Warning: Permanently added '10.128.0.86' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 42.927966] audit: type=1400 audit(1600640075.163:8): avc: denied { execmem } for pid=6351 comm="syz-executor267" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 42.935530] ntfs: (device loop0): is_boot_sector_ntfs(): Invalid end of sector marker.
[ 42.963244] ntfs: (device loop0): check_mft_mirror(): $MFT and $MFTMirr (record 0) do not match. Run ntfsfix or chkdsk.
[ 42.974468] ntfs: (device loop0): load_system_files(): $MFTMirr does not match $MFT. Mounting read-only. Run ntfsfix and/or chkdsk.
[ 42.989594] ntfs: (device loop0): map_mft_record_page(): Mft record 0xa is corrupt. Run chkdsk.
[ 42.998927] ntfs: (device loop0): map_mft_record(): Failed with error code 5.
[ 43.006348] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0xa as bad. Run chkdsk.
executing program
[ 43.018628] ntfs: (device loop0): load_and_init_upcase(): Failed to load $UpCase from the volume. Using default.
[ 43.029448] ntfs: (device loop0): map_mft_record_page(): Mft record 0x4 is corrupt. Run chkdsk.
[ 43.038471] ntfs: (device loop0): map_mft_record(): Failed with error code 5.
[ 43.095352] ==================================================================
[ 43.102738] BUG: KASAN: use-after-free in ntfs_read_locked_inode+0x425a/0x5000
[ 43.110090] Read of size 8 at addr ffff88808093ee46 by task syz-executor267/6358
[ 43.117636]
[ 43.119257] CPU: 1 PID: 6358 Comm: syz-executor267 Not tainted 4.14.198-syzkaller #0
[ 43.127194] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.136533] Call Trace:
[ 43.139100]  dump_stack+0x1b2/0x283
[ 43.142706]  print_address_description.cold+0x54/0x1d3
[ 43.147957]  kasan_report_error.cold+0x8a/0x194
[ 43.152600]  ? ntfs_read_locked_inode+0x425a/0x5000
[ 43.157587]  __asan_report_load_n_noabort+0x6b/0x80
[ 43.162574]  ? ntfs_read_locked_inode+0x425a/0x5000
[ 43.167607]  ntfs_read_locked_inode+0x425a/0x5000
[ 43.172431]  ? _raw_spin_unlock+0x29/0x40
[ 43.176550]  ? iget5_locked+0x129/0x450
[ 43.180544]  ? ntfs_index_lookup+0x2780/0x2780
[ 43.185138]  ntfs_iget+0xfa/0x130
[ 43.188564]  ? ntfs_read_locked_inode+0x5000/0x5000
[ 43.193566]  ntfs_fill_super+0xa5a/0x7170
[ 43.197721]  ? vsnprintf+0x260/0x1340
[ 43.201528]  ? pointer+0x9e0/0x9e0
[ 43.205103]  ? lock_downgrade+0x740/0x740
[ 43.209221]  ? ntfs_big_inode_init_once+0x20/0x20
[ 43.214076]  ? snprintf+0xa5/0xd0
[ 43.217516]  ? vsprintf+0x30/0x30
[ 43.220953]  ? ns_test_super+0x50/0x50
[ 43.224815]  ? set_blocksize+0x125/0x380
[ 43.228850]  mount_bdev+0x2b3/0x360
[ 43.232459]  ? ntfs_big_inode_init_once+0x20/0x20
[ 43.237298]  mount_fs+0x92/0x2a0
[ 43.240637]  vfs_kern_mount.part.0+0x5b/0x470
[ 43.245104]  do_mount+0xe53/0x2a00
[ 43.248615]  ? copy_mount_string+0x40/0x40
[ 43.252837]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 43.257825]  ? copy_mnt_ns+0xa30/0xa30
[ 43.261694]  ? copy_mount_options+0x1fa/0x2f0
[ 43.266170]  ? copy_mnt_ns+0xa30/0xa30
[ 43.270043]  SyS_mount+0xa8/0x120
[ 43.273469]  ? copy_mnt_ns+0xa30/0xa30
[ 43.277327]  do_syscall_64+0x1d5/0x640
[ 43.281189]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 43.286366] RIP: 0033:0x4494fa
[ 43.289539] RSP: 002b:00007ffdddd0a7a8 EFLAGS: 00000287 ORIG_RAX: 00000000000000a5
[ 43.297218] RAX: ffffffffffffffda RBX: 00007ffdddd0a800 RCX: 00000000004494fa
[ 43.304460] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffdddd0a7c0
[ 43.311724] RBP: 00007ffdddd0a7c0 R08: 00007ffdddd0a800 R09: 0000000000000000
[ 43.318987] R10: 0000000000000000 R11: 0000000000000287 R12: 00000000000000ab
[ 43.326228] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 43.333487]
[ 43.335085] The buggy address belongs to the page:
[ 43.339998] page:ffffea0002024f80 count:0 mapcount:0 mapping: (null) index:0x1
[ 43.348119] flags: 0xfffe0000000000()
[ 43.351891] raw: 00fffe0000000000 0000000000000000 0000000000000001 00000000ffffffff
[ 43.359743] raw: ffffea0002025320 ffffea00020e4aa0 0000000000000000 0000000000000000
[ 43.367593] page dumped because: kasan: bad access detected
[ 43.373273]
[ 43.374870] Memory state around the buggy address:
[ 43.379779]  ffff88808093ed00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 43.387123]  ffff88808093ed80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 43.402873] >ffff88808093ee00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 43.410205]                                            ^
[ 43.415755]  ffff88808093ee80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 43.423092]  ffff88808093ef00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 43.430420] ==================================================================
[ 43.437763] Disabling lock debugging due to kernel taint
[ 43.443590] Kernel panic - not syncing: panic_on_warn set ...
[ 43.443590]
[ 43.450951] CPU: 1 PID: 6358 Comm: syz-executor267 Tainted: G B 4.14.198-syzkaller #0
[ 43.460064] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.469426] Call Trace:
[ 43.471991]  dump_stack+0x1b2/0x283
[ 43.475608]  panic+0x1f9/0x42d
[ 43.478774]  ? add_taint.cold+0x16/0x16
[ 43.482723]  ? ___preempt_schedule+0x16/0x18
[ 43.487125]  kasan_end_report+0x43/0x49
[ 43.491072]  kasan_report_error.cold+0xa7/0x194
[ 43.495715]  ? ntfs_read_locked_inode+0x425a/0x5000
[ 43.500715]  __asan_report_load_n_noabort+0x6b/0x80
[ 43.505710]  ? ntfs_read_locked_inode+0x425a/0x5000
[ 43.510699]  ntfs_read_locked_inode+0x425a/0x5000
[ 43.515533]  ? _raw_spin_unlock+0x29/0x40
[ 43.519653]  ? iget5_locked+0x129/0x450
[ 43.523598]  ? ntfs_index_lookup+0x2780/0x2780
[ 43.528153]  ntfs_iget+0xfa/0x130
[ 43.531582]  ? ntfs_read_locked_inode+0x5000/0x5000
[ 43.536692]  ntfs_fill_super+0xa5a/0x7170
[ 43.540812]  ? vsnprintf+0x260/0x1340
[ 43.544604]  ? pointer+0x9e0/0x9e0
[ 43.548127]  ? lock_downgrade+0x740/0x740
[ 43.552262]  ? ntfs_big_inode_init_once+0x20/0x20
[ 43.557078]  ? snprintf+0xa5/0xd0
[ 43.560501]  ? vsprintf+0x30/0x30
[ 43.563928]  ? ns_test_super+0x50/0x50
[ 43.567814]  ? set_blocksize+0x125/0x380
[ 43.571849]  mount_bdev+0x2b3/0x360
[ 43.575451]  ? ntfs_big_inode_init_once+0x20/0x20
[ 43.580272]  mount_fs+0x92/0x2a0
[ 43.583746]  vfs_kern_mount.part.0+0x5b/0x470
[ 43.588218]  do_mount+0xe53/0x2a00
[ 43.591748]  ? copy_mount_string+0x40/0x40
[ 43.595980]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 43.600976]  ? copy_mnt_ns+0xa30/0xa30
[ 43.604838]  ? copy_mount_options+0x1fa/0x2f0
[ 43.609306]  ? copy_mnt_ns+0xa30/0xa30
[ 43.613184]  SyS_mount+0xa8/0x120
[ 43.616609]  ? copy_mnt_ns+0xa30/0xa30
[ 43.620478]  do_syscall_64+0x1d5/0x640
[ 43.624350]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 43.629511] RIP: 0033:0x4494fa
[ 43.632674] RSP: 002b:00007ffdddd0a7a8 EFLAGS: 00000287 ORIG_RAX: 00000000000000a5
[ 43.640350] RAX: ffffffffffffffda RBX: 00007ffdddd0a800 RCX: 00000000004494fa
[ 43.647605] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffdddd0a7c0
[ 43.654867] RBP: 00007ffdddd0a7c0 R08: 00007ffdddd0a800 R09: 0000000000000000
[ 43.662110] R10: 0000000000000000 R11: 0000000000000287 R12: 00000000000000ab
[ 43.669368] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 43.678047] Kernel Offset: disabled
[ 43.681658] Rebooting in 86400 seconds..