------------[ cut here ]------------
VFS: brelse: Trying to free free buffer
WARNING: CPU: 1 PID: 5851 at fs/buffer.c:1229 __brelse fs/buffer.c:1229 [inline]
WARNING: CPU: 1 PID: 5851 at fs/buffer.c:1229 __brelse+0x6d/0xb0 fs/buffer.c:1223
Modules linked in:
CPU: 1 UID: 0 PID: 5851 Comm: kworker/1:3 Not tainted 6.13.0-rc5-syzkaller-00012-g0bc21e701a6f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: events_power_efficient gc_worker
RIP: 0010:__brelse fs/buffer.c:1229 [inline]
RIP: 0010:__brelse+0x6d/0xb0 fs/buffer.c:1223
Code: 84 d2 75 52 44 8b 63 60 31 ff 44 89 e6 e8 fb d5 79 ff 45 85 e4 75 20 e8 b1 d3 79 ff 90 48 c7 c7 e0 24 7f 8b e8 b4 0d 3a ff 90 <0f> 0b 90 90 5b 5d 41 5c e9 96 d3 79 ff e8 91 d3 79 ff be 04 00 00
RSP: 0018:ffffc90000a18f40 EFLAGS: 00010082
RAX: 0000000000000000 RBX: ffff888045872000 RCX: ffffffff815a5139
RDX: ffff88805b210000 RSI: ffffffff815a5146 RDI: 0000000000000001
RBP: ffff888045872060 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000003 R12: 0000000000000000
R13: ffff888045872000 R14: dffffc0000000000 R15: ffffffff82204240
FS:  0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7dea80d440 CR3: 0000000046116000 CR4: 0000000000350ef0
Call Trace:
 <IRQ>
 brelse include/linux/buffer_head.h:324 [inline]
 __invalidate_bh_lrus fs/buffer.c:1498 [inline]
 invalidate_bh_lru+0xa2/0x190 fs/buffer.c:1511
 csd_do_func kernel/smp.c:134 [inline]
 __flush_smp_call_function_queue+0x27d/0x8c0 kernel/smp.c:540
 __sysvec_call_function_single+0x8c/0x410 arch/x86/kernel/smp.c:271
 instr_sysvec_call_function_single arch/x86/kernel/smp.c:266 [inline]
 sysvec_call_function_single+0x9f/0xc0 arch/x86/kernel/smp.c:266
 </IRQ>
 <TASK>
 asm_sysvec_call_function_single+0x1a/0x20 arch/x86/include/asm/idtentry.h:709
RIP: 0010:__seqprop_spinlock_sequence include/linux/seqlock.h:227 [inline]
RIP: 0010:nf_conntrack_get_ht include/net/netfilter/nf_conntrack.h:345 [inline]
RIP: 0010:gc_worker+0x2e1/0x1760 net/netfilter/nf_conntrack_core.c:1534
Code: 00 00 48 c7 c7 c8 0b 60 90 e8 4b 19 26 f8 9c 5b 81 e3 00 02 00 00 31 ff 48 89 de e8 f9 77 49 f8 48 85 db 58 0f 85 3d 10 00 00 <e8> 7a 75 49 f8 eb 07 e8 73 75 49 f8 f3 90 44 8b 35 9a 6b 0f 07 44
RSP: 0018:ffffc900034c7bc8 EFLAGS: 00000293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8950abca
RDX: ffff88805b210000 RSI: ffffffff8950abd9 RDI: 0000000000000007
RBP: ffff888030c00000 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000003 R12: 000000000001d6b9
R13: dffffc0000000000 R14: 000000000003ad71 R15: 0000000000040000
 process_one_work+0x9c8/0x1ba0 kernel/workqueue.c:3229
 process_scheduled_works kernel/workqueue.c:3310 [inline]
 worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
 kthread+0x2c4/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
----------------
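Code disassembly (best guess), decoded from the second Code: line above, i.e. the gc_worker instruction stream that the call-function IPI interrupted; the instruction marked below is that interrupted RIP, not the WARNING site in __brelse (the <0f> 0b bytes in the first Code: line):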
   0:	00 00                	add    %al,(%rax)
   2:	48 c7 c7 c8 0b 60 90 	mov    $0xffffffff90600bc8,%rdi
   9:	e8 4b 19 26 f8       	call   0xf8261959
   e:	9c                   	pushf
   f:	5b                   	pop    %rbx
  10:	81 e3 00 02 00 00    	and    $0x200,%ebx
  16:	31 ff                	xor    %edi,%edi
  18:	48 89 de             	mov    %rbx,%rsi
  1b:	e8 f9 77 49 f8       	call   0xf8497819
  20:	48 85 db             	test   %rbx,%rbx
  23:	58                   	pop    %rax
  24:	0f 85 3d 10 00 00    	jne    0x1067
* 2a:	e8 7a 75 49 f8       	call   0xf84975a9 <-- trapping instruction
  2f:	eb 07                	jmp    0x38
  31:	e8 73 75 49 f8       	call   0xf84975a9
  36:	f3 90                	pause
  38:	44 8b 35 9a 6b 0f 07 	mov    0x70f6b9a(%rip),%r14d        # 0x70f6bd9
  3f:	44                   	rex.R