[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.43' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 33.112591] audit: type=1400 audit(1601359305.430:8): avc: denied { execmem } for pid=6341 comm="syz-executor300" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 33.143619] ntfs: (device loop0): is_boot_sector_ntfs(): Invalid end of sector marker.
[ 33.155830] ntfs: (device loop0): map_mft_record_page(): Mft record 0x1 is corrupt. Run chkdsk.
[ 33.165218] ntfs: (device loop0): map_mft_record(): Failed with error code 5.
[ 33.183330] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x1 as bad. Run chkdsk.
[ 33.195638] ntfs: (device loop0): load_system_files(): Failed to load $MFTMirr. Mounting read-only. Run ntfsfix and/or chkdsk.
[ 33.208225] ntfs: (device loop0): map_mft_record_page(): Mft record 0xa is corrupt. Run chkdsk.
[ 33.217310] ntfs: (device loop0): map_mft_record(): Failed with error code 5.
[ 33.225542] ntfs: (device loop0): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0xa as bad. Run chkdsk.
[ 33.237943] ntfs: (device loop0): load_and_init_upcase(): Failed to load $UpCase from the volume. Using default.
[ 33.249074] ntfs: volume version 3.1.
executing program
[ 33.307594] ntfs: volume version 3.1.
executing program
executing program
executing program
[ 33.365629] ntfs: volume version 3.1.
executing program
[ 33.424731] ntfs: volume version 3.1.
[ 33.428762] ==================================================================
[ 33.436137] BUG: KASAN: use-after-free in ntfs_are_names_equal+0x143/0x150
[ 33.443152] Read of size 2 at addr ffff888080ff6ee8 by task syz-executor300/6360
[ 33.450685]
[ 33.452324] CPU: 1 PID: 6360 Comm: syz-executor300 Not tainted 4.14.198-syzkaller #0
[ 33.460203] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.469661] Call Trace:
[ 33.472259] dump_stack+0x1b2/0x283
[ 33.476008] print_address_description.cold+0x54/0x1d3
[ 33.481299] kasan_report_error.cold+0x8a/0x194
[ 33.486301] ? ntfs_are_names_equal+0x143/0x150
[ 33.490985] __asan_report_load2_noabort+0x68/0x70
[ 33.495931] ? ntfs_are_names_equal+0x143/0x150
[ 33.500614] ntfs_are_names_equal+0x143/0x150
[ 33.505288] ntfs_attr_find+0x36f/0xa10
[ 33.509285] ntfs_attr_lookup+0xeca/0x1f30
[ 33.513531] ? do_read_cache_page+0xcd/0xbb0
[ 33.518356] ? ntfs_end_buffer_async_read+0x1040/0x1040
[ 33.523708] ? check_preemption_disabled+0x35/0x240
[ 33.529187] ? ntfs_attr_reinit_search_ctx+0x3c0/0x3c0
[ 33.534482] ? kmem_cache_alloc+0x2f8/0x3c0
[ 33.538800] ntfs_attr_iget+0x641/0x2180
[ 33.542847] ? __ntfs_init_inode+0x4f0/0x4f0
[ 33.547579] ? kmem_cache_alloc+0x2f8/0x3c0
[ 33.551898] ntfs_read_locked_inode+0x24a2/0x5000
[ 33.556787] ? iget5_locked+0x129/0x450
[ 33.560853] ? ntfs_index_lookup+0x2780/0x2780
[ 33.565560] ntfs_iget+0xfa/0x130
[ 33.569012] ? ntfs_read_locked_inode+0x5000/0x5000
[ 33.574023] ? destroy_inode+0xb9/0x110
[ 33.578010] ? kfree+0x11d/0x250
[ 33.581381] ntfs_fill_super+0x4caf/0x7170
[ 33.585921] ? lock_downgrade+0x740/0x740
[ 33.590133] ? ntfs_big_inode_init_once+0x20/0x20
[ 33.595096] ? vsprintf+0x30/0x30
[ 33.598836] ? ns_test_super+0x50/0x50
[ 33.602731] ? set_blocksize+0x125/0x380
[ 33.606840] mount_bdev+0x2b3/0x360
[ 33.610467] ? ntfs_big_inode_init_once+0x20/0x20
[ 33.615422] mount_fs+0x92/0x2a0
[ 33.618882] vfs_kern_mount.part.0+0x5b/0x470
[ 33.623446] do_mount+0xe53/0x2a00
[ 33.626990] ? copy_mount_string+0x40/0x40
[ 33.631225] ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 33.636248] ? copy_mnt_ns+0xa30/0xa30
[ 33.640138] ? copy_mount_options+0x1fa/0x2f0
[ 33.644628] ? copy_mnt_ns+0xa30/0xa30
[ 33.648499] SyS_mount+0xa8/0x120
[ 33.652144] ? copy_mnt_ns+0xa30/0xa30
[ 33.656029] do_syscall_64+0x1d5/0x640
[ 33.659903] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 33.665074] RIP: 0033:0x44955a
[ 33.668254] RSP: 002b:00007fff358d5f58 EFLAGS: 00000287 ORIG_RAX: 00000000000000a5
[ 33.675935] RAX: ffffffffffffffda RBX: 00007fff358d5fb0 RCX: 000000000044955a
[ 33.683181] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fff358d5f70
[ 33.690616] RBP: 00007fff358d5f70 R08: 00007fff358d5fb0 R09: 0000000000000000
[ 33.697909] R10: 0000000000000000 R11: 0000000000000287 R12: 00000000000000ab
[ 33.705163] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 33.712423]
[ 33.714033] The buggy address belongs to the page:
[ 33.718952] page:ffffea000203fd80 count:1 mapcount:0 mapping:ffff888094cfd848 index:0x7f7e
[ 33.727348] flags: 0xfffe000004003c(referenced|uptodate|dirty|lru|swapbacked)
[ 33.734607] raw: 00fffe000004003c ffff888094cfd848 0000000000007f7e 00000001ffffffff
[ 33.742482] raw: ffffea00020f74a0 ffffea00020e7720 0000000000000000 ffff8880aa3f6a40
[ 33.750349] page dumped because: kasan: bad access detected
[ 33.756048] page->mem_cgroup:ffff8880aa3f6a40
[ 33.760518]
[ 33.762119] Memory state around the buggy address:
[ 33.767041] ffff888080ff6d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 33.774381] ffff888080ff6e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 33.781739] >ffff888080ff6e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 33.789120] ^
[ 33.795858] ffff888080ff6f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 33.803284] ffff888080ff6f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 33.810614] ==================================================================
[ 33.817967] Disabling lock debugging due to kernel taint
[ 33.823998] Kernel panic - not syncing: panic_on_warn set ...
[ 33.823998]
[ 33.831363] CPU: 1 PID: 6360 Comm: syz-executor300 Tainted: G B 4.14.198-syzkaller #0
[ 33.840485] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.850009] Call Trace:
[ 33.852582] dump_stack+0x1b2/0x283
[ 33.856191] panic+0x1f9/0x42d
[ 33.859403] ? add_taint.cold+0x16/0x16
[ 33.863373] ? ___preempt_schedule+0x16/0x18
[ 33.867789] kasan_end_report+0x43/0x49
[ 33.871921] kasan_report_error.cold+0xa7/0x194
[ 33.876597] ? ntfs_are_names_equal+0x143/0x150
[ 33.881247] __asan_report_load2_noabort+0x68/0x70
[ 33.886259] ? ntfs_are_names_equal+0x143/0x150
[ 33.892278] ntfs_are_names_equal+0x143/0x150
[ 33.896771] ntfs_attr_find+0x36f/0xa10
[ 33.900733] ntfs_attr_lookup+0xeca/0x1f30
[ 33.904951] ? do_read_cache_page+0xcd/0xbb0
[ 33.910382] ? ntfs_end_buffer_async_read+0x1040/0x1040
[ 33.915732] ? check_preemption_disabled+0x35/0x240
[ 33.920729] ? ntfs_attr_reinit_search_ctx+0x3c0/0x3c0
[ 33.926000] ? kmem_cache_alloc+0x2f8/0x3c0
[ 33.930300] ntfs_attr_iget+0x641/0x2180
[ 33.934340] ? __ntfs_init_inode+0x4f0/0x4f0
[ 33.938724] ? kmem_cache_alloc+0x2f8/0x3c0
[ 33.943108] ntfs_read_locked_inode+0x24a2/0x5000
[ 33.947928] ? iget5_locked+0x129/0x450
[ 33.951877] ? ntfs_index_lookup+0x2780/0x2780
[ 33.956456] ntfs_iget+0xfa/0x130
[ 33.959903] ? ntfs_read_locked_inode+0x5000/0x5000
[ 33.964912] ? destroy_inode+0xb9/0x110
[ 33.968881] ? kfree+0x11d/0x250
[ 33.972224] ntfs_fill_super+0x4caf/0x7170
[ 33.976441] ? lock_downgrade+0x740/0x740
[ 33.980563] ? ntfs_big_inode_init_once+0x20/0x20
[ 33.985385] ? vsprintf+0x30/0x30
[ 33.988814] ? ns_test_super+0x50/0x50
[ 33.992743] ? set_blocksize+0x125/0x380
[ 33.996826] mount_bdev+0x2b3/0x360
[ 34.000440] ? ntfs_big_inode_init_once+0x20/0x20
[ 34.005268] mount_fs+0x92/0x2a0
[ 34.008622] vfs_kern_mount.part.0+0x5b/0x470
[ 34.013101] do_mount+0xe53/0x2a00
[ 34.016642] ? copy_mount_string+0x40/0x40
[ 34.020966] ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 34.026125] ? copy_mnt_ns+0xa30/0xa30
[ 34.030058] ? copy_mount_options+0x1fa/0x2f0
[ 34.034551] ? copy_mnt_ns+0xa30/0xa30
[ 34.038522] SyS_mount+0xa8/0x120
[ 34.041953] ? copy_mnt_ns+0xa30/0xa30
[ 34.045820] do_syscall_64+0x1d5/0x640
[ 34.050302] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 34.055625] RIP: 0033:0x44955a
[ 34.058794] RSP: 002b:00007fff358d5f58 EFLAGS: 00000287 ORIG_RAX: 00000000000000a5
[ 34.066596] RAX: ffffffffffffffda RBX: 00007fff358d5fb0 RCX: 000000000044955a
[ 34.073983] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fff358d5f70
[ 34.081234] RBP: 00007fff358d5f70 R08: 00007fff358d5fb0 R09: 0000000000000000
[ 34.088484] R10: 0000000000000000 R11: 0000000000000287 R12: 00000000000000ab
[ 34.095822] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 34.104660] Kernel Offset: disabled
[ 34.108305] Rebooting in 86400 seconds..