syzkaller login: [ 11.596667][ T943] udevd (943) used greatest stack depth: 25384 bytes left
[ 18.340674][ T1046] sftp-server (1046) used greatest stack depth: 25248 bytes left
[ 24.445830][ T1063] cgroup: Unknown subsys name 'net'
[ 24.451279][ T1063] cgroup: Unknown subsys name 'net_prio'
[ 24.457108][ T1063] cgroup: Unknown subsys name 'devices'
[ 24.463107][ T1063] cgroup: Unknown subsys name 'blkio'
[ 24.591015][ T1063] cgroup: Unknown subsys name 'hugetlb'
[ 24.596714][ T1063] cgroup: Unknown subsys name 'rlimit'
[ 26.839344][ T1066] syz-executor.0 (1066) used greatest stack depth: 23512 bytes left
Warning: Permanently added '10.128.0.181' (ED25519) to the list of known hosts.
2024/05/19 18:18:04 ignoring optional flag "sandboxArg"="0"
2024/05/19 18:18:04 parsed 1 programs
2024/05/19 18:18:04 executed programs: 0
[ 47.418266][ T2012] loop0: detected capacity change from 0 to 8192
[ 47.426208][ T2012] REISERFS (device loop0): found reiserfs format "3.5" with non-standard journal
[ 47.435787][ T2012] REISERFS (device loop0): using ordered data mode
[ 47.442401][ T2012] reiserfs: using flush barriers
[ 47.447899][ T2012] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
[ 47.464339][ T2012] REISERFS (device loop0): checking transaction log (loop0)
[ 47.472385][ T2012] REISERFS (device loop0): Using r5 hash to sort names
[ 47.479600][ T2012] ==================================================================
[ 47.487659][ T2012] BUG: KASAN: use-after-free in reiserfs_get_unused_objectid+0x26f/0x3c0
[ 47.496293][ T2012] Read of size 250888 at addr ffff88807fd0e058 by task syz-executor.0/2012
[ 47.505308][ T2012]
[ 47.507706][ T2012] CPU: 0 PID: 2012 Comm: syz-executor.0 Not tainted 5.15.159-syzkaller #0
[ 47.517219][ T2012] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
[ 47.527624][ T2012] Call Trace:
[ 47.530979][ T2012]
[ 47.533882][ T2012] dump_stack_lvl+0x41/0x5e
[ 47.538632][ T2012] print_address_description.constprop.0.cold+0x6c/0x309
[ 47.545636][ T2012] ? reiserfs_get_unused_objectid+0x26f/0x3c0
[ 47.551682][ T2012] ? reiserfs_get_unused_objectid+0x26f/0x3c0
[ 47.557742][ T2012] kasan_report.cold+0x83/0xdf
[ 47.562693][ T2012] ? reiserfs_get_unused_objectid+0x26f/0x3c0
[ 47.568820][ T2012] kasan_check_range+0x13d/0x180
[ 47.573746][ T2012] memmove+0x20/0x60
[ 47.577617][ T2012] reiserfs_get_unused_objectid+0x26f/0x3c0
[ 47.583738][ T2012] reiserfs_new_inode+0x422/0x1ee0
[ 47.588822][ T2012] ? lock_downgrade+0x4f0/0x4f0
[ 47.593661][ T2012] ? reiserfs_fh_to_parent+0x160/0x160
[ 47.599192][ T2012] ? __mutex_unlock_slowpath+0x158/0x450
[ 47.605226][ T2012] ? wait_for_completion+0x220/0x220
[ 47.610674][ T2012] ? wait_for_completion+0x220/0x220
[ 47.616027][ T2012] ? find_held_lock+0x2d/0x110
[ 47.620853][ T2012] ? do_journal_begin_r+0x77c/0xef0
[ 47.626020][ T2012] ? do_raw_spin_lock+0x120/0x2b0
[ 47.631022][ T2012] ? dquot_initialize_needed+0x230/0x230
[ 47.636880][ T2012] ? rwlock_bug.part.0+0x90/0x90
[ 47.641808][ T2012] ? lock_acquire+0x11a/0x250
[ 47.646567][ T2012] reiserfs_mkdir+0x40c/0x870
[ 47.651792][ T2012] ? reiserfs_mknod+0x670/0x670
[ 47.656624][ T2012] ? lock_acquire+0x11a/0x250
[ 47.661364][ T2012] ? try_lookup_one_len+0x130/0x130
[ 47.666557][ T2012] reiserfs_xattr_init+0x494/0xb10
[ 47.671926][ T2012] reiserfs_fill_super+0x1bbc/0x26d0
[ 47.677346][ T2012] ? reiserfs_remount+0x15c0/0x15c0
[ 47.682603][ T2012] ? pointer+0x700/0x700
[ 47.687019][ T2012] ? up_write+0x138/0x200
[ 47.691423][ T2012] ? sget+0x390/0x470
[ 47.696081][ T2012] mount_bdev+0x2c3/0x3a0
[ 47.700392][ T2012] ? reiserfs_remount+0x15c0/0x15c0
[ 47.705633][ T2012] ? reiserfs_kill_sb+0x1d0/0x1d0
[ 47.710647][ T2012] legacy_get_tree+0xfa/0x1f0
[ 47.715302][ T2012] ? security_capable+0x4c/0x90
[ 47.720305][ T2012] vfs_get_tree+0x83/0x1b0
[ 47.724801][ T2012] path_mount+0x44f/0x1a60
[ 47.729280][ T2012] ? finish_automount+0x7d0/0x7d0
[ 47.734286][ T2012] ? kasan_set_free_info+0x20/0x30
[ 47.739632][ T2012] ? user_path_at_empty+0x40/0x50
[ 47.744633][ T2012] ? kmem_cache_free+0x7e/0x470
[ 47.749454][ T2012] __x64_sys_mount+0x1f5/0x260
[ 47.754202][ T2012] ? copy_mnt_ns+0xd20/0xd20
[ 47.758845][ T2012] ? vtime_user_exit+0xde/0x180
[ 47.763937][ T2012] do_syscall_64+0x33/0x80
[ 47.768330][ T2012] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 47.774207][ T2012] RIP: 0033:0x7f7fe7f9a05a
[ 47.778701][ T2012] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 09 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[ 47.799078][ T2012] RSP: 002b:00007f7fe7b1aee8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 47.807671][ T2012] RAX: ffffffffffffffda RBX: 00007f7fe7b1af80 RCX: 00007f7fe7f9a05a
[ 47.815627][ T2012] RDX: 0000000020000080 RSI: 0000000020000040 RDI: 00007f7fe7b1af40
[ 47.823680][ T2012] RBP: 0000000020000080 R08: 00007f7fe7b1af80 R09: 0000000000008008
[ 47.831634][ T2012] R10: 0000000000008008 R11: 0000000000000246 R12: 0000000020000040
[ 47.839597][ T2012] R13: 00007f7fe7b1af40 R14: 0000000000001138 R15: 00000000200000c0
[ 47.847571][ T2012]
[ 47.850592][ T2012]
[ 47.852974][ T2012] The buggy address belongs to the page:
[ 47.858661][ T2012] page:ffffea0001ff4380 refcount:3 mapcount:0 mapping:ffff888145180808 index:0x10 pfn:0x7fd0e
[ 47.869145][ T2012] memcg:ffff888075dc4000
[ 47.873358][ T2012] aops:def_blk_aops ino:700000
[ 47.878091][ T2012] flags: 0xfff00000002022(referenced|active|private|node=0|zone=1|lastcpupid=0x7ff)
[ 47.887434][ T2012] raw: 00fff00000002022 0000000000000000 dead000000000122 ffff888145180808
[ 47.896191][ T2012] raw: 0000000000000010 ffff88806a8d4910 00000003ffffffff ffff888075dc4000
[ 47.904749][ T2012] page dumped because: kasan: bad access detected
[ 47.911241][ T2012] page_owner tracks the page as allocated
[ 47.916936][ T2012] page last allocated via order 0, migratetype Movable, gfp_mask 0x108c48(GFP_NOFS|__GFP_NOFAIL|__GFP_HARDWALL|__GFP_MOVABLE), pid 2012, ts 47426131647, free_ts 46372507336
[ 47.934108][ T2012] get_page_from_freelist+0x12d1/0x2d40
[ 47.939647][ T2012] __alloc_pages+0x1b2/0x440
[ 47.944203][ T2012] pagecache_get_page+0x299/0xdd0
[ 47.949195][ T2012] __getblk_slow+0x1a6/0x7a0
[ 47.953848][ T2012] __bread_gfp+0x1e6/0x2f0
[ 47.958228][ T2012] read_super_block+0x7c/0x840
[ 47.962970][ T2012] reiserfs_fill_super+0xa41/0x26d0
[ 47.968159][ T2012] mount_bdev+0x2c3/0x3a0
[ 47.972548][ T2012] legacy_get_tree+0xfa/0x1f0
[ 47.977280][ T2012] vfs_get_tree+0x83/0x1b0
[ 47.981839][ T2012] path_mount+0x44f/0x1a60
[ 47.986324][ T2012] __x64_sys_mount+0x1f5/0x260
[ 47.991141][ T2012] do_syscall_64+0x33/0x80
[ 47.995525][ T2012] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 48.001558][ T2012] page last free stack trace:
[ 48.006202][ T2012] free_pcp_prepare+0x379/0x850
[ 48.011115][ T2012] free_unref_page_list+0x16f/0xbd0
[ 48.016458][ T2012] release_pages+0xb3a/0x1480
[ 48.021133][ T2012] tlb_finish_mmu+0x127/0x790
[ 48.025842][ T2012] exit_mmap+0x1b7/0x530
[ 48.030223][ T2012] mmput+0xd6/0x400
[ 48.034012][ T2012] do_exit+0x884/0x2200
[ 48.038151][ T2012] do_group_exit+0xe7/0x290
[ 48.042626][ T2012] __x64_sys_exit_group+0x35/0x40
[ 48.047629][ T2012] do_syscall_64+0x33/0x80
[ 48.052290][ T2012] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 48.058181][ T2012]
[ 48.060479][ T2012] Memory state around the buggy address:
[ 48.066315][ T2012] ffff88807fd1cf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 48.074461][ T2012] ffff88807fd1cf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 48.082549][ T2012] >ffff88807fd1d000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 48.090674][ T2012] ^
[ 48.094862][ T2012] ffff88807fd1d080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 48.103016][ T2012] ffff88807fd1d100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 48.111159][ T2012] ==================================================================
[ 48.119726][ T2012] Disabling lock debugging due to kernel taint
[ 48.126635][ T2012] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 48.134328][ T2012] Kernel Offset: disabled
[ 48.138676][ T2012] Rebooting in 86400 seconds..