==================================================================
BUG: KASAN: use-after-free in strlen+0x53/0x60 lib/string.c:581
Read of size 1 at addr ffff888056624008 by task syz-executor/5100

CPU: 1 PID: 5100 Comm: syz-executor Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
 dump_stack_lvl+0x188/0x250 lib/dump_stack.c:106
 print_address_description+0x60/0x2d0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0xdf/0x130 mm/kasan/report.c:451
 strlen+0x53/0x60 lib/string.c:581
 set_de_name_and_namelen fs/reiserfs/namei.c:82 [inline]
 search_by_entry_key+0xa84/0x1370 fs/reiserfs/namei.c:172
 reiserfs_readdir_inode+0x27f/0x1300 fs/reiserfs/dir.c:98
 iterate_dir+0x218/0x560 fs/readdir.c:-1
 __do_sys_getdents64 fs/readdir.c:369 [inline]
 __se_sys_getdents64+0xf2/0x270 fs/readdir.c:354
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7fe5a85e4873
Code: c7 c0 e8 ff ff ff 64 c7 00 16 00 00 00 31 c0 eb 9e e8 81 9b fd ff 90 b8 ff ff ff 7f 48 39 c2 48 0f 47 d0 b8 d9 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 c7 c2 e8 ff ff ff f7 d8
RSP: 002b:00007ffd0a0b4848 EFLAGS: 00000293 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 0000555571c21a30 RCX: 00007fe5a85e4873
RDX: 0000000000008000 RSI: 0000555571c21a60 RDI: 0000000000000005
RBP: 0000555571c21a60 R08: 00007fe5a8806cc0 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000293 R12: 0000555571c21a34
R13: ffffffffffffffe8 R14: 0000000000000010 R15: 00007ffd0a0b6af0

The buggy address belongs to the page:
page:ffffea0001598900 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x100 pfn:0x56624
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001598a08 ffffea0001597c08 0000000000000000
raw: 0000000000000100 0000000000000002 00000000ffffff7f 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x1112c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL|__GFP_MOVABLE|__GFP_SKIP_KASAN_POISON), pid 4664, ts 71555243723, free_ts 111631009344
 prep_new_page mm/page_alloc.c:2426 [inline]
 get_page_from_freelist+0x1bbd/0x1ca0 mm/page_alloc.c:4192
 __alloc_pages+0x1ee/0x480 mm/page_alloc.c:5487
 __page_cache_alloc+0xce/0x440 mm/filemap.c:1022
 page_cache_ra_unbounded+0x25d/0x940 mm/readahead.c:216
 page_cache_async_readahead include/linux/pagemap.h:856 [inline]
 do_async_mmap_readahead mm/filemap.c:3023 [inline]
 filemap_fault+0x5fa/0x1370 mm/filemap.c:3079
 __do_fault+0x141/0x330 mm/memory.c:3928
 do_read_fault mm/memory.c:4264 [inline]
 do_fault mm/memory.c:4392 [inline]
 handle_pte_fault mm/memory.c:4650 [inline]
 __handle_mm_fault mm/memory.c:4785 [inline]
 handle_mm_fault+0x2985/0x4410 mm/memory.c:4883
 faultin_page mm/gup.c:976 [inline]
 __get_user_pages+0x94b/0x11e0 mm/gup.c:1197
 __get_user_pages_locked mm/gup.c:1382 [inline]
 get_dump_page+0x190/0x680 mm/gup.c:1838
 dump_user_range+0x54/0x340 fs/coredump.c:1013
 elf_core_dump+0x2fbd/0x3500 fs/binfmt_elf.c:2285
 do_coredump+0x14c7/0x2ac0 fs/coredump.c:894
 get_signal+0x40a/0x12c0 kernel/signal.c:2886
 arch_do_signal_or_restart+0xe7/0x12c0 arch/x86/kernel/signal.c:867
 handle_signal_work kernel/entry/common.c:154 [inline]
 exit_to_user_mode_loop+0x9e/0x130 kernel/entry/common.c:178
 exit_to_user_mode_prepare+0xee/0x180 kernel/entry/common.c:214
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1340 [inline]
 free_pcp_prepare mm/page_alloc.c:1391 [inline]
 free_unref_page_prepare+0x637/0x6c0 mm/page_alloc.c:3317
 free_unref_page_list+0x119/0x820 mm/page_alloc.c:3433
 release_pages+0x186c/0x1be0 mm/swap.c:963
 __pagevec_release+0x6d/0xe0 mm/swap.c:983
 pagevec_release include/linux/pagevec.h:81 [inline]
 __invalidate_mapping_pages+0x570/0x6b0 mm/truncate.c:509
 drop_pagecache_sb+0x19a/0x230 fs/drop_caches.c:39
 iterate_supers+0x11e/0x1d0 fs/super.c:718
 drop_caches_sysctl_handler+0x8e/0x160 fs/drop_caches.c:62
 proc_sys_call_handler+0x45e/0x6d0 fs/proc/proc_sysctl.c:588
 do_iter_readv_writev+0x47e/0x5f0 fs/read_write.c:-1
 do_iter_write+0x205/0x7b0 fs/read_write.c:855
 iter_file_splice_write+0x699/0xcc0 fs/splice.c:689
 do_splice_from fs/splice.c:767 [inline]
 direct_splice_actor+0xe1/0x130 fs/splice.c:956
 splice_direct_to_actor+0x4ea/0xc10 fs/splice.c:902
 do_splice_direct+0x1d4/0x2f0 fs/splice.c:1008
 do_sendfile+0x5fc/0xeb0 fs/read_write.c:1249

Memory state around the buggy address:
 ffff888056623f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888056623f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888056624000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                      ^
 ffff888056624080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888056624100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================