L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details. REISERFS (device loop3): checking transaction log (loop3) REISERFS (device loop3): Using rupasov hash to sort names BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 PGD 992b9067 P4D 992b9067 PUD 98be6067 PMD 0 Oops: 0010 [#1] PREEMPT SMP KASAN CPU: 0 PID: 9799 Comm: syz-executor.3 Not tainted 4.19.192-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010: (null) Code: Bad RIP value. RSP: 0018:ffff888039c0f8a8 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: 1ffff11007381f18 RCX: ffffc9000c260000 RDX: 0000000000000000 RSI: ffff88808dc69b80 RDI: ffff888239b011a8 RBP: ffffffff8878d5c0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000005 R11: 0000000000000000 R12: ffff88808dc69b80 R13: ffff888239b011a8 R14: ffff888039c0fa38 R15: ffff888039c0f8e0 FS: 00007f95a79f4700(0000) GS:ffff8880ba000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffffffffd6 CR3: 0000000098d5a000 CR4: 00000000001426f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __lookup_slow+0x246/0x4a0 fs/namei.c:1672 lookup_one_len+0x163/0x190 fs/namei.c:2544 reiserfs_lookup_privroot+0x92/0x280 fs/reiserfs/xattr.c:970 reiserfs_fill_super+0x202c/0x2cf0 fs/reiserfs/super.c:2179 mount_bdev+0x2fc/0x3b0 fs/super.c:1158 mount_fs+0xa3/0x310 fs/super.c:1261 vfs_kern_mount.part.0+0x68/0x470 fs/namespace.c:961 vfs_kern_mount fs/namespace.c:951 [inline] do_new_mount fs/namespace.c:2469 [inline] do_mount+0x113c/0x2f10 fs/namespace.c:2799 ksys_mount+0xcf/0x130 fs/namespace.c:3015 __do_sys_mount fs/namespace.c:3029 [inline] __se_sys_mount fs/namespace.c:3026 [inline] __x64_sys_mount+0xba/0x150 fs/namespace.c:3026 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x467afa Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f95a79f3fa8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 0000000000467afa RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f95a79f4000 RBP: 00007f95a79f4040 R08: 00007f95a79f4040 R09: 0000000020000000 R10: 0000000000000000 R11: 0000000000000202 R12: 0000000020000000 R13: 0000000020000100 R14: 00007f95a79f4000 R15: 0000000020011500 Modules linked in: CR2: 0000000000000000 ---[ end trace 8d0b6e35e3a0d4b4 ]--- RIP: 0010: (null) Code: Bad RIP value. RSP: 0018:ffff888039c0f8a8 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: 1ffff11007381f18 RCX: ffffc9000c260000 UDF-fs: error (device loop1): udf_process_sequence: Primary Volume Descriptor not found! RDX: 0000000000000000 RSI: ffff88808dc69b80 RDI: ffff888239b011a8 audit: type=1804 audit(1622526527.664:3): pid=9808 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.4" name="/root/syzkaller-testdir485003026/syzkaller.WlsJr2/2/cgroup.controllers" dev="sda1" ino=13928 res=1 netlink: 20 bytes leftover after parsing attributes in process `syz-executor.5'. UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2020/09/19 18:44 (1000) netlink: 20 bytes leftover after parsing attributes in process `syz-executor.5'. RBP: ffffffff8878d5c0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000005 R11: 0000000000000000 R12: ffff88808dc69b80 device batadv0 entered promiscuous mode R13: ffff888239b011a8 R14: ffff888039c0fa38 R15: ffff888039c0f8e0 FS: 00007f95a79f4700(0000) GS:ffff8880ba100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000056179c7a6188 CR3: 0000000098d5a000 CR4: 00000000001426e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 netlink: 20 bytes leftover after parsing attributes in process `syz-executor.5'. DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400