BUG: Bad page state in process syz.0.893 pfn:749a0
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xa0 pfn:0x749a0
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
page_type: f9(unknown)
raw: 04fff00000000000 0000000000000000 ffff8880210cb000 0000000000000000
raw: 00000000000000a0 3fffffffffffffff 00000000f9000000 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 8757, tgid 8756 (syz.0.893), ts 210941890611, free_ts 210382981319
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x153/0x170 mm/page_alloc.c:1858
prep_new_page mm/page_alloc.c:1866 [inline]
get_page_from_freelist+0x11a6/0x33b0 mm/page_alloc.c:3946
__alloc_frozen_pages_noprof+0x27c/0x2bc0 mm/page_alloc.c:5226
__alloc_pages_noprof mm/page_alloc.c:5260 [inline]
alloc_pages_bulk_noprof+0x657/0x1390 mm/page_alloc.c:5180
alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline]
__page_pool_alloc_netmems_slow+0x1c6/0xa60 net/core/page_pool.c:616
page_pool_alloc_netmems net/core/page_pool.c:667 [inline]
page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:654
page_pool_alloc_frag_netmem+0x21d/0xa00 net/core/page_pool.c:1096
page_pool_alloc_netmem include/net/page_pool/helpers.h:131 [inline]
page_pool_alloc include/net/page_pool/helpers.h:167 [inline]
page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline]
skb_pp_cow_data+0x5a7/0x1220 net/core/skbuff.c:982
skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1016
netif_skb_check_for_xdp net/core/dev.c:5557 [inline]
netif_receive_generic_xdp net/core/dev.c:5598 [inline]
do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5666
tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874
tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001
new_sync_write fs/read_write.c:595 [inline]
vfs_write+0x6ac/0x1070 fs/read_write.c:688
ksys_write+0x12a/0x250 fs/read_write.c:740
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
do_int80_emulation+0x141/0x700 arch/x86/entry/syscall_32.c:172
asm_int80_emulation+0x1a/0x20 arch/x86/include/asm/idtentry.h:621
page last free pid 53 tgid 53 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
__free_pages_prepare mm/page_alloc.c:1402 [inline]
__free_frozen_pages+0x747/0x1040 mm/page_alloc.c:2943
kasan_depopulate_vmalloc_pte+0x5d/0x80 mm/kasan/shadow.c:484
apply_to_pte_range mm/memory.c:3322 [inline]
apply_to_pmd_range mm/memory.c:3366 [inline]
apply_to_pud_range mm/memory.c:3402 [inline]
apply_to_p4d_range mm/memory.c:3438 [inline]
__apply_to_page_range+0xb1d/0x1520 mm/memory.c:3474
__kasan_release_vmalloc+0xd7/0xe0 mm/kasan/shadow.c:602
kasan_release_vmalloc include/linux/kasan.h:593 [inline]
kasan_release_vmalloc_node mm/vmalloc.c:2284 [inline]
purge_vmap_node+0x210/0xb40 mm/vmalloc.c:2306
__purge_vmap_area_lazy+0x91b/0xc00 mm/vmalloc.c:2396
drain_vmap_area_work+0x27/0x40 mm/vmalloc.c:2430
process_one_work+0xa0e/0x1980 kernel/workqueue.c:3302
process_scheduled_works kernel/workqueue.c:3385 [inline]
worker_thread+0x5ef/0xe50 kernel/workqueue.c:3466
kthread+0x370/0x450 kernel/kthread.c:436
ret_from_fork+0x72b/0xd50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Modules linked in:
CPU: 3 UID: 0 PID: 8757 Comm: syz.0.893 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
bad_page.cold+0xbe/0xdf mm/page_alloc.c:632
page_frag_free+0x199/0x1f0 mm/page_frag_cache.c:169
__xdp_return+0x3b6/0x990 net/core/xdp.c:448
bpf_xdp_shrink_data net/core/filter.c:4211 [inline]
bpf_xdp_frags_shrink_tail net/core/filter.c:4235 [inline]
____bpf_xdp_adjust_tail net/core/filter.c:4257 [inline]
bpf_xdp_adjust_tail+0x8a1/0xbb0 net/core/filter.c:4250
bpf_prog_5d7dc57dfd7f985a+0x1e/0x24
__bpf_prog_run include/linux/filter.h:722 [inline]
bpf_prog_run_xdp include/net/xdp.h:696 [inline]
bpf_prog_run_generic_xdp+0x614/0x1610 net/core/dev.c:5488
netif_receive_generic_xdp net/core/dev.c:5604 [inline]
do_xdp_generic+0x92e/0x12c0 net/core/dev.c:5666
tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874
tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001
new_sync_write fs/read_write.c:595 [inline]
vfs_write+0x6ac/0x1070 fs/read_write.c:688
ksys_write+0x12a/0x250 fs/read_write.c:740
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
do_int80_emulation+0x141/0x700 arch/x86/entry/syscall_32.c:172
asm_int80_emulation+0x1a/0x20 arch/x86/include/asm/idtentry.h:621
RIP: 0023:0xf712616b
Code: 57 56 53 8b 44 24 14 f6 00 08 75 23 8b 44 24 18 8b 5c 24 1c 8b 4c 24 20 8b 54 24 24 8b 74 24 28 8b 7c 24 2c 8b 6c 24 30 cd 80 <5b> 5e 5f 5d c3 5b 5e 5f 5d e9 f7 a1 ff ff 66 90 66 90 66 90 90 53
RSP: 002b:00000000f53e644c EFLAGS: 00000246 ORIG_RAX: 0000000000000004
RAX: ffffffffffffffda RBX: 00000000000000c8 RCX: 0000000080000000
RDX: 000000000000fdef RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
BUG: Bad page state in process syz.0.893 pfn:763ee
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2a61 pfn:0x763ee
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
page_type: f9(unknown)
raw: 04fff00000000000 0000000000000000 ffff8880210cb000 0000000000000000
raw: 0000000000002a61 0000000000000001 00000000f9000000 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 8757, tgid 8756 (syz.0.893), ts 210941884088, free_ts 210383043071
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x153/0x170 mm/page_alloc.c:1858
prep_new_page mm/page_alloc.c:1866 [inline]
get_page_from_freelist+0x11a6/0x33b0 mm/page_alloc.c:3946
__alloc_frozen_pages_noprof+0x27c/0x2bc0 mm/page_alloc.c:5226
__alloc_pages_noprof mm/page_alloc.c:5260 [inline]
alloc_pages_bulk_noprof+0x657/0x1390 mm/page_alloc.c:5180
alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline]
__page_pool_alloc_netmems_slow+0x1c6/0xa60 net/core/page_pool.c:616
page_pool_alloc_netmems net/core/page_pool.c:667 [inline]
page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:654
page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline]
page_pool_alloc include/net/page_pool/helpers.h:167 [inline]
page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline]
skb_pp_cow_data+0xa15/0x1220 net/core/skbuff.c:982
skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1016
netif_skb_check_for_xdp net/core/dev.c:5557 [inline]
netif_receive_generic_xdp net/core/dev.c:5598 [inline]
do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5666
tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874
tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001
new_sync_write fs/read_write.c:595 [inline]
vfs_write+0x6ac/0x1070 fs/read_write.c:688
ksys_write+0x12a/0x250 fs/read_write.c:740
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
do_int80_emulation+0x141/0x700 arch/x86/entry/syscall_32.c:172
asm_int80_emulation+0x1a/0x20 arch/x86/include/asm/idtentry.h:621
page last free pid 53 tgid 53 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
__free_pages_prepare mm/page_alloc.c:1402 [inline]
__free_frozen_pages+0x747/0x1040 mm/page_alloc.c:2943
kasan_depopulate_vmalloc_pte+0x5d/0x80 mm/kasan/shadow.c:484
apply_to_pte_range mm/memory.c:3322 [inline]
apply_to_pmd_range mm/memory.c:3366 [inline]
apply_to_pud_range mm/memory.c:3402 [inline]
apply_to_p4d_range mm/memory.c:3438 [inline]
__apply_to_page_range+0xb1d/0x1520 mm/memory.c:3474
__kasan_release_vmalloc+0xd7/0xe0 mm/kasan/shadow.c:602
kasan_release_vmalloc include/linux/kasan.h:593 [inline]
kasan_release_vmalloc_node mm/vmalloc.c:2284 [inline]
purge_vmap_node+0x210/0xb40 mm/vmalloc.c:2306
__purge_vmap_area_lazy+0x91b/0xc00 mm/vmalloc.c:2396
drain_vmap_area_work+0x27/0x40 mm/vmalloc.c:2430
process_one_work+0xa0e/0x1980 kernel/workqueue.c:3302
process_scheduled_works kernel/workqueue.c:3385 [inline]
worker_thread+0x5ef/0xe50 kernel/workqueue.c:3466
kthread+0x370/0x450 kernel/kthread.c:436
ret_from_fork+0x72b/0xd50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Modules linked in:
CPU: 3 UID: 0 PID: 8757 Comm: syz.0.893 Tainted: G B syzkaller #0 PREEMPT(full)
Tainted: [B]=BAD_PAGE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
bad_page.cold+0xbe/0xdf mm/page_alloc.c:632
page_frag_free+0x199/0x1f0 mm/page_frag_cache.c:169
__xdp_return+0x3b6/0x990 net/core/xdp.c:448
bpf_xdp_shrink_data net/core/filter.c:4211 [inline]
bpf_xdp_frags_shrink_tail net/core/filter.c:4235 [inline]
____bpf_xdp_adjust_tail net/core/filter.c:4257 [inline]
bpf_xdp_adjust_tail+0x8a1/0xbb0 net/core/filter.c:4250
bpf_prog_5d7dc57dfd7f985a+0x1e/0x24
__bpf_prog_run include/linux/filter.h:722 [inline]
bpf_prog_run_xdp include/net/xdp.h:696 [inline]
bpf_prog_run_generic_xdp+0x614/0x1610 net/core/dev.c:5488
netif_receive_generic_xdp net/core/dev.c:5604 [inline]
do_xdp_generic+0x92e/0x12c0 net/core/dev.c:5666
tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874
tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001
new_sync_write fs/read_write.c:595 [inline]
vfs_write+0x6ac/0x1070 fs/read_write.c:688
ksys_write+0x12a/0x250 fs/read_write.c:740
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
do_int80_emulation+0x141/0x700 arch/x86/entry/syscall_32.c:172
asm_int80_emulation+0x1a/0x20 arch/x86/include/asm/idtentry.h:621
RIP: 0023:0xf712616b
Code: 57 56 53 8b 44 24 14 f6 00 08 75 23 8b 44 24 18 8b 5c 24 1c 8b 4c 24 20 8b 54 24 24 8b 74 24 28 8b 7c 24 2c 8b 6c 24 30 cd 80 <5b> 5e 5f 5d c3 5b 5e 5f 5d e9 f7 a1 ff ff 66 90 66 90 66 90 90 53
RSP: 002b:00000000f53e644c EFLAGS: 00000246 ORIG_RAX: 0000000000000004
RAX: ffffffffffffffda RBX: 00000000000000c8 RCX: 0000000080000000
RDX: 000000000000fdef RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
BUG: Bad page state in process syz.0.893 pfn:4be33
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888026813100 pfn:0x4be33
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
page_type: f9(unknown)
raw: 04fff00000000000 0000000000000000 ffff8880210cb000 0000000000000000
raw: ffff888026813100 0000000000000001 00000000f9000000 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 8757, tgid 8756 (syz.0.893), ts 210941877768, free_ts 210383059785
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x153/0x170 mm/page_alloc.c:1858
prep_new_page mm/page_alloc.c:1866 [inline]
get_page_from_freelist+0x11a6/0x33b0 mm/page_alloc.c:3946
__alloc_frozen_pages_noprof+0x27c/0x2bc0 mm/page_alloc.c:5226
__alloc_pages_noprof mm/page_alloc.c:5260 [inline]
alloc_pages_bulk_noprof+0x657/0x1390 mm/page_alloc.c:5180
alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline]
__page_pool_alloc_netmems_slow+0x1c6/0xa60 net/core/page_pool.c:616
page_pool_alloc_netmems net/core/page_pool.c:667 [inline]
page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:654
page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline]
page_pool_alloc include/net/page_pool/helpers.h:167 [inline]
page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline]
skb_pp_cow_data+0xa15/0x1220 net/core/skbuff.c:982
skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1016
netif_skb_check_for_xdp net/core/dev.c:5557 [inline]
netif_receive_generic_xdp net/core/dev.c:5598 [inline]
do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5666
tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874
tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001
new_sync_write fs/read_write.c:595 [inline]
vfs_write+0x6ac/0x1070 fs/read_write.c:688
ksys_write+0x12a/0x250 fs/read_write.c:740
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
do_int80_emulation+0x141/0x700 arch/x86/entry/syscall_32.c:172
asm_int80_emulation+0x1a/0x20 arch/x86/include/asm/idtentry.h:621
page last free pid 53 tgid 53 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
__free_pages_prepare mm/page_alloc.c:1402 [inline]
__free_frozen_pages+0x747/0x1040 mm/page_alloc.c:2943
kasan_depopulate_vmalloc_pte+0x5d/0x80 mm/kasan/shadow.c:484
apply_to_pte_range mm/memory.c:3322 [inline]
apply_to_pmd_range mm/memory.c:3366 [inline]
apply_to_pud_range mm/memory.c:3402 [inline]
apply_to_p4d_range mm/memory.c:3438 [inline]
__apply_to_page_range+0xb1d/0x1520 mm/memory.c:3474
__kasan_release_vmalloc+0xd7/0xe0 mm/kasan/shadow.c:602
kasan_release_vmalloc include/linux/kasan.h:593 [inline]
kasan_release_vmalloc_node mm/vmalloc.c:2284 [inline]
purge_vmap_node+0x210/0xb40 mm/vmalloc.c:2306
__purge_vmap_area_lazy+0x91b/0xc00 mm/vmalloc.c:2396
drain_vmap_area_work+0x27/0x40 mm/vmalloc.c:2430
process_one_work+0xa0e/0x1980 kernel/workqueue.c:3302
process_scheduled_works kernel/workqueue.c:3385 [inline]
worker_thread+0x5ef/0xe50 kernel/workqueue.c:3466
kthread+0x370/0x450 kernel/kthread.c:436
ret_from_fork+0x72b/0xd50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Modules linked in:
CPU: 3 UID: 0 PID: 8757 Comm: syz.0.893 Tainted: G B syzkaller #0 PREEMPT(full)
Tainted: [B]=BAD_PAGE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
bad_page.cold+0xbe/0xdf mm/page_alloc.c:632
page_frag_free+0x199/0x1f0 mm/page_frag_cache.c:169
__xdp_return+0x3b6/0x990 net/core/xdp.c:448
bpf_xdp_shrink_data net/core/filter.c:4211 [inline]
bpf_xdp_frags_shrink_tail net/core/filter.c:4235 [inline]
____bpf_xdp_adjust_tail net/core/filter.c:4257 [inline]
bpf_xdp_adjust_tail+0x8a1/0xbb0 net/core/filter.c:4250
bpf_prog_5d7dc57dfd7f985a+0x1e/0x24
__bpf_prog_run include/linux/filter.h:722 [inline]
bpf_prog_run_xdp include/net/xdp.h:696 [inline]
bpf_prog_run_generic_xdp+0x614/0x1610 net/core/dev.c:5488
netif_receive_generic_xdp net/core/dev.c:5604 [inline]
do_xdp_generic+0x92e/0x12c0 net/core/dev.c:5666
tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874
tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001
new_sync_write fs/read_write.c:595 [inline]
vfs_write+0x6ac/0x1070 fs/read_write.c:688
ksys_write+0x12a/0x250 fs/read_write.c:740
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
do_int80_emulation+0x141/0x700 arch/x86/entry/syscall_32.c:172
asm_int80_emulation+0x1a/0x20 arch/x86/include/asm/idtentry.h:621
RIP: 0023:0xf712616b
Code: 57 56 53 8b 44 24 14 f6 00 08 75 23 8b 44 24 18 8b 5c 24 1c 8b 4c 24 20 8b 54 24 24 8b 74 24 28 8b 7c 24 2c 8b 6c 24 30 cd 80 <5b> 5e 5f 5d c3 5b 5e 5f 5d e9 f7 a1 ff ff 66 90 66 90 66 90 90 53
RSP: 002b:00000000f53e644c EFLAGS: 00000246 ORIG_RAX: 0000000000000004
RAX: ffffffffffffffda RBX: 00000000000000c8 RCX: 0000000080000000
RDX: 000000000000fdef RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
BUG: Bad page state in process syz.0.893 pfn:6042b
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6042b
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
page_type: f9(unknown)
raw: 04fff00000000000 0000000000000000 ffff8880210cb000 0000000000000000
raw: 0000000000000000 0000000000000001 00000000f9000000 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 8757, tgid 8756 (syz.0.893), ts 210941871186, free_ts 210383066455
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x153/0x170 mm/page_alloc.c:1858
prep_new_page mm/page_alloc.c:1866 [inline]
get_page_from_freelist+0x11a6/0x33b0 mm/page_alloc.c:3946
__alloc_frozen_pages_noprof+0x27c/0x2bc0 mm/page_alloc.c:5226
__alloc_pages_noprof mm/page_alloc.c:5260 [inline]
alloc_pages_bulk_noprof+0x657/0x1390 mm/page_alloc.c:5180
alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline]
__page_pool_alloc_netmems_slow+0x1c6/0xa60 net/core/page_pool.c:616
page_pool_alloc_netmems net/core/page_pool.c:667 [inline]
page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:654
page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline]
page_pool_alloc include/net/page_pool/helpers.h:167 [inline]
page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline]
skb_pp_cow_data+0xa15/0x1220 net/core/skbuff.c:982
skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1016
netif_skb_check_for_xdp net/core/dev.c:5557 [inline]
netif_receive_generic_xdp net/core/dev.c:5598 [inline]
do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5666
tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874
tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001
new_sync_write fs/read_write.c:595 [inline]
vfs_write+0x6ac/0x1070 fs/read_write.c:688
ksys_write+0x12a/0x250 fs/read_write.c:740
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
do_int80_emulation+0x141/0x700 arch/x86/entry/syscall_32.c:172
asm_int80_emulation+0x1a/0x20 arch/x86/include/asm/idtentry.h:621
page last free pid 53 tgid 53 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
__free_pages_prepare mm/page_alloc.c:1402 [inline]
__free_frozen_pages+0x747/0x1040 mm/page_alloc.c:2943
kasan_depopulate_vmalloc_pte+0x5d/0x80 mm/kasan/shadow.c:484
apply_to_pte_range mm/memory.c:3322 [inline]
apply_to_pmd_range mm/memory.c:3366 [inline]
apply_to_pud_range mm/memory.c:3402 [inline]
apply_to_p4d_range mm/memory.c:3438 [inline]
__apply_to_page_range+0xb1d/0x1520 mm/memory.c:3474
__kasan_release_vmalloc+0xd7/0xe0 mm/kasan/shadow.c:602
kasan_release_vmalloc include/linux/kasan.h:593 [inline]
kasan_release_vmalloc_node mm/vmalloc.c:2284 [inline]
purge_vmap_node+0x210/0xb40 mm/vmalloc.c:2306
__purge_vmap_area_lazy+0x91b/0xc00 mm/vmalloc.c:2396
drain_vmap_area_work+0x27/0x40 mm/vmalloc.c:2430
process_one_work+0xa0e/0x1980 kernel/workqueue.c:3302
process_scheduled_works kernel/workqueue.c:3385 [inline]
worker_thread+0x5ef/0xe50 kernel/workqueue.c:3466
kthread+0x370/0x450 kernel/kthread.c:436
ret_from_fork+0x72b/0xd50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Modules linked in:
CPU: 3 UID: 0 PID: 8757 Comm: syz.0.893 Tainted: G B syzkaller #0 PREEMPT(full)
Tainted: [B]=BAD_PAGE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
bad_page.cold+0xbe/0xdf mm/page_alloc.c:632
page_frag_free+0x199/0x1f0 mm/page_frag_cache.c:169
__xdp_return+0x3b6/0x990 net/core/xdp.c:448
bpf_xdp_shrink_data net/core/filter.c:4211 [inline]
bpf_xdp_frags_shrink_tail net/core/filter.c:4235 [inline]
____bpf_xdp_adjust_tail net/core/filter.c:4257 [inline]
bpf_xdp_adjust_tail+0x8a1/0xbb0 net/core/filter.c:4250
bpf_prog_5d7dc57dfd7f985a+0x1e/0x24
__bpf_prog_run include/linux/filter.h:722 [inline]
bpf_prog_run_xdp include/net/xdp.h:696 [inline]
bpf_prog_run_generic_xdp+0x614/0x1610 net/core/dev.c:5488
netif_receive_generic_xdp net/core/dev.c:5604 [inline]
do_xdp_generic+0x92e/0x12c0 net/core/dev.c:5666
tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874
tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001
new_sync_write fs/read_write.c:595 [inline]
vfs_write+0x6ac/0x1070 fs/read_write.c:688
ksys_write+0x12a/0x250 fs/read_write.c:740
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
do_int80_emulation+0x141/0x700 arch/x86/entry/syscall_32.c:172
asm_int80_emulation+0x1a/0x20 arch/x86/include/asm/idtentry.h:621
RIP: 0023:0xf712616b
Code: 57 56 53 8b 44 24 14 f6 00 08 75 23 8b 44 24 18 8b 5c 24 1c 8b 4c 24 20 8b 54 24 24 8b 74 24 28 8b 7c 24 2c 8b 6c 24 30 cd 80 <5b> 5e 5f 5d c3 5b 5e 5f 5d e9 f7 a1 ff ff 66 90 66 90 66 90 90 53
RSP: 002b:00000000f53e644c EFLAGS: 00000246 ORIG_RAX: 0000000000000004
RAX: ffffffffffffffda RBX: 00000000000000c8 RCX: 0000000080000000
RDX: 000000000000fdef RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
BUG: Bad page state in process syz.0.893 pfn:6df01
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffffffff00000000 pfn:0x6df01
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
page_type: f9(unknown)
raw: 04fff00000000000 0000000000000000 ffff8880210cb000 0000000000000000
raw: ffffffff00000000 0000000000000001 00000000f9000000 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 8757, tgid 8756 (syz.0.893), ts 210941864953, free_ts 210383071971
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x153/0x170 mm/page_alloc.c:1858
prep_new_page mm/page_alloc.c:1866 [inline]
get_page_from_freelist+0x11a6/0x33b0 mm/page_alloc.c:3946
__alloc_frozen_pages_noprof+0x27c/0x2bc0 mm/page_alloc.c:5226
__alloc_pages_noprof mm/page_alloc.c:5260 [inline]
alloc_pages_bulk_noprof+0x657/0x1390 mm/page_alloc.c:5180
alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline]
__page_pool_alloc_netmems_slow+0x1c6/0xa60 net/core/page_pool.c:616
page_pool_alloc_netmems net/core/page_pool.c:667 [inline]
page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:654
page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline]
page_pool_alloc include/net/page_pool/helpers.h:167 [inline]
page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline]
skb_pp_cow_data+0xa15/0x1220 net/core/skbuff.c:982
skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1016
netif_skb_check_for_xdp net/core/dev.c:5557 [inline]
netif_receive_generic_xdp net/core/dev.c:5598 [inline]
do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5666
tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874
tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001
new_sync_write fs/read_write.c:595 [inline]
vfs_write+0x6ac/0x1070 fs/read_write.c:688
ksys_write+0x12a/0x250 fs/read_write.c:740
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
do_int80_emulation+0x141/0x700 arch/x86/entry/syscall_32.c:172
asm_int80_emulation+0x1a/0x20 arch/x86/include/asm/idtentry.h:621
page last free pid 53 tgid 53 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
__free_pages_prepare mm/page_alloc.c:1402 [inline]
__free_frozen_pages+0x747/0x1040 mm/page_alloc.c:2943
kasan_depopulate_vmalloc_pte+0x5d/0x80 mm/kasan/shadow.c:484
apply_to_pte_range mm/memory.c:3322 [inline]
apply_to_pmd_range mm/memory.c:3366 [inline]
apply_to_pud_range mm/memory.c:3402 [inline]
apply_to_p4d_range mm/memory.c:3438 [inline]
__apply_to_page_range+0xb1d/0x1520 mm/memory.c:3474
__kasan_release_vmalloc+0xd7/0xe0 mm/kasan/shadow.c:602
kasan_release_vmalloc include/linux/kasan.h:593 [inline]
kasan_release_vmalloc_node mm/vmalloc.c:2284 [inline]
purge_vmap_node+0x210/0xb40 mm/vmalloc.c:2306
__purge_vmap_area_lazy+0x91b/0xc00 mm/vmalloc.c:2396
drain_vmap_area_work+0x27/0x40 mm/vmalloc.c:2430
process_one_work+0xa0e/0x1980 kernel/workqueue.c:3302
process_scheduled_works kernel/workqueue.c:3385 [inline]
worker_thread+0x5ef/0xe50 kernel/workqueue.c:3466
kthread+0x370/0x450 kernel/kthread.c:436
ret_from_fork+0x72b/0xd50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Modules linked in:
CPU: 3 UID: 0 PID: 8757 Comm: syz.0.893 Tainted: G B syzkaller #0 PREEMPT(full)
Tainted: [B]=BAD_PAGE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
bad_page.cold+0xbe/0xdf mm/page_alloc.c:632
page_frag_free+0x199/0x1f0 mm/page_frag_cache.c:169
__xdp_return+0x3b6/0x990 net/core/xdp.c:448
bpf_xdp_shrink_data net/core/filter.c:4211 [inline]
bpf_xdp_frags_shrink_tail net/core/filter.c:4235 [inline]
____bpf_xdp_adjust_tail net/core/filter.c:4257 [inline]
bpf_xdp_adjust_tail+0x8a1/0xbb0 net/core/filter.c:4250
bpf_prog_5d7dc57dfd7f985a+0x1e/0x24
__bpf_prog_run include/linux/filter.h:722 [inline]
bpf_prog_run_xdp include/net/xdp.h:696 [inline]
bpf_prog_run_generic_xdp+0x614/0x1610 net/core/dev.c:5488
netif_receive_generic_xdp net/core/dev.c:5604 [inline]
do_xdp_generic+0x92e/0x12c0 net/core/dev.c:5666
tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874
tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001
new_sync_write fs/read_write.c:595 [inline]
vfs_write+0x6ac/0x1070 fs/read_write.c:688
ksys_write+0x12a/0x250 fs/read_write.c:740
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
do_int80_emulation+0x141/0x700 arch/x86/entry/syscall_32.c:172
asm_int80_emulation+0x1a/0x20 arch/x86/include/asm/idtentry.h:621
RIP: 0023:0xf712616b
Code: 57 56 53 8b 44 24 14 f6 00 08 75 23 8b 44 24 18 8b 5c 24 1c 8b 4c 24 20 8b 54 24 24 8b 74 24 28 8b 7c 24 2c 8b 6c 24 30 cd 80 <5b> 5e 5f 5d c3 5b 5e 5f 5d e9 f7 a1 ff ff 66 90 66 90 66 90 90 53
RSP: 002b:00000000f53e644c EFLAGS: 00000246 ORIG_RAX: 0000000000000004
RAX: ffffffffffffffda RBX: 00000000000000c8 RCX: 0000000080000000
RDX: 000000000000fdef RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
BUG: Bad page state in process syz.0.893 pfn:719f2
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x719f2
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
page_type: f9(unknown)
raw: 04fff00000000000 0000000000000000 ffff8880210cb000 0000000000000000
raw: 0000000000000000 0000000000000001 00000000f9000000 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 8757, tgid 8756 (syz.0.893), ts 210941858566, free_ts 210383082935
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x153/0x170 mm/page_alloc.c:1858
prep_new_page mm/page_alloc.c:1866 [inline]
get_page_from_freelist+0x11a6/0x33b0 mm/page_alloc.c:3946
__alloc_frozen_pages_noprof+0x27c/0x2bc0 mm/page_alloc.c:5226
__alloc_pages_noprof mm/page_alloc.c:5260 [inline]
alloc_pages_bulk_noprof+0x657/0x1390 mm/page_alloc.c:5180
alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline]
__page_pool_alloc_netmems_slow+0x1c6/0xa60 net/core/page_pool.c:616
page_pool_alloc_netmems net/core/page_pool.c:667 [inline]
page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:654
page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline]
page_pool_alloc include/net/page_pool/helpers.h:167 [inline]
page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline]
skb_pp_cow_data+0xa15/0x1220 net/core/skbuff.c:982
skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1016
netif_skb_check_for_xdp net/core/dev.c:5557 [inline]
netif_receive_generic_xdp net/core/dev.c:5598 [inline]
do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5666
tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874
tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001
new_sync_write fs/read_write.c:595 [inline]
vfs_write+0x6ac/0x1070 fs/read_write.c:688
ksys_write+0x12a/0x250 fs/read_write.c:740
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
do_int80_emulation+0x141/0x700 arch/x86/entry/syscall_32.c:172
asm_int80_emulation+0x1a/0x20 arch/x86/include/asm/idtentry.h:621
page last free pid 53 tgid 53 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
__free_pages_prepare mm/page_alloc.c:1402 [inline]
__free_frozen_pages+0x747/0x1040 mm/page_alloc.c:2943
kasan_depopulate_vmalloc_pte+0x5d/0x80 mm/kasan/shadow.c:484
apply_to_pte_range mm/memory.c:3322 [inline]
apply_to_pmd_range mm/memory.c:3366 [inline]
apply_to_pud_range mm/memory.c:3402 [inline]
apply_to_p4d_range mm/memory.c:3438 [inline]
__apply_to_page_range+0xb1d/0x1520 mm/memory.c:3474
__kasan_release_vmalloc+0xd7/0xe0 mm/kasan/shadow.c:602
kasan_release_vmalloc include/linux/kasan.h:593 [inline]
kasan_release_vmalloc_node mm/vmalloc.c:2284 [inline]
purge_vmap_node+0x210/0xb40 mm/vmalloc.c:2306
__purge_vmap_area_lazy+0x91b/0xc00 mm/vmalloc.c:2396
drain_vmap_area_work+0x27/0x40 mm/vmalloc.c:2430
process_one_work+0xa0e/0x1980 kernel/workqueue.c:3302
process_scheduled_works kernel/workqueue.c:3385 [inline]
worker_thread+0x5ef/0xe50 kernel/workqueue.c:3466
kthread+0x370/0x450 kernel/kthread.c:436
ret_from_fork+0x72b/0xd50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Modules linked in:
CPU: 3 UID: 0 PID: 8757 Comm: syz.0.893 Tainted: G B syzkaller #0 PREEMPT(full)
Tainted: [B]=BAD_PAGE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
bad_page.cold+0xbe/0xdf mm/page_alloc.c:632
page_frag_free+0x199/0x1f0 mm/page_frag_cache.c:169
__xdp_return+0x3b6/0x990 net/core/xdp.c:448
bpf_xdp_shrink_data net/core/filter.c:4211 [inline]
bpf_xdp_frags_shrink_tail net/core/filter.c:4235 [inline]
____bpf_xdp_adjust_tail net/core/filter.c:4257 [inline]
bpf_xdp_adjust_tail+0x8a1/0xbb0 net/core/filter.c:4250
bpf_prog_5d7dc57dfd7f985a+0x1e/0x24
__bpf_prog_run include/linux/filter.h:722 [inline]
bpf_prog_run_xdp include/net/xdp.h:696 [inline]
bpf_prog_run_generic_xdp+0x614/0x1610 net/core/dev.c:5488
netif_receive_generic_xdp net/core/dev.c:5604 [inline]
do_xdp_generic+0x92e/0x12c0 net/core/dev.c:5666
tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874
tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001
new_sync_write fs/read_write.c:595 [inline]
vfs_write+0x6ac/0x1070 fs/read_write.c:688
ksys_write+0x12a/0x250 fs/read_write.c:740
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
do_int80_emulation+0x141/0x700 arch/x86/entry/syscall_32.c:172
asm_int80_emulation+0x1a/0x20 arch/x86/include/asm/idtentry.h:621
RIP: 0023:0xf712616b
Code: 57 56 53 8b 44 24 14 f6 00 08 75 23 8b 44 24 18 8b 5c 24 1c 8b 4c 24 20 8b 54 24 24 8b 74 24 28 8b 7c 24 2c 8b 6c 24 30 cd 80 <5b> 5e 5f 5d c3 5b 5e 5f 5d e9 f7 a1 ff ff 66 90 66 90 66 90 90 53
RSP: 002b:00000000f53e644c EFLAGS: 00000246 ORIG_RAX: 0000000000000004
RAX: ffffffffffffffda RBX: 00000000000000c8 RCX: 0000000080000000
RDX: 000000000000fdef RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
BUG: Bad page state in process syz.0.893 pfn:4bab4
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x90 pfn:0x4bab4
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
page_type: f9(unknown)
raw: 04fff00000000000 0000000000000000 ffff8880210cb000 0000000000000000
raw: 0000000000000090 0000000000000001 00000000f9000000 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 8757, tgid 8756 (syz.0.893), ts 210941851970, free_ts 210383148118
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x153/0x170 mm/page_alloc.c:1858
prep_new_page mm/page_alloc.c:1866 [inline]
get_page_from_freelist+0x11a6/0x33b0 mm/page_alloc.c:3946
__alloc_frozen_pages_noprof+0x27c/0x2bc0 mm/page_alloc.c:5226
__alloc_pages_noprof mm/page_alloc.c:5260 [inline]
alloc_pages_bulk_noprof+0x657/0x1390 mm/page_alloc.c:5180
alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline]
__page_pool_alloc_netmems_slow+0x1c6/0xa60 net/core/page_pool.c:616
page_pool_alloc_netmems net/core/page_pool.c:667 [inline]
page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:654
page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline]
page_pool_alloc include/net/page_pool/helpers.h:167 [inline]
page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline]
skb_pp_cow_data+0xa15/0x1220 net/core/skbuff.c:982
skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1016
netif_skb_check_for_xdp net/core/dev.c:5557 [inline]
netif_receive_generic_xdp net/core/dev.c:5598 [inline]
do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5666
tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874
tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001
new_sync_write fs/read_write.c:595 [inline]
vfs_write+0x6ac/0x1070 fs/read_write.c:688
ksys_write+0x12a/0x250 fs/read_write.c:740
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
do_int80_emulation+0x141/0x700 arch/x86/entry/syscall_32.c:172
asm_int80_emulation+0x1a/0x20 arch/x86/include/asm/idtentry.h:621
page last free pid 53 tgid 53 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
__free_pages_prepare mm/page_alloc.c:1402 [inline]
__free_frozen_pages+0x747/0x1040 mm/page_alloc.c:2943
kasan_depopulate_vmalloc_pte+0x5d/0x80 mm/kasan/shadow.c:484
apply_to_pte_range mm/memory.c:3322 [inline]
apply_to_pmd_range mm/memory.c:3366 [inline]
apply_to_pud_range mm/memory.c:3402 [inline]
apply_to_p4d_range mm/memory.c:3438 [inline]
__apply_to_page_range+0xb1d/0x1520 mm/memory.c:3474
__kasan_release_vmalloc+0xd7/0xe0 mm/kasan/shadow.c:602
kasan_release_vmalloc include/linux/kasan.h:593 [inline]
kasan_release_vmalloc_node mm/vmalloc.c:2284 [inline]
purge_vmap_node+0x210/0xb40 mm/vmalloc.c:2306
__purge_vmap_area_lazy+0x91b/0xc00 mm/vmalloc.c:2396
drain_vmap_area_work+0x27/0x40 mm/vmalloc.c:2430
process_one_work+0xa0e/0x1980 kernel/workqueue.c:3302
process_scheduled_works kernel/workqueue.c:3385 [inline]
worker_thread+0x5ef/0xe50 kernel/workqueue.c:3466
kthread+0x370/0x450 kernel/kthread.c:436
ret_from_fork+0x72b/0xd50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Modules linked in:
CPU: 3 UID: 0 PID: 8757 Comm: syz.0.893 Tainted: G B syzkaller #0 PREEMPT(full)
Tainted: [B]=BAD_PAGE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
bad_page.cold+0xbe/0xdf mm/page_alloc.c:632
page_frag_free+0x199/0x1f0 mm/page_frag_cache.c:169
__xdp_return+0x3b6/0x990 net/core/xdp.c:448
bpf_xdp_shrink_data net/core/filter.c:4211 [inline]
bpf_xdp_frags_shrink_tail net/core/filter.c:4235 [inline]
____bpf_xdp_adjust_tail net/core/filter.c:4257 [inline]
bpf_xdp_adjust_tail+0x8a1/0xbb0 net/core/filter.c:4250
bpf_prog_5d7dc57dfd7f985a+0x1e/0x24
__bpf_prog_run include/linux/filter.h:722 [inline]
bpf_prog_run_xdp include/net/xdp.h:696 [inline]
bpf_prog_run_generic_xdp+0x614/0x1610 net/core/dev.c:5488
netif_receive_generic_xdp net/core/dev.c:5604 [inline]
do_xdp_generic+0x92e/0x12c0 net/core/dev.c:5666
tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874
tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001
new_sync_write fs/read_write.c:595 [inline]
vfs_write+0x6ac/0x1070 fs/read_write.c:688
ksys_write+0x12a/0x250 fs/read_write.c:740
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
do_int80_emulation+0x141/0x700 arch/x86/entry/syscall_32.c:172
asm_int80_emulation+0x1a/0x20 arch/x86/include/asm/idtentry.h:621
RIP: 0023:0xf712616b
Code: 57 56 53 8b 44 24 14 f6 00 08 75 23 8b 44 24 18 8b 5c 24 1c 8b 4c 24 20 8b 54 24 24 8b 74 24 28 8b 7c 24 2c 8b 6c 24 30 cd 80 <5b> 5e 5f 5d c3 5b 5e 5f 5d e9 f7 a1 ff ff 66 90 66 90 66 90 90 53
RSP: 002b:00000000f53e644c EFLAGS: 00000246 ORIG_RAX: 0000000000000004
RAX: ffffffffffffffda RBX: 00000000000000c8 RCX: 0000000080000000
RDX: 000000000000fdef RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
BUG: Bad page state in process syz.0.893 pfn:74fd7
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x187 pfn:0x74fd7
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
page_type: f9(unknown)
raw: 04fff00000000000 0000000000000000 ffff8880210cb000 0000000000000000
raw: 0000000000000187 0000000000000001 00000000f9000000 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 8757, tgid 8756 (syz.0.893), ts 210941845464, free_ts 210383562566
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x153/0x170 mm/page_alloc.c:1858
prep_new_page mm/page_alloc.c:1866 [inline]
get_page_from_freelist+0x11a6/0x33b0 mm/page_alloc.c:3946
__alloc_frozen_pages_noprof+0x27c/0x2bc0 mm/page_alloc.c:5226
__alloc_pages_noprof mm/page_alloc.c:5260 [inline]
alloc_pages_bulk_noprof+0x657/0x1390 mm/page_alloc.c:5180
alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline]
__page_pool_alloc_netmems_slow+0x1c6/0xa60 net/core/page_pool.c:616
page_pool_alloc_netmems net/core/page_pool.c:667 [inline]
page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:654
page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline]
page_pool_alloc include/net/page_pool/helpers.h:167 [inline]
page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline]
skb_pp_cow_data+0xa15/0x1220 net/core/skbuff.c:982
skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1016
netif_skb_check_for_xdp net/core/dev.c:5557 [inline]
netif_receive_generic_xdp net/core/dev.c:5598 [inline]
do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5666
tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874
tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001
new_sync_write fs/read_write.c:595 [inline]
vfs_write+0x6ac/0x1070 fs/read_write.c:688
ksys_write+0x12a/0x250 fs/read_write.c:740
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
do_int80_emulation+0x141/0x700 arch/x86/entry/syscall_32.c:172
asm_int80_emulation+0x1a/0x20 arch/x86/include/asm/idtentry.h:621
page last free pid 53 tgid 53 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
__free_pages_prepare mm/page_alloc.c:1402 [inline]
__free_frozen_pages+0x747/0x1040 mm/page_alloc.c:2943
kasan_depopulate_vmalloc_pte+0x5d/0x80 mm/kasan/shadow.c:484
apply_to_pte_range mm/memory.c:3322 [inline]
apply_to_pmd_range mm/memory.c:3366 [inline]
apply_to_pud_range mm/memory.c:3402 [inline]
apply_to_p4d_range mm/memory.c:3438 [inline]
__apply_to_page_range+0xb1d/0x1520 mm/memory.c:3474
__kasan_release_vmalloc+0xd7/0xe0 mm/kasan/shadow.c:602
kasan_release_vmalloc include/linux/kasan.h:593 [inline]
kasan_release_vmalloc_node mm/vmalloc.c:2284 [inline]
purge_vmap_node+0x210/0xb40 mm/vmalloc.c:2306
__purge_vmap_area_lazy+0x91b/0xc00 mm/vmalloc.c:2396
drain_vmap_area_work+0x27/0x40 mm/vmalloc.c:2430
process_one_work+0xa0e/0x1980 kernel/workqueue.c:3302
process_scheduled_works kernel/workqueue.c:3385 [inline]
worker_thread+0x5ef/0xe50 kernel/workqueue.c:3466
kthread+0x370/0x450 kernel/kthread.c:436
ret_from_fork+0x72b/0xd50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Modules linked in:
CPU: 3 UID: 0 PID: 8757 Comm: syz.0.893 Tainted: G B syzkaller #0 PREEMPT(full)
Tainted: [B]=BAD_PAGE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
bad_page.cold+0xbe/0xdf mm/page_alloc.c:632
page_frag_free+0x199/0x1f0 mm/page_frag_cache.c:169
__xdp_return+0x3b6/0x990 net/core/xdp.c:448
bpf_xdp_shrink_data net/core/filter.c:4211 [inline]
bpf_xdp_frags_shrink_tail net/core/filter.c:4235 [inline]
____bpf_xdp_adjust_tail net/core/filter.c:4257 [inline]
bpf_xdp_adjust_tail+0x8a1/0xbb0 net/core/filter.c:4250
bpf_prog_5d7dc57dfd7f985a+0x1e/0x24
__bpf_prog_run include/linux/filter.h:722 [inline]
bpf_prog_run_xdp include/net/xdp.h:696 [inline]
bpf_prog_run_generic_xdp+0x614/0x1610 net/core/dev.c:5488
netif_receive_generic_xdp net/core/dev.c:5604 [inline]
do_xdp_generic+0x92e/0x12c0 net/core/dev.c:5666
tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874
tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001
new_sync_write fs/read_write.c:595 [inline]
vfs_write+0x6ac/0x1070 fs/read_write.c:688
ksys_write+0x12a/0x250 fs/read_write.c:740
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
do_int80_emulation+0x141/0x700 arch/x86/entry/syscall_32.c:172
asm_int80_emulation+0x1a/0x20 arch/x86/include/asm/idtentry.h:621
RIP: 0023:0xf712616b
Code: 57 56 53 8b 44 24 14 f6 00 08 75 23 8b 44 24 18 8b 5c 24 1c 8b 4c 24 20 8b 54 24 24 8b 74 24 28 8b 7c 24 2c 8b 6c 24 30 cd 80 <5b> 5e 5f 5d c3 5b 5e 5f 5d e9 f7 a1 ff ff 66 90 66 90 66 90 90 53
RSP: 002b:00000000f53e644c EFLAGS: 00000246 ORIG_RAX: 0000000000000004
RAX: ffffffffffffffda RBX: 00000000000000c8 RCX: 0000000080000000
RDX: 000000000000fdef RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
BUG: Bad page state in process syz.0.893 pfn:4af52
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4af52
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
page_type: f9(unknown)
raw: 04fff00000000000 0000000000000000 ffff8880210cb000 0000000000000000
raw: 0000000000000000 0000000000000001 00000000f9000000 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 8757, tgid 8756 (syz.0.893), ts 210941839290, free_ts 210383744413
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x153/0x170 mm/page_alloc.c:1858
prep_new_page mm/page_alloc.c:1866 [inline]
get_page_from_freelist+0x11a6/0x33b0 mm/page_alloc.c:3946
__alloc_frozen_pages_noprof+0x27c/0x2bc0 mm/page_alloc.c:5226
__alloc_pages_noprof mm/page_alloc.c:5260 [inline]
alloc_pages_bulk_noprof+0x657/0x1390 mm/page_alloc.c:5180
alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline]
__page_pool_alloc_netmems_slow+0x1c6/0xa60 net/core/page_pool.c:616
page_pool_alloc_netmems net/core/page_pool.c:667 [inline]
page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:654
page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline]
page_pool_alloc include/net/page_pool/helpers.h:167 [inline]
page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline]
skb_pp_cow_data+0xa15/0x1220 net/core/skbuff.c:982
skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1016
netif_skb_check_for_xdp net/core/dev.c:5557 [inline]
netif_receive_generic_xdp net/core/dev.c:5598 [inline]
do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5666
tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874
tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001
new_sync_write fs/read_write.c:595 [inline]
vfs_write+0x6ac/0x1070 fs/read_write.c:688
ksys_write+0x12a/0x250 fs/read_write.c:740
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
do_int80_emulation+0x141/0x700 arch/x86/entry/syscall_32.c:172
asm_int80_emulation+0x1a/0x20 arch/x86/include/asm/idtentry.h:621
page last free pid 53 tgid 53 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
__free_pages_prepare mm/page_alloc.c:1402 [inline]
__free_frozen_pages+0x747/0x1040 mm/page_alloc.c:2943
kasan_depopulate_vmalloc_pte+0x5d/0x80 mm/kasan/shadow.c:484
apply_to_pte_range mm/memory.c:3322 [inline]
apply_to_pmd_range mm/memory.c:3366 [inline]
apply_to_pud_range mm/memory.c:3402 [inline]
apply_to_p4d_range mm/memory.c:3438 [inline]
__apply_to_page_range+0xb1d/0x1520 mm/memory.c:3474
__kasan_release_vmalloc+0xd7/0xe0 mm/kasan/shadow.c:602
kasan_release_vmalloc include/linux/kasan.h:593 [inline]
kasan_release_vmalloc_node mm/vmalloc.c:2284 [inline]
purge_vmap_node+0x210/0xb40 mm/vmalloc.c:2306
__purge_vmap_area_lazy+0x91b/0xc00 mm/vmalloc.c:2396
drain_vmap_area_work+0x27/0x40 mm/vmalloc.c:2430
process_one_work+0xa0e/0x1980 kernel/workqueue.c:3302
process_scheduled_works kernel/workqueue.c:3385 [inline]
worker_thread+0x5ef/0xe50 kernel/workqueue.c:3466
kthread+0x370/0x450 kernel/kthread.c:436
ret_from_fork+0x72b/0xd50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Modules linked in:
CPU: 3 UID: 0 PID: 8757 Comm: syz.0.893 Tainted: G B syzkaller #0 PREEMPT(full)
Tainted: [B]=BAD_PAGE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
bad_page.cold+0xbe/0xdf mm/page_alloc.c:632
page_frag_free+0x199/0x1f0 mm/page_frag_cache.c:169
__xdp_return+0x3b6/0x990 net/core/xdp.c:448
bpf_xdp_shrink_data net/core/filter.c:4211 [inline]
bpf_xdp_frags_shrink_tail net/core/filter.c:4235 [inline]
____bpf_xdp_adjust_tail net/core/filter.c:4257 [inline]
bpf_xdp_adjust_tail+0x8a1/0xbb0 net/core/filter.c:4250
bpf_prog_5d7dc57dfd7f985a+0x1e/0x24
__bpf_prog_run include/linux/filter.h:722 [inline]
bpf_prog_run_xdp include/net/xdp.h:696 [inline]
bpf_prog_run_generic_xdp+0x614/0x1610 net/core/dev.c:5488
netif_receive_generic_xdp net/core/dev.c:5604 [inline]
do_xdp_generic+0x92e/0x12c0 net/core/dev.c:5666
tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874
tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001
new_sync_write fs/read_write.c:595 [inline]
vfs_write+0x6ac/0x1070 fs/read_write.c:688
ksys_write+0x12a/0x250 fs/read_write.c:740
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
do_int80_emulation+0x141/0x700 arch/x86/entry/syscall_32.c:172
asm_int80_emulation+0x1a/0x20 arch/x86/include/asm/idtentry.h:621
RIP: 0023:0xf712616b
Code: 57 56 53 8b 44 24 14 f6 00 08 75 23 8b 44 24 18 8b 5c 24 1c 8b 4c 24 20 8b 54 24 24 8b 74 24 28 8b 7c 24 2c 8b 6c 24 30 cd 80 <5b> 5e 5f 5d c3 5b 5e 5f 5d e9 f7 a1 ff ff 66 90 66 90 66 90 90 53
RSP: 002b:00000000f53e644c EFLAGS: 00000246 ORIG_RAX: 0000000000000004
RAX: ffffffffffffffda RBX: 00000000000000c8 RCX: 0000000080000000
RDX: 000000000000fdef RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
BUG: Bad page state in process syz.0.893 pfn:7477b
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x165 pfn:0x7477b
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
page_type: f9(unknown)
raw: 04fff00000000000 0000000000000000 ffff8880210cb000 0000000000000000
raw: 0000000000000165 0000000000000001 00000000f9000000 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 8757, tgid 8756 (syz.0.893), ts 210941833077, free_ts 210383749954
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x153/0x170 mm/page_alloc.c:1858
prep_new_page mm/page_alloc.c:1866 [inline]
get_page_from_freelist+0x11a6/0x33b0 mm/page_alloc.c:3946
__alloc_frozen_pages_noprof+0x27c/0x2bc0 mm/page_alloc.c:5226
__alloc_pages_noprof mm/page_alloc.c:5260 [inline]
alloc_pages_bulk_noprof+0x657/0x1390 mm/page_alloc.c:5180
alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline]
__page_pool_alloc_netmems_slow+0x1c6/0xa60 net/core/page_pool.c:616
page_pool_alloc_netmems net/core/page_pool.c:667 [inline]
page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:654
page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline]
page_pool_alloc include/net/page_pool/helpers.h:167 [inline]
page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline]
skb_pp_cow_data+0xa15/0x1220 net/core/skbuff.c:982
skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1016
netif_skb_check_for_xdp net/core/dev.c:5557 [inline]
netif_receive_generic_xdp net/core/dev.c:5598 [inline]
do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5666
tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874
tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001
new_sync_write fs/read_write.c:595 [inline]
vfs_write+0x6ac/0x1070 fs/read_write.c:688
ksys_write+0x12a/0x250 fs/read_write.c:740
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
do_int80_emulation+0x141/0x700 arch/x86/entry/syscall_32.c:172
asm_int80_emulation+0x1a/0x20 arch/x86/include/asm/idtentry.h:621
page last free pid 53 tgid 53 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
__free_pages_prepare mm/page_alloc.c:1402 [inline]
__free_frozen_pages+0x747/0x1040 mm/page_alloc.c:2943
kasan_depopulate_vmalloc_pte+0x5d/0x80 mm/kasan/shadow.c:484
apply_to_pte_range mm/memory.c:3322 [inline]
apply_to_pmd_range mm/memory.c:3366 [inline]
apply_to_pud_range mm/memory.c:3402 [inline]
apply_to_p4d_range mm/memory.c:3438 [inline]
__apply_to_page_range+0xb1d/0x1520 mm/memory.c:3474
__kasan_release_vmalloc+0xd7/0xe0 mm/kasan/shadow.c:602
kasan_release_vmalloc include/linux/kasan.h:593 [inline]
kasan_release_vmalloc_node mm/vmalloc.c:2284 [inline]
purge_vmap_node+0x210/0xb40 mm/vmalloc.c:2306
__purge_vmap_area_lazy+0x91b/0xc00 mm/vmalloc.c:2396
drain_vmap_area_work+0x27/0x40 mm/vmalloc.c:2430
process_one_work+0xa0e/0x1980 kernel/workqueue.c:3302
process_scheduled_works kernel/workqueue.c:3385 [inline]
worker_thread+0x5ef/0xe50 kernel/workqueue.c:3466
kthread+0x370/0x450 kernel/kthread.c:436
ret_from_fork+0x72b/0xd50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Modules linked in:
CPU: 3 UID: 0 PID: 8757 Comm: syz.0.893 Tainted: G B syzkaller #0 PREEMPT(full)
Tainted: [B]=BAD_PAGE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
bad_page.cold+0xbe/0xdf mm/page_alloc.c:632
page_frag_free+0x199/0x1f0 mm/page_frag_cache.c:169
__xdp_return+0x3b6/0x990 net/core/xdp.c:448
bpf_xdp_shrink_data net/core/filter.c:4211 [inline]
bpf_xdp_frags_shrink_tail net/core/filter.c:4235 [inline]
____bpf_xdp_adjust_tail net/core/filter.c:4257 [inline]
bpf_xdp_adjust_tail+0x8a1/0xbb0 net/core/filter.c:4250
bpf_prog_5d7dc57dfd7f985a+0x1e/0x24
__bpf_prog_run include/linux/filter.h:722 [inline]
bpf_prog_run_xdp include/net/xdp.h:696 [inline]
bpf_prog_run_generic_xdp+0x614/0x1610 net/core/dev.c:5488
netif_receive_generic_xdp net/core/dev.c:5604 [inline]
do_xdp_generic+0x92e/0x12c0 net/core/dev.c:5666
tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874
tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001
new_sync_write fs/read_write.c:595 [inline]
vfs_write+0x6ac/0x1070 fs/read_write.c:688
ksys_write+0x12a/0x250 fs/read_write.c:740
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
do_int80_emulation+0x141/0x700 arch/x86/entry/syscall_32.c:172
asm_int80_emulation+0x1a/0x20 arch/x86/include/asm/idtentry.h:621
RIP: 0023:0xf712616b
Code: 57 56 53 8b 44 24 14 f6 00 08 75 23 8b 44 24 18 8b 5c 24 1c 8b 4c 24 20 8b 54 24 24 8b 74 24 28 8b 7c 24 2c 8b 6c 24 30 cd 80 <5b> 5e 5f 5d c3 5b 5e 5f 5d e9 f7 a1 ff ff 66 90 66 90 66 90 90 53
RSP: 002b:00000000f53e644c EFLAGS: 00000246 ORIG_RAX: 0000000000000004
RAX: ffffffffffffffda RBX: 00000000000000c8 RCX: 0000000080000000
RDX: 000000000000fdef RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
BUG: Bad page state in process syz.0.893 pfn:4bec3
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x145 pfn:0x4bec3
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
page_type: f9(unknown)
raw: 04fff00000000000 0000000000000000 ffff8880210cb000 0000000000000000
raw: 0000000000000145 0000000000000001 00000000f9000000 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 8757, tgid 8756 (syz.0.893), ts 210941826236, free_ts 210383904755
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x153/0x170 mm/page_alloc.c:1858
prep_new_page mm/page_alloc.c:1866 [inline]
get_page_from_freelist+0x11a6/0x33b0 mm/page_alloc.c:3946
__alloc_frozen_pages_noprof+0x27c/0x2bc0 mm/page_alloc.c:5226
__alloc_pages_noprof mm/page_alloc.c:5260 [inline]
alloc_pages_bulk_noprof+0x657/0x1390 mm/page_alloc.c:5180
alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline]
__page_pool_alloc_netmems_slow+0x1c6/0xa60 net/core/page_pool.c:616
page_pool_alloc_netmems net/core/page_pool.c:667 [inline]
page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:654
page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline]
page_pool_alloc include/net/page_pool/helpers.h:167 [inline]
page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline]
skb_pp_cow_data+0xa15/0x1220 net/core/skbuff.c:982
skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1016
netif_skb_check_for_xdp net/core/dev.c:5557 [inline]
netif_receive_generic_xdp net/core/dev.c:5598 [inline]
do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5666
tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874
tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001
new_sync_write fs/read_write.c:595 [inline]
vfs_write+0x6ac/0x1070 fs/read_write.c:688
ksys_write+0x12a/0x250 fs/read_write.c:740
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
do_int80_emulation+0x141/0x700 arch/x86/entry/syscall_32.c:172
asm_int80_emulation+0x1a/0x20 arch/x86/include/asm/idtentry.h:621
page last free pid 53 tgid 53 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
__free_pages_prepare mm/page_alloc.c:1402 [inline]
__free_frozen_pages+0x747/0x1040 mm/page_alloc.c:2943
kasan_depopulate_vmalloc_pte+0x5d/0x80 mm/kasan/shadow.c:484
apply_to_pte_range mm/memory.c:3322 [inline]
apply_to_pmd_range mm/memory.c:3366 [inline]
apply_to_pud_range mm/memory.c:3402 [inline]
apply_to_p4d_range mm/memory.c:3438 [inline]
__apply_to_page_range+0xb1d/0x1520 mm/memory.c:3474
__kasan_release_vmalloc+0xd7/0xe0 mm/kasan/shadow.c:602
kasan_release_vmalloc include/linux/kasan.h:593 [inline]
kasan_release_vmalloc_node mm/vmalloc.c:2284 [inline]
purge_vmap_node+0x210/0xb40 mm/vmalloc.c:2306
__purge_vmap_area_lazy+0x91b/0xc00 mm/vmalloc.c:2396
drain_vmap_area_work+0x27/0x40 mm/vmalloc.c:2430
process_one_work+0xa0e/0x1980 kernel/workqueue.c:3302
process_scheduled_works kernel/workqueue.c:3385 [inline]
worker_thread+0x5ef/0xe50 kernel/workqueue.c:3466
kthread+0x370/0x450 kernel/kthread.c:436
ret_from_fork+0x72b/0xd50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Modules linked in:
CPU: 3 UID: 0 PID: 8757 Comm: syz.0.893 Tainted: G B syzkaller #0 PREEMPT(full)
Tainted: [B]=BAD_PAGE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
bad_page.cold+0xbe/0xdf mm/page_alloc.c:632
page_frag_free+0x199/0x1f0 mm/page_frag_cache.c:169
__xdp_return+0x3b6/0x990 net/core/xdp.c:448
bpf_xdp_shrink_data net/core/filter.c:4211 [inline]
bpf_xdp_frags_shrink_tail net/core/filter.c:4235 [inline]
____bpf_xdp_adjust_tail net/core/filter.c:4257 [inline]
bpf_xdp_adjust_tail+0x8a1/0xbb0 net/core/filter.c:4250
bpf_prog_5d7dc57dfd7f985a+0x1e/0x24
__bpf_prog_run include/linux/filter.h:722 [inline]
bpf_prog_run_xdp include/net/xdp.h:696 [inline]
bpf_prog_run_generic_xdp+0x614/0x1610 net/core/dev.c:5488
netif_receive_generic_xdp net/core/dev.c:5604 [inline]
do_xdp_generic+0x92e/0x12c0 net/core/dev.c:5666
tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874
tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001
new_sync_write fs/read_write.c:595 [inline]
vfs_write+0x6ac/0x1070 fs/read_write.c:688
ksys_write+0x12a/0x250 fs/read_write.c:740
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
do_int80_emulation+0x141/0x700 arch/x86/entry/syscall_32.c:172
asm_int80_emulation+0x1a/0x20 arch/x86/include/asm/idtentry.h:621
RIP: 0023:0xf712616b
Code: 57 56 53 8b 44 24 14 f6 00 08 75 23 8b 44 24 18 8b 5c 24 1c 8b 4c 24 20 8b 54 24 24 8b 74 24 28 8b 7c 24 2c 8b 6c 24 30 cd 80 <5b> 5e 5f 5d c3 5b 5e 5f 5d e9 f7 a1 ff ff 66 90 66 90 66 90 90 53
RSP: 002b:00000000f53e644c EFLAGS: 00000246 ORIG_RAX: 0000000000000004
RAX: ffffffffffffffda RBX: 00000000000000c8 RCX: 0000000080000000
RDX: 000000000000fdef RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
BUG: Bad page state in process syz.0.893 pfn:6b53c
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x134 pfn:0x6b53c
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
page_type: f9(unknown)
raw: 04fff00000000000 0000000000000000 ffff8880210cb000 0000000000000000
raw: 0000000000000134 0000000000000001 00000000f9000000 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 8757, tgid 8756 (syz.0.893), ts 210941820147, free_ts 210383987399
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x153/0x170 mm/page_alloc.c:1858
prep_new_page mm/page_alloc.c:1866 [inline]
get_page_from_freelist+0x11a6/0x33b0 mm/page_alloc.c:3946
__alloc_frozen_pages_noprof+0x27c/0x2bc0 mm/page_alloc.c:5226
__alloc_pages_noprof mm/page_alloc.c:5260 [inline]
alloc_pages_bulk_noprof+0x657/0x1390 mm/page_alloc.c:5180
alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline]
__page_pool_alloc_netmems_slow+0x1c6/0xa60 net/core/page_pool.c:616
page_pool_alloc_netmems net/core/page_pool.c:667 [inline]
page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:654
page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline]
page_pool_alloc include/net/page_pool/helpers.h:167 [inline]
page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline]
skb_pp_cow_data+0xa15/0x1220 net/core/skbuff.c:982
skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1016
netif_skb_check_for_xdp net/core/dev.c:5557 [inline]
netif_receive_generic_xdp net/core/dev.c:5598 [inline]
do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5666
tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874
tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001
new_sync_write fs/read_write.c:595 [inline]
vfs_write+0x6ac/0x1070 fs/read_write.c:688
ksys_write+0x12a/0x250 fs/read_write.c:740
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
do_int80_emulation+0x141/0x700 arch/x86/entry/syscall_32.c:172
asm_int80_emulation+0x1a/0x20 arch/x86/include/asm/idtentry.h:621
page last free pid 53 tgid 53 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
__free_pages_prepare mm/page_alloc.c:1402 [inline]
__free_frozen_pages+0x747/0x1040 mm/page_alloc.c:2943
kasan_depopulate_vmalloc_pte+0x5d/0x80 mm/kasan/shadow.c:484
apply_to_pte_range mm/memory.c:3322 [inline]
apply_to_pmd_range mm/memory.c:3366 [inline]
apply_to_pud_range mm/memory.c:3402 [inline]
apply_to_p4d_range mm/memory.c:3438 [inline]
__apply_to_page_range+0xb1d/0x1520 mm/memory.c:3474
__kasan_release_vmalloc+0xd7/0xe0 mm/kasan/shadow.c:602
kasan_release_vmalloc include/linux/kasan.h:593 [inline]
kasan_release_vmalloc_node mm/vmalloc.c:2284 [inline]
purge_vmap_node+0x210/0xb40 mm/vmalloc.c:2306
__purge_vmap_area_lazy+0x91b/0xc00 mm/vmalloc.c:2396
drain_vmap_area_work+0x27/0x40 mm/vmalloc.c:2430
process_one_work+0xa0e/0x1980 kernel/workqueue.c:3302
process_scheduled_works kernel/workqueue.c:3385 [inline]
worker_thread+0x5ef/0xe50 kernel/workqueue.c:3466
kthread+0x370/0x450 kernel/kthread.c:436
ret_from_fork+0x72b/0xd50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Modules linked in:
CPU: 3 UID: 0 PID: 8757 Comm: syz.0.893 Tainted: G B syzkaller #0 PREEMPT(full)
Tainted: [B]=BAD_PAGE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
bad_page.cold+0xbe/0xdf mm/page_alloc.c:632
page_frag_free+0x199/0x1f0 mm/page_frag_cache.c:169
__xdp_return+0x3b6/0x990 net/core/xdp.c:448
bpf_xdp_shrink_data net/core/filter.c:4211 [inline]
bpf_xdp_frags_shrink_tail net/core/filter.c:4235 [inline]
____bpf_xdp_adjust_tail net/core/filter.c:4257 [inline]
bpf_xdp_adjust_tail+0x8a1/0xbb0 net/core/filter.c:4250
bpf_prog_5d7dc57dfd7f985a+0x1e/0x24
__bpf_prog_run include/linux/filter.h:722 [inline]
bpf_prog_run_xdp include/net/xdp.h:696 [inline]
bpf_prog_run_generic_xdp+0x614/0x1610 net/core/dev.c:5488
netif_receive_generic_xdp net/core/dev.c:5604 [inline]
do_xdp_generic+0x92e/0x12c0 net/core/dev.c:5666
tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874
tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001
new_sync_write fs/read_write.c:595 [inline]
vfs_write+0x6ac/0x1070 fs/read_write.c:688
ksys_write+0x12a/0x250 fs/read_write.c:740
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
do_int80_emulation+0x141/0x700 arch/x86/entry/syscall_32.c:172
asm_int80_emulation+0x1a/0x20 arch/x86/include/asm/idtentry.h:621
RIP: 0023:0xf712616b
Code: 57 56 53 8b 44 24 14 f6 00 08 75 23 8b 44 24 18 8b 5c 24 1c 8b 4c 24 20 8b 54 24 24 8b 74 24 28 8b 7c 24 2c 8b 6c 24 30 cd 80 <5b> 5e 5f 5d c3 5b 5e 5f 5d e9 f7 a1 ff ff 66 90 66 90 66 90 90 53
RSP: 002b:00000000f53e644c EFLAGS: 00000246 ORIG_RAX: 0000000000000004
RAX: ffffffffffffffda RBX: 00000000000000c8 RCX: 0000000080000000
RDX: 000000000000fdef RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
----------------
Code disassembly (best guess):
0: 57 push %rdi
1: 56 push %rsi
2: 53 push %rbx
3: 8b 44 24 14 mov 0x14(%rsp),%eax
7: f6 00 08 testb $0x8,(%rax)
a: 75 23 jne 0x2f
c: 8b 44 24 18 mov 0x18(%rsp),%eax
10: 8b 5c 24 1c mov 0x1c(%rsp),%ebx
14: 8b 4c 24 20 mov 0x20(%rsp),%ecx
18: 8b 54 24 24 mov 0x24(%rsp),%edx
1c: 8b 74 24 28 mov 0x28(%rsp),%esi
20: 8b 7c 24 2c mov 0x2c(%rsp),%edi
24: 8b 6c 24 30 mov 0x30(%rsp),%ebp
28: cd 80 int $0x80
* 2a: 5b pop %rbx <-- trapping instruction
2b: 5e pop %rsi
2c: 5f pop %rdi
2d: 5d pop %rbp
2e: c3 ret
2f: 5b pop %rbx
30: 5e pop %rsi
31: 5f pop %rdi
32: 5d pop %rbp
33: e9 f7 a1 ff ff jmp 0xffffa22f
38: 66 90 xchg %ax,%ax
3a: 66 90 xchg %ax,%ax
3c: 66 90 xchg %ax,%ax
3e: 90 nop
3f: 53 push %rbx