Warning: Permanently added '10.128.1.138' (ED25519) to the list of known hosts.
2024/09/21 09:04:28 ignoring optional flag "sandboxArg"="0"
2024/09/21 09:04:29 parsed 1 programs
2024/09/21 09:04:29 executed programs: 0
[   61.952546][ T2180] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[   66.334469][ T2598] loop0: detected capacity change from 0 to 4096
[   66.371825][ T2598] ntfs3: loop0: ino=22, "file0" ntfs_rename
[   66.430555][ T2600] loop0: detected capacity change from 0 to 4096
[   66.455484][ T2600] ==================================================================
[   66.463646][ T2600] BUG: KASAN: slab-use-after-free in __list_add_valid_or_report+0x4c/0xf0
[   66.472160][ T2600] Read of size 8 at addr ffff8880729456b8 by task syz-executor.0/2600
[   66.480282][ T2600]
[   66.482604][ T2600] CPU: 0 UID: 0 PID: 2600 Comm: syz-executor.0 Not tainted 6.11.0-syzkaller #0
[   66.491514][ T2600] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
[   66.501559][ T2600] Call Trace:
[   66.504851][ T2600]
[   66.507261][ T2601] ntfs3: loop0: ino=22, "file0" ntfs_rename
[   66.507773][ T2600]  dump_stack_lvl+0x108/0x280
[   66.507795][ T2600]  ? __pfx_dump_stack_lvl+0x10/0x10
[   66.523509][ T2600]  ? __pfx__printk+0x10/0x10
[   66.528079][ T2600]  ? _printk+0xce/0x120
[   66.532212][ T2600]  ? __virt_addr_valid+0x141/0x270
[   66.537300][ T2600]  ? __virt_addr_valid+0x229/0x270
[   66.542388][ T2600]  print_report+0x169/0x550
[   66.546869][ T2600]  ? __virt_addr_valid+0x141/0x270
[   66.551972][ T2600]  ? __virt_addr_valid+0x229/0x270
[   66.557057][ T2600]  ? __list_add_valid_or_report+0x4c/0xf0
[   66.562755][ T2600]  kasan_report+0x143/0x180
[   66.567236][ T2600]  ? __list_add_valid_or_report+0x4c/0xf0
[   66.572940][ T2600]  __list_add_valid_or_report+0x4c/0xf0
[   66.578464][ T2600]  chrdev_open+0x2d6/0x540
[   66.582861][ T2600]  ? __pfx_chrdev_open+0x10/0x10
[   66.587777][ T2600]  ? do_raw_spin_unlock+0x13c/0x8b0
[   66.592950][ T2600]  do_dentry_open+0x6e9/0x1070
[   66.597690][ T2600]  ? __pfx_chrdev_open+0x10/0x10
[   66.602602][ T2600]  vfs_open+0x36/0x290
[   66.606651][ T2600]  path_openat+0x233f/0x29f0
[   66.611222][ T2600]  ? stack_trace_save+0x118/0x1d0
[   66.616251][ T2600]  ? __pfx_path_openat+0x10/0x10
[   66.621185][ T2600]  ? __lock_acquire+0x61d/0xc70
[   66.626013][ T2600]  do_filp_open+0x22b/0x440
[   66.630493][ T2600]  ? __pfx_do_filp_open+0x10/0x10
[   66.635496][ T2600]  ? _raw_spin_unlock+0x28/0x50
[   66.640324][ T2600]  ? alloc_fd+0x3dd/0x480
[   66.644633][ T2600]  do_sys_openat2+0xf6/0x180
[   66.649204][ T2600]  ? __pfx_do_sys_openat2+0x10/0x10
[   66.654380][ T2600]  ? rcu_is_watching+0x1f/0xa0
[   66.659127][ T2600]  ? __rseq_handle_notify_resume+0x86e/0xe60
[   66.665173][ T2600]  __x64_sys_openat+0x20d/0x260
[   66.670002][ T2600]  ? __pfx___x64_sys_openat+0x10/0x10
[   66.675352][ T2600]  ? switch_fpu_return+0xce/0x140
[   66.680357][ T2600]  do_syscall_64+0x8d/0x170
[   66.684841][ T2600]  ? clear_bhb_loop+0x55/0xb0
[   66.689504][ T2600]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   66.695379][ T2600] RIP: 0033:0x7f04b407dea9
[   66.699784][ T2600] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[   66.719374][ T2600] RSP: 002b:00007f04b3bff0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[   66.727769][ T2600] RAX: ffffffffffffffda RBX: 00007f04b41abf80 RCX: 00007f04b407dea9
[   66.735719][ T2600] RDX: 0000000000000000 RSI: 0000000020002140 RDI: ffffffffffffff9c
[   66.743689][ T2600] RBP: 00007f04b40ca4a4 R08: 0000000000000000 R09: 0000000000000000
[   66.751642][ T2600] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   66.759593][ T2600] R13: 0000000000000016 R14: 00007f04b41abf80 R15: 00007ffdc3ba7278
[   66.767547][ T2600]
[   66.770553][ T2600]
[   66.772859][ T2600] Allocated by task 2598:
[   66.777162][ T2600]  kasan_save_track+0x3f/0x80
[   66.781823][ T2600]  __kasan_slab_alloc+0x66/0x80
[   66.786651][ T2600]  kmem_cache_alloc_lru_noprof+0x135/0x360
[   66.792435][ T2600]  ntfs_alloc_inode+0x20/0x70
[   66.797086][ T2600]  new_inode+0x60/0x2a0
[   66.801216][ T2600]  ntfs_new_inode+0x40/0xd0
[   66.805692][ T2600]  ntfs_create_inode+0x4fd/0x3100
[   66.810691][ T2600]  ntfs_mknod+0x17/0x20
[   66.814823][ T2600]  vfs_mknod+0x26c/0x290
[   66.819041][ T2600]  do_mknodat+0x382/0x4a0
[   66.823346][ T2600]  __x64_sys_mknodat+0xa2/0xc0
[   66.828084][ T2600]  do_syscall_64+0x8d/0x170
[   66.832564][ T2600]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   66.838435][ T2600]
[   66.840740][ T2600] Freed by task 0:
[   66.844437][ T2600]  kasan_save_track+0x3f/0x80
[   66.849093][ T2600]  kasan_save_free_info+0x40/0x50
[   66.854105][ T2600]  __kasan_slab_free+0x59/0x70
[   66.858847][ T2600]  kmem_cache_free+0x189/0x480
[   66.863589][ T2600]  rcu_core+0xc96/0x1510
[   66.867815][ T2600]  handle_softirqs+0x1b5/0x570
[   66.872556][ T2600]  __irq_exit_rcu+0x45/0xe0
[   66.877032][ T2600]  sysvec_apic_timer_interrupt+0x92/0xb0
[   66.882642][ T2600]  asm_sysvec_apic_timer_interrupt+0x1a/0x20
[   66.888598][ T2600]
[   66.890905][ T2600] Last potentially related work creation:
[   66.896599][ T2600]  kasan_save_stack+0x3f/0x60
[   66.901254][ T2600]  __kasan_record_aux_stack+0xac/0xc0
[   66.906601][ T2600]  call_rcu+0x159/0x8e0
[   66.910733][ T2600]  evict+0x7a0/0x900
[   66.914603][ T2600]  __dentry_kill+0x196/0x5b0
[   66.919171][ T2600]  shrink_kill+0x29/0xa0
[   66.923431][ T2600]  shrink_dentry_list+0x1b5/0x410
[   66.928428][ T2600]  shrink_dcache_parent+0xb6/0x2a0
[   66.933513][ T2600]  do_one_tree+0x1b/0xd0
[   66.937740][ T2600]  shrink_dcache_for_umount+0x85/0x120
[   66.943172][ T2600]  generic_shutdown_super+0x63/0x260
[   66.948429][ T2600]  kill_block_super+0x3f/0x80
[   66.953080][ T2600]  ntfs3_kill_sb+0x3f/0x1a0
[   66.957559][ T2600]  deactivate_locked_super+0x9f/0x3a0
[   66.962906][ T2600]  cleanup_mnt+0x29f/0x320
[   66.967318][ T2600]  task_work_run+0x20f/0x290
[   66.971886][ T2600]  syscall_exit_to_user_mode+0xb5/0x1d0
[   66.977409][ T2600]  do_syscall_64+0x9a/0x170
[   66.981888][ T2600]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   66.987753][ T2600]
[   66.990059][ T2600] The buggy address belongs to the object at ffff888072945018
[   66.990059][ T2600]  which belongs to the cache ntfs_inode_cache of size 1736
[   67.004607][ T2600] The buggy address is located 1696 bytes inside of
[   67.004607][ T2600]  freed 1736-byte region [ffff888072945018, ffff8880729456e0)
[   67.018550][ T2600]
[   67.020856][ T2600] The buggy address belongs to the physical page:
[   67.027251][ T2600] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x72940
[   67.035990][ T2600] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   67.044461][ T2600] memcg:ffff888011adb501
[   67.048678][ T2600] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[   67.056197][ T2600] page_type: 0xfdffffff(slab)
[   67.060850][ T2600] raw: 00fff00000000040 ffff888011afd3c0 dead000000000122 0000000000000000
[   67.069406][ T2600] raw: 0000000000000000 0000000000110011 00000001fdffffff ffff888011adb501
[   67.077966][ T2600] head: 00fff00000000040 ffff888011afd3c0 dead000000000122 0000000000000000
[   67.086619][ T2600] head: 0000000000000000 0000000000110011 00000001fdffffff ffff888011adb501
[   67.095285][ T2600] head: 00fff00000000003 ffffea0001ca5001 ffffffffffffffff 0000000000000000
[   67.103929][ T2600] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
[   67.112576][ T2600] page dumped because: kasan: bad access detected
[   67.118971][ T2600] page_owner tracks the page as allocated
[   67.124663][ T2600] page last allocated via order 3, migratetype Reclaimable, gfp_mask 0xd2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_RECLAIMABLE), pid 2598, tgid 2596 (syz-executor.0), ts 66358360913, free_ts 6724268147
[   67.147034][ T2600]  post_alloc_hook+0x10f/0x130
[   67.151777][ T2600]  get_page_from_freelist+0x2c48/0x2d00
[   67.157294][ T2600]  __alloc_pages_noprof+0x256/0x670
[   67.162470][ T2600]  alloc_pages_mpol_noprof+0x289/0x4e0
[   67.167904][ T2600]  alloc_slab_page+0x6a/0x130
[   67.172570][ T2600]  allocate_slab+0x5d/0x290
[   67.177060][ T2600]  ___slab_alloc+0xa7f/0x11d0
[   67.181719][ T2600]  kmem_cache_alloc_lru_noprof+0x1f6/0x360
[   67.187511][ T2600]  ntfs_alloc_inode+0x20/0x70
[   67.192172][ T2600]  iget5_locked+0x89/0x1f0
[   67.196566][ T2600]  ntfs_iget5+0xc2/0x3070
[   67.200872][ T2600]  ntfs_fill_super+0x2a48/0x3ce0
[   67.205802][ T2600]  get_tree_bdev+0x399/0x590
[   67.210373][ T2600]  vfs_get_tree+0x86/0x1a0
[   67.214765][ T2600]  do_new_mount+0x21e/0x9b0
[   67.219242][ T2600]  __se_sys_mount+0x23c/0x2d0
[   67.223897][ T2600] page last free pid 1 tgid 1 stack trace:
[   67.229692][ T2600]  free_unref_page+0xb6f/0xca0
[   67.234434][ T2600]  free_contig_range+0x91/0x140
[   67.239263][ T2600]  destroy_args+0x72/0x6e0
[   67.243655][ T2600]  debug_vm_pgtable+0x3c2/0x5e0
[   67.248477][ T2600]  do_one_initcall+0x196/0x4d0
[   67.253215][ T2600]  do_initcall_level+0x11e/0x1e0
[   67.258144][ T2600]  do_initcalls+0x3e/0x70
[   67.262450][ T2600]  kernel_init_freeable+0x36a/0x4c0
[   67.267641][ T2600]  kernel_init+0x18/0x1b0
[   67.271948][ T2600]  ret_from_fork+0x32/0x60
[   67.276339][ T2600]  ret_from_fork_asm+0x1a/0x30
[   67.281077][ T2600]
[   67.283380][ T2600] Memory state around the buggy address:
[   67.289000][ T2600]  ffff888072945580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   67.297038][ T2600]  ffff888072945600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   67.305073][ T2600] >ffff888072945680: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   67.313108][ T2600]                                         ^
[   67.318970][ T2600]  ffff888072945700: fc fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb
[   67.327004][ T2600]  ffff888072945780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   67.335039][ T2600] ==================================================================
[   67.343409][ T2600] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   67.350969][ T2600] Kernel Offset: disabled
[   67.355275][ T2600] Rebooting in 86400 seconds..
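A small triage parser for the report above, written here as an added example and not taken from syzbot, syzkaller or the kernel tree. It strips the console prefixes, drops the "? " frames (addresses the unwinder found on the stack but could not verify as real callers) and the KASAN/print plumbing at the top of every stack, extracts the access, allocation, free and RCU-callback stacks, and cross-checks the "located N bytes inside" figure against the access and object addresses. The embedded SAMPLE is an excerpt of the report itself; the function names (parse_kasan_report, frames, first_owner, lifecycle) and the PLUMBING/GENERIC prefix lists are this example's own choices, not anything the report defines.

```python
"""Triage parser for a KASAN slab report (added example, not code from the report's source)."""
import re

# Excerpt of the report above, console prefixes included so the parser has to strip them.
SAMPLE = """\
[   66.463646][ T2600] BUG: KASAN: slab-use-after-free in __list_add_valid_or_report+0x4c/0xf0
[   66.472160][ T2600] Read of size 8 at addr ffff8880729456b8 by task syz-executor.0/2600
[   66.501559][ T2600] Call Trace:
[   66.507773][ T2600]  dump_stack_lvl+0x108/0x280
[   66.557057][ T2600]  ? __list_add_valid_or_report+0x4c/0xf0
[   66.562755][ T2600]  kasan_report+0x143/0x180
[   66.572940][ T2600]  __list_add_valid_or_report+0x4c/0xf0
[   66.578464][ T2600]  chrdev_open+0x2d6/0x540
[   66.582861][ T2600]  ? __pfx_chrdev_open+0x10/0x10
[   66.592950][ T2600]  do_dentry_open+0x6e9/0x1070
[   66.770553][ T2600]
[   66.772859][ T2600] Allocated by task 2598:
[   66.777162][ T2600]  kasan_save_track+0x3f/0x80
[   66.786651][ T2600]  kmem_cache_alloc_lru_noprof+0x135/0x360
[   66.792435][ T2600]  ntfs_alloc_inode+0x20/0x70
[   66.810691][ T2600]  ntfs_mknod+0x17/0x20
[   66.838435][ T2600]
[   66.840740][ T2600] Freed by task 0:
[   66.844437][ T2600]  kasan_save_track+0x3f/0x80
[   66.858847][ T2600]  kmem_cache_free+0x189/0x480
[   66.863589][ T2600]  rcu_core+0xc96/0x1510
[   66.867815][ T2600]  handle_softirqs+0x1b5/0x570
[   66.888598][ T2600]
[   66.890905][ T2600] Last potentially related work creation:
[   66.901254][ T2600]  __kasan_record_aux_stack+0xac/0xc0
[   66.906601][ T2600]  call_rcu+0x159/0x8e0
[   66.910733][ T2600]  evict+0x7a0/0x900
[   66.987753][ T2600]
[   66.990059][ T2600] The buggy address belongs to the object at ffff888072945018
[   66.990059][ T2600]  which belongs to the cache ntfs_inode_cache of size 1736
[   67.004607][ T2600] The buggy address is located 1696 bytes inside of
[   67.004607][ T2600]  freed 1736-byte region [ffff888072945018, ffff8880729456e0)
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")
FRAME = re.compile(r"^(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
# Report plumbing that tops every KASAN stack and carries no triage value (example's own list).
PLUMBING = ("kasan_", "__kasan_", "print_report", "dump_stack", "__pfx_")
# Generic slab/RCU/list frames to look past when naming the owning subsystem (example's own list).
GENERIC = ("kmem_cache_", "kmalloc", "call_rcu", "rcu_", "__list_add")


def frames(lines, start):
    """Frames from lines[start:] up to the next blank line. '? ' entries are
    stack slots the unwinder could not verify as callers, so they are dropped."""
    out = []
    for line in lines[start:]:
        if not line:
            break
        m = FRAME.match(line)
        if not m or m.group(1) or m.group(2).startswith(PLUMBING):
            continue
        out.append(m.group(2))
    return out


def parse_kasan_report(text):
    """Return a dict of the triage-relevant fields of one KASAN slab report."""
    lines = [PREFIX.sub("", ln).strip() for ln in text.splitlines()]
    r = {}
    for i, line in enumerate(lines):
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+)\+0x", line):
            r["bug"], r["in"] = m.group(1), m.group(2)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", line):
            r.update(access=m.group(1).lower(), size=int(m.group(2)),
                     addr=int(m.group(3), 16), task=m.group(4), pid=int(m.group(5)))
        elif line == "Call Trace:":
            r["access_stack"] = frames(lines, i + 1)
        elif m := re.match(r"Allocated by task (\d+):", line):
            r["alloc_pid"], r["alloc_stack"] = int(m.group(1)), frames(lines, i + 1)
        elif m := re.match(r"Freed by task (\d+):", line):
            r["free_pid"], r["free_stack"] = int(m.group(1)), frames(lines, i + 1)
        elif line.startswith("Last potentially related work creation:"):
            r["work_stack"] = frames(lines, i + 1)
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r["object"] = int(m.group(1), 16)
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line):
            r["cache"], r["object_size"] = m.group(1), int(m.group(2))
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", line):
            r["reported_offset"] = int(m.group(1))
    # Cross-check: the printed offset must equal addr - object start, and the
    # access must end inside the object, or this is not a plain in-object UAF.
    r["offset"] = r["addr"] - r["object"]
    r["consistent"] = (r["offset"] == r["reported_offset"]
                       and r["offset"] + r["size"] <= r["object_size"])
    return r


def first_owner(stack):
    """First frame belonging to a subsystem rather than the slab/RCU core."""
    return next((f for f in stack if not f.startswith(GENERIC)), stack[0] if stack else None)


def lifecycle(r):
    """Condense the three stacks into the object's life story for a ticket."""
    return {"allocated_in": first_owner(r["alloc_stack"]),
            "free_scheduled_in": first_owner(r["work_stack"]),
            "freed_in": first_owner(r["free_stack"]),
            "used_in": first_owner(r["access_stack"])}
```

Calling parse_kasan_report(SAMPLE) gives offset 1696 (0x6b8 minus 0x018), matching the "1696 bytes inside" line, and lifecycle() reduces the report to: allocated in ntfs_alloc_inode, free scheduled from evict via call_rcu, freed in the softirq RCU callback, used in chrdev_open. Feeding the full console log instead of the excerpt works the same way: the RIP/Code/register lines after the call trace do not match the frame pattern and are skipped, and the page_owner stacks are not keyed on, so they are ignored.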