REISERFS (device loop0): journal params: device loop0, size 15748, journal first block 18, max trans len 1024, max batch 900, max commit age 0, max trans age 30
REISERFS (device loop0): checking transaction log (loop0)
REISERFS (device loop0): Using r5 hash to sort names
REISERFS (device loop0): using 3.5.x disk format
==================================================================
BUG: KASAN: use-after-free in bin_search_in_dir_item fs/reiserfs/namei.c:40 [inline]
BUG: KASAN: use-after-free in search_by_entry_key+0x776/0x980 fs/reiserfs/namei.c:164
Read of size 4 at addr ffff888032f21014 by task syz-executor.0/5890

CPU: 0 PID: 5890 Comm: syz-executor.0 Not tainted 5.11.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x9a/0xcc lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:230
 __kasan_report mm/kasan/report.c:396 [inline]
 kasan_report.cold+0x79/0xd5 mm/kasan/report.c:413
 bin_search_in_dir_item fs/reiserfs/namei.c:40 [inline]
 search_by_entry_key+0x776/0x980 fs/reiserfs/namei.c:164
 reiserfs_find_entry.part.0+0x133/0xcb0 fs/reiserfs/namei.c:321
 reiserfs_find_entry fs/reiserfs/namei.c:367 [inline]
 reiserfs_lookup+0x1ff/0x3e0 fs/reiserfs/namei.c:367
 __lookup_slow+0x1fe/0x3c0 fs/namei.c:1544
 lookup_one_len+0x11f/0x150 fs/namei.c:2565
 reiserfs_lookup_privroot+0x8d/0x260 fs/reiserfs/xattr.c:979
 reiserfs_fill_super+0x1c20/0x2670 fs/reiserfs/super.c:2176
 mount_bdev+0x2cb/0x3b0 fs/super.c:1366
 legacy_get_tree+0xfa/0x1f0 fs/fs_context.c:592
 vfs_get_tree+0x7f/0x2c0 fs/super.c:1496
 do_new_mount fs/namespace.c:2881 [inline]
 path_mount+0x7f3/0x1b30 fs/namespace.c:3211
 do_mount fs/namespace.c:3224 [inline]
 __do_sys_mount fs/namespace.c:3432 [inline]
 __se_sys_mount fs/namespace.c:3409 [inline]
 __x64_sys_mount+0x1f5/0x260 fs/namespace.c:3409
 do_syscall_64+0x2d/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f06c590863a
Code: 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f06c507bf88 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000020000040 RCX: 00007f06c590863a
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f06c507bfe0
RBP: 00007f06c507c020 R08: 00007f06c507c020 R09: 0000000020000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000020000000
R13: 0000000020000100 R14: 00007f06c507bfe0 R15: 0000000020000580

The buggy address belongs to the page:
page:00000000a51ceb13 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x32f21
flags: 0xfff00000000000()
raw: 00fff00000000000 ffffea0000cbc888 ffff8880b9e56068 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 9, migratetype Movable, gfp_mask 0x3d24ca(GFP_TRANSHUGE|__GFP_NORETRY|__GFP_THISNODE), pid 5321, ts 30982313698
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x144/0x1c0 mm/page_alloc.c:2297
 prep_new_page mm/page_alloc.c:2306 [inline]
 get_page_from_freelist+0x1c6e/0x3f80 mm/page_alloc.c:3945
 __alloc_pages_nodemask+0x2d6/0x730 mm/page_alloc.c:4995
 __alloc_pages include/linux/gfp.h:511 [inline]
 __alloc_pages_node include/linux/gfp.h:524 [inline]
 alloc_pages_vma+0x44f/0x5d0 mm/mempolicy.c:2211
 do_huge_pmd_anonymous_page+0x2b5/0x1c70 mm/huge_memory.c:761
 create_huge_pmd mm/memory.c:4269 [inline]
 __handle_mm_fault mm/memory.c:4493 [inline]
 handle_mm_fault+0x2620/0x4520 mm/memory.c:4620
 do_user_addr_fault+0x2d3/0x930 arch/x86/mm/fault.c:1393
 handle_page_fault arch/x86/mm/fault.c:1450 [inline]
 exc_page_fault+0x60/0xc0 arch/x86/mm/fault.c:1506
 asm_exc_page_fault+0x1e/0x30 arch/x86/include/asm/idtentry.h:580
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1271 [inline]
 __free_pages_ok+0x4da/0xed0 mm/page_alloc.c:1536
 release_pages+0x4b7/0x1400 mm/swap.c:909
 tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:242 [inline]
 tlb_flush_mmu mm/mmu_gather.c:249 [inline]
 tlb_finish_mmu+0x127/0x790 mm/mmu_gather.c:328
 exit_mmap+0x265/0x4c0 mm/mmap.c:3222
 __mmput+0xeb/0x3e0 kernel/fork.c:1082
 exit_mm kernel/exit.c:501 [inline]
 do_exit+0x9e9/0x2570 kernel/exit.c:812
 do_group_exit+0xe7/0x290 kernel/exit.c:922
 __do_sys_exit_group kernel/exit.c:933 [inline]
 __se_sys_exit_group kernel/exit.c:931 [inline]
 __x64_sys_exit_group+0x35/0x40 kernel/exit.c:931
 do_syscall_64+0x2d/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Memory state around the buggy address:
 ffff888032f20f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888032f20f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888032f21000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                         ^
 ffff888032f21080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888032f21100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================