[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.238' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 26.811527] ntfs: (device loop0): is_boot_sector_ntfs(): Invalid end of sector marker.
[ 26.820032] ==================================================================
[ 26.827402] BUG: KASAN: use-after-free in ntfs_attr_find+0xacd/0xc20
[ 26.833881] Read of size 2 at addr ffff8880958b32aa by task syz-executor363/7959
[ 26.841435]
[ 26.843039] CPU: 1 PID: 7959 Comm: syz-executor363 Not tainted 4.14.294-syzkaller #0
[ 26.850890] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
[ 26.860217] Call Trace:
[ 26.862779] dump_stack+0x1b2/0x281
[ 26.866379] print_address_description.cold+0x54/0x1d3
[ 26.871626] kasan_report_error.cold+0x8a/0x191
[ 26.876268] ? ntfs_attr_find+0xacd/0xc20
[ 26.880388] __asan_report_load_n_noabort+0x6b/0x80
[ 26.885377] ? ntfs_attr_find+0xacd/0xc20
[ 26.889498] ntfs_attr_find+0xacd/0xc20
[ 26.893444] ntfs_attr_lookup+0xeca/0x1f30
[ 26.897648] ? do_raw_spin_unlock+0x164/0x220
[ 26.902116] ? _raw_spin_unlock+0x29/0x40
[ 26.906235] ? cache_alloc_refill+0x2fa/0x350
[ 26.910703] ? __wait_on_bit+0x150/0x150
[ 26.914734] ? check_preemption_disabled+0x35/0x240
[ 26.919722] ? ntfs_attr_reinit_search_ctx+0x3c0/0x3c0
[ 26.924968] ? kmem_cache_alloc+0x2f8/0x3c0
[ 26.929260] ntfs_read_inode_mount+0x726/0x2060
[ 26.933910] ntfs_fill_super+0x9a6/0x7170
[ 26.938029] ? vsnprintf+0x260/0x1340
[ 26.941812] ? pointer+0x9e0/0x9e0
[ 26.945324] ? lock_downgrade+0x740/0x740
[ 26.949448] ? ntfs_big_inode_init_once+0x20/0x20
[ 26.954259] ? snprintf+0xa5/0xd0
[ 26.957681] ? vsprintf+0x30/0x30
[ 26.961107] ? ns_test_super+0x50/0x50
[ 26.964965] ? set_blocksize+0x125/0x380
[ 26.968998] mount_bdev+0x2b3/0x360
[ 26.972597] ? ntfs_big_inode_init_once+0x20/0x20
[ 26.977411] mount_fs+0x92/0x2a0
[ 26.980750] vfs_kern_mount.part.0+0x5b/0x470
[ 26.985217] do_mount+0xe65/0x2a30
[ 26.988727] ? copy_mount_string+0x40/0x40
[ 26.992949] ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 26.997946] ? copy_mnt_ns+0xa30/0xa30
[ 27.001804] ? copy_mount_options+0x1fa/0x2f0
[ 27.006270] ? copy_mnt_ns+0xa30/0xa30
[ 27.010128] SyS_mount+0xa8/0x120
[ 27.013553] ? copy_mnt_ns+0xa30/0xa30
[ 27.017412] do_syscall_64+0x1d5/0x640
[ 27.021274] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 27.026445] RIP: 0033:0x7ff4d523bd2a
[ 27.030128] RSP: 002b:00007ffe9a381478 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 27.037816] RAX: ffffffffffffffda RBX: 00007ffe9a3814d0 RCX: 00007ff4d523bd2a
[ 27.045071] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffe9a381490
[ 27.052314] RBP: 00007ffe9a381490 R08: 00007ffe9a3814d0 R09: 0000000000000000
[ 27.059558] R10: 0000000000000000 R11: 0000000000000286 R12: 0000000020000290
[ 27.066801] R13: 0000000000000003 R14: 0000000000000004 R15: 0000000000000006
[ 27.074044]
[ 27.075655] Allocated by task 1:
[ 27.079001] kasan_kmalloc+0xeb/0x160
[ 27.082777] kmem_cache_alloc+0x124/0x3c0
[ 27.086895] getname_flags+0xc8/0x550
[ 27.090667] user_path_at_empty+0x2a/0x50
[ 27.094784] vfs_statx+0xd1/0x180
[ 27.098212] SyS_newlstat+0x83/0xe0
[ 27.101820] do_syscall_64+0x1d5/0x640
[ 27.105696] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 27.110953]
[ 27.112553] Freed by task 1:
[ 27.115548] kasan_slab_free+0xc3/0x1a0
[ 27.119493] kmem_cache_free+0x7c/0x2b0
[ 27.123440] putname+0xcd/0x110
[ 27.126689] filename_lookup+0x37b/0x510
[ 27.130737] vfs_statx+0xd1/0x180
[ 27.134160] SyS_newlstat+0x83/0xe0
[ 27.137776] do_syscall_64+0x1d5/0x640
[ 27.141637] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 27.146799]
[ 27.148402] The buggy address belongs to the object at ffff8880958b2b80
[ 27.148402] which belongs to the cache names_cache of size 4096
[ 27.161121] The buggy address is located 1834 bytes inside of
[ 27.161121] 4096-byte region [ffff8880958b2b80, ffff8880958b3b80)
[ 27.173242] The buggy address belongs to the page:
[ 27.178147] page:ffffea0002562c80 count:1 mapcount:0 mapping:ffff8880958b2b80 index:0x0 compound_mapcount: 0
[ 27.188091] flags: 0xfff00000008100(slab|head)
[ 27.192646] raw: 00fff00000008100 ffff8880958b2b80 0000000000000000 0000000100000001
[ 27.200497] raw: ffffea0002cc7120 ffffea00025b89a0 ffff88823f8c1200 0000000000000000
[ 27.208348] page dumped because: kasan: bad access detected
[ 27.214033]
[ 27.215629] Memory state around the buggy address:
[ 27.220529] ffff8880958b3180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.227857] ffff8880958b3200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.235189] >ffff8880958b3280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.242532] ^
[ 27.247173] ffff8880958b3300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.254514] ffff8880958b3380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.261844] ==================================================================
[ 27.269170] Disabling lock debugging due to kernel taint
[ 27.274953] Kernel panic - not syncing: panic_on_warn set ...
[ 27.274953]
[ 27.282315] CPU: 1 PID: 7959 Comm: syz-executor363 Tainted: G B 4.14.294-syzkaller #0
[ 27.291397] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
[ 27.300737] Call Trace:
[ 27.303311] dump_stack+0x1b2/0x281
[ 27.306921] panic+0x1f9/0x42d
[ 27.310087] ? add_taint.cold+0x16/0x16
[ 27.314043] ? ___preempt_schedule+0x16/0x18
[ 27.318433] kasan_end_report+0x43/0x49
[ 27.322383] kasan_report_error.cold+0xa7/0x191
[ 27.327027] ? ntfs_attr_find+0xacd/0xc20
[ 27.331155] __asan_report_load_n_noabort+0x6b/0x80
[ 27.336155] ? ntfs_attr_find+0xacd/0xc20
[ 27.340295] ntfs_attr_find+0xacd/0xc20
[ 27.344251] ntfs_attr_lookup+0xeca/0x1f30
[ 27.348462] ? do_raw_spin_unlock+0x164/0x220
[ 27.352937] ? _raw_spin_unlock+0x29/0x40
[ 27.357061] ? cache_alloc_refill+0x2fa/0x350
[ 27.361532] ? __wait_on_bit+0x150/0x150
[ 27.365575] ? check_preemption_disabled+0x35/0x240
[ 27.370565] ? ntfs_attr_reinit_search_ctx+0x3c0/0x3c0
[ 27.375829] ? kmem_cache_alloc+0x2f8/0x3c0
[ 27.380123] ntfs_read_inode_mount+0x726/0x2060
[ 27.384769] ntfs_fill_super+0x9a6/0x7170
[ 27.388890] ? vsnprintf+0x260/0x1340
[ 27.392661] ? pointer+0x9e0/0x9e0
[ 27.396182] ? lock_downgrade+0x740/0x740
[ 27.400303] ? ntfs_big_inode_init_once+0x20/0x20
[ 27.405117] ? snprintf+0xa5/0xd0
[ 27.408542] ? vsprintf+0x30/0x30
[ 27.411969] ? ns_test_super+0x50/0x50
[ 27.415828] ? set_blocksize+0x125/0x380
[ 27.419863] mount_bdev+0x2b3/0x360
[ 27.423463] ? ntfs_big_inode_init_once+0x20/0x20
[ 27.428276] mount_fs+0x92/0x2a0
[ 27.431634] vfs_kern_mount.part.0+0x5b/0x470
[ 27.436103] do_mount+0xe65/0x2a30
[ 27.439671] ? copy_mount_string+0x40/0x40
[ 27.443893] ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 27.448888] ? copy_mnt_ns+0xa30/0xa30
[ 27.452752] ? copy_mount_options+0x1fa/0x2f0
[ 27.457233] ? copy_mnt_ns+0xa30/0xa30
[ 27.461096] SyS_mount+0xa8/0x120
[ 27.464612] ? copy_mnt_ns+0xa30/0xa30
[ 27.468474] do_syscall_64+0x1d5/0x640
[ 27.472355] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 27.477519] RIP: 0033:0x7ff4d523bd2a
[ 27.481199] RSP: 002b:00007ffe9a381478 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 27.488931] RAX: ffffffffffffffda RBX: 00007ffe9a3814d0 RCX: 00007ff4d523bd2a
[ 27.496178] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffe9a381490
[ 27.503428] RBP: 00007ffe9a381490 R08: 00007ffe9a3814d0 R09: 0000000000000000
[ 27.510682] R10: 0000000000000000 R11: 0000000000000286 R12: 0000000020000290
[ 27.517942] R13: 0000000000000003 R14: 0000000000000004 R15: 0000000000000006
[ 27.525355] Kernel Offset: disabled
[ 27.528965] Rebooting in 86400 seconds..