==================================================================
BUG: KASAN: slab-out-of-bounds in data_blkaddr fs/f2fs/f2fs.h:2782 [inline]
BUG: KASAN: slab-out-of-bounds in is_alive fs/f2fs/gc.c:1030 [inline]
BUG: KASAN: slab-out-of-bounds in gc_data_segment+0x29fd/0x3040 fs/f2fs/gc.c:1449
Read of size 4 at addr ffff8881085f5568 by task kworker/u4:0/7

CPU: 1 PID: 7 Comm: kworker/u4:0 Not tainted 5.10.149-syzkaller-01350-g0118fb827bc7 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Workqueue: writeback wb_workfn (flush-7:0)
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118
 print_address_description+0x81/0x3c0 mm/kasan/report.c:233
 __kasan_report mm/kasan/report.c:419 [inline]
 kasan_report+0x1a4/0x1f0 mm/kasan/report.c:436
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308
 data_blkaddr fs/f2fs/f2fs.h:2782 [inline]
 is_alive fs/f2fs/gc.c:1030 [inline]
 gc_data_segment+0x29fd/0x3040 fs/f2fs/gc.c:1449
 do_garbage_collect+0xd3f/0x1de0 fs/f2fs/gc.c:1654
 f2fs_gc+0x89e/0x19c0 fs/f2fs/gc.c:1747
 f2fs_balance_fs+0x339/0x3e0 fs/f2fs/segment.c:528
 f2fs_write_inode+0x672/0x720 fs/f2fs/inode.c:721
 write_inode+0xf8/0x2a0 fs/fs-writeback.c:1326
 __writeback_single_inode+0x37a/0x6e0 fs/fs-writeback.c:1524
 writeback_sb_inodes+0x999/0x1700 fs/fs-writeback.c:1730
 wb_writeback+0x42f/0xc20 fs/fs-writeback.c:1905
 wb_do_writeback+0x222/0xbd0 fs/fs-writeback.c:2050
 wb_workfn+0xf8/0x3f0 fs/fs-writeback.c:2091
 process_one_work+0x726/0xc10 kernel/workqueue.c:2296
 worker_thread+0xb27/0x1550 kernel/workqueue.c:2442
 kthread+0x349/0x3d0 kernel/kthread.c:313
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:299

Allocated by task 1:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:428 [inline]
 __kasan_slab_alloc+0xb2/0xe0 mm/kasan/common.c:461
 kasan_slab_alloc include/linux/kasan.h:259 [inline]
 slab_post_alloc_hook include/../mm/slab.h:583 [inline]
 slab_alloc_node mm/slub.c:2956 [inline]
 slab_alloc mm/slub.c:2964 [inline]
 kmem_cache_alloc+0x16c/0x300 mm/slub.c:2969
 kmem_cache_zalloc include/linux/slab.h:654 [inline]
 __kernfs_new_node+0xdb/0x6e0 fs/kernfs/dir.c:635
 kernfs_new_node fs/kernfs/dir.c:697 [inline]
 kernfs_create_dir_ns+0x9b/0x230 fs/kernfs/dir.c:1033
 internal_create_group+0x29d/0xf50 fs/sysfs/group.c:137
 sysfs_create_group+0x1f/0x30 fs/sysfs/group.c:175
 dpm_sysfs_add+0x5d/0x290 drivers/base/power/sysfs.c:702
 device_add+0x52c/0xbd0 drivers/base/core.c:3205
 acpi_device_add+0x973/0xd60 drivers/acpi/scan.c:727
 acpi_add_single_object+0x1191/0x18d0 drivers/acpi/scan.c:1684
 acpi_bus_check_add+0x42b/0xef0 drivers/acpi/scan.c:1924
 acpi_ns_walk_namespace+0x242/0x4ad drivers/acpi/acpica/nswalk.c:231
 acpi_walk_namespace+0xf2/0x121 drivers/acpi/acpica/nsxfeval.c:606
 acpi_bus_scan+0xd1/0x150 drivers/acpi/scan.c:2105
 acpi_scan_init+0x261/0x7fe drivers/acpi/scan.c:2274
 acpi_init+0x173/0x226 drivers/acpi/bus.c:1255
 do_one_initcall+0x1b5/0x610 init/main.c:1206
 do_initcall_level+0x192/0x2f0 init/main.c:1279
 do_initcalls+0x50/0x94 init/main.c:1295
 do_basic_setup+0x88/0x91 init/main.c:1315
 kernel_init_freeable+0x2ba/0x3f1 init/main.c:1519
 kernel_init+0x11/0x290 init/main.c:1406
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:299

The buggy address belongs to the object at ffff8881085f54b0
 which belongs to the cache kernfs_node_cache of size 136
The buggy address is located 48 bytes to the right of
 136-byte region [ffff8881085f54b0, ffff8881085f5538)
The buggy address belongs to the page:
page:ffffea0004217d40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1085f5
flags: 0x8000000000000200(slab)
raw: 8000000000000200 dead000000000100 dead000000000122 ffff88810017c180
raw: 0000000000000000 0000000000140014 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, ts 1118880235, free_ts 1088263818
 set_page_owner include/linux/page_owner.h:35 [inline]
 post_alloc_hook mm/page_alloc.c:2386 [inline]
 prep_new_page mm/page_alloc.c:2392 [inline]
 get_page_from_freelist+0x755/0x810 mm/page_alloc.c:4073
 __alloc_pages_nodemask+0x3b6/0x890 mm/page_alloc.c:5160
 alloc_slab_page mm/slub.c:1815 [inline]
 allocate_slab+0x78/0x540 mm/slub.c:1817
 new_slab mm/slub.c:1878 [inline]
 new_slab_objects mm/slub.c:2636 [inline]
 ___slab_alloc+0x131/0x2e0 mm/slub.c:2800
 __slab_alloc+0x63/0xa0 mm/slub.c:2840
 slab_alloc_node mm/slub.c:2922 [inline]
 slab_alloc mm/slub.c:2964 [inline]
 kmem_cache_alloc+0x1ef/0x300 mm/slub.c:2969
 kmem_cache_zalloc include/linux/slab.h:654 [inline]
 __kernfs_new_node+0xdb/0x6e0 fs/kernfs/dir.c:635
 kernfs_new_node+0x97/0x170 fs/kernfs/dir.c:697
 __kernfs_create_file+0x4a/0x270 fs/kernfs/file.c:985
 sysfs_add_file_mode_ns+0x273/0x320 fs/sysfs/file.c:306
 sysfs_merge_group+0x207/0x460 fs/sysfs/group.c:343
 dpm_sysfs_add+0xcf/0x290 drivers/base/power/sysfs.c:707
 device_add+0x52c/0xbd0 drivers/base/core.c:3205
 acpi_device_add+0x973/0xd60 drivers/acpi/scan.c:727
 acpi_add_single_object+0x1191/0x18d0 drivers/acpi/scan.c:1684
 acpi_bus_check_add+0x42b/0xef0 drivers/acpi/scan.c:1924
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:28 [inline]
 free_pages_prepare mm/page_alloc.c:1332 [inline]
 free_pcp_prepare+0x18c/0x1c0 mm/page_alloc.c:1406
 free_unref_page_prepare mm/page_alloc.c:3293 [inline]
 free_unref_page mm/page_alloc.c:3347 [inline]
 free_the_page mm/page_alloc.c:5219 [inline]
 __free_pages+0x390/0x570 mm/page_alloc.c:5228
 __free_slab+0xd3/0x190 mm/slub.c:1903
 free_slab mm/slub.c:1918 [inline]
 discard_slab mm/slub.c:1924 [inline]
 unfreeze_partials+0x17d/0x1b0 mm/slub.c:2419
 __flush_cpu_slab mm/slub.c:2502 [inline]
 flush_cpu_slab+0x4b/0x70 mm/slub.c:2509
 flush_smp_call_function_queue+0x21b/0x690 kernel/smp.c:396
 generic_smp_call_function_single_interrupt+0x13/0x20 kernel/smp.c:318
 __sysvec_call_function_single+0x66/0x1b0 arch/x86/kernel/smp.c:248
 asm_call_irq_on_stack+0xf/0x20
 __run_sysvec_on_irqstack arch/x86/include/asm/irq_stack.h:37 [inline]
 run_sysvec_on_irqstack_cond arch/x86/include/asm/irq_stack.h:89 [inline]
 sysvec_call_function_single+0x85/0xe0 arch/x86/kernel/smp.c:243
 asm_sysvec_call_function_single+0x12/0x20 arch/x86/include/asm/idtentry.h:643
 native_safe_halt arch/x86/include/asm/irqflags.h:60 [inline]
 arch_safe_halt arch/x86/include/asm/irqflags.h:103 [inline]
 default_idle+0x12/0x20 arch/x86/kernel/process.c:689
 arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:681
 default_idle_call+0x72/0x1d0 kernel/sched/idle.c:114
 cpuidle_idle_call kernel/sched/idle.c:196 [inline]
 do_idle+0x1fc/0x5d0 kernel/sched/idle.c:302
 cpu_startup_entry+0x25/0x30 kernel/sched/idle.c:398

Memory state around the buggy address:
 ffff8881085f5400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
 ffff8881085f5480: fc fc fc fc fc fc 00 00 00 00 00 00 00 00 00 00
>ffff8881085f5500: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc 00
                                                          ^
 ffff8881085f5580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881085f5600: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
==================================================================