[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.6' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 546.895672] REISERFS (device loop0): found reiserfs format "3.6" with non-standard journal
[ 546.904918] REISERFS (device loop0): using ordered data mode
[ 546.912270] reiserfs: using flush barriers
[ 546.918350] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
[ 546.934197] REISERFS (device loop0): checking transaction log (loop0)
[ 546.989309] REISERFS (device loop0): Using r5 hash to sort names
[ 546.996050] REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage.
executing program
[ 547.115824] REISERFS (device loop0): found reiserfs format "3.6" with non-standard journal
[ 547.124776] REISERFS (device loop0): using ordered data mode
[ 547.134375] reiserfs: using flush barriers
[ 547.140176] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
[ 547.156109] REISERFS (device loop0): checking transaction log (loop0)
[ 547.209831] REISERFS (device loop0): Using r5 hash to sort names
[ 547.216142] REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage.
executing program
[ 547.356969] REISERFS (device loop0): found reiserfs format "3.6" with non-standard journal
[ 547.365573] REISERFS (device loop0): using ordered data mode
[ 547.372184] reiserfs: using flush barriers
[ 547.378313] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
[ 547.394082] REISERFS (device loop0): checking transaction log (loop0)
[ 547.447798] REISERFS (device loop0): Using r5 hash to sort names
[ 547.454123] REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage.
executing program
[ 547.574695] REISERFS (device loop0): found reiserfs format "3.6" with non-standard journal
[ 547.583753] REISERFS (device loop0): using ordered data mode
[ 547.593361] reiserfs: using flush barriers
[ 547.598562] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
[ 547.614215] REISERFS (device loop0): checking transaction log (loop0)
[ 547.666213] REISERFS (device loop0): Using r5 hash to sort names
[ 547.672554] REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage.
executing program
[ 547.781013] REISERFS (device loop0): found reiserfs format "3.6" with non-standard journal
[ 547.790166] REISERFS (device loop0): using ordered data mode
[ 547.796042] reiserfs: using flush barriers
[ 547.802876] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
[ 547.818955] REISERFS (device loop0): checking transaction log (loop0)
[ 547.873972] REISERFS (device loop0): Using r5 hash to sort names
[ 547.880353] REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage.
executing program
[ 547.989944] REISERFS (device loop0): found reiserfs format "3.6" with non-standard journal
[ 547.998924] REISERFS (device loop0): using ordered data mode
[ 548.009593] reiserfs: using flush barriers
[ 548.014715] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
[ 548.031253] REISERFS (device loop0): checking transaction log (loop0)
executing program
[ 548.084701] REISERFS (device loop0): Using r5 hash to sort names
[ 548.091185] REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage.
[ 548.181223] REISERFS (device loop0): found reiserfs format "3.6" with non-standard journal
[ 548.189914] REISERFS (device loop0): using ordered data mode
[ 548.195706] reiserfs: using flush barriers
[ 548.202038] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
[ 548.218020] REISERFS (device loop0): checking transaction log (loop0)
[ 548.270069] REISERFS (device loop0): Using r5 hash to sort names
[ 548.276366] REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage.
executing program
[ 548.390342] REISERFS (device loop0): found reiserfs format "3.6" with non-standard journal
[ 548.399104] REISERFS (device loop0): using ordered data mode
[ 548.409656] reiserfs: using flush barriers
[ 548.414845] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
[ 548.431441] REISERFS (device loop0): checking transaction log (loop0)
executing program
[ 548.482737] REISERFS (device loop0): Using r5 hash to sort names
[ 548.489087] REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage.
[ 548.560291] REISERFS (device loop0): found reiserfs format "3.6" with non-standard journal
[ 548.569255] REISERFS (device loop0): using ordered data mode
[ 548.575128] reiserfs: using flush barriers
[ 548.582235] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
[ 548.598658] REISERFS (device loop0): checking transaction log (loop0)
[ 548.650775] REISERFS (device loop0): Using r5 hash to sort names
[ 548.657597] REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage.
[ 548.669771] ==================================================================
[ 548.677290] BUG: KASAN: use-after-free in leaf_paste_in_buffer+0xa27/0xc20
[ 548.684305] Read of size 80 at addr ffff888089da7fe0 by task syz-executor866/8190
[ 548.691912]
[ 548.693551] CPU: 0 PID: 8190 Comm: syz-executor866 Not tainted 4.19.211-syzkaller #0
[ 548.701422] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 548.710765] Call Trace:
[ 548.713336]  dump_stack+0x1fc/0x2ef
[ 548.716948]  print_address_description.cold+0x54/0x219
[ 548.722381]  kasan_report_error.cold+0x8a/0x1b9
[ 548.727028]  ? leaf_paste_in_buffer+0xa27/0xc20
[ 548.731677]  kasan_report+0x8f/0xa0
[ 548.735282]  ? leaf_paste_in_buffer+0xa27/0xc20
[ 548.739931]  memcpy+0x20/0x50
[ 548.743020]  leaf_paste_in_buffer+0xa27/0xc20
[ 548.747497]  ? bpf_patch_insn_single+0x80/0x1f0
[ 548.752146]  leaf_copy_dir_entries.isra.0+0x7f3/0x980
[ 548.757318]  ? leaf_paste_entries+0x910/0x910
[ 548.761797]  leaf_move_items+0x17f6/0x3b60
[ 548.766013]  ? leaf_copy_dir_entries.isra.0+0x980/0x980
[ 548.771357]  ? lock_downgrade+0x720/0x720
[ 548.775484]  ? reiserfs_write_lock_nested+0x65/0xe0
[ 548.780480]  ? get_empty_nodes+0x22b/0x710
[ 548.784700]  leaf_shift_left+0xa0/0x380
[ 548.788667]  balance_leaf+0x2fb8/0xca70
[ 548.792638]  ? replace_key+0x160/0x160
[ 548.796507]  do_balance+0x30a/0x760
[ 548.800118]  ? get_right_neighbor_position+0x170/0x170
[ 548.805376]  ? __mutex_unlock_slowpath+0xea/0x610
[ 548.810202]  ? memset+0x20/0x40
[ 548.813464]  reiserfs_paste_into_item+0x636/0x7d0
[ 548.818287]  ? reiserfs_delete_object+0x200/0x200
[ 548.823104]  ? search_by_key+0x22c3/0x3f10
[ 548.827349]  ? scan_bitmap_block.constprop.0+0xf60/0xf60
[ 548.832780]  ? journal_begin+0x210/0x400
[ 548.836824]  reiserfs_get_block+0x19ee/0x3e40
[ 548.841305]  ? reiserfs_commit_write+0x6f0/0x6f0
[ 548.846130]  ? do_raw_spin_lock+0xcb/0x220
[ 548.850347]  ? check_preemption_disabled+0x41/0x280
[ 548.855351]  ? alloc_buffer_head+0x20/0x130
[ 548.859667]  ? do_raw_spin_unlock+0x171/0x230
[ 548.864150]  ? _raw_spin_unlock+0x29/0x40
[ 548.868275]  ? create_page_buffers+0x190/0x350
[ 548.872849]  __block_write_begin_int+0x46c/0x17b0
[ 548.877677]  ? reiserfs_commit_write+0x6f0/0x6f0
[ 548.882415]  ? __breadahead_gfp+0x130/0x130
[ 548.886742]  ? wait_for_stable_page+0x122/0x360
[ 548.891392]  reiserfs_write_begin+0x39f/0xa10
[ 548.895876]  generic_perform_write+0x1f8/0x4d0
[ 548.900441]  ? filemap_page_mkwrite+0x2f0/0x2f0
[ 548.905086]  ? current_time+0x1c0/0x1c0
[ 548.909040]  ? lock_acquire+0x170/0x3c0
[ 548.912993]  __generic_file_write_iter+0x24b/0x610
[ 548.917900]  generic_file_write_iter+0x3f8/0x730
[ 548.922641]  __vfs_write+0x51b/0x770
[ 548.926334]  ? kernel_read+0x110/0x110
[ 548.930205]  ? check_preemption_disabled+0x41/0x280
[ 548.935208]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 548.940203]  vfs_write+0x1f3/0x540
[ 548.943749]  ksys_write+0x12b/0x2a0
[ 548.947353]  ? __ia32_sys_read+0xb0/0xb0
[ 548.951395]  ? trace_hardirqs_off_caller+0x6e/0x210
[ 548.956389]  ? do_syscall_64+0x21/0x620
[ 548.960347]  do_syscall_64+0xf9/0x620
[ 548.964127]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 548.969293] RIP: 0033:0x7f286b234a49
[ 548.972983] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 548.991868] RSP: 002b:00007ffcdd10f3d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 548.999554] RAX: ffffffffffffffda RBX: 0000000000085e20 RCX: 00007f286b234a49
[ 549.006801] RDX: 000000000000fea7 RSI: 00000000200001c0 RDI: 0000000000000006
[ 549.014047] RBP: 0000000000000000 R08: 00007ffcdd10f400 R09: 00007ffcdd10f400
[ 549.021292] R10: 00007ffcdd10f400 R11: 0000000000000246 R12: 00007ffcdd10f3fc
[ 549.028539] R13: 00007ffcdd10f430 R14: 00007ffcdd10f410 R15: 0000000000000008
[ 549.035796]
[ 549.037398] The buggy address belongs to the page:
[ 549.042310] page:ffffea00022769c0 count:3 mapcount:0 mapping:ffff88808ffb0ba0 index:0x214
[ 549.050611] flags: 0xfff00000001044(referenced|active|private)
[ 549.056569] raw: 00fff00000001044 dead000000000100 dead000000000200 ffff88808ffb0ba0
[ 549.064433] raw: 0000000000000214 ffff88808a52c150 00000003ffffffff ffff8880b59f68c0
[ 549.072292] page dumped because: kasan: bad access detected
[ 549.077977] page->mem_cgroup:ffff8880b59f68c0
[ 549.082446]
[ 549.084055] Memory state around the buggy address:
[ 549.088966]  ffff888089da7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 549.096301]  ffff888089da7f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 549.103645] >ffff888089da8000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 549.110988]                    ^
[ 549.114340]  ffff888089da8080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 549.121809]  ffff888089da8100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 549.129145] ==================================================================
[ 549.136480] Disabling lock debugging due to kernel taint
[ 549.142016] Kernel panic - not syncing: panic_on_warn set ...
[ 549.142016]
[ 549.149384] CPU: 0 PID: 8190 Comm: syz-executor866 Tainted: G B 4.19.211-syzkaller #0
[ 549.158646] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 549.167995] Call Trace:
[ 549.170582]  dump_stack+0x1fc/0x2ef
[ 549.174210]  panic+0x26a/0x50e
[ 549.177394]  ? __warn_printk+0xf3/0xf3
[ 549.181259]  ? preempt_schedule_common+0x45/0xc0
[ 549.185992]  ? ___preempt_schedule+0x16/0x18
[ 549.190377]  ? trace_hardirqs_on+0x55/0x210
[ 549.194680]  kasan_end_report+0x43/0x49
[ 549.198636]  kasan_report_error.cold+0xa7/0x1b9
[ 549.203286]  ? leaf_paste_in_buffer+0xa27/0xc20
[ 549.207930]  kasan_report+0x8f/0xa0
[ 549.211543]  ? leaf_paste_in_buffer+0xa27/0xc20
[ 549.216186]  memcpy+0x20/0x50
[ 549.219270]  leaf_paste_in_buffer+0xa27/0xc20
[ 549.223743]  ? bpf_patch_insn_single+0x80/0x1f0
[ 549.228393]  leaf_copy_dir_entries.isra.0+0x7f3/0x980
[ 549.233560]  ? leaf_paste_entries+0x910/0x910
[ 549.238037]  leaf_move_items+0x17f6/0x3b60
[ 549.242251]  ? leaf_copy_dir_entries.isra.0+0x980/0x980
[ 549.247592]  ? lock_downgrade+0x720/0x720
[ 549.251714]  ? reiserfs_write_lock_nested+0x65/0xe0
[ 549.256718]  ? get_empty_nodes+0x22b/0x710
[ 549.260941]  leaf_shift_left+0xa0/0x380
[ 549.264892]  balance_leaf+0x2fb8/0xca70
[ 549.268847]  ? replace_key+0x160/0x160
[ 549.272710]  do_balance+0x30a/0x760
[ 549.276314]  ? get_right_neighbor_position+0x170/0x170
[ 549.281566]  ? __mutex_unlock_slowpath+0xea/0x610
[ 549.286386]  ? memset+0x20/0x40
[ 549.289646]  reiserfs_paste_into_item+0x636/0x7d0
[ 549.294466]  ? reiserfs_delete_object+0x200/0x200
[ 549.299283]  ? search_by_key+0x22c3/0x3f10
[ 549.303510]  ? scan_bitmap_block.constprop.0+0xf60/0xf60
[ 549.308941]  ? journal_begin+0x210/0x400
[ 549.312977]  reiserfs_get_block+0x19ee/0x3e40
[ 549.317453]  ? reiserfs_commit_write+0x6f0/0x6f0
[ 549.322186]  ? do_raw_spin_lock+0xcb/0x220
[ 549.326498]  ? check_preemption_disabled+0x41/0x280
[ 549.331501]  ? alloc_buffer_head+0x20/0x130
[ 549.335822]  ? do_raw_spin_unlock+0x171/0x230
[ 549.340297]  ? _raw_spin_unlock+0x29/0x40
[ 549.344424]  ? create_page_buffers+0x190/0x350
[ 549.348982]  __block_write_begin_int+0x46c/0x17b0
[ 549.353801]  ? reiserfs_commit_write+0x6f0/0x6f0
[ 549.358535]  ? __breadahead_gfp+0x130/0x130
[ 549.362846]  ? wait_for_stable_page+0x122/0x360
[ 549.367493]  reiserfs_write_begin+0x39f/0xa10
[ 549.371979]  generic_perform_write+0x1f8/0x4d0
[ 549.376540]  ? filemap_page_mkwrite+0x2f0/0x2f0
[ 549.381183]  ? current_time+0x1c0/0x1c0
[ 549.385137]  ? lock_acquire+0x170/0x3c0
[ 549.389087]  __generic_file_write_iter+0x24b/0x610
[ 549.393992]  generic_file_write_iter+0x3f8/0x730
[ 549.398728]  __vfs_write+0x51b/0x770
[ 549.402423]  ? kernel_read+0x110/0x110
[ 549.406289]  ? check_preemption_disabled+0x41/0x280
[ 549.411282]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 549.416276]  vfs_write+0x1f3/0x540
[ 549.419798]  ksys_write+0x12b/0x2a0
[ 549.423402]  ? __ia32_sys_read+0xb0/0xb0
[ 549.427447]  ? trace_hardirqs_off_caller+0x6e/0x210
[ 549.432438]  ? do_syscall_64+0x21/0x620
[ 549.436395]  do_syscall_64+0xf9/0x620
[ 549.440178]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 549.445431] RIP: 0033:0x7f286b234a49
[ 549.449121] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 549.468002] RSP: 002b:00007ffcdd10f3d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 549.475692] RAX: ffffffffffffffda RBX: 0000000000085e20 RCX: 00007f286b234a49
[ 549.482939] RDX: 000000000000fea7 RSI: 00000000200001c0 RDI: 0000000000000006
[ 549.490185] RBP: 0000000000000000 R08: 00007ffcdd10f400 R09: 00007ffcdd10f400
[ 549.497430] R10: 00007ffcdd10f400 R11: 0000000000000246 R12: 00007ffcdd10f3fc
[ 549.504684] R13: 00007ffcdd10f430 R14: 00007ffcdd10f410 R15: 0000000000000008
[ 549.512127] Kernel Offset: disabled
[ 549.515734] Rebooting in 86400 seconds..