REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
REISERFS (device loop0): checking transaction log (loop0)
REISERFS (device loop0): Using r5 hash to sort names
REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage.
==================================================================
BUG: KASAN: out-of-bounds in memcpy include/linux/string.h:376 [inline]
BUG: KASAN: out-of-bounds in leaf_paste_in_buffer+0x981/0xb80 fs/reiserfs/lbalance.c:1043
Read of size 80 at addr ffff88808b242fe0 by task syz-executor211/8196

CPU: 1 PID: 8196 Comm: syz-executor211 Not tainted 4.14.300-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
 kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351
 kasan_report+0x6f/0x80 mm/kasan/report.c:409
 memcpy+0x20/0x50 mm/kasan/kasan.c:302
 memcpy include/linux/string.h:376 [inline]
 leaf_paste_in_buffer+0x981/0xb80 fs/reiserfs/lbalance.c:1043
 leaf_copy_dir_entries.isra.0+0x770/0x8f0 fs/reiserfs/lbalance.c:108
 leaf_copy_boundary_item fs/reiserfs/lbalance.c:168 [inline]
 leaf_copy_items fs/reiserfs/lbalance.c:551 [inline]
 leaf_move_items+0x147e/0x3440 fs/reiserfs/lbalance.c:726
 leaf_shift_left+0x9f/0x360 fs/reiserfs/lbalance.c:750
 balance_leaf_left fs/reiserfs/do_balan.c:622 [inline]
 balance_leaf+0x2b73/0xba30 fs/reiserfs/do_balan.c:1420
 do_balance+0x282/0x630 fs/reiserfs/do_balan.c:1899
 reiserfs_insert_item+0x95b/0xc70 fs/reiserfs/stree.c:2271
 reiserfs_get_block+0xb54/0x36b0 fs/reiserfs/inode.c:876
 __block_write_begin_int+0x35c/0x11d0 fs/buffer.c:2038
 reiserfs_write_begin+0x2e3/0x8a0 fs/reiserfs/inode.c:2793
 generic_perform_write+0x1d5/0x430 mm/filemap.c:3055
 __generic_file_write_iter+0x227/0x590 mm/filemap.c:3180
 generic_file_write_iter+0x36f/0x650 mm/filemap.c:3208
 call_write_iter include/linux/fs.h:1780 [inline]
 new_sync_write fs/read_write.c:469 [inline]
 __vfs_write+0x44c/0x630 fs/read_write.c:482
 __kernel_write+0xf5/0x330 fs/read_write.c:501
 dump_emit+0x153/0x280 fs/coredump.c:806
 elf_core_dump+0x2672/0x4410 fs/binfmt_elf.c:2308
 do_coredump+0x1a43/0x29f0 fs/coredump.c:770
 get_signal+0xc9f/0x1ca0 kernel/signal.c:2406
 do_signal+0x7c/0x1550 arch/x86/kernel/signal.c:792
 exit_to_usermode_loop+0x160/0x200 arch/x86/entry/common.c:160
 prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
 do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
 entry_SYSCALL_64_after_hwframe+0x5e/0xd3

The buggy address belongs to the page:
page:ffffea00022c9080 count:2 mapcount:0 mapping:ffff8880a4c13b68 index:0x213
flags: 0xfff00000001064(referenced|lru|active|private)
raw: 00fff00000001064 ffff8880a4c13b68 0000000000000213 00000002ffffffff
raw: ffffea00022c9060 ffffea00022c2f20 ffff88808abf3348 ffff88823b3288c0
page dumped because: kasan: bad access detected
page->mem_cgroup:ffff88823b3288c0

Memory state around the buggy address:
 ffff88808b242f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88808b242f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88808b243000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                   ^
 ffff88808b243080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88808b243100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================