[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.127' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 36.470475] IPVS: ftp: loaded support on port[0] = 21
[ 36.506601] ntfs: (device loop0): is_boot_sector_ntfs(): Invalid end of sector marker.
[ 36.515740] ==================================================================
[ 36.523115] BUG: KASAN: use-after-free in ntfs_attr_find+0x9db/0xb10
[ 36.529607] Read of size 4 at addr ffff88809ea34c13 by task syz-executor686/8083
[ 36.537132]
[ 36.538777] CPU: 0 PID: 8083 Comm: syz-executor686 Not tainted 4.19.152-syzkaller #0
[ 36.546658] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.555992] Call Trace:
[ 36.558585]  dump_stack+0x1fc/0x2fe
[ 36.562214]  print_address_description.cold+0x54/0x219
[ 36.567836]  kasan_report_error.cold+0x8a/0x1c7
[ 36.572493]  ? ntfs_attr_find+0x9db/0xb10
[ 36.576622]  __asan_report_load_n_noabort+0x8b/0xa0
[ 36.581630]  ? ntfs_attr_find+0x9db/0xb10
[ 36.585757]  ntfs_attr_find+0x9db/0xb10
[ 36.589713]  ntfs_attr_lookup+0x1020/0x1f90
[ 36.594014]  ? lock_downgrade+0x720/0x720
[ 36.598142]  ? do_raw_spin_unlock+0x171/0x230
[ 36.602617]  ? _raw_spin_unlock+0x29/0x40
[ 36.606758]  ? cache_alloc_refill+0x2f8/0x340
[ 36.611333]  ? ntfs_attr_reinit_search_ctx+0x3c0/0x3c0
[ 36.616595]  ? kmem_cache_alloc+0x2e1/0x370
[ 36.621025]  ntfs_read_inode_mount+0x6fa/0x2200
[ 36.625691]  ntfs_fill_super+0xa16/0x7e10
[ 36.629837]  ? pointer+0x850/0x850
[ 36.633373]  ? lock_downgrade+0x720/0x720
[ 36.637503]  ? ntfs_big_inode_init_once+0x20/0x20
[ 36.642338]  ? vsprintf+0x30/0x30
[ 36.645770]  ? wait_for_completion_io+0x10/0x10
[ 36.650421]  ? set_blocksize+0x163/0x3f0
[ 36.654462]  mount_bdev+0x2fc/0x3b0
[ 36.658091]  ? ntfs_big_inode_init_once+0x20/0x20
[ 36.662927]  mount_fs+0xa3/0x30c
[ 36.666293]  vfs_kern_mount.part.0+0x68/0x470
[ 36.670768]  do_mount+0x113c/0x2f10
[ 36.674395]  ? cmp_ex_sort+0xc0/0xc0
[ 36.678102]  ? __do_page_fault+0x180/0xd60
[ 36.682322]  ? copy_mount_string+0x40/0x40
[ 36.687151]  ? copy_mount_options+0x1cd/0x380
[ 36.691672]  ? memset+0x20/0x40
[ 36.694932]  ? copy_mount_options+0x26f/0x380
[ 36.699408]  ksys_mount+0xcf/0x130
[ 36.702928]  __x64_sys_mount+0xba/0x150
[ 36.706885]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 36.711448]  do_syscall_64+0xf9/0x620
[ 36.715231]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 36.720425] RIP: 0033:0x4474fa
[ 36.723597] Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 1d aa fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 fa a9 fb ff c3 66 0f 1f 84 00 00 00 00 00
[ 36.742489] RSP: 002b:00007fff5c32e2d8 EFLAGS: 00000287 ORIG_RAX: 00000000000000a5
[ 36.750191] RAX: ffffffffffffffda RBX: 00007fff5c32e330 RCX: 00000000004474fa
[ 36.758500] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fff5c32e2f0
[ 36.765748] RBP: 0000000000000004 R08: 00007fff5c32e330 R09: 00007fff5c32e320
[ 36.772997] R10: 0000000000000000 R11: 0000000000000287 R12: 0000000000000003
[ 36.780246] R13: 00007fff5c32e2f0 R14: 0000000000000000 R15: 0000000020000240
[ 36.787497]
[ 36.789112] Allocated by task 8056:
[ 36.792732]  kmem_cache_alloc+0x122/0x370
[ 36.796879]  getname_flags+0xce/0x590
[ 36.801209]  user_path_at_empty+0x2a/0x50
[ 36.805341]  vfs_statx+0x113/0x210
[ 36.808867]  __se_sys_newstat+0x96/0x120
[ 36.812917]  do_syscall_64+0xf9/0x620
[ 36.816699]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 36.821869]
[ 36.823471] Freed by task 8056:
[ 36.826736]  kmem_cache_free+0x7f/0x260
[ 36.830689]  putname+0xe1/0x120
[ 36.833955]  filename_lookup+0x3d0/0x5a0
[ 36.838079]  vfs_statx+0x113/0x210
[ 36.841707]  __se_sys_newstat+0x96/0x120
[ 36.845761]  do_syscall_64+0xf9/0x620
[ 36.849544]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 36.854706]
[ 36.856308] The buggy address belongs to the object at ffff88809ea34b80
[ 36.856308]  which belongs to the cache names_cache of size 4096
[ 36.869045] The buggy address is located 147 bytes inside of
[ 36.869045]  4096-byte region [ffff88809ea34b80, ffff88809ea35b80)
[ 36.880992] The buggy address belongs to the page:
[ 36.885899] page:ffffea00027a8d00 count:1 mapcount:0 mapping:ffff88813be83e40 index:0x0 compound_mapcount: 0
[ 36.895854] flags: 0xfff00000008100(slab|head)
[ 36.900434] raw: 00fff00000008100 ffffea00027a8d88 ffffea00027a8c08 ffff88813be83e40
[ 36.908292] raw: 0000000000000000 ffff88809ea34b80 0000000100000001 0000000000000000
[ 36.916232] page dumped because: kasan: bad access detected
[ 36.921925]
[ 36.923533] Memory state around the buggy address:
[ 36.928443]  ffff88809ea34b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 36.935790]  ffff88809ea34b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.943126] >ffff88809ea34c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.950469]                          ^
[ 36.954336]  ffff88809ea34c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.961676]  ffff88809ea34d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.969019] ==================================================================
[ 36.976350] Disabling lock debugging due to kernel taint
[ 36.985926] Kernel panic - not syncing: panic_on_warn set ...
[ 36.985926]
[ 36.993424] CPU: 0 PID: 8083 Comm: syz-executor686 Tainted: G    B     4.19.152-syzkaller #0
[ 37.002688] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.012034] Call Trace:
[ 37.014653]  dump_stack+0x1fc/0x2fe
[ 37.018274]  panic+0x26a/0x50e
[ 37.021469]  ? __warn_printk+0xf3/0xf3
[ 37.025340]  ? preempt_schedule_common+0x45/0xc0
[ 37.030076]  ? ___preempt_schedule+0x16/0x18
[ 37.034463]  ? trace_hardirqs_on+0x55/0x210
[ 37.038778]  kasan_end_report+0x43/0x49
[ 37.042750]  kasan_report_error.cold+0xa7/0x1c7
[ 37.047413]  ? ntfs_attr_find+0x9db/0xb10
[ 37.051540]  __asan_report_load_n_noabort+0x8b/0xa0
[ 37.056542]  ? ntfs_attr_find+0x9db/0xb10
[ 37.060703]  ntfs_attr_find+0x9db/0xb10
[ 37.064659]  ntfs_attr_lookup+0x1020/0x1f90
[ 37.068960]  ? lock_downgrade+0x720/0x720
[ 37.073100]  ? do_raw_spin_unlock+0x171/0x230
[ 37.077596]  ? _raw_spin_unlock+0x29/0x40
[ 37.081734]  ? cache_alloc_refill+0x2f8/0x340
[ 37.086218]  ? ntfs_attr_reinit_search_ctx+0x3c0/0x3c0
[ 37.091471]  ? kmem_cache_alloc+0x2e1/0x370
[ 37.095771]  ntfs_read_inode_mount+0x6fa/0x2200
[ 37.100419]  ntfs_fill_super+0xa16/0x7e10
[ 37.104562]  ? pointer+0x850/0x850
[ 37.108081]  ? lock_downgrade+0x720/0x720
[ 37.112221]  ? ntfs_big_inode_init_once+0x20/0x20
[ 37.117042]  ? vsprintf+0x30/0x30
[ 37.120473]  ? wait_for_completion_io+0x10/0x10
[ 37.125159]  ? set_blocksize+0x163/0x3f0
[ 37.129225]  mount_bdev+0x2fc/0x3b0
[ 37.132839]  ? ntfs_big_inode_init_once+0x20/0x20
[ 37.137683]  mount_fs+0xa3/0x30c
[ 37.141038]  vfs_kern_mount.part.0+0x68/0x470
[ 37.145515]  do_mount+0x113c/0x2f10
[ 37.149121]  ? cmp_ex_sort+0xc0/0xc0
[ 37.152937]  ? __do_page_fault+0x180/0xd60
[ 37.157152]  ? copy_mount_string+0x40/0x40
[ 37.161388]  ? copy_mount_options+0x1cd/0x380
[ 37.165866]  ? memset+0x20/0x40
[ 37.169127]  ? copy_mount_options+0x26f/0x380
[ 37.173613]  ksys_mount+0xcf/0x130
[ 37.177154]  __x64_sys_mount+0xba/0x150
[ 37.181120]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 37.185680]  do_syscall_64+0xf9/0x620
[ 37.189465]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 37.194631] RIP: 0033:0x4474fa
[ 37.197802] Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 1d aa fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 fa a9 fb ff c3 66 0f 1f 84 00 00 00 00 00
[ 37.216701] RSP: 002b:00007fff5c32e2d8 EFLAGS: 00000287 ORIG_RAX: 00000000000000a5
[ 37.224400] RAX: ffffffffffffffda RBX: 00007fff5c32e330 RCX: 00000000004474fa
[ 37.231647] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fff5c32e2f0
[ 37.238913] RBP: 0000000000000004 R08: 00007fff5c32e330 R09: 00007fff5c32e320
[ 37.246172] R10: 0000000000000000 R11: 0000000000000287 R12: 0000000000000003
[ 37.253430] R13: 00007fff5c32e2f0 R14: 0000000000000000 R15: 0000000020000240
[ 37.261258] Kernel Offset: disabled
[ 37.264878] Rebooting in 86400 seconds..