[ OK ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
         Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.22' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 32.503780] REISERFS (device loop0): found reiserfs format "3.5" with non-standard journal
[ 32.512506] REISERFS (device loop0): using ordered data mode
[ 32.518303] reiserfs: using flush barriers
[ 32.524540] REISERFS (device loop0): journal params: device loop0, size 15748, journal first block 18, max trans len 1024, max batch 900, max commit age 30, max trans age 30
[ 32.542524] REISERFS (device loop0): checking transaction log (loop0)
[ 33.740800] REISERFS (device loop0): Using r5 hash to sort names
[ 33.747111] REISERFS (device loop0): using 3.5.x disk format
[ 33.753472] ==================================================================
[ 33.760898] BUG: KASAN: use-after-free in leaf_paste_entries+0x421/0x9b0
[ 33.767742] Read of size 18446744073709549059 at addr ffff8880835179bf by task syz-executor427/7983
[ 33.781956]
[ 33.783561] CPU: 1 PID: 7983 Comm: syz-executor427 Not tainted 4.14.209-syzkaller #0
[ 33.791417] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.800748] Call Trace:
[ 33.803317]  dump_stack+0x1b2/0x283
[ 33.806924]  print_address_description.cold+0x54/0x1d3
[ 33.812179]  kasan_report_error.cold+0x8a/0x194
[ 33.816827]  ? leaf_paste_entries+0x421/0x9b0
[ 33.821300]  kasan_report+0x6f/0x7b
[ 33.824906]  ? leaf_paste_entries+0x421/0x9b0
[ 33.829381]  memmove+0x20/0x50
[ 33.832552]  leaf_paste_entries+0x421/0x9b0
[ 33.836881]  balance_leaf+0x8298/0xbaa0
[ 33.840838]  ? reiserfs_prepare_for_journal+0xd5/0x150
[ 33.846119]  ? replace_key+0x150/0x150
[ 33.850011]  do_balance+0x27e/0x630
[ 33.853619]  ? get_right_neighbor_position+0x160/0x160
[ 33.858942]  ? __mutex_unlock_slowpath+0x75/0x770
[ 33.863764]  ? memset+0x20/0x40
[ 33.867052]  reiserfs_paste_into_item+0x569/0x6f0
[ 33.871876]  ? reiserfs_delete_object+0x1e0/0x1e0
[ 33.876720]  ? __mutex_unlock_slowpath+0x23/0x770
[ 33.881542]  ? search_by_entry_key+0xf70/0xf70
[ 33.886128]  ? r5_hash+0x8f/0xb0
[ 33.889475]  ? make_cpu_key+0x22/0x2a0
[ 33.893342]  reiserfs_add_entry+0x7d3/0xbc0
[ 33.897647]  ? reiserfs_lookup+0x400/0x400
[ 33.901864]  ? __mutex_unlock_slowpath+0x23/0x770
[ 33.906686]  ? wait_for_completion_io+0x10/0x10
[ 33.911351]  reiserfs_mkdir+0x5ca/0x8b0
[ 33.915308]  ? reiserfs_mknod+0x690/0x690
[ 33.919448]  reiserfs_xattr_init+0x393/0xa49
[ 33.923844]  reiserfs_fill_super+0x1b18/0x28be
[ 33.928416]  ? reiserfs_remount+0x1390/0x1390
[ 33.932897]  ? lock_downgrade+0x740/0x740
[ 33.937053]  ? snprintf+0xa5/0xd0
[ 33.940605]  mount_bdev+0x2b3/0x360
[ 33.944213]  ? reiserfs_remount+0x1390/0x1390
[ 33.948691]  mount_fs+0x92/0x2a0
[ 33.952042]  vfs_kern_mount.part.0+0x5b/0x470
[ 33.956520]  do_mount+0xe53/0x2a00
[ 33.960050]  ? retint_kernel+0x2d/0x2d
[ 33.963921]  ? copy_mount_string+0x40/0x40
[ 33.968139]  ? memset+0x20/0x40
[ 33.971404]  ? copy_mount_options+0x1fa/0x2f0
[ 33.975909]  ? copy_mnt_ns+0xa30/0xa30
[ 33.979783]  SyS_mount+0xa8/0x120
[ 33.983247]  ? copy_mnt_ns+0xa30/0xa30
[ 33.987147]  do_syscall_64+0x1d5/0x640
[ 33.991061]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 33.996264] RIP: 0033:0x44706a
[ 33.999441] RSP: 002b:00007ffe53434408 EFLAGS: 00000297 ORIG_RAX: 00000000000000a5
[ 34.007162] RAX: ffffffffffffffda RBX: 00007ffe53434460 RCX: 000000000044706a
[ 34.014414] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffe53434420
[ 34.021697] RBP: 00007ffe53434420 R08: 00007ffe53434460 R09: 00007ffe00000015
[ 34.028984] R10: 0000000000000000 R11: 0000000000000297 R12: 0000000000000006
[ 34.036270] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 34.043530]
[ 34.045139] The buggy address belongs to the page:
[ 34.050052] page:ffffea00020d45c0 count:0 mapcount:0 mapping:          (null) index:0x1
[ 34.058178] flags: 0xfff00000000000()
[ 34.061965] raw: 00fff00000000000 0000000000000000 0000000000000001 00000000ffffffff
[ 34.069829] raw: ffffea00020d4620 ffff8880ba52dac8 0000000000000000 0000000000000000
[ 34.077693] page dumped because: kasan: bad access detected
[ 34.083386]
[ 34.084995] Memory state around the buggy address:
[ 34.089907]  ffff888083517880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 34.097417]  ffff888083517900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 34.104760] >ffff888083517980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 34.112102]                                         ^
[ 34.117316]  ffff888083517a00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 34.124660]  ffff888083517a80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 34.132004] ==================================================================
[ 34.139347] Disabling lock debugging due to kernel taint
[ 34.145058] Kernel panic - not syncing: panic_on_warn set ...
[ 34.145058]
[ 34.152625] CPU: 1 PID: 7983 Comm: syz-executor427 Tainted: G    B   4.14.209-syzkaller #0
[ 34.161765] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.171135] Call Trace:
[ 34.173732]  dump_stack+0x1b2/0x283
[ 34.177401]  panic+0x1f9/0x42d
[ 34.180628]  ? add_taint.cold+0x16/0x16
[ 34.184647]  ? ___preempt_schedule+0x16/0x18
[ 34.189046]  kasan_end_report+0x43/0x49
[ 34.193006]  kasan_report_error.cold+0xa7/0x194
[ 34.197661]  ? leaf_paste_entries+0x421/0x9b0
[ 34.202143]  kasan_report+0x6f/0x7b
[ 34.205880]  ? leaf_paste_entries+0x421/0x9b0
[ 34.210360]  memmove+0x20/0x50
[ 34.213542]  leaf_paste_entries+0x421/0x9b0
[ 34.217855]  balance_leaf+0x8298/0xbaa0
[ 34.221864]  ? reiserfs_prepare_for_journal+0xd5/0x150
[ 34.227356]  ? replace_key+0x150/0x150
[ 34.231234]  do_balance+0x27e/0x630
[ 34.234850]  ? get_right_neighbor_position+0x160/0x160
[ 34.240119]  ? __mutex_unlock_slowpath+0x75/0x770
[ 34.244948]  ? memset+0x20/0x40
[ 34.248214]  reiserfs_paste_into_item+0x569/0x6f0
[ 34.253046]  ? reiserfs_delete_object+0x1e0/0x1e0
[ 34.257888]  ? __mutex_unlock_slowpath+0x23/0x770
[ 34.262837]  ? search_by_entry_key+0xf70/0xf70
[ 34.267407]  ? r5_hash+0x8f/0xb0
[ 34.270760]  ? make_cpu_key+0x22/0x2a0
[ 34.274754]  reiserfs_add_entry+0x7d3/0xbc0
[ 34.279064]  ? reiserfs_lookup+0x400/0x400
[ 34.283359]  ? __mutex_unlock_slowpath+0x23/0x770
[ 34.288238]  ? wait_for_completion_io+0x10/0x10
[ 34.292902]  reiserfs_mkdir+0x5ca/0x8b0
[ 34.296862]  ? reiserfs_mknod+0x690/0x690
[ 34.301013]  reiserfs_xattr_init+0x393/0xa49
[ 34.305435]  reiserfs_fill_super+0x1b18/0x28be
[ 34.310018]  ? reiserfs_remount+0x1390/0x1390
[ 34.314543]  ? lock_downgrade+0x740/0x740
[ 34.318679]  ? snprintf+0xa5/0xd0
[ 34.322120]  mount_bdev+0x2b3/0x360
[ 34.325789]  ? reiserfs_remount+0x1390/0x1390
[ 34.330272]  mount_fs+0x92/0x2a0
[ 34.333636]  vfs_kern_mount.part.0+0x5b/0x470
[ 34.338129]  do_mount+0xe53/0x2a00
[ 34.341656]  ? retint_kernel+0x2d/0x2d
[ 34.345548]  ? copy_mount_string+0x40/0x40
[ 34.349790]  ? memset+0x20/0x40
[ 34.353073]  ? copy_mount_options+0x1fa/0x2f0
[ 34.357719]  ? copy_mnt_ns+0xa30/0xa30
[ 34.361685]  SyS_mount+0xa8/0x120
[ 34.365181]  ? copy_mnt_ns+0xa30/0xa30
[ 34.369059]  do_syscall_64+0x1d5/0x640
[ 34.372988]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 34.378285] RIP: 0033:0x44706a
[ 34.381638] RSP: 002b:00007ffe53434408 EFLAGS: 00000297 ORIG_RAX: 00000000000000a5
[ 34.389444] RAX: ffffffffffffffda RBX: 00007ffe53434460 RCX: 000000000044706a
[ 34.396708] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffe53434420
[ 34.404262] RBP: 00007ffe53434420 R08: 00007ffe53434460 R09: 00007ffe00000015
[ 34.411615] R10: 0000000000000000 R11: 0000000000000297 R12: 0000000000000006
[ 34.419020] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 34.427109] Kernel Offset: disabled
[ 34.430736] Rebooting in 86400 seconds..