BUG: Bad page state in process syz-executor.0 pfn:47cd6
page:00000000328442ce refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x47cd6
flags: 0x1ffc60000001042(referenced|workingset|reserved|node=0|zone=0|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 01ffc60000001042 fffffc00001f3588 fffffc00001f3588 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
Modules linked in:
CPU: 0 PID: 14404 Comm: syz-executor.0 Not tainted 6.5.0-rc5-syzkaller-00182-g25aa0bebba72 #0
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace+0x9c/0x11c arch/arm64/kernel/stacktrace.c:233
show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:240
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xac/0xd4 lib/dump_stack.c:106
dump_stack+0x1c/0x28 lib/dump_stack.c:113
bad_page+0xe4/0x22c mm/page_alloc.c:533
free_page_is_bad_report mm/page_alloc.c:974 [inline]
free_page_is_bad mm/page_alloc.c:984 [inline]
free_pages_prepare mm/page_alloc.c:1153 [inline]
free_unref_page_prepare+0x6ac/0xd68 mm/page_alloc.c:2348
free_unref_page+0x60/0x3e0 mm/page_alloc.c:2443
__folio_put_small mm/swap.c:106 [inline]
__folio_put+0x80/0xdc mm/swap.c:129
folio_put include/linux/mm.h:1440 [inline]
put_page include/linux/mm.h:1509 [inline]
extract_user_to_sg lib/scatterlist.c:1151 [inline]
extract_iter_to_sg lib/scatterlist.c:1349 [inline]
extract_iter_to_sg+0xdbc/0x134c lib/scatterlist.c:1339
hash_sendmsg+0x23c/0xf78 crypto/algif_hash.c:119
sock_sendmsg_nosec net/socket.c:725 [inline]
sock_sendmsg+0xc8/0x168 net/socket.c:748
____sys_sendmsg+0x550/0x6e0 net/socket.c:2494
___sys_sendmsg+0x11c/0x19c net/socket.c:2548
__sys_sendmsg+0xe0/0x174 net/socket.c:2577
__do_sys_sendmsg net/socket.c:2586 [inline]
__se_sys_sendmsg net/socket.c:2584 [inline]
__arm64_sys_sendmsg+0x70/0xa0 net/socket.c:2584
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x6c/0x258 arch/arm64/kernel/syscall.c:52
el0_svc_common.constprop.0+0xc4/0x244 arch/arm64/kernel/syscall.c:139
do_el0_svc+0x50/0x11c arch/arm64/kernel/syscall.c:188
el0_svc+0x4c/0x134 arch/arm64/kernel/entry-common.c:647
el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:665
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591
page:00000000328442ce refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x47cd6
flags: 0x1ffc60000001042(referenced|workingset|reserved|node=0|zone=0|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 01ffc60000001042 fffffc00001f3588 fffffc00001f3588 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: VM_BUG_ON_PAGE(page_ref_count(page) == 0)
------------[ cut here ]------------
kernel BUG at include/linux/mm.h:1027!
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 14404 Comm: syz-executor.0 Tainted: G B 6.5.0-rc5-syzkaller-00182-g25aa0bebba72 #0
Hardware name: linux,dummy-virt (DT)
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : put_page_testzero include/linux/mm.h:1027 [inline]
pc : folio_put_testzero include/linux/mm.h:1033 [inline]
pc : folio_put include/linux/mm.h:1439 [inline]
pc : put_page include/linux/mm.h:1509 [inline]
pc : extract_user_to_sg lib/scatterlist.c:1151 [inline]
pc : extract_iter_to_sg lib/scatterlist.c:1349 [inline]
pc : extract_iter_to_sg+0xe4c/0x134c lib/scatterlist.c:1339
lr : put_page_testzero include/linux/mm.h:1027 [inline]
lr : folio_put_testzero include/linux/mm.h:1033 [inline]
lr : folio_put include/linux/mm.h:1439 [inline]
lr : put_page include/linux/mm.h:1509 [inline]
lr : extract_user_to_sg lib/scatterlist.c:1151 [inline]
lr : extract_iter_to_sg lib/scatterlist.c:1349 [inline]
lr : extract_iter_to_sg+0xe4c/0x134c lib/scatterlist.c:1339
sp : ffff800089f87660
x29: ffff800089f87660 x28: fffffc00001f35b4 x27: 1fffe000028f8d01
x26: fffffc00001f3580 x25: dfff800000000000 x24: ffff0000147c6808
x23: 1ffff000113f0ee6 x22: 0000000000000003 x21: ffff6000028f8d01
x20: ffff0000147c6800 x19: 0000000000000007 x18: ffff00000ec90a60
x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
x14: 0000000000000000 x13: 205d343034343154 x12: ffff7000113f0e45
x11: 1ffff000113f0e44 x10: ffff7000113f0e44 x9 : dfff800000000000
x8 : 00008fffeec0f1bc x7 : ffff800089f87227 x6 : 0000000000000001
x5 : ffff800089f87220 x4 : 1fffe00001d92001 x3 : 0000000000000000
x2 : 0000000000000000 x1 : ffff00000ec90000 x0 : 000000000000003e
Call trace:
put_page_testzero include/linux/mm.h:1027 [inline]
folio_put_testzero include/linux/mm.h:1033 [inline]
folio_put include/linux/mm.h:1439 [inline]
put_page include/linux/mm.h:1509 [inline]
extract_user_to_sg lib/scatterlist.c:1151 [inline]
extract_iter_to_sg lib/scatterlist.c:1349 [inline]
extract_iter_to_sg+0xe4c/0x134c lib/scatterlist.c:1339
hash_sendmsg+0x23c/0xf78 crypto/algif_hash.c:119
sock_sendmsg_nosec net/socket.c:725 [inline]
sock_sendmsg+0xc8/0x168 net/socket.c:748
____sys_sendmsg+0x550/0x6e0 net/socket.c:2494
___sys_sendmsg+0x11c/0x19c net/socket.c:2548
__sys_sendmsg+0xe0/0x174 net/socket.c:2577
__do_sys_sendmsg net/socket.c:2586 [inline]
__se_sys_sendmsg net/socket.c:2584 [inline]
__arm64_sys_sendmsg+0x70/0xa0 net/socket.c:2584
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x6c/0x258 arch/arm64/kernel/syscall.c:52
el0_svc_common.constprop.0+0xc4/0x244 arch/arm64/kernel/syscall.c:139
do_el0_svc+0x50/0x11c arch/arm64/kernel/syscall.c:188
el0_svc+0x4c/0x134 arch/arm64/kernel/entry-common.c:647
el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:665
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591
Code: 91058021 aa1a03e0 91028021 97d6da7f (d4210000)
---[ end trace 0000000000000000 ]---