syz-executor.1: attempt to access beyond end of device loop1: rw=0, sector=2560, nr_sectors = 2 limit=1949 syz-executor.1: attempt to access beyond end of device loop1: rw=0, sector=2562, nr_sectors = 2 limit=1949 ================================================================== BUG: KASAN: slab-out-of-bounds in load_system_files+0x3626/0x4870 fs/ntfs/super.c:1831 Read of size 1 at addr ffff88803d167f59 by task syz-executor.1/21999 CPU: 1 PID: 21999 Comm: syz-executor.1 Not tainted 6.0.0-syzkaller-09423-g493ffd6605b2 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 print_address_description+0x65/0x4b0 mm/kasan/report.c:317 print_report+0x108/0x1f0 mm/kasan/report.c:433 kasan_report+0xc3/0xf0 mm/kasan/report.c:495 load_system_files+0x3626/0x4870 fs/ntfs/super.c:1831 ntfs_fill_super+0x19a9/0x2bf0 fs/ntfs/super.c:2892 mount_bdev+0x26c/0x3a0 fs/super.c:1400 legacy_get_tree+0xea/0x180 fs/fs_context.c:610 vfs_get_tree+0x88/0x270 fs/super.c:1530 do_new_mount+0x289/0xad0 fs/namespace.c:3040 do_mount fs/namespace.c:3383 [inline] __do_sys_mount fs/namespace.c:3591 [inline] __se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3568 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f06b828cada Code: 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f06b942ef88 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 00007f06b828cada RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f06b942efe0 RBP: 00007f06b942f020 R08: 00007f06b942f020 R09: 0000000020000000 R10: 0000000000000000 R11: 0000000000000202 R12: 0000000020000000 R13: 0000000020000100 R14: 00007f06b942efe0 R15: 0000000020079ca0 Allocated by task 3638: kasan_save_stack mm/kasan/common.c:38 [inline] kasan_set_track mm/kasan/common.c:45 [inline] set_alloc_info mm/kasan/common.c:437 [inline] __kasan_slab_alloc+0xa3/0xd0 mm/kasan/common.c:470 kasan_slab_alloc include/linux/kasan.h:224 [inline] slab_post_alloc_hook mm/slab.h:727 [inline] slab_alloc_node mm/slub.c:3248 [inline] slab_alloc mm/slub.c:3256 [inline] __kmem_cache_alloc_lru mm/slub.c:3263 [inline] kmem_cache_alloc_lru+0x175/0x2d0 mm/slub.c:3280 __d_alloc+0x31/0x750 fs/dcache.c:1769 d_alloc+0x48/0x1d0 fs/dcache.c:1849 __lookup_hash+0xc8/0x240 fs/namei.c:1597 filename_create+0x25f/0x4f0 fs/namei.c:3785 do_mkdirat+0xb5/0x550 fs/namei.c:4028 __do_sys_mkdirat fs/namei.c:4053 [inline] __se_sys_mkdirat fs/namei.c:4051 [inline] __x64_sys_mkdirat+0x85/0x90 fs/namei.c:4051 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Last potentially related work creation: kasan_save_stack+0x2b/0x50 mm/kasan/common.c:38 __kasan_record_aux_stack+0xaf/0xc0 mm/kasan/generic.c:348 call_rcu+0x163/0x970 kernel/rcu/tree.c:2796 __dentry_kill+0x46b/0x5b0 fs/dcache.c:621 dentry_kill+0xbb/0x290 dput+0x1f3/0x410 fs/dcache.c:913 handle_mounts fs/namei.c:1548 [inline] step_into+0x45d/0x10f0 fs/namei.c:1831 lookup_last fs/namei.c:2450 [inline] path_lookupat+0x17d/0x450 fs/namei.c:2474 filename_lookup+0x274/0x650 fs/namei.c:2503 user_path_at_empty+0x40/0x1a0 fs/namei.c:2876 do_readlinkat+0x10c/0x3d0 fs/stat.c:468 __do_sys_readlink fs/stat.c:501 [inline] __se_sys_readlink fs/stat.c:498 [inline] __x64_sys_readlink+0x7b/0x90 fs/stat.c:498 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd The buggy address belongs to the object at ffff88803d167d60 which belongs to the cache dentry of size 312 The buggy address is located 193 bytes to the right of 312-byte region [ffff88803d167d60, ffff88803d167e98) The buggy address belongs to the physical page: page:ffffea0000f45980 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3d166 head:ffffea0000f45980 order:1 compound_mapcount:0 compound_pincount:0 memcg:ffff888021bcf101 flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000010200 ffffea0001c4b780 dead000000000002 ffff8880121d4640 raw: 0000000000000000 0000000000150015 00000001ffffffff ffff888021bcf101 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 1, migratetype Reclaimable, gfp_mask 0x1d20d0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 5499, tgid 5499 (udevd), ts 327957402582, free_ts 327187571423 prep_new_page mm/page_alloc.c:2532 [inline] get_page_from_freelist+0x742/0x7c0 mm/page_alloc.c:4283 __alloc_pages+0x259/0x560 mm/page_alloc.c:5549 alloc_slab_page+0x70/0xf0 mm/slub.c:1829 allocate_slab+0x5e/0x520 mm/slub.c:1974 new_slab mm/slub.c:2034 [inline] ___slab_alloc+0x3ee/0xc40 mm/slub.c:3036 __slab_alloc mm/slub.c:3123 [inline] slab_alloc_node mm/slub.c:3214 [inline] slab_alloc mm/slub.c:3256 [inline] __kmem_cache_alloc_lru mm/slub.c:3263 [inline] kmem_cache_alloc_lru+0x225/0x2d0 mm/slub.c:3280 __d_alloc+0x31/0x750 fs/dcache.c:1769 d_alloc fs/dcache.c:1849 [inline] d_alloc_parallel+0xcb/0x1240 fs/dcache.c:2647 lookup_open fs/namei.c:3338 [inline] open_last_lookups fs/namei.c:3481 [inline] path_openat+0x8fb/0x2df0 fs/namei.c:3688 do_filp_open+0x264/0x4f0 fs/namei.c:3718 do_sys_openat2+0x124/0x4e0 fs/open.c:1310 do_sys_open fs/open.c:1326 [inline] __do_sys_openat fs/open.c:1342 [inline] __se_sys_openat fs/open.c:1337 [inline] __x64_sys_openat+0x243/0x290 fs/open.c:1337 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1449 [inline] free_pcp_prepare+0x812/0x900 mm/page_alloc.c:1499 free_unref_page_prepare mm/page_alloc.c:3380 [inline] free_unref_page+0x7d/0x5f0 mm/page_alloc.c:3476 free_slab mm/slub.c:2073 [inline] discard_slab mm/slub.c:2079 [inline] __unfreeze_partials+0x1ab/0x200 mm/slub.c:2553 put_cpu_partial+0x106/0x170 mm/slub.c:2629 qlist_free_all+0x2b/0x70 mm/kasan/quarantine.c:187 kasan_quarantine_reduce+0x169/0x180 mm/kasan/quarantine.c:294 __kasan_slab_alloc+0x2f/0xd0 mm/kasan/common.c:447 kasan_slab_alloc include/linux/kasan.h:224 [inline] slab_post_alloc_hook mm/slab.h:727 [inline] slab_alloc_node mm/slub.c:3248 [inline] slab_alloc mm/slub.c:3256 [inline] __kmem_cache_alloc_lru mm/slub.c:3263 [inline] kmem_cache_alloc+0x1a6/0x310 mm/slub.c:3273 getname_flags+0xb8/0x4e0 fs/namei.c:139 vfs_fstatat fs/stat.c:266 [inline] __do_sys_newfstatat fs/stat.c:437 [inline] __se_sys_newfstatat+0xcb/0x7d0 fs/stat.c:431 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Memory state around the buggy address: ffff88803d167e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88803d167e80: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88803d167f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff88803d167f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88803d168000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ==================================================================