------------[ cut here ]------------
VFS: brelse: Trying to free free buffer
WARNING: CPU: 1 PID: 5831 at fs/buffer.c:1229 __brelse fs/buffer.c:1229 [inline]
WARNING: CPU: 1 PID: 5831 at fs/buffer.c:1229 __brelse+0x6d/0xb0 fs/buffer.c:1223
Modules linked in:
CPU: 1 UID: 0 PID: 5831 Comm: syz-executor Not tainted 6.13.0-rc5-syzkaller-00161-g63676eefb7a0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:__brelse fs/buffer.c:1229 [inline]
RIP: 0010:__brelse+0x6d/0xb0 fs/buffer.c:1223
Code: 84 d2 75 52 44 8b 63 60 31 ff 44 89 e6 e8 fb d5 79 ff 45 85 e4 75 20 e8 b1 d3 79 ff 90 48 c7 c7 e0 24 7f 8b e8 c4 0d 3a ff 90 <0f> 0b 90 90 5b 5d 41 5c e9 96 d3 79 ff e8 91 d3 79 ff be 04 00 00
RSP: 0018:ffffc90000a18f40 EFLAGS: 00010082
RAX: 0000000000000000 RBX: ffff88805b56bbc8 RCX: ffffffff815a5139
RDX: ffff88802c2c1e00 RSI: ffffffff815a5146 RDI: 0000000000000001
RBP: ffff88805b56bc28 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000008 R12: 0000000000000000
R13: ffff88805b56bbc8 R14: dffffc0000000000 R15: ffffffff82204230
FS:  0000555560340500(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ff7f8748178 CR3: 0000000061946000 CR4: 0000000000350ef0
Call Trace:
 <IRQ>
 brelse include/linux/buffer_head.h:324 [inline]
 __invalidate_bh_lrus fs/buffer.c:1498 [inline]
 invalidate_bh_lru+0xa2/0x190 fs/buffer.c:1511
 csd_do_func kernel/smp.c:134 [inline]
 __flush_smp_call_function_queue+0x27d/0x8c0 kernel/smp.c:540
 __sysvec_call_function_single+0x8c/0x410 arch/x86/kernel/smp.c:271
 instr_sysvec_call_function_single arch/x86/kernel/smp.c:266 [inline]
 sysvec_call_function_single+0x9f/0xc0 arch/x86/kernel/smp.c:266
 </IRQ>
 <TASK>
 asm_sysvec_call_function_single+0x1a/0x20 arch/x86/include/asm/idtentry.h:709
RIP: 0010:variable_test_bit arch/x86/include/asm/bitops.h:227 [inline]
RIP: 0010:arch_test_bit arch/x86/include/asm/bitops.h:239 [inline]
RIP: 0010:_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:142 [inline]
RIP: 0010:cpumask_test_cpu include/linux/cpumask.h:570 [inline]
RIP: 0010:cpu_online include/linux/cpumask.h:1117 [inline]
RIP: 0010:trace_lock_release include/trace/events/lock.h:69 [inline]
RIP: 0010:lock_release+0xa9/0x6f0 kernel/locking/lockdep.c:5860
Code: 03 00 65 8b 6d 00 83 fd 07 0f 87 22 05 00 00 89 ed be 08 00 00 00 48 89 e8 48 c1 e8 06 48 8d 3c c5 50 5f 5f 90 e8 07 36 85 00 <48> 0f a3 2d 6f a5 e8 0e 0f 82 26 04 00 00 48 c7 c5 54 92 5f 90 48
RSP: 0018:ffffc90002e67610 EFLAGS: 00000246
RAX: 0000000000000001 RBX: 1ffff920005ccec4 RCX: ffffffff8176b9d9
RDX: fffffbfff20bebeb RSI: 0000000000000008 RDI: ffffffff905f5f50
RBP: 0000000000000001 R08: 0000000000000000 R09: fffffbfff20bebea
R10: ffffffff905f5f57 R11: 0000000000000007 R12: ffffffff8e1bb840
R13: 0000000000000008 R14: 0000000000000001 R15: 1ffff920005ccee7
 rcu_lock_release include/linux/rcupdate.h:347 [inline]
 rcu_read_unlock_sched include/linux/rcupdate.h:962 [inline]
 pfn_valid include/linux/mmzone.h:2058 [inline]
 page_table_check_set+0x22d/0x9c0 mm/page_table_check.c:110
 __page_table_check_ptes_set+0x2d0/0x3e0 mm/page_table_check.c:225
 page_table_check_ptes_set include/linux/page_table_check.h:74 [inline]
 set_ptes include/linux/pgtable.h:288 [inline]
 __copy_present_ptes mm/memory.c:967 [inline]
 copy_present_ptes mm/memory.c:1050 [inline]
 copy_pte_range mm/memory.c:1173 [inline]
 copy_pmd_range mm/memory.c:1261 [inline]
 copy_pud_range mm/memory.c:1298 [inline]
 copy_p4d_range mm/memory.c:1322 [inline]
 copy_page_range+0x209a/0x5790 mm/memory.c:1420
 dup_mmap kernel/fork.c:748 [inline]
 dup_mm kernel/fork.c:1691 [inline]
 copy_mm kernel/fork.c:1743 [inline]
 copy_process+0x7ef3/0x8e50 kernel/fork.c:2394
 kernel_clone+0xfd/0x960 kernel/fork.c:2806
 __do_sys_clone+0xba/0x100 kernel/fork.c:2949
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff9d297c593
Code: 1f 84 00 00 00 00 00 64 48 8b 04 25 10 00 00 00 45 31 c0 31 d2 31 f6 bf 11 00 20 01 4c 8d 90 d0 02 00 00 b8 38 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 89 c2 85 c0 75 2c 64 48 8b 04 25 10 00 00
RSP: 002b:00007ffe8c54cdf8 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff9d297c593
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000001
R10: 00005555603407d0 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000046191 R14: 00007ffe8c54cf80 R15: 000000000000016c
 </TASK>
----------------
Code disassembly (best guess):
   0:	03 00                	add    (%rax),%eax
   2:	65 8b 6d 00          	mov    %gs:0x0(%rbp),%ebp
   6:	83 fd 07             	cmp    $0x7,%ebp
   9:	0f 87 22 05 00 00    	ja     0x531
   f:	89 ed                	mov    %ebp,%ebp
  11:	be 08 00 00 00       	mov    $0x8,%esi
  16:	48 89 e8             	mov    %rbp,%rax
  19:	48 c1 e8 06          	shr    $0x6,%rax
  1d:	48 8d 3c c5 50 5f 5f 	lea    -0x6fa0a0b0(,%rax,8),%rdi
  24:	90
  25:	e8 07 36 85 00       	call   0x853631
* 2a:	48 0f a3 2d 6f a5 e8 	bt     %rbp,0xee8a56f(%rip)        # 0xee8a5a1 <-- trapping instruction
  31:	0e
  32:	0f 82 26 04 00 00    	jb     0x45e
  38:	48 c7 c5 54 92 5f 90 	mov    $0xffffffff905f9254,%rbp
  3f:	48                   	rex.W