./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3734160752
<...>
DUID 00:04:b8:e6:73:7f:79:fd:ed:d3:a2:45:9d:0b:c9:97:07:5c
[ 21.553604][ T4689] 8021q: adding VLAN 0 to HW filter on device bond0
forked to background, child pid 4688
[ 21.570738][ T4689] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK
syzkaller
Warning: Permanently added '10.128.1.28' (ECDSA) to the list of known hosts.
execve("./syz-executor3734160752", ["./syz-executor3734160752"], 0x7ffc89d84020 /* 10 vars */) = 0
brk(NULL) = 0x555555c7e000
brk(0x555555c7ec40) = 0x555555c7ec40
arch_prctl(ARCH_SET_FS, 0x555555c7e300) = 0
uname({sysname="Linux", nodename="syzkaller", ...}) = 0
readlink("/proc/self/exe", "/root/syz-executor3734160752", 4096) = 28
brk(0x555555c9fc40) = 0x555555c9fc40
brk(0x555555ca0000) = 0x555555ca0000
mprotect(0x7f85fe31e000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
memfd_create("syzkaller", 0) = 3
mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f85f5e46000
write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x10\x01\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x01\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\xff\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x20\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152
munmap(0x7f85f5e46000, 2097152) = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
ioctl(4, LOOP_SET_FD, 3) = 0
close(3) = 0
mkdir("./file0", 0777) = 0
syzkaller login: [ 55.556191][ T5019] memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL, pid=5019 'syz-executor373'
[ 55.584637][ T5019] loop0: detected capacity change from 0 to 4096
[ 55.595751][ T5019] ntfs: (device loop0): ntfs_is_extended_system_file(): Corrupt file name attribute. You should run chkdsk.
[ 55.607306][ T5019] ntfs: (device loop0): ntfs_read_locked_inode(): $DATA attribute is missing.
[ 55.616258][ T5019] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -2. Marking corrupt inode 0x1 as bad. Run chkdsk.
[ 55.629615][ T5019] ntfs: (device loop0): load_system_files(): Failed to load $MFTMirr. Mounting read-only. Run ntfsfix and/or chkdsk.
[ 55.646910][ T5019] ntfs: volume version 3.1.
mount("/dev/loop0", "./file0", "ntfs", MS_NOSUID, "") = 0
openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3
chdir("./file0") = 0
ioctl(4, LOOP_CLR_FD) = 0
close(4) = 0
openat(AT_FDCWD, ".", O_RDONLY) = 4
[ 55.652709][ T5019] ntfs: (device loop0): ntfs_lookup_inode_by_name(): Corrupt directory. Aborting lookup.
[ 55.662645][ T5019] ntfs: (device loop0): check_windows_hibernation_status(): Failed to find inode number for hiberfil.sys.
[ 55.673946][ T5019] ntfs: (device loop0): load_system_files(): Failed to determine if Windows is hibernated. Will not be able to remount read-write. Run chkdsk.
[ 55.693813][ T5019] ==================================================================
[ 55.701918][ T5019] BUG: KASAN: slab-out-of-bounds in ntfs_readdir+0x1455/0x29b0
[ 55.709495][ T5019] Read of size 1 at addr ffff88802baf4971 by task syz-executor373/5019
[ 55.717727][ T5019]
[ 55.720060][ T5019] CPU: 0 PID: 5019 Comm: syz-executor373 Not tainted 6.4.0-syzkaller-12069-gc17414a273b8 #0
[ 55.730119][ T5019] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
[ 55.740156][ T5019] Call Trace:
[ 55.743443][ T5019]
[ 55.746354][ T5019] dump_stack_lvl+0xd9/0x150
[ 55.751043][ T5019] print_address_description.constprop.0+0x2c/0x3c0
[ 55.757620][ T5019] kasan_report+0x11d/0x130
[ 55.762103][ T5019] ? ntfs_readdir+0x1455/0x29b0
[ 55.766937][ T5019] ntfs_readdir+0x1455/0x29b0
[ 55.771601][ T5019] ? put_page+0x280/0x280
[ 55.775913][ T5019] ? down_write_killable_nested+0x250/0x250
[ 55.781786][ T5019] iterate_dir+0x20c/0x750
[ 55.786182][ T5019] __x64_sys_getdents64+0x13e/0x2c0
[ 55.791366][ T5019] ? __ia32_sys_getdents+0x2c0/0x2c0
[ 55.796636][ T5019] ? compat_fillonedir+0x470/0x470
[ 55.801751][ T5019] ? lockdep_hardirqs_on+0x7d/0x100
[ 55.806933][ T5019] ? _raw_spin_unlock_irq+0x2e/0x50
[ 55.812121][ T5019] ? ptrace_notify+0xfe/0x140
[ 55.816784][ T5019] do_syscall_64+0x39/0xb0
[ 55.821186][ T5019] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 55.827065][ T5019] RIP: 0033:0x7f85fe2927a9
[ 55.831459][ T5019] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 55.851054][ T5019] RSP: 002b:00007ffd72a33b58 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
[ 55.859447][ T5019] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f85fe2927a9
[ 55.867401][ T5019] RDX: 00000000000000ab RSI: 0000000020000080 RDI: 0000000000000004
[ 55.875348][ T5019] RBP: 00007f85fe252040 R08: 0000000000000000 R09: 0000000000000000
[ 55.883296][ T5019] R10: 000000000001f1b8 R11: 0000000000000246 R12: 00007f85fe2520d0
[ 55.891249][ T5019] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 55.899207][ T5019]
[ 55.902209][ T5019]
[ 55.904507][ T5019] Allocated by task 5019:
[ 55.908820][ T5019] kasan_save_stack+0x22/0x40
[ 55.913479][ T5019] kasan_set_track+0x25/0x30
[ 55.918047][ T5019] __kasan_kmalloc+0xa2/0xb0
[ 55.922618][ T5019] __kmalloc+0x5e/0x190
[ 55.926753][ T5019] ntfs_readdir+0x117f/0x29b0
[ 55.931424][ T5019] iterate_dir+0x20c/0x750
[ 55.935816][ T5019] __x64_sys_getdents64+0x13e/0x2c0
[ 55.940992][ T5019] do_syscall_64+0x39/0xb0
[ 55.945390][ T5019] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 55.951266][ T5019]
[ 55.953564][ T5019] The buggy address belongs to the object at ffff88802baf4900
[ 55.953564][ T5019] which belongs to the cache kmalloc-64 of size 64
[ 55.967413][ T5019] The buggy address is located 57 bytes to the right of
[ 55.967413][ T5019] allocated 56-byte region [ffff88802baf4900, ffff88802baf4938)
[ 55.981878][ T5019]
[ 55.984179][ T5019] The buggy address belongs to the physical page:
[ 55.990655][ T5019] page:ffffea0000aebd00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88802baf4c80 pfn:0x2baf4
[ 56.002516][ T5019] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 56.010038][ T5019] page_type: 0xffffffff()
[ 56.014342][ T5019] raw: 00fff00000000200 ffff888012841640 ffffea0000aa7d40 dead000000000006
[ 56.022904][ T5019] raw: ffff88802baf4c80 000000008020001d 00000001ffffffff 0000000000000000
[ 56.031460][ T5019] page dumped because: kasan: bad access detected
[ 56.037847][ T5019] page_owner tracks the page as allocated
[ 56.043534][ T5019] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 38, tgid 38 (kworker/u4:2), ts 8915134478, free_ts 8903626038
[ 56.061314][ T5019] post_alloc_hook+0x2db/0x350
[ 56.066065][ T5019] get_page_from_freelist+0xfed/0x2d30
[ 56.071507][ T5019] __alloc_pages+0x1cb/0x4a0
[ 56.076077][ T5019] alloc_pages+0x1aa/0x270
[ 56.080472][ T5019] allocate_slab+0x25f/0x390
[ 56.085042][ T5019] ___slab_alloc+0xbc3/0x15d0
[ 56.089715][ T5019] __slab_alloc.constprop.0+0x56/0xa0
[ 56.095068][ T5019] __kmem_cache_alloc_node+0x143/0x350
[ 56.100503][ T5019] __kmalloc+0x4e/0x190
[ 56.104636][ T5019] security_task_alloc+0x10f/0x250
[ 56.109730][ T5019] copy_process+0x2531/0x75c0
[ 56.114384][ T5019] kernel_clone+0xeb/0x890
[ 56.118779][ T5019] user_mode_thread+0xb1/0xf0
[ 56.123430][ T5019] call_usermodehelper_exec_work+0xd0/0x180
[ 56.129388][ T5019] process_one_work+0xa34/0x16f0
[ 56.134307][ T5019] worker_thread+0x67d/0x10c0
[ 56.138985][ T5019] page last free stack trace:
[ 56.143630][ T5019] free_unref_page_prepare+0x62e/0xcb0
[ 56.149077][ T5019] free_unref_page+0x33/0x370
[ 56.153733][ T5019] vfree+0x180/0x7b0
[ 56.157606][ T5019] delayed_vfree_work+0x57/0x70
[ 56.162432][ T5019] process_one_work+0xa34/0x16f0
[ 56.167346][ T5019] worker_thread+0x67d/0x10c0
[ 56.171999][ T5019] kthread+0x344/0x440
[ 56.176041][ T5019] ret_from_fork+0x1f/0x30
[ 56.180548][ T5019]
[ 56.182847][ T5019] Memory state around the buggy address:
[ 56.188543][ T5019] ffff88802baf4800: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 56.196579][ T5019] ffff88802baf4880: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 56.204629][ T5019] >ffff88802baf4900: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
[ 56.212677][ T5019] ^
[ 56.220459][ T5019] ffff88802baf4980: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[ 56.228499][ T5019] ffff88802baf4a00: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[ 56.236529][ T5019] ==================================================================
[ 56.244828][ T5019] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 56.252023][ T5019] CPU: 0 PID: 5019 Comm: syz-executor373 Not tainted 6.4.0-syzkaller-12069-gc17414a273b8 #0
[ 56.262078][ T5019] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
[ 56.272134][ T5019] Call Trace:
[ 56.275400][ T5019]
[ 56.278318][ T5019] dump_stack_lvl+0xd9/0x150
[ 56.282910][ T5019] panic+0x686/0x730
[ 56.286796][ T5019] ? panic_smp_self_stop+0xa0/0xa0
[ 56.291899][ T5019] ? preempt_schedule_thunk+0x1a/0x30
[ 56.297266][ T5019] ? preempt_schedule_common+0x45/0xb0
[ 56.302719][ T5019] check_panic_on_warn+0xb1/0xc0
[ 56.307671][ T5019] end_report+0x108/0x150
[ 56.311993][ T5019] kasan_report+0xfa/0x130
[ 56.316401][ T5019] ? ntfs_readdir+0x1455/0x29b0
[ 56.321254][ T5019] ntfs_readdir+0x1455/0x29b0
[ 56.326025][ T5019] ? put_page+0x280/0x280
[ 56.330353][ T5019] ? down_write_killable_nested+0x250/0x250
[ 56.336246][ T5019] iterate_dir+0x20c/0x750
[ 56.340668][ T5019] __x64_sys_getdents64+0x13e/0x2c0
[ 56.345868][ T5019] ? __ia32_sys_getdents+0x2c0/0x2c0
[ 56.351149][ T5019] ? compat_fillonedir+0x470/0x470
[ 56.356257][ T5019] ? lockdep_hardirqs_on+0x7d/0x100
[ 56.361447][ T5019] ? _raw_spin_unlock_irq+0x2e/0x50
[ 56.366642][ T5019] ? ptrace_notify+0xfe/0x140
[ 56.371308][ T5019] do_syscall_64+0x39/0xb0
[ 56.375722][ T5019] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 56.381611][ T5019] RIP: 0033:0x7f85fe2927a9
[ 56.386013][ T5019] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 56.405616][ T5019] RSP: 002b:00007ffd72a33b58 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
[ 56.414020][ T5019] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f85fe2927a9
[ 56.421979][ T5019] RDX: 00000000000000ab RSI: 0000000020000080 RDI: 0000000000000004
[ 56.429939][ T5019] RBP: 00007f85fe252040 R08: 0000000000000000 R09: 0000000000000000
[ 56.437901][ T5019] R10: 000000000001f1b8 R11: 0000000000000246 R12: 00007f85fe2520d0
[ 56.445856][ T5019] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 56.453826][ T5019]
[ 56.457793][ T5019] Kernel Offset: disabled
[ 56.462103][ T5019] Rebooting in 86400 seconds..