F2FS-fs (loop2): Magic Mismatch, valid(0xf2f52010) - read(0x0)
F2FS-fs (loop4): Magic Mismatch, valid(0xf2f52010) - read(0x0)
F2FS-fs (loop0): Can't find valid F2FS filesystem in 2th superblock
F2FS-fs (loop3): Can't find valid F2FS filesystem in 2th superblock
==================================================================
BUG: KASAN: use-after-free in f2fs_evict_inode+0x100b/0x1330 fs/f2fs/inode.c:650
Read of size 4 at addr ffff888094fae290 by task syz-executor181/8133

CPU: 0 PID: 8133 Comm: syz-executor181 Not tainted 4.19.152-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2fe lib/dump_stack.c:118
 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
 kasan_report_error.cold+0x8a/0x1c7 mm/kasan/report.c:354
 kasan_report mm/kasan/report.c:412 [inline]
 __asan_report_load4_noabort+0x88/0x90 mm/kasan/report.c:432
 f2fs_evict_inode+0x100b/0x1330 fs/f2fs/inode.c:650
 evict+0x2ed/0x760 fs/inode.c:559
 iput_final fs/inode.c:1555 [inline]
 iput+0x4f1/0x860 fs/inode.c:1581
 dentry_unlink_inode+0x265/0x320 fs/dcache.c:374
 __dentry_kill+0x3c0/0x640 fs/dcache.c:566
 dentry_kill+0xc4/0x510 fs/dcache.c:685
 shrink_dentry_list+0x2ab/0x6e0 fs/dcache.c:1092
 shrink_dcache_sb+0x144/0x220 fs/dcache.c:1212
 f2fs_fill_super+0x1461/0x7050 fs/f2fs/super.c:3225
 mount_bdev+0x2fc/0x3b0 fs/super.c:1158
 mount_fs+0xa3/0x30c fs/super.c:1261
 vfs_kern_mount.part.0+0x68/0x470 fs/namespace.c:961
 vfs_kern_mount fs/namespace.c:951 [inline]
 do_new_mount fs/namespace.c:2469 [inline]
 do_mount+0x113c/0x2f10 fs/namespace.c:2799
 ksys_mount+0xcf/0x130 fs/namespace.c:3015
 __do_sys_mount fs/namespace.c:3029 [inline]
 __se_sys_mount fs/namespace.c:3026 [inline]
 __x64_sys_mount+0xba/0x150 fs/namespace.c:3026
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x44d83a
Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 ad a0 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 8a a0 fb ff c3 66 0f 1f 84 00 00 00 00 00
RSP: 002b:00007f83c52dfbf8 EFLAGS: 00000297 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 000000000044d83a
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f83c52dfc10
RBP: 00007f83c52dfc10 R08: 00007f83c52dfc50 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000297 R12: 000000000000000d
R13: 00007f83c52dfc50 R14: 00007f83c52e06d0 R15: 0000000000000003

Allocated by task 8133:
 kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625
 kmalloc include/linux/slab.h:515 [inline]
 kzalloc include/linux/slab.h:709 [inline]
 f2fs_fill_super+0xfd/0x7050 fs/f2fs/super.c:2821
 mount_bdev+0x2fc/0x3b0 fs/super.c:1158
 mount_fs+0xa3/0x30c fs/super.c:1261
 vfs_kern_mount.part.0+0x68/0x470 fs/namespace.c:961
 vfs_kern_mount fs/namespace.c:951 [inline]
 do_new_mount fs/namespace.c:2469 [inline]
 do_mount+0x113c/0x2f10 fs/namespace.c:2799
 ksys_mount+0xcf/0x130 fs/namespace.c:3015
 __do_sys_mount fs/namespace.c:3029 [inline]
 __se_sys_mount fs/namespace.c:3026 [inline]
 __x64_sys_mount+0xba/0x150 fs/namespace.c:3026
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8133:
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xcc/0x210 mm/slab.c:3822
 f2fs_fill_super+0x1439/0x7050 fs/f2fs/super.c:3220
 mount_bdev+0x2fc/0x3b0 fs/super.c:1158
 mount_fs+0xa3/0x30c fs/super.c:1261
 vfs_kern_mount.part.0+0x68/0x470 fs/namespace.c:961
 vfs_kern_mount fs/namespace.c:951 [inline]
 do_new_mount fs/namespace.c:2469 [inline]
 do_mount+0x113c/0x2f10 fs/namespace.c:2799
 ksys_mount+0xcf/0x130 fs/namespace.c:3015
 __do_sys_mount fs/namespace.c:3029 [inline]
 __se_sys_mount fs/namespace.c:3026 [inline]
 __x64_sys_mount+0xba/0x150 fs/namespace.c:3026
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff888094fad540
 which belongs to the cache kmalloc-8192 of size 8192
The buggy address is located 3408 bytes inside of
 8192-byte region [ffff888094fad540, ffff888094faf540)
The buggy address belongs to the page:
page:ffffea000253eb00 count:1 mapcount:0 mapping:ffff88813bff2080 index:0x0 compound_mapcount: 0
flags: 0xfff00000008100(slab|head)
raw: 00fff00000008100 ffffea0002c04c08 ffff88813bff1b48 ffff88813bff2080
raw: 0000000000000000 ffff888094fad540 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888094fae180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888094fae200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888094fae280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
 ffff888094fae300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888094fae380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 8122 Comm: syz-executor181 Not tainted 4.19.152-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:NODE_MAPPING fs/f2fs/f2fs.h:1501 [inline]
RIP: 0010:f2fs_evict_inode+0xe92/0x1330 fs/f2fs/inode.c:712
Code: c1 ea 03 80 3c 02 00 0f 85 c6 03 00 00 49 8b 9c 24 38 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 30 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 95 03 00 00 48 8b 7b 30 4c 89 f2 4c 89 f6 e8 a5
RSP: 0018:ffff888094eff790 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff83186a17
RDX: 0000000000000006 RSI: ffffffff831873c2 RDI: 0000000000000030
RBP: ffff88808bcf7380 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000007 R11: 0000000000000001 R12: ffff8880951f9400
R13: ffff88808bcf7750 R14: 0000000000000003 R15: ffff8880b03e4c78
FS:  00007f83c52e0700(0000) GS:ffff8880ba100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056554f94c160 CR3: 0000000097de7000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 evict+0x2ed/0x760 fs/inode.c:559
 iput_final fs/inode.c:1555 [inline]
 iput+0x4f1/0x860 fs/inode.c:1581
 dentry_unlink_inode+0x265/0x320 fs/dcache.c:374
 __dentry_kill+0x3c0/0x640 fs/dcache.c:566
 dentry_kill+0xc4/0x510 fs/dcache.c:685
 shrink_dentry_list+0x2ab/0x6e0 fs/dcache.c:1092
 shrink_dcache_sb+0x144/0x220 fs/dcache.c:1212
 f2fs_fill_super+0x1461/0x7050 fs/f2fs/super.c:3225
 mount_bdev+0x2fc/0x3b0 fs/super.c:1158
 mount_fs+0xa3/0x30c fs/super.c:1261
 vfs_kern_mount.part.0+0x68/0x470 fs/namespace.c:961
 vfs_kern_mount fs/namespace.c:951 [inline]
 do_new_mount fs/namespace.c:2469 [inline]
 do_mount+0x113c/0x2f10 fs/namespace.c:2799
 ksys_mount+0xcf/0x130 fs/namespace.c:3015
 __do_sys_mount fs/namespace.c:3029 [inline]
 __se_sys_mount fs/namespace.c:3026 [inline]
 __x64_sys_mount+0xba/0x150 fs/namespace.c:3026
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x44d83a
Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 ad a0 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 8a a0 fb ff c3 66 0f 1f 84 00 00 00 00 00
RSP: 002b:00007f83c52dfbf8 EFLAGS: 00000297 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 000000000044d83a
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f83c52dfc10
RBP: 00007f83c52dfc10 R08: 00007f83c52dfc50 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000297 R12: 000000000000000d
R13: 00007f83c52dfc50 R14: 00007f83c52e06d0 R15: 0000000000000003
Modules linked in:
kasan: CONFIG_KASAN_INLINE enabled