R10: 0000000000000100 R11: 0000000000000206 R12: 00007ffe8e6cac00
R13: 00007f01b8210854 R14: 000000000000ddf5 R15: 00007ffe8e6cbcd0
 </TASK>
---[ end trace 0000000000000000 ]---
==================================================================
BUG: KASAN: use-after-free in __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62
Read of size 8 at addr ffff8881005b7228 by task syz-executor/432

CPU: 0 PID: 432 Comm: syz-executor Tainted: G        W          6.1.134-syzkaller-1169249-gca2f65da73b1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/19/2025
Call Trace:
 <TASK>
 __dump_stack+0x21/0x24 lib/dump_stack.c:88
 dump_stack_lvl+0xee/0x150 lib/dump_stack.c:106
 print_address_description+0x71/0x210 mm/kasan/report.c:316
 print_report+0x4a/0x60 mm/kasan/report.c:427
 kasan_report+0x122/0x150 mm/kasan/report.c:531
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:351
 __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62
 __list_del_entry include/linux/list.h:134 [inline]
 list_del_init include/linux/list.h:206 [inline]
 f2fs_inode_synced+0xf7/0x2e0 fs/f2fs/super.c:1553
 f2fs_update_inode+0x74/0x1c30 fs/f2fs/inode.c:588
 f2fs_update_inode_page+0x137/0x170 fs/f2fs/inode.c:706
 f2fs_write_inode+0x40f/0x780 fs/f2fs/inode.c:734
 write_inode fs/fs-writeback.c:1460 [inline]
 __writeback_single_inode+0x4b1/0xad0 fs/fs-writeback.c:1677
 writeback_single_inode+0x221/0x8b0 fs/fs-writeback.c:1733
 sync_inode_metadata+0xb6/0x110 fs/fs-writeback.c:2795
 f2fs_sync_inode_meta fs/f2fs/checkpoint.c:1162 [inline]
 block_operations fs/f2fs/checkpoint.c:1272 [inline]
 f2fs_write_checkpoint+0xec3/0x25c0 fs/f2fs/checkpoint.c:1660
 kill_f2fs_super+0x231/0x390 fs/f2fs/super.c:4769
 deactivate_locked_super+0xb5/0x120 fs/super.c:334
 deactivate_super+0xaf/0xe0 fs/super.c:365
 cleanup_mnt+0x45f/0x4e0 fs/namespace.c:1186
 __cleanup_mnt+0x19/0x20 fs/namespace.c:1193
 task_work_run+0x1db/0x240 kernel/task_work.c:203
 exit_task_work include/linux/task_work.h:39 [inline]
 do_exit+0xa1d/0x2650 kernel/exit.c:877
 do_group_exit+0x210/0x2d0 kernel/exit.c:1027
 __do_sys_exit_group kernel/exit.c:1038 [inline]
 __se_sys_exit_group kernel/exit.c:1036 [inline]
 __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1036
 x64_sys_call+0x7b4/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:232
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f01b818e169
Code: Unable to access opcode bytes at 0x7f01b818e13f.
RSP: 002b:00007ffe8e6c8858 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007f01b8210879 RCX: 00007f01b818e169
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001
RBP: 0000000000000002 R08: 00007ffe8e6c65f7 R09: 00007ffe8e6c9b10
R10: 0000000000000009 R11: 0000000000000246 R12: 00007ffe8e6c9b10
R13: 00007f01b8210854 R14: 000000000000ddf5 R15: 00007ffe8e6cbcd0
 </TASK>

Allocated by task 437:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
 kasan_save_alloc_info+0x25/0x30 mm/kasan/generic.c:505
 __kasan_slab_alloc+0x72/0x80 mm/kasan/common.c:333
 kasan_slab_alloc include/linux/kasan.h:202 [inline]
 slab_post_alloc_hook+0x4f/0x2d0 mm/slab.h:768
 slab_alloc_node mm/slub.c:3421 [inline]
 slab_alloc mm/slub.c:3431 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3438 [inline]
 kmem_cache_alloc_lru+0x104/0x280 mm/slub.c:3454
 alloc_inode_sb include/linux/fs.h:3255 [inline]
 f2fs_alloc_inode+0x2d/0x340 fs/f2fs/super.c:1437
 alloc_inode fs/inode.c:261 [inline]
 iget_locked+0x198/0x8b0 fs/inode.c:1373
 f2fs_iget+0x55/0x4cb0 fs/f2fs/inode.c:486
 f2fs_lookup+0x366/0xab0 fs/f2fs/namei.c:484
 __lookup_slow+0x2c7/0x3f0 fs/namei.c:1689
 lookup_slow+0x57/0x70 fs/namei.c:1706
 walk_component+0x2f4/0x420 fs/namei.c:1997
 lookup_last fs/namei.c:2454 [inline]
 path_lookupat+0x180/0x490 fs/namei.c:2478
 filename_lookup+0x1f0/0x500 fs/namei.c:2507
 vfs_statx+0x10b/0x660 fs/stat.c:229
 vfs_fstatat fs/stat.c:267 [inline]
 vfs_lstat include/linux/fs.h:3436 [inline]
 __do_sys_newlstat fs/stat.c:423 [inline]
 __se_sys_newlstat+0xd5/0x350 fs/stat.c:417
 __x64_sys_newlstat+0x5b/0x70 fs/stat.c:417
 x64_sys_call+0x393/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:7
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

Freed by task 0:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
 kasan_save_free_info+0x31/0x50 mm/kasan/generic.c:516
 ____kasan_slab_free+0x132/0x180 mm/kasan/common.c:241
 __kasan_slab_free+0x11/0x20 mm/kasan/common.c:249
 kasan_slab_free include/linux/kasan.h:178 [inline]
 slab_free_hook mm/slub.c:1745 [inline]
 slab_free_freelist_hook+0xc2/0x190 mm/slub.c:1771
 slab_free mm/slub.c:3686 [inline]
 kmem_cache_free+0x12d/0x300 mm/slub.c:3711
 f2fs_free_inode+0x24/0x30 fs/f2fs/super.c:1584
 i_callback+0x5a/0x80 fs/inode.c:250
 rcu_do_batch+0x515/0xb90 kernel/rcu/tree.c:2297
 rcu_core+0x5a5/0xe70 kernel/rcu/tree.c:2557
 rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2574
 handle_softirqs+0x1d7/0x600 kernel/softirq.c:624
 __do_softirq kernel/softirq.c:662 [inline]
 invoke_softirq kernel/softirq.c:479 [inline]
 __irq_exit_rcu+0x52/0xf0 kernel/softirq.c:711
 irq_exit_rcu+0x9/0x10 kernel/softirq.c:723
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1118 [inline]
 sysvec_apic_timer_interrupt+0xa9/0xc0 arch/x86/kernel/apic/apic.c:1118
 asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:691

Last potentially related work creation:
 kasan_save_stack+0x3a/0x60 mm/kasan/common.c:45
 __kasan_record_aux_stack+0xb6/0xc0 mm/kasan/generic.c:486
 kasan_record_aux_stack_noalloc+0xb/0x10 mm/kasan/generic.c:496
 __call_rcu_common kernel/rcu/tree.c:2807 [inline]
 call_rcu+0xd4/0xf90 kernel/rcu/tree.c:2926
 destroy_inode fs/inode.c:316 [inline]
 evict+0x7f6/0x890 fs/inode.c:720
 iput_final fs/inode.c:1834 [inline]
 iput+0x620/0x670 fs/inode.c:1860
 do_unlinkat+0x375/0x6b0 fs/namei.c:4396
 __do_sys_unlink fs/namei.c:4437 [inline]
 __se_sys_unlink fs/namei.c:4435 [inline]
 __x64_sys_unlink+0x49/0x50 fs/namei.c:4435
 x64_sys_call+0x958/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:88
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

The buggy address belongs to the object at ffff8881005b6e70
 which belongs to the cache f2fs_inode_cache of size 1360
The buggy address is located 952 bytes inside of
 1360-byte region [ffff8881005b6e70, ffff8881005b73c0)

The buggy address belongs to the physical page:
page:ffffea0004016c00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1005b0
head:ffffea0004016c00 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x4000000000010200(slab|head|zone=1)
raw: 4000000000010200 0000000000000000 dead000000000122 ffff888100bbaa80
raw: 0000000000000000 0000000080160016 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Reclaimable, gfp_mask 0x1d2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 437, tgid 436 (syz.2.16), ts 56846903291, free_ts 0
 set_page_owner include/linux/page_owner.h:33 [inline]
 post_alloc_hook+0x1f5/0x210 mm/page_alloc.c:2637
 prep_new_page+0x1c/0x110 mm/page_alloc.c:2644
 get_page_from_freelist+0x2c6e/0x2ce0 mm/page_alloc.c:4539
 __alloc_pages+0x19e/0x3a0 mm/page_alloc.c:5838
 alloc_slab_page+0x6e/0xf0 include/linux/gfp.h:-1
 allocate_slab mm/slub.c:1962 [inline]
 new_slab+0x98/0x3d0 mm/slub.c:2015
 ___slab_alloc+0x6f6/0xb50 mm/slub.c:3203
 __slab_alloc+0x5e/0xa0 mm/slub.c:3302
 slab_alloc_node mm/slub.c:3387 [inline]
 slab_alloc mm/slub.c:3431 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3438 [inline]
 kmem_cache_alloc_lru+0x144/0x280 mm/slub.c:3454
 alloc_inode_sb include/linux/fs.h:3255 [inline]
 f2fs_alloc_inode+0x2d/0x340 fs/f2fs/super.c:1437
 alloc_inode fs/inode.c:261 [inline]
 iget_locked+0x198/0x8b0 fs/inode.c:1373
 f2fs_iget+0x55/0x4cb0 fs/f2fs/inode.c:486
 f2fs_lookup+0x366/0xab0 fs/f2fs/namei.c:484
 __lookup_slow+0x2c7/0x3f0 fs/namei.c:1689
 lookup_slow+0x57/0x70 fs/namei.c:1706
 walk_component+0x2f4/0x420 fs/namei.c:1997
page_owner free stack trace missing

Memory state around the buggy address:
 ffff8881005b7100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881005b7180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881005b7200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                  ^
 ffff8881005b7280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881005b7300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================