------------[ cut here ]------------
VFS: brelse: Trying to free free buffer
WARNING: CPU: 0 PID: 5075 at fs/buffer.c:1235 __brelse fs/buffer.c:1235 [inline]
WARNING: CPU: 0 PID: 5075 at fs/buffer.c:1235 brelse include/linux/buffer_head.h:309 [inline]
WARNING: CPU: 0 PID: 5075 at fs/buffer.c:1235 __invalidate_bh_lrus fs/buffer.c:1487 [inline]
WARNING: CPU: 0 PID: 5075 at fs/buffer.c:1235 invalidate_bh_lru+0x102/0x1b0 fs/buffer.c:1500
Modules linked in:
CPU: 0 PID: 5075 Comm: udevd Not tainted 6.9.0-rc4-syzkaller-00173-g3cdb45594619 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:__brelse fs/buffer.c:1235 [inline]
RIP: 0010:brelse include/linux/buffer_head.h:309 [inline]
RIP: 0010:__invalidate_bh_lrus fs/buffer.c:1487 [inline]
RIP: 0010:invalidate_bh_lru+0x102/0x1b0 fs/buffer.c:1500
Code: 34 4f dd ff f0 ff 0b eb 25 e8 2a 3b 7c ff 41 80 3c 2e 00 75 2a eb 30 e8 1c 3b 7c ff 90 48 c7 c7 c0 dc d8 8b e8 9f b7 3e ff 90 <0f> 0b 90 90 48 bd 00 00 00 00 00 fc ff df 41 80 3c 2e 00 74 08 4c
RSP: 0000:ffffc90000007f30 EFLAGS: 00010046
RAX: 12af0dae7dbd1700 RBX: ffff8880799b6060 RCX: ffff8880294abc00
RDX: 0000000080010001 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffff81587f92 R09: fffffbfff1c39b48
R10: dffffc0000000000 R11: fffffbfff1c39b48 R12: ffff8880b9439370
R13: 0000000000000000 R14: 1ffff1101728726e R15: ffff8880b9439370
FS: 00007fe9540c7c80(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe953db4c20 CR3: 000000007b7e4000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
csd_do_func kernel/smp.c:133 [inline]
__flush_smp_call_function_queue+0x3fc/0x1690 kernel/smp.c:511
__sysvec_call_function_single+0xb8/0x430 arch/x86/kernel/smp.c:271
instr_sysvec_call_function_single arch/x86/kernel/smp.c:266 [inline]
sysvec_call_function_single+0x9e/0xc0 arch/x86/kernel/smp.c:266
asm_sysvec_call_function_single+0x1a/0x20 arch/x86/include/asm/idtentry.h:709
RIP: 0010:rcu_read_unlock include/linux/rcupdate.h:810 [inline]
RIP: 0010:count_memcg_event_mm+0x334/0x420 include/linux/memcontrol.h:1121
Code: f2 5a b6 ff 4c 8b 6c 24 18 eb 1f e8 e6 5a b6 ff e8 61 49 97 09 4d 85 f6 74 84 e8 d7 5a b6 ff fb 49 be 00 00 00 00 00 fc ff df <e8> e7 4f 97 09 89 c3 31 ff 89 c6 e8 fc 5e b6 ff 85 db 74 10 e8 03
RSP: 0000:ffffc9000375fda0 EFLAGS: 00000293
RAX: ffffffff81dfa599 RBX: 0000000000000000 RCX: ffff8880294abc00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc9000375fe70 R08: ffffffff81dfa509 R09: 1ffffffff25df6b3
R10: dffffc0000000000 R11: fffffbfff25df6b4 R12: 0000000000000046
R13: ffffffff81dfa304 R14: dffffc0000000000 R15: 1ffff920006ebfb8
mm_account_fault mm/memory.c:5475 [inline]
handle_mm_fault+0x3d5/0x770 mm/memory.c:5622
do_user_addr_fault arch/x86/mm/fault.c:1362 [inline]
handle_page_fault arch/x86/mm/fault.c:1505 [inline]
exc_page_fault+0x446/0x8e0 arch/x86/mm/fault.c:1563
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0033:0x7fe953ccb481
Code: 1e ff ff ff 48 81 c4 48 08 00 00 5b 5d 41 5c 41 5d 41 5e 41 5f c3 41 57 41 56 41 55 41 54 55 48 89 fd 53 48 81 ec 18 01 00 00 <0f> b6 1e 84 db 0f 84 0f 02 00 00 49 89 f4 89 de e8 ca bd fa ff 48
RSP: 002b:00007ffccec866a0 EFLAGS: 00010206
RAX: 000055d5d918d0f0 RBX: 000055d59bcc172e RCX: 00007fe953d169a4
RDX: 00000000fbad2484 RSI: 00007fe953db4c20 RDI: 000055d59bcc172f
RBP: 000055d59bcc172f R08: 0000000000000004 R09: 0000000000000001
R10: 00000000000001b6 R11: 0000000000000246 R12: 000055d59bcbf185
R13: 000055d5d918d0f0 R14: 0000000000000001 R15: 000055d5d916a910
----------------
Code disassembly (best guess):
0: f2 5a repnz pop %rdx
2: b6 ff mov $0xff,%dh
4: 4c 8b 6c 24 18 mov 0x18(%rsp),%r13
9: eb 1f jmp 0x2a
b: e8 e6 5a b6 ff call 0xffb65af6
10: e8 61 49 97 09 call 0x9974976
15: 4d 85 f6 test %r14,%r14
18: 74 84 je 0xffffff9e
1a: e8 d7 5a b6 ff call 0xffb65af6
1f: fb sti
20: 49 be 00 00 00 00 00 movabs $0xdffffc0000000000,%r14
27: fc ff df
* 2a: e8 e7 4f 97 09 call 0x9975016 <-- trapping instruction
2f: 89 c3 mov %eax,%ebx
31: 31 ff xor %edi,%edi
33: 89 c6 mov %eax,%esi
35: e8 fc 5e b6 ff call 0xffb65f36
3a: 85 db test %ebx,%ebx
3c: 74 10 je 0x4e
3e: e8 .byte 0xe8
3f: 03 .byte 0x3