Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.95' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 40.373072] audit: type=1400 audit(1602926761.007:8): avc: denied { execmem } for pid=6503 comm="syz-executor250" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 40.380498] F2FS-fs (loop0): Magic Mismatch, valid(0xf2f52010) - read(0x0)
[ 40.400598] F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock
[ 40.411926] F2FS-fs (loop0): Fix alignment : done, start(4096) end(147456) block(12288)
[ 40.421551] F2FS-fs (loop0): invalid crc value
[ 40.430861] ==================================================================
[ 40.438340] BUG: KASAN: slab-out-of-bounds in f2fs_build_segment_manager+0x8ed7/0xa980
[ 40.446400] Read of size 8 at addr ffff8880a3b31ba8 by task syz-executor250/6503
[ 40.453944]
[ 40.455562] CPU: 0 PID: 6503 Comm: syz-executor250 Not tainted 4.19.150-syzkaller #0
[ 40.463436] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.472770] Call Trace:
[ 40.475348]  dump_stack+0x22c/0x33e
[ 40.478975]  print_address_description.cold+0x56/0x25c
[ 40.484235]  kasan_report_error.cold+0x66/0xb9
[ 40.488822]  ? f2fs_build_segment_manager+0x8ed7/0xa980
[ 40.494178]  __asan_report_load8_noabort+0x88/0x90
[ 40.499090]  ? f2fs_build_segment_manager+0x8ed7/0xa980
[ 40.504437]  f2fs_build_segment_manager+0x8ed7/0xa980
[ 40.509639]  ? f2fs_flush_sit_entries+0x37c0/0x37c0
[ 40.514638]  ? map_id_range_down+0x293/0x340
[ 40.519029]  ? debug_mutex_wake_waiter+0x380/0x3e0
[ 40.523938]  ? __lockdep_init_map+0x100/0x5c0
[ 40.528431]  f2fs_fill_super+0x2173/0x7920
[ 40.532671]  ? snprintf+0xbb/0xf0
[ 40.536118]  ? f2fs_commit_super+0x400/0x400
[ 40.540511]  ? __mutex_add_waiter+0x160/0x160
[ 40.544993]  ? set_blocksize+0x163/0x3f0
[ 40.549039]  mount_bdev+0x2fc/0x3b0
[ 40.552654]  ? f2fs_commit_super+0x400/0x400
[ 40.557047]  mount_fs+0xa3/0x318
[ 40.560410]  vfs_kern_mount.part.0+0x68/0x470
[ 40.564903]  do_mount+0x51c/0x2f10
[ 40.568443]  ? check_preemption_disabled+0x41/0x2b0
[ 40.574570]  ? copy_mount_string+0x40/0x40
[ 40.578790]  ? kmem_cache_alloc_trace+0x379/0x4b0
[ 40.583623]  ? _copy_from_user+0xd2/0x130
[ 40.587802]  ? copy_mount_options+0x261/0x370
[ 40.592286]  ksys_mount+0xcf/0x130
[ 40.595812]  __x64_sys_mount+0xba/0x150
[ 40.599794]  ? lockdep_hardirqs_on+0x3c1/0x5e0
[ 40.604360]  do_syscall_64+0xf9/0x670
[ 40.608147]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 40.613318] RIP: 0033:0x446ffa
[ 40.616506] Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 fd ad fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 da ad fb ff c3 66 0f 1f 84 00 00 00 00 00
[ 40.635389] RSP: 002b:00007ffc8ced3aa8 EFLAGS: 00000297 ORIG_RAX: 00000000000000a5
[ 40.643078] RAX: ffffffffffffffda RBX: 00007ffc8ced3b00 RCX: 0000000000446ffa
[ 40.650330] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffc8ced3ac0
[ 40.657594] RBP: 00007ffc8ced3ac0 R08: 00007ffc8ced3b00 R09: 00007ffc00000015
[ 40.664865] R10: 0000000000000000 R11: 0000000000000297 R12: 0000000000000008
[ 40.672132] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 40.679410]
[ 40.681026] Allocated by task 6503:
[ 40.684650]  __kmalloc_node+0x4c/0x70
[ 40.688442]  kvmalloc_node+0x61/0xf0
[ 40.692138]  f2fs_build_segment_manager+0xd2e/0xa980
[ 40.697232]  f2fs_fill_super+0x2173/0x7920
[ 40.701449]  mount_bdev+0x2fc/0x3b0
[ 40.705068]  mount_fs+0xa3/0x318
[ 40.708427]  vfs_kern_mount.part.0+0x68/0x470
[ 40.712901]  do_mount+0x51c/0x2f10
[ 40.716416]  ksys_mount+0xcf/0x130
[ 40.719952]  __x64_sys_mount+0xba/0x150
[ 40.723909]  do_syscall_64+0xf9/0x670
[ 40.727778]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 40.733043]
[ 40.734647] Freed by task 0:
[ 40.737637] (stack is not available)
[ 40.741327]
[ 40.743368] The buggy address belongs to the object at ffff8880a3b31700
[ 40.743368]  which belongs to the cache kmalloc-2048 of size 2048
[ 40.756330] The buggy address is located 1192 bytes inside of
[ 40.756330]  2048-byte region [ffff8880a3b31700, ffff8880a3b31f00)
[ 40.768364] The buggy address belongs to the page:
[ 40.773364] page:ffffea00028ecc00 count:1 mapcount:0 mapping:ffff88812c3f6c40 index:0x0 compound_mapcount: 0
[ 40.783312] flags: 0xfffe0000008100(slab|head)
[ 40.787909] raw: 00fffe0000008100 ffffea0002588888 ffff88812c3f4948 ffff88812c3f6c40
[ 40.796730] raw: 0000000000000000 ffff8880a3b30600 0000000100000003 0000000000000000
[ 40.804603] page dumped because: kasan: bad access detected
[ 40.810303]
[ 40.811915] Memory state around the buggy address:
[ 40.816848]  ffff8880a3b31a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 40.824191]  ffff8880a3b31b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 40.831530] >ffff8880a3b31b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 40.838894]                                   ^
[ 40.843549]  ffff8880a3b31c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 40.850896]  ffff8880a3b31c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 40.858236] ==================================================================
[ 40.865589] Disabling lock debugging due to kernel taint
[ 40.871785] Kernel panic - not syncing: panic_on_warn set ...
[ 40.871785]
[ 40.879250] CPU: 0 PID: 6503 Comm: syz-executor250 Tainted: G B 4.19.150-syzkaller #0
[ 40.888517] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.897864] Call Trace:
[ 40.901412]  dump_stack+0x22c/0x33e
[ 40.905087]  panic+0x2ac/0x565
[ 40.908285]  ? __warn_printk+0xf3/0xf3
[ 40.912171]  ? preempt_schedule_common+0x45/0xc0
[ 40.917618]  ? ___preempt_schedule+0x16/0x18
[ 40.922035]  ? trace_hardirqs_on+0x55/0x210
[ 40.926340]  kasan_end_report+0x43/0x49
[ 40.930310]  kasan_report_error.cold+0x83/0xb9
[ 40.934875]  ? f2fs_build_segment_manager+0x8ed7/0xa980
[ 40.940227]  __asan_report_load8_noabort+0x88/0x90
[ 40.945142]  ? f2fs_build_segment_manager+0x8ed7/0xa980
[ 40.950490]  f2fs_build_segment_manager+0x8ed7/0xa980
[ 40.955678]  ? f2fs_flush_sit_entries+0x37c0/0x37c0
[ 40.960698]  ? map_id_range_down+0x293/0x340
[ 40.965093]  ? debug_mutex_wake_waiter+0x380/0x3e0
[ 40.970017]  ? __lockdep_init_map+0x100/0x5c0
[ 40.974521]  f2fs_fill_super+0x2173/0x7920
[ 40.978746]  ? snprintf+0xbb/0xf0
[ 40.982182]  ? f2fs_commit_super+0x400/0x400
[ 40.986585]  ? __mutex_add_waiter+0x160/0x160
[ 40.991067]  ? set_blocksize+0x163/0x3f0
[ 40.995117]  mount_bdev+0x2fc/0x3b0
[ 40.998737]  ? f2fs_commit_super+0x400/0x400
[ 41.003139]  mount_fs+0xa3/0x318
[ 41.006496]  vfs_kern_mount.part.0+0x68/0x470
[ 41.010983]  do_mount+0x51c/0x2f10
[ 41.014511]  ? check_preemption_disabled+0x41/0x2b0
[ 41.019527]  ? copy_mount_string+0x40/0x40
[ 41.023749]  ? kmem_cache_alloc_trace+0x379/0x4b0
[ 41.028576]  ? _copy_from_user+0xd2/0x130
[ 41.032709]  ? copy_mount_options+0x261/0x370
[ 41.037185]  ksys_mount+0xcf/0x130
[ 41.040722]  __x64_sys_mount+0xba/0x150
[ 41.045115]  ? lockdep_hardirqs_on+0x3c1/0x5e0
[ 41.049684]  do_syscall_64+0xf9/0x670
[ 41.053472]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 41.058643] RIP: 0033:0x446ffa
[ 41.061818] Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 fd ad fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 da ad fb ff c3 66 0f 1f 84 00 00 00 00 00
[ 41.080710] RSP: 002b:00007ffc8ced3aa8 EFLAGS: 00000297 ORIG_RAX: 00000000000000a5
[ 41.088403] RAX: ffffffffffffffda RBX: 00007ffc8ced3b00 RCX: 0000000000446ffa
[ 41.095657] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffc8ced3ac0
[ 41.102910] RBP: 00007ffc8ced3ac0 R08: 00007ffc8ced3b00 R09: 00007ffc00000015
[ 41.110160] R10: 0000000000000000 R11: 0000000000000297 R12: 0000000000000008
[ 41.117410] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 41.125763] Kernel Offset: disabled
[ 41.129381] Rebooting in 86400 seconds..