==================================================================
BUG: KASAN: use-after-free in do_raw_write_trylock+0x72/0x1f0
Read of size 4 at addr ffff888073fdbe00 by task syz-executor.0/5531

CPU: 0 PID: 5531 Comm: syz-executor.0 Not tainted 6.2.0-rc5-syzkaller-00047-g7c46948a6e9c-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
Call Trace:
 dump_stack_lvl+0x1b5/0x2a0
 print_report+0x163/0x4c0
 kasan_report+0xce/0x100
 kasan_check_range+0x283/0x290
 do_raw_write_trylock+0x72/0x1f0
 _raw_write_trylock+0x20/0x70
 __shrink_extent_tree+0x5e1/0xc50
 f2fs_leave_shrinker+0x86/0x260
 f2fs_put_super+0x597/0xcb0
 generic_shutdown_super+0x134/0x310
 kill_block_super+0x7e/0xe0
 kill_f2fs_super+0x303/0x3d0
 deactivate_locked_super+0xa4/0x110
 cleanup_mnt+0x490/0x520
 task_work_run+0x24a/0x300
 exit_to_user_mode_loop+0xd1/0xf0
 exit_to_user_mode_prepare+0xb1/0x140
 syscall_exit_to_user_mode+0x54/0x2d0
 do_syscall_64+0x4d/0xc0
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7ff73268d537
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe667cfdc8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007ff73268d537
RDX: 00007ffe667cfe9b RSI: 000000000000000a RDI: 00007ffe667cfe90
RBP: 00007ffe667cfe90 R08: 00000000ffffffff R09: 00007ffe667cfc60
R10: 00005555557478b3 R11: 0000000000000246 R12: 00007ff7326e6b24
R13: 00007ffe667d0f50 R14: 0000555555747810 R15: 00007ffe667d0f90

Allocated by task 9054:
 kasan_set_track+0x40/0x70
 __kasan_slab_alloc+0x69/0x80
 slab_post_alloc_hook+0x68/0x390
 kmem_cache_alloc+0x12c/0x280
 __grab_extent_tree+0x183/0x400
 f2fs_init_extent_tree+0x214/0x450
 f2fs_new_inode+0xdb4/0x1090
 __f2fs_tmpfile+0xa5/0x380
 f2fs_ioc_start_atomic_write+0x419/0x970
 __f2fs_ioctl+0x1ace/0xb2b0
 __se_sys_ioctl+0xf1/0x160
 do_syscall_64+0x41/0xc0
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 9059:
 kasan_set_track+0x40/0x70
 kasan_save_free_info+0x2b/0x40
 ____kasan_slab_free+0xd6/0x120
 kmem_cache_free+0x2b5/0x580
 __destroy_extent_tree+0x32a/0x740
 f2fs_destroy_extent_tree+0x17/0x30
 f2fs_evict_inode+0x467/0x1650
 evict+0x2a4/0x620
 f2fs_abort_atomic_write+0xda/0x440
 __f2fs_ioctl+0x315c/0xb2b0
 __se_sys_ioctl+0xf1/0x160
 do_syscall_64+0x41/0xc0
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff888073fdbdd0
 which belongs to the cache f2fs_extent_tree of size 144
The buggy address is located 48 bytes inside of
 144-byte region [ffff888073fdbdd0, ffff888073fdbe60)

The buggy address belongs to the physical page:
page:ffffea0001cff6c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x73fdb
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffff8881466f2b40 ffffea0001cf8e40 0000000000000004
raw: 0000000000000000 0000000080130013 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Reclaimable, gfp_mask 0x112c50(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 5595, tgid 5594 (syz-executor.0), ts 80035358654, free_ts 79979980358
 get_page_from_freelist+0x3403/0x3580
 __alloc_pages+0x291/0x7e0
 alloc_slab_page+0x6a/0x160
 new_slab+0x84/0x2f0
 ___slab_alloc+0xa07/0x1000
 kmem_cache_alloc+0x1b0/0x280
 __grab_extent_tree+0x183/0x400
 f2fs_init_extent_tree+0x214/0x450
 f2fs_new_inode+0xdb4/0x1090
 f2fs_create+0x197/0x530
 path_openat+0x12b9/0x2e30
 do_filp_open+0x26d/0x500
 do_sys_openat2+0x128/0x4f0
 __x64_sys_openat+0x247/0x290
 do_syscall_64+0x41/0xc0
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
 free_unref_page_prepare+0xf3a/0x1040
 free_unref_page+0x37/0x3f0
 __unfreeze_partials+0x1b1/0x1f0
 put_cpu_partial+0x106/0x170
 qlist_free_all+0x22/0x60
 kasan_quarantine_reduce+0x15a/0x170
 __kasan_slab_alloc+0x23/0x80
 slab_post_alloc_hook+0x68/0x390
 __kmem_cache_alloc_node+0x14c/0x2a0
 __kmalloc_node+0xa2/0x190
 kvmalloc_node+0x72/0x180
 f2fs_build_node_manager+0xfc5/0x1e20
 f2fs_fill_super+0x46f3/0x6f30
 mount_bdev+0x271/0x3a0
 legacy_get_tree+0xef/0x190
 vfs_get_tree+0x8c/0x270

Memory state around the buggy address:
 ffff888073fdbd00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888073fdbd80: fb fb fc fc fc fc fc fc fc fc fa fb fb fb fb fb
>ffff888073fdbe00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
                   ^
 ffff888073fdbe80: fc fc fc fc fa fb fb fb fb fb fb fb fb fb fb fb
 ffff888073fdbf00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
==================================================================