[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.100' (ECDSA) to the list of known hosts.

syzkaller login: [ 57.533665] audit: type=1400 audit(1602724219.080:9): avc: denied { execmem } for pid=6496 comm="syz-executor611" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 58.662584] IPVS: ftp: loaded support on port[0] = 21
[ 58.759104] chnl_net:caif_netlink_parms(): no params data found
[ 58.886856] bridge0: port 1(bridge_slave_0) entered blocking state
[ 58.894127] bridge0: port 1(bridge_slave_0) entered disabled state
[ 58.902053] device bridge_slave_0 entered promiscuous mode
[ 58.909510] bridge0: port 2(bridge_slave_1) entered blocking state
[ 58.916011] bridge0: port 2(bridge_slave_1) entered disabled state
[ 58.923319] device bridge_slave_1 entered promiscuous mode
[ 58.942386] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 58.952249] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 58.972080] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 58.980662] team0: Port device team_slave_0 added
[ 58.986338] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 58.993912] team0: Port device team_slave_1 added
[ 59.009756] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 59.016158] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 59.041820] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 59.054006] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 59.060520] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 59.085761] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 59.096787] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 59.104570] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 59.124502] device hsr_slave_0 entered promiscuous mode
[ 59.130828] device hsr_slave_1 entered promiscuous mode
[ 59.137174] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 59.144604] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 59.216540] bridge0: port 2(bridge_slave_1) entered blocking state
[ 59.223209] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 59.230052] bridge0: port 1(bridge_slave_0) entered blocking state
[ 59.236651] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 59.273367] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 59.279614] 8021q: adding VLAN 0 to HW filter on device bond0
[ 59.289134] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 59.298987] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 59.308268] bridge0: port 1(bridge_slave_0) entered disabled state
[ 59.316029] bridge0: port 2(bridge_slave_1) entered disabled state
[ 59.323469] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 59.335626] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 59.341875] 8021q: adding VLAN 0 to HW filter on device team0
[ 59.352201] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 59.359874] bridge0: port 1(bridge_slave_0) entered blocking state
[ 59.366298] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 59.376800] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 59.385890] bridge0: port 2(bridge_slave_1) entered blocking state
[ 59.392388] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 59.408408] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 59.417114] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 59.427692] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 59.439113] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 59.449798] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 59.459783] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 59.465978] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 59.480004] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 59.487887] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 59.494856] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 59.506535] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 59.519371] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 59.529514] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 59.563407] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 59.571634] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 59.578181] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 59.588496] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 59.596469] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 59.603868] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 59.613644] device veth0_vlan entered promiscuous mode
[ 59.623756] device veth1_vlan entered promiscuous mode
[ 59.629650] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 59.640008] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 59.653120] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 59.663306] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 59.671248] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 59.678528] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 59.689191] device veth0_macvtap entered promiscuous mode
[ 59.696373] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 59.705421] device veth1_macvtap entered promiscuous mode
[ 59.715457] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 59.725050] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 59.737265] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 59.744731] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 59.754147] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 59.763877] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 59.771374] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 59.777957] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 59.786210] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 59.914780] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 59.922173] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 59.933683] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 59.945881] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
executing program
[ 59.962227] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
[ 59.969741] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 59.977498] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 59.985089] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 60.004761] ntfs: (device loop0): is_boot_sector_ntfs(): Invalid end of sector marker.
[ 60.016786] ntfs: (device loop0): map_mft_record_page(): Mft record 0x1 is corrupt. Run chkdsk.
[ 60.026727] ntfs: (device loop0): map_mft_record(): Failed with error code 5.
[ 60.035433] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x1 as bad. Run chkdsk.
[ 60.048738] ntfs: (device loop0): load_system_files(): Failed to load $MFTMirr. Mounting read-only. Run ntfsfix and/or chkdsk.
[ 60.062017] ntfs: (device loop0): map_mft_record_page(): Mft record 0xa is corrupt. Run chkdsk.
[ 60.071558] ntfs: (device loop0): map_mft_record(): Failed with error code 5.
[ 60.079050] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0xa as bad. Run chkdsk.
[ 60.092063] ntfs: (device loop0): load_and_init_upcase(): Failed to load $UpCase from the volume. Using default.
[ 60.103700] ==================================================================
[ 60.111326] BUG: KASAN: use-after-free in ntfs_read_locked_inode+0x4731/0x5490
[ 60.118675] Read of size 8 at addr ffff8880819a46cd by task syz-executor611/6497
[ 60.126184]
[ 60.127797] CPU: 1 PID: 6497 Comm: syz-executor611 Not tainted 4.19.150-syzkaller #0
[ 60.135666] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.145019] Call Trace:
[ 60.147614] dump_stack+0x22c/0x33e
[ 60.151245] print_address_description.cold+0x56/0x25c
[ 60.156526] kasan_report_error.cold+0x66/0xb9
[ 60.161123] ? ntfs_read_locked_inode+0x4731/0x5490
[ 60.166137] __asan_report_load_n_noabort+0x8b/0xa0
[ 60.171157] ? ntfs_read_locked_inode+0x4731/0x5490
[ 60.176152] ntfs_read_locked_inode+0x4731/0x5490
[ 60.181080] ? ntfs_index_lookup.cold+0xc2/0xc2
[ 60.185743] ? ntfs_test_inode+0x2c0/0x2c0
[ 60.189983] ? iget5_locked+0x3c/0xd0
[ 60.193783] ntfs_iget+0x12d/0x180
[ 60.197305] ? ntfs_read_locked_inode+0x5490/0x5490
[ 60.202320] ? iput+0x511/0x890
[ 60.205588] ntfs_fill_super+0x22b0/0x89d2
[ 60.209825] ? snprintf+0xbb/0xf0
[ 60.213266] ? vsprintf+0x30/0x30
[ 60.216701] ? ntfs_remount+0x500/0x500
[ 60.220678] ? __mutex_add_waiter+0x160/0x160
[ 60.225181] ? set_blocksize+0x163/0x3f0
[ 60.229484] mount_bdev+0x2fc/0x3b0
[ 60.233094] ? ntfs_remount+0x500/0x500
[ 60.237054] mount_fs+0xa3/0x318
[ 60.240404] vfs_kern_mount.part.0+0x68/0x470
[ 60.244880] do_mount+0x51c/0x2f10
[ 60.248399] ? __do_page_fault+0x1ca/0xe00
[ 60.252611] ? copy_mount_string+0x40/0x40
[ 60.256827] ? copy_mount_options+0x1c3/0x370
[ 60.261319] ? copy_mount_options+0x1d0/0x370
[ 60.265853] ? memset+0x20/0x40
[ 60.269126] ? copy_mount_options+0x261/0x370
[ 60.273624] ksys_mount+0xcf/0x130
[ 60.277149] __x64_sys_mount+0xba/0x150
[ 60.281106] ? lockdep_hardirqs_on+0x3c1/0x5e0
[ 60.285680] do_syscall_64+0xf9/0x670
[ 60.289462] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 60.294656] RIP: 0033:0x45761a
[ 60.298050] Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 ed a3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 ca a3 fb ff c3 66 0f 1f 84 00 00 00 00 00
[ 60.316954] RSP: 002b:00007ffcd49d7368 EFLAGS: 00000287 ORIG_RAX: 00000000000000a5
[ 60.324645] RAX: ffffffffffffffda RBX: 00007ffcd49d73c0 RCX: 000000000045761a
[ 60.331921] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffcd49d7380
[ 60.339179] RBP: 0000000000000004 R08: 00007ffcd49d73c0 R09: 0000000000316777
[ 60.346617] R10: 0000000000000000 R11: 0000000000000287 R12: 0000000000000003
[ 60.353887] R13: 00007ffcd49d7380 R14: 0000000000000000 R15: 0000000020001230
[ 60.361165]
[ 60.362781] The buggy address belongs to the page:
[ 60.367702] page:ffffea0002066900 count:0 mapcount:0 mapping:0000000000000000 index:0x1
[ 60.375855] flags: 0xfffe0000000000()
[ 60.379653] raw: 00fffe0000000000 ffffea0002066948 ffffea00020668c8 0000000000000000
[ 60.387626] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 60.395619] page dumped because: kasan: bad access detected
[ 60.401755]
[ 60.403364] Memory state around the buggy address:
[ 60.408292]  ffff8880819a4580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 60.415650]  ffff8880819a4600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 60.422987] >ffff8880819a4680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 60.430416]                                               ^
[ 60.436101]  ffff8880819a4700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 60.443434]  ffff8880819a4780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 60.450949] ==================================================================
[ 60.458290] Disabling lock debugging due to kernel taint
[ 60.468733] Kernel panic - not syncing: panic_on_warn set ...
[ 60.468733]
[ 60.476135] CPU: 1 PID: 6497 Comm: syz-executor611 Tainted: G B 4.19.150-syzkaller #0
[ 60.485402] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.494750] Call Trace:
[ 60.497322] dump_stack+0x22c/0x33e
[ 60.500930] panic+0x2ac/0x565
[ 60.504101] ? __warn_printk+0xf3/0xf3
[ 60.507984] ? preempt_schedule_common+0x45/0xc0
[ 60.512729] ? ___preempt_schedule+0x16/0x18
[ 60.517133] ? trace_hardirqs_on+0x55/0x210
[ 60.521451] kasan_end_report+0x43/0x49
[ 60.525420] kasan_report_error.cold+0x83/0xb9
[ 60.529996] ? ntfs_read_locked_inode+0x4731/0x5490
[ 60.534993] __asan_report_load_n_noabort+0x8b/0xa0
[ 60.539988] ? ntfs_read_locked_inode+0x4731/0x5490
[ 60.544992] ntfs_read_locked_inode+0x4731/0x5490
[ 60.549813] ? ntfs_index_lookup.cold+0xc2/0xc2
[ 60.554546] ? ntfs_test_inode+0x2c0/0x2c0
[ 60.558768] ? iget5_locked+0x3c/0xd0
[ 60.562558] ntfs_iget+0x12d/0x180
[ 60.566091] ? ntfs_read_locked_inode+0x5490/0x5490
[ 60.571084] ? iput+0x511/0x890
[ 60.574351] ntfs_fill_super+0x22b0/0x89d2
[ 60.578565] ? snprintf+0xbb/0xf0
[ 60.582009] ? vsprintf+0x30/0x30
[ 60.585440] ? ntfs_remount+0x500/0x500
[ 60.589404] ? __mutex_add_waiter+0x160/0x160
[ 60.593888] ? set_blocksize+0x163/0x3f0
[ 60.597948] mount_bdev+0x2fc/0x3b0
[ 60.601557] ? ntfs_remount+0x500/0x500
[ 60.605523] mount_fs+0xa3/0x318
[ 60.608869] vfs_kern_mount.part.0+0x68/0x470
[ 60.613354] do_mount+0x51c/0x2f10
[ 60.616871] ? __do_page_fault+0x1ca/0xe00
[ 60.621083] ? copy_mount_string+0x40/0x40
[ 60.625293] ? copy_mount_options+0x1c3/0x370
[ 60.629767] ? copy_mount_options+0x1d0/0x370
[ 60.634267] ? memset+0x20/0x40
[ 60.638091] ? copy_mount_options+0x261/0x370
[ 60.642574] ksys_mount+0xcf/0x130
[ 60.646106] __x64_sys_mount+0xba/0x150
[ 60.650057] ? lockdep_hardirqs_on+0x3c1/0x5e0
[ 60.654616] do_syscall_64+0xf9/0x670
[ 60.658408] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 60.663586] RIP: 0033:0x45761a
[ 60.666759] Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 ed a3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 ca a3 fb ff c3 66 0f 1f 84 00 00 00 00 00
[ 60.685638] RSP: 002b:00007ffcd49d7368 EFLAGS: 00000287 ORIG_RAX: 00000000000000a5
[ 60.693321] RAX: ffffffffffffffda RBX: 00007ffcd49d73c0 RCX: 000000000045761a
[ 60.700569] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffcd49d7380
[ 60.707824] RBP: 0000000000000004 R08: 00007ffcd49d73c0 R09: 0000000000316777
[ 60.715074] R10: 0000000000000000 R11: 0000000000000287 R12: 0000000000000003
[ 60.722321] R13: 00007ffcd49d7380 R14: 0000000000000000 R15: 0000000020001230
[ 60.731106] Kernel Offset: disabled
[ 60.734743] Rebooting in 86400 seconds..