syzbot


BUG: Bad page state in __set_page_owner

Status: closed as dup on 2024/11/15 10:44
Subsystems: mm
[Documentation on labels]
Reported-by: syzbot+d6f5b7a41831ca1a99a0@syzkaller.appspotmail.com
First crash: 28d, last: 28d
Duplicate of
Title Repro Cause bisect Fix bisect Count Last Reported
BUG: Bad page state in xdp_test_run_batch net C 19 37d 36d

Sample crash report:
BUG: Bad page state in process syz.2.1806  pfn:ab652
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000002b6529b0 pfn:0xab652
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: ff6000002b6529b0 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942768126800, free_ts 6922500215400
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 16342 tgid 16342 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __free_pages+0x13c/0x1bc mm/page_alloc.c:4820
 vfree+0x1b6/0xc88 mm/vmalloc.c:3361
 delayed_vfree_work+0x58/0x7a mm/vmalloc.c:3282
 process_one_work+0x956/0x1dae kernel/workqueue.c:3229
 process_scheduled_works kernel/workqueue.c:3310 [inline]
 worker_thread+0x5be/0xdc6 kernel/workqueue.c:3391
 kthread+0x28c/0x3a6 kernel/kthread.c:389
 ret_from_fork+0xe/0x18 arch/riscv/kernel/entry.S:326
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Not tainted 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:ae2f7
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0xae2f7
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942768005500, free_ts 6922668954700
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 24 tgid 24 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __folio_put+0x1ae/0x22e mm/swap.c:126
 folio_put include/linux/mm.h:1478 [inline]
 free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
 run_ksoftirqd kernel/softirq.c:927 [inline]
 run_ksoftirqd+0xce/0x144 kernel/softirq.c:919
 smpboot_thread_fn+0x654/0xb98 kernel/smpboot.c:164
 kthread+0x28c/0x3a6 kernel/kthread.c:389
 ret_from_fork+0xe/0x18 arch/riscv/kernel/entry.S:326
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:ae2f6
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000002e2f6600 pfn:0xae2f6
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: ff6000002e2f6600 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942767887000, free_ts 6922912620400
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 18905 tgid 18905 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __free_pages+0x13c/0x1bc mm/page_alloc.c:4820
 free_pages.part.0+0x26a/0x4cc mm/page_alloc.c:4833
 free_pages+0xe/0x18 mm/page_alloc.c:4830
 tlb_batch_list_free mm/mmu_gather.c:159 [inline]
 tlb_finish_mmu+0x20c/0x7e6 mm/mmu_gather.c:468
 exit_mmap+0x36c/0xbea mm/mmap.c:1877
 __mmput kernel/fork.c:1347 [inline]
 mmput+0x122/0x3e2 kernel/fork.c:1369
 exit_mm kernel/exit.c:571 [inline]
 do_exit+0x902/0x2986 kernel/exit.c:926
 do_group_exit+0xd4/0x26c kernel/exit.c:1088
 __do_sys_exit_group kernel/exit.c:1099 [inline]
 __se_sys_exit_group kernel/exit.c:1097 [inline]
 __riscv_sys_exit_group+0x4a/0x54 kernel/exit.c:1097
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:98b0f
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x98b0f
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: 0000000000000000 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942767768400, free_ts 6922499537000
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 16342 tgid 16342 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __free_pages+0x13c/0x1bc mm/page_alloc.c:4820
 vfree+0x1b6/0xc88 mm/vmalloc.c:3361
 delayed_vfree_work+0x58/0x7a mm/vmalloc.c:3282
 process_one_work+0x956/0x1dae kernel/workqueue.c:3229
 process_scheduled_works kernel/workqueue.c:3310 [inline]
 worker_thread+0x5be/0xdc6 kernel/workqueue.c:3391
 kthread+0x28c/0x3a6 kernel/kthread.c:389
 ret_from_fork+0xe/0x18 arch/riscv/kernel/entry.S:326
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:98b0e
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x98b0e
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: 0000000000000000 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942767649200, free_ts 6922935139100
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 18907 tgid 18901 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __folio_put+0x1ae/0x22e mm/swap.c:126
 folio_put include/linux/mm.h:1478 [inline]
 free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu+0x188/0x372 kernel/softirq.c:637
 irq_exit_rcu+0x10/0xf8 kernel/softirq.c:649
 handle_riscv_irq+0x40/0x4c arch/riscv/kernel/traps.c:378
 call_on_irq_stack+0x32/0x40 arch/riscv/kernel/entry.S:355
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:9aa97
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9aa97
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: 0000000000000000 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942767531800, free_ts 6922937997000
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 18907 tgid 18901 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __folio_put+0x1ae/0x22e mm/swap.c:126
 folio_put include/linux/mm.h:1478 [inline]
 free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu+0x188/0x372 kernel/softirq.c:637
 irq_exit_rcu+0x10/0xf8 kernel/softirq.c:649
 handle_riscv_irq+0x40/0x4c arch/riscv/kernel/traps.c:378
 call_on_irq_stack+0x32/0x40 arch/riscv/kernel/entry.S:355
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:9aa96
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9aa96
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: 0000000000000000 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942767412800, free_ts 6922933818500
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 18907 tgid 18901 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __folio_put+0x1ae/0x22e mm/swap.c:126
 folio_put include/linux/mm.h:1478 [inline]
 free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu+0x188/0x372 kernel/softirq.c:637
 irq_exit_rcu+0x10/0xf8 kernel/softirq.c:649
 handle_riscv_irq+0x40/0x4c arch/riscv/kernel/traps.c:378
 call_on_irq_stack+0x32/0x40 arch/riscv/kernel/entry.S:355
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:af1f5
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xaf1f5
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: 0000000000000000 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942767292300, free_ts 6922669162900
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 24 tgid 24 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __folio_put+0x1ae/0x22e mm/swap.c:126
 folio_put include/linux/mm.h:1478 [inline]
 free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
 run_ksoftirqd kernel/softirq.c:927 [inline]
 run_ksoftirqd+0xce/0x144 kernel/softirq.c:919
 smpboot_thread_fn+0x654/0xb98 kernel/smpboot.c:164
 kthread+0x28c/0x3a6 kernel/kthread.c:389
 ret_from_fork+0xe/0x18 arch/riscv/kernel/entry.S:326
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:af1f4
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000002f1f4f50 pfn:0xaf1f4
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: ff6000002f1f4f50 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942767168100, free_ts 6922942911100
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 18907 tgid 18901 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __folio_put+0x1ae/0x22e mm/swap.c:126
 folio_put include/linux/mm.h:1478 [inline]
 free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu+0x188/0x372 kernel/softirq.c:637
 irq_exit_rcu+0x10/0xf8 kernel/softirq.c:649
 handle_riscv_irq+0x40/0x4c arch/riscv/kernel/traps.c:378
 call_on_irq_stack+0x32/0x40 arch/riscv/kernel/entry.S:355
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:aea9d
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0xaea9d
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942767048800, free_ts 6922912807500
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 18905 tgid 18905 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __free_pages+0x13c/0x1bc mm/page_alloc.c:4820
 free_pages.part.0+0x26a/0x4cc mm/page_alloc.c:4833
 free_pages+0xe/0x18 mm/page_alloc.c:4830
 tlb_batch_list_free mm/mmu_gather.c:159 [inline]
 tlb_finish_mmu+0x20c/0x7e6 mm/mmu_gather.c:468
 exit_mmap+0x36c/0xbea mm/mmap.c:1877
 __mmput kernel/fork.c:1347 [inline]
 mmput+0x122/0x3e2 kernel/fork.c:1369
 exit_mm kernel/exit.c:571 [inline]
 do_exit+0x902/0x2986 kernel/exit.c:926
 do_group_exit+0xd4/0x26c kernel/exit.c:1088
 __do_sys_exit_group kernel/exit.c:1099 [inline]
 __se_sys_exit_group kernel/exit.c:1097 [inline]
 __riscv_sys_exit_group+0x4a/0x54 kernel/exit.c:1097
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:aea9c
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000002ea9de00 pfn:0xaea9c
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: ff6000002ea9de00 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942766928100, free_ts 6923527240100
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 18907 tgid 18901 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __free_pages+0x13c/0x1bc mm/page_alloc.c:4820
 free_pages.part.0+0x26a/0x4cc mm/page_alloc.c:4833
 free_pages+0xe/0x18 mm/page_alloc.c:4830
 tlb_batch_list_free mm/mmu_gather.c:159 [inline]
 tlb_finish_mmu+0x20c/0x7e6 mm/mmu_gather.c:468
 exit_mmap+0x36c/0xbea mm/mmap.c:1877
 __mmput kernel/fork.c:1347 [inline]
 mmput+0x122/0x3e2 kernel/fork.c:1369
 exit_mm kernel/exit.c:571 [inline]
 do_exit+0x902/0x2986 kernel/exit.c:926
 do_group_exit+0xd4/0x26c kernel/exit.c:1088
 get_signal+0x1e98/0x23b0 kernel/signal.c:2917
 arch_do_signal_or_restart+0x8d6/0x1190 arch/riscv/kernel/signal.c:437
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x2a6/0x31e kernel/entry/common.c:218
 do_trap_ecall_u+0x86/0x216 arch/riscv/kernel/traps.c:345
 _new_vmalloc_restore_context_a0+0xc2/0xce
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:9daad
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x4 pfn:0x9daad
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: 0000000000000004 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942766810000, free_ts 6922912977000
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 18905 tgid 18905 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __free_pages+0x13c/0x1bc mm/page_alloc.c:4820
 free_pages.part.0+0x26a/0x4cc mm/page_alloc.c:4833
 free_pages+0xe/0x18 mm/page_alloc.c:4830
 tlb_batch_list_free mm/mmu_gather.c:159 [inline]
 tlb_finish_mmu+0x20c/0x7e6 mm/mmu_gather.c:468
 exit_mmap+0x36c/0xbea mm/mmap.c:1877
 __mmput kernel/fork.c:1347 [inline]
 mmput+0x122/0x3e2 kernel/fork.c:1369
 exit_mm kernel/exit.c:571 [inline]
 do_exit+0x902/0x2986 kernel/exit.c:926
 do_group_exit+0xd4/0x26c kernel/exit.c:1088
 __do_sys_exit_group kernel/exit.c:1099 [inline]
 __se_sys_exit_group kernel/exit.c:1097 [inline]
 __riscv_sys_exit_group+0x4a/0x54 kernel/exit.c:1097
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:9daac
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000001daacdc0 pfn:0x9daac
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: ff6000001daacdc0 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942766691000, free_ts 6923527489100
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 18907 tgid 18901 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __free_pages+0x13c/0x1bc mm/page_alloc.c:4820
 free_pages.part.0+0x26a/0x4cc mm/page_alloc.c:4833
 free_pages+0xe/0x18 mm/page_alloc.c:4830
 tlb_batch_list_free mm/mmu_gather.c:159 [inline]
 tlb_finish_mmu+0x20c/0x7e6 mm/mmu_gather.c:468
 exit_mmap+0x36c/0xbea mm/mmap.c:1877
 __mmput kernel/fork.c:1347 [inline]
 mmput+0x122/0x3e2 kernel/fork.c:1369
 exit_mm kernel/exit.c:571 [inline]
 do_exit+0x902/0x2986 kernel/exit.c:926
 do_group_exit+0xd4/0x26c kernel/exit.c:1088
 get_signal+0x1e98/0x23b0 kernel/signal.c:2917
 arch_do_signal_or_restart+0x8d6/0x1190 arch/riscv/kernel/signal.c:437
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x2a6/0x31e kernel/entry/common.c:218
 do_trap_ecall_u+0x86/0x216 arch/riscv/kernel/traps.c:345
 _new_vmalloc_restore_context_a0+0xc2/0xce
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:adfff
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000002dfffc80 pfn:0xadfff
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: ff6000002dfffc80 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942766573000, free_ts 6922196654300
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 18908 tgid 18908 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __free_pages+0x13c/0x1bc mm/page_alloc.c:4820
 __free_slab+0xc8/0x16e mm/slub.c:2649
 free_slab+0x38/0x1ae mm/slub.c:2672
 discard_slab+0x42/0x5a mm/slub.c:2678
 __slab_free+0x346/0x3f6 mm/slub.c:4491
 do_slab_free mm/slub.c:4532 [inline]
 ___cache_free+0x1a6/0x1e0 mm/slub.c:4638
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x76/0x16c mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x158/0x1ba mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x5c/0x82 mm/kasan/common.c:329
 kasan_slab_alloc include/linux/kasan.h:247 [inline]
 slab_post_alloc_hook mm/slub.c:4086 [inline]
 slab_alloc_node mm/slub.c:4135 [inline]
 __do_kmalloc_node mm/slub.c:4264 [inline]
 __kmalloc_noprof+0x24a/0x4e4 mm/slub.c:4277
 kmalloc_noprof include/linux/slab.h:882 [inline]
 tomoyo_realpath_from_path+0xb8/0x64a security/tomoyo/realpath.c:251
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_path_perm+0x28e/0x45e security/tomoyo/file.c:822
 tomoyo_inode_getattr+0x1e/0x28 security/tomoyo/hooks.h:97
 security_inode_getattr+0x12a/0x2fe security/security.c:2371
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:adffe
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000002dfffc00 pfn:0xadffe
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: ff6000002dfffc00 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942766452800, free_ts 6923544377300
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 18388 tgid 18388 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __folio_put+0x1ae/0x22e mm/swap.c:126
 folio_put include/linux/mm.h:1478 [inline]
 free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu+0x188/0x372 kernel/softirq.c:637
 irq_exit_rcu+0x10/0xf8 kernel/softirq.c:649
 handle_riscv_irq+0x40/0x4c arch/riscv/kernel/traps.c:378
 call_on_irq_stack+0x32/0x40 arch/riscv/kernel/entry.S:355
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:ace27
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xace27
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: 0000000000000000 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942766332200, free_ts 6922499651500
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 16342 tgid 16342 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __free_pages+0x13c/0x1bc mm/page_alloc.c:4820
 vfree+0x1b6/0xc88 mm/vmalloc.c:3361
 delayed_vfree_work+0x58/0x7a mm/vmalloc.c:3282
 process_one_work+0x956/0x1dae kernel/workqueue.c:3229
 process_scheduled_works kernel/workqueue.c:3310 [inline]
 worker_thread+0x5be/0xdc6 kernel/workqueue.c:3391
 kthread+0x28c/0x3a6 kernel/kthread.c:389
 ret_from_fork+0xe/0x18 arch/riscv/kernel/entry.S:326
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:ace26
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xace26
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: 0000000000000000 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942766201400, free_ts 6923545200600
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 18388 tgid 18388 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __folio_put+0x1ae/0x22e mm/swap.c:126
 folio_put include/linux/mm.h:1478 [inline]
 free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu+0x188/0x372 kernel/softirq.c:637
 irq_exit_rcu+0x10/0xf8 kernel/softirq.c:649
 handle_riscv_irq+0x40/0x4c arch/riscv/kernel/traps.c:378
 call_on_irq_stack+0x32/0x40 arch/riscv/kernel/entry.S:355
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:9dec5
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x4 pfn:0x9dec5
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: 0000000000000004 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942766075600, free_ts 6923546529800
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 18388 tgid 18388 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __folio_put+0x1ae/0x22e mm/swap.c:126
 folio_put include/linux/mm.h:1478 [inline]
 free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu+0x188/0x372 kernel/softirq.c:637
 irq_exit_rcu+0x10/0xf8 kernel/softirq.c:649
 handle_riscv_irq+0x40/0x4c arch/riscv/kernel/traps.c:378
 call_on_irq_stack+0x32/0x40 arch/riscv/kernel/entry.S:355
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:9dec4
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000001dec5080 pfn:0x9dec4
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: ff6000001dec5080 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942765929200, free_ts 6923547349200
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 18388 tgid 18388 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __folio_put+0x1ae/0x22e mm/swap.c:126
 folio_put include/linux/mm.h:1478 [inline]
 free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu+0x188/0x372 kernel/softirq.c:637
 irq_exit_rcu+0x10/0xf8 kernel/softirq.c:649
 handle_riscv_irq+0x40/0x4c arch/riscv/kernel/traps.c:378
 call_on_irq_stack+0x32/0x40 arch/riscv/kernel/entry.S:355
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:9d607
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000001d6079b0 pfn:0x9d607
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: ff6000001d6079b0 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942765812300, free_ts 6925915629200
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 18910 tgid 18910 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __folio_put+0x1ae/0x22e mm/swap.c:126
 folio_put include/linux/mm.h:1478 [inline]
 free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu+0x188/0x372 kernel/softirq.c:637
 irq_exit_rcu+0x10/0xf8 kernel/softirq.c:649
 handle_riscv_irq+0x40/0x4c arch/riscv/kernel/traps.c:378
 call_on_irq_stack+0x32/0x40 arch/riscv/kernel/entry.S:355
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:9d606
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000001d606440 pfn:0x9d606
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: ff6000001d606440 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942765695000, free_ts 6922499989500
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 16342 tgid 16342 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __free_pages+0x13c/0x1bc mm/page_alloc.c:4820
 vfree+0x1b6/0xc88 mm/vmalloc.c:3361
 delayed_vfree_work+0x58/0x7a mm/vmalloc.c:3282
 process_one_work+0x956/0x1dae kernel/workqueue.c:3229
 process_scheduled_works kernel/workqueue.c:3310 [inline]
 worker_thread+0x5be/0xdc6 kernel/workqueue.c:3391
 kthread+0x28c/0x3a6 kernel/kthread.c:389
 ret_from_fork+0xe/0x18 arch/riscv/kernel/entry.S:326
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:a8ee9
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff60000000000002 pfn:0xa8ee9
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: ff60000000000002 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942765575900, free_ts 6925948942300
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 17001 tgid 17001 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __free_pages+0x13c/0x1bc mm/page_alloc.c:4820
 vfree+0x1b6/0xc88 mm/vmalloc.c:3361
 copy_entries_to_user net/ipv6/netfilter/ip6_tables.c:882 [inline]
 get_entries net/ipv6/netfilter/ip6_tables.c:1039 [inline]
 do_ip6t_get_ctl+0x76c/0x91e net/ipv6/netfilter/ip6_tables.c:1677
 nf_getsockopt+0x6e/0xd2 net/netfilter/nf_sockopt.c:116
 ipv6_getsockopt+0x240/0x2ce net/ipv6/ipv6_sockglue.c:1493
 tcp_getsockopt+0x84/0xd6 net/ipv4/tcp.c:4670
 sock_common_getsockopt+0x86/0xb8 net/core/sock.c:3776
 do_sock_getsockopt+0x37a/0x5ea net/socket.c:2391
 __sys_getsockopt+0x100/0x1b6 net/socket.c:2420
 __do_sys_getsockopt net/socket.c:2430 [inline]
 __se_sys_getsockopt net/socket.c:2427 [inline]
 __riscv_sys_getsockopt+0xa6/0x114 net/socket.c:2427
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:a8ee8
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff60000028ee9e00 pfn:0xa8ee8
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: ff60000028ee9e00 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942765458100, free_ts 6922940797600
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 18907 tgid 18901 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __folio_put+0x1ae/0x22e mm/swap.c:126
 folio_put include/linux/mm.h:1478 [inline]
 free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu+0x188/0x372 kernel/softirq.c:637
 irq_exit_rcu+0x10/0xf8 kernel/softirq.c:649
 handle_riscv_irq+0x40/0x4c arch/riscv/kernel/traps.c:378
 call_on_irq_stack+0x32/0x40 arch/riscv/kernel/entry.S:355
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:a9217
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0xa9217
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942765338600, free_ts 6933702538200
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 18388 tgid 18388 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __folio_put+0x1ae/0x22e mm/swap.c:126
 folio_put include/linux/mm.h:1478 [inline]
 free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu+0x188/0x372 kernel/softirq.c:637
 irq_exit_rcu+0x10/0xf8 kernel/softirq.c:649
 handle_riscv_irq+0x40/0x4c arch/riscv/kernel/traps.c:378
 call_on_irq_stack+0x32/0x40 arch/riscv/kernel/entry.S:355
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:a9216
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff60000029217e00 pfn:0xa9216
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: ff60000029217e00 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942765211900, free_ts 6935903750800
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 18891 tgid 18891 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __folio_put+0x1ae/0x22e mm/swap.c:126
 folio_put include/linux/mm.h:1478 [inline]
 free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu+0x188/0x372 kernel/softirq.c:637
 irq_exit_rcu+0x10/0xf8 kernel/softirq.c:649
 handle_riscv_irq+0x40/0x4c arch/riscv/kernel/traps.c:378
 call_on_irq_stack+0x32/0x40 arch/riscv/kernel/entry.S:355
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:9aa93
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0x9aa93
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942765092800, free_ts 6932779102600
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 18939 tgid 18939 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __free_pages+0x13c/0x1bc mm/page_alloc.c:4820
 __free_slab+0xc8/0x16e mm/slub.c:2649
 free_slab+0x38/0x1ae mm/slub.c:2672
 discard_slab+0x42/0x5a mm/slub.c:2678
 __slab_free+0x346/0x3f6 mm/slub.c:4491
 do_slab_free mm/slub.c:4532 [inline]
 ___cache_free+0x1a6/0x1e0 mm/slub.c:4638
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x76/0x16c mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x158/0x1ba mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x5c/0x82 mm/kasan/common.c:329
 kasan_slab_alloc include/linux/kasan.h:247 [inline]
 slab_post_alloc_hook mm/slub.c:4086 [inline]
 slab_alloc_node mm/slub.c:4135 [inline]
 __do_kmalloc_node mm/slub.c:4264 [inline]
 __kmalloc_node_noprof+0x232/0x522 mm/slub.c:4271
 kmalloc_node_noprof include/linux/slab.h:905 [inline]
 __vmalloc_area_node mm/vmalloc.c:3624 [inline]
 __vmalloc_node_range_noprof+0x36e/0x1450 mm/vmalloc.c:3828
 alloc_thread_stack_node kernel/fork.c:314 [inline]
 dup_task_struct kernel/fork.c:1115 [inline]
 copy_process+0x365c/0x8e32 kernel/fork.c:2206
 kernel_clone+0x11e/0x92c kernel/fork.c:2787
 __do_sys_clone+0xe4/0x118 kernel/fork.c:2930
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:9aa92
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000001aa93e00 pfn:0x9aa92
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: ff6000001aa93e00 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942764968900, free_ts 6932779102600
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 18939 tgid 18939 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __free_pages+0x13c/0x1bc mm/page_alloc.c:4820
 __free_slab+0xc8/0x16e mm/slub.c:2649
 free_slab+0x38/0x1ae mm/slub.c:2672
 discard_slab+0x42/0x5a mm/slub.c:2678
 __slab_free+0x346/0x3f6 mm/slub.c:4491
 do_slab_free mm/slub.c:4532 [inline]
 ___cache_free+0x1a6/0x1e0 mm/slub.c:4638
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x76/0x16c mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x158/0x1ba mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x5c/0x82 mm/kasan/common.c:329
 kasan_slab_alloc include/linux/kasan.h:247 [inline]
 slab_post_alloc_hook mm/slub.c:4086 [inline]
 slab_alloc_node mm/slub.c:4135 [inline]
 __do_kmalloc_node mm/slub.c:4264 [inline]
 __kmalloc_node_noprof+0x232/0x522 mm/slub.c:4271
 kmalloc_node_noprof include/linux/slab.h:905 [inline]
 __vmalloc_area_node mm/vmalloc.c:3624 [inline]
 __vmalloc_node_range_noprof+0x36e/0x1450 mm/vmalloc.c:3828
 alloc_thread_stack_node kernel/fork.c:314 [inline]
 dup_task_struct kernel/fork.c:1115 [inline]
 copy_process+0x365c/0x8e32 kernel/fork.c:2206
 kernel_clone+0x11e/0x92c kernel/fork.c:2787
 __do_sys_clone+0xe4/0x118 kernel/fork.c:2930
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:97efd
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0x97efd
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942764850600, free_ts 6932779866500
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 18939 tgid 18939 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __free_pages+0x13c/0x1bc mm/page_alloc.c:4820
 __free_slab+0xc8/0x16e mm/slub.c:2649
 free_slab+0x38/0x1ae mm/slub.c:2672
 discard_slab+0x42/0x5a mm/slub.c:2678
 __slab_free+0x346/0x3f6 mm/slub.c:4491
 do_slab_free mm/slub.c:4532 [inline]
 ___cache_free+0x1a6/0x1e0 mm/slub.c:4638
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x76/0x16c mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x158/0x1ba mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x5c/0x82 mm/kasan/common.c:329
 kasan_slab_alloc include/linux/kasan.h:247 [inline]
 slab_post_alloc_hook mm/slub.c:4086 [inline]
 slab_alloc_node mm/slub.c:4135 [inline]
 __do_kmalloc_node mm/slub.c:4264 [inline]
 __kmalloc_node_noprof+0x232/0x522 mm/slub.c:4271
 kmalloc_node_noprof include/linux/slab.h:905 [inline]
 __vmalloc_area_node mm/vmalloc.c:3624 [inline]
 __vmalloc_node_range_noprof+0x36e/0x1450 mm/vmalloc.c:3828
 alloc_thread_stack_node kernel/fork.c:314 [inline]
 dup_task_struct kernel/fork.c:1115 [inline]
 copy_process+0x365c/0x8e32 kernel/fork.c:2206
 kernel_clone+0x11e/0x92c kernel/fork.c:2787
 __do_sys_clone+0xe4/0x118 kernel/fork.c:2930
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:97efc
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff60000017efde00 pfn:0x97efc
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: ff60000017efde00 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942764731300, free_ts 6932779866500
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 18939 tgid 18939 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __free_pages+0x13c/0x1bc mm/page_alloc.c:4820
 __free_slab+0xc8/0x16e mm/slub.c:2649
 free_slab+0x38/0x1ae mm/slub.c:2672
 discard_slab+0x42/0x5a mm/slub.c:2678
 __slab_free+0x346/0x3f6 mm/slub.c:4491
 do_slab_free mm/slub.c:4532 [inline]
 ___cache_free+0x1a6/0x1e0 mm/slub.c:4638
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x76/0x16c mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x158/0x1ba mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x5c/0x82 mm/kasan/common.c:329
 kasan_slab_alloc include/linux/kasan.h:247 [inline]
 slab_post_alloc_hook mm/slub.c:4086 [inline]
 slab_alloc_node mm/slub.c:4135 [inline]
 __do_kmalloc_node mm/slub.c:4264 [inline]
 __kmalloc_node_noprof+0x232/0x522 mm/slub.c:4271
 kmalloc_node_noprof include/linux/slab.h:905 [inline]
 __vmalloc_area_node mm/vmalloc.c:3624 [inline]
 __vmalloc_node_range_noprof+0x36e/0x1450 mm/vmalloc.c:3828
 alloc_thread_stack_node kernel/fork.c:314 [inline]
 dup_task_struct kernel/fork.c:1115 [inline]
 copy_process+0x365c/0x8e32 kernel/fork.c:2206
 kernel_clone+0x11e/0x92c kernel/fork.c:2787
 __do_sys_clone+0xe4/0x118 kernel/fork.c:2930
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:a9e8d
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x31 pfn:0xa9e8d
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: 0000000000000031 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942764612700, free_ts 6940797167800
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 16932 tgid 16932 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __folio_put+0x1ae/0x22e mm/swap.c:126
 folio_put include/linux/mm.h:1478 [inline]
 free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
 __do_softirq+0x12/0x1a kernel/softirq.c:588
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:a9e8c
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x30 pfn:0xa9e8c
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: 0000000000000030 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942764495000, free_ts 6940797650600
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 16932 tgid 16932 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __folio_put+0x1ae/0x22e mm/swap.c:126
 folio_put include/linux/mm.h:1478 [inline]
 free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
 __do_softirq+0x12/0x1a kernel/softirq.c:588
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:ae1f3
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000002e1f3000 pfn:0xae1f3
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: ff6000002e1f3000 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942764377100, free_ts 6940798494500
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 16932 tgid 16932 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __folio_put+0x1ae/0x22e mm/swap.c:126
 folio_put include/linux/mm.h:1478 [inline]
 free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
 __do_softirq+0x12/0x1a kernel/softirq.c:588
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:ae1f2
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000002e1f2dc0 pfn:0xae1f2
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: ff6000002e1f2dc0 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942764251800, free_ts 6940303820200
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 24 tgid 24 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __folio_put+0x1ae/0x22e mm/swap.c:126
 folio_put include/linux/mm.h:1478 [inline]
 free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
 run_ksoftirqd kernel/softirq.c:927 [inline]
 run_ksoftirqd+0xce/0x144 kernel/softirq.c:919
 smpboot_thread_fn+0x654/0xb98 kernel/smpboot.c:164
 kthread+0x28c/0x3a6 kernel/kthread.c:389
 ret_from_fork+0xe/0x18 arch/riscv/kernel/entry.S:326
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:ad2e1
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000002d2e1e58 pfn:0xad2e1
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: ff6000002d2e1e58 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942764133900, free_ts 6940798084500
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 16932 tgid 16932 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __folio_put+0x1ae/0x22e mm/swap.c:126
 folio_put include/linux/mm.h:1478 [inline]
 free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
 __do_softirq+0x12/0x1a kernel/softirq.c:588
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:ad2e0
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000002d2e0d90 pfn:0xad2e0
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: ff6000002d2e0d90 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942764012100, free_ts 6940798882400
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 16932 tgid 16932 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __folio_put+0x1ae/0x22e mm/swap.c:126
 folio_put include/linux/mm.h:1478 [inline]
 free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
 __do_softirq+0x12/0x1a kernel/softirq.c:588
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:ac2d3
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x21 pfn:0xac2d3
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: 0000000000000021 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942763892100, free_ts 6940802634600
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 16932 tgid 16932 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __folio_put+0x1ae/0x22e mm/swap.c:126
 folio_put include/linux/mm.h:1478 [inline]
 free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
 __do_softirq+0x12/0x1a kernel/softirq.c:588
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:ac2d2
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x20 pfn:0xac2d2
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: 0000000000000020 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942763772200, free_ts 6940799262400
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 16932 tgid 16932 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __folio_put+0x1ae/0x22e mm/swap.c:126
 folio_put include/linux/mm.h:1478 [inline]
 free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
 __do_softirq+0x12/0x1a kernel/softirq.c:588
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:9de23
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0x9de23
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942763651500, free_ts 6941283772200
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 3146 tgid 3146 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
 skb_free_frag include/linux/skbuff.h:3399 [inline]
 skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
 skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
 skb_release_all net/core/skbuff.c:1190 [inline]
 __kfree_skb+0x46/0x68 net/core/skbuff.c:1204
 tcp_rcv_established+0xff2/0x2592 net/ipv4/tcp_input.c:6147
 tcp_v4_do_rcv+0x68a/0xbaa net/ipv4/tcp_ipv4.c:1915
 sk_backlog_rcv include/net/sock.h:1113 [inline]
 __release_sock+0x106/0x36e net/core/sock.c:3072
 release_sock+0x5c/0x1c8 net/core/sock.c:3626
 tcp_sendmsg+0x3e/0x4e net/ipv4/tcp.c:1358
 inet_sendmsg+0x9c/0xda net/ipv4/af_inet.c:853
 sock_sendmsg_nosec net/socket.c:729 [inline]
 __sock_sendmsg+0xcc/0x160 net/socket.c:744
 sock_write_iter+0x2a0/0x3ba net/socket.c:1165
 new_sync_write fs/read_write.c:590 [inline]
 vfs_write+0x4d4/0x9b4 fs/read_write.c:683
 ksys_write+0x1f0/0x266 fs/read_write.c:736
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:9de22
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000001de22c00 pfn:0x9de22
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: ff6000001de22c00 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942763526500, free_ts 6940305420800
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 24 tgid 24 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __folio_put+0x1ae/0x22e mm/swap.c:126
 folio_put include/linux/mm.h:1478 [inline]
 free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
 run_ksoftirqd kernel/softirq.c:927 [inline]
 run_ksoftirqd+0xce/0x144 kernel/softirq.c:919
 smpboot_thread_fn+0x654/0xb98 kernel/smpboot.c:164
 kthread+0x28c/0x3a6 kernel/kthread.c:389
 ret_from_fork+0xe/0x18 arch/riscv/kernel/entry.S:326
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:ac193
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2cf pfn:0xac193
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: 00000000000002cf 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942763405400, free_ts 6941446538700
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 3146 tgid 3146 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
 skb_free_frag include/linux/skbuff.h:3399 [inline]
 skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
 skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
 skb_release_all net/core/skbuff.c:1190 [inline]
 __kfree_skb+0x46/0x68 net/core/skbuff.c:1204
 tcp_rcv_established+0xff2/0x2592 net/ipv4/tcp_input.c:6147
 tcp_v4_do_rcv+0x68a/0xbaa net/ipv4/tcp_ipv4.c:1915
 sk_backlog_rcv include/net/sock.h:1113 [inline]
 __release_sock+0x106/0x36e net/core/sock.c:3072
 release_sock+0x5c/0x1c8 net/core/sock.c:3626
 tcp_sendmsg+0x3e/0x4e net/ipv4/tcp.c:1358
 inet_sendmsg+0x9c/0xda net/ipv4/af_inet.c:853
 sock_sendmsg_nosec net/socket.c:729 [inline]
 __sock_sendmsg+0xcc/0x160 net/socket.c:744
 sock_write_iter+0x2a0/0x3ba net/socket.c:1165
 new_sync_write fs/read_write.c:590 [inline]
 vfs_write+0x4d4/0x9b4 fs/read_write.c:683
 ksys_write+0x1f0/0x266 fs/read_write.c:736
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:ae1f1
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000002e1f1c80 pfn:0xae1f1
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: ff6000002e1f1c80 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942763283200, free_ts 6940813897500
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 18914 tgid 18914 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __free_pages+0x13c/0x1bc mm/page_alloc.c:4820
 free_pages.part.0+0x26a/0x4cc mm/page_alloc.c:4833
 free_pages+0xe/0x18 mm/page_alloc.c:4830
 tlb_batch_list_free mm/mmu_gather.c:159 [inline]
 tlb_finish_mmu+0x20c/0x7e6 mm/mmu_gather.c:468
 exit_mmap+0x36c/0xbea mm/mmap.c:1877
 __mmput kernel/fork.c:1347 [inline]
 mmput+0x122/0x3e2 kernel/fork.c:1369
 exit_mm kernel/exit.c:571 [inline]
 do_exit+0x902/0x2986 kernel/exit.c:926
 do_group_exit+0xd4/0x26c kernel/exit.c:1088
 __do_sys_exit_group kernel/exit.c:1099 [inline]
 __se_sys_exit_group kernel/exit.c:1097 [inline]
 __riscv_sys_exit_group+0x4a/0x54 kernel/exit.c:1097
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:97eff
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff60000017effc80 pfn:0x97eff
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: ff60000017effc80 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942763154100, free_ts 6940803461300
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 16932 tgid 16932 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __folio_put+0x1ae/0x22e mm/swap.c:126
 folio_put include/linux/mm.h:1478 [inline]
 free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
 __do_softirq+0x12/0x1a kernel/softirq.c:588
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:aaf87
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0xaaf87
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942763030800, free_ts 6940304808900
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 24 tgid 24 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __folio_put+0x1ae/0x22e mm/swap.c:126
 folio_put include/linux/mm.h:1478 [inline]
 free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
 run_ksoftirqd kernel/softirq.c:927 [inline]
 run_ksoftirqd+0xce/0x144 kernel/softirq.c:919
 smpboot_thread_fn+0x654/0xb98 kernel/smpboot.c:164
 kthread+0x28c/0x3a6 kernel/kthread.c:389
 ret_from_fork+0xe/0x18 arch/riscv/kernel/entry.S:326
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:aaf83
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0xaaf83
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942762892700, free_ts 6925915425900
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 18910 tgid 18910 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __folio_put+0x1ae/0x22e mm/swap.c:126
 folio_put include/linux/mm.h:1478 [inline]
 free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu+0x188/0x372 kernel/softirq.c:637
 irq_exit_rcu+0x10/0xf8 kernel/softirq.c:649
 handle_riscv_irq+0x40/0x4c arch/riscv/kernel/traps.c:378
 call_on_irq_stack+0x32/0x40 arch/riscv/kernel/entry.S:355
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:ab091
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000002b091e88 pfn:0xab091
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: ff6000002b091e88 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942762468000, free_ts 6923527716600
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 18907 tgid 18901 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __free_pages+0x13c/0x1bc mm/page_alloc.c:4820
 free_pages.part.0+0x26a/0x4cc mm/page_alloc.c:4833
 free_pages+0xe/0x18 mm/page_alloc.c:4830
 tlb_batch_list_free mm/mmu_gather.c:159 [inline]
 tlb_finish_mmu+0x20c/0x7e6 mm/mmu_gather.c:468
 exit_mmap+0x36c/0xbea mm/mmap.c:1877
 __mmput kernel/fork.c:1347 [inline]
 mmput+0x122/0x3e2 kernel/fork.c:1369
 exit_mm kernel/exit.c:571 [inline]
 do_exit+0x902/0x2986 kernel/exit.c:926
 do_group_exit+0xd4/0x26c kernel/exit.c:1088
 get_signal+0x1e98/0x23b0 kernel/signal.c:2917
 arch_do_signal_or_restart+0x8d6/0x1190 arch/riscv/kernel/signal.c:437
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x2a6/0x31e kernel/entry/common.c:218
 do_trap_ecall_u+0x86/0x216 arch/riscv/kernel/traps.c:345
 _new_vmalloc_restore_context_a0+0xc2/0xce
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:9daf5
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000001daf5dc0 pfn:0x9daf5
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: ff6000001daf5dc0 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942762073900, free_ts 6937445753000
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 17449 tgid 17449 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __folio_put+0x1ae/0x22e mm/swap.c:126
 folio_put include/linux/mm.h:1478 [inline]
 free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
 __do_softirq+0x12/0x1a kernel/softirq.c:588
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:af05c
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000002f05cc98 pfn:0xaf05c
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: ff6000002f05cc98 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942761890300, free_ts 6937446318600
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 17449 tgid 17449 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __folio_put+0x1ae/0x22e mm/swap.c:126
 folio_put include/linux/mm.h:1478 [inline]
 free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
 __do_softirq+0x12/0x1a kernel/softirq.c:588
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:aea0c
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000002ea0c0d8 pfn:0xaea0c
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: ff6000002ea0c0d8 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942761767100, free_ts 6937446732200
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 17449 tgid 17449 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __folio_put+0x1ae/0x22e mm/swap.c:126
 folio_put include/linux/mm.h:1478 [inline]
 free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
 __do_softirq+0x12/0x1a kernel/softirq.c:588
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:adffd
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x4 pfn:0xadffd
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: 0000000000000004 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942761636500, free_ts 6937447140300
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 17449 tgid 17449 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __folio_put+0x1ae/0x22e mm/swap.c:126
 folio_put include/linux/mm.h:1478 [inline]
 free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
 __do_softirq+0x12/0x1a kernel/softirq.c:588
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:92e90
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff60000012e90000 pfn:0x92e90
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: ff60000012e90000 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942760798600, free_ts 6937447551300
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 17449 tgid 17449 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __folio_put+0x1ae/0x22e mm/swap.c:126
 folio_put include/linux/mm.h:1478 [inline]
 free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
 __do_softirq+0x12/0x1a kernel/softirq.c:588
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:ad24d
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000002d24ddc0 pfn:0xad24d
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: ff6000002d24ddc0 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942760668500, free_ts 6937447952200
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 17449 tgid 17449 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __folio_put+0x1ae/0x22e mm/swap.c:126
 folio_put include/linux/mm.h:1478 [inline]
 free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
 __do_softirq+0x12/0x1a kernel/softirq.c:588
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:a96fe
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff600000296fe400 pfn:0xa96fe
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: ff600000296fe400 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942760546300, free_ts 6937448369400
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 17449 tgid 17449 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __folio_put+0x1ae/0x22e mm/swap.c:126
 folio_put include/linux/mm.h:1478 [inline]
 free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
 __do_softirq+0x12/0x1a kernel/softirq.c:588
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:a96ff
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0xa96ff
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942760419600, free_ts 6937448810500
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 17449 tgid 17449 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __folio_put+0x1ae/0x22e mm/swap.c:126
 folio_put include/linux/mm.h:1478 [inline]
 free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
 __do_softirq+0x12/0x1a kernel/softirq.c:588
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:ab650
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000002b6505d0 pfn:0xab650
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: ff6000002b6505d0 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942760297400, free_ts 6937449247400
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 17449 tgid 17449 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __folio_put+0x1ae/0x22e mm/swap.c:126
 folio_put include/linux/mm.h:1478 [inline]
 free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
 __do_softirq+0x12/0x1a kernel/softirq.c:588
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:a0071
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff60000020071000 pfn:0xa0071
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: ff60000020071000 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942760163400, free_ts 6937449676900
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 17449 tgid 17449 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __folio_put+0x1ae/0x22e mm/swap.c:126
 folio_put include/linux/mm.h:1478 [inline]
 free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
 __do_softirq+0x12/0x1a kernel/softirq.c:588
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:9dec2
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9dec2
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: 0000000000000000 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942760037900, free_ts 6937450131300
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 17449 tgid 17449 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __folio_put+0x1ae/0x22e mm/swap.c:126
 folio_put include/linux/mm.h:1478 [inline]
 free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
 __do_softirq+0x12/0x1a kernel/softirq.c:588
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:9d513
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000001d513220 pfn:0x9d513
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: ff6000001d513220 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942759913000, free_ts 6937450552800
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 17449 tgid 17449 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __folio_put+0x1ae/0x22e mm/swap.c:126
 folio_put include/linux/mm.h:1478 [inline]
 free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
 __do_softirq+0x12/0x1a kernel/softirq.c:588
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:adf81
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000002df81ca8 pfn:0xadf81
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: ff6000002df81ca8 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942759792600, free_ts 6937452060400
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 17449 tgid 17449 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __folio_put+0x1ae/0x22e mm/swap.c:126
 folio_put include/linux/mm.h:1478 [inline]
 free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
 __do_softirq+0x12/0x1a kernel/softirq.c:588
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:acee6
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff pfn:0xacee6
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: 00000000000000ff 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942759671900, free_ts 6937452544100
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 17449 tgid 17449 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
 __folio_put+0x1ae/0x22e mm/swap.c:126
 folio_put include/linux/mm.h:1478 [inline]
 free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
 __do_softirq+0x12/0x1a kernel/softirq.c:588
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G    B              6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806  pfn:9bcfa
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000001bcfa6c8 pfn:0x9bcfa
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: ff6000001bcfa6c8 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942759550900, free_ts 6937452958700
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
 __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
 page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
 page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
 xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
 __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
 _new_vmall