BUG: Bad page state in process jfsCommit  pfn:642c8
page:ffffea000190b200 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1c pfn:0x642c8
flags: 0xfff00000002007(locked|referenced|uptodate|private|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000002007 dead000000000100 dead000000000122 0000000000000000
raw: 000000000000001c ffff8880610e93e0 00000000ffffffff 0000000000000000
page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x100c40(GFP_NOFS|__GFP_HARDWALL), pid 4469, ts 61636381468, free_ts 60483845833
 prep_new_page mm/page_alloc.c:2426 [inline]
 get_page_from_freelist+0x3b78/0x3d40 mm/page_alloc.c:4192
 __alloc_pages+0x272/0x700 mm/page_alloc.c:5464
 __page_cache_alloc+0xd4/0x4a0 mm/filemap.c:1022
 do_read_cache_page+0x1e5/0x1040 mm/filemap.c:3457
 read_mapping_page include/linux/pagemap.h:515 [inline]
 __get_metapage+0x398/0x1070 fs/jfs/jfs_metapage.c:621
 diRead+0x707/0xbb0 fs/jfs/jfs_imap.c:367
 jfs_iget+0x88/0x3b0 fs/jfs/inode.c:35
 jfs_fill_super+0x826/0xc70 fs/jfs/super.c:585
 mount_bdev+0x2c9/0x3f0 fs/super.c:1400
 legacy_get_tree+0xeb/0x180 fs/fs_context.c:611
 vfs_get_tree+0x88/0x270 fs/super.c:1530
 do_new_mount+0x2ba/0xb40 fs/namespace.c:3012
 do_mount fs/namespace.c:3355 [inline]
 __do_sys_mount fs/namespace.c:3563 [inline]
 __se_sys_mount+0x2d5/0x3c0 fs/namespace.c:3540
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1340 [inline]
 free_pcp_prepare mm/page_alloc.c:1391 [inline]
 free_unref_page_prepare+0xc34/0xcf0 mm/page_alloc.c:3317
 free_unref_page+0x95/0x2d0 mm/page_alloc.c:3396
 kasan_depopulate_vmalloc_pte+0x66/0x80 mm/kasan/shadow.c:375
 apply_to_pte_range mm/memory.c:2573 [inline]
 apply_to_pmd_range mm/memory.c:2617 [inline]
 apply_to_pud_range mm/memory.c:2653 [inline]
 apply_to_p4d_range mm/memory.c:2689 [inline]
 __apply_to_page_range+0x9bf/0xcc0 mm/memory.c:2723
 kasan_release_vmalloc+0x96/0xb0 mm/kasan/shadow.c:485
 __purge_vmap_area_lazy+0x15ae/0x1740 mm/vmalloc.c:1704
 _vm_unmap_aliases+0x453/0x4e0 mm/vmalloc.c:2107
 change_page_attr_set_clr+0x308/0x1050 arch/x86/mm/pat/set_memory.c:1740
 change_page_attr_clear arch/x86/mm/pat/set_memory.c:1797 [inline]
 set_memory_ro+0xa1/0xe0 arch/x86/mm/pat/set_memory.c:1943
 bpf_jit_binary_lock_ro include/linux/filter.h:892 [inline]
 bpf_int_jit_compile+0xbf36/0xc6c0 arch/x86/net/bpf_jit_comp.c:2422
 bpf_prog_select_runtime+0x701/0x9f0 kernel/bpf/core.c:1930
 bpf_migrate_filter net/core/filter.c:1299 [inline]
 bpf_prepare_filter+0x10d0/0x13d0 net/core/filter.c:1347
 sk_attach_filter+0x1e/0x130 net/core/filter.c:1531
 sock_setsockopt+0x19ff/0x2f10 net/core/sock.c:1167
 __sys_setsockopt+0x5dd/0x990 net/socket.c:2199
 __do_sys_setsockopt net/socket.c:2214 [inline]
 __se_sys_setsockopt net/socket.c:2211 [inline]
 __x64_sys_setsockopt+0xb1/0xc0 net/socket.c:2211
Modules linked in:
CPU: 1 PID: 276 Comm: jfsCommit Not tainted 5.15.173-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2d0 lib/dump_stack.c:106
 bad_page+0x14b/0x170 mm/page_alloc.c:652
 check_free_page_bad mm/page_alloc.c:1199 [inline]
 check_free_page mm/page_alloc.c:1209 [inline]
 free_pages_prepare mm/page_alloc.c:1334 [inline]
 free_pcp_prepare mm/page_alloc.c:1391 [inline]
 free_unref_page_prepare+0x48d/0xcf0 mm/page_alloc.c:3317
 free_unref_page+0x95/0x2d0 mm/page_alloc.c:3396
 txUnlock+0x282/0xca0 fs/jfs/jfs_txnmgr.c:932
 txLazyCommit fs/jfs/jfs_txnmgr.c:2716 [inline]
 jfs_lazycommit+0x5cd/0xc30 fs/jfs/jfs_txnmgr.c:2766
 kthread+0x3f6/0x4f0 kernel/kthread.c:334
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287
 </TASK>
page:ffffea000190b200 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1c pfn:0x642c8
flags: 0xfff00000002007(locked|referenced|uptodate|private|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000002007 dead000000000100 dead000000000122 0000000000000000
raw: 000000000000001c ffff8880610e93e0 00000000ffffffff 0000000000000000
page dumped because: VM_BUG_ON_PAGE(((unsigned int) page_ref_count(page) + 127u <= 127u))
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x100c40(GFP_NOFS|__GFP_HARDWALL), pid 4469, ts 61636381468, free_ts 60483845833
 prep_new_page mm/page_alloc.c:2426 [inline]
 get_page_from_freelist+0x3b78/0x3d40 mm/page_alloc.c:4192
 __alloc_pages+0x272/0x700 mm/page_alloc.c:5464
 __page_cache_alloc+0xd4/0x4a0 mm/filemap.c:1022
 do_read_cache_page+0x1e5/0x1040 mm/filemap.c:3457
 read_mapping_page include/linux/pagemap.h:515 [inline]
 __get_metapage+0x398/0x1070 fs/jfs/jfs_metapage.c:621
 diRead+0x707/0xbb0 fs/jfs/jfs_imap.c:367
 jfs_iget+0x88/0x3b0 fs/jfs/inode.c:35
 jfs_fill_super+0x826/0xc70 fs/jfs/super.c:585
 mount_bdev+0x2c9/0x3f0 fs/super.c:1400
 legacy_get_tree+0xeb/0x180 fs/fs_context.c:611
 vfs_get_tree+0x88/0x270 fs/super.c:1530
 do_new_mount+0x2ba/0xb40 fs/namespace.c:3012
 do_mount fs/namespace.c:3355 [inline]
 __do_sys_mount fs/namespace.c:3563 [inline]
 __se_sys_mount+0x2d5/0x3c0 fs/namespace.c:3540
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1340 [inline]
 free_pcp_prepare mm/page_alloc.c:1391 [inline]
 free_unref_page_prepare+0xc34/0xcf0 mm/page_alloc.c:3317
 free_unref_page+0x95/0x2d0 mm/page_alloc.c:3396
 kasan_depopulate_vmalloc_pte+0x66/0x80 mm/kasan/shadow.c:375
 apply_to_pte_range mm/memory.c:2573 [inline]
 apply_to_pmd_range mm/memory.c:2617 [inline]
 apply_to_pud_range mm/memory.c:2653 [inline]
 apply_to_p4d_range mm/memory.c:2689 [inline]
 __apply_to_page_range+0x9bf/0xcc0 mm/memory.c:2723
 kasan_release_vmalloc+0x96/0xb0 mm/kasan/shadow.c:485
 __purge_vmap_area_lazy+0x15ae/0x1740 mm/vmalloc.c:1704
 _vm_unmap_aliases+0x453/0x4e0 mm/vmalloc.c:2107
 change_page_attr_set_clr+0x308/0x1050 arch/x86/mm/pat/set_memory.c:1740
 change_page_attr_clear arch/x86/mm/pat/set_memory.c:1797 [inline]
 set_memory_ro+0xa1/0xe0 arch/x86/mm/pat/set_memory.c:1943
 bpf_jit_binary_lock_ro include/linux/filter.h:892 [inline]
 bpf_int_jit_compile+0xbf36/0xc6c0 arch/x86/net/bpf_jit_comp.c:2422
 bpf_prog_select_runtime+0x701/0x9f0 kernel/bpf/core.c:1930
 bpf_migrate_filter net/core/filter.c:1299 [inline]
 bpf_prepare_filter+0x10d0/0x13d0 net/core/filter.c:1347
 sk_attach_filter+0x1e/0x130 net/core/filter.c:1531
 sock_setsockopt+0x19ff/0x2f10 net/core/sock.c:1167
 __sys_setsockopt+0x5dd/0x990 net/socket.c:2199
 __do_sys_setsockopt net/socket.c:2214 [inline]
 __se_sys_setsockopt net/socket.c:2211 [inline]
 __x64_sys_setsockopt+0xb1/0xc0 net/socket.c:2211
------------[ cut here ]------------
kernel BUG at include/linux/mm.h:1213!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 276 Comm: jfsCommit Tainted: G    B             5.15.173-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:get_page include/linux/mm.h:1213 [inline]
RIP: 0010:put_metapage+0x283/0x290 fs/jfs/jfs_metapage.c:722
Code: 03 38 c1 0f 8c f8 fe ff ff 4c 89 ff e8 66 6a e5 fe e9 eb fe ff ff e8 2c 92 9b fe 4c 89 e7 48 c7 c6 e0 64 c1 8a e8 3d e4 d1 fe <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 90 55 41 57 41 56 41 55 41 54
RSP: 0018:ffffc900026b7cc0 EFLAGS: 00010246
RAX: b163462e8d12a400 RBX: 000000000000007f RCX: ffff88801e011dc0
RDX: 0000000000000000 RSI: 000000000000ffff RDI: 000000000000ffff
RBP: ffff8880610e93e0 R08: ffffffff81d10e84 R09: fffff520004d6e55
R10: 0000000000000000 R11: dffffc0000000001 R12: ffffea000190b200
R13: ffff8880610e9408 R14: 1ffff1100c21d281 R15: ffffea000190b234
FS:  0000000000000000(0000) GS:ffff8880b9100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000559a3624f098 CR3: 00000000228a0000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 txUnlock+0x42f/0xca0 fs/jfs/jfs_txnmgr.c:947
 txLazyCommit fs/jfs/jfs_txnmgr.c:2716 [inline]
 jfs_lazycommit+0x5cd/0xc30 fs/jfs/jfs_txnmgr.c:2766
 kthread+0x3f6/0x4f0 kernel/kthread.c:334
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287
 </TASK>
Modules linked in:
---[ end trace 8efb52a30f863955 ]---
RIP: 0010:get_page include/linux/mm.h:1213 [inline]
RIP: 0010:put_metapage+0x283/0x290 fs/jfs/jfs_metapage.c:722
Code: 03 38 c1 0f 8c f8 fe ff ff 4c 89 ff e8 66 6a e5 fe e9 eb fe ff ff e8 2c 92 9b fe 4c 89 e7 48 c7 c6 e0 64 c1 8a e8 3d e4 d1 fe <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 90 55 41 57 41 56 41 55 41 54
RSP: 0018:ffffc900026b7cc0 EFLAGS: 00010246
RAX: b163462e8d12a400 RBX: 000000000000007f RCX: ffff88801e011dc0
RDX: 0000000000000000 RSI: 000000000000ffff RDI: 000000000000ffff
RBP: ffff8880610e93e0 R08: ffffffff81d10e84 R09: fffff520004d6e55
R10: 0000000000000000 R11: dffffc0000000001 R12: ffffea000190b200
R13: ffff8880610e9408 R14: 1ffff1100c21d281 R15: ffffea000190b234
FS:  0000000000000000(0000) GS:ffff8880b9000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055556258c5c8 CR3: 000000002b54e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400