[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.39' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 29.699678] ==================================================================
[ 29.707062] BUG: KASAN: use-after-free in ntfs_attr_find+0xacd/0xc20
[ 29.713533] Read of size 2 at addr ffff8880b4046252 by task syz-executor205/7967
[ 29.721051]
[ 29.722671] CPU: 0 PID: 7967 Comm: syz-executor205 Not tainted 4.14.294-syzkaller #0
[ 29.730553] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
[ 29.739907] Call Trace:
[ 29.742477] dump_stack+0x1b2/0x281
[ 29.746089] print_address_description.cold+0x54/0x1d3
[ 29.751343] kasan_report_error.cold+0x8a/0x191
[ 29.755989] ? ntfs_attr_find+0xacd/0xc20
[ 29.760111] __asan_report_load_n_noabort+0x6b/0x80
[ 29.765117] ? ntfs_attr_find+0xacd/0xc20
[ 29.769239] ntfs_attr_find+0xacd/0xc20
[ 29.773190] ntfs_attr_lookup+0xeca/0x1f30
[ 29.777404] ? do_raw_spin_unlock+0x164/0x220
[ 29.781876] ? _raw_spin_unlock+0x29/0x40
[ 29.786006] ? cache_alloc_refill+0x2fa/0x350
[ 29.790527] ? check_preemption_disabled+0x35/0x240
[ 29.795522] ? ntfs_attr_reinit_search_ctx+0x3c0/0x3c0
[ 29.800773] ? kmem_cache_alloc+0x2f8/0x3c0
[ 29.805085] ntfs_read_inode_mount+0x7b1/0x2060
[ 29.809733] ntfs_fill_super+0x9a6/0x7170
[ 29.813859] ? vsnprintf+0x260/0x1340
[ 29.817634] ? pointer+0x9e0/0x9e0
[ 29.821149] ? lock_downgrade+0x740/0x740
[ 29.825270] ? ntfs_big_inode_init_once+0x20/0x20
[ 29.830085] ? snprintf+0xa5/0xd0
[ 29.833511] ? vsprintf+0x30/0x30
[ 29.836944] ? ns_test_super+0x50/0x50
[ 29.840826] ? set_blocksize+0x125/0x380
[ 29.844861] mount_bdev+0x2b3/0x360
[ 29.848461] ? ntfs_big_inode_init_once+0x20/0x20
[ 29.853375] mount_fs+0x92/0x2a0
[ 29.856719] vfs_kern_mount.part.0+0x5b/0x470
[ 29.861203] do_mount+0xe65/0x2a30
[ 29.864718] ? copy_mount_string+0x40/0x40
[ 29.868932] ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 29.873925] ? copy_mnt_ns+0xa30/0xa30
[ 29.877786] ? copy_mount_options+0x1fa/0x2f0
[ 29.882255] ? copy_mnt_ns+0xa30/0xa30
[ 29.886116] SyS_mount+0xa8/0x120
[ 29.889547] ? copy_mnt_ns+0xa30/0xa30
[ 29.893421] do_syscall_64+0x1d5/0x640
[ 29.897284] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 29.902460] RIP: 0033:0x7f8917d0029a
[ 29.906144] RSP: 002b:00007ffd29875298 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 29.913826] RAX: ffffffffffffffda RBX: 00007ffd298752f0 RCX: 00007f8917d0029a
[ 29.921070] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffd298752b0
[ 29.928312] RBP: 00007ffd298752b0 R08: 00007ffd298752f0 R09: 0000000000000000
[ 29.935553] R10: 0000000000000000 R11: 0000000000000286 R12: 0000000020000e30
[ 29.942794] R13: 0000000000000003 R14: 0000000000000004 R15: 0000000000000082
[ 29.950039]
[ 29.951655] Allocated by task 1:
[ 29.954998] kasan_kmalloc+0xeb/0x160
[ 29.958773] kmem_cache_alloc+0x124/0x3c0
[ 29.962893] getname_flags+0xc8/0x550
[ 29.966681] do_sys_open+0x1ce/0x410
[ 29.970367] do_syscall_64+0x1d5/0x640
[ 29.974228] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 29.979385]
[ 29.981001] Freed by task 1:
[ 29.984000] kasan_slab_free+0xc3/0x1a0
[ 29.987950] kmem_cache_free+0x7c/0x2b0
[ 29.991893] putname+0xcd/0x110
[ 29.995163] do_sys_open+0x203/0x410
[ 29.998849] do_syscall_64+0x1d5/0x640
[ 30.002712] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 30.007871]
[ 30.009471] The buggy address belongs to the object at ffff8880b4046000
[ 30.009471] which belongs to the cache names_cache of size 4096
[ 30.022187] The buggy address is located 594 bytes inside of
[ 30.022187] 4096-byte region [ffff8880b4046000, ffff8880b4047000)
[ 30.034127] The buggy address belongs to the page:
[ 30.039037] page:ffffea0002d01180 count:1 mapcount:0 mapping:ffff8880b4046000 index:0x0 compound_mapcount: 0
[ 30.048972] flags: 0xfff00000008100(slab|head)
[ 30.053525] raw: 00fff00000008100 ffff8880b4046000 0000000000000000 0000000100000001
[ 30.061383] raw: ffffea0002d28420 ffffea00025b14a0 ffff88823f8c1200 0000000000000000
[ 30.069238] page dumped because: kasan: bad access detected
[ 30.074920]
[ 30.076517] Memory state around the buggy address:
[ 30.081431] ffff8880b4046100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.088760] ffff8880b4046180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.096097] >ffff8880b4046200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.103441]                                                  ^
[ 30.109483] ffff8880b4046280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.116814] ffff8880b4046300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.124145] ==================================================================
[ 30.131475] Disabling lock debugging due to kernel taint
[ 30.139230] Kernel panic - not syncing: panic_on_warn set ...
[ 30.139230]
[ 30.146599] CPU: 1 PID: 7967 Comm: syz-executor205 Tainted: G B 4.14.294-syzkaller #0
[ 30.155677] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
[ 30.165017] Call Trace:
[ 30.167580] dump_stack+0x1b2/0x281
[ 30.171191] panic+0x1f9/0x42d
[ 30.174361] ? add_taint.cold+0x16/0x16
[ 30.178324] ? ___preempt_schedule+0x16/0x18
[ 30.182708] kasan_end_report+0x43/0x49
[ 30.186657] kasan_report_error.cold+0xa7/0x191
[ 30.191303] ? ntfs_attr_find+0xacd/0xc20
[ 30.195426] __asan_report_load_n_noabort+0x6b/0x80
[ 30.200416] ? ntfs_attr_find+0xacd/0xc20
[ 30.204598] ntfs_attr_find+0xacd/0xc20
[ 30.208561] ntfs_attr_lookup+0xeca/0x1f30
[ 30.212782] ? do_raw_spin_unlock+0x164/0x220
[ 30.217272] ? _raw_spin_unlock+0x29/0x40
[ 30.221398] ? cache_alloc_refill+0x2fa/0x350
[ 30.225871] ? check_preemption_disabled+0x35/0x240
[ 30.230863] ? ntfs_attr_reinit_search_ctx+0x3c0/0x3c0
[ 30.236113] ? kmem_cache_alloc+0x2f8/0x3c0
[ 30.240407] ntfs_read_inode_mount+0x7b1/0x2060
[ 30.245050] ntfs_fill_super+0x9a6/0x7170
[ 30.249200] ? vsnprintf+0x260/0x1340
[ 30.252978] ? pointer+0x9e0/0x9e0
[ 30.256489] ? lock_downgrade+0x740/0x740
[ 30.260612] ? ntfs_big_inode_init_once+0x20/0x20
[ 30.265601] ? snprintf+0xa5/0xd0
[ 30.269027] ? vsprintf+0x30/0x30
[ 30.272454] ? ns_test_super+0x50/0x50
[ 30.276321] ? set_blocksize+0x125/0x380
[ 30.280375] mount_bdev+0x2b3/0x360
[ 30.284030] ? ntfs_big_inode_init_once+0x20/0x20
[ 30.288858] mount_fs+0x92/0x2a0
[ 30.292204] vfs_kern_mount.part.0+0x5b/0x470
[ 30.296677] do_mount+0xe65/0x2a30
[ 30.300211] ? copy_mount_string+0x40/0x40
[ 30.304425] ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 30.309416] ? copy_mnt_ns+0xa30/0xa30
[ 30.313277] ? copy_mount_options+0x1fa/0x2f0
[ 30.317749] ? copy_mnt_ns+0xa30/0xa30
[ 30.321613] SyS_mount+0xa8/0x120
[ 30.325039] ? copy_mnt_ns+0xa30/0xa30
[ 30.328906] do_syscall_64+0x1d5/0x640
[ 30.332785] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 30.337960] RIP: 0033:0x7f8917d0029a
[ 30.341714] RSP: 002b:00007ffd29875298 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 30.349394] RAX: ffffffffffffffda RBX: 00007ffd298752f0 RCX: 00007f8917d0029a
[ 30.356634] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffd298752b0
[ 30.363873] RBP: 00007ffd298752b0 R08: 00007ffd298752f0 R09: 0000000000000000
[ 30.371207] R10: 0000000000000000 R11: 0000000000000286 R12: 0000000020000e30
[ 30.378447] R13: 0000000000000003 R14: 0000000000000004 R15: 0000000000000082
[ 30.385898] Kernel Offset: disabled
[ 30.389513] Rebooting in 86400 seconds..