[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.90' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 33.433050] REISERFS (device loop0): found reiserfs format "3.6" with non-standard journal
[ 33.441727] REISERFS (device loop0): using ordered data mode
[ 33.447736] reiserfs: using flush barriers
[ 33.453708] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
[ 33.469476] REISERFS (device loop0): checking transaction log (loop0)
[ 33.477460] REISERFS (device loop0): Using rupasov hash to sort names
[ 33.484808] REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage.
executing program
[ 33.566429] REISERFS (device loop0): found reiserfs format "3.6" with non-standard journal
[ 33.575187] REISERFS (device loop0): using ordered data mode
[ 33.581486] reiserfs: using flush barriers
[ 33.586302] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
[ 33.602171] REISERFS (device loop0): checking transaction log (loop0)
[ 33.609418] REISERFS (device loop0): Using rupasov hash to sort names
[ 33.616128] REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage.
executing program
[ 33.700630] REISERFS (device loop0): found reiserfs format "3.6" with non-standard journal
[ 33.709645] REISERFS (device loop0): using ordered data mode
[ 33.715690] reiserfs: using flush barriers
[ 33.721446] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
[ 33.737045] REISERFS (device loop0): checking transaction log (loop0)
[ 33.744306] REISERFS (device loop0): Using rupasov hash to sort names
[ 33.751158] REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage.
executing program
[ 33.833705] REISERFS (device loop0): found reiserfs format "3.6" with non-standard journal
[ 33.842914] REISERFS (device loop0): using ordered data mode
[ 33.848897] reiserfs: using flush barriers
[ 33.853975] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
[ 33.869642] REISERFS (device loop0): checking transaction log (loop0)
[ 33.876786] REISERFS (device loop0): Using rupasov hash to sort names
[ 33.883931] ==================================================================
[ 33.891484] BUG: KASAN: use-after-free in search_by_entry_key+0xc7e/0xf50
[ 33.898506] Read of size 4 at addr ffff88808b517714 by task syz-executor653/8004
[ 33.906016]
[ 33.907621] CPU: 1 PID: 8004 Comm: syz-executor653 Not tainted 4.14.296-syzkaller #0
[ 33.915473] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
[ 33.924803] Call Trace:
[ 33.927367]  dump_stack+0x1b2/0x281
[ 33.930996]  print_address_description.cold+0x54/0x1d3
[ 33.936252]  kasan_report_error.cold+0x8a/0x191
[ 33.940898]  ? search_by_entry_key+0xc7e/0xf50
[ 33.945458]  __asan_report_load_n_noabort+0x6b/0x80
[ 33.950451]  ? search_by_entry_key+0xc7e/0xf50
[ 33.955023]  search_by_entry_key+0xc7e/0xf50
[ 33.959412]  ? make_cpu_key+0x22/0x2a0
[ 33.963289]  reiserfs_find_entry.part.0+0x138/0x11e0
[ 33.968366]  ? reiserfs_write_lock+0x75/0xf0
[ 33.972849]  ? mount_bdev+0x2b3/0x360
[ 33.976722]  ? mount_fs+0x92/0x2a0
[ 33.980241]  ? __ww_mutex_wakeup_for_backoff+0x210/0x210
[ 33.985673]  ? lock_acquire+0x100/0x3f0
[ 33.989631]  ? search_by_entry_key+0xf50/0xf50
[ 33.994200]  reiserfs_lookup+0x1fd/0x400
[ 33.998339]  ? reiserfs_unlink+0x6a0/0x6a0
[ 34.002550]  ? fs_reclaim_release+0xd0/0x110
[ 34.006936]  ? __d_alloc+0x2a/0xa20
[ 34.010540]  ? d_alloc+0x1c7/0x240
[ 34.014073]  ? _raw_spin_unlock+0x29/0x40
[ 34.018194]  ? d_alloc+0x1cc/0x240
[ 34.021710]  __lookup_hash+0x1bb/0x270
[ 34.025571]  ? __inode_permission+0xcd/0x2f0
[ 34.029968]  lookup_one_len+0x279/0x3a0
[ 34.033925]  ? lookup_one_len_unlocked+0x410/0x410
[ 34.038833]  reiserfs_lookup_privroot+0x92/0x270
[ 34.043565]  reiserfs_fill_super+0x1d12/0x2990
[ 34.048123]  ? reiserfs_remount+0x1390/0x1390
[ 34.052593]  ? lock_downgrade+0x740/0x740
[ 34.056725]  ? snprintf+0xa5/0xd0
[ 34.060169]  mount_bdev+0x2b3/0x360
[ 34.063774]  ? reiserfs_remount+0x1390/0x1390
[ 34.068245]  mount_fs+0x92/0x2a0
[ 34.071588]  vfs_kern_mount.part.0+0x5b/0x470
[ 34.076065]  do_mount+0xe65/0x2a30
[ 34.079584]  ? retint_kernel+0x2d/0x2d
[ 34.083454]  ? copy_mount_string+0x40/0x40
[ 34.087664]  ? memset+0x20/0x40
[ 34.090927]  ? copy_mount_options+0x1fa/0x2f0
[ 34.095395]  ? copy_mnt_ns+0xa30/0xa30
[ 34.099259]  SyS_mount+0xa8/0x120
[ 34.102689]  ? copy_mnt_ns+0xa30/0xa30
[ 34.106559]  do_syscall_64+0x1d5/0x640
[ 34.110426]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 34.115594] RIP: 0033:0x7fcbe732140a
[ 34.119287] RSP: 002b:00007fff96bc4428 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 34.126969] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fcbe732140a
[ 34.135000] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fff96bc4440
[ 34.142250] RBP: 00007fff96bc4440 R08: 00007fff96bc4480 R09: 00005555574b22c0
[ 34.149499] R10: 0000000000200080 R11: 0000000000000286 R12: 0000000000000004
[ 34.156748] R13: 00007fff96bc4480 R14: 0000000000000006 R15: 0000000020000350
[ 34.164087]
[ 34.165692] The buggy address belongs to the page:
[ 34.170623] page:ffffea00022d45c0 count:0 mapcount:-127 mapping: (null) index:0x1
[ 34.179087] flags: 0xfff00000000000()
[ 34.182863] raw: 00fff00000000000 0000000000000000 0000000000000001 00000000ffffff80
[ 34.190734] raw: ffff88813fffb7d0 ffffea00022ef420 0000000000000000 0000000000000000
[ 34.198762] page dumped because: kasan: bad access detected
[ 34.204443]
[ 34.206046] Memory state around the buggy address:
[ 34.210950]  ffff88808b517600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 34.218282]  ffff88808b517680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 34.225622] >ffff88808b517700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 34.232953]                                                        ^
[ 34.236813]  ffff88808b517780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 34.244147]  ffff88808b517800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 34.251659] ==================================================================
[ 34.259019] Disabling lock debugging due to kernel taint
[ 34.264909] Kernel panic - not syncing: panic_on_warn set ...
[ 34.264909]
[ 34.272278] CPU: 1 PID: 8004 Comm: syz-executor653 Tainted: G B 4.14.296-syzkaller #0
[ 34.281456] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
[ 34.290800] Call Trace:
[ 34.293367]  dump_stack+0x1b2/0x281
[ 34.296970]  panic+0x1f9/0x42d
[ 34.300138]  ? add_taint.cold+0x16/0x16
[ 34.304088]  ? ___preempt_schedule+0x16/0x18
[ 34.308470]  kasan_end_report+0x43/0x49
[ 34.312416]  kasan_report_error.cold+0xa7/0x191
[ 34.317058]  ? search_by_entry_key+0xc7e/0xf50
[ 34.321640]  __asan_report_load_n_noabort+0x6b/0x80
[ 34.326660]  ? search_by_entry_key+0xc7e/0xf50
[ 34.331234]  search_by_entry_key+0xc7e/0xf50
[ 34.335619]  ? make_cpu_key+0x22/0x2a0
[ 34.339495]  reiserfs_find_entry.part.0+0x138/0x11e0
[ 34.344570]  ? reiserfs_write_lock+0x75/0xf0
[ 34.348971]  ? mount_bdev+0x2b3/0x360
[ 34.352743]  ? mount_fs+0x92/0x2a0
[ 34.356332]  ? __ww_mutex_wakeup_for_backoff+0x210/0x210
[ 34.361760]  ? lock_acquire+0x100/0x3f0
[ 34.365713]  ? search_by_entry_key+0xf50/0xf50
[ 34.370272]  reiserfs_lookup+0x1fd/0x400
[ 34.374406]  ? reiserfs_unlink+0x6a0/0x6a0
[ 34.378612]  ? fs_reclaim_release+0xd0/0x110
[ 34.382996]  ? __d_alloc+0x2a/0xa20
[ 34.386599]  ? d_alloc+0x1c7/0x240
[ 34.390115]  ? _raw_spin_unlock+0x29/0x40
[ 34.394296]  ? d_alloc+0x1cc/0x240
[ 34.397827]  __lookup_hash+0x1bb/0x270
[ 34.401706]  ? __inode_permission+0xcd/0x2f0
[ 34.406103]  lookup_one_len+0x279/0x3a0
[ 34.410055]  ? lookup_one_len_unlocked+0x410/0x410
[ 34.414961]  reiserfs_lookup_privroot+0x92/0x270
[ 34.419691]  reiserfs_fill_super+0x1d12/0x2990
[ 34.424250]  ? reiserfs_remount+0x1390/0x1390
[ 34.428720]  ? lock_downgrade+0x740/0x740
[ 34.432841]  ? snprintf+0xa5/0xd0
[ 34.436274]  mount_bdev+0x2b3/0x360
[ 34.439875]  ? reiserfs_remount+0x1390/0x1390
[ 34.444344]  mount_fs+0x92/0x2a0
[ 34.447685]  vfs_kern_mount.part.0+0x5b/0x470
[ 34.452170]  do_mount+0xe65/0x2a30
[ 34.455693]  ? retint_kernel+0x2d/0x2d
[ 34.459558]  ? copy_mount_string+0x40/0x40
[ 34.463778]  ? memset+0x20/0x40
[ 34.467030]  ? copy_mount_options+0x1fa/0x2f0
[ 34.471496]  ? copy_mnt_ns+0xa30/0xa30
[ 34.475355]  SyS_mount+0xa8/0x120
[ 34.478784]  ? copy_mnt_ns+0xa30/0xa30
[ 34.482646]  do_syscall_64+0x1d5/0x640
[ 34.486509]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 34.491669] RIP: 0033:0x7fcbe732140a
[ 34.495350] RSP: 002b:00007fff96bc4428 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 34.503131] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fcbe732140a
[ 34.510376] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fff96bc4440
[ 34.517619] RBP: 00007fff96bc4440 R08: 00007fff96bc4480 R09: 00005555574b22c0
[ 34.524865] R10: 0000000000200080 R11: 0000000000000286 R12: 0000000000000004
[ 34.533061] R13: 00007fff96bc4480 R14: 0000000000000006 R15: 0000000020000350
[ 34.540477] Kernel Offset: disabled
[ 34.544084] Rebooting in 86400 seconds..