blkno = 8ed2c, nblocks = 1
ERROR: (device loop0): dbUpdatePMap: blocks are outside the map
ERROR: (device loop0): remounting filesystem as read-only
JFS: metapage_get_blocks failed
==================================================================
BUG: KFENCE: use-after-free read in release_metapage+0x5ff/0xac0 fs/jfs/jfs_metapage.c:885

Use-after-free read at 0xffff88805b29a098 (in kfence-#76):
 release_metapage+0x5ff/0xac0 fs/jfs/jfs_metapage.c:885
 txUnlock+0x524/0xdf0 fs/jfs/jfs_txnmgr.c:948
 txLazyCommit fs/jfs/jfs_txnmgr.c:2683 [inline]
 jfs_lazycommit+0x584/0xa90 fs/jfs/jfs_txnmgr.c:2734
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x599/0xb30 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

kfence-#76: 0xffff88805b29a000-0xffff88805b29a0b7, size=184, cache=jfs_mp

allocated by task 5341 on cpu 0 at 75.395122s (0.107193s ago):
 mempool_alloc_noprof+0x1c9/0x2f0 mm/mempool.c:567
 alloc_metapage fs/jfs/jfs_metapage.c:264 [inline]
 __get_metapage+0x50c/0xde0 fs/jfs/jfs_metapage.c:760
 dtSplitRoot+0x202/0x16c0 fs/jfs/jfs_dtree.c:1910
 dtSplitUp fs/jfs/jfs_dtree.c:993 [inline]
 dtInsert+0xef8/0x5f40 fs/jfs/jfs_dtree.c:871
 jfs_rename+0x7bc/0x1610 fs/jfs/namei.c:1225
 vfs_rename+0xbb6/0xee0 fs/namei.c:5929
 do_renameat2+0x538/0x8e0 fs/namei.c:6047
 __do_sys_rename fs/namei.c:6090 [inline]
 __se_sys_rename fs/namei.c:6088 [inline]
 __x64_sys_rename+0x82/0x90 fs/namei.c:6088
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

freed by task 77 on cpu 0 at 75.466459s (0.063196s ago):
 mempool_free+0xec/0x130 mm/mempool.c:712
 free_metapage fs/jfs/jfs_metapage.c:279 [inline]
 metapage_release_folio+0x40e/0x540 fs/jfs/jfs_metapage.c:636
 shrink_folio_list+0x20a9/0x4a10 mm/vmscan.c:1483
 evict_folios+0x471e/0x57c0 mm/vmscan.c:4709
 try_to_shrink_lruvec+0x8a3/0xb50 mm/vmscan.c:4872
 shrink_one+0x25c/0x720 mm/vmscan.c:4917
 shrink_many mm/vmscan.c:4980 [inline]
 lru_gen_shrink_node mm/vmscan.c:5058 [inline]
 shrink_node+0x2f7d/0x35b0 mm/vmscan.c:6045
 kswapd_shrink_node mm/vmscan.c:6899 [inline]
 balance_pgdat mm/vmscan.c:7082 [inline]
 kswapd+0x145a/0x2820 mm/vmscan.c:7352
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x599/0xb30 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

CPU: 0 UID: 0 PID: 102 Comm: jfsCommit Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:release_metapage+0x5ff/0xac0 fs/jfs/jfs_metapage.c:885
Code: 8b 74 24 18 4d 8d ae 98 00 00 00 4c 89 e8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df 80 3c 08 00 74 08 4c 89 ef e8 a1 dd dc fe <49> 8b 7d 00 48 c7 c6 20 88 c5 8b e8 c1 69 dc fd eb 28 e8 0a 01 75
RSP: 0018:ffffc90001917af8 EFLAGS: 00010246
RAX: 1ffff1100b653413 RBX: ffffea000048d948 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 00000000fffffffb RDI: 0000000000000000
RBP: 1ffffd4000091b29 R08: ffffea000048d977 R09: 1ffffd4000091b2e
R10: dffffc0000000000 R11: fffff94000091b2f R12: ffff88805b29a028
R13: ffff88805b29a098 R14: ffff88805b29a000 R15: 1ffff1100b653405
FS:  0000000000000000(0000) GS:ffff88808d22f000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88805b29a098 CR3: 0000000042112000 CR4: 0000000000352ef0
Call Trace:
 txUnlock+0x524/0xdf0 fs/jfs/jfs_txnmgr.c:948
 txLazyCommit fs/jfs/jfs_txnmgr.c:2683 [inline]
 jfs_lazycommit+0x584/0xa90 fs/jfs/jfs_txnmgr.c:2734
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x599/0xb30 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
==================================================================
----------------
Code disassembly (best guess):
   0:	8b 74 24 18          	mov    0x18(%rsp),%esi
   4:	4d 8d ae 98 00 00 00 	lea    0x98(%r14),%r13
   b:	4c 89 e8             	mov    %r13,%rax
   e:	48 c1 e8 03          	shr    $0x3,%rax
  12:	48 b9 00 00 00 00 00 	movabs $0xdffffc0000000000,%rcx
  19:	fc ff df
  1c:	80 3c 08 00          	cmpb   $0x0,(%rax,%rcx,1)
  20:	74 08                	je     0x2a
  22:	4c 89 ef             	mov    %r13,%rdi
  25:	e8 a1 dd dc fe       	call   0xfedcddcb
* 2a:	49 8b 7d 00          	mov    0x0(%r13),%rdi <-- trapping instruction
  2e:	48 c7 c6 20 88 c5 8b 	mov    $0xffffffff8bc58820,%rsi
  35:	e8 c1 69 dc fd       	call   0xfddc69fb
  3a:	eb 28                	jmp    0x64
  3c:	e8                   	.byte 0xe8
  3d:	0a 01                	or     (%rcx),%al
  3f:	75                   	.byte 0x75