[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.
[  OK  ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.198' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   34.460189] audit: type=1400 audit(1600683302.391:8): avc:  denied  { execmem } for  pid=6381 comm="syz-executor462" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[   34.467308] REISERFS (device loop0): found reiserfs format "3.5" with standard journal
[   34.489512] REISERFS (device loop0): using ordered data mode
[   34.495788] reiserfs: using flush barriers
[   34.500978] REISERFS (device loop0): journal params: device loop0, size 8192, journal first block 18, max trans len 1024, max batch 900, max commit age 30, max trans age 30
[   34.521028] REISERFS (device loop0): checking transaction log (loop0)
[   35.128012] ==================================================================
[   35.137762] BUG: KASAN: use-after-free in reiserfs_read_locked_inode+0x2028/0x2190
[   35.146049] Read of size 4 at addr ffff88807cafb000 by task syz-executor462/6381
[   35.153853] 
[   35.155489] CPU: 1 PID: 6381 Comm: syz-executor462 Not tainted 4.14.198-syzkaller #0
[   35.164476] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   35.174137] Call Trace:
[   35.177020]  dump_stack+0x1b2/0x283
[   35.180799]  print_address_description.cold+0x54/0x1d3
[   35.186293]  kasan_report_error.cold+0x8a/0x194
[   35.191014]  ? reiserfs_read_locked_inode+0x2028/0x2190
[   35.196517]  __asan_report_load_n_noabort+0x6b/0x80
[   35.201794]  ? reiserfs_read_locked_inode+0x2028/0x2190
[   35.207778]  reiserfs_read_locked_inode+0x2028/0x2190
[   35.213620]  ? sd_attrs_to_i_attrs+0x230/0x230
[   35.218213]  ? __ww_mutex_wakeup_for_backoff+0x160/0x210
[   35.224073]  reiserfs_fill_super+0x1517/0x28b6
[   35.228783]  ? reiserfs_remount+0x1390/0x1390
[   35.233410]  ? lock_downgrade+0x740/0x740
[   35.237789]  ? snprintf+0xa5/0xd0
[   35.241419]  ? ns_test_super+0x50/0x50
[   35.245510]  ? set_blocksize+0x125/0x380
[   35.249831]  mount_bdev+0x2b3/0x360
[   35.253600]  ? reiserfs_remount+0x1390/0x1390
[   35.258334]  mount_fs+0x92/0x2a0
[   35.261752]  vfs_kern_mount.part.0+0x5b/0x470
[   35.266247]  do_mount+0xe53/0x2a00
[   35.269927]  ? copy_mount_string+0x40/0x40
[   35.275758]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[   35.280765]  ? copy_mnt_ns+0xa30/0xa30
[   35.284785]  ? copy_mount_options+0x1fa/0x2f0
[   35.289408]  ? copy_mnt_ns+0xa30/0xa30
[   35.293709]  SyS_mount+0xa8/0x120
[   35.297342]  ? copy_mnt_ns+0xa30/0xa30
[   35.301958]  do_syscall_64+0x1d5/0x640
[   35.305948]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   35.311489] RIP: 0033:0x446e7a
[   35.314679] RSP: 002b:00007ffc5020f0e8 EFLAGS: 00000297 ORIG_RAX: 00000000000000a5
[   35.323149] RAX: ffffffffffffffda RBX: 00007ffc5020f140 RCX: 0000000000446e7a
[   35.333444] RDX: 0000000020000040 RSI: 0000000020000100 RDI: 00007ffc5020f100
[   35.342457] RBP: 00007ffc5020f100 R08: 00007ffc5020f140 R09: 00007ffc00000015
[   35.350809] R10: 0000000000000000 R11: 0000000000000297 R12: 0000000000000006
[   35.358458] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[   35.365823] 
[   35.367624] The buggy address belongs to the page:
[   35.372656] page:ffffea0001f2bec0 count:0 mapcount:0 mapping:          (null) index:0x1
[   35.381144] flags: 0xfffe0000000000()
[   35.385038] raw: 00fffe0000000000 0000000000000000 0000000000000001 00000000ffffffff
[   35.393365] raw: ffffea0001f2bf20 ffff8880aeb2ed48 0000000000000000 0000000000000000
[   35.401832] page dumped because: kasan: bad access detected
[   35.408219] 
[   35.409843] Memory state around the buggy address:
[   35.415927]  ffff88807cafaf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   35.423889]  ffff88807cafaf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   35.431823] >ffff88807cafb000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   35.439613]                    ^
[   35.443131]  ffff88807cafb080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   35.450834]  ffff88807cafb100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   35.458579] ==================================================================
[   35.466161] Disabling lock debugging due to kernel taint
[   35.483835] Kernel panic - not syncing: panic_on_warn set ...
[   35.483835] 
[   35.491927] CPU: 0 PID: 6381 Comm: syz-executor462 Tainted: G    B   4.14.198-syzkaller #0
[   35.501333] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   35.511389] Call Trace:
[   35.514357]  dump_stack+0x1b2/0x283
[   35.518296]  panic+0x1f9/0x42d
[   35.521853]  ? add_taint.cold+0x16/0x16
[   35.525905]  ? ___preempt_schedule+0x16/0x18
[   35.530752]  kasan_end_report+0x43/0x49
[   35.534950]  kasan_report_error.cold+0xa7/0x194
[   35.541185]  ? reiserfs_read_locked_inode+0x2028/0x2190
[   35.548035]  __asan_report_load_n_noabort+0x6b/0x80
[   35.553302]  ? reiserfs_read_locked_inode+0x2028/0x2190
[   35.558996]  reiserfs_read_locked_inode+0x2028/0x2190
[   35.564500]  ? sd_attrs_to_i_attrs+0x230/0x230
[   35.569142]  ? __ww_mutex_wakeup_for_backoff+0x160/0x210
[   35.574842]  reiserfs_fill_super+0x1517/0x28b6
[   35.579598]  ? reiserfs_remount+0x1390/0x1390
[   35.584404]  ? lock_downgrade+0x740/0x740
[   35.588772]  ? snprintf+0xa5/0xd0
[   35.592475]  ? ns_test_super+0x50/0x50
[   35.596581]  ? set_blocksize+0x125/0x380
[   35.600826]  mount_bdev+0x2b3/0x360
[   35.604465]  ? reiserfs_remount+0x1390/0x1390
[   35.609091]  mount_fs+0x92/0x2a0
[   35.612828]  vfs_kern_mount.part.0+0x5b/0x470
[   35.617585]  do_mount+0xe53/0x2a00
[   35.621419]  ? copy_mount_string+0x40/0x40
[   35.625952]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[   35.630968]  ? copy_mnt_ns+0xa30/0xa30
[   35.634847]  ? copy_mount_options+0x1fa/0x2f0
[   35.639997]  ? copy_mnt_ns+0xa30/0xa30
[   35.644360]  SyS_mount+0xa8/0x120
[   35.647932]  ? copy_mnt_ns+0xa30/0xa30
[   35.652053]  do_syscall_64+0x1d5/0x640
[   35.656081]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   35.661876] RIP: 0033:0x446e7a
[   35.665145] RSP: 002b:00007ffc5020f0e8 EFLAGS: 00000297 ORIG_RAX: 00000000000000a5
[   35.673159] RAX: ffffffffffffffda RBX: 00007ffc5020f140 RCX: 0000000000446e7a
[   35.680641] RDX: 0000000020000040 RSI: 0000000020000100 RDI: 00007ffc5020f100
[   35.688049] RBP: 00007ffc5020f100 R08: 00007ffc5020f140 R09: 00007ffc00000015
[   35.695725] R10: 0000000000000000 R11: 0000000000000297 R12: 0000000000000006
[   35.703384] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[   35.713449] Kernel Offset: disabled
[   35.717352] Rebooting in 86400 seconds..
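Triage helper for the KASAN report above, added here as an example and not part of the syzkaller log or of any syzkaller tooling. It parses the splat's key lines (taken from the log above, abridged to the lines the parser reads) and extracts what a practitioner wants first: the bug class and faulting function, the access size and address, the task, the kernel build, the syscall number at entry (ORIG_RAX), the first reliable non-KASAN frame (frames prefixed with "?" are unconfirmed return addresses left on the stack), and the meaning of the shadow byte covering the faulting address. The shadow poison table is the set of values from mm/kasan/kasan.h in v4.14; the helper names and the choice of which frames count as KASAN infrastructure are this example's own.

```python
import re

# Lines taken from the syzkaller console log above (abridged to what the
# parser uses; the values are the page's own, not invented).
REPORT = """\
[   35.137762] BUG: KASAN: use-after-free in reiserfs_read_locked_inode+0x2028/0x2190
[   35.146049] Read of size 4 at addr ffff88807cafb000 by task syz-executor462/6381
[   35.155489] CPU: 1 PID: 6381 Comm: syz-executor462 Not tainted 4.14.198-syzkaller #0
[   35.174137] Call Trace:
[   35.177020]  dump_stack+0x1b2/0x283
[   35.180799]  print_address_description.cold+0x54/0x1d3
[   35.186293]  kasan_report_error.cold+0x8a/0x194
[   35.191014]  ? reiserfs_read_locked_inode+0x2028/0x2190
[   35.196517]  __asan_report_load_n_noabort+0x6b/0x80
[   35.201794]  ? reiserfs_read_locked_inode+0x2028/0x2190
[   35.207778]  reiserfs_read_locked_inode+0x2028/0x2190
[   35.213620]  ? sd_attrs_to_i_attrs+0x230/0x230
[   35.224073]  reiserfs_fill_super+0x1517/0x28b6
[   35.249831]  mount_bdev+0x2b3/0x360
[   35.258334]  mount_fs+0x92/0x2a0
[   35.261752]  vfs_kern_mount.part.0+0x5b/0x470
[   35.266247]  do_mount+0xe53/0x2a00
[   35.293709]  SyS_mount+0xa8/0x120
[   35.301958]  do_syscall_64+0x1d5/0x640
[   35.305948]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   35.311489] RIP: 0033:0x446e7a
[   35.314679] RSP: 002b:00007ffc5020f0e8 EFLAGS: 00000297 ORIG_RAX: 00000000000000a5
[   35.367624] The buggy address belongs to the page:
[   35.372656] page:ffffea0001f2bec0 count:0 mapcount:0 mapping:          (null) index:0x1
[   35.409843] Memory state around the buggy address:
[   35.415927]  ffff88807cafaf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   35.423889]  ffff88807cafaf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   35.431823] >ffff88807cafb000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   35.439613]                    ^
[   35.443131]  ffff88807cafb080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
"""

TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")

# KASAN shadow poison values (mm/kasan/kasan.h, v4.14). One shadow byte covers
# 8 bytes: 0x00 = fully addressable, 0x01-0x07 = that many leading bytes
# addressable, the values below = inaccessible for the stated reason.
SHADOW_POISON = {
    0xf1: "stack left redzone", 0xf2: "stack mid redzone",
    0xf3: "stack right redzone", 0xf4: "stack partial redzone",
    0xf8: "use-after-scope", 0xf9: "shadow gap", 0xfa: "global redzone",
    0xfb: "kmalloc freed", 0xfc: "kmalloc redzone", 0xfe: "page redzone",
    0xff: "freed page",
}

# Frames belonging to the reporting path, not to the bug (example's own choice).
INFRA_PREFIXES = ("dump_stack", "print_address_description", "kasan_", "__asan_")


def parse_kasan_report(text):
    """Extract triage fields from a KASAN splat; returns a dict."""
    rep = {"frames": [], "shadow": {}}
    in_trace = False
    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw).rstrip()
        m = re.match(r"BUG: KASAN: (\S+) in (\S+)\+0x[0-9a-f]+/0x[0-9a-f]+$", line)
        if m:
            rep["bug"], rep["func"] = m.group(1), m.group(2)
            continue
        m = re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)$", line)
        if m:
            rep.update(access=m.group(1).lower(), size=int(m.group(2)),
                       addr=int(m.group(3), 16), task=m.group(4), pid=int(m.group(5)))
            continue
        m = re.match(r"CPU: \d+ PID: \d+ Comm: \S+ (?:Not tainted|Tainted: .*?) (\S+) #\d+$", line)
        if m:
            rep["kernel"] = m.group(1)
            continue
        m = re.search(r"ORIG_RAX: ([0-9a-f]+)", line)
        if m:
            rep["syscall_nr"] = int(m.group(1), 16)  # x86_64 syscall nr at entry
            continue
        if line.startswith("Call Trace:"):
            in_trace = True
            continue
        if in_trace:
            m = re.match(r"\s*(\?\s+)?(\S+)\+0x[0-9a-f]+/0x[0-9a-f]+$", line)
            if m:
                # "? name" is a stale return address the unwinder could not
                # confirm; keep it but mark it unreliable.
                rep["frames"].append((m.group(2), m.group(1) is None))
                continue
            in_trace = False
        m = re.match(r"(>?)\s*([0-9a-f]{16}): ((?:[0-9a-f]{2}\s?){16})$", line)
        if m:
            rep["shadow"][int(m.group(2), 16)] = [int(b, 16) for b in m.group(3).split()]
    return rep


def shadow_state(rep):
    """Decode the shadow byte that covers the faulting address."""
    addr = rep["addr"]
    for base, row in rep["shadow"].items():
        if base <= addr < base + 8 * len(row):
            code = row[(addr - base) // 8]
            if code == 0:
                return "addressable"
            if code < 8:
                return "partially addressable (%d bytes)" % code
            return SHADOW_POISON.get(code, "unknown poison 0x%02x" % code)
    return "shadow row not in report"


def crash_site(rep):
    """First reliable frame outside KASAN's own reporting path."""
    for name, reliable in rep["frames"]:
        if reliable and not name.startswith(INFRA_PREFIXES):
            return name
    return None


def summarize(text):
    rep = parse_kasan_report(text)
    rep["site"] = crash_site(rep)
    rep["state"] = shadow_state(rep)
    return rep


if __name__ == "__main__":
    s = summarize(REPORT)
    # syscall 165 is __NR_mount on x86_64: the access happened inside mount(2)
    print(s["bug"], "in", s["site"], "| shadow:", s["state"], "| syscall", s["syscall_nr"])
```

Reading the result against the log: the faulting granule's shadow byte is 0xff, KASAN's marker for a freed page, which agrees with the "count:0" page dump, and the syscall number 0xa5 (165) is mount(2) on x86_64, consistent with the SyS_mount frame and the loop0 reiserfs image being mounted. The first reliable non-infrastructure frame is reiserfs_read_locked_inode, so that is where to start reading, not at the "?" entries above it.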