Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.187' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   34.650019] ntfs: (device loop0): is_boot_sector_ntfs(): Invalid end of sector marker.
[   34.660696] ntfs: (device loop0): map_mft_record_page(): Mft record 0x1 is corrupt. Run chkdsk.
[   34.670482] ntfs: (device loop0): map_mft_record(): Failed with error code 5.
[   34.678638] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x1 as bad. Run chkdsk.
[   34.691185] ntfs: (device loop0): load_system_files(): Failed to load $MFTMirr. Mounting read-only. Run ntfsfix and/or chkdsk.
[   34.703415] ntfs: (device loop0): ntfs_read_locked_inode(): $DATA attribute is missing.
[   34.711617] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -2. Marking corrupt inode 0xa as bad. Run chkdsk.
[   34.723916] ntfs: (device loop0): load_and_init_upcase(): Failed to load $UpCase from the volume. Using default.
[   34.735104] ntfs: (device loop0): map_mft_record_page(): Mft record 0x4 is corrupt. Run chkdsk.
[   34.744603] ntfs: (device loop0): map_mft_record(): Failed with error code 5.
executing program
[   35.477913] ==================================================================
[   35.485422] BUG: KASAN: use-after-free in ntfs_read_locked_inode+0x5268/0x56f0
[   35.492828] Read of size 8 at addr ffff88808cfc5db8 by task syz-executor175/8194
[   35.500343]
[   35.502076] CPU: 1 PID: 8194 Comm: syz-executor175 Not tainted 4.19.195-syzkaller #0
[   35.510195] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   35.519819] Call Trace:
[   35.522412]  dump_stack+0x1fc/0x2ef
[   35.526078]  print_address_description.cold+0x54/0x219
[   35.531344]  kasan_report_error.cold+0x8a/0x1b9
[   35.536001]  ? ntfs_read_locked_inode+0x5268/0x56f0
[   35.541025]  __asan_report_load_n_noabort+0x8b/0xa0
[   35.546029]  ? ntfs_read_locked_inode+0x5268/0x56f0
[   35.551028]  ntfs_read_locked_inode+0x5268/0x56f0
[   35.555873]  ntfs_iget+0x12d/0x180
[   35.559393]  ? ntfs_read_locked_inode+0x56f0/0x56f0
[   35.564396]  ? ntfs_fill_super+0xc35/0x7e10
[   35.568715]  ? ntfs_fill_super+0xc47/0x7e10
[   35.573019]  ? __lockdep_init_map+0x100/0x5a0
[   35.577523]  ntfs_fill_super+0xcd3/0x7e10
[   35.581654]  ? pointer+0x850/0x850
[   35.585303]  ? lock_downgrade+0x720/0x720
[   35.589457]  ? ntfs_big_inode_init_once+0x20/0x20
[   35.594282]  ? vsprintf+0x30/0x30
[   35.597751]  ? wait_for_completion_io+0x10/0x10
[   35.602402]  ? set_blocksize+0x163/0x3f0
[   35.606464]  mount_bdev+0x2fc/0x3b0
[   35.610077]  ? ntfs_big_inode_init_once+0x20/0x20
[   35.614899]  mount_fs+0xa3/0x310
[   35.618273]  vfs_kern_mount.part.0+0x68/0x470
[   35.622751]  do_mount+0x113c/0x2f10
[   35.626361]  ? do_raw_spin_unlock+0x171/0x230
[   35.630859]  ? check_preemption_disabled+0x41/0x280
[   35.635871]  ? copy_mount_string+0x40/0x40
[   35.640090]  ? copy_mount_options+0x59/0x380
[   35.644539]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[   35.649594]  ? kmem_cache_alloc_trace+0x323/0x380
[   35.654420]  ? copy_mount_options+0x26f/0x380
[   35.658896]  ksys_mount+0xcf/0x130
[   35.662419]  __x64_sys_mount+0xba/0x150
[   35.666489]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[   35.671065]  do_syscall_64+0xf9/0x620
[   35.674868]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   35.680051] RIP: 0033:0x44876a
[   35.683229] Code: 48 c7 c2 c0 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 a8 00 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[   35.702222] RSP: 002b:00007ffcc012e498 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[   35.710094] RAX: ffffffffffffffda RBX: 00007ffcc012e4f0 RCX: 000000000044876a
[   35.717342] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffcc012e4b0
[   35.724591] RBP: 00007ffcc012e4b0 R08: 00007ffcc012e4f0 R09: 0000000000000000
[   35.731849] R10: 0000000000000000 R11: 0000000000000286 R12: 0000000020001fa0
[   35.739113] R13: 0000000000000003 R14: 0000000000000004 R15: 000000000000013c
[   35.746381]
[   35.748001] The buggy address belongs to the page:
[   35.752915] page:ffffea000233f140 count:0 mapcount:0 mapping:0000000000000000 index:0x1
[   35.761045] flags: 0xfff00000000000()
[   35.764826] raw: 00fff00000000000 ffffea00023a4248 ffffea00023a0848 0000000000000000
[   35.772687] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[   35.780550] page dumped because: kasan: bad access detected
[   35.786259]
[   35.787864] Memory state around the buggy address:
[   35.792781]  ffff88808cfc5c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   35.800134]  ffff88808cfc5d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   35.807477] >ffff88808cfc5d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   35.814813]                                         ^
[   35.820009]  ffff88808cfc5e00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   35.827608]  ffff88808cfc5e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   35.834977] ==================================================================
[   35.842415] Disabling lock debugging due to kernel taint
[   35.849893] Kernel panic - not syncing: panic_on_warn set ...
[   35.849893]
[   35.857267] CPU: 1 PID: 8194 Comm: syz-executor175 Tainted: G    B 4.19.195-syzkaller #0
[   35.866644] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   35.876078] Call Trace:
[   35.878675]  dump_stack+0x1fc/0x2ef
[   35.882401]  panic+0x26a/0x50e
[   35.885598]  ? __warn_printk+0xf3/0xf3
[   35.889490]  ? preempt_schedule_common+0x45/0xc0
[   35.894249]  ? ___preempt_schedule+0x16/0x18
[   35.898757]  ? trace_hardirqs_on+0x55/0x210
[   35.903277]  kasan_end_report+0x43/0x49
[   35.907250]  kasan_report_error.cold+0xa7/0x1b9
[   35.911923]  ? ntfs_read_locked_inode+0x5268/0x56f0
[   35.916961]  __asan_report_load_n_noabort+0x8b/0xa0
[   35.921982]  ? ntfs_read_locked_inode+0x5268/0x56f0
[   35.927087]  ntfs_read_locked_inode+0x5268/0x56f0
[   35.932020]  ntfs_iget+0x12d/0x180
[   35.935564]  ? ntfs_read_locked_inode+0x56f0/0x56f0
[   35.940593]  ? ntfs_fill_super+0xc35/0x7e10
[   35.944921]  ? ntfs_fill_super+0xc47/0x7e10
[   35.949255]  ? __lockdep_init_map+0x100/0x5a0
[   35.953750]  ntfs_fill_super+0xcd3/0x7e10
[   35.957899]  ? pointer+0x850/0x850
[   35.961563]  ? lock_downgrade+0x720/0x720
[   35.965718]  ? ntfs_big_inode_init_once+0x20/0x20
[   35.970564]  ? vsprintf+0x30/0x30
[   35.974027]  ? wait_for_completion_io+0x10/0x10
[   35.978706]  ? set_blocksize+0x163/0x3f0
[   35.982770]  mount_bdev+0x2fc/0x3b0
[   35.986446]  ? ntfs_big_inode_init_once+0x20/0x20
[   35.991297]  mount_fs+0xa3/0x310
[   35.994659]  vfs_kern_mount.part.0+0x68/0x470
[   35.999149]  do_mount+0x113c/0x2f10
[   36.002785]  ? do_raw_spin_unlock+0x171/0x230
[   36.007263]  ? check_preemption_disabled+0x41/0x280
[   36.012259]  ? copy_mount_string+0x40/0x40
[   36.016488]  ? copy_mount_options+0x59/0x380
[   36.020882]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[   36.025923]  ? kmem_cache_alloc_trace+0x323/0x380
[   36.030746]  ? copy_mount_options+0x26f/0x380
[   36.035229]  ksys_mount+0xcf/0x130
[   36.038850]  __x64_sys_mount+0xba/0x150
[   36.042809]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[   36.047370]  do_syscall_64+0xf9/0x620
[   36.051155]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   36.056327] RIP: 0033:0x44876a
[   36.059506] Code: 48 c7 c2 c0 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 a8 00 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[   36.078490] RSP: 002b:00007ffcc012e498 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[   36.086280] RAX: ffffffffffffffda RBX: 00007ffcc012e4f0 RCX: 000000000044876a
[   36.093545] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffcc012e4b0
[   36.100796] RBP: 00007ffcc012e4b0 R08: 00007ffcc012e4f0 R09: 0000000000000000
[   36.108053] R10: 0000000000000000 R11: 0000000000000286 R12: 0000000020001fa0
[   36.115300] R13: 0000000000000003 R14: 0000000000000004 R15: 000000000000013c
[   36.123594] Kernel Offset: disabled
[   36.127208] Rebooting in 86400 seconds..
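Triage helper, added here as an example; it is not part of the syzkaller report above and not syzkaller's own tooling. It parses a generic-KASAN report of the shape printed above into the fields a triager keys on (bug class, faulting function and offset, access kind and size, task, kernel version), drops the `?` frames that the unwinder marks as stale so that the remaining chain runs from the faulting function out to the syscall entry, and decodes two things the raw report leaves implicit: `ORIG_RAX` `0xa5` is syscall 165, which on x86_64 is mount(2), matching the `__x64_sys_mount` frame, and the shadow byte `ff` covering the faulting address is KASAN's free-page marker, which agrees with the dumped page showing `count:0`. The embedded `REPORT` is an excerpt of this page's own log; the shadow-meaning and syscall-name tables are deliberately limited to the values needed here.

```python
import re

# Excerpt of the KASAN report above, copied from this page's console log with
# most "?" frames left out so the parser runs offline. It is the page's own
# crash, not a newly constructed one.
REPORT = """\
[   35.485422] BUG: KASAN: use-after-free in ntfs_read_locked_inode+0x5268/0x56f0
[   35.492828] Read of size 8 at addr ffff88808cfc5db8 by task syz-executor175/8194
[   35.502076] CPU: 1 PID: 8194 Comm: syz-executor175 Not tainted 4.19.195-syzkaller #0
[   35.519819] Call Trace:
[   35.522412]  dump_stack+0x1fc/0x2ef
[   35.531344]  kasan_report_error.cold+0x8a/0x1b9
[   35.536001]  ? ntfs_read_locked_inode+0x5268/0x56f0
[   35.541025]  __asan_report_load_n_noabort+0x8b/0xa0
[   35.551028]  ntfs_read_locked_inode+0x5268/0x56f0
[   35.555873]  ntfs_iget+0x12d/0x180
[   35.564396]  ? ntfs_fill_super+0xc35/0x7e10
[   35.577523]  ntfs_fill_super+0xcd3/0x7e10
[   35.606464]  mount_bdev+0x2fc/0x3b0
[   35.622751]  do_mount+0x113c/0x2f10
[   35.658896]  ksys_mount+0xcf/0x130
[   35.662419]  __x64_sys_mount+0xba/0x150
[   35.671065]  do_syscall_64+0xf9/0x620
[   35.674868]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   35.680051] RIP: 0033:0x44876a
[   35.702222] RSP: 002b:00007ffcc012e498 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[   35.787864] Memory state around the buggy address:
[   35.800134]  ffff88808cfc5d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   35.807477] >ffff88808cfc5d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # dmesg timestamp prefix
BUG_RE = re.compile(r"BUG: KASAN: ([\w-]+) in ([\w.]+)\+0x([0-9a-f]+)/0x[0-9a-f]+")
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)")
CPU_RE = re.compile(r"CPU: \d+ PID: \d+ Comm: \S+ .*?(\d+\.\d+\.\d+\S*) #\d+")
ORIG_RAX_RE = re.compile(r"ORIG_RAX: ([0-9a-f]{16})")
SHADOW_RE = re.compile(r"^([ >])([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})")
# Generic-KASAN shadow encodings; one shadow byte covers 8 bytes of memory.
SHADOW_MEANING = {0x00: "accessible", 0xfa: "global redzone", 0xfb: "kmalloc freed",
                  0xfc: "kmalloc redzone", 0xfe: "page redzone", 0xff: "freed page"}
# x86_64 syscall numbers, only the few needed to name the entry point here.
SYSCALL_NAMES = {0: "read", 1: "write", 2: "open", 16: "ioctl", 41: "socket",
                 165: "mount", 166: "umount2"}


def parse_kasan(text: str) -> dict:
    bug = acc = kernel = None
    frames, syscall_nr, shadow, in_trace = [], None, None, False
    for raw in text.splitlines():
        line = TS_RE.sub("", raw)
        s = line.strip()
        if m := BUG_RE.search(s):
            bug = m
        elif m := ACCESS_RE.search(s):
            acc = m
        elif (m := CPU_RE.search(s)) and kernel is None:
            kernel = m.group(1)            # first CPU: line is the report's own
        elif s == "Call Trace:":
            in_trace = not frames          # parse the first trace, not the panic one
        elif in_trace and s.startswith("RIP:"):
            in_trace = False
        elif in_trace and s:               # "? sym" = stale frame the unwinder distrusts
            frames.append((s[2:], False) if s.startswith("? ") else (s, True))
        elif (m := ORIG_RAX_RE.search(s)) and syscall_nr is None:
            syscall_nr = int(m.group(1), 16)
        elif (m := SHADOW_RE.match(line)) and m.group(1) == ">" and acc:
            idx = (int(acc.group(3), 16) - int(m.group(2), 16)) >> 3  # 8 bytes per shadow byte
            row = [int(b, 16) for b in m.group(3).split()]
            shadow = row[idx] if 0 <= idx < len(row) else None
    if not (bug and acc and kernel):
        raise ValueError("incomplete KASAN report")
    return {"bug_type": bug.group(1), "func": bug.group(2), "func_off": int(bug.group(3), 16),
            "access": acc.group(1), "size": int(acc.group(2)), "addr": int(acc.group(3), 16),
            "task": acc.group(4), "pid": int(acc.group(5)), "kernel": kernel,
            "frames": frames, "syscall_nr": syscall_nr, "shadow": shadow}


def culprit_chain(r: dict) -> list:
    """Reliable frames from the faulting function outward; KASAN's own
    reporting frames above it and the '?' frames are dropped."""
    reliable = [f for f, ok in r["frames"] if ok]
    for i, f in enumerate(reliable):
        if f.startswith(r["func"] + "+"):
            return reliable[i:]
    return reliable


def summary(r: dict) -> str:
    """One-line triage string: what, where, which kernel, how it was reached."""
    entry = SYSCALL_NAMES.get(r["syscall_nr"], f"nr{r['syscall_nr']}")
    shadow = SHADOW_MEANING.get(r["shadow"], "n/a")
    return (f"KASAN {r['bug_type']}: {r['size']}-byte {r['access'].lower()} at {r['addr']:#x} "
            f"in {r['func']}+{r['func_off']:#x} ({r['kernel']}), task {r['task']}/{r['pid']} "
            f"via {entry}(); shadow byte = {shadow}")


if __name__ == "__main__":
    rep = parse_kasan(REPORT)
    print(summary(rep))
    print(" <- ".join(culprit_chain(rep)))
```

Feeding it the full log above instead of the excerpt gives the same result: the second `Call Trace:` (the panic path) and the second `ORIG_RAX` line are ignored because only the first of each belongs to the KASAN report, and the shadow lookup uses the `>`-marked row, where offset `0x38` from the row base lands on the eighth shadow byte.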