forked to background, child pid 3182
no interfaces have a carrier
[ 18.654124][ T3183] 8021q: adding VLAN 0 to HW filter on device bond0
[ 18.665407][ T3183] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK
syzkaller
Warning: Permanently added '10.128.0.61' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 34.276760][ T3596] loop0: detected capacity change from 0 to 4096
[ 34.283954][ T3596] ntfs3: loop0: Different NTFS' sector size (1024) and media sector size (512)
[ 34.293275][ T3596] ==================================================================
[ 34.301407][ T3596] BUG: KASAN: use-after-free in run_unpack+0x8b7/0x970
[ 34.308261][ T3596] Read of size 1 at addr ffff88802038af00 by task syz-executor391/3596
[ 34.316471][ T3596]
[ 34.318772][ T3596] CPU: 0 PID: 3596 Comm: syz-executor391 Not tainted 6.0.0-syzkaller-07994-ge8bc52cb8df8 #0
[ 34.328810][ T3596] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
[ 34.338844][ T3596] Call Trace:
[ 34.342101][ T3596]  <TASK>
[ 34.345016][ T3596]  dump_stack_lvl+0xcd/0x134
[ 34.349590][ T3596]  print_report.cold+0x2ba/0x719
[ 34.354535][ T3596]  ? run_unpack+0x8b7/0x970
[ 34.359043][ T3596]  kasan_report+0xb1/0x1e0
[ 34.363446][ T3596]  ? run_unpack+0x8b7/0x970
[ 34.367956][ T3596]  run_unpack+0x8b7/0x970
[ 34.372287][ T3596]  ? run_pack+0x1100/0x1100
[ 34.376792][ T3596]  ? ntfs_bread_run+0x310/0x310
[ 34.381652][ T3596]  ? kfree+0x1fb/0x580
[ 34.385721][ T3596]  run_unpack_ex+0xb0/0x7c0
[ 34.390226][ T3596]  ? mi_enum_attr+0x34f/0x630
[ 34.395061][ T3596]  ? ni_enum_attr_ex+0x281/0x400
[ 34.399983][ T3596]  ? run_unpack+0x970/0x970
[ 34.404467][ T3596]  ? ni_fname_type.part.0+0x1e0/0x1e0
[ 34.409821][ T3596]  ? mi_read+0x27f/0x5b0
[ 34.414063][ T3596]  ntfs_iget5+0xc20/0x3280
[ 34.418480][ T3596]  ? ntfs_write_end+0x800/0x800
[ 34.423330][ T3596]  ntfs_loadlog_and_replay+0x124/0x5d0
[ 34.428775][ T3596]  ? ntfs_write_end+0x800/0x800
[ 34.433624][ T3596]  ? ntfs_bio_fill_1+0xa10/0xa10
[ 34.438563][ T3596]  ? destroy_inode+0xc4/0x1b0
[ 34.443245][ T3596]  ? iput.part.0+0x55d/0x810
[ 34.447910][ T3596]  ntfs_fill_super+0x1eff/0x37f0
[ 34.452834][ T3596]  ? put_ntfs+0x330/0x330
[ 34.457166][ T3596]  ? set_blocksize+0x2e5/0x370
[ 34.461935][ T3596]  get_tree_bdev+0x440/0x760
[ 34.466511][ T3596]  ? put_ntfs+0x330/0x330
[ 34.470843][ T3596]  vfs_get_tree+0x89/0x2f0
[ 34.475244][ T3596]  path_mount+0x1326/0x1e20
[ 34.479909][ T3596]  ? kmem_cache_free+0xeb/0x5b0
[ 34.484759][ T3596]  ? finish_automount+0x960/0x960
[ 34.489787][ T3596]  ? putname+0xfe/0x140
[ 34.493926][ T3596]  __x64_sys_mount+0x27f/0x300
[ 34.498678][ T3596]  ? copy_mnt_ns+0xae0/0xae0
[ 34.503364][ T3596]  ? trace_hardirqs_on+0x2d/0x120
[ 34.508388][ T3596]  do_syscall_64+0x35/0xb0
[ 34.512793][ T3596]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 34.518673][ T3596] RIP: 0033:0x7fe50e8e568a
[ 34.523274][ T3596] Code: 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 34.542863][ T3596] RSP: 002b:00007fff7da0bda8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 34.551261][ T3596] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fe50e8e568a
[ 34.559211][ T3596] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fff7da0bdc0
[ 34.567161][ T3596] RBP: 00007fff7da0bdc0 R08: 00007fff7da0be00 R09: 0000555556a132c0
[ 34.575110][ T3596] R10: 0000000000000000 R11: 0000000000000286 R12: 0000000000000004
[ 34.583065][ T3596] R13: 00007fff7da0be00 R14: 000000000000010c R15: 0000000020001b20
[ 34.591284][ T3596]  </TASK>
[ 34.594281][ T3596]
[ 34.596584][ T3596] Allocated by task 3575:
[ 34.600892][ T3596]  kasan_save_stack+0x1e/0x40
[ 34.605557][ T3596]  __kasan_kmalloc+0xa9/0xd0
[ 34.610133][ T3596]  tomoyo_realpath_from_path+0xbf/0x600
[ 34.615669][ T3596]  tomoyo_path_perm+0x21b/0x400
[ 34.620507][ T3596]  security_inode_getattr+0xcf/0x140
[ 34.625794][ T3596]  vfs_statx+0x16e/0x430
[ 34.630118][ T3596]  vfs_fstatat+0x8c/0xb0
[ 34.634421][ T3596]  __do_sys_newfstatat+0x94/0x120
[ 34.639425][ T3596]  do_syscall_64+0x35/0xb0
[ 34.643823][ T3596]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 34.649719][ T3596]
[ 34.652019][ T3596] Freed by task 3575:
[ 34.655974][ T3596]  kasan_save_stack+0x1e/0x40
[ 34.660632][ T3596]  kasan_set_track+0x21/0x30
[ 34.665205][ T3596]  kasan_set_free_info+0x20/0x30
[ 34.670131][ T3596]  ____kasan_slab_free+0x166/0x1c0
[ 34.675224][ T3596]  slab_free_freelist_hook+0x8b/0x1c0
[ 34.680588][ T3596]  kfree+0xe2/0x580
[ 34.684374][ T3596]  tomoyo_realpath_from_path+0x18c/0x600
[ 34.690003][ T3596]  tomoyo_path_perm+0x21b/0x400
[ 34.695102][ T3596]  security_inode_getattr+0xcf/0x140
[ 34.700372][ T3596]  vfs_statx+0x16e/0x430
[ 34.704590][ T3596]  vfs_fstatat+0x8c/0xb0
[ 34.708809][ T3596]  __do_sys_newfstatat+0x94/0x120
[ 34.713810][ T3596]  do_syscall_64+0x35/0xb0
[ 34.718209][ T3596]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 34.724081][ T3596]
[ 34.726452][ T3596] The buggy address belongs to the object at ffff88802038a000
[ 34.726452][ T3596]  which belongs to the cache kmalloc-4k of size 4096
[ 34.740496][ T3596] The buggy address is located 3840 bytes inside of
[ 34.740496][ T3596]  4096-byte region [ffff88802038a000, ffff88802038b000)
[ 34.754008][ T3596]
[ 34.756310][ T3596] The buggy address belongs to the physical page:
[ 34.762693][ T3596] page:ffffea000080e200 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x20388
[ 34.772819][ T3596] head:ffffea000080e200 order:3 compound_mapcount:0 compound_pincount:0
[ 34.781117][ T3596] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 34.789076][ T3596] raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888011842140
[ 34.797637][ T3596] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
[ 34.806196][ T3596] page dumped because: kasan: bad access detected
[ 34.812595][ T3596] page_owner tracks the page as allocated
[ 34.818282][ T3596] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 6644107682, free_ts 0
[ 34.837876][ T3596]  get_page_from_freelist+0x109b/0x2ce0
[ 34.843433][ T3596]  __alloc_pages+0x1c7/0x510
[ 34.848008][ T3596]  alloc_page_interleave+0x1e/0x200
[ 34.853186][ T3596]  alloc_pages+0x22f/0x270
[ 34.857585][ T3596]  allocate_slab+0x27e/0x3d0
[ 34.862151][ T3596]  ___slab_alloc+0x84f/0xe80
[ 34.866719][ T3596]  __slab_alloc.constprop.0+0x4d/0xa0
[ 34.872067][ T3596]  __kmalloc+0x32b/0x340
[ 34.876287][ T3596]  wpan_phy_new+0x23/0x290
[ 34.880685][ T3596]  ieee802154_alloc_hw+0x11b/0x7a0
[ 34.885777][ T3596]  hwsim_add_one+0x9b/0x12e0
[ 34.890609][ T3596]  hwsim_probe+0x48/0x120
[ 34.895360][ T3596]  platform_probe+0xfc/0x1f0
[ 34.900106][ T3596]  really_probe+0x249/0xb90
[ 34.904764][ T3596]  __driver_probe_device+0x1df/0x4d0
[ 34.910119][ T3596]  driver_probe_device+0x4c/0x1a0
[ 34.915209][ T3596] page_owner free stack trace missing
[ 34.920769][ T3596]
[ 34.923067][ T3596] Memory state around the buggy address:
[ 34.928843][ T3596]  ffff88802038ae00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.936878][ T3596]  ffff88802038ae80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.944915][ T3596] >ffff88802038af00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.952947][ T3596]                    ^
[ 34.957073][ T3596]  ffff88802038af80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.965108][ T3596]  ffff88802038b000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.973141][ T3596] ==================================================================
[ 34.982054][ T3596] Kernel panic - not syncing: panic_on_warn set ...
[ 34.988648][ T3596] CPU: 1 PID: 3596 Comm: syz-executor391 Not tainted 6.0.0-syzkaller-07994-ge8bc52cb8df8 #0
[ 34.998917][ T3596] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
[ 35.009139][ T3596] Call Trace:
[ 35.012400][ T3596]  <TASK>
[ 35.015309][ T3596]  dump_stack_lvl+0xcd/0x134
[ 35.019895][ T3596]  panic+0x2c8/0x622
[ 35.023774][ T3596]  ? panic_print_sys_info.part.0+0x10b/0x10b
[ 35.029737][ T3596]  ? preempt_schedule_common+0x59/0xc0
[ 35.035200][ T3596]  ? preempt_schedule_thunk+0x16/0x18
[ 35.040561][ T3596]  ? run_unpack+0x8b7/0x970
[ 35.045049][ T3596]  end_report.part.0+0x3f/0x7c
[ 35.049803][ T3596]  kasan_report.cold+0xa/0xf
[ 35.054465][ T3596]  ? run_unpack+0x8b7/0x970
[ 35.058951][ T3596]  run_unpack+0x8b7/0x970
[ 35.063263][ T3596]  ? run_pack+0x1100/0x1100
[ 35.067749][ T3596]  ? ntfs_bread_run+0x310/0x310
[ 35.072584][ T3596]  ? kfree+0x1fb/0x580
[ 35.076634][ T3596]  run_unpack_ex+0xb0/0x7c0
[ 35.081122][ T3596]  ? mi_enum_attr+0x34f/0x630
[ 35.085779][ T3596]  ? ni_enum_attr_ex+0x281/0x400
[ 35.090703][ T3596]  ? run_unpack+0x970/0x970
[ 35.095189][ T3596]  ? ni_fname_type.part.0+0x1e0/0x1e0
[ 35.100547][ T3596]  ? mi_read+0x27f/0x5b0
[ 35.104947][ T3596]  ntfs_iget5+0xc20/0x3280
[ 35.109346][ T3596]  ? ntfs_write_end+0x800/0x800
[ 35.114174][ T3596]  ntfs_loadlog_and_replay+0x124/0x5d0
[ 35.119618][ T3596]  ? ntfs_write_end+0x800/0x800
[ 35.124447][ T3596]  ? ntfs_bio_fill_1+0xa10/0xa10
[ 35.129367][ T3596]  ? destroy_inode+0xc4/0x1b0
[ 35.134026][ T3596]  ? iput.part.0+0x55d/0x810
[ 35.138879][ T3596]  ntfs_fill_super+0x1eff/0x37f0
[ 35.143986][ T3596]  ? put_ntfs+0x330/0x330
[ 35.148299][ T3596]  ? set_blocksize+0x2e5/0x370
[ 35.153047][ T3596]  get_tree_bdev+0x440/0x760
[ 35.157621][ T3596]  ? put_ntfs+0x330/0x330
[ 35.161938][ T3596]  vfs_get_tree+0x89/0x2f0
[ 35.166340][ T3596]  path_mount+0x1326/0x1e20
[ 35.170828][ T3596]  ? kmem_cache_free+0xeb/0x5b0
[ 35.175657][ T3596]  ? finish_automount+0x960/0x960
[ 35.180670][ T3596]  ? putname+0xfe/0x140
[ 35.184813][ T3596]  __x64_sys_mount+0x27f/0x300
[ 35.189561][ T3596]  ? copy_mnt_ns+0xae0/0xae0
[ 35.194132][ T3596]  ? trace_hardirqs_on+0x2d/0x120
[ 35.199144][ T3596]  do_syscall_64+0x35/0xb0
[ 35.203540][ T3596]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 35.209413][ T3596] RIP: 0033:0x7fe50e8e568a
[ 35.213804][ T3596] Code: 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 35.233653][ T3596] RSP: 002b:00007fff7da0bda8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 35.242061][ T3596] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fe50e8e568a
[ 35.250019][ T3596] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fff7da0bdc0
[ 35.257976][ T3596] RBP: 00007fff7da0bdc0 R08: 00007fff7da0be00 R09: 0000555556a132c0
[ 35.265928][ T3596] R10: 0000000000000000 R11: 0000000000000286 R12: 0000000000000004
[ 35.273896][ T3596] R13: 00007fff7da0be00 R14: 000000000000010c R15: 0000000020001b20
[ 35.281851][ T3596]  </TASK>
[ 35.285623][ T3596] Kernel Offset: disabled
[ 35.289936][ T3596] Rebooting in 86400 seconds..