------------[ cut here ]------------
VFS: brelse: Trying to free free buffer
WARNING: CPU: 1 PID: 11897 at fs/buffer.c:1229 __brelse fs/buffer.c:1229 [inline]
WARNING: CPU: 1 PID: 11897 at fs/buffer.c:1229 __brelse+0x6d/0xb0 fs/buffer.c:1223
Modules linked in:
CPU: 1 UID: 0 PID: 11897 Comm: syz.2.1320 Not tainted 6.13.0-rc5-syzkaller-00006-g56e6a3499e14 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:__brelse fs/buffer.c:1229 [inline]
RIP: 0010:__brelse+0x6d/0xb0 fs/buffer.c:1223
Code: 84 d2 75 52 44 8b 63 60 31 ff 44 89 e6 e8 fb d5 79 ff 45 85 e4 75 20 e8 b1 d3 79 ff 90 48 c7 c7 e0 24 7f 8b e8 b4 0d 3a ff 90 <0f> 0b 90 90 5b 5d 41 5c e9 96 d3 79 ff e8 91 d3 79 ff be 04 00 00
RSP: 0018:ffffc90000a18f40 EFLAGS: 00010082
RAX: 0000000000000000 RBX: ffff88807eb3d740 RCX: ffffffff815a5139
RDX: ffff88805b2f1e00 RSI: ffffffff815a5146 RDI: 0000000000000001
RBP: ffff88807eb3d7a0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000003 R12: 0000000000000000
R13: ffff88807eb3d740 R14: dffffc0000000000 R15: ffffffff82204240
FS:  00007f2c270a46c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000110c2f099a CR3: 00000000320a6000 CR4: 0000000000350ef0
Call Trace:
 <IRQ>
 brelse include/linux/buffer_head.h:324 [inline]
 __invalidate_bh_lrus fs/buffer.c:1498 [inline]
 invalidate_bh_lru+0xa2/0x190 fs/buffer.c:1511
 csd_do_func kernel/smp.c:134 [inline]
 __flush_smp_call_function_queue+0x27d/0x8c0 kernel/smp.c:540
 __sysvec_call_function_single+0x8c/0x410 arch/x86/kernel/smp.c:271
 instr_sysvec_call_function_single arch/x86/kernel/smp.c:266 [inline]
 sysvec_call_function_single+0x9f/0xc0 arch/x86/kernel/smp.c:266
 </IRQ>
 <TASK>
 asm_sysvec_call_function_single+0x1a/0x20 arch/x86/include/asm/idtentry.h:709
RIP: 0010:instrument_atomic_read include/linux/instrumented.h:68 [inline]
RIP: 0010:_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
RIP: 0010:cpumask_test_cpu include/linux/cpumask.h:570 [inline]
RIP: 0010:cpu_online include/linux/cpumask.h:1117 [inline]
RIP: 0010:trace_rss_stat+0x42/0x220 include/trace/events/kmem.h:384
Code: c7 c3 4c da 03 00 e8 4d 55 b8 ff 65 8b 1b bf 07 00 00 00 89 de e8 7e 57 b8 ff 83 fb 07 0f 87 a9 01 00 00 e8 30 55 b8 ff 89 db <be> 08 00 00 00 48 89 d8 48 c1 e8 06 48 8d 3c c5 d0 5c 5f 90 e8 75
RSP: 0018:ffffc900034977a8 EFLAGS: 00000246
RAX: 0000000000080000 RBX: 0000000000000001 RCX: ffffc9000c8b3000
RDX: 0000000000080000 RSI: ffffffff81e1c060 RDI: 0000000000000005
RBP: 0000000000000003 R08: 0000000000000005 R09: 0000000000000007
R10: 0000000000000001 R11: 0000000000000003 R12: ffff888024d4e180
R13: ffff888024d4e180 R14: 0000000000000000 R15: ffff8880562595d0
 mm_trace_rss_stat mm/memory.c:180 [inline]
 add_mm_counter include/linux/mm.h:2614 [inline]
 finish_fault+0x9bb/0x1010 mm/memory.c:5188
 do_read_fault mm/memory.c:5326 [inline]
 do_fault mm/memory.c:5456 [inline]
 do_pte_missing+0xee6/0x3e00 mm/memory.c:3979
 handle_pte_fault mm/memory.c:5801 [inline]
 __handle_mm_fault+0x103c/0x2a40 mm/memory.c:5944
 handle_mm_fault+0x3fa/0xaa0 mm/memory.c:6112
 faultin_page mm/gup.c:1196 [inline]
 __get_user_pages+0x8d9/0x3b50 mm/gup.c:1494
 populate_vma_page_range+0x27f/0x3a0 mm/gup.c:1932
 __mm_populate+0x1d6/0x380 mm/gup.c:2035
 mm_populate include/linux/mm.h:3396 [inline]
 vm_mmap_pgoff+0x293/0x360 mm/util.c:585
 ksys_mmap_pgoff+0x7d/0x5c0 mm/mmap.c:542
 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:89 [inline]
 __se_sys_mmap arch/x86/kernel/sys_x86_64.c:82 [inline]
 __x64_sys_mmap+0x125/0x190 arch/x86/kernel/sys_x86_64.c:82
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2c26185d29
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f2c270a4038 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 00007f2c26375fa0 RCX: 00007f2c26185d29
RDX: b635773f06ebbeef RSI: 0000000000b36000 RDI: 0000000020000000
RBP: 00007f2c26201b08 R08: ffffffffffffffff R09: 0000000000000000
R10: 0000000000008031 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f2c26375fa0 R15: 00007ffd3334baa8
 </TASK>
----------------
Code disassembly (best guess):
   0:	c7 c3 4c da 03 00    	mov    $0x3da4c,%ebx
   6:	e8 4d 55 b8 ff       	call   0xffb85558
   b:	65 8b 1b             	mov    %gs:(%rbx),%ebx
   e:	bf 07 00 00 00       	mov    $0x7,%edi
  13:	89 de                	mov    %ebx,%esi
  15:	e8 7e 57 b8 ff       	call   0xffb85798
  1a:	83 fb 07             	cmp    $0x7,%ebx
  1d:	0f 87 a9 01 00 00    	ja     0x1cc
  23:	e8 30 55 b8 ff       	call   0xffb85558
  28:	89 db                	mov    %ebx,%ebx
* 2a:	be 08 00 00 00       	mov    $0x8,%esi <-- trapping instruction
  2f:	48 89 d8             	mov    %rbx,%rax
  32:	48 c1 e8 06          	shr    $0x6,%rax
  36:	48 8d 3c c5 d0 5c 5f 	lea    -0x6fa0a330(,%rax,8),%rdi
  3d:	90
  3e:	e8                   	.byte 0xe8
  3f:	75                   	.byte 0x75