==================================================================
BUG: KASAN: slab-use-after-free in xfs_inode_item_push+0x3c3/0x6d0
Read of size 8 at addr ffff88802aa9f928 by task xfsaild/loop4/12299

CPU: 0 UID: 0 PID: 12299 Comm: xfsaild/loop4 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250
 print_report+0xca/0x240
 kasan_report+0x118/0x150
 xfs_inode_item_push+0x3c3/0x6d0
 xfsaild+0xd95/0x2940
 kthread+0x711/0x8a0
 ret_from_fork+0x47f/0x820
 ret_from_fork_asm+0x1a/0x30
 </TASK>

Allocated by task 9144:
 kasan_save_track+0x3e/0x80
 __kasan_slab_alloc+0x6c/0x80
 kmem_cache_alloc_noprof+0x367/0x6e0
 xfs_inode_item_init+0x33/0xc0
 xfs_trans_ijoin+0xe5/0x130
 xfs_trans_alloc_dir+0x178/0x620
 xfs_remove+0x491/0x960
 xfs_vn_unlink+0xfb/0x210
 vfs_unlink+0x394/0x650
 do_unlinkat+0x345/0x560
 __x64_sys_unlink+0x47/0x50
 do_syscall_64+0xfa/0xfa0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 11960:
 kasan_save_track+0x3e/0x80
 __kasan_save_free_info+0x46/0x50
 __kasan_slab_free+0x5b/0x80
 kmem_cache_free+0x19a/0x690
 xfs_inode_free_callback+0x14f/0x1c0
 rcu_core+0xcab/0x1770
 handle_softirqs+0x286/0x870
 __irq_exit_rcu+0xca/0x1f0
 irq_exit_rcu+0x9/0x30
 sysvec_apic_timer_interrupt+0xa6/0xc0
 asm_sysvec_apic_timer_interrupt+0x1a/0x20

The buggy address belongs to the object at ffff88802aa9f8f8
 which belongs to the cache xfs_ili of size 264
The buggy address is located 48 bytes inside of
 freed 264-byte region [ffff88802aa9f8f8, ffff88802aa9fa00)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88802aa9fb88 pfn:0x2aa9f
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000000 ffff88801f4438c0 dead000000000122 0000000000000000
raw: ffff88802aa9fb88 00000000800c000a 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Reclaimable, gfp_mask 0x52c50(GFP_NOFS|__GFP_RECLAIMABLE|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 6139, tgid 6138 (syz.2.54), ts 85822312126, free_ts 82470837388
 post_alloc_hook+0x240/0x2a0
 get_page_from_freelist+0x21e4/0x22c0
 __alloc_frozen_pages_noprof+0x181/0x370
 alloc_pages_mpol+0x232/0x4a0
 allocate_slab+0x8a/0x330
 ___slab_alloc+0xbd1/0x13f0
 __slab_alloc+0x55/0xa0
 kmem_cache_alloc_noprof+0x3f9/0x6e0
 xfs_inode_item_init+0x33/0xc0
 xfs_trans_ijoin+0xe5/0x130
 xfs_icreate+0xe4/0x160
 xfs_create+0x627/0xad0
 xfs_generic_create+0x3c9/0xad0
 path_openat+0x14f4/0x3830
 do_filp_open+0x1fa/0x410
 do_sys_openat2+0x121/0x1c0
page last free pid 5857 tgid 5857 stack trace:
 __free_frozen_pages+0xbc4/0xd30
 __kmem_cache_shutdown+0x1f4/0x260
 kmem_cache_destroy+0x76/0x160
 f2fs_put_super+0xba1/0x1190
 generic_shutdown_super+0x135/0x2c0
 kill_block_super+0x44/0x90
 kill_f2fs_super+0x399/0x6d0
 deactivate_locked_super+0xbc/0x130
 cleanup_mnt+0x425/0x4c0
 task_work_run+0x1d4/0x260
 exit_to_user_mode_loop+0xec/0x130
 do_syscall_64+0x2bd/0xfa0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88802aa9f800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88802aa9f880: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fa
>ffff88802aa9f900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                  ^
 ffff88802aa9f980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88802aa9fa00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
==================================================================
