[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.114' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 44.901232] REISERFS (device loop0): found reiserfs format "3.6" with non-standard journal
[ 44.910698] REISERFS (device loop0): using ordered data mode
[ 44.916494] reiserfs: using flush barriers
[ 44.922320] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
[ 44.938397] REISERFS (device loop0): checking transaction log (loop0)
[ 44.980783] REISERFS (device loop0): Using r5 hash to sort names
[ 44.987358] REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage.
executing program
[ 45.106777] REISERFS (device loop0): found reiserfs format "3.6" with non-standard journal
[ 45.117152] REISERFS (device loop0): using ordered data mode
[ 45.123024] reiserfs: using flush barriers
[ 45.127831] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
[ 45.144330] REISERFS (device loop0): checking transaction log (loop0)
[ 45.185910] REISERFS (device loop0): Using r5 hash to sort names
[ 45.192269] REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage.
[ 45.204790] ==================================================================
[ 45.212294] BUG: KASAN: use-after-free in leaf_paste_in_buffer+0x981/0xb80
[ 45.219303] Read of size 80 at addr ffff88808a9f7fe0 by task syz-executor313/7984
[ 45.226912]
[ 45.228543] CPU: 0 PID: 7984 Comm: syz-executor313 Not tainted 4.14.301-syzkaller #0
[ 45.236499] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 45.245830] Call Trace:
[ 45.248398]  dump_stack+0x1b2/0x281
[ 45.252002]  print_address_description.cold+0x54/0x1d3
[ 45.257254]  kasan_report_error.cold+0x8a/0x191
[ 45.261896]  ? leaf_paste_in_buffer+0x981/0xb80
[ 45.266564]  kasan_report+0x6f/0x80
[ 45.270169]  ? leaf_paste_in_buffer+0x981/0xb80
[ 45.274811]  memcpy+0x20/0x50
[ 45.277897]  leaf_paste_in_buffer+0x981/0xb80
[ 45.282372]  leaf_copy_dir_entries.isra.0+0x770/0x8f0
[ 45.287537]  ? leaf_paste_entries+0x9b0/0x9b0
[ 45.292006]  ? lock_acquire+0x170/0x3f0
[ 45.295956]  leaf_move_items+0x147e/0x3440
[ 45.300165]  ? do_journal_end+0x441/0x4310
[ 45.304378]  ? reiserfs_write_unlock_nested+0xb2/0xf0
[ 45.309540]  ? leaf_copy_dir_entries.isra.0+0x8f0/0x8f0
[ 45.314877]  ? reiserfs_write_lock_nested+0x59/0xd0
[ 45.319870]  ? __ww_mutex_wakeup_for_backoff+0x210/0x210
[ 45.325296]  ? get_empty_nodes+0x1fc/0x650
[ 45.329519]  ? is_left_neighbor_in_cache+0x2f0/0x2f0
[ 45.334601]  leaf_shift_left+0x9f/0x360
[ 45.338566]  balance_leaf+0x2b73/0xba30
[ 45.342526]  ? replace_key+0x150/0x150
[ 45.346405]  do_balance+0x282/0x630
[ 45.350013]  ? get_right_neighbor_position+0x160/0x160
[ 45.355268]  ? __mutex_unlock_slowpath+0x75/0x770
[ 45.360087]  ? memset+0x20/0x40
[ 45.363344]  reiserfs_paste_into_item+0x569/0x6f0
[ 45.368165]  ? reiserfs_delete_object+0x1e0/0x1e0
[ 45.373002]  ? nobh_write_end+0x431/0x440
[ 45.377128]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 45.382552]  ? scan_bitmap_block.constprop.0+0xd20/0xd20
[ 45.387973]  ? journal_begin+0x206/0x3d0
[ 45.392010]  reiserfs_get_block+0x1691/0x36b0
[ 45.396489]  ? reiserfs_commit_write+0x650/0x650
[ 45.401224]  ? radix_tree_extend+0x31a/0x3e0
[ 45.405610]  ? nobh_write_end+0x431/0x440
[ 45.409733]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 45.415178]  ? _raw_spin_unlock+0x29/0x40
[ 45.419304]  ? create_page_buffers+0xce/0x1c0
[ 45.423790]  __block_write_begin_int+0x35c/0x11d0
[ 45.428696]  ? reiserfs_commit_write+0x650/0x650
[ 45.433519]  ? __breadahead_gfp+0x150/0x150
[ 45.437815]  ? wait_for_stable_page+0xe3/0x260
[ 45.442375]  reiserfs_write_begin+0x2e3/0x8a0
[ 45.446868]  generic_perform_write+0x1d5/0x430
[ 45.451429]  ? filemap_page_mkwrite+0x2d0/0x2d0
[ 45.456148]  ? current_time+0xb0/0xb0
[ 45.459941]  ? lock_acquire+0x170/0x3f0
[ 45.463918]  __generic_file_write_iter+0x227/0x590
[ 45.468941]  generic_file_write_iter+0x36f/0x650
[ 45.473679]  ? iov_iter_init+0xa6/0x1c0
[ 45.477718]  __vfs_write+0x44c/0x630
[ 45.481409]  ? kernel_read+0x110/0x110
[ 45.485287]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 45.490292]  vfs_write+0x17f/0x4d0
[ 45.493809]  SyS_write+0xf2/0x210
[ 45.497239]  ? SyS_read+0x210/0x210
[ 45.500840]  ? do_syscall_64+0x4c/0x640
[ 45.504794]  ? SyS_read+0x210/0x210
[ 45.508393]  do_syscall_64+0x1d5/0x640
[ 45.512283]  entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 45.517448] RIP: 0033:0x7feecff6ba49
[ 45.521132] RSP: 002b:00007ffece04a298 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 45.528813] RAX: ffffffffffffffda RBX: 000000000000af5f RCX: 00007feecff6ba49
[ 45.536058] RDX: 000000000000fea7 RSI: 00000000200001c0 RDI: 0000000000000006
[ 45.543301] RBP: 0000000000000000 R08: 00007ffece04a2c0 R09: 00007ffece04a2c0
[ 45.550544] R10: 00007ffece04a2c0 R11: 0000000000000246 R12: 00007ffece04a2bc
[ 45.557789] R13: 00007ffece04a2f0 R14: 00007ffece04a2d0 R15: 0000000000000001
[ 45.565056]
[ 45.566663] The buggy address belongs to the page:
[ 45.571569] page:ffffea00022a7dc0 count:3 mapcount:0 mapping:ffff8880b1bc7b68 index:0x214
[ 45.579859] flags: 0xfff00000001044(referenced|active|private)
[ 45.585810] raw: 00fff00000001044 ffff8880b1bc7b68 0000000000000214 00000003ffffffff
[ 45.593667] raw: dead000000000100 dead000000000200 ffff88808df743f0 ffff88823b3288c0
[ 45.601521] page dumped because: kasan: bad access detected
[ 45.607202] page->mem_cgroup:ffff88823b3288c0
[ 45.611666]
[ 45.613268] Memory state around the buggy address:
[ 45.618176]  ffff88808a9f7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 45.625507]  ffff88808a9f7f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 45.632838] >ffff88808a9f8000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 45.640255]                    ^
[ 45.643592]  ffff88808a9f8080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 45.650923]  ffff88808a9f8100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 45.658261] ==================================================================
[ 45.665592] Disabling lock debugging due to kernel taint
[ 45.671309] Kernel panic - not syncing: panic_on_warn set ...
[ 45.671309]
[ 45.678664] CPU: 0 PID: 7984 Comm: syz-executor313 Tainted: G B 4.14.301-syzkaller #0
[ 45.687747] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 45.697090] Call Trace:
[ 45.699668]  dump_stack+0x1b2/0x281
[ 45.703284]  panic+0x1f9/0x42d
[ 45.706452]  ? add_taint.cold+0x16/0x16
[ 45.710401]  ? ___preempt_schedule+0x16/0x18
[ 45.714784]  kasan_end_report+0x43/0x49
[ 45.718729]  kasan_report_error.cold+0xa7/0x191
[ 45.723371]  ? leaf_paste_in_buffer+0x981/0xb80
[ 45.728014]  kasan_report+0x6f/0x80
[ 45.731619]  ? leaf_paste_in_buffer+0x981/0xb80
[ 45.736259]  memcpy+0x20/0x50
[ 45.739337]  leaf_paste_in_buffer+0x981/0xb80
[ 45.743830]  leaf_copy_dir_entries.isra.0+0x770/0x8f0
[ 45.748992]  ? leaf_paste_entries+0x9b0/0x9b0
[ 45.753460]  ? lock_acquire+0x170/0x3f0
[ 45.757418]  leaf_move_items+0x147e/0x3440
[ 45.761635]  ? do_journal_end+0x441/0x4310
[ 45.765852]  ? reiserfs_write_unlock_nested+0xb2/0xf0
[ 45.771015]  ? leaf_copy_dir_entries.isra.0+0x8f0/0x8f0
[ 45.776353]  ? reiserfs_write_lock_nested+0x59/0xd0
[ 45.781342]  ? __ww_mutex_wakeup_for_backoff+0x210/0x210
[ 45.786766]  ? get_empty_nodes+0x1fc/0x650
[ 45.790973]  ? is_left_neighbor_in_cache+0x2f0/0x2f0
[ 45.796049]  leaf_shift_left+0x9f/0x360
[ 45.799998]  balance_leaf+0x2b73/0xba30
[ 45.803952]  ? replace_key+0x150/0x150
[ 45.807812]  do_balance+0x282/0x630
[ 45.811414]  ? get_right_neighbor_position+0x160/0x160
[ 45.816691]  ? __mutex_unlock_slowpath+0x75/0x770
[ 45.821508]  ? memset+0x20/0x40
[ 45.824764]  reiserfs_paste_into_item+0x569/0x6f0
[ 45.829583]  ? reiserfs_delete_object+0x1e0/0x1e0
[ 45.834409]  ? nobh_write_end+0x431/0x440
[ 45.838534]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 45.843958]  ? scan_bitmap_block.constprop.0+0xd20/0xd20
[ 45.849380]  ? journal_begin+0x206/0x3d0
[ 45.853424]  reiserfs_get_block+0x1691/0x36b0
[ 45.857895]  ? reiserfs_commit_write+0x650/0x650
[ 45.862625]  ? radix_tree_extend+0x31a/0x3e0
[ 45.867096]  ? nobh_write_end+0x431/0x440
[ 45.871216]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 45.876643]  ? _raw_spin_unlock+0x29/0x40
[ 45.880772]  ? create_page_buffers+0xce/0x1c0
[ 45.885329]  __block_write_begin_int+0x35c/0x11d0
[ 45.890325]  ? reiserfs_commit_write+0x650/0x650
[ 45.895067]  ? __breadahead_gfp+0x150/0x150
[ 45.899363]  ? wait_for_stable_page+0xe3/0x260
[ 45.903918]  reiserfs_write_begin+0x2e3/0x8a0
[ 45.908389]  generic_perform_write+0x1d5/0x430
[ 45.912952]  ? filemap_page_mkwrite+0x2d0/0x2d0
[ 45.917593]  ? current_time+0xb0/0xb0
[ 45.921405]  ? lock_acquire+0x170/0x3f0
[ 45.925363]  __generic_file_write_iter+0x227/0x590
[ 45.930267]  generic_file_write_iter+0x36f/0x650
[ 45.934998]  ? iov_iter_init+0xa6/0x1c0
[ 45.938944]  __vfs_write+0x44c/0x630
[ 45.942629]  ? kernel_read+0x110/0x110
[ 45.946515]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 45.951505]  vfs_write+0x17f/0x4d0
[ 45.955019]  SyS_write+0xf2/0x210
[ 45.958443]  ? SyS_read+0x210/0x210
[ 45.962047]  ? do_syscall_64+0x4c/0x640
[ 45.965997]  ? SyS_read+0x210/0x210
[ 45.969596]  do_syscall_64+0x1d5/0x640
[ 45.973466]  entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 45.978634] RIP: 0033:0x7feecff6ba49
[ 45.982317] RSP: 002b:00007ffece04a298 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 45.989996] RAX: ffffffffffffffda RBX: 000000000000af5f RCX: 00007feecff6ba49
[ 45.997240] RDX: 000000000000fea7 RSI: 00000000200001c0 RDI: 0000000000000006
[ 46.004484] RBP: 0000000000000000 R08: 00007ffece04a2c0 R09: 00007ffece04a2c0
[ 46.011728] R10: 00007ffece04a2c0 R11: 0000000000000246 R12: 00007ffece04a2bc
[ 46.018968] R13: 00007ffece04a2f0 R14: 00007ffece04a2d0 R15: 0000000000000001
[ 46.026405] Kernel Offset: disabled
[ 46.030009] Rebooting in 86400 seconds..