==================================================================
BUG: KASAN: use-after-free in data_blkaddr fs/f2fs/f2fs.h:2506 [inline]
BUG: KASAN: use-after-free in is_alive fs/f2fs/gc.c:990 [inline]
BUG: KASAN: use-after-free in gc_data_segment fs/f2fs/gc.c:1407 [inline]
BUG: KASAN: use-after-free in do_garbage_collect+0x2c23/0x3480 fs/f2fs/gc.c:1610
Read of size 4 at addr ffff88801517f568 by task syz-executor.0/6037

CPU: 1 PID: 6037 Comm: syz-executor.0 Not tainted 5.11.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x9a/0xcc lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:230
 __kasan_report mm/kasan/report.c:396 [inline]
 kasan_report.cold+0x79/0xd5 mm/kasan/report.c:413
 data_blkaddr fs/f2fs/f2fs.h:2506 [inline]
 is_alive fs/f2fs/gc.c:990 [inline]
 gc_data_segment fs/f2fs/gc.c:1407 [inline]
 do_garbage_collect+0x2c23/0x3480 fs/f2fs/gc.c:1610
 f2fs_gc+0x657/0x1360 fs/f2fs/gc.c:1701
 f2fs_write_single_data_page+0xb9a/0x14a0 fs/f2fs/data.c:2885
 f2fs_write_cache_pages+0x7ee/0x15d0 fs/f2fs/data.c:3098
 __f2fs_write_data_pages fs/f2fs/data.c:3244 [inline]
 f2fs_write_data_pages+0x3e3/0xe80 fs/f2fs/data.c:3271
 do_writepages+0xca/0x240 mm/page-writeback.c:2352
 __filemap_fdatawrite_range+0x243/0x320 mm/filemap.c:422
 file_write_and_wait_range+0x115/0x1a0 mm/filemap.c:761
 f2fs_do_sync_file+0x330/0x1c30 fs/f2fs/file.c:271
 generic_write_sync include/linux/fs.h:2737 [inline]
 f2fs_file_write_iter+0x5d7/0xc70 fs/f2fs/file.c:4421
 call_write_iter include/linux/fs.h:1901 [inline]
 do_iter_readv_writev+0x333/0x6d0 fs/read_write.c:740
 do_iter_write+0x12a/0x5b0 fs/read_write.c:866
 iter_file_splice_write+0x58d/0xad0 fs/splice.c:686
 do_splice_from fs/splice.c:764 [inline]
 direct_splice_actor+0xfb/0x1c0 fs/splice.c:933
 splice_direct_to_actor+0x323/0x8a0 fs/splice.c:888
 do_splice_direct+0x154/0x260 fs/splice.c:976
 do_sendfile+0x478/0x1010 fs/read_write.c:1257
 __do_sys_sendfile64 fs/read_write.c:1318 [inline]
 __se_sys_sendfile64 fs/read_write.c:1304 [inline]
 __x64_sys_sendfile64+0x186/0x1d0 fs/read_write.c:1304
 do_syscall_64+0x2d/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f95e1929639
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f95e0c9c168 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00007f95e1a49f80 RCX: 00007f95e1929639
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000003
RBP: 00007f95e19847e1 R08: 0000000000000000 R09: 0000000000000000
R10: 0001000000201005 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd2d1a36ef R14: 00007f95e0c9c300 R15: 0000000000022000

Allocated by task 6162:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:401 [inline]
 ____kasan_kmalloc.constprop.0+0x82/0xa0 mm/kasan/common.c:429
 kasan_slab_alloc include/linux/kasan.h:209 [inline]
 slab_post_alloc_hook mm/slab.h:512 [inline]
 slab_alloc_node mm/slub.c:2892 [inline]
 slab_alloc mm/slub.c:2900 [inline]
 kmem_cache_alloc+0x1c6/0x440 mm/slub.c:2905
 vm_area_dup+0x83/0x290 kernel/fork.c:356
 dup_mmap kernel/fork.c:533 [inline]
 dup_mm+0x45e/0x1090 kernel/fork.c:1360
 copy_mm kernel/fork.c:1416 [inline]
 copy_process+0x26b5/0x6770 kernel/fork.c:2097
 kernel_clone+0xb8/0x7f0 kernel/fork.c:2462
 __do_sys_clone+0xaf/0xf0 kernel/fork.c:2579
 do_syscall_64+0x2d/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 6178:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:356
 ____kasan_slab_free+0xe1/0x110 mm/kasan/common.c:362
 kasan_slab_free include/linux/kasan.h:192 [inline]
 slab_free_hook mm/slub.c:1547 [inline]
 slab_free_freelist_hook+0x5d/0x150 mm/slub.c:1580
 slab_free mm/slub.c:3143 [inline]
 kmem_cache_free+0x82/0x350 mm/slub.c:3159
 remove_vma+0xfe/0x140 mm/mmap.c:184
 exit_mmap+0x2c3/0x4c0 mm/mmap.c:3231
 __mmput+0xeb/0x3e0 kernel/fork.c:1082
 exit_mm kernel/exit.c:501 [inline]
 do_exit+0x9e9/0x2570 kernel/exit.c:812
 do_group_exit+0xe7/0x290 kernel/exit.c:922
 __do_sys_exit_group kernel/exit.c:933 [inline]
 __se_sys_exit_group kernel/exit.c:931 [inline]
 __x64_sys_exit_group+0x35/0x40 kernel/exit.c:931
 do_syscall_64+0x2d/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff88801517f528
 which belongs to the cache vm_area_struct of size 200
The buggy address is located 64 bytes inside of
 200-byte region [ffff88801517f528, ffff88801517f5f0)
The buggy address belongs to the page:
page:00000000af823ada refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1517f
flags: 0xfff00000000200(slab)
raw: 00fff00000000200 ffffea000057f840 0000000700000007 ffff88800f5b7780
raw: 0000000000000000 00000000000f000f 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 5793, ts 50959274606
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x144/0x1c0 mm/page_alloc.c:2297
 prep_new_page mm/page_alloc.c:2306 [inline]
 get_page_from_freelist+0x1c6e/0x3f80 mm/page_alloc.c:3945
 __alloc_pages_nodemask+0x2d6/0x730 mm/page_alloc.c:4995
 alloc_pages include/linux/gfp.h:547 [inline]
 alloc_slab_page mm/slub.c:1618 [inline]
 allocate_slab+0x2b6/0x4a0 mm/slub.c:1758
 new_slab mm/slub.c:1821 [inline]
 new_slab_objects mm/slub.c:2578 [inline]
 ___slab_alloc+0x476/0x790 mm/slub.c:2741
 __slab_alloc.constprop.0+0x95/0xe0 mm/slub.c:2781
 slab_alloc_node mm/slub.c:2857 [inline]
 slab_alloc mm/slub.c:2900 [inline]
 kmem_cache_alloc+0x36e/0x440 mm/slub.c:2905
 vm_area_dup+0x83/0x290 kernel/fork.c:356
 dup_mmap kernel/fork.c:533 [inline]
 dup_mm+0x45e/0x1090 kernel/fork.c:1360
 copy_mm kernel/fork.c:1416 [inline]
 copy_process+0x26b5/0x6770 kernel/fork.c:2097
 kernel_clone+0xb8/0x7f0 kernel/fork.c:2462
 __do_sys_clone+0xaf/0xf0 kernel/fork.c:2579
 do_syscall_64+0x2d/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1271 [inline]
 free_pcp_prepare+0x2cb/0x410 mm/page_alloc.c:1306
 free_unref_page_prepare mm/page_alloc.c:3200 [inline]
 free_unref_page_list+0x19b/0x750 mm/page_alloc.c:3268
 release_pages+0xbee/0x1400 mm/swap.c:934
 tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:242 [inline]
 tlb_flush_mmu mm/mmu_gather.c:249 [inline]
 tlb_finish_mmu+0x127/0x790 mm/mmu_gather.c:328
 exit_mmap+0x265/0x4c0 mm/mmap.c:3222
 __mmput+0xeb/0x3e0 kernel/fork.c:1082
 exit_mm kernel/exit.c:501 [inline]
 do_exit+0x9e9/0x2570 kernel/exit.c:812
 do_group_exit+0xe7/0x290 kernel/exit.c:922
 __do_sys_exit_group kernel/exit.c:933 [inline]
 __se_sys_exit_group kernel/exit.c:931 [inline]
 __x64_sys_exit_group+0x35/0x40 kernel/exit.c:931
 do_syscall_64+0x2d/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Memory state around the buggy address:
 ffff88801517f400: fc fc fc fc fa fb fb fb fb fb fb fb fb fb fb fb
 ffff88801517f480: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
>ffff88801517f500: fc fc fc fc fc fa fb fb fb fb fb fb fb fb fb fb
                                                          ^
 ffff88801517f580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
 ffff88801517f600: fc fc fc fc fc fc fa fb fb fb fb fb fb fb fb fb
==================================================================