Warning: Permanently added '10.128.0.158' (ECDSA) to the list of known hosts.
executing program
[ 28.536040] hrtimer: interrupt took 25578 ns
[ 28.543314] F2FS-fs (loop0): Magic Mismatch, valid(0xf2f52010) - read(0x0)
[ 28.551513] F2FS-fs (loop0): Can't find valid F2FS filesystem in 2th superblock
[ 28.562857] F2FS-fs (loop0): invalid crc value
[ 28.824427] F2FS-fs (loop0): Cannot turn on journaled quota: error -2
[ 28.919997] ==================================================================
[ 28.927423] BUG: KASAN: use-after-free in f2fs_evict_inode+0xdad/0x1070
[ 28.934149] Read of size 4 at addr ffff888095fc7470 by task syz-executor201/7993
[ 28.941664]
[ 28.943285] CPU: 0 PID: 7993 Comm: syz-executor201 Not tainted 4.14.281-syzkaller #0
[ 28.951147] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.960491] Call Trace:
[ 28.963072] dump_stack+0x1b2/0x281
[ 28.966691] print_address_description.cold+0x54/0x1d3
[ 28.971957] kasan_report_error.cold+0x8a/0x191
[ 28.976610] ? f2fs_evict_inode+0xdad/0x1070
[ 28.980994] __asan_report_load4_noabort+0x68/0x70
[ 28.985902] ? f2fs_evict_inode+0xdad/0x1070
[ 28.990300] f2fs_evict_inode+0xdad/0x1070
[ 28.994518] ? f2fs_write_inode+0x1d0/0x1d0
[ 28.998815] evict+0x2c8/0x700
[ 29.001985] iput+0x458/0x7e0
[ 29.005078] ? f2fs_show_options+0xdf0/0xdf0
[ 29.009468] dentry_unlink_inode+0x25c/0x310
[ 29.013853] __dentry_kill+0x320/0x550
[ 29.017720] shrink_dentry_list+0x2c2/0xac0
[ 29.022020] ? list_lru_walk_node+0x1b3/0x220
[ 29.026494] ? _find_next_bit+0xdb/0x100
[ 29.030558] shrink_dcache_sb+0x105/0x1b0
[ 29.034692] ? shrink_dentry_list+0xac0/0xac0
[ 29.039185] f2fs_fill_super+0x127f/0x56a0
[ 29.043418] ? snprintf+0xa5/0xd0
[ 29.046847] ? f2fs_commit_super+0x3a0/0x3a0
[ 29.051232] ? ns_test_super+0x50/0x50
[ 29.055094] ? set_blocksize+0x125/0x380
[ 29.059129] mount_bdev+0x2b3/0x360
[ 29.062731] ? f2fs_commit_super+0x3a0/0x3a0
[ 29.067115] mount_fs+0x92/0x2a0
[ 29.070464] vfs_kern_mount.part.0+0x5b/0x470
[ 29.074934] do_mount+0xe65/0x2a30
[ 29.078452] ? retint_kernel+0x2d/0x2d
[ 29.082332] ? copy_mount_string+0x40/0x40
[ 29.086547] ? __sanitizer_cov_trace_pc+0x23/0x50
[ 29.091376] ? copy_mount_options+0x1fa/0x2f0
[ 29.095849] ? copy_mnt_ns+0xa30/0xa30
[ 29.099712] SyS_mount+0xa8/0x120
[ 29.103140] ? copy_mnt_ns+0xa30/0xa30
[ 29.107000] do_syscall_64+0x1d5/0x640
[ 29.110886] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 29.116055] RIP: 0033:0x7fb02ca2c2ea
[ 29.119744] RSP: 002b:00007fb02c9d8168 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 29.127427] RAX: ffffffffffffffda RBX: 00007fb02c9d81c0 RCX: 00007fb02ca2c2ea
[ 29.134689] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fb02c9d8180
[ 29.141934] RBP: 0000000000000008 R08: 00007fb02c9d81c0 R09: 00007fb02c9d86b8
[ 29.149191] R10: 0000000000000000 R11: 0000000000000286 R12: 00007fb02c9d8180
[ 29.156438] R13: 00000000200002c0 R14: 0000000000000004 R15: 0000000000000005
[ 29.163688]
[ 29.165294] Allocated by task 7993:
[ 29.168897] kasan_kmalloc+0xeb/0x160
[ 29.172670] kmem_cache_alloc_trace+0x131/0x3d0
[ 29.177314] f2fs_fill_super+0xef/0x56a0
[ 29.181350] mount_bdev+0x2b3/0x360
[ 29.184951] mount_fs+0x92/0x2a0
[ 29.188306] vfs_kern_mount.part.0+0x5b/0x470
[ 29.192775] do_mount+0xe65/0x2a30
[ 29.196288] SyS_mount+0xa8/0x120
[ 29.199736] do_syscall_64+0x1d5/0x640
[ 29.203596] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 29.208767]
[ 29.210374] Freed by task 7993:
[ 29.213640] kasan_slab_free+0xc3/0x1a0
[ 29.217594] kfree+0xc9/0x250
[ 29.220675] f2fs_fill_super+0x1263/0x56a0
[ 29.224880] mount_bdev+0x2b3/0x360
[ 29.228481] mount_fs+0x92/0x2a0
[ 29.231823] vfs_kern_mount.part.0+0x5b/0x470
[ 29.236290] do_mount+0xe65/0x2a30
[ 29.239815] SyS_mount+0xa8/0x120
[ 29.243240] do_syscall_64+0x1d5/0x640
[ 29.247100] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 29.252355]
[ 29.253963] The buggy address belongs to the object at ffff888095fc6b40
[ 29.253963] which belongs to the cache kmalloc-4096 of size 4096
[ 29.266772] The buggy address is located 2352 bytes inside of
[ 29.266772] 4096-byte region [ffff888095fc6b40, ffff888095fc7b40)
[ 29.278798] The buggy address belongs to the page:
[ 29.283715] page:ffffea000257f180 count:1 mapcount:0 mapping:ffff888095fc6b40 index:0x0 compound_mapcount: 0
[ 29.293656] flags: 0xfff00000008100(slab|head)
[ 29.298214] raw: 00fff00000008100 ffff888095fc6b40 0000000000000000 0000000100000001
[ 29.306068] raw: ffffea0002cc7420 ffffea000257f120 ffff88813fe74dc0 0000000000000000
[ 29.313917] page dumped because: kasan: bad access detected
[ 29.319597]
[ 29.321198] Memory state around the buggy address:
[ 29.326100] ffff888095fc7300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.333429] ffff888095fc7380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.340771] >ffff888095fc7400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.348101] ^
[ 29.355085] ffff888095fc7480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.362417] ffff888095fc7500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.369747] ==================================================================
[ 29.377089] Disabling lock debugging due to kernel taint
[ 29.386834] Kernel panic - not syncing: panic_on_warn set ...
[ 29.386834]
[ 29.394200] CPU: 1 PID: 7993 Comm: syz-executor201 Tainted: G B 4.14.281-syzkaller #0
[ 29.403278] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.412613] Call Trace:
[ 29.415175] dump_stack+0x1b2/0x281
[ 29.418776] panic+0x1f9/0x42d
[ 29.421941] ? add_taint.cold+0x16/0x16
[ 29.425899] ? ___preempt_schedule+0x16/0x18
[ 29.430282] kasan_end_report+0x43/0x49
[ 29.434228] kasan_report_error.cold+0xa7/0x191
[ 29.438870] ? f2fs_evict_inode+0xdad/0x1070
[ 29.443250] __asan_report_load4_noabort+0x68/0x70
[ 29.448151] ? f2fs_evict_inode+0xdad/0x1070
[ 29.452530] f2fs_evict_inode+0xdad/0x1070
[ 29.456738] ? f2fs_write_inode+0x1d0/0x1d0
[ 29.461030] evict+0x2c8/0x700
[ 29.464202] iput+0x458/0x7e0
[ 29.467280] ? f2fs_show_options+0xdf0/0xdf0
[ 29.471658] dentry_unlink_inode+0x25c/0x310
[ 29.476038] __dentry_kill+0x320/0x550
[ 29.479898] shrink_dentry_list+0x2c2/0xac0
[ 29.484201] ? list_lru_walk_node+0x1b3/0x220
[ 29.488668] ? _find_next_bit+0xdb/0x100
[ 29.492703] shrink_dcache_sb+0x105/0x1b0
[ 29.496839] ? shrink_dentry_list+0xac0/0xac0
[ 29.501305] f2fs_fill_super+0x127f/0x56a0
[ 29.505518] ? snprintf+0xa5/0xd0
[ 29.508941] ? f2fs_commit_super+0x3a0/0x3a0
[ 29.513326] ? ns_test_super+0x50/0x50
[ 29.517186] ? set_blocksize+0x125/0x380
[ 29.521218] mount_bdev+0x2b3/0x360
[ 29.524819] ? f2fs_commit_super+0x3a0/0x3a0
[ 29.529201] mount_fs+0x92/0x2a0
[ 29.532543] vfs_kern_mount.part.0+0x5b/0x470
[ 29.537013] do_mount+0xe65/0x2a30
[ 29.540525] ? retint_kernel+0x2d/0x2d
[ 29.544387] ? copy_mount_string+0x40/0x40
[ 29.548595] ? __sanitizer_cov_trace_pc+0x23/0x50
[ 29.553409] ? copy_mount_options+0x1fa/0x2f0
[ 29.557877] ? copy_mnt_ns+0xa30/0xa30
[ 29.561734] SyS_mount+0xa8/0x120
[ 29.565158] ? copy_mnt_ns+0xa30/0xa30
[ 29.569016] do_syscall_64+0x1d5/0x640
[ 29.572880] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 29.578041] RIP: 0033:0x7fb02ca2c2ea
[ 29.581743] RSP: 002b:00007fb02c9d8168 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 29.589423] RAX: ffffffffffffffda RBX: 00007fb02c9d81c0 RCX: 00007fb02ca2c2ea
[ 29.596679] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fb02c9d8180
[ 29.603920] RBP: 0000000000000008 R08: 00007fb02c9d81c0 R09: 00007fb02c9d86b8
[ 29.611160] R10: 0000000000000000 R11: 0000000000000286 R12: 00007fb02c9d8180
[ 29.618418] R13: 00000000200002c0 R14: 0000000000000004 R15: 0000000000000005
[ 29.625739] Kernel Offset: disabled
[ 29.629344] Rebooting in 86400 seconds..