./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor870811603
<...>
DUID 00:04:7c:8f:25:e4:1e:61:d4:15:b8:1c:50:2a:7f:f5:0b:01
forked to background, child pid 4645
[ 29.940424][ T4646] 8021q: adding VLAN 0 to HW filter on device bond0
[ 29.954352][ T4646] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK
syzkaller
Warning: Permanently added '10.128.0.159' (ECDSA) to the list of known hosts.
execve("./syz-executor870811603", ["./syz-executor870811603"], 0x7ffcb89bc710 /* 10 vars */) = 0
brk(NULL) = 0x555555e2d000
brk(0x555555e2dc40) = 0x555555e2dc40
arch_prctl(ARCH_SET_FS, 0x555555e2d300) = 0
uname({sysname="Linux", nodename="syzkaller", ...}) = 0
readlink("/proc/self/exe", "/root/syz-executor870811603", 4096) = 27
brk(0x555555e4ec40) = 0x555555e4ec40
brk(0x555555e4f000) = 0x555555e4f000
mprotect(0x7f1aca51f000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
getpid() = 5074
mkdir("./syzkaller.00I8ZR", 0700) = 0
chmod("./syzkaller.00I8ZR", 0777) = 0
chdir("./syzkaller.00I8ZR") = 0
mkdir("./0", 0777) = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3
ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address)
close(3) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555e2d5d0) = 5075
./strace-static-x86_64: Process 5075 attached
[pid 5075] chdir("./0") = 0
[pid 5075] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5075] setpgid(0, 0) = 0
[pid 5075] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5075] write(3, "1000", 4) = 4
[pid 5075] close(3) = 0
[pid 5075] symlink("/dev/binderfs", "./binderfs") = 0
[pid 5075] memfd_create("syzkaller", 0) = 3
[pid 5075] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f1ac2064000
[pid 5075] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x10\x01\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x77\x65\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x01\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\xff\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\xf3\x0f\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x0c\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 97703) = 97703
[pid 5075] munmap(0x7f1ac2064000, 97703) = 0
[pid 5075] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid 5075] ioctl(4, LOOP_SET_FD, 3) = 0
[pid 5075] close(3) = 0
[pid 5075] mkdir("./file0", 0777) = 0
syzkaller login: [ 52.436067][ T5075] memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL, pid=5075 'syz-executor870'
[ 52.453536][ T5075] loop0: detected capacity change from 0 to 190
[ 52.466080][ T5075] ntfs: (device loop0): is_boot_sector_ntfs(): Invalid boot sector checksum.
[ 52.476248][ T5075] ntfs: (device loop0): map_mft_record_page(): Mft record 0x1 is corrupt. Run chkdsk.
[ 52.486422][ T5075] ntfs: (device loop0): map_mft_record(): Failed with error code 5.
[ 52.494408][ T5075] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x1 as bad. Run chkdsk.
[ 52.507468][ T5075] ntfs: (device loop0): load_system_files(): Failed to load $MFTMirr. Mounting read-only. Run ntfsfix and/or chkdsk.
[ 52.520531][ T5075] ntfs: (device loop0): ntfs_external_attr_find(): Base inode 0xa contains corrupt attribute list attribute. Unmount and run chkdsk.
[ 52.534233][ T5075] ntfs: (device loop0): ntfs_read_locked_inode(): Failed to lookup $DATA attribute.
[ 52.543673][ T5075] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0xa as bad. Run chkdsk.
[ 52.556956][ T5075] ntfs: (device loop0): load_and_init_upcase(): Failed to load $UpCase from the volume. Using default.
[ 52.568457][ T5075] ==================================================================
[ 52.576536][ T5075] BUG: KASAN: use-after-free in ntfs_read_folio+0x9bc/0x29f0
[ 52.583932][ T5075] Read of size 1 at addr ffff88807345e17f by task syz-executor870/5075
[ 52.592157][ T5075]
[ 52.594476][ T5075] CPU: 0 PID: 5075 Comm: syz-executor870 Not tainted 6.3.0-rc2-syzkaller-00077-g38e04b3e4240 #0
[ 52.604894][ T5075] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
[ 52.615029][ T5075] Call Trace:
[ 52.618295][ T5075] <TASK>
[ 52.621216][ T5075] dump_stack_lvl+0x1e7/0x2d0
[ 52.625900][ T5075] ? nf_tcp_handle_invalid+0x650/0x650
[ 52.631354][ T5075] ? panic+0x770/0x770
[ 52.635414][ T5075] ? _printk+0xd5/0x120
[ 52.639563][ T5075] print_report+0x163/0x540
[ 52.644058][ T5075] ? lockdep_hardirqs_on_prepare+0x43c/0x7a0
[ 52.650030][ T5075] ? __virt_addr_valid+0x22f/0x2e0
[ 52.655138][ T5075] ? __phys_addr+0xba/0x170
[ 52.659634][ T5075] ? ntfs_read_folio+0x9bc/0x29f0
[ 52.664647][ T5075] kasan_report+0x176/0x1b0
[ 52.669139][ T5075] ? ntfs_read_folio+0x9bc/0x29f0
[ 52.674158][ T5075] kasan_check_range+0x283/0x290
[ 52.679101][ T5075] ? ntfs_read_folio+0x9bc/0x29f0
[ 52.684119][ T5075] __asan_memcpy+0x29/0x70
[ 52.688531][ T5075] ntfs_read_folio+0x9bc/0x29f0
[ 52.693377][ T5075] ? __lock_acquire+0x1f80/0x1f80
[ 52.698390][ T5075] ? ntfs_writepage+0x1ae0/0x1ae0
[ 52.703404][ T5075] ? folio_batch_add_and_move+0x16a/0x2c0
[ 52.709112][ T5075] ? folio_add_lru+0x6f0/0x6f0
[ 52.713865][ T5075] ? folio_add_lru+0x353/0x6f0
[ 52.718616][ T5075] filemap_read_folio+0x19d/0x7a0
[ 52.723629][ T5075] ? filemap_add_folio+0x580/0x580
[ 52.728730][ T5075] ? ntfs_writepage+0x1ae0/0x1ae0
[ 52.733745][ T5075] ? maybe_unlock_mmap_for_io+0x140/0x140
[ 52.739454][ T5075] do_read_cache_folio+0x2ee/0x820
[ 52.744557][ T5075] ? ntfs_writepage+0x1ae0/0x1ae0
[ 52.749570][ T5075] do_read_cache_page+0x32/0x230
[ 52.754500][ T5075] load_system_files+0x1c0b/0x4840
[ 52.759611][ T5075] ? ntfs_setup_allocators+0x2d0/0x2d0
[ 52.765063][ T5075] ? mutex_unlock+0x10/0x10
[ 52.769563][ T5075] ? free_vm_area+0x50/0x50
[ 52.774065][ T5075] ? generate_default_upcase+0x8ed/0x940
[ 52.779948][ T5075] ntfs_fill_super+0x19b4/0x2bd0
[ 52.784884][ T5075] mount_bdev+0x271/0x3a0
[ 52.789203][ T5075] ? ntfs_mount+0x40/0x40
[ 52.793521][ T5075] legacy_get_tree+0xef/0x190
[ 52.798187][ T5075] ? ntfs_rl_punch_nolock+0x15b0/0x15b0
[ 52.803732][ T5075] vfs_get_tree+0x8c/0x270
[ 52.808140][ T5075] do_new_mount+0x28f/0xae0
[ 52.812636][ T5075] ? path_mount+0x5f2/0xf80
[ 52.817132][ T5075] ? do_move_mount_old+0x170/0x170
[ 52.822233][ T5075] ? user_path_at_empty+0x12f/0x180
[ 52.827418][ T5075] __se_sys_mount+0x2d9/0x3c0
[ 52.832085][ T5075] ? __x64_sys_mount+0xc0/0xc0
[ 52.836838][ T5075] ? syscall_enter_from_user_mode+0x32/0x260
[ 52.842809][ T5075] ? __x64_sys_mount+0x20/0xc0
[ 52.847560][ T5075] do_syscall_64+0x41/0xc0
[ 52.851969][ T5075] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 52.857853][ T5075] RIP: 0033:0x7f1aca4b2d1a
[ 52.862255][ T5075] Code: 48 c7 c2 c0 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 a8 00 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 52.881939][ T5075] RSP: 002b:00007ffcc0f252b8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 52.890342][ T5075] RAX: ffffffffffffffda RBX: 0000555555e2d2c0 RCX: 00007f1aca4b2d1a
[ 52.898300][ T5075] RDX: 0000000020000040 RSI: 000000002001f200 RDI: 00007ffcc0f25300
[ 52.906259][ T5075] RBP: 0000000000000000 R08: 00007ffcc0f25340 R09: 0000000000000978
[ 52.914220][ T5075] R10: 0000000000000000 R11: 0000000000000286 R12: 0000000000000004
[ 52.922180][ T5075] R13: 00007ffcc0f25340 R14: 0000000000000003 R15: 00007ffcc0f25300
[ 52.930146][ T5075] </TASK>
[ 52.933158][ T5075]
[ 52.935470][ T5075] The buggy address belongs to the physical page:
[ 52.941864][ T5075] page:ffffea0001cd1780 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x7345e
[ 52.952002][ T5075] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 52.959102][ T5075] raw: 00fff00000000000 ffffea0001cd17c8 ffffea0001cd1748 0000000000000000
[ 52.967697][ T5075] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 52.976260][ T5075] page dumped because: kasan: bad access detected
[ 52.982656][ T5075] page_owner tracks the page as freed
[ 52.988007][ T5075] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5066, tgid 5066 (sshd), ts 46590455458, free_ts 46593964562
[ 53.005966][ T5075] get_page_from_freelist+0x3246/0x33c0
[ 53.011505][ T5075] __alloc_pages+0x255/0x670
[ 53.016085][ T5075] __folio_alloc+0x13/0x30
[ 53.020489][ T5075] vma_alloc_folio+0x48a/0x9a0
[ 53.025252][ T5075] handle_mm_fault+0x2984/0x51c0
[ 53.030177][ T5075] exc_page_fault+0x5b1/0x7c0
[ 53.034852][ T5075] asm_exc_page_fault+0x26/0x30
[ 53.039697][ T5075] page last free stack trace:
[ 53.044364][ T5075] free_unref_page_prepare+0xe2f/0xe70
[ 53.049826][ T5075] free_unref_page_list+0x596/0x830
[ 53.055011][ T5075] release_pages+0x219e/0x2470
[ 53.059767][ T5075] tlb_flush_mmu+0x100/0x210
[ 53.064343][ T5075] tlb_finish_mmu+0xd4/0x1f0
[ 53.068921][ T5075] unmap_region+0x253/0x2a0
[ 53.073410][ T5075] do_vmi_align_munmap+0xba3/0x1200
[ 53.078597][ T5075] do_vmi_munmap+0x24a/0x2b0
[ 53.083171][ T5075] __vm_munmap+0x200/0x310
[ 53.087573][ T5075] __x64_sys_munmap+0x60/0x70
[ 53.092237][ T5075] do_syscall_64+0x41/0xc0
[ 53.096645][ T5075] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 53.102530][ T5075]
[ 53.104844][ T5075] Memory state around the buggy address:
[ 53.110460][ T5075] ffff88807345e000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 53.118509][ T5075] ffff88807345e080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 53.126554][ T5075] >ffff88807345e100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 53.134599][ T5075] ^
[ 53.142556][ T5075] ffff88807345e180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 53.150604][ T5075] ffff88807345e200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 53.158661][ T5075] ==================================================================
[ 53.167235][ T5075] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 53.174435][ T5075] CPU: 0 PID: 5075 Comm: syz-executor870 Not tainted 6.3.0-rc2-syzkaller-00077-g38e04b3e4240 #0
[ 53.184849][ T5075] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
[ 53.194902][ T5075] Call Trace:
[ 53.198170][ T5075] <TASK>
[ 53.201093][ T5075] dump_stack_lvl+0x1e7/0x2d0
[ 53.205768][ T5075] ? nf_tcp_handle_invalid+0x650/0x650
[ 53.211220][ T5075] ? panic+0x770/0x770
[ 53.215277][ T5075] ? lock_release+0xbf/0x9d0
[ 53.219875][ T5075] ? vscnprintf+0x5d/0x80
[ 53.224205][ T5075] panic+0x31c/0x770
[ 53.228123][ T5075] ? asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 53.234271][ T5075] ? check_panic_on_warn+0x21/0xa0
[ 53.239383][ T5075] ? memcpy_page_flushcache+0x100/0x100
[ 53.244917][ T5075] ? mark_lock+0x9a/0x340
[ 53.249240][ T5075] ? _raw_spin_unlock_irqrestore+0xd8/0x140
[ 53.255154][ T5075] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 53.261045][ T5075] ? _raw_spin_unlock+0x40/0x40
[ 53.265890][ T5075] check_panic_on_warn+0x82/0xa0
[ 53.270821][ T5075] ? ntfs_read_folio+0x9bc/0x29f0
[ 53.275836][ T5075] end_report+0x63/0x110
[ 53.280070][ T5075] kasan_report+0x183/0x1b0
[ 53.284563][ T5075] ? ntfs_read_folio+0x9bc/0x29f0
[ 53.289592][ T5075] kasan_check_range+0x283/0x290
[ 53.294530][ T5075] ? ntfs_read_folio+0x9bc/0x29f0
[ 53.299541][ T5075] __asan_memcpy+0x29/0x70
[ 53.303950][ T5075] ntfs_read_folio+0x9bc/0x29f0
[ 53.308796][ T5075] ? __lock_acquire+0x1f80/0x1f80
[ 53.313813][ T5075] ? ntfs_writepage+0x1ae0/0x1ae0
[ 53.318824][ T5075] ? folio_batch_add_and_move+0x16a/0x2c0
[ 53.324533][ T5075] ? folio_add_lru+0x6f0/0x6f0
[ 53.329291][ T5075] ? folio_add_lru+0x353/0x6f0
[ 53.334046][ T5075] filemap_read_folio+0x19d/0x7a0
[ 53.339072][ T5075] ? filemap_add_folio+0x580/0x580
[ 53.344172][ T5075] ? ntfs_writepage+0x1ae0/0x1ae0
[ 53.349186][ T5075] ? maybe_unlock_mmap_for_io+0x140/0x140
[ 53.354897][ T5075] do_read_cache_folio+0x2ee/0x820
[ 53.360004][ T5075] ? ntfs_writepage+0x1ae0/0x1ae0
[ 53.365019][ T5075] do_read_cache_page+0x32/0x230
[ 53.369972][ T5075] load_system_files+0x1c0b/0x4840
[ 53.375077][ T5075] ? ntfs_setup_allocators+0x2d0/0x2d0
[ 53.380530][ T5075] ? mutex_unlock+0x10/0x10
[ 53.385023][ T5075] ? free_vm_area+0x50/0x50
[ 53.389518][ T5075] ? generate_default_upcase+0x8ed/0x940
[ 53.395148][ T5075] ntfs_fill_super+0x19b4/0x2bd0
[ 53.400086][ T5075] mount_bdev+0x271/0x3a0
[ 53.404427][ T5075] ? ntfs_mount+0x40/0x40
[ 53.408781][ T5075] legacy_get_tree+0xef/0x190
[ 53.413466][ T5075] ? ntfs_rl_punch_nolock+0x15b0/0x15b0
[ 53.419019][ T5075] vfs_get_tree+0x8c/0x270
[ 53.423543][ T5075] do_new_mount+0x28f/0xae0
[ 53.428068][ T5075] ? path_mount+0x5f2/0xf80
[ 53.432563][ T5075] ? do_move_mount_old+0x170/0x170
[ 53.437666][ T5075] ? user_path_at_empty+0x12f/0x180
[ 53.442859][ T5075] __se_sys_mount+0x2d9/0x3c0
[ 53.447540][ T5075] ? __x64_sys_mount+0xc0/0xc0
[ 53.452293][ T5075] ? syscall_enter_from_user_mode+0x32/0x260
[ 53.458263][ T5075] ? __x64_sys_mount+0x20/0xc0
[ 53.463021][ T5075] do_syscall_64+0x41/0xc0
[ 53.467435][ T5075] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 53.473323][ T5075] RIP: 0033:0x7f1aca4b2d1a
[ 53.477925][ T5075] Code: 48 c7 c2 c0 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 a8 00 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 53.499045][ T5075] RSP: 002b:00007ffcc0f252b8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 53.507642][ T5075] RAX: ffffffffffffffda RBX: 0000555555e2d2c0 RCX: 00007f1aca4b2d1a
[ 53.516422][ T5075] RDX: 0000000020000040 RSI: 000000002001f200 RDI: 00007ffcc0f25300
[ 53.525139][ T5075] RBP: 0000000000000000 R08: 00007ffcc0f25340 R09: 0000000000000978
[ 53.533692][ T5075] R10: 0000000000000000 R11: 0000000000000286 R12: 0000000000000004
[ 53.542015][ T5075] R13: 00007ffcc0f25340 R14: 0000000000000003 R15: 00007ffcc0f25300
[ 53.550622][ T5075] </TASK>
[ 53.553774][ T5075] Kernel Offset: disabled
[ 53.558199][ T5075] Rebooting in 86400 seconds..