F2FS-fs (loop0): Magic Mismatch, valid(0xf2f52010) - read(0x0)
F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock
F2FS-fs (loop0): invalid crc value
==================================================================
BUG: KASAN: use-after-free in build_sit_entries fs/f2fs/segment.c:3654 [inline]
BUG: KASAN: use-after-free in build_segment_manager+0x962a/0x9d30 fs/f2fs/segment.c:3853
Read of size 4 at addr ffff8801b9ecab00 by task syzkaller096936/3801

CPU: 1 PID: 3801 Comm: syzkaller096936 Not tainted 4.9.95-g13cc540 #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801b9d37870 ffffffff81eb0ba9 ffffea0006e7b200 ffff8801b9ecab00
 0000000000000000 ffff8801b9ecab00 ffff8801b5b92200 ffff8801b9d378a8
 ffffffff815653cb ffff8801b9ecab00 0000000000000004 0000000000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] print_address_description+0x6c/0x234 mm/kasan/report.c:256
 [] kasan_report_error mm/kasan/report.c:355 [inline]
 [] kasan_report.cold.6+0x242/0x2fe mm/kasan/report.c:412
 [] __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:432
 [] build_sit_entries fs/f2fs/segment.c:3654 [inline]
 [] build_segment_manager+0x962a/0x9d30 fs/f2fs/segment.c:3853
 [] f2fs_fill_super+0x1d10/0x5d00 fs/f2fs/super.c:2807
 [] mount_bdev+0x2c7/0x390 fs/super.c:1100
 [] f2fs_mount+0x34/0x40 fs/f2fs/super.c:3024
 [] mount_fs+0x28c/0x370 fs/super.c:1206
 [] vfs_kern_mount.part.29+0xd1/0x3d0 fs/namespace.c:991
 [] vfs_kern_mount fs/namespace.c:973 [inline]
 [] do_new_mount fs/namespace.c:2512 [inline]
 [] do_mount+0x3c9/0x2740 fs/namespace.c:2834
 [] SYSC_mount fs/namespace.c:3050 [inline]
 [] SyS_mount+0xfe/0x110 fs/namespace.c:3027
 [] do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282
 [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Allocated by task 0:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:505
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:609
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:547
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 __kmalloc_track_caller+0xdc/0x2b0 mm/slub.c:4232
 __kmalloc_reserve.isra.37+0x33/0xc0 net/core/skbuff.c:138
 __alloc_skb+0x11a/0x600 net/core/skbuff.c:231
 alloc_skb include/linux/skbuff.h:919 [inline]
 tcp_send_ack+0x10c/0x670 net/ipv4/tcp_output.c:3484
 __tcp_ack_snd_check+0x1bf/0x390 net/ipv4/tcp_input.c:5124
 tcp_ack_snd_check net/ipv4/tcp_input.c:5137 [inline]
 tcp_rcv_established+0x610/0x20c0 net/ipv4/tcp_input.c:5565
 tcp_v4_do_rcv+0x59f/0x950 net/ipv4/tcp_ipv4.c:1414
 tcp_v4_rcv+0x29c4/0x3110 net/ipv4/tcp_ipv4.c:1730
 ip_local_deliver_finish+0x257/0xa60 net/ipv4/ip_input.c:216
 NF_HOOK_THRESH include/linux/netfilter.h:232 [inline]
 NF_HOOK include/linux/netfilter.h:255 [inline]
 ip_local_deliver+0x389/0x4d0 net/ipv4/ip_input.c:257
 dst_input include/net/dst.h:513 [inline]
 ip_rcv_finish+0x6d6/0x1920 net/ipv4/ip_input.c:396
 NF_HOOK_THRESH include/linux/netfilter.h:232 [inline]
 NF_HOOK include/linux/netfilter.h:255 [inline]
 ip_rcv+0xb0b/0x1370 net/ipv4/ip_input.c:487
 __netif_receive_skb_core+0x12a0/0x2a20 net/core/dev.c:4267
 __netif_receive_skb+0x5b/0x1b0 net/core/dev.c:4305
 netif_receive_skb_internal+0xf1/0x3a0 net/core/dev.c:4333
 napi_skb_finish net/core/dev.c:4691 [inline]
 napi_gro_receive+0x20c/0x400 net/core/dev.c:4721
 receive_buf drivers/net/virtio_net.c:508 [inline]
 virtnet_receive+0x71b/0x1c60 drivers/net/virtio_net.c:728
 virtnet_poll+0x26/0x140 drivers/net/virtio_net.c:746
 napi_poll net/core/dev.c:5227 [inline]
 net_rx_action+0x3c4/0xde0 net/core/dev.c:5292
 __do_softirq+0x20b/0x937 kernel/softirq.c:284

Freed by task 0:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:505
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:582
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xfb/0x310 mm/slub.c:3878
 skb_free_head+0x8b/0xb0 net/core/skbuff.c:580
 skb_release_data+0x329/0x400 net/core/skbuff.c:611
 skb_release_all+0x4a/0x60 net/core/skbuff.c:670
 __kfree_skb net/core/skbuff.c:684 [inline]
 consume_skb+0xc6/0x340 net/core/skbuff.c:757
 __dev_kfree_skb_any+0x58/0x70 net/core/dev.c:2389
 dev_kfree_skb_any include/linux/netdevice.h:3308 [inline]
 free_old_xmit_skbs.isra.51+0x1bf/0x2b0 drivers/net/virtio_net.c:830
 start_xmit+0x121/0x1400 drivers/net/virtio_net.c:890
 __netdev_start_xmit include/linux/netdevice.h:4062 [inline]
 netdev_start_xmit include/linux/netdevice.h:4071 [inline]
 xmit_one net/core/dev.c:2955 [inline]
 dev_hard_start_xmit+0x197/0x8b0 net/core/dev.c:2971
 sch_direct_xmit+0x2bc/0x590 net/sched/sch_generic.c:182
 __dev_xmit_skb net/core/dev.c:3151 [inline]
 __dev_queue_xmit+0x1742/0x2080 net/core/dev.c:3419
 dev_queue_xmit+0x17/0x20 net/core/dev.c:3484
 neigh_hh_output include/net/neighbour.h:468 [inline]
 dst_neigh_output include/net/dst.h:468 [inline]
 ip_finish_output2+0xcab/0x1110 net/ipv4/ip_output.c:225
 ip_finish_output+0x683/0xac0 net/ipv4/ip_output.c:313
 NF_HOOK_COND include/linux/netfilter.h:246 [inline]
 ip_output+0x1cd/0x550 net/ipv4/ip_output.c:401
 dst_output include/net/dst.h:507 [inline]
 ip_local_out+0x9b/0x180 net/ipv4/ip_output.c:124
 ip_queue_xmit+0x897/0x1b60 net/ipv4/ip_output.c:500
 tcp_transmit_skb+0x168c/0x2e30 net/ipv4/tcp_output.c:1036
 tcp_send_ack+0x475/0x670 net/ipv4/tcp_output.c:3508
 __tcp_ack_snd_check+0x1bf/0x390 net/ipv4/tcp_input.c:5124
 tcp_ack_snd_check net/ipv4/tcp_input.c:5137 [inline]
 tcp_rcv_established+0x610/0x20c0 net/ipv4/tcp_input.c:5565
 tcp_v4_do_rcv+0x59f/0x950 net/ipv4/tcp_ipv4.c:1414
 tcp_v4_rcv+0x29c4/0x3110 net/ipv4/tcp_ipv4.c:1730
 ip_local_deliver_finish+0x257/0xa60 net/ipv4/ip_input.c:216
 NF_HOOK_THRESH include/linux/netfilter.h:232 [inline]
 NF_HOOK include/linux/netfilter.h:255 [inline]
 ip_local_deliver+0x389/0x4d0 net/ipv4/ip_input.c:257
 dst_input include/net/dst.h:513 [inline]
 ip_rcv_finish+0x6d6/0x1920 net/ipv4/ip_input.c:396
 NF_HOOK_THRESH include/linux/netfilter.h:232 [inline]
 NF_HOOK include/linux/netfilter.h:255 [inline]
 ip_rcv+0xb0b/0x1370 net/ipv4/ip_input.c:487
 __netif_receive_skb_core+0x12a0/0x2a20 net/core/dev.c:4267
 __netif_receive_skb+0x5b/0x1b0 net/core/dev.c:4305
 netif_receive_skb_internal+0xf1/0x3a0 net/core/dev.c:4333
 napi_skb_finish net/core/dev.c:4691 [inline]
 napi_gro_receive+0x20c/0x400 net/core/dev.c:4721
 receive_buf drivers/net/virtio_net.c:508 [inline]
 virtnet_receive+0x71b/0x1c60 drivers/net/virtio_net.c:728
 virtnet_poll+0x26/0x140 drivers/net/virtio_net.c:746
 napi_poll net/core/dev.c:5227 [inline]
 net_rx_action+0x3c4/0xde0 net/core/dev.c:5292
 __do_softirq+0x20b/0x937 kernel/softirq.c:284

The buggy address belongs to the object at ffff8801b9eca880
 which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 640 bytes inside of
 1024-byte region [ffff8801b9eca880, ffff8801b9ecac80)
The buggy address belongs to the page:
page:ffffea0006e7b200 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
flags: 0x8000000000004080(slab|head)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801b9ecaa00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801b9ecaa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801b9ecab00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff8801b9ecab80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801b9ecac00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================