./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3912324133 <...> Warning: Permanently added '10.128.0.160' (ED25519) to the list of known hosts. execve("./syz-executor3912324133", ["./syz-executor3912324133"], 0x7ffc60d29c20 /* 10 vars */) = 0 brk(NULL) = 0x555557499000 brk(0x555557499d00) = 0x555557499d00 arch_prctl(ARCH_SET_FS, 0x555557499380) = 0 set_tid_address(0x555557499650) = 5066 set_robust_list(0x555557499660, 24) = 0 rseq(0x555557499ca0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor3912324133", 4096) = 28 getrandom("\x5b\xdf\x36\x22\x4c\x4e\x72\xd9", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x555557499d00 brk(0x5555574bad00) = 0x5555574bad00 brk(0x5555574bb000) = 0x5555574bb000 mprotect(0x7f3fcbad6000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5068 attached [pid 5068] set_robust_list(0x555557499660, 24) = 0 [pid 5068] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5068] setpgid(0, 0) = 0 [pid 5066] <... clone resumed>, child_tidptr=0x555557499650) = 5068 [pid 5068] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5068] write(3, "1000", 4) = 4 [pid 5068] close(3) = 0 [pid 5068] memfd_create("syzkaller", 0) = 3 [pid 5068] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3fc3605000 [pid 5068] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5068] munmap(0x7f3fc3605000, 138412032) = 0 [pid 5068] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5068] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5068] close(3) = 0 [pid 5068] mkdir("./file0", 0777) = 0 [ 55.005901][ T5068] loop0: detected capacity change from 0 to 4096 [ 55.022016][ T5068] ntfs: (device loop0): is_boot_sector_ntfs(): Invalid end of sector marker. [ 55.031737][ T5068] ================================================================== [ 55.039797][ T5068] BUG: KASAN: use-after-free in ntfs_attr_find+0xaa4/0xbe0 [ 55.047010][ T5068] Read of size 2 at addr ffff888052d77042 by task syz-executor391/5068 [ 55.055248][ T5068] [ 55.057584][ T5068] CPU: 1 PID: 5068 Comm: syz-executor391 Not tainted 6.7.0-rc3-syzkaller-00033-g3b47bc037bd4 #0 [ 55.067997][ T5068] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 [ 55.078038][ T5068] Call Trace: [ 55.081323][ T5068] [ 55.084258][ T5068] dump_stack_lvl+0xd9/0x1b0 [ 55.088848][ T5068] print_report+0xc4/0x620 [ 55.093268][ T5068] ? __virt_addr_valid+0x5e/0x2d0 [ 55.098290][ T5068] ? __phys_addr+0xc6/0x140 [ 55.102797][ T5068] kasan_report+0xda/0x110 [ 55.107212][ T5068] ? ntfs_attr_find+0xaa4/0xbe0 [ 55.112059][ T5068] ? ntfs_attr_find+0xaa4/0xbe0 [ 55.116907][ T5068] ntfs_attr_find+0xaa4/0xbe0 [ 55.121590][ T5068] ntfs_attr_lookup+0x10e0/0x2100 [ 55.126616][ T5068] ? ntfs_attr_reinit_search_ctx+0x3c0/0x3c0 [ 55.132595][ T5068] ? trace_kmem_cache_alloc+0x26/0xa0 [ 55.137962][ T5068] ? kmem_cache_alloc+0x1af/0x2f0 [ 55.142988][ T5068] ntfs_read_locked_inode+0x9bf/0x5860 [ 55.148442][ T5068] ntfs_read_inode_mount+0xef9/0x2730 [ 55.153809][ T5068] ntfs_fill_super+0x185c/0x9100 [ 55.158745][ T5068] ? up_write+0x510/0x510 [ 55.163070][ T5068] ? parse_options+0x1db0/0x1db0 [ 55.168002][ T5068] ? lock_sync+0x190/0x190 [ 55.172416][ T5068] ? parse_options+0x1db0/0x1db0 [ 55.177347][ T5068] ? preempt_count_sub+0x160/0x160 [ 55.182453][ T5068] ? sb_set_blocksize+0xf6/0x120 [ 55.187483][ T5068] ? parse_options+0x1db0/0x1db0 [ 55.192409][ T5068] mount_bdev+0x1f3/0x2e0 [ 55.196735][ T5068] ? sget+0x640/0x640 [ 55.200709][ T5068] ? apparmor_capable+0x126/0x1e0 [ 55.205729][ T5068] ? ntfs_rl_punch_nolock+0x15d0/0x15d0 [ 55.211267][ T5068] legacy_get_tree+0x109/0x220 [ 55.216028][ T5068] vfs_get_tree+0x8c/0x370 [ 55.220442][ T5068] path_mount+0x1492/0x1ed0 [ 55.224943][ T5068] ? kmem_cache_free+0xf8/0x350 [ 55.229791][ T5068] ? finish_automount+0xa40/0xa40 [ 55.234814][ T5068] ? putname+0x12e/0x170 [ 55.239052][ T5068] __x64_sys_mount+0x293/0x310 [ 55.243813][ T5068] ? copy_mnt_ns+0xb60/0xb60 [ 55.248398][ T5068] ? syscall_trace_enter.constprop.0+0xaf/0x1e0 [ 55.254633][ T5068] do_syscall_64+0x40/0x110 [ 55.259133][ T5068] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 55.265030][ T5068] RIP: 0033:0x7f3fcba44daa [ 55.269432][ T5068] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 55.289030][ T5068] RSP: 002b:00007fffa61e1ed8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 55.297432][ T5068] RAX: ffffffffffffffda RBX: 00007fffa61e1ef0 RCX: 00007f3fcba44daa [ 55.305391][ T5068] RDX: 00000000200000c0 RSI: 00000000200001c0 RDI: 00007fffa61e1ef0 [ 55.313350][ T5068] RBP: 0000000000000004 R08: 00007fffa61e1f30 R09: 000000000001f63d [ 55.321308][ T5068] R10: 0000000000000004 R11: 0000000000000286 R12: 0000000000000004 [ 55.329270][ T5068] R13: 00007fffa61e1f30 R14: 0000000000000003 R15: 0000000000200000 [ 55.337238][ T5068] [ 55.340250][ T5068] [ 55.342563][ T5068] The buggy address belongs to the physical page: [ 55.348956][ T5068] page:ffffea00014b5dc0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x52d77 [ 55.359094][ T5068] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 55.366191][ T5068] page_type: 0xffffffff() [ 55.370539][ T5068] raw: 00fff00000000000 ffffea00014d2f88 ffff8880b9942630 0000000000000000 [ 55.379290][ T5068] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 55.387859][ T5068] page dumped because: kasan: bad access detected [ 55.394255][ T5068] page_owner tracks the page as freed [ 55.399607][ T5068] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5068, tgid 5068 (syz-executor391), ts 54959981955, free_ts 55030976425 [ 55.418529][ T5068] post_alloc_hook+0x2d0/0x350 [ 55.423379][ T5068] get_page_from_freelist+0xa25/0x36d0 [ 55.428840][ T5068] __alloc_pages+0x22e/0x2420 [ 55.433515][ T5068] alloc_pages_mpol+0x258/0x5f0 [ 55.438367][ T5068] vma_alloc_folio+0xad/0x220 [ 55.443039][ T5068] do_wp_page+0x13be/0x36b0 [ 55.447541][ T5068] __handle_mm_fault+0x1d7d/0x3d70 [ 55.452666][ T5068] handle_mm_fault+0x47a/0xa10 [ 55.457422][ T5068] do_user_addr_fault+0x30b/0x1000 [ 55.462528][ T5068] exc_page_fault+0x5d/0xc0 [ 55.467029][ T5068] asm_exc_page_fault+0x26/0x30 [ 55.471877][ T5068] page last free stack trace: [ 55.476534][ T5068] free_unref_page_prepare+0x4fa/0xaa0 [ 55.482076][ T5068] free_unref_page_list+0xe6/0xb40 [ 55.487213][ T5068] release_pages+0x32a/0x14f0 [ 55.491877][ T5068] folio_batch_move_lru+0x2f7/0x470 [ 55.497062][ T5068] lru_add_drain_cpu+0x535/0x860 [ 55.501989][ T5068] lru_add_drain+0x10a/0x440 [ 55.506566][ T5068] __folio_batch_release+0x89/0xe0 [ 55.511666][ T5068] truncate_inode_pages_range+0x33e/0xf00 [ 55.517374][ T5068] set_blocksize+0x2af/0x360 [ 55.521959][ T5068] sb_set_blocksize+0x47/0x120 [ 55.526723][ T5068] ntfs_fill_super+0x134d/0x9100 [ 55.531668][ T5068] mount_bdev+0x1f3/0x2e0 [ 55.535990][ T5068] legacy_get_tree+0x109/0x220 [ 55.540746][ T5068] vfs_get_tree+0x8c/0x370 [ 55.545155][ T5068] path_mount+0x1492/0x1ed0 [ 55.549653][ T5068] __x64_sys_mount+0x293/0x310 [ 55.554410][ T5068] [ 55.556721][ T5068] Memory state around the buggy address: [ 55.562336][ T5068] ffff888052d76f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 55.570383][ T5068] ffff888052d76f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 55.578429][ T5068] >ffff888052d77000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 55.586477][ T5068] ^ [ 55.592612][ T5068] ffff888052d77080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 55.600744][ T5068] ffff888052d77100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 55.608879][ T5068] ================================================================== [ 55.617104][ T5068] Disabling lock debugging due to kernel taint [ 55.623297][ T5068] ntfs: (device loop0): ntfs_is_extended_system_file(): Inode hard link count doesn't match number of name attributes. You should run chkdsk. [ 55.637938][ T5068] ntfs: (device loop0): ntfs_read_locked_inode(): $DATA attribute is missing. [pid 5068] mount("/dev/loop0", "./file0", "ntfs", MS_NODEV, "") = -1 EINVAL (Invalid argument) [pid 5068] ioctl(4, LOOP_CLR_FD) = 0 [pid 5068] close(4) = 0 [ 55.646849][ T5068] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -2. Marking corrupt inode 0x0 as bad. Run chkdsk. [ 55.659869][ T5068] ntfs: (device loop0): ntfs_read_inode_mount(): ntfs_read_inode() of $MFT failed. BUG or corrupt $MFT. Run chkdsk and if no errors are found, please report you saw this message to linux-ntfs-dev@lists.sourceforge.net [ 55.680969][ T5068] ntfs: (device loop0): ntfs_fill_super(): Failed to load essential metadata. [pid 5068] exit_group(0) = ? [pid 5068] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5068, si_uid=0, si_status=0, si_utime=0, si_stime=11 /* 0.11 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5069 attached , child_tidptr=0x555557499650) = 5069 [pid 5069] set_robust_list(0x555557499660, 24) = 0 [pid 5069] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5069] setpgid(0, 0) = 0 [pid 5069] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5069] write(3, "1000", 4) = 4 [pid 5069] close(3) = 0 [pid 5069] memfd_create("syzkaller", 0) = 3 [pid 5069] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3fc3605000 [pid 5069] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5069] munmap(0x7f3fc3605000, 138412032) = 0 [pid 5069] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5069] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5069] close(3) = 0 [pid 5069] mkdir("./file0", 0777) = -1 EEXIST (File exists) [ 55.850329][ T5069] loop0: detected capacity change from 0 to 4096 [ 55.863374][ T5069] ntfs: (device loop0): is_boot_sector_ntfs(): Invalid end of sector marker. [ 55.873238][ T5069] ntfs: (device loop0): ntfs_is_extended_system_file(): Inode hard link count doesn't match number of name attributes. You should run chkdsk. [ 55.887741][ T5069] ntfs: (device loop0): ntfs_read_locked_inode(): $DATA attribute is missing. [pid 5069] mount("/dev/loop0", "./file0", "ntfs", MS_NODEV, "") = -1 EINVAL (Invalid argument) [pid 5069] ioctl(4, LOOP_CLR_FD) = 0 [pid 5069] close(4) = 0 [pid 5069] exit_group(0) = ? [pid 5069] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5069, si_uid=0, si_status=0, si_utime=0, si_stime=6 /* 0.06 s */} --- openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5070 attached [ 55.896652][ T5069] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -2. Marking corrupt inode 0x0 as bad. Run chkdsk. [pid 5070] set_robust_list(0x555557499660, 24) = 0 [pid 5070] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5070] setpgid(0, 0) = 0 [pid 5070] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5066] <... clone resumed>, child_tidptr=0x555557499650) = 5070 [pid 5070] write(3, "1000", 4) = 4 [pid 5070] close(3) = 0 [pid 5070] memfd_create("syzkaller", 0) = 3 [pid 5070] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3fc3605000 [pid 5070] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5070] munmap(0x7f3fc3605000, 138412032) = 0 [pid 5070] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5070] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5070] close(3) = 0 [pid 5070] mkdir("./file0", 0777) = -1 EEXIST (File exists) [ 56.036025][ T5070] loop0: detected capacity change from 0 to 4096 [ 56.060584][ T5070] ================================================================== [ 56.068651][ T5070] BUG: KASAN: use-after-free in ntfs_attr_find+0xaa4/0xbe0 [ 56.075849][ T5070] Read of size 2 at addr ffff88807ab6f042 by task syz-executor391/5070 [ 56.084162][ T5070] [ 56.086479][ T5070] CPU: 0 PID: 5070 Comm: syz-executor391 Tainted: G B 6.7.0-rc3-syzkaller-00033-g3b47bc037bd4 #0 [ 56.098361][ T5070] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 [ 56.108412][ T5070] Call Trace: [ 56.111685][ T5070] [ 56.114605][ T5070] dump_stack_lvl+0xd9/0x1b0 [ 56.119197][ T5070] print_report+0xc4/0x620 [ 56.123614][ T5070] ? __virt_addr_valid+0x5e/0x2d0 [ 56.128639][ T5070] ? __phys_addr+0xc6/0x140 [ 56.133141][ T5070] kasan_report+0xda/0x110 [ 56.137565][ T5070] ? ntfs_attr_find+0xaa4/0xbe0 [ 56.142421][ T5070] ? ntfs_attr_find+0xaa4/0xbe0 [ 56.147282][ T5070] ntfs_attr_find+0xaa4/0xbe0 [ 56.151966][ T5070] ntfs_attr_lookup+0x10e0/0x2100 [ 56.156993][ T5070] ? ntfs_attr_reinit_search_ctx+0x3c0/0x3c0 [ 56.162969][ T5070] ? trace_kmem_cache_alloc+0x26/0xa0 [ 56.168375][ T5070] ? kmem_cache_alloc+0x1af/0x2f0 [ 56.173398][ T5070] ntfs_read_locked_inode+0x9bf/0x5860 [ 56.178894][ T5070] ntfs_read_inode_mount+0xef9/0x2730 [ 56.184297][ T5070] ntfs_fill_super+0x185c/0x9100 [ 56.189238][ T5070] ? up_write+0x510/0x510 [ 56.193566][ T5070] ? rcu_is_watching+0x12/0xb0 [ 56.198328][ T5070] ? parse_options+0x1db0/0x1db0 [ 56.203258][ T5070] ? lock_sync+0x190/0x190 [ 56.207677][ T5070] ? spin_bug+0x1d0/0x1d0 [ 56.211996][ T5070] ? set_blocksize+0x2bd/0x360 [ 56.216767][ T5070] ? preempt_count_sub+0x160/0x160 [ 56.221868][ T5070] ? sb_set_blocksize+0xf6/0x120 [ 56.226811][ T5070] ? parse_options+0x1db0/0x1db0 [ 56.231740][ T5070] mount_bdev+0x1f3/0x2e0 [ 56.236068][ T5070] ? sget+0x640/0x640 [ 56.240044][ T5070] ? apparmor_capable+0x126/0x1e0 [ 56.245063][ T5070] ? ntfs_rl_punch_nolock+0x15d0/0x15d0 [ 56.250603][ T5070] legacy_get_tree+0x109/0x220 [ 56.255372][ T5070] vfs_get_tree+0x8c/0x370 [ 56.259789][ T5070] path_mount+0x1492/0x1ed0 [ 56.264289][ T5070] ? kmem_cache_free+0xf8/0x350 [ 56.269137][ T5070] ? finish_automount+0xa40/0xa40 [ 56.274159][ T5070] ? putname+0x12e/0x170 [ 56.278399][ T5070] __x64_sys_mount+0x293/0x310 [ 56.283161][ T5070] ? copy_mnt_ns+0xb60/0xb60 [ 56.287746][ T5070] ? syscall_trace_enter.constprop.0+0xaf/0x1e0 [ 56.293983][ T5070] do_syscall_64+0x40/0x110 [ 56.298511][ T5070] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 56.304408][ T5070] RIP: 0033:0x7f3fcba44daa [ 56.308811][ T5070] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 56.328410][ T5070] RSP: 002b:00007fffa61e1ed8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 56.336819][ T5070] RAX: ffffffffffffffda RBX: 00007fffa61e1ef0 RCX: 00007f3fcba44daa [ 56.344784][ T5070] RDX: 00000000200000c0 RSI: 00000000200001c0 RDI: 00007fffa61e1ef0 [ 56.352746][ T5070] RBP: 0000000000000004 R08: 00007fffa61e1f30 R09: 000000000001f63d [ 56.360710][ T5070] R10: 0000000000000004 R11: 0000000000000286 R12: 0000000000000004 [ 56.368696][ T5070] R13: 00007fffa61e1f30 R14: 0000000000000003 R15: 0000000000200000 [ 56.376685][ T5070] [ 56.379698][ T5070] [ 56.382011][ T5070] The buggy address belongs to the physical page: [ 56.388408][ T5070] page:ffffea0001eadbc0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x7ab6f [ 56.398552][ T5070] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 56.405648][ T5070] page_type: 0xffffffff() [ 56.409973][ T5070] raw: 00fff00000000000 ffffea0001eb2308 ffff8880b9842630 0000000000000000 [ 56.418550][ T5070] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 56.427119][ T5070] page dumped because: kasan: bad access detected [ 56.433517][ T5070] page_owner tracks the page as freed [ 56.438866][ T5070] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5070, tgid 5070 (syz-executor391), ts 56005150053, free_ts 56059945272 [ 56.457783][ T5070] post_alloc_hook+0x2d0/0x350 [ 56.462546][ T5070] get_page_from_freelist+0xa25/0x36d0 [ 56.468001][ T5070] __alloc_pages+0x22e/0x2420 [ 56.472669][ T5070] alloc_pages_mpol+0x258/0x5f0 [ 56.477513][ T5070] vma_alloc_folio+0xad/0x220 [ 56.482186][ T5070] __handle_mm_fault+0xe07/0x3d70 [ 56.487209][ T5070] handle_mm_fault+0x47a/0xa10 [ 56.491976][ T5070] do_user_addr_fault+0x30b/0x1000 [ 56.497083][ T5070] exc_page_fault+0x5d/0xc0 [ 56.501619][ T5070] asm_exc_page_fault+0x26/0x30 [ 56.506472][ T5070] page last free stack trace: [ 56.511129][ T5070] free_unref_page_prepare+0x4fa/0xaa0 [ 56.516584][ T5070] free_unref_page_list+0xe6/0xb40 [ 56.521695][ T5070] release_pages+0x32a/0x14f0 [ 56.526370][ T5070] folio_batch_move_lru+0x2f7/0x470 [ 56.531562][ T5070] lru_add_drain_cpu+0x535/0x860 [ 56.536490][ T5070] lru_add_drain+0x10a/0x440 [ 56.541072][ T5070] __folio_batch_release+0x89/0xe0 [ 56.546174][ T5070] truncate_inode_pages_range+0x33e/0xf00 [ 56.551883][ T5070] set_blocksize+0x2af/0x360 [ 56.556472][ T5070] sb_set_blocksize+0x47/0x120 [ 56.561234][ T5070] ntfs_fill_super+0x134d/0x9100 [ 56.566172][ T5070] mount_bdev+0x1f3/0x2e0 [ 56.570498][ T5070] legacy_get_tree+0x109/0x220 [ 56.575265][ T5070] vfs_get_tree+0x8c/0x370 [ 56.579679][ T5070] path_mount+0x1492/0x1ed0 [ 56.584180][ T5070] __x64_sys_mount+0x293/0x310 [ 56.588938][ T5070] [ 56.591253][ T5070] Memory state around the buggy address: [ 56.596869][ T5070] ffff88807ab6ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 56.604922][ T5070] ffff88807ab6ef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 56.612968][ T5070] >ffff88807ab6f000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 56.621016][ T5070] ^ [ 56.627179][ T5070] ffff88807ab6f080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 56.635239][ T5070] ffff88807ab6f100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 56.643295][ T5070] ================================================================== [ 56.651922][ T5070] ================================================================== [ 56.659995][ T5070] BUG: KASAN: use-after-free in ntfs_attr_find+0xac5/0xbe0 [ 56.667227][ T5070] Read of size 1 at addr ffff88807ab6f041 by task syz-executor391/5070 [ 56.675458][ T5070] [ 56.677790][ T5070] CPU: 0 PID: 5070 Comm: syz-executor391 Tainted: G B 6.7.0-rc3-syzkaller-00033-g3b47bc037bd4 #0 [ 56.689692][ T5070] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 [ 56.699732][ T5070] Call Trace: [ 56.702997][ T5070] [ 56.705916][ T5070] dump_stack_lvl+0xd9/0x1b0 [ 56.710533][ T5070] print_report+0xc4/0x620 [ 56.714960][ T5070] ? __virt_addr_valid+0x5e/0x2d0 [ 56.720000][ T5070] ? __phys_addr+0xc6/0x140 [ 56.724494][ T5070] kasan_report+0xda/0x110 [ 56.728928][ T5070] ? ntfs_attr_find+0xac5/0xbe0 [ 56.733778][ T5070] ? ntfs_attr_find+0xac5/0xbe0 [ 56.738623][ T5070] ntfs_attr_find+0xac5/0xbe0 [ 56.743290][ T5070] ntfs_attr_lookup+0x10e0/0x2100 [ 56.748310][ T5070] ? ntfs_attr_reinit_search_ctx+0x3c0/0x3c0 [ 56.754307][ T5070] ? trace_kmem_cache_alloc+0x26/0xa0 [ 56.759667][ T5070] ? kmem_cache_alloc+0x1af/0x2f0 [ 56.764691][ T5070] ntfs_read_locked_inode+0x9bf/0x5860 [ 56.770145][ T5070] ntfs_read_inode_mount+0xef9/0x2730 [ 56.775519][ T5070] ntfs_fill_super+0x185c/0x9100 [ 56.780455][ T5070] ? up_write+0x510/0x510 [ 56.784777][ T5070] ? rcu_is_watching+0x12/0xb0 [ 56.789538][ T5070] ? parse_options+0x1db0/0x1db0 [ 56.794468][ T5070] ? lock_sync+0x190/0x190 [ 56.798882][ T5070] ? spin_bug+0x1d0/0x1d0 [ 56.803200][ T5070] ? set_blocksize+0x2bd/0x360 [ 56.807961][ T5070] ? preempt_count_sub+0x160/0x160 [ 56.813062][ T5070] ? sb_set_blocksize+0xf6/0x120 [ 56.817997][ T5070] ? parse_options+0x1db0/0x1db0 [ 56.822948][ T5070] mount_bdev+0x1f3/0x2e0 [ 56.827275][ T5070] ? sget+0x640/0x640 [ 56.831255][ T5070] ? apparmor_capable+0x126/0x1e0 [ 56.836362][ T5070] ? ntfs_rl_punch_nolock+0x15d0/0x15d0 [ 56.841906][ T5070] legacy_get_tree+0x109/0x220 [ 56.846670][ T5070] vfs_get_tree+0x8c/0x370 [ 56.851084][ T5070] path_mount+0x1492/0x1ed0 [ 56.855580][ T5070] ? kmem_cache_free+0xf8/0x350 [ 56.860427][ T5070] ? finish_automount+0xa40/0xa40 [ 56.865448][ T5070] ? putname+0x12e/0x170 [ 56.869681][ T5070] __x64_sys_mount+0x293/0x310 [ 56.874438][ T5070] ? copy_mnt_ns+0xb60/0xb60 [ 56.879026][ T5070] ? syscall_trace_enter.constprop.0+0xaf/0x1e0 [ 56.885265][ T5070] do_syscall_64+0x40/0x110 [ 56.889853][ T5070] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 56.895743][ T5070] RIP: 0033:0x7f3fcba44daa [ 56.900150][ T5070] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 56.919750][ T5070] RSP: 002b:00007fffa61e1ed8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 56.928152][ T5070] RAX: ffffffffffffffda RBX: 00007fffa61e1ef0 RCX: 00007f3fcba44daa [ 56.936115][ T5070] RDX: 00000000200000c0 RSI: 00000000200001c0 RDI: 00007fffa61e1ef0 [ 56.944075][ T5070] RBP: 0000000000000004 R08: 00007fffa61e1f30 R09: 000000000001f63d [ 56.952057][ T5070] R10: 0000000000000004 R11: 0000000000000286 R12: 0000000000000004 [ 56.960041][ T5070] R13: 00007fffa61e1f30 R14: 0000000000000003 R15: 0000000000200000 [ 56.968020][ T5070] [ 56.971031][ T5070] [ 56.973346][ T5070] The buggy address belongs to the physical page: [ 56.979754][ T5070] page:ffffea0001eadbc0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x7ab6f [ 56.989909][ T5070] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 56.997017][ T5070] page_type: 0xffffffff() [ 57.001342][ T5070] raw: 00fff00000000000 ffffea0001eb2308 ffff8880b9842630 0000000000000000 [ 57.010118][ T5070] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 57.018703][ T5070] page dumped because: kasan: bad access detected [ 57.025107][ T5070] page_owner tracks the page as freed [ 57.030459][ T5070] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5070, tgid 5070 (syz-executor391), ts 56005150053, free_ts 56059945272 [ 57.049381][ T5070] post_alloc_hook+0x2d0/0x350 [ 57.054149][ T5070] get_page_from_freelist+0xa25/0x36d0 [ 57.059612][ T5070] __alloc_pages+0x22e/0x2420 [ 57.064289][ T5070] alloc_pages_mpol+0x258/0x5f0 [ 57.069134][ T5070] vma_alloc_folio+0xad/0x220 [ 57.073800][ T5070] __handle_mm_fault+0xe07/0x3d70 [ 57.078822][ T5070] handle_mm_fault+0x47a/0xa10 [ 57.083583][ T5070] do_user_addr_fault+0x30b/0x1000 [ 57.088685][ T5070] exc_page_fault+0x5d/0xc0 [ 57.093188][ T5070] asm_exc_page_fault+0x26/0x30 [ 57.098032][ T5070] page last free stack trace: [ 57.102707][ T5070] free_unref_page_prepare+0x4fa/0xaa0 [ 57.108165][ T5070] free_unref_page_list+0xe6/0xb40 [ 57.113272][ T5070] release_pages+0x32a/0x14f0 [ 57.117939][ T5070] folio_batch_move_lru+0x2f7/0x470 [ 57.123130][ T5070] lru_add_drain_cpu+0x535/0x860 [ 57.128061][ T5070] lru_add_drain+0x10a/0x440 [ 57.132642][ T5070] __folio_batch_release+0x89/0xe0 [ 57.137744][ T5070] truncate_inode_pages_range+0x33e/0xf00 [ 57.143458][ T5070] set_blocksize+0x2af/0x360 [ 57.148044][ T5070] sb_set_blocksize+0x47/0x120 [ 57.152803][ T5070] ntfs_fill_super+0x134d/0x9100 [ 57.157729][ T5070] mount_bdev+0x1f3/0x2e0 [ 57.162052][ T5070] legacy_get_tree+0x109/0x220 [ 57.166813][ T5070] vfs_get_tree+0x8c/0x370 [ 57.171222][ T5070] path_mount+0x1492/0x1ed0 [ 57.175726][ T5070] __x64_sys_mount+0x293/0x310 [ 57.180484][ T5070] [ 57.182796][ T5070] Memory state around the buggy address: [ 57.188408][ T5070] ffff88807ab6ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 57.196456][ T5070] ffff88807ab6ef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 57.204513][ T5070] >ffff88807ab6f000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 57.212564][ T5070] ^ [ 57.218699][ T5070] ffff88807ab6f080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 57.226749][ T5070] ffff88807ab6f100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 57.234796][ T5070] ================================================================== [ 57.243510][ T5070] ================================================================== [ 57.251578][ T5070] BUG: KASAN: use-after-free in ntfs_attr_find+0xab6/0xbe0 [ 57.258783][ T5070] Read of size 4 at addr ffff88807ab6f038 by task syz-executor391/5070 [ 57.267021][ T5070] [ 57.269367][ T5070] CPU: 0 PID: 5070 Comm: syz-executor391 Tainted: G B 6.7.0-rc3-syzkaller-00033-g3b47bc037bd4 #0 [ 57.281264][ T5070] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 [ 57.291305][ T5070] Call Trace: [ 57.294570][ T5070] [ 57.297487][ T5070] dump_stack_lvl+0xd9/0x1b0 [ 57.302073][ T5070] print_report+0xc4/0x620 [ 57.306482][ T5070] ? __virt_addr_valid+0x5e/0x2d0 [ 57.311496][ T5070] ? __phys_addr+0xc6/0x140 [ 57.315991][ T5070] kasan_report+0xda/0x110 [ 57.320413][ T5070] ? ntfs_attr_find+0xab6/0xbe0 [ 57.325255][ T5070] ? ntfs_attr_find+0xab6/0xbe0 [ 57.330112][ T5070] ntfs_attr_find+0xab6/0xbe0 [ 57.334779][ T5070] ntfs_attr_lookup+0x10e0/0x2100 [ 57.339800][ T5070] ? ntfs_attr_reinit_search_ctx+0x3c0/0x3c0 [ 57.345778][ T5070] ? trace_kmem_cache_alloc+0x26/0xa0 [ 57.351145][ T5070] ? kmem_cache_alloc+0x1af/0x2f0 [ 57.356165][ T5070] ntfs_read_locked_inode+0x9bf/0x5860 [ 57.361644][ T5070] ntfs_read_inode_mount+0xef9/0x2730 [ 57.367014][ T5070] ntfs_fill_super+0x185c/0x9100 [ 57.371949][ T5070] ? up_write+0x510/0x510 [ 57.376273][ T5070] ? rcu_is_watching+0x12/0xb0 [ 57.381030][ T5070] ? parse_options+0x1db0/0x1db0 [ 57.385960][ T5070] ? lock_sync+0x190/0x190 [ 57.390373][ T5070] ? spin_bug+0x1d0/0x1d0 [ 57.394704][ T5070] ? set_blocksize+0x2bd/0x360 [ 57.399468][ T5070] ? preempt_count_sub+0x160/0x160 [ 57.404572][ T5070] ? sb_set_blocksize+0xf6/0x120 [ 57.409511][ T5070] ? parse_options+0x1db0/0x1db0 [ 57.414440][ T5070] mount_bdev+0x1f3/0x2e0 [ 57.418767][ T5070] ? sget+0x640/0x640 [ 57.422744][ T5070] ? apparmor_capable+0x126/0x1e0 [ 57.427765][ T5070] ? ntfs_rl_punch_nolock+0x15d0/0x15d0 [ 57.433301][ T5070] legacy_get_tree+0x109/0x220 [ 57.438081][ T5070] vfs_get_tree+0x8c/0x370 [ 57.442492][ T5070] path_mount+0x1492/0x1ed0 [ 57.446991][ T5070] ? kmem_cache_free+0xf8/0x350 [ 57.451836][ T5070] ? finish_automount+0xa40/0xa40 [ 57.456855][ T5070] ? putname+0x12e/0x170 [ 57.461090][ T5070] __x64_sys_mount+0x293/0x310 [ 57.465850][ T5070] ? copy_mnt_ns+0xb60/0xb60 [ 57.470434][ T5070] ? syscall_trace_enter.constprop.0+0xaf/0x1e0 [ 57.476671][ T5070] do_syscall_64+0x40/0x110 [ 57.481170][ T5070] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 57.487066][ T5070] RIP: 0033:0x7f3fcba44daa [ 57.491480][ T5070] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 57.511078][ T5070] RSP: 002b:00007fffa61e1ed8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 57.519480][ T5070] RAX: ffffffffffffffda RBX: 00007fffa61e1ef0 RCX: 00007f3fcba44daa [ 57.527445][ T5070] RDX: 00000000200000c0 RSI: 00000000200001c0 RDI: 00007fffa61e1ef0 [ 57.535431][ T5070] RBP: 0000000000000004 R08: 00007fffa61e1f30 R09: 000000000001f63d [ 57.543391][ T5070] R10: 0000000000000004 R11: 0000000000000286 R12: 0000000000000004 [ 57.551354][ T5070] R13: 00007fffa61e1f30 R14: 0000000000000003 R15: 0000000000200000 [ 57.559412][ T5070] [ 57.562422][ T5070] [ 57.564734][ T5070] The buggy address belongs to the physical page: [ 57.571128][ T5070] page:ffffea0001eadbc0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x7ab6f [ 57.581267][ T5070] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 57.588367][ T5070] page_type: 0xffffffff() [ 57.592685][ T5070] raw: 00fff00000000000 ffffea0001eb2308 ffff8880b9842630 0000000000000000 [ 57.601344][ T5070] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 57.609919][ T5070] page dumped because: kasan: bad access detected [ 57.616314][ T5070] page_owner tracks the page as freed [ 57.621664][ T5070] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5070, tgid 5070 (syz-executor391), ts 56005150053, free_ts 56059945272 [ 57.640580][ T5070] post_alloc_hook+0x2d0/0x350 [ 57.645346][ T5070] get_page_from_freelist+0xa25/0x36d0 [ 57.650801][ T5070] __alloc_pages+0x22e/0x2420 [ 57.655472][ T5070] alloc_pages_mpol+0x258/0x5f0 [ 57.660321][ T5070] vma_alloc_folio+0xad/0x220 [ 57.664990][ T5070] __handle_mm_fault+0xe07/0x3d70 [ 57.670012][ T5070] handle_mm_fault+0x47a/0xa10 [ 57.674773][ T5070] do_user_addr_fault+0x30b/0x1000 [ 57.679878][ T5070] exc_page_fault+0x5d/0xc0 [ 57.684379][ T5070] asm_exc_page_fault+0x26/0x30 [ 57.689227][ T5070] page last free stack trace: [ 57.693883][ T5070] free_unref_page_prepare+0x4fa/0xaa0 [ 57.699334][ T5070] free_unref_page_list+0xe6/0xb40 [ 57.704437][ T5070] release_pages+0x32a/0x14f0 [ 57.709103][ T5070] folio_batch_move_lru+0x2f7/0x470 [ 57.714293][ T5070] lru_add_drain_cpu+0x535/0x860 [ 57.719219][ T5070] lru_add_drain+0x10a/0x440 [ 57.723800][ T5070] __folio_batch_release+0x89/0xe0 [ 57.728903][ T5070] truncate_inode_pages_range+0x33e/0xf00 [ 57.734614][ T5070] set_blocksize+0x2af/0x360 [ 57.739205][ T5070] sb_set_blocksize+0x47/0x120 [ 57.743969][ T5070] ntfs_fill_super+0x134d/0x9100 [ 57.748900][ T5070] mount_bdev+0x1f3/0x2e0 [ 57.753225][ T5070] legacy_get_tree+0x109/0x220 [ 57.757990][ T5070] vfs_get_tree+0x8c/0x370 [ 57.762400][ T5070] path_mount+0x1492/0x1ed0 [ 57.766896][ T5070] __x64_sys_mount+0x293/0x310 [ 57.771653][ T5070] [ 57.773962][ T5070] Memory state around the buggy address: [ 57.779581][ T5070] ffff88807ab6ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 57.787665][ T5070] ffff88807ab6ef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 57.795715][ T5070] >ffff88807ab6f000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 57.803762][ T5070] ^ [ 57.809637][ T5070] ffff88807ab6f080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 57.817684][ T5070] ffff88807ab6f100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 57.825731][ T5070] ================================================================== [ 57.833901][ T5070] ================================================================== [ 57.841981][ T5070] BUG: KASAN: use-after-free in ntfs_attr_find+0xaa4/0xbe0 [ 57.849177][ T5070] Read of size 2 at addr ffff88807ab6f042 by task syz-executor391/5070 [ 57.857400][ T5070] [ 57.859711][ T5070] CPU: 1 PID: 5070 Comm: syz-executor391 Tainted: G B 6.7.0-rc3-syzkaller-00033-g3b47bc037bd4 #0 [ 57.871591][ T5070] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 [ 57.881637][ T5070] Call Trace: [ 57.884912][ T5070] [ 57.887833][ T5070] dump_stack_lvl+0xd9/0x1b0 [ 57.892419][ T5070] print_report+0xc4/0x620 [ 57.896833][ T5070] ? __virt_addr_valid+0x5e/0x2d0 [ 57.901851][ T5070] ? __phys_addr+0xc6/0x140 [ 57.906350][ T5070] kasan_report+0xda/0x110 [ 57.910767][ T5070] ? ntfs_attr_find+0xaa4/0xbe0 [ 57.915620][ T5070] ? ntfs_attr_find+0xaa4/0xbe0 [ 57.920473][ T5070] ntfs_attr_find+0xaa4/0xbe0 [ 57.925150][ T5070] ntfs_attr_lookup+0x10e0/0x2100 [ 57.930177][ T5070] ? ntfs_attr_reinit_search_ctx+0x3c0/0x3c0 [ 57.936242][ T5070] ? trace_kmem_cache_alloc+0x26/0xa0 [ 57.941609][ T5070] ? kmem_cache_alloc+0x1af/0x2f0 [ 57.946634][ T5070] ntfs_read_locked_inode+0xaf6/0x5860 [ 57.952088][ T5070] ntfs_read_inode_mount+0xef9/0x2730 [ 57.957456][ T5070] ntfs_fill_super+0x185c/0x9100 [ 57.962391][ T5070] ? up_write+0x510/0x510 [ 57.966715][ T5070] ? rcu_is_watching+0x12/0xb0 [ 57.971473][ T5070] ? parse_options+0x1db0/0x1db0 [ 57.976403][ T5070] ? lock_sync+0x190/0x190 [ 57.980816][ T5070] ? spin_bug+0x1d0/0x1d0 [ 57.985134][ T5070] ? set_blocksize+0x2bd/0x360 [ 57.989898][ T5070] ? preempt_count_sub+0x160/0x160 [ 57.995004][ T5070] ? sb_set_blocksize+0xf6/0x120 [ 57.999938][ T5070] ? parse_options+0x1db0/0x1db0 [ 58.004869][ T5070] mount_bdev+0x1f3/0x2e0 [ 58.009202][ T5070] ? sget+0x640/0x640 [ 58.013181][ T5070] ? apparmor_capable+0x126/0x1e0 [ 58.018204][ T5070] ? ntfs_rl_punch_nolock+0x15d0/0x15d0 [ 58.023740][ T5070] legacy_get_tree+0x109/0x220 [ 58.028509][ T5070] vfs_get_tree+0x8c/0x370 [ 58.032922][ T5070] path_mount+0x1492/0x1ed0 [ 58.037458][ T5070] ? kmem_cache_free+0xf8/0x350 [ 58.042307][ T5070] ? finish_automount+0xa40/0xa40 [ 58.047335][ T5070] ? putname+0x12e/0x170 [ 58.051570][ T5070] __x64_sys_mount+0x293/0x310 [ 58.056330][ T5070] ? copy_mnt_ns+0xb60/0xb60 [ 58.060911][ T5070] ? syscall_trace_enter.constprop.0+0xaf/0x1e0 [ 58.067147][ T5070] do_syscall_64+0x40/0x110 [ 58.071648][ T5070] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 58.077539][ T5070] RIP: 0033:0x7f3fcba44daa [ 58.081947][ T5070] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 58.101593][ T5070] RSP: 002b:00007fffa61e1ed8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 58.109998][ T5070] RAX: ffffffffffffffda RBX: 00007fffa61e1ef0 RCX: 00007f3fcba44daa [ 58.117956][ T5070] RDX: 00000000200000c0 RSI: 00000000200001c0 RDI: 00007fffa61e1ef0 [ 58.125917][ T5070] RBP: 0000000000000004 R08: 00007fffa61e1f30 R09: 000000000001f63d [ 58.133878][ T5070] R10: 0000000000000004 R11: 0000000000000286 R12: 0000000000000004 [ 58.141837][ T5070] R13: 00007fffa61e1f30 R14: 0000000000000003 R15: 0000000000200000 [ 58.149804][ T5070] [ 58.152810][ T5070] [ 58.155119][ T5070] The buggy address belongs to the physical page: [ 58.161510][ T5070] page:ffffea0001eadbc0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x7ab6f [ 58.171647][ T5070] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 58.178745][ T5070] page_type: 0xffffffff() [ 58.183068][ T5070] raw: 00fff00000000000 ffffea0001eb2308 ffff8880b9842630 0000000000000000 [ 58.191641][ T5070] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 58.200211][ T5070] page dumped because: kasan: bad access detected [ 58.206609][ T5070] page_owner tracks the page as freed [ 58.211962][ T5070] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5070, tgid 5070 (syz-executor391), ts 56005150053, free_ts 56059945272 [ 58.230883][ T5070] post_alloc_hook+0x2d0/0x350 [ 58.235649][ T5070] get_page_from_freelist+0xa25/0x36d0 [ 58.241104][ T5070] __alloc_pages+0x22e/0x2420 [ 58.245779][ T5070] alloc_pages_mpol+0x258/0x5f0 [ 58.250622][ T5070] vma_alloc_folio+0xad/0x220 [ 58.255290][ T5070] __handle_mm_fault+0xe07/0x3d70 [ 58.260312][ T5070] handle_mm_fault+0x47a/0xa10 [ 58.265073][ T5070] do_user_addr_fault+0x30b/0x1000 [ 58.270175][ T5070] exc_page_fault+0x5d/0xc0 [ 58.274672][ T5070] asm_exc_page_fault+0x26/0x30 [ 58.279522][ T5070] page last free stack trace: [ 58.284179][ T5070] free_unref_page_prepare+0x4fa/0xaa0 [ 58.289632][ T5070] free_unref_page_list+0xe6/0xb40 [ 58.294738][ T5070] release_pages+0x32a/0x14f0 [ 58.299407][ T5070] folio_batch_move_lru+0x2f7/0x470 [ 58.304592][ T5070] lru_add_drain_cpu+0x535/0x860 [ 58.309557][ T5070] lru_add_drain+0x10a/0x440 [ 58.314139][ T5070] __folio_batch_release+0x89/0xe0 [ 58.319238][ T5070] truncate_inode_pages_range+0x33e/0xf00 [ 58.324948][ T5070] set_blocksize+0x2af/0x360 [ 58.329536][ T5070] sb_set_blocksize+0x47/0x120 [ 58.334297][ T5070] ntfs_fill_super+0x134d/0x9100 [ 58.339224][ T5070] mount_bdev+0x1f3/0x2e0 [ 58.343549][ T5070] legacy_get_tree+0x109/0x220 [ 58.348305][ T5070] vfs_get_tree+0x8c/0x370 [ 58.352709][ T5070] path_mount+0x1492/0x1ed0 [ 58.357211][ T5070] __x64_sys_mount+0x293/0x310 [ 58.361972][ T5070] [ 58.364286][ T5070] Memory state around the buggy address: [ 58.369900][ T5070] ffff88807ab6ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 58.377954][ T5070] ffff88807ab6ef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 58.386030][ T5070] >ffff88807ab6f000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 58.394072][ T5070] ^ [ 58.400206][ T5070] ffff88807ab6f080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 58.408252][ T5070] ffff88807ab6f100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 58.416302][ T5070] ================================================================== [ 58.425121][ T5070] ================================================================== [ 58.433201][ T5070] BUG: KASAN: out-of-bounds in ntfs_attr_find+0xac5/0xbe0 [ 58.440345][ T5070] Read of size 1 at addr ffff88807ab6f041 by task syz-executor391/5070 [ 58.448586][ T5070] [ 58.450890][ T5070] CPU: 1 PID: 5070 Comm: syz-executor391 Tainted: G B 6.7.0-rc3-syzkaller-00033-g3b47bc037bd4 #0 [ 58.462754][ T5070] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 [ 58.472792][ T5070] Call Trace: [ 58.476080][ T5070] [ 58.478994][ T5070] dump_stack_lvl+0xd9/0x1b0 [ 58.483580][ T5070] print_report+0xc4/0x620 [ 58.488010][ T5070] ? __virt_addr_valid+0x5e/0x2d0 [ 58.493019][ T5070] ? __phys_addr+0xc6/0x140 [ 58.497509][ T5070] kasan_report+0xda/0x110 [ 58.501913][ T5070] ? ntfs_attr_find+0xac5/0xbe0 [ 58.506754][ T5070] ? ntfs_attr_find+0xac5/0xbe0 [ 58.511592][ T5070] ntfs_attr_find+0xac5/0xbe0 [ 58.516257][ T5070] ntfs_attr_lookup+0x10e0/0x2100 [ 58.521268][ T5070] ? ntfs_attr_reinit_search_ctx+0x3c0/0x3c0 [ 58.527235][ T5070] ? trace_kmem_cache_alloc+0x26/0xa0 [ 58.532598][ T5070] ? kmem_cache_alloc+0x1af/0x2f0 [ 58.537609][ T5070] ntfs_read_locked_inode+0xaf6/0x5860 [ 58.543072][ T5070] ntfs_read_inode_mount+0xef9/0x2730 [ 58.548518][ T5070] ntfs_fill_super+0x185c/0x9100 [ 58.553466][ T5070] ? up_write+0x510/0x510 [ 58.557777][ T5070] ? rcu_is_watching+0x12/0xb0 [ 58.562531][ T5070] ? parse_options+0x1db0/0x1db0 [ 58.567465][ T5070] ? lock_sync+0x190/0x190 [ 58.571861][ T5070] ? spin_bug+0x1d0/0x1d0 [ 58.576176][ T5070] ? set_blocksize+0x2bd/0x360 [ 58.580942][ T5070] ? preempt_count_sub+0x160/0x160 [ 58.586055][ T5070] ? sb_set_blocksize+0xf6/0x120 [ 58.590977][ T5070] ? parse_options+0x1db0/0x1db0 [ 58.595894][ T5070] mount_bdev+0x1f3/0x2e0 [ 58.600206][ T5070] ? sget+0x640/0x640 [ 58.604165][ T5070] ? apparmor_capable+0x126/0x1e0 [ 58.609169][ T5070] ? ntfs_rl_punch_nolock+0x15d0/0x15d0 [ 58.614692][ T5070] legacy_get_tree+0x109/0x220 [ 58.619443][ T5070] vfs_get_tree+0x8c/0x370 [ 58.623841][ T5070] path_mount+0x1492/0x1ed0 [ 58.628330][ T5070] ? kmem_cache_free+0xf8/0x350 [ 58.633162][ T5070] ? finish_automount+0xa40/0xa40 [ 58.638169][ T5070] ? putname+0x12e/0x170 [ 58.642387][ T5070] __x64_sys_mount+0x293/0x310 [ 58.647129][ T5070] ? copy_mnt_ns+0xb60/0xb60 [ 58.651699][ T5070] ? syscall_trace_enter.constprop.0+0xaf/0x1e0 [ 58.657919][ T5070] do_syscall_64+0x40/0x110 [ 58.662435][ T5070] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 58.668315][ T5070] RIP: 0033:0x7f3fcba44daa [ 58.672709][ T5070] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 58.692296][ T5070] RSP: 002b:00007fffa61e1ed8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 58.700687][ T5070] RAX: ffffffffffffffda RBX: 00007fffa61e1ef0 RCX: 00007f3fcba44daa [ 58.708636][ T5070] RDX: 00000000200000c0 RSI: 00000000200001c0 RDI: 00007fffa61e1ef0 [ 58.716583][ T5070] RBP: 0000000000000004 R08: 00007fffa61e1f30 R09: 000000000001f63d [ 58.724534][ T5070] R10: 0000000000000004 R11: 0000000000000286 R12: 0000000000000004 [ 58.732509][ T5070] R13: 00007fffa61e1f30 R14: 0000000000000003 R15: 0000000000200000 [ 58.740554][ T5070] [ 58.743556][ T5070] [ 58.745859][ T5070] The buggy address belongs to the physical page: [ 58.752241][ T5070] page:ffffea0001eadbc0 refcount:2 mapcount:0 mapping:ffff88802592c548 index:0x10 pfn:0x7ab6f [ 58.762453][ T5070] memcg:ffff88814124a000 [ 58.766665][ T5070] aops:shmem_aops ino:3 dentry name:"messages" [ 58.772803][ T5070] flags: 0xfff1800008021c(referenced|uptodate|dirty|workingset|swapbacked|node=0|zone=1|lastcpupid=0x7ff) [ 58.784059][ T5070] page_type: 0xffffffff() [ 58.788362][ T5070] raw: 00fff1800008021c 0000000000000000 dead000000000122 ffff88802592c548 [ 58.796922][ T5070] raw: 0000000000000010 0000000000000000 00000002ffffffff ffff88814124a000 [ 58.805479][ T5070] page dumped because: kasan: bad access detected [ 58.811867][ T5070] page_owner tracks the page as allocated [ 58.817558][ T5070] page last allocated via order 0, migratetype Movable, gfp_mask 0x100cca(GFP_HIGHUSER_MOVABLE), pid 4503, tgid 4503 (syslogd), ts 58426273715, free_ts 56059945272 [ 58.833853][ T5070] post_alloc_hook+0x2d0/0x350 [ 58.838605][ T5070] get_page_from_freelist+0xa25/0x36d0 [ 58.844046][ T5070] __alloc_pages+0x22e/0x2420 [ 58.848711][ T5070] alloc_pages_mpol+0x258/0x5f0 [ 58.853540][ T5070] shmem_alloc_folio+0x10d/0x140 [ 58.858462][ T5070] shmem_alloc_and_add_folio+0x147/0x7b0 [ 58.864076][ T5070] shmem_get_folio_gfp+0x623/0x1360 [ 58.869257][ T5070] shmem_write_begin+0x15a/0x360 [ 58.874173][ T5070] generic_perform_write+0x278/0x600 [ 58.879446][ T5070] shmem_file_write_iter+0x110/0x140 [ 58.884708][ T5070] vfs_write+0x64f/0xdf0 [ 58.888926][ T5070] ksys_write+0x12f/0x250 [ 58.893249][ T5070] do_syscall_64+0x40/0x110 [ 58.897733][ T5070] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 58.903615][ T5070] page last free stack trace: [ 58.908264][ T5070] free_unref_page_prepare+0x4fa/0xaa0 [ 58.913703][ T5070] free_unref_page_list+0xe6/0xb40 [ 58.918796][ T5070] release_pages+0x32a/0x14f0 [ 58.923466][ T5070] folio_batch_move_lru+0x2f7/0x470 [ 58.928650][ T5070] lru_add_drain_cpu+0x535/0x860 [ 58.933562][ T5070] lru_add_drain+0x10a/0x440 [ 58.938134][ T5070] __folio_batch_release+0x89/0xe0 [ 58.943310][ T5070] truncate_inode_pages_range+0x33e/0xf00 [ 58.949009][ T5070] set_blocksize+0x2af/0x360 [ 58.953599][ T5070] sb_set_blocksize+0x47/0x120 [ 58.958361][ T5070] ntfs_fill_super+0x134d/0x9100 [ 58.963280][ T5070] mount_bdev+0x1f3/0x2e0 [ 58.967589][ T5070] legacy_get_tree+0x109/0x220 [ 58.972334][ T5070] vfs_get_tree+0x8c/0x370 [ 58.976730][ T5070] path_mount+0x1492/0x1ed0 [ 58.981219][ T5070] __x64_sys_mount+0x293/0x310 [ 58.985983][ T5070] [ 58.988307][ T5070] Memory state around the buggy address: [pid 5070] mount("/dev/loop0", "./file0", "ntfs", MS_NODEV, "") = -1 EINVAL (Invalid argument) [ 58.993934][ T5070] ffff88807ab6ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 59.001996][ T5070] ffff88807ab6ef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 59.010056][ T5070] >ffff88807ab6f000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 59.018134][ T5070] ^ [ 59.024528][ T5070] ffff88807ab6f080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 59.032579][ T5070] ffff88807ab6f100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 59.040653][ T5070] ================================================================== [pid 5070] ioctl(4, LOOP_CLR_FD) = 0 [pid 5070] close(4) = 0 [pid 5070] exit_group(0) = ? [pid 5070] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5070, si_uid=0, si_status=0, si_utime=0, si_stime=6 /* 0.06 s */} --- openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5072 attached , child_tidptr=0x555557499650) = 5072 [pid 5072] set_robust_list(0x555557499660, 24) = 0 [pid 5072] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5072] setpgid(0, 0) = 0 [pid 5072] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5072] write(3, "1000", 4) = 4 [pid 5072] close(3) = 0 [pid 5072] memfd_create("syzkaller", 0) = 3 [pid 5072] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3fc3605000 [pid 5072] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5072] munmap(0x7f3fc3605000, 138412032) = 0 [pid 5072] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5072] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5072] close(3) = 0 [pid 5072] mkdir("./file0", 0777) = -1 EEXIST (File exists) [pid 5072] mount("/dev/loop0", "./file0", "ntfs", MS_NODEV, "") = -1 EINVAL (Invalid argument) [ 59.176658][ T5072] loop0: detected capacity change from 0 to 4096 [pid 5072] ioctl(4, LOOP_CLR_FD) = 0 [pid 5072] close(4) = 0 [pid 5072] exit_group(0) = ? [pid 5072] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5072, si_uid=0, si_status=0, si_utime=0, si_stime=4 /* 0.04 s */} --- openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555557499650) = 5073 ./strace-static-x86_64: Process 5073 attached [pid 5073] set_robust_list(0x555557499660, 24) = 0 [pid 5073] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5073] setpgid(0, 0) = 0 [pid 5073] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5073] write(3, "1000", 4) = 4 [pid 5073] close(3) = 0 [pid 5073] memfd_create("syzkaller", 0) = 3 [pid 5073] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3fc3605000 [pid 5073] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5073] munmap(0x7f3fc3605000, 138412032) = 0 [pid 5073] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5073] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5073] close(3) = 0 [pid 5073] mkdir("./file0", 0777) = -1 EEXIST (File exists) [ 59.337291][ T5073] loop0: detected capacity change from 0 to 4096 [ 59.356343][ T5073] ================================================================== [ 59.364408][ T5073] BUG: KASAN: use-after-free in ntfs_attr_find+0xaa4/0xbe0 [ 59.371605][ T5073] Read of size 2 at addr ffff88807d2aa042 by task syz-executor391/5073 [ 59.379830][ T5073] [ 59.382140][ T5073] CPU: 0 PID: 5073 Comm: syz-executor391 Tainted: G B 6.7.0-rc3-syzkaller-00033-g3b47bc037bd4 #0 [ 59.394012][ T5073] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 [ 59.404056][ T5073] Call Trace: [ 59.407331][ T5073] [ 59.410246][ T5073] dump_stack_lvl+0xd9/0x1b0 [ 59.414830][ T5073] print_report+0xc4/0x620 [ 59.419242][ T5073] ? __virt_addr_valid+0x5e/0x2d0 [ 59.424258][ T5073] ? __phys_addr+0xc6/0x140 [ 59.428861][ T5073] kasan_report+0xda/0x110 [ 59.433266][ T5073] ? ntfs_attr_find+0xaa4/0xbe0 [ 59.438110][ T5073] ? ntfs_attr_find+0xaa4/0xbe0 [ 59.442960][ T5073] ntfs_attr_find+0xaa4/0xbe0 [ 59.447631][ T5073] ntfs_attr_lookup+0x10e0/0x2100 [ 59.452653][ T5073] ? ntfs_attr_reinit_search_ctx+0x3c0/0x3c0 [ 59.458628][ T5073] ? trace_kmem_cache_alloc+0x26/0xa0 [ 59.464245][ T5073] ? kmem_cache_alloc+0x1af/0x2f0 [ 59.469266][ T5073] ntfs_read_locked_inode+0x9bf/0x5860 [ 59.474824][ T5073] ntfs_read_inode_mount+0xef9/0x2730 [ 59.480188][ T5073] ntfs_fill_super+0x185c/0x9100 [ 59.485120][ T5073] ? up_write+0x510/0x510 [ 59.489466][ T5073] ? rcu_is_watching+0x12/0xb0 [ 59.494215][ T5073] ? parse_options+0x1db0/0x1db0 [ 59.499140][ T5073] ? lock_sync+0x190/0x190 [ 59.503572][ T5073] ? spin_bug+0x1d0/0x1d0 [ 59.508318][ T5073] ? set_blocksize+0x2bd/0x360 [ 59.513069][ T5073] ? preempt_count_sub+0x160/0x160 [ 59.518182][ T5073] ? sb_set_blocksize+0xf6/0x120 [ 59.523117][ T5073] ? parse_options+0x1db0/0x1db0 [ 59.528209][ T5073] mount_bdev+0x1f3/0x2e0 [ 59.532529][ T5073] ? sget+0x640/0x640 [ 59.536499][ T5073] ? apparmor_capable+0x126/0x1e0 [ 59.541524][ T5073] ? ntfs_rl_punch_nolock+0x15d0/0x15d0 [ 59.547056][ T5073] legacy_get_tree+0x109/0x220 [ 59.551835][ T5073] vfs_get_tree+0x8c/0x370 [ 59.556241][ T5073] path_mount+0x1492/0x1ed0 [ 59.560740][ T5073] ? kmem_cache_free+0xf8/0x350 [ 59.565587][ T5073] ? finish_automount+0xa40/0xa40 [ 59.570617][ T5073] ? putname+0x12e/0x170 [ 59.574865][ T5073] __x64_sys_mount+0x293/0x310 [ 59.579649][ T5073] ? copy_mnt_ns+0xb60/0xb60 [ 59.584279][ T5073] ? syscall_trace_enter.constprop.0+0xaf/0x1e0 [ 59.590556][ T5073] do_syscall_64+0x40/0x110 [ 59.595079][ T5073] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 59.600990][ T5073] RIP: 0033:0x7f3fcba44daa [ 59.605428][ T5073] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 59.625054][ T5073] RSP: 002b:00007fffa61e1ed8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 59.633493][ T5073] RAX: ffffffffffffffda RBX: 00007fffa61e1ef0 RCX: 00007f3fcba44daa [ 59.641457][ T5073] RDX: 00000000200000c0 RSI: 00000000200001c0 RDI: 00007fffa61e1ef0 [ 59.649422][ T5073] RBP: 0000000000000004 R08: 00007fffa61e1f30 R09: 000000000001f63d [ 59.657387][ T5073] R10: 0000000000000004 R11: 0000000000000286 R12: 0000000000000004 [ 59.665350][ T5073] R13: 00007fffa61e1f30 R14: 0000000000000003 R15: 0000000000200000 [ 59.673313][ T5073] [ 59.676331][ T5073] [ 59.678667][ T5073] The buggy address belongs to the physical page: [ 59.685056][ T5073] page:ffffea0001f4aa80 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x7d2aa [ 59.695197][ T5073] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 59.702311][ T5073] page_type: 0xffffffff() [ 59.706645][ T5073] raw: 00fff00000000000 ffffea0001eb1a08 ffffea0001eb1288 0000000000000000 [ 59.715234][ T5073] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 59.723813][ T5073] page dumped because: kasan: bad access detected [ 59.730219][ T5073] page_owner tracks the page as freed [ 59.735580][ T5073] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5072, tgid 5072 (syz-executor391), ts 59152561300, free_ts 59175354439 [ 59.754588][ T5073] post_alloc_hook+0x2d0/0x350 [ 59.759352][ T5073] get_page_from_freelist+0xa25/0x36d0 [ 59.764804][ T5073] __alloc_pages+0x22e/0x2420 [ 59.769478][ T5073] alloc_pages_mpol+0x258/0x5f0 [ 59.774331][ T5073] vma_alloc_folio+0xad/0x220 [ 59.779005][ T5073] __handle_mm_fault+0xe07/0x3d70 [ 59.784020][ T5073] handle_mm_fault+0x47a/0xa10 [ 59.788807][ T5073] do_user_addr_fault+0x30b/0x1000 [ 59.793908][ T5073] exc_page_fault+0x5d/0xc0 [ 59.798404][ T5073] asm_exc_page_fault+0x26/0x30 [ 59.803248][ T5073] page last free stack trace: [ 59.807903][ T5073] free_unref_page_prepare+0x4fa/0xaa0 [ 59.813347][ T5073] free_unref_page_list+0xe6/0xb40 [ 59.818449][ T5073] release_pages+0x32a/0x14f0 [ 59.823123][ T5073] tlb_batch_pages_flush+0x9a/0x190 [ 59.828315][ T5073] tlb_finish_mmu+0x14b/0x6f0 [ 59.832979][ T5073] unmap_region.constprop.0+0x2e6/0x3b0 [ 59.838511][ T5073] do_vmi_align_munmap+0xde6/0x1600 [ 59.843696][ T5073] do_vmi_munmap+0x20e/0x450 [ 59.848271][ T5073] __vm_munmap+0x144/0x390 [ 59.852673][ T5073] __x64_sys_munmap+0x62/0x80 [ 59.857333][ T5073] do_syscall_64+0x40/0x110 [ 59.861824][ T5073] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 59.867709][ T5073] [ 59.870010][ T5073] Memory state around the buggy address: [ 59.875619][ T5073] ffff88807d2a9f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 59.883677][ T5073] ffff88807d2a9f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 59.891743][ T5073] >ffff88807d2aa000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 59.899783][ T5073] ^ [ 59.905917][ T5073] ffff88807d2aa080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 59.913963][ T5073] ffff88807d2aa100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 59.922004][ T5073] ================================================================== [ 59.930540][ T5073] ================================================================== [ 59.938619][ T5073] BUG: KASAN: use-after-free in ntfs_attr_find+0xac5/0xbe0 [ 59.945836][ T5073] Read of size 1 at addr ffff88807d2aa041 by task syz-executor391/5073 [ 59.954054][ T5073] [ 59.956364][ T5073] CPU: 0 PID: 5073 Comm: syz-executor391 Tainted: G B 6.7.0-rc3-syzkaller-00033-g3b47bc037bd4 #0 [ 59.968407][ T5073] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 [ 59.978449][ T5073] Call Trace: [ 59.981760][ T5073] [ 59.984670][ T5073] dump_stack_lvl+0xd9/0x1b0 [ 59.989250][ T5073] print_report+0xc4/0x620 [ 59.993685][ T5073] ? __virt_addr_valid+0x5e/0x2d0 [ 59.998699][ T5073] ? __phys_addr+0xc6/0x140 [ 60.003194][ T5073] kasan_report+0xda/0x110 [ 60.007602][ T5073] ? ntfs_attr_find+0xac5/0xbe0 [ 60.012452][ T5073] ? ntfs_attr_find+0xac5/0xbe0 [ 60.017301][ T5073] ntfs_attr_find+0xac5/0xbe0 [ 60.021999][ T5073] ntfs_attr_lookup+0x10e0/0x2100 [ 60.027064][ T5073] ? ntfs_attr_reinit_search_ctx+0x3c0/0x3c0 [ 60.033040][ T5073] ? trace_kmem_cache_alloc+0x26/0xa0 [ 60.038424][ T5073] ? kmem_cache_alloc+0x1af/0x2f0 [ 60.043448][ T5073] ntfs_read_locked_inode+0x9bf/0x5860 [ 60.048933][ T5073] ntfs_read_inode_mount+0xef9/0x2730 [ 60.054300][ T5073] ntfs_fill_super+0x185c/0x9100 [ 60.059239][ T5073] ? up_write+0x510/0x510 [ 60.063571][ T5073] ? rcu_is_watching+0x12/0xb0 [ 60.068334][ T5073] ? parse_options+0x1db0/0x1db0 [ 60.073269][ T5073] ? lock_sync+0x190/0x190 [ 60.077718][ T5073] ? spin_bug+0x1d0/0x1d0 [ 60.082108][ T5073] ? set_blocksize+0x2bd/0x360 [ 60.086877][ T5073] ? preempt_count_sub+0x160/0x160 [ 60.091980][ T5073] ? sb_set_blocksize+0xf6/0x120 [ 60.096917][ T5073] ? parse_options+0x1db0/0x1db0 [ 60.101846][ T5073] mount_bdev+0x1f3/0x2e0 [ 60.106177][ T5073] ? sget+0x640/0x640 [ 60.110149][ T5073] ? apparmor_capable+0x126/0x1e0 [ 60.115169][ T5073] ? ntfs_rl_punch_nolock+0x15d0/0x15d0 [ 60.120703][ T5073] legacy_get_tree+0x109/0x220 [ 60.125463][ T5073] vfs_get_tree+0x8c/0x370 [ 60.129872][ T5073] path_mount+0x1492/0x1ed0 [ 60.134453][ T5073] ? kmem_cache_free+0xf8/0x350 [ 60.139294][ T5073] ? finish_automount+0xa40/0xa40 [ 60.144304][ T5073] ? putname+0x12e/0x170 [ 60.148540][ T5073] __x64_sys_mount+0x293/0x310 [ 60.153300][ T5073] ? copy_mnt_ns+0xb60/0xb60 [ 60.157885][ T5073] ? syscall_trace_enter.constprop.0+0xaf/0x1e0 [ 60.164122][ T5073] do_syscall_64+0x40/0x110 [ 60.168643][ T5073] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 60.174537][ T5073] RIP: 0033:0x7f3fcba44daa [ 60.178942][ T5073] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 60.198543][ T5073] RSP: 002b:00007fffa61e1ed8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 60.206949][ T5073] RAX: ffffffffffffffda RBX: 00007fffa61e1ef0 RCX: 00007f3fcba44daa [ 60.214916][ T5073] RDX: 00000000200000c0 RSI: 00000000200001c0 RDI: 00007fffa61e1ef0 [ 60.222898][ T5073] RBP: 0000000000000004 R08: 00007fffa61e1f30 R09: 000000000001f63d [ 60.230864][ T5073] R10: 0000000000000004 R11: 0000000000000286 R12: 0000000000000004 [ 60.238854][ T5073] R13: 00007fffa61e1f30 R14: 0000000000000003 R15: 0000000000200000 [ 60.246825][ T5073] [ 60.249838][ T5073] [ 60.252156][ T5073] The buggy address belongs to the physical page: [ 60.258552][ T5073] page:ffffea0001f4aa80 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x7d2aa [ 60.268686][ T5073] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 60.275784][ T5073] page_type: 0xffffffff() [ 60.280105][ T5073] raw: 00fff00000000000 ffffea0001eb1a08 ffffea0001eb1288 0000000000000000 [ 60.288674][ T5073] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 60.297241][ T5073] page dumped because: kasan: bad access detected [ 60.303631][ T5073] page_owner tracks the page as freed [ 60.308976][ T5073] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5072, tgid 5072 (syz-executor391), ts 59152561300, free_ts 59175354439 [ 60.327887][ T5073] post_alloc_hook+0x2d0/0x350 [ 60.332669][ T5073] get_page_from_freelist+0xa25/0x36d0 [ 60.338140][ T5073] __alloc_pages+0x22e/0x2420 [ 60.342823][ T5073] alloc_pages_mpol+0x258/0x5f0 [ 60.347684][ T5073] vma_alloc_folio+0xad/0x220 [ 60.352371][ T5073] __handle_mm_fault+0xe07/0x3d70 [ 60.357408][ T5073] handle_mm_fault+0x47a/0xa10 [ 60.362164][ T5073] do_user_addr_fault+0x30b/0x1000 [ 60.367292][ T5073] exc_page_fault+0x5d/0xc0 [ 60.371783][ T5073] asm_exc_page_fault+0x26/0x30 [ 60.376637][ T5073] page last free stack trace: [ 60.381308][ T5073] free_unref_page_prepare+0x4fa/0xaa0 [ 60.386793][ T5073] free_unref_page_list+0xe6/0xb40 [ 60.391901][ T5073] release_pages+0x32a/0x14f0 [ 60.396593][ T5073] tlb_batch_pages_flush+0x9a/0x190 [ 60.401785][ T5073] tlb_finish_mmu+0x14b/0x6f0 [ 60.406454][ T5073] unmap_region.constprop.0+0x2e6/0x3b0 [ 60.412426][ T5073] do_vmi_align_munmap+0xde6/0x1600 [ 60.417635][ T5073] do_vmi_munmap+0x20e/0x450 [ 60.422213][ T5073] __vm_munmap+0x144/0x390 [ 60.426635][ T5073] __x64_sys_munmap+0x62/0x80 [ 60.431317][ T5073] do_syscall_64+0x40/0x110 [ 60.435804][ T5073] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 60.441695][ T5073] [ 60.444006][ T5073] Memory state around the buggy address: [ 60.449623][ T5073] ffff88807d2a9f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 60.457711][ T5073] ffff88807d2a9f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 60.465765][ T5073] >ffff88807d2aa000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 60.473809][ T5073] ^ [ 60.479961][ T5073] ffff88807d2aa080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 60.488015][ T5073] ffff88807d2aa100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 60.496085][ T5073] ================================================================== [ 60.504625][ T5073] ================================================================== [ 60.512707][ T5073] BUG: KASAN: use-after-free in ntfs_attr_find+0xab6/0xbe0 [ 60.519911][ T5073] Read of size 4 at addr ffff88807d2aa038 by task syz-executor391/5073 [ 60.528139][ T5073] [ 60.530458][ T5073] CPU: 0 PID: 5073 Comm: syz-executor391 Tainted: G B 6.7.0-rc3-syzkaller-00033-g3b47bc037bd4 #0 [ 60.542361][ T5073] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 [ 60.552412][ T5073] Call Trace: [ 60.555692][ T5073] [ 60.558736][ T5073] dump_stack_lvl+0xd9/0x1b0 [ 60.563362][ T5073] print_report+0xc4/0x620 [ 60.567808][ T5073] ? __virt_addr_valid+0x5e/0x2d0 [ 60.572841][ T5073] ? __phys_addr+0xc6/0x140 [ 60.577350][ T5073] kasan_report+0xda/0x110 [ 60.581900][ T5073] ? ntfs_attr_find+0xab6/0xbe0 [ 60.586773][ T5073] ? ntfs_attr_find+0xab6/0xbe0 [ 60.591643][ T5073] ntfs_attr_find+0xab6/0xbe0 [ 60.596338][ T5073] ntfs_attr_lookup+0x10e0/0x2100 [ 60.601371][ T5073] ? ntfs_attr_reinit_search_ctx+0x3c0/0x3c0 [ 60.607352][ T5073] ? trace_kmem_cache_alloc+0x26/0xa0 [ 60.612721][ T5073] ? kmem_cache_alloc+0x1af/0x2f0 [ 60.617751][ T5073] ntfs_read_locked_inode+0x9bf/0x5860 [ 60.623211][ T5073] ntfs_read_inode_mount+0xef9/0x2730 [ 60.628586][ T5073] ntfs_fill_super+0x185c/0x9100 [ 60.633534][ T5073] ? up_write+0x510/0x510 [ 60.637862][ T5073] ? rcu_is_watching+0x12/0xb0 [ 60.642624][ T5073] ? parse_options+0x1db0/0x1db0 [ 60.647559][ T5073] ? lock_sync+0x190/0x190 [ 60.651983][ T5073] ? spin_bug+0x1d0/0x1d0 [ 60.656301][ T5073] ? set_blocksize+0x2bd/0x360 [ 60.661070][ T5073] ? preempt_count_sub+0x160/0x160 [ 60.666175][ T5073] ? sb_set_blocksize+0xf6/0x120 [ 60.671120][ T5073] ? parse_options+0x1db0/0x1db0 [ 60.676053][ T5073] mount_bdev+0x1f3/0x2e0 [ 60.680385][ T5073] ? sget+0x640/0x640 [ 60.684365][ T5073] ? apparmor_capable+0x126/0x1e0 [ 60.689389][ T5073] ? ntfs_rl_punch_nolock+0x15d0/0x15d0 [ 60.694935][ T5073] legacy_get_tree+0x109/0x220 [ 60.699701][ T5073] vfs_get_tree+0x8c/0x370 [ 60.704141][ T5073] path_mount+0x1492/0x1ed0 [ 60.708641][ T5073] ? kmem_cache_free+0xf8/0x350 [ 60.713496][ T5073] ? finish_automount+0xa40/0xa40 [ 60.718527][ T5073] ? putname+0x12e/0x170 [ 60.722771][ T5073] __x64_sys_mount+0x293/0x310 [ 60.727538][ T5073] ? copy_mnt_ns+0xb60/0xb60 [ 60.732126][ T5073] ? syscall_trace_enter.constprop.0+0xaf/0x1e0 [ 60.738364][ T5073] do_syscall_64+0x40/0x110 [ 60.742875][ T5073] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 60.748775][ T5073] RIP: 0033:0x7f3fcba44daa [ 60.753202][ T5073] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 60.772919][ T5073] RSP: 002b:00007fffa61e1ed8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 60.781324][ T5073] RAX: ffffffffffffffda RBX: 00007fffa61e1ef0 RCX: 00007f3fcba44daa [ 60.789313][ T5073] RDX: 00000000200000c0 RSI: 00000000200001c0 RDI: 00007fffa61e1ef0 [ 60.797294][ T5073] RBP: 0000000000000004 R08: 00007fffa61e1f30 R09: 000000000001f63d [ 60.805266][ T5073] R10: 0000000000000004 R11: 0000000000000286 R12: 0000000000000004 [ 60.813231][ T5073] R13: 00007fffa61e1f30 R14: 0000000000000003 R15: 0000000000200000 [ 60.821204][ T5073] [ 60.824219][ T5073] [ 60.826532][ T5073] The buggy address belongs to the physical page: [ 60.832927][ T5073] page:ffffea0001f4aa80 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x7d2aa [ 60.843066][ T5073] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 60.850165][ T5073] page_type: 0xffffffff() [ 60.854486][ T5073] raw: 00fff00000000000 ffffea0001eb1a08 ffffea0001eb1288 0000000000000000 [ 60.863060][ T5073] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 60.871629][ T5073] page dumped because: kasan: bad access detected [ 60.878024][ T5073] page_owner tracks the page as freed [ 60.883376][ T5073] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5072, tgid 5072 (syz-executor391), ts 59152561300, free_ts 59175354439 [ 60.902296][ T5073] post_alloc_hook+0x2d0/0x350 [ 60.907068][ T5073] get_page_from_freelist+0xa25/0x36d0 [ 60.912526][ T5073] __alloc_pages+0x22e/0x2420 [ 60.917202][ T5073] alloc_pages_mpol+0x258/0x5f0 [ 60.922045][ T5073] vma_alloc_folio+0xad/0x220 [ 60.926716][ T5073] __handle_mm_fault+0xe07/0x3d70 [ 60.931742][ T5073] handle_mm_fault+0x47a/0xa10 [ 60.936540][ T5073] do_user_addr_fault+0x30b/0x1000 [ 60.941642][ T5073] exc_page_fault+0x5d/0xc0 [ 60.946140][ T5073] asm_exc_page_fault+0x26/0x30 [ 60.950989][ T5073] page last free stack trace: [ 60.955646][ T5073] free_unref_page_prepare+0x4fa/0xaa0 [ 60.961102][ T5073] free_unref_page_list+0xe6/0xb40 [ 60.966208][ T5073] release_pages+0x32a/0x14f0 [ 60.970871][ T5073] tlb_batch_pages_flush+0x9a/0x190 [ 60.976064][ T5073] tlb_finish_mmu+0x14b/0x6f0 [ 60.980747][ T5073] unmap_region.constprop.0+0x2e6/0x3b0 [ 60.986295][ T5073] do_vmi_align_munmap+0xde6/0x1600 [ 60.991484][ T5073] do_vmi_munmap+0x20e/0x450 [ 60.996240][ T5073] __vm_munmap+0x144/0x390 [ 61.000649][ T5073] __x64_sys_munmap+0x62/0x80 [ 61.005318][ T5073] do_syscall_64+0x40/0x110 [ 61.009818][ T5073] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 61.015713][ T5073] [ 61.018022][ T5073] Memory state around the buggy address: [ 61.023634][ T5073] ffff88807d2a9f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 61.031684][ T5073] ffff88807d2a9f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 61.039734][ T5073] >ffff88807d2aa000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 61.048216][ T5073] ^ [ 61.054094][ T5073] ffff88807d2aa080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 61.062144][ T5073] ffff88807d2aa100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 61.070192][ T5073] ================================================================== [ 61.079292][ T5073] ================================================================== [ 61.087367][ T5073] BUG: KASAN: use-after-free in ntfs_attr_find+0xaa4/0xbe0 [ 61.094638][ T5073] Read of size 2 at addr ffff88807d2aa042 by task syz-executor391/5073 [ 61.102891][ T5073] [ 61.105247][ T5073] CPU: 0 PID: 5073 Comm: syz-executor391 Tainted: G B 6.7.0-rc3-syzkaller-00033-g3b47bc037bd4 #0 [ 61.117121][ T5073] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 [ 61.127168][ T5073] Call Trace: [ 61.130436][ T5073] [ 61.133436][ T5073] dump_stack_lvl+0xd9/0x1b0 [ 61.138023][ T5073] print_report+0xc4/0x620 [ 61.142445][ T5073] ? __virt_addr_valid+0x5e/0x2d0 [ 61.147462][ T5073] ? __phys_addr+0xc6/0x140 [ 61.151959][ T5073] kasan_report+0xda/0x110 [ 61.156369][ T5073] ? ntfs_attr_find+0xaa4/0xbe0 [ 61.161218][ T5073] ? ntfs_attr_find+0xaa4/0xbe0 [ 61.166063][ T5073] ntfs_attr_find+0xaa4/0xbe0 [ 61.170742][ T5073] ntfs_attr_lookup+0x10e0/0x2100 [ 61.175769][ T5073] ? ntfs_attr_reinit_search_ctx+0x3c0/0x3c0 [ 61.181752][ T5073] ? trace_kmem_cache_alloc+0x26/0xa0 [ 61.187145][ T5073] ? kmem_cache_alloc+0x1af/0x2f0 [ 61.192160][ T5073] ntfs_read_locked_inode+0xaf6/0x5860 [ 61.197608][ T5073] ntfs_read_inode_mount+0xef9/0x2730 [ 61.202971][ T5073] ntfs_fill_super+0x185c/0x9100 [ 61.207900][ T5073] ? up_write+0x510/0x510 [ 61.212308][ T5073] ? rcu_is_watching+0x12/0xb0 [ 61.217061][ T5073] ? parse_options+0x1db0/0x1db0 [ 61.222356][ T5073] ? lock_sync+0x190/0x190 [ 61.226761][ T5073] ? spin_bug+0x1d0/0x1d0 [ 61.231076][ T5073] ? set_blocksize+0x2bd/0x360 [ 61.235827][ T5073] ? preempt_count_sub+0x160/0x160 [ 61.240926][ T5073] ? sb_set_blocksize+0xf6/0x120 [ 61.245858][ T5073] ? parse_options+0x1db0/0x1db0 [ 61.250788][ T5073] mount_bdev+0x1f3/0x2e0 [ 61.255110][ T5073] ? sget+0x640/0x640 [ 61.259083][ T5073] ? apparmor_capable+0x126/0x1e0 [ 61.264098][ T5073] ? ntfs_rl_punch_nolock+0x15d0/0x15d0 [ 61.269630][ T5073] legacy_get_tree+0x109/0x220 [ 61.274405][ T5073] vfs_get_tree+0x8c/0x370 [ 61.278811][ T5073] path_mount+0x1492/0x1ed0 [ 61.283323][ T5073] ? kmem_cache_free+0xf8/0x350 [ 61.288179][ T5073] ? finish_automount+0xa40/0xa40 [ 61.293190][ T5073] ? putname+0x12e/0x170 [ 61.297429][ T5073] __x64_sys_mount+0x293/0x310 [ 61.302187][ T5073] ? copy_mnt_ns+0xb60/0xb60 [ 61.306768][ T5073] ? syscall_trace_enter.constprop.0+0xaf/0x1e0 [ 61.313013][ T5073] do_syscall_64+0x40/0x110 [ 61.317518][ T5073] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 61.323415][ T5073] RIP: 0033:0x7f3fcba44daa [ 61.327820][ T5073] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 61.347427][ T5073] RSP: 002b:00007fffa61e1ed8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 61.355831][ T5073] RAX: ffffffffffffffda RBX: 00007fffa61e1ef0 RCX: 00007f3fcba44daa [ 61.363795][ T5073] RDX: 00000000200000c0 RSI: 00000000200001c0 RDI: 00007fffa61e1ef0 [ 61.371762][ T5073] RBP: 0000000000000004 R08: 00007fffa61e1f30 R09: 000000000001f63d [ 61.379735][ T5073] R10: 0000000000000004 R11: 0000000000000286 R12: 0000000000000004 [ 61.387699][ T5073] R13: 00007fffa61e1f30 R14: 0000000000000003 R15: 0000000000200000 [ 61.395708][ T5073] [ 61.398720][ T5073] [ 61.401046][ T5073] The buggy address belongs to the physical page: [ 61.407473][ T5073] page:ffffea0001f4aa80 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x7d2aa [ 61.417610][ T5073] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 61.424702][ T5073] page_type: 0xffffffff() [ 61.429020][ T5073] raw: 00fff00000000000 ffffea0001eb1a08 ffffea0001eb1288 0000000000000000 [ 61.437591][ T5073] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 61.446163][ T5073] page dumped because: kasan: bad access detected [ 61.452570][ T5073] page_owner tracks the page as freed [ 61.457923][ T5073] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5072, tgid 5072 (syz-executor391), ts 59152561300, free_ts 59175354439 [ 61.476842][ T5073] post_alloc_hook+0x2d0/0x350 [ 61.481608][ T5073] get_page_from_freelist+0xa25/0x36d0 [ 61.487069][ T5073] __alloc_pages+0x22e/0x2420 [ 61.491748][ T5073] alloc_pages_mpol+0x258/0x5f0 [ 61.496607][ T5073] vma_alloc_folio+0xad/0x220 [ 61.501277][ T5073] __handle_mm_fault+0xe07/0x3d70 [ 61.506299][ T5073] handle_mm_fault+0x47a/0xa10 [ 61.511066][ T5073] do_user_addr_fault+0x30b/0x1000 [ 61.516182][ T5073] exc_page_fault+0x5d/0xc0 [ 61.520755][ T5073] asm_exc_page_fault+0x26/0x30 [ 61.525611][ T5073] page last free stack trace: [ 61.530268][ T5073] free_unref_page_prepare+0x4fa/0xaa0 [ 61.535719][ T5073] free_unref_page_list+0xe6/0xb40 [ 61.540825][ T5073] release_pages+0x32a/0x14f0 [ 61.545516][ T5073] tlb_batch_pages_flush+0x9a/0x190 [ 61.550796][ T5073] tlb_finish_mmu+0x14b/0x6f0 [ 61.555462][ T5073] unmap_region.constprop.0+0x2e6/0x3b0 [ 61.560992][ T5073] do_vmi_align_munmap+0xde6/0x1600 [ 61.566174][ T5073] do_vmi_munmap+0x20e/0x450 [ 61.570754][ T5073] __vm_munmap+0x144/0x390 [ 61.575170][ T5073] __x64_sys_munmap+0x62/0x80 [ 61.579828][ T5073] do_syscall_64+0x40/0x110 [ 61.584330][ T5073] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 61.590238][ T5073] [ 61.592550][ T5073] Memory state around the buggy address: [ 61.598163][ T5073] ffff88807d2a9f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 61.606206][ T5073] ffff88807d2a9f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 61.614251][ T5073] >ffff88807d2aa000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 61.622308][ T5073] ^ [ 61.628442][ T5073] ffff88807d2aa080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 61.636487][ T5073] ffff88807d2aa100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 61.644537][ T5073] ================================================================== [ 61.652910][ T5073] ================================================================== [ 61.660987][ T5073] BUG: KASAN: use-after-free in ntfs_attr_find+0xac5/0xbe0 [ 61.668210][ T5073] Read of size 1 at addr ffff88807d2aa041 by task syz-executor391/5073 [ 61.676434][ T5073] [ 61.678746][ T5073] CPU: 0 PID: 5073 Comm: syz-executor391 Tainted: G B 6.7.0-rc3-syzkaller-00033-g3b47bc037bd4 #0 [ 61.690620][ T5073] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 [ 61.700663][ T5073] Call Trace: [ 61.703930][ T5073] [ 61.706848][ T5073] dump_stack_lvl+0xd9/0x1b0 [ 61.711467][ T5073] print_report+0xc4/0x620 [ 61.715889][ T5073] ? __virt_addr_valid+0x5e/0x2d0 [ 61.720911][ T5073] ? __phys_addr+0xc6/0x140 [ 61.725418][ T5073] kasan_report+0xda/0x110 [ 61.729835][ T5073] ? ntfs_attr_find+0xac5/0xbe0 [ 61.734686][ T5073] ? ntfs_attr_find+0xac5/0xbe0 [ 61.739541][ T5073] ntfs_attr_find+0xac5/0xbe0 [ 61.744220][ T5073] ntfs_attr_lookup+0x10e0/0x2100 [ 61.749342][ T5073] ? ntfs_attr_reinit_search_ctx+0x3c0/0x3c0 [ 61.755325][ T5073] ? trace_kmem_cache_alloc+0x26/0xa0 [ 61.760691][ T5073] ? kmem_cache_alloc+0x1af/0x2f0 [ 61.765716][ T5073] ntfs_read_locked_inode+0xaf6/0x5860 [ 61.771181][ T5073] ntfs_read_inode_mount+0xef9/0x2730 [ 61.776592][ T5073] ntfs_fill_super+0x185c/0x9100 [ 61.781539][ T5073] ? up_write+0x510/0x510 [ 61.785868][ T5073] ? rcu_is_watching+0x12/0xb0 [ 61.790627][ T5073] ? parse_options+0x1db0/0x1db0 [ 61.795565][ T5073] ? lock_sync+0x190/0x190 [ 61.799981][ T5073] ? spin_bug+0x1d0/0x1d0 [ 61.804299][ T5073] ? set_blocksize+0x2bd/0x360 [ 61.809065][ T5073] ? preempt_count_sub+0x160/0x160 [ 61.814171][ T5073] ? sb_set_blocksize+0xf6/0x120 [ 61.819110][ T5073] ? parse_options+0x1db0/0x1db0 [ 61.824040][ T5073] mount_bdev+0x1f3/0x2e0 [ 61.828370][ T5073] ? sget+0x640/0x640 [ 61.832345][ T5073] ? apparmor_capable+0x126/0x1e0 [ 61.837367][ T5073] ? ntfs_rl_punch_nolock+0x15d0/0x15d0 [ 61.842907][ T5073] legacy_get_tree+0x109/0x220 [ 61.847676][ T5073] vfs_get_tree+0x8c/0x370 [ 61.852091][ T5073] path_mount+0x1492/0x1ed0 [ 61.856601][ T5073] ? kmem_cache_free+0xf8/0x350 [ 61.861449][ T5073] ? finish_automount+0xa40/0xa40 [ 61.866470][ T5073] ? putname+0x12e/0x170 [ 61.870707][ T5073] __x64_sys_mount+0x293/0x310 [ 61.875466][ T5073] ? copy_mnt_ns+0xb60/0xb60 [ 61.880225][ T5073] ? syscall_trace_enter.constprop.0+0xaf/0x1e0 [ 61.886492][ T5073] do_syscall_64+0x40/0x110 [ 61.891016][ T5073] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 61.896931][ T5073] RIP: 0033:0x7f3fcba44daa [ 61.901344][ T5073] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 61.920949][ T5073] RSP: 002b:00007fffa61e1ed8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 61.929359][ T5073] RAX: ffffffffffffffda RBX: 00007fffa61e1ef0 RCX: 00007f3fcba44daa [ 61.937324][ T5073] RDX: 00000000200000c0 RSI: 00000000200001c0 RDI: 00007fffa61e1ef0 [ 61.945288][ T5073] RBP: 0000000000000004 R08: 00007fffa61e1f30 R09: 000000000001f63d [ 61.953257][ T5073] R10: 0000000000000004 R11: 0000000000000286 R12: 0000000000000004 [ 61.961219][ T5073] R13: 00007fffa61e1f30 R14: 0000000000000003 R15: 0000000000200000 [ 61.969185][ T5073] [ 61.972192][ T5073] [ 61.974499][ T5073] The buggy address belongs to the physical page: [ 61.980892][ T5073] page:ffffea0001f4aa80 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x7d2aa [ 61.991029][ T5073] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 61.998150][ T5073] page_type: 0xffffffff() [ 62.002494][ T5073] raw: 00fff00000000000 ffffea0001eb1a08 ffffea0001eb1288 0000000000000000 [ 62.011071][ T5073] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 62.019731][ T5073] page dumped because: kasan: bad access detected [ 62.026129][ T5073] page_owner tracks the page as freed [ 62.031490][ T5073] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5072, tgid 5072 (syz-executor391), ts 59152561300, free_ts 59175354439 [ 62.050410][ T5073] post_alloc_hook+0x2d0/0x350 [ 62.055175][ T5073] get_page_from_freelist+0xa25/0x36d0 [ 62.060631][ T5073] __alloc_pages+0x22e/0x2420 [ 62.065302][ T5073] alloc_pages_mpol+0x258/0x5f0 [ 62.070149][ T5073] vma_alloc_folio+0xad/0x220 [ 62.074821][ T5073] __handle_mm_fault+0xe07/0x3d70 [ 62.079842][ T5073] handle_mm_fault+0x47a/0xa10 [ 62.084607][ T5073] do_user_addr_fault+0x30b/0x1000 [ 62.089712][ T5073] exc_page_fault+0x5d/0xc0 [ 62.094214][ T5073] asm_exc_page_fault+0x26/0x30 [ 62.099062][ T5073] page last free stack trace: [ 62.103726][ T5073] free_unref_page_prepare+0x4fa/0xaa0 [ 62.109185][ T5073] free_unref_page_list+0xe6/0xb40 [ 62.114295][ T5073] release_pages+0x32a/0x14f0 [ 62.118966][ T5073] tlb_batch_pages_flush+0x9a/0x190 [ 62.124162][ T5073] tlb_finish_mmu+0x14b/0x6f0 [ 62.128835][ T5073] unmap_region.constprop.0+0x2e6/0x3b0 [ 62.134372][ T5073] do_vmi_align_munmap+0xde6/0x1600 [ 62.139565][ T5073] do_vmi_munmap+0x20e/0x450 [ 62.144151][ T5073] __vm_munmap+0x144/0x390 [ 62.148560][ T5073] __x64_sys_munmap+0x62/0x80 [ 62.153231][ T5073] do_syscall_64+0x40/0x110 [ 62.157728][ T5073] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 62.163621][ T5073] [ 62.165959][ T5073] Memory state around the buggy address: [ 62.171575][ T5073] ffff88807d2a9f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 62.179627][ T5073] ffff88807d2a9f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 62.187677][ T5073] >ffff88807d2aa000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 62.195719][ T5073] ^ [ 62.201854][ T5073] ffff88807d2aa080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 62.209902][ T5073] ffff88807d2aa100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 62.217948][ T5073] ================================================================== [ 62.226452][ T5073] ================================================================== [ 62.234529][ T5073] BUG: KASAN: use-after-free in ntfs_attr_find+0xab6/0xbe0 [ 62.241745][ T5073] Read of size 4 at addr ffff88807d2aa038 by task syz-executor391/5073 [ 62.249971][ T5073] [ 62.252285][ T5073] CPU: 0 PID: 5073 Comm: syz-executor391 Tainted: G B 6.7.0-rc3-syzkaller-00033-g3b47bc037bd4 #0 [ 62.264169][ T5073] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 [ 62.274212][ T5073] Call Trace: [ 62.277480][ T5073] [ 62.280426][ T5073] dump_stack_lvl+0xd9/0x1b0 [ 62.285017][ T5073] print_report+0xc4/0x620 [ 62.289433][ T5073] ? __virt_addr_valid+0x5e/0x2d0 [ 62.294456][ T5073] ? __phys_addr+0xc6/0x140 [ 62.298979][ T5073] kasan_report+0xda/0x110 [ 62.303392][ T5073] ? ntfs_attr_find+0xab6/0xbe0 [ 62.308243][ T5073] ? ntfs_attr_find+0xab6/0xbe0 [ 62.313102][ T5073] ntfs_attr_find+0xab6/0xbe0 [ 62.317781][ T5073] ntfs_attr_lookup+0x10e0/0x2100 [ 62.322817][ T5073] ? ntfs_attr_reinit_search_ctx+0x3c0/0x3c0 [ 62.329924][ T5073] ? trace_kmem_cache_alloc+0x26/0xa0 [ 62.335291][ T5073] ? kmem_cache_alloc+0x1af/0x2f0 [ 62.340313][ T5073] ntfs_read_locked_inode+0xaf6/0x5860 [ 62.345765][ T5073] ntfs_read_inode_mount+0xef9/0x2730 [ 62.351222][ T5073] ntfs_fill_super+0x185c/0x9100 [ 62.356155][ T5073] ? up_write+0x510/0x510 [ 62.360482][ T5073] ? rcu_is_watching+0x12/0xb0 [ 62.365242][ T5073] ? parse_options+0x1db0/0x1db0 [ 62.370170][ T5073] ? lock_sync+0x190/0x190 [ 62.374583][ T5073] ? spin_bug+0x1d0/0x1d0 [ 62.378900][ T5073] ? set_blocksize+0x2bd/0x360 [ 62.383662][ T5073] ? preempt_count_sub+0x160/0x160 [ 62.388762][ T5073] ? sb_set_blocksize+0xf6/0x120 [ 62.393704][ T5073] ? parse_options+0x1db0/0x1db0 [ 62.398633][ T5073] mount_bdev+0x1f3/0x2e0 [ 62.402965][ T5073] ? sget+0x640/0x640 [ 62.406942][ T5073] ? apparmor_capable+0x126/0x1e0 [ 62.411961][ T5073] ? ntfs_rl_punch_nolock+0x15d0/0x15d0 [ 62.417502][ T5073] legacy_get_tree+0x109/0x220 [ 62.422267][ T5073] vfs_get_tree+0x8c/0x370 [ 62.426678][ T5073] path_mount+0x1492/0x1ed0 [ 62.431175][ T5073] ? kmem_cache_free+0xf8/0x350 [ 62.436020][ T5073] ? finish_automount+0xa40/0xa40 [ 62.441039][ T5073] ? putname+0x12e/0x170 [ 62.445278][ T5073] __x64_sys_mount+0x293/0x310 [ 62.450045][ T5073] ? copy_mnt_ns+0xb60/0xb60 [ 62.454632][ T5073] ? syscall_trace_enter.constprop.0+0xaf/0x1e0 [ 62.460960][ T5073] do_syscall_64+0x40/0x110 [ 62.465465][ T5073] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 62.471359][ T5073] RIP: 0033:0x7f3fcba44daa [ 62.475778][ T5073] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 62.495381][ T5073] RSP: 002b:00007fffa61e1ed8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 62.503785][ T5073] RAX: ffffffffffffffda RBX: 00007fffa61e1ef0 RCX: 00007f3fcba44daa [ 62.511837][ T5073] RDX: 00000000200000c0 RSI: 00000000200001c0 RDI: 00007fffa61e1ef0 [ 62.519804][ T5073] RBP: 0000000000000004 R08: 00007fffa61e1f30 R09: 000000000001f63d [ 62.527804][ T5073] R10: 0000000000000004 R11: 0000000000000286 R12: 0000000000000004 [ 62.535853][ T5073] R13: 00007fffa61e1f30 R14: 0000000000000003 R15: 0000000000200000 [ 62.543908][ T5073] [ 62.546917][ T5073] [ 62.549227][ T5073] The buggy address belongs to the physical page: [ 62.555653][ T5073] page:ffffea0001f4aa80 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x7d2aa [ 62.565797][ T5073] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 62.572890][ T5073] page_type: 0xffffffff() [ 62.577209][ T5073] raw: 00fff00000000000 ffffea0001eb1a08 ffffea0001eb1288 0000000000000000 [ 62.585789][ T5073] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 62.594359][ T5073] page dumped because: kasan: bad access detected [ 62.600762][ T5073] page_owner tracks the page as freed [ 62.606117][ T5073] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5072, tgid 5072 (syz-executor391), ts 59152561300, free_ts 59175354439 [ 62.625576][ T5073] post_alloc_hook+0x2d0/0x350 [ 62.630358][ T5073] get_page_from_freelist+0xa25/0x36d0 [ 62.635850][ T5073] __alloc_pages+0x22e/0x2420 [ 62.640532][ T5073] alloc_pages_mpol+0x258/0x5f0 [ 62.645401][ T5073] vma_alloc_folio+0xad/0x220 [ 62.650077][ T5073] __handle_mm_fault+0xe07/0x3d70 [ 62.655106][ T5073] handle_mm_fault+0x47a/0xa10 [ 62.659869][ T5073] do_user_addr_fault+0x30b/0x1000 [ 62.664976][ T5073] exc_page_fault+0x5d/0xc0 [ 62.669482][ T5073] asm_exc_page_fault+0x26/0x30 [ 62.674333][ T5073] page last free stack trace: [ 62.678994][ T5073] free_unref_page_prepare+0x4fa/0xaa0 [ 62.684456][ T5073] free_unref_page_list+0xe6/0xb40 [ 62.689569][ T5073] release_pages+0x32a/0x14f0 [ 62.694239][ T5073] tlb_batch_pages_flush+0x9a/0x190 [ 62.699439][ T5073] tlb_finish_mmu+0x14b/0x6f0 [ 62.704111][ T5073] unmap_region.constprop.0+0x2e6/0x3b0 [ 62.709649][ T5073] do_vmi_align_munmap+0xde6/0x1600 [ 62.714842][ T5073] do_vmi_munmap+0x20e/0x450 [ 62.719421][ T5073] __vm_munmap+0x144/0x390 [ 62.723829][ T5073] __x64_sys_munmap+0x62/0x80 [ 62.728498][ T5073] do_syscall_64+0x40/0x110 [ 62.732997][ T5073] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 62.738896][ T5073] [ 62.741206][ T5073] Memory state around the buggy address: [ 62.746823][ T5073] ffff88807d2a9f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 62.754869][ T5073] ffff88807d2a9f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 62.762920][ T5073] >ffff88807d2aa000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 62.770994][ T5073] ^ [ 62.776889][ T5073] ffff88807d2aa080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 62.784947][ T5073] ffff88807d2aa100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 62.792995][ T5073] ================================================================== [ 62.812117][ T5073] ================================================================== [ 62.820277][ T5073] BUG: KASAN: use-after-free in ntfs_attr_find+0xaa4/0xbe0 [ 62.827470][ T5073] Read of size 2 at addr ffff88807d2aa042 by task syz-executor391/5073 [ 62.835698][ T5073] [ 62.838003][ T5073] CPU: 1 PID: 5073 Comm: syz-executor391 Tainted: G B 6.7.0-rc3-syzkaller-00033-g3b47bc037bd4 #0 [ 62.849884][ T5073] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 [ 62.859927][ T5073] Call Trace: [ 62.863189][ T5073] [ 62.866110][ T5073] dump_stack_lvl+0xd9/0x1b0 [ 62.870705][ T5073] print_report+0xc4/0x620 [ 62.875165][ T5073] ? __virt_addr_valid+0x5e/0x2d0 [ 62.880201][ T5073] ? __phys_addr+0xc6/0x140 [ 62.884694][ T5073] kasan_report+0xda/0x110 [ 62.889111][ T5073] ? ntfs_attr_find+0xaa4/0xbe0 [ 62.893980][ T5073] ? ntfs_attr_find+0xaa4/0xbe0 [ 62.898818][ T5073] ntfs_attr_find+0xaa4/0xbe0 [ 62.903489][ T5073] ntfs_attr_lookup+0x10e0/0x2100 [ 62.908504][ T5073] ? ntfs_attr_reinit_search_ctx+0x3c0/0x3c0 [ 62.914471][ T5073] ? trace_kmem_cache_alloc+0x26/0xa0 [ 62.919829][ T5073] ? kmem_cache_alloc+0x1af/0x2f0 [ 62.924842][ T5073] ntfs_read_locked_inode+0x3810/0x5860 [ 62.930378][ T5073] ntfs_read_inode_mount+0xef9/0x2730 [ 62.935737][ T5073] ntfs_fill_super+0x185c/0x9100 [ 62.940660][ T5073] ? up_write+0x510/0x510 [ 62.944977][ T5073] ? rcu_is_watching+0x12/0xb0 [ 62.949724][ T5073] ? parse_options+0x1db0/0x1db0 [ 62.954647][ T5073] ? lock_sync+0x190/0x190 [ 62.959055][ T5073] ? spin_bug+0x1d0/0x1d0 [ 62.963363][ T5073] ? set_blocksize+0x2bd/0x360 [ 62.968113][ T5073] ? preempt_count_sub+0x160/0x160 [ 62.973203][ T5073] ? sb_set_blocksize+0xf6/0x120 [ 62.978227][ T5073] ? parse_options+0x1db0/0x1db0 [ 62.983145][ T5073] mount_bdev+0x1f3/0x2e0 [ 62.987467][ T5073] ? sget+0x640/0x640 [ 62.991459][ T5073] ? apparmor_capable+0x126/0x1e0 [ 62.996482][ T5073] ? ntfs_rl_punch_nolock+0x15d0/0x15d0 [ 63.002019][ T5073] legacy_get_tree+0x109/0x220 [ 63.006793][ T5073] vfs_get_tree+0x8c/0x370 [ 63.011192][ T5073] path_mount+0x1492/0x1ed0 [ 63.015737][ T5073] ? kmem_cache_free+0xf8/0x350 [ 63.020578][ T5073] ? finish_automount+0xa40/0xa40 [ 63.025592][ T5073] ? putname+0x12e/0x170 [ 63.029817][ T5073] __x64_sys_mount+0x293/0x310 [ 63.034581][ T5073] ? copy_mnt_ns+0xb60/0xb60 [ 63.039159][ T5073] ? syscall_trace_enter.constprop.0+0xaf/0x1e0 [ 63.045394][ T5073] do_syscall_64+0x40/0x110 [ 63.049913][ T5073] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 63.055809][ T5073] RIP: 0033:0x7f3fcba44daa [ 63.060227][ T5073] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 63.079835][ T5073] RSP: 002b:00007fffa61e1ed8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 63.088236][ T5073] RAX: ffffffffffffffda RBX: 00007fffa61e1ef0 RCX: 00007f3fcba44daa [ 63.096194][ T5073] RDX: 00000000200000c0 RSI: 00000000200001c0 RDI: 00007fffa61e1ef0 [ 63.104174][ T5073] RBP: 0000000000000004 R08: 00007fffa61e1f30 R09: 000000000001f63d [ 63.112143][ T5073] R10: 0000000000000004 R11: 0000000000000286 R12: 0000000000000004 [ 63.120114][ T5073] R13: 00007fffa61e1f30 R14: 0000000000000003 R15: 0000000000200000 [ 63.128080][ T5073] [ 63.131085][ T5073] [ 63.133389][ T5073] The buggy address belongs to the physical page: [ 63.139783][ T5073] page:ffffea0001f4aa80 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x7d2aa [ 63.149917][ T5073] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 63.157008][ T5073] page_type: 0xffffffff() [ 63.161316][ T5073] raw: 00fff00000000000 ffffea0001eb1a08 ffffea0001eb1288 0000000000000000 [ 63.169886][ T5073] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 63.178457][ T5073] page dumped because: kasan: bad access detected [ 63.184849][ T5073] page_owner tracks the page as freed [ 63.190197][ T5073] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5072, tgid 5072 (syz-executor391), ts 59152561300, free_ts 59175354439 [ 63.209133][ T5073] post_alloc_hook+0x2d0/0x350 [ 63.213889][ T5073] get_page_from_freelist+0xa25/0x36d0 [ 63.219366][ T5073] __alloc_pages+0x22e/0x2420 [ 63.224036][ T5073] alloc_pages_mpol+0x258/0x5f0 [ 63.228878][ T5073] vma_alloc_folio+0xad/0x220 [ 63.233558][ T5073] __handle_mm_fault+0xe07/0x3d70 [ 63.238571][ T5073] handle_mm_fault+0x47a/0xa10 [ 63.243323][ T5073] do_user_addr_fault+0x30b/0x1000 [ 63.248419][ T5073] exc_page_fault+0x5d/0xc0 [ 63.252905][ T5073] asm_exc_page_fault+0x26/0x30 [ 63.257743][ T5073] page last free stack trace: [ 63.262403][ T5073] free_unref_page_prepare+0x4fa/0xaa0 [ 63.267895][ T5073] free_unref_page_list+0xe6/0xb40 [ 63.273026][ T5073] release_pages+0x32a/0x14f0 [ 63.277720][ T5073] tlb_batch_pages_flush+0x9a/0x190 [ 63.282936][ T5073] tlb_finish_mmu+0x14b/0x6f0 [ 63.287626][ T5073] unmap_region.constprop.0+0x2e6/0x3b0 [ 63.293283][ T5073] do_vmi_align_munmap+0xde6/0x1600 [ 63.298493][ T5073] do_vmi_munmap+0x20e/0x450 [ 63.303086][ T5073] __vm_munmap+0x144/0x390 [ 63.307492][ T5073] __x64_sys_munmap+0x62/0x80 [ 63.312158][ T5073] do_syscall_64+0x40/0x110 [ 63.316655][ T5073] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 63.322542][ T5073] [ 63.324846][ T5073] Memory state around the buggy address: [ 63.330456][ T5073] ffff88807d2a9f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 63.338544][ T5073] ffff88807d2a9f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 63.346591][ T5073] >ffff88807d2aa000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 63.354632][ T5073] ^ [ 63.360793][ T5073] ffff88807d2aa080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 63.368837][ T5073] ffff88807d2aa100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 63.376880][ T5073] ================================================================== [ 63.385563][ T5073] ================================================================== [ 63.393639][ T5073] BUG: KASAN: use-after-free in ntfs_attr_find+0xac5/0xbe0 [ 63.400846][ T5073] Read of size 1 at addr ffff88807d2aa041 by task syz-executor391/5073 [ 63.409066][ T5073] [ 63.411376][ T5073] CPU: 1 PID: 5073 Comm: syz-executor391 Tainted: G B 6.7.0-rc3-syzkaller-00033-g3b47bc037bd4 #0 [ 63.423354][ T5073] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 [ 63.433396][ T5073] Call Trace: [ 63.436664][ T5073] [ 63.439584][ T5073] dump_stack_lvl+0xd9/0x1b0 [ 63.444169][ T5073] print_report+0xc4/0x620 [ 63.448585][ T5073] ? __virt_addr_valid+0x5e/0x2d0 [ 63.453599][ T5073] ? __phys_addr+0xc6/0x140 [ 63.458107][ T5073] kasan_report+0xda/0x110 [ 63.462514][ T5073] ? ntfs_attr_find+0xac5/0xbe0 [ 63.467361][ T5073] ? ntfs_attr_find+0xac5/0xbe0 [ 63.472204][ T5073] ntfs_attr_find+0xac5/0xbe0 [ 63.476878][ T5073] ntfs_attr_lookup+0x10e0/0x2100 [ 63.481898][ T5073] ? ntfs_attr_reinit_search_ctx+0x3c0/0x3c0 [ 63.487892][ T5073] ? trace_kmem_cache_alloc+0x26/0xa0 [ 63.493277][ T5073] ? kmem_cache_alloc+0x1af/0x2f0 [ 63.498304][ T5073] ntfs_read_locked_inode+0x3810/0x5860 [ 63.503842][ T5073] ntfs_read_inode_mount+0xef9/0x2730 [ 63.509204][ T5073] ntfs_fill_super+0x185c/0x9100 [ 63.514136][ T5073] ? up_write+0x510/0x510 [ 63.518457][ T5073] ? rcu_is_watching+0x12/0xb0 [ 63.523246][ T5073] ? parse_options+0x1db0/0x1db0 [ 63.528226][ T5073] ? lock_sync+0x190/0x190 [ 63.532627][ T5073] ? spin_bug+0x1d0/0x1d0 [ 63.536939][ T5073] ? set_blocksize+0x2bd/0x360 [ 63.541718][ T5073] ? preempt_count_sub+0x160/0x160 [ 63.546818][ T5073] ? sb_set_blocksize+0xf6/0x120 [ 63.551768][ T5073] ? parse_options+0x1db0/0x1db0 [ 63.556694][ T5073] mount_bdev+0x1f3/0x2e0 [ 63.561043][ T5073] ? sget+0x640/0x640 [ 63.565034][ T5073] ? apparmor_capable+0x126/0x1e0 [ 63.570049][ T5073] ? ntfs_rl_punch_nolock+0x15d0/0x15d0 [ 63.575583][ T5073] legacy_get_tree+0x109/0x220 [ 63.580343][ T5073] vfs_get_tree+0x8c/0x370 [ 63.584751][ T5073] path_mount+0x1492/0x1ed0 [ 63.589245][ T5073] ? kmem_cache_free+0xf8/0x350 [ 63.594089][ T5073] ? finish_automount+0xa40/0xa40 [ 63.599104][ T5073] ? putname+0x12e/0x170 [ 63.603362][ T5073] __x64_sys_mount+0x293/0x310 [ 63.608133][ T5073] ? copy_mnt_ns+0xb60/0xb60 [ 63.612716][ T5073] ? syscall_trace_enter.constprop.0+0xaf/0x1e0 [ 63.618961][ T5073] do_syscall_64+0x40/0x110 [ 63.623467][ T5073] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 63.629369][ T5073] RIP: 0033:0x7f3fcba44daa [ 63.633778][ T5073] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 63.653385][ T5073] RSP: 002b:00007fffa61e1ed8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 63.661794][ T5073] RAX: ffffffffffffffda RBX: 00007fffa61e1ef0 RCX: 00007f3fcba44daa [ 63.669773][ T5073] RDX: 00000000200000c0 RSI: 00000000200001c0 RDI: 00007fffa61e1ef0 [ 63.677738][ T5073] RBP: 0000000000000004 R08: 00007fffa61e1f30 R09: 000000000001f63d [ 63.685724][ T5073] R10: 0000000000000004 R11: 0000000000000286 R12: 0000000000000004 [ 63.693681][ T5073] R13: 00007fffa61e1f30 R14: 0000000000000003 R15: 0000000000200000 [ 63.701657][ T5073] [ 63.704665][ T5073] [ 63.706976][ T5073] The buggy address belongs to the physical page: [ 63.713364][ T5073] page:ffffea0001f4aa80 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x7d2aa [ 63.723500][ T5073] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 63.730600][ T5073] page_type: 0xffffffff() [ 63.734926][ T5073] raw: 00fff00000000000 ffffea0001eb1a08 ffffea0001eb1288 0000000000000000 [ 63.743534][ T5073] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 63.752114][ T5073] page dumped because: kasan: bad access detected [ 63.758531][ T5073] page_owner tracks the page as freed [ 63.763883][ T5073] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5072, tgid 5072 (syz-executor391), ts 59152561300, free_ts 59175354439 [ 63.782809][ T5073] post_alloc_hook+0x2d0/0x350 [ 63.787590][ T5073] get_page_from_freelist+0xa25/0x36d0 [ 63.793046][ T5073] __alloc_pages+0x22e/0x2420 [ 63.797717][ T5073] alloc_pages_mpol+0x258/0x5f0 [ 63.802571][ T5073] vma_alloc_folio+0xad/0x220 [ 63.807282][ T5073] __handle_mm_fault+0xe07/0x3d70 [ 63.812324][ T5073] handle_mm_fault+0x47a/0xa10 [ 63.817091][ T5073] do_user_addr_fault+0x30b/0x1000 [ 63.822198][ T5073] exc_page_fault+0x5d/0xc0 [ 63.826706][ T5073] asm_exc_page_fault+0x26/0x30 [ 63.831554][ T5073] page last free stack trace: [ 63.836243][ T5073] free_unref_page_prepare+0x4fa/0xaa0 [ 63.841694][ T5073] free_unref_page_list+0xe6/0xb40 [ 63.846810][ T5073] release_pages+0x32a/0x14f0 [ 63.851492][ T5073] tlb_batch_pages_flush+0x9a/0x190 [ 63.856703][ T5073] tlb_finish_mmu+0x14b/0x6f0 [ 63.861372][ T5073] unmap_region.constprop.0+0x2e6/0x3b0 [ 63.866906][ T5073] do_vmi_align_munmap+0xde6/0x1600 [ 63.872092][ T5073] do_vmi_munmap+0x20e/0x450 [ 63.876671][ T5073] __vm_munmap+0x144/0x390 [ 63.881097][ T5073] __x64_sys_munmap+0x62/0x80 [ 63.885784][ T5073] do_syscall_64+0x40/0x110 [ 63.890294][ T5073] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 63.896186][ T5073] [ 63.898495][ T5073] Memory state around the buggy address: [ 63.904112][ T5073] ffff88807d2a9f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 63.912220][ T5073] ffff88807d2a9f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 63.920267][ T5073] >ffff88807d2aa000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 63.928342][ T5073] ^ [ 63.934478][ T5073] ffff88807d2aa080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 63.942544][ T5073] ffff88807d2aa100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 63.950633][ T5073] ================================================================== [ 63.958879][ T5073] ================================================================== [ 63.966940][ T5073] BUG: KASAN: use-after-free in ntfs_attr_find+0xab6/0xbe0 [ 63.974142][ T5073] Read of size 4 at addr ffff88807d2aa038 by task syz-executor391/5073 [ 63.982370][ T5073] [ 63.984685][ T5073] CPU: 1 PID: 5073 Comm: syz-executor391 Tainted: G B 6.7.0-rc3-syzkaller-00033-g3b47bc037bd4 #0 [ 63.996648][ T5073] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 [ 64.006695][ T5073] Call Trace: [ 64.009977][ T5073] [ 64.012898][ T5073] dump_stack_lvl+0xd9/0x1b0 [ 64.017492][ T5073] print_report+0xc4/0x620 [ 64.021914][ T5073] ? __virt_addr_valid+0x5e/0x2d0 [ 64.026969][ T5073] ? __phys_addr+0xc6/0x140 [ 64.031470][ T5073] kasan_report+0xda/0x110 [ 64.035886][ T5073] ? ntfs_attr_find+0xab6/0xbe0 [ 64.040735][ T5073] ? ntfs_attr_find+0xab6/0xbe0 [ 64.045593][ T5073] ntfs_attr_find+0xab6/0xbe0 [ 64.050277][ T5073] ntfs_attr_lookup+0x10e0/0x2100 [ 64.055311][ T5073] ? ntfs_attr_reinit_search_ctx+0x3c0/0x3c0 [ 64.061305][ T5073] ? trace_kmem_cache_alloc+0x26/0xa0 [ 64.066687][ T5073] ? kmem_cache_alloc+0x1af/0x2f0 [ 64.071729][ T5073] ntfs_read_locked_inode+0x3810/0x5860 [ 64.077293][ T5073] ntfs_read_inode_mount+0xef9/0x2730 [ 64.082687][ T5073] ntfs_fill_super+0x185c/0x9100 [ 64.087629][ T5073] ? up_write+0x510/0x510 [ 64.091958][ T5073] ? rcu_is_watching+0x12/0xb0 [ 64.096721][ T5073] ? parse_options+0x1db0/0x1db0 [ 64.101670][ T5073] ? lock_sync+0x190/0x190 [ 64.106087][ T5073] ? spin_bug+0x1d0/0x1d0 [ 64.110409][ T5073] ? set_blocksize+0x2bd/0x360 [ 64.115178][ T5073] ? preempt_count_sub+0x160/0x160 [ 64.120282][ T5073] ? sb_set_blocksize+0xf6/0x120 [ 64.125220][ T5073] ? parse_options+0x1db0/0x1db0 [ 64.130155][ T5073] mount_bdev+0x1f3/0x2e0 [ 64.134489][ T5073] ? sget+0x640/0x640 [ 64.138497][ T5073] ? apparmor_capable+0x126/0x1e0 [ 64.143519][ T5073] ? ntfs_rl_punch_nolock+0x15d0/0x15d0 [ 64.149059][ T5073] legacy_get_tree+0x109/0x220 [ 64.153824][ T5073] vfs_get_tree+0x8c/0x370 [ 64.158241][ T5073] path_mount+0x1492/0x1ed0 [ 64.162746][ T5073] ? kmem_cache_free+0xf8/0x350 [ 64.167597][ T5073] ? finish_automount+0xa40/0xa40 [ 64.172621][ T5073] ? putname+0x12e/0x170 [ 64.176855][ T5073] __x64_sys_mount+0x293/0x310 [ 64.181621][ T5073] ? copy_mnt_ns+0xb60/0xb60 [ 64.186213][ T5073] ? syscall_trace_enter.constprop.0+0xaf/0x1e0 [ 64.192452][ T5073] do_syscall_64+0x40/0x110 [ 64.196999][ T5073] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 64.202895][ T5073] RIP: 0033:0x7f3fcba44daa [ 64.207301][ T5073] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 64.226903][ T5073] RSP: 002b:00007fffa61e1ed8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 64.235309][ T5073] RAX: ffffffffffffffda RBX: 00007fffa61e1ef0 RCX: 00007f3fcba44daa [ 64.243268][ T5073] RDX: 00000000200000c0 RSI: 00000000200001c0 RDI: 00007fffa61e1ef0 [ 64.251241][ T5073] RBP: 0000000000000004 R08: 00007fffa61e1f30 R09: 000000000001f63d [ 64.259213][ T5073] R10: 0000000000000004 R11: 0000000000000286 R12: 0000000000000004 [ 64.267180][ T5073] R13: 00007fffa61e1f30 R14: 0000000000000003 R15: 0000000000200000 [ 64.275150][ T5073] [ 64.278159][ T5073] [ 64.280473][ T5073] The buggy address belongs to the physical page: [ 64.286867][ T5073] page:ffffea0001f4aa80 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x7d2aa [ 64.297009][ T5073] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 64.304108][ T5073] page_type: 0xffffffff() [ 64.308425][ T5073] raw: 00fff00000000000 ffffea0001eb1a08 ffffea0001eb1288 0000000000000000 [ 64.317001][ T5073] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 64.325569][ T5073] page dumped because: kasan: bad access detected [ 64.331968][ T5073] page_owner tracks the page as freed [ 64.337317][ T5073] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5072, tgid 5072 (syz-executor391), ts 59152561300, free_ts 59175354439 [ 64.356244][ T5073] post_alloc_hook+0x2d0/0x350 [ 64.361014][ T5073] get_page_from_freelist+0xa25/0x36d0 [ 64.366475][ T5073] __alloc_pages+0x22e/0x2420 [ 64.371149][ T5073] alloc_pages_mpol+0x258/0x5f0 [ 64.375996][ T5073] vma_alloc_folio+0xad/0x220 [ 64.380719][ T5073] __handle_mm_fault+0xe07/0x3d70 [ 64.385752][ T5073] handle_mm_fault+0x47a/0xa10 [ 64.390522][ T5073] do_user_addr_fault+0x30b/0x1000 [ 64.395625][ T5073] exc_page_fault+0x5d/0xc0 [ 64.400136][ T5073] asm_exc_page_fault+0x26/0x30 [ 64.404982][ T5073] page last free stack trace: [ 64.409640][ T5073] free_unref_page_prepare+0x4fa/0xaa0 [ 64.415097][ T5073] free_unref_page_list+0xe6/0xb40 [ 64.420204][ T5073] release_pages+0x32a/0x14f0 [ 64.424866][ T5073] tlb_batch_pages_flush+0x9a/0x190 [ 64.430059][ T5073] tlb_finish_mmu+0x14b/0x6f0 [ 64.434729][ T5073] unmap_region.constprop.0+0x2e6/0x3b0 [ 64.440276][ T5073] do_vmi_align_munmap+0xde6/0x1600 [ 64.445464][ T5073] do_vmi_munmap+0x20e/0x450 [ 64.450047][ T5073] __vm_munmap+0x144/0x390 [ 64.454452][ T5073] __x64_sys_munmap+0x62/0x80 [ 64.459129][ T5073] do_syscall_64+0x40/0x110 [ 64.463626][ T5073] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 64.469520][ T5073] [ 64.471830][ T5073] Memory state around the buggy address: [ 64.477443][ T5073] ffff88807d2a9f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 64.485492][ T5073] ffff88807d2a9f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 64.493629][ T5073] >ffff88807d2aa000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 64.501672][ T5073] ^ [ 64.507543][ T5073] ffff88807d2aa080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [pid 5073] mount("/dev/loop0", "./file0", "ntfs", MS_NODEV, "" [pid 5066] kill(-5073, SIGKILL) = 0 [pid 5066] kill(5073, SIGKILL) = 0 [ 64.515592][ T5073] ffff88807d2aa100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 64.523722][ T5073] ================================================================== [ 64.531970][ T5073] __ntfs_error: 15 callbacks suppressed [ 64.531983][ T5073] ntfs: (device loop0): ntfs_is_extended_system_file(): Inode hard link count doesn't match number of name attributes. You should run chkdsk. [ 64.552060][ T5073] ntfs: (device loop0): ntfs_read_locked_inode(): $DATA attribute is missing. [pid 5073] <... mount resumed>) = ? [pid 5073] +++ killed by SIGKILL +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=5073, si_uid=0, si_status=SIGKILL, si_utime=0, si_stime=16 /* 0.16 s */} --- restart_syscall(<... resuming interrupted kill ...>) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 [ 64.561324][ T5073] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -2. Marking corrupt inode 0x0 as bad. Run chkdsk. [ 64.574838][ T5073] ntfs: (device loop0): ntfs_read_inode_mount(): ntfs_read_inode() of $MFT failed. BUG or corrupt $MFT. Run chkdsk and if no errors are found, please report you saw this message to linux-ntfs-dev@lists.sourceforge.net [ 64.595957][ T5073] ntfs: (device loop0): ntfs_fill_super(): Failed to load essential metadata. ioctl(3, LOOP_CLR_FD) = 0 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555557499650) = 5075 ./strace-static-x86_64: Process 5075 attached [pid 5075] set_robust_list(0x555557499660, 24) = 0 [pid 5075] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5075] setpgid(0, 0) = 0 [pid 5075] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5075] write(3, "1000", 4) = 4 [pid 5075] close(3) = 0 [pid 5075] memfd_create("syzkaller", 0) = 3 [pid 5075] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3fc3605000 [pid 5075] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\xf7\x9a\x81\x47\x2b\x73\xcf\x43\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 [pid 5075] munmap(0x7f3fc3605000, 138412032) = 0 [pid 5075] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5075] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5075] close(3) = 0 [pid 5075] mkdir("./file0", 0777) = -1 EEXIST (File exists) [ 64.774339][ T5075] loop0: detected capacity change from 0 to 4096 [ 64.796783][ T5075] ntfs: (device loop0): is_boot_sector_ntfs(): Invalid end of sector marker. [ 64.806581][ T5075] ================================================================== [ 64.814644][ T5075] BUG: KASAN: use-after-free in ntfs_attr_find+0xaa4/0xbe0 [ 64.821837][ T5075] Read of size 2 at addr ffff888052d88042 by task syz-executor391/5075 [ 64.830059][ T5075] [ 64.832365][ T5075] CPU: 1 PID: 5075 Comm: syz-executor391 Tainted: G B 6.7.0-rc3-syzkaller-00033-g3b47bc037bd4 #0 [ 64.844230][ T5075] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 [ 64.854272][ T5075] Call Trace: [ 64.857536][ T5075] [ 64.860452][ T5075] dump_stack_lvl+0xd9/0x1b0 [ 64.865029][ T5075] print_report+0xc4/0x620 [ 64.869433][ T5075] ? __virt_addr_valid+0x5e/0x2d0 [ 64.874456][ T5075] ? __phys_addr+0xc6/0x140 [ 64.878942][ T5075] kasan_report+0xda/0x110 [ 64.883347][ T5075] ? ntfs_attr_find+0xaa4/0xbe0 [ 64.888181][ T5075] ? ntfs_attr_find+0xaa4/0xbe0 [ 64.893044][ T5075] ntfs_attr_find+0xaa4/0xbe0 [ 64.897714][ T5075] ntfs_attr_lookup+0x10e0/0x2100 [ 64.902733][ T5075] ? ntfs_attr_reinit_search_ctx+0x3c0/0x3c0 [ 64.908709][ T5075] ? trace_kmem_cache_alloc+0x26/0xa0 [ 64.914064][ T5075] ? kmem_cache_alloc+0x1af/0x2f0 [ 64.919074][ T5075] ntfs_read_locked_inode+0x9bf/0x5860 [ 64.924536][ T5075] ntfs_read_inode_mount+0xef9/0x2730 [ 64.929910][ T5075] ntfs_fill_super+0x185c/0x9100 [ 64.934834][ T5075] ? up_write+0x510/0x510 [ 64.939166][ T5075] ? rcu_is_watching+0x12/0xb0 [ 64.943913][ T5075] ? parse_options+0x1db0/0x1db0 [ 64.948832][ T5075] ? lock_sync+0x190/0x190 [ 64.953234][ T5075] ? spin_bug+0x1d0/0x1d0 [ 64.957629][ T5075] ? set_blocksize+0x2bd/0x360 [ 64.962382][ T5075] ? preempt_count_sub+0x160/0x160 [ 64.967475][ T5075] ? sb_set_blocksize+0xf6/0x120 [ 64.972399][ T5075] ? parse_options+0x1db0/0x1db0 [ 64.977314][ T5075] mount_bdev+0x1f3/0x2e0 [ 64.981637][ T5075] ? sget+0x640/0x640 [ 64.985601][ T5075] ? apparmor_capable+0x126/0x1e0 [ 64.990613][ T5075] ? ntfs_rl_punch_nolock+0x15d0/0x15d0 [ 64.996141][ T5075] legacy_get_tree+0x109/0x220 [ 65.000889][ T5075] vfs_get_tree+0x8c/0x370 [ 65.005287][ T5075] path_mount+0x1492/0x1ed0 [ 65.009768][ T5075] ? kmem_cache_free+0xf8/0x350 [ 65.014605][ T5075] ? finish_automount+0xa40/0xa40 [ 65.019617][ T5075] ? putname+0x12e/0x170