BUG: spinlock bad magic on CPU#0, jfsCommit/107
==================================================================
BUG: KASAN: slab-out-of-bounds in string_nocheck lib/vsprintf.c:643 [inline]
BUG: KASAN: slab-out-of-bounds in string+0x223/0x2b0 lib/vsprintf.c:725
Read of size 1 at addr ffff888056b1c0e8 by task jfsCommit/107

CPU: 0 PID: 107 Comm: jfsCommit Not tainted 6.1.141-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x168/0x22e lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:316 [inline]
 print_report+0xa8/0x220 mm/kasan/report.c:427
 kasan_report+0x10b/0x140 mm/kasan/report.c:531
 string_nocheck lib/vsprintf.c:643 [inline]
 string+0x223/0x2b0 lib/vsprintf.c:725
 vsnprintf+0xf72/0x1a00 lib/vsprintf.c:2805
 vprintk_store+0x3e0/0xc90 kernel/printk/printk.c:2187
 vprintk_emit+0x11d/0x680 kernel/printk/printk.c:2284
 _printk+0xcc/0x110 kernel/printk/printk.c:2328
 spin_dump+0x101/0x1a0 kernel/locking/spinlock_debug.c:63
 spin_bug kernel/locking/spinlock_debug.c:77 [inline]
 debug_spin_lock_before kernel/locking/spinlock_debug.c:85 [inline]
 do_raw_spin_lock+0x1c2/0x280 kernel/locking/spinlock_debug.c:114
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:111 [inline]
 _raw_spin_lock_irqsave+0xb0/0xf0 kernel/locking/spinlock.c:162
 __wake_up_common_lock kernel/sched/wait.c:137 [inline]
 __wake_up+0xf4/0x190 kernel/sched/wait.c:160
 unlock_metapage fs/jfs/jfs_metapage.c:38 [inline]
 release_metapage+0xc1/0x980 fs/jfs/jfs_metapage.c:736
 xtTruncate+0xe39/0x2c60 fs/jfs/jfs_xtree.c:-1
 jfs_free_zero_link+0x337/0x490 fs/jfs/namei.c:758
 jfs_evict_inode+0x359/0x430 fs/jfs/inode.c:153
 evict+0x485/0x870 fs/inode.c:705
 txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]
 jfs_lazycommit+0x427/0xa50 fs/jfs/jfs_txnmgr.c:2732
 kthread+0x29d/0x330 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 </TASK>

The buggy address belongs to the object at ffff888056b1c0c0
 which belongs to the cache jfs_ip of size 2240
The buggy address is located 40 bytes inside of
 2240-byte region [ffff888056b1c0c0, ffff888056b1c980)

The buggy address belongs to the physical page:
page:ffffea00015ac600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x56b18
head:ffffea00015ac600 order:3 compound_mapcount:0 compound_pincount:0
memcg:ffff88801ca60401
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888146eb5780
raw: 0000000000000000 00000000800d000d 00000001ffffffff ffff88801ca60401
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Reclaimable, gfp_mask 0x1d2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 4581, tgid 4580 (syz.1.51), ts 103335795157, free_ts 22434071140
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x173/0x1a0 mm/page_alloc.c:2532
 prep_new_page mm/page_alloc.c:2539 [inline]
 get_page_from_freelist+0x1a26/0x1ac0 mm/page_alloc.c:4328
 __alloc_pages+0x1df/0x4e0 mm/page_alloc.c:5614
 alloc_slab_page+0x5d/0x160 mm/slub.c:1794
 allocate_slab mm/slub.c:1939 [inline]
 new_slab+0x87/0x2c0 mm/slub.c:1992
 ___slab_alloc+0xbc6/0x1220 mm/slub.c:3180
 __slab_alloc mm/slub.c:3279 [inline]
 slab_alloc_node mm/slub.c:3364 [inline]
 slab_alloc mm/slub.c:3406 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3413 [inline]
 kmem_cache_alloc_lru+0x1ae/0x2e0 mm/slub.c:3429
 alloc_inode_sb include/linux/fs.h:3245 [inline]
 jfs_alloc_inode+0x24/0x60 fs/jfs/super.c:105
 alloc_inode fs/inode.c:261 [inline]
 new_inode_pseudo+0x5f/0x1c0 fs/inode.c:1063
 new_inode+0x25/0x1c0 fs/inode.c:1091
 jfs_fill_super+0x392/0xac0 fs/jfs/super.c:544
 mount_bdev+0x287/0x3c0 fs/super.c:1443
 legacy_get_tree+0xe6/0x180 fs/fs_context.c:632
 vfs_get_tree+0x88/0x270 fs/super.c:1573
 do_new_mount+0x24a/0xa40 fs/namespace.c:3054
 do_mount fs/namespace.c:3397 [inline]
 __do_sys_mount fs/namespace.c:3605 [inline]
 __se_sys_mount+0x2d6/0x3c0 fs/namespace.c:3582
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1459 [inline]
 free_pcp_prepare mm/page_alloc.c:1509 [inline]
 free_unref_page_prepare+0x8b4/0x9a0 mm/page_alloc.c:3384
 free_unref_page+0x2e/0x3f0 mm/page_alloc.c:3479
 free_contig_range+0x9d/0x150 mm/page_alloc.c:9574
 destroy_args+0xef/0x8bf mm/debug_vm_pgtable.c:1031
 debug_vm_pgtable+0x32a/0x37e mm/debug_vm_pgtable.c:1354
 do_one_initcall+0x214/0x7a0 init/main.c:1298
 do_initcall_level+0x137/0x1e4 init/main.c:1371
 do_initcalls+0x4b/0x8a init/main.c:1387
 kernel_init_freeable+0x3fa/0x5ac init/main.c:1626
 kernel_init+0x19/0x1b0 init/main.c:1514
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Memory state around the buggy address:
 ffff888056b1bf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888056b1c000: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
>ffff888056b1c080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                          ^
 ffff888056b1c100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888056b1c180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================