[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.1.110' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 40.734118] REISERFS (device loop0): found reiserfs format "3.5" with non-standard journal
[ 40.753821] REISERFS (device loop0): using ordered data mode
[ 40.759888] reiserfs: using flush barriers
[ 40.767269] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
[ 40.783613] REISERFS (device loop0): checking transaction log (loop0)
[ 40.792344] REISERFS (device loop0): Using r5 hash to sort names
[ 40.799712] REISERFS warning: reiserfs-5093 is_leaf: item entry count seems wrong *3.5*[2 1 0(1) DIR], item_len 35, item_location 3985, free_space(entry_count) 2
[ 40.814650] REISERFS error (device loop0): vs-5150 search_by_key: invalid format found in block 531. Fsck?
[ 40.824971] REISERFS (device loop0): Remounting filesystem read-only
[ 40.831484] REISERFS error (device loop0): vs-13050 reiserfs_update_sd_size: i/o failure occurred trying to update [2 1 0x0 SD] stat data
[ 40.844322] REISERFS warning: reiserfs-5093 is_leaf: item entry count seems wrong *3.5*[2 1 0(1) DIR], item_len 35, item_location 3985, free_space(entry_count) 2
[ 40.858986] REISERFS error (device loop0): vs-5150 search_by_key: invalid format found in block 531. Fsck?
[ 40.868854] REISERFS error (device loop0): zam-7001 reiserfs_find_entry: io error
[ 40.876584] REISERFS warning: reiserfs-5093 is_leaf: item entry count seems wrong *3.5*[2 1 0(1) DIR], item_len 35, item_location 3985, free_space(entry_count) 2
[ 40.891248] REISERFS error (device loop0): vs-5150 search_by_key: invalid format found in block 531. Fsck?
[ 40.901156] REISERFS error (device loop0): vs-13050 reiserfs_update_sd_size: i/o failure occurred trying to update [2 1 0x0 SD] stat data
[ 40.914369] REISERFS warning (device loop0): jdm-20006 create_privroot: xattrs/ACLs enabled and couldn't find/create .reiserfs_priv. Failing mount.
executing program
[ 41.020031] REISERFS (device loop0): found reiserfs format "3.5" with non-standard journal
[ 41.031048] REISERFS (device loop0): using ordered data mode
[ 41.037886] reiserfs: using flush barriers
[ 41.043031] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
[ 41.061200] REISERFS (device loop0): checking transaction log (loop0)
[ 41.069527] REISERFS (device loop0): Using r5 hash to sort names
[ 41.076522] ==================================================================
[ 41.084038] BUG: KASAN: use-after-free in search_by_entry_key+0xc7e/0xf50
[ 41.090978] Read of size 4 at addr ffff88808b3f4004 by task syz-executor287/7975
[ 41.098503]
[ 41.100133] CPU: 1 PID: 7975 Comm: syz-executor287 Not tainted 4.14.302-syzkaller #0
[ 41.108006] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 41.117353] Call Trace:
[ 41.119948] dump_stack+0x1b2/0x281
[ 41.123575] print_address_description.cold+0x54/0x1d3
[ 41.128852] kasan_report_error.cold+0x8a/0x191
[ 41.135690] ? search_by_entry_key+0xc7e/0xf50
[ 41.140285] __asan_report_load_n_noabort+0x6b/0x80
[ 41.145304] ? search_by_entry_key+0xc7e/0xf50
[ 41.150402] search_by_entry_key+0xc7e/0xf50
[ 41.154808] ? make_cpu_key+0x22/0x2a0
[ 41.158685] reiserfs_find_entry.part.0+0x138/0x11e0
[ 41.163783] ? reiserfs_write_lock+0x75/0xf0
[ 41.168180] ? mount_bdev+0x2b3/0x360
[ 41.171964] ? mount_fs+0x92/0x2a0
[ 41.175516] ? __ww_mutex_wakeup_for_backoff+0x210/0x210
[ 41.180972] ? lock_acquire+0x80/0x3f0
[ 41.184858] ? search_by_entry_key+0xf50/0xf50
[ 41.189441] reiserfs_lookup+0x1fd/0x400
[ 41.193499] ? reiserfs_unlink+0x6a0/0x6a0
[ 41.197726] ? fs_reclaim_release+0xd0/0x110
[ 41.202162] ? __d_alloc+0x2a/0xa20
[ 41.205796] ? d_alloc+0x1c7/0x240
[ 41.209612] ? _raw_spin_unlock+0x29/0x40
[ 41.213850] ? d_alloc+0x1cc/0x240
[ 41.217391] __lookup_hash+0x1bb/0x270
[ 41.221272] ? __inode_permission+0xcd/0x2f0
[ 41.225765] lookup_one_len+0x279/0x3a0
[ 41.229740] ? lookup_one_len_unlocked+0x410/0x410
[ 41.234675] reiserfs_lookup_privroot+0x92/0x270
[ 41.239450] reiserfs_fill_super+0x1d12/0x2990
[ 41.244284] ? reiserfs_remount+0x1390/0x1390
[ 41.250127] ? lock_downgrade+0x740/0x740
[ 41.254290] ? snprintf+0xa5/0xd0
[ 41.257747] mount_bdev+0x2b3/0x360
[ 41.261369] ? reiserfs_remount+0x1390/0x1390
[ 41.265853] mount_fs+0x92/0x2a0
[ 41.269230] vfs_kern_mount.part.0+0x5b/0x470
[ 41.273720] do_mount+0xe65/0x2a30
[ 41.277265] ? copy_mount_string+0x40/0x40
[ 41.281898] ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 41.287192] ? copy_mnt_ns+0xa30/0xa30
[ 41.291079] ? copy_mount_options+0x1fa/0x2f0
[ 41.295580] ? copy_mnt_ns+0xa30/0xa30
[ 41.299464] SyS_mount+0xa8/0x120
[ 41.303053] ? copy_mnt_ns+0xa30/0xa30
[ 41.307082] do_syscall_64+0x1d5/0x640
[ 41.311276] entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 41.316909] RIP: 0033:0x7ff59ac1a92a
[ 41.320774] RSP: 002b:00007fffbc524d88 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 41.328749] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007ff59ac1a92a
[ 41.336167] RDX: 0000000020000000 RSI: 0000000020000040 RDI: 00007fffbc524da0
[ 41.343453] RBP: 00007fffbc524da0 R08: 00007fffbc524de0 R09: 0000000000000000
[ 41.350867] R10: 0000000000208000 R11: 0000000000000286 R12: 0000000000000004
[ 41.358142] R13: 000055555712c2c0 R14: 0000000000208000 R15: 00007fffbc524de0
[ 41.365670]
[ 41.367309] The buggy address belongs to the page:
[ 41.372245] page:ffffea00022cfd00 count:0 mapcount:0 mapping: (null) index:0x1
[ 41.380471] flags: 0xfff00000000000()
[ 41.384281] raw: 00fff00000000000 0000000000000000 0000000000000001 00000000ffffffff
[ 41.392180] raw: ffffea00022cfd60 ffffea00023b7560 0000000000000000 0000000000000000
[ 41.400065] page dumped because: kasan: bad access detected
[ 41.405770]
[ 41.407395] Memory state around the buggy address:
[ 41.412316] ffff88808b3f3f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 41.419888] ffff88808b3f3f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 41.427327] >ffff88808b3f4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 41.434706] ^
[ 41.438939] ffff88808b3f4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 41.446295] ffff88808b3f4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 41.454100] ==================================================================
[ 41.461462] Disabling lock debugging due to kernel taint
[ 41.474383] Kernel panic - not syncing: panic_on_warn set ...
[ 41.474383]
[ 41.481781] CPU: 0 PID: 7975 Comm: syz-executor287 Tainted: G B 4.14.302-syzkaller #0
[ 41.491347] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 41.500718] Call Trace:
[ 41.503340] dump_stack+0x1b2/0x281
[ 41.506967] panic+0x1f9/0x42d
[ 41.510152] ? add_taint.cold+0x16/0x16
[ 41.514128] ? ___preempt_schedule+0x16/0x18
[ 41.518530] kasan_end_report+0x43/0x49
[ 41.522494] kasan_report_error.cold+0xa7/0x191
[ 41.527347] ? search_by_entry_key+0xc7e/0xf50
[ 41.531948] __asan_report_load_n_noabort+0x6b/0x80
[ 41.537115] ? search_by_entry_key+0xc7e/0xf50
[ 41.541837] search_by_entry_key+0xc7e/0xf50
[ 41.546249] ? make_cpu_key+0x22/0x2a0
[ 41.550135] reiserfs_find_entry.part.0+0x138/0x11e0
[ 41.555252] ? reiserfs_write_lock+0x75/0xf0
[ 41.559651] ? mount_bdev+0x2b3/0x360
[ 41.563441] ? mount_fs+0x92/0x2a0
[ 41.567149] ? __ww_mutex_wakeup_for_backoff+0x210/0x210
[ 41.572589] ? lock_acquire+0x80/0x3f0
[ 41.576469] ? search_by_entry_key+0xf50/0xf50
[ 41.581045] reiserfs_lookup+0x1fd/0x400
[ 41.585104] ? reiserfs_unlink+0x6a0/0x6a0
[ 41.589331] ? fs_reclaim_release+0xd0/0x110
[ 41.593843] ? __d_alloc+0x2a/0xa20
[ 41.597461] ? d_alloc+0x1c7/0x240
[ 41.600999] ? _raw_spin_unlock+0x29/0x40
[ 41.605137] ? d_alloc+0x1cc/0x240
[ 41.608683] __lookup_hash+0x1bb/0x270
[ 41.612572] ? __inode_permission+0xcd/0x2f0
[ 41.616977] lookup_one_len+0x279/0x3a0
[ 41.620961] ? lookup_one_len_unlocked+0x410/0x410
[ 41.625884] reiserfs_lookup_privroot+0x92/0x270
[ 41.630632] reiserfs_fill_super+0x1d12/0x2990
[ 41.635211] ? reiserfs_remount+0x1390/0x1390
[ 41.639699] ? lock_downgrade+0x740/0x740
[ 41.643852] ? snprintf+0xa5/0xd0
[ 41.647305] mount_bdev+0x2b3/0x360
[ 41.650929] ? reiserfs_remount+0x1390/0x1390
[ 41.655410] mount_fs+0x92/0x2a0
[ 41.658763] vfs_kern_mount.part.0+0x5b/0x470
[ 41.663261] do_mount+0xe65/0x2a30
[ 41.666813] ? copy_mount_string+0x40/0x40
[ 41.671047] ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 41.676062] ? copy_mnt_ns+0xa30/0xa30
[ 41.679945] ? copy_mount_options+0x1fa/0x2f0
[ 41.684433] ? copy_mnt_ns+0xa30/0xa30
[ 41.688338] SyS_mount+0xa8/0x120
[ 41.691802] ? copy_mnt_ns+0xa30/0xa30
[ 41.695684] do_syscall_64+0x1d5/0x640
[ 41.699596] entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 41.704781] RIP: 0033:0x7ff59ac1a92a
[ 41.708484] RSP: 002b:00007fffbc524d88 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 41.716186] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007ff59ac1a92a
[ 41.723533] RDX: 0000000020000000 RSI: 0000000020000040 RDI: 00007fffbc524da0
[ 41.730802] RBP: 00007fffbc524da0 R08: 00007fffbc524de0 R09: 0000000000000000
[ 41.738078] R10: 0000000000208000 R11: 0000000000000286 R12: 0000000000000004
[ 41.745340] R13: 000055555712c2c0 R14: 0000000000208000 R15: 00007fffbc524de0
[ 41.752685] Kernel Offset: disabled
[ 41.756308] Rebooting in 86400 seconds..