DUID 00:04:a4:d9:44:a1:3e:a2:79:db:da:6d:5d:0b:f7:25:ed:85 forked to background, child pid 3212 [ 28.013055][ T3213] 8021q: adding VLAN 0 to HW filter on device bond0 [ 28.022698][ T3213] eql: remember to turn off Van-Jacobson compression on your slave devices Starting sshd: OK syzkaller Warning: Permanently added '10.128.10.34' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 51.840764][ T3539] loop0: detected capacity change from 0 to 8192 [ 51.896719][ T3539] REISERFS warning: read_super_block: reiserfs filesystem is deprecated and scheduled to be removed from the kernel in 2025 [ 51.909903][ T3539] REISERFS (device loop0): found reiserfs format "3.5" with non-standard journal [ 51.919697][ T3539] REISERFS (device loop0): using ordered data mode [ 51.926248][ T3539] reiserfs: using flush barriers [ 51.932800][ T3539] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30 [ 51.949289][ T3539] REISERFS (device loop0): checking transaction log (loop0) [ 51.958864][ T3539] REISERFS (device loop0): Using r5 hash to sort names [ 51.966142][ T3539] ================================================================== [ 51.974206][ T3539] BUG: KASAN: use-after-free in search_by_entry_key+0x575/0x1380 [ 51.981926][ T3539] Read of size 4 at addr ffff888070ae1004 by task syz-executor322/3539 [ 51.990318][ T3539] [ 51.992637][ T3539] CPU: 0 PID: 3539 Comm: syz-executor322 Not tainted 6.1.32-syzkaller #0 [ 52.001029][ T3539] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023 [ 52.011067][ T3539] Call Trace: [ 52.014344][ T3539] <TASK> [ 52.017266][ T3539] dump_stack_lvl+0x1e3/0x2cb [ 52.022119][ T3539] ? nf_tcp_handle_invalid+0x642/0x642 [ 52.027915][ T3539] ? panic+0x75d/0x75d [ 52.031987][ T3539] ? _printk+0xd1/0x111 [ 52.036477][ T3539] ? _raw_spin_lock_irqsave+0xac/0x120 [ 52.041935][ T3539] print_report+0x15f/0x4f0 [ 52.046442][ T3539] ? __virt_addr_valid+0x22b/0x2e0 [ 52.051562][ T3539] ? __phys_addr+0xb6/0x170 [ 52.056230][ T3539] ? search_by_entry_key+0x575/0x1380 [ 52.061587][ T3539] kasan_report+0x136/0x160 [ 52.066083][ T3539] ? search_by_entry_key+0x575/0x1380 [ 52.071455][ T3539] search_by_entry_key+0x575/0x1380 [ 52.076653][ T3539] ? pathrelse+0xe9/0x140 [ 52.081075][ T3539] reiserfs_find_entry+0xf47/0x19b0 [ 52.086301][ T3539] ? reiserfs_get_parent+0x2c0/0x2c0 [ 52.091597][ T3539] ? mutex_lock_nested+0x17/0x20 [ 52.096535][ T3539] reiserfs_lookup+0x1e6/0x4b0 [ 52.101293][ T3539] ? reiserfs_find_entry+0x19b0/0x19b0 [ 52.106744][ T3539] ? d_hash_and_lookup+0x1b0/0x1b0 [ 52.111851][ T3539] ? __init_waitqueue_head+0xaa/0x140 [ 52.117212][ T3539] __lookup_slow+0x27e/0x3d0 [ 52.121801][ T3539] ? lookup_one_len+0x2d0/0x2d0 [ 52.126641][ T3539] lookup_one_len+0x187/0x2d0 [ 52.131318][ T3539] ? lookup_one_common+0x460/0x460 [ 52.136417][ T3539] reiserfs_lookup_privroot+0x85/0x1e0 [ 52.141866][ T3539] reiserfs_fill_super+0x1957/0x2620 [ 52.147144][ T3539] ? reiserfs_kill_sb+0x150/0x150 [ 52.152243][ T3539] ? snprintf+0xd6/0x120 [ 52.156742][ T3539] mount_bdev+0x2c9/0x3f0 [ 52.161356][ T3539] ? reiserfs_kill_sb+0x150/0x150 [ 52.166371][ T3539] legacy_get_tree+0xeb/0x180 [ 52.171040][ T3539] ? remove_save_link+0x540/0x540 [ 52.176065][ T3539] vfs_get_tree+0x88/0x270 [ 52.180470][ T3539] do_new_mount+0x28b/0xae0 [ 52.184963][ T3539] ? do_move_mount_old+0x160/0x160 [ 52.190063][ T3539] ? user_path_at_empty+0x12b/0x180 [ 52.195333][ T3539] __se_sys_mount+0x2d5/0x3c0 [ 52.200307][ T3539] ? __x64_sys_mount+0xc0/0xc0 [ 52.205058][ T3539] ? syscall_enter_from_user_mode+0x2e/0x220 [ 52.211025][ T3539] ? lockdep_hardirqs_on+0x94/0x130 [ 52.216483][ T3539] ? __x64_sys_mount+0x1c/0xc0 [ 52.221236][ T3539] do_syscall_64+0x3d/0xb0 [ 52.225642][ T3539] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 52.231521][ T3539] RIP: 0033:0x7f93cfc2426a [ 52.235929][ T3539] Code: 48 c7 c2 c0 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 98 03 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 [ 52.255629][ T3539] RSP: 002b:00007ffc54c72128 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 52.264027][ T3539] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f93cfc2426a [ 52.271984][ T3539] RDX: 0000000020000140 RSI: 0000000020000340 RDI: 00007ffc54c72130 [ 52.279939][ T3539] RBP: 00007ffc54c72130 R08: 00007ffc54c72170 R09: 0000000000000000 [ 52.287894][ T3539] R10: 000000000120c083 R11: 0000000000000286 R12: 0000000000000004 [ 52.295936][ T3539] R13: 000055555747d2c0 R14: 00007ffc54c72170 R15: 0000000000000000 [ 52.303983][ T3539] </TASK> [ 52.306986][ T3539] [ 52.309289][ T3539] The buggy address belongs to the physical page: [ 52.315685][ T3539] page:ffffea0001c2b840 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x70ae1 [ 52.325828][ T3539] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 52.332942][ T3539] raw: 00fff00000000000 ffffea0001c2b888 ffff8880b98405a0 0000000000000000 [ 52.341512][ T3539] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 52.350087][ T3539] page dumped because: kasan: bad access detected [ 52.356489][ T3539] page_owner tracks the page as freed [ 52.361844][ T3539] page last allocated via order 0, migratetype Movable, gfp_mask 0x8(__GFP_MOVABLE), pid 1, tgid 1 (swapper/0), ts 10137442883, free_ts 11435758549 [ 52.376755][ T3539] post_alloc_hook+0x18d/0x1b0 [ 52.381509][ T3539] split_map_pages+0x246/0x510 [ 52.386269][ T3539] isolate_freepages_range+0x47c/0x4e0 [ 52.391724][ T3539] alloc_contig_range+0x62a/0x990 [ 52.396743][ T3539] alloc_contig_pages+0x3f0/0x4e0 [ 52.401756][ T3539] debug_vm_pgtable_alloc_huge_page+0xb9/0x108 [ 52.407900][ T3539] init_args+0xa7d/0xda4 [ 52.412144][ T3539] debug_vm_pgtable+0xaa/0x46b [ 52.416894][ T3539] do_one_initcall+0x265/0x8f0 [ 52.421644][ T3539] do_initcall_level+0x157/0x207 [ 52.426568][ T3539] do_initcalls+0x49/0x86 [ 52.430969][ T3539] kernel_init_freeable+0x473/0x61f [ 52.436153][ T3539] kernel_init+0x19/0x290 [ 52.440558][ T3539] ret_from_fork+0x1f/0x30 [ 52.444961][ T3539] page last free stack trace: [ 52.449613][ T3539] free_unref_page_prepare+0xf63/0x1120 [ 52.455143][ T3539] free_unref_page+0x98/0x570 [ 52.459807][ T3539] free_contig_range+0x9a/0x150 [ 52.464638][ T3539] destroy_args+0xfe/0x997 [ 52.469033][ T3539] debug_vm_pgtable+0x416/0x46b [ 52.473868][ T3539] do_one_initcall+0x265/0x8f0 [ 52.478628][ T3539] do_initcall_level+0x157/0x207 [ 52.483565][ T3539] do_initcalls+0x49/0x86 [ 52.487890][ T3539] kernel_init_freeable+0x473/0x61f [ 52.493085][ T3539] kernel_init+0x19/0x290 [ 52.497410][ T3539] ret_from_fork+0x1f/0x30 [ 52.501842][ T3539] [ 52.504152][ T3539] Memory state around the buggy address: [ 52.509764][ T3539] ffff888070ae0f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 52.517811][ T3539] ffff888070ae0f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 52.525852][ T3539] >ffff888070ae1000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 52.533890][ T3539] ^ [ 52.541179][ T3539] ffff888070ae1080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 52.549595][ T3539] ffff888070ae1100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 52.557654][ T3539] ================================================================== [ 52.566138][ T3539] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 52.573352][ T3539] CPU: 0 PID: 3539 Comm: syz-executor322 Not tainted 6.1.32-syzkaller #0 [ 52.581785][ T3539] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023 [ 52.591832][ T3539] Call Trace: [ 52.595114][ T3539] <TASK> [ 52.598030][ T3539] dump_stack_lvl+0x1e3/0x2cb [ 52.602702][ T3539] ? nf_tcp_handle_invalid+0x642/0x642 [ 52.608165][ T3539] ? panic+0x75d/0x75d [ 52.612283][ T3539] ? vscnprintf+0x59/0x80 [ 52.616613][ T3539] panic+0x318/0x75d [ 52.620499][ T3539] ? asm_sysvec_apic_timer_interrupt+0x16/0x20 [ 52.626644][ T3539] ? check_panic_on_warn+0x1d/0xa0 [ 52.631752][ T3539] ? memcpy_page_flushcache+0xfc/0xfc [ 52.637130][ T3539] ? _raw_spin_unlock_irqrestore+0x128/0x130 [ 52.643094][ T3539] ? _raw_spin_unlock+0x40/0x40 [ 52.648015][ T3539] check_panic_on_warn+0x7e/0xa0 [ 52.652941][ T3539] ? search_by_entry_key+0x575/0x1380 [ 52.658300][ T3539] end_report+0x66/0x110 [ 52.662532][ T3539] kasan_report+0x143/0x160 [ 52.667023][ T3539] ? search_by_entry_key+0x575/0x1380 [ 52.672376][ T3539] search_by_entry_key+0x575/0x1380 [ 52.677565][ T3539] ? pathrelse+0xe9/0x140 [ 52.681896][ T3539] reiserfs_find_entry+0xf47/0x19b0 [ 52.687088][ T3539] ? reiserfs_get_parent+0x2c0/0x2c0 [ 52.692392][ T3539] ? mutex_lock_nested+0x17/0x20 [ 52.697318][ T3539] reiserfs_lookup+0x1e6/0x4b0 [ 52.702074][ T3539] ? reiserfs_find_entry+0x19b0/0x19b0 [ 52.707522][ T3539] ? d_hash_and_lookup+0x1b0/0x1b0 [ 52.712619][ T3539] ? __init_waitqueue_head+0xaa/0x140 [ 52.717984][ T3539] __lookup_slow+0x27e/0x3d0 [ 52.722570][ T3539] ? lookup_one_len+0x2d0/0x2d0 [ 52.727406][ T3539] lookup_one_len+0x187/0x2d0 [ 52.732073][ T3539] ? lookup_one_common+0x460/0x460 [ 52.737265][ T3539] reiserfs_lookup_privroot+0x85/0x1e0 [ 52.742797][ T3539] reiserfs_fill_super+0x1957/0x2620 [ 52.748159][ T3539] ? reiserfs_kill_sb+0x150/0x150 [ 52.753190][ T3539] ? snprintf+0xd6/0x120 [ 52.757432][ T3539] mount_bdev+0x2c9/0x3f0 [ 52.761758][ T3539] ? reiserfs_kill_sb+0x150/0x150 [ 52.766776][ T3539] legacy_get_tree+0xeb/0x180 [ 52.771438][ T3539] ? remove_save_link+0x540/0x540 [ 52.776448][ T3539] vfs_get_tree+0x88/0x270 [ 52.780850][ T3539] do_new_mount+0x28b/0xae0 [ 52.785339][ T3539] ? do_move_mount_old+0x160/0x160 [ 52.790436][ T3539] ? user_path_at_empty+0x12b/0x180 [ 52.795621][ T3539] __se_sys_mount+0x2d5/0x3c0 [ 52.800285][ T3539] ? __x64_sys_mount+0xc0/0xc0 [ 52.805033][ T3539] ? syscall_enter_from_user_mode+0x2e/0x220 [ 52.811005][ T3539] ? lockdep_hardirqs_on+0x94/0x130 [ 52.816203][ T3539] ? __x64_sys_mount+0x1c/0xc0 [ 52.820979][ T3539] do_syscall_64+0x3d/0xb0 [ 52.825382][ T3539] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 52.831271][ T3539] RIP: 0033:0x7f93cfc2426a [ 52.835671][ T3539] Code: 48 c7 c2 c0 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 98 03 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 [ 52.856145][ T3539] RSP: 002b:00007ffc54c72128 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 52.864552][ T3539] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f93cfc2426a [ 52.873036][ T3539] RDX: 0000000020000140 RSI: 0000000020000340 RDI: 00007ffc54c72130 [ 52.880996][ T3539] RBP: 00007ffc54c72130 R08: 00007ffc54c72170 R09: 0000000000000000 [ 52.888952][ T3539] R10: 000000000120c083 R11: 0000000000000286 R12: 0000000000000004 [ 52.896910][ T3539] R13: 000055555747d2c0 R14: 00007ffc54c72170 R15: 0000000000000000 [ 52.904890][ T3539] </TASK> [ 52.908153][ T3539] Kernel Offset: disabled [ 52.912465][ T3539] Rebooting in 86400 seconds..