syzbot

BUG: Bad page state in process jfsCommit  pfn:30bb8
page:ffffea0000c2ee00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x72c pfn:0x30bb8
flags: 0xfff18000002047(locked|referenced|uptodate|workingset|private|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff18000002047 dead000000000100 dead000000000122 0000000000000000
raw: 000000000000072c ffff88802cd11ba0 00000000ffffffff 0000000000000000
page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x140c40(GFP_NOFS|__GFP_COMP|__GFP_HARDWALL), pid 4428, tgid 4428 (syz.0.17), ts 74750172053, free_ts 74334190609
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x173/0x1a0 mm/page_alloc.c:2532
 prep_new_page mm/page_alloc.c:2539 [inline]
 get_page_from_freelist+0x1a26/0x1ac0 mm/page_alloc.c:4328
 __alloc_pages+0x1df/0x4e0 mm/page_alloc.c:5614
 folio_alloc+0x1c/0x60 mm/mempolicy.c:2292
 filemap_alloc_folio+0xdb/0x460 mm/filemap.c:999
 __filemap_get_folio+0x697/0xdd0 mm/filemap.c:1993
 pagecache_get_page+0x26/0x250 mm/folio-compat.c:110
 find_or_create_page include/linux/pagemap.h:646 [inline]
 grab_cache_page include/linux/pagemap.h:778 [inline]
 __get_metapage+0x2a4/0xfa0 fs/jfs/jfs_metapage.c:613
 dtSplitRoot+0x1de/0x14e0 fs/jfs/jfs_dtree.c:1910
 dtSplitUp fs/jfs/jfs_dtree.c:993 [inline]
 dtInsert+0xe2a/0x58a0 fs/jfs/jfs_dtree.c:871
 jfs_mknod+0x622/0x930 fs/jfs/namei.c:1408
 vfs_mknod+0x424/0x4c0 fs/namei.c:3993
 do_mknodat+0x34e/0x4c0 fs/namei.c:-1
 __do_sys_mknod fs/namei.c:4076 [inline]
 __se_sys_mknod fs/namei.c:4074 [inline]
 __x64_sys_mknod+0x8a/0xa0 fs/namei.c:4074
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1459 [inline]
 free_pcp_prepare mm/page_alloc.c:1509 [inline]
 free_unref_page_prepare+0x8b4/0x9a0 mm/page_alloc.c:3384
 free_unref_page+0x2e/0x3f0 mm/page_alloc.c:3479
 free_slab mm/slub.c:2036 [inline]
 discard_slab mm/slub.c:2042 [inline]
 __unfreeze_partials+0x1a5/0x200 mm/slub.c:2591
 put_cpu_partial+0x17c/0x250 mm/slub.c:2667
 qlink_free mm/kasan/quarantine.c:168 [inline]
 qlist_free_all+0x76/0xe0 mm/kasan/quarantine.c:187
 kasan_quarantine_reduce+0x144/0x160 mm/kasan/quarantine.c:294
 __kasan_slab_alloc+0x1e/0x80 mm/kasan/common.c:305
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook+0x4b/0x480 mm/slab.h:737
 slab_alloc_node mm/slub.c:3359 [inline]
 __kmem_cache_alloc_node+0x140/0x260 mm/slub.c:3398
 kmalloc_trace+0x26/0xe0 mm/slab_common.c:1026
 kmalloc include/linux/slab.h:563 [inline]
 kzalloc include/linux/slab.h:699 [inline]
 nsim_fib4_rt_create drivers/net/netdevsim/fib.c:280 [inline]
 nsim_fib4_rt_insert drivers/net/netdevsim/fib.c:426 [inline]
 nsim_fib4_event drivers/net/netdevsim/fib.c:464 [inline]
 nsim_fib_event drivers/net/netdevsim/fib.c:884 [inline]
 nsim_fib_event_work+0x848/0x32b0 drivers/net/netdevsim/fib.c:1494
 process_one_work+0x898/0x1160 kernel/workqueue.c:2292
 process_scheduled_works kernel/workqueue.c:2355 [inline]
 worker_thread+0xd62/0x1250 kernel/workqueue.c:2441
 kthread+0x29d/0x330 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Modules linked in:
CPU: 1 PID: 107 Comm: jfsCommit Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x168/0x22e lib/dump_stack.c:106
 bad_page+0x14b/0x170 mm/page_alloc.c:699
 free_page_is_bad mm/page_alloc.c:1291 [inline]
 free_pages_prepare mm/page_alloc.c:1452 [inline]
 free_pcp_prepare mm/page_alloc.c:1509 [inline]
 free_unref_page_prepare+0x42a/0x9a0 mm/page_alloc.c:3384
 free_unref_page+0x2e/0x3f0 mm/page_alloc.c:3479
 txUnlock+0x27e/0xcb0 fs/jfs/jfs_txnmgr.c:932
 txLazyCommit fs/jfs/jfs_txnmgr.c:2682 [inline]
 jfs_lazycommit+0x56c/0xa50 fs/jfs/jfs_txnmgr.c:2732
 kthread+0x29d/0x330 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 </TASK>
page:ffffea0000c2ee00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x72c pfn:0x30bb8
flags: 0xfff18000002047(locked|referenced|uptodate|workingset|private|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff18000002047 dead000000000100 dead000000000122 0000000000000000
raw: 000000000000072c ffff88802cd11ba0 00000000ffffffff 0000000000000000
page dumped because: VM_BUG_ON_FOLIO(((unsigned int) folio_ref_count(folio) + 127u <= 127u))