Created attachment 282147 [details]
The (compressed) crafted image which causes crash

- Overview

When mounting the attached crafted image, I got a kernel read fault.

- Produces

mkdir test
mount -t f2fs tmp.img test

- Messages

[   31.646021] F2FS-fs (sdb): Can't find valid F2FS filesystem in 2th superblock
[   31.655120] F2FS-fs (sdb): invalid blkaddr: 14, type: 6, run fsck to fix.
[   31.658834] F2FS-fs (sdb): invalid blkaddr: 14, type: 6, run fsck to fix.
[   31.659908] BUG: unable to handle kernel paging request at ffffa07d48dd12c0
[   31.660931] #PF error: [normal kernel read fault]
[   31.661614] PGD 1e3c01067 P4D 1e3c01067 PUD 0
[   31.662258] Oops: 0000 [#1] SMP PTI
[   31.662771] CPU: 0 PID: 1023 Comm: mount Tainted: G        W         5.0.0 #3
[   31.663793] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[   31.665129] RIP: 0010:update_sit_entry+0x50/0x420
[   31.665802] Code: 86 ce 01 00 00 48 8b bf 88 00 00 00 41 be ff ff ff ff 48 bb d8 ff ff ff 27 00 00 00 c7 45 c8 ff ff ff ff 48 8b 07 48 03 58 68 <0f> b7 33 66 c1 ee 06 0f b7 f6 44 01 fe 48 85 ff 48 63 d6 0f 84 03
[   31.668440] RSP: 0018:ffffb958810bb9c8 EFLAGS: 00010286
[   31.669188] RAX: ffffa07d2b0c1780 RBX: ffffa07d48dd12c0 RCX: 0000000000000009
[   31.670201] RDX: 0000000000000000 RSI: ffffa07d37a163a8 RDI: ffffa07d2b0c1240
[   31.671217] RBP: ffffb958810bba00 R08: 0000000000000001 R09: 000000000000000e
[   31.672230] R10: ffffb9588108b898 R11: ffffb958810bb7bd R12: ffffa07d35644000
[   31.673245] R13: 00000000007ffff8 R14: 00000000007ffff8 R15: 00000000ffffffff
[   31.674259] FS:  00007f08614c0840(0000) GS:ffffa07d37a00000(0000) knlGS:0000000000000000
[   31.675412] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   31.676231] CR2: ffffa07d48dd12c0 CR3: 0000000232754003 CR4: 00000000001606f0
[   31.677246] Call Trace:
[   31.677607]  f2fs_do_replace_block+0x1c1/0x510
[   31.678247]  f2fs_replace_block+0x4b/0x80
[   31.678838]  recover_data+0xac9/0x1c90
[   31.679383]  f2fs_recover_fsync_data+0x68f/0x800
[   31.680047]  ? proc_create_single_data+0x41/0x50
[   31.680708]  f2fs_fill_super+0x1bdd/0x1d50
[   31.681297]  ? snprintf+0x45/0x70
[   31.681781]  mount_bdev+0x17b/0x1b0
[   31.682286]  ? f2fs_commit_super+0x190/0x190
[   31.682905]  ? mount_bdev+0x17b/0x1b0
[   31.683434]  ? f2fs_commit_super+0x190/0x190
[   31.684047]  f2fs_mount+0x15/0x20
[   31.684527]  mount_fs+0x51/0x170
[   31.684996]  vfs_kern_mount+0x67/0x120
[   31.685537]  do_mount+0x208/0xd20
[   31.686019]  ? __check_object_size+0x151/0x1b0
[   31.686661]  ? memdup_user+0x4f/0x70
[   31.687182]  ksys_mount+0x83/0xd0
[   31.687668]  __x64_sys_mount+0x25/0x30
[   31.688208]  do_syscall_64+0x5a/0x110
[   31.688736]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   31.689457] RIP: 0033:0x7f0860d9fb9a
[   31.689972] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
[   31.692604] RSP: 002b:00007ffd636a5338 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[   31.693675] RAX: ffffffffffffffda RBX: 00000000013cd030 RCX: 00007f0860d9fb9a
[   31.694688] RDX: 00000000013cd210 RSI: 00000000013cff40 RDI: 00000000013cd230
[   31.695699] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013
[   31.696709] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 00000000013cd230
[   31.697738] R13: 00000000013cd210 R14: 0000000000000000 R15: 0000000000000003
[   31.698755] Modules linked in:
[   31.699199] CR2: ffffa07d48dd12c0
[   31.699703] ---[ end trace 7bc8126bd2369784 ]---
[   31.700410] RIP: 0010:update_sit_entry+0x50/0x420
[   31.701081] Code: 86 ce 01 00 00 48 8b bf 88 00 00 00 41 be ff ff ff ff 48 bb d8 ff ff ff 27 00 00 00 c7 45 c8 ff ff ff ff 48 8b 07 48 03 58 68 <0f> b7 33 66 c1 ee 06 0f b7 f6 44 01 fe 48 85 ff 48 63 d6 0f 84 03
[   31.703718] RSP: 0018:ffffb958810bb9c8 EFLAGS: 00010286
[   31.704464] RAX: ffffa07d2b0c1780 RBX: ffffa07d48dd12c0 RCX: 0000000000000009
[   31.705474] RDX: 0000000000000000 RSI: ffffa07d37a163a8 RDI: ffffa07d2b0c1240
[   31.706484] RBP: ffffb958810bba00 R08: 0000000000000001 R09: 000000000000000e
[   31.707502] R10: ffffb9588108b898 R11: ffffb958810bb7bd R12: ffffa07d35644000
[   31.708512] R13: 00000000007ffff8 R14: 00000000007ffff8 R15: 00000000ffffffff
[   31.709521] FS:  00007f08614c0840(0000) GS:ffffa07d37a00000(0000) knlGS:0000000000000000
[   31.710667] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   31.711488] CR2: ffffa07d48dd12c0 CR3: 0000000232754003 CR4: 00000000001606f0

-- possible reason

It seems that the value of se is out of range for reading pages, based on the error messages.

fs/f2fs/segment.c

  2062 static void update_sit_entry(struct f2fs_sb_info *sbi, block_t blkaddr, int del)
  2063 {
  2064 	struct seg_entry *se;
  2065 	unsigned int segno, offset;
  2066 	long int new_vblocks;
  2067 	bool exist;
  2068 #ifdef CONFIG_F2FS_CHECK_FS
  2069 	bool mir_exist;
  2070 #endif
  2071 
  2072 	segno = GET_SEGNO(sbi, blkaddr);
  2073 
  2074 	se = get_seg_entry(sbi, segno);
> 2075 	new_vblocks = se->valid_blocks + del;
  2076 	offset = GET_BLKOFF_FROM_SEG0(sbi, blkaddr);
  2077 
  2078 	f2fs_bug_on(sbi, (new_vblocks >> (sizeof(unsigned short) << 3) ||
  2079 				(new_vblocks > sbi->blocks_per_seg)));
  2080 
  2081 	se->valid_blocks = new_vblocks;
  2082 	se->mtime = get_mtime(sbi, false);
  2083 	if (se->mtime > SIT_I(sbi)->max_mtime)
  2084 		SIT_I(sbi)->max_mtime = se->mtime;
  2085
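To make the suspected failure mode concrete, here is a small stand-alone model of the arithmetic in the snippet above. It is an added example, not kernel code: the struct names, the `toy_` helpers and the geometry values (main area starting at block 512, 512 blocks per segment, 4 segments) are all constructed for illustration. It shows how a block address below the main area, like the `blkaddr: 14` the log complains about, wraps to a huge segment index when the unchecked `GET_SEGNO`-style subtraction is applied, and what a bounds check before the `seg_entry` lookup looks like.

```c
/* Added example (not f2fs kernel code): how an out-of-range block address
 * becomes an out-of-range segment index, and a checked lookup that returns
 * NULL instead of reading past the seg_entry array. All names prefixed
 * toy_ and all geometry values are constructed for this illustration. */
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

typedef uint32_t block_t;

struct seg_entry {
	unsigned short valid_blocks;
};

struct toy_sb_info {
	block_t main_blkaddr;        /* first block of the main area */
	unsigned int blocks_per_seg; /* blocks in one segment */
	unsigned int main_segs;      /* number of seg_entry slots */
	struct seg_entry *sentries;  /* array of main_segs entries */
};

/* Same arithmetic shape as GET_SEGNO: segment index relative to the
 * main area. With blkaddr < main_blkaddr the unsigned subtraction wraps. */
unsigned int toy_get_segno(const struct toy_sb_info *sbi, block_t blkaddr)
{
	return (blkaddr - sbi->main_blkaddr) / sbi->blocks_per_seg;
}

/* Returns 1 when blkaddr lies inside the main area, 0 otherwise. */
int toy_is_valid_main_blkaddr(const struct toy_sb_info *sbi, block_t blkaddr)
{
	block_t end = sbi->main_blkaddr +
		      (block_t)sbi->main_segs * sbi->blocks_per_seg;
	return blkaddr >= sbi->main_blkaddr && blkaddr < end;
}

/* Checked lookup: validate the address and the derived index before
 * touching the array; the unchecked version would dereference garbage. */
struct seg_entry *toy_get_seg_entry_checked(struct toy_sb_info *sbi,
					    block_t blkaddr)
{
	unsigned int segno;

	if (!toy_is_valid_main_blkaddr(sbi, blkaddr))
		return NULL;
	segno = toy_get_segno(sbi, blkaddr);
	if (segno >= sbi->main_segs)
		return NULL;
	return &sbi->sentries[segno];
}

/* Constructed geometry: main area at block 512, 512 blocks/segment,
 * 4 segments (blocks 512..2559). */
struct toy_sb_info toy_example_sbi(void)
{
	static struct seg_entry entries[4];
	struct toy_sb_info sbi = { 512, 512, 4, entries };
	return sbi;
}

int main(void)
{
	struct toy_sb_info sbi = toy_example_sbi();
	block_t addrs[] = { 14, 1000, 2560 };
	size_t i;

	for (i = 0; i < sizeof(addrs) / sizeof(addrs[0]); i++) {
		block_t a = addrs[i];
		printf("blkaddr %u: raw segno %u, checked entry %s\n",
		       (unsigned)a, toy_get_segno(&sbi, a),
		       toy_get_seg_entry_checked(&sbi, a) ? "ok" : "rejected");
	}
	return 0;
}
```

For blkaddr 14 the raw index is 8388607 (0x7fffff), far past the 4-entry array; the checked lookup rejects it, as it does for 2560, the first block past the last segment.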