[  OK  ] Started Getty on tty3.
[  OK  ] Started Getty on tty2.
[  OK  ] Started Serial Getty on ttyS0.
[  OK  ] Started Getty on tty1.
[  OK  ] Reached target Login Prompts.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.44' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   65.596785][ T6891] REISERFS (device loop0): found reiserfs format "3.5" with non-standard journal
[   65.607807][ T6891] REISERFS (device loop0): using ordered data mode
[   65.614395][ T6891] reiserfs: using flush barriers
[   65.623189][ T6891] REISERFS (device loop0): journal params: device loop0, size 15748, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
[   65.644378][ T6891] REISERFS (device loop0): checking transaction log (loop0)
[   67.612414][ T6891] REISERFS (device loop0): Using tea hash to sort names
[   67.619627][ T6891] REISERFS (device loop0): using 3.5.x disk format
[   67.627618][ T6891] ==================================================================
[   67.635798][ T6891] BUG: KASAN: use-after-free in search_by_entry_key+0x81f/0x960
[   67.643414][ T6891] Read of size 4 at addr ffff88807d41e7bd by task syz-executor210/6891
[   67.651623][ T6891]
[   67.653952][ T6891] CPU: 1 PID: 6891 Comm: syz-executor210 Not tainted 5.9.0-rc8-syzkaller #0
[   67.662604][ T6891] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   67.672645][ T6891] Call Trace:
[   67.675921][ T6891]  dump_stack+0x198/0x1fd
[   67.680249][ T6891]  ? search_by_entry_key+0x81f/0x960
[   67.685516][ T6891]  ? search_by_entry_key+0x81f/0x960
[   67.690807][ T6891]  print_address_description.constprop.0.cold+0xae/0x497
[   67.697816][ T6891]  ? search_by_entry_key+0x81f/0x960
[   67.703081][ T6891]  ? lockdep_hardirqs_off+0x96/0xd0
[   67.708259][ T6891]  ? vprintk_func+0x95/0x1d4
[   67.712831][ T6891]  ? search_by_entry_key+0x81f/0x960
[   67.718107][ T6891]  ? search_by_entry_key+0x81f/0x960
[   67.723402][ T6891]  kasan_report.cold+0x1f/0x37
[   67.728161][ T6891]  ? search_by_entry_key+0x81f/0x960
[   67.733449][ T6891]  search_by_entry_key+0x81f/0x960
[   67.738548][ T6891]  reiserfs_find_entry.part.0+0x139/0xdf0
[   67.744277][ T6891]  ? find_held_lock+0x2d/0x110
[   67.749062][ T6891]  ? lock_is_held_type+0xbb/0xf0
[   67.753996][ T6891]  ? search_by_entry_key+0x960/0x960
[   67.759268][ T6891]  ? __d_lookup_rcu+0x2a3/0x6a0
[   67.764102][ T6891]  ? check_preemption_disabled+0x50/0x130
[   67.769813][ T6891]  reiserfs_lookup+0x24a/0x490
[   67.774703][ T6891]  ? reiserfs_unlink+0x760/0x760
[   67.779639][ T6891]  ? lockdep_hardirqs_on_prepare+0x530/0x530
[   67.785656][ T6891]  ? lockdep_init_map_waits+0x26a/0x8a0
[   67.791209][ T6891]  ? __raw_spin_lock_init+0x34/0x100
[   67.796746][ T6891]  __lookup_slow+0x24c/0x480
[   67.801420][ T6891]  ? page_put_link+0x210/0x210
[   67.806172][ T6891]  ? __d_lookup+0x3ff/0x6f0
[   67.810721][ T6891]  ? d_lookup+0x54/0x60
[   67.814879][ T6891]  lookup_one_len+0x163/0x190
[   67.819550][ T6891]  ? try_lookup_one_len+0x180/0x180
[   67.824889][ T6891]  ? down_write_killable+0x170/0x170
[   67.830163][ T6891]  reiserfs_lookup_privroot+0x92/0x280
[   67.835626][ T6891]  reiserfs_fill_super+0x211b/0x2df3
[   67.840894][ T6891]  ? reiserfs_remount+0x1580/0x1580
[   67.846075][ T6891]  ? lock_downgrade+0x830/0x830
[   67.850921][ T6891]  ? snprintf+0xbb/0xf0
[   67.855065][ T6891]  ? wait_for_completion+0x260/0x260
[   67.860343][ T6891]  ? set_blocksize+0x1c1/0x400
[   67.865103][ T6891]  mount_bdev+0x32e/0x3f0
[   67.869418][ T6891]  ? reiserfs_remount+0x1580/0x1580
[   67.874629][ T6891]  ? reiserfs_kill_sb+0x1e0/0x1e0
[   67.879638][ T6891]  legacy_get_tree+0x105/0x220
[   67.884400][ T6891]  vfs_get_tree+0x89/0x2f0
[   67.888809][ T6891]  path_mount+0x1387/0x20a0
[   67.893296][ T6891]  ? strncpy_from_user+0x2bf/0x3e0
[   67.898388][ T6891]  ? copy_mount_string+0x40/0x40
[   67.903306][ T6891]  ? getname_flags.part.0+0x1dd/0x4f0
[   67.908671][ T6891]  __x64_sys_mount+0x27f/0x300
[   67.914118][ T6891]  ? copy_mnt_ns+0xa60/0xa60
[   67.918722][ T6891]  ? check_preemption_disabled+0x50/0x130
[   67.924451][ T6891]  ? syscall_enter_from_user_mode+0x1d/0x60
[   67.930345][ T6891]  do_syscall_64+0x2d/0x70
[   67.934746][ T6891]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   67.940635][ T6891] RIP: 0033:0x447d9a
[   67.944524][ T6891] Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 7d a3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 5a a3 fb ff c3 66 0f 1f 84 00 00 00 00 00
[   67.964249][ T6891] RSP: 002b:00007ffe3d8a0238 EFLAGS: 00000297 ORIG_RAX: 00000000000000a5
[   67.972680][ T6891] RAX: ffffffffffffffda RBX: 00007ffe3d8a0290 RCX: 0000000000447d9a
[   67.980840][ T6891] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffe3d8a0250
[   67.988797][ T6891] RBP: 00007ffe3d8a0250 R08: 00007ffe3d8a0290 R09: 0000000000000000
[   67.996769][ T6891] R10: 0000000000000000 R11: 0000000000000297 R12: 0000000000000006
[   68.004827][ T6891] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[   68.012808][ T6891]
[   68.015133][ T6891] The buggy address belongs to the page:
[   68.020761][ T6891] page:00000000b141154e refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x7d41e
[   68.030908][ T6891] flags: 0xfffe0000000000()
[   68.035398][ T6891] raw: 00fffe0000000000 ffffea0001f507c8 ffff8880ae539608 0000000000000000
[   68.043988][ T6891] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[   68.052553][ T6891] page dumped because: kasan: bad access detected
[   68.058947][ T6891]
[   68.061261][ T6891] Memory state around the buggy address:
[   68.066987][ T6891]  ffff88807d41e680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   68.078636][ T6891]  ffff88807d41e700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   68.086685][ T6891] >ffff88807d41e780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   68.094731][ T6891]                                         ^
[   68.100715][ T6891]  ffff88807d41e800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   68.108775][ T6891]  ffff88807d41e880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   68.116814][ T6891] ==================================================================
[   68.124869][ T6891] Disabling lock debugging due to kernel taint
[   68.144268][ T6891] Kernel panic - not syncing: panic_on_warn set ...
[   68.150889][ T6891] CPU: 1 PID: 6891 Comm: syz-executor210 Tainted: G    B             5.9.0-rc8-syzkaller #0
[   68.160952][ T6891] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   68.170985][ T6891] Call Trace:
[   68.174282][ T6891]  dump_stack+0x198/0x1fd
[   68.178623][ T6891]  ? search_by_entry_key+0x800/0x960
[   68.183900][ T6891]  panic+0x382/0x7fb
[   68.187789][ T6891]  ? __warn_printk+0xf3/0xf3
[   68.192446][ T6891]  ? preempt_schedule_common+0x59/0xc0
[   68.197897][ T6891]  ? search_by_entry_key+0x81f/0x960
[   68.203176][ T6891]  ? preempt_schedule_thunk+0x16/0x18
[   68.208537][ T6891]  ? trace_hardirqs_on+0x55/0x220
[   68.213544][ T6891]  ? search_by_entry_key+0x81f/0x960
[   68.218824][ T6891]  ? search_by_entry_key+0x81f/0x960
[   68.224090][ T6891]  end_report+0x4d/0x53
[   68.228237][ T6891]  kasan_report.cold+0xd/0x37
[   68.232892][ T6891]  ? search_by_entry_key+0x81f/0x960
[   68.238154][ T6891]  search_by_entry_key+0x81f/0x960
[   68.243243][ T6891]  reiserfs_find_entry.part.0+0x139/0xdf0
[   68.248955][ T6891]  ? find_held_lock+0x2d/0x110
[   68.253697][ T6891]  ? lock_is_held_type+0xbb/0xf0
[   68.258733][ T6891]  ? search_by_entry_key+0x960/0x960
[   68.264003][ T6891]  ? __d_lookup_rcu+0x2a3/0x6a0
[   68.268832][ T6891]  ? check_preemption_disabled+0x50/0x130
[   68.275153][ T6891]  reiserfs_lookup+0x24a/0x490
[   68.279893][ T6891]  ? reiserfs_unlink+0x760/0x760
[   68.284826][ T6891]  ? lockdep_hardirqs_on_prepare+0x530/0x530
[   68.290800][ T6891]  ? lockdep_init_map_waits+0x26a/0x8a0
[   68.296322][ T6891]  ? __raw_spin_lock_init+0x34/0x100
[   68.301582][ T6891]  __lookup_slow+0x24c/0x480
[   68.306160][ T6891]  ? page_put_link+0x210/0x210
[   68.310915][ T6891]  ? __d_lookup+0x3ff/0x6f0
[   68.315410][ T6891]  ? d_lookup+0x54/0x60
[   68.319558][ T6891]  lookup_one_len+0x163/0x190
[   68.324233][ T6891]  ? try_lookup_one_len+0x180/0x180
[   68.329417][ T6891]  ? down_write_killable+0x170/0x170
[   68.334712][ T6891]  reiserfs_lookup_privroot+0x92/0x280
[   68.340851][ T6891]  reiserfs_fill_super+0x211b/0x2df3
[   68.346116][ T6891]  ? reiserfs_remount+0x1580/0x1580
[   68.351291][ T6891]  ? lock_downgrade+0x830/0x830
[   68.356137][ T6891]  ? snprintf+0xbb/0xf0
[   68.360287][ T6891]  ? wait_for_completion+0x260/0x260
[   68.365567][ T6891]  ? set_blocksize+0x1c1/0x400
[   68.370325][ T6891]  mount_bdev+0x32e/0x3f0
[   68.374654][ T6891]  ? reiserfs_remount+0x1580/0x1580
[   68.379875][ T6891]  ? reiserfs_kill_sb+0x1e0/0x1e0
[   68.384896][ T6891]  legacy_get_tree+0x105/0x220
[   68.389637][ T6891]  vfs_get_tree+0x89/0x2f0
[   68.394059][ T6891]  path_mount+0x1387/0x20a0
[   68.398557][ T6891]  ? strncpy_from_user+0x2bf/0x3e0
[   68.403660][ T6891]  ? copy_mount_string+0x40/0x40
[   68.408592][ T6891]  ? getname_flags.part.0+0x1dd/0x4f0
[   68.413955][ T6891]  __x64_sys_mount+0x27f/0x300
[   68.418701][ T6891]  ? copy_mnt_ns+0xa60/0xa60
[   68.423271][ T6891]  ? check_preemption_disabled+0x50/0x130
[   68.428969][ T6891]  ? syscall_enter_from_user_mode+0x1d/0x60
[   68.434871][ T6891]  do_syscall_64+0x2d/0x70
[   68.439302][ T6891]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   68.445169][ T6891] RIP: 0033:0x447d9a
[   68.449056][ T6891] Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 7d a3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 5a a3 fb ff c3 66 0f 1f 84 00 00 00 00 00
[   68.468664][ T6891] RSP: 002b:00007ffe3d8a0238 EFLAGS: 00000297 ORIG_RAX: 00000000000000a5
[   68.477065][ T6891] RAX: ffffffffffffffda RBX: 00007ffe3d8a0290 RCX: 0000000000447d9a
[   68.485040][ T6891] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffe3d8a0250
[   68.493020][ T6891] RBP: 00007ffe3d8a0250 R08: 00007ffe3d8a0290 R09: 0000000000000000
[   68.500970][ T6891] R10: 0000000000000000 R11: 0000000000000297 R12: 0000000000000006
[   68.508941][ T6891] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[   68.517971][ T6891] Kernel Offset: disabled
[   68.522309][ T6891] Rebooting in 86400 seconds..