[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.102' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 27.420165] REISERFS (device loop0): found reiserfs format "3.5" with non-standard journal
[ 27.428872] REISERFS (device loop0): using ordered data mode
[ 27.442318] reiserfs: using flush barriers
[ 27.447215] REISERFS (device loop0): journal params: device loop0, size 15748, journal first block 18, max trans len 1024, max batch 900, max commit age 0, max trans age 30
executing program
[ 27.464980] REISERFS (device loop0): checking transaction log (loop0)
[ 27.473421] REISERFS (device loop0): Using r5 hash to sort names
[ 27.479734] REISERFS (device loop0): using 3.5.x disk format
[ 27.486493] REISERFS warning (device loop0): jdm-20006 create_privroot: xattrs/ACLs enabled and couldn't find/create .reiserfs_priv. Failing mount.
[ 27.554619] REISERFS (device loop0): found reiserfs format "3.5" with non-standard journal
[ 27.563349] REISERFS (device loop0): using ordered data mode
[ 27.569148] reiserfs: using flush barriers
[ 27.574925] REISERFS (device loop0): journal params: device loop0, size 15748, journal first block 18, max trans len 1024, max batch 900, max commit age 0, max trans age 30
[ 27.592173] REISERFS (device loop0): checking transaction log (loop0)
[ 27.599337] REISERFS (device loop0): Using r5 hash to sort names
[ 27.605555] REISERFS (device loop0): using 3.5.x disk format
[ 27.611575] ==================================================================
[ 27.619042] BUG: KASAN: use-after-free in search_by_entry_key+0xc7e/0xf50
[ 27.625949] Read of size 4 at addr ffff88808e567014 by task syz-executor265/7986
[ 27.633530]
[ 27.635139] CPU: 0 PID: 7986 Comm: syz-executor265 Not tainted 4.14.282-syzkaller #0
[ 27.642994] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.652325] Call Trace:
[ 27.654893] dump_stack+0x1b2/0x281
[ 27.658507] print_address_description.cold+0x54/0x1d3
[ 27.663763] kasan_report_error.cold+0x8a/0x191
[ 27.668428] ? search_by_entry_key+0xc7e/0xf50
[ 27.672987] __asan_report_load_n_noabort+0x6b/0x80
[ 27.677980] ? search_by_entry_key+0xc7e/0xf50
[ 27.682554] search_by_entry_key+0xc7e/0xf50
[ 27.686955] ? make_cpu_key+0x22/0x2a0
[ 27.690818] reiserfs_find_entry.part.0+0x138/0x11e0
[ 27.696168] ? reiserfs_write_lock+0x75/0xf0
[ 27.700575] ? mount_bdev+0x2b3/0x360
[ 27.704366] ? mount_fs+0x92/0x2a0
[ 27.707991] ? __ww_mutex_wakeup_for_backoff+0x210/0x210
[ 27.713428] ? lock_acquire+0xb0/0x3f0
[ 27.717315] ? search_by_entry_key+0xf50/0xf50
[ 27.721880] reiserfs_lookup+0x1fd/0x400
[ 27.725918] ? reiserfs_unlink+0x6a0/0x6a0
[ 27.730136] ? fs_reclaim_release+0xd0/0x110
[ 27.734526] ? __d_alloc+0x2a/0xa20
[ 27.738143] ? d_alloc+0x1c7/0x240
[ 27.741666] ? _raw_spin_unlock+0x29/0x40
[ 27.745791] ? d_alloc+0x1cc/0x240
[ 27.749310] __lookup_hash+0x1bb/0x270
[ 27.753173] ? __inode_permission+0xcd/0x2f0
[ 27.757555] lookup_one_len+0x279/0x3a0
[ 27.761513] ? lookup_one_len_unlocked+0x410/0x410
[ 27.766428] reiserfs_lookup_privroot+0x92/0x270
[ 27.771175] reiserfs_fill_super+0x1d0c/0x2980
[ 27.775734] ? reiserfs_remount+0x1390/0x1390
[ 27.780233] ? lock_downgrade+0x740/0x740
[ 27.784450] ? snprintf+0xa5/0xd0
[ 27.787903] mount_bdev+0x2b3/0x360
[ 27.791505] ? reiserfs_remount+0x1390/0x1390
[ 27.795984] mount_fs+0x92/0x2a0
[ 27.799329] vfs_kern_mount.part.0+0x5b/0x470
[ 27.803825] do_mount+0xe65/0x2a30
[ 27.807362] ? do_raw_spin_unlock+0x164/0x220
[ 27.811837] ? copy_mount_string+0x40/0x40
[ 27.816049] ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 27.821043] ? copy_mnt_ns+0xa30/0xa30
[ 27.824907] ? copy_mount_options+0x1fa/0x2f0
[ 27.829395] ? copy_mnt_ns+0xa30/0xa30
[ 27.833271] SyS_mount+0xa8/0x120
[ 27.836705] ? copy_mnt_ns+0xa30/0xa30
[ 27.840572] do_syscall_64+0x1d5/0x640
[ 27.844481] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 27.849653] RIP: 0033:0x7efc74892c8a
[ 27.853529] RSP: 002b:00007ffce89740d8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 27.861214] RAX: ffffffffffffffda RBX: 00007ffce8974130 RCX: 00007efc74892c8a
[ 27.868481] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffce89740f0
[ 27.875738] RBP: 00007ffce89740f0 R08: 00007ffce8974130 R09: 0000000000000000
[ 27.882988] R10: 0000000000000000 R11: 0000000000000286 R12: 00000000200000a0
[ 27.892134] R13: 0000000000000003 R14: 0000000000000004 R15: 0000000000000004
[ 27.899405]
[ 27.901009] The buggy address belongs to the page:
[ 27.905922] page:ffffea00023959c0 count:0 mapcount:0 mapping: (null) index:0x1
[ 27.914046] flags: 0xfff00000000000()
[ 27.917827] raw: 00fff00000000000 0000000000000000 0000000000000001 00000000ffffffff
[ 27.925682] raw: ffffea00023907a0 ffff8880ba437b48 0000000000000000 0000000000000000
[ 27.933548] page dumped because: kasan: bad access detected
[ 27.939232]
[ 27.940834] Memory state around the buggy address:
[ 27.945738] ffff88808e566f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 27.953108] ffff88808e566f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 27.960444] >ffff88808e567000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 27.967777] ^
[ 27.971640] ffff88808e567080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 27.978974] ffff88808e567100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 27.986307] ==================================================================
[ 27.993638] Disabling lock debugging due to kernel taint
[ 27.999335] Kernel panic - not syncing: panic_on_warn set ...
[ 27.999335]
[ 28.006690] CPU: 0 PID: 7986 Comm: syz-executor265 Tainted: G B 4.14.282-syzkaller #0
[ 28.015773] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.025114] Call Trace:
[ 28.027677] dump_stack+0x1b2/0x281
[ 28.031280] panic+0x1f9/0x42d
[ 28.034449] ? add_taint.cold+0x16/0x16
[ 28.038399] ? ___preempt_schedule+0x16/0x18
[ 28.042787] kasan_end_report+0x43/0x49
[ 28.046735] kasan_report_error.cold+0xa7/0x191
[ 28.051393] ? search_by_entry_key+0xc7e/0xf50
[ 28.055950] __asan_report_load_n_noabort+0x6b/0x80
[ 28.060954] ? search_by_entry_key+0xc7e/0xf50
[ 28.065508] search_by_entry_key+0xc7e/0xf50
[ 28.069893] ? make_cpu_key+0x22/0x2a0
[ 28.073843] reiserfs_find_entry.part.0+0x138/0x11e0
[ 28.078922] ? reiserfs_write_lock+0x75/0xf0
[ 28.083301] ? mount_bdev+0x2b3/0x360
[ 28.087075] ? mount_fs+0x92/0x2a0
[ 28.090591] ? __ww_mutex_wakeup_for_backoff+0x210/0x210
[ 28.096019] ? lock_acquire+0xb0/0x3f0
[ 28.099880] ? search_by_entry_key+0xf50/0xf50
[ 28.104441] reiserfs_lookup+0x1fd/0x400
[ 28.108477] ? reiserfs_unlink+0x6a0/0x6a0
[ 28.112686] ? fs_reclaim_release+0xd0/0x110
[ 28.117068] ? __d_alloc+0x2a/0xa20
[ 28.120665] ? d_alloc+0x1c7/0x240
[ 28.124181] ? _raw_spin_unlock+0x29/0x40
[ 28.128301] ? d_alloc+0x1cc/0x240
[ 28.131819] __lookup_hash+0x1bb/0x270
[ 28.135684] ? __inode_permission+0xcd/0x2f0
[ 28.140066] lookup_one_len+0x279/0x3a0
[ 28.144031] ? lookup_one_len_unlocked+0x410/0x410
[ 28.148953] reiserfs_lookup_privroot+0x92/0x270
[ 28.153683] reiserfs_fill_super+0x1d0c/0x2980
[ 28.158253] ? reiserfs_remount+0x1390/0x1390
[ 28.162729] ? lock_downgrade+0x740/0x740
[ 28.166850] ? snprintf+0xa5/0xd0
[ 28.170277] mount_bdev+0x2b3/0x360
[ 28.173896] ? reiserfs_remount+0x1390/0x1390
[ 28.178381] mount_fs+0x92/0x2a0
[ 28.181728] vfs_kern_mount.part.0+0x5b/0x470
[ 28.186197] do_mount+0xe65/0x2a30
[ 28.189886] ? do_raw_spin_unlock+0x164/0x220
[ 28.194355] ? copy_mount_string+0x40/0x40
[ 28.198563] ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 28.203567] ? copy_mnt_ns+0xa30/0xa30
[ 28.207426] ? copy_mount_options+0x1fa/0x2f0
[ 28.211911] ? copy_mnt_ns+0xa30/0xa30
[ 28.215798] SyS_mount+0xa8/0x120
[ 28.219238] ? copy_mnt_ns+0xa30/0xa30
[ 28.223120] do_syscall_64+0x1d5/0x640
[ 28.226986] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 28.232153] RIP: 0033:0x7efc74892c8a
[ 28.235836] RSP: 002b:00007ffce89740d8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 28.243518] RAX: ffffffffffffffda RBX: 00007ffce8974130 RCX: 00007efc74892c8a
[ 28.250776] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffce89740f0
[ 28.258021] RBP: 00007ffce89740f0 R08: 00007ffce8974130 R09: 0000000000000000
[ 28.265287] R10: 0000000000000000 R11: 0000000000000286 R12: 00000000200000a0
[ 28.272530] R13: 0000000000000003 R14: 0000000000000004 R15: 0000000000000004
[ 28.279942] Kernel Offset: disabled
[ 28.283547] Rebooting in 86400 seconds..