[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.197' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   34.878390] hrtimer: interrupt took 47424 ns
[   34.896268] F2FS-fs (loop0): Magic Mismatch, valid(0xf2f52010) - read(0x0)
[   34.904332] F2FS-fs (loop0): Can't find valid F2FS filesystem in 2th superblock
[   34.921219] F2FS-fs (loop0): invalid crc value
[   34.987812] F2FS-fs (loop0): f2fs_check_nid_range: out-of-range nid=1, run fsck to fix.
[   34.996626] F2FS-fs (loop0): f2fs_check_nid_range: out-of-range nid=2, run fsck to fix.
[   35.319870] F2FS-fs (loop0): Cannot turn on quotas: -2 on 1
[   35.406936] ==================================================================
[   35.414354] BUG: KASAN: use-after-free in f2fs_evict_inode+0x100b/0x1330
[   35.421172] Read of size 4 at addr ffff88809516cf10 by task syz-executor397/8089
[   35.428680]
[   35.430293] CPU: 1 PID: 8089 Comm: syz-executor397 Not tainted 4.19.211-syzkaller #0
[   35.438151] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   35.447488] Call Trace:
[   35.450059]  dump_stack+0x1fc/0x2ef
[   35.453682]  print_address_description.cold+0x54/0x219
[   35.458940]  kasan_report_error.cold+0x8a/0x1b9
[   35.463591]  ? f2fs_evict_inode+0x100b/0x1330
[   35.468089]  __asan_report_load4_noabort+0x88/0x90
[   35.473001]  ? f2fs_evict_inode+0x100b/0x1330
[   35.477504]  f2fs_evict_inode+0x100b/0x1330
[   35.481810]  ? f2fs_write_inode+0x600/0x600
[   35.486112]  evict+0x2ed/0x760
[   35.489290]  iput+0x4f1/0x860
[   35.492382]  dentry_unlink_inode+0x265/0x320
[   35.496771]  __dentry_kill+0x3c0/0x640
[   35.500639]  dentry_kill+0xc4/0x510
[   35.504247]  shrink_dentry_list+0x2ab/0x6e0
[   35.508553]  shrink_dcache_sb+0x144/0x220
[   35.512682]  ? shrink_dentry_list+0x6e0/0x6e0
[   35.517160]  ? f2fs_fill_super+0x1448/0x7050
[   35.521546]  ? f2fs_fill_super+0x1458/0x7050
[   35.525934]  f2fs_fill_super+0x1461/0x7050
[   35.530162]  ? snprintf+0xbb/0xf0
[   35.533596]  ? f2fs_commit_super+0x400/0x400
[   35.537984]  ? wait_for_completion_io+0x10/0x10
[   35.542632]  ? set_blocksize+0x163/0x3f0
[   35.546673]  mount_bdev+0x2fc/0x3b0
[   35.550281]  ? f2fs_commit_super+0x400/0x400
[   35.554669]  mount_fs+0xa3/0x310
[   35.558020]  vfs_kern_mount.part.0+0x68/0x470
[   35.562499]  do_mount+0x115c/0x2f50
[   35.566107]  ? rcu_nmi_exit+0xb3/0x180
[   35.569974]  ? copy_mount_string+0x40/0x40
[   35.574191]  ? copy_mount_options+0x1cd/0x380
[   35.578668]  ? copy_mount_options+0x1da/0x380
[   35.583143]  ? copy_mount_options+0x1e9/0x380
[   35.587634]  ? copy_mount_options+0x26f/0x380
[   35.592110]  ksys_mount+0xcf/0x130
[   35.595634]  __x64_sys_mount+0xba/0x150
[   35.599592]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[   35.604154]  do_syscall_64+0xf9/0x620
[   35.607938]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   35.613107] RIP: 0033:0x7f5e88bb12ea
[   35.616800] Code: 89 c7 b8 3c 00 00 00 0f 05 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[   35.635679] RSP: 002b:00007f5e88b5d168 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[   35.643363] RAX: ffffffffffffffda RBX: 00007f5e88b5d1c0 RCX: 00007f5e88bb12ea
[   35.650610] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f5e88b5d180
[   35.657859] RBP: 0000000000000008 R08: 00007f5e88b5d1c0 R09: 00007f5e88b5d6b8
[   35.665105] R10: 0000000000000000 R11: 0000000000000286 R12: 00007f5e88b5d180
[   35.672352] R13: 00000000200002c0 R14: 0000000000000004 R15: 0000000000000005
[   35.679604]
[   35.681214] Allocated by task 8089:
[   35.684823]  kmem_cache_alloc_trace+0x12f/0x380
[   35.689476]  f2fs_fill_super+0xfd/0x7050
[   35.693514]  mount_bdev+0x2fc/0x3b0
[   35.697118]  mount_fs+0xa3/0x310
[   35.700464]  vfs_kern_mount.part.0+0x68/0x470
[   35.704938]  do_mount+0x115c/0x2f50
[   35.708544]  ksys_mount+0xcf/0x130
[   35.712063]  __x64_sys_mount+0xba/0x150
[   35.716015]  do_syscall_64+0xf9/0x620
[   35.719795]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   35.724956]
[   35.726564] Freed by task 8089:
[   35.729821]  kfree+0xcc/0x210
[   35.732903]  f2fs_fill_super+0x1439/0x7050
[   35.737138]  mount_bdev+0x2fc/0x3b0
[   35.740744]  mount_fs+0xa3/0x310
[   35.744176]  vfs_kern_mount.part.0+0x68/0x470
[   35.748648]  do_mount+0x115c/0x2f50
[   35.752255]  ksys_mount+0xcf/0x130
[   35.755774]  __x64_sys_mount+0xba/0x150
[   35.759727]  do_syscall_64+0xf9/0x620
[   35.763506]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   35.768686]
[   35.770302] The buggy address belongs to the object at ffff88809516c1c0
[   35.770302]  which belongs to the cache kmalloc-8192 of size 8192
[   35.783108] The buggy address is located 3408 bytes inside of
[   35.783108]  8192-byte region [ffff88809516c1c0, ffff88809516e1c0)
[   35.795130] The buggy address belongs to the page:
[   35.800039] page:ffffea0002545b00 count:1 mapcount:0 mapping:ffff88813bff2080 index:0x0 compound_mapcount: 0
[   35.809983] flags: 0xfff00000008100(slab|head)
[   35.814546] raw: 00fff00000008100 ffffea0002a3a908 ffff88813bff1b48 ffff88813bff2080
[   35.822408] raw: 0000000000000000 ffff88809516c1c0 0000000100000001 0000000000000000
[   35.830262] page dumped because: kasan: bad access detected
[   35.835961]
[   35.837567] Memory state around the buggy address:
[   35.842473]  ffff88809516ce00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.849824]  ffff88809516ce80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.857162] >ffff88809516cf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.864496]                          ^
[   35.868362]  ffff88809516cf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.875699]  ffff88809516d000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.883032] ==================================================================
[   35.890379] Disabling lock debugging due to kernel taint
[   35.896318] Kernel panic - not syncing: panic_on_warn set ...
[   35.896318]
[   35.903690] CPU: 1 PID: 8089 Comm: syz-executor397 Tainted: G    B             4.19.211-syzkaller #0
[   35.912947] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   35.922291] Call Trace:
[   35.924881]  dump_stack+0x1fc/0x2ef
[   35.928508]  panic+0x26a/0x50e
[   35.931691]  ? __warn_printk+0xf3/0xf3
[   35.935559]  ? preempt_schedule_common+0x45/0xc0
[   35.940295]  ? ___preempt_schedule+0x16/0x18
[   35.944682]  ? trace_hardirqs_on+0x55/0x210
[   35.948982]  kasan_end_report+0x43/0x49
[   35.952937]  kasan_report_error.cold+0xa7/0x1b9
[   35.957587]  ? f2fs_evict_inode+0x100b/0x1330
[   35.962062]  __asan_report_load4_noabort+0x88/0x90
[   35.966968]  ? f2fs_evict_inode+0x100b/0x1330
[   35.971440]  f2fs_evict_inode+0x100b/0x1330
[   35.975745]  ? f2fs_write_inode+0x600/0x600
[   35.980054]  evict+0x2ed/0x760
[   35.983263]  iput+0x4f1/0x860
[   35.986352]  dentry_unlink_inode+0x265/0x320
[   35.990741]  __dentry_kill+0x3c0/0x640
[   35.994612]  dentry_kill+0xc4/0x510
[   35.998220]  shrink_dentry_list+0x2ab/0x6e0
[   36.002523]  shrink_dcache_sb+0x144/0x220
[   36.006650]  ? shrink_dentry_list+0x6e0/0x6e0
[   36.011125]  ? f2fs_fill_super+0x1448/0x7050
[   36.015512]  ? f2fs_fill_super+0x1458/0x7050
[   36.019898]  f2fs_fill_super+0x1461/0x7050
[   36.024118]  ? snprintf+0xbb/0xf0
[   36.027548]  ? f2fs_commit_super+0x400/0x400
[   36.031937]  ? wait_for_completion_io+0x10/0x10
[   36.036586]  ? set_blocksize+0x163/0x3f0
[   36.040626]  mount_bdev+0x2fc/0x3b0
[   36.044234]  ? f2fs_commit_super+0x400/0x400
[   36.048620]  mount_fs+0xa3/0x310
[   36.051969]  vfs_kern_mount.part.0+0x68/0x470
[   36.056448]  do_mount+0x115c/0x2f50
[   36.060059]  ? rcu_nmi_exit+0xb3/0x180
[   36.063939]  ? copy_mount_string+0x40/0x40
[   36.068155]  ? copy_mount_options+0x1cd/0x380
[   36.072630]  ? copy_mount_options+0x1da/0x380
[   36.077104]  ? copy_mount_options+0x1e9/0x380
[   36.081584]  ? copy_mount_options+0x26f/0x380
[   36.086066]  ksys_mount+0xcf/0x130
[   36.089586]  __x64_sys_mount+0xba/0x150
[   36.093540]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[   36.098101]  do_syscall_64+0xf9/0x620
[   36.101894]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   36.107086] RIP: 0033:0x7f5e88bb12ea
[   36.110779] Code: 89 c7 b8 3c 00 00 00 0f 05 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[   36.129679] RSP: 002b:00007f5e88b5d168 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[   36.137373] RAX: ffffffffffffffda RBX: 00007f5e88b5d1c0 RCX: 00007f5e88bb12ea
[   36.144681] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f5e88b5d180
[   36.151930] RBP: 0000000000000008 R08: 00007f5e88b5d1c0 R09: 00007f5e88b5d6b8
[   36.159178] R10: 0000000000000000 R11: 0000000000000286 R12: 00007f5e88b5d180
[   36.166434] R13: 00000000200002c0 R14: 0000000000000004 R15: 0000000000000005
[   36.173886] Kernel Offset: disabled
[   36.177499] Rebooting in 86400 seconds..