BUG: Bad page state in process jfsCommit pfn:28b71
page:ffffea0000a2dc40 refcount:0 mapcount:0 mapping:0000000000000000 index:0x72c pfn:0x28b71
flags: 0xfff18000002047(locked|referenced|uptodate|workingset|private|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff18000002047 dead000000000100 dead000000000122 0000000000000000
raw: 000000000000072c ffff888074ad99b0 00000000ffffffff 0000000000000000
page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x140c40(GFP_NOFS|__GFP_COMP|__GFP_HARDWALL), pid 4428, tgid 4428 (syz.0.17), ts 74974847702, free_ts 74751409427
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x173/0x1a0 mm/page_alloc.c:2532
 prep_new_page mm/page_alloc.c:2539 [inline]
 get_page_from_freelist+0x1a26/0x1ac0 mm/page_alloc.c:4328
 __alloc_pages+0x1df/0x4e0 mm/page_alloc.c:5614
 folio_alloc+0x1c/0x60 mm/mempolicy.c:2292
 filemap_alloc_folio+0xdb/0x460 mm/filemap.c:999
 __filemap_get_folio+0x697/0xdd0 mm/filemap.c:1993
 pagecache_get_page+0x26/0x250 mm/folio-compat.c:110
 find_or_create_page include/linux/pagemap.h:646 [inline]
 grab_cache_page include/linux/pagemap.h:778 [inline]
 __get_metapage+0x2a4/0xfa0 fs/jfs/jfs_metapage.c:613
 dtSplitRoot+0x1de/0x14e0 fs/jfs/jfs_dtree.c:1910
 dtSplitUp fs/jfs/jfs_dtree.c:993 [inline]
 dtInsert+0xe2a/0x58a0 fs/jfs/jfs_dtree.c:871
 jfs_mknod+0x622/0x930 fs/jfs/namei.c:1408
 vfs_mknod+0x424/0x4c0 fs/namei.c:3993
 do_mknodat+0x34e/0x4c0 fs/namei.c:-1
 __do_sys_mknod fs/namei.c:4076 [inline]
 __se_sys_mknod fs/namei.c:4074 [inline]
 __x64_sys_mknod+0x8a/0xa0 fs/namei.c:4074
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1459 [inline]
 free_pcp_prepare mm/page_alloc.c:1509 [inline]
 free_unref_page_prepare+0x8b4/0x9a0 mm/page_alloc.c:3384
 free_unref_page+0x2e/0x3f0 mm/page_alloc.c:3479
 free_slab mm/slub.c:2036 [inline]
 discard_slab mm/slub.c:2042 [inline]
 __unfreeze_partials+0x1a5/0x200 mm/slub.c:2591
 put_cpu_partial+0x17c/0x250 mm/slub.c:2667
 qlink_free mm/kasan/quarantine.c:168 [inline]
 qlist_free_all+0x76/0xe0 mm/kasan/quarantine.c:187
 kasan_quarantine_reduce+0x144/0x160 mm/kasan/quarantine.c:294
 __kasan_slab_alloc+0x1e/0x80 mm/kasan/common.c:305
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook+0x4b/0x480 mm/slab.h:737
 slab_alloc_node mm/slub.c:3359 [inline]
 slab_alloc mm/slub.c:3367 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3374 [inline]
 kmem_cache_alloc+0x123/0x2f0 mm/slub.c:3383
 ptlock_alloc+0x1c/0x60 mm/memory.c:6047
 ptlock_init include/linux/mm.h:2480 [inline]
 pgtable_pte_page_ctor include/linux/mm.h:2507 [inline]
 __pte_alloc_one include/asm-generic/pgalloc.h:66 [inline]
 pte_alloc_one+0xc5/0x2f0 arch/x86/mm/pgtable.c:33
 do_fault_around mm/memory.c:4595 [inline]
 do_read_fault mm/memory.c:4626 [inline]
 do_fault mm/memory.c:4760 [inline]
 handle_pte_fault mm/memory.c:5031 [inline]
 __handle_mm_fault mm/memory.c:5173 [inline]
 handle_mm_fault+0x27ff/0x3e60 mm/memory.c:5294
 do_user_addr_fault+0x51f/0xb10 arch/x86/mm/fault.c:1340
 handle_page_fault arch/x86/mm/fault.c:1431 [inline]
 exc_page_fault+0x60/0x100 arch/x86/mm/fault.c:1487
 asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:608
Modules linked in:
CPU: 1 PID: 108 Comm: jfsCommit Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
 dump_stack_lvl+0x168/0x22e lib/dump_stack.c:106
 bad_page+0x14b/0x170 mm/page_alloc.c:699
 free_page_is_bad mm/page_alloc.c:1291 [inline]
 free_pages_prepare mm/page_alloc.c:1452 [inline]
 free_pcp_prepare mm/page_alloc.c:1509 [inline]
 free_unref_page_prepare+0x42a/0x9a0 mm/page_alloc.c:3384
 free_unref_page+0x2e/0x3f0 mm/page_alloc.c:3479
 txUnlock+0x27e/0xcb0 fs/jfs/jfs_txnmgr.c:932
 txLazyCommit fs/jfs/jfs_txnmgr.c:2682 [inline]
 jfs_lazycommit+0x56c/0xa50 fs/jfs/jfs_txnmgr.c:2732
 kthread+0x29d/0x330 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
page:ffffea0000a2dc40 refcount:0 mapcount:0 mapping:0000000000000000 index:0x72c pfn:0x28b71
flags: 0xfff18000002047(locked|referenced|uptodate|workingset|private|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff18000002047 dead000000000100 dead000000000122 0000000000000000
raw: 000000000000072c ffff888074ad99b0 00000000ffffffff 0000000000000000
page dumped because: VM_BUG_ON_FOLIO(((unsigned int) folio_ref_count(folio) + 127u <= 127u))
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x140c40(GFP_NOFS|__GFP_COMP|__GFP_HARDWALL), pid 4428, tgid 4428 (syz.0.17), ts 74974847702, free_ts 74751409427
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x173/0x1a0 mm/page_alloc.c:2532