[ OK ] Reached target Graphical Interface.
       Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
       Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.150' (ECDSA) to the list of known hosts.

syzkaller login: [ 36.093732] IPVS: ftp: loaded support on port[0] = 21
[ 36.195886] chnl_net:caif_netlink_parms(): no params data found
[ 36.260159] bridge0: port 1(bridge_slave_0) entered blocking state
[ 36.267027] bridge0: port 1(bridge_slave_0) entered disabled state
[ 36.275909] device bridge_slave_0 entered promiscuous mode
[ 36.283172] bridge0: port 2(bridge_slave_1) entered blocking state
[ 36.289635] bridge0: port 2(bridge_slave_1) entered disabled state
[ 36.296859] device bridge_slave_1 entered promiscuous mode
[ 36.314080] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 36.322801] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 36.340855] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 36.348353] team0: Port device team_slave_0 added
[ 36.353959] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 36.361950] team0: Port device team_slave_1 added
[ 36.376976] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 36.383227] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 36.408531] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 36.419954] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 36.426466] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 36.451735] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 36.465800] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 36.473166] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 36.492217] device hsr_slave_0 entered promiscuous mode
[ 36.498047] device hsr_slave_1 entered promiscuous mode
[ 36.504434] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 36.511494] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 36.577757] bridge0: port 2(bridge_slave_1) entered blocking state
[ 36.584230] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 36.591123] bridge0: port 1(bridge_slave_0) entered blocking state
[ 36.597526] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 36.628539] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 36.635996] 8021q: adding VLAN 0 to HW filter on device bond0
[ 36.645244] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 36.655046] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 36.664727] bridge0: port 1(bridge_slave_0) entered disabled state
[ 36.671928] bridge0: port 2(bridge_slave_1) entered disabled state
[ 36.679269] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 36.690176] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 36.696505] 8021q: adding VLAN 0 to HW filter on device team0
[ 36.705832] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 36.714066] bridge0: port 1(bridge_slave_0) entered blocking state
[ 36.720424] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 36.740957] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 36.750996] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 36.762870] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 36.770381] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 36.778329] bridge0: port 2(bridge_slave_1) entered blocking state
[ 36.784774] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 36.792361] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 36.800571] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 36.808452] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 36.816523] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 36.825029] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 36.831854] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 36.845425] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 36.852650] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 36.859439] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 36.870116] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 36.902614] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 36.914125] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 36.947612] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 36.954741] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 36.961200] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 36.971941] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 36.980125] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 36.988241] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 36.997864] device veth0_vlan entered promiscuous mode
[ 37.008404] device veth1_vlan entered promiscuous mode
[ 37.014753] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 37.023114] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 37.035093] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 37.044524] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 37.051881] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 37.060059] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 37.070232] device veth0_macvtap entered promiscuous mode
[ 37.076790] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 37.085513] device veth1_macvtap entered promiscuous mode
[ 37.094582] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 37.104295] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 37.114708] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 37.121403] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 37.130101] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 37.140155] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 37.147416] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[ 37.270825] ntfs: volume version 3.1.
[ 37.284264] ==================================================================
[ 37.291660] BUG: KASAN: use-after-free in ntfs_collate_names+0x329/0x380
[ 37.298590] Read of size 2 at addr ffff888090a7c92f by task syz-executor120/8112
[ 37.306105]
[ 37.307719] CPU: 0 PID: 8112 Comm: syz-executor120 Not tainted 4.19.211-syzkaller #0
[ 37.315577] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
[ 37.324922] Call Trace:
[ 37.327497]  dump_stack+0x1fc/0x2ef
[ 37.331129]  print_address_description.cold+0x54/0x219
[ 37.336384]  kasan_report_error.cold+0x8a/0x1b9
[ 37.341054]  ? ntfs_collate_names+0x329/0x380
[ 37.345530]  __asan_report_load2_noabort+0x88/0x90
[ 37.350438]  ? ntfs_fill_super+0x5780/0x7e10
[ 37.354840]  ? ntfs_collate_names+0x329/0x380
[ 37.359318]  ntfs_collate_names+0x329/0x380
[ 37.363624]  ? do_syscall_64+0xf9/0x620
[ 37.367589]  ntfs_attr_find+0x7e5/0xb10
[ 37.371647]  ntfs_attr_lookup+0x1020/0x1f90
[ 37.375951]  ? do_read_cache_page+0xfe/0x1170
[ 37.380426]  ? ntfs_end_buffer_async_read+0x1210/0x1210
[ 37.385770]  ? ntfs_attr_reinit_search_ctx+0x3c0/0x3c0
[ 37.391134]  ? kmem_cache_alloc+0x2e1/0x370
[ 37.395437]  ntfs_read_locked_inode+0x1cbf/0x56e0
[ 37.400260]  ? __ntfs_clear_inode+0x260/0x260
[ 37.404749]  ? ntfs_index_lookup+0x2bb0/0x2bb0
[ 37.409326]  ? iget5_locked+0x3c/0xd0
[ 37.413109]  ntfs_iget+0x12d/0x180
[ 37.416644]  ? ntfs_read_locked_inode+0x56e0/0x56e0
[ 37.421642]  ? kfree+0x1a7/0x210
[ 37.424990]  ntfs_fill_super+0x5851/0x7e10
[ 37.429216]  ? ntfs_big_inode_init_once+0x20/0x20
[ 37.434038]  ? vsprintf+0x30/0x30
[ 37.437472]  ? set_blocksize+0x163/0x3f0
[ 37.441597]  mount_bdev+0x2fc/0x3b0
[ 37.445205]  ? ntfs_big_inode_init_once+0x20/0x20
[ 37.450026]  mount_fs+0xa3/0x310
[ 37.453492]  vfs_kern_mount.part.0+0x68/0x470
[ 37.457968]  do_mount+0x115c/0x2f50
[ 37.461576]  ? lock_acquire+0x170/0x3c0
[ 37.465535]  ? check_preemption_disabled+0x41/0x280
[ 37.470529]  ? copy_mount_string+0x40/0x40
[ 37.474743]  ? copy_mount_options+0x59/0x380
[ 37.479129]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 37.484136]  ? kmem_cache_alloc_trace+0x323/0x380
[ 37.488964]  ? copy_mount_options+0x26f/0x380
[ 37.493440]  ksys_mount+0xcf/0x130
[ 37.496962]  __x64_sys_mount+0xba/0x150
[ 37.500917]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 37.505478]  do_syscall_64+0xf9/0x620
[ 37.509259]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 37.514426] RIP: 0033:0x7f434928c49a
[ 37.518119] Code: 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 08 01 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 37.537010] RSP: 002b:00007ffe11c0ae68 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 37.544795] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f434928c49a
[ 37.552056] RDX: 0000000020000040 RSI: 000000002001ee80 RDI: 00007ffe11c0ae80
[ 37.559309] RBP: 00007ffe11c0ae80 R08: 00007ffe11c0aec0 R09: 000000000001ee5a
[ 37.566556] R10: 0000000000a00c9a R11: 0000000000000286 R12: 0000000000000004
[ 37.573805] R13: 00005555559e12b8 R14: 0000000000a00c9a R15: 00007ffe11c0aec0
[ 37.581153]
[ 37.582771] The buggy address belongs to the page:
[ 37.587765] page:ffffea0002429f00 count:0 mapcount:0 mapping:0000000000000000 index:0x1
[ 37.595884] flags: 0xfff00000000000()
[ 37.599681] raw: 00fff00000000000 ffffea000242cc08 ffffea000242d5c8 0000000000000000
[ 37.607541] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 37.615410] page dumped because: kasan: bad access detected
[ 37.621104]
[ 37.622812] Memory state around the buggy address:
[ 37.627744]  ffff888090a7c800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 37.635088]  ffff888090a7c880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 37.642434] >ffff888090a7c900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 37.649780]                                   ^
[ 37.654442]  ffff888090a7c980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 37.661790]  ffff888090a7ca00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 37.669123] ==================================================================
[ 37.676458] Disabling lock debugging due to kernel taint
[ 37.686707] Kernel panic - not syncing: panic_on_warn set ...
[ 37.686707]
[ 37.694101] CPU: 0 PID: 8112 Comm: syz-executor120 Tainted: G    B 4.19.211-syzkaller #0
[ 37.703367] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
[ 37.712718] Call Trace:
[ 37.715302]  dump_stack+0x1fc/0x2ef
[ 37.718909]  panic+0x26a/0x50e
[ 37.722098]  ? __warn_printk+0xf3/0xf3
[ 37.725970]  ? preempt_schedule_common+0x45/0xc0
[ 37.730706]  ? ___preempt_schedule+0x16/0x18
[ 37.735099]  ? trace_hardirqs_on+0x55/0x210
[ 37.739401]  kasan_end_report+0x43/0x49
[ 37.743356]  kasan_report_error.cold+0xa7/0x1b9
[ 37.748007]  ? ntfs_collate_names+0x329/0x380
[ 37.752492]  __asan_report_load2_noabort+0x88/0x90
[ 37.757401]  ? ntfs_fill_super+0x5780/0x7e10
[ 37.761803]  ? ntfs_collate_names+0x329/0x380
[ 37.766280]  ntfs_collate_names+0x329/0x380
[ 37.770583]  ? do_syscall_64+0xf9/0x620
[ 37.774537]  ntfs_attr_find+0x7e5/0xb10
[ 37.778492]  ntfs_attr_lookup+0x1020/0x1f90
[ 37.782803]  ? do_read_cache_page+0xfe/0x1170
[ 37.787297]  ? ntfs_end_buffer_async_read+0x1210/0x1210
[ 37.792640]  ? ntfs_attr_reinit_search_ctx+0x3c0/0x3c0
[ 37.797896]  ? kmem_cache_alloc+0x2e1/0x370
[ 37.802199]  ntfs_read_locked_inode+0x1cbf/0x56e0
[ 37.807026]  ? __ntfs_clear_inode+0x260/0x260
[ 37.811512]  ? ntfs_index_lookup+0x2bb0/0x2bb0
[ 37.816075]  ? iget5_locked+0x3c/0xd0
[ 37.819857]  ntfs_iget+0x12d/0x180
[ 37.823379]  ? ntfs_read_locked_inode+0x56e0/0x56e0
[ 37.828469]  ? kfree+0x1a7/0x210
[ 37.831825]  ntfs_fill_super+0x5851/0x7e10
[ 37.836046]  ? ntfs_big_inode_init_once+0x20/0x20
[ 37.840869]  ? vsprintf+0x30/0x30
[ 37.844306]  ? set_blocksize+0x163/0x3f0
[ 37.848348]  mount_bdev+0x2fc/0x3b0
[ 37.851954]  ? ntfs_big_inode_init_once+0x20/0x20
[ 37.856775]  mount_fs+0xa3/0x310
[ 37.860130]  vfs_kern_mount.part.0+0x68/0x470
[ 37.864613]  do_mount+0x115c/0x2f50
[ 37.868241]  ? lock_acquire+0x170/0x3c0
[ 37.872203]  ? check_preemption_disabled+0x41/0x280
[ 37.877201]  ? copy_mount_string+0x40/0x40
[ 37.881418]  ? copy_mount_options+0x59/0x380
[ 37.885808]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 37.890822]  ? kmem_cache_alloc_trace+0x323/0x380
[ 37.895655]  ? copy_mount_options+0x26f/0x380
[ 37.900135]  ksys_mount+0xcf/0x130
[ 37.903656]  __x64_sys_mount+0xba/0x150
[ 37.907612]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 37.912176]  do_syscall_64+0xf9/0x620
[ 37.915970]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 37.921150] RIP: 0033:0x7f434928c49a
[ 37.924844] Code: 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 08 01 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 37.943727] RSP: 002b:00007ffe11c0ae68 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 37.951425] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f434928c49a
[ 37.958686] RDX: 0000000020000040 RSI: 000000002001ee80 RDI: 00007ffe11c0ae80
[ 37.965949] RBP: 00007ffe11c0ae80 R08: 00007ffe11c0aec0 R09: 000000000001ee5a
[ 37.973204] R10: 0000000000a00c9a R11: 0000000000000286 R12: 0000000000000004
[ 37.980458] R13: 00005555559e12b8 R14: 0000000000a00c9a R15: 00007ffe11c0aec0
[ 37.987975] Kernel Offset: disabled
[ 37.991600] Rebooting in 86400 seconds..