------------[ cut here ]------------
VFS: brelse: Trying to free free buffer
WARNING: CPU: 1 PID: 11636 at fs/buffer.c:1235 __brelse fs/buffer.c:1235 [inline]
WARNING: CPU: 1 PID: 11636 at fs/buffer.c:1235 __brelse+0x6d/0xb0 fs/buffer.c:1229
Modules linked in:
CPU: 1 PID: 11636 Comm: syz-executor.3 Not tainted 6.9.0-rc4-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:__brelse fs/buffer.c:1235 [inline]
RIP: 0010:__brelse+0x6d/0xb0 fs/buffer.c:1229
Code: 84 d2 75 52 44 8b 63 60 31 ff 44 89 e6 e8 3b 95 81 ff 45 85 e4 75 20 e8 51 9a 81 ff 90 48 c7 c7 20 16 1e 8b e8 04 6f 44 ff 90 <0f> 0b 90 90 5b 5d 41 5c e9 36 9a 81 ff e8 31 9a 81 ff be 04 00 00
RSP: 0000:ffffc90021b0fe88 EFLAGS: 00010086
RAX: 0000000000000000 RBX: ffff8880616792b8 RCX: ffffffff81512be9
RDX: ffff888018b9a440 RSI: ffffffff81512bf6 RDI: 0000000000000001
RBP: ffff888061679318 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff8880616792b8 R14: dffffc0000000000 R15: ffffffff820cbba0
FS:  0000000000000000(0000) GS:ffff88802c300000(0063) knlGS:0000000057de5400
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 0000000031322000 CR3: 000000005aebc000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 brelse include/linux/buffer_head.h:309 [inline]
 __invalidate_bh_lrus fs/buffer.c:1487 [inline]
 invalidate_bh_lru+0xa2/0x190 fs/buffer.c:1500
 csd_do_func kernel/smp.c:133 [inline]
 __flush_smp_call_function_queue+0x27a/0x8c0 kernel/smp.c:511
 __sysvec_call_function+0x8c/0x410 arch/x86/kernel/smp.c:262
 instr_sysvec_call_function arch/x86/kernel/smp.c:257 [inline]
 sysvec_call_function+0x43/0xb0 arch/x86/kernel/smp.c:257
 asm_sysvec_call_function+0x1a/0x20 arch/x86/include/asm/idtentry.h:710
RIP: 0023:0xf72aee3a
Code: 00 00 00 8b 44 24 40 83 c6 01 3b 70 04 0f 83 0c 01 00 00 8b 44 24 40 89 7c 24 08 8b 78 18 8b 44 24 0c 89 fd c1 fd 1f 03 3c f0 <13> 6c f0 04 8b 44 24 04 89 fb 81 e3 00 f0 ff ff 80 b8 c0 20 02 00
RSP: 002b:00000000ffa55fd0 EFLAGS: 00000282
RAX: 00000000f6c88008 RBX: 00000000813cd7f4 RCX: 00000000000017f4
RDX: 00000000813cd7f4 RSI: 0000000000029fff RDI: 00000000813caa19
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
----------------
Code disassembly (best guess):
   0:   00 00                   add    %al,(%rax)
   2:   00 8b 44 24 40 83       add    %cl,-0x7cbfdbbc(%rbx)
   8:   c6 01 3b                movb   $0x3b,(%rcx)
   b:   70 04                   jo     0x11
   d:   0f 83 0c 01 00 00       jae    0x11f
  13:   8b 44 24 40             mov    0x40(%rsp),%eax
  17:   89 7c 24 08             mov    %edi,0x8(%rsp)
  1b:   8b 78 18                mov    0x18(%rax),%edi
  1e:   8b 44 24 0c             mov    0xc(%rsp),%eax
  22:   89 fd                   mov    %edi,%ebp
  24:   c1 fd 1f                sar    $0x1f,%ebp
  27:   03 3c f0                add    (%rax,%rsi,8),%edi
* 2a:   13 6c f0 04             adc    0x4(%rax,%rsi,8),%ebp <-- trapping instruction
  2e:   8b 44 24 04             mov    0x4(%rsp),%eax
  32:   89 fb                   mov    %edi,%ebx
  34:   81 e3 00 f0 ff ff       and    $0xfffff000,%ebx
  3a:   80                      .byte 0x80
  3b:   b8 c0 20 02 00          mov    $0x220c0,%eax