REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
REISERFS (device loop0): checking transaction log (loop0)
REISERFS (device loop0): Using r5 hash to sort names
reiserfs: enabling write barrier flush mode
==================================================================
BUG: KASAN: out-of-bounds in memmove include/linux/string.h:360 [inline]
BUG: KASAN: out-of-bounds in leaf_paste_entries+0x3f9/0xa20 fs/reiserfs/lbalance.c:1378
Read of size 18446744073709551584 at addr ffff880099b74fa4 by task syz-executor.0/5047

CPU: 1 PID: 5047 Comm: syz-executor.0 Not tainted 4.19.0-syzkaller #0
REISERFS (device loop3): found reiserfs format "3.5" with non-standard journal
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x10c/0x17a lib/dump_stack.c:113
 print_address_description.cold.6+0x9/0x244 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report mm/kasan/report.c:412 [inline]
 kasan_report.cold.7+0x242/0x305 mm/kasan/report.c:396
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x13c/0x1b0 mm/kasan/kasan.c:267
 memmove+0x23/0x50 mm/kasan/kasan.c:293
 memmove include/linux/string.h:360 [inline]
 leaf_paste_entries+0x3f9/0xa20 fs/reiserfs/lbalance.c:1378
REISERFS (device loop3): using ordered data mode
 balance_leaf_finish_node_paste_dirent fs/reiserfs/do_balan.c:1306 [inline]
 balance_leaf_finish_node_paste.isra.15+0x4b6/0x1300 fs/reiserfs/do_balan.c:1332
reiserfs: using flush barriers
 balance_leaf_finish_node fs/reiserfs/do_balan.c:1375 [inline]
 balance_leaf fs/reiserfs/do_balan.c:1463 [inline]
 do_balance+0x2485/0x6cf0 fs/reiserfs/do_balan.c:1899
REISERFS (device loop3): journal params: device loop3, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
 reiserfs_paste_into_item+0x50a/0x630 fs/reiserfs/stree.c:2142
 reiserfs_add_entry+0x7d2/0xb40 fs/reiserfs/namei.c:563
REISERFS (device loop3): checking transaction log (loop3)
 reiserfs_mkdir+0x5a0/0x840 fs/reiserfs/namei.c:855
REISERFS (device loop3): Using r5 hash to sort names
 xattr_mkdir.constprop.4+0x91/0xc0 fs/reiserfs/xattr.c:76
 create_privroot fs/reiserfs/xattr.c:859 [inline]
 reiserfs_xattr_init+0x39c/0xa3c fs/reiserfs/xattr.c:978
 reiserfs_remount+0xf49/0x1501 fs/reiserfs/super.c:1598
reiserfs: enabling write barrier flush mode
 do_remount_sb+0x158/0x640 fs/super.c:888
 do_remount fs/namespace.c:2278 [inline]
 do_mount+0xfd8/0x26e0 fs/namespace.c:2778
REISERFS (device loop4): found reiserfs format "3.5" with non-standard journal
kasan: CONFIG_KASAN_INLINE enabled
BUG: unable to handle kernel paging request at ffff8800a35f6000
PGD 7401067 P4D 7401067 PUD 23ffff067
 ksys_mount+0xb1/0xd0 fs/namespace.c:3003
PMD a3604063
 __do_sys_mount fs/namespace.c:3017 [inline]
 __se_sys_mount fs/namespace.c:3014 [inline]
 __x64_sys_mount+0xb9/0x150 fs/namespace.c:3014
PTE 80000000a35f6161
 do_syscall_64+0xca/0x340 arch/x86/entry/common.c:290
Oops: 0003 [#1] PREEMPT SMP KASAN
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
CPU: 0 PID: 5099 Comm: syz-executor.3 Not tainted 4.19.0-syzkaller #0
RIP: 0033:0x7fc5a826222a
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023
Code: 40 48 89 44 1f 44 00 00 48 c7 c2 b0 ff ff ff f7 d8 64 89 02 1f 44 00 00 48 c7 c2 b0 ff ff ff f7 d8 64 89 02 0f 1f 84 00 00 00 <00> 00 0f 1f 40 00 49 89 ca b8 0f 1f 84 00 00 00 00 00 0f 1f 40 00
RIP: 0010:__memmove+0x53/0x1a0 arch/x86/lib/memmove_64.S:74
RSP: 002b:00007fc5a7de2ee8 EFLAGS: 00000246
Code: fa a8 02 00 00 72 05 40 38 fe 74 3b 48 83 ea 20 48 83 ea 20 4c 8b 1e 4c 8b 56 08 4c 8b 4e 10 4c 8b 46 18 48 8d 76 20 4c 89 1f <4c> 89 57 08 4c 89 4f 10 4c 89 47 18 48 8d 7f 20 73 d4 48 83 c2 20
ORIG_RAX: 00000000000000a5
RSP: 0018:ffff8800ace46e90 EFLAGS: 00010286
RAX: ffffffffffffffda RBX: 00007fc5a7de2f80 RCX: 00007fc5a826222a
RDX: 00000000200000c0 RSI: 0000000020000100 RDI: 0000000000000000
RAX: ffff88009842efb4 RBX: ffffffffffffffe0 RCX: ffffffff8188d7e9
RBP: 00000000200000c0 R08: 00007fc5a7de2f80 R09: 0000000001a484bc
RDX: fffffffff4e38f60 RSI: ffff8800a35f6004 RDI: ffff8800a35f5ff4
R10: 0000000001a484bc R11: 0000000000000246 R12: 0000000020000100
RBP: ffff8800ace46eb0 R08: 0004000100000000 R09: 0000000000000000
R13: 00007fc5a7de2f40 R14: 0000000000000000 R15: 0000000020000d80
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88009842efb4
R13: ffff88009842efa4 R14: ffff88009842ef84 R15: ffff88009842ef84
The buggy address belongs to the page:
FS:  00007f5f3d3fe6c0(0000) GS:ffff8800bac00000(0000) knlGS:0000000000000000
page:ffffea000266dd00 count:2 mapcount:0 mapping:ffff8800b480a058 index:0x213
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8800a35f6000 CR3: 00000000b47ef000 CR4: 0000000000340ef0
flags: 0xfff00000001064(referenced|lru|active|private)
Call Trace:
raw: 00fff00000001064 ffffea000266cf88 ffffea0002659588 ffff8800b480a058
raw: 0000000000000213 ffff88009d47b1f8 00000002ffffffff ffff8800a8274400
 memmove include/linux/string.h:360 [inline]
 leaf_paste_entries+0x3f9/0xa20 fs/reiserfs/lbalance.c:1378
page dumped because: kasan: bad access detected
page->mem_cgroup:ffff8800a8274400
 balance_leaf_finish_node_paste_dirent fs/reiserfs/do_balan.c:1306 [inline]
 balance_leaf_finish_node_paste.isra.15+0x4b6/0x1300 fs/reiserfs/do_balan.c:1332
page allocated via order 0, migratetype Movable, gfp_mask 0x620848(GFP_NOFS|__GFP_NOFAIL|__GFP_HARDWALL|__GFP_MOVABLE)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:1906 [inline]
 prep_new_page mm/page_alloc.c:1914 [inline]
 get_page_from_freelist+0x2c5a/0x41b0 mm/page_alloc.c:3345
 __alloc_pages_nodemask+0x390/0x2380 mm/page_alloc.c:4370
 alloc_pages_current+0xfd/0x290 mm/mempolicy.c:2093
 balance_leaf_finish_node fs/reiserfs/do_balan.c:1375 [inline]
 balance_leaf fs/reiserfs/do_balan.c:1463 [inline]
 do_balance+0x2485/0x6cf0 fs/reiserfs/do_balan.c:1899
 alloc_pages include/linux/gfp.h:509 [inline]
 __page_cache_alloc+0x1fb/0x2c0 mm/filemap.c:946
 pagecache_get_page+0x1d5/0x6a0 mm/filemap.c:1577
 find_or_create_page include/linux/pagemap.h:322 [inline]
 grow_dev_page fs/buffer.c:947 [inline]
 grow_buffers fs/buffer.c:1016 [inline]
 __getblk_slow fs/buffer.c:1043 [inline]
 __getblk_gfp+0x1e4/0x6f0 fs/buffer.c:1320
 sb_getblk include/linux/buffer_head.h:325 [inline]
 search_by_key+0x5db/0x42d0 fs/reiserfs/stree.c:648
 reiserfs_read_locked_inode+0x15f/0x26b0 fs/reiserfs/inode.c:1563
 reiserfs_fill_super+0x1476/0x26b0 fs/reiserfs/super.c:2081
 mount_bdev+0x26f/0x330 fs/super.c:1158
 reiserfs_paste_into_item+0x50a/0x630 fs/reiserfs/stree.c:2142
 get_super_block+0x10/0x20 fs/reiserfs/super.c:2605
 mount_fs+0x7f/0x1f0 fs/super.c:1261
 vfs_kern_mount.part.11+0x58/0x3d0 fs/namespace.c:961
 vfs_kern_mount fs/namespace.c:951 [inline]
 do_new_mount fs/namespace.c:2457 [inline]
 do_mount+0x376/0x26e0 fs/namespace.c:2787
 reiserfs_add_entry+0x7d2/0xb40 fs/reiserfs/namei.c:563
 ksys_mount+0xb1/0xd0 fs/namespace.c:3003
 __do_sys_mount fs/namespace.c:3017 [inline]
 __se_sys_mount fs/namespace.c:3014 [inline]
 __x64_sys_mount+0xb9/0x150 fs/namespace.c:3014

Memory state around the buggy address:
 ffff880099b74e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 reiserfs_mkdir+0x5a0/0x840 fs/reiserfs/namei.c:855
 ffff880099b74f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff880099b74f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                               ^
 xattr_mkdir.constprop.4+0x91/0xc0 fs/reiserfs/xattr.c:76
 ffff880099b75000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 create_privroot fs/reiserfs/xattr.c:859 [inline]
 reiserfs_xattr_init+0x39c/0xa3c fs/reiserfs/xattr.c:978
 ffff880099b75080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 reiserfs_remount+0xf49/0x1501 fs/reiserfs/super.c:1598
==================================================================
 do_remount_sb+0x158/0x640 fs/super.c:888
 do_remount fs/namespace.c:2278 [inline]
 do_mount+0xfd8/0x26e0 fs/namespace.c:2778
 ksys_mount+0xb1/0xd0 fs/namespace.c:3003
 __do_sys_mount fs/namespace.c:3017 [inline]
 __se_sys_mount fs/namespace.c:3014 [inline]
 __x64_sys_mount+0xb9/0x150 fs/namespace.c:3014
 do_syscall_64+0xca/0x340 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f5f3d87d22a
Code: 48 83 ee 01 d1 ff ff 48 83 7c 24 30 00 74 2e 64 41 c7 04 24 d1 ff ff 48 83 7c 24 30 00 74 2e 64 41 c7 04 24 ef bb 22 00 00 00 <64> 41 c7 04 24 22 00 00 00 e8 ef bb 22 00 00 00 64 41 c7 04 24 22
RSP: 002b:00007f5f3d3fdee8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f5f3d3fdf80 RCX: 00007f5f3d87d22a
RDX: 00000000200000c0 RSI: 0000000020000100 RDI: 0000000000000000
RBP: 00000000200000c0 R08: 00007f5f3d3fdf80 R09: 0000000001a484bc
R10: 0000000001a484bc R11: 0000000000000246 R12: 0000000020000100
R13: 00007f5f3d3fdf40 R14: 0000000000000000 R15: 0000000020000d80
Modules linked in:
CR2: ffff8800a35f6000
---[ end trace 1ab819663c54944d ]---
kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
RIP: 0010:__memmove+0x53/0x1a0 arch/x86/lib/memmove_64.S:74
BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
Code: fa a8 02 00 00 72 05 40 38 fe 74 3b 48 83 ea 20 48 83 ea 20 4c 8b 1e 4c 8b 56 08 4c 8b 4e 10 4c 8b 46 18 48 8d 76 20 4c 89 1f <4c> 89 57 08 4c 89 4f 10 4c 89 47 18 48 8d 7f 20 73 d4 48 83 c2 20
PGD a6209067
RSP: 0018:ffff8800ace46e90 EFLAGS: 00010286
P4D a6209067 PUD 9b9cc067
RAX: ffff88009842efb4 RBX: ffffffffffffffe0 RCX: ffffffff8188d7e9
PMD ffffea000017cd80
RDX: fffffffff4e38f60 RSI: ffff8800a35f6004 RDI: ffff8800a35f5ff4
RBP: ffff8800ace46eb0 R08: 0004000100000000 R09: 0000000000000000
Oops: 0010 [#2] PREEMPT SMP KASAN
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88009842efb4
CPU: 1 PID: 5047 Comm: syz-executor.0 Tainted: G    B D      4.19.0-syzkaller #0
R13: ffff88009842efa4 R14: ffff88009842ef84 R15: ffff88009842ef84
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023
FS:  00007f5f3d3fe6c0(0000) GS:ffff8800bac00000(0000) knlGS:0000000000000000
RIP: 0010:          (null)
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Code: Bad RIP value.
CR2: ffff8800a35f6000 CR3: 00000000b47ef000 CR4: 0000000000340ef0
RSP: 0018:ffff8800bad07e08 EFLAGS: 00010002
----------------
Code disassembly (best guess):
   0:	fa                   	cli
   1:	a8 02                	test   $0x2,%al
   3:	00 00                	add    %al,(%rax)
   5:	72 05                	jb     0xc
   7:	40 38 fe             	cmp    %dil,%sil
   a:	74 3b                	je     0x47
   c:	48 83 ea 20          	sub    $0x20,%rdx
  10:	48 83 ea 20          	sub    $0x20,%rdx
  14:	4c 8b 1e             	mov    (%rsi),%r11
  17:	4c 8b 56 08          	mov    0x8(%rsi),%r10
  1b:	4c 8b 4e 10          	mov    0x10(%rsi),%r9
  1f:	4c 8b 46 18          	mov    0x18(%rsi),%r8
  23:	48 8d 76 20          	lea    0x20(%rsi),%rsi
  27:	4c 89 1f             	mov    %r11,(%rdi)
* 2a:	4c 89 57 08          	mov    %r10,0x8(%rdi)		<-- trapping instruction
  2e:	4c 89 4f 10          	mov    %r9,0x10(%rdi)
  32:	4c 89 47 18          	mov    %r8,0x18(%rdi)
  36:	48 8d 7f 20          	lea    0x20(%rdi),%rdi
  3a:	73 d4                	jae    0x10
  3c:	48 83 c2 20          	add    $0x20,%rdx