Warning: Permanently added '10.128.0.223' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 29.470526] audit: type=1400 audit(1601151964.637:8): avc: denied { execmem } for pid=6349 comm="syz-executor164" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 29.486829] REISERFS (device loop0): found reiserfs format "3.5" with standard journal
[ 29.500821] REISERFS (device loop0): using ordered data mode
[ 29.506791] reiserfs: using flush barriers
[ 29.512777] REISERFS (device loop0): journal params: device loop0, size 8192, journal first block 18, max trans len 1024, max batch 900, max commit age 30, max trans age 30
[ 29.529622] REISERFS (device loop0): checking transaction log (loop0)
[ 30.029494] ==================================================================
[ 30.036911] BUG: KASAN: use-after-free in reiserfs_read_locked_inode+0x2028/0x2190
[ 30.044587] Read of size 4 at addr ffff88807caef000 by task syz-executor164/6350
[ 30.052087]
[ 30.053706] CPU: 0 PID: 6350 Comm: syz-executor164 Not tainted 4.14.198-syzkaller #0
[ 30.061551] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.070959] Call Trace:
[ 30.073520]  dump_stack+0x1b2/0x283
[ 30.077152]  print_address_description.cold+0x54/0x1d3
[ 30.082422]  kasan_report_error.cold+0x8a/0x194
[ 30.087056]  ? reiserfs_read_locked_inode+0x2028/0x2190
[ 30.092394]  __asan_report_load_n_noabort+0x6b/0x80
[ 30.097383]  ? reiserfs_read_locked_inode+0x2028/0x2190
[ 30.102714]  reiserfs_read_locked_inode+0x2028/0x2190
[ 30.107873]  ? sd_attrs_to_i_attrs+0x230/0x230
[ 30.112522]  ? __ww_mutex_wakeup_for_backoff+0x160/0x210
[ 30.117952]  reiserfs_fill_super+0x1517/0x28b6
[ 30.122505]  ? reiserfs_remount+0x1390/0x1390
[ 30.126972]  ? lock_downgrade+0x740/0x740
[ 30.131130]  ? snprintf+0xa5/0xd0
[ 30.134563]  ? ns_test_super+0x50/0x50
[ 30.138422]  ? set_blocksize+0x125/0x380
[ 30.142455]  mount_bdev+0x2b3/0x360
[ 30.146061]  ? reiserfs_remount+0x1390/0x1390
[ 30.150530]  mount_fs+0x92/0x2a0
[ 30.153865]  vfs_kern_mount.part.0+0x5b/0x470
[ 30.158328]  do_mount+0xe53/0x2a00
[ 30.161848]  ? copy_mount_string+0x40/0x40
[ 30.166054]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 30.171044]  ? copy_mnt_ns+0xa30/0xa30
[ 30.174903]  ? copy_mount_options+0x1fa/0x2f0
[ 30.179375]  ? copy_mnt_ns+0xa30/0xa30
[ 30.183235]  SyS_mount+0xa8/0x120
[ 30.186661]  ? copy_mnt_ns+0xa30/0xa30
[ 30.190525]  do_syscall_64+0x1d5/0x640
[ 30.194398]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 30.199555] RIP: 0033:0x447d8a
[ 30.202713] RSP: 002b:00007ffdf5c48f48 EFLAGS: 00000297 ORIG_RAX: 00000000000000a5
[ 30.210390] RAX: ffffffffffffffda RBX: 00007ffdf5c48fa0 RCX: 0000000000447d8a
[ 30.217635] RDX: 0000000020000040 RSI: 0000000020000100 RDI: 00007ffdf5c48f60
[ 30.224874] RBP: 00007ffdf5c48f60 R08: 00007ffdf5c48fa0 R09: 0000000000000000
[ 30.232120] R10: 0000000000000000 R11: 0000000000000297 R12: 0000000000000006
[ 30.239364] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 30.246610]
[ 30.248216] The buggy address belongs to the page:
[ 30.253113] page:ffffea0001f2bbc0 count:0 mapcount:0 mapping: (null) index:0x1
[ 30.261229] flags: 0xfffe0000000000()
[ 30.265004] raw: 00fffe0000000000 0000000000000000 0000000000000001 00000000ffffffff
[ 30.272854] raw: ffffea0001f2bc20 ffff8880aea2ed48 0000000000000000 0000000000000000
[ 30.280699] page dumped because: kasan: bad access detected
[ 30.286376]
[ 30.287983] Memory state around the buggy address:
[ 30.292888]  ffff88807caeef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 30.300217]  ffff88807caeef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 30.307546] >ffff88807caef000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 30.314877]                    ^
[ 30.318240]  ffff88807caef080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 30.325569]  ffff88807caef100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 30.332895] ==================================================================
[ 30.340220] Disabling lock debugging due to kernel taint
[ 30.345884] Kernel panic - not syncing: panic_on_warn set ...
[ 30.345884]
[ 30.353226] CPU: 0 PID: 6350 Comm: syz-executor164 Tainted: G B 4.14.198-syzkaller #0
[ 30.362301] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.371668] Call Trace:
[ 30.374226]  dump_stack+0x1b2/0x283
[ 30.377822]  panic+0x1f9/0x42d
[ 30.380982]  ? add_taint.cold+0x16/0x16
[ 30.384924]  ? ___preempt_schedule+0x16/0x18
[ 30.389304]  kasan_end_report+0x43/0x49
[ 30.393244]  kasan_report_error.cold+0xa7/0x194
[ 30.397879]  ? reiserfs_read_locked_inode+0x2028/0x2190
[ 30.403212]  __asan_report_load_n_noabort+0x6b/0x80
[ 30.408197]  ? reiserfs_read_locked_inode+0x2028/0x2190
[ 30.413614]  reiserfs_read_locked_inode+0x2028/0x2190
[ 30.418800]  ? sd_attrs_to_i_attrs+0x230/0x230
[ 30.423350]  ? __ww_mutex_wakeup_for_backoff+0x160/0x210
[ 30.428864]  reiserfs_fill_super+0x1517/0x28b6
[ 30.433421]  ? reiserfs_remount+0x1390/0x1390
[ 30.437886]  ? lock_downgrade+0x740/0x740
[ 30.442010]  ? snprintf+0xa5/0xd0
[ 30.445465]  ? ns_test_super+0x50/0x50
[ 30.449321]  ? set_blocksize+0x125/0x380
[ 30.453362]  mount_bdev+0x2b3/0x360
[ 30.456985]  ? reiserfs_remount+0x1390/0x1390
[ 30.461449]  mount_fs+0x92/0x2a0
[ 30.464815]  vfs_kern_mount.part.0+0x5b/0x470
[ 30.469278]  do_mount+0xe53/0x2a00
[ 30.472788]  ? copy_mount_string+0x40/0x40
[ 30.476990]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 30.481973]  ? copy_mnt_ns+0xa30/0xa30
[ 30.485828]  ? copy_mount_options+0x1fa/0x2f0
[ 30.490289]  ? copy_mnt_ns+0xa30/0xa30
[ 30.494141]  SyS_mount+0xa8/0x120
[ 30.497564]  ? copy_mnt_ns+0xa30/0xa30
[ 30.501445]  do_syscall_64+0x1d5/0x640
[ 30.505312]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 30.510622] RIP: 0033:0x447d8a
[ 30.513782] RSP: 002b:00007ffdf5c48f48 EFLAGS: 00000297 ORIG_RAX: 00000000000000a5
[ 30.521461] RAX: ffffffffffffffda RBX: 00007ffdf5c48fa0 RCX: 0000000000447d8a
[ 30.528696] RDX: 0000000020000040 RSI: 0000000020000100 RDI: 00007ffdf5c48f60
[ 30.535932] RBP: 00007ffdf5c48f60 R08: 00007ffdf5c48fa0 R09: 0000000000000000
[ 30.543175] R10: 0000000000000000 R11: 0000000000000297 R12: 0000000000000006
[ 30.550418] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 30.558980] Kernel Offset: disabled
[ 30.562586] Rebooting in 86400 seconds..
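The log above is a raw syzkaller console capture. When triaging many such reports, the fields that matter are the bug class, the faulting function, the access kind and size, the task and kernel version, the unwinder-verified call path to the syscall entry, and the KASAN shadow byte under the `>` marker, which says what kind of memory the address was in when it was touched. The parser below is an added example for this page, not part of syzkaller or of the kernel; it pulls those fields out of a report and decodes the shadow byte with the generic-KASAN encoding from mm/kasan/kasan.h (0xff is KASAN_FREE_PAGE, 0xfb is KASAN_KMALLOC_FREE, and so on). It drops the `?` frames, which are code pointers the unwinder found on the stack but could not verify as real return addresses. The sample input is a constructed, abridged copy of the report above.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Shadow-byte encoding of generic KASAN (values from mm/kasan/kasan.h).
SHADOW = {
    0xFF: "KASAN_FREE_PAGE (page returned to the page allocator)",
    0xFE: "KASAN_PAGE_REDZONE", 0xFC: "KASAN_KMALLOC_REDZONE",
    0xFB: "KASAN_KMALLOC_FREE (slab object freed)", 0xFA: "KASAN_GLOBAL_REDZONE",
    0xF1: "KASAN_STACK_LEFT", 0xF2: "KASAN_STACK_MID", 0xF3: "KASAN_STACK_RIGHT",
    0xF4: "KASAN_STACK_PARTIAL", 0xF8: "KASAN_USE_AFTER_SCOPE",
    0x00: "fully addressable",
}
# Console prefix (e.g. "syzkaller login: ") plus the dmesg "[  30.036911] " timestamp.
TS = re.compile(r"^.*?\[\s*\d+\.\d+\]\s?")


@dataclass
class KasanReport:
    bug_type: str
    site: str
    access: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    pid: int = 0
    kernel: str = ""
    frames: list = field(default_factory=list)   # unwinder-verified frames only
    shadow_byte: Optional[int] = None

    def shadow_meaning(self) -> str:
        b = self.shadow_byte
        if b is None:
            return "no shadow row for faulting address"
        if 1 <= b <= 7:
            return f"partially addressable: first {b} of 8 bytes valid"
        return SHADOW.get(b, f"unrecognised shadow value 0x{b:02x}")


def parse_kasan_report(log: str) -> Optional[KasanReport]:
    """Parse the first KASAN report in a console log; None if there is none."""
    rep, in_trace = None, False
    for line in (TS.sub("", l, count=1) for l in log.splitlines()):
        if rep is None:
            if m := re.match(r"BUG: KASAN: (\S+) in (\S+)", line):
                rep = KasanReport(bug_type=m[1], site=m[2])
            continue
        if m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", line):
            rep.access, rep.size, rep.addr = m[1], int(m[2]), int(m[3], 16)
            rep.task, rep.pid = m[4], int(m[5])
        elif m := re.match(r"CPU: \d+ PID: \d+ Comm: \S+ (?:Not tainted|Tainted:.*?) (\S+) #\d+", line):
            rep.kernel = m[1]
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif in_trace:
            if line.startswith("RIP:") or not line.strip():
                in_trace = False          # register dump or blank line ends the trace
            elif not line.lstrip().startswith("?"):
                rep.frames.append(line.strip())
        elif m := re.match(r">([0-9a-f]{16}): ((?:[0-9a-f]{2}\s*)+)$", line.strip()):
            # Each shadow byte covers 8 bytes; locate the byte for the faulting
            # address from the row's base address instead of trusting the caret column.
            row, shadow = int(m[1], 16), bytes.fromhex(m[2].replace(" ", ""))
            idx = (rep.addr - row) // 8
            if 0 <= idx < len(shadow):
                rep.shadow_byte = shadow[idx]
        elif line.startswith("=" * 20) and rep.shadow_byte is not None:
            break                         # closing rule of the report
    return rep


def summarize(rep: KasanReport) -> str:
    sb = f"0x{rep.shadow_byte:02x}" if rep.shadow_byte is not None else "n/a"
    entry = rep.frames[-1] if rep.frames else "?"
    return (f"{rep.bug_type}: {rep.access} of {rep.size} bytes at 0x{rep.addr:x} in {rep.site} "
            f"(task {rep.task}/{rep.pid}, kernel {rep.kernel}); shadow {sb} = "
            f"{rep.shadow_meaning()}; reached via {entry}")


# Constructed sample: an abridged copy of the report above.
SAMPLE_LOG = """\
[   30.029494] ==================================================================
[   30.036911] BUG: KASAN: use-after-free in reiserfs_read_locked_inode+0x2028/0x2190
[   30.044587] Read of size 4 at addr ffff88807caef000 by task syz-executor164/6350
[   30.052087]
[   30.053706] CPU: 0 PID: 6350 Comm: syz-executor164 Not tainted 4.14.198-syzkaller #0
[   30.070959] Call Trace:
[   30.073520]  dump_stack+0x1b2/0x283
[   30.087056]  ? reiserfs_read_locked_inode+0x2028/0x2190
[   30.102714]  reiserfs_read_locked_inode+0x2028/0x2190
[   30.117952]  reiserfs_fill_super+0x1517/0x28b6
[   30.142455]  mount_bdev+0x2b3/0x360
[   30.183235]  SyS_mount+0xa8/0x120
[   30.199555] RIP: 0033:0x447d8a
[   30.287983] Memory state around the buggy address:
[   30.300217]  ffff88807caeef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   30.307546] >ffff88807caef000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   30.314877]                    ^
[   30.332895] ==================================================================
"""

if __name__ == "__main__":
    print(summarize(parse_kasan_report(SAMPLE_LOG)))
```

For this report the shadow byte is 0xff, KASAN_FREE_PAGE, so the read hit a whole page that had already gone back to the page allocator rather than a freed slab object (0xfb); that agrees with the `count:0` in the page dump. The verified path is a plain mount(2) of the loop-backed image, so the bug is reachable by whoever can mount a reiserfs image, which on most systems means root or a user namespace with mount privileges, and the reproducer is the image, not the program.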