syzbot

==================================================================
BUG: KASAN: use-after-free in xfs_iflush_cluster+0xc7/0x12e0 fs/xfs/xfs_inode.c:3653
Read of size 8 at addr ffff88807146d050 by task xfsaild/loop0/6542

CPU: 0 PID: 6542 Comm: xfsaild/loop0 Not tainted 5.15.186-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x168/0x230 lib/dump_stack.c:106
 print_address_description+0x60/0x2d0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0xdf/0x130 mm/kasan/report.c:451
 xfs_iflush_cluster+0xc7/0x12e0 fs/xfs/xfs_inode.c:3653
 xfs_inode_item_push+0x1cd/0x2c0 fs/xfs/xfs_inode_item.c:567
 xfsaild_push_item fs/xfs/xfs_trans_ail.c:414 [inline]
 xfsaild_push fs/xfs/xfs_trans_ail.c:472 [inline]
 xfsaild+0xce7/0x2780 fs/xfs/xfs_trans_ail.c:657
 kthread+0x436/0x520 kernel/kthread.c:334
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287
 </TASK>

Allocated by task 4321:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 __kasan_slab_alloc+0x9c/0xd0 mm/kasan/common.c:467
 kasan_slab_alloc include/linux/kasan.h:254 [inline]
 slab_post_alloc_hook+0x4c/0x380 mm/slab.h:519
 slab_alloc_node mm/slub.c:3220 [inline]
 slab_alloc mm/slub.c:3228 [inline]
 kmem_cache_alloc+0x100/0x290 mm/slub.c:3233
 kmem_cache_zalloc include/linux/slab.h:725 [inline]
 xfs_inode_item_init+0x2f/0xc0 fs/xfs/xfs_inode_item.c:675
 xfs_trans_ijoin+0xb2/0xe0 fs/xfs/libxfs/xfs_trans_inode.c:36
 xfs_trans_alloc_dir+0x17c/0x5d0 fs/xfs/xfs_trans.c:1246
 xfs_remove+0x361/0x9b0 fs/xfs/xfs_inode.c:2799
 xfs_vn_unlink+0xf8/0x210 fs/xfs/xfs_iops.c:387
 vfs_unlink+0x385/0x600 fs/namei.c:4280
 do_unlinkat+0x382/0x6f0 fs/namei.c:4348
 __do_sys_unlink fs/namei.c:4396 [inline]
 __se_sys_unlink fs/namei.c:4394 [inline]
 __x64_sys_unlink+0x45/0x50 fs/namei.c:4394
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0

Freed by task 4322:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:46
 kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:360
 ____kasan_slab_free+0xd5/0x110 mm/kasan/common.c:366
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:1705 [inline]
 slab_free_freelist_hook+0xea/0x170 mm/slub.c:1731
 slab_free mm/slub.c:3499 [inline]
 kmem_cache_free+0x8f/0x210 mm/slub.c:3515
 xfs_inode_free_callback+0x1bc/0x230 fs/xfs/xfs_icache.c:142
 rcu_do_batch kernel/rcu/tree.c:2523 [inline]
 rcu_core+0x962/0x15d0 kernel/rcu/tree.c:2763
 handle_softirqs+0x328/0x820 kernel/softirq.c:576
 __do_softirq kernel/softirq.c:610 [inline]
 invoke_softirq kernel/softirq.c:450 [inline]
 __irq_exit_rcu+0x12f/0x220 kernel/softirq.c:659
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:671
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1108 [inline]
 sysvec_apic_timer_interrupt+0xa0/0xc0 arch/x86/kernel/apic/apic.c:1108
 asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:676

The buggy address belongs to the object at ffff88807146d000
 which belongs to the cache xfs_ili of size 256
The buggy address is located 80 bytes inside of
 256-byte region [ffff88807146d000, ffff88807146d100)
The buggy address belongs to the page:
page:ffffea0001c51b40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7146d
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea0001c515c0 0000000200000002 ffff88801dbf6500
raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Reclaimable, gfp_mask 0x112c50(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 4320, ts 251404997549, free_ts 196009332573
 prep_new_page mm/page_alloc.c:2426 [inline]
 get_page_from_freelist+0x1b77/0x1c60 mm/page_alloc.c:4192
 __alloc_pages+0x1e1/0x470 mm/page_alloc.c:5474
 alloc_slab_page mm/slub.c:1775 [inline]
 allocate_slab mm/slub.c:1912 [inline]
 new_slab+0xc0/0x4b0 mm/slub.c:1975
 ___slab_alloc+0x81e/0xdf0 mm/slub.c:3008
 __slab_alloc mm/slub.c:3095 [inline]
 slab_alloc_node mm/slub.c:3186 [inline]
 slab_alloc mm/slub.c:3228 [inline]
 kmem_cache_alloc+0x195/0x290 mm/slub.c:3233
 kmem_cache_zalloc include/linux/slab.h:725 [inline]
 xfs_inode_item_init+0x2f/0xc0 fs/xfs/xfs_inode_item.c:675
 xfs_trans_ijoin+0xb2/0xe0 fs/xfs/libxfs/xfs_trans_inode.c:36
 xfs_trans_alloc_dir+0x17c/0x5d0 fs/xfs/xfs_trans.c:1246
 xfs_remove+0x361/0x9b0 fs/xfs/xfs_inode.c:2799
 xfs_vn_unlink+0xf8/0x210 fs/xfs/xfs_iops.c:387
 vfs_unlink+0x385/0x600 fs/namei.c:4280
 do_unlinkat+0x382/0x6f0 fs/namei.c:4348
 __do_sys_unlink fs/namei.c:4396 [inline]
 __se_sys_unlink fs/namei.c:4394 [inline]
 __x64_sys_unlink+0x45/0x50 fs/namei.c:4394
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1340 [inline]
 free_pcp_prepare mm/page_alloc.c:1391 [inline]
 free_unref_page_prepare+0x637/0x6c0 mm/page_alloc.c:3317
 free_unref_page+0x94/0x280 mm/page_alloc.c:3396
 free_slab mm/slub.c:2015 [inline]
 discard_slab mm/slub.c:2021 [inline]
 __unfreeze_partials+0x1a5/0x200 mm/slub.c:2507
 put_cpu_partial+0x12d/0x190 mm/slub.c:2587
 qlist_free_all+0x35/0x90 mm/kasan/quarantine.c:176
 kasan_quarantine_reduce+0x150/0x160 mm/kasan/quarantine.c:283
 __kasan_slab_alloc+0x2f/0xd0 mm/kasan/common.c:444
 kasan_slab_alloc include/linux/kasan.h:254 [inline]
 slab_post_alloc_hook+0x4c/0x380 mm/slab.h:519
 slab_alloc_node mm/slub.c:3220 [inline]
 slab_alloc mm/slub.c:3228 [inline]
 kmem_cache_alloc_trace+0x103/0x2a0 mm/slub.c:3245
 kmalloc include/linux/slab.h:604 [inline]
 kzalloc include/linux/slab.h:735 [inline]
 nsim_fib4_rt_create drivers/net/netdevsim/fib.c:278 [inline]
 nsim_fib4_rt_insert drivers/net/netdevsim/fib.c:424 [inline]
 nsim_fib4_event drivers/net/netdevsim/fib.c:462 [inline]
 nsim_fib_event drivers/net/netdevsim/fib.c:882 [inline]
 nsim_fib_event_work+0x860/0x3240 drivers/net/netdevsim/fib.c:1483
 process_one_work+0x863/0x1000 kernel/workqueue.c:2310
 process_scheduled_works kernel/workqueue.c:2373 [inline]
 worker_thread+0xdca/0x12a0 kernel/workqueue.c:2459
 kthread+0x436/0x520 kernel/kthread.c:334
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287

Memory state around the buggy address:
 ffff88807146cf00: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
 ffff88807146cf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88807146d000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                 ^
 ffff88807146d080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88807146d100: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
==================================================================