syz-executor.0: attempt to access beyond end of device
loop0: rw=2049, sector=45096, nr_sectors = 8 limit=40427
==================================================================
BUG: KASAN: use-after-free in do_raw_write_trylock+0x72/0x1f0
Read of size 4 at addr ffff88807f7585e0 by task syz-executor.0/5544

CPU: 1 PID: 5544 Comm: syz-executor.0 Not tainted 6.2.0-rc5-syzkaller-00047-g7c46948a6e9c-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
Call Trace:
 dump_stack_lvl+0x1b5/0x2a0
 print_report+0x163/0x4c0
 kasan_report+0xce/0x100
 kasan_check_range+0x283/0x290
 do_raw_write_trylock+0x72/0x1f0
 _raw_write_trylock+0x20/0x70
 __shrink_extent_tree+0x5b9/0xc80
 f2fs_leave_shrinker+0x86/0x260
 f2fs_put_super+0x597/0xcb0
 generic_shutdown_super+0x134/0x310
 kill_block_super+0x7e/0xe0
 kill_f2fs_super+0x303/0x3d0
 deactivate_locked_super+0xa4/0x110
 cleanup_mnt+0x490/0x520
 task_work_run+0x24a/0x300
 exit_to_user_mode_loop+0xd1/0xf0
 exit_to_user_mode_prepare+0xb1/0x140
 syscall_exit_to_user_mode+0x54/0x2d0
 do_syscall_64+0x4d/0xc0
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fba8688d537
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc7567f748 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fba8688d537
RDX: 00007ffc7567f819 RSI: 000000000000000a RDI: 00007ffc7567f810
RBP: 00007ffc7567f810 R08: 00000000ffffffff R09: 00007ffc7567f5e0
R10: 00005555569a08b3 R11: 0000000000000246 R12: 00007fba868e6b24
R13: 00007ffc756808d0 R14: 00005555569a0810 R15: 00007ffc75680910

Allocated by task 5685:
 kasan_set_track+0x40/0x70
 __kasan_slab_alloc+0x69/0x80
 slab_post_alloc_hook+0x68/0x390
 kmem_cache_alloc+0x12c/0x280
 __grab_extent_tree+0x183/0x400
 f2fs_init_extent_tree+0x214/0x450
 f2fs_new_inode+0xdb4/0x1090
 __f2fs_tmpfile+0xa5/0x380
 f2fs_ioc_start_atomic_write+0x419/0x970
 __f2fs_ioctl+0x1ace/0xb2b0
 __se_sys_ioctl+0xf1/0x160
 do_syscall_64+0x41/0xc0
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 5702:
 kasan_set_track+0x40/0x70
 kasan_save_free_info+0x2b/0x40
 ____kasan_slab_free+0xd6/0x120
 kmem_cache_free+0x2b5/0x580
 __destroy_extent_tree+0x307/0x730
 f2fs_destroy_extent_tree+0x17/0x30
 f2fs_evict_inode+0x467/0x1650
 evict+0x2a4/0x620
 f2fs_abort_atomic_write+0xda/0x440
 __f2fs_ioctl+0x315c/0xb2b0
 __se_sys_ioctl+0xf1/0x160
 do_syscall_64+0x41/0xc0
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff88807f7585b0
 which belongs to the cache f2fs_extent_tree of size 144
The buggy address is located 48 bytes inside of
 144-byte region [ffff88807f7585b0, ffff88807f758640)

The buggy address belongs to the physical page:
page:ffffea0001fdd600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7f758
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffff88814616bdc0 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080130013 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Reclaimable, gfp_mask 0x112c50(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 5603, tgid 5602 (syz-executor.0), ts 104469031710, free_ts 104442588112
 get_page_from_freelist+0x3403/0x3580
 __alloc_pages+0x291/0x7e0
 alloc_slab_page+0x6a/0x160
 new_slab+0x84/0x2f0
 ___slab_alloc+0xa07/0x1000
 kmem_cache_alloc+0x1b0/0x280
 __grab_extent_tree+0x183/0x400
 f2fs_init_extent_tree+0x214/0x450
 f2fs_new_inode+0xdb4/0x1090
 f2fs_create+0x197/0x530
 path_openat+0x12b9/0x2e30
 do_filp_open+0x26d/0x500
 do_sys_openat2+0x128/0x4f0
 __x64_sys_openat+0x247/0x290
 do_syscall_64+0x41/0xc0
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
 free_unref_page_prepare+0xf3a/0x1040
 free_unref_page+0x37/0x3f0
 __unfreeze_partials+0x1b1/0x1f0
 put_cpu_partial+0x106/0x170
 qlist_free_all+0x22/0x60
 kasan_quarantine_reduce+0x15a/0x170
 __kasan_slab_alloc+0x23/0x80
 slab_post_alloc_hook+0x68/0x390
 kmem_cache_alloc+0x12c/0x280
 add_free_nid+0xdc/0x700
 f2fs_build_free_nids+0xca3/0x1190
 f2fs_fill_super+0x46f3/0x6f30
 mount_bdev+0x271/0x3a0
 legacy_get_tree+0xef/0x190
 vfs_get_tree+0x8c/0x270
 do_new_mount+0x28f/0xae0

Memory state around the buggy address:
 ffff88807f758480: fb fb fb fb fc fc fc fc fc fc fc fc fa fb fb fb
 ffff88807f758500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
>ffff88807f758580: fc fc fc fc fc fc fa fb fb fb fb fb fb fb fb fb
                                                       ^
 ffff88807f758600: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff88807f758680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
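The report's three stacks tell the story on their own: the f2fs_extent_tree object is allocated from f2fs_ioc_start_atomic_write (via __f2fs_tmpfile), freed when f2fs_abort_atomic_write evicts that inode, and then read again from __shrink_extent_tree when the filesystem is unmounted, so the extent tree was still reachable from the shrinker list after its inode was gone. The rest of the report is there to let you confirm that reading, and the script below is an added triage aid (not part of the syzkaller report or of f2fs) that does the confirmation mechanically: it parses the access line, the owning object and the shadow dump, recomputes the offset inside the object, and decodes the shadow byte that covers the faulting address. The input is a constructed excerpt of the report above; the 8-byte granule and the poison values are assumptions that hold for generic KASAN on x86-64 (mm/kasan/kasan.h), not something the report states.

```python
import re

KASAN_GRANULE = 8  # bytes of memory per shadow byte (assumed: generic KASAN, x86-64)

# Poison values as in mm/kasan/kasan.h for generic mode (assumed for this kernel).
# A value of 1..7 means only the first N bytes of the granule are accessible.
SHADOW_MEANING = {
    0x00: "accessible",
    0xfa: "freed (free-track metadata)",   # KASAN_SLAB_FREETRACK
    0xfb: "freed",                         # KASAN_SLAB_FREE
    0xfc: "slab redzone",                  # KASAN_SLAB_REDZONE
    0xfe: "page redzone",                  # KASAN_PAGE_REDZONE
    0xff: "free page",                     # KASAN_PAGE_FREE
}

# Constructed excerpt of the report above: only the lines the parser consumes.
REPORT = """\
BUG: KASAN: use-after-free in do_raw_write_trylock+0x72/0x1f0
Read of size 4 at addr ffff88807f7585e0 by task syz-executor.0/5544
The buggy address belongs to the object at ffff88807f7585b0
 which belongs to the cache f2fs_extent_tree of size 144
The buggy address is located 48 bytes inside of
 144-byte region [ffff88807f7585b0, ffff88807f758640)
Memory state around the buggy address:
 ffff88807f758500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
>ffff88807f758580: fc fc fc fc fc fc fa fb fb fb fb fb fb fb fb fb
                                                       ^
 ffff88807f758600: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
"""


def describe_shadow(byte):
    if byte is None:
        return "not in dump"
    if 1 <= byte <= 7:
        return f"partially accessible (first {byte} bytes)"
    return SHADOW_MEANING.get(byte, f"unknown 0x{byte:02x}")


def parse_report(text):
    """Pull the access, the owning slab object and the shadow rows out of a report."""
    bug = re.search(r"BUG: KASAN: (\S+) in (\S+)", text)
    acc = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", text)
    obj = re.search(r"(\d+)-byte region \[([0-9a-f]+), ([0-9a-f]+)\)", text)
    cache = re.search(r"belongs to the cache (\S+) of size", text)
    loc = re.search(r"is located (\d+) bytes (inside of|to the (?:left|right) of)", text)
    if not (bug and acc and obj):
        raise ValueError("not a slab KASAN report")
    # Each "Memory state" row is keyed by memory address and holds 16 shadow
    # bytes, so consecutive rows are 16 * KASAN_GRANULE = 128 bytes apart.
    shadow = {}
    for row in re.finditer(r"^[ >]([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", text, re.M):
        base = int(row.group(1), 16)
        for i, b in enumerate(row.group(2).split()):
            shadow[base + i * KASAN_GRANULE] = int(b, 16)
    return {
        "bug": bug.group(1), "site": bug.group(2),
        "access": acc.group(1).lower(), "size": int(acc.group(2)),
        "addr": int(acc.group(3), 16),
        "obj_size": int(obj.group(1)),
        "obj_start": int(obj.group(2), 16), "obj_end": int(obj.group(3), 16),
        "cache": cache.group(1) if cache else None,
        "reported_offset": int(loc.group(1)) if loc else None,
        "shadow": shadow,
    }


def triage(text):
    """Cross-check the report's own claims against its shadow dump."""
    r = parse_report(text)
    addr, shadow = r["addr"], r["shadow"]
    first = addr - addr % KASAN_GRANULE
    end = addr + r["size"] - 1
    last = end - end % KASAN_GRANULE
    sb = shadow.get(first)
    obj_granules = range(r["obj_start"], r["obj_end"], KASAN_GRANULE)
    return {
        "bug": r["bug"], "site": r["site"], "cache": r["cache"],
        "offset": addr - r["obj_start"],
        "inside_object": r["obj_start"] <= addr < r["obj_end"],
        "matches_report_offset": r["reported_offset"] == addr - r["obj_start"],
        "straddles_granule": first != last,
        "shadow_byte": sb,
        "state": describe_shadow(sb),
        # True when every granule of the object is poisoned as freed, i.e. the
        # whole object was released, not just a redzone or a partial granule.
        "object_fully_freed": all(shadow.get(g) in (0xfa, 0xfb) for g in obj_granules),
    }


if __name__ == "__main__":
    result = triage(REPORT)
    result["shadow_byte"] = f"0x{result['shadow_byte']:02x}"
    for k, v in result.items():
        print(f"{k:>22}: {v}")
```

For this report the decoder lands on shadow byte 0xfb for the granule at ffff88807f7585e0, the object's first granule is 0xfa (the free-track metadata KASAN stores in a freed object) and the remaining seventeen are 0xfb, so the shadow dump agrees with the "use-after-free" classification and with the "48 bytes inside of 144-byte region" line rather than indicating a redzone overrun. The same check is worth running on reports where the headline says use-after-free but the access sits near the object boundary, since a redzone byte (0xfc) under the caret would point at an overflow instead.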