syzkaller login: [   12.008173][  T931] udevd (931) used greatest stack depth: 25384 bytes left
[   28.227709][ T1049] sftp-server (1049) used greatest stack depth: 25224 bytes left
[   34.567281][ T1065] cgroup: Unknown subsys name 'net'
[   34.572934][ T1065] cgroup: Unknown subsys name 'net_prio'
[   34.578887][ T1065] cgroup: Unknown subsys name 'devices'
[   34.584621][ T1065] cgroup: Unknown subsys name 'blkio'
[   34.680118][ T1065] cgroup: Unknown subsys name 'hugetlb'
[   34.686126][ T1065] cgroup: Unknown subsys name 'rlimit'
[   34.883096][ T1065] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k
[   37.428933][ T1072] syz-executor.0 (1072) used greatest stack depth: 23584 bytes left
Warning: Permanently added '10.128.1.42' (ED25519) to the list of known hosts.
2024/12/08 05:20:27 ignoring optional flag "sandboxArg"="0"
2024/12/08 05:20:27 ignoring optional flag "type"="gce"
2024/12/08 05:20:27 parsed 1 programs
2024/12/08 05:20:28 executed programs: 0
[   55.226463][ T1508] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k
[   57.762052][ T1933] loop0: detected capacity change from 0 to 8192
[   57.770300][ T1933] REISERFS (device loop0): found reiserfs format "3.5" with non-standard journal
[   57.779508][ T1933] REISERFS (device loop0): using ordered data mode
[   57.785986][ T1933] reiserfs: using flush barriers
[   57.792076][ T1933] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
[   57.808532][ T1933] REISERFS (device loop0): checking transaction log (loop0)
[   57.832118][ T1933] REISERFS (device loop0): Using r5 hash to sort names
[   57.839082][ T1933] REISERFS (device loop0): using 3.5.x disk format
[   57.845903][ T1933] REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage.
[   57.858131][ T1933] ==================================================================
[   57.866380][ T1933] BUG: KASAN: out-of-bounds in leaf_paste_in_buffer+0x223/0x9b0
[   57.874054][ T1933] Read of size 18446744073709551365 at addr ffff88806b1be000 by task syz-executor.0/1933
[   57.883840][ T1933]
[   57.886152][ T1933] CPU: 0 PID: 1933 Comm: syz-executor.0 Not tainted 5.15.173-syzkaller #0
[   57.894628][ T1933] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
[   57.904664][ T1933] Call Trace:
[   57.907922][ T1933]
[   57.910831][ T1933]  dump_stack_lvl+0x41/0x5e
[   57.915328][ T1933]  print_address_description.constprop.0.cold+0x6c/0x309
[   57.922332][ T1933]  ? leaf_paste_in_buffer+0x223/0x9b0
[   57.927708][ T1933]  ? leaf_paste_in_buffer+0x223/0x9b0
[   57.933058][ T1933]  kasan_report.cold+0x83/0xdf
[   57.937800][ T1933]  ? leaf_paste_in_buffer+0x223/0x9b0
[   57.943169][ T1933]  kasan_check_range+0x13d/0x180
[   57.948199][ T1933]  memmove+0x20/0x60
[   57.952090][ T1933]  leaf_paste_in_buffer+0x223/0x9b0
[   57.957353][ T1933]  balance_leaf+0x1dbc/0xe180
[   57.962034][ T1933]  ? replace_key+0x300/0x300
[   57.966627][ T1933]  ? do_balance+0x2e0/0x6b0
[   57.971186][ T1933]  do_balance+0x2e0/0x6b0
[   57.975500][ T1933]  ? get_right_neighbor_position+0x170/0x170
[   57.981466][ T1933]  ? wait_for_completion+0x220/0x220
[   57.986769][ T1933]  ? unwind_next_frame+0x13d8/0x1ce0
[   57.992136][ T1933]  reiserfs_paste_into_item+0x63c/0x7b0
[   57.997712][ T1933]  ? reiserfs_delete_object+0x1b0/0x1b0
[   58.003254][ T1933]  ? fs_reclaim_acquire+0xb2/0x160
[   58.008359][ T1933]  ? kasan_unpoison+0x40/0x60
[   58.013039][ T1933]  reiserfs_get_block+0xe98/0x39b0
[   58.018122][ T1933]  ? reiserfs_commit_write+0x620/0x620
[   58.023571][ T1933]  ? lock_downgrade+0x49f/0x4f0
[   58.028402][ T1933]  ? get_obj_cgroup_from_current+0x199/0x410
[   58.034357][ T1933]  ? __lock_acquire.constprop.0+0x478/0xb30
[   58.040370][ T1933]  ? rwlock_bug.part.0+0x90/0x90
[   58.045307][ T1933]  ? do_raw_spin_unlock+0x171/0x230
[   58.050479][ T1933]  __block_write_begin_int+0x2ef/0x1180
[   58.056018][ T1933]  ? reiserfs_commit_write+0x620/0x620
[   58.061448][ T1933]  ? reiserfs_allow_writes+0x90/0x90
[   58.066702][ T1933]  ? invalidate_bh_lrus_cpu+0xe0/0xe0
[   58.072048][ T1933]  ? __mutex_lock+0x1d4/0xea0
[   58.076706][ T1933]  reiserfs_write_begin+0x320/0x820
[   58.081878][ T1933]  generic_cont_expand_simple+0xea/0x120
[   58.087586][ T1933]  ? invalidate_bh_lrus+0x30/0x30
[   58.092581][ T1933]  ? setattr_prepare+0xe3/0xa40
[   58.097403][ T1933]  reiserfs_setattr+0x9b2/0xd20
[   58.102223][ T1933]  ? reiserfs_new_inode+0x1ee0/0x1ee0
[   58.107563][ T1933]  ? current_time+0x6e/0x200
[   58.112122][ T1933]  ? mode_strip_sgid+0x160/0x160
[   58.117027][ T1933]  notify_change+0x4b4/0xea0
[   58.121588][ T1933]  ? down_read_killable+0x380/0x380
[   58.126780][ T1933]  ? do_truncate+0xee/0x1a0
[   58.131271][ T1933]  do_truncate+0xee/0x1a0
[   58.135587][ T1933]  ? file_open_root+0x1f0/0x1f0
[   58.140479][ T1933]  ? lock_acquire+0x11a/0x250
[   58.145244][ T1933]  do_sys_ftruncate+0x423/0x550
[   58.150083][ T1933]  do_syscall_64+0x33/0x80
[   58.154489][ T1933]  entry_SYSCALL_64_after_hwframe+0x66/0xd0
[   58.160363][ T1933] RIP: 0033:0x7f2c80ad1ae9
[   58.164760][ T1933] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[   58.184421][ T1933] RSP: 002b:00007f2c806540c8 EFLAGS: 00000246 ORIG_RAX: 000000000000004d
[   58.192807][ T1933] RAX: ffffffffffffffda RBX: 00007f2c80bf0f80 RCX: 00007f2c80ad1ae9
[   58.200765][ T1933] RDX: 0000000000000000 RSI: 0000000002007ffb RDI: 0000000000000005
[   58.208716][ T1933] RBP: 00007f2c80b1d47a R08: 0000000000000000 R09: 0000000000000000
[   58.216700][ T1933] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   58.224655][ T1933] R13: 0000000000000006 R14: 00007f2c80bf0f80 R15: 00007ffe2a7ca8e8
[   58.232607][ T1933]
[   58.235608][ T1933]
[   58.237913][ T1933] The buggy address belongs to the page:
[   58.243543][ T1933] page:ffffea0001ac6f80 refcount:2 mapcount:1 mapping:0000000000000000 index:0x7f2c80bed pfn:0x6b1be
[   58.254642][ T1933] memcg:ffff888074098000
[   58.258888][ T1933] anon flags: 0xfff00000080004(uptodate|swapbacked|node=0|zone=1|lastcpupid=0x7ff)
[   58.268144][ T1933] raw: 00fff00000080004 0000000000000000 dead000000000122 ffff88807ba76991
[   58.276717][ T1933] raw: 00000007f2c80bed 0000000000000000 0000000200000000 ffff888074098000
[   58.285298][ T1933] page dumped because: kasan: bad access detected
[   58.291701][ T1933] page_owner tracks the page as allocated
[   58.297391][ T1933] page last allocated via order 0, migratetype Movable, gfp_mask 0x1100cca(GFP_HIGHUSER_MOVABLE), pid 1932, ts 57856423292, free_ts 5501142497
[   58.311860][ T1933]  get_page_from_freelist+0x1369/0x31f0
[   58.317381][ T1933]  __alloc_pages+0x1b2/0x440
[   58.321948][ T1933]  alloc_pages_vma+0xe0/0x650
[   58.326595][ T1933]  wp_page_copy+0x18c/0x1890
[   58.331155][ T1933]  __handle_mm_fault+0x15ac/0x33a0
[   58.336257][ T1933]  handle_mm_fault+0x1c5/0x5b0
[   58.341338][ T1933]  do_user_addr_fault+0x298/0xc80
[   58.346333][ T1933]  exc_page_fault+0x5a/0xb0
[   58.350853][ T1933]  asm_exc_page_fault+0x22/0x30
[   58.355675][ T1933] page last free stack trace:
[   58.360347][ T1933]  free_pcp_prepare+0x379/0x850
[   58.365182][ T1933]  free_unref_page+0x19/0x4b0
[   58.369937][ T1933]  free_contig_range+0x8b/0xb0
[   58.374674][ T1933]  destroy_args+0x7e/0x503
[   58.379169][ T1933]  debug_vm_pgtable+0x1773/0x17f5
[   58.384163][ T1933]  do_one_initcall+0xb4/0x320
[   58.388810][ T1933]  kernel_init_freeable+0x51e/0x580
[   58.393977][ T1933]  kernel_init+0x14/0x120
[   58.398276][ T1933]  ret_from_fork+0x1f/0x30
[   58.402673][ T1933]
[   58.404987][ T1933] Memory state around the buggy address:
[   58.410611][ T1933]  ffff88806b1bdf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   58.418643][ T1933]  ffff88806b1bdf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   58.426672][ T1933] >ffff88806b1be000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   58.434715][ T1933]                    ^
[   58.438761][ T1933]  ffff88806b1be080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   58.446806][ T1933]  ffff88806b1be100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   58.454854][ T1933] ==================================================================
[   58.462899][ T1933] Disabling lock debugging due to kernel taint
[   58.469465][ T1933] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   58.476908][ T1933] Kernel Offset: disabled
[   58.481224][ T1933] Rebooting in 86400 seconds..