kernel BUG at fs/reiserfs/journal.c:LINE!

kernel BUG at fs/reiserfs/journal.c:LINE!
Status: upstream: reported syz repro on 2018/03/31 15:55
Reported-by: syzbot+6820505ae5978f4f8f2f@syzkaller.appspotmail.com
First crash: 833d, last: 50d

Cause bisection: the bug happens on the oldest tested release
Crash: no output from test machine (log)
Repro: syz .config

Sample crash report:

REISERFS (device loop4): using ordered data mode
reiserfs: using flush barriers
REISERFS (device loop2): found reiserfs format "3.5" with non-standard journal
REISERFS (device loop7): found reiserfs format "3.5" with non-standard journal
------------[ cut here ]------------
kernel BUG at fs/reiserfs/journal.c:3640!
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
REISERFS (device loop7): using ordered data mode
CPU: 0 PID: 4612 Comm: syz-executor1 Not tainted 4.17.0-rc1+ #8
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:check_journal_end fs/reiserfs/journal.c:3640 [inline]
RIP: 0010:do_journal_end+0x3cfd/0x5110 fs/reiserfs/journal.c:4037
RSP: 0018:ffff8801d8667160 EFLAGS: 00010293
reiserfs: using flush barriers
RAX: ffff8801d8b340c0 RBX: ffffc9000238c000 RCX: ffffffff81fc831c
RDX: 0000000000000000 RSI: ffffffff81fcb84d RDI: 0000000000000007
RBP: ffff8801d8667728 R08: ffff8801d8b340c0 R09: fffff5200047180b
REISERFS (device loop7): journal params: device loop7, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
R10: fffff5200047180b R11: ffffc9000238c05b R12: 0000000000000000
R13: ffffc9000238c058 R14: 0000000000000000 R15: ffff8801d86679e0
FS:  00007fbe538ef700(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004ba7ee CR3: 00000001d9bab000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
REISERFS (device loop7): checking transaction log (loop7)
Call Trace:
init_special_inode: bogus i_mode (0) for inode loop7:2
REISERFS warning (device loop7): vs-13075 reiserfs_read_locked_inode: dead inode read from disk [1 2 0x0 SD]. This is likely to be race with knfsd. Ignore
REISERFS (device loop7): Using r5 hash to sort names
REISERFS (device loop7): using 3.5.x disk format
REISERFS (device loop2): using ordered data mode
reiserfs: using flush barriers
REISERFS (device loop5): found reiserfs format "3.5" with non-standard journal
REISERFS (device loop4): journal params: device loop4, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
 journal_end+0x25f/0x2f0 fs/reiserfs/journal.c:3409
 reiserfs_fill_super+0x2732/0x3900 fs/reiserfs/super.c:2168
REISERFS (device loop5): using ordered data mode
reiserfs: using flush barriers
REISERFS (device loop4): checking transaction log (loop4)
 mount_bdev+0x30c/0x3e0 fs/super.c:1165
init_special_inode: bogus i_mode (0) for inode loop4:2
 get_super_block+0x34/0x40 fs/reiserfs/super.c:2605
 mount_fs+0xae/0x328 fs/super.c:1268
 vfs_kern_mount.part.34+0xd4/0x4d0 fs/namespace.c:1037
REISERFS warning (device loop4): vs-13075 reiserfs_read_locked_inode: dead inode read from disk [1 2 0x0 SD]. This is likely to be race with knfsd. Ignore
 vfs_kern_mount fs/namespace.c:1027 [inline]
 do_new_mount fs/namespace.c:2517 [inline]
 do_mount+0x564/0x3070 fs/namespace.c:2847
REISERFS (device loop4): Using r5 hash to sort names
REISERFS (device loop5): journal params: device loop5, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
 ksys_mount+0x12d/0x140 fs/namespace.c:3063
 __do_sys_mount fs/namespace.c:3077 [inline]
 __se_sys_mount fs/namespace.c:3074 [inline]
 __x64_sys_mount+0xbe/0x150 fs/namespace.c:3074
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
REISERFS (device loop5): checking transaction log (loop5)
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457daa
REISERFS (device loop4): using 3.5.x disk format
RSP: 002b:00007fbe538eeba8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000020000000 RCX: 0000000000457daa
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fbe538eebf0
RBP: 0000000000000014 R08: 0000000020013900 R09: 0000000020000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003
R13: 0000000000000014 R14: 00000000006fcc58 R15: 0000000000000000
Code: e8 
init_special_inode: bogus i_mode (0) for inode loop5:2
09 ed fe ff e9 e4 f8 ff ff e8 ef 77 7c ff 0f 0b e8 e8 77 7c ff 0f 0b e8 e1 77 7c ff 0f 
REISERFS warning (device loop5): vs-13075 reiserfs_read_locked_inode: dead inode read from disk [1 2 0x0 SD]. This is likely to be race with knfsd. Ignore
0b e8 da 
REISERFS (device loop5): Using r5 hash to sort names
77 7c ff 0f 0b e8 d3 77 7c ff <0f> 0b e8 cc 77 7c ff 0f 0b e8 c5 
REISERFS (device loop5): using 3.5.x disk format
77 7c ff 0f 0b e8 be 77 7c ff 
RIP: check_journal_end fs/reiserfs/journal.c:3640 [inline] RSP: ffff8801d8667160
RIP: do_journal_end+0x3cfd/0x5110 fs/reiserfs/journal.c:4037 RSP: ffff8801d8667160
---[ end trace 3847d80045300073 ]---
REISERFS (device loop2): journal params: device loop2, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30

Fix bisection attempts:
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro
ci-upstream-kasan-gce-root	2020/05/21 04:58	upstream	b85051e7	cc402841	.config	log	report	syz
ci-upstream-kasan-gce-root	2020/04/21 04:39	upstream	ae83d0b4	cc402841	.config	log	report	syz
ci-upstream-kasan-gce-root	2020/03/22 04:22	upstream	b74b991f	cc402841	.config	log	report	syz
ci-upstream-kasan-gce-root	2020/01/27 21:16	upstream	34dabd81	cc402841	.config	log	report	syz
ci-upstream-kasan-gce-root	2019/12/18 10:05	upstream	2187f215	cc402841	.config	log	report	syz
ci-upstream-kasan-gce-root	2019/10/27 14:44	upstream	9dd23268	8fbce0e4	.config	log	report	syz
ci-upstream-kasan-gce-root	2019/09/27 14:25	upstream	9dd23268	8fbce0e4	.config	log	report	syz
ci-upstream-kasan-gce-root	2019/08/17 16:27	upstream	9dd23268	8fbce0e4	.config	log	report	syz

Crashes (8):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	Maintainers
ci-upstream-kasan-gce-root	2018/04/20 14:06	upstream	87ef1202	cc402841	.config	log	report	syz	akpm@linux-foundation.org, colin.king@canonical.com, dhowells@redhat.com, gregkh@linuxfoundation.org, jack@suse.cz, jeffm@suse.com, linux-kernel@vger.kernel.org, mingo@kernel.org, reiserfs-devel@vger.kernel.org, tglx@linutronix.de
ci-upstream-kasan-gce-root	2018/04/19 14:28	upstream	87ef1202	3642839c	.config	log	report	syz	akpm@linux-foundation.org, colin.king@canonical.com, dhowells@redhat.com, jack@suse.cz, jeffm@suse.com, kstewart@linuxfoundation.org, linux-kernel@vger.kernel.org, mingo@kernel.org, reiserfs-devel@vger.kernel.org
ci-upstream-kasan-gce-root	2018/04/03 11:58	upstream	642e7fd2	676bd07e	.config	log	report	syz	colin.king@canonical.com, dhowells@redhat.com, gregkh@linuxfoundation.org, jack@suse.cz, linux-kernel@vger.kernel.org, mingo@kernel.org, reiserfs-devel@vger.kernel.org, tglx@linutronix.de
ci-upstream-kasan-gce-root	2018/04/03 04:53	upstream	86bbbeba	676bd07e	.config	log	report	syz	colin.king@canonical.com, dhowells@redhat.com, gregkh@linuxfoundation.org, jack@suse.cz, linux-kernel@vger.kernel.org, mingo@kernel.org, pombredanne@nexb.com, reiserfs-devel@vger.kernel.org
ci-upstream-kasan-gce-root	2018/04/02 22:45	upstream	86bbbeba	676bd07e	.config	log	report	syz	colin.king@canonical.com, dhowells@redhat.com, gregkh@linuxfoundation.org, jack@suse.cz, kstewart@linuxfoundation.org, linux-kernel@vger.kernel.org, mingo@kernel.org, pombredanne@nexb.com, reiserfs-devel@vger.kernel.org
ci-upstream-kasan-gce-root	2018/04/02 20:40	upstream	86bbbeba	676bd07e	.config	log	report	syz	colin.king@canonical.com, dhowells@redhat.com, gregkh@linuxfoundation.org, jack@suse.cz, linux-kernel@vger.kernel.org, mingo@kernel.org, pombredanne@nexb.com, reiserfs-devel@vger.kernel.org, tglx@linutronix.de
ci-upstream-kasan-gce-root	2018/04/01 21:29	upstream	10b84dad	dc889257	.config	log	report	syz	colin.king@canonical.com, dhowells@redhat.com, gregkh@linuxfoundation.org, jack@suse.cz, linux-kernel@vger.kernel.org, mingo@kernel.org, reiserfs-devel@vger.kernel.org, tglx@linutronix.de
ci-upstream-kasan-gce-root	2018/03/30 20:38	upstream	9dd23268	8fbce0e4	.config	log	report	syz	colin.king@canonical.com, dhowells@redhat.com, gregkh@linuxfoundation.org, jack@suse.cz, linux-kernel@vger.kernel.org, mingo@kernel.org, reiserfs-devel@vger.kernel.org