[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
       Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.10.0' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 32.553534] audit: type=1400 audit(1600741185.355:8): avc: denied { execmem } for pid=6350 comm="syz-executor396" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 32.560586] REISERFS (device loop0): found reiserfs format "3.5" with non-standard journal
[ 32.584265] REISERFS (device loop0): using ordered data mode
[ 32.590377] reiserfs: using flush barriers
[ 32.595624] REISERFS (device loop0): journal params: device loop0, size 15748, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
[ 32.613036] REISERFS (device loop0): checking transaction log (loop0)
[ 33.639410] REISERFS (device loop0): Using tea hash to sort names
[ 33.645827] REISERFS (device loop0): using 3.5.x disk format
[ 33.652064] ==================================================================
[ 33.659490] BUG: KASAN: use-after-free in search_by_entry_key+0xc87/0xf70
[ 33.666386] Read of size 4 at addr ffff888078a1c7bd by task syz-executor396/6350
[ 33.673921]
[ 33.675537] CPU: 0 PID: 6350 Comm: syz-executor396 Not tainted 4.14.198-syzkaller #0
[ 33.683388] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.692757] Call Trace:
[ 33.695325] dump_stack+0x1b2/0x283
[ 33.698929] print_address_description.cold+0x54/0x1d3
[ 33.704182] kasan_report_error.cold+0x8a/0x194
[ 33.708855] ? search_by_entry_key+0xc87/0xf70
[ 33.713412] __asan_report_load_n_noabort+0x6b/0x80
[ 33.718406] ? search_by_entry_key+0xc87/0xf70
[ 33.722997] search_by_entry_key+0xc87/0xf70
[ 33.727378] ? make_cpu_key+0x22/0x2a0
[ 33.731240] reiserfs_find_entry.part.0+0x138/0x1200
[ 33.736315] ? reiserfs_write_lock+0x75/0xf0
[ 33.740697] ? add_lock_to_list.constprop.0+0x17d/0x330
[ 33.746073] ? save_trace+0xd6/0x290
[ 33.749781] ? __ww_mutex_wakeup_for_backoff+0x210/0x210
[ 33.755242] ? search_by_entry_key+0xf70/0xf70
[ 33.759850] reiserfs_lookup+0x1fd/0x400
[ 33.763893] ? reiserfs_unlink+0x6a0/0x6a0
[ 33.768107] ? fs_reclaim_release+0xd0/0x110
[ 33.772498] ? __d_alloc+0x2a/0xa20
[ 33.776101] ? d_alloc+0x1c7/0x240
[ 33.779622] ? _raw_spin_unlock+0x29/0x40
[ 33.783743] ? d_alloc+0x1cc/0x240
[ 33.787257] __lookup_hash+0x1bb/0x270
[ 33.791116] ? __inode_permission+0xcd/0x2f0
[ 33.795509] lookup_one_len+0x279/0x3a0
[ 33.799457] ? lookup_one_len_unlocked+0x410/0x410
[ 33.804362] reiserfs_lookup_privroot+0x92/0x270
[ 33.809127] reiserfs_fill_super+0x1ad8/0x28b6
[ 33.813721] ? reiserfs_remount+0x1390/0x1390
[ 33.818196] ? lock_downgrade+0x740/0x740
[ 33.822320] ? snprintf+0xa5/0xd0
[ 33.825750] mount_bdev+0x2b3/0x360
[ 33.829350] ? reiserfs_remount+0x1390/0x1390
[ 33.833819] mount_fs+0x92/0x2a0
[ 33.837198] vfs_kern_mount.part.0+0x5b/0x470
[ 33.841667] do_mount+0xe53/0x2a00
[ 33.845183] ? copy_mount_string+0x40/0x40
[ 33.849391] ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 33.854380] ? copy_mnt_ns+0xa30/0xa30
[ 33.858271] ? copy_mount_options+0x1fa/0x2f0
[ 33.862761] ? copy_mnt_ns+0xa30/0xa30
[ 33.866622] SyS_mount+0xa8/0x120
[ 33.870047] ? copy_mnt_ns+0xa30/0xa30
[ 33.873910] do_syscall_64+0x1d5/0x640
[ 33.877772] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 33.882935] RIP: 0033:0x44706a
[ 33.886098] RSP: 002b:00007ffeabc83998 EFLAGS: 00000297 ORIG_RAX: 00000000000000a5
[ 33.893791] RAX: ffffffffffffffda RBX: 00007ffeabc839f0 RCX: 000000000044706a
[ 33.901037] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffeabc839b0
[ 33.908404] RBP: 00007ffeabc839b0 R08: 00007ffeabc839f0 R09: 00007ffe00000015
[ 33.915660] R10: 0000000000000000 R11: 0000000000000297 R12: 0000000000000006
[ 33.922926] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 33.930174]
[ 33.931774] The buggy address belongs to the page:
[ 33.936675] page:ffffea0001e28700 count:0 mapcount:0 mapping: (null) index:0x1
[ 33.944973] flags: 0xfffe0000000000()
[ 33.948744] raw: 00fffe0000000000 0000000000000000 0000000000000001 00000000ffffffff
[ 33.956601] raw: ffffea0001e28760 ffff8880aea2ed48 0000000000000000 0000000000000000
[ 33.964462] page dumped because: kasan: bad access detected
[ 33.970141]
[ 33.971740] Memory state around the buggy address:
[ 33.976641] ffff888078a1c680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.983991] ffff888078a1c700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.991325] >ffff888078a1c780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.998776]                                         ^
[ 34.003937] ffff888078a1c800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 34.011268] ffff888078a1c880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 34.018597] ==================================================================
[ 34.026105] Disabling lock debugging due to kernel taint
[ 34.031825] Kernel panic - not syncing: panic_on_warn set ...
[ 34.031825]
[ 34.039182] CPU: 0 PID: 6350 Comm: syz-executor396 Tainted: G B 4.14.198-syzkaller #0
[ 34.048266] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.057608] Call Trace:
[ 34.060174] dump_stack+0x1b2/0x283
[ 34.063777] panic+0x1f9/0x42d
[ 34.066945] ? add_taint.cold+0x16/0x16
[ 34.070911] ? ___preempt_schedule+0x16/0x18
[ 34.075298] kasan_end_report+0x43/0x49
[ 34.079261] kasan_report_error.cold+0xa7/0x194
[ 34.083919] ? search_by_entry_key+0xc87/0xf70
[ 34.088477] __asan_report_load_n_noabort+0x6b/0x80
[ 34.093466] ? search_by_entry_key+0xc87/0xf70
[ 34.098019] search_by_entry_key+0xc87/0xf70
[ 34.102398] ? make_cpu_key+0x22/0x2a0
[ 34.106255] reiserfs_find_entry.part.0+0x138/0x1200
[ 34.111331] ? reiserfs_write_lock+0x75/0xf0
[ 34.115746] ? add_lock_to_list.constprop.0+0x17d/0x330
[ 34.121079] ? save_trace+0xd6/0x290
[ 34.124767] ? __ww_mutex_wakeup_for_backoff+0x210/0x210
[ 34.130226] ? search_by_entry_key+0xf70/0xf70
[ 34.134780] reiserfs_lookup+0x1fd/0x400
[ 34.138851] ? reiserfs_unlink+0x6a0/0x6a0
[ 34.143093] ? fs_reclaim_release+0xd0/0x110
[ 34.147510] ? __d_alloc+0x2a/0xa20
[ 34.151124] ? d_alloc+0x1c7/0x240
[ 34.154639] ? _raw_spin_unlock+0x29/0x40
[ 34.158781] ? d_alloc+0x1cc/0x240
[ 34.162293] __lookup_hash+0x1bb/0x270
[ 34.166163] ? __inode_permission+0xcd/0x2f0
[ 34.170542] lookup_one_len+0x279/0x3a0
[ 34.174486] ? lookup_one_len_unlocked+0x410/0x410
[ 34.179389] reiserfs_lookup_privroot+0x92/0x270
[ 34.184117] reiserfs_fill_super+0x1ad8/0x28b6
[ 34.188673] ? reiserfs_remount+0x1390/0x1390
[ 34.193140] ? lock_downgrade+0x740/0x740
[ 34.197259] ? snprintf+0xa5/0xd0
[ 34.200697] mount_bdev+0x2b3/0x360
[ 34.204304] ? reiserfs_remount+0x1390/0x1390
[ 34.208776] mount_fs+0x92/0x2a0
[ 34.212120] vfs_kern_mount.part.0+0x5b/0x470
[ 34.216587] do_mount+0xe53/0x2a00
[ 34.220098] ? copy_mount_string+0x40/0x40
[ 34.224315] ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 34.229300] ? copy_mnt_ns+0xa30/0xa30
[ 34.233157] ? copy_mount_options+0x1fa/0x2f0
[ 34.237644] ? copy_mnt_ns+0xa30/0xa30
[ 34.241506] SyS_mount+0xa8/0x120
[ 34.244959] ? copy_mnt_ns+0xa30/0xa30
[ 34.248845] do_syscall_64+0x1d5/0x640
[ 34.252722] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 34.257895] RIP: 0033:0x44706a
[ 34.261059] RSP: 002b:00007ffeabc83998 EFLAGS: 00000297 ORIG_RAX: 00000000000000a5
[ 34.268845] RAX: ffffffffffffffda RBX: 00007ffeabc839f0 RCX: 000000000044706a
[ 34.276211] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffeabc839b0
[ 34.283453] RBP: 00007ffeabc839b0 R08: 00007ffeabc839f0 R09: 00007ffe00000015
[ 34.290695] R10: 0000000000000000 R11: 0000000000000297 R12: 0000000000000006
[ 34.297935] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 34.306527] Kernel Offset: disabled
[ 34.310134] Rebooting in 86400 seconds..