[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.
[  OK  ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.181' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   33.090686] audit: type=1400 audit(1601143994.939:8): avc: denied { execmem } for pid=6354 comm="syz-executor757" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[   33.107711] REISERFS (device loop0): found reiserfs format "3.5" with non-standard journal
[   33.122165] REISERFS (device loop0): using ordered data mode
[   33.128180] reiserfs: using flush barriers
[   33.133669] REISERFS (device loop0): journal params: device loop0, size 15748, journal first block 18, max trans len 1024, max batch 900, max commit age 30, max trans age 30
[   33.151975] REISERFS (device loop0): checking transaction log (loop0)
[   34.317661] REISERFS (device loop0): Using r5 hash to sort names
[   34.324328] REISERFS (device loop0): using 3.5.x disk format
[   34.330578] ==================================================================
[   34.338003] BUG: KASAN: use-after-free in search_by_entry_key+0xc87/0xf70
[   34.344905] Read of size 4 at addr ffff888078a437bd by task syz-executor757/6355
[   34.352416] 
[   34.354030] CPU: 1 PID: 6355 Comm: syz-executor757 Not tainted 4.14.198-syzkaller #0
[   34.361971] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.371299] Call Trace:
[   34.373865]  dump_stack+0x1b2/0x283
[   34.377509]  print_address_description.cold+0x54/0x1d3
[   34.382790]  kasan_report_error.cold+0x8a/0x194
[   34.387434]  ? search_by_entry_key+0xc87/0xf70
[   34.392014]  __asan_report_load_n_noabort+0x6b/0x80
[   34.397016]  ? search_by_entry_key+0xc87/0xf70
[   34.401573]  search_by_entry_key+0xc87/0xf70
[   34.405975]  ? make_cpu_key+0x22/0x2a0
[   34.409842]  reiserfs_find_entry.part.0+0x138/0x1200
[   34.414921]  ? reiserfs_write_lock+0x75/0xf0
[   34.419308]  ? add_lock_to_list.constprop.0+0x17d/0x330
[   34.424650]  ? save_trace+0xd6/0x290
[   34.428346]  ? __ww_mutex_wakeup_for_backoff+0x210/0x210
[   34.433778]  ? search_by_entry_key+0xf70/0xf70
[   34.438340]  reiserfs_lookup+0x1fd/0x400
[   34.442386]  ? reiserfs_unlink+0x6a0/0x6a0
[   34.446613]  ? fs_reclaim_release+0xd0/0x110
[   34.451002]  ? __d_alloc+0x2a/0xa20
[   34.454624]  ? d_alloc+0x1c7/0x240
[   34.458167]  ? _raw_spin_unlock+0x29/0x40
[   34.462292]  ? d_alloc+0x1cc/0x240
[   34.465808]  __lookup_hash+0x1bb/0x270
[   34.469672]  ? __inode_permission+0xcd/0x2f0
[   34.474059]  lookup_one_len+0x279/0x3a0
[   34.478012]  ? lookup_one_len_unlocked+0x410/0x410
[   34.482925]  reiserfs_lookup_privroot+0x92/0x270
[   34.487680]  reiserfs_fill_super+0x1ad8/0x28b6
[   34.492244]  ? reiserfs_remount+0x1390/0x1390
[   34.496719]  ? lock_downgrade+0x740/0x740
[   34.501019]  ? snprintf+0xa5/0xd0
[   34.504458]  mount_bdev+0x2b3/0x360
[   34.508079]  ? reiserfs_remount+0x1390/0x1390
[   34.512551]  mount_fs+0x92/0x2a0
[   34.515894]  vfs_kern_mount.part.0+0x5b/0x470
[   34.520386]  do_mount+0xe53/0x2a00
[   34.523904]  ? do_raw_spin_unlock+0x164/0x220
[   34.528406]  ? copy_mount_string+0x40/0x40
[   34.532618]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[   34.537619]  ? copy_mnt_ns+0xa30/0xa30
[   34.541486]  ? copy_mount_options+0x1fa/0x2f0
[   34.545962]  ? copy_mnt_ns+0xa30/0xa30
[   34.549828]  SyS_mount+0xa8/0x120
[   34.553258]  ? copy_mnt_ns+0xa30/0xa30
[   34.557125]  do_syscall_64+0x1d5/0x640
[   34.561009]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   34.566175] RIP: 0033:0x447d9a
[   34.569340] RSP: 002b:00007ffdc6a01ba8 EFLAGS: 00000297 ORIG_RAX: 00000000000000a5
[   34.577030] RAX: ffffffffffffffda RBX: 00007ffdc6a01c00 RCX: 0000000000447d9a
[   34.584279] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffdc6a01bc0
[   34.591526] RBP: 00007ffdc6a01bc0 R08: 00007ffdc6a01c00 R09: 0000000000000000
[   34.598771] R10: 0000000000000000 R11: 0000000000000297 R12: 0000000000000006
[   34.606034] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[   34.613288] 
[   34.614890] The buggy address belongs to the page:
[   34.619796] page:ffffea0001e290c0 count:0 mapcount:0 mapping: (null) index:0x1
[   34.627930] flags: 0xfffe0000000000()
[   34.631708] raw: 00fffe0000000000 0000000000000000 0000000000000001 00000000ffffffff
[   34.639563] raw: ffffea0001e29120 ffffea0001e290a0 0000000000000000 0000000000000000
[   34.647421] page dumped because: kasan: bad access detected
[   34.653102] 
[   34.654701] Memory state around the buggy address:
[   34.659607]  ffff888078a43680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   34.666948]  ffff888078a43700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   34.674282] >ffff888078a43780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   34.681634]                                  ^
[   34.686801]  ffff888078a43800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   34.694148]  ffff888078a43880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   34.701479] ==================================================================
[   34.708809] Disabling lock debugging due to kernel taint
[   34.714726] Kernel panic - not syncing: panic_on_warn set ...
[   34.714726] 
[   34.722084] CPU: 1 PID: 6355 Comm: syz-executor757 Tainted: G B 4.14.198-syzkaller #0
[   34.731195] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.740540] Call Trace:
[   34.743117]  dump_stack+0x1b2/0x283
[   34.746722]  panic+0x1f9/0x42d
[   34.749908]  ? add_taint.cold+0x16/0x16
[   34.753874]  ? ___preempt_schedule+0x16/0x18
[   34.758264]  kasan_end_report+0x43/0x49
[   34.762237]  kasan_report_error.cold+0xa7/0x194
[   34.766883]  ? search_by_entry_key+0xc87/0xf70
[   34.771441]  __asan_report_load_n_noabort+0x6b/0x80
[   34.776437]  ? search_by_entry_key+0xc87/0xf70
[   34.780999]  search_by_entry_key+0xc87/0xf70
[   34.785418]  ? make_cpu_key+0x22/0x2a0
[   34.789293]  reiserfs_find_entry.part.0+0x138/0x1200
[   34.794373]  ? reiserfs_write_lock+0x75/0xf0
[   34.798758]  ? add_lock_to_list.constprop.0+0x17d/0x330
[   34.804092]  ? save_trace+0xd6/0x290
[   34.807788]  ? __ww_mutex_wakeup_for_backoff+0x210/0x210
[   34.813221]  ? search_by_entry_key+0xf70/0xf70
[   34.817780]  reiserfs_lookup+0x1fd/0x400
[   34.821824]  ? reiserfs_unlink+0x6a0/0x6a0
[   34.826035]  ? fs_reclaim_release+0xd0/0x110
[   34.830436]  ? __d_alloc+0x2a/0xa20
[   34.834040]  ? d_alloc+0x1c7/0x240
[   34.837560]  ? _raw_spin_unlock+0x29/0x40
[   34.841703]  ? d_alloc+0x1cc/0x240
[   34.845219]  __lookup_hash+0x1bb/0x270
[   34.849209]  ? __inode_permission+0xcd/0x2f0
[   34.853591]  lookup_one_len+0x279/0x3a0
[   34.857541]  ? lookup_one_len_unlocked+0x410/0x410
[   34.862447]  reiserfs_lookup_privroot+0x92/0x270
[   34.867178]  reiserfs_fill_super+0x1ad8/0x28b6
[   34.871734]  ? reiserfs_remount+0x1390/0x1390
[   34.876206]  ? lock_downgrade+0x740/0x740
[   34.880331]  ? snprintf+0xa5/0xd0
[   34.883773]  mount_bdev+0x2b3/0x360
[   34.887378]  ? reiserfs_remount+0x1390/0x1390
[   34.891901]  mount_fs+0x92/0x2a0
[   34.895245]  vfs_kern_mount.part.0+0x5b/0x470
[   34.899734]  do_mount+0xe53/0x2a00
[   34.903267]  ? do_raw_spin_unlock+0x164/0x220
[   34.907754]  ? copy_mount_string+0x40/0x40
[   34.911977]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[   34.916968]  ? copy_mnt_ns+0xa30/0xa30
[   34.920848]  ? copy_mount_options+0x1fa/0x2f0
[   34.925332]  ? copy_mnt_ns+0xa30/0xa30
[   34.929214]  SyS_mount+0xa8/0x120
[   34.932641]  ? copy_mnt_ns+0xa30/0xa30
[   34.936506]  do_syscall_64+0x1d5/0x640
[   34.940387]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   34.945549] RIP: 0033:0x447d9a
[   34.948719] RSP: 002b:00007ffdc6a01ba8 EFLAGS: 00000297 ORIG_RAX: 00000000000000a5
[   34.956430] RAX: ffffffffffffffda RBX: 00007ffdc6a01c00 RCX: 0000000000447d9a
[   34.963677] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffdc6a01bc0
[   34.970922] RBP: 00007ffdc6a01bc0 R08: 00007ffdc6a01c00 R09: 0000000000000000
[   34.978175] R10: 0000000000000000 R11: 0000000000000297 R12: 0000000000000006
[   34.985455] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[   34.993793] Kernel Offset: disabled
[   34.997404] Rebooting in 86400 seconds..
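Triage note, added to this page and not part of the syzkaller report or of any syzkaller or kernel code: the fields worth pulling out of a console log like the one above are the syzkaller-style title (bug class, access kind and the first reliable frame outside the KASAN reporting path), the faulting access, the kernel version, the reliable stack frames (the "? " entries are stale stack slots and are dropped), the user-space register dump decoded into a syscall number and argument list, and the shadow byte under the caret in the "Memory state" block. The Python below does that over an abridged copy of the report. Its assumptions are not stated on the page: the shadow-byte meanings are the poison values from mm/kasan/kasan.h in the 4.14 tree, the argument order is the x86-64 syscall ABI, and the SKIP prefix list is an approximation of how syzkaller picks a title frame, not its code.

```python
"""KASAN report triage: an added example, not syzkaller or kernel code (assumptions in the lead-in)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Abridged from the report on this page: boot noise and most "?" frames dropped.
REPORT = """\
[   34.338003] BUG: KASAN: use-after-free in search_by_entry_key+0xc87/0xf70
[   34.344905] Read of size 4 at addr ffff888078a437bd by task syz-executor757/6355
[   34.354030] CPU: 1 PID: 6355 Comm: syz-executor757 Not tainted 4.14.198-syzkaller #0
[   34.371299] Call Trace:
[   34.373865]  dump_stack+0x1b2/0x283
[   34.382790]  kasan_report_error.cold+0x8a/0x194
[   34.387434]  ? search_by_entry_key+0xc87/0xf70
[   34.392014]  __asan_report_load_n_noabort+0x6b/0x80
[   34.401573]  search_by_entry_key+0xc87/0xf70
[   34.482925]  reiserfs_lookup_privroot+0x92/0x270
[   34.487680]  reiserfs_fill_super+0x1ad8/0x28b6
[   34.520386]  do_mount+0xe53/0x2a00
[   34.549828]  SyS_mount+0xa8/0x120
[   34.561009]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   34.566175] RIP: 0033:0x447d9a
[   34.569340] RSP: 002b:00007ffdc6a01ba8 EFLAGS: 00000297 ORIG_RAX: 00000000000000a5
[   34.584279] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffdc6a01bc0
[   34.591526] RBP: 00007ffdc6a01bc0 R08: 00007ffdc6a01c00 R09: 0000000000000000
[   34.654701] Memory state around the buggy address:
[   34.674282] >ffff888078a43780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   34.681634]                                  ^
"""
TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")
BUG = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in [\w.]+\+0x")
ACCESS = re.compile(r"^(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                    r" by task \S+/(?P<pid>\d+)")
VERSION = re.compile(r"^CPU: \d+ PID: \d+ Comm: \S+ .*?(?P<ver>\d+\.\d+\.\d+\S*) #\d+")
FRAME = re.compile(r"^(?P<unreliable>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
REG = re.compile(r"\b(?P<name>R[A-Z0-9]{2}|EFLAGS|ORIG_RAX): (?:[0-9a-f]{4}:)?(?:0x)?(?P<val>[0-9a-f]+)")
SHADOW = re.compile(r"^>?\s?(?P<base>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?){16})$")
SKIP = ("dump_stack", "print_address_description", "kasan_", "__asan_", "__kasan_")  # title looks past these
# Poison bytes from mm/kasan/kasan.h in the 4.14 kernel (assumption: that tree's encoding).
SHADOW_MEANING = {0xFF: "freed page", 0xFB: "freed slab object", 0xFC: "slab redzone", 0xFA: "global redzone"}


@dataclass
class Triage:
    kind: str = ""
    op: str = ""
    size: int = 0
    addr: int = 0
    pid: int = 0
    kernel: str = ""
    frames: List[str] = field(default_factory=list)        # reliable frames, innermost first
    regs: Dict[str, int] = field(default_factory=dict)
    shadow: Dict[int, bytes] = field(default_factory=dict)  # row base address -> 16 shadow bytes

    def title(self) -> str:
        culprit = next((f for f in self.frames if not f.startswith(SKIP)), "?")
        return f"KASAN: {self.kind} {self.op} in {culprit}"

    def syscall(self) -> tuple:
        # (number, args) per the x86-64 syscall ABI: number in ORIG_RAX, args in RDI, RSI, RDX, R10, R8, R9.
        return self.regs.get("ORIG_RAX", -1), [self.regs.get(r, 0) for r in ("RDI", "RSI", "RDX", "R10", "R08", "R09")]

    def shadow_meaning(self) -> str:
        # One shadow byte covers 8 bytes of memory; a printed row of 16 shadow bytes covers 128 bytes.
        row = self.addr & ~0x7F
        if row not in self.shadow:
            return "no shadow row printed for this address"
        b = self.shadow[row][(self.addr - row) // 8]
        if b < 8:  # 0 = all 8 bytes accessible, 1..7 = only the first b bytes are
            return f"first {b} bytes accessible" if b else "accessible"
        return SHADOW_MEANING.get(b, f"unknown shadow byte 0x{b:02x}")


def parse_report(text: str) -> Triage:
    t, in_trace = Triage(), False
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if m := BUG.match(line):
            t.kind = m["kind"]
        elif m := ACCESS.match(line):
            t.op, t.size, t.addr, t.pid = m["op"], int(m["size"]), int(m["addr"], 16), int(m["pid"])
        elif m := VERSION.match(line):
            t.kernel = m["ver"]
        elif line == "Call Trace:":
            in_trace = True
        elif in_trace and (m := FRAME.match(line)):
            if not m["unreliable"]:            # "? sym" entries are stale stack slots, not callers
                t.frames.append(m["sym"])
        elif m := SHADOW.match(line):
            t.shadow[int(m["base"], 16)] = bytes.fromhex(m["bytes"].replace(" ", ""))
        else:
            for m in REG.finditer(line):
                t.regs[m["name"]] = int(m["val"], 16)
    return t


TRIAGE = parse_report(REPORT)
if __name__ == "__main__":
    print(TRIAGE.title(), TRIAGE.kernel, TRIAGE.shadow_meaning(), TRIAGE.syscall())
```

On this report it yields the title "KASAN: use-after-free Read in search_by_entry_key", ORIG_RAX 0xa5 (165, which is mount(2) on x86-64) with the filesystem type string at RDX 0x20000000, and shadow byte 0xff under the caret: the 4-byte read landed on a freed page rather than a freed slab object, consistent with the "count:0 mapcount:0" page dump. The reliable frames show the read happening while reiserfs_fill_super looks up the private root directory (reiserfs_lookup_privroot) of the crafted loop0 image, so the mount itself is the trigger. Mounting a block-device filesystem such as reiserfs requires CAP_SYS_ADMIN in the initial user namespace, which bounds who can reach this path.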