page:ffffea0000171e00 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
flags: 0x4080(slab|head)
page dumped because: VM_BUG_ON_PAGE(PageSlab(page))
------------[ cut here ]------------
kernel BUG at ./include/linux/mm.h:533!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 13607 Comm: syz-executor.4 Not tainted 4.9.141+ #23
task: ffff880151c6af80 task.stack: ffff88000f880000
RIP: 0010:[<ffffffff8148381c>]  [<ffffffff8148381c>] page_mapcount include/linux/mm.h:533 [inline]
RIP: 0010:[<ffffffff8148381c>]  [<ffffffff8148381c>] isolate_migratepages_block+0x14dc/0x1af0 mm/compaction.c:818
RSP: 0018:ffff88000f886960  EFLAGS: 00010246
RAX: 00000000006e8000 RBX: ffffea0000171e00 RCX: ffffc900006e8000
RDX: 0000000000040000 RSI: ffffffff814fe94c RDI: ffff880151c6b82c
RBP: ffff88000f886ab0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: dffffc0000000000
R13: 0000000000005c78 R14: ffff88000f886c40 R15: ffffea0000170000
FS:  0000000000000000(0000) GS:ffff8801db700000(0063) knlGS:00000000f55a7b40
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 000000002de39000 CR3: 0000000012d0c000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 ffffffff833d3b50 ffffffff833d3e60 ffff88000f886988 ffff88000f886c90
 0000000c00000001 1ffff10001f10d3d 0000000000005c00 ffffea0000171e00
 ffffed0001f10d92 ffffea0000171e20 ffffea0000171e18 ffffffff833d3600
Call Trace:
 [<ffffffff81485b0f>] isolate_migratepages mm/compaction.c:1242 [inline]
 [<ffffffff81485b0f>] compact_zone+0x95f/0x2300 mm/compaction.c:1532
 [<ffffffff814875bf>] compact_zone_order+0x10f/0x180 mm/compaction.c:1656
 [<ffffffff81488c14>] try_to_compact_pages+0x214/0x710 mm/compaction.c:1703
 [<ffffffff814273eb>] __alloc_pages_direct_compact+0xbb/0x310 mm/page_alloc.c:3175
 [<ffffffff81428e3e>] __alloc_pages_slowpath mm/page_alloc.c:3703 [inline]
 [<ffffffff81428e3e>] __alloc_pages_nodemask+0xdbe/0x1bd0 mm/page_alloc.c:3862
 [<ffffffff814eb7e7>] __alloc_pages include/linux/gfp.h:433 [inline]
 [<ffffffff814eb7e7>] __alloc_pages_node include/linux/gfp.h:446 [inline]
 [<ffffffff814eb7e7>] alloc_slab_page mm/slub.c:1408 [inline]
 [<ffffffff814eb7e7>] allocate_slab mm/slub.c:1557 [inline]
 [<ffffffff814eb7e7>] new_slab+0x367/0x3d0 mm/slub.c:1635
 [<ffffffff814ed97d>] new_slab_objects mm/slub.c:2419 [inline]
 [<ffffffff814ed97d>] ___slab_alloc.constprop.33+0x2ed/0x470 mm/slub.c:2576
 [<ffffffff814edb50>] __slab_alloc.isra.25.constprop.32+0x50/0xa0 mm/slub.c:2618
 [<ffffffff814f15f6>] slab_alloc_node mm/slub.c:2681 [inline]
 [<ffffffff814f15f6>] slab_alloc mm/slub.c:2723 [inline]
 [<ffffffff814f15f6>] __kmalloc_track_caller+0x236/0x2d0 mm/slub.c:4232
 [<ffffffff822c2ee3>] __kmalloc_reserve.isra.5+0x33/0xc0 net/core/skbuff.c:138
 [<ffffffff822c308a>] __alloc_skb+0x11a/0x5b0 net/core/skbuff.c:231
 [<ffffffff822c35cf>] alloc_skb include/linux/skbuff.h:924 [inline]
 [<ffffffff822c35cf>] alloc_skb_with_frags+0xaf/0x4e0 net/core/skbuff.c:4707
 [<ffffffff822aabee>] sock_alloc_send_pskb+0x59e/0x740 net/core/sock.c:1893
 [<ffffffff81ecd8ba>] tun_alloc_skb drivers/net/tun.c:1166 [inline]
 [<ffffffff81ecd8ba>] tun_get_user+0x53a/0x2460 drivers/net/tun.c:1263
 [<ffffffff81ecf9f5>] tun_chr_write_iter+0xd5/0x190 drivers/net/tun.c:1353
 [<ffffffff81508347>] new_sync_write fs/read_write.c:496 [inline]
 [<ffffffff81508347>] __vfs_write+0x3d7/0x580 fs/read_write.c:509
 [<ffffffff815085e8>] __kernel_write+0xf8/0x350 fs/read_write.c:529
 [<ffffffff815ac79d>] write_pipe_buf+0x15d/0x1f0 fs/splice.c:816
 [<ffffffff815ad926>] splice_from_pipe_feed fs/splice.c:521 [inline]
 [<ffffffff815ad926>] __splice_from_pipe+0x316/0x710 fs/splice.c:645
 [<ffffffff815af439>] splice_from_pipe+0xf9/0x170 fs/splice.c:680
 [<ffffffff815af53c>] default_file_splice_write+0x3c/0x80 fs/splice.c:828
 [<ffffffff815a9ab8>] do_splice_from fs/splice.c:870 [inline]
 [<ffffffff815a9ab8>] direct_splice_actor+0x128/0x190 fs/splice.c:1037
 [<ffffffff815ab6c1>] splice_direct_to_actor+0x2c1/0x7e0 fs/splice.c:992
 [<ffffffff815abd83>] do_splice_direct+0x1a3/0x270 fs/splice.c:1080
 [<ffffffff8150d780>] do_sendfile+0x4f0/0xc30 fs/read_write.c:1393
 [<ffffffff8150f951>] C_SYSC_sendfile fs/read_write.c:1469 [inline]
 [<ffffffff8150f951>] compat_SyS_sendfile+0xd1/0x160 fs/read_write.c:1458
 [<ffffffff81006311>] do_syscall_32_irqs_on arch/x86/entry/common.c:328 [inline]
 [<ffffffff81006311>] do_fast_syscall_32+0x2f1/0xa10 arch/x86/entry/common.c:390
 [<ffffffff82818de0>] entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137
Code: ff ff e8 68 82 e9 ff 48 8b 85 e8 fe ff ff 48 8d 50 ff e9 f6 f6 ff ff e8 53 82 e9 ff 48 c7 c6 a0 32 aa 82 48 89 df e8 64 b5 00 00 <0f> 0b 48 89 95 e8 fe ff ff e8 36 82 e9 ff 48 8b 95 e8 fe ff ff 
RIP  [<ffffffff8148381c>] page_mapcount include/linux/mm.h:533 [inline]
RIP  [<ffffffff8148381c>] isolate_migratepages_block+0x14dc/0x1af0 mm/compaction.c:818
 RSP <ffff88000f886960>
ip6_tunnel: ip6tnl2 xmit: Local address not yet configured!
---[ end trace 06be764bb377088f ]---