------------[ cut here ]------------
VFS: brelse: Trying to free free buffer
WARNING: CPU: 1 PID: 11636 at fs/buffer.c:1235 __brelse fs/buffer.c:1235 [inline]
WARNING: CPU: 1 PID: 11636 at fs/buffer.c:1235 __brelse+0x6d/0xb0 fs/buffer.c:1229
Modules linked in:
CPU: 1 PID: 11636 Comm: syz-executor.3 Not tainted 6.9.0-rc4-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:__brelse fs/buffer.c:1235 [inline]
RIP: 0010:__brelse+0x6d/0xb0 fs/buffer.c:1229
Code: 84 d2 75 52 44 8b 63 60 31 ff 44 89 e6 e8 3b 95 81 ff 45 85 e4 75 20 e8 51 9a 81 ff 90 48 c7 c7 20 16 1e 8b e8 04 6f 44 ff 90 <0f> 0b 90 90 5b 5d 41 5c e9 36 9a 81 ff e8 31 9a 81 ff be 04 00 00
RSP: 0000:ffffc90021b0fe88 EFLAGS: 00010086
RAX: 0000000000000000 RBX: ffff8880616792b8 RCX: ffffffff81512be9
RDX: ffff888018b9a440 RSI: ffffffff81512bf6 RDI: 0000000000000001
RBP: ffff888061679318 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff8880616792b8 R14: dffffc0000000000 R15: ffffffff820cbba0
FS:  0000000000000000(0000) GS:ffff88802c300000(0063) knlGS:0000000057de5400
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 0000000031322000 CR3: 000000005aebc000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 brelse include/linux/buffer_head.h:309 [inline]
 __invalidate_bh_lrus fs/buffer.c:1487 [inline]
 invalidate_bh_lru+0xa2/0x190 fs/buffer.c:1500
 csd_do_func kernel/smp.c:133 [inline]
 __flush_smp_call_function_queue+0x27a/0x8c0 kernel/smp.c:511
 __sysvec_call_function+0x8c/0x410 arch/x86/kernel/smp.c:262
 instr_sysvec_call_function arch/x86/kernel/smp.c:257 [inline]
 sysvec_call_function+0x43/0xb0 arch/x86/kernel/smp.c:257
 asm_sysvec_call_function+0x1a/0x20 arch/x86/include/asm/idtentry.h:710
RIP: 0023:0xf72aee3a
Code: 00 00 00 8b 44 24 40 83 c6 01 3b 70 04 0f 83 0c 01 00 00 8b 44 24 40 89 7c 24 08 8b 78 18 8b 44 24 0c 89 fd c1 fd 1f 03 3c f0 <13> 6c f0 04 8b 44 24 04 89 fb 81 e3 00 f0 ff ff 80 b8 c0 20 02 00
RSP: 002b:00000000ffa55fd0 EFLAGS: 00000282
RAX: 00000000f6c88008 RBX: 00000000813cd7f4 RCX: 00000000000017f4
RDX: 00000000813cd7f4 RSI: 0000000000029fff RDI: 00000000813caa19
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>
----------------
Code disassembly (best guess):
   0:	00 00                	add    %al,(%rax)
   2:	00 8b 44 24 40 83    	add    %cl,-0x7cbfdbbc(%rbx)
   8:	c6 01 3b             	movb   $0x3b,(%rcx)
   b:	70 04                	jo     0x11
   d:	0f 83 0c 01 00 00    	jae    0x11f
  13:	8b 44 24 40          	mov    0x40(%rsp),%eax
  17:	89 7c 24 08          	mov    %edi,0x8(%rsp)
  1b:	8b 78 18             	mov    0x18(%rax),%edi
  1e:	8b 44 24 0c          	mov    0xc(%rsp),%eax
  22:	89 fd                	mov    %edi,%ebp
  24:	c1 fd 1f             	sar    $0x1f,%ebp
  27:	03 3c f0             	add    (%rax,%rsi,8),%edi
* 2a:	13 6c f0 04          	adc    0x4(%rax,%rsi,8),%ebp <-- trapping instruction
  2e:	8b 44 24 04          	mov    0x4(%rsp),%eax
  32:	89 fb                	mov    %edi,%ebx
  34:	81 e3 00 f0 ff ff    	and    $0xfffff000,%ebx
  3a:	80                   	.byte 0x80
  3b:	b8 c0 20 02 00       	mov    $0x220c0,%eax