program:
# Reproducer annotated for triage. Constants are decoded from Linux UAPI values;
# anything this log does not show is marked as an assumption.
# Console strings worth keying on: "BUG: Bad page state", "page dumped because:
# nonzero pincount" (pfn:52e01), and the later "PAGE_FLAGS_CHECK_AT_FREE flag(s) set"
# on pfn:52e00. Both reports carry the same page_owner allocation (order 9, ts 75051634221).
# The log shows the process running as UID 0. The program needs an RDS socket and a
# null_blk device, so exposure depends on whether a host provides both.

# RDS socket: domain 0x15 is AF_RDS, type 0x5 is SOCK_SEQPACKET.
r0 = socket$rds(0x15, 0x5, 0x0)
# Bound to the IPv4 loopback address (family 0x2 = AF_INET, port 0).
bind$rds(r0, &(0x7f0000000000)={0x2, 0x0, @loopback}, 0x10)
# dirfd 0xffffffffffffff9c is AT_FDCWD, but the path pointer is 0x0 (NULL).
# NOTE(review): this open presumably fails, leaving r1 invalid for the
# KVM_CREATE_VM ioctl (0xae01) below. No KVM frames appear in the visible traces.
r1 = openat$kvm(0xffffffffffffff9c, 0x0, 0x48000, 0x0)
ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
# null_blk test block device. The path buffer contents are not shown here;
# presumably /dev/nullb0 per syzkaller's openat$nullb description (confirm).
# This fd backs the mmap below. The free path in the log runs through
# blkdev_release -> bdev_release -> blkdev_flush_mapping.
r2 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0xa4242, 0x0)
# Raw IPv6 socket (0xa = AF_INET6, 0x3 = SOCK_RAW), then a sendmmsg with a NULL
# vector and zero count. Likely fuzzer noise: no IPv6 frames appear in the visible traces.
r3 = socket$inet6(0xa, 0x3, 0x8000000003c)
sendmmsg$inet6(r3, 0x0, 0x0, 0x4000880)
# Maps 0xb36000 bytes of the block device fd at the fixed address 0x7f0000000000.
# Flags 0x38011 include MAP_SHARED (0x1) and MAP_FIXED (0x10); prot 0x2000007
# includes read/write/exec. page_owner attributes the bad pages to a page-cache
# fault (filemap_fault -> do_sync_mmap_readahead -> page_cache_ra_order).
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r2, 0x0)
# Advice 0xe is MADV_HUGEPAGE, applied to the first 0x800000 bytes of that mapping.
# NOTE(review): presumably what allows the order-9 readahead folio in the log; confirm.
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
# RDS send with one control message: level 0x114 is SOL_RDS, type 0x6 is
# RDS_CMSG_ATOMIC_FADD. The pointer 0x7f0000000340 (presumably the atomic op's
# local address) lies inside the block-device mapping created above.
# NOTE(review): RDS atomic ops are expected to pin the local user page. The
# "nonzero pincount" report is consistent with a pin on that folio being held or
# mis-accounted when the page cache is truncated at exit. This log alone does not
# establish the root cause.
sendmsg$rds(r0, &(0x7f00000012c0)={&(0x7f0000000200)={0x2, 0x0, @local}, 0x10, 0x0, 0x0, &(0x7f0000000cc0)=[@fadd={0x58, 0x114, 0x6, {{0x2, 0x3}, &(0x7f0000000340), 0x0, 0x3, 0x8, 0x7, 0x10001, 0x65, 0x6}}], 0x58, 0x20004814}, 0x0)
[ 74.980579][ T45] Bluetooth: hci0: command tx timeout
[ 75.151228][ T5356] BUG: Bad page state in process syz.0.0 pfn:52e01
[ 75.161607][ T5356] page does not match folio
[ 75.166249][ T5356] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffffffffffffffff pfn:0x52e01
[ 75.170678][ T5356] ksm flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[ 75.174371][ T5356] raw: 04fff00000000000 0000000000000000 00000000ffffffff ffffffffffffffff
[ 75.178117][ T5356] raw: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000000
[ 75.181964][ T5356] page dumped because: nonzero pincount
[ 75.185380][ T5356] page_owner tracks the page as allocated
[ 75.188027][ T5356] page last allocated via order 9, migratetype Unmovable, gfp_mask 0x152c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 5356, tgid 5356 (syz.0.0), ts 75051634221, free_ts 0
[ 75.197811][ T5356] post_alloc_hook+0x240/0x2a0
[ 75.200198][ T5356] get_page_from_freelist+0x21e4/0x22c0
[ 75.203557][ T5356] __alloc_frozen_pages_noprof+0x181/0x370
[ 75.206191][ T5356] alloc_pages_mpol+0x232/0x4a0
[ 75.208461][ T5356] alloc_pages_noprof+0xa9/0x190
[ 75.210512][ T5356] folio_alloc_noprof+0x1e/0x30
[ 75.212536][ T5356] filemap_alloc_folio_noprof+0xdf/0x470
[ 75.216469][ T5356]
page_cache_ra_order+0x4de/0xd40
[ 75.219010][ T5356] do_sync_mmap_readahead+0x25e/0x7a0
[ 75.221403][ T5356] filemap_fault+0x62c/0x1200
[ 75.225465][ T5356] __do_fault+0x138/0x390
[ 75.227521][ T5356] __handle_mm_fault+0x1847/0x5440
[ 75.230051][ T5356] handle_mm_fault+0x40a/0x8e0
[ 75.232313][ T5356] do_user_addr_fault+0xa81/0x1390
[ 75.235239][ T5356] exc_page_fault+0x76/0xf0
[ 75.237367][ T5356] asm_exc_page_fault+0x26/0x30
[ 75.239622][ T5356] page_owner free stack trace missing
[ 75.243708][ T5356] Modules linked in:
[ 75.245565][ T5356] CPU: 0 UID: 0 PID: 5356 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 75.245579][ T5356] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 75.245586][ T5356] Call Trace:
[ 75.245592][ T5356]
[ 75.245597][ T5356] dump_stack_lvl+0x189/0x250
[ 75.245618][ T5356] ? __pfx_dump_stack_lvl+0x10/0x10
[ 75.245632][ T5356] ? __pfx_print_modules+0x10/0x10
[ 75.245650][ T5356] ? percpu_ref_put+0x19/0x180
[ 75.245665][ T5356] ? percpu_ref_put+0x19/0x180
[ 75.245681][ T5356] ? percpu_ref_put+0xf9/0x180
[ 75.245698][ T5356] bad_page+0x180/0x1c0
[ 75.245712][ T5356] free_tail_page_prepare+0x2c3/0x4f0
[ 75.245729][ T5356] __free_frozen_pages+0x7b7/0xd30
[ 75.245750][ T5356] __folio_put+0x21b/0x2c0
[ 75.245769][ T5356] ? __pfx___folio_put+0x10/0x10
[ 75.245792][ T5356] delete_from_page_cache_batch+0x84c/0x9b0
[ 75.245807][ T5356] ? shmem_mapping+0xd/0x50
[ 75.245824][ T5356] ? __pfx_delete_from_page_cache_batch+0x10/0x10
[ 75.245838][ T5356] ? __filemap_fdatawait_range+0x1d2/0x230
[ 75.245854][ T5356] ? __pfx_workingset_update_node+0x10/0x10
[ 75.245872][ T5356] ? folio_mapping+0x16f/0x240
[ 75.245885][ T5356] ? truncate_cleanup_folio+0x34a/0x430
[ 75.245901][ T5356] truncate_inode_pages_range+0x28a/0xda0
[ 75.245924][ T5356] ? __pfx_truncate_inode_pages_range+0x10/0x10
[ 75.245955][ T5356] ? lockdep_hardirqs_on+0x9c/0x150
[ 75.245974][ T5356] ?
__pfx_invalidate_bh_lru+0x10/0x10
[ 75.245991][ T5356] ? smp_call_function_many_cond+0xe4f/0x12d0
[ 75.246022][ T5356] ? __pfx___mutex_lock+0x10/0x10
[ 75.246038][ T5356] ? __pfx_has_bh_in_lru+0x10/0x10
[ 75.246059][ T5356] blkdev_flush_mapping+0x108/0x270
[ 75.246076][ T5356] ? bdev_release+0x40f/0x650
[ 75.246094][ T5356] bdev_release+0x417/0x650
[ 75.246116][ T5356] ? __pfx_blkdev_release+0x10/0x10
[ 75.246127][ T5356] blkdev_release+0x15/0x20
[ 75.246138][ T5356] __fput+0x449/0xa70
[ 75.246165][ T5356] task_work_run+0x1d1/0x260
[ 75.246184][ T5356] ? __pfx_task_work_run+0x10/0x10
[ 75.246207][ T5356] do_exit+0x6b5/0x2300
[ 75.246227][ T5356] ? preempt_schedule_common+0x83/0xd0
[ 75.246244][ T5356] ? preempt_schedule+0xae/0xc0
[ 75.246260][ T5356] ? __pfx_do_exit+0x10/0x10
[ 75.246280][ T5356] ? preempt_schedule_thunk+0x16/0x30
[ 75.246296][ T5356] do_group_exit+0x21c/0x2d0
[ 75.246316][ T5356] __x64_sys_exit_group+0x3f/0x40
[ 75.246330][ T5356] x64_sys_call+0x21f7/0x2200
[ 75.246346][ T5356] do_syscall_64+0xfa/0x3b0
[ 75.246356][ T5356] ? lockdep_hardirqs_on+0x9c/0x150
[ 75.246371][ T5356] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 75.246382][ T5356] ? clear_bhb_loop+0x60/0xb0
[ 75.246399][ T5356] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 75.246409][ T5356] RIP: 0033:0x7f6f2358eba9
[ 75.246419][ T5356] Code: Unable to access opcode bytes at 0x7f6f2358eb7f.
[ 75.246425][ T5356] RSP: 002b:00007ffd85dffa48 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 75.246437][ T5356] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f6f2358eba9
[ 75.246444][ T5356] RDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000
[ 75.246451][ T5356] RBP: 0000000000000003 R08: 0000000a85dffb3f R09: 00007f6f237a1280
[ 75.246458][ T5356] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
[ 75.246464][ T5356] R13: 00007f6f237a1280 R14: 0000000000000003 R15: 00007ffd85dffb00
[ 75.246483][ T5356]
[ 75.246488][ T5356] Disabling lock debugging due to kernel taint
[ 75.395209][ T5356] BUG: Bad page state in process syz.0.0 pfn:52e00
[ 75.398282][ T5356] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x52e00
[ 75.402296][ T5356] head: order:0 mapcount:0 entire_mapcount:1 nr_pages_mapped:0 pincount:0
[ 75.406763][ T5356] flags: 0x4fff0000000004d(locked|referenced|uptodate|head|node=1|zone=1|lastcpupid=0x7ff)
[ 75.411434][ T5356] raw: 04fff0000000004d dead000000000100 dead000000000122 0000000000000000
[ 75.416559][ T5356] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 75.421393][ T5356] head: 04fff0000000004d dead000000000100 dead000000000122 0000000000000000
[ 75.426020][ T5356] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 75.429895][ T5356] head: 04fff00000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 75.434162][ T5356] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000000
[ 75.438541][ T5356] page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
[ 75.441979][ T5356] page_owner tracks the page as allocated
[ 75.445247][ T5356] page last allocated via order 9, migratetype Unmovable, gfp_mask 0x152c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 5356, tgid 5356 (syz.0.0), ts 75051634221, free_ts 0
[ 75.454057][ T5356] post_alloc_hook+0x240/0x2a0
[ 75.456325][ T5356]
get_page_from_freelist+0x21e4/0x22c0
[ 75.458779][ T5356] __alloc_frozen_pages_noprof+0x181/0x370
[ 75.461309][ T5356] alloc_pages_mpol+0x232/0x4a0
[ 75.463968][ T5356] alloc_pages_noprof+0xa9/0x190
[ 75.466305][ T5356] folio_alloc_noprof+0x1e/0x30
[ 75.468684][ T5356] filemap_alloc_folio_noprof+0xdf/0x470
[ 75.471345][ T5356] page_cache_ra_order+0x4de/0xd40
[ 75.474069][ T5356] do_sync_mmap_readahead+0x25e/0x7a0
[ 75.476361][ T5356] filemap_fault+0x62c/0x1200
[ 75.478590][ T5356] __do_fault+0x138/0x390
[ 75.480736][ T5356] __handle_mm_fault+0x1847/0x5440