syzbot

BUG: Bad page state in process jfsCommit  pfn:245bd
page:ffffea0000916f40 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1c pfn:0x245bd
flags: 0xfff00000002047(locked|referenced|uptodate|workingset|private|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000002047 dead000000000100 dead000000000122 0000000000000000
raw: 000000000000001c ffff8880784539b0 00000000ffffffff 0000000000000000
page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x40c40(GFP_NOFS|__GFP_COMP), pid 3547, tgid 3547 (syz-executor813), ts 71112326012, free_ts 34334847206
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x18d/0x1b0 mm/page_alloc.c:2533
 prep_new_page mm/page_alloc.c:2540 [inline]
 get_page_from_freelist+0x32ed/0x3480 mm/page_alloc.c:4292
 __alloc_pages+0x28d/0x770 mm/page_alloc.c:5559
 folio_alloc+0x1a/0x50 mm/mempolicy.c:2290
 filemap_alloc_folio+0xda/0x4f0 mm/filemap.c:971
 do_read_cache_folio+0x2a7/0x810 mm/filemap.c:3499
 do_read_cache_page+0x32/0x220 mm/filemap.c:3577
 read_mapping_page include/linux/pagemap.h:756 [inline]
 __get_metapage+0x32c/0x10e0 fs/jfs/jfs_metapage.c:620
 diRead+0x5e9/0xad0 fs/jfs/jfs_imap.c:363
 jfs_iget+0x88/0x3b0 fs/jfs/inode.c:35
 jfs_fill_super+0x804/0xc40 fs/jfs/super.c:580
 mount_bdev+0x2c9/0x3f0 fs/super.c:1423
 legacy_get_tree+0xeb/0x180 fs/fs_context.c:610
 vfs_get_tree+0x88/0x270 fs/super.c:1553
 do_new_mount+0x28b/0xae0 fs/namespace.c:3040
 do_mount fs/namespace.c:3383 [inline]
 __do_sys_mount fs/namespace.c:3591 [inline]
 __se_sys_mount+0x2d5/0x3c0 fs/namespace.c:3568
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1460 [inline]
 free_pcp_prepare mm/page_alloc.c:1510 [inline]
 free_unref_page_prepare+0xf63/0x1120 mm/page_alloc.c:3388
 free_unref_page+0x98/0x570 mm/page_alloc.c:3484
 free_slab mm/slub.c:2031 [inline]
 discard_slab mm/slub.c:2037 [inline]
 __unfreeze_partials+0x1b7/0x210 mm/slub.c:2586
 put_cpu_partial+0x116/0x180 mm/slub.c:2662
 qlist_free_all+0x22/0x60 mm/kasan/quarantine.c:187
 kasan_quarantine_reduce+0x162/0x180 mm/kasan/quarantine.c:294
 __kasan_slab_alloc+0x1f/0x70 mm/kasan/common.c:305
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook+0x50/0x370 mm/slab.h:737
 slab_alloc_node mm/slub.c:3398 [inline]
 __kmem_cache_alloc_node+0x137/0x260 mm/slub.c:3437
 __do_kmalloc_node mm/slab_common.c:954 [inline]
 __kmalloc+0xa1/0x230 mm/slab_common.c:968
 kmalloc include/linux/slab.h:558 [inline]
 tomoyo_add_entry security/tomoyo/common.c:2022 [inline]
 tomoyo_supervisor+0xeda/0x12d0 security/tomoyo/common.c:2094
 tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
 tomoyo_env_perm+0x174/0x210 security/tomoyo/environ.c:63
 tomoyo_environ security/tomoyo/domain.c:672 [inline]
 tomoyo_find_next_domain+0x137e/0x1cd0 security/tomoyo/domain.c:879
 tomoyo_bprm_check_security+0xdb/0x120 security/tomoyo/tomoyo.c:101
 security_bprm_check+0x5f/0xa0 security/security.c:869
 search_binary_handler fs/exec.c:1715 [inline]
 exec_binprm fs/exec.c:1768 [inline]
 bprm_execve+0x850/0x1820 fs/exec.c:1837
Modules linked in:
CPU: 1 PID: 133 Comm: jfsCommit Not tainted 6.1.35-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
 bad_page+0x14b/0x170 mm/page_alloc.c:719
 free_page_is_bad_report mm/page_alloc.c:1297 [inline]
 free_page_is_bad mm/page_alloc.c:1307 [inline]
 free_pages_prepare mm/page_alloc.c:1453 [inline]
 free_pcp_prepare mm/page_alloc.c:1510 [inline]
 free_unref_page_prepare+0x56b/0x1120 mm/page_alloc.c:3388
 free_unref_page+0x98/0x570 mm/page_alloc.c:3484
 txUnlock+0x282/0xca0 fs/jfs/jfs_txnmgr.c:927
 txLazyCommit fs/jfs/jfs_txnmgr.c:2677 [inline]
 jfs_lazycommit+0x5d0/0xb60 fs/jfs/jfs_txnmgr.c:2727
 kthread+0x26e/0x300 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
 </TASK>
page:ffffea0000916f40 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1c pfn:0x245bd
flags: 0xfff00000002047(locked|referenced|uptodate|workingset|private|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000002047 dead000000000100 dead000000000122 0000000000000000
raw: 000000000000001c ffff8880784539b0 00000000ffffffff 0000000000000000
page dumped because: VM_BUG_ON_FOLIO(((unsigned int) folio_ref_count(folio) + 127u <= 127u))
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x40c40(GFP_NOFS|__GFP_COMP), pid 3547, tgid 3547 (syz-executor813), ts 71112326012, free_ts 34334847206
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x18d/0x1b0 mm/page_alloc.c:2533
 prep_new_page mm/page_alloc.c:2540 [inline]
 get_page_from_freelist+0x32ed/0x3480 mm/page_alloc.c:4292
 __alloc_pages+0x28d/0x770 mm/page_alloc.c:5559
 folio_alloc+0x1a/0x50 mm/mempolicy.c:2290
 filemap_alloc_folio+0xda/0x4f0 mm/filemap.c:971
 do_read_cache_folio+0x2a7/0x810 mm/filemap.c:3499
 do_read_cache_page+0x32/0x220 mm/filemap.c:3577
 read_mapping_page include/linux/pagemap.h:756 [inline]
 __get_metapage+0x32c/0x10e0 fs/jfs/jfs_metapage.c:620
 diRead+0x5e9/0xad0 fs/jfs/jfs_imap.c:363
 jfs_iget+0x88/0x3b0 fs/jfs/inode.c:35
 jfs_fill_super+0x804/0xc40 fs/jfs/super.c:580
 mount_bdev+0x2c9/0x3f0 fs/super.c:1423
 legacy_get_tree+0xeb/0x180 fs/fs_context.c:610
 vfs_get_tree+0x88/0x270 fs/super.c:1553
 do_new_mount+0x28b/0xae0 fs/namespace.c:3040
 do_mount fs/namespace.c:3383 [inline]
 __do_sys_mount fs/namespace.c:3591 [inline]
 __se_sys_mount+0x2d5/0x3c0 fs/namespace.c:3568
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1460 [inline]
 free_pcp_prepare mm/page_alloc.c:1510 [inline]
 free_unref_page_prepare+0xf63/0x1120 mm/page_alloc.c:3388
 free_unref_page+0x98/0x570 mm/page_alloc.c:3484
 free_slab mm/slub.c:2031 [inline]
 discard_slab mm/slub.c:2037 [inline]
 __unfreeze_partials+0x1b7/0x210 mm/slub.c:2586
 put_cpu_partial+0x116/0x180 mm/slub.c:2662
 qlist_free_all+0x22/0x60 mm/kasan/quarantine.c:187
 kasan_quarantine_reduce+0x162/0x180 mm/kasan/quarantine.c:294
 __kasan_slab_alloc+0x1f/0x70 mm/kasan/common.c:305
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook+0x50/0x370 mm/slab.h:737
 slab_alloc_node mm/slub.c:3398 [inline]
 __kmem_cache_alloc_node+0x137/0x260 mm/slub.c:3437
 __do_kmalloc_node mm/slab_common.c:954 [inline]
 __kmalloc+0xa1/0x230 mm/slab_common.c:968
 kmalloc include/linux/slab.h:558 [inline]
 tomoyo_add_entry security/tomoyo/common.c:2022 [inline]
 tomoyo_supervisor+0xeda/0x12d0 security/tomoyo/common.c:2094
 tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
 tomoyo_env_perm+0x174/0x210 security/tomoyo/environ.c:63
 tomoyo_environ security/tomoyo/domain.c:672 [inline]
 tomoyo_find_next_domain+0x137e/0x1cd0 security/tomoyo/domain.c:879
 tomoyo_bprm_check_security+0xdb/0x120 security/tomoyo/tomoyo.c:101
 security_bprm_check+0x5f/0xa0 security/security.c:869
 search_binary_handler fs/exec.c:1715 [inline]
 exec_binprm fs/exec.c:1768 [inline]
 bprm_execve+0x850/0x1820 fs/exec.c:1837
------------[ cut here ]------------
kernel BUG at include/linux/mm.h:1129!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 133 Comm: jfsCommit Tainted: G    B              6.1.35-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
RIP: 0010:folio_get include/linux/mm.h:1129 [inline]
RIP: 0010:get_page include/linux/mm.h:1135 [inline]
RIP: 0010:put_metapage+0x298/0x340 fs/jfs/jfs_metapage.c:721
Code: 2c 24 49 81 e5 ff 0f 00 00 74 21 e8 42 01 84 fe e9 a0 00 00 00 e8 38 01 84 fe 48 8b 3c 24 48 c7 c6 20 5f 24 8b e8 68 dc c2 fe <0f> 0b 48 8b 1c 24 48 89 df be 08 00 00 00 e8 a5 4b da fe 48 c1 eb
RSP: 0018:ffffc90002cffcb8 EFLAGS: 00010246
RAX: 8605592055614000 RBX: 000000000000007f RCX: ffffffff8169f927
RDX: 0000000000000000 RSI: ffffffff8b3ccb40 RDI: ffffffff8b3ccb00
RBP: ffff8880784539b0 R08: dffffc0000000000 R09: fffffbfff1ca654e
R10: 0000000000000000 R11: dffffc0000000001 R12: dffffc0000000000
R13: ffffea0000916f74 R14: 1ffff1100f08a73b R15: ffff8880784539d8
FS:  0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2f670647c8 CR3: 000000007ed5b000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 txUnlock+0x42f/0xca0 fs/jfs/jfs_txnmgr.c:942
 txLazyCommit fs/jfs/jfs_txnmgr.c:2677 [inline]
 jfs_lazycommit+0x5d0/0xb60 fs/jfs/jfs_txnmgr.c:2727
 kthread+0x26e/0x300 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:folio_get include/linux/mm.h:1129 [inline]
RIP: 0010:get_page include/linux/mm.h:1135 [inline]
RIP: 0010:put_metapage+0x298/0x340 fs/jfs/jfs_metapage.c:721
Code: 2c 24 49 81 e5 ff 0f 00 00 74 21 e8 42 01 84 fe e9 a0 00 00 00 e8 38 01 84 fe 48 8b 3c 24 48 c7 c6 20 5f 24 8b e8 68 dc c2 fe <0f> 0b 48 8b 1c 24 48 89 df be 08 00 00 00 e8 a5 4b da fe 48 c1 eb
RSP: 0018:ffffc90002cffcb8 EFLAGS: 00010246
RAX: 8605592055614000 RBX: 000000000000007f RCX: ffffffff8169f927
RDX: 0000000000000000 RSI: ffffffff8b3ccb40 RDI: ffffffff8b3ccb00
RBP: ffff8880784539b0 R08: dffffc0000000000 R09: fffffbfff1ca654e
R10: 0000000000000000 R11: dffffc0000000001 R12: dffffc0000000000
R13: ffffea0000916f74 R14: 1ffff1100f08a73b R15: ffff8880784539d8
FS:  0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555da15de0c8 CR3: 000000007ed5b000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400