[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.197' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 42.366596] REISERFS (device loop0): found reiserfs format "3.5" with non-standard journal
[ 42.375560] REISERFS (device loop0): using ordered data mode
[ 42.381937] reiserfs: using flush barriers
[ 42.387592] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
[ 42.403383] REISERFS (device loop0): checking transaction log (loop0)
[ 42.411597] REISERFS (device loop0): Using r5 hash to sort names
[ 42.418740] ==================================================================
[ 42.426191] BUG: KASAN: use-after-free in search_by_entry_key+0xcda/0xf30
[ 42.433117] Read of size 4 at addr ffff88808a183004 by task syz-executor190/8107
[ 42.440624] 
[ 42.442243] CPU: 1 PID: 8107 Comm: syz-executor190 Not tainted 4.19.211-syzkaller #0
[ 42.450118] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 42.459537] Call Trace:
[ 42.462117]  dump_stack+0x1fc/0x2ef
[ 42.465730]  print_address_description.cold+0x54/0x219
[ 42.471062]  kasan_report_error.cold+0x8a/0x1b9
[ 42.475719]  ? search_by_entry_key+0xcda/0xf30
[ 42.480290]  __asan_report_load_n_noabort+0x8b/0xa0
[ 42.485293]  ? search_by_entry_key+0xcda/0xf30
[ 42.489865]  search_by_entry_key+0xcda/0xf30
[ 42.494363]  reiserfs_find_entry.part.0+0x142/0x1480
[ 42.499567]  ? reiserfs_write_lock+0x75/0xf0
[ 42.503964]  ? search_by_entry_key+0xf30/0xf30
[ 42.508529]  ? lock_downgrade+0x720/0x720
[ 42.512663]  reiserfs_lookup+0x24a/0x490
[ 42.516775]  ? reiserfs_unlink+0x760/0x760
[ 42.521005]  ? mark_held_locks+0xf0/0xf0
[ 42.525056]  ? __lockdep_init_map+0x100/0x5a0
[ 42.529536]  ? __lockdep_init_map+0x100/0x5a0
[ 42.534324]  __lookup_slow+0x246/0x4a0
[ 42.538208]  ? follow_dotdot_rcu+0x1040/0x1040
[ 42.542782]  ? __d_lookup+0x411/0x710
[ 42.546571]  ? d_lookup+0x18e/0x250
[ 42.550186]  lookup_one_len+0x163/0x190
[ 42.554145]  ? try_lookup_one_len+0x180/0x180
[ 42.558630]  reiserfs_lookup_privroot+0x92/0x280
[ 42.563371]  reiserfs_fill_super+0x1f12/0x2d80
[ 42.567952]  ? reiserfs_remount+0x1540/0x1540
[ 42.572441]  ? lock_downgrade+0x720/0x720
[ 42.577619]  ? snprintf+0xbb/0xf0
[ 42.581055]  ? wait_for_completion_io+0x10/0x10
[ 42.585708]  mount_bdev+0x2fc/0x3b0
[ 42.589324]  ? reiserfs_remount+0x1540/0x1540
[ 42.593889]  mount_fs+0xa3/0x310
[ 42.597250]  vfs_kern_mount.part.0+0x68/0x470
[ 42.601742]  do_mount+0x115c/0x2f50
[ 42.605370]  ? lock_acquire+0x170/0x3c0
[ 42.609524]  ? check_preemption_disabled+0x41/0x280
[ 42.614537]  ? copy_mount_string+0x40/0x40
[ 42.618759]  ? copy_mount_options+0x59/0x380
[ 42.623173]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 42.628182]  ? kmem_cache_alloc_trace+0x323/0x380
[ 42.633019]  ? copy_mount_options+0x26f/0x380
[ 42.637673]  ksys_mount+0xcf/0x130
[ 42.641202]  __x64_sys_mount+0xba/0x150
[ 42.645157]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 42.649720]  do_syscall_64+0xf9/0x620
[ 42.653510]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 42.658689] RIP: 0033:0x7fe539e9292a
[ 42.662385] Code: 48 c7 c2 c0 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 a8 00 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 42.681354] RSP: 002b:00007ffff8a7ee28 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 42.689043] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fe539e9292a
[ 42.696290] RDX: 0000000020000000 RSI: 0000000020000040 RDI: 00007ffff8a7ee40
[ 42.703537] RBP: 00007ffff8a7ee40 R08: 00007ffff8a7ee80 R09: 0000000000000000
[ 42.710789] R10: 0000000000208000 R11: 0000000000000286 R12: 0000000000000004
[ 42.718038] R13: 0000555555e522c0 R14: 0000000000208000 R15: 00007ffff8a7ee80
[ 42.725292] 
[ 42.726910] The buggy address belongs to the page:
[ 42.731823] page:ffffea00022860c0 count:0 mapcount:0 mapping:0000000000000000 index:0x1
[ 42.740981] flags: 0xfff00000000000()
[ 42.744762] raw: 00fff00000000000 ffffea0002286108 ffff8880ba12ea88 0000000000000000
[ 42.752709] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 42.760567] page dumped because: kasan: bad access detected
[ 42.766249] 
[ 42.767892] Memory state around the buggy address:
[ 42.772894]  ffff88808a182f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 42.780252]  ffff88808a182f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 42.787676] >ffff88808a183000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 42.795011]                    ^
[ 42.798353]  ffff88808a183080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 42.806036]  ffff88808a183100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 42.813370] ==================================================================
[ 42.820821] Disabling lock debugging due to kernel taint
[ 42.829248] Kernel panic - not syncing: panic_on_warn set ...
[ 42.829248] 
[ 42.836719] CPU: 1 PID: 8107 Comm: syz-executor190 Tainted: G B 4.19.211-syzkaller #0
[ 42.846675] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 42.856101] Call Trace:
[ 42.858675]  dump_stack+0x1fc/0x2ef
[ 42.862308]  panic+0x26a/0x50e
[ 42.865484]  ? __warn_printk+0xf3/0xf3
[ 42.869441]  ? preempt_schedule_common+0x45/0xc0
[ 42.874186]  ? ___preempt_schedule+0x16/0x18
[ 42.878610]  ? trace_hardirqs_on+0x55/0x210
[ 42.882914]  kasan_end_report+0x43/0x49
[ 42.886868]  kasan_report_error.cold+0xa7/0x1b9
[ 42.891515]  ? search_by_entry_key+0xcda/0xf30
[ 42.896078]  __asan_report_load_n_noabort+0x8b/0xa0
[ 42.901082]  ? search_by_entry_key+0xcda/0xf30
[ 42.905641]  search_by_entry_key+0xcda/0xf30
[ 42.910027]  reiserfs_find_entry.part.0+0x142/0x1480
[ 42.915108]  ? reiserfs_write_lock+0x75/0xf0
[ 42.919505]  ? search_by_entry_key+0xf30/0xf30
[ 42.924065]  ? lock_downgrade+0x720/0x720
[ 42.928212]  reiserfs_lookup+0x24a/0x490
[ 42.932250]  ? reiserfs_unlink+0x760/0x760
[ 42.936717]  ? mark_held_locks+0xf0/0xf0
[ 42.940936]  ? __lockdep_init_map+0x100/0x5a0
[ 42.945410]  ? __lockdep_init_map+0x100/0x5a0
[ 42.949886]  __lookup_slow+0x246/0x4a0
[ 42.953751]  ? follow_dotdot_rcu+0x1040/0x1040
[ 42.958313]  ? __d_lookup+0x411/0x710
[ 42.962096]  ? d_lookup+0x18e/0x250
[ 42.965791]  lookup_one_len+0x163/0x190
[ 42.969765]  ? try_lookup_one_len+0x180/0x180
[ 42.974258]  reiserfs_lookup_privroot+0x92/0x280
[ 42.978993]  reiserfs_fill_super+0x1f12/0x2d80
[ 42.983687]  ? reiserfs_remount+0x1540/0x1540
[ 42.988163]  ? lock_downgrade+0x720/0x720
[ 42.992309]  ? snprintf+0xbb/0xf0
[ 42.995760]  ? wait_for_completion_io+0x10/0x10
[ 43.000417]  mount_bdev+0x2fc/0x3b0
[ 43.004204]  ? reiserfs_remount+0x1540/0x1540
[ 43.008681]  mount_fs+0xa3/0x310
[ 43.012030]  vfs_kern_mount.part.0+0x68/0x470
[ 43.016513]  do_mount+0x115c/0x2f50
[ 43.020347]  ? lock_acquire+0x170/0x3c0
[ 43.024311]  ? check_preemption_disabled+0x41/0x280
[ 43.029324]  ? copy_mount_string+0x40/0x40
[ 43.033550]  ? copy_mount_options+0x59/0x380
[ 43.038202]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 43.043308]  ? kmem_cache_alloc_trace+0x323/0x380
[ 43.048277]  ? copy_mount_options+0x26f/0x380
[ 43.052868]  ksys_mount+0xcf/0x130
[ 43.056399]  __x64_sys_mount+0xba/0x150
[ 43.060618]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 43.065182]  do_syscall_64+0xf9/0x620
[ 43.068965]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 43.074136] RIP: 0033:0x7fe539e9292a
[ 43.077833] Code: 48 c7 c2 c0 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 a8 00 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 43.096717] RSP: 002b:00007ffff8a7ee28 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 43.104406] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fe539e9292a
[ 43.111657] RDX: 0000000020000000 RSI: 0000000020000040 RDI: 00007ffff8a7ee40
[ 43.118905] RBP: 00007ffff8a7ee40 R08: 00007ffff8a7ee80 R09: 0000000000000000
[ 43.126150] R10: 0000000000208000 R11: 0000000000000286 R12: 0000000000000004
[ 43.133399] R13: 0000555555e522c0 R14: 0000000000208000 R15: 00007ffff8a7ee80
[ 43.140888] Kernel Offset: disabled
[ 43.144498] Rebooting in 86400 seconds..