./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1758350483 <...> Warning: Permanently added '10.128.1.159' (ED25519) to the list of known hosts. execve("./syz-executor1758350483", ["./syz-executor1758350483"], 0x7ffdd7081c20 /* 10 vars */) = 0 brk(NULL) = 0x555556307000 brk(0x555556307d00) = 0x555556307d00 arch_prctl(ARCH_SET_FS, 0x555556307380) = 0 set_tid_address(0x555556307650) = 5065 set_robust_list(0x555556307660, 24) = 0 rseq(0x555556307ca0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor1758350483", 4096) = 28 getrandom("\x8b\x8c\x4e\x57\xc1\x38\x78\x93", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x555556307d00 brk(0x555556328d00) = 0x555556328d00 brk(0x555556329000) = 0x555556329000 mprotect(0x7f7cc319b000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 mkdir("./syzkaller.ReHP6C", 0700) = 0 chmod("./syzkaller.ReHP6C", 0777) = 0 chdir("./syzkaller.ReHP6C") = 0 mkdir("./0", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5067 attached , child_tidptr=0x555556307650) = 5067 [pid 5067] set_robust_list(0x555556307660, 24) = 0 [pid 5067] chdir("./0") = 0 [pid 5067] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5067] setpgid(0, 0) = 0 [pid 5067] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5067] write(3, "1000", 4) = 4 [pid 5067] close(3) = 0 [pid 5067] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5067] memfd_create("syzkaller", 0) = 3 [pid 5067] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7cbace7000 [pid 5067] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4194304) = 4194304 [pid 5067] munmap(0x7f7cbace7000, 138412032) = 0 [pid 5067] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5067] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5067] close(3) = 0 [pid 5067] mkdir("./file2", 0777) = 0 [ 54.588631][ T5067] loop0: detected capacity change from 0 to 8192 [ 54.604224][ T5067] REISERFS warning: read_super_block: reiserfs filesystem is deprecated and scheduled to be removed from the kernel in 2025 [ 54.617304][ T5067] REISERFS (device loop0): found reiserfs format "3.5" with non-standard journal [ 54.626870][ T5067] REISERFS (device loop0): using ordered data mode [ 54.633398][ T5067] reiserfs: using flush barriers [ 54.640075][ T5067] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30 [ 54.656540][ T5067] REISERFS (device loop0): checking transaction log (loop0) [ 54.666235][ T5067] REISERFS (device loop0): Using tea hash to sort names [ 54.674100][ T5067] REISERFS warning (device loop0): jdm-13090 reiserfs_new_inode: ACLs aren't enabled in the fs, but vfs thinks they are! [pid 5067] mount("/dev/loop0", "./file2", "reiserfs", MS_NODEV|MS_NOEXEC|MS_SYNCHRONOUS|MS_SILENT|MS_POSIXACL, "") = 0 [pid 5067] openat(AT_FDCWD, "./file2", O_RDONLY|O_DIRECTORY) = 3 [pid 5067] chdir("./file2") = 0 [pid 5067] ioctl(4, LOOP_CLR_FD) = 0 [pid 5067] close(4) = 0 [pid 5067] exit_group(0) = ? [pid 5067] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5067, si_uid=0, si_status=0, si_utime=0, si_stime=14 /* 0.14 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x5555563086f0 /* 4 entries */, 32768) = 112 umount2("./0/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./0/binderfs") = 0 [ 54.687127][ T5067] REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage. umount2("./0/file2", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./0/file2", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/file2", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./0/file2", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0/file2", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556310730 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556310730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./0/file2") = 0 getdents64(3, 0x5555563086f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./0") = 0 mkdir("./1", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5069 attached [pid 5069] set_robust_list(0x555556307660, 24 [pid 5065] <... clone resumed>, child_tidptr=0x555556307650) = 5069 [pid 5069] <... set_robust_list resumed>) = 0 [pid 5069] chdir("./1") = 0 [pid 5069] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5069] setpgid(0, 0) = 0 [pid 5069] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5069] write(3, "1000", 4) = 4 [pid 5069] close(3) = 0 [pid 5069] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5069] memfd_create("syzkaller", 0) = 3 [pid 5069] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7cbace7000 [pid 5069] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4194304) = 4194304 [pid 5069] munmap(0x7f7cbace7000, 138412032) = 0 [pid 5069] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5069] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5069] close(3) = 0 [pid 5069] mkdir("./file2", 0777) = 0 [ 54.913240][ T5069] loop0: detected capacity change from 0 to 8192 [ 54.935230][ T5069] REISERFS warning: read_super_block: reiserfs filesystem is deprecated and scheduled to be removed from the kernel in 2025 [ 54.948356][ T5069] REISERFS (device loop0): found reiserfs format "3.5" with non-standard journal [ 54.957559][ T5069] REISERFS (device loop0): using ordered data mode [ 54.964103][ T5069] reiserfs: using flush barriers [ 54.970092][ T5069] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30 [ 54.986562][ T5069] REISERFS (device loop0): checking transaction log (loop0) [ 54.995185][ T5069] REISERFS (device loop0): Using tea hash to sort names [ 55.002245][ T5069] ================================================================== [ 55.010311][ T5069] BUG: KASAN: use-after-free in search_by_entry_key+0x80b/0x940 [ 55.017945][ T5069] Read of size 4 at addr ffff888077960fc4 by task syz-executor175/5069 [ 55.026160][ T5069] [ 55.028469][ T5069] CPU: 1 PID: 5069 Comm: syz-executor175 Not tainted 6.7.0-rc8-syzkaller-00055-g5eff55d725a4 #0 [ 55.038864][ T5069] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 [ 55.048904][ T5069] Call Trace: [ 55.052172][ T5069] [ 55.055089][ T5069] dump_stack_lvl+0xd9/0x1b0 [ 55.059686][ T5069] print_report+0xc4/0x620 [ 55.064097][ T5069] ? __virt_addr_valid+0x5e/0x2d0 [ 55.069111][ T5069] ? __phys_addr+0xc6/0x140 [ 55.073602][ T5069] kasan_report+0xda/0x110 [ 55.078009][ T5069] ? search_by_entry_key+0x80b/0x940 [ 55.083291][ T5069] ? search_by_entry_key+0x80b/0x940 [ 55.088571][ T5069] search_by_entry_key+0x80b/0x940 [ 55.093674][ T5069] reiserfs_find_entry+0x1dc/0xe70 [ 55.098781][ T5069] ? search_by_entry_key+0x940/0x940 [ 55.104059][ T5069] reiserfs_lookup+0x1f5/0x690 [ 55.108815][ T5069] ? reiserfs_unlink+0x740/0x740 [ 55.113751][ T5069] __lookup_slow+0x24d/0x450 [ 55.118329][ T5069] ? lookup_open.isra.0+0x13b0/0x13b0 [ 55.123685][ T5069] ? reacquire_held_locks+0x4c0/0x4c0 [ 55.129055][ T5069] ? secondary_startup_64_no_verify+0x11b/0x17b [ 55.135298][ T5069] ? secondary_startup_64_no_verify+0x11b/0x17b [ 55.141532][ T5069] ? d_lookup+0xe9/0x180 [ 55.145761][ T5069] lookup_one_len+0x17d/0x1b0 [ 55.150433][ T5069] ? __lookup_slow+0x450/0x450 [ 55.155185][ T5069] reiserfs_lookup_privroot+0x94/0x200 [ 55.160630][ T5069] reiserfs_fill_super+0x20f9/0x3160 [ 55.165909][ T5069] ? reiserfs_remount+0x1640/0x1640 [ 55.171093][ T5069] ? up_write+0x510/0x510 [ 55.175414][ T5069] ? lock_sync+0x190/0x190 [ 55.179839][ T5069] ? reiserfs_remount+0x1640/0x1640 [ 55.185022][ T5069] mount_bdev+0x1f3/0x2e0 [ 55.189343][ T5069] ? sget+0x640/0x640 [ 55.193312][ T5069] ? apparmor_capable+0x126/0x1e0 [ 55.198328][ T5069] ? reiserfs_kill_sb+0x1e0/0x1e0 [ 55.203335][ T5069] legacy_get_tree+0x109/0x220 [ 55.208105][ T5069] vfs_get_tree+0x8c/0x370 [ 55.212512][ T5069] path_mount+0x1492/0x1ed0 [ 55.217014][ T5069] ? kmem_cache_free+0xf8/0x350 [ 55.221864][ T5069] ? finish_automount+0xa40/0xa40 [ 55.226881][ T5069] ? putname+0x12e/0x170 [ 55.231117][ T5069] __x64_sys_mount+0x293/0x310 [ 55.235876][ T5069] ? copy_mnt_ns+0xb60/0xb60 [ 55.240453][ T5069] ? syscall_trace_enter.constprop.0+0xaf/0x1e0 [ 55.246687][ T5069] do_syscall_64+0x40/0x110 [ 55.251186][ T5069] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 55.257064][ T5069] RIP: 0033:0x7f7cc312746a [ 55.261462][ T5069] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 55.281083][ T5069] RSP: 002b:00007fff028d6cf8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 55.289484][ T5069] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7cc312746a [ 55.297438][ T5069] RDX: 0000000020000180 RSI: 0000000020000040 RDI: 00007fff028d6d40 [ 55.305395][ T5069] RBP: 0000000000000004 R08: 00007fff028d6d80 R09: 0000000000001127 [ 55.313354][ T5069] R10: 000000000001801c R11: 0000000000000286 R12: 00007fff028d6d40 [ 55.321313][ T5069] R13: 00007fff028d6d80 R14: 0000000000400000 R15: 0000000000000003 [ 55.329277][ T5069] [ 55.332282][ T5069] [ 55.334590][ T5069] The buggy address belongs to the physical page: [ 55.340982][ T5069] page:ffffea0001de5800 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x77960 [ 55.351118][ T5069] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 55.358213][ T5069] page_type: 0xffffffff() [ 55.362525][ T5069] raw: 00fff00000000000 ffffea0001de5848 ffffea0001de57c8 0000000000000000 [ 55.371095][ T5069] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 55.379656][ T5069] page dumped because: kasan: bad access detected [ 55.386045][ T5069] page_owner tracks the page as freed [ 55.391392][ T5069] page last allocated via order 0, migratetype Movable, gfp_mask 0x100cca(GFP_HIGHUSER_MOVABLE), pid 5067, tgid 5067 (syz-executor175), ts 54563871928, free_ts 54780879905 [ 55.408480][ T5069] post_alloc_hook+0x2d0/0x350 [ 55.413241][ T5069] get_page_from_freelist+0xa25/0x36d0 [ 55.418692][ T5069] __alloc_pages+0x22e/0x2420 [ 55.423356][ T5069] alloc_pages_mpol+0x258/0x5f0 [ 55.428195][ T5069] shmem_alloc_folio+0x10d/0x140 [ 55.433120][ T5069] shmem_alloc_and_add_folio+0x147/0x7b0 [ 55.438739][ T5069] shmem_get_folio_gfp+0x623/0x1360 [ 55.443953][ T5069] shmem_write_begin+0x15a/0x360 [ 55.448880][ T5069] generic_perform_write+0x278/0x600 [ 55.454158][ T5069] shmem_file_write_iter+0x110/0x140 [ 55.459426][ T5069] vfs_write+0x64f/0xdf0 [ 55.463659][ T5069] ksys_write+0x12f/0x250 [ 55.467973][ T5069] do_syscall_64+0x40/0x110 [ 55.472481][ T5069] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 55.478363][ T5069] page last free stack trace: [ 55.483016][ T5069] free_unref_page_prepare+0x4fa/0xaa0 [ 55.488467][ T5069] free_unref_page_list+0xe6/0xb40 [ 55.493571][ T5069] release_pages+0x32a/0x14f0 [ 55.498233][ T5069] __folio_batch_release+0x77/0xe0 [ 55.503331][ T5069] shmem_undo_range+0x57a/0x1140 [ 55.508259][ T5069] shmem_evict_inode+0x39f/0xba0 [ 55.513182][ T5069] evict+0x2ed/0x6b0 [ 55.517064][ T5069] iput.part.0+0x560/0x7b0 [ 55.521469][ T5069] iput+0x5c/0x80 [ 55.525106][ T5069] dentry_unlink_inode+0x292/0x430 [ 55.530209][ T5069] __dentry_kill+0x3b8/0x640 [ 55.534812][ T5069] dput+0x7eb/0xd90 [ 55.538605][ T5069] __fput+0x3b9/0xb70 [ 55.542571][ T5069] task_work_run+0x14d/0x240 [ 55.547145][ T5069] ptrace_notify+0x10d/0x130 [ 55.551719][ T5069] syscall_exit_to_user_mode_prepare+0x126/0x230 [ 55.558032][ T5069] [ 55.560336][ T5069] Memory state around the buggy address: [ 55.565943][ T5069] ffff888077960e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 55.573986][ T5069] ffff888077960f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 55.582029][ T5069] >ffff888077960f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 55.590072][ T5069] ^ [ 55.596200][ T5069] ffff888077961000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 55.604250][ T5069] ffff888077961080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 55.612294][ T5069] ================================================================== [ 55.621097][ T5069] Disabling lock debugging due to kernel taint [ 55.627259][ T5069] ================================================================== [ 55.635375][ T5069] BUG: KASAN: use-after-free in search_by_entry_key+0x80b/0x940 [ 55.643014][ T5069] Read of size 4 at addr ffff888077962fc4 by task syz-executor175/5069 [ 55.651237][ T5069] [ 55.653545][ T5069] CPU: 1 PID: 5069 Comm: syz-executor175 Tainted: G B 6.7.0-rc8-syzkaller-00055-g5eff55d725a4 #0 [ 55.665424][ T5069] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 [ 55.675473][ T5069] Call Trace: [ 55.678739][ T5069] [ 55.681668][ T5069] dump_stack_lvl+0xd9/0x1b0 [ 55.686254][ T5069] print_report+0xc4/0x620 [ 55.690668][ T5069] ? __virt_addr_valid+0x5e/0x2d0 [ 55.695682][ T5069] ? __phys_addr+0xc6/0x140 [ 55.700176][ T5069] kasan_report+0xda/0x110 [ 55.704586][ T5069] ? search_by_entry_key+0x80b/0x940 [ 55.709871][ T5069] ? search_by_entry_key+0x80b/0x940 [ 55.715149][ T5069] search_by_entry_key+0x80b/0x940 [ 55.720259][ T5069] reiserfs_find_entry+0x1dc/0xe70 [ 55.725906][ T5069] ? search_by_entry_key+0x940/0x940 [ 55.731281][ T5069] reiserfs_lookup+0x1f5/0x690 [ 55.736051][ T5069] ? reiserfs_unlink+0x740/0x740 [ 55.740988][ T5069] __lookup_slow+0x24d/0x450 [ 55.745570][ T5069] ? lookup_open.isra.0+0x13b0/0x13b0 [ 55.750937][ T5069] ? reacquire_held_locks+0x4c0/0x4c0 [ 55.756305][ T5069] ? secondary_startup_64_no_verify+0x11b/0x17b [ 55.762539][ T5069] ? secondary_startup_64_no_verify+0x11b/0x17b [ 55.768780][ T5069] ? d_lookup+0xe9/0x180 [ 55.773623][ T5069] lookup_one_len+0x17d/0x1b0 [ 55.778296][ T5069] ? __lookup_slow+0x450/0x450 [ 55.783051][ T5069] reiserfs_lookup_privroot+0x94/0x200 [ 55.788495][ T5069] reiserfs_fill_super+0x20f9/0x3160 [ 55.793768][ T5069] ? reiserfs_remount+0x1640/0x1640 [ 55.798951][ T5069] ? up_write+0x510/0x510 [ 55.803269][ T5069] ? lock_sync+0x190/0x190 [ 55.807681][ T5069] ? reiserfs_remount+0x1640/0x1640 [ 55.812872][ T5069] mount_bdev+0x1f3/0x2e0 [ 55.817194][ T5069] ? sget+0x640/0x640 [ 55.821166][ T5069] ? apparmor_capable+0x126/0x1e0 [ 55.826181][ T5069] ? reiserfs_kill_sb+0x1e0/0x1e0 [ 55.831208][ T5069] legacy_get_tree+0x109/0x220 [ 55.835968][ T5069] vfs_get_tree+0x8c/0x370 [ 55.840375][ T5069] path_mount+0x1492/0x1ed0 [ 55.844907][ T5069] ? kmem_cache_free+0xf8/0x350 [ 55.849749][ T5069] ? finish_automount+0xa40/0xa40 [ 55.854766][ T5069] ? putname+0x12e/0x170 [ 55.859003][ T5069] __x64_sys_mount+0x293/0x310 [ 55.863757][ T5069] ? copy_mnt_ns+0xb60/0xb60 [ 55.868339][ T5069] ? syscall_trace_enter.constprop.0+0xaf/0x1e0 [ 55.874572][ T5069] do_syscall_64+0x40/0x110 [ 55.879069][ T5069] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 55.884996][ T5069] RIP: 0033:0x7f7cc312746a [ 55.889410][ T5069] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 55.909027][ T5069] RSP: 002b:00007fff028d6cf8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 55.917430][ T5069] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7cc312746a [ 55.925403][ T5069] RDX: 0000000020000180 RSI: 0000000020000040 RDI: 00007fff028d6d40 [ 55.933364][ T5069] RBP: 0000000000000004 R08: 00007fff028d6d80 R09: 0000000000001127 [ 55.941323][ T5069] R10: 000000000001801c R11: 0000000000000286 R12: 00007fff028d6d40 [ 55.949300][ T5069] R13: 00007fff028d6d80 R14: 0000000000400000 R15: 0000000000000003 [ 55.957292][ T5069] [ 55.960308][ T5069] [ 55.962615][ T5069] The buggy address belongs to the physical page: [ 55.969179][ T5069] page:ffffea0001de5880 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x77962 [ 55.979315][ T5069] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 55.986411][ T5069] page_type: 0xffffffff() [ 55.990723][ T5069] raw: 00fff00000000000 ffffea0001de58c8 ffffea0001de5848 0000000000000000 [ 55.999297][ T5069] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 56.007856][ T5069] page dumped because: kasan: bad access detected [ 56.014245][ T5069] page_owner tracks the page as freed [ 56.019590][ T5069] page last allocated via order 0, migratetype Movable, gfp_mask 0x100cca(GFP_HIGHUSER_MOVABLE), pid 5067, tgid 5067 (syz-executor175), ts 54563916098, free_ts 54780853914 [ 56.036588][ T5069] post_alloc_hook+0x2d0/0x350 [ 56.041346][ T5069] get_page_from_freelist+0xa25/0x36d0 [ 56.046803][ T5069] __alloc_pages+0x22e/0x2420 [ 56.051475][ T5069] alloc_pages_mpol+0x258/0x5f0 [ 56.056313][ T5069] shmem_alloc_folio+0x10d/0x140 [ 56.061237][ T5069] shmem_alloc_and_add_folio+0x147/0x7b0 [ 56.066863][ T5069] shmem_get_folio_gfp+0x623/0x1360 [ 56.072048][ T5069] shmem_write_begin+0x15a/0x360 [ 56.076995][ T5069] generic_perform_write+0x278/0x600 [ 56.082276][ T5069] shmem_file_write_iter+0x110/0x140 [ 56.087549][ T5069] vfs_write+0x64f/0xdf0 [ 56.091775][ T5069] ksys_write+0x12f/0x250 [ 56.096087][ T5069] do_syscall_64+0x40/0x110 [ 56.100584][ T5069] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 56.106549][ T5069] page last free stack trace: [ 56.111202][ T5069] free_unref_page_prepare+0x4fa/0xaa0 [ 56.116653][ T5069] free_unref_page_list+0xe6/0xb40 [ 56.121755][ T5069] release_pages+0x32a/0x14f0 [ 56.126415][ T5069] __folio_batch_release+0x77/0xe0 [ 56.131519][ T5069] shmem_undo_range+0x57a/0x1140 [ 56.136443][ T5069] shmem_evict_inode+0x39f/0xba0 [ 56.141373][ T5069] evict+0x2ed/0x6b0 [ 56.145258][ T5069] iput.part.0+0x560/0x7b0 [ 56.149664][ T5069] iput+0x5c/0x80 [ 56.153285][ T5069] dentry_unlink_inode+0x292/0x430 [ 56.158386][ T5069] __dentry_kill+0x3b8/0x640 [ 56.162958][ T5069] dput+0x7eb/0xd90 [ 56.166747][ T5069] __fput+0x3b9/0xb70 [ 56.170715][ T5069] task_work_run+0x14d/0x240 [ 56.175313][ T5069] ptrace_notify+0x10d/0x130 [ 56.179988][ T5069] syscall_exit_to_user_mode_prepare+0x126/0x230 [ 56.186309][ T5069] [ 56.188616][ T5069] Memory state around the buggy address: [ 56.194224][ T5069] ffff888077962e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 56.202269][ T5069] ffff888077962f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 56.210308][ T5069] >ffff888077962f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 56.218348][ T5069] ^ [ 56.224488][ T5069] ffff888077963000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 56.232530][ T5069] ffff888077963080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 56.240570][ T5069] ================================================================== [ 56.248840][ T5069] ================================================================== [ 56.256902][ T5069] BUG: KASAN: use-after-free in search_by_entry_key+0x80b/0x940 [ 56.264551][ T5069] Read of size 4 at addr ffff888077963fc4 by task syz-executor175/5069 [ 56.272774][ T5069] [ 56.275089][ T5069] CPU: 1 PID: 5069 Comm: syz-executor175 Tainted: G B 6.7.0-rc8-syzkaller-00055-g5eff55d725a4 #0 [ 56.287043][ T5069] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 [ 56.297080][ T5069] Call Trace: [ 56.300347][ T5069] [ 56.303265][ T5069] dump_stack_lvl+0xd9/0x1b0 [ 56.307860][ T5069] print_report+0xc4/0x620 [ 56.312269][ T5069] ? __virt_addr_valid+0x5e/0x2d0 [ 56.317286][ T5069] ? __phys_addr+0xc6/0x140 [ 56.321779][ T5069] kasan_report+0xda/0x110 [ 56.326198][ T5069] ? search_by_entry_key+0x80b/0x940 [ 56.331474][ T5069] ? search_by_entry_key+0x80b/0x940 [ 56.336748][ T5069] search_by_entry_key+0x80b/0x940 [ 56.341861][ T5069] reiserfs_find_entry+0x1dc/0xe70 [ 56.347052][ T5069] ? search_by_entry_key+0x940/0x940 [ 56.352331][ T5069] reiserfs_lookup+0x1f5/0x690 [ 56.357085][ T5069] ? reiserfs_unlink+0x740/0x740 [ 56.362022][ T5069] __lookup_slow+0x24d/0x450 [ 56.366602][ T5069] ? lookup_open.isra.0+0x13b0/0x13b0 [ 56.372056][ T5069] ? reacquire_held_locks+0x4c0/0x4c0 [ 56.377441][ T5069] ? secondary_startup_64_no_verify+0x11b/0x17b [ 56.383679][ T5069] ? secondary_startup_64_no_verify+0x11b/0x17b [ 56.389915][ T5069] ? d_lookup+0xe9/0x180 [ 56.394146][ T5069] lookup_one_len+0x17d/0x1b0 [ 56.398827][ T5069] ? __lookup_slow+0x450/0x450 [ 56.403580][ T5069] reiserfs_lookup_privroot+0x94/0x200 [ 56.409025][ T5069] reiserfs_fill_super+0x20f9/0x3160 [ 56.414302][ T5069] ? reiserfs_remount+0x1640/0x1640 [ 56.419486][ T5069] ? up_write+0x510/0x510 [ 56.423808][ T5069] ? lock_sync+0x190/0x190 [ 56.428224][ T5069] ? reiserfs_remount+0x1640/0x1640 [ 56.433413][ T5069] mount_bdev+0x1f3/0x2e0 [ 56.437733][ T5069] ? sget+0x640/0x640 [ 56.441704][ T5069] ? apparmor_capable+0x126/0x1e0 [ 56.446717][ T5069] ? reiserfs_kill_sb+0x1e0/0x1e0 [ 56.451725][ T5069] legacy_get_tree+0x109/0x220 [ 56.456487][ T5069] vfs_get_tree+0x8c/0x370 [ 56.460896][ T5069] path_mount+0x1492/0x1ed0 [ 56.465398][ T5069] ? kmem_cache_free+0xf8/0x350 [ 56.470237][ T5069] ? finish_automount+0xa40/0xa40 [ 56.475249][ T5069] ? putname+0x12e/0x170 [ 56.479478][ T5069] __x64_sys_mount+0x293/0x310 [ 56.484235][ T5069] ? copy_mnt_ns+0xb60/0xb60 [ 56.488819][ T5069] ? syscall_trace_enter.constprop.0+0xaf/0x1e0 [ 56.495052][ T5069] do_syscall_64+0x40/0x110 [ 56.499548][ T5069] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 56.505438][ T5069] RIP: 0033:0x7f7cc312746a [ 56.509840][ T5069] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 56.529434][ T5069] RSP: 002b:00007fff028d6cf8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 56.538610][ T5069] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7cc312746a [ 56.546566][ T5069] RDX: 0000000020000180 RSI: 0000000020000040 RDI: 00007fff028d6d40 [ 56.554523][ T5069] RBP: 0000000000000004 R08: 00007fff028d6d80 R09: 0000000000001127 [ 56.562499][ T5069] R10: 000000000001801c R11: 0000000000000286 R12: 00007fff028d6d40 [ 56.570468][ T5069] R13: 00007fff028d6d80 R14: 0000000000400000 R15: 0000000000000003 [ 56.578434][ T5069] [ 56.581439][ T5069] [ 56.583747][ T5069] The buggy address belongs to the physical page: [ 56.590142][ T5069] page:ffffea0001de58c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x77963 [ 56.600278][ T5069] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 56.607369][ T5069] page_type: 0xffffffff() [ 56.611769][ T5069] raw: 00fff00000000000 ffffea0001de5908 ffffea0001de5888 0000000000000000 [ 56.620340][ T5069] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 56.628905][ T5069] page dumped because: kasan: bad access detected [ 56.635297][ T5069] page_owner tracks the page as freed [ 56.640643][ T5069] page last allocated via order 0, migratetype Movable, gfp_mask 0x100cca(GFP_HIGHUSER_MOVABLE), pid 5067, tgid 5067 (syz-executor175), ts 54563930338, free_ts 54780841234 [ 56.657667][ T5069] post_alloc_hook+0x2d0/0x350 [ 56.662429][ T5069] get_page_from_freelist+0xa25/0x36d0 [ 56.667882][ T5069] __alloc_pages+0x22e/0x2420 [ 56.672553][ T5069] alloc_pages_mpol+0x258/0x5f0 [ 56.677393][ T5069] shmem_alloc_folio+0x10d/0x140 [ 56.682322][ T5069] shmem_alloc_and_add_folio+0x147/0x7b0 [ 56.687942][ T5069] shmem_get_folio_gfp+0x623/0x1360 [ 56.693134][ T5069] shmem_write_begin+0x15a/0x360 [ 56.698060][ T5069] generic_perform_write+0x278/0x600 [ 56.703339][ T5069] shmem_file_write_iter+0x110/0x140 [ 56.708606][ T5069] vfs_write+0x64f/0xdf0 [ 56.712851][ T5069] ksys_write+0x12f/0x250 [ 56.717161][ T5069] do_syscall_64+0x40/0x110 [ 56.721655][ T5069] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 56.727532][ T5069] page last free stack trace: [ 56.732185][ T5069] free_unref_page_prepare+0x4fa/0xaa0 [ 56.737634][ T5069] free_unref_page_list+0xe6/0xb40 [ 56.742736][ T5069] release_pages+0x32a/0x14f0 [ 56.747397][ T5069] __folio_batch_release+0x77/0xe0 [ 56.752514][ T5069] shmem_undo_range+0x57a/0x1140 [ 56.757449][ T5069] shmem_evict_inode+0x39f/0xba0 [ 56.762390][ T5069] evict+0x2ed/0x6b0 [ 56.766280][ T5069] iput.part.0+0x560/0x7b0 [ 56.770700][ T5069] iput+0x5c/0x80 [ 56.774344][ T5069] dentry_unlink_inode+0x292/0x430 [ 56.779457][ T5069] __dentry_kill+0x3b8/0x640 [ 56.784037][ T5069] dput+0x7eb/0xd90 [ 56.787830][ T5069] __fput+0x3b9/0xb70 [ 56.791799][ T5069] task_work_run+0x14d/0x240 [ 56.796373][ T5069] ptrace_notify+0x10d/0x130 [ 56.800950][ T5069] syscall_exit_to_user_mode_prepare+0x126/0x230 [ 56.807266][ T5069] [ 56.809612][ T5069] Memory state around the buggy address: [ 56.815220][ T5069] ffff888077963e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 56.823264][ T5069] ffff888077963f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 56.831334][ T5069] >ffff888077963f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 56.839379][ T5069] ^ [ 56.845507][ T5069] ffff888077964000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 56.853551][ T5069] ffff888077964080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 56.861591][ T5069] ================================================================== [ 56.869739][ T5069] ================================================================== [ 56.877816][ T5069] BUG: KASAN: use-after-free in search_by_entry_key+0x80b/0x940 [ 56.885453][ T5069] Read of size 4 at addr ffff8880779647c4 by task syz-executor175/5069 [ 56.893678][ T5069] [ 56.895993][ T5069] CPU: 0 PID: 5069 Comm: syz-executor175 Tainted: G B 6.7.0-rc8-syzkaller-00055-g5eff55d725a4 #0 [ 56.907865][ T5069] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 [ 56.917907][ T5069] Call Trace: [ 56.921175][ T5069] [ 56.924097][ T5069] dump_stack_lvl+0xd9/0x1b0 [ 56.928687][ T5069] print_report+0xc4/0x620 [ 56.933097][ T5069] ? __virt_addr_valid+0x5e/0x2d0 [ 56.938113][ T5069] ? __phys_addr+0xc6/0x140 [ 56.942610][ T5069] kasan_report+0xda/0x110 [ 56.947022][ T5069] ? search_by_entry_key+0x80b/0x940 [ 56.952302][ T5069] ? search_by_entry_key+0x80b/0x940 [ 56.957583][ T5069] search_by_entry_key+0x80b/0x940 [ 56.962696][ T5069] reiserfs_find_entry+0x1dc/0xe70 [ 56.967809][ T5069] ? search_by_entry_key+0x940/0x940 [ 56.973091][ T5069] reiserfs_lookup+0x1f5/0x690 [ 56.977848][ T5069] ? reiserfs_unlink+0x740/0x740 [ 56.982791][ T5069] __lookup_slow+0x24d/0x450 [ 56.987377][ T5069] ? lookup_open.isra.0+0x13b0/0x13b0 [ 56.992739][ T5069] ? reacquire_held_locks+0x4c0/0x4c0 [ 56.998106][ T5069] ? secondary_startup_64_no_verify+0x11b/0x17b [ 57.004343][ T5069] ? secondary_startup_64_no_verify+0x11b/0x17b [ 57.010579][ T5069] ? d_lookup+0xe9/0x180 [ 57.014833][ T5069] lookup_one_len+0x17d/0x1b0 [ 57.019503][ T5069] ? __lookup_slow+0x450/0x450 [ 57.024256][ T5069] reiserfs_lookup_privroot+0x94/0x200 [ 57.029706][ T5069] reiserfs_fill_super+0x20f9/0x3160 [ 57.034985][ T5069] ? reiserfs_remount+0x1640/0x1640 [ 57.040179][ T5069] ? up_write+0x510/0x510 [ 57.044501][ T5069] ? lock_sync+0x190/0x190 [ 57.048915][ T5069] ? reiserfs_remount+0x1640/0x1640 [ 57.054101][ T5069] mount_bdev+0x1f3/0x2e0 [ 57.059206][ T5069] ? sget+0x640/0x640 [ 57.063181][ T5069] ? apparmor_capable+0x126/0x1e0 [ 57.068203][ T5069] ? reiserfs_kill_sb+0x1e0/0x1e0 [ 57.073215][ T5069] legacy_get_tree+0x109/0x220 [ 57.077974][ T5069] vfs_get_tree+0x8c/0x370 [ 57.082382][ T5069] path_mount+0x1492/0x1ed0 [ 57.086883][ T5069] ? kmem_cache_free+0xf8/0x350 [ 57.091740][ T5069] ? finish_automount+0xa40/0xa40 [ 57.096759][ T5069] ? putname+0x12e/0x170 [ 57.101004][ T5069] __x64_sys_mount+0x293/0x310 [ 57.105762][ T5069] ? copy_mnt_ns+0xb60/0xb60 [ 57.110349][ T5069] ? syscall_trace_enter.constprop.0+0xaf/0x1e0 [ 57.116581][ T5069] do_syscall_64+0x40/0x110 [ 57.121079][ T5069] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 57.126963][ T5069] RIP: 0033:0x7f7cc312746a [ 57.131381][ T5069] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 57.150978][ T5069] RSP: 002b:00007fff028d6cf8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 57.159377][ T5069] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7cc312746a [ 57.167333][ T5069] RDX: 0000000020000180 RSI: 0000000020000040 RDI: 00007fff028d6d40 [ 57.175292][ T5069] RBP: 0000000000000004 R08: 00007fff028d6d80 R09: 0000000000001127 [ 57.183255][ T5069] R10: 000000000001801c R11: 0000000000000286 R12: 00007fff028d6d40 [ 57.191213][ T5069] R13: 00007fff028d6d80 R14: 0000000000400000 R15: 0000000000000003 [ 57.199181][ T5069] [ 57.202190][ T5069] [ 57.204498][ T5069] The buggy address belongs to the physical page: [ 57.210899][ T5069] page:ffffea0001de5900 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x77964 [ 57.221036][ T5069] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 57.228126][ T5069] page_type: 0xffffffff() [ 57.232615][ T5069] raw: 00fff00000000000 ffffea0001de5948 ffffea0001de58c8 0000000000000000 [ 57.241181][ T5069] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 57.249745][ T5069] page dumped because: kasan: bad access detected [ 57.256195][ T5069] page_owner tracks the page as freed [ 57.261550][ T5069] page last allocated via order 0, migratetype Movable, gfp_mask 0x100cca(GFP_HIGHUSER_MOVABLE), pid 5067, tgid 5067 (syz-executor175), ts 54563944748, free_ts 54780829164 [ 57.278555][ T5069] post_alloc_hook+0x2d0/0x350 [ 57.283325][ T5069] get_page_from_freelist+0xa25/0x36d0 [ 57.288777][ T5069] __alloc_pages+0x22e/0x2420 [ 57.293457][ T5069] alloc_pages_mpol+0x258/0x5f0 [ 57.298306][ T5069] shmem_alloc_folio+0x10d/0x140 [ 57.303237][ T5069] shmem_alloc_and_add_folio+0x147/0x7b0 [ 57.308859][ T5069] shmem_get_folio_gfp+0x623/0x1360 [ 57.314045][ T5069] shmem_write_begin+0x15a/0x360 [ 57.318973][ T5069] generic_perform_write+0x278/0x600 [ 57.324250][ T5069] shmem_file_write_iter+0x110/0x140 [ 57.329517][ T5069] vfs_write+0x64f/0xdf0 [ 57.333746][ T5069] ksys_write+0x12f/0x250 [ 57.338061][ T5069] do_syscall_64+0x40/0x110 [ 57.342555][ T5069] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 57.348436][ T5069] page last free stack trace: [ 57.353086][ T5069] free_unref_page_prepare+0x4fa/0xaa0 [ 57.358536][ T5069] free_unref_page_list+0xe6/0xb40 [ 57.363638][ T5069] release_pages+0x32a/0x14f0 [ 57.368309][ T5069] __folio_batch_release+0x77/0xe0 [ 57.373413][ T5069] shmem_undo_range+0x57a/0x1140 [ 57.378341][ T5069] shmem_evict_inode+0x39f/0xba0 [ 57.383264][ T5069] evict+0x2ed/0x6b0 [ 57.387153][ T5069] iput.part.0+0x560/0x7b0 [ 57.391565][ T5069] iput+0x5c/0x80 [ 57.395209][ T5069] dentry_unlink_inode+0x292/0x430 [ 57.400311][ T5069] __dentry_kill+0x3b8/0x640 [ 57.404892][ T5069] dput+0x7eb/0xd90 [ 57.408694][ T5069] __fput+0x3b9/0xb70 [ 57.412664][ T5069] task_work_run+0x14d/0x240 [ 57.417238][ T5069] ptrace_notify+0x10d/0x130 [ 57.421818][ T5069] syscall_exit_to_user_mode_prepare+0x126/0x230 [ 57.428138][ T5069] [ 57.430445][ T5069] Memory state around the buggy address: [ 57.436054][ T5069] ffff888077964680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 57.444100][ T5069] ffff888077964700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 57.452235][ T5069] >ffff888077964780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 57.460285][ T5069] ^ [ 57.466420][ T5069] ffff888077964800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 57.474469][ T5069] ffff888077964880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 57.482520][ T5069] ================================================================== [ 57.490769][ T5069] ================================================================== [ 57.498840][ T5069] BUG: KASAN: use-after-free in search_by_entry_key+0x80b/0x940 [ 57.506501][ T5069] Read of size 4 at addr ffff888077964bc4 by task syz-executor175/5069 [ 57.514747][ T5069] [ 57.517082][ T5069] CPU: 0 PID: 5069 Comm: syz-executor175 Tainted: G B 6.7.0-rc8-syzkaller-00055-g5eff55d725a4 #0 [ 57.528984][ T5069] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 [ 57.539028][ T5069] Call Trace: [ 57.542296][ T5069] [ 57.545216][ T5069] dump_stack_lvl+0xd9/0x1b0 [ 57.549808][ T5069] print_report+0xc4/0x620 [ 57.554219][ T5069] ? __virt_addr_valid+0x5e/0x2d0 [ 57.559235][ T5069] ? __phys_addr+0xc6/0x140 [ 57.563730][ T5069] kasan_report+0xda/0x110 [ 57.568139][ T5069] ? search_by_entry_key+0x80b/0x940 [ 57.573420][ T5069] ? search_by_entry_key+0x80b/0x940 [ 57.578701][ T5069] search_by_entry_key+0x80b/0x940 [ 57.583817][ T5069] reiserfs_find_entry+0x1dc/0xe70 [ 57.588948][ T5069] ? search_by_entry_key+0x940/0x940 [ 57.594230][ T5069] reiserfs_lookup+0x1f5/0x690 [ 57.598991][ T5069] ? reiserfs_unlink+0x740/0x740 [ 57.603956][ T5069] __lookup_slow+0x24d/0x450 [ 57.608558][ T5069] ? lookup_open.isra.0+0x13b0/0x13b0 [ 57.613926][ T5069] ? reacquire_held_locks+0x4c0/0x4c0 [ 57.619299][ T5069] ? secondary_startup_64_no_verify+0x11b/0x17b [ 57.625540][ T5069] ? secondary_startup_64_no_verify+0x11b/0x17b [ 57.631815][ T5069] ? d_lookup+0xe9/0x180 [ 57.636097][ T5069] lookup_one_len+0x17d/0x1b0 [ 57.640772][ T5069] ? __lookup_slow+0x450/0x450 [ 57.645541][ T5069] reiserfs_lookup_privroot+0x94/0x200 [ 57.650994][ T5069] reiserfs_fill_super+0x20f9/0x3160 [ 57.656278][ T5069] ? reiserfs_remount+0x1640/0x1640 [ 57.661469][ T5069] ? up_write+0x510/0x510 [ 57.665844][ T5069] ? lock_sync+0x190/0x190 [ 57.670263][ T5069] ? reiserfs_remount+0x1640/0x1640 [ 57.675454][ T5069] mount_bdev+0x1f3/0x2e0 [ 57.679786][ T5069] ? sget+0x640/0x640 [ 57.683784][ T5069] ? apparmor_capable+0x126/0x1e0 [ 57.688814][ T5069] ? reiserfs_kill_sb+0x1e0/0x1e0 [ 57.693832][ T5069] legacy_get_tree+0x109/0x220 [ 57.698594][ T5069] vfs_get_tree+0x8c/0x370 [ 57.703006][ T5069] path_mount+0x1492/0x1ed0 [ 57.707503][ T5069] ? kmem_cache_free+0xf8/0x350 [ 57.712351][ T5069] ? finish_automount+0xa40/0xa40 [ 57.717369][ T5069] ? putname+0x12e/0x170 [ 57.721625][ T5069] __x64_sys_mount+0x293/0x310 [ 57.726397][ T5069] ? copy_mnt_ns+0xb60/0xb60 [ 57.730981][ T5069] ? syscall_trace_enter.constprop.0+0xaf/0x1e0 [ 57.737221][ T5069] do_syscall_64+0x40/0x110 [ 57.741726][ T5069] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 57.747609][ T5069] RIP: 0033:0x7f7cc312746a [ 57.752015][ T5069] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 57.771627][ T5069] RSP: 002b:00007fff028d6cf8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 57.780033][ T5069] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7cc312746a [ 57.787992][ T5069] RDX: 0000000020000180 RSI: 0000000020000040 RDI: 00007fff028d6d40 [ 57.795964][ T5069] RBP: 0000000000000004 R08: 00007fff028d6d80 R09: 0000000000001127 [ 57.803922][ T5069] R10: 000000000001801c R11: 0000000000000286 R12: 00007fff028d6d40 [ 57.811887][ T5069] R13: 00007fff028d6d80 R14: 0000000000400000 R15: 0000000000000003 [ 57.819896][ T5069] [ 57.822901][ T5069] [ 57.825208][ T5069] The buggy address belongs to the physical page: [ 57.831602][ T5069] page:ffffea0001de5900 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x77964 [ 57.841735][ T5069] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 57.848826][ T5069] page_type: 0xffffffff() [ 57.853138][ T5069] raw: 00fff00000000000 ffffea0001de5948 ffffea0001de58c8 0000000000000000 [ 57.861709][ T5069] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 57.870274][ T5069] page dumped because: kasan: bad access detected [ 57.876667][ T5069] page_owner tracks the page as freed [ 57.882017][ T5069] page last allocated via order 0, migratetype Movable, gfp_mask 0x100cca(GFP_HIGHUSER_MOVABLE), pid 5067, tgid 5067 (syz-executor175), ts 54563944748, free_ts 54780829164 [ 57.899028][ T5069] post_alloc_hook+0x2d0/0x350 [ 57.903793][ T5069] get_page_from_freelist+0xa25/0x36d0 [ 57.909255][ T5069] __alloc_pages+0x22e/0x2420 [ 57.913931][ T5069] alloc_pages_mpol+0x258/0x5f0 [ 57.918778][ T5069] shmem_alloc_folio+0x10d/0x140 [ 57.923706][ T5069] shmem_alloc_and_add_folio+0x147/0x7b0 [ 57.929420][ T5069] shmem_get_folio_gfp+0x623/0x1360 [ 57.934719][ T5069] shmem_write_begin+0x15a/0x360 [ 57.939649][ T5069] generic_perform_write+0x278/0x600 [ 57.945015][ T5069] shmem_file_write_iter+0x110/0x140 [ 57.950288][ T5069] vfs_write+0x64f/0xdf0 [ 57.954525][ T5069] ksys_write+0x12f/0x250 [ 57.958842][ T5069] do_syscall_64+0x40/0x110 [ 57.963361][ T5069] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 57.969246][ T5069] page last free stack trace: [ 57.973903][ T5069] free_unref_page_prepare+0x4fa/0xaa0 [ 57.979356][ T5069] free_unref_page_list+0xe6/0xb40 [ 57.984463][ T5069] release_pages+0x32a/0x14f0 [ 57.989127][ T5069] __folio_batch_release+0x77/0xe0 [ 57.994229][ T5069] shmem_undo_range+0x57a/0x1140 [ 57.999163][ T5069] shmem_evict_inode+0x39f/0xba0 [ 58.004089][ T5069] evict+0x2ed/0x6b0 [ 58.007976][ T5069] iput.part.0+0x560/0x7b0 [ 58.012396][ T5069] iput+0x5c/0x80 [ 58.016019][ T5069] dentry_unlink_inode+0x292/0x430 [ 58.021116][ T5069] __dentry_kill+0x3b8/0x640 [ 58.025693][ T5069] dput+0x7eb/0xd90 [ 58.029487][ T5069] __fput+0x3b9/0xb70 [ 58.033461][ T5069] task_work_run+0x14d/0x240 [ 58.038041][ T5069] ptrace_notify+0x10d/0x130 [ 58.042636][ T5069] syscall_exit_to_user_mode_prepare+0x126/0x230 [ 58.048960][ T5069] [ 58.051291][ T5069] Memory state around the buggy address: [ 58.056903][ T5069] ffff888077964a80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 58.064949][ T5069] ffff888077964b00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 58.072994][ T5069] >ffff888077964b80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 58.081059][ T5069] ^ [ 58.087199][ T5069] ffff888077964c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 58.095255][ T5069] ffff888077964c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 58.103302][ T5069] ================================================================== [ 58.112197][ T5069] ================================================================== [ 58.120264][ T5069] BUG: KASAN: use-after-free in search_by_entry_key+0x80b/0x940 [ 58.127984][ T5069] Read of size 4 at addr ffff888077964dc4 by task syz-executor175/5069 [ 58.136206][ T5069] [ 58.138513][ T5069] CPU: 1 PID: 5069 Comm: syz-executor175 Tainted: G B 6.7.0-rc8-syzkaller-00055-g5eff55d725a4 #0 [ 58.150382][ T5069] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 [ 58.160422][ T5069] Call Trace: [ 58.163690][ T5069] [ 58.166607][ T5069] dump_stack_lvl+0xd9/0x1b0 [ 58.171194][ T5069] print_report+0xc4/0x620 [ 58.175606][ T5069] ? __virt_addr_valid+0x5e/0x2d0 [ 58.180621][ T5069] ? __phys_addr+0xc6/0x140 [ 58.185110][ T5069] kasan_report+0xda/0x110 [ 58.189519][ T5069] ? search_by_entry_key+0x80b/0x940 [ 58.194794][ T5069] ? search_by_entry_key+0x80b/0x940 [ 58.200160][ T5069] search_by_entry_key+0x80b/0x940 [ 58.205265][ T5069] reiserfs_find_entry+0x1dc/0xe70 [ 58.210379][ T5069] ? search_by_entry_key+0x940/0x940 [ 58.215658][ T5069] reiserfs_lookup+0x1f5/0x690 [ 58.220412][ T5069] ? reiserfs_unlink+0x740/0x740 [ 58.225361][ T5069] __lookup_slow+0x24d/0x450 [ 58.229949][ T5069] ? lookup_open.isra.0+0x13b0/0x13b0 [ 58.235311][ T5069] ? reacquire_held_locks+0x4c0/0x4c0 [ 58.240676][ T5069] ? secondary_startup_64_no_verify+0x11b/0x17b [ 58.246919][ T5069] ? secondary_startup_64_no_verify+0x11b/0x17b [ 58.253150][ T5069] ? d_lookup+0xe9/0x180 [ 58.257383][ T5069] lookup_one_len+0x17d/0x1b0 [ 58.262049][ T5069] ? __lookup_slow+0x450/0x450 [ 58.266801][ T5069] reiserfs_lookup_privroot+0x94/0x200 [ 58.272254][ T5069] reiserfs_fill_super+0x20f9/0x3160 [ 58.277531][ T5069] ? reiserfs_remount+0x1640/0x1640 [ 58.282726][ T5069] ? up_write+0x510/0x510 [ 58.287051][ T5069] ? lock_sync+0x190/0x190 [ 58.291468][ T5069] ? reiserfs_remount+0x1640/0x1640 [ 58.296661][ T5069] mount_bdev+0x1f3/0x2e0 [ 58.301682][ T5069] ? sget+0x640/0x640 [ 58.305656][ T5069] ? apparmor_capable+0x126/0x1e0 [ 58.310697][ T5069] ? reiserfs_kill_sb+0x1e0/0x1e0 [ 58.315712][ T5069] legacy_get_tree+0x109/0x220 [ 58.320476][ T5069] vfs_get_tree+0x8c/0x370 [ 58.324883][ T5069] path_mount+0x1492/0x1ed0 [ 58.329381][ T5069] ? kmem_cache_free+0xf8/0x350 [ 58.334224][ T5069] ? finish_automount+0xa40/0xa40 [ 58.339239][ T5069] ? putname+0x12e/0x170 [ 58.343469][ T5069] __x64_sys_mount+0x293/0x310 [ 58.348223][ T5069] ? copy_mnt_ns+0xb60/0xb60 [ 58.352892][ T5069] ? syscall_trace_enter.constprop.0+0xaf/0x1e0 [ 58.359298][ T5069] do_syscall_64+0x40/0x110 [ 58.363806][ T5069] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 58.369689][ T5069] RIP: 0033:0x7f7cc312746a [ 58.374086][ T5069] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 58.393690][ T5069] RSP: 002b:00007fff028d6cf8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 58.402091][ T5069] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7cc312746a [ 58.410053][ T5069] RDX: 0000000020000180 RSI: 0000000020000040 RDI: 00007fff028d6d40 [ 58.418020][ T5069] RBP: 0000000000000004 R08: 00007fff028d6d80 R09: 0000000000001127 [ 58.425975][ T5069] R10: 000000000001801c R11: 0000000000000286 R12: 00007fff028d6d40 [ 58.433932][ T5069] R13: 00007fff028d6d80 R14: 0000000000400000 R15: 0000000000000003 [ 58.441896][ T5069] [ 58.444904][ T5069] [ 58.447213][ T5069] The buggy address belongs to the physical page: [ 58.453608][ T5069] page:ffffea0001de5900 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x77964 [ 58.463743][ T5069] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 58.470838][ T5069] page_type: 0xffffffff() [ 58.475152][ T5069] raw: 00fff00000000000 ffffea0001de5948 ffffea0001de58c8 0000000000000000 [ 58.483717][ T5069] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 58.492284][ T5069] page dumped because: kasan: bad access detected [ 58.498679][ T5069] page_owner tracks the page as freed [ 58.504023][ T5069] page last allocated via order 0, migratetype Movable, gfp_mask 0x100cca(GFP_HIGHUSER_MOVABLE), pid 5067, tgid 5067 (syz-executor175), ts 54563944748, free_ts 54780829164 [ 58.521025][ T5069] post_alloc_hook+0x2d0/0x350 [ 58.525790][ T5069] get_page_from_freelist+0xa25/0x36d0 [ 58.531242][ T5069] __alloc_pages+0x22e/0x2420 [ 58.535910][ T5069] alloc_pages_mpol+0x258/0x5f0 [ 58.540750][ T5069] shmem_alloc_folio+0x10d/0x140 [ 58.545697][ T5069] shmem_alloc_and_add_folio+0x147/0x7b0 [ 58.551327][ T5069] shmem_get_folio_gfp+0x623/0x1360 [ 58.556514][ T5069] shmem_write_begin+0x15a/0x360 [ 58.561436][ T5069] generic_perform_write+0x278/0x600 [ 58.566714][ T5069] shmem_file_write_iter+0x110/0x140 [ 58.571986][ T5069] vfs_write+0x64f/0xdf0 [ 58.576209][ T5069] ksys_write+0x12f/0x250 [ 58.580522][ T5069] do_syscall_64+0x40/0x110 [ 58.585010][ T5069] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 58.590888][ T5069] page last free stack trace: [ 58.595539][ T5069] free_unref_page_prepare+0x4fa/0xaa0 [ 58.600985][ T5069] free_unref_page_list+0xe6/0xb40 [ 58.606087][ T5069] release_pages+0x32a/0x14f0 [ 58.610759][ T5069] __folio_batch_release+0x77/0xe0 [ 58.615856][ T5069] shmem_undo_range+0x57a/0x1140 [ 58.620782][ T5069] shmem_evict_inode+0x39f/0xba0 [ 58.625705][ T5069] evict+0x2ed/0x6b0 [ 58.629588][ T5069] iput.part.0+0x560/0x7b0 [ 58.633992][ T5069] iput+0x5c/0x80 [ 58.637617][ T5069] dentry_unlink_inode+0x292/0x430 [ 58.642713][ T5069] __dentry_kill+0x3b8/0x640 [ 58.647288][ T5069] dput+0x7eb/0xd90 [ 58.651087][ T5069] __fput+0x3b9/0xb70 [ 58.655059][ T5069] task_work_run+0x14d/0x240 [ 58.659629][ T5069] ptrace_notify+0x10d/0x130 [ 58.664202][ T5069] syscall_exit_to_user_mode_prepare+0x126/0x230 [ 58.670627][ T5069] [ 58.672936][ T5069] Memory state around the buggy address: [ 58.678545][ T5069] ffff888077964c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 58.686585][ T5069] ffff888077964d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 58.696279][ T5069] >ffff888077964d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 58.704319][ T5069] ^ [ 58.710461][ T5069] ffff888077964e00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 58.718504][ T5069] ffff888077964e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 58.726542][ T5069] ================================================================== [ 58.735584][ T5069] ================================================================== [ 58.743668][ T5069] BUG: KASAN: use-after-free in search_by_entry_key+0x80b/0x940 [ 58.751320][ T5069] Read of size 4 at addr ffff888077964ec4 by task syz-executor175/5069 [ 58.759560][ T5069] [ 58.761862][ T5069] CPU: 1 PID: 5069 Comm: syz-executor175 Tainted: G B 6.7.0-rc8-syzkaller-00055-g5eff55d725a4 #0 [ 58.773726][ T5069] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 [ 58.783770][ T5069] Call Trace: [ 58.787030][ T5069] [ 58.789945][ T5069] dump_stack_lvl+0xd9/0x1b0 [ 58.794522][ T5069] print_report+0xc4/0x620 [ 58.798926][ T5069] ? __virt_addr_valid+0x5e/0x2d0 [ 58.803934][ T5069] ? __phys_addr+0xc6/0x140 [ 58.808422][ T5069] kasan_report+0xda/0x110 [ 58.812827][ T5069] ? search_by_entry_key+0x80b/0x940 [ 58.818093][ T5069] ? search_by_entry_key+0x80b/0x940 [ 58.823366][ T5069] search_by_entry_key+0x80b/0x940 [ 58.828492][ T5069] reiserfs_find_entry+0x1dc/0xe70 [ 58.833597][ T5069] ? search_by_entry_key+0x940/0x940 [ 58.838874][ T5069] reiserfs_lookup+0x1f5/0x690 [ 58.843632][ T5069] ? reiserfs_unlink+0x740/0x740 [ 58.848562][ T5069] __lookup_slow+0x24d/0x450 [ 58.853176][ T5069] ? lookup_open.isra.0+0x13b0/0x13b0 [ 58.858531][ T5069] ? reacquire_held_locks+0x4c0/0x4c0 [ 58.863889][ T5069] ? secondary_startup_64_no_verify+0x11b/0x17b [ 58.870116][ T5069] ? secondary_startup_64_no_verify+0x11b/0x17b [ 58.876424][ T5069] ? d_lookup+0xe9/0x180 [ 58.880651][ T5069] lookup_one_len+0x17d/0x1b0 [ 58.885312][ T5069] ? __lookup_slow+0x450/0x450 [ 58.890071][ T5069] reiserfs_lookup_privroot+0x94/0x200 [ 58.895519][ T5069] reiserfs_fill_super+0x20f9/0x3160 [ 58.900792][ T5069] ? reiserfs_remount+0x1640/0x1640 [ 58.905984][ T5069] ? up_write+0x510/0x510 [ 58.910297][ T5069] ? lock_sync+0x190/0x190 [ 58.914708][ T5069] ? reiserfs_remount+0x1640/0x1640 [ 58.919891][ T5069] mount_bdev+0x1f3/0x2e0 [ 58.924210][ T5069] ? sget+0x640/0x640 [ 58.928183][ T5069] ? apparmor_capable+0x126/0x1e0 [ 58.933217][ T5069] ? reiserfs_kill_sb+0x1e0/0x1e0 [ 58.938229][ T5069] legacy_get_tree+0x109/0x220 [ 58.942980][ T5069] vfs_get_tree+0x8c/0x370 [ 58.947378][ T5069] path_mount+0x1492/0x1ed0 [ 58.951869][ T5069] ? kmem_cache_free+0xf8/0x350 [ 58.956699][ T5069] ? finish_automount+0xa40/0xa40 [ 58.961712][ T5069] ? putname+0x12e/0x170 [ 58.965933][ T5069] __x64_sys_mount+0x293/0x310 [ 58.970696][ T5069] ? copy_mnt_ns+0xb60/0xb60 [ 58.975284][ T5069] ? syscall_trace_enter.constprop.0+0xaf/0x1e0 [ 58.981513][ T5069] do_syscall_64+0x40/0x110 [ 58.986009][ T5069] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 58.991891][ T5069] RIP: 0033:0x7f7cc312746a [ 58.996289][ T5069] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 59.015893][ T5069] RSP: 002b:00007fff028d6cf8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 59.024324][ T5069] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7cc312746a [ 59.032278][ T5069] RDX: 0000000020000180 RSI: 0000000020000040 RDI: 00007fff028d6d40 [ 59.040233][ T5069] RBP: 0000000000000004 R08: 00007fff028d6d80 R09: 0000000000001127 [ 59.048188][ T5069] R10: 000000000001801c R11: 0000000000000286 R12: 00007fff028d6d40 [ 59.056152][ T5069] R13: 00007fff028d6d80 R14: 0000000000400000 R15: 0000000000000003 [ 59.064127][ T5069] [ 59.067139][ T5069] [ 59.069442][ T5069] The buggy address belongs to the physical page: [ 59.075829][ T5069] page:ffffea0001de5900 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x77964 [ 59.085954][ T5069] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 59.093048][ T5069] page_type: 0xffffffff() [ 59.097357][ T5069] raw: 00fff00000000000 ffffea0001de5948 ffffea0001de58c8 0000000000000000 [ 59.105917][ T5069] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 59.114476][ T5069] page dumped because: kasan: bad access detected [ 59.120865][ T5069] page_owner tracks the page as freed [ 59.126229][ T5069] page last allocated via order 0, migratetype Movable, gfp_mask 0x100cca(GFP_HIGHUSER_MOVABLE), pid 5067, tgid 5067 (syz-executor175), ts 54563944748, free_ts 54780829164 [ 59.143230][ T5069] post_alloc_hook+0x2d0/0x350 [ 59.147981][ T5069] get_page_from_freelist+0xa25/0x36d0 [ 59.153430][ T5069] __alloc_pages+0x22e/0x2420 [ 59.158090][ T5069] alloc_pages_mpol+0x258/0x5f0 [ 59.162930][ T5069] shmem_alloc_folio+0x10d/0x140 [ 59.167879][ T5069] shmem_alloc_and_add_folio+0x147/0x7b0 [ 59.173515][ T5069] shmem_get_folio_gfp+0x623/0x1360 [ 59.178786][ T5069] shmem_write_begin+0x15a/0x360 [ 59.183712][ T5069] generic_perform_write+0x278/0x600 [ 59.188984][ T5069] shmem_file_write_iter+0x110/0x140 [ 59.194249][ T5069] vfs_write+0x64f/0xdf0 [ 59.198468][ T5069] ksys_write+0x12f/0x250 [ 59.202777][ T5069] do_syscall_64+0x40/0x110 [ 59.207261][ T5069] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 59.213131][ T5069] page last free stack trace: [ 59.217774][ T5069] free_unref_page_prepare+0x4fa/0xaa0 [ 59.223219][ T5069] free_unref_page_list+0xe6/0xb40 [ 59.228316][ T5069] release_pages+0x32a/0x14f0 [ 59.232971][ T5069] __folio_batch_release+0x77/0xe0 [ 59.238058][ T5069] shmem_undo_range+0x57a/0x1140 [ 59.242974][ T5069] shmem_evict_inode+0x39f/0xba0 [ 59.247892][ T5069] evict+0x2ed/0x6b0 [ 59.251776][ T5069] iput.part.0+0x560/0x7b0 [ 59.256176][ T5069] iput+0x5c/0x80 [ 59.259797][ T5069] dentry_unlink_inode+0x292/0x430 [ 59.264904][ T5069] __dentry_kill+0x3b8/0x640 [ 59.269472][ T5069] dput+0x7eb/0xd90 [ 59.273258][ T5069] __fput+0x3b9/0xb70 [ 59.277217][ T5069] task_work_run+0x14d/0x240 [ 59.281805][ T5069] ptrace_notify+0x10d/0x130 [ 59.286385][ T5069] syscall_exit_to_user_mode_prepare+0x126/0x230 [ 59.292697][ T5069] [ 59.294999][ T5069] Memory state around the buggy address: [ 59.300600][ T5069] ffff888077964d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 59.308643][ T5069] ffff888077964e00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 59.316710][ T5069] >ffff888077964e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 59.324750][ T5069] ^ [ 59.330881][ T5069] ffff888077964f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 59.338935][ T5069] ffff888077964f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 59.346977][ T5069] ================================================================== [ 59.355887][ T5069] ================================================================== [ 59.363949][ T5069] BUG: KASAN: use-after-free in search_by_entry_key+0x80b/0x940 [ 59.371599][ T5069] Read of size 4 at addr ffff888077964f44 by task syz-executor175/5069 [ 59.379814][ T5069] [ 59.382121][ T5069] CPU: 1 PID: 5069 Comm: syz-executor175 Tainted: G B 6.7.0-rc8-syzkaller-00055-g5eff55d725a4 #0 [ 59.394006][ T5069] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 [ 59.404078][ T5069] Call Trace: [ 59.407346][ T5069] [ 59.410261][ T5069] dump_stack_lvl+0xd9/0x1b0 [ 59.414834][ T5069] print_report+0xc4/0x620 [ 59.419237][ T5069] ? __virt_addr_valid+0x5e/0x2d0 [ 59.424331][ T5069] ? __phys_addr+0xc6/0x140 [ 59.428817][ T5069] kasan_report+0xda/0x110 [ 59.433216][ T5069] ? search_by_entry_key+0x80b/0x940 [ 59.438584][ T5069] ? search_by_entry_key+0x80b/0x940 [ 59.443858][ T5069] search_by_entry_key+0x80b/0x940 [ 59.448954][ T5069] reiserfs_find_entry+0x1dc/0xe70 [ 59.454054][ T5069] ? search_by_entry_key+0x940/0x940 [ 59.459325][ T5069] reiserfs_lookup+0x1f5/0x690 [ 59.464081][ T5069] ? reiserfs_unlink+0x740/0x740 [ 59.469019][ T5069] __lookup_slow+0x24d/0x450 [ 59.473598][ T5069] ? lookup_open.isra.0+0x13b0/0x13b0 [ 59.478956][ T5069] ? reacquire_held_locks+0x4c0/0x4c0 [ 59.484319][ T5069] ? secondary_startup_64_no_verify+0x11b/0x17b [ 59.490550][ T5069] ? secondary_startup_64_no_verify+0x11b/0x17b [ 59.496784][ T5069] ? d_lookup+0xe9/0x180 [ 59.501126][ T5069] lookup_one_len+0x17d/0x1b0 [ 59.505804][ T5069] ? __lookup_slow+0x450/0x450 [ 59.510574][ T5069] reiserfs_lookup_privroot+0x94/0x200 [ 59.516032][ T5069] reiserfs_fill_super+0x20f9/0x3160 [ 59.521311][ T5069] ? reiserfs_remount+0x1640/0x1640 [ 59.526497][ T5069] ? up_write+0x510/0x510 [ 59.530832][ T5069] ? lock_sync+0x190/0x190 [ 59.535246][ T5069] ? reiserfs_remount+0x1640/0x1640 [ 59.540430][ T5069] mount_bdev+0x1f3/0x2e0 [ 59.544754][ T5069] ? sget+0x640/0x640 [ 59.548728][ T5069] ? apparmor_capable+0x126/0x1e0 [ 59.553745][ T5069] ? reiserfs_kill_sb+0x1e0/0x1e0 [ 59.558757][ T5069] legacy_get_tree+0x109/0x220 [ 59.563524][ T5069] vfs_get_tree+0x8c/0x370 [ 59.567933][ T5069] path_mount+0x1492/0x1ed0 [ 59.572429][ T5069] ? kmem_cache_free+0xf8/0x350 [ 59.577277][ T5069] ? finish_automount+0xa40/0xa40 [ 59.582295][ T5069] ? putname+0x12e/0x170 [ 59.586525][ T5069] __x64_sys_mount+0x293/0x310 [ 59.591278][ T5069] ? copy_mnt_ns+0xb60/0xb60 [ 59.595858][ T5069] ? syscall_trace_enter.constprop.0+0xaf/0x1e0 [ 59.602090][ T5069] do_syscall_64+0x40/0x110 [ 59.606591][ T5069] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 59.612472][ T5069] RIP: 0033:0x7f7cc312746a [ 59.616872][ T5069] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 59.636473][ T5069] RSP: 002b:00007fff028d6cf8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 59.644876][ T5069] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7cc312746a [ 59.652836][ T5069] RDX: 0000000020000180 RSI: 0000000020000040 RDI: 00007fff028d6d40 [ 59.660829][ T5069] RBP: 0000000000000004 R08: 00007fff028d6d80 R09: 0000000000001127 [ 59.668786][ T5069] R10: 000000000001801c R11: 0000000000000286 R12: 00007fff028d6d40 [ 59.676749][ T5069] R13: 00007fff028d6d80 R14: 0000000000400000 R15: 0000000000000003 [ 59.684717][ T5069] [ 59.687718][ T5069] [ 59.690024][ T5069] The buggy address belongs to the physical page: [ 59.696420][ T5069] page:ffffea0001de5900 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x77964 [ 59.706558][ T5069] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 59.713652][ T5069] page_type: 0xffffffff() [ 59.717974][ T5069] raw: 00fff00000000000 ffffea0001de5948 ffffea0001de58c8 0000000000000000 [ 59.726545][ T5069] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 59.735110][ T5069] page dumped because: kasan: bad access detected [ 59.741504][ T5069] page_owner tracks the page as freed [ 59.746849][ T5069] page last allocated via order 0, migratetype Movable, gfp_mask 0x100cca(GFP_HIGHUSER_MOVABLE), pid 5067, tgid 5067 (syz-executor175), ts 54563944748, free_ts 54780829164 [ 59.763890][ T5069] post_alloc_hook+0x2d0/0x350 [ 59.768660][ T5069] get_page_from_freelist+0xa25/0x36d0 [ 59.774115][ T5069] __alloc_pages+0x22e/0x2420 [ 59.778782][ T5069] alloc_pages_mpol+0x258/0x5f0 [ 59.783630][ T5069] shmem_alloc_folio+0x10d/0x140 [ 59.788551][ T5069] shmem_alloc_and_add_folio+0x147/0x7b0 [ 59.794171][ T5069] shmem_get_folio_gfp+0x623/0x1360 [ 59.799355][ T5069] shmem_write_begin+0x15a/0x360 [ 59.804277][ T5069] generic_perform_write+0x278/0x600 [ 59.809554][ T5069] shmem_file_write_iter+0x110/0x140 [ 59.814822][ T5069] vfs_write+0x64f/0xdf0 [ 59.819046][ T5069] ksys_write+0x12f/0x250 [ 59.823357][ T5069] do_syscall_64+0x40/0x110 [ 59.827856][ T5069] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 59.833736][ T5069] page last free stack trace: [ 59.838386][ T5069] free_unref_page_prepare+0x4fa/0xaa0 [ 59.843834][ T5069] free_unref_page_list+0xe6/0xb40 [ 59.848936][ T5069] release_pages+0x32a/0x14f0 [ 59.853600][ T5069] __folio_batch_release+0x77/0xe0 [ 59.858958][ T5069] shmem_undo_range+0x57a/0x1140 [ 59.863882][ T5069] shmem_evict_inode+0x39f/0xba0 [ 59.868808][ T5069] evict+0x2ed/0x6b0 [ 59.872692][ T5069] iput.part.0+0x560/0x7b0 [ 59.877094][ T5069] iput+0x5c/0x80 [ 59.880715][ T5069] dentry_unlink_inode+0x292/0x430 [ 59.885817][ T5069] __dentry_kill+0x3b8/0x640 [ 59.890389][ T5069] dput+0x7eb/0xd90 [ 59.894185][ T5069] __fput+0x3b9/0xb70 [ 59.898153][ T5069] task_work_run+0x14d/0x240 [ 59.902727][ T5069] ptrace_notify+0x10d/0x130 [ 59.907301][ T5069] syscall_exit_to_user_mode_prepare+0x126/0x230 [ 59.913620][ T5069] [ 59.915924][ T5069] Memory state around the buggy address: [ 59.921532][ T5069] ffff888077964e00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 59.929573][ T5069] ffff888077964e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 59.937615][ T5069] >ffff888077964f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 59.945652][ T5069] ^ [ 59.951784][ T5069] ffff888077964f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 59.959835][ T5069] ffff888077965000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 59.967877][ T5069] ================================================================== [ 59.976111][ T5069] ================================================================== [ 59.984180][ T5069] BUG: KASAN: use-after-free in search_by_entry_key+0x80b/0x940 [ 59.991807][ T5069] Read of size 4 at addr ffff888077964f84 by task syz-executor175/5069 [ 60.000028][ T5069] [ 60.002337][ T5069] CPU: 0 PID: 5069 Comm: syz-executor175 Tainted: G B 6.7.0-rc8-syzkaller-00055-g5eff55d725a4 #0 [ 60.014207][ T5069] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 [ 60.024250][ T5069] Call Trace: [ 60.027526][ T5069] [ 60.030443][ T5069] dump_stack_lvl+0xd9/0x1b0 [ 60.035027][ T5069] print_report+0xc4/0x620 [ 60.039439][ T5069] ? __virt_addr_valid+0x5e/0x2d0 [ 60.044455][ T5069] ? __phys_addr+0xc6/0x140 [ 60.048951][ T5069] kasan_report+0xda/0x110 [ 60.053360][ T5069] ? search_by_entry_key+0x80b/0x940 [ 60.058635][ T5069] ? search_by_entry_key+0x80b/0x940 [ 60.063912][ T5069] search_by_entry_key+0x80b/0x940 [ 60.069018][ T5069] reiserfs_find_entry+0x1dc/0xe70 [ 60.074126][ T5069] ? search_by_entry_key+0x940/0x940 [ 60.079440][ T5069] reiserfs_lookup+0x1f5/0x690 [ 60.084200][ T5069] ? reiserfs_unlink+0x740/0x740 [ 60.089150][ T5069] __lookup_slow+0x24d/0x450 [ 60.093732][ T5069] ? lookup_open.isra.0+0x13b0/0x13b0 [ 60.099091][ T5069] ? reacquire_held_locks+0x4c0/0x4c0 [ 60.104456][ T5069] ? secondary_startup_64_no_verify+0x11b/0x17b [ 60.110690][ T5069] ? secondary_startup_64_no_verify+0x11b/0x17b [ 60.116925][ T5069] ? d_lookup+0xe9/0x180 [ 60.121160][ T5069] lookup_one_len+0x17d/0x1b0 [ 60.125830][ T5069] ? __lookup_slow+0x450/0x450 [ 60.130586][ T5069] reiserfs_lookup_privroot+0x94/0x200 [ 60.136056][ T5069] reiserfs_fill_super+0x20f9/0x3160 [ 60.141337][ T5069] ? reiserfs_remount+0x1640/0x1640 [ 60.146524][ T5069] ? up_write+0x510/0x510 [ 60.150931][ T5069] ? lock_sync+0x190/0x190 [ 60.155346][ T5069] ? reiserfs_remount+0x1640/0x1640 [ 60.160707][ T5069] mount_bdev+0x1f3/0x2e0 [ 60.165030][ T5069] ? sget+0x640/0x640 [ 60.169000][ T5069] ? apparmor_capable+0x126/0x1e0 [ 60.174026][ T5069] ? reiserfs_kill_sb+0x1e0/0x1e0 [ 60.179037][ T5069] legacy_get_tree+0x109/0x220 [ 60.183795][ T5069] vfs_get_tree+0x8c/0x370 [ 60.188201][ T5069] path_mount+0x1492/0x1ed0 [ 60.192698][ T5069] ? kmem_cache_free+0xf8/0x350 [ 60.197539][ T5069] ? finish_automount+0xa40/0xa40 [ 60.202555][ T5069] ? putname+0x12e/0x170 [ 60.206787][ T5069] __x64_sys_mount+0x293/0x310 [ 60.211614][ T5069] ? copy_mnt_ns+0xb60/0xb60 [ 60.216196][ T5069] ? syscall_trace_enter.constprop.0+0xaf/0x1e0 [ 60.222427][ T5069] do_syscall_64+0x40/0x110 [ 60.226923][ T5069] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 60.232810][ T5069] RIP: 0033:0x7f7cc312746a [ 60.237209][ T5069] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 60.256821][ T5069] RSP: 002b:00007fff028d6cf8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 60.265224][ T5069] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7cc312746a [ 60.273186][ T5069] RDX: 0000000020000180 RSI: 0000000020000040 RDI: 00007fff028d6d40 [ 60.281147][ T5069] RBP: 0000000000000004 R08: 00007fff028d6d80 R09: 0000000000001127 [ 60.289107][ T5069] R10: 000000000001801c R11: 0000000000000286 R12: 00007fff028d6d40 [ 60.297064][ T5069] R13: 00007fff028d6d80 R14: 0000000000400000 R15: 0000000000000003 [ 60.305027][ T5069] [ 60.308029][ T5069] [ 60.310336][ T5069] The buggy address belongs to the physical page: [ 60.316724][ T5069] page:ffffea0001de5900 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x77964 [ 60.326858][ T5069] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 60.333953][ T5069] page_type: 0xffffffff() [ 60.338271][ T5069] raw: 00fff00000000000 ffffea0001de5948 ffffea0001de58c8 0000000000000000 [ 60.346838][ T5069] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 60.355411][ T5069] page dumped because: kasan: bad access detected [ 60.361822][ T5069] page_owner tracks the page as freed [ 60.367169][ T5069] page last allocated via order 0, migratetype Movable, gfp_mask 0x100cca(GFP_HIGHUSER_MOVABLE), pid 5067, tgid 5067 (syz-executor175), ts 54563944748, free_ts 54780829164 [ 60.384179][ T5069] post_alloc_hook+0x2d0/0x350 [ 60.388947][ T5069] get_page_from_freelist+0xa25/0x36d0 [ 60.394402][ T5069] __alloc_pages+0x22e/0x2420 [ 60.399074][ T5069] alloc_pages_mpol+0x258/0x5f0 [ 60.403915][ T5069] shmem_alloc_folio+0x10d/0x140 [ 60.408842][ T5069] shmem_alloc_and_add_folio+0x147/0x7b0 [ 60.414466][ T5069] shmem_get_folio_gfp+0x623/0x1360 [ 60.419653][ T5069] shmem_write_begin+0x15a/0x360 [ 60.424579][ T5069] generic_perform_write+0x278/0x600 [ 60.429860][ T5069] shmem_file_write_iter+0x110/0x140 [ 60.435155][ T5069] vfs_write+0x64f/0xdf0 [ 60.439384][ T5069] ksys_write+0x12f/0x250 [ 60.443699][ T5069] do_syscall_64+0x40/0x110 [ 60.448243][ T5069] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 60.454122][ T5069] page last free stack trace: [ 60.458775][ T5069] free_unref_page_prepare+0x4fa/0xaa0 [ 60.464236][ T5069] free_unref_page_list+0xe6/0xb40 [ 60.469343][ T5069] release_pages+0x32a/0x14f0 [ 60.474010][ T5069] __folio_batch_release+0x77/0xe0 [ 60.479114][ T5069] shmem_undo_range+0x57a/0x1140 [ 60.484045][ T5069] shmem_evict_inode+0x39f/0xba0 [ 60.488971][ T5069] evict+0x2ed/0x6b0 [ 60.492860][ T5069] iput.part.0+0x560/0x7b0 [ 60.497265][ T5069] iput+0x5c/0x80 [ 60.500887][ T5069] dentry_unlink_inode+0x292/0x430 [ 60.505983][ T5069] __dentry_kill+0x3b8/0x640 [ 60.510559][ T5069] dput+0x7eb/0xd90 [ 60.514351][ T5069] __fput+0x3b9/0xb70 [ 60.518324][ T5069] task_work_run+0x14d/0x240 [ 60.522901][ T5069] ptrace_notify+0x10d/0x130 [ 60.527484][ T5069] syscall_exit_to_user_mode_prepare+0x126/0x230 [ 60.533809][ T5069] [ 60.536116][ T5069] Memory state around the buggy address: [ 60.541730][ T5069] ffff888077964e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 60.549778][ T5069] ffff888077964f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 60.557824][ T5069] >ffff888077964f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 60.565867][ T5069] ^ [ 60.569957][ T5069] ffff888077965000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 60.578002][ T5069] ffff888077965080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 60.586041][ T5069] ================================================================== [ 60.594523][ T5069] ================================================================== [ 60.602594][ T5069] BUG: KASAN: use-after-free in search_by_entry_key+0x80b/0x940 [ 60.610247][ T5069] Read of size 4 at addr ffff888077964fa4 by task syz-executor175/5069 [ 60.618479][ T5069] [ 60.620789][ T5069] CPU: 1 PID: 5069 Comm: syz-executor175 Tainted: G B 6.7.0-rc8-syzkaller-00055-g5eff55d725a4 #0 [ 60.632666][ T5069] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 [ 60.642706][ T5069] Call Trace: [ 60.645971][ T5069] [ 60.648890][ T5069] dump_stack_lvl+0xd9/0x1b0 [ 60.653478][ T5069] print_report+0xc4/0x620 [ 60.657890][ T5069] ? __virt_addr_valid+0x5e/0x2d0 [ 60.662905][ T5069] ? __phys_addr+0xc6/0x140 [ 60.667404][ T5069] kasan_report+0xda/0x110 [ 60.671821][ T5069] ? search_by_entry_key+0x80b/0x940 [ 60.677102][ T5069] ? search_by_entry_key+0x80b/0x940 [ 60.682382][ T5069] search_by_entry_key+0x80b/0x940 [ 60.687492][ T5069] reiserfs_find_entry+0x1dc/0xe70 [ 60.692601][ T5069] ? search_by_entry_key+0x940/0x940 [ 60.697880][ T5069] reiserfs_lookup+0x1f5/0x690 [ 60.702637][ T5069] ? reiserfs_unlink+0x740/0x740 [ 60.707576][ T5069] __lookup_slow+0x24d/0x450 [ 60.712154][ T5069] ? lookup_open.isra.0+0x13b0/0x13b0 [ 60.717516][ T5069] ? reacquire_held_locks+0x4c0/0x4c0 [ 60.722885][ T5069] ? secondary_startup_64_no_verify+0x11b/0x17b [ 60.729116][ T5069] ? secondary_startup_64_no_verify+0x11b/0x17b [ 60.735350][ T5069] ? d_lookup+0xe9/0x180 [ 60.739586][ T5069] lookup_one_len+0x17d/0x1b0 [ 60.744253][ T5069] ? __lookup_slow+0x450/0x450 [ 60.749004][ T5069] reiserfs_lookup_privroot+0x94/0x200 [ 60.754451][ T5069] reiserfs_fill_super+0x20f9/0x3160 [ 60.759757][ T5069] ? reiserfs_remount+0x1640/0x1640 [ 60.764950][ T5069] ? up_write+0x510/0x510 [ 60.769299][ T5069] ? lock_sync+0x190/0x190 [ 60.773714][ T5069] ? reiserfs_remount+0x1640/0x1640 [ 60.778898][ T5069] mount_bdev+0x1f3/0x2e0 [ 60.783223][ T5069] ? sget+0x640/0x640 [ 60.787203][ T5069] ? apparmor_capable+0x126/0x1e0 [ 60.792221][ T5069] ? reiserfs_kill_sb+0x1e0/0x1e0 [ 60.797238][ T5069] legacy_get_tree+0x109/0x220 [ 60.801997][ T5069] vfs_get_tree+0x8c/0x370 [ 60.806406][ T5069] path_mount+0x1492/0x1ed0 [ 60.810902][ T5069] ? kmem_cache_free+0xf8/0x350 [ 60.815745][ T5069] ? finish_automount+0xa40/0xa40 [ 60.820762][ T5069] ? putname+0x12e/0x170 [ 60.824996][ T5069] __x64_sys_mount+0x293/0x310 [ 60.829752][ T5069] ? copy_mnt_ns+0xb60/0xb60 [ 60.834332][ T5069] ? syscall_trace_enter.constprop.0+0xaf/0x1e0 [ 60.840565][ T5069] do_syscall_64+0x40/0x110 [ 60.845064][ T5069] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 60.850948][ T5069] RIP: 0033:0x7f7cc312746a [ 60.855352][ T5069] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 60.874957][ T5069] RSP: 002b:00007fff028d6cf8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 60.883369][ T5069] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7cc312746a [ 60.891332][ T5069] RDX: 0000000020000180 RSI: 0000000020000040 RDI: 00007fff028d6d40 [ 60.899294][ T5069] RBP: 0000000000000004 R08: 00007fff028d6d80 R09: 0000000000001127 [ 60.907248][ T5069] R10: 000000000001801c R11: 0000000000000286 R12: 00007fff028d6d40 [ 60.915206][ T5069] R13: 00007fff028d6d80 R14: 0000000000400000 R15: 0000000000000003 [ 60.923177][ T5069] [ 60.926188][ T5069] [ 60.928503][ T5069] The buggy address belongs to the physical page: [ 60.934894][ T5069] page:ffffea0001de5900 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x77964 [ 60.945026][ T5069] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 60.952116][ T5069] page_type: 0xffffffff() [ 60.956431][ T5069] raw: 00fff00000000000 ffffea0001de5948 ffffea0001de58c8 0000000000000000 [ 60.965002][ T5069] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 60.973568][ T5069] page dumped because: kasan: bad access detected [ 60.979961][ T5069] page_owner tracks the page as freed [ 60.985305][ T5069] page last allocated via order 0, migratetype Movable, gfp_mask 0x100cca(GFP_HIGHUSER_MOVABLE), pid 5067, tgid 5067 (syz-executor175), ts 54563944748, free_ts 54780829164 [ 61.002313][ T5069] post_alloc_hook+0x2d0/0x350 [ 61.007073][ T5069] get_page_from_freelist+0xa25/0x36d0 [ 61.012529][ T5069] __alloc_pages+0x22e/0x2420 [ 61.017202][ T5069] alloc_pages_mpol+0x258/0x5f0 [ 61.022046][ T5069] shmem_alloc_folio+0x10d/0x140 [ 61.026972][ T5069] shmem_alloc_and_add_folio+0x147/0x7b0 [ 61.032598][ T5069] shmem_get_folio_gfp+0x623/0x1360 [ 61.037809][ T5069] shmem_write_begin+0x15a/0x360 [ 61.042738][ T5069] generic_perform_write+0x278/0x600 [ 61.048017][ T5069] shmem_file_write_iter+0x110/0x140 [ 61.053288][ T5069] vfs_write+0x64f/0xdf0 [ 61.057520][ T5069] ksys_write+0x12f/0x250 [ 61.061838][ T5069] do_syscall_64+0x40/0x110 [ 61.066332][ T5069] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 61.072214][ T5069] page last free stack trace: [ 61.076867][ T5069] free_unref_page_prepare+0x4fa/0xaa0 [ 61.082323][ T5069] free_unref_page_list+0xe6/0xb40 [ 61.087427][ T5069] release_pages+0x32a/0x14f0 [ 61.092092][ T5069] __folio_batch_release+0x77/0xe0 [ 61.097196][ T5069] shmem_undo_range+0x57a/0x1140 [ 61.102127][ T5069] shmem_evict_inode+0x39f/0xba0 [ 61.107063][ T5069] evict+0x2ed/0x6b0 [ 61.110951][ T5069] iput.part.0+0x560/0x7b0 [ 61.115361][ T5069] iput+0x5c/0x80 [ 61.118989][ T5069] dentry_unlink_inode+0x292/0x430 [ 61.124089][ T5069] __dentry_kill+0x3b8/0x640 [ 61.128669][ T5069] dput+0x7eb/0xd90 [ 61.132472][ T5069] __fput+0x3b9/0xb70 [ 61.136447][ T5069] task_work_run+0x14d/0x240 [ 61.142237][ T5069] ptrace_notify+0x10d/0x130 [ 61.146822][ T5069] syscall_exit_to_user_mode_prepare+0x126/0x230 [ 61.153146][ T5069] [ 61.155454][ T5069] Memory state around the buggy address: [ 61.161067][ T5069] ffff888077964e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 61.169119][ T5069] ffff888077964f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 61.177168][ T5069] >ffff888077964f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 61.185217][ T5069] ^ [pid 5069] mount("/dev/loop0", "./file2", "reiserfs", MS_NODEV|MS_NOEXEC|MS_SYNCHRONOUS|MS_SILENT|MS_POSIXACL, "" [pid 5065] kill(-5069, SIGKILL) = 0 [pid 5065] kill(5069, SIGKILL) = 0 [ 61.190311][ T5069] ffff888077965000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 61.198357][ T5069] ffff888077965080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 61.206398][ T5069] ================================================================== [ 61.215497][ T5069] ================================================================== [ 61.223579][ T5069] BUG: KASAN: out-of-bounds in search_by_entry_key+0x80b/0x940 [ 61.231149][ T5069] Read of size 4 at addr ffff888077964fb4 by task syz-executor175/5069 [ 61.239368][ T5069] [ 61.241679][ T5069] CPU: 0 PID: 5069 Comm: syz-executor175 Tainted: G B 6.7.0-rc8-syzkaller-00055-g5eff55d725a4 #0 [ 61.253547][ T5069] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 [ 61.263608][ T5069] Call Trace: [ 61.266903][ T5069] [ 61.269821][ T5069] dump_stack_lvl+0xd9/0x1b0 [ 61.274406][ T5069] print_report+0xc4/0x620 [ 61.278812][ T5069] ? __virt_addr_valid+0x5e/0x2d0 [ 61.283825][ T5069] ? __phys_addr+0xc6/0x140 [ 61.288320][ T5069] kasan_report+0xda/0x110 [ 61.292758][ T5069] ? search_by_entry_key+0x80b/0x940 [ 61.298034][ T5069] ? search_by_entry_key+0x80b/0x940 [ 61.303318][ T5069] search_by_entry_key+0x80b/0x940 [ 61.308425][ T5069] reiserfs_find_entry+0x1dc/0xe70 [ 61.313531][ T5069] ? search_by_entry_key+0x940/0x940 [ 61.318808][ T5069] reiserfs_lookup+0x1f5/0x690 [ 61.323654][ T5069] ? reiserfs_unlink+0x740/0x740 [ 61.328584][ T5069] __lookup_slow+0x24d/0x450 [ 61.333162][ T5069] ? lookup_open.isra.0+0x13b0/0x13b0 [ 61.338546][ T5069] ? reacquire_held_locks+0x4c0/0x4c0 [ 61.343906][ T5069] ? secondary_startup_64_no_verify+0x11b/0x17b [ 61.350137][ T5069] ? secondary_startup_64_no_verify+0x11b/0x17b [ 61.356367][ T5069] ? d_lookup+0xe9/0x180 [ 61.360708][ T5069] lookup_one_len+0x17d/0x1b0 [ 61.365369][ T5069] ? __lookup_slow+0x450/0x450 [ 61.370142][ T5069] reiserfs_lookup_privroot+0x94/0x200 [ 61.375583][ T5069] reiserfs_fill_super+0x20f9/0x3160 [ 61.380854][ T5069] ? reiserfs_remount+0x1640/0x1640 [ 61.386033][ T5069] ? up_write+0x510/0x510 [ 61.390349][ T5069] ? lock_sync+0x190/0x190 [ 61.394761][ T5069] ? reiserfs_remount+0x1640/0x1640 [ 61.399945][ T5069] mount_bdev+0x1f3/0x2e0 [ 61.404269][ T5069] ? sget+0x640/0x640 [ 61.408250][ T5069] ? apparmor_capable+0x126/0x1e0 [ 61.413280][ T5069] ? reiserfs_kill_sb+0x1e0/0x1e0 [ 61.418303][ T5069] legacy_get_tree+0x109/0x220 [ 61.423236][ T5069] vfs_get_tree+0x8c/0x370 [ 61.427644][ T5069] path_mount+0x1492/0x1ed0 [ 61.432139][ T5069] ? kmem_cache_free+0xf8/0x350 [ 61.436979][ T5069] ? finish_automount+0xa40/0xa40 [ 61.442002][ T5069] ? putname+0x12e/0x170 [ 61.446245][ T5069] __x64_sys_mount+0x293/0x310 [ 61.451003][ T5069] ? copy_mnt_ns+0xb60/0xb60 [ 61.455579][ T5069] ? syscall_trace_enter.constprop.0+0xaf/0x1e0 [ 61.461811][ T5069] do_syscall_64+0x40/0x110 [ 61.466307][ T5069] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 61.472200][ T5069] RIP: 0033:0x7f7cc312746a [ 61.476595][ T5069] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 61.496199][ T5069] RSP: 002b:00007fff028d6cf8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 61.504616][ T5069] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7cc312746a [ 61.512606][ T5069] RDX: 0000000020000180 RSI: 0000000020000040 RDI: 00007fff028d6d40 [ 61.520571][ T5069] RBP: 0000000000000004 R08: 00007fff028d6d80 R09: 0000000000001127 [ 61.528530][ T5069] R10: 000000000001801c R11: 0000000000000286 R12: 00007fff028d6d40 [ 61.536483][ T5069] R13: 00007fff028d6d80 R14: 0000000000400000 R15: 0000000000000003 [ 61.544455][ T5069] [ 61.547456][ T5069] [ 61.549762][ T5069] The buggy address belongs to the physical page: [ 61.556254][ T5069] page:ffffea0001de5900 refcount:3 mapcount:0 mapping:ffff88801b540878 index:0x20066 pfn:0x77964 [ 61.566735][ T5069] memcg:ffff88814124a000 [ 61.570955][ T5069] aops:def_blk_aops ino:800001 [ 61.575707][ T5069] flags: 0xfff00000008204(referenced|workingset|private|node=0|zone=1|lastcpupid=0x7ff) [ 61.585410][ T5069] page_type: 0xffffffff() [ 61.589745][ T5069] raw: 00fff00000008204 0000000000000000 dead000000000122 ffff88801b540878 [ 61.598312][ T5069] raw: 0000000000020066 ffff888077cf0ae0 00000003ffffffff ffff88814124a000 [ 61.606884][ T5069] page dumped because: kasan: bad access detected [ 61.613296][ T5069] page_owner tracks the page as allocated [ 61.618991][ T5069] page last allocated via order 0, migratetype Movable, gfp_mask 0x148c48(GFP_NOFS|__GFP_NOFAIL|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 4484, tgid 4484 (jbd2/sda1-8), ts 61215862402, free_ts 54780829164 [ 61.639205][ T5069] post_alloc_hook+0x2d0/0x350 [ 61.643964][ T5069] get_page_from_freelist+0xa25/0x36d0 [ 61.649411][ T5069] __alloc_pages+0x22e/0x2420 [ 61.654077][ T5069] alloc_pages_mpol+0x258/0x5f0 [ 61.658915][ T5069] folio_alloc+0x1e/0xe0 [ 61.663137][ T5069] filemap_alloc_folio+0x3bb/0x490 [ 61.668234][ T5069] __filemap_get_folio+0x54c/0xaa0 [ 61.673322][ T5069] __getblk_slow+0x1b8/0x720 [ 61.677895][ T5069] bdev_getblk+0xad/0xc0 [ 61.682116][ T5069] jbd2_journal_get_descriptor_buffer+0x199/0x500 [ 61.688519][ T5069] jbd2_journal_commit_transaction+0x1a19/0x63b0 [ 61.694828][ T5069] kjournald2+0x1fb/0x900 [ 61.699136][ T5069] kthread+0x2c6/0x3a0 [ 61.703184][ T5069] ret_from_fork+0x45/0x80 [ 61.707573][ T5069] ret_from_fork_asm+0x11/0x20 [ 61.712323][ T5069] page last free stack trace: [ 61.716969][ T5069] free_unref_page_prepare+0x4fa/0xaa0 [ 61.723108][ T5069] free_unref_page_list+0xe6/0xb40 [ 61.728212][ T5069] release_pages+0x32a/0x14f0 [ 61.732884][ T5069] __folio_batch_release+0x77/0xe0 [ 61.737984][ T5069] shmem_undo_range+0x57a/0x1140 [ 61.742907][ T5069] shmem_evict_inode+0x39f/0xba0 [ 61.747833][ T5069] evict+0x2ed/0x6b0 [ 61.751711][ T5069] iput.part.0+0x560/0x7b0 [ 61.756118][ T5069] iput+0x5c/0x80 [ 61.759737][ T5069] dentry_unlink_inode+0x292/0x430 [ 61.764826][ T5069] __dentry_kill+0x3b8/0x640 [ 61.769463][ T5069] dput+0x7eb/0xd90 [ 61.773250][ T5069] __fput+0x3b9/0xb70 [ 61.777205][ T5069] task_work_run+0x14d/0x240 [ 61.781773][ T5069] ptrace_notify+0x10d/0x130 [ 61.786340][ T5069] syscall_exit_to_user_mode_prepare+0x126/0x230 [ 61.792649][ T5069] [ 61.794954][ T5069] Memory state around the buggy address: [ 61.800557][ T5069] ffff888077964e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 61.808594][ T5069] ffff888077964f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 61.816642][ T5069] >ffff888077964f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 61.824696][ T5069] ^ [ 61.830590][ T5069] ffff888077965000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [pid 5069] <... mount resumed>) = ? [pid 5069] +++ killed by SIGKILL +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=5069, si_uid=0, si_status=SIGKILL, si_utime=0, si_stime=25 /* 0.25 s */} --- umount2("./1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x5555563086f0 /* 4 entries */, 32768) = 112 umount2("./1/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./1/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./1/binderfs") = 0 umount2("./1/file2", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./1/file2", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) [ 61.838734][ T5069] ffff888077965080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 61.846773][ T5069] ================================================================== [ 61.855245][ T5069] REISERFS warning (device loop0): jdm-13090 reiserfs_new_inode: ACLs aren't enabled in the fs, but vfs thinks they are! [ 61.867929][ T5069] REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage. newfstatat(AT_FDCWD, "./1/file2", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./1/file2", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./1/file2", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556310730 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556310730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./1/file2") = 0 getdents64(3, 0x5555563086f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./1") = 0 mkdir("./2", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = 0 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556307650) = 5072 ./strace-static-x86_64: Process 5072 attached [pid 5072] set_robust_list(0x555556307660, 24) = 0 [pid 5072] chdir("./2") = 0 [pid 5072] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5072] setpgid(0, 0) = 0 [pid 5072] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5072] write(3, "1000", 4) = 4 [pid 5072] close(3) = 0 [pid 5072] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5072] memfd_create("syzkaller", 0) = 3 [pid 5072] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7cbace7000 [pid 5072] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4194304) = 4194304 [pid 5072] munmap(0x7f7cbace7000, 138412032) = 0 [pid 5072] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5072] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5072] close(3) = 0 [pid 5072] mkdir("./file2", 0777) = 0 [ 62.079682][ T5072] loop0: detected capacity change from 0 to 8192 [ 62.093645][ T5072] REISERFS warning: read_super_block: reiserfs filesystem is deprecated and scheduled to be removed from the kernel in 2025 [ 62.106636][ T5072] REISERFS (device loop0): found reiserfs format "3.5" with non-standard journal [ 62.115943][ T5072] REISERFS (device loop0): using ordered data mode [ 62.122487][ T5072] reiserfs: using flush barriers [ 62.128315][ T5072] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30 [ 62.144639][ T5072] REISERFS (device loop0): checking transaction log (loop0) [ 62.152711][ T5072] REISERFS (device loop0): Using tea hash to sort names [ 62.159700][ T5072] ================================================================== [ 62.167746][ T5072] BUG: KASAN: use-after-free in search_by_entry_key+0x80b/0x940 [ 62.175487][ T5072] Read of size 4 at addr ffff88807764efc4 by task syz-executor175/5072 [ 62.183735][ T5072] [ 62.186047][ T5072] CPU: 1 PID: 5072 Comm: syz-executor175 Tainted: G B 6.7.0-rc8-syzkaller-00055-g5eff55d725a4 #0 [ 62.197916][ T5072] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 [ 62.208046][ T5072] Call Trace: [ 62.211319][ T5072] [ 62.214234][ T5072] dump_stack_lvl+0xd9/0x1b0 [ 62.218848][ T5072] print_report+0xc4/0x620 [ 62.223260][ T5072] ? __virt_addr_valid+0x5e/0x2d0 [ 62.228272][ T5072] ? __phys_addr+0xc6/0x140 [ 62.232769][ T5072] kasan_report+0xda/0x110 [ 62.237187][ T5072] ? search_by_entry_key+0x80b/0x940 [ 62.242464][ T5072] ? search_by_entry_key+0x80b/0x940 [ 62.247744][ T5072] search_by_entry_key+0x80b/0x940 [ 62.252850][ T5072] reiserfs_find_entry+0x1dc/0xe70 [ 62.257954][ T5072] ? search_by_entry_key+0x940/0x940 [ 62.263231][ T5072] ? lock_release+0x4bf/0x690 [ 62.267907][ T5072] reiserfs_lookup+0x1f5/0x690 [ 62.272668][ T5072] ? reiserfs_unlink+0x740/0x740 [ 62.277605][ T5072] __lookup_slow+0x24d/0x450 [ 62.282187][ T5072] ? lookup_open.isra.0+0x13b0/0x13b0 [ 62.287545][ T5072] ? reacquire_held_locks+0x4c0/0x4c0 [ 62.292938][ T5072] ? secondary_startup_64_no_verify+0x11b/0x17b [ 62.299173][ T5072] ? secondary_startup_64_no_verify+0x11b/0x17b [ 62.305415][ T5072] ? d_lookup+0xe9/0x180 [ 62.309648][ T5072] lookup_one_len+0x17d/0x1b0 [ 62.314318][ T5072] ? __lookup_slow+0x450/0x450 [ 62.319080][ T5072] reiserfs_lookup_privroot+0x94/0x200 [ 62.324528][ T5072] reiserfs_fill_super+0x20f9/0x3160 [ 62.329809][ T5072] ? reiserfs_remount+0x1640/0x1640 [ 62.334995][ T5072] ? up_write+0x510/0x510 [ 62.339313][ T5072] ? rcu_is_watching+0x12/0xb0 [ 62.344062][ T5072] ? lock_acquire+0x464/0x520 [ 62.348820][ T5072] ? lock_sync+0x190/0x190 [ 62.353235][ T5072] ? reiserfs_remount+0x1640/0x1640 [ 62.358419][ T5072] mount_bdev+0x1f3/0x2e0 [ 62.362742][ T5072] ? sget+0x640/0x640 [ 62.366711][ T5072] ? apparmor_capable+0x126/0x1e0 [ 62.371725][ T5072] ? reiserfs_kill_sb+0x1e0/0x1e0 [ 62.376732][ T5072] legacy_get_tree+0x109/0x220 [ 62.381490][ T5072] vfs_get_tree+0x8c/0x370 [ 62.385899][ T5072] path_mount+0x1492/0x1ed0 [ 62.390390][ T5072] ? kmem_cache_free+0xf8/0x350 [ 62.395321][ T5072] ? finish_automount+0xa40/0xa40 [ 62.400344][ T5072] ? putname+0x12e/0x170 [ 62.404573][ T5072] __x64_sys_mount+0x293/0x310 [ 62.409329][ T5072] ? copy_mnt_ns+0xb60/0xb60 [ 62.413911][ T5072] ? syscall_trace_enter.constprop.0+0xaf/0x1e0 [ 62.420143][ T5072] do_syscall_64+0x40/0x110 [ 62.424640][ T5072] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 62.430520][ T5072] RIP: 0033:0x7f7cc312746a [ 62.434918][ T5072] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 62.455909][ T5072] RSP: 002b:00007fff028d6cf8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 62.464518][ T5072] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7cc312746a [ 62.472480][ T5072] RDX: 0000000020000180 RSI: 0000000020000040 RDI: 00007fff028d6d40 [ 62.480443][ T5072] RBP: 0000000000000004 R08: 00007fff028d6d80 R09: 0000000000001127 [ 62.488403][ T5072] R10: 000000000001801c R11: 0000000000000286 R12: 00007fff028d6d40 [ 62.496359][ T5072] R13: 00007fff028d6d80 R14: 0000000000400000 R15: 0000000000000003 [ 62.504322][ T5072] [ 62.507325][ T5072] [ 62.509638][ T5072] The buggy address belongs to the physical page: [ 62.516028][ T5072] page:ffffea0001dd9380 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x7764e [ 62.526161][ T5072] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 62.533255][ T5072] page_type: 0xffffffff() [ 62.537568][ T5072] raw: 00fff00000000000 ffffea0001dd93c8 ffffea0001dd9348 0000000000000000 [ 62.546397][ T5072] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 62.555135][ T5072] page dumped because: kasan: bad access detected [ 62.561616][ T5072] page_owner tracks the page as freed [ 62.566965][ T5072] page last allocated via order 0, migratetype Movable, gfp_mask 0x100cca(GFP_HIGHUSER_MOVABLE), pid 5069, tgid 5069 (syz-executor175), ts 54892176994, free_ts 61993977098 [ 62.584068][ T5072] post_alloc_hook+0x2d0/0x350 [ 62.588840][ T5072] get_page_from_freelist+0xa25/0x36d0 [ 62.594312][ T5072] __alloc_pages+0x22e/0x2420 [ 62.598985][ T5072] alloc_pages_mpol+0x258/0x5f0 [ 62.603828][ T5072] shmem_alloc_folio+0x10d/0x140 [ 62.608757][ T5072] shmem_alloc_and_add_folio+0x147/0x7b0 [ 62.614379][ T5072] shmem_get_folio_gfp+0x623/0x1360 [ 62.619583][ T5072] shmem_write_begin+0x15a/0x360 [ 62.624525][ T5072] generic_perform_write+0x278/0x600 [ 62.629807][ T5072] shmem_file_write_iter+0x110/0x140 [ 62.635084][ T5072] vfs_write+0x64f/0xdf0 [ 62.639404][ T5072] ksys_write+0x12f/0x250 [ 62.643748][ T5072] do_syscall_64+0x40/0x110 [ 62.648260][ T5072] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 62.654145][ T5072] page last free stack trace: [ 62.658806][ T5072] free_unref_page_prepare+0x4fa/0xaa0 [ 62.664265][ T5072] free_unref_page_list+0xe6/0xb40 [ 62.669368][ T5072] release_pages+0x32a/0x14f0 [ 62.674028][ T5072] __folio_batch_release+0x77/0xe0 [ 62.679126][ T5072] shmem_undo_range+0x57a/0x1140 [ 62.684051][ T5072] shmem_evict_inode+0x39f/0xba0 [ 62.688974][ T5072] evict+0x2ed/0x6b0 [ 62.692903][ T5072] iput.part.0+0x560/0x7b0 [ 62.697309][ T5072] iput+0x5c/0x80 [ 62.700930][ T5072] dentry_unlink_inode+0x292/0x430 [ 62.706026][ T5072] __dentry_kill+0x3b8/0x640 [ 62.710602][ T5072] dput+0x7eb/0xd90 [ 62.714422][ T5072] __fput+0x3b9/0xb70 [ 62.718390][ T5072] task_work_run+0x14d/0x240 [ 62.722964][ T5072] ptrace_notify+0x10d/0x130 [ 62.727538][ T5072] syscall_exit_to_user_mode_prepare+0x126/0x230 [ 62.733859][ T5072] [ 62.736169][ T5072] Memory state around the buggy address: [ 62.741779][ T5072] ffff88807764ee80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 62.749830][ T5072] ffff88807764ef00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 62.757876][ T5072] >ffff88807764ef80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 62.765920][ T5072] ^ [ 62.772057][ T5072] ffff88807764f000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 62.780111][ T5072] ffff88807764f080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 62.788153][ T5072] ================================================================== [ 62.796414][ T5072] ================================================================== [ 62.804479][ T5072] BUG: KASAN: use-after-free in search_by_entry_key+0x80b/0x940 [ 62.812139][ T5072] Read of size 4 at addr ffff888077650fc4 by task syz-executor175/5072 [ 62.820362][ T5072] [ 62.822673][ T5072] CPU: 1 PID: 5072 Comm: syz-executor175 Tainted: G B 6.7.0-rc8-syzkaller-00055-g5eff55d725a4 #0 [ 62.834544][ T5072] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 [ 62.844587][ T5072] Call Trace: [ 62.847896][ T5072] [ 62.850817][ T5072] dump_stack_lvl+0xd9/0x1b0 [ 62.855435][ T5072] print_report+0xc4/0x620 [ 62.859850][ T5072] ? __virt_addr_valid+0x5e/0x2d0 [ 62.864864][ T5072] ? __phys_addr+0xc6/0x140 [ 62.869358][ T5072] kasan_report+0xda/0x110 [ 62.873769][ T5072] ? search_by_entry_key+0x80b/0x940 [ 62.879049][ T5072] ? search_by_entry_key+0x80b/0x940 [ 62.884331][ T5072] search_by_entry_key+0x80b/0x940 [ 62.889442][ T5072] reiserfs_find_entry+0x1dc/0xe70 [ 62.894549][ T5072] ? search_by_entry_key+0x940/0x940 [ 62.899826][ T5072] ? lock_release+0x4bf/0x690 [ 62.904501][ T5072] reiserfs_lookup+0x1f5/0x690 [ 62.909259][ T5072] ? reiserfs_unlink+0x740/0x740 [ 62.914197][ T5072] __lookup_slow+0x24d/0x450 [ 62.918779][ T5072] ? lookup_open.isra.0+0x13b0/0x13b0 [ 62.924143][ T5072] ? reacquire_held_locks+0x4c0/0x4c0 [ 62.929509][ T5072] ? secondary_startup_64_no_verify+0x11b/0x17b [ 62.935745][ T5072] ? secondary_startup_64_no_verify+0x11b/0x17b [ 62.941981][ T5072] ? d_lookup+0xe9/0x180 [ 62.946218][ T5072] lookup_one_len+0x17d/0x1b0 [ 62.950891][ T5072] ? __lookup_slow+0x450/0x450 [ 62.955652][ T5072] reiserfs_lookup_privroot+0x94/0x200 [ 62.961100][ T5072] reiserfs_fill_super+0x20f9/0x3160 [ 62.966466][ T5072] ? reiserfs_remount+0x1640/0x1640 [ 62.971656][ T5072] ? up_write+0x510/0x510 [ 62.975976][ T5072] ? rcu_is_watching+0x12/0xb0 [ 62.980730][ T5072] ? lock_acquire+0x464/0x520 [ 62.985399][ T5072] ? lock_sync+0x190/0x190 [ 62.989818][ T5072] ? reiserfs_remount+0x1640/0x1640 [ 62.995180][ T5072] mount_bdev+0x1f3/0x2e0 [ 62.999513][ T5072] ? sget+0x640/0x640 [ 63.003485][ T5072] ? apparmor_capable+0x126/0x1e0 [ 63.008502][ T5072] ? reiserfs_kill_sb+0x1e0/0x1e0 [ 63.013512][ T5072] legacy_get_tree+0x109/0x220 [ 63.018272][ T5072] vfs_get_tree+0x8c/0x370 [ 63.022686][ T5072] path_mount+0x1492/0x1ed0 [ 63.027183][ T5072] ? kmem_cache_free+0xf8/0x350 [ 63.032025][ T5072] ? finish_automount+0xa40/0xa40 [ 63.037041][ T5072] ? putname+0x12e/0x170 [ 63.041271][ T5072] __x64_sys_mount+0x293/0x310 [ 63.046031][ T5072] ? copy_mnt_ns+0xb60/0xb60 [ 63.050645][ T5072] ? syscall_trace_enter.constprop.0+0xaf/0x1e0 [ 63.056994][ T5072] do_syscall_64+0x40/0x110 [ 63.061492][ T5072] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 63.067373][ T5072] RIP: 0033:0x7f7cc312746a [ 63.071775][ T5072] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 63.091381][ T5072] RSP: 002b:00007fff028d6cf8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 63.099790][ T5072] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7cc312746a [ 63.107758][ T5072] RDX: 0000000020000180 RSI: 0000000020000040 RDI: 00007fff028d6d40 [ 63.115725][ T5072] RBP: 0000000000000004 R08: 00007fff028d6d80 R09: 0000000000001127 [ 63.123686][ T5072] R10: 000000000001801c R11: 0000000000000286 R12: 00007fff028d6d40 [ 63.131644][ T5072] R13: 00007fff028d6d80 R14: 0000000000400000 R15: 0000000000000003 [ 63.139608][ T5072] [ 63.142614][ T5072] [ 63.144924][ T5072] The buggy address belongs to the physical page: [ 63.151322][ T5072] page:ffffea0001dd9400 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x77650 [ 63.161465][ T5072] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 63.168561][ T5072] page_type: 0xffffffff() [ 63.172879][ T5072] raw: 00fff00000000000 ffffea0001dd9448 ffffea0001dd93c8 0000000000000000 [ 63.181449][ T5072] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 63.190016][ T5072] page dumped because: kasan: bad access detected [ 63.196414][ T5072] page_owner tracks the page as freed [ 63.201765][ T5072] page last allocated via order 0, migratetype Movable, gfp_mask 0x100cca(GFP_HIGHUSER_MOVABLE), pid 5069, tgid 5069 (syz-executor175), ts 54892205174, free_ts 61994209658 [ 63.218779][ T5072] post_alloc_hook+0x2d0/0x350 [ 63.223549][ T5072] get_page_from_freelist+0xa25/0x36d0 [ 63.229006][ T5072] __alloc_pages+0x22e/0x2420 [ 63.233676][ T5072] alloc_pages_mpol+0x258/0x5f0 [ 63.238519][ T5072] shmem_alloc_folio+0x10d/0x140 [ 63.243448][ T5072] shmem_alloc_and_add_folio+0x147/0x7b0 [ 63.249071][ T5072] shmem_get_folio_gfp+0x623/0x1360 [ 63.254262][ T5072] shmem_write_begin+0x15a/0x360 [ 63.259189][ T5072] generic_perform_write+0x278/0x600 [ 63.264468][ T5072] shmem_file_write_iter+0x110/0x140 [ 63.269739][ T5072] vfs_write+0x64f/0xdf0 [ 63.273967][ T5072] ksys_write+0x12f/0x250 [ 63.278287][ T5072] do_syscall_64+0x40/0x110 [ 63.282784][ T5072] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 63.288667][ T5072] page last free stack trace: [ 63.293318][ T5072] free_unref_page_prepare+0x4fa/0xaa0 [ 63.298772][ T5072] free_unref_page_list+0xe6/0xb40 [ 63.303883][ T5072] release_pages+0x32a/0x14f0 [ 63.308545][ T5072] __folio_batch_release+0x77/0xe0 [ 63.313644][ T5072] shmem_undo_range+0x57a/0x1140 [ 63.318655][ T5072] shmem_evict_inode+0x39f/0xba0 [ 63.323574][ T5072] evict+0x2ed/0x6b0 [ 63.327457][ T5072] iput.part.0+0x560/0x7b0 [ 63.331860][ T5072] iput+0x5c/0x80 [ 63.335483][ T5072] dentry_unlink_inode+0x292/0x430 [ 63.340578][ T5072] __dentry_kill+0x3b8/0x640 [ 63.345151][ T5072] dput+0x7eb/0xd90 [ 63.348942][ T5072] __fput+0x3b9/0xb70 [ 63.352906][ T5072] task_work_run+0x14d/0x240 [ 63.357478][ T5072] ptrace_notify+0x10d/0x130 [ 63.362086][ T5072] syscall_exit_to_user_mode_prepare+0x126/0x230 [ 63.368404][ T5072] [ 63.370713][ T5072] Memory state around the buggy address: [ 63.376321][ T5072] ffff888077650e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 63.384363][ T5072] ffff888077650f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 63.392407][ T5072] >ffff888077650f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 63.400447][ T5072] ^ [ 63.406576][ T5072] ffff888077651000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 63.414643][ T5072] ffff888077651080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 63.422705][ T5072] ================================================================== [ 63.431120][ T5072] ================================================================== [ 63.439183][ T5072] BUG: KASAN: use-after-free in search_by_entry_key+0x80b/0x940 [ 63.446843][ T5072] Read of size 4 at addr ffff888077651fc4 by task syz-executor175/5072 [ 63.455082][ T5072] [ 63.457396][ T5072] CPU: 1 PID: 5072 Comm: syz-executor175 Tainted: G B 6.7.0-rc8-syzkaller-00055-g5eff55d725a4 #0 [ 63.469294][ T5072] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 [ 63.479335][ T5072] Call Trace: [ 63.482602][ T5072] [ 63.485520][ T5072] dump_stack_lvl+0xd9/0x1b0 [ 63.490106][ T5072] print_report+0xc4/0x620 [ 63.494519][ T5072] ? __virt_addr_valid+0x5e/0x2d0 [ 63.499530][ T5072] ? __phys_addr+0xc6/0x140 [ 63.504020][ T5072] kasan_report+0xda/0x110 [ 63.508434][ T5072] ? search_by_entry_key+0x80b/0x940 [ 63.513704][ T5072] ? search_by_entry_key+0x80b/0x940 [ 63.518992][ T5072] search_by_entry_key+0x80b/0x940 [ 63.524091][ T5072] reiserfs_find_entry+0x1dc/0xe70 [ 63.529191][ T5072] ? search_by_entry_key+0x940/0x940 [ 63.534506][ T5072] ? lock_release+0x4bf/0x690 [ 63.539172][ T5072] reiserfs_lookup+0x1f5/0x690 [ 63.543927][ T5072] ? reiserfs_unlink+0x740/0x740 [ 63.548855][ T5072] __lookup_slow+0x24d/0x450 [ 63.553540][ T5072] ? lookup_open.isra.0+0x13b0/0x13b0 [ 63.558913][ T5072] ? reacquire_held_locks+0x4c0/0x4c0 [ 63.564270][ T5072] ? secondary_startup_64_no_verify+0x11b/0x17b [ 63.570495][ T5072] ? secondary_startup_64_no_verify+0x11b/0x17b [ 63.576723][ T5072] ? d_lookup+0xe9/0x180 [ 63.580949][ T5072] lookup_one_len+0x17d/0x1b0 [ 63.585610][ T5072] ? __lookup_slow+0x450/0x450 [ 63.590354][ T5072] reiserfs_lookup_privroot+0x94/0x200 [ 63.595794][ T5072] reiserfs_fill_super+0x20f9/0x3160 [ 63.601070][ T5072] ? reiserfs_remount+0x1640/0x1640 [ 63.606246][ T5072] ? up_write+0x510/0x510 [ 63.610556][ T5072] ? rcu_is_watching+0x12/0xb0 [ 63.615303][ T5072] ? lock_acquire+0x464/0x520 [ 63.619962][ T5072] ? lock_sync+0x190/0x190 [ 63.624363][ T5072] ? reiserfs_remount+0x1640/0x1640 [ 63.629547][ T5072] mount_bdev+0x1f3/0x2e0 [ 63.633885][ T5072] ? sget+0x640/0x640 [ 63.637851][ T5072] ? apparmor_capable+0x126/0x1e0 [ 63.642859][ T5072] ? reiserfs_kill_sb+0x1e0/0x1e0 [ 63.647858][ T5072] legacy_get_tree+0x109/0x220 [ 63.652606][ T5072] vfs_get_tree+0x8c/0x370 [ 63.657009][ T5072] path_mount+0x1492/0x1ed0 [ 63.661503][ T5072] ? kmem_cache_free+0xf8/0x350 [ 63.666343][ T5072] ? finish_automount+0xa40/0xa40 [ 63.671353][ T5072] ? putname+0x12e/0x170 [ 63.675582][ T5072] __x64_sys_mount+0x293/0x310 [ 63.680336][ T5072] ? copy_mnt_ns+0xb60/0xb60 [ 63.684904][ T5072] ? syscall_trace_enter.constprop.0+0xaf/0x1e0 [ 63.691127][ T5072] do_syscall_64+0x40/0x110 [ 63.695611][ T5072] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 63.701486][ T5072] RIP: 0033:0x7f7cc312746a [ 63.705879][ T5072] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 63.725469][ T5072] RSP: 002b:00007fff028d6cf8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 63.733864][ T5072] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7cc312746a [ 63.741836][ T5072] RDX: 0000000020000180 RSI: 0000000020000040 RDI: 00007fff028d6d40 [ 63.749790][ T5072] RBP: 0000000000000004 R08: 00007fff028d6d80 R09: 0000000000001127 [ 63.757743][ T5072] R10: 000000000001801c R11: 0000000000000286 R12: 00007fff028d6d40 [ 63.765695][ T5072] R13: 00007fff028d6d80 R14: 0000000000400000 R15: 0000000000000003 [ 63.773651][ T5072] [ 63.776652][ T5072] [ 63.778957][ T5072] The buggy address belongs to the physical page: [ 63.785339][ T5072] page:ffffea0001dd9440 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x77651 [ 63.795463][ T5072] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 63.802547][ T5072] page_type: 0xffffffff() [ 63.806856][ T5072] raw: 00fff00000000000 ffffea0001dd9488 ffffea0001dd9408 0000000000000000 [ 63.815597][ T5072] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 63.824156][ T5072] page dumped because: kasan: bad access detected [ 63.830544][ T5072] page_owner tracks the page as freed [ 63.835887][ T5072] page last allocated via order 0, migratetype Movable, gfp_mask 0x100cca(GFP_HIGHUSER_MOVABLE), pid 5069, tgid 5069 (syz-executor175), ts 54892219263, free_ts 61994203248 [ 63.852881][ T5072] post_alloc_hook+0x2d0/0x350 [ 63.857633][ T5072] get_page_from_freelist+0xa25/0x36d0 [ 63.863077][ T5072] __alloc_pages+0x22e/0x2420 [ 63.867741][ T5072] alloc_pages_mpol+0x258/0x5f0 [ 63.872578][ T5072] shmem_alloc_folio+0x10d/0x140 [ 63.877493][ T5072] shmem_alloc_and_add_folio+0x147/0x7b0 [ 63.883107][ T5072] shmem_get_folio_gfp+0x623/0x1360 [ 63.888289][ T5072] shmem_write_begin+0x15a/0x360 [ 63.893216][ T5072] generic_perform_write+0x278/0x600 [ 63.898516][ T5072] shmem_file_write_iter+0x110/0x140 [ 63.903782][ T5072] vfs_write+0x64f/0xdf0 [ 63.908001][ T5072] ksys_write+0x12f/0x250 [ 63.912336][ T5072] do_syscall_64+0x40/0x110 [ 63.916849][ T5072] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 63.922729][ T5072] page last free stack trace: [ 63.927388][ T5072] free_unref_page_prepare+0x4fa/0xaa0 [ 63.932832][ T5072] free_unref_page_list+0xe6/0xb40 [ 63.937932][ T5072] release_pages+0x32a/0x14f0 [ 63.942588][ T5072] __folio_batch_release+0x77/0xe0 [ 63.947680][ T5072] shmem_undo_range+0x57a/0x1140 [ 63.952603][ T5072] shmem_evict_inode+0x39f/0xba0 [ 63.957517][ T5072] evict+0x2ed/0x6b0 [ 63.961394][ T5072] iput.part.0+0x560/0x7b0 [ 63.965789][ T5072] iput+0x5c/0x80 [ 63.969401][ T5072] dentry_unlink_inode+0x292/0x430 [ 63.974492][ T5072] __dentry_kill+0x3b8/0x640 [ 63.979061][ T5072] dput+0x7eb/0xd90 [ 63.982853][ T5072] __fput+0x3b9/0xb70 [ 63.986812][ T5072] task_work_run+0x14d/0x240 [ 63.991380][ T5072] ptrace_notify+0x10d/0x130 [ 63.995951][ T5072] syscall_exit_to_user_mode_prepare+0x126/0x230 [ 64.002261][ T5072] [ 64.004568][ T5072] Memory state around the buggy address: [ 64.010176][ T5072] ffff888077651e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 64.018222][ T5072] ffff888077651f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 64.026259][ T5072] >ffff888077651f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 64.034326][ T5072] ^ [ 64.040458][ T5072] ffff888077652000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 64.048499][ T5072] ffff888077652080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 64.056544][ T5072] ================================================================== [ 64.064841][ T5072] ================================================================== [ 64.072918][ T5072] BUG: KASAN: use-after-free in search_by_entry_key+0x80b/0x940 [ 64.080581][ T5072] Read of size 4 at addr ffff8880776527c4 by task syz-executor175/5072 [ 64.088812][ T5072] [ 64.091124][ T5072] CPU: 1 PID: 5072 Comm: syz-executor175 Tainted: G B 6.7.0-rc8-syzkaller-00055-g5eff55d725a4 #0 [ 64.103693][ T5072] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 [ 64.113741][ T5072] Call Trace: [ 64.117012][ T5072] [ 64.119932][ T5072] dump_stack_lvl+0xd9/0x1b0 [ 64.124520][ T5072] print_report+0xc4/0x620 [ 64.128934][ T5072] ? __virt_addr_valid+0x5e/0x2d0 [ 64.133950][ T5072] ? __phys_addr+0xc6/0x140 [ 64.138445][ T5072] kasan_report+0xda/0x110 [ 64.142858][ T5072] ? search_by_entry_key+0x80b/0x940 [ 64.148144][ T5072] ? search_by_entry_key+0x80b/0x940 [ 64.153428][ T5072] search_by_entry_key+0x80b/0x940 [ 64.158537][ T5072] reiserfs_find_entry+0x1dc/0xe70 [ 64.163649][ T5072] ? search_by_entry_key+0x940/0x940 [ 64.168928][ T5072] ? lock_release+0x4bf/0x690 [ 64.173714][ T5072] reiserfs_lookup+0x1f5/0x690 [ 64.178487][ T5072] ? reiserfs_unlink+0x740/0x740 [ 64.183457][ T5072] __lookup_slow+0x24d/0x450 [ 64.188042][ T5072] ? lookup_open.isra.0+0x13b0/0x13b0 [ 64.193425][ T5072] ? reacquire_held_locks+0x4c0/0x4c0 [ 64.198794][ T5072] ? secondary_startup_64_no_verify+0x11b/0x17b [ 64.205029][ T5072] ? secondary_startup_64_no_verify+0x11b/0x17b [ 64.211267][ T5072] ? d_lookup+0xe9/0x180 [ 64.215508][ T5072] lookup_one_len+0x17d/0x1b0 [ 64.220177][ T5072] ? __lookup_slow+0x450/0x450 [ 64.224931][ T5072] reiserfs_lookup_privroot+0x94/0x200 [ 64.230384][ T5072] reiserfs_fill_super+0x20f9/0x3160 [ 64.235660][ T5072] ? reiserfs_remount+0x1640/0x1640 [ 64.240859][ T5072] ? up_write+0x510/0x510 [ 64.245958][ T5072] ? rcu_is_watching+0x12/0xb0 [ 64.250795][ T5072] ? lock_acquire+0x464/0x520 [ 64.255467][ T5072] ? lock_sync+0x190/0x190 [ 64.259879][ T5072] ? reiserfs_remount+0x1640/0x1640 [ 64.265065][ T5072] mount_bdev+0x1f3/0x2e0 [ 64.269390][ T5072] ? sget+0x640/0x640 [ 64.273362][ T5072] ? apparmor_capable+0x126/0x1e0 [ 64.278384][ T5072] ? reiserfs_kill_sb+0x1e0/0x1e0 [ 64.283395][ T5072] legacy_get_tree+0x109/0x220 [ 64.288154][ T5072] vfs_get_tree+0x8c/0x370 [ 64.292572][ T5072] path_mount+0x1492/0x1ed0 [ 64.297071][ T5072] ? kmem_cache_free+0xf8/0x350 [ 64.301916][ T5072] ? finish_automount+0xa40/0xa40 [ 64.306933][ T5072] ? putname+0x12e/0x170 [ 64.311166][ T5072] __x64_sys_mount+0x293/0x310 [ 64.315920][ T5072] ? copy_mnt_ns+0xb60/0xb60 [ 64.320499][ T5072] ? syscall_trace_enter.constprop.0+0xaf/0x1e0 [ 64.326730][ T5072] do_syscall_64+0x40/0x110 [ 64.331227][ T5072] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 64.337109][ T5072] RIP: 0033:0x7f7cc312746a [ 64.341509][ T5072] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 64.361112][ T5072] RSP: 002b:00007fff028d6cf8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 64.369636][ T5072] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7cc312746a [ 64.377596][ T5072] RDX: 0000000020000180 RSI: 0000000020000040 RDI: 00007fff028d6d40 [ 64.385576][ T5072] RBP: 0000000000000004 R08: 00007fff028d6d80 R09: 0000000000001127 [ 64.393534][ T5072] R10: 000000000001801c R11: 0000000000000286 R12: 00007fff028d6d40 [ 64.401491][ T5072] R13: 00007fff028d6d80 R14: 0000000000400000 R15: 0000000000000003 [ 64.409453][ T5072] [ 64.412458][ T5072] [ 64.414761][ T5072] The buggy address belongs to the physical page: [ 64.421151][ T5072] page:ffffea0001dd9480 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x77652 [ 64.431288][ T5072] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 64.438389][ T5072] page_type: 0xffffffff() [ 64.442701][ T5072] raw: 00fff00000000000 ffffea0001dd94c8 ffffea0001dd9448 0000000000000000 [ 64.451273][ T5072] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 64.459837][ T5072] page dumped because: kasan: bad access detected [ 64.466228][ T5072] page_owner tracks the page as freed [ 64.471585][ T5072] page last allocated via order 0, migratetype Movable, gfp_mask 0x100cca(GFP_HIGHUSER_MOVABLE), pid 5069, tgid 5069 (syz-executor175), ts 54892233423, free_ts 61994196708 [ 64.488586][ T5072] post_alloc_hook+0x2d0/0x350 [ 64.493345][ T5072] get_page_from_freelist+0xa25/0x36d0 [ 64.498803][ T5072] __alloc_pages+0x22e/0x2420 [ 64.503483][ T5072] alloc_pages_mpol+0x258/0x5f0 [ 64.508323][ T5072] shmem_alloc_folio+0x10d/0x140 [ 64.513245][ T5072] shmem_alloc_and_add_folio+0x147/0x7b0 [ 64.518866][ T5072] shmem_get_folio_gfp+0x623/0x1360 [ 64.524050][ T5072] shmem_write_begin+0x15a/0x360 [ 64.528976][ T5072] generic_perform_write+0x278/0x600 [ 64.534255][ T5072] shmem_file_write_iter+0x110/0x140 [ 64.539524][ T5072] vfs_write+0x64f/0xdf0 [ 64.543751][ T5072] ksys_write+0x12f/0x250 [ 64.548062][ T5072] do_syscall_64+0x40/0x110 [ 64.552556][ T5072] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 64.558445][ T5072] page last free stack trace: [ 64.563100][ T5072] free_unref_page_prepare+0x4fa/0xaa0 [ 64.568553][ T5072] free_unref_page_list+0xe6/0xb40 [ 64.573654][ T5072] release_pages+0x32a/0x14f0 [ 64.578319][ T5072] __folio_batch_release+0x77/0xe0 [ 64.583415][ T5072] shmem_undo_range+0x57a/0x1140 [ 64.588342][ T5072] shmem_evict_inode+0x39f/0xba0 [ 64.593263][ T5072] evict+0x2ed/0x6b0 [ 64.597146][ T5072] iput.part.0+0x560/0x7b0 [ 64.601551][ T5072] iput+0x5c/0x80 [ 64.605176][ T5072] dentry_unlink_inode+0x292/0x430 [ 64.610272][ T5072] __dentry_kill+0x3b8/0x640 [ 64.614854][ T5072] dput+0x7eb/0xd90 [ 64.618648][ T5072] __fput+0x3b9/0xb70 [ 64.622616][ T5072] task_work_run+0x14d/0x240 [ 64.627189][ T5072] ptrace_notify+0x10d/0x130 [ 64.631767][ T5072] syscall_exit_to_user_mode_prepare+0x126/0x230 [ 64.638086][ T5072] [ 64.640392][ T5072] Memory state around the buggy address: [ 64.646002][ T5072] ffff888077652680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 64.654047][ T5072] ffff888077652700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 64.662090][ T5072] >ffff888077652780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 64.670129][ T5072] ^ [ 64.676260][ T5072] ffff888077652800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 64.684307][ T5072] ffff888077652880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 64.692359][ T5072] ================================================================== [ 64.700535][ T5072] ================================================================== [ 64.708607][ T5072] BUG: KASAN: use-after-free in search_by_entry_key+0x80b/0x940 [ 64.716240][ T5072] Read of size 4 at addr ffff888077652bc4 by task syz-executor175/5072 [ 64.724460][ T5072] [ 64.726771][ T5072] CPU: 0 PID: 5072 Comm: syz-executor175 Tainted: G B 6.7.0-rc8-syzkaller-00055-g5eff55d725a4 #0 [ 64.738650][ T5072] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 [ 64.748695][ T5072] Call Trace: [ 64.751975][ T5072] [ 64.754897][ T5072] dump_stack_lvl+0xd9/0x1b0 [ 64.759487][ T5072] print_report+0xc4/0x620 [ 64.763899][ T5072] ? __virt_addr_valid+0x5e/0x2d0 [ 64.768924][ T5072] ? __phys_addr+0xc6/0x140 [ 64.773420][ T5072] kasan_report+0xda/0x110 [ 64.777840][ T5072] ? search_by_entry_key+0x80b/0x940 [ 64.783124][ T5072] ? search_by_entry_key+0x80b/0x940 [ 64.788407][ T5072] search_by_entry_key+0x80b/0x940 [ 64.793519][ T5072] reiserfs_find_entry+0x1dc/0xe70 [ 64.798630][ T5072] ? search_by_entry_key+0x940/0x940 [ 64.803908][ T5072] ? lock_release+0x4bf/0x690 [ 64.808582][ T5072] reiserfs_lookup+0x1f5/0x690 [ 64.813339][ T5072] ? reiserfs_unlink+0x740/0x740 [ 64.818278][ T5072] __lookup_slow+0x24d/0x450 [ 64.822861][ T5072] ? lookup_open.isra.0+0x13b0/0x13b0 [ 64.828222][ T5072] ? reacquire_held_locks+0x4c0/0x4c0 [ 64.833589][ T5072] ? secondary_startup_64_no_verify+0x11b/0x17b [ 64.839827][ T5072] ? secondary_startup_64_no_verify+0x11b/0x17b [ 64.846062][ T5072] ? d_lookup+0xe9/0x180 [ 64.850294][ T5072] lookup_one_len+0x17d/0x1b0 [ 64.854962][ T5072] ? __lookup_slow+0x450/0x450 [ 64.859750][ T5072] reiserfs_lookup_privroot+0x94/0x200 [ 64.865199][ T5072] reiserfs_fill_super+0x20f9/0x3160 [ 64.870481][ T5072] ? reiserfs_remount+0x1640/0x1640 [ 64.875673][ T5072] ? up_write+0x510/0x510 [ 64.879995][ T5072] ? rcu_is_watching+0x12/0xb0 [ 64.884754][ T5072] ? lock_acquire+0x464/0x520 [ 64.889440][ T5072] ? lock_sync+0x190/0x190 [ 64.893858][ T5072] ? reiserfs_remount+0x1640/0x1640 [ 64.899135][ T5072] mount_bdev+0x1f3/0x2e0 [ 64.903473][ T5072] ? sget+0x640/0x640 [ 64.907454][ T5072] ? apparmor_capable+0x126/0x1e0 [ 64.912478][ T5072] ? reiserfs_kill_sb+0x1e0/0x1e0 [ 64.917495][ T5072] legacy_get_tree+0x109/0x220 [ 64.922263][ T5072] vfs_get_tree+0x8c/0x370 [ 64.926680][ T5072] path_mount+0x1492/0x1ed0 [ 64.931184][ T5072] ? kmem_cache_free+0xf8/0x350 [ 64.936033][ T5072] ? finish_automount+0xa40/0xa40 [ 64.941149][ T5072] ? putname+0x12e/0x170 [ 64.945479][ T5072] __x64_sys_mount+0x293/0x310 [ 64.950246][ T5072] ? copy_mnt_ns+0xb60/0xb60 [ 64.954880][ T5072] ? syscall_trace_enter.constprop.0+0xaf/0x1e0 [ 64.961118][ T5072] do_syscall_64+0x40/0x110 [ 64.965632][ T5072] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 64.971517][ T5072] RIP: 0033:0x7f7cc312746a [ 64.975947][ T5072] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 64.996251][ T5072] RSP: 002b:00007fff028d6cf8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 65.004659][ T5072] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7cc312746a [ 65.012625][ T5072] RDX: 0000000020000180 RSI: 0000000020000040 RDI: 00007fff028d6d40 [ 65.020594][ T5072] RBP: 0000000000000004 R08: 00007fff028d6d80 R09: 0000000000001127 [ 65.028555][ T5072] R10: 000000000001801c R11: 0000000000000286 R12: 00007fff028d6d40