./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3646608770

<...>
forked to background, child pid 3188
no interfaces have a carrier
[   23.504811][ T3189] 8021q: adding VLAN 0 to HW filter on device bond0
[   23.513941][ T3189] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK

syzkaller
Warning: Permanently added '10.128.0.155' (ECDSA) to the list of known hosts.
execve("./syz-executor3646608770", ["./syz-executor3646608770"], 0x7fff834afe90 /* 10 vars */) = 0
brk(NULL)                               = 0x5555559a9000
brk(0x5555559a9c40)                     = 0x5555559a9c40
arch_prctl(ARCH_SET_FS, 0x5555559a9300) = 0
uname({sysname="Linux", nodename="syzkaller", ...}) = 0
readlink("/proc/self/exe", "/root/syz-executor3646608770", 4096) = 28
brk(0x5555559cac40)                     = 0x5555559cac40
brk(0x5555559cb000)                     = 0x5555559cb000
mprotect(0x7efcb8c49000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
memfd_create("syzkaller", 0)            = 3
ftruncate(3, 32768)                     = 0
pwrite64(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x08\x01\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x03\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\xff\x01\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x02", 69, 0) = 69
pwrite64(3, "\x46\x49\x4c\x45\xfe\xff\x05\x00\x00\x00\x00\x00\xfd\xff\xff\xff\x01\x00\x01\x00\xff\xff\x00\x00\xa0\x01\x00\x00\x00\x08", 30, 16384) = 30
openat(AT_FDCWD, "/dev/loop0", O_RDWR)  = 4
ioctl(4, LOOP_SET_FD, 3)                = 0
mkdir("./file0", 0777)                  = 0
syzkaller login: [   39.728068][ T3610] loop0: detected capacity change from 0 to 64
[   39.737473][ T3610] ntfs: (device loop0): is_boot_sector_ntfs(): Invalid end of sector marker.
[   39.746809][ T3610] ==================================================================
[   39.754870][ T3610] BUG: KASAN: use-after-free in ntfs_attr_find+0xc02/0xce0
[   39.762085][ T3610] Read of size 2 at addr ffff888021f8e009 by task syz-executor364/3610
[   39.770355][ T3610] 
[   39.772666][ T3610] CPU: 0 PID: 3610 Comm: syz-executor364 Not tainted 6.0.0-rc2-next-20220824-syzkaller #0
[   39.782538][ T3610] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
[   39.792579][ T3610] Call Trace:
[   39.795845][ T3610]  <TASK>
[   39.798766][ T3610]  dump_stack_lvl+0xcd/0x134
[   39.803356][ T3610]  print_report.cold+0x2ba/0x719
[   39.808307][ T3610]  ? ntfs_attr_find+0xc02/0xce0
[   39.813169][ T3610]  kasan_report+0xb1/0x1e0
[   39.817579][ T3610]  ? ntfs_attr_find+0xc02/0xce0
[   39.822420][ T3610]  ntfs_attr_find+0xc02/0xce0
[   39.827088][ T3610]  ? __kasan_init_slab_obj+0x21/0x30
[   39.832364][ T3610]  ntfs_attr_lookup+0x1056/0x2070
[   39.837398][ T3610]  ? ntfs_attr_get_search_ctx+0x41/0x200
[   39.843023][ T3610]  ? out_of_line_wait_on_bit+0xd5/0x110
[   39.848560][ T3610]  ? ntfs_attr_reinit_search_ctx+0x3c0/0x3c0
[   39.854549][ T3610]  ? rcu_read_lock_sched_held+0xd/0x70
[   39.860032][ T3610]  ? trace_kmem_cache_alloc+0x32/0xf0
[   39.865430][ T3610]  ? kmem_cache_alloc+0x1f0/0x3d0
[   39.870470][ T3610]  ntfs_read_inode_mount+0x89a/0x2580
[   39.875861][ T3610]  ntfs_fill_super+0x1799/0x92f0
[   39.880819][ T3610]  ? lock_downgrade+0x6e0/0x6e0
[   39.885679][ T3610]  ? parse_options+0x1d70/0x1d70
[   39.890641][ T3610]  ? snprintf+0xbb/0xf0
[   39.894823][ T3610]  ? vsprintf+0x30/0x30
[   39.898988][ T3610]  ? wait_for_completion_io_timeout+0x20/0x20
[   39.905068][ T3610]  ? up_write+0x148/0x470
[   39.909414][ T3610]  ? set_blocksize+0x2e5/0x370
[   39.914189][ T3610]  mount_bdev+0x34d/0x410
[   39.918542][ T3610]  ? parse_options+0x1d70/0x1d70
[   39.923509][ T3610]  ? ntfs_rl_punch_nolock+0x15b0/0x15b0
[   39.929065][ T3610]  legacy_get_tree+0x105/0x220
[   39.933849][ T3610]  vfs_get_tree+0x89/0x2f0
[   39.938277][ T3610]  path_mount+0x1326/0x1e20
[   39.942799][ T3610]  ? kmem_cache_free+0xe7/0x5b0
[   39.947661][ T3610]  ? finish_automount+0x960/0x960
[   39.952719][ T3610]  ? putname+0xfe/0x140
[   39.956891][ T3610]  __x64_sys_mount+0x27f/0x300
[   39.961687][ T3610]  ? copy_mnt_ns+0xae0/0xae0
[   39.966293][ T3610]  ? _raw_spin_unlock_irq+0x2a/0x40
[   39.971508][ T3610]  ? ptrace_notify+0xfa/0x140
[   39.976199][ T3610]  do_syscall_64+0x35/0xb0
[   39.980626][ T3610]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   39.986543][ T3610] RIP: 0033:0x7efcb8bde17a
[   39.990967][ T3610] Code: 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[   40.010596][ T3610] RSP: 002b:00007ffea5c543c8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[   40.019015][ T3610] RAX: ffffffffffffffda RBX: 00007ffea5c54420 RCX: 00007efcb8bde17a
[   40.026990][ T3610] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffea5c543e0
[   40.034970][ T3610] RBP: 00007ffea5c543e0 R08: 00007ffea5c54420 R09: 0000000000000000
[   40.042943][ T3610] R10: 0000000000000000 R11: 0000000000000286 R12: 0000000020000230
[   40.050930][ T3610] R13: 0000000000000003 R14: 0000000000000004 R15: 0000000000000002
[   40.058928][ T3610]  </TASK>
[   40.061964][ T3610] 
[   40.064309][ T3610] Allocated by task 3597:
[   40.068634][ T3610]  kasan_save_stack+0x1e/0x40
[   40.073326][ T3610]  __kasan_slab_alloc+0x90/0xc0
[   40.078188][ T3610]  kmem_cache_alloc+0x2b7/0x3d0
[   40.083045][ T3610]  getname_flags.part.0+0x50/0x4f0
[   40.088180][ T3610]  getname+0x8e/0xd0
[   40.092087][ T3610]  do_sys_openat2+0xf5/0x4c0
[   40.096685][ T3610]  __x64_sys_openat+0x13f/0x1f0
[   40.101561][ T3610]  do_syscall_64+0x35/0xb0
[   40.105995][ T3610]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   40.111903][ T3610] 
[   40.114220][ T3610] Freed by task 3597:
[   40.118283][ T3610]  kasan_save_stack+0x1e/0x40
[   40.122985][ T3610]  kasan_set_track+0x21/0x30
[   40.127611][ T3610]  kasan_set_free_info+0x20/0x30
[   40.132577][ T3610]  ____kasan_slab_free+0x166/0x1c0
[   40.137698][ T3610]  slab_free_freelist_hook+0x8b/0x1c0
[   40.143076][ T3610]  kmem_cache_free+0xe7/0x5b0
[   40.147761][ T3610]  putname+0xfe/0x140
[   40.151755][ T3610]  do_sys_openat2+0x153/0x4c0
[   40.156436][ T3610]  __x64_sys_openat+0x13f/0x1f0
[   40.161291][ T3610]  do_syscall_64+0x35/0xb0
[   40.165710][ T3610]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   40.171617][ T3610] 
[   40.173943][ T3610] The buggy address belongs to the object at ffff888021f8d500
[   40.173943][ T3610]  which belongs to the cache names_cache of size 4096
[   40.188096][ T3610] The buggy address is located 2825 bytes inside of
[   40.188096][ T3610]  4096-byte region [ffff888021f8d500, ffff888021f8e500)
[   40.201560][ T3610] 
[   40.203888][ T3610] The buggy address belongs to the physical page:
[   40.210310][ T3610] page:ffffea000087e200 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x21f88
[   40.220465][ T3610] head:ffffea000087e200 order:3 compound_mapcount:0 compound_pincount:0
[   40.228786][ T3610] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[   40.236859][ T3610] raw: 00fff00000010200 0000000000000000 dead000000000122 ffff8880119d4640
[   40.245442][ T3610] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
[   40.254061][ T3610] page dumped because: kasan: bad access detected
[   40.260481][ T3610] page_owner tracks the page as allocated
[   40.266200][ T3610] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3597, tgid 3597 (sed), ts 36241512313, free_ts 36198575008
[   40.286799][ T3610]  get_page_from_freelist+0x109b/0x2ce0
[   40.292365][ T3610]  __alloc_pages+0x1c7/0x510
[   40.296968][ T3610]  alloc_pages+0x1a6/0x270
[   40.301395][ T3610]  allocate_slab+0x27e/0x3d0
[   40.306013][ T3610]  ___slab_alloc+0xa3e/0x11d0
[   40.310694][ T3610]  __slab_alloc.constprop.0+0x4d/0xa0
[   40.316089][ T3610]  kmem_cache_alloc+0x31c/0x3d0
[   40.320947][ T3610]  getname_flags.part.0+0x50/0x4f0
[   40.326079][ T3610]  getname_flags+0x9a/0xe0
[   40.330506][ T3610]  vfs_fstatat+0x73/0xb0
[   40.334765][ T3610]  __do_sys_newfstatat+0x91/0x110
[   40.339793][ T3610]  do_syscall_64+0x35/0xb0
[   40.344214][ T3610]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   40.350124][ T3610] page last free stack trace:
[   40.354787][ T3610]  free_pcp_prepare+0x5e4/0xd20
[   40.359651][ T3610]  free_unref_page+0x19/0x4d0
[   40.364338][ T3610]  qlist_free_all+0x6a/0x170
[   40.368940][ T3610]  kasan_quarantine_reduce+0x180/0x200
[   40.374525][ T3610]  __kasan_slab_alloc+0xa2/0xc0
[   40.379384][ T3610]  kmem_cache_alloc+0x2b7/0x3d0
[   40.384241][ T3610]  getname_flags.part.0+0x50/0x4f0
[   40.389368][ T3610]  getname_flags+0x9a/0xe0
[   40.393797][ T3610]  vfs_fstatat+0x73/0xb0
[   40.398041][ T3610]  __do_sys_newfstatat+0x91/0x110
[   40.403071][ T3610]  do_syscall_64+0x35/0xb0
[   40.407493][ T3610]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   40.413404][ T3610] 
[   40.415721][ T3610] Memory state around the buggy address:
[   40.421344][ T3610]  ffff888021f8df00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   40.429421][ T3610]  ffff888021f8df80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   40.437486][ T3610] >ffff888021f8e000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   40.445540][ T3610]                       ^
[   40.449876][ T3610]  ffff888021f8e080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   40.457939][ T3610]  ffff888021f8e100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   40.466013][ T3610] ==================================================================
[   40.474212][ T3610] Kernel panic - not syncing: panic_on_warn set ...
[   40.480819][ T3610] CPU: 1 PID: 3610 Comm: syz-executor364 Not tainted 6.0.0-rc2-next-20220824-syzkaller #0
[   40.490726][ T3610] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
[   40.500785][ T3610] Call Trace:
[   40.504060][ T3610]  <TASK>
[   40.506996][ T3610]  dump_stack_lvl+0xcd/0x134
[   40.511607][ T3610]  panic+0x2c8/0x627
[   40.515513][ T3610]  ? panic_print_sys_info.part.0+0x10b/0x10b
[   40.521505][ T3610]  ? preempt_schedule_common+0x59/0xc0
[   40.526980][ T3610]  ? preempt_schedule_thunk+0x16/0x18
[   40.532384][ T3610]  ? ntfs_attr_find+0xc02/0xce0
[   40.537354][ T3610]  end_report.part.0+0x3f/0x7c
[   40.542140][ T3610]  kasan_report.cold+0xa/0xf
[   40.546748][ T3610]  ? ntfs_attr_find+0xc02/0xce0
[   40.551641][ T3610]  ntfs_attr_find+0xc02/0xce0
[   40.556339][ T3610]  ? __kasan_init_slab_obj+0x21/0x30
[   40.561644][ T3610]  ntfs_attr_lookup+0x1056/0x2070
[   40.566705][ T3610]  ? ntfs_attr_get_search_ctx+0x41/0x200
[   40.572374][ T3610]  ? out_of_line_wait_on_bit+0xd5/0x110
[   40.577936][ T3610]  ? ntfs_attr_reinit_search_ctx+0x3c0/0x3c0
[   40.583950][ T3610]  ? rcu_read_lock_sched_held+0xd/0x70
[   40.589416][ T3610]  ? trace_kmem_cache_alloc+0x32/0xf0
[   40.594816][ T3610]  ? kmem_cache_alloc+0x1f0/0x3d0
[   40.599867][ T3610]  ntfs_read_inode_mount+0x89a/0x2580
[   40.605272][ T3610]  ntfs_fill_super+0x1799/0x92f0
[   40.610575][ T3610]  ? lock_downgrade+0x6e0/0x6e0
[   40.615439][ T3610]  ? parse_options+0x1d70/0x1d70
[   40.620382][ T3610]  ? snprintf+0xbb/0xf0
[   40.624545][ T3610]  ? vsprintf+0x30/0x30
[   40.628708][ T3610]  ? wait_for_completion_io_timeout+0x20/0x20
[   40.634786][ T3610]  ? up_write+0x148/0x470
[   40.639130][ T3610]  ? set_blocksize+0x2e5/0x370
[   40.643931][ T3610]  mount_bdev+0x34d/0x410
[   40.648275][ T3610]  ? parse_options+0x1d70/0x1d70
[   40.653219][ T3610]  ? ntfs_rl_punch_nolock+0x15b0/0x15b0
[   40.658771][ T3610]  legacy_get_tree+0x105/0x220
[   40.663558][ T3610]  vfs_get_tree+0x89/0x2f0
[   40.667989][ T3610]  path_mount+0x1326/0x1e20
[   40.672512][ T3610]  ? kmem_cache_free+0xe7/0x5b0
[   40.677370][ T3610]  ? finish_automount+0x960/0x960
[   40.682427][ T3610]  ? putname+0xfe/0x140
[   40.686600][ T3610]  __x64_sys_mount+0x27f/0x300
[   40.691479][ T3610]  ? copy_mnt_ns+0xae0/0xae0
[   40.696082][ T3610]  ? _raw_spin_unlock_irq+0x2a/0x40
[   40.701296][ T3610]  ? ptrace_notify+0xfa/0x140
[   40.705984][ T3610]  do_syscall_64+0x35/0xb0
[   40.710410][ T3610]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   40.716322][ T3610] RIP: 0033:0x7efcb8bde17a
[   40.720739][ T3610] Code: 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[   40.740349][ T3610] RSP: 002b:00007ffea5c543c8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[   40.748765][ T3610] RAX: ffffffffffffffda RBX: 00007ffea5c54420 RCX: 00007efcb8bde17a
[   40.756735][ T3610] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffea5c543e0
[   40.764707][ T3610] RBP: 00007ffea5c543e0 R08: 00007ffea5c54420 R09: 0000000000000000
[   40.772690][ T3610] R10: 0000000000000000 R11: 0000000000000286 R12: 0000000020000230
[   40.780661][ T3610] R13: 0000000000000003 R14: 0000000000000004 R15: 0000000000000002
[   40.788638][ T3610]  </TASK>
[   40.791711][ T3610] Kernel Offset: disabled
[   40.796032][ T3610] Rebooting in 86400 seconds..