==================================================================
BUG: KASAN: use-after-free in F2FS_SB fs/f2fs/f2fs.h:1997 [inline]
BUG: KASAN: use-after-free in F2FS_I_SB fs/f2fs/f2fs.h:2002 [inline]
BUG: KASAN: use-after-free in F2FS_M_SB fs/f2fs/f2fs.h:2007 [inline]
BUG: KASAN: use-after-free in f2fs_release_folio fs/f2fs/data.c:3747 [inline]
BUG: KASAN: use-after-free in f2fs_release_folio+0x65e/0x710 fs/f2fs/data.c:3739
Read of size 8 at addr ffff8880728c8678 by task kswapd1/111

CPU: 0 PID: 111 Comm: kswapd1 Not tainted 6.3.0-rc7-syzkaller-00060-g789b4a41c247 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
 print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:319
 print_report mm/kasan/report.c:430 [inline]
 kasan_report+0x11c/0x130 mm/kasan/report.c:536
 F2FS_SB fs/f2fs/f2fs.h:1997 [inline]
 F2FS_I_SB fs/f2fs/f2fs.h:2002 [inline]
 F2FS_M_SB fs/f2fs/f2fs.h:2007 [inline]
 f2fs_release_folio fs/f2fs/data.c:3747 [inline]
 f2fs_release_folio+0x65e/0x710 fs/f2fs/data.c:3739
 filemap_release_folio+0x13f/0x1b0 mm/filemap.c:4121
 shrink_folio_list+0x1fe3/0x3c80 mm/vmscan.c:2010
 evict_folios+0x794/0x1940 mm/vmscan.c:5121
 try_to_shrink_lruvec+0x82c/0xb90 mm/vmscan.c:5297
 shrink_one+0x46b/0x810 mm/vmscan.c:5341
 shrink_many mm/vmscan.c:5394 [inline]
 lru_gen_shrink_node mm/vmscan.c:5511 [inline]
 shrink_node+0x2064/0x35f0 mm/vmscan.c:6459
 kswapd_shrink_node mm/vmscan.c:7262 [inline]
 balance_pgdat+0xa02/0x1ac0 mm/vmscan.c:7452
 kswapd+0x677/0xd60 mm/vmscan.c:7712
 kthread+0x2e8/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
 </TASK>

The buggy address belongs to the physical page:
page:ffffea0001ca3200 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn:0x728c8
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
raw: 04fff00000000000 ffffea00011fec08 ffffea0001c05408 0000000000000000
raw: 0000000000000000 0000000000000003 00000000ffffff7f 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 5784, tgid 5783 (syz-executor.2), ts 2457935067143, free_ts 2459106252856
 prep_new_page mm/page_alloc.c:2553 [inline]
 get_page_from_freelist+0x1190/0x2e20 mm/page_alloc.c:4326
 __alloc_pages+0x1cb/0x4a0 mm/page_alloc.c:5592
 alloc_pages+0x1aa/0x270 mm/mempolicy.c:2283
 alloc_slab_page mm/slub.c:1851 [inline]
 allocate_slab+0x25f/0x390 mm/slub.c:1998
 new_slab mm/slub.c:2051 [inline]
 ___slab_alloc+0xa91/0x1400 mm/slub.c:3193
 __slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3292
 __slab_alloc_node mm/slub.c:3345 [inline]
 slab_alloc_node mm/slub.c:3442 [inline]
 __kmem_cache_alloc_node+0x136/0x320 mm/slub.c:3491
 kmalloc_trace+0x26/0xe0 mm/slab_common.c:1061
 kmalloc include/linux/slab.h:580 [inline]
 copy_mount_options+0x55/0x180 fs/namespace.c:3250
 __do_sys_mount fs/namespace.c:3589 [inline]
 __se_sys_mount fs/namespace.c:3571 [inline]
 __ia32_sys_mount+0x1ad/0x300 fs/namespace.c:3571
 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
 __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178
 do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203
 entry_SYSENTER_compat_after_hwframe+0x70/0x82
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1454 [inline]
 free_pcp_prepare+0x5d5/0xa50 mm/page_alloc.c:1504
 free_unref_page_prepare mm/page_alloc.c:3388 [inline]
 free_unref_page+0x1d/0x490 mm/page_alloc.c:3483
 qlink_free mm/kasan/quarantine.c:168 [inline]
 qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187
 kasan_quarantine_reduce+0x192/0x220 mm/kasan/quarantine.c:294
 __kasan_slab_alloc+0x63/0x90 mm/kasan/common.c:305
 kasan_slab_alloc include/linux/kasan.h:186 [inline]
 slab_post_alloc_hook mm/slab.h:769 [inline]
 slab_alloc_node mm/slub.c:3452 [inline]
 slab_alloc mm/slub.c:3460 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3467 [inline]
 kmem_cache_alloc+0x17c/0x3b0 mm/slub.c:3476
 ptlock_alloc+0x21/0x70 mm/memory.c:5835
 ptlock_init include/linux/mm.h:2620 [inline]
 pgtable_pte_page_ctor include/linux/mm.h:2647 [inline]
 __pte_alloc_one include/asm-generic/pgalloc.h:66 [inline]
 pte_alloc_one+0x6c/0x230 arch/x86/mm/pgtable.c:33
 __pte_alloc+0x6d/0x260 mm/memory.c:421
 do_anonymous_page mm/memory.c:4034 [inline]
 handle_pte_fault mm/memory.c:4921 [inline]
 __handle_mm_fault+0x3626/0x3e60 mm/memory.c:5065
 handle_mm_fault+0x2ba/0x9c0 mm/memory.c:5211
 do_user_addr_fault+0x475/0x1230 arch/x86/mm/fault.c:1407
 handle_page_fault arch/x86/mm/fault.c:1498 [inline]
 exc_page_fault+0x98/0x170 arch/x86/mm/fault.c:1554
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:570

Memory state around the buggy address:
 ffff8880728c8500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8880728c8580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8880728c8600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                                ^
 ffff8880728c8680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8880728c8700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================