[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.77' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 525.723577] F2FS-fs (loop1): Magic Mismatch, valid(0xf2f52010) - read(0x0)
[ 525.727751] F2FS-fs (loop5): Magic Mismatch, valid(0xf2f52010) - read(0x0)
[ 525.744059] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0)
[ 525.752461] F2FS-fs (loop0): Magic Mismatch, valid(0xf2f52010) - read(0x0)
[ 525.753275] F2FS-fs (loop1): Can't find valid F2FS filesystem in 2th superblock
[ 525.763398] F2FS-fs (loop5): Can't find valid F2FS filesystem in 2th superblock
[ 525.771110] F2FS-fs (loop2): Magic Mismatch, valid(0xf2f52010) - read(0x0)
[ 525.785328] F2FS-fs (loop4): Magic Mismatch, valid(0xf2f52010) - read(0x0)
[ 525.790296] F2FS-fs (loop0): Can't find valid F2FS filesystem in 2th superblock
[ 525.792815] F2FS-fs (loop3): Can't find valid F2FS filesystem in 2th superblock
[ 526.178399] ==================================================================
[ 526.186194] BUG: KASAN: use-after-free in f2fs_evict_inode+0x100b/0x1330
[ 526.193162] Read of size 4 at addr ffff888094fae290 by task syz-executor181/8133
[ 526.200729]
[ 526.202375] CPU: 0 PID: 8133 Comm: syz-executor181 Not tainted 4.19.152-syzkaller #0
[ 526.210260] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 526.219796] Call Trace:
[ 526.222458] dump_stack+0x1fc/0x2fe
[ 526.226671] print_address_description.cold+0x54/0x219
[ 526.231980] kasan_report_error.cold+0x8a/0x1c7
[ 526.236668] ? f2fs_evict_inode+0x100b/0x1330
[ 526.241177] __asan_report_load4_noabort+0x88/0x90
[ 526.246142] ? f2fs_evict_inode+0x100b/0x1330
[ 526.250643] f2fs_evict_inode+0x100b/0x1330
[ 526.255077] ? f2fs_write_inode+0x600/0x600
[ 526.259672] evict+0x2ed/0x760
[ 526.262973] iput+0x4f1/0x860
[ 526.266116] dentry_unlink_inode+0x265/0x320
[ 526.270535] __dentry_kill+0x3c0/0x640
[ 526.274445] dentry_kill+0xc4/0x510
[ 526.278094] shrink_dentry_list+0x2ab/0x6e0
[ 526.282439] shrink_dcache_sb+0x144/0x220
[ 526.286600] ? shrink_dentry_list+0x6e0/0x6e0
[ 526.291198] ? mark_held_locks+0xa6/0xf0
[ 526.295275] ? f2fs_fill_super+0x1439/0x7050
[ 526.299720] ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 526.304419] f2fs_fill_super+0x1461/0x7050
[ 526.308890] ? snprintf+0xbb/0xf0
[ 526.312448] ? f2fs_commit_super+0x400/0x400
[ 526.316933] ? wait_for_completion_io+0x10/0x10
[ 526.317384] kasan: CONFIG_KASAN_INLINE enabled
[ 526.321665] ? set_blocksize+0x163/0x3f0
[ 526.321745] mount_bdev+0x2fc/0x3b0
[ 526.321761] ? f2fs_commit_super+0x400/0x400
[ 526.321778] mount_fs+0xa3/0x30c
[ 526.321796] vfs_kern_mount.part.0+0x68/0x470
[ 526.321812] do_mount+0x113c/0x2f10
[ 526.321830] ? lock_acquire+0x170/0x3c0
[ 526.326971] kasan: GPF could be caused by NULL-ptr deref or user memory access
[ 526.330621] ? check_preemption_disabled+0x41/0x280
[ 526.330639] ? copy_mount_string+0x40/0x40
[ 526.337756] general protection fault: 0000 [#1] PREEMPT SMP KASAN
[ 526.338683] ? copy_mount_options+0x59/0x380
[ 526.342030] CPU: 1 PID: 8122 Comm: syz-executor181 Not tainted 4.19.152-syzkaller #0
[ 526.346562] ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 526.350482] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 526.354468] ? kmem_cache_alloc_trace+0x323/0x380
[ 526.361839] RIP: 0010:f2fs_evict_inode+0xe92/0x1330
[ 526.366930] ? copy_mount_options+0x26f/0x380
[ 526.371164] Code: c1 ea 03 80 3c 02 00 0f 85 c6 03 00 00 49 8b 9c 24 38 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 30 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 95 03 00 00 48 8b 7b 30 4c 89 f2 4c 89 f6 e8 a5
[ 526.377696] ksys_mount+0xcf/0x130
[ 526.382098] RSP: 0018:ffff888094eff790 EFLAGS: 00010206
[ 526.389981] __x64_sys_mount+0xba/0x150
[ 526.394973] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff83186a17
[ 526.404340] ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 526.409176] RDX: 0000000000000006 RSI: ffffffff831873c2 RDI: 0000000000000030
[ 526.414215] do_syscall_64+0xf9/0x620
[ 526.418653] RBP: ffff88808bcf7380 R08: 0000000000000000 R09: 0000000000000000
[ 526.437565] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 526.441077] R10: 0000000000000007 R11: 0000000000000001 R12: ffff8880951f9400
[ 526.446428] RIP: 0033:0x44d83a
[ 526.450379] R13: ffff88808bcf7750 R14: 0000000000000003 R15: ffff8880b03e4c78
[ 526.457642] Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 ad a0 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 8a a0 fb ff c3 66 0f 1f 84 00 00 00 00 00
[ 526.462205] FS: 00007f83c52e0700(0000) GS:ffff8880ba100000(0000) knlGS:0000000000000000
[ 526.469464] RSP: 002b:00007f83c52dfbf8 EFLAGS: 00000297 ORIG_RAX: 00000000000000a5
[ 526.473252] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 526.480508] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 000000000044d83a
[ 526.485701] CR2: 000056554f94c160 CR3: 0000000097de7000 CR4: 00000000001406e0
[ 526.492960] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f83c52dfc10
[ 526.496137] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 526.503397] RBP: 00007f83c52dfc10 R08: 00007f83c52dfc50 R09: 0000000000000000
[ 526.522295] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 526.530515] R10: 0000000000000000 R11: 0000000000000297 R12: 000000000000000d
[ 526.538211] Call Trace:
[ 526.544090] R13: 00007f83c52dfc50 R14: 00007f83c52e06d0 R15: 0000000000000003
[ 526.551380] ? f2fs_write_inode+0x600/0x600
[ 526.558648]
[ 526.566115] evict+0x2ed/0x760
[ 526.573369] Allocated by task 8133:
[ 526.580647] iput+0x4f1/0x860
[ 526.587918] kmem_cache_alloc_trace+0x12f/0x380
[ 526.595182] dentry_unlink_inode+0x265/0x320
[ 526.597748] f2fs_fill_super+0xfd/0x7050
[ 526.605098] __dentry_kill+0x3c0/0x640
[ 526.609507] mount_bdev+0x2fc/0x3b0
[ 526.611135] dentry_kill+0xc4/0x510
[ 526.614334] mount_fs+0xa3/0x30c
[ 526.617960] shrink_dentry_list+0x2ab/0x6e0
[ 526.621048] vfs_kern_mount.part.0+0x68/0x470
[ 526.625705] shrink_dcache_sb+0x144/0x220
[ 526.630111] do_mount+0x113c/0x2f10
[ 526.634163] ? shrink_dentry_list+0x6e0/0x6e0
[ 526.638042] ksys_mount+0xcf/0x130
[ 526.641655] ? mark_held_locks+0xa6/0xf0
[ 526.645286] __x64_sys_mount+0xba/0x150
[ 526.648639] ? f2fs_fill_super+0x1439/0x7050
[ 526.652973] do_syscall_64+0xf9/0x620
[ 526.657462] ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 526.661611] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 526.665222] f2fs_fill_super+0x1461/0x7050
[ 526.669702]
[ 526.673285] ? snprintf+0xbb/0xf0
[ 526.677310] Freed by task 8133:
[ 526.681279] ? f2fs_commit_super+0x400/0x400
[ 526.685670] kfree+0xcc/0x210
[ 526.689464] ? wait_for_completion_io+0x10/0x10
[ 526.694050] f2fs_fill_super+0x1439/0x7050
[ 526.699331] ? set_blocksize+0x163/0x3f0
[ 526.703562] mount_bdev+0x2fc/0x3b0
[ 526.705175] mount_bdev+0x2fc/0x3b0
[ 526.708613] mount_fs+0xa3/0x30c
[ 526.711896] ? f2fs_commit_super+0x400/0x400
[ 526.716289] vfs_kern_mount.part.0+0x68/0x470
[ 526.719377] mount_fs+0xa3/0x30c
[ 526.724032] do_mount+0x113c/0x2f10
[ 526.728255] vfs_kern_mount.part.0+0x68/0x470
[ 526.732318] ksys_mount+0xcf/0x130
[ 526.735938] do_mount+0x113c/0x2f10
[ 526.739571] __x64_sys_mount+0xba/0x150
[ 526.742923] ? lock_acquire+0x170/0x3c0
[ 526.747325] do_syscall_64+0xf9/0x620
[ 526.752605] ? check_preemption_disabled+0x41/0x280
[ 526.755953] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 526.759562] ? copy_mount_string+0x40/0x40
[ 526.764030]
[ 526.767587] ? copy_mount_options+0x59/0x380
[ 526.771208] The buggy address belongs to the object at ffff888094fad540
[ 526.771208] which belongs to the cache kmalloc-8192 of size 8192
[ 526.775267] ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 526.779219] The buggy address is located 3408 bytes inside of
[ 526.779219] 8192-byte region [ffff888094fad540, ffff888094faf540)
[ 526.783179] ? kmem_cache_alloc_trace+0x323/0x380
[ 526.788172] The buggy address belongs to the page:
[ 526.793362] ? copy_mount_options+0x26f/0x380
[ 526.797591] page:ffffea000253eb00 count:1 mapcount:0 mapping:ffff88813bff2080 index:0x0 compound_mapcount: 0
[ 526.799238] ksys_mount+0xcf/0x130
[ 526.803649] flags: 0xfff00000008100(slab|head)
[ 526.816483] __x64_sys_mount+0xba/0x150
[ 526.821486] raw: 00fff00000008100 ffffea0002c04c08 ffff88813bff1b48 ffff88813bff2080
[ 526.833540] ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 526.838377] raw: 0000000000000000 ffff888094fad540 0000000100000001 0000000000000000
[ 526.843309] do_syscall_64+0xf9/0x620
[ 526.847804] page dumped because: kasan: bad access detected
[ 526.857780] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 526.861308]
[ 526.865903] RIP: 0033:0x44d83a
[ 526.869888] Memory state around the buggy address:
[ 526.877774] Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 ad a0 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 8a a0 fb ff c3 66 0f 1f 84 00 00 00 00 00
[ 526.882338] ffff888094fae180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 526.890217] RSP: 002b:00007f83c52dfbf8 EFLAGS: 00000297 ORIG_RAX: 00000000000000a5
[ 526.894007] ffff888094fae200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 526.899713] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 000000000044d83a
[ 526.904883] >ffff888094fae280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 526.906496] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f83c52dfc10
[ 526.909667] ^
[ 526.914672] RBP: 00007f83c52dfc10 R08: 00007f83c52dfc50 R09: 0000000000000000
[ 526.934540] ffff888094fae300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 526.941985] R10: 0000000000000000 R11: 0000000000000297 R12: 000000000000000d
[ 526.950724] ffff888094fae380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 526.958788] R13: 00007f83c52dfc50 R14: 00007f83c52e06d0 R15: 0000000000000003
[ 526.966052] ==================================================================
[ 526.973843] Modules linked in:
[ 527.034807] kasan: CONFIG_KASAN_INLINE enabled
[ 527.043486] Kernel panic - not syncing: panic_on_warn set ...
[ 527.043486]
[ 527.043648] kasan: CONFIG_KASAN_INLINE enabled
[ 527.051385] Kernel Offset: disabled
[ 527.059961] Rebooting in 86400 seconds..