==================================================================
BUG: KASAN: slab-use-after-free in xfs_inode_item_push+0x248/0x290 fs/xfs/xfs_inode_item.c:775
Read of size 8 at addr ffff0000db7797e0 by task xfsaild/loop0/8321

CPU: 1 UID: 0 PID: 8321 Comm: xfsaild/loop0 Not tainted 6.12.0-syzkaller-g7b1d1d4cfac0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:484 (C)
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x198/0x538 mm/kasan/report.c:488
 kasan_report+0xd8/0x138 mm/kasan/report.c:601
 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381
 xfs_inode_item_push+0x248/0x290 fs/xfs/xfs_inode_item.c:775
 xfsaild_push_item fs/xfs/xfs_trans_ail.c:395 [inline]
 xfsaild_push fs/xfs/xfs_trans_ail.c:523 [inline]
 xfsaild+0xb8c/0x2bd4 fs/xfs/xfs_trans_ail.c:705
 kthread+0x288/0x310 kernel/kthread.c:389
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:862

Allocated by task 8309:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_alloc_info+0x40/0x50 mm/kasan/generic.c:565
 unpoison_slab_object mm/kasan/common.c:319 [inline]
 __kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:345
 kasan_slab_alloc include/linux/kasan.h:247 [inline]
 slab_post_alloc_hook mm/slub.c:4085 [inline]
 slab_alloc_node mm/slub.c:4134 [inline]
 kmem_cache_alloc_noprof+0x1c0/0x354 mm/slub.c:4141
 xfs_inode_item_init+0x3c/0xc0 fs/xfs/xfs_inode_item.c:870
 xfs_trans_ijoin+0xe4/0x120 fs/xfs/libxfs/xfs_trans_inode.c:36
 xfs_create+0x878/0xd98 fs/xfs/xfs_inode.c:720
 xfs_generic_create+0x468/0xc78 fs/xfs/xfs_iops.c:213
 xfs_vn_mkdir+0x44/0x58 fs/xfs/xfs_iops.c:306
 vfs_mkdir+0x27c/0x410 fs/namei.c:4257
 do_mkdirat+0x248/0x574 fs/namei.c:4280
 __do_sys_mkdirat fs/namei.c:4295 [inline]
 __se_sys_mkdirat fs/namei.c:4293 [inline]
 __arm64_sys_mkdirat+0x8c/0xa4 fs/namei.c:4293
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

Freed by task 16:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_free_info+0x54/0x6c mm/kasan/generic.c:579
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x64/0x8c mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:2342 [inline]
 slab_free mm/slub.c:4579 [inline]
 kmem_cache_free+0x19c/0x560 mm/slub.c:4681
 xfs_inode_item_destroy+0x80/0x94 fs/xfs/xfs_inode_item.c:892
 xfs_inode_free_callback+0x154/0x1cc fs/xfs/xfs_icache.c:158
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0x898/0x1b5c kernel/rcu/tree.c:2823
 rcu_core_si+0x10/0x1c kernel/rcu/tree.c:2840
 handle_softirqs+0x2e0/0xbf8 kernel/softirq.c:554
 run_ksoftirqd+0x70/0xc0 kernel/softirq.c:949
 smpboot_thread_fn+0x4b0/0x90c kernel/smpboot.c:164
 kthread+0x288/0x310 kernel/kthread.c:389
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:862

The buggy address belongs to the object at ffff0000db7797b0
 which belongs to the cache xfs_ili of size 264
The buggy address is located 48 bytes inside of
 freed 264-byte region [ffff0000db7797b0, ffff0000db7798b8)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11b779
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 05ffc00000000000 ffff0000c5352140 dead000000000122 0000000000000000
raw: 0000000000000000 00000000800c000c 00000001f5000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000db779680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0000db779700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
>ffff0000db779780: fc fc fc fc fc fc fa fb fb fb fb fb fb fb fb fb
                                     ^
 ffff0000db779800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0000db779880: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fa
==================================================================