syzkaller login: [ 43.355969] can: request_module (can-proto-0) failed.
[ 43.360980] can: request_module (can-proto-0) failed.
[ 44.179895] IPVS: ftp: loaded support on port[0] = 21
[ 44.285999] ip (3572) used greatest stack depth: 24056 bytes left
[ 44.495754] ip (3651) used greatest stack depth: 23712 bytes left
[ 44.873346] 8021q: adding VLAN 0 to HW filter on device bond0
[ 44.938119] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 45.230536] tipc: TX() has been purged, node left!
[ 46.887850] bond0 (unregistering): Released all slaves
Warning: Permanently added '10.128.10.61' (ECDSA) to the list of known hosts.
2020/05/16 14:10:29 parsed 1 programs
2020/05/16 14:10:29 executed programs: 0
[ 52.587485] IPVS: ftp: loaded support on port[0] = 21
[ 52.587807] IPVS: ftp: loaded support on port[0] = 21
[ 52.610644] IPVS: ftp: loaded support on port[0] = 21
[ 52.615512] IPVS: ftp: loaded support on port[0] = 21
[ 52.621263] IPVS: ftp: loaded support on port[0] = 21
[ 52.633514] IPVS: ftp: loaded support on port[0] = 21
[ 52.775489] ntfs: (device loop4): is_boot_sector_ntfs(): Invalid end of sector marker.
[ 52.785405] ==================================================================
[ 52.793140] BUG: KASAN: use-after-free in ntfs_attr_find+0x9db/0xb00
[ 52.799630] Read of size 4 at addr ffff8881c8970d35 by task syz-executor4/3940
[ 52.806983]
[ 52.808611] CPU: 0 PID: 3940 Comm: syz-executor4 Not tainted 5.7.0-rc5-syzkaller #0
[ 52.816405] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 52.825755] Call Trace:
[ 52.828349] dump_stack+0x12f/0x187
[ 52.831974] ? ntfs_attr_find+0x9db/0xb00
[ 52.836815] ? ntfs_attr_find+0x9db/0xb00
[ 52.840472] ntfs: (device loop3): is_boot_sector_ntfs(): Invalid end of sector marker.
[ 52.840963] print_address_description.constprop.8+0x3f/0x60
[ 52.840970] ? ntfs_attr_find+0x9db/0xb00
[ 52.840976] ? ntfs_attr_find+0x9db/0xb00
[ 52.863051] __kasan_report.cold.11+0x23/0x3a
[ 52.867546] ? ntfs_attr_find+0x9db/0xb00
[ 52.871672] kasan_report+0x38/0x50
[ 52.875370] __asan_report_load_n_noabort+0xf/0x20
[ 52.880283] ntfs_attr_find+0x9db/0xb00
[ 52.884237] ? __alloc_pages_nodemask+0x55d/0x840
[ 52.889060] ? __switch_to_asm+0x40/0x70
[ 52.893717] ? __kasan_check_write+0x14/0x20
[ 52.898190] ntfs_attr_lookup+0x10c9/0x23c0
[ 52.902486] ? kasan_unpoison_shadow+0x35/0x50
[ 52.907042] ? __kasan_kmalloc.constprop.7+0xc1/0xd0
[ 52.912122] ? kmem_cache_alloc+0x30b/0x740
[ 52.916418] ? ntfs_attr_reinit_search_ctx+0x3a0/0x3a0
[ 52.922281] ntfs_read_inode_mount+0x6c2/0x21b0
[ 52.926929] ntfs_fill_super+0x1217/0x2d40
[ 52.931140] ? snprintf+0x91/0xc0
[ 52.934571] ? vsprintf+0x20/0x20
[ 52.938002] mount_bdev+0x27b/0x340
[ 52.941603] ? load_system_files+0x6270/0x6270
[ 52.946174] ? ntfs_rl_punch_nolock+0x1ec0/0x1ec0
[ 52.950992] ntfs_mount+0x10/0x20
[ 52.954423] legacy_get_tree+0x103/0x1f0
[ 52.958467] vfs_get_tree+0x8b/0x2d0
[ 52.962157] ? capable+0x14/0x20
[ 52.965525] do_mount+0x1287/0x1c30
[ 52.969153] ? lock_downgrade+0x960/0x960
[ 52.973280] ? copy_mount_string+0x20/0x20
[ 52.977515] ? ___might_sleep+0x13e/0x2b0
[ 52.981662] ? __kasan_check_write+0x14/0x20
[ 52.986049] ? _copy_from_user+0xc5/0x110
[ 52.990175] __x64_sys_mount+0x169/0x1c0
[ 52.994214] do_syscall_64+0xd0/0x630
[ 52.997992] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 53.003159] RIP: 0033:0x457dea
[ 53.006366] Code: b8 a6 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 dd 8f fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 ba 8f fb ff c3 66 0f 1f 84 00 00 00 00 00
[ 53.025287] RSP: 002b:00007f98b5d67bb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 53.032980] RAX: ffffffffffffffda RBX: 0000000020000000 RCX: 0000000000457dea
[ 53.040221] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f98b5d67c00
[ 53.047465] RBP: 0000000000000002 R08: 000000002007e200 R09: 0000000020000000
[ 53.054706] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003
[ 53.062558] R13: 000000000000066c R14: 00000000006fbac0 R15: 0000000000000000
[ 53.069814]
[ 53.071420] Allocated by task 3823:
[ 53.075024] save_stack+0x21/0x50
[ 53.078457] __kasan_kmalloc.constprop.7+0xc1/0xd0
[ 53.083364] kasan_kmalloc+0x9/0x10
[ 53.087135] kmem_cache_alloc_trace+0x15b/0x770
[ 53.091785] kobject_uevent_env+0x1c5/0xea0
[ 53.096076] kobject_uevent+0xb/0x10
[ 53.099761] device_add+0xad3/0x1ba0
[ 53.103443] netdev_register_kobject+0x16a/0x360
[ 53.108170] register_netdevice+0x95f/0x1060
[ 53.112548] register_netdev+0x19/0x30
[ 53.116407] ip6_tnl_init_net+0x42c/0x6b0
[ 53.120528] ops_init+0x98/0x380
[ 53.123875] setup_net+0x2e7/0x7e0
[ 53.127384] copy_net_ns+0x25b/0x4a0
[ 53.131067] create_new_namespaces+0x494/0x950
[ 53.135619] unshare_nsproxy_namespaces+0x87/0x1a0
[ 53.140519] ksys_unshare+0x324/0x6f0
[ 53.144291] __x64_sys_unshare+0x2c/0x40
[ 53.148327] do_syscall_64+0xd0/0x630
[ 53.152099] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 53.157256]
[ 53.158856] Freed by task 3823:
[ 53.162104] save_stack+0x21/0x50
[ 53.165541] __kasan_slab_free+0x11a/0x170
[ 53.169753] kasan_slab_free+0xe/0x10
[ 53.173552] kfree+0xfa/0x290
[ 53.176646] kobject_uevent_env+0x23a/0xea0
[ 53.180939] kobject_uevent+0xb/0x10
[ 53.184626] device_add+0xad3/0x1ba0
[ 53.188338] netdev_register_kobject+0x16a/0x360
[ 53.193065] register_netdevice+0x95f/0x1060
[ 53.197443] register_netdev+0x19/0x30
[ 53.201303] ip6_tnl_init_net+0x42c/0x6b0
[ 53.205420] ops_init+0x98/0x380
[ 53.208757] setup_net+0x2e7/0x7e0
[ 53.212277] copy_net_ns+0x25b/0x4a0
[ 53.215971] create_new_namespaces+0x494/0x950
[ 53.220524] unshare_nsproxy_namespaces+0x87/0x1a0
[ 53.225422] ksys_unshare+0x324/0x6f0
[ 53.229191] __x64_sys_unshare+0x2c/0x40
[ 53.233225] do_syscall_64+0xd0/0x630
[ 53.237001] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 53.242158]
[ 53.243758] The buggy address belongs to the object at ffff8881c8970000
[ 53.243758] which belongs to the cache kmalloc-4k of size 4096
[ 53.256414] The buggy address is located 3381 bytes inside of
[ 53.256414] 4096-byte region [ffff8881c8970000, ffff8881c8971000)
[ 53.269730] The buggy address belongs to the page:
[ 53.274643] page:ffffea0007225c00 refcount:1 mapcount:0 mapping:00000000eaee01d3 index:0x0 head:ffffea0007225c00 order:1 compound_mapcount:0
[ 53.287367] flags: 0x2fffc0000010200(slab|head)
[ 53.292009] raw: 02fffc0000010200 ffffea0007223a08 ffffea000726db08 ffff8881da002000
[ 53.299860] raw: 0000000000000000 ffff8881c8970000 0000000100000001 0000000000000000
[ 53.307721] page dumped because: kasan: bad access detected
[ 53.313401]
[ 53.315012] Memory state around the buggy address:
[ 53.319926] ffff8881c8970c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.327257] ffff8881c8970c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.334609] >ffff8881c8970d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.342543] ^
[ 53.347440] ffff8881c8970d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.354868] ffff8881c8970e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.362295] ==================================================================
[ 53.369724] Disabling lock debugging due to kernel taint
[ 53.375287] Kernel panic - not syncing: panic_on_warn set ...
[ 53.381256] CPU: 0 PID: 3940 Comm: syz-executor4 Tainted: G B 5.7.0-rc5-syzkaller #0
[ 53.390430] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 53.399797] Call Trace:
[ 53.402529] dump_stack+0x12f/0x187
[ 53.406132] ? ntfs_attr_find+0x930/0xb00
[ 53.410252] ? ntfs_attr_find+0x9db/0xb00
[ 53.413582] ntfs: (device loop3): ntfs_attr_find(): Inode is corrupt. Run chkdsk.
[ 53.414382] panic+0x22a/0x4f5
[ 53.414386] ? add_taint.cold.7+0x11/0x11
[ 53.414392] ? do_raw_spin_unlock+0x54/0x260
[ 53.414401] ? do_raw_spin_unlock+0x54/0x260
[ 53.414406] ? ntfs_attr_find+0x9db/0xb00
[ 53.414409] ? ntfs_attr_find+0x9db/0xb00
[ 53.414414] end_report+0x51/0x59
[ 53.414417] __kasan_report.cold.11+0xe/0x3a
[ 53.414422] ? ntfs_attr_find+0x9db/0xb00
[ 53.422132] ntfs: (device loop3): ntfs_read_inode_mount(): Failed to lookup attribute list attribute. You should run chkdsk.
[ 53.425296] kasan_report+0x38/0x50
[ 53.425301] __asan_report_load_n_noabort+0xf/0x20
[ 53.425304] ntfs_attr_find+0x9db/0xb00
[ 53.425309] ? __alloc_pages_nodemask+0x55d/0x840
[ 53.425314] ? __switch_to_asm+0x40/0x70
[ 53.425319] ? __kasan_check_write+0x14/0x20
[ 53.425323] ntfs_attr_lookup+0x10c9/0x23c0
[ 53.429527] ntfs: (device loop3): ntfs_read_inode_mount(): Failed. Marking inode as bad.
[ 53.433931] ? kasan_unpoison_shadow+0x35/0x50
[ 53.433935] ? __kasan_kmalloc.constprop.7+0xc1/0xd0
[ 53.433940] ? kmem_cache_alloc+0x30b/0x740
[ 53.438335] ntfs: (device loop3): ntfs_fill_super(): Failed to load essential metadata.
[ 53.442442] ? ntfs_attr_reinit_search_ctx+0x3a0/0x3a0
[ 53.442448] ntfs_read_inode_mount+0x6c2/0x21b0
[ 53.442454] ntfs_fill_super+0x1217/0x2d40
[ 53.544119] ? snprintf+0x91/0xc0
[ 53.547545] ? vsprintf+0x20/0x20
[ 53.550983] mount_bdev+0x27b/0x340
[ 53.554594] ? load_system_files+0x6270/0x6270
[ 53.559500] ? ntfs_rl_punch_nolock+0x1ec0/0x1ec0
[ 53.564341] ntfs_mount+0x10/0x20
[ 53.567776] legacy_get_tree+0x103/0x1f0
[ 53.571841] vfs_get_tree+0x8b/0x2d0
[ 53.575534] ? capable+0x14/0x20
[ 53.578881] do_mount+0x1287/0x1c30
[ 53.582496] ? lock_downgrade+0x960/0x960
[ 53.586635] ? copy_mount_string+0x20/0x20
[ 53.590859] ? ___might_sleep+0x13e/0x2b0
[ 53.594992] ? __kasan_check_write+0x14/0x20
[ 53.599387] ? _copy_from_user+0xc5/0x110
[ 53.603568] __x64_sys_mount+0x169/0x1c0
[ 53.607670] do_syscall_64+0xd0/0x630
[ 53.611453] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 53.616626] RIP: 0033:0x457dea
[ 53.619809] Code: b8 a6 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 dd 8f fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 ba 8f fb ff c3 66 0f 1f 84 00 00 00 00 00
[ 53.639533] RSP: 002b:00007f98b5d67bb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 53.647217] RAX: ffffffffffffffda RBX: 0000000020000000 RCX: 0000000000457dea
[ 53.654895] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f98b5d67c00
[ 53.662153] RBP: 0000000000000002 R08: 000000002007e200 R09: 0000000020000000
[ 53.669831] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003
[ 53.677082] R13: 000000000000066c R14: 00000000006fbac0 R15: 0000000000000000
[ 53.685108] Kernel Offset: disabled
[ 53.688749] Rebooting in 86400 seconds..