==================================================================
BUG: KASAN: use-after-free in data_blkaddr fs/f2fs/f2fs.h:2782 [inline]
BUG: KASAN: use-after-free in is_alive fs/f2fs/gc.c:1029 [inline]
BUG: KASAN: use-after-free in gc_data_segment+0x29fd/0x3040 fs/f2fs/gc.c:1448
Read of size 4 at addr ffff88810c7fd150 by task kworker/u4:1/9

CPU: 0 PID: 9 Comm: kworker/u4:1 Not tainted 5.10.149-syzkaller-01403-g2498b03977b3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
Workqueue: writeback wb_workfn (flush-7:3)
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118
 print_address_description+0x81/0x3c0 mm/kasan/report.c:233
 __kasan_report mm/kasan/report.c:419 [inline]
 kasan_report+0x1a4/0x1f0 mm/kasan/report.c:436
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308
 data_blkaddr fs/f2fs/f2fs.h:2782 [inline]
 is_alive fs/f2fs/gc.c:1029 [inline]
 gc_data_segment+0x29fd/0x3040 fs/f2fs/gc.c:1448
 do_garbage_collect+0xd3a/0x1de0 fs/f2fs/gc.c:1652
 f2fs_gc+0x89e/0x19c0 fs/f2fs/gc.c:1745
 f2fs_balance_fs+0x339/0x3e0 fs/f2fs/segment.c:528
 f2fs_write_inode+0x66f/0x720 fs/f2fs/inode.c:720
 write_inode+0xf8/0x2a0 fs/fs-writeback.c:1326
 __writeback_single_inode+0x37a/0x6e0 fs/fs-writeback.c:1524
 writeback_sb_inodes+0x999/0x1700 fs/fs-writeback.c:1730
 wb_writeback+0x42f/0xc20 fs/fs-writeback.c:1905
 wb_do_writeback+0x222/0xbd0 fs/fs-writeback.c:2050
 wb_workfn+0xf8/0x3f0 fs/fs-writeback.c:2091
 process_one_work+0x726/0xc10 kernel/workqueue.c:2296
 worker_thread+0xb27/0x1550 kernel/workqueue.c:2442
 kthread+0x349/0x3d0 kernel/kthread.c:313
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:299

The buggy address belongs to the page:
page:ffffea000431ff40 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10c7fd
flags: 0x8000000000000000()
raw: 8000000000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1528c0(GFP_NOWAIT|__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 5019, ts 878574603180, free_ts 878639335070
 set_page_owner include/linux/page_owner.h:35 [inline]
 post_alloc_hook mm/page_alloc.c:2386 [inline]
 prep_new_page mm/page_alloc.c:2392 [inline]
 get_page_from_freelist+0x755/0x810 mm/page_alloc.c:4073
 __alloc_pages_nodemask+0x3b6/0x890 mm/page_alloc.c:5160
 __alloc_pages include/linux/gfp.h:529 [inline]
 __alloc_pages_node include/linux/gfp.h:542 [inline]
 alloc_pages_node include/linux/gfp.h:556 [inline]
 alloc_pages include/linux/gfp.h:575 [inline]
 skb_page_frag_refill+0x1ed/0x3a0 net/core/sock.c:2480
 sk_page_frag_refill+0x4c/0x230 net/core/sock.c:2500
 tcp_sendmsg_locked+0x1155/0x3c00 net/ipv4/tcp.c:1334
 tcp_sendmsg+0x2f/0x50 net/ipv4/tcp.c:1451
 inet_sendmsg+0xa1/0xc0 net/ipv4/af_inet.c:821
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg net/socket.c:672 [inline]
 __sys_sendto+0x541/0x700 net/socket.c:1982
 __do_sys_sendto net/socket.c:1994 [inline]
 __se_sys_sendto net/socket.c:1990 [inline]
 __x64_sys_sendto+0xe5/0x100 net/socket.c:1990
 do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x61/0xc6
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:28 [inline]
 free_pages_prepare mm/page_alloc.c:1332 [inline]
 __free_pages_ok+0x7f8/0x830 mm/page_alloc.c:1612
 free_compound_page+0x72/0x90 mm/page_alloc.c:717
 destroy_compound_page include/linux/mm.h:959 [inline]
 __put_compound_page+0x72/0xb0 mm/swap.c:115
 __put_page+0xc0/0xd0 mm/swap.c:131
 put_page include/linux/mm.h:1255 [inline]
 __skb_frag_unref include/linux/skbuff.h:3050 [inline]
 skb_release_data+0x22d/0x630 net/core/skbuff.c:619
 skb_release_all net/core/skbuff.c:680 [inline]
 __kfree_skb+0x59/0x1c0 net/core/skbuff.c:694
 sk_wmem_free_skb+0x126/0x6b0 include/net/sock.h:1589
 tcp_rtx_queue_unlink_and_free include/net/tcp.h:1868 [inline]
 tcp_clean_rtx_queue net/ipv4/tcp_input.c:3305 [inline]
 tcp_ack+0x2396/0x6990 net/ipv4/tcp_input.c:3852
 tcp_rcv_established+0xd49/0x1a10 net/ipv4/tcp_input.c:5852
 tcp_v4_do_rcv+0x3cc/0x7c0 net/ipv4/tcp_ipv4.c:1684
 sk_backlog_rcv include/net/sock.h:1058 [inline]
 __release_sock+0x162/0x430 net/core/sock.c:2543
 release_sock net/core/sock.c:3085 [inline]
 sk_wait_data+0x24c/0x560 net/core/sock.c:2585
 tcp_recvmsg+0x1054/0x35a0 net/ipv4/tcp.c:2248
 inet_recvmsg+0x157/0x500 net/ipv4/af_inet.c:852
 sock_recvmsg_nosec net/socket.c:886 [inline]
 sock_recvmsg net/socket.c:904 [inline]
 __sys_recvfrom+0x403/0x5b0 net/socket.c:2039
 __do_sys_recvfrom net/socket.c:2057 [inline]
 __se_sys_recvfrom net/socket.c:2053 [inline]
 __x64_sys_recvfrom+0xe5/0x100 net/socket.c:2053

Memory state around the buggy address:
 ffff88810c7fd000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88810c7fd080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88810c7fd100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                 ^
 ffff88810c7fd180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88810c7fd200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================