Warning: Permanently added '10.128.10.9' (ED25519) to the list of known hosts.
2024/07/01 07:58:37 ignoring optional flag "sandboxArg"="0"
2024/07/01 07:58:37 parsed 1 programs
2024/07/01 07:58:38 executed programs: 0
[ 50.989783][ T2172] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 54.451391][ T2590] loop0: detected capacity change from 0 to 4096
[ 54.476997][ T2590] ntfs3: loop0: ino=22, "file0" ntfs_rename
[ 54.556579][ T2593] loop0: detected capacity change from 0 to 4096
[ 54.579230][ T2593] ==================================================================
[ 54.587298][ T2593] BUG: KASAN: slab-use-after-free in __list_add_valid_or_report+0x4c/0xf0
[ 54.595778][ T2593] Read of size 8 at addr ffff8880492d9548 by task syz-executor.0/2593
[ 54.603892][ T2593]
[ 54.606201][ T2593] CPU: 1 PID: 2593 Comm: syz-executor.0 Not tainted 6.10.0-rc6-syzkaller #0
[ 54.614863][ T2593] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 54.624893][ T2593] Call Trace:
[ 54.628151][ T2593]
[ 54.630986][ T2594] ntfs3: loop0: ino=22, "file0" ntfs_rename
[ 54.631151][ T2593] dump_stack_lvl+0x108/0x280
[ 54.641680][ T2593] ? __pfx_dump_stack_lvl+0x10/0x10
[ 54.646860][ T2593] ? __pfx__printk+0x10/0x10
[ 54.651426][ T2593] ? _printk+0xce/0x120
[ 54.655554][ T2593] ? __virt_addr_valid+0x141/0x260
[ 54.660727][ T2593] ? __virt_addr_valid+0x219/0x260
[ 54.665919][ T2593] print_report+0x169/0x550
[ 54.670482][ T2593] ? __virt_addr_valid+0x141/0x260
[ 54.675560][ T2593] ? __virt_addr_valid+0x219/0x260
[ 54.680641][ T2593] ? __list_add_valid_or_report+0x4c/0xf0
[ 54.686357][ T2593] kasan_report+0x143/0x180
[ 54.690844][ T2593] ? __list_add_valid_or_report+0x4c/0xf0
[ 54.696555][ T2593] __list_add_valid_or_report+0x4c/0xf0
[ 54.702086][ T2593] chrdev_open+0x2db/0x580
[ 54.706487][ T2593] ? __pfx_chrdev_open+0x10/0x10
[ 54.711399][ T2593] ? do_raw_spin_unlock+0x13c/0x8b0
[ 54.716591][ T2593] do_dentry_open+0x794/0x1310
[ 54.721399][ T2593] ? __pfx_chrdev_open+0x10/0x10
[ 54.726308][ T2593] path_openat+0x227c/0x2810
[ 54.730874][ T2593] ? stack_depot_save_flags+0x2c/0x6c0
[ 54.736309][ T2593] ? __pfx_path_openat+0x10/0x10
[ 54.741681][ T2593] ? __lock_acquire+0x5cd/0xc10
[ 54.746522][ T2593] do_filp_open+0x22b/0x440
[ 54.751000][ T2593] ? __pfx_do_filp_open+0x10/0x10
[ 54.756007][ T2593] ? _raw_spin_unlock+0x28/0x50
[ 54.760911][ T2593] ? alloc_fd+0x3dd/0x480
[ 54.765293][ T2593] do_sys_openat2+0xf6/0x180
[ 54.769858][ T2593] ? __pfx_do_sys_openat2+0x10/0x10
[ 54.775028][ T2593] ? rcu_is_watching+0x1f/0xa0
[ 54.779761][ T2593] ? __rseq_handle_notify_resume+0x86e/0xe60
[ 54.785720][ T2593] __x64_sys_openat+0x20d/0x260
[ 54.790553][ T2593] ? __pfx___x64_sys_openat+0x10/0x10
[ 54.795983][ T2593] ? switch_fpu_return+0xce/0x140
[ 54.800977][ T2593] do_syscall_64+0x8d/0x170
[ 54.805459][ T2593] ? clear_bhb_loop+0x55/0xb0
[ 54.810117][ T2593] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 54.815997][ T2593] RIP: 0033:0x7fb06e27dea9
[ 54.820391][ T2593] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[ 54.840065][ T2593] RSP: 002b:00007fb06efd20c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[ 54.848545][ T2593] RAX: ffffffffffffffda RBX: 00007fb06e3abf80 RCX: 00007fb06e27dea9
[ 54.856584][ T2593] RDX: 0000000000000000 RSI: 0000000020002140 RDI: ffffffffffffff9c
[ 54.864630][ T2593] RBP: 00007fb06e2ca4a4 R08: 0000000000000000 R09: 0000000000000000
[ 54.872574][ T2593] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 54.880549][ T2593] R13: 0000000000000016 R14: 00007fb06e3abf80 R15: 00007fff67c1cc38
[ 54.888601][ T2593]
[ 54.891617][ T2593]
[ 54.893929][ T2593] Allocated by task 2590:
[ 54.898240][ T2593] kasan_save_track+0x3f/0x80
[ 54.902901][ T2593] __kasan_slab_alloc+0x66/0x80
[ 54.907720][ T2593] kmem_cache_alloc_lru_noprof+0x135/0x360
[ 54.913512][ T2593] ntfs_alloc_inode+0x20/0x70
[ 54.918155][ T2593] new_inode_pseudo+0x5b/0x190
[ 54.922966][ T2593] new_inode+0x17/0x1b0
[ 54.927103][ T2593] ntfs_new_inode+0x40/0xd0
[ 54.931602][ T2593] ntfs_create_inode+0x540/0x33e0
[ 54.936600][ T2593] ntfs_mknod+0x17/0x20
[ 54.940733][ T2593] vfs_mknod+0x26c/0x290
[ 54.944975][ T2593] do_mknodat+0x382/0x4a0
[ 54.949282][ T2593] __x64_sys_mknodat+0xa4/0xc0
[ 54.954110][ T2593] do_syscall_64+0x8d/0x170
[ 54.958760][ T2593] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 54.965145][ T2593]
[ 54.967448][ T2593] Freed by task 23:
[ 54.971234][ T2593] kasan_save_track+0x3f/0x80
[ 54.975898][ T2593] kasan_save_free_info+0x40/0x50
[ 54.980891][ T2593] poison_slab_object+0xe0/0x150
[ 54.985805][ T2593] __kasan_slab_free+0x37/0x60
[ 54.990716][ T2593] kmem_cache_free+0x12c/0x3b0
[ 54.995447][ T2593] rcu_core+0xc3c/0x1470
[ 54.999679][ T2593] handle_softirqs+0x1b7/0x570
[ 55.004409][ T2593] run_ksoftirqd+0x28/0x40
[ 55.008791][ T2593] smpboot_thread_fn+0x578/0x7f0
[ 55.013695][ T2593] kthread+0x268/0x2c0
[ 55.017742][ T2593] ret_from_fork+0x32/0x60
[ 55.022120][ T2593] ret_from_fork_asm+0x1a/0x30
[ 55.026858][ T2593]
[ 55.029155][ T2593] Last potentially related work creation:
[ 55.034836][ T2593] kasan_save_stack+0x3f/0x60
[ 55.039499][ T2593] __kasan_record_aux_stack+0xac/0xc0
[ 55.044844][ T2593] call_rcu+0x159/0x8e0
[ 55.048969][ T2593] __dentry_kill+0x196/0x5b0
[ 55.053627][ T2593] shrink_kill+0x29/0xa0
[ 55.057866][ T2593] shrink_dentry_list+0x1b5/0x410
[ 55.062858][ T2593] shrink_dcache_parent+0xb6/0x2a0
[ 55.067967][ T2593] do_one_tree+0x1b/0xd0
[ 55.072175][ T2593] shrink_dcache_for_umount+0x5f/0xd0
[ 55.077520][ T2593] generic_shutdown_super+0x63/0x260
[ 55.082966][ T2593] kill_block_super+0x3f/0x80
[ 55.087613][ T2593] ntfs3_kill_sb+0x3f/0x1a0
[ 55.092170][ T2593] deactivate_locked_super+0x9f/0x3a0
[ 55.097509][ T2593] cleanup_mnt+0x29f/0x320
[ 55.101895][ T2593] task_work_run+0x20f/0x290
[ 55.106451][ T2593] syscall_exit_to_user_mode+0xb5/0x1c0
[ 55.111966][ T2593] do_syscall_64+0x9a/0x170
[ 55.116441][ T2593] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 55.122299][ T2593]
[ 55.124591][ T2593] The buggy address belongs to the object at ffff8880492d8ea0
[ 55.124591][ T2593] which belongs to the cache ntfs_inode_cache of size 1744
[ 55.139142][ T2593] The buggy address is located 1704 bytes inside of
[ 55.139142][ T2593] freed 1744-byte region [ffff8880492d8ea0, ffff8880492d9570)
[ 55.153609][ T2593]
[ 55.155937][ T2593] The buggy address belongs to the physical page:
[ 55.162362][ T2593] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x492d8
[ 55.171101][ T2593] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 55.179576][ T2593] memcg:ffff888013b74301
[ 55.183912][ T2593] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[ 55.191445][ T2593] page_type: 0xffffefff(slab)
[ 55.196096][ T2593] raw: 00fff00000000040 ffff88800ab51280 dead000000000122 0000000000000000
[ 55.204688][ T2593] raw: 0000000000000000 0000000080110011 00000001ffffefff ffff888013b74301
[ 55.213419][ T2593] head: 00fff00000000040 ffff88800ab51280 dead000000000122 0000000000000000
[ 55.222055][ T2593] head: 0000000000000000 0000000080110011 00000001ffffefff ffff888013b74301
[ 55.230708][ T2593] head: 00fff00000000003 ffffea000124b601 ffffffffffffffff 0000000000000000
[ 55.239369][ T2593] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
[ 55.248010][ T2593] page dumped because: kasan: bad access detected
[ 55.254418][ T2593] page_owner tracks the page as allocated
[ 55.260117][ T2593] page last allocated via order 3, migratetype Reclaimable, gfp_mask 0x1d2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 2590, tgid 2589 (syz-executor.0), ts 54466298744, free_ts 5271133254
[ 55.284065][ T2593] post_alloc_hook+0x10f/0x130
[ 55.288808][ T2593] get_page_from_freelist+0x2c48/0x2d00
[ 55.294354][ T2593] __alloc_pages_noprof+0x256/0x670
[ 55.299698][ T2593] alloc_slab_page+0x5f/0x120
[ 55.304730][ T2593] allocate_slab+0x5d/0x290
[ 55.309350][ T2593] ___slab_alloc+0xa7f/0x11d0
[ 55.314116][ T2593] kmem_cache_alloc_lru_noprof+0x1f6/0x360
[ 55.319895][ T2593] ntfs_alloc_inode+0x20/0x70
[ 55.324569][ T2593] iget5_locked+0x8b/0x210
[ 55.329038][ T2593] ntfs_iget5+0xcb/0x3150
[ 55.333354][ T2593] ntfs_fill_super+0x271d/0x3f50
[ 55.338282][ T2593] get_tree_bdev+0x399/0x590
[ 55.342925][ T2593] vfs_get_tree+0x82/0x190
[ 55.347307][ T2593] do_new_mount+0x21e/0x9b0
[ 55.351771][ T2593] __se_sys_mount+0x242/0x2e0
[ 55.356418][ T2593] do_syscall_64+0x8d/0x170
[ 55.360908][ T2593] page last free pid 1 tgid 1 stack trace:
[ 55.366697][ T2593] free_unref_page+0xb6f/0xca0
[ 55.371441][ T2593] free_contig_range+0x91/0x140
[ 55.376363][ T2593] destroy_args+0x72/0x6e0
[ 55.380769][ T2593] debug_vm_pgtable+0x3c2/0x5e0
[ 55.385598][ T2593] do_one_initcall+0x196/0x4d0
[ 55.390331][ T2593] do_initcall_level+0x11e/0x1e0
[ 55.395401][ T2593] do_initcalls+0x3e/0x70
[ 55.399895][ T2593] kernel_init_freeable+0x36a/0x4c0
[ 55.405068][ T2593] kernel_init+0x18/0x1b0
[ 55.409470][ T2593] ret_from_fork+0x32/0x60
[ 55.413862][ T2593] ret_from_fork_asm+0x1a/0x30
[ 55.418700][ T2593]
[ 55.421090][ T2593] Memory state around the buggy address:
[ 55.426686][ T2593] ffff8880492d9400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.434803][ T2593] ffff8880492d9480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.442934][ T2593] >ffff8880492d9500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 55.451056][ T2593] ^
[ 55.457460][ T2593] ffff8880492d9580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fa fb
[ 55.465513][ T2593] ffff8880492d9600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.473640][ T2593] ==================================================================
[ 55.481981][ T2593] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 55.489743][ T2593] Kernel Offset: disabled
[ 55.494066][ T2593] Rebooting in 86400 seconds..