Warning: Permanently added '10.128.1.179' (ECDSA) to the list of known hosts.
syzkaller login: [ 28.110074] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 28.285881] F2FS-fs (loop0): Mismatch start address, segment0(512) cp_blkaddr(605)
[ 28.293808] F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock
[ 28.303639] F2FS-fs (loop0): invalid crc value
[ 28.311518] F2FS-fs (loop0): Found nat_bits in checkpoint
[ 28.357252] F2FS-fs (loop0): Mounted with checkpoint version = 753bd00b
[ 28.381156] ==================================================================
[ 28.388681] BUG: KASAN: use-after-free in flush_nat_entries+0x2190/0x25e0
[ 28.395598] Read of size 1 at addr ffff8880aacb1610 by task syz-executor477/7971
[ 28.403111]
[ 28.404723] CPU: 1 PID: 7971 Comm: syz-executor477 Not tainted 4.14.305-syzkaller #0
[ 28.412579] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023
[ 28.421913] Call Trace:
[ 28.424485] dump_stack+0x1b2/0x281
[ 28.428108] print_address_description.cold+0x54/0x1d3
[ 28.433382] kasan_report_error.cold+0x8a/0x191
[ 28.438042] ? flush_nat_entries+0x2190/0x25e0
[ 28.442613] __asan_report_load1_noabort+0x68/0x70
[ 28.447542] ? flush_nat_entries+0x2190/0x25e0
[ 28.452103] flush_nat_entries+0x2190/0x25e0
[ 28.456499] ? restore_node_summary+0x700/0x700
[ 28.461169] ? __submit_merged_write_cond+0x1b6/0x570
[ 28.466361] ? lock_downgrade+0x740/0x740
[ 28.470489] ? up_write+0x17/0x60
[ 28.473920] ? __submit_merged_write_cond+0x1b6/0x570
[ 28.479090] write_checkpoint+0x311/0x45f0
[ 28.483393] ? __ww_mutex_wakeup_for_backoff+0x210/0x210
[ 28.488820] ? wait_for_completion_io+0x10/0x10
[ 28.493471] ? sync_inodes_sb+0x60f/0x880
[ 28.497606] f2fs_sync_fs+0x178/0x3f0
[ 28.501390] ? trace_event_raw_event_f2fs__page+0x560/0x560
[ 28.507082] ? dput.part.0+0x56f/0x710
[ 28.510955] ? trace_event_raw_event_f2fs__page+0x560/0x560
[ 28.516644] sync_filesystem+0x185/0x230
[ 28.520685] generic_shutdown_super+0x70/0x370
[ 28.525246] kill_block_super+0x95/0xe0
[ 28.529284] deactivate_locked_super+0x6c/0xd0
[ 28.533845] deactivate_super+0x7f/0xa0
[ 28.537798] cleanup_mnt+0x186/0x2c0
[ 28.541493] task_work_run+0x11f/0x190
[ 28.545361] do_exit+0xa44/0x2850
[ 28.548794] ? __do_page_fault+0x571/0xad0
[ 28.553008] ? mm_update_next_owner+0x5b0/0x5b0
[ 28.557659] ? lock_downgrade+0x740/0x740
[ 28.561794] do_group_exit+0x100/0x2e0
[ 28.565661] SyS_exit_group+0x19/0x20
[ 28.569437] ? do_group_exit+0x2e0/0x2e0
[ 28.573479] do_syscall_64+0x1d5/0x640
[ 28.577351] entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 28.582520] RIP: 0033:0x7f3ee670e9d9
[ 28.586236] RSP: 002b:00007ffd3cd3efa8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 28.593922] RAX: ffffffffffffffda RBX: 00007f3ee678b330 RCX: 00007f3ee670e9d9
[ 28.601171] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
[ 28.608505] RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 00007f3ee6785e40
[ 28.615755] R10: 00007ffd3cd3eec0 R11: 0000000000000246 R12: 00007f3ee678b330
[ 28.623005] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 28.630258]
[ 28.631864] Allocated by task 7931:
[ 28.635476] kasan_kmalloc+0xeb/0x160
[ 28.639278] kmem_cache_alloc+0x124/0x3c0
[ 28.643405] getname_flags+0xc8/0x550
[ 28.647183] user_path_at_empty+0x2a/0x50
[ 28.651307] user_statfs+0x78/0x110
[ 28.654911] SyS_statfs+0x65/0xb0
[ 28.658345] do_syscall_64+0x1d5/0x640
[ 28.662209] entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 28.667374]
[ 28.668995] Freed by task 7931:
[ 28.672259] kasan_slab_free+0xc3/0x1a0
[ 28.676214] kmem_cache_free+0x7c/0x2b0
[ 28.680186] putname+0xcd/0x110
[ 28.683453] filename_lookup+0x37b/0x510
[ 28.687489] user_statfs+0x78/0x110
[ 28.691094] SyS_statfs+0x65/0xb0
[ 28.694524] do_syscall_64+0x1d5/0x640
[ 28.698388] entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 28.703554]
[ 28.705160] The buggy address belongs to the object at ffff8880aacb0b00
[ 28.705160] which belongs to the cache names_cache of size 4096
[ 28.717878] The buggy address is located 2832 bytes inside of
[ 28.717878] 4096-byte region [ffff8880aacb0b00, ffff8880aacb1b00)
[ 28.729905] The buggy address belongs to the page:
[ 28.734811] page:ffffea0002ab2c00 count:1 mapcount:0 mapping:ffff8880aacb0b00 index:0x0 compound_mapcount: 0
[ 28.744758] flags: 0xfff00000008100(slab|head)
[ 28.749319] raw: 00fff00000008100 ffff8880aacb0b00 0000000000000000 0000000100000001
[ 28.757202] raw: ffffea0002ab2ca0 ffffea00024eeca0 ffff88823f8c1200 0000000000000000
[ 28.765158] page dumped because: kasan: bad access detected
[ 28.770840]
[ 28.772442] Memory state around the buggy address:
[ 28.777376] ffff8880aacb1500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.784712] ffff8880aacb1580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.792046] >ffff8880aacb1600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.799381] ^
[ 28.803243] ffff8880aacb1680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.810577] ffff8880aacb1700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.817911] ==================================================================
[ 28.825251] Disabling lock debugging due to kernel taint
[ 28.842710] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 28.842710]
[ 28.850696] CPU: 0 PID: 7971 Comm: syz-executor477 Tainted: G B 4.14.305-syzkaller #0
[ 28.859776] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023
[ 28.869102] Call Trace:
[ 28.871665] dump_stack+0x1b2/0x281
[ 28.875266] panic+0x21d/0x451
[ 28.878433] ? add_taint.cold+0x16/0x16
[ 28.882399] ? ___preempt_schedule+0x16/0x18
[ 28.886790] ? preempt_schedule_common+0x45/0xc0
[ 28.891517] ? ___preempt_schedule+0x16/0x18
[ 28.895897] check_panic_on_warn.cold+0x19/0x35
[ 28.900563] kasan_end_report+0x3a/0x40
[ 28.904510] kasan_report_error.cold+0xa7/0x191
[ 28.909156] ? flush_nat_entries+0x2190/0x25e0
[ 28.913713] __asan_report_load1_noabort+0x68/0x70
[ 28.918616] ? flush_nat_entries+0x2190/0x25e0
[ 28.923170] flush_nat_entries+0x2190/0x25e0
[ 28.927555] ? restore_node_summary+0x700/0x700
[ 28.932196] ? __submit_merged_write_cond+0x1b6/0x570
[ 28.937979] ? lock_downgrade+0x740/0x740
[ 28.942102] ? up_write+0x17/0x60
[ 28.945528] ? __submit_merged_write_cond+0x1b6/0x570
[ 28.950695] write_checkpoint+0x311/0x45f0
[ 28.954906] ? __ww_mutex_wakeup_for_backoff+0x210/0x210
[ 28.960352] ? wait_for_completion_io+0x10/0x10
[ 28.964995] ? sync_inodes_sb+0x60f/0x880
[ 28.969118] f2fs_sync_fs+0x178/0x3f0
[ 28.972893] ? trace_event_raw_event_f2fs__page+0x560/0x560
[ 28.978578] ? dput.part.0+0x56f/0x710
[ 28.982439] ? trace_event_raw_event_f2fs__page+0x560/0x560
[ 28.988141] sync_filesystem+0x185/0x230
[ 28.992266] generic_shutdown_super+0x70/0x370
[ 28.996823] kill_block_super+0x95/0xe0
[ 29.000773] deactivate_locked_super+0x6c/0xd0
[ 29.005330] deactivate_super+0x7f/0xa0
[ 29.009279] cleanup_mnt+0x186/0x2c0
[ 29.012969] task_work_run+0x11f/0x190
[ 29.016855] do_exit+0xa44/0x2850
[ 29.020284] ? __do_page_fault+0x571/0xad0
[ 29.024494] ? mm_update_next_owner+0x5b0/0x5b0
[ 29.029136] ? lock_downgrade+0x740/0x740
[ 29.033262] do_group_exit+0x100/0x2e0
[ 29.037122] SyS_exit_group+0x19/0x20
[ 29.040900] ? do_group_exit+0x2e0/0x2e0
[ 29.044956] do_syscall_64+0x1d5/0x640
[ 29.048818] entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 29.053981] RIP: 0033:0x7f3ee670e9d9
[ 29.057663] RSP: 002b:00007ffd3cd3efa8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 29.065342] RAX: ffffffffffffffda RBX: 00007f3ee678b330 RCX: 00007f3ee670e9d9
[ 29.072587] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
[ 29.079830] RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 00007f3ee6785e40
[ 29.087073] R10: 00007ffd3cd3eec0 R11: 0000000000000246 R12: 00007f3ee678b330
[ 29.094315] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 29.101740] Kernel Offset: disabled
[ 29.105347] Rebooting in 86400 seconds..