Bug 203163 - RIP: 0010:update_sit_entry+0x50/0x420 when mounting crafted image
Summary: RIP: 0010:update_sit_entry+0x50/0x420 when mounting crafted image
Status: RESOLVED CODE_FIX
Alias: None
Product: File System
Classification: Unclassified
Component: f2fs
Hardware: All Linux
Importance: P1 normal
Assignee: Default virtual assignee for f2fs
URL:
Keywords:
Depends on:
Blocks:
Reported: 2019-04-05 22:59 UTC by Jungyeon
Modified: 2019-07-08 18:38 UTC (History)

See Also:
Kernel Version: 5.0.0
Subsystem:
Regression: No
Bisected commit-id:


Attachments
The (compressed) crafted image which causes crash (68.19 KB, application/zip)
2019-04-05 22:59 UTC, Jungyeon

Description Jungyeon 2019-04-05 22:59:51 UTC
Created attachment 282147
The (compressed) crafted image which causes crash

- Overview
When mounting the attached crafted image, I got a kernel read fault.

- Produces
mkdir test
mount -t f2fs tmp.img test

- Messages
[ 31.646021] F2FS-fs (sdb): Can't find valid F2FS filesystem in 2th superblock
[ 31.655120] F2FS-fs (sdb): invalid blkaddr: 14, type: 6, run fsck to fix.
[ 31.658834] F2FS-fs (sdb): invalid blkaddr: 14, type: 6, run fsck to fix.
[ 31.659908] BUG: unable to handle kernel paging request at ffffa07d48dd12c0
[ 31.660931] #PF error: [normal kernel read fault]
[ 31.661614] PGD 1e3c01067 P4D 1e3c01067 PUD 0 
[ 31.662258] Oops: 0000 [#1] SMP PTI
[ 31.662771] CPU: 0 PID: 1023 Comm: mount Tainted: G W 5.0.0 #3
[ 31.663793] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 31.665129] RIP: 0010:update_sit_entry+0x50/0x420
[ 31.665802] Code: 86 ce 01 00 00 48 8b bf 88 00 00 00 41 be ff ff ff ff 48 bb d8 ff ff ff 27 00 00 00 c7 45 c8 ff ff ff ff 48 8b 07 48 03 58 68 <0f> b7 33 66 c1 ee 06 0f b7 f6 44 01 fe 48 85 ff 48 63 d6 0f 84 03
[ 31.668440] RSP: 0018:ffffb958810bb9c8 EFLAGS: 00010286
[ 31.669188] RAX: ffffa07d2b0c1780 RBX: ffffa07d48dd12c0 RCX: 0000000000000009
[ 31.670201] RDX: 0000000000000000 RSI: ffffa07d37a163a8 RDI: ffffa07d2b0c1240
[ 31.671217] RBP: ffffb958810bba00 R08: 0000000000000001 R09: 000000000000000e
[ 31.672230] R10: ffffb9588108b898 R11: ffffb958810bb7bd R12: ffffa07d35644000
[ 31.673245] R13: 00000000007ffff8 R14: 00000000007ffff8 R15: 00000000ffffffff
[ 31.674259] FS: 00007f08614c0840(0000) GS:ffffa07d37a00000(0000) knlGS:0000000000000000
[ 31.675412] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 31.676231] CR2: ffffa07d48dd12c0 CR3: 0000000232754003 CR4: 00000000001606f0
[ 31.677246] Call Trace:
[ 31.677607] f2fs_do_replace_block+0x1c1/0x510
[ 31.678247] f2fs_replace_block+0x4b/0x80
[ 31.678838] recover_data+0xac9/0x1c90
[ 31.679383] f2fs_recover_fsync_data+0x68f/0x800
[ 31.680047] ? proc_create_single_data+0x41/0x50
[ 31.680708] f2fs_fill_super+0x1bdd/0x1d50
[ 31.681297] ? snprintf+0x45/0x70
[ 31.681781] mount_bdev+0x17b/0x1b0
[ 31.682286] ? f2fs_commit_super+0x190/0x190
[ 31.682905] ? mount_bdev+0x17b/0x1b0
[ 31.683434] ? f2fs_commit_super+0x190/0x190
[ 31.684047] f2fs_mount+0x15/0x20
[ 31.684527] mount_fs+0x51/0x170
[ 31.684996] vfs_kern_mount+0x67/0x120
[ 31.685537] do_mount+0x208/0xd20
[ 31.686019] ? __check_object_size+0x151/0x1b0
[ 31.686661] ? memdup_user+0x4f/0x70
[ 31.687182] ksys_mount+0x83/0xd0
[ 31.687668] __x64_sys_mount+0x25/0x30
[ 31.688208] do_syscall_64+0x5a/0x110
[ 31.688736] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 31.689457] RIP: 0033:0x7f0860d9fb9a
[ 31.689972] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
[ 31.692604] RSP: 002b:00007ffd636a5338 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[ 31.693675] RAX: ffffffffffffffda RBX: 00000000013cd030 RCX: 00007f0860d9fb9a
[ 31.694688] RDX: 00000000013cd210 RSI: 00000000013cff40 RDI: 00000000013cd230
[ 31.695699] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013
[ 31.696709] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 00000000013cd230
[ 31.697738] R13: 00000000013cd210 R14: 0000000000000000 R15: 0000000000000003
[ 31.698755] Modules linked in:
[ 31.699199] CR2: ffffa07d48dd12c0
[ 31.699703] ---[ end trace 7bc8126bd2369784 ]---
[ 31.700410] RIP: 0010:update_sit_entry+0x50/0x420
[ 31.701081] Code: 86 ce 01 00 00 48 8b bf 88 00 00 00 41 be ff ff ff ff 48 bb d8 ff ff ff 27 00 00 00 c7 45 c8 ff ff ff ff 48 8b 07 48 03 58 68 <0f> b7 33 66 c1 ee 06 0f b7 f6 44 01 fe 48 85 ff 48 63 d6 0f 84 03
[ 31.703718] RSP: 0018:ffffb958810bb9c8 EFLAGS: 00010286
[ 31.704464] RAX: ffffa07d2b0c1780 RBX: ffffa07d48dd12c0 RCX: 0000000000000009
[ 31.705474] RDX: 0000000000000000 RSI: ffffa07d37a163a8 RDI: ffffa07d2b0c1240
[ 31.706484] RBP: ffffb958810bba00 R08: 0000000000000001 R09: 000000000000000e
[ 31.707502] R10: ffffb9588108b898 R11: ffffb958810bb7bd R12: ffffa07d35644000
[ 31.708512] R13: 00000000007ffff8 R14: 00000000007ffff8 R15: 00000000ffffffff
[ 31.709521] FS: 00007f08614c0840(0000) GS:ffffa07d37a00000(0000) knlGS:0000000000000000
[ 31.710667] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 31.711488] CR2: ffffa07d48dd12c0 CR3: 0000000232754003 CR4: 00000000001606f0

- Possible reason
It seems that the value of se is out of range for reading pages, based on the error messages.

fs/f2fs/segment.c, lines 2062-2085 (the line marked with '>' is where the kernel faults):

static void update_sit_entry(struct f2fs_sb_info *sbi, block_t blkaddr, int del)
{
	struct seg_entry *se;
	unsigned int segno, offset;
	long int new_vblocks;
	bool exist;
#ifdef CONFIG_F2FS_CHECK_FS
	bool mir_exist;
#endif

	segno = GET_SEGNO(sbi, blkaddr);

	se = get_seg_entry(sbi, segno);
>	new_vblocks = se->valid_blocks + del;	/* faulting read of se->valid_blocks: se is out of range */
	offset = GET_BLKOFF_FROM_SEG0(sbi, blkaddr);

	f2fs_bug_on(sbi, (new_vblocks >> (sizeof(unsigned short) << 3) ||
				(new_vblocks > sbi->blocks_per_seg)));

	se->valid_blocks = new_vblocks;
	se->mtime = get_mtime(sbi, false);
	if (se->mtime > SIT_I(sbi)->max_mtime)
		SIT_I(sbi)->max_mtime = se->mtime;

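The out-of-range lookup the reporter suspects, modelled as an added C example (this is not f2fs kernel code and not from the report): the segment number is derived from a block address by unchecked unsigned arithmetic, so an address below the main area (such as the blkaddr 14 in the warning above) wraps to a huge table index, while a bounds check on the address rejects it before any indexing. The geometry values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the geometry fields GET_SEGNO() reads; added
 * illustration, not f2fs kernel code. */
typedef uint32_t block_t;

struct geom {
    block_t  seg0_blkaddr;    /* first block of segment 0 */
    uint32_t blocks_per_seg;  /* 512 for 2 MiB segments of 4 KiB blocks */
    uint32_t segment_count;   /* main-area segments = size of the entry table */
};

/* Constructed geometry for a small image: main area at block 512, 64 segments. */
static const struct geom SMALL_IMAGE = { 512, 512, 64 };

/* Unchecked segment number, mirroring (blkaddr - seg0) / blocks_per_seg.
 * Unsigned subtraction wraps for addresses below seg0 instead of going
 * negative, so the result is a huge index rather than an error. */
static uint32_t segno_unchecked(const struct geom *g, block_t blkaddr)
{
    return (blkaddr - g->seg0_blkaddr) / g->blocks_per_seg;
}

/* Defensive variant: refuse any address outside the main area before it
 * becomes an index into the per-segment entry table. Returns -1 if invalid. */
static int64_t segno_checked(const struct geom *g, block_t blkaddr)
{
    uint64_t main_end = (uint64_t)g->seg0_blkaddr +
                        (uint64_t)g->segment_count * g->blocks_per_seg;
    if (blkaddr < g->seg0_blkaddr || blkaddr >= main_end)
        return -1;
    return (int64_t)((blkaddr - g->seg0_blkaddr) / g->blocks_per_seg);
}

int main(void)
{
    block_t bad = 14;  /* the blkaddr in the report's "invalid blkaddr: 14" warning */
    uint32_t idx = segno_unchecked(&SMALL_IMAGE, bad);

    printf("unchecked segno for blkaddr %u: %u (table has %u entries)\n",
           bad, idx, SMALL_IMAGE.segment_count);
    printf("checked lookup: %lld\n", (long long)segno_checked(&SMALL_IMAGE, bad));
    return 0;
}
```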