------------[ cut here ]------------ VFS: brelse: Trying to free free buffer WARNING: CPU: 0 PID: 6027 at fs/buffer.c:1177 __brelse fs/buffer.c:1177 [inline] WARNING: CPU: 0 PID: 6027 at fs/buffer.c:1177 __brelse+0x4f/0x80 fs/buffer.c:1171 Modules linked in: CPU: 0 PID: 6027 Comm: rm Not tainted 5.11.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 RIP: 0010:__brelse fs/buffer.c:1177 [inline] RIP: 0010:__brelse+0x4f/0x80 fs/buffer.c:1171 Code: ea 03 0f b6 14 02 48 89 e8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 2c 8b 43 60 85 c0 75 11 48 c7 c7 60 d2 97 88 e8 c2 fa 34 06 <0f> 0b 5b 5d c3 be 04 00 00 00 48 89 ef e8 ff 4d e9 ff f0 ff 4b 60 RSP: 0018:ffffc90000007f68 EFLAGS: 00010086 RAX: 0000000000000000 RBX: ffff8880302d5740 RCX: 0000000000000000 RDX: 0000000000010003 RSI: 0000000000000004 RDI: fffff52000000fdf RBP: ffff8880302d57a0 R08: 0000000000000001 R09: ffff8880b9e2015b R10: ffffed10173c402b R11: 000000003a534656 R12: ffff8880b9e4dd40 R13: 0000000000000000 R14: ffffc9000179fc68 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff8880b9e00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffd086b6fc0 CR3: 00000000146fe000 CR4: 0000000000350ef0 Call Trace: brelse include/linux/buffer_head.h:289 [inline] invalidate_bh_lru+0x7b/0xf0 fs/buffer.c:1418 flush_smp_call_function_queue+0x190/0x5a0 kernel/smp.c:394 __sysvec_call_function_single+0x95/0x3d0 arch/x86/kernel/smp.c:248 asm_call_irq_on_stack+0xf/0x20 __run_sysvec_on_irqstack arch/x86/include/asm/irq_stack.h:37 [inline] run_sysvec_on_irqstack_cond arch/x86/include/asm/irq_stack.h:89 [inline] sysvec_call_function_single+0xbd/0x100 arch/x86/kernel/smp.c:243 asm_sysvec_call_function_single+0x12/0x20 arch/x86/include/asm/idtentry.h:637 RIP: 0010:unwind_next_frame+0x367/0x1f90 arch/x86/kernel/unwind_orc.c:456 Code: e8 7e f5 ff ff 49 89 c0 4d 85 c0 0f 84 56 02 00 00 4d 8d 48 04 48 b8 00 00 00 00 00 fc ff df 4c 89 ca 48 c1 ea 03 0f b6 04 02 <4c> 89 ca 83 e2 07 38 d0 7f 08 84 c0 0f 85 6f 08 00 00 41 0f b6 40 RSP: 0018:ffffc900016af800 EFLAGS: 00000213 RAX: 0000000000000000 RBX: 1ffff920002d5f08 RCX: ffffffff81947ff3 RDX: 1ffffffff1962968 RSI: ffffffff8cb14b0a RDI: ffffffff8c41d594 RBP: 0000000000000001 R08: ffffffff8cb14b40 R09: ffffffff8cb14b44 R10: 0000000000076081 R11: 0000000000026fed R12: ffffc900016af920 R13: ffffc900016af90d R14: ffffc900016af928 R15: ffffc900016af8d8 arch_stack_walk+0x7d/0xe0 arch/x86/kernel/stacktrace.c:25 stack_trace_save+0x8c/0xc0 kernel/stacktrace.c:121 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:401 [inline] ____kasan_kmalloc.constprop.0+0x82/0xa0 mm/kasan/common.c:429 kasan_slab_alloc include/linux/kasan.h:209 [inline] slab_post_alloc_hook mm/slab.h:512 [inline] slab_alloc_node mm/slub.c:2892 [inline] slab_alloc mm/slub.c:2900 [inline] kmem_cache_alloc+0x1c6/0x440 mm/slub.c:2905 vm_area_alloc+0x17/0xf0 kernel/fork.c:348 mmap_region+0x783/0x14a0 mm/mmap.c:1777 do_mmap+0x911/0x1030 mm/mmap.c:1583 vm_mmap_pgoff+0x163/0x220 mm/util.c:519 ksys_mmap_pgoff+0x94/0x5f0 mm/mmap.c:1634 do_syscall_64+0x2d/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x7f6826aba1f2 Code: 04 00 00 5b 5d 41 5c c3 41 f7 c1 ff 0f 00 00 75 27 55 48 89 fd 53 89 cb 48 85 ff 74 33 41 89 da 48 89 ef b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 56 5b 5d c3 0f 1f 00 c7 05 9e 1f 01 00 16 00 RSP: 002b:00007ffd086b6d98 EFLAGS: 00000246 ORIG_RAX: 0000000000000009 RAX: ffffffffffffffda RBX: 0000000000000022 RCX: 00007f6826aba1f2 RDX: 0000000000000003 RSI: 0000000000002000 RDI: 0000000000000000 RBP: 0000000000000000 R08: 00000000ffffffff R09: 0000000000000000 R10: 0000000000000022 R11: 0000000000000246 R12: 0000562754ff8533 R13: 00007f6826acc1e0 R14: 0000000000000014 R15: 0000000000000000 ---------------- Code disassembly (best guess): 0: e8 7e f5 ff ff callq 0xfffff583 5: 49 89 c0 mov %rax,%r8 8: 4d 85 c0 test %r8,%r8 b: 0f 84 56 02 00 00 je 0x267 11: 4d 8d 48 04 lea 0x4(%r8),%r9 15: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax 1c: fc ff df 1f: 4c 89 ca mov %r9,%rdx 22: 48 c1 ea 03 shr $0x3,%rdx 26: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax * 2a: 4c 89 ca mov %r9,%rdx <-- trapping instruction 2d: 83 e2 07 and $0x7,%edx 30: 38 d0 cmp %dl,%al 32: 7f 08 jg 0x3c 34: 84 c0 test %al,%al 36: 0f 85 6f 08 00 00 jne 0x8ab 3c: 41 rex.B 3d: 0f .byte 0xf 3e: b6 40 mov $0x40,%dh