==================================================================
BUG: KASAN: use-after-free in move_expired_inodes+0x17d/0x810
Read of size 8 at addr ffff88806809aee8 by task kworker/u4:3/46

CPU: 0 PID: 46 Comm: kworker/u4:3 Not tainted 6.1.0-rc4-syzkaller-00001-gf6b1a1cf1c3e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Workqueue: writeback wb_workfn (flush-7:4)
Call Trace:
 <TASK>
 dump_stack_lvl+0x1b1/0x28e
 print_report+0x15f/0x4c0
 kasan_report+0xca/0x100
 move_expired_inodes+0x17d/0x810
 queue_io+0x295/0x6d0
 wb_writeback+0x48f/0x1030
 wb_workfn+0x46c/0x1110
 process_one_work+0x960/0x13d0
 worker_thread+0xa5f/0x1210
 kthread+0x268/0x300
 ret_from_fork+0x1f/0x30
 </TASK>

Allocated by task 3692:
 kasan_set_track+0x3c/0x60
 __kasan_slab_alloc+0x65/0x70
 slab_post_alloc_hook+0x50/0x360
 kmem_cache_alloc_lru+0x10c/0x240
 fat_alloc_inode+0x28/0xc0
 new_inode_pseudo+0x61/0x1d0
 new_inode+0x25/0x1d0
 fat_build_inode+0x1f3/0x3c0
 vfat_create+0x1ef/0x2e0
 path_openat+0x12da/0x2e50
 do_filp_open+0x269/0x500
 do_sys_openat2+0x124/0x4e0
 __x64_sys_openat+0x243/0x290
 do_syscall_64+0x3d/0xb0
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 15:
 kasan_set_track+0x3c/0x60
 kasan_save_free_info+0x27/0x40
 ____kasan_slab_free+0xd6/0x120
 kmem_cache_free+0x2ad/0x570
 rcu_core+0x9cb/0x16a0
 __do_softirq+0x304/0xaeb

Last potentially related work creation:
 kasan_save_stack+0x2b/0x50
 __kasan_record_aux_stack+0xb0/0xc0
 call_rcu+0x163/0x9c0
 __dentry_kill+0x436/0x650
 dentry_kill+0xbb/0x290
 dput+0x1d4/0x3f0
 __fput+0x5e4/0x890
 task_work_run+0x246/0x300
 exit_to_user_mode_loop+0xd1/0xf0
 exit_to_user_mode_prepare+0xb1/0x140
 syscall_exit_to_user_mode+0x50/0x2b0
 do_syscall_64+0x49/0xb0
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff88806809ac30
 which belongs to the cache fat_inode_cache of size 1488
The buggy address is located 696 bytes inside of
 1488-byte region [ffff88806809ac30, ffff88806809b200)

The buggy address belongs to the physical page:
page:ffffea0001a02600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x68098
head:ffffea0001a02600 order:3 compound_mapcount:0 compound_pincount:0
memcg:ffff88801bc73801
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 0000000000000000 dead000000000122 ffff8881469a8640
raw: 0000000000000000 0000000080140014 00000001ffffffff ffff88801bc73801
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Reclaimable, gfp_mask 0x1d2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 3688, tgid 3687 (syz-executor.4), ts 63616351413, free_ts 12711060595
 get_page_from_freelist+0x34b2/0x3640
 __alloc_pages+0x28d/0x7e0
 alloc_slab_page+0x3b/0xe0
 new_slab+0x84/0x2d0
 ___slab_alloc+0x9f3/0xff0
 kmem_cache_alloc_lru+0x18b/0x240
 fat_alloc_inode+0x28/0xc0
 new_inode_pseudo+0x61/0x1d0
 new_inode+0x25/0x1d0
 fat_fill_super+0x36da/0x4d50
 mount_bdev+0x26d/0x3a0
 legacy_get_tree+0xeb/0x180
 vfs_get_tree+0x88/0x270
 do_new_mount+0x28b/0xad0
 __se_sys_mount+0x2c5/0x3b0
 do_syscall_64+0x3d/0xb0
page last free stack trace:
 free_unref_page_prepare+0xfb8/0x1160
 free_unref_page+0x99/0x520
 free_contig_range+0x9a/0x150
 destroy_args+0xfe/0x924
 debug_vm_pgtable+0x457/0x4ac
 do_one_initcall+0x28e/0xa00
 do_initcall_level+0x157/0x207
 do_initcalls+0x49/0x86
 kernel_init_freeable+0x42a/0x5d7
 kernel_init+0x19/0x290
 ret_from_fork+0x1f/0x30

Memory state around the buggy address:
 ffff88806809ad80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88806809ae00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88806809ae80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                          ^
 ffff88806809af00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88806809af80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
