================================================================== BUG: KASAN: slab-out-of-bounds in generic_test_bit include/asm-generic/bitops/generic-non-atomic.h:128 [inline] BUG: KASAN: slab-out-of-bounds in NInoAttr fs/ntfs/inode.h:200 [inline] BUG: KASAN: slab-out-of-bounds in ntfs_test_inode+0x8c/0x29c fs/ntfs/inode.c:55 Read of size 8 at addr ffff00012c327f80 by task syz-executor.5/26959 CPU: 0 PID: 26959 Comm: syz-executor.5 Not tainted 6.6.0-rc3-syzkaller-g2e530aeb342b #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 Call trace: dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:233 show_stack+0x2c/0x44 arch/arm64/kernel/stacktrace.c:240 __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:364 [inline] print_report+0x174/0x514 mm/kasan/report.c:475 kasan_report+0xd8/0x138 mm/kasan/report.c:588 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381 generic_test_bit include/asm-generic/bitops/generic-non-atomic.h:128 [inline] NInoAttr fs/ntfs/inode.h:200 [inline] ntfs_test_inode+0x8c/0x29c fs/ntfs/inode.c:55 find_inode+0x170/0x3b4 fs/inode.c:901 ilookup5_nowait fs/inode.c:1456 [inline] ilookup5+0xc0/0x1e4 fs/inode.c:1485 iget5_locked+0x48/0x234 fs/inode.c:1266 ntfs_iget+0xcc/0x19c fs/ntfs/inode.c:168 load_system_files+0x2720/0x4734 fs/ntfs/super.c:1855 ntfs_fill_super+0x14e0/0x2314 fs/ntfs/super.c:2900 mount_bdev+0x1e8/0x2b4 fs/super.c:1629 ntfs_mount+0x44/0x58 fs/ntfs/super.c:3057 legacy_get_tree+0xd4/0x16c fs/fs_context.c:638 vfs_get_tree+0x90/0x288 fs/super.c:1750 do_new_mount+0x25c/0x8c8 fs/namespace.c:3335 path_mount+0x590/0xe04 fs/namespace.c:3662 do_mount fs/namespace.c:3675 [inline] __do_sys_mount fs/namespace.c:3884 [inline] __se_sys_mount fs/namespace.c:3861 [inline] __arm64_sys_mount+0x45c/0x594 fs/namespace.c:3861 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155 el0_svc+0x58/0x16c arch/arm64/kernel/entry-common.c:678 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595 Allocated by task 6059: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x4c/0x7c mm/kasan/common.c:52 kasan_save_alloc_info+0x24/0x30 mm/kasan/generic.c:511 __kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:328 kasan_slab_alloc include/linux/kasan.h:188 [inline] slab_post_alloc_hook+0x90/0x4a0 mm/slab.h:762 slab_alloc_node mm/slub.c:3478 [inline] slab_alloc mm/slub.c:3486 [inline] __kmem_cache_alloc_lru mm/slub.c:3493 [inline] kmem_cache_alloc_lru+0x194/0x394 mm/slub.c:3509 __d_alloc+0x40/0x6ac fs/dcache.c:1768 d_alloc+0x54/0x18c fs/dcache.c:1848 lookup_one_qstr_excl+0xbc/0x230 fs/namei.c:1604 filename_create+0x230/0x468 fs/namei.c:3890 do_mkdirat+0xac/0x610 fs/namei.c:4135 __do_sys_mkdirat fs/namei.c:4158 [inline] __se_sys_mkdirat fs/namei.c:4156 [inline] __arm64_sys_mkdirat+0x90/0xa8 fs/namei.c:4156 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155 el0_svc+0x58/0x16c arch/arm64/kernel/entry-common.c:678 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595 Last potentially related work creation: kasan_save_stack+0x40/0x6c mm/kasan/common.c:45 __kasan_record_aux_stack+0xcc/0xe8 mm/kasan/generic.c:492 kasan_record_aux_stack_noalloc+0x14/0x20 mm/kasan/generic.c:502 __call_rcu_common kernel/rcu/tree.c:2653 [inline] call_rcu+0x104/0xaf4 kernel/rcu/tree.c:2767 dentry_free+0xa8/0x174 __dentry_kill+0x470/0x5e4 fs/dcache.c:621 dentry_kill+0xc8/0x250 dput+0x218/0x454 fs/dcache.c:913 do_unlinkat+0x4dc/0x830 fs/namei.c:4401 __do_sys_unlinkat fs/namei.c:4441 [inline] __se_sys_unlinkat fs/namei.c:4434 [inline] __arm64_sys_unlinkat+0xcc/0xfc fs/namei.c:4434 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155 el0_svc+0x58/0x16c arch/arm64/kernel/entry-common.c:678 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595 Second to last potentially related work creation: kasan_save_stack+0x40/0x6c mm/kasan/common.c:45 __kasan_record_aux_stack+0xcc/0xe8 mm/kasan/generic.c:492 kasan_record_aux_stack_noalloc+0x14/0x20 mm/kasan/generic.c:502 __call_rcu_common kernel/rcu/tree.c:2653 [inline] call_rcu+0x104/0xaf4 kernel/rcu/tree.c:2767 dentry_free+0xa8/0x174 __dentry_kill+0x470/0x5e4 fs/dcache.c:621 dentry_kill+0xc8/0x250 dput+0x218/0x454 fs/dcache.c:913 lookup_fast+0x374/0x43c fs/namei.c:1659 walk_component+0x6c/0x36c fs/namei.c:1997 lookup_last fs/namei.c:2458 [inline] path_lookupat+0x13c/0x3d0 fs/namei.c:2482 filename_lookup+0x1d4/0x4e0 fs/namei.c:2511 user_path_at_empty+0x5c/0x1a4 fs/namei.c:2910 user_path_at include/linux/namei.h:57 [inline] do_faccessat+0x508/0xa34 fs/open.c:483 __do_sys_faccessat2 fs/open.c:537 [inline] __se_sys_faccessat2 fs/open.c:534 [inline] __arm64_sys_faccessat2+0x9c/0xb4 fs/open.c:534 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155 el0_svc+0x58/0x16c arch/arm64/kernel/entry-common.c:678 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595 The buggy address belongs to the object at ffff00012c327d60 which belongs to the cache dentry of size 312 The buggy address is located 232 bytes to the right of allocated 312-byte region [ffff00012c327d60, ffff00012c327e98) The buggy address belongs to the physical page: page:00000000d20b92e1 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x16c326 head:00000000d20b92e1 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0 memcg:ffff0000c1eb2801 flags: 0x5ffc00000000840(slab|head|node=0|zone=2|lastcpupid=0x7ff) page_type: 0xffffffff() raw: 05ffc00000000840 ffff0000c185ba00 fffffc0004bf3000 dead000000000002 raw: 0000000000000000 0000000000150015 00000001ffffffff ffff0000c1eb2801 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff00012c327e80: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc ffff00012c327f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff00012c327f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff00012c328000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff00012c328080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ================================================================== Unable to handle kernel paging request at virtual address dfff800000000018 KASAN: null-ptr-deref in range [0x00000000000000c0-0x00000000000000c7] Mem abort info: ESR = 0x0000000096000005 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x05: level 1 translation fault Data abort info: ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [dfff800000000018] address between user and kernel address ranges Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP Modules linked in: CPU: 0 PID: 26959 Comm: syz-executor.5 Tainted: G B 6.6.0-rc3-syzkaller-g2e530aeb342b #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : map_mft_record_page fs/ntfs/mft.c:40 [inline] pc : map_mft_record+0x8c/0x7b4 fs/ntfs/mft.c:156 lr : map_mft_record_page fs/ntfs/mft.c:39 [inline] lr : map_mft_record+0x7c/0x7b4 fs/ntfs/mft.c:156 sp : ffff80009a987640 x29: ffff80009a987680 x28: 1fffe00024e22b30 x27: ffff00012c328058 x26: 1fffe00025864ff3 x25: 00000000000000c0 x24: dfff800000000000 x23: dfff800000000000 x22: ffff00012c327f30 x21: ffff00012c327f94 x20: ffff00012c327f98 x19: 0000000000000000 x18: 1fffe0003683bdce x17: ffff80008e19d000 x16: ffff8000802771bc x15: 0000000000000001 x14: 1ffff00013530e74 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000001 x10: 0000000000000000 x9 : ffff800092633310 x8 : 0000000000000018 x7 : 0000000000000000 x6 : ffff8000816b72dc x5 : 0000000000000000 x4 : 0000000000000001 x3 : ffff8000816b72f4 x2 : 0000000000000000 x1 : 0000000000000008 x0 : 0000000000000000 Call trace: map_mft_record_page fs/ntfs/mft.c:40 [inline] map_mft_record+0x8c/0x7b4 fs/ntfs/mft.c:156 load_system_files+0x279c/0x4734 fs/ntfs/super.c:1863 ntfs_fill_super+0x14e0/0x2314 fs/ntfs/super.c:2900 mount_bdev+0x1e8/0x2b4 fs/super.c:1629 ntfs_mount+0x44/0x58 fs/ntfs/super.c:3057 legacy_get_tree+0xd4/0x16c fs/fs_context.c:638 vfs_get_tree+0x90/0x288 fs/super.c:1750 do_new_mount+0x25c/0x8c8 fs/namespace.c:3335 path_mount+0x590/0xe04 fs/namespace.c:3662 do_mount fs/namespace.c:3675 [inline] __do_sys_mount fs/namespace.c:3884 [inline] __se_sys_mount fs/namespace.c:3861 [inline] __arm64_sys_mount+0x45c/0x594 fs/namespace.c:3861 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155 el0_svc+0x58/0x16c arch/arm64/kernel/entry-common.c:678 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595 Code: f9400288 91030119 f81f83a8 d343ff28 (38786908) ---[ end trace 0000000000000000 ]--- ---------------- Code disassembly (best guess): 0: f9400288 ldr x8, [x20] 4: 91030119 add x25, x8, #0xc0 8: f81f83a8 stur x8, [x29, #-8] c: d343ff28 lsr x8, x25, #3 * 10: 38786908 ldrb w8, [x8, x24] <-- trapping instruction