BUG: Bad rss-counter state mm:ffff888066820000 type:MM_SHMEMPAGES val:2162 Comm:syz.5.6345 Pid:27762
BUG: non-zero pgtables_bytes on freeing mm: 16384
page: refcount:3 mapcount:1 mapping:ffff88807b7d8fd0 index:0x470 pfn:0x8cf3c
memcg:ffff888031d02f80
aops:shmem_aops ino:f9
flags: 0xfff60000020029(locked|uptodate|lru|swapbacked|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff60000020029 ffffea000233cf48 ffffea000233cec8 ffff88807b7d8fd0
raw: 0000000000000470 0000000000000000 0000000300000000 ffff888031d02f80
page dumped because: VM_BUG_ON_FOLIO(folio_mapped(folio))
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Movable, gfp_mask 0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), pid 27761, tgid 27760 (syz.5.6345), ts 1130880253920, free_ts 1123296830725
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1857
 prep_new_page mm/page_alloc.c:1865 [inline]
 get_page_from_freelist+0x2418/0x24b0 mm/page_alloc.c:3924
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5211
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2484
 folio_alloc_mpol_noprof+0x39/0x160 mm/mempolicy.c:2503
 shmem_alloc_folio mm/shmem.c:1933 [inline]
 shmem_mfill_folio_alloc+0x196/0x370 mm/shmem.c:3181
 __mfill_atomic_pte+0xe8/0x5f0 mm/userfaultfd.c:486
 mfill_atomic_pte_zeroed_folio mm/userfaultfd.c:564 [inline]
 mfill_atomic_pte_zeropage+0x3a7/0x640 mm/userfaultfd.c:578
 mfill_atomic_pte mm/userfaultfd.c:867 [inline]
 mfill_atomic mm/userfaultfd.c:923 [inline]
 mfill_atomic_zeropage+0x362/0x890 mm/userfaultfd.c:958
 userfaultfd_zeropage fs/userfaultfd.c:1696 [inline]
 userfaultfd_ioctl+0x2865/0x4b00 fs/userfaultfd.c:2062
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 27533 tgid 27531 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1401 [inline]
 free_unref_folios+0xd0c/0x1450 mm/page_alloc.c:3003
 folios_put_refs+0x9ff/0xb40 mm/swap.c:1008
 folio_batch_release include/linux/folio_batch.h:101 [inline]
 shmem_undo_range+0x52c/0x1660 mm/shmem.c:1149
 shmem_truncate_range mm/shmem.c:1277 [inline]
 shmem_evict_inode+0x289/0xae0 mm/shmem.c:1407
 evict+0x61e/0xb10 fs/inode.c:846
 __dentry_kill+0x1a2/0x5e0 fs/dcache.c:670
 finish_dput+0xc9/0x480 fs/dcache.c:879
 __fput+0x691/0xa70 fs/file_table.c:477
 task_work_run+0x1d9/0x270 kernel/task_work.c:233
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0x926/0x2490 kernel/exit.c:974
 do_group_exit+0x21b/0x2d0 kernel/exit.c:1116
 get_signal+0x1284/0x1330 kernel/signal.c:3035
 arch_do_signal_or_restart+0xbc/0x830 arch/x86/kernel/signal.c:337
 __exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
 exit_to_user_mode_loop+0x86/0x480 kernel/entry/common.c:98
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:238 [inline]
 syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:269 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
 do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
------------[ cut here ]------------
kernel BUG at mm/filemap.c:155!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 1 UID: 0 PID: 27762 Comm: syz.5.6345 Tainted: G             L      syzkaller #0 PREEMPT(full) 
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/27/2026
RIP: 0010:filemap_unaccount_folio+0x70f/0x790 mm/filemap.c:155
Code: 53 c5 ff 48 89 df 48 c7 c6 60 b9 f7 8b e8 b9 84 26 ff 90 0f 0b e8 d1 53 c5 ff 48 89 df 48 c7 c6 c0 b6 f7 8b e8 a2 84 26 ff 90 <0f> 0b e8 ba 53 c5 ff 48 89 df 48 c7 c6 60 b9 f7 8b e8 8b 84 26 ff
RSP: 0018:ffffc900062170f8 EFLAGS: 00010046
RAX: 9e567158b7625900 RBX: ffffea000233cf00 RCX: 0000000080000002
RDX: 0000000000000002 RSI: ffffffff8e4a7f19 RDI: ffff88801de85b80
RBP: 0000000000000001 R08: ffff8880b85247d3 R09: 1ffff110170a48fa
R10: dffffc0000000000 R11: ffffed10170a48fb R12: ffffea000233cf30
R13: ffff88807b7d8fd0 R14: 1ffffd40004679e0 R15: ffffea000233cf08
FS:  0000000000000000(0000) GS:ffff888124ee8000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f66781e9e80 CR3: 000000000e94c000 CR4: 00000000003526f0
DR0: 0000000000000004 DR1: 0000000000000003 DR2: 000000007fffdffd
DR3: 0000800000000005 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __filemap_remove_folio+0xc5/0x530 mm/filemap.c:227
 filemap_remove_folio+0xe6/0x1f0 mm/filemap.c:257
 truncate_inode_folio+0x5d/0x70 mm/truncate.c:176
 shmem_undo_range+0x42f/0x1660 mm/shmem.c:1145
 shmem_truncate_range mm/shmem.c:1277 [inline]
 shmem_evict_inode+0x289/0xae0 mm/shmem.c:1407
 evict+0x61e/0xb10 fs/inode.c:846
 __dentry_kill+0x1a2/0x5e0 fs/dcache.c:670
 finish_dput+0xc9/0x480 fs/dcache.c:879
 __fput+0x691/0xa70 fs/file_table.c:477
 task_work_run+0x1d9/0x270 kernel/task_work.c:233
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0x926/0x2490 kernel/exit.c:974
 do_group_exit+0x21b/0x2d0 kernel/exit.c:1116
 get_signal+0x1284/0x1330 kernel/signal.c:3035
 arch_do_signal_or_restart+0xbc/0x830 arch/x86/kernel/signal.c:337
 __exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
 exit_to_user_mode_loop+0x86/0x480 kernel/entry/common.c:98
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:238 [inline]
 syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:269 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
 do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f667819c799
Code: Unable to access opcode bytes at 0x7f667819c76f.
RSP: 002b:00007f6678fa00e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f6678416098 RCX: 00007f667819c799
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f6678416098
RBP: 00007f6678416090 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f6678416128 R14: 00007fffecf044a0 R15: 00007fffecf04588
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:filemap_unaccount_folio+0x70f/0x790 mm/filemap.c:155
Code: 53 c5 ff 48 89 df 48 c7 c6 60 b9 f7 8b e8 b9 84 26 ff 90 0f 0b e8 d1 53 c5 ff 48 89 df 48 c7 c6 c0 b6 f7 8b e8 a2 84 26 ff 90 <0f> 0b e8 ba 53 c5 ff 48 89 df 48 c7 c6 60 b9 f7 8b e8 8b 84 26 ff
RSP: 0018:ffffc900062170f8 EFLAGS: 00010046
RAX: 9e567158b7625900 RBX: ffffea000233cf00 RCX: 0000000080000002
RDX: 0000000000000002 RSI: ffffffff8e4a7f19 RDI: ffff88801de85b80
RBP: 0000000000000001 R08: ffff8880b85247d3 R09: 1ffff110170a48fa
R10: dffffc0000000000 R11: ffffed10170a48fb R12: ffffea000233cf30
R13: ffff88807b7d8fd0 R14: 1ffffd40004679e0 R15: ffffea000233cf08
FS:  0000000000000000(0000) GS:ffff888124ee8000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f66781e9e80 CR3: 000000000e94c000 CR4: 00000000003526f0
DR0: 0000000000000004 DR1: 0000000000000003 DR2: 000000007fffdffd
DR3: 0000800000000005 DR6: 00000000ffff0ff0 DR7: 0000000000000400