loop3: detected capacity change from 0 to 4096 ================================================================== BUG: KASAN: use-after-free in ntfs_attr_find+0xc02/0xce0 fs/ntfs/attrib.c:597 Read of size 2 at addr ffff88809ed7e009 by task syz-executor.3/18355 CPU: 1 PID: 18355 Comm: syz-executor.3 Not tainted 6.0.0-syzkaller-07994-ge8bc52cb8df8 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:317 [inline] print_report.cold+0x2ba/0x719 mm/kasan/report.c:433 kasan_report+0xb1/0x1e0 mm/kasan/report.c:495 ntfs_attr_find+0xc02/0xce0 fs/ntfs/attrib.c:597 ntfs_attr_lookup+0x1056/0x2070 fs/ntfs/attrib.c:1193 ntfs_read_locked_inode+0x5b4/0x5ae0 fs/ntfs/inode.c:616 ntfs_iget+0x12d/0x180 fs/ntfs/inode.c:177 load_and_init_attrdef fs/ntfs/super.c:1589 [inline] load_system_files fs/ntfs/super.c:1817 [inline] ntfs_fill_super+0x2ead/0x92d0 fs/ntfs/super.c:2892 mount_bdev+0x34d/0x410 fs/super.c:1400 legacy_get_tree+0x105/0x220 fs/fs_context.c:610 vfs_get_tree+0x89/0x2f0 fs/super.c:1530 do_new_mount fs/namespace.c:3040 [inline] path_mount+0x1326/0x1e20 fs/namespace.c:3370 do_mount fs/namespace.c:3383 [inline] __do_sys_mount fs/namespace.c:3591 [inline] __se_sys_mount fs/namespace.c:3568 [inline] __x64_sys_mount+0x27f/0x300 fs/namespace.c:3568 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f507148bada Code: 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f5072663f88 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 00007f507148bada RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f5072663fe0 RBP: 00007f5072664020 R08: 00007f5072664020 R09: 0000000020000000 R10: 0000000000000000 R11: 0000000000000202 R12: 0000000020000000 R13: 0000000020000100 R14: 00007f5072663fe0 R15: 0000000020077ea0 The buggy address belongs to the physical page: page:ffffea00027b5f80 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x9ed7e flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000100 dead000000000122 0000000000000000 raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 18315, tgid 18310 (syz-executor.5), ts 1503719496676, free_ts 1505801218051 prep_new_page mm/page_alloc.c:2532 [inline] get_page_from_freelist+0x109b/0x2ce0 mm/page_alloc.c:4283 __alloc_pages+0x1c7/0x510 mm/page_alloc.c:5549 __folio_alloc+0x12/0x40 mm/page_alloc.c:5580 vma_alloc_folio+0xf9/0x780 mm/mempolicy.c:2231 alloc_page_vma include/linux/gfp.h:290 [inline] wp_page_copy+0xa8d/0x1b10 mm/memory.c:3107 do_wp_page+0x1d1/0x1910 mm/memory.c:3404 handle_pte_fault mm/memory.c:4935 [inline] __handle_mm_fault+0x1813/0x39b0 mm/memory.c:5059 handle_mm_fault+0x1c8/0x780 mm/memory.c:5157 do_user_addr_fault+0x475/0x1210 arch/x86/mm/fault.c:1407 handle_page_fault arch/x86/mm/fault.c:1498 [inline] exc_page_fault+0x94/0x170 arch/x86/mm/fault.c:1554 asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1449 [inline] free_pcp_prepare+0x5e4/0xd20 mm/page_alloc.c:1499 free_unref_page_prepare mm/page_alloc.c:3380 [inline] free_unref_page_list+0x16f/0xb90 mm/page_alloc.c:3522 release_pages+0xbd3/0x1400 mm/swap.c:1012 tlb_batch_pages_flush+0xa8/0x1a0 mm/mmu_gather.c:58 zap_pte_range mm/memory.c:1526 [inline] zap_pmd_range mm/memory.c:1575 [inline] zap_pud_range mm/memory.c:1604 [inline] zap_p4d_range mm/memory.c:1625 [inline] unmap_page_range+0x21bb/0x3cc0 mm/memory.c:1646 unmap_single_vma+0x196/0x360 mm/memory.c:1694 unmap_vmas+0x18c/0x310 mm/memory.c:1731 exit_mmap+0x1b8/0x490 mm/mmap.c:3116 __mmput+0x122/0x4b0 kernel/fork.c:1187 mmput+0x56/0x60 kernel/fork.c:1208 exit_mm kernel/exit.c:510 [inline] do_exit+0x9e2/0x29b0 kernel/exit.c:782 do_group_exit+0xd2/0x2f0 kernel/exit.c:925 get_signal+0x2387/0x2610 kernel/signal.c:2857 arch_do_signal_or_restart+0x82/0x2300 arch/x86/kernel/signal.c:869 exit_to_user_mode_loop kernel/entry/common.c:166 [inline] exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:201 __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline] syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:294 Memory state around the buggy address: ffff88809ed7df00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88809ed7df80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff88809ed7e000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88809ed7e080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88809ed7e100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ==================================================================