BUG: spinlock bad magic on CPU#0, kworker/u4:2/39
==================================================================
BUG: KASAN: slab-out-of-bounds in task_pid_nr include/linux/sched.h:1566 [inline]
BUG: KASAN: slab-out-of-bounds in spin_dump+0x1f4/0x208 kernel/locking/spinlock_debug.c:63
Read of size 4 at addr ffff0000f6e786a8 by task kworker/u4:2/39

CPU: 0 PID: 39 Comm: kworker/u4:2 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Workqueue: btrfs-endio btrfs_end_bio_work
Call trace:
 dump_backtrace+0x1c0/0x1ec arch/arm64/kernel/stacktrace.c:158
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
 __dump_stack+0x30/0x40 lib/dump_stack.c:88
 dump_stack_lvl+0xf4/0x15c lib/dump_stack.c:106
 print_address_description+0x88/0x218 mm/kasan/report.c:316
 print_report+0x50/0x68 mm/kasan/report.c:420
 kasan_report+0xa8/0xfc mm/kasan/report.c:524
 __asan_report_load4_noabort+0x2c/0x38 mm/kasan/report_generic.c:350
 task_pid_nr include/linux/sched.h:1566 [inline]
 spin_dump+0x1f4/0x208 kernel/locking/spinlock_debug.c:63
 spin_bug kernel/locking/spinlock_debug.c:77 [inline]
 debug_spin_lock_before kernel/locking/spinlock_debug.c:85 [inline]
 do_raw_spin_lock+0x1ec/0x2f8 kernel/locking/spinlock_debug.c:114
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:111 [inline]
 _raw_spin_lock_irqsave+0x74/0xb0 kernel/locking/spinlock.c:162
 __wake_up_common_lock kernel/sched/wait.c:137 [inline]
 __wake_up+0xe4/0x17c kernel/sched/wait.c:160
 btrfs_encoded_read_endio+0x440/0x584 fs/btrfs/inode.c:10553
 btrfs_end_bio_work+0x48/0x58 fs/btrfs/volumes.c:6843
 process_one_work+0x7f8/0x13a4 kernel/workqueue.c:2292
 worker_thread+0x8c4/0xfec kernel/workqueue.c:2439
 kthread+0x250/0x2d8 kernel/kthread.c:376
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:850

The buggy address belongs to the object at ffff0000f6e78600
 which belongs to the cache btrfs_extent_state of size 128
The buggy address is located 40 bytes to the right of
 128-byte region [ffff0000f6e78600, ffff0000f6e78680)

The buggy address belongs to the physical page:
page:00000000f478b88d refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x136e78
flags: 0x5ffc00000000200(slab|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000200 0000000000000000 dead000000000122 ffff0000d68b2480
raw: 0000000000000000 0000000080150015 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000f6e78580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff0000f6e78600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff0000f6e78680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                  ^
 ffff0000f6e78700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff0000f6e78780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
 lock: 0xffff800020cf75b0, .magic: 00000000, .owner: /0, .owner_cpu: 137731608
CPU: 0 PID: 39 Comm: kworker/u4:2 Tainted: G B syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Workqueue: btrfs-endio btrfs_end_bio_work
Call trace:
 dump_backtrace+0x1c0/0x1ec arch/arm64/kernel/stacktrace.c:158
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
 __dump_stack+0x30/0x40 lib/dump_stack.c:88
 dump_stack_lvl+0xf4/0x15c lib/dump_stack.c:106
 dump_stack+0x1c/0x5c lib/dump_stack.c:113
 spin_dump+0x110/0x208 kernel/locking/spinlock_debug.c:69
 spin_bug kernel/locking/spinlock_debug.c:77 [inline]
 debug_spin_lock_before kernel/locking/spinlock_debug.c:85 [inline]
 do_raw_spin_lock+0x1ec/0x2f8 kernel/locking/spinlock_debug.c:114
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:111 [inline]
 _raw_spin_lock_irqsave+0x74/0xb0 kernel/locking/spinlock.c:162
 __wake_up_common_lock kernel/sched/wait.c:137 [inline]
 __wake_up+0xe4/0x17c kernel/sched/wait.c:160
 btrfs_encoded_read_endio+0x440/0x584 fs/btrfs/inode.c:10553
 btrfs_end_bio_work+0x48/0x58 fs/btrfs/volumes.c:6843
 process_one_work+0x7f8/0x13a4 kernel/workqueue.c:2292
 worker_thread+0x8c4/0xfec kernel/workqueue.c:2439
 kthread+0x250/0x2d8 kernel/kthread.c:376
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:850
================================================================================
UBSAN: array-index-out-of-bounds in kernel/locking/qspinlock.c:131:9
index 2098 is out of range for type 'unsigned long[8]'
CPU: 0 PID: 39 Comm: kworker/u4:2 Tainted: G B syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Workqueue: btrfs-endio btrfs_end_bio_work
Call trace:
 dump_backtrace+0x1c0/0x1ec arch/arm64/kernel/stacktrace.c:158
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
 __dump_stack+0x30/0x40 lib/dump_stack.c:88
 dump_stack_lvl+0xf4/0x15c lib/dump_stack.c:106
 dump_stack+0x1c/0x5c lib/dump_stack.c:113
 ubsan_epilogue+0x14/0x48 lib/ubsan.c:151
 __ubsan_handle_out_of_bounds+0xd0/0xf8 lib/ubsan.c:282
 decode_tail kernel/locking/qspinlock.c:131 [inline]
 queued_spin_lock_slowpath+0x8a8/0xc18 kernel/locking/qspinlock.c:471
 queued_spin_lock include/asm-generic/qspinlock.h:114 [inline]
 do_raw_spin_lock+0x2f4/0x2f8 kernel/locking/spinlock_debug.c:115
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:111 [inline]
 _raw_spin_lock_irqsave+0x74/0xb0 kernel/locking/spinlock.c:162
 __wake_up_common_lock kernel/sched/wait.c:137 [inline]
 __wake_up+0xe4/0x17c kernel/sched/wait.c:160
 btrfs_encoded_read_endio+0x440/0x584 fs/btrfs/inode.c:10553
 btrfs_end_bio_work+0x48/0x58 fs/btrfs/volumes.c:6843
 process_one_work+0x7f8/0x13a4 kernel/workqueue.c:2292
 worker_thread+0x8c4/0xfec kernel/workqueue.c:2439
 kthread+0x250/0x2d8 kernel/kthread.c:376
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:850
================================================================================
Unable to handle kernel paging request at virtual address ffff800015189fb0
KASAN: probably user-memory-access in range [0x00000000a8c4fd80-0x00000000a8c4fd87]
Mem abort info:
  ESR = 0x0000000096000047
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x07: level 3 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000047
  CM = 0, WnR = 1
swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000002229cd000
[ffff800015189fb0] pgd=100000023ffff003, p4d=100000023ffff003, pud=100000023fffe003, pmd=100000023fffa003, pte=0000000000000000
Internal error: Oops: 0000000096000047 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 39 Comm: kworker/u4:2 Tainted: G B syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Workqueue: btrfs-endio btrfs_end_bio_work
pstate: 824000c5 (Nzcv daIF +PAN -UAO +TCO -DIT -SSBS BTYPE=--)
pc : queued_spin_lock_slowpath+0x598/0xc18 kernel/locking/qspinlock.c:474
lr : decode_tail kernel/locking/qspinlock.c:131 [inline]
lr : queued_spin_lock_slowpath+0x8a8/0xc18 kernel/locking/qspinlock.c:471
sp : ffff80001cee77a0
x29: ffff80001cee7840 x28: ffff800015189fb0 x27: 1ffff0000419eeb6
x26: ffff800015220f40 x25: 1fffe00033ea8bf0 x24: dfff800000000000
x23: ffff7000039dcef8 x22: ffff00019f545f88 x21: ffff800015189fb0
x20: ffff00019f545f80 x19: ffff800020cf75b0 x18: ffff800011b9bf60
x17: 3d3d3d3d3d3d3d3d x16: ffff800008193848 x15: 0000000000000000
x14: ffff700002fc1cbc x13: 1ffff00002fc1cbc x12: 0000000000ff0100
x11: ff008000081938cc x10: ffff800015189f80 x9 : 0000000000000003
x8 : 0000000000000000 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff80001cee71f8 x4 : ffff800015304cc0 x3 : ffff800008193894
x2 : 0000000000000001 x1 : 0000000000000004 x0 : ffff00019f545f88
Call trace:
 queued_spin_lock_slowpath+0x598/0xc18 kernel/locking/qspinlock.c:477
 queued_spin_lock include/asm-generic/qspinlock.h:114 [inline]
 do_raw_spin_lock+0x2f4/0x2f8 kernel/locking/spinlock_debug.c:115
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:111 [inline]
 _raw_spin_lock_irqsave+0x74/0xb0 kernel/locking/spinlock.c:162
 __wake_up_common_lock kernel/sched/wait.c:137 [inline]
 __wake_up+0xe4/0x17c kernel/sched/wait.c:160
 btrfs_encoded_read_endio+0x440/0x584 fs/btrfs/inode.c:10553
 btrfs_end_bio_work+0x48/0x58 fs/btrfs/volumes.c:6843
 process_one_work+0x7f8/0x13a4 kernel/workqueue.c:2292
 worker_thread+0x8c4/0xfec kernel/workqueue.c:2439
 kthread+0x250/0x2d8 kernel/kthread.c:376
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:850
Code: aa1503e0 979340ee aa1603e0 52800081 (f90002b4)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	aa1503e0 	mov	x0, x21
   4:	979340ee 	bl	0xfffffffffe4d03bc
   8:	aa1603e0 	mov	x0, x22
   c:	52800081 	mov	w1, #0x4                   	// #4
* 10:	f90002b4 	str	x20, [x21]		<-- trapping instruction