loop3: detected capacity change from 0 to 4096
==================================================================
BUG: KASAN: use-after-free in ntfs_attr_find+0xc02/0xce0 fs/ntfs/attrib.c:597
Read of size 2 at addr ffff88809ed7e009 by task syz-executor.3/18355

CPU: 1 PID: 18355 Comm: syz-executor.3 Not tainted 6.0.0-syzkaller-07994-ge8bc52cb8df8 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:317 [inline]
 print_report.cold+0x2ba/0x719 mm/kasan/report.c:433
 kasan_report+0xb1/0x1e0 mm/kasan/report.c:495
 ntfs_attr_find+0xc02/0xce0 fs/ntfs/attrib.c:597
 ntfs_attr_lookup+0x1056/0x2070 fs/ntfs/attrib.c:1193
 ntfs_read_locked_inode+0x5b4/0x5ae0 fs/ntfs/inode.c:616
 ntfs_iget+0x12d/0x180 fs/ntfs/inode.c:177
 load_and_init_attrdef fs/ntfs/super.c:1589 [inline]
 load_system_files fs/ntfs/super.c:1817 [inline]
 ntfs_fill_super+0x2ead/0x92d0 fs/ntfs/super.c:2892
 mount_bdev+0x34d/0x410 fs/super.c:1400
 legacy_get_tree+0x105/0x220 fs/fs_context.c:610
 vfs_get_tree+0x89/0x2f0 fs/super.c:1530
 do_new_mount fs/namespace.c:3040 [inline]
 path_mount+0x1326/0x1e20 fs/namespace.c:3370
 do_mount fs/namespace.c:3383 [inline]
 __do_sys_mount fs/namespace.c:3591 [inline]
 __se_sys_mount fs/namespace.c:3568 [inline]
 __x64_sys_mount+0x27f/0x300 fs/namespace.c:3568
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f507148bada
Code: 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f5072663f88 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 00007f507148bada
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f5072663fe0
RBP: 00007f5072664020 R08: 00007f5072664020 R09: 0000000020000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000020000000
R13: 0000000020000100 R14: 00007f5072663fe0 R15: 0000000020077ea0
 </TASK>

The buggy address belongs to the physical page:
page:ffffea00027b5f80 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x9ed7e
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 dead000000000100 dead000000000122 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 18315, tgid 18310 (syz-executor.5), ts 1503719496676, free_ts 1505801218051
 prep_new_page mm/page_alloc.c:2532 [inline]
 get_page_from_freelist+0x109b/0x2ce0 mm/page_alloc.c:4283
 __alloc_pages+0x1c7/0x510 mm/page_alloc.c:5549
 __folio_alloc+0x12/0x40 mm/page_alloc.c:5580
 vma_alloc_folio+0xf9/0x780 mm/mempolicy.c:2231
 alloc_page_vma include/linux/gfp.h:290 [inline]
 wp_page_copy+0xa8d/0x1b10 mm/memory.c:3107
 do_wp_page+0x1d1/0x1910 mm/memory.c:3404
 handle_pte_fault mm/memory.c:4935 [inline]
 __handle_mm_fault+0x1813/0x39b0 mm/memory.c:5059
 handle_mm_fault+0x1c8/0x780 mm/memory.c:5157
 do_user_addr_fault+0x475/0x1210 arch/x86/mm/fault.c:1407
 handle_page_fault arch/x86/mm/fault.c:1498 [inline]
 exc_page_fault+0x94/0x170 arch/x86/mm/fault.c:1554
 asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1449 [inline]
 free_pcp_prepare+0x5e4/0xd20 mm/page_alloc.c:1499
 free_unref_page_prepare mm/page_alloc.c:3380 [inline]
 free_unref_page_list+0x16f/0xb90 mm/page_alloc.c:3522
 release_pages+0xbd3/0x1400 mm/swap.c:1012
 tlb_batch_pages_flush+0xa8/0x1a0 mm/mmu_gather.c:58
 zap_pte_range mm/memory.c:1526 [inline]
 zap_pmd_range mm/memory.c:1575 [inline]
 zap_pud_range mm/memory.c:1604 [inline]
 zap_p4d_range mm/memory.c:1625 [inline]
 unmap_page_range+0x21bb/0x3cc0 mm/memory.c:1646
 unmap_single_vma+0x196/0x360 mm/memory.c:1694
 unmap_vmas+0x18c/0x310 mm/memory.c:1731
 exit_mmap+0x1b8/0x490 mm/mmap.c:3116
 __mmput+0x122/0x4b0 kernel/fork.c:1187
 mmput+0x56/0x60 kernel/fork.c:1208
 exit_mm kernel/exit.c:510 [inline]
 do_exit+0x9e2/0x29b0 kernel/exit.c:782
 do_group_exit+0xd2/0x2f0 kernel/exit.c:925
 get_signal+0x2387/0x2610 kernel/signal.c:2857
 arch_do_signal_or_restart+0x82/0x2300 arch/x86/kernel/signal.c:869
 exit_to_user_mode_loop kernel/entry/common.c:166 [inline]
 exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:201
 __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
 syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:294

Memory state around the buggy address:
 ffff88809ed7df00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88809ed7df80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88809ed7e000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                      ^
 ffff88809ed7e080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88809ed7e100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================