NILFS (loop1): unable to write superblock: err=-5
NILFS (loop1): unable to write superblock: err=-5
==================================================================
BUG: KFENCE: use-after-free read in constant_test_bit arch/x86/include/asm/bitops.h:207 [inline]
BUG: KFENCE: use-after-free read in arch_test_bit arch/x86/include/asm/bitops.h:239 [inline]
BUG: KFENCE: use-after-free read in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:142 [inline]
BUG: KFENCE: use-after-free read in mapping_unevictable include/linux/pagemap.h:252 [inline]
BUG: KFENCE: use-after-free read in folio_evictable mm/internal.h:138 [inline]
BUG: KFENCE: use-after-free read in lru_add_fn+0x2f3/0x1ac0 mm/swap.c:210

Use-after-free read at 0xffff88823bd88f58 (in kfence-#195):
 constant_test_bit arch/x86/include/asm/bitops.h:207 [inline]
 arch_test_bit arch/x86/include/asm/bitops.h:239 [inline]
 _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:142 [inline]
 mapping_unevictable include/linux/pagemap.h:252 [inline]
 folio_evictable mm/internal.h:138 [inline]
 lru_add_fn+0x2f3/0x1ac0 mm/swap.c:210
 folio_batch_move_lru+0x31a/0x720 mm/swap.c:246
 lru_add_drain_cpu+0x108/0x8b0 mm/swap.c:669
 lru_add_drain+0x11e/0x3e0 mm/swap.c:773
 __pagevec_release+0x51/0xf0 mm/swap.c:1072
 pagevec_release include/linux/pagevec.h:71 [inline]
 write_cache_pages+0x12bb/0x15c0 mm/page-writeback.c:2399
 generic_writepages mm/page-writeback.c:2451 [inline]
 do_writepages+0x40f/0x670 mm/page-writeback.c:2471
 __writeback_single_inode+0x15d/0x11e0 fs/fs-writeback.c:1612
 writeback_single_inode+0x22c/0x960 fs/fs-writeback.c:1733
 write_inode_now+0x1cf/0x260 fs/fs-writeback.c:2769
 iput_final fs/inode.c:1778 [inline]
 iput+0x616/0x980 fs/inode.c:1817
 nilfs_put_super+0xd3/0x150 fs/nilfs2/super.c:507
 generic_shutdown_super+0x130/0x340 fs/super.c:501
 kill_block_super+0x7a/0xe0 fs/super.c:1459
 deactivate_locked_super+0xa0/0x110 fs/super.c:332
 cleanup_mnt+0x490/0x520 fs/namespace.c:1186
 task_work_run+0x246/0x300 kernel/task_work.c:179
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop+0xde/0x100 kernel/entry/common.c:177
 exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:210
 __syscall_exit_to_user_mode_work kernel/entry/common.c:292 [inline]
 syscall_exit_to_user_mode+0x60/0x270 kernel/entry/common.c:303
 do_syscall_64+0x47/0xb0 arch/x86/entry/common.c:87
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

kfence-#195: 0xffff88823bd88a18-0xffff88823bd88fff, size=1512, cache=nilfs2_inode_cache

allocated by task 12776 on cpu 0 at 482.214633s:
 alloc_inode_sb include/linux/fs.h:3193 [inline]
 nilfs_alloc_inode+0x2a/0xe0 fs/nilfs2/super.c:154
 alloc_inode fs/inode.c:261 [inline]
 iget5_locked+0x9c/0x270 fs/inode.c:1285
 nilfs_iget_locked+0x127/0x180 fs/nilfs2/inode.c:605
 nilfs_ifile_read+0x2e/0x170 fs/nilfs2/ifile.c:187
 nilfs_attach_checkpoint+0x260/0x4d0 fs/nilfs2/super.c:572
 nilfs_fill_super+0x349/0x660 fs/nilfs2/super.c:1095
 nilfs_mount+0x679/0x9a0 fs/nilfs2/super.c:1347
 legacy_get_tree+0xeb/0x180 fs/fs_context.c:632
 vfs_get_tree+0x88/0x270 fs/super.c:1562
 do_new_mount+0x2ba/0xb40 fs/namespace.c:3051
 do_mount fs/namespace.c:3394 [inline]
 __do_sys_mount fs/namespace.c:3602 [inline]
 __se_sys_mount+0x2d5/0x3c0 fs/namespace.c:3579
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

freed by task 12302 on cpu 0 at 482.946391s:
 rcu_do_batch kernel/rcu/tree.c:2296 [inline]
 rcu_core+0xad5/0x1810 kernel/rcu/tree.c:2556
 handle_softirqs+0x2ee/0xa40 kernel/softirq.c:571
 __do_softirq kernel/softirq.c:605 [inline]
 invoke_softirq kernel/softirq.c:445 [inline]
 __irq_exit_rcu+0x157/0x240 kernel/softirq.c:654
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:666
 sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1106
 asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:653
 console_emit_next_record+0xd67/0x1000 kernel/printk/printk.c:2786
 console_unlock+0x278/0x7c0 kernel/printk/printk.c:2906
 vprintk_emit+0x523/0x740 kernel/printk/printk.c:2303
 _printk+0xd1/0x111 kernel/printk/printk.c:2328
 __nilfs_msg+0x2a9/0x330 fs/nilfs2/super.c:78
 nilfs_sync_super fs/nilfs2/super.c:188 [inline]
 nilfs_commit_super+0x48f/0x940 fs/nilfs2/super.c:297
 nilfs_cleanup_super+0x562/0x6b0 fs/nilfs2/super.c:328
 nilfs_put_super+0x94/0x150 fs/nilfs2/super.c:502
 generic_shutdown_super+0x130/0x340 fs/super.c:501
 kill_block_super+0x7a/0xe0 fs/super.c:1459
 deactivate_locked_super+0xa0/0x110 fs/super.c:332
 cleanup_mnt+0x490/0x520 fs/namespace.c:1186
 task_work_run+0x246/0x300 kernel/task_work.c:179
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop+0xde/0x100 kernel/entry/common.c:177
 exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:210
 __syscall_exit_to_user_mode_work kernel/entry/common.c:292 [inline]
 syscall_exit_to_user_mode+0x60/0x270 kernel/entry/common.c:303
 do_syscall_64+0x47/0xb0 arch/x86/entry/common.c:87
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

CPU: 0 PID: 12302 Comm: syz-executor.1 Not tainted 6.1.94-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
RIP: 0010:constant_test_bit arch/x86/include/asm/bitops.h:207 [inline]
RIP: 0010:arch_test_bit arch/x86/include/asm/bitops.h:239 [inline]
RIP: 0010:_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:142 [inline]
RIP: 0010:mapping_unevictable include/linux/pagemap.h:252 [inline]
RIP: 0010:folio_evictable mm/internal.h:138 [inline]
RIP: 0010:lru_add_fn+0x2f3/0x1ac0 mm/swap.c:210
Code: df be 08 00 00 00 e8 ec c3 25 00 48 89 d8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df 80 3c 08 00 74 08 48 89 df e8 3d c2 25 00 <48> 8b 1b 48 89 de 48 83 e6 08 31 ff e8 bc 45 ce ff 48 83 e3 08 0f
RSP: 0018:ffffc9000357f340 EFLAGS: 00010046
RAX: 1ffff110477b11eb RBX: ffff88823bd88f58 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff88823bd88f58
RBP: 0000000000000000 R08: dffffc0000000000 R09: ffffed10477b11ec
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000000
R13: ffffffff81bc5084 R14: ffffea0001824a80 R15: 0000000000000001
FS:  000055555642c480(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88823bd88f58 CR3: 000000005ef91000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 folio_batch_move_lru+0x31a/0x720 mm/swap.c:246
 lru_add_drain_cpu+0x108/0x8b0 mm/swap.c:669
 lru_add_drain+0x11e/0x3e0 mm/swap.c:773
 __pagevec_release+0x51/0xf0 mm/swap.c:1072
 pagevec_release include/linux/pagevec.h:71 [inline]
 write_cache_pages+0x12bb/0x15c0 mm/page-writeback.c:2399
 generic_writepages mm/page-writeback.c:2451 [inline]
 do_writepages+0x40f/0x670 mm/page-writeback.c:2471
 __writeback_single_inode+0x15d/0x11e0 fs/fs-writeback.c:1612
 writeback_single_inode+0x22c/0x960 fs/fs-writeback.c:1733
 write_inode_now+0x1cf/0x260 fs/fs-writeback.c:2769
 iput_final fs/inode.c:1778 [inline]
 iput+0x616/0x980 fs/inode.c:1817
 nilfs_put_super+0xd3/0x150 fs/nilfs2/super.c:507
 generic_shutdown_super+0x130/0x340 fs/super.c:501
 kill_block_super+0x7a/0xe0 fs/super.c:1459
 deactivate_locked_super+0xa0/0x110 fs/super.c:332
 cleanup_mnt+0x490/0x520 fs/namespace.c:1186
 task_work_run+0x246/0x300 kernel/task_work.c:179
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop+0xde/0x100 kernel/entry/common.c:177
 exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:210
 __syscall_exit_to_user_mode_work kernel/entry/common.c:292 [inline]
 syscall_exit_to_user_mode+0x60/0x270 kernel/entry/common.c:303
 do_syscall_64+0x47/0xb0 arch/x86/entry/common.c:87
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f29bb47e1d7
Code: b0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 b0 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007ffd75bd2598 EFLAGS: 00000202 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000064 RCX: 00007f29bb47e1d7
RDX: 0000000000000200 RSI: 0000000000000009 RDI: 00007ffd75bd3740
RBP: 00007f29bb4d9636 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000100 R11: 0000000000000202 R12: 00007ffd75bd3740
R13: 00007f29bb4d9636 R14: 000055555642c430 R15: 0000000000000007
 </TASK>
==================================================================
----------------
Code disassembly (best guess):
   0:	df be 08 00 00 00    	fistpll 0x8(%rsi)
   6:	e8 ec c3 25 00       	call   0x25c3f7
   b:	48 89 d8             	mov    %rbx,%rax
   e:	48 c1 e8 03          	shr    $0x3,%rax
  12:	48 b9 00 00 00 00 00 	movabs $0xdffffc0000000000,%rcx
  19:	fc ff df
  1c:	80 3c 08 00          	cmpb   $0x0,(%rax,%rcx,1)
  20:	74 08                	je     0x2a
  22:	48 89 df             	mov    %rbx,%rdi
  25:	e8 3d c2 25 00       	call   0x25c267
* 2a:	48 8b 1b             	mov    (%rbx),%rbx <-- trapping instruction
  2d:	48 89 de             	mov    %rbx,%rsi
  30:	48 83 e6 08          	and    $0x8,%rsi
  34:	31 ff                	xor    %edi,%edi
  36:	e8 bc 45 ce ff       	call   0xffce45f7
  3b:	48 83 e3 08          	and    $0x8,%rbx
  3f:	0f                   	.byte 0xf