syzkaller
syzkaller login: [ 24.415448][ T1729] cgroup: Unknown subsys name 'net'
[ 24.506636][ T1729] cgroup: Unknown subsys name 'rlimit'
[ 24.657091][ T1723] syz-fuzzer[1723]: memfd_create() called without MFD_EXEC or MFD_NOEXEC_SEAL set
[ 27.930182][ T1733] syz-executor.0 (1733) used greatest stack depth: 20856 bytes left
[ 28.639600][ T1723] UDPLite6: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
[ 28.812636][ T1723] UDPLite: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
Warning: Permanently added '10.128.1.153' (ED25519) to the list of known hosts.
2023/11/01 12:17:52 ignoring optional flag "sandboxArg"="0"
2023/11/01 12:17:52 parsed 1 programs
2023/11/01 12:17:52 executed programs: 0
[ 50.568520][ T2667] loop0: detected capacity change from 0 to 8192
[ 50.577695][ T2667] REISERFS warning: read_super_block: reiserfs filesystem is deprecated and scheduled to be removed from the kernel in 2025
[ 50.592192][ T2667] REISERFS (device loop0): found reiserfs format "3.5" with non-standard journal
[ 50.601594][ T2667] REISERFS (device loop0): using ordered data mode
[ 50.608339][ T2667] reiserfs: using flush barriers
[ 50.614365][ T2667] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
[ 50.631030][ T2667] REISERFS (device loop0): checking transaction log (loop0)
[ 50.639443][ T2667] REISERFS (device loop0): Using r5 hash to sort names
[ 50.646829][ T2667] ==================================================================
[ 50.655063][ T2667] BUG: KASAN: use-after-free in reiserfs_get_unused_objectid+0x1e7/0x3f0
[ 50.663466][ T2667] Read of size 250888 at addr ffff88806c151058 by task syz-executor.0/2667
[ 50.672119][ T2667]
[ 50.674431][ T2667] CPU: 0 PID: 2667 Comm: syz-executor.0 Not tainted 6.6.0-syzkaller #0
[ 50.682767][ T2667] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
[ 50.692813][ T2667] Call Trace:
[ 50.696250][ T2667]
[ 50.699170][ T2667] dump_stack_lvl+0xf8/0x260
[ 50.703837][ T2667] ? nf_tcp_handle_invalid+0x300/0x300
[ 50.710167][ T2667] ? panic+0x410/0x410
[ 50.714249][ T2667] ? _printk+0xce/0x110
[ 50.718459][ T2667] print_report+0x163/0x540
[ 50.723210][ T2667] ? reiserfs_write_lock_nested+0x4a/0xb0
[ 50.729528][ T2667] ? reiserfs_get_unused_objectid+0x1e7/0x3f0
[ 50.735765][ T2667] kasan_report+0x175/0x1b0
[ 50.740449][ T2667] ? reiserfs_get_unused_objectid+0x1e7/0x3f0
[ 50.747025][ T2667] kasan_check_range+0x27e/0x290
[ 50.752032][ T2667] ? reiserfs_get_unused_objectid+0x1e7/0x3f0
[ 50.758078][ T2667] __asan_memmove+0x29/0x70
[ 50.762557][ T2667] reiserfs_get_unused_objectid+0x1e7/0x3f0
[ 50.768441][ T2667] reiserfs_new_inode+0x295/0x1990
[ 50.773887][ T2667] ? reiserfs_write_inode+0x260/0x260
[ 50.779316][ T2667] ? do_journal_begin_r+0xbad/0xdd0
[ 50.785008][ T2667] ? reiserfs_security_init+0x3c0/0x3c0
[ 50.790623][ T2667] ? journal_begin+0x13f/0x2f0
[ 50.795379][ T2667] reiserfs_mkdir+0x543/0x870
[ 50.800114][ T2667] ? reiserfs_symlink+0x690/0x690
[ 50.805666][ T2667] ? down_write+0x12d/0x190
[ 50.810161][ T2667] ? up_write+0x143/0x300
[ 50.814568][ T2667] ? __up_read+0x360/0x360
[ 50.819060][ T2667] reiserfs_xattr_init+0x2c9/0x5a0
[ 50.824344][ T2667] reiserfs_fill_super+0x1b9a/0x2070
[ 50.829965][ T2667] ? reiserfs_kill_sb+0x140/0x140
[ 50.834968][ T2667] ? vscnprintf+0x30/0x30
[ 50.839338][ T2667] ? down_write+0x12d/0x190
[ 50.843845][ T2667] ? sb_set_blocksize+0x46/0xd0
[ 50.848673][ T2667] ? setup_bdev_super+0x48a/0x530
[ 50.853877][ T2667] mount_bdev+0x1d6/0x290
[ 50.858206][ T2667] ? reiserfs_kill_sb+0x140/0x140
[ 50.863217][ T2667] ? get_tree_bdev+0x5b0/0x5b0
[ 50.867965][ T2667] ? vfs_parse_fs_string+0x17f/0x210
[ 50.873317][ T2667] ? vfs_parse_fs_param+0x380/0x380
[ 50.878508][ T2667] legacy_get_tree+0xe9/0x170
[ 50.883448][ T2667] ? remove_save_link+0x4f0/0x4f0
[ 50.888460][ T2667] vfs_get_tree+0x7e/0x190
[ 50.892870][ T2667] do_new_mount+0x1e5/0x8f0
[ 50.897348][ T2667] ? do_move_mount_old+0x120/0x120
[ 50.902441][ T2667] __se_sys_mount+0x242/0x2d0
[ 50.907178][ T2667] ? __x64_sys_mount+0xc0/0xc0
[ 50.912123][ T2667] ? fpregs_assert_state_consistent+0x47/0x60
[ 50.918250][ T2667] do_syscall_64+0x44/0xe0
[ 50.922820][ T2667] entry_SYSCALL_64_after_hwframe+0x63/0x6b
[ 50.928690][ T2667] RIP: 0033:0x7f829a67dfda
[ 50.933165][ T2667] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 09 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[ 50.953528][ T2667] RSP: 002b:00007f829b422ee8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 50.961912][ T2667] RAX: ffffffffffffffda RBX: 00007f829b422f80 RCX: 00007f829a67dfda
[ 50.969941][ T2667] RDX: 0000000020000080 RSI: 0000000020000040 RDI: 00007f829b422f40
[ 50.978250][ T2667] RBP: 0000000020000080 R08: 00007f829b422f80 R09: 0000000000008008
[ 50.986476][ T2667] R10: 0000000000008008 R11: 0000000000000246 R12: 0000000020000040
[ 50.994417][ T2667] R13: 00007f829b422f40 R14: 0000000000001138 R15: 00000000200000c0
[ 51.002368][ T2667]
[ 51.005488][ T2667]
[ 51.007981][ T2667] The buggy address belongs to the physical page:
[ 51.014375][ T2667] page:ffffea0001b05440 refcount:3 mapcount:0 mapping:ffff888011588870 index:0x10 pfn:0x6c151
[ 51.024849][ T2667] memcg:ffff88807781a000
[ 51.029151][ T2667] aops:def_blk_aops ino:700000
[ 51.033918][ T2667] flags: 0xfff00000008104(referenced|active|private|node=0|zone=1|lastcpupid=0x7ff)
[ 51.043341][ T2667] page_type: 0xffffffff()
[ 51.047763][ T2667] raw: 00fff00000008104 0000000000000000 dead000000000122 ffff888011588870
[ 51.056492][ T2667] raw: 0000000000000010 ffff88807113d0e8 00000003ffffffff ffff88807781a000
[ 51.065042][ T2667] page dumped because: kasan: bad access detected
[ 51.071424][ T2667] page_owner tracks the page as allocated
[ 51.077115][ T2667] page last allocated via order 0, migratetype Movable, gfp_mask 0x148c48(GFP_NOFS|__GFP_NOFAIL|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 2667, tgid 2666 (syz-executor.0), ts 50577563287, free_ts 50521578355
[ 51.098179][ T2667] post_alloc_hook+0x26e/0x290
[ 51.102919][ T2667] get_page_from_freelist+0x3201/0x33a0
[ 51.108795][ T2667] __alloc_pages+0x255/0x650
[ 51.113390][ T2667] folio_alloc+0x13/0x30
[ 51.117715][ T2667] filemap_alloc_folio+0xc6/0x3a0
[ 51.123276][ T2667] __filemap_get_folio+0x28f/0x680
[ 51.128361][ T2667] __getblk_gfp+0x1a4/0x460
[ 51.132855][ T2667] __bread_gfp+0xe/0x1d0
[ 51.137069][ T2667] read_super_block+0x84/0x700
[ 51.141983][ T2667] reiserfs_fill_super+0xa22/0x2070
[ 51.147248][ T2667] mount_bdev+0x1d6/0x290
[ 51.151562][ T2667] legacy_get_tree+0xe9/0x170
[ 51.156207][ T2667] vfs_get_tree+0x7e/0x190
[ 51.160601][ T2667] do_new_mount+0x1e5/0x8f0
[ 51.165073][ T2667] __se_sys_mount+0x242/0x2d0
[ 51.169982][ T2667] do_syscall_64+0x44/0xe0
[ 51.174376][ T2667] page last free stack trace:
[ 51.179467][ T2667] free_unref_page_prepare+0x7cd/0x8f0
[ 51.184912][ T2667] free_unref_page_list+0x54b/0x7e0
[ 51.190309][ T2667] release_pages+0x194a/0x1af0
[ 51.195061][ T2667] tlb_flush_mmu+0x273/0x3d0
[ 51.199741][ T2667] tlb_finish_mmu+0xb6/0x1c0
[ 51.204319][ T2667] exit_mmap+0x43e/0x990
[ 51.208534][ T2667] __mmput+0x9b/0x2d0
[ 51.212759][ T2667] exit_mm+0x113/0x1b0
[ 51.217000][ T2667] do_exit+0x7cf/0x2350
[ 51.221409][ T2667] do_group_exit+0x1b9/0x280
[ 51.226257][ T2667] __x64_sys_exit_group+0x3f/0x40
[ 51.231816][ T2667] do_syscall_64+0x44/0xe0
[ 51.236312][ T2667] entry_SYSCALL_64_after_hwframe+0x63/0x6b
[ 51.242371][ T2667]
[ 51.244674][ T2667] Memory state around the buggy address:
[ 51.250398][ T2667] ffff88806c151f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 51.258454][ T2667] ffff88806c151f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 51.266592][ T2667] >ffff88806c152000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 51.274725][ T2667] ^
[ 51.278873][ T2667] ffff88806c152080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 51.287236][ T2667] ffff88806c152100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 51.295457][ T2667] ==================================================================
[ 51.304834][ T2667] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 51.312497][ T2667] Kernel Offset: disabled
[ 51.316977][ T2667] Rebooting in 86400 seconds..