[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.228' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 29.907084] ntfs: (device loop0): is_boot_sector_ntfs(): Invalid end of sector marker.
[ 29.915560] ==================================================================
[ 29.922932] BUG: KASAN: use-after-free in ntfs_attr_find+0xacd/0xc20
[ 29.929404] Read of size 2 at addr ffff88809638a482 by task syz-executor607/7970
[ 29.936920]
[ 29.938522] CPU: 1 PID: 7970 Comm: syz-executor607 Not tainted 4.14.293-syzkaller #0
[ 29.946373] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
[ 29.955699] Call Trace:
[ 29.958264]  dump_stack+0x1b2/0x281
[ 29.961868]  print_address_description.cold+0x54/0x1d3
[ 29.967116]  kasan_report_error.cold+0x8a/0x191
[ 29.971777]  ? ntfs_attr_find+0xacd/0xc20
[ 29.975900]  __asan_report_load_n_noabort+0x6b/0x80
[ 29.980895]  ? ntfs_attr_find+0xacd/0xc20
[ 29.985062]  ntfs_attr_find+0xacd/0xc20
[ 29.989010]  ntfs_attr_lookup+0xeca/0x1f30
[ 29.993227]  ? do_raw_spin_unlock+0x164/0x220
[ 29.997694]  ? _raw_spin_unlock+0x29/0x40
[ 30.001816]  ? cache_alloc_refill+0x2fa/0x350
[ 30.006283]  ? __wait_on_bit+0x150/0x150
[ 30.010313]  ? check_preemption_disabled+0x35/0x240
[ 30.015301]  ? ntfs_attr_reinit_search_ctx+0x3c0/0x3c0
[ 30.020548]  ? kmem_cache_alloc+0x2f8/0x3c0
[ 30.024841]  ntfs_read_inode_mount+0x726/0x2060
[ 30.029497]  ntfs_fill_super+0x9a6/0x7170
[ 30.033617]  ? vsnprintf+0x260/0x1340
[ 30.037392]  ? pointer+0x9e0/0x9e0
[ 30.040905]  ? lock_downgrade+0x740/0x740
[ 30.045025]  ? ntfs_big_inode_init_once+0x20/0x20
[ 30.049840]  ? snprintf+0xa5/0xd0
[ 30.053264]  ? vsprintf+0x30/0x30
[ 30.056692]  ? ns_test_super+0x50/0x50
[ 30.060551]  ? set_blocksize+0x125/0x380
[ 30.064584]  mount_bdev+0x2b3/0x360
[ 30.068183]  ? ntfs_big_inode_init_once+0x20/0x20
[ 30.073001]  mount_fs+0x92/0x2a0
[ 30.076340]  vfs_kern_mount.part.0+0x5b/0x470
[ 30.080807]  do_mount+0xe65/0x2a30
[ 30.084318]  ? copy_mount_string+0x40/0x40
[ 30.088524]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 30.093511]  ? copy_mnt_ns+0xa30/0xa30
[ 30.097372]  ? copy_mount_options+0x1fa/0x2f0
[ 30.101838]  ? copy_mnt_ns+0xa30/0xa30
[ 30.105708]  SyS_mount+0xa8/0x120
[ 30.109132]  ? copy_mnt_ns+0xa30/0xa30
[ 30.113002]  do_syscall_64+0x1d5/0x640
[ 30.116869]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 30.122035] RIP: 0033:0x7f24578d403a
[ 30.125718] RSP: 002b:00007fffff6bb148 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 30.133396] RAX: ffffffffffffffda RBX: 00007fffff6bb1a0 RCX: 00007f24578d403a
[ 30.140643] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fffff6bb160
[ 30.147889] RBP: 00007fffff6bb160 R08: 00007fffff6bb1a0 R09: 0000000000000000
[ 30.155130] R10: 0000000000000000 R11: 0000000000000286 R12: 0000000020000260
[ 30.162373] R13: 0000000000000003 R14: 0000000000000004 R15: 0000000000000004
[ 30.169619]
[ 30.171218] The buggy address belongs to the page:
[ 30.176120] page:ffffea000258e280 count:0 mapcount:0 mapping: (null) index:0xffff88809638a640
[ 30.185537] flags: 0xfff00000000000()
[ 30.189309] raw: 00fff00000000000 0000000000000000 ffff88809638a640 00000000ffffffff
[ 30.197170] raw: dead000000000100 dead000000000200 0000000000000000 0000000000000000
[ 30.205019] page dumped because: kasan: bad access detected
[ 30.210700]
[ 30.212300] Memory state around the buggy address:
[ 30.217199]  ffff88809638a380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 30.224530]  ffff88809638a400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 30.231881] >ffff88809638a480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 30.239209]                    ^
[ 30.242547]  ffff88809638a500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 30.249900]  ffff88809638a580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 30.257229] ==================================================================
[ 30.264558] Disabling lock debugging due to kernel taint
[ 30.272207] Kernel panic - not syncing: panic_on_warn set ...
[ 30.272207]
[ 30.279575] CPU: 1 PID: 7970 Comm: syz-executor607 Tainted: G B 4.14.293-syzkaller #0
[ 30.288658] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
[ 30.297995] Call Trace:
[ 30.300559]  dump_stack+0x1b2/0x281
[ 30.304161]  panic+0x1f9/0x42d
[ 30.307327]  ? add_taint.cold+0x16/0x16
[ 30.311277]  ? ___preempt_schedule+0x16/0x18
[ 30.315659]  kasan_end_report+0x43/0x49
[ 30.319608]  kasan_report_error.cold+0xa7/0x191
[ 30.324253]  ? ntfs_attr_find+0xacd/0xc20
[ 30.328374]  __asan_report_load_n_noabort+0x6b/0x80
[ 30.333382]  ? ntfs_attr_find+0xacd/0xc20
[ 30.337502]  ntfs_attr_find+0xacd/0xc20
[ 30.341451]  ntfs_attr_lookup+0xeca/0x1f30
[ 30.345660]  ? do_raw_spin_unlock+0x164/0x220
[ 30.350126]  ? _raw_spin_unlock+0x29/0x40
[ 30.354249]  ? cache_alloc_refill+0x2fa/0x350
[ 30.358733]  ? __wait_on_bit+0x150/0x150
[ 30.362768]  ? check_preemption_disabled+0x35/0x240
[ 30.368423]  ? ntfs_attr_reinit_search_ctx+0x3c0/0x3c0
[ 30.373687]  ? kmem_cache_alloc+0x2f8/0x3c0
[ 30.377989]  ntfs_read_inode_mount+0x726/0x2060
[ 30.382643]  ntfs_fill_super+0x9a6/0x7170
[ 30.386772]  ? vsnprintf+0x260/0x1340
[ 30.390549]  ? pointer+0x9e0/0x9e0
[ 30.394066]  ? lock_downgrade+0x740/0x740
[ 30.398208]  ? ntfs_big_inode_init_once+0x20/0x20
[ 30.403026]  ? snprintf+0xa5/0xd0
[ 30.406454]  ? vsprintf+0x30/0x30
[ 30.409883]  ? ns_test_super+0x50/0x50
[ 30.413745]  ? set_blocksize+0x125/0x380
[ 30.417780]  mount_bdev+0x2b3/0x360
[ 30.421382]  ? ntfs_big_inode_init_once+0x20/0x20
[ 30.426198]  mount_fs+0x92/0x2a0
[ 30.429537]  vfs_kern_mount.part.0+0x5b/0x470
[ 30.434010]  do_mount+0xe65/0x2a30
[ 30.437537]  ? copy_mount_string+0x40/0x40
[ 30.441754]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 30.446769]  ? copy_mnt_ns+0xa30/0xa30
[ 30.450650]  ? copy_mount_options+0x1fa/0x2f0
[ 30.455122]  ? copy_mnt_ns+0xa30/0xa30
[ 30.458984]  SyS_mount+0xa8/0x120
[ 30.462414]  ? copy_mnt_ns+0xa30/0xa30
[ 30.466276]  do_syscall_64+0x1d5/0x640
[ 30.470140]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 30.475304] RIP: 0033:0x7f24578d403a
[ 30.478990] RSP: 002b:00007fffff6bb148 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 30.486687] RAX: ffffffffffffffda RBX: 00007fffff6bb1a0 RCX: 00007f24578d403a
[ 30.493933] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fffff6bb160
[ 30.501176] RBP: 00007fffff6bb160 R08: 00007fffff6bb1a0 R09: 0000000000000000
[ 30.508436] R10: 0000000000000000 R11: 0000000000000286 R12: 0000000020000260
[ 30.515679] R13: 0000000000000003 R14: 0000000000000004 R15: 0000000000000004
[ 30.523092] Kernel Offset: disabled
[ 30.526697] Rebooting in 86400 seconds..