INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.34' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 24.472640] F2FS-fs (loop0): Magic Mismatch, valid(0xf2f52010) - read(0x0)
[ 24.479681] F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock
[ 24.487763] F2FS-fs (loop0): invalid crc value
[ 24.493373] ==================================================================
[ 24.500729] BUG: KASAN: use-after-free in build_segment_manager+0x962a/0x9d30
[ 24.507973] Read of size 4 at addr ffff8801b9ecab00 by task syzkaller096936/3801
[ 24.515472]
[ 24.517080] CPU: 1 PID: 3801 Comm: syzkaller096936 Not tainted 4.9.95-g13cc540 #2
[ 24.525124] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 24.534451]  ffff8801b9d37870 ffffffff81eb0ba9 ffffea0006e7b200 ffff8801b9ecab00
[ 24.542443]  0000000000000000 ffff8801b9ecab00 ffff8801b5b92200 ffff8801b9d378a8
[ 24.550447]  ffffffff815653cb ffff8801b9ecab00 0000000000000004 0000000000000000
[ 24.558425] Call Trace:
[ 24.560986]  [] dump_stack+0xc1/0x128
[ 24.566322]  [] print_address_description+0x6c/0x234
[ 24.572958]  [] kasan_report.cold.6+0x242/0x2fe
[ 24.579162]  [] ? build_segment_manager+0x962a/0x9d30
[ 24.585885]  [] __asan_report_load4_noabort+0x14/0x20
[ 24.592609]  [] build_segment_manager+0x962a/0x9d30
[ 24.599158]  [] ? flush_sit_entries+0x2560/0x2560
[ 24.605535]  [] ? __raw_spin_lock_init+0x2d/0x100
[ 24.611910]  [] f2fs_fill_super+0x1d10/0x5d00
[ 24.617940]  [] ? vsnprintf+0x1a8/0x1840
[ 24.623537]  [] ? vsprintf+0x40/0x40
[ 24.628786]  [] ? f2fs_commit_super+0x3c0/0x3c0
[ 24.634992]  [] ? set_blocksize+0x267/0x300
[ 24.640848]  [] ? set_bdev_super+0x150/0x150
[ 24.646791]  [] mount_bdev+0x2c7/0x390
[ 24.652212]  [] ? f2fs_commit_super+0x3c0/0x3c0
[ 24.658412]  [] f2fs_mount+0x34/0x40
[ 24.663663]  [] mount_fs+0x28c/0x370
[ 24.668908]  [] vfs_kern_mount.part.29+0xd1/0x3d0
[ 24.675292]  [] ? ns_capable_common+0x12a/0x150
[ 24.681497]  [] do_mount+0x3c9/0x2740
[ 24.686847]  [] ? copy_mount_string+0x40/0x40
[ 24.692889]  [] ? kasan_unpoison_shadow+0x35/0x50
[ 24.699275]  [] ? kasan_kmalloc+0xc7/0xe0
[ 24.704971]  [] ? kmem_cache_alloc_trace+0xfd/0x2b0
[ 24.711537]  [] ? copy_mount_options+0x5f/0x320
[ 24.717743]  [] ? copy_mount_options+0x1e5/0x320
[ 24.724038]  [] SyS_mount+0xfe/0x110
[ 24.729293]  [] ? copy_mnt_ns+0x8e0/0x8e0
[ 24.734984]  [] do_syscall_64+0x1a6/0x490
[ 24.740665]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 24.747558]
[ 24.749159] Allocated by task 0:
[ 24.752496]  save_stack_trace+0x16/0x20
[ 24.756442]  save_stack+0x43/0xd0
[ 24.759866]  kasan_kmalloc+0xc7/0xe0
[ 24.763546]  kasan_slab_alloc+0x12/0x20
[ 24.767501]  __kmalloc_track_caller+0xdc/0x2b0
[ 24.772234]  __kmalloc_reserve.isra.37+0x33/0xc0
[ 24.776960]  __alloc_skb+0x11a/0x600
[ 24.780643]  tcp_send_ack+0x10c/0x670
[ 24.784412]  __tcp_ack_snd_check+0x1bf/0x390
[ 24.788789]  tcp_rcv_established+0x610/0x20c0
[ 24.793252]  tcp_v4_do_rcv+0x59f/0x950
[ 24.797110]  tcp_v4_rcv+0x29c4/0x3110
[ 24.800880]  ip_local_deliver_finish+0x257/0xa60
[ 24.805604]  ip_local_deliver+0x389/0x4d0
[ 24.809723]  ip_rcv_finish+0x6d6/0x1920
[ 24.813667]  ip_rcv+0xb0b/0x1370
[ 24.817008]  __netif_receive_skb_core+0x12a0/0x2a20
[ 24.821993]  __netif_receive_skb+0x5b/0x1b0
[ 24.826288]  netif_receive_skb_internal+0xf1/0x3a0
[ 24.831197]  napi_gro_receive+0x20c/0x400
[ 24.835318]  virtnet_receive+0x71b/0x1c60
[ 24.839436]  virtnet_poll+0x26/0x140
[ 24.843122]  net_rx_action+0x3c4/0xde0
[ 24.846989]  __do_softirq+0x20b/0x937
[ 24.850760]
[ 24.852357] Freed by task 0:
[ 24.855349]  save_stack_trace+0x16/0x20
[ 24.859292]  save_stack+0x43/0xd0
[ 24.862712]  kasan_slab_free+0x72/0xc0
[ 24.866568]  kfree+0xfb/0x310
[ 24.869644]  skb_free_head+0x8b/0xb0
[ 24.873327]  skb_release_data+0x329/0x400
[ 24.877443]  skb_release_all+0x4a/0x60
[ 24.881302]  consume_skb+0xc6/0x340
[ 24.884915]  __dev_kfree_skb_any+0x58/0x70
[ 24.889122]  free_old_xmit_skbs.isra.51+0x1bf/0x2b0
[ 24.894109]  start_xmit+0x121/0x1400
[ 24.897799]  dev_hard_start_xmit+0x197/0x8b0
[ 24.902188]  sch_direct_xmit+0x2bc/0x590
[ 24.906216]  __dev_queue_xmit+0x1742/0x2080
[ 24.910514]  dev_queue_xmit+0x17/0x20
[ 24.914285]  ip_finish_output2+0xcab/0x1110
[ 24.918576]  ip_finish_output+0x683/0xac0
[ 24.922695]  ip_output+0x1cd/0x550
[ 24.926212]  ip_local_out+0x9b/0x180
[ 24.929894]  ip_queue_xmit+0x897/0x1b60
[ 24.933849]  tcp_transmit_skb+0x168c/0x2e30
[ 24.938142]  tcp_send_ack+0x475/0x670
[ 24.941911]  __tcp_ack_snd_check+0x1bf/0x390
[ 24.946288]  tcp_rcv_established+0x610/0x20c0
[ 24.950751]  tcp_v4_do_rcv+0x59f/0x950
[ 24.954608]  tcp_v4_rcv+0x29c4/0x3110
[ 24.958381]  ip_local_deliver_finish+0x257/0xa60
[ 24.963105]  ip_local_deliver+0x389/0x4d0
[ 24.967222]  ip_rcv_finish+0x6d6/0x1920
[ 24.971166]  ip_rcv+0xb0b/0x1370
[ 24.974502]  __netif_receive_skb_core+0x12a0/0x2a20
[ 24.979486]  __netif_receive_skb+0x5b/0x1b0
[ 24.983777]  netif_receive_skb_internal+0xf1/0x3a0
[ 24.988677]  napi_gro_receive+0x20c/0x400
[ 24.992794]  virtnet_receive+0x71b/0x1c60
[ 24.996910]  virtnet_poll+0x26/0x140
[ 25.000590]  net_rx_action+0x3c4/0xde0
[ 25.004445]  __do_softirq+0x20b/0x937
[ 25.008209]
[ 25.009813] The buggy address belongs to the object at ffff8801b9eca880
[ 25.009813]  which belongs to the cache kmalloc-1024 of size 1024
[ 25.022614] The buggy address is located 640 bytes inside of
[ 25.022614]  1024-byte region [ffff8801b9eca880, ffff8801b9ecac80)
[ 25.034544] The buggy address belongs to the page:
[ 25.039447] page:ffffea0006e7b200 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 25.049617] flags: 0x8000000000004080(slab|head)
[ 25.054342] page dumped because: kasan: bad access detected
[ 25.060017]
[ 25.061614] Memory state around the buggy address:
[ 25.066511]  ffff8801b9ecaa00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.073850]  ffff8801b9ecaa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.081183] >ffff8801b9ecab00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.088509]                    ^
[ 25.091844]  ffff8801b9ecab80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.099183]  ffff8801b9ecac00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.106510] ==================================================================
[ 25.113837] Disabling lock debugging due to kernel taint
[ 25.119531] Kernel panic - not syncing: panic_on_warn set ...
[ 25.119531]
[ 25.126876] CPU: 1 PID: 3801 Comm: syzkaller096936 Tainted: G    B   4.9.95-g13cc540 #2
[ 25.135683] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.145009]  ffff8801b9d377d0 ffffffff81eb0ba9 ffffffff841c4485 00000000ffffffff
[ 25.152998]  0000000000000000 0000000000000001 ffff8801b5b92200 ffff8801b9d37890
[ 25.160970]  ffffffff8141f945 0000000041b58ab3 ffffffff841b7b88 ffffffff8141f786
[ 25.168947] Call Trace:
[ 25.171511]  [] dump_stack+0xc1/0x128
[ 25.176844]  [] panic+0x1bf/0x3bc
[ 25.181833]  [] ? add_taint.cold.6+0x16/0x16
[ 25.187771]  [] ? ___preempt_schedule+0x16/0x18
[ 25.193978]  [] kasan_end_report+0x47/0x4f
[ 25.199747]  [] kasan_report.cold.6+0x76/0x2fe
[ 25.205866]  [] ? build_segment_manager+0x962a/0x9d30
[ 25.212592]  [] __asan_report_load4_noabort+0x14/0x20
[ 25.219314]  [] build_segment_manager+0x962a/0x9d30
[ 25.225863]  [] ? flush_sit_entries+0x2560/0x2560
[ 25.232248]  [] ? __raw_spin_lock_init+0x2d/0x100
[ 25.238625]  [] f2fs_fill_super+0x1d10/0x5d00
[ 25.244656]  [] ? vsnprintf+0x1a8/0x1840
[ 25.250257]  [] ? vsprintf+0x40/0x40
[ 25.255515]  [] ? f2fs_commit_super+0x3c0/0x3c0
[ 25.261722]  [] ? set_blocksize+0x267/0x300
[ 25.267583]  [] ? set_bdev_super+0x150/0x150
[ 25.273525]  [] mount_bdev+0x2c7/0x390
[ 25.278949]  [] ? f2fs_commit_super+0x3c0/0x3c0
[ 25.285151]  [] f2fs_mount+0x34/0x40
[ 25.290409]  [] mount_fs+0x28c/0x370
[ 25.295655]  [] vfs_kern_mount.part.29+0xd1/0x3d0
[ 25.302034]  [] ? ns_capable_common+0x12a/0x150
[ 25.308244]  [] do_mount+0x3c9/0x2740
[ 25.313577]  [] ? copy_mount_string+0x40/0x40
[ 25.319614]  [] ? kasan_unpoison_shadow+0x35/0x50
[ 25.325988]  [] ? kasan_kmalloc+0xc7/0xe0
[ 25.331672]  [] ? kmem_cache_alloc_trace+0xfd/0x2b0
[ 25.338226]  [] ? copy_mount_options+0x5f/0x320
[ 25.344428]  [] ? copy_mount_options+0x1e5/0x320
[ 25.350719]  [] SyS_mount+0xfe/0x110
[ 25.355963]  [] ? copy_mnt_ns+0x8e0/0x8e0
[ 25.361645]  [] do_syscall_64+0x1a6/0x490
[ 25.367324]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 25.374740] Dumping ftrace buffer:
[ 25.378259]    (ftrace buffer empty)
[ 25.381937] Kernel Offset: disabled
[ 25.385535] Rebooting in 86400 seconds..