[  OK  ] Started Getty on tty2.
[  OK  ] Started Getty on tty1.
[  OK  ] Started Serial Getty on ttyS0.
[  OK  ] Reached target Login Prompts.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Update UTMP about System Runlevel Changes.
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.194' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   28.335545] REISERFS (device loop0): found reiserfs format "3.6" with non-standard journal
[   28.350851] REISERFS (device loop0): using ordered data mode
[   28.356751] reiserfs: using flush barriers
[   28.362052] REISERFS (device loop0): journal params: device loop0, size 15748, journal first block 18, max trans len 1024, max batch 900, max commit age 30, max trans age 30
[   28.380031] REISERFS (device loop0): checking transaction log (loop0)
[   29.396116] REISERFS (device loop0): Using tea hash to sort names
[   29.402828] ==================================================================
[   29.410296] BUG: KASAN: out-of-bounds in leaf_paste_entries+0x44b/0x9b0
[   29.417039] Read of size 18446744073709551584 at addr ffff888083885fa4 by task syz-executor132/7965
[   29.426194] 
[   29.427799] CPU: 1 PID: 7965 Comm: syz-executor132 Not tainted 4.14.218-syzkaller #0
[   29.435655] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.444983] Call Trace:
[   29.447551]  dump_stack+0x1b2/0x281
[   29.451157]  print_address_description.cold+0x54/0x1d3
[   29.456411]  kasan_report_error.cold+0x8a/0x191
[   29.461054]  ? leaf_paste_entries+0x44b/0x9b0
[   29.465522]  kasan_report+0x6f/0x80
[   29.469123]  ? leaf_paste_entries+0x44b/0x9b0
[   29.473592]  memmove+0x20/0x50
[   29.476815]  leaf_paste_entries+0x44b/0x9b0
[   29.481201]  balance_leaf+0x827e/0xba30
[   29.485154]  ? replace_key+0x150/0x150
[   29.489017]  do_balance+0x282/0x630
[   29.492617]  ? get_right_neighbor_position+0x160/0x160
[   29.497868]  ? __mutex_unlock_slowpath+0x75/0x770
[   29.502684]  ? memset+0x20/0x40
[   29.505975]  reiserfs_paste_into_item+0x569/0x6f0
[   29.510793]  ? reiserfs_delete_object+0x1e0/0x1e0
[   29.515634]  ? __mutex_unlock_slowpath+0x23/0x770
[   29.520449]  ? keyed_hash+0x767/0xda0
[   29.524222]  ? search_by_entry_key+0xf50/0xf50
[   29.528789]  ? make_cpu_key+0x22/0x2a0
[   29.532660]  reiserfs_add_entry+0x7d3/0xbc0
[   29.536959]  ? reiserfs_lookup+0x400/0x400
[   29.541168]  ? __mutex_unlock_slowpath+0x23/0x770
[   29.545985]  ? wait_for_completion_io+0x10/0x10
[   29.550637]  reiserfs_mkdir+0x5ca/0x8b0
[   29.554593]  ? reiserfs_mknod+0x690/0x690
[   29.558721]  reiserfs_xattr_init+0x393/0xa50
[   29.563104]  reiserfs_fill_super+0x1b18/0x28c0
[   29.567670]  ? reiserfs_remount+0x1390/0x1390
[   29.572156]  ? lock_downgrade+0x740/0x740
[   29.576301]  ? snprintf+0xa5/0xd0
[   29.579739]  mount_bdev+0x2b3/0x360
[   29.583391]  ? reiserfs_remount+0x1390/0x1390
[   29.587876]  mount_fs+0x92/0x2a0
[   29.591273]  vfs_kern_mount.part.0+0x5b/0x470
[   29.595749]  do_mount+0xe53/0x2a00
[   29.599283]  ? retint_kernel+0x2d/0x2d
[   29.603194]  ? copy_mount_string+0x40/0x40
[   29.607447]  ? memset+0x20/0x40
[   29.610702]  ? copy_mount_options+0x1fa/0x2f0
[   29.615282]  ? copy_mnt_ns+0xa30/0xa30
[   29.619144]  SyS_mount+0xa8/0x120
[   29.622571]  ? copy_mnt_ns+0xa30/0xa30
[   29.626434]  do_syscall_64+0x1d5/0x640
[   29.630312]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   29.635476] RIP: 0033:0x4451fa
[   29.638645] RSP: 002b:00007fffa1d61368 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[   29.646328] RAX: ffffffffffffffda RBX: 00007fffa1d613c0 RCX: 00000000004451fa
[   29.653572] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fffa1d61380
[   29.660828] RBP: 00007fffa1d61380 R08: 00007fffa1d613c0 R09: 0000000000000000
[   29.668072] R10: 0000000000000000 R11: 0000000000000286 R12: 00000000200002a8
[   29.675337] R13: 0000000000000003 R14: 0000000000000004 R15: 0000000000000007
[   29.682633] 
[   29.684234] The buggy address belongs to the page:
[   29.689139] page:ffffea00020e2140 count:3 mapcount:0 mapping:ffff8880b1dc7aa8 index:0x3d97
[   29.697517] flags: 0xfff00000001044(referenced|active|private)
[   29.703574] raw: 00fff00000001044 ffff8880b1dc7aa8 0000000000003d97 00000003ffffffff
[   29.711442] raw: dead000000000100 dead000000000200 ffff888088dec5e8 ffff88823b320880
[   29.719382] page dumped because: kasan: bad access detected
[   29.725077] page->mem_cgroup:ffff88823b320880
[   29.729553] 
[   29.731153] Memory state around the buggy address:
[   29.736055]  ffff888083885e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   29.743405]  ffff888083885f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   29.750736] >ffff888083885f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   29.758066]                                ^
[   29.762446]  ffff888083886000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   29.769781]  ffff888083886080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   29.778672] ==================================================================
[   29.786017] Disabling lock debugging due to kernel taint
[   29.791653] Kernel panic - not syncing: panic_on_warn set ...
[   29.791653] 
[   29.799006] CPU: 1 PID: 7965 Comm: syz-executor132 Tainted: G    B             4.14.218-syzkaller #0
[   29.808088] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.817425] Call Trace:
[   29.819988]  dump_stack+0x1b2/0x281
[   29.823590]  panic+0x1f9/0x42d
[   29.826754]  ? add_taint.cold+0x16/0x16
[   29.830719]  ? ___preempt_schedule+0x16/0x18
[   29.835101]  kasan_end_report+0x43/0x49
[   29.839060]  kasan_report_error.cold+0xa7/0x191
[   29.843701]  ? leaf_paste_entries+0x44b/0x9b0
[   29.848170]  kasan_report+0x6f/0x80
[   29.851768]  ? leaf_paste_entries+0x44b/0x9b0
[   29.856246]  memmove+0x20/0x50
[   29.859424]  leaf_paste_entries+0x44b/0x9b0
[   29.863718]  balance_leaf+0x827e/0xba30
[   29.867669]  ? replace_key+0x150/0x150
[   29.871541]  do_balance+0x282/0x630
[   29.875151]  ? get_right_neighbor_position+0x160/0x160
[   29.880399]  ? __mutex_unlock_slowpath+0x75/0x770
[   29.885213]  ? memset+0x20/0x40
[   29.888476]  reiserfs_paste_into_item+0x569/0x6f0
[   29.893303]  ? reiserfs_delete_object+0x1e0/0x1e0
[   29.898143]  ? __mutex_unlock_slowpath+0x23/0x770
[   29.902958]  ? keyed_hash+0x767/0xda0
[   29.906730]  ? search_by_entry_key+0xf50/0xf50
[   29.911287]  ? make_cpu_key+0x22/0x2a0
[   29.915148]  reiserfs_add_entry+0x7d3/0xbc0
[   29.919444]  ? reiserfs_lookup+0x400/0x400
[   29.923649]  ? __mutex_unlock_slowpath+0x23/0x770
[   29.928464]  ? wait_for_completion_io+0x10/0x10
[   29.933121]  reiserfs_mkdir+0x5ca/0x8b0
[   29.937067]  ? reiserfs_mknod+0x690/0x690
[   29.941191]  reiserfs_xattr_init+0x393/0xa50
[   29.945572]  reiserfs_fill_super+0x1b18/0x28c0
[   29.950136]  ? reiserfs_remount+0x1390/0x1390
[   29.954605]  ? lock_downgrade+0x740/0x740
[   29.958726]  ? snprintf+0xa5/0xd0
[   29.962154]  mount_bdev+0x2b3/0x360
[   29.965754]  ? reiserfs_remount+0x1390/0x1390
[   29.970220]  mount_fs+0x92/0x2a0
[   29.973572]  vfs_kern_mount.part.0+0x5b/0x470
[   29.978041]  do_mount+0xe53/0x2a00
[   29.981553]  ? retint_kernel+0x2d/0x2d
[   29.985499]  ? copy_mount_string+0x40/0x40
[   29.989709]  ? memset+0x20/0x40
[   29.992959]  ? copy_mount_options+0x1fa/0x2f0
[   29.997425]  ? copy_mnt_ns+0xa30/0xa30
[   30.001287]  SyS_mount+0xa8/0x120
[   30.004726]  ? copy_mnt_ns+0xa30/0xa30
[   30.008585]  do_syscall_64+0x1d5/0x640
[   30.012445]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   30.017609] RIP: 0033:0x4451fa
[   30.020771] RSP: 002b:00007fffa1d61368 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[   30.028449] RAX: ffffffffffffffda RBX: 00007fffa1d613c0 RCX: 00000000004451fa
[   30.035706] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fffa1d61380
[   30.042958] RBP: 00007fffa1d61380 R08: 00007fffa1d613c0 R09: 0000000000000000
[   30.050201] R10: 0000000000000000 R11: 0000000000000286 R12: 00000000200002a8
[   30.057447] R13: 0000000000000003 R14: 0000000000000004 R15: 0000000000000007
[   30.065512] Kernel Offset: disabled
[   30.069122] Rebooting in 86400 seconds..