[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.15.198' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 44.345768] ntfs: (device loop0): check_mft_mirror(): $MFT and $MFTMirr (record 0) do not match. Run ntfsfix or chkdsk.
[ 44.357107] ntfs: (device loop0): load_system_files(): $MFTMirr does not match $MFT. Mounting read-only. Run ntfsfix and/or chkdsk.
[ 44.377068] ntfs: volume version 3.1.
[ 44.382242] ntfs: (device loop0): ntfs_lookup_inode_by_name(): Directory index record with vcn 0xffffffff is corrupt. Corrupt inode 0x5. Run chkdsk.
[ 44.396036] ntfs: (device loop0): check_windows_hibernation_status(): Failed to find inode number for hiberfil.sys.
[ 44.406715] ntfs: (device loop0): load_system_files(): Failed to determine if Windows is hibernated. Will not be able to remount read-write. Run chkdsk.
executing program
[ 44.500803] ntfs: (device loop0): check_mft_mirror(): $MFT and $MFTMirr (record 0) do not match. Run ntfsfix or chkdsk.
[ 44.512039] ntfs: (device loop0): load_system_files(): $MFTMirr does not match $MFT. Mounting read-only. Run ntfsfix and/or chkdsk.
[ 44.532756] ntfs: volume version 3.1.
[ 44.537772] ==================================================================
[ 44.545131] BUG: KASAN: use-after-free in ntfs_lookup_inode_by_name+0x36c0/0x3bd0
[ 44.552727] Read of size 8 at addr ffff88808bb47b80 by task syz-executor549/8104
[ 44.560231]
[ 44.561841] CPU: 0 PID: 8104 Comm: syz-executor549 Not tainted 4.19.211-syzkaller #0
[ 44.569696] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 44.579097] Call Trace:
[ 44.581681] dump_stack+0x1fc/0x2ef
[ 44.585304] print_address_description.cold+0x54/0x219
[ 44.590564] kasan_report_error.cold+0x8a/0x1b9
[ 44.595215] ? ntfs_lookup_inode_by_name+0x36c0/0x3bd0
[ 44.600472] __asan_report_load8_noabort+0x88/0x90
[ 44.605380] ? ntfs_lookup_inode_by_name+0x36c0/0x3bd0
[ 44.610632] ntfs_lookup_inode_by_name+0x36c0/0x3bd0
[ 44.620169] check_windows_hibernation_status+0xd9/0xb10
[ 44.625613] ? load_and_init_mft_mirror+0x350/0x350
[ 44.630612] ? kfree+0x1a7/0x210
[ 44.633961] ntfs_fill_super+0x58be/0x7e10
[ 44.638177] ? ntfs_big_inode_init_once+0x20/0x20
[ 44.642998] ? vsprintf+0x30/0x30
[ 44.646430] ? wait_for_completion_io+0x10/0x10
[ 44.651076] ? set_blocksize+0x163/0x3f0
[ 44.655372] mount_bdev+0x2fc/0x3b0
[ 44.658979] ? ntfs_big_inode_init_once+0x20/0x20
[ 44.663829] mount_fs+0xa3/0x310
[ 44.667177] vfs_kern_mount.part.0+0x68/0x470
[ 44.671687] do_mount+0x115c/0x2f50
[ 44.675296] ? cmp_ex_sort+0xc0/0xc0
[ 44.679076] ? __do_page_fault+0x180/0xd60
[ 44.683291] ? copy_mount_string+0x40/0x40
[ 44.687520] ? copy_mount_options+0x1cd/0x380
[ 44.692025] ? memset+0x20/0x40
[ 44.695297] ? copy_mount_options+0x26f/0x380
[ 44.699770] ksys_mount+0xcf/0x130
[ 44.703293] __x64_sys_mount+0xba/0x150
[ 44.707245] ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 44.711803] do_syscall_64+0xf9/0x620
[ 44.715586] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 44.720752] RIP: 0033:0x7f9bd63bed2a
[ 44.724442] Code: 48 c7 c2 c0 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 a8 00 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 44.743340] RSP: 002b:00007ffca25ef3f8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 44.751048] RAX: ffffffffffffffda RBX: 000055555651b2c0 RCX: 00007f9bd63bed2a
[ 44.758296] RDX: 0000000020000000 RSI: 000000002001ee80 RDI: 00007ffca25ef440
[ 44.765543] RBP: 0000000000000000 R08: 00007ffca25ef480 R09: 0000000000000000
[ 44.772801] R10: 0000000000004010 R11: 0000000000000286 R12: 0000000000000004
[ 44.780085] R13: 00007ffca25ef480 R14: 0000000000000003 R15: 00007ffca25ef440
[ 44.787352]
[ 44.788959] The buggy address belongs to the page:
[ 44.793864] page:ffffea00022ed1c0 count:0 mapcount:0 mapping:0000000000000000 index:0x1
[ 44.801987] flags: 0xfff00000000000()
[ 44.805793] raw: 00fff00000000000 ffffea00022ed208 ffffea00022ed188 0000000000000000
[ 44.813652] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 44.821511] page dumped because: kasan: bad access detected
[ 44.827193]
[ 44.828796] Memory state around the buggy address:
[ 44.833702] ffff88808bb47a80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 44.841047] ffff88808bb47b00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 44.848380] >ffff88808bb47b80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 44.855711] ^
[ 44.859064] ffff88808bb47c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 44.866409] ffff88808bb47c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 44.873740] ==================================================================
[ 44.881072] Disabling lock debugging due to kernel taint
[ 44.889819] Kernel panic - not syncing: panic_on_warn set ...
[ 44.889819]
[ 44.897205] CPU: 1 PID: 8104 Comm: syz-executor549 Tainted: G B 4.19.211-syzkaller #0
[ 44.906467] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 44.915809] Call Trace:
[ 44.918379] dump_stack+0x1fc/0x2ef
[ 44.921988] panic+0x26a/0x50e
[ 44.925159] ? __warn_printk+0xf3/0xf3
[ 44.929024] ? preempt_schedule_common+0x45/0xc0
[ 44.933760] ? ___preempt_schedule+0x16/0x18
[ 44.938233] ? trace_hardirqs_on+0x55/0x210
[ 44.942539] kasan_end_report+0x43/0x49
[ 44.946500] kasan_report_error.cold+0xa7/0x1b9
[ 44.951151] ? ntfs_lookup_inode_by_name+0x36c0/0x3bd0
[ 44.956414] __asan_report_load8_noabort+0x88/0x90
[ 44.961321] ? ntfs_lookup_inode_by_name+0x36c0/0x3bd0
[ 44.966675] ntfs_lookup_inode_by_name+0x36c0/0x3bd0
[ 44.971763] check_windows_hibernation_status+0xd9/0xb10
[ 44.977193] ? load_and_init_mft_mirror+0x350/0x350
[ 44.982185] ? kfree+0x1a7/0x210
[ 44.985617] ntfs_fill_super+0x58be/0x7e10
[ 44.989835] ? ntfs_big_inode_init_once+0x20/0x20
[ 44.994659] ? vsprintf+0x30/0x30
[ 44.998091] ? wait_for_completion_io+0x10/0x10
[ 45.002740] ? set_blocksize+0x163/0x3f0
[ 45.006783] mount_bdev+0x2fc/0x3b0
[ 45.010392] ? ntfs_big_inode_init_once+0x20/0x20
[ 45.015230] mount_fs+0xa3/0x310
[ 45.018577] vfs_kern_mount.part.0+0x68/0x470
[ 45.023053] do_mount+0x115c/0x2f50
[ 45.026663] ? cmp_ex_sort+0xc0/0xc0
[ 45.030356] ? __do_page_fault+0x180/0xd60
[ 45.034569] ? copy_mount_string+0x40/0x40
[ 45.038789] ? copy_mount_options+0x1cd/0x380
[ 45.043280] ? memset+0x20/0x40
[ 45.046553] ? copy_mount_options+0x26f/0x380
[ 45.051025] ksys_mount+0xcf/0x130
[ 45.054543] __x64_sys_mount+0xba/0x150
[ 45.058497] ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 45.063062] do_syscall_64+0xf9/0x620
[ 45.066870] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 45.072034] RIP: 0033:0x7f9bd63bed2a
[ 45.075727] Code: 48 c7 c2 c0 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 a8 00 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 45.097297] RSP: 002b:00007ffca25ef3f8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 45.104989] RAX: ffffffffffffffda RBX: 000055555651b2c0 RCX: 00007f9bd63bed2a
[ 45.112262] RDX: 0000000020000000 RSI: 000000002001ee80 RDI: 00007ffca25ef440
[ 45.119514] RBP: 0000000000000000 R08: 00007ffca25ef480 R09: 0000000000000000
[ 45.126764] R10: 0000000000004010 R11: 0000000000000286 R12: 0000000000000004
[ 45.134009] R13: 00007ffca25ef480 R14: 0000000000000003 R15: 00007ffca25ef440
[ 45.141441] Kernel Offset: disabled
[ 45.145061] Rebooting in 86400 seconds..