[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.179' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 53.036415] ==================================================================
[ 53.043821] BUG: KASAN: use-after-free in ntfs_attr_find+0xacd/0xc20
[ 53.050307] Read of size 2 at addr ffff8881677960ab by task syz-executor577/8001
[ 53.057827]
[ 53.059450] CPU: 1 PID: 8001 Comm: syz-executor577 Not tainted 4.14.295-syzkaller #0
[ 53.067673] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
[ 53.077013] Call Trace:
[ 53.079581]  dump_stack+0x1b2/0x281
[ 53.083198]  print_address_description.cold+0x54/0x1d3
[ 53.088453]  kasan_report_error.cold+0x8a/0x191
[ 53.093213]  ? ntfs_attr_find+0xacd/0xc20
[ 53.097350]  __asan_report_load_n_noabort+0x6b/0x80
[ 53.102350]  ? ntfs_attr_find+0xacd/0xc20
[ 53.106622]  ntfs_attr_find+0xacd/0xc20
[ 53.110604]  ntfs_attr_lookup+0xeca/0x1f30
[ 53.114815]  ? alloc_pages_current+0x15d/0x260
[ 53.119379]  ? do_read_cache_page+0xcd/0xc10
[ 53.123794]  ? ntfs_end_buffer_async_read+0x10a0/0x10a0
[ 53.129137]  ? check_preemption_disabled+0x35/0x240
[ 53.134130]  ? ntfs_attr_reinit_search_ctx+0x3c0/0x3c0
[ 53.139381]  ? kmem_cache_alloc+0x2f8/0x3c0
[ 53.143676]  ntfs_read_locked_inode+0xa8d/0x51b0
[ 53.148406]  ? _raw_spin_unlock+0x29/0x40
[ 53.152530]  ? iget5_locked+0x129/0x450
[ 53.156477]  ? ntfs_index_lookup+0x2780/0x2780
[ 53.161030]  ntfs_iget+0xfa/0x130
[ 53.164453]  ? ntfs_read_locked_inode+0x51b0/0x51b0
[ 53.169440]  ? __lockdep_init_map+0x100/0x560
[ 53.173999]  ntfs_fill_super+0x1be3/0x7170
[ 53.179548]  ? lock_downgrade+0x740/0x740
[ 53.183755]  ? ntfs_big_inode_init_once+0x20/0x20
[ 53.188606]  ? snprintf+0xa5/0xd0
[ 53.192032]  ? vsprintf+0x30/0x30
[ 53.195460]  mount_bdev+0x2b3/0x360
[ 53.199058]  ? ntfs_big_inode_init_once+0x20/0x20
[ 53.203886]  mount_fs+0x92/0x2a0
[ 53.207241]  vfs_kern_mount.part.0+0x5b/0x470
[ 53.211719]  do_mount+0xe65/0x2a30
[ 53.215511]  ? copy_mount_string+0x40/0x40
[ 53.219722]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 53.224726]  ? copy_mnt_ns+0xa30/0xa30
[ 53.228593]  ? copy_mount_options+0x1fa/0x2f0
[ 53.233066]  ? copy_mnt_ns+0xa30/0xa30
[ 53.237016]  SyS_mount+0xa8/0x120
[ 53.240441]  ? copy_mnt_ns+0xa30/0xa30
[ 53.244300]  do_syscall_64+0x1d5/0x640
[ 53.248161]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 53.253323] RIP: 0033:0x7f87530a89ca
[ 53.257007] RSP: 002b:00007ffc448ff628 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 53.264687] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f87530a89ca
[ 53.271930] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffc448ff640
[ 53.279172] RBP: 00007ffc448ff640 R08: 00007ffc448ff680 R09: 000055555637f2c0
[ 53.286545] R10: 0000000000000000 R11: 0000000000000286 R12: 0000000000000004
[ 53.293797] R13: 00007ffc448ff680 R14: 000000000000013b R15: 0000000020001f88
[ 53.301050]
[ 53.302659] The buggy address belongs to the page:
[ 53.307565] page:ffffea00059de580 count:0 mapcount:0 mapping: (null) index:0x0
[ 53.315683] flags: 0x57ff00000000000()
[ 53.319546] raw: 057ff00000000000 0000000000000000 0000000000000000 00000000ffffffff
[ 53.327411] raw: ffffea00059de5a0 ffffea00059de5a0 0000000000000000 0000000000000000
[ 53.335266] page dumped because: kasan: bad access detected
[ 53.340972]
[ 53.342578] Memory state around the buggy address:
[ 53.347486]  ffff888167795f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 53.354822]  ffff888167796000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 53.362157] >ffff888167796080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 53.370015]                                   ^
[ 53.374659]  ffff888167796100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 53.381999]  ffff888167796180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 53.389334] ==================================================================
[ 53.396667] Disabling lock debugging due to kernel taint
[ 53.402171] Kernel panic - not syncing: panic_on_warn set ...
[ 53.402171]
[ 53.409528] CPU: 1 PID: 8001 Comm: syz-executor577 Tainted: G B 4.14.295-syzkaller #0
[ 53.418606] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
[ 53.427944] Call Trace:
[ 53.430512]  dump_stack+0x1b2/0x281
[ 53.434113]  panic+0x1f9/0x42d
[ 53.437282]  ? add_taint.cold+0x16/0x16
[ 53.441231]  ? ___preempt_schedule+0x16/0x18
[ 53.445621]  kasan_end_report+0x43/0x49
[ 53.449577]  kasan_report_error.cold+0xa7/0x191
[ 53.454305]  ? ntfs_attr_find+0xacd/0xc20
[ 53.458427]  __asan_report_load_n_noabort+0x6b/0x80
[ 53.463414]  ? ntfs_attr_find+0xacd/0xc20
[ 53.467535]  ntfs_attr_find+0xacd/0xc20
[ 53.471482]  ntfs_attr_lookup+0xeca/0x1f30
[ 53.475691]  ? alloc_pages_current+0x15d/0x260
[ 53.480250]  ? do_read_cache_page+0xcd/0xc10
[ 53.484629]  ? ntfs_end_buffer_async_read+0x10a0/0x10a0
[ 53.489966]  ? check_preemption_disabled+0x35/0x240
[ 53.494963]  ? ntfs_attr_reinit_search_ctx+0x3c0/0x3c0
[ 53.500211]  ? kmem_cache_alloc+0x2f8/0x3c0
[ 53.504505]  ntfs_read_locked_inode+0xa8d/0x51b0
[ 53.509234]  ? _raw_spin_unlock+0x29/0x40
[ 53.513356]  ? iget5_locked+0x129/0x450
[ 53.517302]  ? ntfs_index_lookup+0x2780/0x2780
[ 53.521856]  ntfs_iget+0xfa/0x130
[ 53.525282]  ? ntfs_read_locked_inode+0x51b0/0x51b0
[ 53.530270]  ? __lockdep_init_map+0x100/0x560
[ 53.534736]  ntfs_fill_super+0x1be3/0x7170
[ 53.538945]  ? lock_downgrade+0x740/0x740
[ 53.543064]  ? ntfs_big_inode_init_once+0x20/0x20
[ 53.547881]  ? snprintf+0xa5/0xd0
[ 53.551305]  ? vsprintf+0x30/0x30
[ 53.554731]  mount_bdev+0x2b3/0x360
[ 53.558331]  ? ntfs_big_inode_init_once+0x20/0x20
[ 53.563144]  mount_fs+0x92/0x2a0
[ 53.566483]  vfs_kern_mount.part.0+0x5b/0x470
[ 53.570951]  do_mount+0xe65/0x2a30
[ 53.574465]  ? copy_mount_string+0x40/0x40
[ 53.578672]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 53.583658]  ? copy_mnt_ns+0xa30/0xa30
[ 53.587518]  ? copy_mount_options+0x1fa/0x2f0
[ 53.591985]  ? copy_mnt_ns+0xa30/0xa30
[ 53.595842]  SyS_mount+0xa8/0x120
[ 53.599266]  ? copy_mnt_ns+0xa30/0xa30
[ 53.603126]  do_syscall_64+0x1d5/0x640
[ 53.606989]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 53.612149] RIP: 0033:0x7f87530a89ca
[ 53.615833] RSP: 002b:00007ffc448ff628 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 53.623598] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f87530a89ca
[ 53.630844] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffc448ff640
[ 53.638088] RBP: 00007ffc448ff640 R08: 00007ffc448ff680 R09: 000055555637f2c0
[ 53.645332] R10: 0000000000000000 R11: 0000000000000286 R12: 0000000000000004
[ 53.652575] R13: 00007ffc448ff680 R14: 000000000000013b R15: 0000000020001f88
[ 53.659991] Kernel Offset: disabled
[ 53.663594] Rebooting in 86400 seconds..