BUG: Bad rss-counter state mm:ffff888024388980 type:MM_SHMEMPAGES val:236
page: refcount:749 mapcount:0 mapping:ffff88802258f930 index:0x0 pfn:0x71600
head: order:9 mapcount:236 entire_mapcount:0 nr_pages_mapped:236 pincount:0
memcg:ffff8880162e4000
aops:shmem_aops ino:46c
flags: 0xfff7800004026d(locked|referenced|uptodate|lru|workingset|head|swapbacked|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff7800004026d ffffea0001d77288 ffff8880150a3290 ffff88802258f930
raw: 0000000000000000 0000000000000000 000002edffffffff ffff8880162e4000
head: 00fff7800004026d ffffea0001d77288 ffff8880150a3290 ffff88802258f930
head: 0000000000000000 0000000000000000 000002edffffffff ffff8880162e4000
head: 00fff00000000209 ffffea0001c58001 ffffffff000000eb 00000000000000ec
head: 0000000000000200 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: VM_BUG_ON_FOLIO(folio_mapped(folio))
page_owner tracks the page as allocated
page last allocated via order 9, migratetype Movable, gfp_mask 0x1c24ca(GFP_TRANSHUGE), pid 5798, tgid 5786 (syz-executor288), ts 139336894158, free_ts 137227623198
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1470
 prep_new_page mm/page_alloc.c:1478 [inline]
 get_page_from_freelist+0x2cbd/0x2d70 mm/page_alloc.c:3457
 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4715
 __folio_alloc_noprof+0x18/0x210 mm/page_alloc.c:4747
 alloc_charge_folio+0x4a2/0xa10 mm/khugepaged.c:1053
 collapse_file mm/khugepaged.c:1801 [inline]
 hpage_collapse_scan_file+0x12a4/0x61f0 mm/khugepaged.c:2299
 madvise_collapse+0x5e0/0xcf0 mm/khugepaged.c:2742
 madvise_vma_behavior mm/madvise.c:1094 [inline]
 madvise_walk_vmas mm/madvise.c:1268 [inline]
 do_madvise+0xc5f/0x4590 mm/madvise.c:1464
 __do_sys_madvise mm/madvise.c:1481 [inline]
 __se_sys_madvise mm/madvise.c:1479 [inline]
 __x64_sys_madvise+0xa6/0xc0 mm/madvise.c:1479
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5751 tgid 5750 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1089 [inline]
 free_unref_folios+0x103a/0x1b00 mm/page_alloc.c:2669
 folios_put_refs+0x76e/0x860 mm/swap.c:1020
 folio_batch_release include/linux/pagevec.h:101 [inline]
 shmem_undo_range+0x6de/0x1df0 mm/shmem.c:1013
 shmem_truncate_range mm/shmem.c:1122 [inline]
 shmem_evict_inode+0x29b/0xa80 mm/shmem.c:1250
 evict+0x2a8/0x630 fs/inode.c:667
 __dentry_kill+0x20d/0x630 fs/dcache.c:603
 dput+0x19f/0x2b0 fs/dcache.c:845
 __fput+0x68c/0x8b0 fs/file_table.c:430
 task_work_run+0x24f/0x310 kernel/task_work.c:180
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0xa27/0x28e0 kernel/exit.c:874
 do_group_exit+0x207/0x2c0 kernel/exit.c:1023
 get_signal+0x16a1/0x1740 kernel/signal.c:2909
 arch_do_signal_or_restart+0x96/0x830 arch/x86/kernel/signal.c:310
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0xc9/0x370 kernel/entry/common.c:218
 do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
------------[ cut here ]------------
kernel BUG at mm/filemap.c:162!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 PID: 5787 Comm: syz-executor288 Not tainted 6.10.0-rc2-next-20240607-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
RIP: 0010:filemap_unaccount_folio+0x80d/0xe40 mm/filemap.c:162
Code: 25 ff 0f 00 00 0f 84 f0 00 00 00 e8 4d 6c ca ff e9 6c f8 ff ff e8 43 6c ca ff 4c 89 ef 48 c7 c6 20 a3 d3 8b e8 44 53 14 00 90 <0f> 0b e8 2c 6c ca ff 4c 89 ef 48 c7 c6 60 a4 d3 8b e8 2d 53 14 00
RSP: 0018:ffffc90004787138 EFLAGS: 00010046
RAX: fc373135a290ce00 RBX: 0000000000000040 RCX: ffffc90004786d03
RDX: 0000000000000002 RSI: ffffffff8bcad360 RDI: ffffffff8c200e00
RBP: 00000000000000ec R08: ffffffff8fae026f R09: 1ffffffff1f5c04d
R10: dffffc0000000000 R11: fffffbfff1f5c04e R12: 1ffffd400038b000
R13: ffffea0001c58000 R14: 1ffffd400038b001 R15: ffffea0001c58008
FS:  0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000011b56000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __filemap_remove_folio+0xc4/0x9e0 mm/filemap.c:231
 filemap_remove_folio+0x108/0x2e0 mm/filemap.c:264
 truncate_inode_folio+0x5d/0x70 mm/truncate.c:195
 shmem_undo_range+0x45d/0x1df0 mm/shmem.c:1009
 shmem_truncate_range mm/shmem.c:1122 [inline]
 shmem_evict_inode+0x29b/0xa80 mm/shmem.c:1250
 evict+0x2a8/0x630 fs/inode.c:667
 __dentry_kill+0x20d/0x630 fs/dcache.c:603
 dput+0x19f/0x2b0 fs/dcache.c:845
 __fput+0x68c/0x8b0 fs/file_table.c:430
 task_work_run+0x24f/0x310 kernel/task_work.c:180
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0xa27/0x28e0 kernel/exit.c:874
 do_group_exit+0x207/0x2c0 kernel/exit.c:1023
 get_signal+0x16a1/0x1740 kernel/signal.c:2909
 arch_do_signal_or_restart+0x96/0x830 arch/x86/kernel/signal.c:310
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0xc9/0x370 kernel/entry/common.c:218
 do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fbaf7aed399
Code: Unable to access opcode bytes at 0x7fbaf7aed36f.
RSP: 002b:00007fbaf7aa8238 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007fbaf7b77308 RCX: 00007fbaf7aed399
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007fbaf7b77308
RBP: 00007fbaf7b77300 R08: 00007fbaf7aa86c0 R09: 00007fbaf7aa86c0
R10: 0000000000000000 R11: 0000000000000246 R12: b635773f06ebbeee
R13: 0000000000000000 R14: 00007ffd7009ea30 R15: 00007ffd7009eb18
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:filemap_unaccount_folio+0x80d/0xe40 mm/filemap.c:162
Code: 25 ff 0f 00 00 0f 84 f0 00 00 00 e8 4d 6c ca ff e9 6c f8 ff ff e8 43 6c ca ff 4c 89 ef 48 c7 c6 20 a3 d3 8b e8 44 53 14 00 90 <0f> 0b e8 2c 6c ca ff 4c 89 ef 48 c7 c6 60 a4 d3 8b e8 2d 53 14 00
RSP: 0018:ffffc90004787138 EFLAGS: 00010046
RAX: fc373135a290ce00 RBX: 0000000000000040 RCX: ffffc90004786d03
RDX: 0000000000000002 RSI: ffffffff8bcad360 RDI: ffffffff8c200e00
RBP: 00000000000000ec R08: ffffffff8fae026f R09: 1ffffffff1f5c04d
R10: dffffc0000000000 R11: fffffbfff1f5c04e R12: 1ffffd400038b000
R13: ffffea0001c58000 R14: 1ffffd400038b001 R15: ffffea0001c58008
FS:  0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000011b56000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400