[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 44.538831] can: request_module (can-proto-0) failed.
[ 44.547879] can: request_module (can-proto-0) failed.
[ 45.353854] IPVS: ftp: loaded support on port[0] = 21
[ 45.968068] 8021q: adding VLAN 0 to HW filter on device bond0
[ 46.035212] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 46.330795] tipc: TX() has been purged, node left!
[ 47.908784] bond0 (unregistering): Released all slaves
Warning: Permanently added '10.128.0.218' (ECDSA) to the list of known hosts.
2020/01/12 21:48:53 parsed 1 programs
2020/01/12 21:48:53 executed programs: 0
[ 53.012144] IPVS: ftp: loaded support on port[0] = 21
[ 53.026064] IPVS: ftp: loaded support on port[0] = 21
[ 53.032795] IPVS: ftp: loaded support on port[0] = 21
[ 53.039428] IPVS: ftp: loaded support on port[0] = 21
[ 53.047078] IPVS: ftp: loaded support on port[0] = 21
[ 53.047281] IPVS: ftp: loaded support on port[0] = 21
[ 53.117563] ntfs: (device loop3): is_boot_sector_ntfs(): Invalid end of sector marker.
[ 53.126228] ==================================================================
[ 53.133628] BUG: KASAN: use-after-free in ntfs_attr_find+0x9df/0xb00
[ 53.140114] Read of size 4 at addr ffff8881ca50ad35 by task syz-executor3/4450
[ 53.147466]
[ 53.149100] CPU: 0 PID: 4450 Comm: syz-executor3 Not tainted 5.5.0-rc5-syzkaller #0
[ 53.156884] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 53.166229] Call Trace:
[ 53.168825]  dump_stack+0x12f/0x187
[ 53.172453]  ? ntfs_attr_find+0x9df/0xb00
[ 53.176596]  print_address_description.constprop.8+0x3b/0x60
[ 53.182390]  ? ntfs_attr_find+0x9df/0xb00
[ 53.186532]  ? ntfs_attr_find+0x9df/0xb00
[ 53.190675]  __kasan_report.cold.11+0x1b/0x39
[ 53.195166]  ? __isolate_free_page+0x410/0x490
[ 53.199742]  ? ntfs_attr_find+0x9df/0xb00
[ 53.203885]  kasan_report+0x12/0x20
[ 53.207506]  __asan_report_load_n_noabort+0xf/0x20
[ 53.212656]  ntfs_attr_find+0x9df/0xb00
[ 53.216636]  ? __alloc_pages_nodemask+0x563/0x850
[ 53.221456]  ? __switch_to_asm+0x34/0x70
[ 53.225493]  ? __switch_to_asm+0x40/0x70
[ 53.229552]  ? __kasan_check_write+0x14/0x20
[ 53.233941]  ntfs_attr_lookup+0x10c9/0x23c0
[ 53.238253]  ? kasan_unpoison_shadow+0x35/0x50
[ 53.242814]  ? __kasan_kmalloc.constprop.7+0xc1/0xd0
[ 53.247895]  ? kmem_cache_alloc+0x30b/0x740
[ 53.252194]  ? ntfs_attr_reinit_search_ctx+0x3a0/0x3a0
[ 53.257511]  ntfs_read_inode_mount+0x6bf/0x20c0
[ 53.262331]  ntfs_fill_super+0x121e/0x2d50
[ 53.266617]  ? snprintf+0x91/0xc0
[ 53.270124]  ? vsprintf+0x20/0x20
[ 53.273688]  mount_bdev+0x27b/0x340
[ 53.277411]  ? load_system_files+0x6530/0x6530
[ 53.281984]  ? ntfs_rl_punch_nolock+0x1ec0/0x1ec0
[ 53.286811]  ntfs_mount+0x10/0x20
[ 53.290245]  legacy_get_tree+0x103/0x1f0
[ 53.294301]  vfs_get_tree+0x8b/0x2d0
[ 53.298009]  ? capable+0x14/0x20
[ 53.301369]  do_mount+0x1285/0x1b70
[ 53.304990]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 53.311472]  ? copy_mount_string+0x20/0x20
[ 53.315698]  ? retint_kernel+0x10/0x10
[ 53.319569]  ? copy_mount_options+0x1ab/0x2c0
[ 53.324051]  __x64_sys_mount+0x169/0x1c0
[ 53.328103]  do_syscall_64+0xd0/0x600
[ 53.331895]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 53.337088] RIP: 0033:0x457dea
[ 53.340259] Code: b8 a6 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 dd 8f fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 ba 8f fb ff c3 66 0f 1f 84 00 00 00 00 00
[ 53.359240] RSP: 002b:00007f9cbdef6bb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 53.366931] RAX: ffffffffffffffda RBX: 0000000020000000 RCX: 0000000000457dea
[ 53.374182] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f9cbdef6c00
[ 53.381448] RBP: 0000000000000002 R08: 000000002007e200 R09: 0000000020000000
[ 53.388699] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003
[ 53.395955] R13: 000000000000066c R14: 00000000006fbac0 R15: 0000000000000000
[ 53.403298]
[ 53.404914] Allocated by task 2386:
[ 53.408532]  save_stack+0x21/0x90
[ 53.411966]  __kasan_kmalloc.constprop.7+0xc1/0xd0
[ 53.416873]  kasan_slab_alloc+0x12/0x20
[ 53.420826]  kmem_cache_alloc_node+0x138/0x750
[ 53.425400]  copy_process+0x1564/0x61e0
[ 53.429453]  _do_fork+0xec/0xbf0
[ 53.432805]  __x64_sys_clone+0x18e/0x240
[ 53.436847]  do_syscall_64+0xd0/0x600
[ 53.440769]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 53.446290]
[ 53.447896] Freed by task 2618:
[ 53.451173]  save_stack+0x21/0x90
[ 53.454617]  __kasan_slab_free+0x11a/0x170
[ 53.458826]  kasan_slab_free+0xe/0x10
[ 53.462600]  kmem_cache_free+0x86/0x2e0
[ 53.466549]  free_task+0xa5/0xd0
[ 53.469901]  __put_task_struct+0x1c3/0x470
[ 53.474126]  delayed_put_task_struct+0x170/0x250
[ 53.478861]  rcu_core+0x529/0x1390
[ 53.482380]  rcu_core_si+0x9/0x10
[ 53.485820]  __do_softirq+0x248/0x94c
[ 53.489597]
[ 53.491203] The buggy address belongs to the object at ffff8881ca50a180
[ 53.491203]  which belongs to the cache task_struct of size 6144
[ 53.503928] The buggy address is located 2997 bytes inside of
[ 53.503928]  6144-byte region [ffff8881ca50a180, ffff8881ca50b980)
[ 53.515966] The buggy address belongs to the page:
[ 53.520875] page:ffffea0007294280 refcount:1 mapcount:0 mapping:ffff8881da1891c0 index:0x0 compound_mapcount: 0
[ 53.531085] raw: 02fffc0000010200 ffffea00072bfa08 ffffea00072b4408 ffff8881da1891c0
[ 53.538953] raw: 0000000000000000 ffff8881ca50a180 0000000100000001 0000000000000000
[ 53.546837] page dumped because: kasan: bad access detected
[ 53.552521]
[ 53.554125] Memory state around the buggy address:
[ 53.559143]  ffff8881ca50ac00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.566554]  ffff8881ca50ac80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.573893] >ffff8881ca50ad00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.581358]                                      ^
[ 53.586274]  ffff8881ca50ad80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.593618]  ffff8881ca50ae00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.600951] ==================================================================
[ 53.608288] Disabling lock debugging due to kernel taint
[ 53.613817] Kernel panic - not syncing: panic_on_warn set ...
[ 53.619713] CPU: 0 PID: 4450 Comm: syz-executor3 Tainted: G B 5.5.0-rc5-syzkaller #0
[ 53.628965] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 53.638302] Call Trace:
[ 53.640882]  dump_stack+0x12f/0x187
[ 53.644514]  ? ntfs_attr_find+0x9b0/0xb00
[ 53.648667]  panic+0x22a/0x4f5
[ 53.651847]  ? add_taint.cold.7+0x11/0x11
[ 53.656148]  ? do_raw_spin_unlock+0x54/0x260
[ 53.660566]  ? do_raw_spin_unlock+0x54/0x260
[ 53.665041]  ? ntfs_attr_find+0x9df/0xb00
[ 53.669170]  ? ntfs_attr_find+0x9df/0xb00
[ 53.673305]  end_report+0x47/0x4f
[ 53.676734]  __kasan_report.cold.11+0xe/0x39
[ 53.681148]  ? __isolate_free_page+0x410/0x490
[ 53.685714]  ? ntfs_attr_find+0x9df/0xb00
[ 53.689856]  kasan_report+0x12/0x20
[ 53.693486]  __asan_report_load_n_noabort+0xf/0x20
[ 53.698407]  ntfs_attr_find+0x9df/0xb00
[ 53.702496]  ? __alloc_pages_nodemask+0x563/0x850
[ 53.707327]  ? __switch_to_asm+0x34/0x70
[ 53.711371]  ? __switch_to_asm+0x40/0x70
[ 53.715413]  ? __kasan_check_write+0x14/0x20
[ 53.719990]  ntfs_attr_lookup+0x10c9/0x23c0
[ 53.724300]  ? kasan_unpoison_shadow+0x35/0x50
[ 53.728961]  ? __kasan_kmalloc.constprop.7+0xc1/0xd0
[ 53.734479]  ? kmem_cache_alloc+0x30b/0x740
[ 53.738786]  ? ntfs_attr_reinit_search_ctx+0x3a0/0x3a0
[ 53.744113]  ntfs_read_inode_mount+0x6bf/0x20c0
[ 53.748772]  ntfs_fill_super+0x121e/0x2d50
[ 53.752996]  ? snprintf+0x91/0xc0
[ 53.756426]  ? vsprintf+0x20/0x20
[ 53.759993]  mount_bdev+0x27b/0x340
[ 53.763605]  ? load_system_files+0x6530/0x6530
[ 53.768348]  ? ntfs_rl_punch_nolock+0x1ec0/0x1ec0
[ 53.773274]  ntfs_mount+0x10/0x20
[ 53.776717]  legacy_get_tree+0x103/0x1f0
[ 53.780760]  vfs_get_tree+0x8b/0x2d0
[ 53.784463]  ? capable+0x14/0x20
[ 53.787806]  do_mount+0x1285/0x1b70
[ 53.791409]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 53.796139]  ? copy_mount_string+0x20/0x20
[ 53.800350]  ? retint_kernel+0x10/0x10
[ 53.804229]  ? copy_mount_options+0x1ab/0x2c0
[ 53.808705]  __x64_sys_mount+0x169/0x1c0
[ 53.812746]  do_syscall_64+0xd0/0x600
[ 53.816536]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 53.821886] RIP: 0033:0x457dea
[ 53.825057] Code: b8 a6 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 dd 8f fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 ba 8f fb ff c3 66 0f 1f 84 00 00 00 00 00
[ 53.844986] RSP: 002b:00007f9cbdef6bb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 53.852675] RAX: ffffffffffffffda RBX: 0000000020000000 RCX: 0000000000457dea
[ 53.859930] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f9cbdef6c00
[ 53.867183] RBP: 0000000000000002 R08: 000000002007e200 R09: 0000000020000000
[ 53.874455] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003
[ 53.881708] R13: 000000000000066c R14: 00000000006fbac0 R15: 0000000000000000
[ 53.889836] Kernel Offset: disabled
[ 53.893451] Rebooting in 86400 seconds..
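What a triager reads out of the report above: a 4-byte read in ntfs_attr_find, reached from mount(2) of an NTFS image whose boot sector had already failed validation, lands 2997 bytes into a 6144-byte task_struct that an RCU callback (delayed_put_task_struct) had already freed; the shadow bytes under the address are all fb, the generic-KASAN marker for a freed slab object, so the NTFS code is reading memory that never held NTFS data. The script below is an added example, not syzbot or kernel code. It parses a constructed excerpt of this KASAN report, discards the "? " frames the unwinder could not verify, cross-checks the printed in-object offset against the raw address arithmetic, decodes the shadow byte covering the access, and names the first non-instrumentation frame of each of the three stacks. The regexes and the PLUMBING prefix list are this example's own assumptions about the report layout; every value it matches comes from lines shown on this page.

```python
# KASAN triage helper (added example for the log above; not syzbot or kernel code):
# pulls out the headline fields, drops "? " frames, checks the offset, decodes shadow.
import re
from types import SimpleNamespace

# Constructed excerpt of the report above (boot noise, registers, panic omitted).
SAMPLE_REPORT = """\
[ 53.133628] BUG: KASAN: use-after-free in ntfs_attr_find+0x9df/0xb00
[ 53.140114] Read of size 4 at addr ffff8881ca50ad35 by task syz-executor3/4450
[ 53.166229] Call Trace:
[ 53.172453]  ? ntfs_attr_find+0x9df/0xb00
[ 53.207506]  __asan_report_load_n_noabort+0xf/0x20
[ 53.212656]  ntfs_attr_find+0x9df/0xb00
[ 53.404914] Allocated by task 2386:
[ 53.408532]  save_stack+0x21/0x90
[ 53.425400]  copy_process+0x1564/0x61e0
[ 53.447896] Freed by task 2618:
[ 53.451173]  save_stack+0x21/0x90
[ 53.462600]  kmem_cache_free+0x86/0x2e0
[ 53.466549]  free_task+0xa5/0xd0
[ 53.491203] The buggy address belongs to the object at ffff8881ca50a180
[ 53.491203]  which belongs to the cache task_struct of size 6144
[ 53.503928] The buggy address is located 2997 bytes inside of
[ 53.573893] >ffff8881ca50ad00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

TS = r"^\[\s*\d+\.\d+\]\s*"  # dmesg timestamp prefix plus indentation
HEADER_RE = re.compile(TS + r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS_RE = re.compile(TS + r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr "
                       r"(?P<addr>[0-9a-f]+) by task (?P<task>\S+)/(?P<pid>\d+)")
STACK_RE = re.compile(TS + r"(?P<which>Allocated|Freed) by task (?P<pid>\d+):")
OBJ_RE = re.compile(TS + r"The buggy address belongs to the object at (?P<start>[0-9a-f]+)")
CACHE_RE = re.compile(TS + r"which belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
OFF_RE = re.compile(TS + r"The buggy address is located (?P<off>\d+) bytes inside of")
SHADOW_RE = re.compile(TS + r">(?P<base>[0-9a-f]+): (?P<bytes>[0-9a-f ]+)$")
FRAME_RE = re.compile(TS + r"(?P<guess>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
# Generic-KASAN shadow byte encodings (mm/kasan/kasan.h in 5.x kernels).
SHADOW_MEANING = {0x00: "addressable", 0xfb: "freed slab object", 0xfc: "slab redzone",
                  0xfe: "page redzone", 0xff: "freed page"}
# Frames that belong to KASAN, the stack saver or the allocator rather than the bug.
PLUMBING = ("dump_stack", "print_address_description", "__kasan", "kasan_", "__asan",
            "end_report", "save_stack", "kmem_cache_")


def culprit(frames):
    """First frame that is not instrumentation plumbing: the code a human blames."""
    return next((f for f in frames if not f.startswith(PLUMBING)), "?")


def parse_kasan_report(text):
    r = SimpleNamespace(trace=[], alloc_stack=[], free_stack=[], shadow=None)
    section = None  # list that frame lines currently belong to, if any
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            r.kind, r.func = m["kind"], m["func"]
        elif m := ACCESS_RE.match(line):
            r.rw, r.size, r.addr = m["rw"], int(m["size"]), int(m["addr"], 16)
        elif "Call Trace:" in line:
            section = r.trace
        elif m := STACK_RE.match(line):
            if m["which"] == "Allocated":
                r.alloc_pid, section = int(m["pid"]), r.alloc_stack
            else:
                r.free_pid, section = int(m["pid"]), r.free_stack
        elif m := OBJ_RE.match(line):
            r.obj_start, section = int(m["start"], 16), None
        elif m := CACHE_RE.match(line):
            r.cache, r.obj_size = m["cache"], int(m["size"])
        elif m := OFF_RE.match(line):
            r.reported_offset = int(m["off"])
        elif m := SHADOW_RE.match(line):
            # One shadow byte covers an 8-byte granule (KASAN_SHADOW_SCALE_SHIFT == 3).
            granule = (r.addr - int(m["base"], 16)) >> 3
            shadow = [int(b, 16) for b in m["bytes"].split()]
            if 0 <= granule < len(shadow):
                r.shadow = shadow[granule]
        elif section is not None and (m := FRAME_RE.match(line)):
            if not m["guess"]:  # "? " marks a stale value found by stack scanning
                section.append(m["sym"])
    r.computed_offset = r.addr - r.obj_start
    return r


def offset_consistent(r):
    """The printed offset must match the arithmetic and the access must fit the object."""
    return (r.computed_offset == r.reported_offset and r.computed_offset >= 0
            and r.computed_offset + r.size <= r.obj_size)


def shadow_meaning(r):
    if r.shadow is not None and 1 <= r.shadow <= 7:  # granule only partly addressable
        return f"partially addressable ({r.shadow} bytes)"
    return SHADOW_MEANING.get(r.shadow, f"other ({r.shadow!r})")


def summary(r):
    return (f"{r.kind}: {r.size}-byte {r.rw} in {culprit(r.trace)}, {r.computed_offset} bytes "
            f"into a {r.obj_size}-byte {r.cache} object ({shadow_meaning(r)}); allocated by "
            f"{culprit(r.alloc_stack)} (pid {r.alloc_pid}), freed by {culprit(r.free_stack)} "
            f"(pid {r.free_pid})")
```

Running summary(parse_kasan_report(SAMPLE_REPORT)) yields one line naming the bug class, the blamed function, the true object type and the allocation and free sites, which is the shape of the first comment a triager would leave on the report. Feed the parser a full console capture to triage other reports; it only reacts to lines in the generic KASAN layout of 5.x kernels, so register dumps are ignored, but note that a second "Call Trace:" (the panic trace at the end of this log) would be appended to the same trace list, so cut the capture at the closing "====" line when a panic follows.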