syzkaller
syzkaller login: [   18.567383][ T1689] sftp-server (1689) used greatest stack depth: 22672 bytes left
[   24.831777][ T1705] cgroup: Unknown subsys name 'net'
[   24.932732][ T1705] cgroup: Unknown subsys name 'rlimit'
[   25.062845][ T1699] syz-fuzzer[1699]: memfd_create() called without MFD_EXEC or MFD_NOEXEC_SEAL set
[   27.343244][ T1984] modprobe (1984) used greatest stack depth: 21112 bytes left
[   28.422653][ T1707] syz-executor.0 (1707) used greatest stack depth: 20920 bytes left
[   29.142636][ T2121] UDPLite6: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
[   29.313004][ T2121] UDPLite: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
Warning: Permanently added '10.128.1.168' (ED25519) to the list of known hosts.
2023/10/18 06:38:52 ignoring optional flag "sandboxArg"="0"
2023/10/18 06:38:53 parsed 1 programs
2023/10/18 06:38:53 executed programs: 0
[   51.228409][ T2642] loop0: detected capacity change from 0 to 8192
[   51.236418][ T2642] REISERFS warning: read_super_block: reiserfs filesystem is deprecated and scheduled to be removed from the kernel in 2025
[   51.249500][ T2642] REISERFS (device loop0): found reiserfs format "3.5" with non-standard journal
[   51.259168][ T2642] REISERFS (device loop0): using ordered data mode
[   51.265816][ T2642] reiserfs: using flush barriers
[   51.271630][ T2642] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
[   51.288324][ T2642] REISERFS (device loop0): checking transaction log (loop0)
[   51.296501][ T2642] REISERFS (device loop0): Using r5 hash to sort names
[   51.303568][ T2642] ==================================================================
[   51.311633][ T2642] BUG: KASAN: use-after-free in strlen+0x58/0x70
[   51.317948][ T2642] Read of size 1 at addr ffff88806ca797a3 by task syz-executor.0/2642
[   51.326162][ T2642]
[   51.328482][ T2642] CPU: 1 PID: 2642 Comm: syz-executor.0 Not tainted 6.6.0-rc6-syzkaller #0
[   51.337050][ T2642] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
[   51.347161][ T2642] Call Trace:
[   51.350414][ T2642]
[   51.353317][ T2642]  dump_stack_lvl+0xf8/0x260
[   51.357879][ T2642]  ? nf_tcp_handle_invalid+0x300/0x300
[   51.363300][ T2642]  ? panic+0x410/0x410
[   51.367687][ T2642]  ? _printk+0xce/0x110
[   51.371815][ T2642]  print_report+0x163/0x540
[   51.376402][ T2642]  ? strlen+0x58/0x70
[   51.380405][ T2642]  kasan_report+0x175/0x1b0
[   51.384903][ T2642]  ? strlen+0x58/0x70
[   51.388951][ T2642]  strlen+0x58/0x70
[   51.392820][ T2642]  reiserfs_find_entry+0x8c8/0x1a30
[   51.398085][ T2642]  ? reiserfs_get_parent+0x270/0x270
[   51.403365][ T2642]  reiserfs_lookup+0x1ba/0x4c0
[   51.408133][ T2642]  ? reiserfs_init_priv_inode+0x120/0x120
[   51.413870][ T2642]  ? lockdep_init_map_type+0xa1/0x700
[   51.419233][ T2642]  ? __init_waitqueue_head+0xae/0x150
[   51.424603][ T2642]  __lookup_slow+0x203/0x2f0
[   51.429192][ T2642]  ? lookup_one_len+0x112/0x240
[   51.434380][ T2642]  ? lookup_one_len+0x240/0x240
[   51.439383][ T2642]  ? d_lookup+0x173/0x1e0
[   51.443695][ T2642]  ? security_inode_permission+0x4c/0xc0
[   51.449415][ T2642]  lookup_one_len+0x1f7/0x240
[   51.454091][ T2642]  ? lookup_one_common+0x330/0x330
[   51.459182][ T2642]  reiserfs_lookup_privroot+0x84/0x150
[   51.464623][ T2642]  reiserfs_fill_super+0x14eb/0x2070
[   51.469889][ T2642]  ? reiserfs_kill_sb+0x140/0x140
[   51.474883][ T2642]  ? vscnprintf+0x30/0x30
[   51.479188][ T2642]  ? down_write+0x12d/0x190
[   51.483662][ T2642]  ? sb_set_blocksize+0x46/0xd0
[   51.488629][ T2642]  ? setup_bdev_super+0x3f0/0x4a0
[   51.493711][ T2642]  mount_bdev+0x1d6/0x290
[   51.498010][ T2642]  ? reiserfs_kill_sb+0x140/0x140
[   51.503021][ T2642]  ? get_tree_bdev+0x5b0/0x5b0
[   51.507770][ T2642]  ? vfs_parse_fs_string+0x17f/0x210
[   51.513232][ T2642]  ? vfs_parse_fs_param+0x380/0x380
[   51.518423][ T2642]  legacy_get_tree+0xe9/0x170
[   51.523349][ T2642]  ? remove_save_link+0x4f0/0x4f0
[   51.528435][ T2642]  vfs_get_tree+0x7e/0x190
[   51.532848][ T2642]  do_new_mount+0x1e5/0x8f0
[   51.537324][ T2642]  ? do_move_mount_old+0x120/0x120
[   51.542580][ T2642]  ? user_path_at_empty+0xf1/0x140
[   51.547751][ T2642]  __se_sys_mount+0x242/0x2d0
[   51.552529][ T2642]  ? __x64_sys_mount+0xc0/0xc0
[   51.557476][ T2642]  ? fpregs_assert_state_consistent+0x47/0x60
[   51.563567][ T2642]  do_syscall_64+0x41/0x90
[   51.567972][ T2642]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   51.573845][ T2642] RIP: 0033:0x7f3b25c7e05a
[   51.578321][ T2642] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 09 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[   51.597997][ T2642] RSP: 002b:00007f3b26943ee8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[   51.606470][ T2642] RAX: ffffffffffffffda RBX: 00007f3b26943f80 RCX: 00007f3b25c7e05a
[   51.614500][ T2642] RDX: 00000000200000c0 RSI: 0000000020000040 RDI: 00007f3b26943f40
[   51.622620][ T2642] RBP: 00000000200000c0 R08: 00007f3b26943f80 R09: 0000000000008001
[   51.631607][ T2642] R10: 0000000000008001 R11: 0000000000000246 R12: 0000000020000040
[   51.639553][ T2642] R13: 00007f3b26943f40 R14: 0000000000001122 R15: 0000000020000080
[   51.647612][ T2642]
[   51.650692][ T2642]
[   51.652990][ T2642] The buggy address belongs to the physical page:
[   51.659378][ T2642] page:ffffea0001b29e40 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x6ca79
[   51.670018][ T2642] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[   51.677130][ T2642] page_type: 0xffffffff()
[   51.681454][ T2642] raw: 00fff00000000000 ffffea0001b29f88 ffffea0001b29c48 0000000000000000
[   51.690908][ T2642] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[   51.699651][ T2642] page dumped because: kasan: bad access detected
[   51.706037][ T2642] page_owner tracks the page as freed
[   51.711383][ T2642] page last allocated via order 0, migratetype Movable, gfp_mask 0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), pid 2635, tgid 2635 (modprobe), ts 51139370689, free_ts 51145577941
[   51.728802][ T2642]  post_alloc_hook+0x26e/0x290
[   51.733540][ T2642]  get_page_from_freelist+0x3201/0x33a0
[   51.739055][ T2642]  __alloc_pages+0x255/0x650
[   51.743962][ T2642]  __folio_alloc+0x13/0x30
[   51.748353][ T2642]  vma_alloc_folio+0x48e/0x9f0
[   51.753198][ T2642]  handle_mm_fault+0x1d36/0x4a30
[   51.758120][ T2642]  exc_page_fault+0x354/0x8d0
[   51.762767][ T2642]  asm_exc_page_fault+0x26/0x30
[   51.767855][ T2642] page last free stack trace:
[   51.772762][ T2642]  free_unref_page_prepare+0x7cd/0x8f0
[   51.778191][ T2642]  free_unref_page_list+0x54b/0x7e0
[   51.783444][ T2642]  release_pages+0x194a/0x1af0
[   51.788177][ T2642]  tlb_flush_mmu+0x273/0x3d0
[   51.792757][ T2642]  tlb_finish_mmu+0xb6/0x1c0
[   51.797317][ T2642]  exit_mmap+0x43e/0x990
[   51.801702][ T2642]  __mmput+0x9b/0x2d0
[   51.805657][ T2642]  exit_mm+0x113/0x1b0
[   51.809720][ T2642]  do_exit+0x7cf/0x2350
[   51.813870][ T2642]  do_group_exit+0x1b9/0x280
[   51.818444][ T2642]  __x64_sys_exit_group+0x3f/0x40
[   51.823484][ T2642]  do_syscall_64+0x41/0x90
[   51.828080][ T2642]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   51.833977][ T2642]
[   51.836283][ T2642] Memory state around the buggy address:
[   51.841914][ T2642]  ffff88806ca79680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   51.849968][ T2642]  ffff88806ca79700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   51.858145][ T2642] >ffff88806ca79780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   51.866321][ T2642]                                ^
[   51.871433][ T2642]  ffff88806ca79800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   51.879564][ T2642]  ffff88806ca79880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   51.888028][ T2642] ==================================================================
[   51.897356][ T2642] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   51.904899][ T2642] Kernel Offset: disabled
[   51.909352][ T2642] Rebooting in 86400 seconds..