------------[ cut here ]------------
VFS: brelse: Trying to free free buffer
WARNING: CPU: 1 PID: 5324 at fs/buffer.c:1148 __brelse fs/buffer.c:1148 [inline]
WARNING: CPU: 1 PID: 5324 at fs/buffer.c:1148 brelse include/linux/buffer_head.h:325 [inline]
WARNING: CPU: 1 PID: 5324 at fs/buffer.c:1148 __invalidate_bh_lrus fs/buffer.c:1394 [inline]
WARNING: CPU: 1 PID: 5324 at fs/buffer.c:1148 invalidate_bh_lru+0xf8/0x1a0 fs/buffer.c:1407
Modules linked in:
CPU: 1 PID: 5324 Comm: syz.0.17 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:__brelse fs/buffer.c:1148 [inline]
RIP: 0010:brelse include/linux/buffer_head.h:325 [inline]
RIP: 0010:__invalidate_bh_lrus fs/buffer.c:1394 [inline]
RIP: 0010:invalidate_bh_lru+0xf8/0x1a0 fs/buffer.c:1407
Code: 00 e8 bc 55 e6 ff f0 41 ff 0e eb 20 e8 e1 ed a1 ff 80 3c 2b 00 75 25 eb 2b e8 d4 ed a1 ff 48 c7 c7 a0 3c 17 8a e8 08 4b c8 07 <0f> 0b 48 bd 00 00 00 00 00 fc ff df 80 3c 2b 00 74 08 4c 89 ff e8
RSP: 0000:ffffc90000dd0f60 EFLAGS: 00010046
RAX: 26f46d7ee995ea00 RBX: 1ffff11017226ca8 RCX: ffff888020c40000
RDX: 0000000000010000 RSI: 0000000080010002 RDI: 0000000000000000
RBP: 0000000000000000 R08: dffffc0000000000 R09: ffffed1017224f24
R10: ffffed1017224f24 R11: 1ffff11017224f23 R12: ffff8880b9136538
R13: 0000000000000008 R14: ffff88806fc707a0 R15: ffff8880b9136540
FS:  00007fbe1e6706c0(0000) GS:ffff8880b9100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fbe1625c000 CR3: 000000007e05a000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 flush_smp_call_function_queue+0x2a9/0x760 kernel/smp.c:628
 __sysvec_call_function_single+0x98/0x240 arch/x86/kernel/smp.c:248
 instr_sysvec_call_function_single arch/x86/kernel/smp.c:243 [inline]
 sysvec_call_function_single+0x98/0xc0 arch/x86/kernel/smp.c:243
 </IRQ>
 <TASK>
 asm_sysvec_call_function_single+0x16/0x20 arch/x86/include/asm/idtentry.h:684
RIP: 0010:__this_cpu_preempt_check+0xa/0x10 lib/smp_processor_id.c:66
Code: 74 24 30 48 c7 c7 c0 a2 59 8a e8 11 70 f5 ff e8 6c 20 f8 ff eb a8 e8 d5 ee ff ff 0f 1f 44 00 00 48 89 fe 48 c7 c7 40 a2 59 8a <e9> e1 fe ff ff 00 eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83
RSP: 0000:ffffc900033efbd0 EFLAGS: 00000296
RAX: ffffffff81718c40 RBX: 0000607f46c38338 RCX: ffff888020c40000
RDX: 0000000000000000 RSI: ffffffff8a15d380 RDI: ffffffff8a59a240
RBP: 0000000000000011 R08: dffffc0000000000 R09: fffff940003a43a1
R10: fffff940003a43a1 R11: 1ffffd40003a43a0 R12: 0000000000000011
R13: 0000000000000001 R14: ffff88807d144000 R15: ffff88807a4680c8
 memcg_rstat_updated mm/memcontrol.c:663 [inline]
 __mod_memcg_lruvec_state+0x109/0x190 mm/memcontrol.c:746
 __mod_lruvec_state mm/memcontrol.c:767 [inline]
 __mod_lruvec_page_state+0x1b6/0x330 mm/memcontrol.c:788
 page_add_new_anon_rmap+0x57d/0x8a0 mm/rmap.c:1203
 do_anonymous_page mm/memory.c:3877 [inline]
 handle_pte_fault mm/memory.c:4648 [inline]
 __handle_mm_fault mm/memory.c:4785 [inline]
 handle_mm_fault+0x37c6/0x43c0 mm/memory.c:4883
 do_user_addr_fault+0x489/0xc80 arch/x86/mm/fault.c:1357
 handle_page_fault arch/x86/mm/fault.c:1445 [inline]
 exc_page_fault+0x60/0x100 arch/x86/mm/fault.c:1501
 asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:606
RIP: 0033:0x7fbe1f2baba3
Code: 1f 84 00 00 00 00 00 3d 00 01 00 00 75 29 45 31 f6 48 83 c4 18 44 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 49 8b 0f <44> 88 34 01 49 83 47 10 01 eb 92 66 90 8d 90 ff fe ff ff 83 fa 1c
RSP: 002b:00007fbe1e66f4a0 EFLAGS: 00010202
RAX: 000000000000c000 RBX: 00007fbe1e66f540 RCX: 00007fbe16250000
RDX: 00007fbe1e66f6e0 RSI: 0000000000000001 RDI: 00007fbe1e66f5e0
RBP: 0000000000000004 R08: 0000000000000007 R09: 000000000000005f
R10: 0000000000000060 R11: 00007fbe1e66f540 R12: 0000000000000201
R13: 00007fbe1f48afe0 R14: 00000000000000b5 R15: 00007fbe1e66f5e0
 </TASK>
----------------
Code disassembly (best guess), 1 bytes skipped:
   0:	24 30                	and    $0x30,%al
   2:	48 c7 c7 c0 a2 59 8a 	mov    $0xffffffff8a59a2c0,%rdi
   9:	e8 11 70 f5 ff       	call   0xfff5701f
   e:	e8 6c 20 f8 ff       	call   0xfff8207f
  13:	eb a8                	jmp    0xffffffbd
  15:	e8 d5 ee ff ff       	call   0xffffeeef
  1a:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
  1f:	48 89 fe             	mov    %rdi,%rsi
  22:	48 c7 c7 40 a2 59 8a 	mov    $0xffffffff8a59a240,%rdi
* 29:	e9 e1 fe ff ff       	jmp    0xffffff0f <-- trapping instruction
  2e:	00 eb                	add    %ch,%bl
  30:	1e                   	(bad)
  31:	0f 1f 00             	nopl   (%rax)
  34:	48 89 f8             	mov    %rdi,%rax
  37:	48 89 d1             	mov    %rdx,%rcx
  3a:	48 c1 e9 03          	shr    $0x3,%rcx
  3e:	83                   	.byte 0x83