syzbot

BUG: Bad page state in process jfsCommit  pfn:2ceb3
page:ffffea0000b3acc0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1c pfn:0x2ceb3
flags: 0xfff00000002005(locked|uptodate|private|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000002005 dead000000000100 dead000000000122 0000000000000000
raw: 000000000000001c ffff88807ef46000 00000000ffffffff 0000000000000000
page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x40c40(GFP_NOFS|__GFP_COMP), pid 4995, tgid 4995 (syz-executor236), ts 71048448749, free_ts 52261827985
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1731
 prep_new_page mm/page_alloc.c:1738 [inline]
 get_page_from_freelist+0x321c/0x33a0 mm/page_alloc.c:3502
 __alloc_pages+0x255/0x670 mm/page_alloc.c:4768
 folio_alloc+0x1e/0x60 mm/mempolicy.c:2289
 filemap_alloc_folio+0xde/0x500 mm/filemap.c:976
 do_read_cache_folio+0xed/0x820 mm/filemap.c:3644
 do_read_cache_page+0x32/0x220 mm/filemap.c:3746
 read_mapping_page include/linux/pagemap.h:772 [inline]
 __get_metapage+0x330/0x10e0 fs/jfs/jfs_metapage.c:620
 diRead+0x5f4/0xae0 fs/jfs/jfs_imap.c:363
 jfs_iget+0x8c/0x3b0 fs/jfs/inode.c:35
 jfs_fill_super+0x808/0xc50 fs/jfs/super.c:580
 mount_bdev+0x2d0/0x3f0 fs/super.c:1380
 legacy_get_tree+0xef/0x190 fs/fs_context.c:610
 vfs_get_tree+0x8c/0x270 fs/super.c:1510
 do_new_mount+0x28f/0xae0 fs/namespace.c:3039
 do_mount fs/namespace.c:3382 [inline]
 __do_sys_mount fs/namespace.c:3591 [inline]
 __se_sys_mount+0x2d9/0x3c0 fs/namespace.c:3568
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1302 [inline]
 free_unref_page_prepare+0x903/0xa30 mm/page_alloc.c:2564
 free_unref_page+0x37/0x3f0 mm/page_alloc.c:2659
 discard_slab mm/slub.c:2097 [inline]
 __unfreeze_partials+0x1b1/0x1f0 mm/slub.c:2636
 put_cpu_partial+0x116/0x180 mm/slub.c:2712
 qlist_free_all+0x22/0x60 mm/kasan/quarantine.c:185
 kasan_quarantine_reduce+0x14b/0x160 mm/kasan/quarantine.c:292
 __kasan_slab_alloc+0x23/0x70 mm/kasan/common.c:305
 kasan_slab_alloc include/linux/kasan.h:186 [inline]
 slab_post_alloc_hook+0x68/0x3a0 mm/slab.h:711
 slab_alloc_node mm/slub.c:3451 [inline]
 slab_alloc mm/slub.c:3459 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3466 [inline]
 kmem_cache_alloc+0x11f/0x2e0 mm/slub.c:3475
 getname_flags+0xbc/0x4e0 fs/namei.c:140
 do_sys_openat2+0xd6/0x500 fs/open.c:1350
 do_sys_open fs/open.c:1372 [inline]
 __do_sys_openat fs/open.c:1388 [inline]
 __se_sys_openat fs/open.c:1383 [inline]
 __x64_sys_openat+0x247/0x290 fs/open.c:1383
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
Modules linked in:
CPU: 1 PID: 107 Comm: jfsCommit Not tainted 6.4.0-rc3-syzkaller-00171-g9db898594c54 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/16/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
 bad_page+0x14b/0x170 mm/page_alloc.c:610
 free_page_is_bad mm/page_alloc.c:1130 [inline]
 free_pages_prepare mm/page_alloc.c:1294 [inline]
 free_unref_page_prepare+0x9bc/0xa30 mm/page_alloc.c:2564
 free_unref_page+0x37/0x3f0 mm/page_alloc.c:2659
 txUnlock+0x282/0xca0 fs/jfs/jfs_txnmgr.c:927
 txLazyCommit fs/jfs/jfs_txnmgr.c:2677 [inline]
 jfs_lazycommit+0x5d4/0xb70 fs/jfs/jfs_txnmgr.c:2727
 kthread+0x2b8/0x350 kernel/kthread.c:379
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
 </TASK>
page:ffffea0000b3acc0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1c pfn:0x2ceb3
flags: 0xfff00000002005(locked|uptodate|private|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000002005 dead000000000100 dead000000000122 0000000000000000
raw: 000000000000001c ffff88807ef46000 00000000ffffffff 0000000000000000
page dumped because: VM_BUG_ON_FOLIO(((unsigned int) folio_ref_count(folio) + 127u <= 127u))
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x40c40(GFP_NOFS|__GFP_COMP), pid 4995, tgid 4995 (syz-executor236), ts 71048448749, free_ts 52261827985
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1731
 prep_new_page mm/page_alloc.c:1738 [inline]
 get_page_from_freelist+0x321c/0x33a0 mm/page_alloc.c:3502
 __alloc_pages+0x255/0x670 mm/page_alloc.c:4768
 folio_alloc+0x1e/0x60 mm/mempolicy.c:2289
 filemap_alloc_folio+0xde/0x500 mm/filemap.c:976
 do_read_cache_folio+0xed/0x820 mm/filemap.c:3644
 do_read_cache_page+0x32/0x220 mm/filemap.c:3746
 read_mapping_page include/linux/pagemap.h:772 [inline]
 __get_metapage+0x330/0x10e0 fs/jfs/jfs_metapage.c:620
 diRead+0x5f4/0xae0 fs/jfs/jfs_imap.c:363
 jfs_iget+0x8c/0x3b0 fs/jfs/inode.c:35
 jfs_fill_super+0x808/0xc50 fs/jfs/super.c:580
 mount_bdev+0x2d0/0x3f0 fs/super.c:1380
 legacy_get_tree+0xef/0x190 fs/fs_context.c:610
 vfs_get_tree+0x8c/0x270 fs/super.c:1510
 do_new_mount+0x28f/0xae0 fs/namespace.c:3039
 do_mount fs/namespace.c:3382 [inline]
 __do_sys_mount fs/namespace.c:3591 [inline]
 __se_sys_mount+0x2d9/0x3c0 fs/namespace.c:3568
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1302 [inline]
 free_unref_page_prepare+0x903/0xa30 mm/page_alloc.c:2564
 free_unref_page+0x37/0x3f0 mm/page_alloc.c:2659
 discard_slab mm/slub.c:2097 [inline]
 __unfreeze_partials+0x1b1/0x1f0 mm/slub.c:2636
 put_cpu_partial+0x116/0x180 mm/slub.c:2712
 qlist_free_all+0x22/0x60 mm/kasan/quarantine.c:185
 kasan_quarantine_reduce+0x14b/0x160 mm/kasan/quarantine.c:292
 __kasan_slab_alloc+0x23/0x70 mm/kasan/common.c:305
 kasan_slab_alloc include/linux/kasan.h:186 [inline]
 slab_post_alloc_hook+0x68/0x3a0 mm/slab.h:711
 slab_alloc_node mm/slub.c:3451 [inline]
 slab_alloc mm/slub.c:3459 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3466 [inline]
 kmem_cache_alloc+0x11f/0x2e0 mm/slub.c:3475
 getname_flags+0xbc/0x4e0 fs/namei.c:140
 do_sys_openat2+0xd6/0x500 fs/open.c:1350
 do_sys_open fs/open.c:1372 [inline]
 __do_sys_openat fs/open.c:1388 [inline]
 __se_sys_openat fs/open.c:1383 [inline]
 __x64_sys_openat+0x247/0x290 fs/open.c:1383
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
------------[ cut here ]------------
kernel BUG at include/linux/mm.h:1396!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 107 Comm: jfsCommit Tainted: G    B              6.4.0-rc3-syzkaller-00171-g9db898594c54 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/16/2023
RIP: 0010:folio_get include/linux/mm.h:1396 [inline]
RIP: 0010:get_page include/linux/mm.h:1402 [inline]
RIP: 0010:put_metapage+0x2a0/0x350 fs/jfs/jfs_metapage.c:750
Code: 2c 24 49 81 e5 ff 0f 00 00 74 21 e8 1a a5 81 fe e9 a0 00 00 00 e8 10 a5 81 fe 48 8b 3c 24 48 c7 c6 20 66 21 8b e8 a0 56 c1 fe <0f> 0b 48 8b 1c 24 48 89 df be 08 00 00 00 e8 9d 78 d9 fe 48 c1 eb
RSP: 0018:ffffc90002cefcb8 EFLAGS: 00010246
RAX: 269364649aad8f00 RBX: 000000000000007f RCX: ffffffff816b38a0
RDX: 0000000000000000 RSI: ffffffff8b384420 RDI: ffffffff8b3843e0
RBP: ffff88807ef46000 R08: dffffc0000000000 R09: fffffbfff1cab8f6
R10: 0000000000000000 R11: dffffc0000000001 R12: dffffc0000000000
R13: ffffea0000b3acf4 R14: 1ffff1100fde8c05 R15: ffff88807ef46028
FS:  0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f17d0b88818 CR3: 000000000cd30000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 txUnlock+0x42f/0xca0 fs/jfs/jfs_txnmgr.c:942
 txLazyCommit fs/jfs/jfs_txnmgr.c:2677 [inline]
 jfs_lazycommit+0x5d4/0xb70 fs/jfs/jfs_txnmgr.c:2727
 kthread+0x2b8/0x350 kernel/kthread.c:379
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:folio_get include/linux/mm.h:1396 [inline]
RIP: 0010:get_page include/linux/mm.h:1402 [inline]
RIP: 0010:put_metapage+0x2a0/0x350 fs/jfs/jfs_metapage.c:750
Code: 2c 24 49 81 e5 ff 0f 00 00 74 21 e8 1a a5 81 fe e9 a0 00 00 00 e8 10 a5 81 fe 48 8b 3c 24 48 c7 c6 20 66 21 8b e8 a0 56 c1 fe <0f> 0b 48 8b 1c 24 48 89 df be 08 00 00 00 e8 9d 78 d9 fe 48 c1 eb
RSP: 0018:ffffc90002cefcb8 EFLAGS: 00010246
RAX: 269364649aad8f00 RBX: 000000000000007f RCX: ffffffff816b38a0
RDX: 0000000000000000 RSI: ffffffff8b384420 RDI: ffffffff8b3843e0
RBP: ffff88807ef46000 R08: dffffc0000000000 R09: fffffbfff1cab8f6
R10: 0000000000000000 R11: dffffc0000000001 R12: dffffc0000000000
R13: ffffea0000b3acf4 R14: 1ffff1100fde8c05 R15: ffff88807ef46028
FS:  0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f17d0bbd140 CR3: 000000002acc3000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400