syzbot

BTRFS error (device loop5): open_ctree failed
BTRFS info (device loop5): disk space caching is enabled
BTRFS info (device loop5): has skinny extents
==================================================================
BUG: KASAN: use-after-free in btrfs_printk+0x34f/0x3d0 fs/btrfs/super.c:215
Read of size 8 at addr ffff88809e9ce4e0 by task syz-executor414/9105

CPU: 0 PID: 9105 Comm: syz-executor414 Not tainted 4.19.160-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2fe lib/dump_stack.c:118
 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
 kasan_report_error.cold+0x8a/0x1c7 mm/kasan/report.c:354
 kasan_report mm/kasan/report.c:412 [inline]
 __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
 btrfs_printk+0x34f/0x3d0 fs/btrfs/super.c:215
 device_list_add.cold+0x1a0/0x376 fs/btrfs/volumes.c:860
 btrfs_scan_one_device+0x33f/0xd00 fs/btrfs/volumes.c:1263
 btrfs_mount_root+0x9df/0x1830 fs/btrfs/super.c:1577
 mount_fs+0xa3/0x30c fs/super.c:1261
 vfs_kern_mount.part.0+0x68/0x470 fs/namespace.c:961
 vfs_kern_mount+0x3c/0x60 fs/namespace.c:951
 btrfs_mount+0x23a/0xa93 fs/btrfs/super.c:1681
 mount_fs+0xa3/0x30c fs/super.c:1261
 vfs_kern_mount.part.0+0x68/0x470 fs/namespace.c:961
 vfs_kern_mount fs/namespace.c:951 [inline]
 do_new_mount fs/namespace.c:2469 [inline]
 do_mount+0x113c/0x2f10 fs/namespace.c:2799
 ksys_mount+0xcf/0x130 fs/namespace.c:3015
 __do_sys_mount fs/namespace.c:3029 [inline]
 __se_sys_mount fs/namespace.c:3026 [inline]
 __x64_sys_mount+0xba/0x150 fs/namespace.c:3026
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x44e03a
Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 ad a0 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 8a a0 fb ff c3 66 0f 1f 84 00 00 00 00 00
RSP: 002b:00007fa01c4cfbf8 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 000000000044e03a
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fa01c4cfc10
RBP: 00007fa01c4cfc10 R08: 00007fa01c4cfc50 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 000000000000001e
R13: 00007fa01c4cfc50 R14: 00007fa01c4d06d0 R15: 0000000000000005

Allocated by task 8822:
 __do_kmalloc_node mm/slab.c:3689 [inline]
 __kmalloc_node+0x4c/0x70 mm/slab.c:3696
 kmalloc_node include/linux/slab.h:557 [inline]
 kvmalloc_node+0xb4/0xf0 mm/util.c:423
 kvmalloc include/linux/mm.h:577 [inline]
 kvzalloc include/linux/mm.h:585 [inline]
 btrfs_mount_root+0x13f/0x1830 fs/btrfs/super.c:1556
 mount_fs+0xa3/0x30c fs/super.c:1261
 vfs_kern_mount.part.0+0x68/0x470 fs/namespace.c:961
 vfs_kern_mount+0x3c/0x60 fs/namespace.c:951
 btrfs_mount+0x23a/0xa93 fs/btrfs/super.c:1681
 mount_fs+0xa3/0x30c fs/super.c:1261
 vfs_kern_mount.part.0+0x68/0x470 fs/namespace.c:961
 vfs_kern_mount fs/namespace.c:951 [inline]
 do_new_mount fs/namespace.c:2469 [inline]
 do_mount+0x113c/0x2f10 fs/namespace.c:2799
 ksys_mount+0xcf/0x130 fs/namespace.c:3015
 __do_sys_mount fs/namespace.c:3029 [inline]
 __se_sys_mount fs/namespace.c:3026 [inline]
 __x64_sys_mount+0xba/0x150 fs/namespace.c:3026
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8822:
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xcc/0x210 mm/slab.c:3822
 kvfree+0x59/0x60 mm/util.c:452
 deactivate_locked_super+0x94/0x160 fs/super.c:329
 btrfs_mount_root+0x10a0/0x1830 fs/btrfs/super.c:1623
 mount_fs+0xa3/0x30c fs/super.c:1261
 vfs_kern_mount.part.0+0x68/0x470 fs/namespace.c:961
 vfs_kern_mount+0x3c/0x60 fs/namespace.c:951
 btrfs_mount+0x23a/0xa93 fs/btrfs/super.c:1681
 mount_fs+0xa3/0x30c fs/super.c:1261
 vfs_kern_mount.part.0+0x68/0x470 fs/namespace.c:961
 vfs_kern_mount fs/namespace.c:951 [inline]
 do_new_mount fs/namespace.c:2469 [inline]
 do_mount+0x113c/0x2f10 fs/namespace.c:2799
 ksys_mount+0xcf/0x130 fs/namespace.c:3015
 __do_sys_mount fs/namespace.c:3029 [inline]
 __se_sys_mount fs/namespace.c:3026 [inline]
 __x64_sys_mount+0xba/0x150 fs/namespace.c:3026
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff88809e9cdec0
 which belongs to the cache kmalloc-8192 of size 8192
The buggy address is located 1568 bytes inside of
 8192-byte region [ffff88809e9cdec0, ffff88809e9cfec0)
The buggy address belongs to the page:
page:ffffea00027a7300 count:1 mapcount:0 mapping:ffff88813bff2080 index:0x0 compound_mapcount: 0
flags: 0xfff00000008100(slab|head)
raw: 00fff00000008100 ffffea0002779308 ffffea0002600208 ffff88813bff2080
raw: 0000000000000000 ffff88809e9cdec0 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809e9ce380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88809e9ce400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88809e9ce480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                       ^
 ffff88809e9ce500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88809e9ce580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================