Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.194' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 35.457123] IPVS: ftp: loaded support on port[0] = 21
[ 35.530321] REISERFS (device loop0): found reiserfs format "3.5" with non-standard journal
[ 35.539788] REISERFS (device loop0): using ordered data mode
[ 35.546060] reiserfs: using flush barriers
[ 35.552022] REISERFS (device loop0): journal params: device loop0, size 15748, journal first block 18, max trans len 1024, max batch 900, max commit age 0, max trans age 30
[ 35.570041] REISERFS (device loop0): checking transaction log (loop0)
[ 35.578139] REISERFS (device loop0): Using rupasov hash to sort names
[ 35.585232] ==================================================================
[ 35.592736] BUG: KASAN: use-after-free in search_by_entry_key+0xc7e/0xf50
[ 35.599656] Read of size 4 at addr ffff88808b9a6004 by task syz-executor314/7986
[ 35.607170]
[ 35.608779] CPU: 0 PID: 7986 Comm: syz-executor314 Not tainted 4.14.230-syzkaller #0
[ 35.616712] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.626073] Call Trace:
[ 35.628650]  dump_stack+0x1b2/0x281
[ 35.632266]  print_address_description.cold+0x54/0x1d3
[ 35.637527]  kasan_report_error.cold+0x8a/0x191
[ 35.642558]  ? search_by_entry_key+0xc7e/0xf50
[ 35.647129]  __asan_report_load_n_noabort+0x6b/0x80
[ 35.652137]  ? search_by_entry_key+0xc7e/0xf50
[ 35.656860]  search_by_entry_key+0xc7e/0xf50
[ 35.661282]  ? make_cpu_key+0x22/0x2a0
[ 35.665174]  reiserfs_find_entry.part.0+0x138/0x11e0
[ 35.670265]  ? reiserfs_write_lock+0x75/0xf0
[ 35.674663]  ? add_lock_to_list.constprop.0+0x17d/0x330
[ 35.680013]  ? save_trace+0xd6/0x290
[ 35.683716]  ? __ww_mutex_wakeup_for_backoff+0x210/0x210
[ 35.689308]  ? search_by_entry_key+0xf50/0xf50
[ 35.694153]  reiserfs_lookup+0x1fd/0x400
[ 35.698199]  ? reiserfs_unlink+0x6a0/0x6a0
[ 35.702415]  ? fs_reclaim_release+0xd0/0x110
[ 35.706896]  ? __d_alloc+0x2a/0xa20
[ 35.710516]  ? d_alloc+0x1c7/0x240
[ 35.714056]  ? _raw_spin_unlock+0x29/0x40
[ 35.718179]  ? d_alloc+0x1cc/0x240
[ 35.721698]  __lookup_hash+0x1bb/0x270
[ 35.725567]  ? __inode_permission+0xcd/0x2f0
[ 35.729964]  lookup_one_len+0x279/0x3a0
[ 35.733929]  ? lookup_one_len_unlocked+0x410/0x410
[ 35.738847]  reiserfs_lookup_privroot+0x92/0x270
[ 35.743603]  reiserfs_fill_super+0x1211/0x28c0
[ 35.748183]  ? reiserfs_remount+0x1390/0x1390
[ 35.752677]  ? lock_downgrade+0x740/0x740
[ 35.756804]  ? snprintf+0xa5/0xd0
[ 35.760262]  ? ns_test_super+0x50/0x50
[ 35.764136]  ? set_blocksize+0x125/0x380
[ 35.768201]  mount_bdev+0x2b3/0x360
[ 35.771854]  ? reiserfs_remount+0x1390/0x1390
[ 35.776368]  mount_fs+0x92/0x2a0
[ 35.779714]  vfs_kern_mount.part.0+0x5b/0x470
[ 35.784382]  do_mount+0xe53/0x2a00
[ 35.787914]  ? do_raw_spin_unlock+0x164/0x220
[ 35.792387]  ? copy_mount_string+0x40/0x40
[ 35.796599]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 35.801659]  ? copy_mnt_ns+0xa30/0xa30
[ 35.805548]  ? copy_mount_options+0x1fa/0x2f0
[ 35.810096]  ? copy_mnt_ns+0xa30/0xa30
[ 35.813979]  SyS_mount+0xa8/0x120
[ 35.817951]  ? copy_mnt_ns+0xa30/0xa30
[ 35.821824]  do_syscall_64+0x1d5/0x640
[ 35.825713]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 35.830895] RIP: 0033:0x44c95a
[ 35.834077] RSP: 002b:00007ffe5b400d98 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 35.841775] RAX: ffffffffffffffda RBX: 00007ffe5b400df0 RCX: 000000000044c95a
[ 35.849042] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffe5b400db0
[ 35.856293] RBP: 00007ffe5b400db0 R08: 00007ffe5b400df0 R09: 0000003400000000
[ 35.863543] R10: 0000000000208403 R11: 0000000000000286 R12: 0000000000000004
[ 35.870789] R13: 0000000000000003 R14: 0000000000000003 R15: 0000000000000004
[ 35.878057]
[ 35.879659] The buggy address belongs to the page:
[ 35.884582] page:ffffea00022e6980 count:0 mapcount:0 mapping: (null) index:0x1
[ 35.892711] flags: 0xfff00000000000()
[ 35.896493] raw: 00fff00000000000 0000000000000000 0000000000000001 00000000ffffffff
[ 35.904376] raw: ffffea00022e69e0 ffff8880ba42dac8 0000000000000000 0000000000000000
[ 35.912243] page dumped because: kasan: bad access detected
[ 35.918045]
[ 35.919652] Memory state around the buggy address:
[ 35.924586]  ffff88808b9a5f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 35.931930]  ffff88808b9a5f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 35.939285] >ffff88808b9a6000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 35.946631]                    ^
[ 35.949979]  ffff88808b9a6080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 35.957322]  ffff88808b9a6100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 35.964665] ==================================================================
[ 35.972009] Disabling lock debugging due to kernel taint
[ 35.977717] Kernel panic - not syncing: panic_on_warn set ...
[ 35.977717]
[ 35.985184] CPU: 0 PID: 7986 Comm: syz-executor314 Tainted: G B 4.14.230-syzkaller #0
[ 35.994284] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.003634] Call Trace:
[ 36.006846]  dump_stack+0x1b2/0x281
[ 36.010462]  panic+0x1f9/0x42d
[ 36.013629]  ? add_taint.cold+0x16/0x16
[ 36.017683]  kasan_end_report+0x43/0x49
[ 36.021640]  kasan_report_error.cold+0xa7/0x191
[ 36.026293]  ? search_by_entry_key+0xc7e/0xf50
[ 36.030861]  __asan_report_load_n_noabort+0x6b/0x80
[ 36.035870]  ? search_by_entry_key+0xc7e/0xf50
[ 36.040428]  search_by_entry_key+0xc7e/0xf50
[ 36.044831]  ? make_cpu_key+0x22/0x2a0
[ 36.048694]  reiserfs_find_entry.part.0+0x138/0x11e0
[ 36.053776]  ? reiserfs_write_lock+0x75/0xf0
[ 36.058159]  ? add_lock_to_list.constprop.0+0x17d/0x330
[ 36.063504]  ? save_trace+0xd6/0x290
[ 36.067206]  ? __ww_mutex_wakeup_for_backoff+0x210/0x210
[ 36.072666]  ? search_by_entry_key+0xf50/0xf50
[ 36.077228]  reiserfs_lookup+0x1fd/0x400
[ 36.081279]  ? reiserfs_unlink+0x6a0/0x6a0
[ 36.085490]  ? fs_reclaim_release+0xd0/0x110
[ 36.089889]  ? __d_alloc+0x2a/0xa20
[ 36.093490]  ? d_alloc+0x1c7/0x240
[ 36.097010]  ? _raw_spin_unlock+0x29/0x40
[ 36.101134]  ? d_alloc+0x1cc/0x240
[ 36.104751]  __lookup_hash+0x1bb/0x270
[ 36.108629]  ? __inode_permission+0xcd/0x2f0
[ 36.113021]  lookup_one_len+0x279/0x3a0
[ 36.116971]  ? lookup_one_len_unlocked+0x410/0x410
[ 36.121893]  reiserfs_lookup_privroot+0x92/0x270
[ 36.126627]  reiserfs_fill_super+0x1211/0x28c0
[ 36.131213]  ? reiserfs_remount+0x1390/0x1390
[ 36.135685]  ? lock_downgrade+0x740/0x740
[ 36.139820]  ? snprintf+0xa5/0xd0
[ 36.143268]  ? ns_test_super+0x50/0x50
[ 36.147146]  ? set_blocksize+0x125/0x380
[ 36.151187]  mount_bdev+0x2b3/0x360
[ 36.154792]  ? reiserfs_remount+0x1390/0x1390
[ 36.159280]  mount_fs+0x92/0x2a0
[ 36.162625]  vfs_kern_mount.part.0+0x5b/0x470
[ 36.167197]  do_mount+0xe53/0x2a00
[ 36.170891]  ? do_raw_spin_unlock+0x164/0x220
[ 36.175378]  ? copy_mount_string+0x40/0x40
[ 36.179607]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 36.184616]  ? copy_mnt_ns+0xa30/0xa30
[ 36.188492]  ? copy_mount_options+0x1fa/0x2f0
[ 36.192962]  ? copy_mnt_ns+0xa30/0xa30
[ 36.196842]  SyS_mount+0xa8/0x120
[ 36.200289]  ? copy_mnt_ns+0xa30/0xa30
[ 36.204157]  do_syscall_64+0x1d5/0x640
[ 36.208090]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 36.213260] RIP: 0033:0x44c95a
[ 36.216432] RSP: 002b:00007ffe5b400d98 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 36.224120] RAX: ffffffffffffffda RBX: 00007ffe5b400df0 RCX: 000000000044c95a
[ 36.231389] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffe5b400db0
[ 36.238664] RBP: 00007ffe5b400db0 R08: 00007ffe5b400df0 R09: 0000003400000000
[ 36.245912] R10: 0000000000208403 R11: 0000000000000286 R12: 0000000000000004
[ 36.253186] R13: 0000000000000003 R14: 0000000000000003 R15: 0000000000000004
[ 36.260521] Kernel Offset: disabled
[ 36.264135] Rebooting in 86400 seconds..