Starting OpenBSD Secure Shell server...
[ OK ] Started Daily apt download activities.
[ OK ] Started Daily apt upgrade and clean activities.
[ OK ] Reached target Timers.
Starting getty on tty2-tty6 if dbus and logind are not available...
[ OK ] Started System Logging Service.
[ OK ] Started Permit User Sessions.
[ 56.294159][ T6562] sshd (6562) used greatest stack depth: 23240 bytes left
[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Started getty on tty2-tty6 if dbus and logind are not available.
[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[ OK ] Started Getty on tty6.
[ OK ] Started Getty on tty5.
[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.82' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 73.025364][ T28] audit: type=1400 audit(1602089989.118:8): avc: denied { execmem } for pid=6872 comm="syz-executor208" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 73.047537][ T6873] ntfs: (device loop0): is_boot_sector_ntfs(): Invalid end of sector marker.
[ 73.060396][ T6873] ntfs: (device loop0): check_mft_mirror(): $MFT and $MFTMirr (record 0) do not match. Run ntfsfix or chkdsk.
[ 73.072185][ T6873] ntfs: (device loop0): load_system_files(): $MFTMirr does not match $MFT. Mounting read-only. Run ntfsfix and/or chkdsk.
[ 73.086265][ T6873] ntfs: (device loop0): map_mft_record_page(): Mft record 0xa is corrupt. Run chkdsk.
[ 73.096296][ T6873] ntfs: (device loop0): map_mft_record(): Failed with error code 5.
[ 73.104614][ T6873] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0xa as bad. Run chkdsk.
executing program
executing program
[ 73.118238][ T6873] ntfs: (device loop0): load_and_init_upcase(): Failed to load $UpCase from the volume. Using default.
[ 73.130429][ T6873] ntfs: (device loop0): map_mft_record_page(): Mft record 0x4 is corrupt. Run chkdsk.
[ 73.140573][ T6873] ntfs: (device loop0): map_mft_record(): Failed with error code 5.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 73.475043][ T6894] ==================================================================
[ 73.483145][ T6894] BUG: KASAN: use-after-free in ntfs_read_locked_inode+0x49dc/0x58b0
[ 73.491210][ T6894] Read of size 8 at addr ffff88808e402e46 by task syz-executor208/6894
[ 73.499451][ T6894]
[ 73.501784][ T6894] CPU: 0 PID: 6894 Comm: syz-executor208 Not tainted 5.9.0-rc8-syzkaller #0
[ 73.510445][ T6894] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 73.520525][ T6894] Call Trace:
[ 73.523820][ T6894] dump_stack+0x198/0x1fd
[ 73.528161][ T6894] ? ntfs_read_locked_inode+0x49dc/0x58b0
[ 73.533885][ T6894] ? ntfs_read_locked_inode+0x49dc/0x58b0
[ 73.539610][ T6894] print_address_description.constprop.0.cold+0xae/0x497
[ 73.546653][ T6894] ? ntfs_read_locked_inode+0x49dc/0x58b0
[ 73.552386][ T6894] ? lockdep_hardirqs_off+0x96/0xd0
[ 73.557591][ T6894] ? vprintk_func+0x95/0x1d4
[ 73.562186][ T6894] ? ntfs_read_locked_inode+0x49dc/0x58b0
[ 73.567908][ T6894] ? ntfs_read_locked_inode+0x49dc/0x58b0
[ 73.573632][ T6894] kasan_report.cold+0x1f/0x37
[ 73.578400][ T6894] ? ntfs_read_locked_inode+0x49dc/0x58b0
[ 73.584123][ T6894] ntfs_read_locked_inode+0x49dc/0x58b0
[ 73.589758][ T6894] ? iget5_locked+0x115/0x220
[ 73.594432][ T6894] ? ntfs_test_inode+0x2f0/0x2f0
[ 73.599369][ T6894] ntfs_iget+0x12d/0x180
[ 73.604575][ T6894] ? ntfs_read_locked_inode+0x58b0/0x58b0
[ 73.610287][ T6894] ? generate_default_upcase+0x451/0x600
[ 73.615904][ T6894] ntfs_fill_super+0xb30/0x8560
[ 73.620771][ T6894] ? load_and_init_usnjrnl+0x1180/0x1180
[ 73.626391][ T6894] ? vsprintf+0x30/0x30
[ 73.630548][ T6894] ? wait_for_completion+0x260/0x260
[ 73.635821][ T6894] ? set_blocksize+0x1c1/0x400
[ 73.640569][ T6894] mount_bdev+0x32e/0x3f0
[ 73.644926][ T6894] ? load_and_init_usnjrnl+0x1180/0x1180
[ 73.650564][ T6894] ? ntfs_rl_punch_nolock+0x1d10/0x1d10
[ 73.656086][ T6894] legacy_get_tree+0x105/0x220
[ 73.660831][ T6894] vfs_get_tree+0x89/0x2f0
[ 73.665231][ T6894] path_mount+0x1387/0x20a0
[ 73.669757][ T6894] ? strncpy_from_user+0x2bf/0x3e0
[ 73.674845][ T6894] ? copy_mount_string+0x40/0x40
[ 73.679760][ T6894] ? getname_flags.part.0+0x1dd/0x4f0
[ 73.685129][ T6894] __x64_sys_mount+0x27f/0x300
[ 73.689875][ T6894] ? copy_mnt_ns+0xa60/0xa60
[ 73.694466][ T6894] ? check_preemption_disabled+0x50/0x130
[ 73.700206][ T6894] ? syscall_enter_from_user_mode+0x1d/0x60
[ 73.706086][ T6894] do_syscall_64+0x2d/0x70
[ 73.710505][ T6894] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 73.716379][ T6894] RIP: 0033:0x4494fa
[ 73.720270][ T6894] Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 7d a3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 5a a3 fb ff c3 66 0f 1f 84 00 00 00 00 00
[ 73.739856][ T6894] RSP: 002b:00007ffd3c1a4dc8 EFLAGS: 00000287 ORIG_RAX: 00000000000000a5
[ 73.748251][ T6894] RAX: ffffffffffffffda RBX: 00007ffd3c1a4e20 RCX: 00000000004494fa
[ 73.756205][ T6894] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffd3c1a4de0
[ 73.764247][ T6894] RBP: 00007ffd3c1a4de0 R08: 00007ffd3c1a4e20 R09: 0000000000000000
[ 73.772201][ T6894] R10: 0000000000000000 R11: 0000000000000287 R12: 00000000000000ab
[ 73.780160][ T6894] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 73.788114][ T6894]
[ 73.790447][ T6894] Allocated by task 6875:
[ 73.794778][ T6894] kasan_save_stack+0x1b/0x40
[ 73.799432][ T6894] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 73.805060][ T6894] __kmalloc+0x1b0/0x360
[ 73.809305][ T6894] tomoyo_realpath_from_path+0xc3/0x620
[ 73.814854][ T6894] tomoyo_path2_perm+0x264/0x6b0
[ 73.819778][ T6894] tomoyo_path_rename+0xd2/0x130
[ 73.824690][ T6894] security_path_rename+0x1b5/0x2e0
[ 73.829880][ T6894] do_renameat2+0x481/0xbf0
[ 73.834369][ T6894] __x64_sys_rename+0x5d/0x80
[ 73.839020][ T6894] do_syscall_64+0x2d/0x70
[ 73.843419][ T6894] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 73.849283][ T6894]
[ 73.851593][ T6894] Freed by task 6875:
[ 73.855549][ T6894] kasan_save_stack+0x1b/0x40
[ 73.860213][ T6894] kasan_set_track+0x1c/0x30
[ 73.864790][ T6894] kasan_set_free_info+0x1b/0x30
[ 73.869748][ T6894] __kasan_slab_free+0xd8/0x120
[ 73.874597][ T6894] kfree+0x10e/0x2b0
[ 73.878470][ T6894] tomoyo_realpath_from_path+0x191/0x620
[ 73.884080][ T6894] tomoyo_path2_perm+0x264/0x6b0
[ 73.889006][ T6894] tomoyo_path_rename+0xd2/0x130
[ 73.893919][ T6894] security_path_rename+0x1b5/0x2e0
[ 73.899092][ T6894] do_renameat2+0x481/0xbf0
[ 73.903573][ T6894] __x64_sys_rename+0x5d/0x80
[ 73.908237][ T6894] do_syscall_64+0x2d/0x70
[ 73.912653][ T6894] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 73.918516][ T6894]
[ 73.920846][ T6894] The buggy address belongs to the object at ffff88808e402000
[ 73.920846][ T6894] which belongs to the cache kmalloc-4k of size 4096
[ 73.934895][ T6894] The buggy address is located 3654 bytes inside of
[ 73.934895][ T6894] 4096-byte region [ffff88808e402000, ffff88808e403000)
[ 73.948341][ T6894] The buggy address belongs to the page:
[ 73.953981][ T6894] page:00000000ec636ae4 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8e402
[ 73.964108][ T6894] head:00000000ec636ae4 order:1 compound_mapcount:0
[ 73.970673][ T6894] flags: 0xfffe0000010200(slab|head)
[ 73.975950][ T6894] raw: 00fffe0000010200 ffffea00024bfe08 ffffea000242b508 ffff8880aa040900
[ 73.984546][ T6894] raw: 0000000000000000 ffff88808e402000 0000000100000001 0000000000000000
[ 73.993365][ T6894] page dumped because: kasan: bad access detected
[ 73.999754][ T6894]
[ 74.002058][ T6894] Memory state around the buggy address:
[ 74.007665][ T6894] ffff88808e402d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.015808][ T6894] ffff88808e402d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.023862][ T6894] >ffff88808e402e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.031914][ T6894]                                            ^
[ 74.038042][ T6894] ffff88808e402e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.046095][ T6894] ffff88808e402f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.054145][ T6894] ==================================================================
[ 74.062194][ T6894] Disabling lock debugging due to kernel taint
[ 74.069388][ T6894] Kernel panic - not syncing: panic_on_warn set ...
[ 74.075980][ T6894] CPU: 0 PID: 6894 Comm: syz-executor208 Tainted: G B 5.9.0-rc8-syzkaller #0
[ 74.086037][ T6894] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 74.096089][ T6894] Call Trace:
[ 74.099388][ T6894] dump_stack+0x198/0x1fd
[ 74.103721][ T6894] ? ntfs_read_locked_inode+0x49c0/0x58b0
[ 74.109428][ T6894] panic+0x382/0x7fb
[ 74.113420][ T6894] ? __warn_printk+0xf3/0xf3
[ 74.118004][ T6894] ? preempt_schedule_common+0x59/0xc0
[ 74.123440][ T6894] ? ntfs_read_locked_inode+0x49dc/0x58b0
[ 74.129155][ T6894] ? preempt_schedule_thunk+0x16/0x18
[ 74.134532][ T6894] ? trace_hardirqs_on+0x55/0x220
[ 74.139534][ T6894] ? ntfs_read_locked_inode+0x49dc/0x58b0
[ 74.145233][ T6894] ? ntfs_read_locked_inode+0x49dc/0x58b0
[ 74.150929][ T6894] end_report+0x4d/0x53
[ 74.155062][ T6894] kasan_report.cold+0xd/0x37
[ 74.159718][ T6894] ? ntfs_read_locked_inode+0x49dc/0x58b0
[ 74.165416][ T6894] ntfs_read_locked_inode+0x49dc/0x58b0
[ 74.170944][ T6894] ? iget5_locked+0x115/0x220
[ 74.175616][ T6894] ? ntfs_test_inode+0x2f0/0x2f0
[ 74.180609][ T6894] ntfs_iget+0x12d/0x180
[ 74.184844][ T6894] ? ntfs_read_locked_inode+0x58b0/0x58b0
[ 74.190548][ T6894] ? generate_default_upcase+0x451/0x600
[ 74.196158][ T6894] ntfs_fill_super+0xb30/0x8560
[ 74.200995][ T6894] ? load_and_init_usnjrnl+0x1180/0x1180
[ 74.206610][ T6894] ? vsprintf+0x30/0x30
[ 74.210751][ T6894] ? wait_for_completion+0x260/0x260
[ 74.216015][ T6894] ? set_blocksize+0x1c1/0x400
[ 74.220756][ T6894] mount_bdev+0x32e/0x3f0
[ 74.225095][ T6894] ? load_and_init_usnjrnl+0x1180/0x1180
[ 74.230715][ T6894] ? ntfs_rl_punch_nolock+0x1d10/0x1d10
[ 74.236305][ T6894] legacy_get_tree+0x105/0x220
[ 74.241053][ T6894] vfs_get_tree+0x89/0x2f0
[ 74.245459][ T6894] path_mount+0x1387/0x20a0
[ 74.250066][ T6894] ? strncpy_from_user+0x2bf/0x3e0
[ 74.255161][ T6894] ? copy_mount_string+0x40/0x40
[ 74.260097][ T6894] ? getname_flags.part.0+0x1dd/0x4f0
[ 74.265459][ T6894] __x64_sys_mount+0x27f/0x300
[ 74.270205][ T6894] ? copy_mnt_ns+0xa60/0xa60
[ 74.274793][ T6894] ? check_preemption_disabled+0x50/0x130
[ 74.280507][ T6894] ? syscall_enter_from_user_mode+0x1d/0x60
[ 74.286499][ T6894] do_syscall_64+0x2d/0x70
[ 74.290901][ T6894] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 74.296776][ T6894] RIP: 0033:0x4494fa
[ 74.300669][ T6894] Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 7d a3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 5a a3 fb ff c3 66 0f 1f 84 00 00 00 00 00
[ 74.320322][ T6894] RSP: 002b:00007ffd3c1a4dc8 EFLAGS: 00000287 ORIG_RAX: 00000000000000a5
[ 74.328745][ T6894] RAX: ffffffffffffffda RBX: 00007ffd3c1a4e20 RCX: 00000000004494fa
[ 74.336718][ T6894] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffd3c1a4de0
[ 74.344702][ T6894] RBP: 00007ffd3c1a4de0 R08: 00007ffd3c1a4e20 R09: 0000000000000000
[ 74.352661][ T6894] R10: 0000000000000000 R11: 0000000000000287 R12: 00000000000000ab
[ 74.360637][ T6894] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 74.369762][ T6894] Kernel Offset: disabled
[ 74.374091][ T6894] Rebooting in 86400 seconds..