[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.67' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 39.223150] audit: type=1400 audit(1602019140.167:8): avc: denied { execmem } for pid=6473 comm="syz-executor733" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 39.250984] REISERFS (device loop0): found reiserfs format "3.5" with standard journal
[ 39.260526] REISERFS (device loop0): using ordered data mode
[ 39.266939] reiserfs: using flush barriers
[ 39.273217] REISERFS (device loop0): journal params: device loop0, size 8192, journal first block 18, max trans len 1024, max batch 900, max commit age 30, max trans age 30
[ 39.291076] REISERFS (device loop0): checking transaction log (loop0)
[ 40.049239] ==================================================================
[ 40.056774] BUG: KASAN: use-after-free in reiserfs_read_locked_inode+0x216f/0x2220
[ 40.064458] Read of size 4 at addr ffff88807c3ec000 by task syz-executor733/6474
[ 40.072002]
[ 40.073611] CPU: 1 PID: 6474 Comm: syz-executor733 Not tainted 4.19.149-syzkaller #0
[ 40.081465] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.090824] Call Trace:
[ 40.093390] dump_stack+0x22c/0x33e
[ 40.096996] print_address_description.cold+0x56/0x25c
[ 40.102297] kasan_report_error.cold+0x66/0xb9
[ 40.106859] ? reiserfs_read_locked_inode+0x216f/0x2220
[ 40.112237] __asan_report_load_n_noabort+0x8b/0xa0
[ 40.117231] ? reiserfs_read_locked_inode+0x216f/0x2220
[ 40.122573] reiserfs_read_locked_inode+0x216f/0x2220
[ 40.127744] ? sd_attrs_to_i_attrs+0x260/0x260
[ 40.132298] ? reiserfs_write_lock+0x75/0xf0
[ 40.136683] ? ww_mutex_unlock+0x200/0x2f0
[ 40.140895] ? do_raw_spin_lock+0xcb/0x220
[ 40.145154] reiserfs_fill_super+0x172e/0x2e60
[ 40.149755] ? reiserfs_remount+0x1640/0x1640
[ 40.154229] ? lock_downgrade+0x750/0x750
[ 40.158356] ? snprintf+0xbb/0xf0
[ 40.161787] ? vsprintf+0x30/0x30
[ 40.165218] ? __mutex_add_waiter+0x160/0x160
[ 40.169696] mount_bdev+0x2fc/0x3b0
[ 40.173297] ? reiserfs_remount+0x1640/0x1640
[ 40.177769] mount_fs+0xa3/0x318
[ 40.181129] vfs_kern_mount.part.0+0x68/0x470
[ 40.185616] do_mount+0x51c/0x2f10
[ 40.189159] ? __do_page_fault+0x1ca/0xe00
[ 40.193370] ? copy_mount_string+0x40/0x40
[ 40.197584] ? copy_mount_options+0x1c3/0x370
[ 40.202052] ? copy_mount_options+0x1d0/0x370
[ 40.206524] ? memset+0x20/0x40
[ 40.209778] ? copy_mount_options+0x261/0x370
[ 40.214252] ksys_mount+0xcf/0x130
[ 40.217769] __x64_sys_mount+0xba/0x150
[ 40.221719] ? lockdep_hardirqs_on+0x3c1/0x5e0
[ 40.226279] do_syscall_64+0xf9/0x670
[ 40.230057] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 40.235223] RIP: 0033:0x447d8a
[ 40.238392] Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 7d a3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 5a a3 fb ff c3 66 0f 1f 84 00 00 00 00 00
[ 40.257268] RSP: 002b:00007fffcfcfb068 EFLAGS: 00000297 ORIG_RAX: 00000000000000a5
[ 40.264952] RAX: ffffffffffffffda RBX: 00007fffcfcfb0c0 RCX: 0000000000447d8a
[ 40.272210] RDX: 0000000020000040 RSI: 0000000020000100 RDI: 00007fffcfcfb080
[ 40.279464] RBP: 00007fffcfcfb080 R08: 00007fffcfcfb0c0 R09: 0000000000000000
[ 40.286725] R10: 0000000000000000 R11: 0000000000000297 R12: 0000000000000006
[ 40.293977] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 40.301232]
[ 40.302834] The buggy address belongs to the page:
[ 40.307740] page:ffffea0001f0fb00 count:0 mapcount:0 mapping:0000000000000000 index:0x1
[ 40.315856] flags: 0xfffe0000000000()
[ 40.319637] raw: 00fffe0000000000 ffffea0001f0fb48 ffff8880ae32fc88 0000000000000000
[ 40.327494] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 40.335349] page dumped because: kasan: bad access detected
[ 40.341031]
[ 40.342632] Memory state around the buggy address:
[ 40.347579] ffff88807c3ebf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 40.354915] ffff88807c3ebf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 40.362250] >ffff88807c3ec000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 40.369583] ^
[ 40.372925] ffff88807c3ec080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 40.380257] ffff88807c3ec100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 40.387782] ==================================================================
[ 40.395111] Disabling lock debugging due to kernel taint
[ 40.403533] Kernel panic - not syncing: panic_on_warn set ...
[ 40.403533]
[ 40.411048] CPU: 1 PID: 6474 Comm: syz-executor733 Tainted: G B 4.19.149-syzkaller #0
[ 40.420309] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.429655] Call Trace:
[ 40.432225] dump_stack+0x22c/0x33e
[ 40.435841] panic+0x2ac/0x565
[ 40.439018] ? __warn_printk+0xf3/0xf3
[ 40.442900] ? preempt_schedule_common+0x45/0xc0
[ 40.447645] ? ___preempt_schedule+0x16/0x18
[ 40.452036] ? trace_hardirqs_on+0x55/0x210
[ 40.456350] kasan_end_report+0x43/0x49
[ 40.460304] kasan_report_error.cold+0x83/0xb9
[ 40.464871] ? reiserfs_read_locked_inode+0x216f/0x2220
[ 40.470262] __asan_report_load_n_noabort+0x8b/0xa0
[ 40.475261] ? reiserfs_read_locked_inode+0x216f/0x2220
[ 40.480603] reiserfs_read_locked_inode+0x216f/0x2220
[ 40.485787] ? sd_attrs_to_i_attrs+0x260/0x260
[ 40.490347] ? reiserfs_write_lock+0x75/0xf0
[ 40.494822] ? ww_mutex_unlock+0x200/0x2f0
[ 40.499080] ? do_raw_spin_lock+0xcb/0x220
[ 40.503469] reiserfs_fill_super+0x172e/0x2e60
[ 40.508066] ? reiserfs_remount+0x1640/0x1640
[ 40.512539] ? lock_downgrade+0x750/0x750
[ 40.516666] ? snprintf+0xbb/0xf0
[ 40.520094] ? vsprintf+0x30/0x30
[ 40.523532] ? __mutex_add_waiter+0x160/0x160
[ 40.528048] mount_bdev+0x2fc/0x3b0
[ 40.531656] ? reiserfs_remount+0x1640/0x1640
[ 40.536144] mount_fs+0xa3/0x318
[ 40.539491] vfs_kern_mount.part.0+0x68/0x470
[ 40.543962] do_mount+0x51c/0x2f10
[ 40.547495] ? __do_page_fault+0x1ca/0xe00
[ 40.551707] ? copy_mount_string+0x40/0x40
[ 40.555918] ? copy_mount_options+0x1c3/0x370
[ 40.560422] ? copy_mount_options+0x1d0/0x370
[ 40.564895] ? memset+0x20/0x40
[ 40.568155] ? copy_mount_options+0x261/0x370
[ 40.572634] ksys_mount+0xcf/0x130
[ 40.576153] __x64_sys_mount+0xba/0x150
[ 40.580103] ? lockdep_hardirqs_on+0x3c1/0x5e0
[ 40.584663] do_syscall_64+0xf9/0x670
[ 40.588442] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 40.593609] RIP: 0033:0x447d8a
[ 40.596779] Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 7d a3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 5a a3 fb ff c3 66 0f 1f 84 00 00 00 00 00
[ 40.615654] RSP: 002b:00007fffcfcfb068 EFLAGS: 00000297 ORIG_RAX: 00000000000000a5
[ 40.623470] RAX: ffffffffffffffda RBX: 00007fffcfcfb0c0 RCX: 0000000000447d8a
[ 40.630740] RDX: 0000000020000040 RSI: 0000000020000100 RDI: 00007fffcfcfb080
[ 40.637986] RBP: 00007fffcfcfb080 R08: 00007fffcfcfb0c0 R09: 0000000000000000
[ 40.645248] R10: 0000000000000000 R11: 0000000000000297 R12: 0000000000000006
[ 40.652503] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 40.661041] Kernel Offset: disabled
[ 40.664655] Rebooting in 86400 seconds..