BUG: unable to handle kernel paging request in folio_write

metapage_write_end_io: I/O error
ERROR: (device loop2): diWrite: ixpxd invalid
ERROR: (device loop2): remounting filesystem as read-only
ERROR: (device loop2): txAbort: 
Unable to handle kernel paging request at virtual address dfff800000000037
KASAN: null-ptr-deref in range [0x00000000000001b8-0x00000000000001bf]
Mem abort info:
  ESR = 0x0000000096000006
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x06: level 2 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000006
  CM = 0, WnR = 0
[dfff800000000037] address between user and kernel address ranges
Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 4465 Comm: syz.2.21 Not tainted 6.1.141-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : folio_write_one+0x284/0x5ac mm/page-writeback.c:2543
lr : __lse_atomic_add arch/arm64/include/asm/atomic_lse.h:27 [inline]
lr : arch_atomic_add arch/arm64/include/asm/atomic.h:28 [inline]
lr : arch_atomic_inc include/linux/atomic/atomic-arch-fallback.h:424 [inline]
lr : atomic_inc include/linux/atomic/atomic-instrumented.h:191 [inline]
lr : page_ref_inc include/linux/page_ref.h:158 [inline]
lr : folio_ref_inc include/linux/page_ref.h:165 [inline]
lr : folio_get include/linux/mm.h:1136 [inline]
lr : folio_write_one+0x274/0x5ac mm/page-writeback.c:2542
sp : ffff800020e07260
x29: ffff800020e07360 x28: 1fffff80006bbd00 x27: 1fffff80006bbd01
x26: dfff800000000000 x25: ffff7000041c0e50 x24: 00000000000001b8
x23: fffffc00035de834 x22: ffff800020e072a0 x21: fffffc00035de808
x20: 0000000000000000 x19: fffffc00035de800 x18: ffff800011a7bce0
x17: 1fffe00033ee2f76 x16: ffff8000082d0750 x15: 0000000040000000
x14: 0000000000000002 x13: 1ffff00002a0e0b1 x12: 0000000000080000
x11: 0000000000025dc8 x10: ffff8000237e9000 x9 : ffff8000086f90a0
x8 : 0000000000000037 x7 : 0000000000000000 x6 : 0000000000000000
x5 : 0000000000000080 x4 : 0000000000000008 x3 : ffff8000086f9094
x2 : 0000000000000001 x1 : 0000000000000004 x0 : 0000000000000001
Call trace:
 folio_write_one+0x284/0x5ac mm/page-writeback.c:2543
 write_one_page include/linux/pagemap.h:1104 [inline]
 force_metapage+0x254/0x5a4 fs/jfs/jfs_metapage.c:703
 txForce fs/jfs/jfs_txnmgr.c:2215 [inline]
 txCommit+0x3578/0x3bec fs/jfs/jfs_txnmgr.c:1315
 duplicateIXtree+0x238/0x3e8 fs/jfs/jfs_imap.c:3019
 diNewIAG fs/jfs/jfs_imap.c:2597 [inline]
 diAllocExt fs/jfs/jfs_imap.c:1905 [inline]
 diAllocAG+0x1314/0x1890 fs/jfs/jfs_imap.c:1669
 diAlloc+0x17c/0x15cc fs/jfs/jfs_imap.c:1590
 ialloc+0x80/0x7b0 fs/jfs/jfs_inode.c:56
 jfs_mkdir+0x170/0x8b4 fs/jfs/namei.c:225
 vfs_mkdir+0x314/0x4d4 fs/namei.c:4106
 do_mkdirat+0x1b4/0x3e0 fs/namei.c:4131
 __do_sys_mkdirat fs/namei.c:4146 [inline]
 __se_sys_mkdirat fs/namei.c:4144 [inline]
 __arm64_sys_mkdirat+0x90/0xa8 fs/namei.c:4144
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
 do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
 el0_svc+0x58/0x138 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
Code: 52800028 b82802ff 9106e318 d343ff08 (387a6908) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	52800028 	mov	w8, #0x1                   	// #1
   4:	b82802ff 	stadd	w8, [x23]
   8:	9106e318 	add	x24, x24, #0x1b8
   c:	d343ff08 	lsr	x8, x24, #3
* 10:	387a6908 	ldrb	w8, [x8, x26] <-- trapping instruction