BUG: Bad rss-counter state mm:ffff88807d6f6e40 type:MM_SHMEMPAGES val:86 Comm:syz.4.4891 Pid:28970
page: refcount:3 mapcount:1 mapping:ffff88802559fbf8 index:0x40 pfn:0x80640
memcg:ffff88801c2edcc0
aops:shmem_aops ino:159
flags: 0xfff7800002022d(locked|referenced|uptodate|lru|workingset|swapbacked|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff7800002022d ffffea0002019048 ffffea0002018fc8 ffff88802559fbf8
raw: 0000000000000040 0000000000000000 0000000300000000 ffff88801c2edcc0
page dumped because: VM_BUG_ON_FOLIO(folio_mapped(folio))
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Movable, gfp_mask 0x1c24ca(GFP_TRANSHUGE), pid 28970, tgid 28956 (syz.4.4891), ts 2132518244322, free_ts 2119675530257
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250
 __alloc_pages_noprof mm/page_alloc.c:5284 [inline]
 __folio_alloc_noprof+0x18/0x120 mm/page_alloc.c:5294
 alloc_charge_folio+0x3c8/0x830 mm/khugepaged.c:1058
 collapse_file mm/khugepaged.c:1865 [inline]
 hpage_collapse_scan_file+0x185a/0x5350 mm/khugepaged.c:2380
 madvise_collapse+0x42f/0xb30 mm/khugepaged.c:2809
 madvise_vma_behavior+0x10ce/0x4300 mm/madvise.c:1370
 madvise_walk_vmas+0x573/0xae0 mm/madvise.c:1719
 madvise_do_behavior+0x386/0x540 mm/madvise.c:1935
 do_madvise+0x1fa/0x2e0 mm/madvise.c:2028
 __do_sys_madvise mm/madvise.c:2037 [inline]
 __se_sys_madvise mm/madvise.c:2035 [inline]
 __ia32_sys_madvise+0xa6/0xc0 mm/madvise.c:2035
 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
 __do_fast_syscall_32+0x229/0x6e0 arch/x86/entry/syscall_32.c:307
 do_fast_syscall_32+0x33/0x70 arch/x86/entry/syscall_32.c:332
 entry_SYSENTER_compat_after_hwframe+0x84/0x8e
page last free pid 28805 tgid 28791 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 free_unref_folios+0xecc/0x16e0 mm/page_alloc.c:3040
 folios_put_refs+0x789/0x8d0 mm/swap.c:1002
 folio_batch_release include/linux/pagevec.h:101 [inline]
 shmem_undo_range+0x52c/0x1660 mm/shmem.c:1149
 shmem_truncate_range mm/shmem.c:1277 [inline]
 shmem_evict_inode+0x289/0xae0 mm/shmem.c:1407
 evict+0x61e/0xb10 fs/inode.c:841
 __dentry_kill+0x1a2/0x5e0 fs/dcache.c:670
 finish_dput+0xc9/0x480 fs/dcache.c:879
 __fput+0x691/0xa60 fs/file_table.c:518
 task_work_run+0x1d9/0x270 kernel/task_work.c:233
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0x70f/0x23c0 kernel/exit.c:977
 do_group_exit+0x21b/0x2d0 kernel/exit.c:1119
 get_signal+0x1284/0x1330 kernel/signal.c:3039
 arch_do_signal_or_restart+0xbc/0x830 arch/x86/kernel/signal.c:337
 __exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
 exit_to_user_mode_loop+0x86/0x480 kernel/entry/common.c:98
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline]
 syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:238 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:328 [inline]
 __do_fast_syscall_32+0x446/0x6e0 arch/x86/entry/syscall_32.c:310
 do_fast_syscall_32+0x33/0x70 arch/x86/entry/syscall_32.c:332
------------[ cut here ]------------
kernel BUG at mm/filemap.c:155!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 0 UID: 0 PID: 28970 Comm: syz.4.4891 Tainted: G             L      syzkaller #0 PREEMPT(full) 
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
RIP: 0010:filemap_unaccount_folio+0x70f/0x790 mm/filemap.c:155
Code: fd c3 ff 48 89 df 48 c7 c6 60 ba d7 8b e8 19 bb 26 ff 90 0f 0b e8 b1 fd c3 ff 48 89 df 48 c7 c6 c0 b7 d7 8b e8 02 bb 26 ff 90 <0f> 0b e8 9a fd c3 ff 48 89 df 48 c7 c6 60 ba d7 8b e8 eb ba 26 ff
RSP: 0000:ffffc90004a370b8 EFLAGS: 00010046
RAX: e172b48f85194500 RBX: ffffea0002019000 RCX: 0000000080000002
RDX: 0000000000000002 RSI: ffffffff8e22a119 RDI: ffff888033708000
RBP: 0000000000000001 R08: ffff8880b86247d3 R09: 1ffff110170c48fa
R10: dffffc0000000000 R11: ffffed10170c48fb R12: ffffea0002019030
R13: ffff88802559fbf8 R14: 1ffffd4000403200 R15: ffffea0002019008
FS:  0000000000000000(0000) GS:ffff888125245000(0000) knlGS:0000000000000000
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 0000000080045000 CR3: 000000005abb2000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 __filemap_remove_folio+0xc5/0x530 mm/filemap.c:227
 filemap_remove_folio+0xe6/0x1f0 mm/filemap.c:257
 truncate_inode_folio+0x5d/0x70 mm/truncate.c:176
 shmem_undo_range+0x42f/0x1660 mm/shmem.c:1145
 shmem_truncate_range mm/shmem.c:1277 [inline]
 shmem_evict_inode+0x289/0xae0 mm/shmem.c:1407
 evict+0x61e/0xb10 fs/inode.c:841
 __dentry_kill+0x1a2/0x5e0 fs/dcache.c:670
 finish_dput+0xc9/0x480 fs/dcache.c:879
 __fput+0x691/0xa60 fs/file_table.c:518
 task_work_run+0x1d9/0x270 kernel/task_work.c:233
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0x70f/0x23c0 kernel/exit.c:977
 do_group_exit+0x21b/0x2d0 kernel/exit.c:1119
 get_signal+0x1284/0x1330 kernel/signal.c:3039
 arch_do_signal_or_restart+0xbc/0x830 arch/x86/kernel/signal.c:337
 __exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
 exit_to_user_mode_loop+0x86/0x480 kernel/entry/common.c:98
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline]
 syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:238 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:328 [inline]
 __do_fast_syscall_32+0x446/0x6e0 arch/x86/entry/syscall_32.c:310
 do_fast_syscall_32+0x33/0x70 arch/x86/entry/syscall_32.c:332
 entry_SYSENTER_compat_after_hwframe+0x84/0x8e
RIP: 0023:0xf704f01c
Code: Unable to access opcode bytes at 0xf704eff2.
RSP: 002b:00000000f541c5bc EFLAGS: 00000206 ORIG_RAX: 00000000000000f0
RAX: fffffffffffffe00 RBX: 00000000f7445020 RCX: 0000000000000080
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000f7445024
RBP: 0000000000000081 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:filemap_unaccount_folio+0x70f/0x790 mm/filemap.c:155
Code: fd c3 ff 48 89 df 48 c7 c6 60 ba d7 8b e8 19 bb 26 ff 90 0f 0b e8 b1 fd c3 ff 48 89 df 48 c7 c6 c0 b7 d7 8b e8 02 bb 26 ff 90 <0f> 0b e8 9a fd c3 ff 48 89 df 48 c7 c6 60 ba d7 8b e8 eb ba 26 ff
RSP: 0000:ffffc90004a370b8 EFLAGS: 00010046
RAX: e172b48f85194500 RBX: ffffea0002019000 RCX: 0000000080000002
RDX: 0000000000000002 RSI: ffffffff8e22a119 RDI: ffff888033708000
RBP: 0000000000000001 R08: ffff8880b86247d3 R09: 1ffff110170c48fa
R10: dffffc0000000000 R11: ffffed10170c48fb R12: ffffea0002019030
R13: ffff88802559fbf8 R14: 1ffffd4000403200 R15: ffffea0002019008
FS:  0000000000000000(0000) GS:ffff888125245000(0000) knlGS:0000000000000000
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 0000000080045000 CR3: 000000005abb2000 CR4: 00000000003526f0