33.209329][ T586]  show_stack+0x2c/0x3c
[ 33.210422][ T586]  dump_stack_lvl+0xe4/0x150
[ 33.211662][ T586]  print_report+0x198/0x538
[ 33.212877][ T586]  kasan_report+0xd8/0x138
[ 33.214039][ T586]  kasan_check_range+0x268/0x2a8
[ 33.215341][ T586]  __asan_memcpy+0x3c/0x84
[ 33.216518][ T586]  copy_page_from_iter_atomic+0xa1c/0x168c
[ 33.218058][ T586]  generic_perform_write+0x310/0x588
[ 33.219496][ T586]  shmem_file_write_iter+0x110/0x138
[ 33.220897][ T586]  do_iter_readv_writev+0x438/0x658
[ 33.222262][ T586]  vfs_iter_write+0x31c/0x6b8
[ 33.223558][ T586]  loop_process_work+0x1128/0x1d80
[ 33.224880][ T586]  loop_rootcg_workfn+0x28/0x38
[ 33.226144][ T586]  process_one_work+0x7b8/0x15d4
[ 33.227467][ T586]  worker_thread+0x938/0xef4
[ 33.228715][ T586]  kthread+0x288/0x310
[ 33.229786][ T586]  ret_from_fork+0x10/0x20
[ 33.230941][ T586]
[ 33.231550][ T586] Allocated by task 6239:
[ 33.232720][ T586]  kasan_save_track+0x40/0x78
[ 33.233984][ T586]  kasan_save_alloc_info+0x40/0x50
[ 33.235373][ T586]  __kasan_kmalloc+0xac/0xc4
[ 33.236752][ T586]  __kmalloc+0x2b8/0x508
[ 33.237935][ T586]  hfsplus_read_wrapper+0x3ac/0xfcc
[ 33.239325][ T586]  hfsplus_fill_super+0x2f0/0x166c
[ 33.240707][ T586]  mount_bdev+0x1d4/0x2a0
[ 33.241889][ T586]  hfsplus_mount+0x44/0x58
[ 33.243046][ T586]  legacy_get_tree+0xd4/0x16c
[ 33.244378][ T586]  vfs_get_tree+0x90/0x288
[ 33.245605][ T586]  do_new_mount+0x278/0x900
[ 33.246868][ T586]  path_mount+0x590/0xe04
[ 33.248160][ T586]  __arm64_sys_mount+0x45c/0x594
[ 33.249484][ T586]  invoke_syscall+0x98/0x2b8
[ 33.250714][ T586]  el0_svc_common+0x130/0x23c
[ 33.252017][ T586]  do_el0_svc+0x48/0x58
[ 33.253160][ T586]  el0_svc+0x54/0x168
[ 33.254267][ T586]  el0t_64_sync_handler+0x84/0xfc
[ 33.255648][ T586]  el0t_64_sync+0x190/0x194
[ 33.256895][ T586]
[ 33.257493][ T586] The buggy address belongs to the object at ffff0000d10a9c00
[ 33.257493][ T586]  which belongs to the cache kmalloc-512 of size 512
[ 33.261299][ T586] The buggy address is located 0 bytes inside of
[ 33.261299][ T586]  allocated 512-byte region [ffff0000d10a9c00, ffff0000d10a9e00)
[ 33.265015][ T586]
[ 33.265595][ T586] The buggy address belongs to the physical page:
[ 33.267339][ T586] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1110a8
[ 33.269713][ T586] head: order:2 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 33.271780][ T586] flags: 0x5ffc00000000840(slab|head|node=0|zone=2|lastcpupid=0x7ff)
[ 33.273955][ T586] page_type: 0xffffffff()
[ 33.275177][ T586] raw: 05ffc00000000840 ffff0000c0001c80 fffffdffc3634c00 dead000000000002
[ 33.277476][ T586] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 33.279785][ T586] head: 05ffc00000000840 ffff0000c0001c80 fffffdffc3634c00 dead000000000002
[ 33.282205][ T586] head: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 33.284538][ T586] head: 05ffc00000000002 fffffdffc3442a01 fffffdffc3442a48 00000000ffffffff
[ 33.286794][ T586] head: 0000000400000000 0000000000000000 00000000ffffffff 0000000000000000
[ 33.289151][ T586] page dumped because: kasan: bad access detected
[ 33.290848][ T586]
[ 33.291433][ T586] Memory state around the buggy address:
[ 33.292992][ T586]  ffff0000d10a9d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 33.295187][ T586]  ffff0000d10a9d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 33.297349][ T586] >ffff0000d10a9e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.299520][ T586]                    ^
[ 33.300620][ T586]  ffff0000d10a9e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.302763][ T586]  ffff0000d10a9f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.304965][ T586] ==================================================================
[ 33.307289][ T586] Disabling lock debugging due to kernel taint
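The report above is easier to reason about once its numbers are checked against each other: the access size, the object bounds and the shadow dump must all agree. The script below is an added example, not part of the syzkaller output or of any kernel tooling. It parses the relevant lines of the report (copied verbatim into REPORT) and derives how far the 1024-byte read runs past the 512-byte kmalloc-512 object, which frame in the allocation stack asked for that buffer, and what KASAN's shadow memory says about the first out-of-bounds byte. The shadow-byte meanings (0x00 accessible, 0xfc slab redzone, 0xfb freed object, 0xfa page redzone) and the 8-byte shadow granule are generic-KASAN constants; ALLOCATOR_FRAMES is a heuristic prefix list of my own for skipping allocator and KASAN frames, and the parser only handles the overrun case shown here, not underruns.

```python
import re

# Lines copied verbatim from the KASAN report above (only those the parser needs).
REPORT = """\
[ 33.195414][ T586] BUG: KASAN: slab-out-of-bounds in copy_page_from_iter_atomic+0xa1c/0x168c
[ 33.197694][ T586] Read of size 1024 at addr ffff0000d10a9c00 by task kworker/u8:6/586
[ 33.231550][ T586] Allocated by task 6239:
[ 33.232720][ T586]  kasan_save_track+0x40/0x78
[ 33.233984][ T586]  kasan_save_alloc_info+0x40/0x50
[ 33.235373][ T586]  __kasan_kmalloc+0xac/0xc4
[ 33.236752][ T586]  __kmalloc+0x2b8/0x508
[ 33.237935][ T586]  hfsplus_read_wrapper+0x3ac/0xfcc
[ 33.239325][ T586]  hfsplus_fill_super+0x2f0/0x166c
[ 33.256895][ T586]
[ 33.257493][ T586]  which belongs to the cache kmalloc-512 of size 512
[ 33.261299][ T586]  allocated 512-byte region [ffff0000d10a9c00, ffff0000d10a9e00)
[ 33.292992][ T586]  ffff0000d10a9d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 33.295187][ T586]  ffff0000d10a9d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 33.297349][ T586] >ffff0000d10a9e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.300620][ T586]  ffff0000d10a9e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

PREFIX = re.compile(r"^\[\s*[\d.]+\]\[\s*T\d+\]")  # "[ <secs>][ T<tid>]" log prefix
SHADOW_GRANULE = 8            # generic KASAN: one shadow byte per 8 bytes of memory
SHADOW_LINE_BYTES = 16 * 8    # a "Memory state" line shows 16 shadow bytes
SHADOW_MEANING = {0x00: "accessible", 0xfa: "page redzone",   # mm/kasan/kasan.h
                  0xfb: "freed slab object", 0xfc: "slab redzone"}
# My own heuristic: frames that belong to the allocator, not to the caller.
ALLOCATOR_FRAMES = ("kasan_", "__kasan_", "kmalloc", "__kmalloc", "kmem_cache")


def parse_kasan_report(text):
    """Extract the access, the object bounds, the allocation stack and the shadow dump."""
    info = {"alloc_stack": [], "shadow": {}, "marked_line": None}
    in_alloc = False
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if not line:
            in_alloc = False
        elif m := re.match(r"BUG: KASAN: (\S+) in (\S+)", line):
            info["bug_type"], info["fault_site"] = m.group(1), m.group(2)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", line):
            info["access"], info["size"] = m.group(1).lower(), int(m.group(2))
            info["addr"], info["task"] = int(m.group(3), 16), m.group(4)
        elif m := re.match(r"Allocated by task (\d+):", line):
            info["alloc_task"], in_alloc = int(m.group(1)), True
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line):
            info["cache"], info["cache_size"] = m.group(1), int(m.group(2))
        elif m := re.match(r"allocated (\d+)-byte region \[([0-9a-f]+), ([0-9a-f]+)\)", line):
            info["region"] = (int(m.group(2), 16), int(m.group(3), 16))
        elif m := re.match(r"(>?)([0-9a-f]{16}): ((?:[0-9a-f]{2}\s?){16})$", line):
            base = int(m.group(2), 16)
            info["shadow"][base] = [int(b, 16) for b in m.group(3).split()]
            if m.group(1):                 # '>' marks the row holding the first bad byte
                info["marked_line"] = base
        elif in_alloc and re.match(r"\S+\+0x[0-9a-f]+/0x[0-9a-f]+$", line):
            info["alloc_stack"].append(line.split("+")[0])
    return info


def shadow_byte(info, addr):
    """Shadow byte covering addr, read from the dumped 'Memory state' rows."""
    base = addr & ~(SHADOW_LINE_BYTES - 1)
    row = info["shadow"].get(base)
    return None if row is None else row[(addr - base) // SHADOW_GRANULE]


def analyze(info):
    """Cross-check the access size against the object bounds and the shadow dump."""
    start, end = info["region"]
    overrun = max(0, info["addr"] + info["size"] - end)   # bytes read past the object
    first_bad = end if overrun else None                   # only the overrun case is handled
    alloc_site = next((f for f in info["alloc_stack"] if not f.startswith(ALLOCATOR_FRAMES)), None)
    out = {"overrun": overrun, "first_bad_addr": first_bad, "alloc_site": alloc_site,
           "last_in_bounds_shadow": shadow_byte(info, end - 1)}
    if first_bad is not None:
        sb = shadow_byte(info, first_bad)
        out["shadow_at_first_bad"] = sb
        out["shadow_meaning"] = SHADOW_MEANING.get(sb, "unknown")
        # The kernel's '>' row should be the shadow row that contains first_bad.
        out["marker_consistent"] = info["marked_line"] == (first_bad & ~(SHADOW_LINE_BYTES - 1))
    return out


if __name__ == "__main__":
    info = parse_kasan_report(REPORT)
    res = analyze(info)
    print(f"{info['bug_type']}: {info['access']} of {info['size']} bytes from a "
          f"{info['cache_size']}-byte {info['cache']} object allocated in {res['alloc_site']} "
          f"overruns by {res['overrun']} bytes; shadow at first bad byte = "
          f"{res['shadow_at_first_bad']:#04x} ({res['shadow_meaning']})")
```

Run against the report, the arithmetic confirms what the log states piecewise: the object is [ffff0000d10a9c00, ffff0000d10a9e00), the read covers [ffff0000d10a9c00, ffff0000d10aa000), so the last 512 bytes come from the kmalloc-512 redzone, and the shadow byte for ffff0000d10a9e00 is 0xfc, matching the row the kernel flagged with '>'. The first non-allocator frame of the allocation stack is hfsplus_read_wrapper, so that is where the 512-byte size was chosen, while the reader is the loop worker's write path (loop_process_work through shmem_file_write_iter into copy_page_from_iter_atomic) copying 1024 bytes out of it. The same parser works unchanged on other generic-KASAN slab-out-of-bounds reports as long as the "Memory state" dump covers the first bad address.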