Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.85' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 32.971456] REISERFS (device loop0): found reiserfs format "3.5" with non-standard journal
[ 32.980467] REISERFS (device loop0): using ordered data mode
[ 32.987799] reiserfs: using flush barriers
[ 32.993076] REISERFS (device loop0): journal params: device loop0, size 15748, journal first block 18, max trans len 1024, max batch 900, max commit age 0, max trans age 30
executing program
[ 33.017315] REISERFS (device loop0): checking transaction log (loop0)
[ 33.024904] REISERFS (device loop0): Using r5 hash to sort names
[ 33.031623] REISERFS (device loop0): using 3.5.x disk format
[ 33.038028] REISERFS warning (device loop0): jdm-20006 create_privroot: xattrs/ACLs enabled and couldn't find/create .reiserfs_priv. Failing mount.
[ 33.092934] REISERFS (device loop0): found reiserfs format "3.5" with non-standard journal
[ 33.101862] REISERFS (device loop0): using ordered data mode
[ 33.108238] reiserfs: using flush barriers
[ 33.113481] REISERFS (device loop0): journal params: device loop0, size 15748, journal first block 18, max trans len 1024, max batch 900, max commit age 0, max trans age 30
[ 33.132861] REISERFS (device loop0): checking transaction log (loop0)
[ 33.141034] REISERFS (device loop0): Using r5 hash to sort names
[ 33.147945] REISERFS (device loop0): using 3.5.x disk format
[ 33.154150] ==================================================================
[ 33.161623] BUG: KASAN: use-after-free in search_by_entry_key+0xcda/0xf30
[ 33.168531] Read of size 4 at addr ffff88808c3f1014 by task syz-executor235/8108
[ 33.176039]
[ 33.177674] CPU: 0 PID: 8108 Comm: syz-executor235 Not tainted 4.19.211-syzkaller #0
[ 33.185554] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.194896] Call Trace:
[ 33.197473] dump_stack+0x1fc/0x2ef
[ 33.201086] print_address_description.cold+0x54/0x219
[ 33.206348] kasan_report_error.cold+0x8a/0x1b9
[ 33.210998] ? search_by_entry_key+0xcda/0xf30
[ 33.215563] __asan_report_load_n_noabort+0x8b/0xa0
[ 33.220559] ? search_by_entry_key+0xcda/0xf30
[ 33.225121] search_by_entry_key+0xcda/0xf30
[ 33.229511] reiserfs_find_entry.part.0+0x142/0x1480
[ 33.234594] ? lock_acquire+0x170/0x3c0
[ 33.238549] ? reiserfs_write_lock+0x75/0xf0
[ 33.242964] ? search_by_entry_key+0xf30/0xf30
[ 33.247553] ? lock_downgrade+0x720/0x720
[ 33.251693] reiserfs_lookup+0x24a/0x490
[ 33.255758] ? reiserfs_unlink+0x760/0x760
[ 33.259981] ? mark_held_locks+0xf0/0xf0
[ 33.264022] ? reiserfs_write_lock_nested+0x65/0xe0
[ 33.269026] ? __lockdep_init_map+0x100/0x5a0
[ 33.273526] ? __lockdep_init_map+0x100/0x5a0
[ 33.278014] __lookup_slow+0x246/0x4a0
[ 33.281887] ? follow_dotdot_rcu+0x1040/0x1040
[ 33.286456] ? __d_lookup+0x411/0x710
[ 33.290245] ? d_lookup+0x18e/0x250
[ 33.293882] lookup_one_len+0x163/0x190
[ 33.297839] ? try_lookup_one_len+0x180/0x180
[ 33.302321] reiserfs_lookup_privroot+0x92/0x280
[ 33.307060] reiserfs_fill_super+0x1f12/0x2d80
[ 33.311626] ? reiserfs_remount+0x1540/0x1540
[ 33.316112] ? lock_downgrade+0x720/0x720
[ 33.320250] ? snprintf+0xbb/0xf0
[ 33.323686] ? wait_for_completion_io+0x10/0x10
[ 33.328338] mount_bdev+0x2fc/0x3b0
[ 33.331946] ? reiserfs_remount+0x1540/0x1540
[ 33.336424] mount_fs+0xa3/0x310
[ 33.339776] vfs_kern_mount.part.0+0x68/0x470
[ 33.344258] do_mount+0x115c/0x2f50
[ 33.347868] ? lock_acquire+0x170/0x3c0
[ 33.351826] ? check_preemption_disabled+0x41/0x280
[ 33.356826] ? copy_mount_string+0x40/0x40
[ 33.361043] ? copy_mount_options+0x59/0x380
[ 33.365442] ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 33.370437] ? kmem_cache_alloc_trace+0x323/0x380
[ 33.375263] ? copy_mount_options+0x26f/0x380
[ 33.379745] ksys_mount+0xcf/0x130
[ 33.383293] __x64_sys_mount+0xba/0x150
[ 33.387260] ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 33.391825] do_syscall_64+0xf9/0x620
[ 33.395610] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 33.400783] RIP: 0033:0x7f8142fbfc8a
[ 33.404491] Code: 48 c7 c2 c0 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 a8 00 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 33.423373] RSP: 002b:00007ffc7acc0008 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 33.431063] RAX: ffffffffffffffda RBX: 00007ffc7acc0060 RCX: 00007f8142fbfc8a
[ 33.438323] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffc7acc0020
[ 33.445578] RBP: 00007ffc7acc0020 R08: 00007ffc7acc0060 R09: 0000000000000000
[ 33.452833] R10: 0000000000000000 R11: 0000000000000286 R12: 00000000200000a0
[ 33.460104] R13: 0000000000000003 R14: 0000000000000004 R15: 0000000000000004
[ 33.467370]
[ 33.469415] The buggy address belongs to the page:
[ 33.474326] page:ffffea000230fc40 count:0 mapcount:0 mapping:0000000000000000 index:0x1
[ 33.482445] flags: 0xfff00000000000()
[ 33.486228] raw: 00fff00000000000 ffffea000230fc88 ffff8880ba02ea88 0000000000000000
[ 33.494103] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 33.501973] page dumped because: kasan: bad access detected
[ 33.507684]
[ 33.509292] Memory state around the buggy address:
[ 33.514318] ffff88808c3f0f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 33.521665] ffff88808c3f0f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 33.529009] >ffff88808c3f1000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.536375] ^
[ 33.540273] ffff88808c3f1080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.547619] ffff88808c3f1100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.554964] ==================================================================
[ 33.562396] Disabling lock debugging due to kernel taint
[ 33.571423] Kernel panic - not syncing: panic_on_warn set ...
[ 33.571423]
[ 33.578800] CPU: 0 PID: 8108 Comm: syz-executor235 Tainted: G B 4.19.211-syzkaller #0
[ 33.588064] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.597408] Call Trace:
[ 33.599984] dump_stack+0x1fc/0x2ef
[ 33.603592] panic+0x26a/0x50e
[ 33.606764] ? __warn_printk+0xf3/0xf3
[ 33.610629] ? preempt_schedule_common+0x45/0xc0
[ 33.615364] ? ___preempt_schedule+0x16/0x18
[ 33.619776] ? trace_hardirqs_on+0x55/0x210
[ 33.624080] kasan_end_report+0x43/0x49
[ 33.628032] kasan_report_error.cold+0xa7/0x1b9
[ 33.632687] ? search_by_entry_key+0xcda/0xf30
[ 33.637260] __asan_report_load_n_noabort+0x8b/0xa0
[ 33.642268] ? search_by_entry_key+0xcda/0xf30
[ 33.646832] search_by_entry_key+0xcda/0xf30
[ 33.651244] reiserfs_find_entry.part.0+0x142/0x1480
[ 33.656339] ? lock_acquire+0x170/0x3c0
[ 33.660298] ? reiserfs_write_lock+0x75/0xf0
[ 33.664700] ? search_by_entry_key+0xf30/0xf30
[ 33.669749] ? lock_downgrade+0x720/0x720
[ 33.673879] reiserfs_lookup+0x24a/0x490
[ 33.678104] ? reiserfs_unlink+0x760/0x760
[ 33.682323] ? mark_held_locks+0xf0/0xf0
[ 33.686363] ? reiserfs_write_lock_nested+0x65/0xe0
[ 33.691369] ? __lockdep_init_map+0x100/0x5a0
[ 33.695844] ? __lockdep_init_map+0x100/0x5a0
[ 33.700321] __lookup_slow+0x246/0x4a0
[ 33.704194] ? follow_dotdot_rcu+0x1040/0x1040
[ 33.708757] ? __d_lookup+0x411/0x710
[ 33.712542] ? d_lookup+0x18e/0x250
[ 33.716155] lookup_one_len+0x163/0x190
[ 33.720109] ? try_lookup_one_len+0x180/0x180
[ 33.724588] reiserfs_lookup_privroot+0x92/0x280
[ 33.729339] reiserfs_fill_super+0x1f12/0x2d80
[ 33.733905] ? reiserfs_remount+0x1540/0x1540
[ 33.738380] ? lock_downgrade+0x720/0x720
[ 33.742510] ? snprintf+0xbb/0xf0
[ 33.745948] ? wait_for_completion_io+0x10/0x10
[ 33.750598] mount_bdev+0x2fc/0x3b0
[ 33.754207] ? reiserfs_remount+0x1540/0x1540
[ 33.758681] mount_fs+0xa3/0x310
[ 33.762032] vfs_kern_mount.part.0+0x68/0x470
[ 33.766506] do_mount+0x115c/0x2f50
[ 33.770119] ? lock_acquire+0x170/0x3c0
[ 33.774076] ? check_preemption_disabled+0x41/0x280
[ 33.779074] ? copy_mount_string+0x40/0x40
[ 33.783289] ? copy_mount_options+0x59/0x380
[ 33.787680] ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 33.792681] ? kmem_cache_alloc_trace+0x323/0x380
[ 33.797504] ? copy_mount_options+0x26f/0x380
[ 33.801980] ksys_mount+0xcf/0x130
[ 33.805502] __x64_sys_mount+0xba/0x150
[ 33.809458] ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 33.814018] do_syscall_64+0xf9/0x620
[ 33.817806] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 33.822977] RIP: 0033:0x7f8142fbfc8a
[ 33.826677] Code: 48 c7 c2 c0 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 a8 00 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 33.845574] RSP: 002b:00007ffc7acc0008 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 33.853264] RAX: ffffffffffffffda RBX: 00007ffc7acc0060 RCX: 00007f8142fbfc8a
[ 33.860517] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffc7acc0020
[ 33.867764] RBP: 00007ffc7acc0020 R08: 00007ffc7acc0060 R09: 0000000000000000
[ 33.875026] R10: 0000000000000000 R11: 0000000000000286 R12: 00000000200000a0
[ 33.882283] R13: 0000000000000003 R14: 0000000000000004 R15: 0000000000000004
[ 33.889698] Kernel Offset: disabled
[ 33.893403] Rebooting in 86400 seconds..