[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.68' (ECDSA) to the list of known hosts.
syzkaller login: [ 32.711830] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 32.770736] F2FS-fs (loop0): Magic Mismatch, valid(0xf2f52010) - read(0x0)
[ 32.778223] F2FS-fs (loop0): Can't find valid F2FS filesystem in 2th superblock
[ 32.787427] F2FS-fs (loop0): invalid crc value
[ 32.797945] ==================================================================
[ 32.805388] BUG: KASAN: slab-out-of-bounds in f2fs_build_segment_manager+0xa926/0xad90
[ 32.813421] Read of size 4 at addr ffff8880af308ca4 by task syz-executor929/8109
[ 32.820947]
[ 32.822577] CPU: 1 PID: 8109 Comm: syz-executor929 Not tainted 4.19.211-syzkaller #0
[ 32.830439] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022
[ 32.839877] Call Trace:
[ 32.842453]  dump_stack+0x1fc/0x2ef
[ 32.846075]  print_address_description.cold+0x54/0x219
[ 32.851337]  kasan_report_error.cold+0x8a/0x1b9
[ 32.855994]  ? f2fs_build_segment_manager+0xa926/0xad90
[ 32.861342]  __asan_report_load4_noabort+0x88/0x90
[ 32.866278]  ? f2fs_build_segment_manager+0xa926/0xad90
[ 32.871719]  f2fs_build_segment_manager+0xa926/0xad90
[ 32.876907]  ? f2fs_flush_sit_entries+0x33a0/0x33a0
[ 32.881910]  ? map_id_range_down+0x1c4/0x340
[ 32.886321]  ? __cpuusage_read+0x160/0x1f0
[ 32.890552]  ? __lockdep_init_map+0x100/0x5a0
[ 32.895042]  f2fs_fill_super+0x31d9/0x7050
[ 32.899276]  ? snprintf+0xbb/0xf0
[ 32.902710]  ? f2fs_commit_super+0x400/0x400
[ 32.907123]  ? wait_for_completion_io+0x10/0x10
[ 32.911783]  ? set_blocksize+0x163/0x3f0
[ 32.915832]  mount_bdev+0x2fc/0x3b0
[ 32.919442]  ? f2fs_commit_super+0x400/0x400
[ 32.923850]  mount_fs+0xa3/0x310
[ 32.927215]  vfs_kern_mount.part.0+0x68/0x470
[ 32.931696]  do_mount+0x115c/0x2f50
[ 32.935305]  ? do_raw_spin_unlock+0x171/0x230
[ 32.939783]  ? check_preemption_disabled+0x41/0x280
[ 32.944780]  ? copy_mount_string+0x40/0x40
[ 32.948996]  ? copy_mount_options+0x59/0x380
[ 32.953390]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 32.958404]  ? kmem_cache_alloc_trace+0x323/0x380
[ 32.963230]  ? copy_mount_options+0x26f/0x380
[ 32.967723]  ksys_mount+0xcf/0x130
[ 32.971253]  __x64_sys_mount+0xba/0x150
[ 32.975224]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 32.979791]  do_syscall_64+0xf9/0x620
[ 32.983583]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 32.988806] RIP: 0033:0x7f1a9456f99a
[ 32.992504] Code: 48 c7 c2 c0 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 d8 00 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 33.011386] RSP: 002b:00007fff5803b418 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 33.019073] RAX: ffffffffffffffda RBX: 00007fff5803b470 RCX: 00007f1a9456f99a
[ 33.026321] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fff5803b430
[ 33.033579] RBP: 00007fff5803b430 R08: 00007fff5803b470 R09: 0000000000000000
[ 33.040838] R10: 0000000000000000 R11: 0000000000000286 R12: 00000000200002a8
[ 33.048180] R13: 0000000000000003 R14: 0000000000000004 R15: 0000000000000007
[ 33.055466]
[ 33.057076] Allocated by task 8109:
[ 33.060688]  __kmalloc_node+0x4c/0x70
[ 33.064470]  kvmalloc_node+0x61/0xf0
[ 33.068172]  f2fs_build_segment_manager+0x213d/0xad90
[ 33.073362]  f2fs_fill_super+0x31d9/0x7050
[ 33.077586]  mount_bdev+0x2fc/0x3b0
[ 33.081200]  mount_fs+0xa3/0x310
[ 33.084563]  vfs_kern_mount.part.0+0x68/0x470
[ 33.089046]  do_mount+0x115c/0x2f50
[ 33.092656]  ksys_mount+0xcf/0x130
[ 33.096177]  __x64_sys_mount+0xba/0x150
[ 33.100131]  do_syscall_64+0xf9/0x620
[ 33.103915]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 33.109084]
[ 33.110693] Freed by task 0:
[ 33.113702] (stack is not available)
[ 33.117390]
[ 33.118998] The buggy address belongs to the object at ffff8880af308c80
[ 33.118998]  which belongs to the cache kmalloc-64 of size 64
[ 33.131500] The buggy address is located 36 bytes inside of
[ 33.131500]  64-byte region [ffff8880af308c80, ffff8880af308cc0)
[ 33.143182] The buggy address belongs to the page:
[ 33.148107] page:ffffea0002bcc200 count:1 mapcount:0 mapping:ffff88813bff0340 index:0x0
[ 33.156252] flags: 0xfff00000000100(slab)
[ 33.160419] raw: 00fff00000000100 ffffea0002a90248 ffff88813bff1348 ffff88813bff0340
[ 33.168297] raw: 0000000000000000 ffff8880af308000 0000000100000020 0000000000000000
[ 33.176157] page dumped because: kasan: bad access detected
[ 33.181841]
[ 33.183444] Memory state around the buggy address:
[ 33.188353]  ffff8880af308b80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 33.195693]  ffff8880af308c00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 33.203032] >ffff8880af308c80: 00 00 00 00 04 fc fc fc fc fc fc fc fc fc fc fc
[ 33.210367]                                ^
[ 33.214771]  ffff8880af308d00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 33.222196]  ffff8880af308d80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 33.229546] ==================================================================
[ 33.236880] Disabling lock debugging due to kernel taint
[ 33.245354] Kernel panic - not syncing: panic_on_warn set ...
[ 33.245354]
[ 33.252732] CPU: 1 PID: 8109 Comm: syz-executor929 Tainted: G B 4.19.211-syzkaller #0
[ 33.262020] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022
[ 33.271358] Call Trace:
[ 33.273927]  dump_stack+0x1fc/0x2ef
[ 33.277538]  panic+0x26a/0x50e
[ 33.280728]  ? __warn_printk+0xf3/0xf3
[ 33.284602]  ? preempt_schedule_common+0x45/0xc0
[ 33.289340]  ? ___preempt_schedule+0x16/0x18
[ 33.293732]  ? trace_hardirqs_on+0x55/0x210
[ 33.298039]  kasan_end_report+0x43/0x49
[ 33.301997]  kasan_report_error.cold+0xa7/0x1b9
[ 33.306648]  ? f2fs_build_segment_manager+0xa926/0xad90
[ 33.311993]  __asan_report_load4_noabort+0x88/0x90
[ 33.316906]  ? f2fs_build_segment_manager+0xa926/0xad90
[ 33.322249]  f2fs_build_segment_manager+0xa926/0xad90
[ 33.327423]  ? f2fs_flush_sit_entries+0x33a0/0x33a0
[ 33.332417]  ? map_id_range_down+0x1c4/0x340
[ 33.336808]  ? __cpuusage_read+0x160/0x1f0
[ 33.341020]  ? __lockdep_init_map+0x100/0x5a0
[ 33.345502]  f2fs_fill_super+0x31d9/0x7050
[ 33.349719]  ? snprintf+0xbb/0xf0
[ 33.353151]  ? f2fs_commit_super+0x400/0x400
[ 33.357538]  ? wait_for_completion_io+0x10/0x10
[ 33.362188]  ? set_blocksize+0x163/0x3f0
[ 33.366243]  mount_bdev+0x2fc/0x3b0
[ 33.369853]  ? f2fs_commit_super+0x400/0x400
[ 33.374243]  mount_fs+0xa3/0x310
[ 33.377615]  vfs_kern_mount.part.0+0x68/0x470
[ 33.382100]  do_mount+0x115c/0x2f50
[ 33.385714]  ? do_raw_spin_unlock+0x171/0x230
[ 33.390196]  ? check_preemption_disabled+0x41/0x280
[ 33.395192]  ? copy_mount_string+0x40/0x40
[ 33.399408]  ? copy_mount_options+0x59/0x380
[ 33.403799]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 33.408794]  ? kmem_cache_alloc_trace+0x323/0x380
[ 33.413620]  ? copy_mount_options+0x26f/0x380
[ 33.418097]  ksys_mount+0xcf/0x130
[ 33.421617]  __x64_sys_mount+0xba/0x150
[ 33.425573]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 33.430139]  do_syscall_64+0xf9/0x620
[ 33.433923]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 33.439103] RIP: 0033:0x7f1a9456f99a
[ 33.442797] Code: 48 c7 c2 c0 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 d8 00 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 33.461688] RSP: 002b:00007fff5803b418 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 33.469379] RAX: ffffffffffffffda RBX: 00007fff5803b470 RCX: 00007f1a9456f99a
[ 33.476626] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fff5803b430
[ 33.483876] RBP: 00007fff5803b430 R08: 00007fff5803b470 R09: 0000000000000000
[ 33.491226] R10: 0000000000000000 R11: 0000000000000286 R12: 00000000200002a8
[ 33.498490] R13: 0000000000000003 R14: 0000000000000004 R15: 0000000000000007
[ 33.505908] Kernel Offset: disabled
[ 33.509519] Rebooting in 86400 seconds..