[ OK ] Reached target Graphical Interface.
       Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
       Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.141' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 29.164315] ntfs: (device loop0): parse_options(): Option utf8 is no longer supported, using option nls=utf8. Please use option nls=utf8 in the future and make sure utf8 is compiled either as a module or into the kernel.
[ 29.184591] ntfs: (device loop0): parse_options(): Invalid mft_zone_multiplier. Using default value, i.e. 1.
[ 29.196118] ==================================================================
[ 29.203480] BUG: KASAN: slab-out-of-bounds in ntfs_attr_find+0xacd/0xc20
[ 29.210312] Read of size 2 at addr ffff888095409ab2 by task syz-executor216/7974
[ 29.217960]
[ 29.219576] CPU: 0 PID: 7974 Comm: syz-executor216 Not tainted 4.14.295-syzkaller #0
[ 29.227433] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
[ 29.236766] Call Trace:
[ 29.239353]  dump_stack+0x1b2/0x281
[ 29.242961]  print_address_description.cold+0x54/0x1d3
[ 29.248211]  kasan_report_error.cold+0x8a/0x191
[ 29.252865]  ? ntfs_attr_find+0xacd/0xc20
[ 29.256986]  __asan_report_load_n_noabort+0x6b/0x80
[ 29.261978]  ? ntfs_attr_find+0xacd/0xc20
[ 29.266105]  ntfs_attr_find+0xacd/0xc20
[ 29.270154]  ntfs_attr_lookup+0xeca/0x1f30
[ 29.274363]  ? do_raw_spin_unlock+0x164/0x220
[ 29.278831]  ? _raw_spin_unlock+0x29/0x40
[ 29.282953]  ? cache_alloc_refill+0x2fa/0x350
[ 29.287423]  ? __wait_on_bit+0x150/0x150
[ 29.291460]  ? check_preemption_disabled+0x35/0x240
[ 29.296450]  ? ntfs_attr_reinit_search_ctx+0x3c0/0x3c0
[ 29.301702]  ? kmem_cache_alloc+0x2f8/0x3c0
[ 29.306026]  ntfs_read_inode_mount+0x726/0x2060
[ 29.310676]  ntfs_fill_super+0x9a6/0x7170
[ 29.314802]  ? vsnprintf+0x260/0x1340
[ 29.318589]  ? pointer+0x9e0/0x9e0
[ 29.322106]  ? lock_downgrade+0x740/0x740
[ 29.326228]  ? ntfs_big_inode_init_once+0x20/0x20
[ 29.331041]  ? snprintf+0xa5/0xd0
[ 29.334472]  ? vsprintf+0x30/0x30
[ 29.337928]  ? ns_test_super+0x50/0x50
[ 29.341792]  ? set_blocksize+0x125/0x380
[ 29.345828]  mount_bdev+0x2b3/0x360
[ 29.349431]  ? ntfs_big_inode_init_once+0x20/0x20
[ 29.354246]  mount_fs+0x92/0x2a0
[ 29.357676]  vfs_kern_mount.part.0+0x5b/0x470
[ 29.362146]  do_mount+0xe65/0x2a30
[ 29.365662]  ? copy_mount_string+0x40/0x40
[ 29.369871]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 29.374868]  ? copy_mnt_ns+0xa30/0xa30
[ 29.378731]  ? copy_mount_options+0x1fa/0x2f0
[ 29.383233]  ? copy_mnt_ns+0xa30/0xa30
[ 29.387117]  SyS_mount+0xa8/0x120
[ 29.390556]  ? copy_mnt_ns+0xa30/0xa30
[ 29.394428]  do_syscall_64+0x1d5/0x640
[ 29.398415]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 29.403590] RIP: 0033:0x7f8b3de8aa7a
[ 29.407287] RSP: 002b:00007ffe1476d448 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 29.414968] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8b3de8aa7a
[ 29.422215] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffe1476d460
[ 29.429478] RBP: 00007ffe1476d460 R08: 00007ffe1476d4a0 R09: 00007ffe1476d4b0
[ 29.436723] R10: 0000000000000000 R11: 0000000000000286 R12: 0000000000000004
[ 29.444102] R13: 00007ffe1476d4a0 R14: 0000000000000088 R15: 0000000020000ec0
[ 29.451352]
[ 29.452956] Allocated by task 6274:
[ 29.456560]  kasan_kmalloc+0xeb/0x160
[ 29.460335]  kmem_cache_alloc+0x124/0x3c0
[ 29.464460]  getname_flags+0xc8/0x550
[ 29.468234]  user_path_at_empty+0x2a/0x50
[ 29.472354]  SyS_readlinkat+0xa8/0x270
[ 29.476214]  do_syscall_64+0x1d5/0x640
[ 29.480074]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 29.485232]
[ 29.486834] Freed by task 6274:
[ 29.490090]  kasan_slab_free+0xc3/0x1a0
[ 29.494038]  kmem_cache_free+0x7c/0x2b0
[ 29.498003]  putname+0xcd/0x110
[ 29.501255]  filename_lookup+0x37b/0x510
[ 29.505288]  SyS_readlinkat+0xa8/0x270
[ 29.509150]  do_syscall_64+0x1d5/0x640
[ 29.513013]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 29.518172]
[ 29.519775] The buggy address belongs to the object at ffff888095408380
[ 29.519775]  which belongs to the cache names_cache of size 4096
[ 29.532491] The buggy address is located 1842 bytes to the right of
[ 29.532491]  4096-byte region [ffff888095408380, ffff888095409380)
[ 29.545036] The buggy address belongs to the page:
[ 29.549942] page:ffffea0002550200 count:1 mapcount:0 mapping:ffff888095408380 index:0x0 compound_mapcount: 0
[ 29.559932] flags: 0xfff00000008100(slab|head)
[ 29.564498] raw: 00fff00000008100 ffff888095408380 0000000000000000 0000000100000001
[ 29.572355] raw: ffffea0002cb2120 ffffea000257a3a0 ffff88823f8c1200 0000000000000000
[ 29.580222] page dumped because: kasan: bad access detected
[ 29.585903]
[ 29.587508] Memory state around the buggy address:
[ 29.592418]  ffff888095409980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.599755]  ffff888095409a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.607100] >ffff888095409a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.614438]                                      ^
[ 29.619349]  ffff888095409b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.626696]  ffff888095409b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.634127] ==================================================================
[ 29.641463] Disabling lock debugging due to kernel taint
[ 29.652440] Kernel panic - not syncing: panic_on_warn set ...
[ 29.652440]
[ 29.659816] CPU: 1 PID: 7974 Comm: syz-executor216 Tainted: G B 4.14.295-syzkaller #0
[ 29.668902] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
[ 29.678372] Call Trace:
[ 29.680947]  dump_stack+0x1b2/0x281
[ 29.684559]  panic+0x1f9/0x42d
[ 29.687731]  ? add_taint.cold+0x16/0x16
[ 29.691689]  ? ___preempt_schedule+0x16/0x18
[ 29.696083]  kasan_end_report+0x43/0x49
[ 29.700041]  kasan_report_error.cold+0xa7/0x191
[ 29.704700]  ? ntfs_attr_find+0xacd/0xc20
[ 29.708858]  __asan_report_load_n_noabort+0x6b/0x80
[ 29.714033]  ? ntfs_attr_find+0xacd/0xc20
[ 29.718162]  ntfs_attr_find+0xacd/0xc20
[ 29.722129]  ntfs_attr_lookup+0xeca/0x1f30
[ 29.726359]  ? do_raw_spin_unlock+0x164/0x220
[ 29.730838]  ? _raw_spin_unlock+0x29/0x40
[ 29.734965]  ? cache_alloc_refill+0x2fa/0x350
[ 29.739444]  ? __wait_on_bit+0x150/0x150
[ 29.743489]  ? check_preemption_disabled+0x35/0x240
[ 29.748487]  ? ntfs_attr_reinit_search_ctx+0x3c0/0x3c0
[ 29.753741]  ? kmem_cache_alloc+0x2f8/0x3c0
[ 29.758035]  ntfs_read_inode_mount+0x726/0x2060
[ 29.762679]  ntfs_fill_super+0x9a6/0x7170
[ 29.766800]  ? vsnprintf+0x260/0x1340
[ 29.770574]  ? pointer+0x9e0/0x9e0
[ 29.774085]  ? lock_downgrade+0x740/0x740
[ 29.778205]  ? ntfs_big_inode_init_once+0x20/0x20
[ 29.783021]  ? snprintf+0xa5/0xd0
[ 29.786447]  ? vsprintf+0x30/0x30
[ 29.789878]  ? ns_test_super+0x50/0x50
[ 29.793764]  ? set_blocksize+0x125/0x380
[ 29.797810]  mount_bdev+0x2b3/0x360
[ 29.801442]  ? ntfs_big_inode_init_once+0x20/0x20
[ 29.806262]  mount_fs+0x92/0x2a0
[ 29.809613]  vfs_kern_mount.part.0+0x5b/0x470
[ 29.814171]  do_mount+0xe65/0x2a30
[ 29.817797]  ? copy_mount_string+0x40/0x40
[ 29.822009]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 29.826997]  ? copy_mnt_ns+0xa30/0xa30
[ 29.830877]  ? copy_mount_options+0x1fa/0x2f0
[ 29.835349]  ? copy_mnt_ns+0xa30/0xa30
[ 29.839214]  SyS_mount+0xa8/0x120
[ 29.842640]  ? copy_mnt_ns+0xa30/0xa30
[ 29.846512]  do_syscall_64+0x1d5/0x640
[ 29.850376]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 29.855542] RIP: 0033:0x7f8b3de8aa7a
[ 29.859251] RSP: 002b:00007ffe1476d448 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 29.866941] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8b3de8aa7a
[ 29.874192] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffe1476d460
[ 29.881451] RBP: 00007ffe1476d460 R08: 00007ffe1476d4a0 R09: 00007ffe1476d4b0
[ 29.888970] R10: 0000000000000000 R11: 0000000000000286 R12: 0000000000000004
[ 29.896222] R13: 00007ffe1476d4a0 R14: 0000000000000088 R15: 0000000020000ec0
[ 29.903674] Kernel Offset: disabled
[ 29.907298] Rebooting in 86400 seconds..