syzkaller login: [ 45.991386] can: request_module (can-proto-0) failed.
[ 45.995889] can: request_module (can-proto-0) failed.
[ 46.869391] IPVS: ftp: loaded support on port[0] = 21
[ 46.979849] ip (3569) used greatest stack depth: 23904 bytes left
[ 47.063003] ip (3589) used greatest stack depth: 23856 bytes left
[ 47.195896] ip (3648) used greatest stack depth: 23280 bytes left
[ 47.604701] 8021q: adding VLAN 0 to HW filter on device bond0
[ 47.673344] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 47.984223] tipc: TX() has been purged, node left!
[ 49.631008] bond0 (unregistering): Released all slaves
Warning: Permanently added '10.128.15.216' (ECDSA) to the list of known hosts.
2020/04/16 13:53:28 parsed 1 programs
2020/04/16 13:53:28 executed programs: 0
[ 55.063104] IPVS: ftp: loaded support on port[0] = 21
[ 55.073265] IPVS: ftp: loaded support on port[0] = 21
[ 55.088908] IPVS: ftp: loaded support on port[0] = 21
[ 55.089829] IPVS: ftp: loaded support on port[0] = 21
[ 55.117907] IPVS: ftp: loaded support on port[0] = 21
[ 55.131697] IPVS: ftp: loaded support on port[0] = 21
[ 55.252591] ntfs: (device loop0): is_boot_sector_ntfs(): Invalid end of sector marker.
[ 55.262926] ==================================================================
[ 55.270327] BUG: KASAN: use-after-free in ntfs_attr_find+0x9db/0xb00
[ 55.276848] Read of size 4 at addr ffff8881c866ed35 by task syz-executor/3932
[ 55.280455] ntfs: (device loop2): is_boot_sector_ntfs(): Invalid end of sector marker.
[ 55.284145]
[ 55.284153] CPU: 0 PID: 3932 Comm: syz-executor Not tainted 5.7.0-rc1-syzkaller #0
[ 55.284156] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 55.284158] Call Trace:
[ 55.284168]  dump_stack+0x12f/0x187
[ 55.284176]  ? ntfs_attr_find+0x9db/0xb00
[ 55.284180]  ? ntfs_attr_find+0x9db/0xb00
[ 55.284185]  print_address_description.constprop.8+0x3b/0x60
[ 55.284189]  ? ntfs_attr_find+0x9db/0xb00
[ 55.284192]  ? ntfs_attr_find+0x9db/0xb00
[ 55.284198]  __kasan_report.cold.11+0x37/0x4e
[ 55.343903]  ? ntfs_attr_find+0x9db/0xb00
[ 55.348043]  kasan_report+0x38/0x50
[ 55.351647]  __asan_report_load_n_noabort+0xf/0x20
[ 55.356557]  ntfs_attr_find+0x9db/0xb00
[ 55.360522]  ? trace_hardirqs_on_caller+0x28/0x180
[ 55.365427]  ? __alloc_pages_nodemask+0x55d/0x840
[ 55.370258]  ntfs_attr_lookup+0x10c9/0x23c0
[ 55.374660]  ? kasan_unpoison_shadow+0x35/0x50
[ 55.379230]  ? __kasan_kmalloc.constprop.7+0xc1/0xd0
[ 55.384312]  ? kmem_cache_alloc+0x30b/0x740
[ 55.388616]  ? ntfs_attr_reinit_search_ctx+0x3a0/0x3a0
[ 55.393903]  ntfs_read_inode_mount+0x6c2/0x21b0
[ 55.398567]  ntfs_fill_super+0x1217/0x2d40
[ 55.402798]  ? snprintf+0x91/0xc0
[ 55.406344]  ? vsprintf+0x20/0x20
[ 55.409784]  mount_bdev+0x27b/0x340
[ 55.413392]  ? load_system_files+0x6270/0x6270
[ 55.417957]  ? ntfs_rl_punch_nolock+0x1ec0/0x1ec0
[ 55.422780]  ntfs_mount+0x10/0x20
[ 55.426223]  legacy_get_tree+0x103/0x1f0
[ 55.430264]  vfs_get_tree+0x8b/0x2d0
[ 55.433967]  ? capable+0x14/0x20
[ 55.437318]  do_mount+0x1287/0x1c30
[ 55.440925]  ? lock_downgrade+0x960/0x960
[ 55.445052]  ? copy_mount_string+0x20/0x20
[ 55.449301]  ? ___might_sleep+0x13e/0x2b0
[ 55.453444]  ? __kasan_check_write+0x14/0x20
[ 55.457849]  ? _copy_from_user+0xc5/0x110
[ 55.461979]  __x64_sys_mount+0x169/0x1c0
[ 55.466023]  do_syscall_64+0xd0/0x630
[ 55.469829]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 55.474998] RIP: 0033:0x457dea
[ 55.478183] Code: b8 a6 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 dd 8f fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 ba 8f fb ff c3 66 0f 1f 84 00 00 00 00 00
[ 55.497086] RSP: 002b:00007f9122ca3bb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 55.504771] RAX: ffffffffffffffda RBX: 0000000020000000 RCX: 0000000000457dea
[ 55.512019] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f9122ca3c00
[ 55.519269] RBP: 0000000000000002 R08: 000000002007e200 R09: 0000000020000000
[ 55.526529] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003
[ 55.533787] R13: 000000000000066c R14: 00000000006fbac0 R15: 0000000000000000
[ 55.541052]
[ 55.542673] Allocated by task 3944:
[ 55.546283]  save_stack+0x21/0x50
[ 55.549711]  __kasan_kmalloc.constprop.7+0xc1/0xd0
[ 55.554805]  kasan_slab_alloc+0x12/0x20
[ 55.558769]  kmem_cache_alloc+0x121/0x740
[ 55.562900]  getname_flags+0xb8/0x510
[ 55.566676]  getname+0xd/0x10
[ 55.569784]  do_sys_openat2+0x23d/0x590
[ 55.573742]  do_sys_open+0x90/0xe0
[ 55.577275]  __x64_sys_open+0x79/0xb0
[ 55.581056]  do_syscall_64+0xd0/0x630
[ 55.584843]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 55.590023]
[ 55.591628] Freed by task 3944:
[ 55.594884]  save_stack+0x21/0x50
[ 55.598399]  __kasan_slab_free+0x11a/0x170
[ 55.602621]  kasan_slab_free+0xe/0x10
[ 55.606414]  kmem_cache_free+0x86/0x2e0
[ 55.610366]  putname+0xa8/0xe0
[ 55.613535]  do_sys_openat2+0x27d/0x590
[ 55.617485]  do_sys_open+0x90/0xe0
[ 55.621014]  __x64_sys_open+0x79/0xb0
[ 55.624796]  do_syscall_64+0xd0/0x630
[ 55.628575]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 55.633784]
[ 55.635404] The buggy address belongs to the object at ffff8881c866e7c0
[ 55.635404]  which belongs to the cache names_cache of size 4096
[ 55.648365] The buggy address is located 1397 bytes inside of
[ 55.648365]  4096-byte region [ffff8881c866e7c0, ffff8881c866f7c0)
[ 55.660396] The buggy address belongs to the page:
[ 55.665323] page:ffffea0007219b80 refcount:1 mapcount:0 mapping:00000000cd40bc87 index:0x0 head:ffffea0007219b80 order:1 compound_mapcount:0
[ 55.678056] flags: 0x2fffc0000010200(slab|head)
[ 55.682707] raw: 02fffc0000010200 ffffea0007219b08 ffffea0007217e08 ffff8881da17aa80
[ 55.690573] raw: 0000000000000000 ffff8881c866e7c0 0000000100000001 0000000000000000
[ 55.698430] page dumped because: kasan: bad access detected
[ 55.704128]
[ 55.705749] Memory state around the buggy address:
[ 55.710668]  ffff8881c866ec00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.718024]  ffff8881c866ec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.725373] >ffff8881c866ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.732707]                                      ^
[ 55.737633]  ffff8881c866ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.744978]  ffff8881c866ee00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.752332] ==================================================================
[ 55.759691] Disabling lock debugging due to kernel taint
[ 55.765215] Kernel panic - not syncing: panic_on_warn set ...
[ 55.771135] CPU: 0 PID: 3932 Comm: syz-executor Tainted: G B 5.7.0-rc1-syzkaller #0
[ 55.780257] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 55.784761] ntfs: (device loop4): is_boot_sector_ntfs(): Invalid end of sector marker.
[ 55.789610] Call Trace:
[ 55.789622]  dump_stack+0x12f/0x187
[ 55.789629]  ? ntfs_attr_find+0x920/0xb00
[ 55.789632]  ? ntfs_attr_find+0x9db/0xb00
[ 55.789638]  panic+0x22a/0x4f5
[ 55.789641]  ? add_taint.cold.7+0x11/0x11
[ 55.789647]  ? do_raw_spin_unlock+0x54/0x260
[ 55.789649]  ? do_raw_spin_unlock+0x54/0x260
[ 55.789653]  ? ntfs_attr_find+0x9db/0xb00
[ 55.789655]  ? ntfs_attr_find+0x9db/0xb00
[ 55.789660]  end_report+0x51/0x59
[ 55.789668]  __kasan_report.cold.11+0xe/0x4e
[ 55.789671]  ? ntfs_attr_find+0x9db/0xb00
[ 55.789677]  kasan_report+0x38/0x50
[ 55.819467] ntfs: (device loop4): ntfs_attr_find(): Inode is corrupt. Run chkdsk.
[ 55.819505]  __asan_report_load_n_noabort+0xf/0x20
[ 55.823962] ntfs: (device loop4): ntfs_read_inode_mount(): Failed to lookup attribute list attribute. You should run chkdsk.
[ 55.828303]  ntfs_attr_find+0x9db/0xb00
[ 55.828309]  ? trace_hardirqs_on_caller+0x28/0x180
[ 55.828314]  ? __alloc_pages_nodemask+0x55d/0x840
[ 55.828319]  ntfs_attr_lookup+0x10c9/0x23c0
[ 55.828325]  ? kasan_unpoison_shadow+0x35/0x50
[ 55.832475] ntfs: (device loop4): ntfs_read_inode_mount(): Failed. Marking inode as bad.
[ 55.836577]  ? __kasan_kmalloc.constprop.7+0xc1/0xd0
[ 55.836583]  ? kmem_cache_alloc+0x30b/0x740
[ 55.836587]  ? ntfs_attr_reinit_search_ctx+0x3a0/0x3a0
[ 55.836592]  ntfs_read_inode_mount+0x6c2/0x21b0
[ 55.836598]  ntfs_fill_super+0x1217/0x2d40
[ 55.840049] ntfs: (device loop4): ntfs_fill_super(): Failed to load essential metadata.
[ 55.844415]  ? snprintf+0x91/0xc0
[ 55.844419]  ? vsprintf+0x20/0x20
[ 55.844425]  mount_bdev+0x27b/0x340
[ 55.844429]  ? load_system_files+0x6270/0x6270
[ 55.886305] ntfs: (device loop2): ntfs_attr_find(): Inode is corrupt. Run chkdsk.
[ 55.890166]  ? ntfs_rl_punch_nolock+0x1ec0/0x1ec0
[ 55.890170]  ntfs_mount+0x10/0x20
[ 55.890176]  legacy_get_tree+0x103/0x1f0
[ 55.890182]  vfs_get_tree+0x8b/0x2d0
[ 55.890187]  ? capable+0x14/0x20
[ 55.890191]  do_mount+0x1287/0x1c30
[ 55.890197]  ? lock_downgrade+0x960/0x960
[ 55.890201]  ? copy_mount_string+0x20/0x20
[ 55.890204]  ? ___might_sleep+0x13e/0x2b0
[ 55.890209]  ? __kasan_check_write+0x14/0x20
[ 55.890217]  ? _copy_from_user+0xc5/0x110
[ 55.894550] ntfs: (device loop2): ntfs_read_inode_mount(): Failed to lookup attribute list attribute. You should run chkdsk.
[ 55.899117]  __x64_sys_mount+0x169/0x1c0
[ 55.899125]  do_syscall_64+0xd0/0x630
[ 55.899131]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 55.899134] RIP: 0033:0x457dea
[ 55.899141] Code: b8 a6 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 dd 8f fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 ba 8f fb ff c3 66 0f 1f 84 00 00 00 00 00
[ 55.899142] RSP: 002b:00007f9122ca3bb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 55.899148] RAX: ffffffffffffffda RBX: 0000000020000000 RCX: 0000000000457dea
[ 55.907379] ntfs: (device loop2): ntfs_read_inode_mount(): Failed. Marking inode as bad.
[ 55.912434] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f9122ca3c00
[ 55.912436] RBP: 0000000000000002 R08: 000000002007e200 R09: 0000000020000000
[ 55.912438] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003
[ 55.912440] R13: 000000000000066c R14: 00000000006fbac0 R15: 0000000000000000
[ 55.917376] Kernel Offset: disabled
[ 56.109769] Rebooting in 86400 seconds..
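What the report above says, stripped of the console noise: a 4-byte read in ntfs_attr_find, reached from mount() in task 3932, landed 1397 bytes into a 4096-byte names_cache object that task 3944 had obtained through getname() and already released through putname() inside open(); every shadow byte around the address is fb. The helper below is an added example, not syzkaller's or the kernel's code. It parses a constructed excerpt of exactly those lines, derives a dedup title in the shape syzbot uses, decodes the generic-KASAN shadow byte covering the faulting address, and re-checks the arithmetic the report prints (0xffff8881c866ed35 - 0xffff8881c866e7c0 = 1397, the access staying inside the region, the allocating and freeing task being someone other than the accessing one). The shadow-value table and the list of report-machinery frames are assumptions taken from mm/kasan/kasan.h and mm/kasan/report.c of 5.x kernels, not from this log.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed excerpt: the KASAN lines copied from the log above, console noise dropped.
REPORT = """\
BUG: KASAN: use-after-free in ntfs_attr_find+0x9db/0xb00
Read of size 4 at addr ffff8881c866ed35 by task syz-executor/3932
 dump_stack+0x12f/0x187
 ? ntfs_attr_find+0x9db/0xb00
 kasan_report+0x38/0x50
 __asan_report_load_n_noabort+0xf/0x20
 ntfs_attr_find+0x9db/0xb00
 ntfs_read_inode_mount+0x6c2/0x21b0
 __x64_sys_mount+0x169/0x1c0
Allocated by task 3944:
 getname_flags+0xb8/0x510
 getname+0xd/0x10
 do_sys_openat2+0x23d/0x590
Freed by task 3944:
 putname+0xa8/0xe0
 do_sys_openat2+0x27d/0x590
 which belongs to the cache names_cache of size 4096
The buggy address is located 1397 bytes inside of
 4096-byte region [ffff8881c866e7c0, ffff8881c866f7c0)
>ffff8881c866ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

# Shadow encoding assumed from mm/kasan/kasan.h (5.x generic KASAN); one shadow byte covers 8 bytes.
SHADOW_GRANULE = 8
SHADOW_MEANING = {0x00: "addressable", 0xfb: "freed slab object (KASAN_KMALLOC_FREE)",
                  0xfc: "slab redzone (KASAN_KMALLOC_REDZONE)", 0xff: "freed page (KASAN_FREE_PAGE)"}
MACHINERY = ("dump_stack", "print_address_description", "__kasan_report", "kasan_report",
             "__asan_report", "check_memory_region")   # report plumbing, never the culprit
FRAME_RE = re.compile(r"^\s*(\?)?\s*([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
SHADOW_RE = re.compile(r"^>?\s*([0-9a-f]{16}): ((?:[0-9a-f]{2}\s*){16})$")

@dataclass
class KasanReport:
    bug_type: str
    access: str
    size: int
    addr: int
    pid: int
    stacks: Dict[str, List[str]] = field(default_factory=lambda: {"crash": [], "alloc": [], "free": []})
    owner_pid: Dict[str, int] = field(default_factory=dict)   # "alloc"/"free" -> task that did it
    cache: str = ""
    obj_start: int = 0
    obj_end: int = 0
    stated_offset: int = -1
    shadow: Dict[int, List[int]] = field(default_factory=dict)   # shadow-row base -> 16 values

def parse_report(text: str) -> KasanReport:
    head = re.search(r"BUG: KASAN: ([\w-]+) in \S+\n(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)", text)
    assert head, "not a generic KASAN report"
    rep = KasanReport(head.group(1), head.group(2), int(head.group(3)), int(head.group(4), 16), int(head.group(5)))
    section = "crash"
    for line in text.splitlines():
        if (m := re.match(r"(Allocated|Freed) by task (\d+):", line)):
            section = {"Allocated": "alloc", "Freed": "free"}[m.group(1)]
            rep.owner_pid[section] = int(m.group(2))
        elif (m := re.search(r"cache (\S+) of size \d+", line)):
            rep.cache = m.group(1)
        elif (m := re.search(r"located (\d+) bytes inside", line)):
            rep.stated_offset = int(m.group(1))
        elif (m := re.search(r"region \[([0-9a-f]+), ([0-9a-f]+)\)", line)):
            rep.obj_start, rep.obj_end = int(m.group(1), 16), int(m.group(2), 16)
        elif (m := SHADOW_RE.match(line)):
            rep.shadow[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
        elif (m := FRAME_RE.match(line)) and not m.group(1):   # "?" marks an unreliable frame
            rep.stacks[section].append(m.group(2))
    return rep

def culprit(rep: KasanReport) -> str:
    """First reliable crash frame outside the report machinery: where the bad access happened."""
    return next(f for f in rep.stacks["crash"] if not f.startswith(MACHINERY))

def title(rep: KasanReport) -> str:
    """Dedup key in the shape of a syzbot title: bug class, access kind, culprit function."""
    return f"KASAN: {rep.bug_type} {rep.access} in {culprit(rep)}"

def shadow_state(rep: KasanReport, addr: int) -> str:
    """Decode the shadow byte that covers addr from the 'Memory state' rows."""
    for base, row in rep.shadow.items():
        if base <= addr < base + SHADOW_GRANULE * len(row):
            value = row[(addr - base) // SHADOW_GRANULE]
            return SHADOW_MEANING.get(value, f"unknown shadow value 0x{value:02x}")
    return "address not covered by the dump"

def cross_check(rep: KasanReport) -> Dict[str, bool]:
    """Re-derive what the report asserts, so a truncated or interleaved log does not mislead."""
    return {
        "offset_matches": rep.addr - rep.obj_start == rep.stated_offset,
        "access_inside_object": rep.obj_start <= rep.addr and rep.addr + rep.size <= rep.obj_end,
        "shadow_says_freed": "freed" in shadow_state(rep, rep.addr),
        "owner_is_another_task": rep.owner_pid.get("alloc") == rep.owner_pid.get("free") != rep.pid,
    }

if __name__ == "__main__":
    r = parse_report(REPORT)
    print(title(r), shadow_state(r, r.addr), cross_check(r), sep="\n")
```

Run as a script it prints the title, the decoded shadow state and the four check flags. The flags are what to read first when a report arrives from a busy console: this log already shows ntfs messages from loop2 and loop4 spliced into the middle of the stack trace, and a false offset_matches or access_inside_object is the usual sign that a line from another report or a truncated row was taken as part of this one.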