Warning: Permanently added '10.128.0.178' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 34.521912] audit: type=1400 audit(1601634749.073:8): avc: denied { execmem } for pid=6356 comm="syz-executor128" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 34.554218] ntfs: (device loop0): is_boot_sector_ntfs(): Invalid end of sector marker.
[ 34.567324] ntfs: (device loop0): map_mft_record_page(): Mft record 0x1 is corrupt. Run chkdsk.
[ 34.577331] ntfs: (device loop0): map_mft_record(): Failed with error code 5.
[ 34.585710] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x1 as bad. Run chkdsk.
[ 34.600124] ntfs: (device loop0): load_system_files(): Failed to load $MFTMirr. Mounting read-only. Run ntfsfix and/or chkdsk.
executing program
[ 34.614442] ntfs: (device loop0): map_mft_record_page(): Mft record 0xa is corrupt. Run chkdsk.
[ 34.626597] ntfs: (device loop0): map_mft_record(): Failed with error code 5.
[ 34.634549] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0xa as bad. Run chkdsk.
[ 34.647663] ntfs: (device loop0): load_and_init_upcase(): Failed to load $UpCase from the volume. Using default.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 35.011269] ==================================================================
[ 35.018842] BUG: KASAN: use-after-free in ntfs_read_locked_inode+0x425a/0x5000
[ 35.028432] Read of size 8 at addr ffff8880805b06cd by task syz-executor128/6394
[ 35.036781]
[ 35.038512] CPU: 1 PID: 6394 Comm: syz-executor128 Not tainted 4.14.198-syzkaller #0
[ 35.047176] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.057596] Call Trace:
[ 35.060458] dump_stack+0x1b2/0x283
[ 35.064193] print_address_description.cold+0x54/0x1d3
[ 35.070897] kasan_report_error.cold+0x8a/0x194
[ 35.076525] ? ntfs_read_locked_inode+0x425a/0x5000
[ 35.083684] __asan_report_load_n_noabort+0x6b/0x80
[ 35.090098] ? ntfs_read_locked_inode+0x425a/0x5000
[ 35.098327] ntfs_read_locked_inode+0x425a/0x5000
[ 35.103840] ? _raw_spin_unlock+0x29/0x40
[ 35.108329] ? iget5_locked+0x129/0x450
[ 35.112481] ? ntfs_index_lookup+0x2780/0x2780
[ 35.118636] ntfs_iget+0xfa/0x130
[ 35.122635] ? ntfs_read_locked_inode+0x5000/0x5000
[ 35.128581] ntfs_fill_super+0x1ffb/0x7170
[ 35.133197] ? lock_downgrade+0x740/0x740
[ 35.138794] ? ntfs_big_inode_init_once+0x20/0x20
[ 35.144607] ? snprintf+0xa5/0xd0
[ 35.148241] ? vsprintf+0x30/0x30
[ 35.152176] ? ns_test_super+0x50/0x50
[ 35.157431] ? set_blocksize+0x125/0x380
[ 35.164797] mount_bdev+0x2b3/0x360
[ 35.169949] ? ntfs_big_inode_init_once+0x20/0x20
[ 35.175765] mount_fs+0x92/0x2a0
[ 35.182023] vfs_kern_mount.part.0+0x5b/0x470
[ 35.188814] do_mount+0xe53/0x2a00
[ 35.192825] ? perf_trace_drv_tdls_cancel_channel_switch+0x240/0x710
[ 35.199600] ? copy_mount_string+0x40/0x40
[ 35.203848] ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 35.210179] ? copy_mnt_ns+0xa30/0xa30
[ 35.214528] ? copy_mount_options+0x1fa/0x2f0
[ 35.219463] ? copy_mnt_ns+0xa30/0xa30
[ 35.224063] SyS_mount+0xa8/0x120
[ 35.231978] ? copy_mnt_ns+0xa30/0xa30
[ 35.237495] do_syscall_64+0x1d5/0x640
[ 35.243963] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 35.249414] RIP: 0033:0x44954a
[ 35.252766] RSP: 002b:00007fff08421368 EFLAGS: 00000287 ORIG_RAX: 00000000000000a5
[ 35.260686] RAX: ffffffffffffffda RBX: 00007fff084213c0 RCX: 000000000044954a
[ 35.269447] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fff08421380
[ 35.279176] RBP: 00007fff08421380 R08: 00007fff084213c0 R09: 0000000000000000
[ 35.289155] R10: 0000000000000000 R11: 0000000000000287 R12: 00000000000000ac
[ 35.297738] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 35.305603]
[ 35.307714] The buggy address belongs to the page:
[ 35.313614] page:ffffea0002016c00 count:0 mapcount:0 mapping: (null) index:0x1
[ 35.322889] flags: 0xfffe0000000000()
[ 35.327432] raw: 00fffe0000000000 0000000000000000 0000000000000001 00000000ffffffff
[ 35.335743] raw: ffffea0002017920 ffffea00020c7b20 0000000000000000 0000000000000000
[ 35.346818] page dumped because: kasan: bad access detected
[ 35.353081]
[ 35.355887] Memory state around the buggy address:
[ 35.365085]  ffff8880805b0580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 35.373991]  ffff8880805b0600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 35.382314] >ffff8880805b0680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 35.389933]                                               ^
[ 35.396324]  ffff8880805b0700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 35.404487]  ffff8880805b0780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 35.412559] ==================================================================
[ 35.421383] Disabling lock debugging due to kernel taint
[ 35.428015] Kernel panic - not syncing: panic_on_warn set ...
[ 35.428015]
[ 35.435493] CPU: 1 PID: 6394 Comm: syz-executor128 Tainted: G B 4.14.198-syzkaller #0
[ 35.445125] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.455040] Call Trace:
[ 35.458020] dump_stack+0x1b2/0x283
[ 35.463012] panic+0x1f9/0x42d
[ 35.466573] ? add_taint.cold+0x16/0x16
[ 35.471157] ? ___preempt_schedule+0x16/0x18
[ 35.477357] kasan_end_report+0x43/0x49
[ 35.482485] kasan_report_error.cold+0xa7/0x194
[ 35.487773] ? ntfs_read_locked_inode+0x425a/0x5000
[ 35.493327] __asan_report_load_n_noabort+0x6b/0x80
[ 35.498721] ? ntfs_read_locked_inode+0x425a/0x5000
[ 35.504339] ntfs_read_locked_inode+0x425a/0x5000
[ 35.509534] ? _raw_spin_unlock+0x29/0x40
[ 35.514030] ? iget5_locked+0x129/0x450
[ 35.519801] ? ntfs_index_lookup+0x2780/0x2780
[ 35.525798] ntfs_iget+0xfa/0x130
[ 35.529953] ? ntfs_read_locked_inode+0x5000/0x5000
[ 35.535936] ntfs_fill_super+0x1ffb/0x7170
[ 35.542509] ? lock_downgrade+0x740/0x740
[ 35.547035] ? ntfs_big_inode_init_once+0x20/0x20
[ 35.552535] ? snprintf+0xa5/0xd0
[ 35.555991] ? vsprintf+0x30/0x30
[ 35.559451] ? ns_test_super+0x50/0x50
[ 35.563588] ? set_blocksize+0x125/0x380
[ 35.568381] mount_bdev+0x2b3/0x360
[ 35.574543] ? ntfs_big_inode_init_once+0x20/0x20
[ 35.579955] mount_fs+0x92/0x2a0
[ 35.583985] vfs_kern_mount.part.0+0x5b/0x470
[ 35.588829] do_mount+0xe53/0x2a00
[ 35.594081] ? perf_trace_drv_tdls_cancel_channel_switch+0x240/0x710
[ 35.602856] ? copy_mount_string+0x40/0x40
[ 35.607739] ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 35.614132] ? copy_mnt_ns+0xa30/0xa30
[ 35.620923] ? copy_mount_options+0x1fa/0x2f0
[ 35.627324] ? copy_mnt_ns+0xa30/0xa30
[ 35.631647] SyS_mount+0xa8/0x120
[ 35.635754] ? copy_mnt_ns+0xa30/0xa30
[ 35.640695] do_syscall_64+0x1d5/0x640
[ 35.645412] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 35.651876] RIP: 0033:0x44954a
[ 35.655274] RSP: 002b:00007fff08421368 EFLAGS: 00000287 ORIG_RAX: 00000000000000a5
[ 35.663538] RAX: ffffffffffffffda RBX: 00007fff084213c0 RCX: 000000000044954a
[ 35.671538] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fff08421380
[ 35.679117] RBP: 00007fff08421380 R08: 00007fff084213c0 R09: 0000000000000000
[ 35.690798] R10: 0000000000000000 R11: 0000000000000287 R12: 00000000000000ac
[ 35.699024] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 35.708812] Kernel Offset: disabled
[ 35.714647] Rebooting in 86400 seconds..