* kernel BUG in reiserfs_update_sd_size
From: Hui Guo @ 2024-09-06 2:30 UTC
To: reiserfs-devel, linux-kernel, Matthew Wilcox (Oracle),
Andrew Morton, Christian Brauner, Jan Kara, Jeff Layton,
Chengming Zhou
Cc: syzkaller-bugs
Hi Kernel Maintainers,
We found a crash "kernel BUG in reiserfs_update_sd_size" in upstream and
reproduced it successfully.
According to this report "https://groups.google.com/g/syzkaller-bugs/c/3HUP6xnzjo0/m/bP0j4x9rBAAJ",
this bug has been triggered before and fixed, but it can still be
triggered now.
HEAD Commit: 88fac17500f4ea49c7bac136cf1b27e7b9980075 (Merge tag 'fuse-fixes-6.11-rc7')
kernel config: https://raw.githubusercontent.com/androidAppGuard/KernelBugs/main/6.11.config
console output:
https://github.com/androidAppGuard/KernelBugs/blob/main/88fac17500f4ea49c7bac136cf1b27e7b9980075/331f477773da9111eed5fd0f8bb94f7655b2384c/log0
repro report: https://raw.githubusercontent.com/androidAppGuard/KernelBugs/main/88fac17500f4ea49c7bac136cf1b27e7b9980075/331f477773da9111eed5fd0f8bb94f7655b2384c/repro.report
syz reproducer:
https://raw.githubusercontent.com/androidAppGuard/KernelBugs/main/88fac17500f4ea49c7bac136cf1b27e7b9980075/331f477773da9111eed5fd0f8bb94f7655b2384c/repro.prog
C reproducer: https://raw.githubusercontent.com/androidAppGuard/KernelBugs/main/88fac17500f4ea49c7bac136cf1b27e7b9980075/331f477773da9111eed5fd0f8bb94f7655b2384c/repro.cprog
Please let me know if there is anything I can help with.
Best,
Hui Guo
This is the crash log I got by reproducing the bug in the above
environment. I have piped this log through decode_stacktrace.sh to
better understand the cause of the bug.
================================================================================
2024/09/06 01:38:39 executed programs: 0
[ 683.192926][ T8481] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 683.195893][ T8481] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 683.198219][ T8481] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 683.201223][ T8481] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 683.204054][ T8481] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[ 683.205951][ T8481] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[ 683.376251][T14942] chnl_net:caif_netlink_parms(): no params data found
[ 683.462697][T14942] bridge0: port 1(bridge_slave_0) entered blocking state
[ 683.463612][T14942] bridge0: port 1(bridge_slave_0) entered disabled state
[ 683.464441][T14942] bridge_slave_0: entered allmulticast mode
[ 683.465813][T14942] bridge_slave_0: entered promiscuous mode
[ 683.468075][T14942] bridge0: port 2(bridge_slave_1) entered blocking state
[ 683.468929][T14942] bridge0: port 2(bridge_slave_1) entered disabled state
[ 683.469872][T14942] bridge_slave_1: entered allmulticast mode
[ 683.471199][T14942] bridge_slave_1: entered promiscuous mode
[ 683.520982][T14942] bond0: (slave bond_slave_0): Enslaving as an
active interface with an up link
[ 683.526567][T14942] bond0: (slave bond_slave_1): Enslaving as an
active interface with an up link
[ 683.580532][T14942] team0: Port device team_slave_0 added
[ 683.585273][T14942] team0: Port device team_slave_1 added
[ 683.629086][T14942] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 683.629913][T14942] batman_adv: batadv0: The MTU of interface
batadv_slave_0 is too small (1500) to handle the transport of
batman-adv packets. Packets going over this interface will be
fragmented on layer2 which could impact the performance. Setting the
MTU to 1560 would solve the problem.
[ 683.633024][T14942] batman_adv: batadv0: Not using interface
batadv_slave_0 (retrying later): interface not active
[ 683.635746][T14942] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 683.636554][T14942] batman_adv: batadv0: The MTU of interface
batadv_slave_1 is too small (1500) to handle the transport of
batman-adv packets. Packets going over this interface will be
fragmented on layer2 which could impact the performance. Setting the
MTU to 1560 would solve the problem.
[ 683.639365][T14942] batman_adv: batadv0: Not using interface
batadv_slave_1 (retrying later): interface not active
[ 683.642514][ T85] Bluetooth: hci0: command tx timeout
[ 683.691138][T14942] hsr_slave_0: entered promiscuous mode
[ 683.692989][T14942] hsr_slave_1: entered promiscuous mode
[ 683.694372][T14942] debugfs: Directory 'hsr0' with parent 'hsr'
already present!
[ 683.695420][T14942] Cannot create hsr debugfs directory
[ 684.271349][T14942] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 684.276016][T14942] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 684.280518][T14942] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 684.284741][T14942] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 684.356209][T14942] 8021q: adding VLAN 0 to HW filter on device bond0
[ 684.370383][T14942] 8021q: adding VLAN 0 to HW filter on device team0
[ 684.377190][T11305] bridge0: port 1(bridge_slave_0) entered blocking state
[ 684.378168][T11305] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 684.385531][T11305] bridge0: port 2(bridge_slave_1) entered blocking state
[ 684.386565][T11305] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 684.544722][T14942] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 684.581029][T14942] veth0_vlan: entered promiscuous mode
[ 684.585972][T14942] veth1_vlan: entered promiscuous mode
[ 684.604990][T14942] veth0_macvtap: entered promiscuous mode
[ 684.608466][T14942] veth1_macvtap: entered promiscuous mode
[ 684.616148][T14942] batman_adv: The newly added mac address
(aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0
[ 684.617444][T14942] batman_adv: It is strongly recommended to keep
mac addresses unique to avoid problems!
[ 684.619483][T14942] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 684.625191][T14942] batman_adv: The newly added mac address
(aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1
[ 684.626479][T14942] batman_adv: It is strongly recommended to keep
mac addresses unique to avoid problems!
[ 684.628458][T14942] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 684.632383][T14942] netdevsim netdevsim0 netdevsim0: set [1, 0] type
2 family 0 port 6081 - 0
[ 684.633521][T14942] netdevsim netdevsim0 netdevsim1: set [1, 0] type
2 family 0 port 6081 - 0
[ 684.634619][T14942] netdevsim netdevsim0 netdevsim2: set [1, 0] type
2 family 0 port 6081 - 0
[ 684.635713][T14942] netdevsim netdevsim0 netdevsim3: set [1, 0] type
2 family 0 port 6081 - 0
[ 684.669845][ T94] wlan0: Created IBSS using preconfigured BSSID
50:50:50:50:50:50
[ 684.671662][ T94] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 684.685104][T11451] wlan1: Created IBSS using preconfigured BSSID
50:50:50:50:50:50
[ 684.686146][T11451] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 684.759342][T15978] loop0: detected capacity change from 0 to 8192
[ 684.763131][T15978] REISERFS warning: read_super_block: reiserfs
filesystem is deprecated and scheduled to be removed from the kernel
in 2025
[ 684.764879][T15978] REISERFS (device loop0): found reiserfs format
"3.6" with non-standard journal
[ 684.766145][T15978] REISERFS (device loop0): using ordered data mode
[ 684.767026][T15978] reiserfs: using flush barriers
[ 684.768944][T15978] REISERFS (device loop0): journal params: device
loop0, size 512, journal first block 18, max trans len 256, max batch
225, max commit age 30, max trans age 30
[ 684.771427][T15978] REISERFS (device loop0): checking transaction log (loop0)
[ 684.815148][T15978] REISERFS (device loop0): Using tea hash to sort names
[ 684.817613][T15978] REISERFS panic (device loop0): vs-13065 update_stat_data: key [1 2 0x0 SD], found item *3.5*[1 2 0(0) DIR], item_len 80, item_location 3972, free_space(entry_count) 3
[ 684.822115][T15978] ------------[ cut here ]------------
[ 684.823561][T15978] kernel BUG at fs/reiserfs/prints.c:390!
[ 684.825009][T15978] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
[ 684.827201][T15978] CPU: 1 UID: 0 PID: 15978 Comm: syz.0.15 Not
tainted 6.11.0-rc6-00026-g88fac17500f4-dirty #1
[ 684.830348][T15978] Hardware name: QEMU Standard PC (i440FX + PIIX,
1996), BIOS 1.15.0-1 04/01/2014
[684.833199][T15978] RIP: 0010:__reiserfs_panic
(/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/reiserfs/prints.c:390)
[ 684.834855][T15978] Code: 54 ff 4d 89 e8 4c 89 f1 4c 89 e2 48 8d b3
68 06 00 00 49 c7 c1 60 7e 6b 94 48 c7 c7 00 0e 04 8b e8 b2 38 35 ff
e8 ed 4e 54 ff <0f> 0b 49 c7 c6 a0 0c 04 8b 4d 89 f4 eb c5 e8 da 4e 54
ff 4d 85 e4
All code
========
0: 54 push %rsp
1: ff 4d 89 decl -0x77(%rbp)
4: e8 4c 89 f1 4c call 0x4cf18955
9: 89 e2 mov %esp,%edx
b: 48 8d b3 68 06 00 00 lea 0x668(%rbx),%rsi
12: 49 c7 c1 60 7e 6b 94 mov $0xffffffff946b7e60,%r9
19: 48 c7 c7 00 0e 04 8b mov $0xffffffff8b040e00,%rdi
20: e8 b2 38 35 ff call 0xffffffffff3538d7
25: e8 ed 4e 54 ff call 0xffffffffff544f17
2a:* 0f 0b ud2 <-- trapping instruction
2c: 49 c7 c6 a0 0c 04 8b mov $0xffffffff8b040ca0,%r14
33: 4d 89 f4 mov %r14,%r12
36: eb c5 jmp 0xfffffffffffffffd
38: e8 da 4e 54 ff call 0xffffffffff544f17
3d: 4d 85 e4 test %r12,%r12
Code starting with the faulting instruction
===========================================
0: 0f 0b ud2
2: 49 c7 c6 a0 0c 04 8b mov $0xffffffff8b040ca0,%r14
9: 4d 89 f4 mov %r14,%r12
c: eb c5 jmp 0xffffffffffffffd3
e: e8 da 4e 54 ff call 0xffffffffff544eed
13: 4d 85 e4 test %r12,%r12
[ 684.840498][T15978] RSP: 0018:ffffc9000c05f650 EFLAGS: 00010293
[ 684.842101][T15978] RAX: 0000000000000000 RBX: ffff88807daaa000 RCX:
ffffffff816af049
[ 684.844484][T15978] RDX: ffff88802f129cc0 RSI: ffffffff8235abd3 RDI:
0000000000000005
[ 684.846937][T15978] RBP: ffffc9000c05f720 R08: 0000000000000001 R09:
ffffed1047785179
[ 684.849278][T15978] R10: 0000000080000000 R11: 0000000000000001 R12:
ffffffff8b039ee0
[ 684.851698][T15978] R13: ffffffff8b03aba0 R14: ffffffff8b040c60 R15:
ffff888073e536a8
[ 684.854093][T15978] FS: 00007f8329000640(0000)
GS:ffff88823bc00000(0000) knlGS:0000000000000000
[ 684.856853][T15978] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 684.858846][T15978] CR2: 00007f8328367a8c CR3: 000000005b9f4000 CR4:
00000000000006f0
[ 684.861297][T15978] Call Trace:
[ 684.862298][T15978] <TASK>
[684.863253][T15978] ? show_regs
(/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/arch/x86/kernel/dumpstack.c:479)
[684.864580][T15978] ? die
(/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/arch/x86/kernel/dumpstack.c:421
/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/arch/x86/kernel/dumpstack.c:434
/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/arch/x86/kernel/dumpstack.c:447)
[684.865738][T15978] ? do_trap
(/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/arch/x86/kernel/traps.c:114
/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/arch/x86/kernel/traps.c:155)
[684.867020][T15978] ? __reiserfs_panic
(/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/reiserfs/prints.c:390)
[684.868583][T15978] ? do_error_trap
(/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/./arch/x86/include/asm/traps.h:58
/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/arch/x86/kernel/traps.c:176)
[684.870074][T15978] ? __reiserfs_panic
(/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/reiserfs/prints.c:390)
[684.871617][T15978] ? __reiserfs_panic
(/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/reiserfs/prints.c:390)
[684.873167][T15978] ? handle_invalid_op
(/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/arch/x86/kernel/traps.c:214)
[684.874679][T15978] ? __reiserfs_panic
(/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/reiserfs/prints.c:390)
[684.876222][T15978] ? exc_invalid_op
(/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/arch/x86/kernel/traps.c:267)
[684.877685][T15978] ? asm_exc_invalid_op
(/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/./arch/x86/include/asm/idtentry.h:621)
[684.879259][T15978] ? __wake_up_klogd.part.0
(/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/kernel/printk/printk.c:4011)
[684.880688][T15978] ? __reiserfs_panic
(/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/reiserfs/prints.c:390)
[684.881968][T15978] ? __reiserfs_panic
(/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/reiserfs/prints.c:390)
[684.883218][T15978] ? __pfx___reiserfs_panic
(/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/reiserfs/prints.c:377)
[684.884570][T15978] reiserfs_update_sd_size
(/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/reiserfs/reiserfs.h:1487
/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/reiserfs/reiserfs.h:1484
/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/reiserfs/reiserfs.h:1556
/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/reiserfs/reiserfs.h:1577
/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/reiserfs/inode.c:1417
/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/reiserfs/inode.c:1491)
[684.885910][T15978] ? __pfx_reiserfs_update_sd_size
(/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/reiserfs/inode.c:1433)
[684.887352][T15978] ? reiserfs_mkdir
(/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/reiserfs/namei.c:870)
[684.888568][T15978] reiserfs_mkdir
(/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/reiserfs/namei.c:870)
[684.889691][T15978] ? __pfx_reiserfs_mkdir
(/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/reiserfs/namei.c:780)
[684.890953][T15978] ? __pfx_down_write
(/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/kernel/locking/rwsem.c:1577)
[684.891730][T15978] reiserfs_xattr_init
(/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/reiserfs/xattr.c:892
/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/reiserfs/xattr.c:1007)
[684.892412][T15978] reiserfs_fill_super
(/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/reiserfs/super.c:2173
(discriminator 1))
[684.893099][T15978] ? __pfx_reiserfs_fill_super
(/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/reiserfs/super.c:1888)
[684.893814][T15978] ? snprintf
(/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/lib/vsprintf.c:2954)
[684.894375][T15978] ? __pfx_snprintf
(/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/lib/vsprintf.c:2954)
[684.895014][T15978] ? do_raw_spin_lock
(/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/./arch/x86/include/asm/atomic.h:107
/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/./include/linux/atomic/atomic-arch-fallback.h:2170
/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/./include/linux/atomic/atomic-instrumented.h:1302
/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/./include/asm-generic/qspinlock.h:111
/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/kernel/locking/spinlock_debug.c:116)
[684.895653][T15978] ? set_blocksize
(/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/block/bdev.c:175)
[684.896273][T15978] ? setup_bdev_super
(/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/super.c:1595)
[684.896935][T15978] mount_bdev
(/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/super.c:1680)
[684.897496][T15978] ? __pfx_reiserfs_fill_super
(/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/reiserfs/super.c:1888)
[684.898260][T15978] ? __pfx_mount_bdev
(/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/super.c:1657)
[684.898894][T15978] ? apparmor_capable
(/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/security/apparmor/lsm.c:208)
[684.899534][T15978] ? __pfx_get_super_block
(/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/reiserfs/super.c:2599)
[684.900220][T15978] legacy_get_tree
(/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/fs_context.c:664)
[684.900852][T15978] vfs_get_tree
(/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/super.c:1801)
[684.901421][T15978] path_mount
(/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/namespace.c:3473
/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/namespace.c:3799)
[684.901988][T15978] ? __pfx_path_mount
(/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/namespace.c:3726)
[684.902624][T15978] ? putname
(/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/namei.c:281)
[684.903152][T15978] ? putname
(/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/namei.c:281)
[684.903703][T15978] __x64_sys_mount
(/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/namespace.c:3813
/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/namespace.c:4020
/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/namespace.c:3997
/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/namespace.c:3997)
[684.904368][T15978] ? __pfx___x64_sys_mount
(/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/namespace.c:3997)
[684.905035][T15978] do_syscall_64
(/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/arch/x86/entry/common.c:52
/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/arch/x86/entry/common.c:83)
[684.905630][T15978] entry_SYSCALL_64_after_hwframe
(/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/arch/x86/entry/entry_64.S:130)
[ 684.906398][T15978] RIP: 0033:0x7f832819e49e
[ 684.906946][T15978] Code: 48 c7 c0 ff ff ff ff eb aa e8 5e 20 00 00
66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 49 89 ca b8 a5
00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8
64 89 01 48
All code
========
0: 48 c7 c0 ff ff ff ff mov $0xffffffffffffffff,%rax
7: eb aa jmp 0xffffffffffffffb3
9: e8 5e 20 00 00 call 0x206c
e: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
15: 00 00 00
18: 0f 1f 40 00 nopl 0x0(%rax)
1c: f3 0f 1e fa endbr64
20: 49 89 ca mov %rcx,%r10
23: b8 a5 00 00 00 mov $0xa5,%eax
28: 0f 05 syscall
2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction
30: 73 01 jae 0x33
32: c3 ret
33: 48 c7 c1 a8 ff ff ff mov $0xffffffffffffffa8,%rcx
3a: f7 d8 neg %eax
3c: 64 89 01 mov %eax,%fs:(%rcx)
3f: 48 rex.W
Code starting with the faulting instruction
===========================================
0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax
6: 73 01 jae 0x9
8: c3 ret
9: 48 c7 c1 a8 ff ff ff mov $0xffffffffffffffa8,%rcx
10: f7 d8 neg %eax
12: 64 89 01 mov %eax,%fs:(%rcx)
15: 48 rex.W
[ 684.909428][T15978] RSP: 002b:00007f8328fffda8 EFLAGS: 00000246
ORIG_RAX: 00000000000000a5
[ 684.910471][T15978] RAX: ffffffffffffffda RBX: 00000000000010f2 RCX:
00007f832819e49e
[ 684.911528][T15978] RDX: 0000000020001100 RSI: 0000000020001140 RDI:
00007f8328fffe00
[ 684.912521][T15978] RBP: 00007f8328fffe40 R08: 00007f8328fffe40 R09:
0000000000000000
[ 684.913548][T15978] R10: 0000000000000000 R11: 0000000000000246 R12:
0000000020001100
[ 684.914583][T15978] R13: 0000000020001140 R14: 00007f8328fffe00 R15:
0000000020001180
[ 684.915585][T15978] </TASK>
[ 684.915988][T15978] Modules linked in:
[ 684.916687][T15978] ---[ end trace 0000000000000000 ]---
[684.917396][T15978] RIP: 0010:__reiserfs_panic
(/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/reiserfs/prints.c:390)
[ 684.918146][T15978] Code: 54 ff 4d 89 e8 4c 89 f1 4c 89 e2 48 8d b3
68 06 00 00 49 c7 c1 60 7e 6b 94 48 c7 c7 00 0e 04 8b e8 b2 38 35 ff
e8 ed 4e 54 ff <0f> 0b 49 c7 c6 a0 0c 04 8b 4d 89 f4 eb c5 e8 da 4e 54
ff 4d 85 e4
All code
========
0: 54 push %rsp
1: ff 4d 89 decl -0x77(%rbp)
4: e8 4c 89 f1 4c call 0x4cf18955
9: 89 e2 mov %esp,%edx
b: 48 8d b3 68 06 00 00 lea 0x668(%rbx),%rsi
12: 49 c7 c1 60 7e 6b 94 mov $0xffffffff946b7e60,%r9
19: 48 c7 c7 00 0e 04 8b mov $0xffffffff8b040e00,%rdi
20: e8 b2 38 35 ff call 0xffffffffff3538d7
25: e8 ed 4e 54 ff call 0xffffffffff544f17
2a:* 0f 0b ud2 <-- trapping instruction
2c: 49 c7 c6 a0 0c 04 8b mov $0xffffffff8b040ca0,%r14
33: 4d 89 f4 mov %r14,%r12
36: eb c5 jmp 0xfffffffffffffffd
38: e8 da 4e 54 ff call 0xffffffffff544f17
3d: 4d 85 e4 test %r12,%r12
Code starting with the faulting instruction
===========================================
0: 0f 0b ud2
2: 49 c7 c6 a0 0c 04 8b mov $0xffffffff8b040ca0,%r14
9: 4d 89 f4 mov %r14,%r12
c: eb c5 jmp 0xffffffffffffffd3
e: e8 da 4e 54 ff call 0xffffffffff544eed
13: 4d 85 e4 test %r12,%r12
[ 684.920604][T15978] RSP: 0018:ffffc9000c05f650 EFLAGS: 00010293
[ 684.921405][T15978] RAX: 0000000000000000 RBX: ffff88807daaa000 RCX:
ffffffff816af049
[ 684.922419][T15978] RDX: ffff88802f129cc0 RSI: ffffffff8235abd3 RDI:
0000000000000005
[ 684.923460][T15978] RBP: ffffc9000c05f720 R08: 0000000000000001 R09:
ffffed1047785179
[ 684.924446][T15978] R10: 0000000080000000 R11: 0000000000000001 R12:
ffffffff8b039ee0
[ 684.925462][T15978] R13: ffffffff8b03aba0 R14: ffffffff8b040c60 R15:
ffff888073e536a8
[ 684.926492][T15978] FS: 00007f8329000640(0000)
GS:ffff88823bc00000(0000) knlGS:0000000000000000
[ 684.927600][T15978] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 684.928444][T15978] CR2: 00007f8328367a8c CR3: 000000005b9f4000 CR4:
00000000000006f0
[ 684.929474][T15978] Kernel panic - not syncing: Fatal exception
[ 684.930460][T15978] Kernel Offset: disabled
[ 684.930979][T15978] Rebooting in 86400 seconds..
* Re: kernel BUG in reiserfs_update_sd_size
From: Matthew Wilcox @ 2024-09-06 2:53 UTC
To: Hui Guo
Cc: reiserfs-devel, linux-kernel, Andrew Morton, Christian Brauner,
Jan Kara, Jeff Layton, Chengming Zhou, syzkaller-bugs
On Fri, Sep 06, 2024 at 10:30:58AM +0800, Hui Guo wrote:
> Hi Kernel Maintainers,
> We found a crash "kernel BUG in reiserfs_update_sd_size" in upstream and
> reproduced it successfully.
> According to this report "https://groups.google.com/g/syzkaller-bugs/c/3HUP6xnzjo0/m/bP0j4x9rBAAJ",
> this bug has been triggered before and fixed, but it can still be
> triggered now.
Nobody cares. It's a reiserfs bug on a corrupted filesystem. Don't
waste anybody's time with reiserfs.
* kernel BUG in reiserfs_update_sd_size
From: Wei Chen @ 2022-10-30 10:25 UTC
To: reiserfs-devel, linux-kernel
Dear Linux Developer,
Recently, when using our tool to fuzz the kernel, the following crash was triggered:
HEAD commit: 64570fbc14f8 Linux 5.15-rc5
git tree: upstream
compiler: gcc 8.0.1
console output:
https://drive.google.com/file/d/1laVB52iSmAz7ATjvqKgcZw9Qf3pVh50t/view?usp=share_link
kernel config: https://drive.google.com/file/d/1uDOeEYgJDcLiSOrx9W8v2bqZ6uOA_55t/view?usp=share_link
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: Wei Chen <harperchen1110@gmail.com>
REISERFS (device loop0): Using rupasov hash to sort names
REISERFS panic (device loop0): vs-13065 update_stat_data: key [1 2 0x0 IND], found item *3.6* [1 2 0x0 IND], item_len 44, item_location 4052, free_space(entry_count) 0
------------[ cut here ]------------
kernel BUG at fs/reiserfs/prints.c:390!
invalid opcode: 0000 [#1] PREEMPT SMP
CPU: 0 PID: 12506 Comm: syz-executor.0 Not tainted 5.15.0-rc5 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
RIP: 0010:__reiserfs_panic.cold.17+0x37/0x8c
Code: d1 85 74 63 e8 e6 f4 9f fc 4c 89 f1 48 89 da 4c 89 ee 49 c7 c0
a0 30 29 89 48 c7 c7 04 8f c0 85 e8 f1 60 fe ff e8 c5 f4 9f fc <0f> 0b
e8 be f4 9f fc 4d 85 ed 49 c7 c4 26 a6 d1 85 74 36 e8 ad f4
RSP: 0018:ffffc900020b7aa0 EFLAGS: 00010216
RAX: 0000000000013eb9 RBX: ffff888016c8a000 RCX: 0000000000040000
RDX: ffffc9000226d000 RSI: ffff888111950000 RDI: 0000000000000002
RBP: ffffc900020b7b10 R08: ffffffff849d7e9b R09: 0000000000000000
R10: 0000000000000005 R11: 0000000080000000 R12: ffffffff85d1a626
R13: ffffffff85c07963 R14: ffffffff85079d30 R15: ffffc900020b7c60
FS: 00007f3386280700(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000525b40 CR3: 0000000011cfd000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
reiserfs_update_sd_size+0x33b/0x450
reiserfs_mkdir+0x2db/0x3c0
reiserfs_xattr_init+0x1be/0x330
reiserfs_fill_super+0x110e/0x1620
mount_bdev+0x23d/0x280
legacy_get_tree+0x2e/0x90
vfs_get_tree+0x29/0x100
path_mount+0x58e/0x10a0
do_mount+0x9b/0xb0
__x64_sys_mount+0x13a/0x150
do_syscall_64+0x34/0xb0
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x46abda
Code: 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f
84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f338627fa48 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f338627faf0 RCX: 000000000046abda
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f338627fab0
RBP: 0000000020000000 R08: 00007f338627faf0 R09: 0000000020000000
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000020000100
R13: 00007f338627fab0 R14: 0000000000000001 R15: 0000000020011500
Modules linked in:
---[ end trace 15f12b9b91cc8105 ]---
RIP: 0010:__reiserfs_panic.cold.17+0x37/0x8c
Code: d1 85 74 63 e8 e6 f4 9f fc 4c 89 f1 48 89 da 4c 89 ee 49 c7 c0
a0 30 29 89 48 c7 c7 04 8f c0 85 e8 f1 60 fe ff e8 c5 f4 9f fc <0f> 0b
e8 be f4 9f fc 4d 85 ed 49 c7 c4 26 a6 d1 85 74 36 e8 ad f4
RSP: 0018:ffffc900020b7aa0 EFLAGS: 00010216
RAX: 0000000000013eb9 RBX: ffff888016c8a000 RCX: 0000000000040000
RDX: ffffc9000226d000 RSI: ffff888111950000 RDI: 0000000000000002
RBP: ffffc900020b7b10 R08: ffffffff849d7e9b R09: 0000000000000000
R10: 0000000000000005 R11: 0000000080000000 R12: ffffffff85d1a626
R13: ffffffff85c07963 R14: ffffffff85079d30 R15: ffffc900020b7c60
FS: 00007f3386280700(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000525b40 CR3: 0000000011cfd000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Best,
Wei
* Re: kernel BUG in reiserfs_update_sd_size
From: Wei Chen @ 2022-11-06 16:55 UTC
To: reiserfs-devel, linux-kernel
Dear Linux developers,
Here are the links to the reproducers.
C reproducer: https://drive.google.com/file/d/1Zpylo9ayWUtnFSkdTS2qszoAxomB_h5P/view?usp=share_link
Syz reproducer:
https://drive.google.com/file/d/1wW_xyEfybUkYVK-By0qNqsSosIsWRmqJ/view?usp=share_link
The bug persists in Linux v6.0.0. I hope it is helpful to you.
[ 51.239162][ T6622] kernel BUG at fs/reiserfs/prints.c:390!
[ 51.239539][ T6622] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
[ 51.239948][ T6622] CPU: 0 PID: 6622 Comm: a.out Not tainted 6.0.0 #38
[ 51.240371][ T6622] Hardware name: QEMU Standard PC (i440FX + PIIX,
1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[ 51.240998][ T6622] RIP: 0010:__reiserfs_panic+0x12f/0x140
[ 51.241373][ T6622] Code: 40 fa a7 8a 48 0f 44 c8 48 0f 44 d8 48 c7
c7 40 fb a7 8a 4c 89 fe 48 89 da 4d 89 f0 49 c7 c1 a0 3e 0f 91 31 c0
e8 10 73 0a 08 <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55
48 89 e5 41
[ 51.242602][ T6622] RSP: 0018:ffffc90009997380 EFLAGS: 00010246
[ 51.242995][ T6622] RAX: 00000000000000a7 RBX: ffffffff8aa789e0
RCX: 46d2c6edc7752800
[ 51.243496][ T6622] RDX: 0000000000000000 RSI: 0000000080000000
RDI: 0000000000000000
[ 51.244008][ T6622] RBP: ffffc90009997470 R08: ffffffff816b75fc
R09: ffffed100c7867e1
[ 51.244504][ T6622] R10: ffffed100c7867e1 R11: 0000000000000000
R12: ffffffff8aa78a20
[ 51.245015][ T6622] R13: ffffc900099973a0 R14: ffffffff8c6888a2
R15: ffff888014d8e6a8
[ 51.245518][ T6622] FS: 00007f1e44cb9700(0000)
GS:ffff888063c00000(0000) knlGS:0000000000000000
[ 51.246087][ T6622] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 51.246502][ T6622] CR2: 000055af26e96c80 CR3: 0000000021e44000
CR4: 0000000000750ef0
[ 51.247008][ T6622] DR0: 0000000000000000 DR1: 0000000000000000
DR2: 0000000000000000
[ 51.247510][ T6622] DR3: 0000000000000000 DR6: 00000000fffe0ff0
DR7: 0000000000000400
[ 51.248009][ T6622] PKRU: 55555554
[ 51.248239][ T6622] Call Trace:
[ 51.248457][ T6622] <TASK>
[ 51.248645][ T6622] ? reiserfs_debug+0x10/0x10
[ 51.248941][ T6622] reiserfs_update_sd_size+0xf98/0x1080
[ 51.249285][ T6622] ? restart_transaction+0x1d0/0x1d0
[ 51.249648][ T6622] ? journal_begin+0x1f1/0x350
[ 51.249964][ T6622] reiserfs_mkdir+0x715/0x8b0
[ 51.250257][ T6622] ? reiserfs_symlink+0x850/0x850
[ 51.250569][ T6622] ? down_write+0x10d/0x170
[ 51.250854][ T6622] ? down_read_killable+0x80/0x80
[ 51.251166][ T6622] ? __up_read+0x7a0/0x7a0
[ 51.251442][ T6622] reiserfs_xattr_init+0x34b/0x730
[ 51.251786][ T6622] reiserfs_fill_super+0x31bd/0x37d0
[ 51.252118][ T6622] ? widen_string+0x3a/0x340
[ 51.252411][ T6622] ? reiserfs_kill_sb+0x150/0x150
[ 51.252722][ T6622] ? string+0x2b0/0x2b0
[ 51.252983][ T6622] ? vsnprintf+0x1cd0/0x1cd0
[ 51.253269][ T6622] ? vsnprintf+0x1bf4/0x1cd0
[ 51.253566][ T6622] ? __ptr_to_hashval+0x2f0/0x2f0
[ 51.253886][ T6622] ? snprintf+0xc0/0x110
[ 51.254150][ T6622] ? vscnprintf+0x80/0x80
[ 51.254423][ T6622] ? set_blocksize+0x1d5/0x360
[ 51.254733][ T6622] mount_bdev+0x26c/0x3a0
[ 51.254996][ T6622] ? reiserfs_kill_sb+0x150/0x150
[ 51.255303][ T6622] legacy_get_tree+0xea/0x180
[ 51.255590][ T6622] ? remove_save_link+0x4a0/0x4a0
[ 51.255895][ T6622] vfs_get_tree+0x86/0x270
[ 51.256166][ T6622] path_mount+0x1a09/0x2c10
[ 51.256461][ T6622] ? kasan_quarantine_put+0xc0/0x210
[ 51.256790][ T6622] ? slab_free_freelist_hook+0x12e/0x1a0
[ 51.257137][ T6622] ? mark_mounts_for_expiry+0x520/0x520
[ 51.257478][ T6622] ? user_path_at_empty+0x149/0x1a0
[ 51.257812][ T6622] ? kmem_cache_free+0x95/0x1d0
[ 51.258119][ T6622] ? user_path_at_empty+0x149/0x1a0
[ 51.258446][ T6622] __se_sys_mount+0x2f9/0x3b0
[ 51.258738][ T6622] ? vtime_user_exit+0x2b2/0x3e0
[ 51.259032][ T6622] ? __x64_sys_mount+0xc0/0xc0
[ 51.259315][ T6622] ? syscall_enter_from_user_mode+0x2e/0x1d0
[ 51.259666][ T6622] ? lockdep_hardirqs_on+0x8d/0x130
[ 51.259990][ T6622] ? __x64_sys_mount+0x1c/0xc0
[ 51.260272][ T6622] do_syscall_64+0x3d/0x90
[ 51.260538][ T6622] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 51.260886][ T6622] RIP: 0033:0x7f1e442e948a
[ 51.261154][ T6622] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83
c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5
00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d de f9 2a 00 f7 d8
64 89 01 48
[ 51.262264][ T6622] RSP: 002b:00007f1e44cb8d38 EFLAGS: 00000286
ORIG_RAX: 00000000000000a5
[ 51.262750][ T6622] RAX: ffffffffffffffda RBX: 0000000000000000
RCX: 00007f1e442e948a
[ 51.263207][ T6622] RDX: 0000000020000000 RSI: 0000000020000100
RDI: 00007f1e44cb8e70
[ 51.263663][ T6622] RBP: 00007f1e44cb8ef0 R08: 00007f1e44cb8d70
R09: 0000000000000030
[ 51.264120][ T6622] R10: 0000000000000000 R11: 0000000000000286
R12: 00007fff8eeaa83e
[ 51.264576][ T6622] R13: 00007fff8eeaa83f R14: 00007f1e44c99000
R15: 0000000000000003
[ 51.265036][ T6622] </TASK>
[ 51.265215][ T6622] Modules linked in:
[ 51.277512][ T6622] ---[ end trace 0000000000000000 ]---
[ 51.277881][ T6622] RIP: 0010:__reiserfs_panic+0x12f/0x140
[ 51.278221][ T6622] Code: 40 fa a7 8a 48 0f 44 c8 48 0f 44 d8 48 c7
c7 40 fb a7 8a 4c 89 fe 48 89 da 4d 89 f0 49 c7 c1 a0 3e 0f 91 31 c0
e8 10 73 0a 08 <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55
48 89 e5 41
[ 51.279354][ T6622] RSP: 0018:ffffc90009997380 EFLAGS: 00010246
[ 51.279728][ T6622] RAX: 00000000000000a7 RBX: ffffffff8aa789e0
RCX: 46d2c6edc7752800
[ 51.280214][ T6622] RDX: 0000000000000000 RSI: 0000000080000000
RDI: 0000000000000000
[ 51.280695][ T6622] RBP: ffffc90009997470 R08: ffffffff816b75fc
R09: ffffed100c7867e1
[ 51.281164][ T6622] R10: ffffed100c7867e1 R11: 0000000000000000
R12: ffffffff8aa78a20
[ 51.282917][ T6622] R13: ffffc900099973a0 R14: ffffffff8c6888a2
R15: ffff888014d8e6a8
[ 51.283402][ T6622] FS: 00007f1e44cb9700(0000)
GS:ffff888063c00000(0000) knlGS:0000000000000000
[ 51.283948][ T6622] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 51.284340][ T6622] CR2: 00007efcd65b9520 CR3: 0000000021e44000
CR4: 0000000000750ef0
[ 51.284807][ T6622] DR0: 0000000000000000 DR1: 0000000000000000
DR2: 0000000000000000
[ 51.285295][ T6622] DR3: 0000000000000000 DR6: 00000000fffe0ff0
DR7: 0000000000000400
[ 51.285775][ T6622] PKRU: 55555554
[ 51.285992][ T6622] Kernel panic - not syncing: Fatal exception
[ 51.286478][ T6622] Kernel Offset: disabled
[ 51.286740][ T6622] Rebooting in 86400 seconds..
Best,
Wei
On Sun, 30 Oct 2022 at 18:25, Wei Chen <harperchen1110@gmail.com> wrote:
>
> Dear Linux Developer,
>
> Recently when using our tool to fuzz kernel, the following crash was triggered:
>
> HEAD commit: 64570fbc14f8 Linux 5.15-rc5
> git tree: upstream
> compiler: gcc 8.0.1
> console output:
> https://drive.google.com/file/d/1laVB52iSmAz7ATjvqKgcZw9Qf3pVh50t/view?usp=share_link
> kernel config: https://drive.google.com/file/d/1uDOeEYgJDcLiSOrx9W8v2bqZ6uOA_55t/view?usp=share_link
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: Wei Chen <harperchen1110@gmail.com>
>
> REISERFS (device loop0): Using rupasov hash to sort names
> REISERFS panic (device loop0): vs-13065 update_stat_data: key [1 2 0x0
> IND], found item *3.6* [1 2 0x0 IND], item_len 44, item_location 4052,
> free_space(entry_count) 0
> ------------[ cut here ]------------
> kernel BUG at fs/reiserfs/prints.c:390!
> invalid opcode: 0000 [#1] PREEMPT SMP
> CPU: 0 PID: 12506 Comm: syz-executor.0 Not tainted 5.15.0-rc5 #1
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
> RIP: 0010:__reiserfs_panic.cold.17+0x37/0x8c
> Code: d1 85 74 63 e8 e6 f4 9f fc 4c 89 f1 48 89 da 4c 89 ee 49 c7 c0
> a0 30 29 89 48 c7 c7 04 8f c0 85 e8 f1 60 fe ff e8 c5 f4 9f fc <0f> 0b
> e8 be f4 9f fc 4d 85 ed 49 c7 c4 26 a6 d1 85 74 36 e8 ad f4
> RSP: 0018:ffffc900020b7aa0 EFLAGS: 00010216
> RAX: 0000000000013eb9 RBX: ffff888016c8a000 RCX: 0000000000040000
> RDX: ffffc9000226d000 RSI: ffff888111950000 RDI: 0000000000000002
> RBP: ffffc900020b7b10 R08: ffffffff849d7e9b R09: 0000000000000000
> R10: 0000000000000005 R11: 0000000080000000 R12: ffffffff85d1a626
> R13: ffffffff85c07963 R14: ffffffff85079d30 R15: ffffc900020b7c60
> FS: 00007f3386280700(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000525b40 CR3: 0000000011cfd000 CR4: 00000000003506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> reiserfs_update_sd_size+0x33b/0x450
> reiserfs_mkdir+0x2db/0x3c0
> reiserfs_xattr_init+0x1be/0x330
> reiserfs_fill_super+0x110e/0x1620
> mount_bdev+0x23d/0x280
> legacy_get_tree+0x2e/0x90
> vfs_get_tree+0x29/0x100
> path_mount+0x58e/0x10a0
> do_mount+0x9b/0xb0
> __x64_sys_mount+0x13a/0x150
> do_syscall_64+0x34/0xb0
> entry_SYSCALL_64_after_hwframe+0x44/0xae
> RIP: 0033:0x46abda
> Code: 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f
> 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d
> 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007f338627fa48 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
> RAX: ffffffffffffffda RBX: 00007f338627faf0 RCX: 000000000046abda
> RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f338627fab0
> RBP: 0000000020000000 R08: 00007f338627faf0 R09: 0000000020000000
> R10: 0000000000000000 R11: 0000000000000206 R12: 0000000020000100
> R13: 00007f338627fab0 R14: 0000000000000001 R15: 0000000020011500
> Modules linked in:
> ---[ end trace 15f12b9b91cc8105 ]---
> RIP: 0010:__reiserfs_panic.cold.17+0x37/0x8c
> Code: d1 85 74 63 e8 e6 f4 9f fc 4c 89 f1 48 89 da 4c 89 ee 49 c7 c0
> a0 30 29 89 48 c7 c7 04 8f c0 85 e8 f1 60 fe ff e8 c5 f4 9f fc <0f> 0b
> e8 be f4 9f fc 4d 85 ed 49 c7 c4 26 a6 d1 85 74 36 e8 ad f4
> RSP: 0018:ffffc900020b7aa0 EFLAGS: 00010216
> RAX: 0000000000013eb9 RBX: ffff888016c8a000 RCX: 0000000000040000
> RDX: ffffc9000226d000 RSI: ffff888111950000 RDI: 0000000000000002
> RBP: ffffc900020b7b10 R08: ffffffff849d7e9b R09: 0000000000000000
> R10: 0000000000000005 R11: 0000000080000000 R12: ffffffff85d1a626
> R13: ffffffff85c07963 R14: ffffffff85079d30 R15: ffffc900020b7c60
> FS: 00007f3386280700(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000525b40 CR3: 0000000011cfd000 CR4: 00000000003506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>
> Best,
> Wei
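As an added triage helper, not code from either report in this thread: a small Python parser that pulls the reiserfs panic id, the `kernel BUG at` site and the reliable call-trace frames out of a report like the two above, stripping the `[ time][ Tpid]` prefix of the 2024 log and dropping `? ` frames, and derives a dedup signature. The sample log is constructed from lines in this thread; treating `mount_bdev`/`path_mount` in the trace as "reached by mounting an image" is this example's own heuristic.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines taken from the 2022 report quoted above, with the
# 2024 dmesg-style "[ time][ Tpid]" prefix added to two frames for coverage.
SAMPLE_LOG = """\
REISERFS (device loop0): Using rupasov hash to sort names
REISERFS panic (device loop0): vs-13065 update_stat_data: key [1 2 0x0 IND], found item *3.6* [1 2 0x0 IND], item_len 44, item_location 4052, free_space(entry_count) 0
kernel BUG at fs/reiserfs/prints.c:390!
Call Trace:
[   51.255895][ T6622]  ? kasan_quarantine_put+0xc0/0x210
[   51.256166][ T6622]  reiserfs_update_sd_size+0x33b/0x450
reiserfs_mkdir+0x2db/0x3c0
reiserfs_xattr_init+0x1be/0x330
reiserfs_fill_super+0x110e/0x1620
mount_bdev+0x23d/0x280
"""

PREFIX_RE = re.compile(r"^\[\s*[\d.]+\]\[\s*T\d+\]\s*")
PANIC_RE = re.compile(r"REISERFS panic \(device (?P<dev>\S+)\): "
                      r"(?P<id>[a-z]+-\d+) (?P<func>\w+): (?P<msg>.*)")
BUG_RE = re.compile(r"kernel BUG at (?P<file>[\w/.\-]+):(?P<line>\d+)!")
FRAME_RE = re.compile(r"^(?P<unreliable>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")

@dataclass
class Triage:
    device: str = ""
    panic_id: str = ""
    panic_func: str = ""
    bug_site: str = ""
    frames: list = field(default_factory=list)

    def signature(self) -> str:
        """Stable key for deduplicating reports of the same crash."""
        top = self.frames[0] if self.frames else "?"
        return f"{self.panic_id}:{self.panic_func}@{top}"

    def reached_via_mount(self) -> bool:
        """Heuristic: the panic fired while mounting an image (e.g. a loop device)."""
        return any(f in ("mount_bdev", "path_mount") for f in self.frames)

def triage_log(text: str) -> Triage:
    t, in_trace = Triage(), False
    for raw in text.splitlines():
        line = PREFIX_RE.sub("", raw).strip()   # drop dmesg timestamp/pid prefix
        if m := PANIC_RE.match(line):
            t.device, t.panic_id, t.panic_func = m["dev"], m["id"], m["func"]
        elif m := BUG_RE.match(line):
            t.bug_site = f"{m['file']}:{m['line']}"
        elif line == "Call Trace:":
            in_trace = True
        elif in_trace and (m := FRAME_RE.match(line)) and not m["unreliable"]:
            t.frames.append(m["sym"])   # "? " frames are stale stack slots, skipped
    return t
```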
Thread overview: 4+ messages
2024-09-06 2:30 kernel BUG in reiserfs_update_sd_size Hui Guo
2024-09-06 2:53 ` Matthew Wilcox
-- strict thread matches above, loose matches on Subject: below --
2022-10-30 10:25 Wei Chen
2022-11-06 16:55 ` Wei Chen