[ OK ] Reached target Graphical Interface.
       Starting Update UTMP about System Runlevel Changes...
       Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.10.30' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 39.115382] audit: type=1400 audit(1601026700.810:8): avc: denied { execmem } for pid=6493 comm="syz-executor886" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 39.145346] ntfs: (device loop0): is_boot_sector_ntfs(): Invalid end of sector marker.
[ 39.161813] ntfs: (device loop0): check_mft_mirror(): $MFT and $MFTMirr (record 0) do not match. Run ntfsfix or chkdsk.
[ 39.173192] ntfs: (device loop0): load_system_files(): $MFTMirr does not match $MFT. Mounting read-only. Run ntfsfix and/or chkdsk.
[ 39.186303] ntfs: (device loop0): map_mft_record_page(): Mft record 0xa is corrupt. Run chkdsk.
[ 39.195558] ntfs: (device loop0): map_mft_record(): Failed with error code 5.
[ 39.202913] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0xa as bad. Run chkdsk.
[ 39.215337] ntfs: (device loop0): load_and_init_upcase(): Failed to load $UpCase from the volume. Using default.
[ 39.226116] ntfs: (device loop0): map_mft_record_page(): Mft record 0x4 is corrupt. Run chkdsk.
[ 39.235981] ntfs: (device loop0): map_mft_record(): Failed with error code 5.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 39.521509] ==================================================================
[ 39.528893] BUG: KASAN: use-after-free in ntfs_read_locked_inode+0x4731/0x5490
[ 39.536249] Read of size 8 at addr ffff88808462be46 by task syz-executor886/6521
[ 39.543774]
[ 39.545405] CPU: 1 PID: 6521 Comm: syz-executor886 Not tainted 4.19.147-syzkaller #0
[ 39.553284] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.562635] Call Trace:
[ 39.565235]  dump_stack+0x22c/0x33e
[ 39.568872]  print_address_description.cold+0x56/0x25c
[ 39.574158]  kasan_report_error.cold+0x66/0xb9
[ 39.578747]  ? ntfs_read_locked_inode+0x4731/0x5490
[ 39.583772]  __asan_report_load_n_noabort+0x8b/0xa0
[ 39.588800]  ? ntfs_read_locked_inode+0x4731/0x5490
[ 39.593827]  ntfs_read_locked_inode+0x4731/0x5490
[ 39.598680]  ? ntfs_index_lookup.cold+0xc2/0xc2
[ 39.603357]  ? ntfs_test_inode+0x2c0/0x2c0
[ 39.607587]  ? iget5_locked+0x3c/0xd0
[ 39.611371]  ntfs_iget+0x12d/0x180
[ 39.614979]  ? ntfs_read_locked_inode+0x5490/0x5490
[ 39.620019]  ntfs_fill_super+0x1853/0x89d2
[ 39.624286]  ? snprintf+0xbb/0xf0
[ 39.627719]  ? vsprintf+0x30/0x30
[ 39.631162]  ? ntfs_remount+0x500/0x500
[ 39.635115]  ? __mutex_add_waiter+0x160/0x160
[ 39.639588]  ? set_blocksize+0x163/0x3f0
[ 39.643627]  mount_bdev+0x2fc/0x3b0
[ 39.647233]  ? ntfs_remount+0x500/0x500
[ 39.651184]  mount_fs+0xa3/0x318
[ 39.654535]  vfs_kern_mount.part.0+0x68/0x470
[ 39.659048]  do_mount+0x51c/0x2f10
[ 39.662583]  ? check_preemption_disabled+0x41/0x2b0
[ 39.667590]  ? copy_mount_string+0x40/0x40
[ 39.671806]  ? kmem_cache_alloc_trace+0x379/0x4b0
[ 39.676628]  ? _copy_from_user+0xd2/0x130
[ 39.680755]  ? copy_mount_options+0x261/0x370
[ 39.685240]  ksys_mount+0xcf/0x130
[ 39.688858]  __x64_sys_mount+0xba/0x150
[ 39.692814]  ? lockdep_hardirqs_on+0x3c1/0x5e0
[ 39.697375]  do_syscall_64+0xf9/0x670
[ 39.701154]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 39.706321] RIP: 0033:0x4494fa
[ 39.709491] Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 7d a3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 5a a3 fb ff c3 66 0f 1f 84 00 00 00 00 00
[ 39.728375] RSP: 002b:00007ffd1f9e4678 EFLAGS: 00000287 ORIG_RAX: 00000000000000a5
[ 39.736074] RAX: ffffffffffffffda RBX: 00007ffd1f9e46d0 RCX: 00000000004494fa
[ 39.743323] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffd1f9e4690
[ 39.750596] RBP: 00007ffd1f9e4690 R08: 00007ffd1f9e46d0 R09: 0000000000000000
[ 39.757852] R10: 0000000000000000 R11: 0000000000000287 R12: 00000000000000ab
[ 39.765112] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 39.772375]
[ 39.773979] The buggy address belongs to the page:
[ 39.778900] page:ffffea0002118ac0 count:0 mapcount:0 mapping:0000000000000000 index:0x1
[ 39.787023] flags: 0xfffe0000000000()
[ 39.790810] raw: 00fffe0000000000 ffffea0002290d48 ffffea00027b4f88 0000000000000000
[ 39.798772] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 39.806644] page dumped because: kasan: bad access detected
[ 39.812326]
[ 39.813926] Memory state around the buggy address:
[ 39.818839]  ffff88808462bd00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 39.826199]  ffff88808462bd80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 39.833558] >ffff88808462be00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 39.840905]                                            ^
[ 39.846333]  ffff88808462be80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 39.853672]  ffff88808462bf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 39.861009] ==================================================================
[ 39.868367] Disabling lock debugging due to kernel taint
[ 39.874193] Kernel panic - not syncing: panic_on_warn set ...
[ 39.874193]
[ 39.881563] CPU: 1 PID: 6521 Comm: syz-executor886 Tainted: G    B             4.19.147-syzkaller #0
[ 39.890830] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.900176] Call Trace:
[ 39.902780]  dump_stack+0x22c/0x33e
[ 39.906393]  panic+0x2ac/0x565
[ 39.909681]  ? __warn_printk+0xf3/0xf3
[ 39.913550]  ? preempt_schedule_common+0x45/0xc0
[ 39.918285]  ? ___preempt_schedule+0x16/0x18
[ 39.922672]  ? trace_hardirqs_on+0x55/0x210
[ 39.926997]  kasan_end_report+0x43/0x49
[ 39.930965]  kasan_report_error.cold+0x83/0xb9
[ 39.935531]  ? ntfs_read_locked_inode+0x4731/0x5490
[ 39.940547]  __asan_report_load_n_noabort+0x8b/0xa0
[ 39.945653]  ? ntfs_read_locked_inode+0x4731/0x5490
[ 39.950645]  ntfs_read_locked_inode+0x4731/0x5490
[ 39.955468]  ? ntfs_index_lookup.cold+0xc2/0xc2
[ 39.960149]  ? ntfs_test_inode+0x2c0/0x2c0
[ 39.964372]  ? iget5_locked+0x3c/0xd0
[ 39.968153]  ntfs_iget+0x12d/0x180
[ 39.971759]  ? ntfs_read_locked_inode+0x5490/0x5490
[ 39.976769]  ntfs_fill_super+0x1853/0x89d2
[ 39.980989]  ? snprintf+0xbb/0xf0
[ 39.984419]  ? vsprintf+0x30/0x30
[ 39.987851]  ? ntfs_remount+0x500/0x500
[ 39.991801]  ? __mutex_add_waiter+0x160/0x160
[ 39.996276]  ? set_blocksize+0x163/0x3f0
[ 40.000314]  mount_bdev+0x2fc/0x3b0
[ 40.003920]  ? ntfs_remount+0x500/0x500
[ 40.007894]  mount_fs+0xa3/0x318
[ 40.011243]  vfs_kern_mount.part.0+0x68/0x470
[ 40.015718]  do_mount+0x51c/0x2f10
[ 40.019256]  ? check_preemption_disabled+0x41/0x2b0
[ 40.024251]  ? copy_mount_string+0x40/0x40
[ 40.028474]  ? kmem_cache_alloc_trace+0x379/0x4b0
[ 40.033296]  ? _copy_from_user+0xd2/0x130
[ 40.037436]  ? copy_mount_options+0x261/0x370
[ 40.041908]  ksys_mount+0xcf/0x130
[ 40.045433]  __x64_sys_mount+0xba/0x150
[ 40.049386]  ? lockdep_hardirqs_on+0x3c1/0x5e0
[ 40.053959]  do_syscall_64+0xf9/0x670
[ 40.057743]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 40.062912] RIP: 0033:0x4494fa
[ 40.066084] Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 7d a3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 5a a3 fb ff c3 66 0f 1f 84 00 00 00 00 00
[ 40.084968] RSP: 002b:00007ffd1f9e4678 EFLAGS: 00000287 ORIG_RAX: 00000000000000a5
[ 40.092654] RAX: ffffffffffffffda RBX: 00007ffd1f9e46d0 RCX: 00000000004494fa
[ 40.099914] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffd1f9e4690
[ 40.107180] RBP: 00007ffd1f9e4690 R08: 00007ffd1f9e46d0 R09: 0000000000000000
[ 40.114447] R10: 0000000000000000 R11: 0000000000000287 R12: 00000000000000ab
[ 40.121693] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 40.130163] Kernel Offset: disabled
[ 40.133774] Rebooting in 86400 seconds..