Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.1.9' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 68.525642][ T8471] loop0: detected capacity change from 0 to 8185
[ 68.535945][ T8471] ntfs: (device loop0): is_boot_sector_ntfs(): Invalid end of sector marker.
[ 68.549063][ T8471] ntfs: (device loop0): map_mft_record_page(): Mft record 0x1 is corrupt. Run chkdsk.
[ 68.558798][ T8471] ntfs: (device loop0): map_mft_record(): Failed with error code 5.
[ 68.567677][ T8471] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x1 as bad. Run chkdsk.
[ 68.581304][ T8471] ntfs: (device loop0): load_system_files(): Failed to load $MFTMirr. Mounting read-only. Run ntfsfix and/or chkdsk.
[ 68.594745][ T8471] ntfs: (device loop0): ntfs_read_locked_inode(): $DATA attribute is missing.
[ 68.604586][ T8471] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -2. Marking corrupt inode 0xa as bad. Run chkdsk.
executing program
[ 68.626304][ T8471] ntfs: (device loop0): load_and_init_upcase(): Failed to load $UpCase from the volume. Using default.
[ 68.638690][ T8471] ntfs: (device loop0): map_mft_record_page(): Mft record 0x4 is corrupt. Run chkdsk.
[ 68.649188][ T8471] ntfs: (device loop0): map_mft_record(): Failed with error code 5.
executing program
[ 68.731017][ T8478] loop0: detected capacity change from 0 to 8185
executing program
executing program
[ 68.826390][ T8483] loop0: detected capacity change from 0 to 8185
executing program
executing program
executing program
[ 68.922271][ T8489] loop0: detected capacity change from 0 to 8185
executing program
[ 69.009851][ T8495] loop0: detected capacity change from 0 to 8185
executing program
[ 69.081108][ T8502] loop0: detected capacity change from 0 to 8185
executing program
executing program
executing program
[ 69.153078][ T8507] loop0: detected capacity change from 0 to 8185
executing program
[ 69.206623][ T8512] loop0: detected capacity change from 0 to 8185
[ 69.309654][ T8517] loop0: detected capacity change from 0 to 8185
[ 69.320771][ T8517] ==================================================================
[ 69.328877][ T8517] BUG: KASAN: use-after-free in ntfs_read_locked_inode+0x5714/0x5af0
[ 69.336982][ T8517] Read of size 8 at addr ffff888036d2cdb8 by task syz-executor965/8517
[ 69.345229][ T8517]
[ 69.347552][ T8517] CPU: 0 PID: 8517 Comm: syz-executor965 Not tainted 5.13.0-rc2-next-20210518-syzkaller #0
[ 69.357543][ T8517] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 69.367870][ T8517] Call Trace:
[ 69.371335][ T8517]  dump_stack_lvl+0x13e/0x1d6
[ 69.376132][ T8517]  ? ntfs_read_locked_inode+0x5714/0x5af0
[ 69.381874][ T8517]  print_address_description.constprop.0.cold+0x6c/0x309
[ 69.388925][ T8517]  ? ntfs_read_locked_inode+0x5714/0x5af0
[ 69.394671][ T8517]  ? ntfs_read_locked_inode+0x5714/0x5af0
[ 69.400405][ T8517]  kasan_report.cold+0x83/0xdf
[ 69.405327][ T8517]  ? ntfs_read_locked_inode+0x5714/0x5af0
[ 69.411135][ T8517]  ntfs_read_locked_inode+0x5714/0x5af0
[ 69.416705][ T8517]  ? ntfs_test_inode+0x2f0/0x2f0
[ 69.421755][ T8517]  ntfs_iget+0x12d/0x180
[ 69.426017][ T8517]  ? ntfs_read_locked_inode+0x5af0/0x5af0
[ 69.431755][ T8517]  ? lockdep_init_map_type+0x2c3/0x7b0
[ 69.437231][ T8517]  ntfs_fill_super+0x1f75/0x84e0
[ 69.442216][ T8517]  ? load_and_init_usnjrnl+0x15c0/0x15c0
[ 69.447864][ T8517]  ? vsprintf+0x30/0x30
[ 69.452051][ T8517]  ? __sanitizer_cov_trace_cmp4+0x1c/0x70
[ 69.457792][ T8517]  ? set_blocksize+0x1c1/0x3b0
[ 69.462576][ T8517]  mount_bdev+0x34d/0x410
[ 69.466916][ T8517]  ? load_and_init_usnjrnl+0x15c0/0x15c0
[ 69.472576][ T8517]  ? ntfs_rl_punch_nolock+0x1d10/0x1d10
[ 69.478139][ T8517]  legacy_get_tree+0x105/0x220
[ 69.482918][ T8517]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 69.489176][ T8517]  vfs_get_tree+0x89/0x2f0
[ 69.493637][ T8517]  path_mount+0x132a/0x1fa0
[ 69.498423][ T8517]  ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 69.504678][ T8517]  ? strncpy_from_user+0x2a0/0x3e0
[ 69.509820][ T8517]  ? finish_automount+0xaf0/0xaf0
[ 69.514874][ T8517]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 69.521133][ T8517]  ? getname_flags.part.0+0x1dd/0x4f0
[ 69.526525][ T8517]  ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 69.532784][ T8517]  __x64_sys_mount+0x27f/0x300
[ 69.537566][ T8517]  ? copy_mnt_ns+0xae0/0xae0
[ 69.542220][ T8517]  ? syscall_enter_from_user_mode+0x21/0x70
[ 69.548148][ T8517]  do_syscall_64+0x31/0xb0
[ 69.552576][ T8517]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 69.558498][ T8517] RIP: 0033:0x44876a
[ 69.562490][ T8517] Code: 48 c7 c2 c0 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 a8 00 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 69.582116][ T8517] RSP: 002b:00007ffd48f43638 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 69.590546][ T8517] RAX: ffffffffffffffda RBX: 00007ffd48f43690 RCX: 000000000044876a
[ 69.598530][ T8517] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffd48f43650
[ 69.606510][ T8517] RBP: 00007ffd48f43650 R08: 00007ffd48f43690 R09: 0000000000000000
[ 69.614575][ T8517] R10: 0000000000000000 R11: 0000000000000286 R12: 0000000020001fa0
[ 69.622556][ T8517] R13: 0000000000000003 R14: 0000000000000004 R15: 000000000000013c
[ 69.630549][ T8517]
[ 69.632885][ T8517] The buggy address belongs to the page:
[ 69.638511][ T8517] page:ffffea0000db4b00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x36d2c
[ 69.648671][ T8517] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 69.655888][ T8517] raw: 00fff00000000000 ffffea0000bbb148 ffffea0000d195c8 0000000000000000
[ 69.664495][ T8517] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 69.673076][ T8517] page dumped because: kasan: bad access detected
[ 69.679486][ T8517] page_owner tracks the page as freed
[ 69.684864][ T8517] page last allocated via order 0, migratetype Movable, gfp_mask 0x100cca(GFP_HIGHUSER_MOVABLE), pid 8464, ts 63337994321, free_ts 68380784236
[ 69.699379][ T8517]  get_page_from_freelist+0x125c/0x2ed0
[ 69.704955][ T8517]  __alloc_pages+0x1b2/0x500
[ 69.709560][ T8517]  alloc_pages_vma+0xdd/0x770
[ 69.714246][ T8517]  wp_page_copy+0x1bf/0x2270
[ 69.718850][ T8517]  do_wp_page+0x2cb/0x1ad0
[ 69.723280][ T8517]  __handle_mm_fault+0x236b/0x5200
[ 69.728399][ T8517]  handle_mm_fault+0x1b9/0x7e0
[ 69.733172][ T8517]  do_user_addr_fault+0x483/0x1210
[ 69.738296][ T8517]  exc_page_fault+0x9e/0x180
[ 69.742900][ T8517]  asm_exc_page_fault+0x1e/0x30
[ 69.747771][ T8517] page last free stack trace:
[ 69.752443][ T8517]  free_pcp_prepare+0x217/0x300
[ 69.757306][ T8517]  free_unref_page_list+0x19f/0x1050
[ 69.762838][ T8517]  release_pages+0x824/0x20b0
[ 69.767511][ T8517]  tlb_finish_mmu+0x165/0x8c0
[ 69.772216][ T8517]  exit_mmap+0x1ea/0x620
[ 69.776587][ T8517]  __mmput+0x122/0x470
[ 69.780641][ T8517]  mmput+0x58/0x60
[ 69.784343][ T8517]  do_exit+0xb0a/0x2a70
[ 69.788715][ T8517]  do_group_exit+0x125/0x310
[ 69.793316][ T8517]  __x64_sys_exit_group+0x3a/0x50
[ 69.798423][ T8517]  do_syscall_64+0x31/0xb0
[ 69.802915][ T8517]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 69.808802][ T8517]
[ 69.811135][ T8517] Memory state around the buggy address:
[ 69.816743][ T8517]  ffff888036d2cc80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 69.824793][ T8517]  ffff888036d2cd00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 69.832941][ T8517] >ffff888036d2cd80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 69.841427][ T8517]                                         ^
[ 69.847624][ T8517]  ffff888036d2ce00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 69.855672][ T8517]  ffff888036d2ce80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 69.863718][ T8517] ==================================================================
[ 69.871756][ T8517] Disabling lock debugging due to kernel taint
[ 69.886729][ T8517] Kernel panic - not syncing: panic_on_warn set ...
[ 69.893431][ T8517] CPU: 1 PID: 8517 Comm: syz-executor965 Tainted: G B 5.13.0-rc2-next-20210518-syzkaller #0
[ 69.904835][ T8517] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 69.914878][ T8517] Call Trace:
[ 69.918149][ T8517]  dump_stack_lvl+0x13e/0x1d6
[ 69.922823][ T8517]  ? ntfs_read_locked_inode+0x56f0/0x5af0
[ 69.928530][ T8517]  panic+0x306/0x73d
[ 69.932522][ T8517]  ? __warn_printk+0xf3/0xf3
[ 69.937106][ T8517]  ? preempt_schedule_common+0x59/0xc0
[ 69.942653][ T8517]  ? ntfs_read_locked_inode+0x5714/0x5af0
[ 69.948373][ T8517]  ? preempt_schedule_thunk+0x16/0x18
[ 69.953755][ T8517]  ? trace_hardirqs_on+0x38/0x1c0
[ 69.958774][ T8517]  ? trace_hardirqs_on+0x51/0x1c0
[ 69.963797][ T8517]  ? ntfs_read_locked_inode+0x5714/0x5af0
[ 69.969523][ T8517]  ? ntfs_read_locked_inode+0x5714/0x5af0
[ 69.975279][ T8517]  end_report.cold+0x5a/0x5a
[ 69.979870][ T8517]  kasan_report.cold+0x71/0xdf
[ 69.984633][ T8517]  ? ntfs_read_locked_inode+0x5714/0x5af0
[ 69.990345][ T8517]  ntfs_read_locked_inode+0x5714/0x5af0
[ 69.995883][ T8517]  ? ntfs_test_inode+0x2f0/0x2f0
[ 70.000811][ T8517]  ntfs_iget+0x12d/0x180
[ 70.005059][ T8517]  ? ntfs_read_locked_inode+0x5af0/0x5af0
[ 70.010776][ T8517]  ? lockdep_init_map_type+0x2c3/0x7b0
[ 70.016236][ T8517]  ntfs_fill_super+0x1f75/0x84e0
[ 70.021170][ T8517]  ? load_and_init_usnjrnl+0x15c0/0x15c0
[ 70.026801][ T8517]  ? vsprintf+0x30/0x30
[ 70.030947][ T8517]  ? __sanitizer_cov_trace_cmp4+0x1c/0x70
[ 70.036660][ T8517]  ? set_blocksize+0x1c1/0x3b0
[ 70.041416][ T8517]  mount_bdev+0x34d/0x410
[ 70.045732][ T8517]  ? load_and_init_usnjrnl+0x15c0/0x15c0
[ 70.051353][ T8517]  ? ntfs_rl_punch_nolock+0x1d10/0x1d10
[ 70.056888][ T8517]  legacy_get_tree+0x105/0x220
[ 70.061638][ T8517]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 70.067869][ T8517]  vfs_get_tree+0x89/0x2f0
[ 70.072278][ T8517]  path_mount+0x132a/0x1fa0
[ 70.076797][ T8517]  ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 70.083025][ T8517]  ? strncpy_from_user+0x2a0/0x3e0
[ 70.088126][ T8517]  ? finish_automount+0xaf0/0xaf0
[ 70.093148][ T8517]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 70.099376][ T8517]  ? getname_flags.part.0+0x1dd/0x4f0
[ 70.104734][ T8517]  ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 70.110962][ T8517]  __x64_sys_mount+0x27f/0x300
[ 70.115725][ T8517]  ? copy_mnt_ns+0xae0/0xae0
[ 70.120350][ T8517]  ? syscall_enter_from_user_mode+0x21/0x70
[ 70.126675][ T8517]  do_syscall_64+0x31/0xb0
[ 70.131112][ T8517]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 70.137021][ T8517] RIP: 0033:0x44876a
[ 70.140907][ T8517] Code: 48 c7 c2 c0 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 a8 00 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 70.160509][ T8517] RSP: 002b:00007ffd48f43638 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 70.169003][ T8517] RAX: ffffffffffffffda RBX: 00007ffd48f43690 RCX: 000000000044876a
[ 70.176977][ T8517] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffd48f43650
[ 70.184933][ T8517] RBP: 00007ffd48f43650 R08: 00007ffd48f43690 R09: 0000000000000000
[ 70.192889][ T8517] R10: 0000000000000000 R11: 0000000000000286 R12: 0000000020001fa0
[ 70.200846][ T8517] R13: 0000000000000003 R14: 0000000000000004 R15: 000000000000013c
[ 70.209691][ T8517] Kernel Offset: disabled
[ 70.214016][ T8517] Rebooting in 86400 seconds..