------------[ cut here ]------------
VFS: brelse: Trying to free free buffer
WARNING: CPU: 0 PID: 8 at fs/buffer.c:1235 __brelse fs/buffer.c:1235 [inline]
WARNING: CPU: 0 PID: 8 at fs/buffer.c:1235 brelse include/linux/buffer_head.h:312 [inline]
WARNING: CPU: 0 PID: 8 at fs/buffer.c:1235 __invalidate_bh_lrus fs/buffer.c:1487 [inline]
WARNING: CPU: 0 PID: 8 at fs/buffer.c:1235 invalidate_bh_lru+0x102/0x1b0 fs/buffer.c:1500
Modules linked in:
CPU: 0 PID: 8 Comm: kworker/0:0 Not tainted 6.7.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
Workqueue: events nsim_fib_event_work
RIP: 0010:__brelse fs/buffer.c:1235 [inline]
RIP: 0010:brelse include/linux/buffer_head.h:312 [inline]
RIP: 0010:__invalidate_bh_lrus fs/buffer.c:1487 [inline]
RIP: 0010:invalidate_bh_lru+0x102/0x1b0 fs/buffer.c:1500
Code: f4 3f df ff f0 ff 0b eb 25 e8 7a 36 83 ff 41 80 3c 2e 00 75 2a eb 30 e8 6c 36 83 ff 90 48 c7 c7 00 44 78 8b e8 df 13 49 ff 90 <0f> 0b 90 90 48 bd 00 00 00 00 00 fc ff df 41 80 3c 2e 00 74 08 4c
RSP: 0018:ffffc90000007f30 EFLAGS: 00010046
RAX: b9a3320042bdf900 RBX: ffff888077913df8 RCX: ffff88801767d940
RDX: 0000000080010002 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffff81545d52 R09: 1ffff11017305172
R10: dffffc0000000000 R11: ffffed1017305173 R12: ffff8880b9837f78
R13: 0000000000000008 R14: 1ffff11017306ff0 R15: ffff8880b9837f80
FS:  0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc8fae895e8 CR3: 000000000d731000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 csd_do_func kernel/smp.c:133 [inline]
 __flush_smp_call_function_queue+0x3e8/0x15a0 kernel/smp.c:511
 __sysvec_call_function_single+0xa8/0x3e0 arch/x86/kernel/smp.c:267
 sysvec_call_function_single+0x8f/0xb0 arch/x86/kernel/smp.c:262
 </IRQ>
 <TASK>
 asm_sysvec_call_function_single+0x1a/0x20 arch/x86/include/asm/idtentry.h:656
RIP: 0010:__raw_spin_unlock_irq include/linux/spinlock_api_smp.h:160 [inline]
RIP: 0010:_raw_spin_unlock_irq+0x29/0x50 kernel/locking/spinlock.c:202
Code: 00 f3 0f 1e fa 53 48 89 fb 48 83 c7 18 48 8b 74 24 08 e8 3a 40 4b f6 48 89 df e8 32 7b 4c f6 e8 6d 4b 73 f6 fb bf 01 00 00 00 <e8> 52 a0 3e f6 65 8b 05 73 ab e1 74 85 c0 74 02 5b c3 e8 40 79 de
RSP: 0018:ffffc900000d75a0 EFLAGS: 00000286
RAX: b9a3320042bdf900 RBX: ffff8880b983bb00 RCX: ffffffff816d97aa
RDX: dffffc0000000000 RSI: ffffffff8b6aaa40 RDI: 0000000000000001
RBP: ffffc900000d76d8 R08: ffffffff90dd9377 R09: 1ffffffff21bb26e
R10: dffffc0000000000 R11: fffffbfff21bb26f R12: dffffc0000000000
R13: ffff88801767d940 R14: ffffffff8b20820e R15: ffff88801767d96c
 sched_submit_work kernel/sched/core.c:6729 [inline]
 schedule+0xe7/0x260 kernel/sched/core.c:6777
 schedule_timeout+0x1bd/0x300 kernel/time/timer.c:2167
 schedule_timeout_uninterruptible kernel/time/timer.c:2201 [inline]
 msleep+0xa1/0xe0 kernel/time/timer.c:2322
 nsim_fib6_rt_add drivers/net/netdevsim/fib.c:693 [inline]
 nsim_fib6_rt_insert drivers/net/netdevsim/fib.c:759 [inline]
 nsim_fib6_event drivers/net/netdevsim/fib.c:856 [inline]
 nsim_fib_event drivers/net/netdevsim/fib.c:889 [inline]
 nsim_fib_event_work+0x2e2c/0x4130 drivers/net/netdevsim/fib.c:1492
 process_one_work kernel/workqueue.c:2627 [inline]
 process_scheduled_works+0x90f/0x1420 kernel/workqueue.c:2700
 worker_thread+0xa5f/0x1000 kernel/workqueue.c:2781
 kthread+0x2d3/0x370 kernel/kthread.c:388
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
 </TASK>
----------------
Code disassembly (best guess):
   0:	00 f3                	add    %dh,%bl
   2:	0f 1e fa             	nop    %edx
   5:	53                   	push   %rbx
   6:	48 89 fb             	mov    %rdi,%rbx
   9:	48 83 c7 18          	add    $0x18,%rdi
   d:	48 8b 74 24 08       	mov    0x8(%rsp),%rsi
  12:	e8 3a 40 4b f6       	call   0xf64b4051
  17:	48 89 df             	mov    %rbx,%rdi
  1a:	e8 32 7b 4c f6       	call   0xf64c7b51
  1f:	e8 6d 4b 73 f6       	call   0xf6734b91
  24:	fb                   	sti
  25:	bf 01 00 00 00       	mov    $0x1,%edi
* 2a:	e8 52 a0 3e f6       	call   0xf63ea081 <-- trapping instruction
  2f:	65 8b 05 73 ab e1 74 	mov    %gs:0x74e1ab73(%rip),%eax        # 0x74e1aba9
  36:	85 c0                	test   %eax,%eax
  38:	74 02                	je     0x3c
  3a:	5b                   	pop    %rbx
  3b:	c3                   	ret
  3c:	e8                   	.byte 0xe8
  3d:	40 79 de             	rex jns 0x1e