BUG: spinlock bad magic on CPU#0, jfsCommit/117
==================================================================
BUG: KASAN: slab-out-of-bounds in string_nocheck lib/vsprintf.c:639 [inline]
BUG: KASAN: slab-out-of-bounds in string+0x227/0x2b0 lib/vsprintf.c:721
Read of size 1 at addr ffff8880768fd338 by task jfsCommit/117

CPU: 0 UID: 0 PID: 117 Comm: jfsCommit Not tainted 6.14.0-syzkaller-13524-gf4d2ef48250a #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0x16e/0x5b0 mm/kasan/report.c:521
 kasan_report+0x143/0x180 mm/kasan/report.c:634
 string_nocheck lib/vsprintf.c:639 [inline]
 string+0x227/0x2b0 lib/vsprintf.c:721
 vsnprintf+0x8b6/0x1230 lib/vsprintf.c:2852
 vprintk_store+0x484/0x1240 kernel/printk/printk.c:2279
 vprintk_emit+0x298/0xa40 kernel/printk/printk.c:2426
 _printk+0xd5/0x120 kernel/printk/printk.c:2475
 spin_dump kernel/locking/spinlock_debug.c:64 [inline]
 spin_bug+0x13b/0x1d0 kernel/locking/spinlock_debug.c:78
 debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
 do_raw_spin_lock+0x20d/0x370 kernel/locking/spinlock_debug.c:115
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:111 [inline]
 _raw_spin_lock_irqsave+0xe4/0x130 kernel/locking/spinlock.c:162
 __wake_up_common_lock+0x25/0x1e0 kernel/sched/wait.c:105
 unlock_metapage fs/jfs/jfs_metapage.c:39 [inline]
 release_metapage+0x158/0xa90 fs/jfs/jfs_metapage.c:763
 xtTruncate+0x1026/0x32a0 fs/jfs/jfs_xtree.c:-1
 jfs_free_zero_link+0x47f/0x700 fs/jfs/namei.c:759
 jfs_evict_inode+0x362/0x440 fs/jfs/inode.c:153
 evict+0x4f9/0x9b0 fs/inode.c:810
 txUpdateMap+0x948/0xb20 fs/jfs/jfs_txnmgr.c:2367
 txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]
 jfs_lazycommit+0x49c/0xba0 fs/jfs/jfs_txnmgr.c:2733
 kthread+0x7b7/0x940 kernel/kthread.c:464
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:153
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

The buggy address belongs to the object at ffff8880768fd2f8
 which belongs to the cache jfs_ip of size 2232
The buggy address is located 64 bytes inside of
 allocated 2232-byte region [ffff8880768fd2f8, ffff8880768fdbb0)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x768f8
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801ef3f640 dead000000000122 0000000000000000
raw: 0000000000000000 00000000800d000d 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88801ef3f640 dead000000000122 0000000000000000
head: 0000000000000000 00000000800d000d 00000000f5000000 0000000000000000
head: 00fff00000000003 ffffea0001da3e01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Reclaimable, gfp_mask 0xd2050(__GFP_RECLAIMABLE|__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5830, tgid 5830 (syz-executor219), ts 88126405279, free_ts 30022180788
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1f4/0x240 mm/page_alloc.c:1717
 prep_new_page mm/page_alloc.c:1725 [inline]
 get_page_from_freelist+0x351d/0x36b0 mm/page_alloc.c:3652
 __alloc_frozen_pages_noprof+0x211/0x5b0 mm/page_alloc.c:4934
 alloc_pages_mpol+0x339/0x690 mm/mempolicy.c:2301
 alloc_slab_page mm/slub.c:2459 [inline]
 allocate_slab+0x8f/0x3a0 mm/slub.c:2623
 new_slab mm/slub.c:2676 [inline]
 ___slab_alloc+0xc3b/0x1500 mm/slub.c:3862
 __slab_alloc+0x58/0xa0 mm/slub.c:3952
 __slab_alloc_node mm/slub.c:4027 [inline]
 slab_alloc_node mm/slub.c:4188 [inline]
 kmem_cache_alloc_lru_noprof+0x274/0x390 mm/slub.c:4219
 jfs_alloc_inode+0x28/0x70 fs/jfs/super.c:105
 alloc_inode+0x69/0x1b0 fs/inode.c:346
 new_inode+0x22/0x180 fs/inode.c:1145
 jfs_fill_super+0x570/0xd90 fs/jfs/super.c:511
 get_tree_bdev_flags+0x490/0x5c0 fs/super.c:1636
 vfs_get_tree+0x90/0x2b0 fs/super.c:1759
 do_new_mount+0x2cf/0xb70 fs/namespace.c:3879
 do_mount fs/namespace.c:4219 [inline]
 __do_sys_mount fs/namespace.c:4430 [inline]
 __se_sys_mount+0x38c/0x400 fs/namespace.c:4407
page last free pid 1 tgid 1 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1262 [inline]
 __free_frozen_pages+0xddf/0x10a0 mm/page_alloc.c:2680
 __free_pages mm/page_alloc.c:5044 [inline]
 free_contig_range+0x154/0x430 mm/page_alloc.c:6900
 destroy_args+0x94/0x4b0 mm/debug_vm_pgtable.c:1017
 debug_vm_pgtable+0x555/0x590 mm/debug_vm_pgtable.c:1397
 do_one_initcall+0x24a/0x940 init/main.c:1257
 do_initcall_level+0x157/0x210 init/main.c:1319
 do_initcalls+0x71/0xd0 init/main.c:1335
 kernel_init_freeable+0x432/0x5d0 init/main.c:1567
 kernel_init+0x1d/0x2b0 init/main.c:1457
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:153
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Memory state around the buggy address:
 ffff8880768fd200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc
 ffff8880768fd280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880768fd300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                        ^
 ffff8880768fd380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880768fd400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================