BUG: Bad page state in process syz.2.2579  pfn:7b784
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88807b784000 pfn:0x7b784
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 dead000000000040 ffff88801bbcb000 0000000000000000
raw: ffff88807b784000 3fffffffffffffff 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 16515, tgid 16514 (syz.2.2579), ts 499765023097, free_ts 499581059293
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x153/0x170 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x111d/0x3140 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x27c/0x2ba0 mm/page_alloc.c:5250
 __alloc_pages_noprof mm/page_alloc.c:5284 [inline]
 alloc_pages_bulk_noprof+0x782/0x1490 mm/page_alloc.c:5204
 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline]
 __page_pool_alloc_netmems_slow+0x1c6/0xc10 net/core/page_pool.c:616
 page_pool_alloc_netmems net/core/page_pool.c:667 [inline]
 page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:654
 page_pool_alloc_frag_netmem+0x21d/0xa00 net/core/page_pool.c:1076
 page_pool_alloc_netmem include/net/page_pool/helpers.h:131 [inline]
 page_pool_alloc include/net/page_pool/helpers.h:167 [inline]
 page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline]
 skb_pp_cow_data+0x5be/0xea0 net/core/skbuff.c:993
 skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1027
 netif_skb_check_for_xdp net/core/dev.c:5512 [inline]
 netif_receive_generic_xdp net/core/dev.c:5553 [inline]
 do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5621
 tun_get_user+0x1bd2/0x3e10 drivers/net/tun.c:1872
 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:1999
 new_sync_write fs/read_write.c:595 [inline]
 vfs_write+0x6ac/0x1070 fs/read_write.c:688
 ksys_write+0x12a/0x250 fs/read_write.c:740
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 16511 tgid 16507 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0x7e1/0x10d0 mm/page_alloc.c:2978
 __folio_put+0x3b4/0x540 mm/swap.c:112
 folio_put include/linux/mm.h:1817 [inline]
 put_page include/linux/mm.h:1886 [inline]
 af_alg_free_areq_sgls crypto/af_alg.c:793 [inline]
 af_alg_free_resources+0x735/0x920 crypto/af_alg.c:1130
 _skcipher_recvmsg crypto/algif_skcipher.c:208 [inline]
 skcipher_recvmsg+0xbbc/0x1020 crypto/algif_skcipher.c:221
 sock_recvmsg_nosec net/socket.c:1078 [inline]
 sock_recvmsg+0x1a4/0x1f0 net/socket.c:1100
 ____sys_recvmsg+0x218/0x640 net/socket.c:2812
 ___sys_recvmsg+0x16a/0x1a0 net/socket.c:2854
 __sys_recvmsg+0x16d/0x220 net/socket.c:2887
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Modules linked in:
CPU: 0 UID: 0 PID: 16515 Comm: syz.2.2579 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
 bad_page.cold+0xbe/0xdf mm/page_alloc.c:676
 free_page_is_bad mm/page_alloc.c:1120 [inline]
 free_page_is_bad mm/page_alloc.c:1114 [inline]
 __free_pages_prepare mm/page_alloc.c:1424 [inline]
 __free_frozen_pages+0x825/0x10d0 mm/page_alloc.c:2978
 page_frag_free+0x284/0x2e0 mm/page_frag_cache.c:169
 __xdp_return+0x3cd/0xbb0 net/core/xdp.c:448
 bpf_xdp_shrink_data net/core/filter.c:4212 [inline]
 bpf_xdp_frags_shrink_tail net/core/filter.c:4236 [inline]
 ____bpf_xdp_adjust_tail net/core/filter.c:4258 [inline]
 bpf_xdp_adjust_tail+0x8a1/0xbb0 net/core/filter.c:4251
 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24
 __bpf_prog_run include/linux/filter.h:723 [inline]
 bpf_prog_run_xdp include/net/xdp.h:696 [inline]
 bpf_prog_run_generic_xdp+0x614/0x1610 net/core/dev.c:5443
 netif_receive_generic_xdp net/core/dev.c:5559 [inline]
 do_xdp_generic+0x92e/0x12c0 net/core/dev.c:5621
 tun_get_user+0x1bd2/0x3e10 drivers/net/tun.c:1872
 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:1999
 new_sync_write fs/read_write.c:595 [inline]
 vfs_write+0x6ac/0x1070 fs/read_write.c:688
 ksys_write+0x12a/0x250 fs/read_write.c:740
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7904d5cfce
Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
RSP: 002b:00007f7905d02fb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f7905d036c0 RCX: 00007f7904d5cfce
RDX: 000000000000fef3 RSI: 0000200000000200 RDI: 00000000000000c8
RBP: 00007f7904e32c99 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f7905016038 R14: 00007f7905015fa0 R15: 00007ffc137b8038
 </TASK>
BUG: Bad page state in process syz.2.2579  pfn:347ec
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880497324c0 pfn:0x347ec
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 dead000000000040 ffff88801bbcb000 0000000000000000
raw: ffff8880497324c0 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 16515, tgid 16514 (syz.2.2579), ts 499765016184, free_ts 499581069745
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x153/0x170 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x111d/0x3140 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x27c/0x2ba0 mm/page_alloc.c:5250
 __alloc_pages_noprof mm/page_alloc.c:5284 [inline]
 alloc_pages_bulk_noprof+0x782/0x1490 mm/page_alloc.c:5204
 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline]
 __page_pool_alloc_netmems_slow+0x1c6/0xc10 net/core/page_pool.c:616
 page_pool_alloc_netmems net/core/page_pool.c:667 [inline]
 page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:654
 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline]
 page_pool_alloc include/net/page_pool/helpers.h:167 [inline]
 page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline]
 skb_pp_cow_data+0x7f9/0xea0 net/core/skbuff.c:993
 skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1027
 netif_skb_check_for_xdp net/core/dev.c:5512 [inline]
 netif_receive_generic_xdp net/core/dev.c:5553 [inline]
 do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5621
 tun_get_user+0x1bd2/0x3e10 drivers/net/tun.c:1872
 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:1999
 new_sync_write fs/read_write.c:595 [inline]
 vfs_write+0x6ac/0x1070 fs/read_write.c:688
 ksys_write+0x12a/0x250 fs/read_write.c:740
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 16511 tgid 16507 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0x7e1/0x10d0 mm/page_alloc.c:2978
 __folio_put+0x3b4/0x540 mm/swap.c:112
 folio_put include/linux/mm.h:1817 [inline]
 put_page include/linux/mm.h:1886 [inline]
 af_alg_free_areq_sgls crypto/af_alg.c:793 [inline]
 af_alg_free_resources+0x735/0x920 crypto/af_alg.c:1130
 _skcipher_recvmsg crypto/algif_skcipher.c:208 [inline]
 skcipher_recvmsg+0xbbc/0x1020 crypto/algif_skcipher.c:221
 sock_recvmsg_nosec net/socket.c:1078 [inline]
 sock_recvmsg+0x1a4/0x1f0 net/socket.c:1100
 ____sys_recvmsg+0x218/0x640 net/socket.c:2812
 ___sys_recvmsg+0x16a/0x1a0 net/socket.c:2854
 __sys_recvmsg+0x16d/0x220 net/socket.c:2887
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Modules linked in:
CPU: 0 UID: 0 PID: 16515 Comm: syz.2.2579 Tainted: G    B               syzkaller #0 PREEMPT(full) 
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
 bad_page.cold+0xbe/0xdf mm/page_alloc.c:676
 free_page_is_bad mm/page_alloc.c:1120 [inline]
 free_page_is_bad mm/page_alloc.c:1114 [inline]
 __free_pages_prepare mm/page_alloc.c:1424 [inline]
 __free_frozen_pages+0x825/0x10d0 mm/page_alloc.c:2978
 page_frag_free+0x284/0x2e0 mm/page_frag_cache.c:169
 __xdp_return+0x3cd/0xbb0 net/core/xdp.c:448
 bpf_xdp_shrink_data net/core/filter.c:4212 [inline]
 bpf_xdp_frags_shrink_tail net/core/filter.c:4236 [inline]
 ____bpf_xdp_adjust_tail net/core/filter.c:4258 [inline]
 bpf_xdp_adjust_tail+0x8a1/0xbb0 net/core/filter.c:4251
 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24
 __bpf_prog_run include/linux/filter.h:723 [inline]
 bpf_prog_run_xdp include/net/xdp.h:696 [inline]
 bpf_prog_run_generic_xdp+0x614/0x1610 net/core/dev.c:5443
 netif_receive_generic_xdp net/core/dev.c:5559 [inline]
 do_xdp_generic+0x92e/0x12c0 net/core/dev.c:5621
 tun_get_user+0x1bd2/0x3e10 drivers/net/tun.c:1872
 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:1999
 new_sync_write fs/read_write.c:595 [inline]
 vfs_write+0x6ac/0x1070 fs/read_write.c:688
 ksys_write+0x12a/0x250 fs/read_write.c:740
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7904d5cfce
Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
RSP: 002b:00007f7905d02fb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f7905d036c0 RCX: 00007f7904d5cfce
RDX: 000000000000fef3 RSI: 0000200000000200 RDI: 00000000000000c8
RBP: 00007f7904e32c99 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f7905016038 R14: 00007f7905015fa0 R15: 00007ffc137b8038
 </TASK>
BUG: Bad page state in process syz.2.2579  pfn:49290
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888049290000 pfn:0x49290
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 dead000000000040 ffff88801bbcb000 0000000000000000
raw: ffff888049290000 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 16515, tgid 16514 (syz.2.2579), ts 499765009410, free_ts 499581080047
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x153/0x170 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x111d/0x3140 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x27c/0x2ba0 mm/page_alloc.c:5250
 __alloc_pages_noprof mm/page_alloc.c:5284 [inline]
 alloc_pages_bulk_noprof+0x782/0x1490 mm/page_alloc.c:5204
 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline]
 __page_pool_alloc_netmems_slow+0x1c6/0xc10 net/core/page_pool.c:616
 page_pool_alloc_netmems net/core/page_pool.c:667 [inline]
 page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:654
 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline]
 page_pool_alloc include/net/page_pool/helpers.h:167 [inline]
 page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline]
 skb_pp_cow_data+0x7f9/0xea0 net/core/skbuff.c:993
 skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1027
 netif_skb_check_for_xdp net/core/dev.c:5512 [inline]
 netif_receive_generic_xdp net/core/dev.c:5553 [inline]
 do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5621
 tun_get_user+0x1bd2/0x3e10 drivers/net/tun.c:1872
 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:1999
 new_sync_write fs/read_write.c:595 [inline]
 vfs_write+0x6ac/0x1070 fs/read_write.c:688
 ksys_write+0x12a/0x250 fs/read_write.c:740
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 16511 tgid 16507 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0x7e1/0x10d0 mm/page_alloc.c:2978
 __folio_put+0x3b4/0x540 mm/swap.c:112
 folio_put include/linux/mm.h:1817 [inline]
 put_page include/linux/mm.h:1886 [inline]
 af_alg_free_areq_sgls crypto/af_alg.c:793 [inline]
 af_alg_free_resources+0x735/0x920 crypto/af_alg.c:1130
 _skcipher_recvmsg crypto/algif_skcipher.c:208 [inline]
 skcipher_recvmsg+0xbbc/0x1020 crypto/algif_skcipher.c:221
 sock_recvmsg_nosec net/socket.c:1078 [inline]
 sock_recvmsg+0x1a4/0x1f0 net/socket.c:1100
 ____sys_recvmsg+0x218/0x640 net/socket.c:2812
 ___sys_recvmsg+0x16a/0x1a0 net/socket.c:2854
 __sys_recvmsg+0x16d/0x220 net/socket.c:2887
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Modules linked in:
CPU: 0 UID: 0 PID: 16515 Comm: syz.2.2579 Tainted: G    B               syzkaller #0 PREEMPT(full) 
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
 bad_page.cold+0xbe/0xdf mm/page_alloc.c:676
 free_page_is_bad mm/page_alloc.c:1120 [inline]
 free_page_is_bad mm/page_alloc.c:1114 [inline]
 __free_pages_prepare mm/page_alloc.c:1424 [inline]
 __free_frozen_pages+0x825/0x10d0 mm/page_alloc.c:2978
 page_frag_free+0x284/0x2e0 mm/page_frag_cache.c:169
 __xdp_return+0x3cd/0xbb0 net/core/xdp.c:448
 bpf_xdp_shrink_data net/core/filter.c:4212 [inline]
 bpf_xdp_frags_shrink_tail net/core/filter.c:4236 [inline]
 ____bpf_xdp_adjust_tail net/core/filter.c:4258 [inline]
 bpf_xdp_adjust_tail+0x8a1/0xbb0 net/core/filter.c:4251
 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24
 __bpf_prog_run include/linux/filter.h:723 [inline]
 bpf_prog_run_xdp include/net/xdp.h:696 [inline]
 bpf_prog_run_generic_xdp+0x614/0x1610 net/core/dev.c:5443
 netif_receive_generic_xdp net/core/dev.c:5559 [inline]
 do_xdp_generic+0x92e/0x12c0 net/core/dev.c:5621
 tun_get_user+0x1bd2/0x3e10 drivers/net/tun.c:1872
 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:1999
 new_sync_write fs/read_write.c:595 [inline]
 vfs_write+0x6ac/0x1070 fs/read_write.c:688
 ksys_write+0x12a/0x250 fs/read_write.c:740
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7904d5cfce
Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
RSP: 002b:00007f7905d02fb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f7905d036c0 RCX: 00007f7904d5cfce
RDX: 000000000000fef3 RSI: 0000200000000200 RDI: 00000000000000c8
RBP: 00007f7904e32c99 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f7905016038 R14: 00007f7905015fa0 R15: 00007ffc137b8038
 </TASK>
BUG: Bad page state in process syz.2.2579  pfn:3921f
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888000000000 pfn:0x3921f
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 dead000000000040 ffff88801bbcb000 0000000000000000
raw: ffff888000000000 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 16515, tgid 16514 (syz.2.2579), ts 499765002974, free_ts 499581090246
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x153/0x170 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x111d/0x3140 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x27c/0x2ba0 mm/page_alloc.c:5250
 __alloc_pages_noprof mm/page_alloc.c:5284 [inline]
 alloc_pages_bulk_noprof+0x782/0x1490 mm/page_alloc.c:5204
 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline]
 __page_pool_alloc_netmems_slow+0x1c6/0xc10 net/core/page_pool.c:616
 page_pool_alloc_netmems net/core/page_pool.c:667 [inline]
 page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:654
 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline]
 page_pool_alloc include/net/page_pool/helpers.h:167 [inline]
 page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline]
 skb_pp_cow_data+0x7f9/0xea0 net/core/skbuff.c:993
 skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1027
 netif_skb_check_for_xdp net/core/dev.c:5512 [inline]
 netif_receive_generic_xdp net/core/dev.c:5553 [inline]
 do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5621
 tun_get_user+0x1bd2/0x3e10 drivers/net/tun.c:1872
 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:1999
 new_sync_write fs/read_write.c:595 [inline]
 vfs_write+0x6ac/0x1070 fs/read_write.c:688
 ksys_write+0x12a/0x250 fs/read_write.c:740
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 16511 tgid 16507 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0x7e1/0x10d0 mm/page_alloc.c:2978
 __folio_put+0x3b4/0x540 mm/swap.c:112
 folio_put include/linux/mm.h:1817 [inline]
 put_page include/linux/mm.h:1886 [inline]
 af_alg_free_areq_sgls crypto/af_alg.c:793 [inline]
 af_alg_free_resources+0x735/0x920 crypto/af_alg.c:1130
 _skcipher_recvmsg crypto/algif_skcipher.c:208 [inline]
 skcipher_recvmsg+0xbbc/0x1020 crypto/algif_skcipher.c:221
 sock_recvmsg_nosec net/socket.c:1078 [inline]
 sock_recvmsg+0x1a4/0x1f0 net/socket.c:1100
 ____sys_recvmsg+0x218/0x640 net/socket.c:2812
 ___sys_recvmsg+0x16a/0x1a0 net/socket.c:2854
 __sys_recvmsg+0x16d/0x220 net/socket.c:2887
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Modules linked in:
CPU: 0 UID: 0 PID: 16515 Comm: syz.2.2579 Tainted: G    B               syzkaller #0 PREEMPT(full) 
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
 bad_page.cold+0xbe/0xdf mm/page_alloc.c:676
 free_page_is_bad mm/page_alloc.c:1120 [inline]
 free_page_is_bad mm/page_alloc.c:1114 [inline]
 __free_pages_prepare mm/page_alloc.c:1424 [inline]
 __free_frozen_pages+0x825/0x10d0 mm/page_alloc.c:2978
 page_frag_free+0x284/0x2e0 mm/page_frag_cache.c:169
 __xdp_return+0x3cd/0xbb0 net/core/xdp.c:448
 bpf_xdp_shrink_data net/core/filter.c:4212 [inline]
 bpf_xdp_frags_shrink_tail net/core/filter.c:4236 [inline]
 ____bpf_xdp_adjust_tail net/core/filter.c:4258 [inline]
 bpf_xdp_adjust_tail+0x8a1/0xbb0 net/core/filter.c:4251
 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24
 __bpf_prog_run include/linux/filter.h:723 [inline]
 bpf_prog_run_xdp include/net/xdp.h:696 [inline]
 bpf_prog_run_generic_xdp+0x614/0x1610 net/core/dev.c:5443
 netif_receive_generic_xdp net/core/dev.c:5559 [inline]
 do_xdp_generic+0x92e/0x12c0 net/core/dev.c:5621
 tun_get_user+0x1bd2/0x3e10 drivers/net/tun.c:1872
 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:1999
 new_sync_write fs/read_write.c:595 [inline]
 vfs_write+0x6ac/0x1070 fs/read_write.c:688
 ksys_write+0x12a/0x250 fs/read_write.c:740
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7904d5cfce
Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
RSP: 002b:00007f7905d02fb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f7905d036c0 RCX: 00007f7904d5cfce
RDX: 000000000000fef3 RSI: 0000200000000200 RDI: 00000000000000c8
RBP: 00007f7904e32c99 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f7905016038 R14: 00007f7905015fa0 R15: 00007ffc137b8038
 </TASK>
BUG: Bad page state in process syz.2.2579  pfn:22707
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x22707
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 dead000000000040 ffff88801bbcb000 0000000000000000
raw: 0000000000000000 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 16515, tgid 16514 (syz.2.2579), ts 499764996117, free_ts 499581100253
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x153/0x170 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x111d/0x3140 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x27c/0x2ba0 mm/page_alloc.c:5250
 __alloc_pages_noprof mm/page_alloc.c:5284 [inline]
 alloc_pages_bulk_noprof+0x782/0x1490 mm/page_alloc.c:5204
 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline]
 __page_pool_alloc_netmems_slow+0x1c6/0xc10 net/core/page_pool.c:616
 page_pool_alloc_netmems net/core/page_pool.c:667 [inline]
 page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:654
 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline]
 page_pool_alloc include/net/page_pool/helpers.h:167 [inline]
 page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline]
 skb_pp_cow_data+0x7f9/0xea0 net/core/skbuff.c:993
 skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1027
 netif_skb_check_for_xdp net/core/dev.c:5512 [inline]
 netif_receive_generic_xdp net/core/dev.c:5553 [inline]
 do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5621
 tun_get_user+0x1bd2/0x3e10 drivers/net/tun.c:1872
 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:1999
 new_sync_write fs/read_write.c:595 [inline]
 vfs_write+0x6ac/0x1070 fs/read_write.c:688
 ksys_write+0x12a/0x250 fs/read_write.c:740
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 16511 tgid 16507 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0x7e1/0x10d0 mm/page_alloc.c:2978
 __folio_put+0x3b4/0x540 mm/swap.c:112
 folio_put include/linux/mm.h:1817 [inline]
 put_page include/linux/mm.h:1886 [inline]
 af_alg_free_areq_sgls crypto/af_alg.c:793 [inline]
 af_alg_free_resources+0x735/0x920 crypto/af_alg.c:1130
 _skcipher_recvmsg crypto/algif_skcipher.c:208 [inline]
 skcipher_recvmsg+0xbbc/0x1020 crypto/algif_skcipher.c:221
 sock_recvmsg_nosec net/socket.c:1078 [inline]
 sock_recvmsg+0x1a4/0x1f0 net/socket.c:1100
 ____sys_recvmsg+0x218/0x640 net/socket.c:2812
 ___sys_recvmsg+0x16a/0x1a0 net/socket.c:2854
 __sys_recvmsg+0x16d/0x220 net/socket.c:2887
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Modules linked in:
CPU: 0 UID: 0 PID: 16515 Comm: syz.2.2579 Tainted: G    B               syzkaller #0 PREEMPT(full) 
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
 bad_page.cold+0xbe/0xdf mm/page_alloc.c:676
 free_page_is_bad mm/page_alloc.c:1120 [inline]
 free_page_is_bad mm/page_alloc.c:1114 [inline]
 __free_pages_prepare mm/page_alloc.c:1424 [inline]
 __free_frozen_pages+0x825/0x10d0 mm/page_alloc.c:2978
 page_frag_free+0x284/0x2e0 mm/page_frag_cache.c:169
 __xdp_return+0x3cd/0xbb0 net/core/xdp.c:448
 bpf_xdp_shrink_data net/core/filter.c:4212 [inline]
 bpf_xdp_frags_shrink_tail net/core/filter.c:4236 [inline]
 ____bpf_xdp_adjust_tail net/core/filter.c:4258 [inline]
 bpf_xdp_adjust_tail+0x8a1/0xbb0 net/core/filter.c:4251
 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24
 __bpf_prog_run include/linux/filter.h:723 [inline]
 bpf_prog_run_xdp include/net/xdp.h:696 [inline]
 bpf_prog_run_generic_xdp+0x614/0x1610 net/core/dev.c:5443
 netif_receive_generic_xdp net/core/dev.c:5559 [inline]
 do_xdp_generic+0x92e/0x12c0 net/core/dev.c:5621
 tun_get_user+0x1bd2/0x3e10 drivers/net/tun.c:1872
 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:1999
 new_sync_write fs/read_write.c:595 [inline]
 vfs_write+0x6ac/0x1070 fs/read_write.c:688
 ksys_write+0x12a/0x250 fs/read_write.c:740
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7904d5cfce
Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
RSP: 002b:00007f7905d02fb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f7905d036c0 RCX: 00007f7904d5cfce
RDX: 000000000000fef3 RSI: 0000200000000200 RDI: 00000000000000c8
RBP: 00007f7904e32c99 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f7905016038 R14: 00007f7905015fa0 R15: 00007ffc137b8038
 </TASK>
BUG: Bad page state in process syz.2.2579  pfn:78f22
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888078f222d0 pfn:0x78f22
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 dead000000000040 ffff88801bbcb000 0000000000000000
raw: ffff888078f222d0 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 16515, tgid 16514 (syz.2.2579), ts 499764989059, free_ts 499581110635
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x153/0x170 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x111d/0x3140 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x27c/0x2ba0 mm/page_alloc.c:5250
 __alloc_pages_noprof mm/page_alloc.c:5284 [inline]
 alloc_pages_bulk_noprof+0x782/0x1490 mm/page_alloc.c:5204
 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline]
 __page_pool_alloc_netmems_slow+0x1c6/0xc10 net/core/page_pool.c:616
 page_pool_alloc_netmems net/core/page_pool.c:667 [inline]
 page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:654
 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline]
 page_pool_alloc include/net/page_pool/helpers.h:167 [inline]
 page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline]
 skb_pp_cow_data+0x7f9/0xea0 net/core/skbuff.c:993
 skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1027
 netif_skb_check_for_xdp net/core/dev.c:5512 [inline]
 netif_receive_generic_xdp net/core/dev.c:5553 [inline]
 do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5621
 tun_get_user+0x1bd2/0x3e10 drivers/net/tun.c:1872
 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:1999
 new_sync_write fs/read_write.c:595 [inline]
 vfs_write+0x6ac/0x1070 fs/read_write.c:688
 ksys_write+0x12a/0x250 fs/read_write.c:740
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 16511 tgid 16507 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0x7e1/0x10d0 mm/page_alloc.c:2978
 __folio_put+0x3b4/0x540 mm/swap.c:112
 folio_put include/linux/mm.h:1817 [inline]
 put_page include/linux/mm.h:1886 [inline]
 af_alg_free_areq_sgls crypto/af_alg.c:793 [inline]
 af_alg_free_resources+0x735/0x920 crypto/af_alg.c:1130
 _skcipher_recvmsg crypto/algif_skcipher.c:208 [inline]
 skcipher_recvmsg+0xbbc/0x1020 crypto/algif_skcipher.c:221
 sock_recvmsg_nosec net/socket.c:1078 [inline]
 sock_recvmsg+0x1a4/0x1f0 net/socket.c:1100
 ____sys_recvmsg+0x218/0x640 net/socket.c:2812
 ___sys_recvmsg+0x16a/0x1a0 net/socket.c:2854
 __sys_recvmsg+0x16d/0x220 net/socket.c:2887
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Modules linked in:

CPU: 0 UID: 0 PID: 16515 Comm: syz.2.2579 Tainted: G    B               syzkaller #0 PREEMPT(full) 
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
 bad_page.cold+0xbe/0xdf mm/page_alloc.c:676
 free_page_is_bad mm/page_alloc.c:1120 [inline]
 free_page_is_bad mm/page_alloc.c:1114 [inline]
 __free_pages_prepare mm/page_alloc.c:1424 [inline]
 __free_frozen_pages+0x825/0x10d0 mm/page_alloc.c:2978
 page_frag_free+0x284/0x2e0 mm/page_frag_cache.c:169
 __xdp_return+0x3cd/0xbb0 net/core/xdp.c:448
 bpf_xdp_shrink_data net/core/filter.c:4212 [inline]
 bpf_xdp_frags_shrink_tail net/core/filter.c:4236 [inline]
 ____bpf_xdp_adjust_tail net/core/filter.c:4258 [inline]
 bpf_xdp_adjust_tail+0x8a1/0xbb0 net/core/filter.c:4251
 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24
 __bpf_prog_run include/linux/filter.h:723 [inline]
 bpf_prog_run_xdp include/net/xdp.h:696 [inline]
 bpf_prog_run_generic_xdp+0x614/0x1610 net/core/dev.c:5443
 netif_receive_generic_xdp net/core/dev.c:5559 [inline]
 do_xdp_generic+0x92e/0x12c0 net/core/dev.c:5621
 tun_get_user+0x1bd2/0x3e10 drivers/net/tun.c:1872
 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:1999
 new_sync_write fs/read_write.c:595 [inline]
 vfs_write+0x6ac/0x1070 fs/read_write.c:688
 ksys_write+0x12a/0x250 fs/read_write.c:740
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7904d5cfce
Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
RSP: 002b:00007f7905d02fb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f7905d036c0 RCX: 00007f7904d5cfce
RDX: 000000000000fef3 RSI: 0000200000000200 RDI: 00000000000000c8
RBP: 00007f7904e32c99 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f7905016038 R14: 00007f7905015fa0 R15: 00007ffc137b8038
 </TASK>
BUG: Bad page state in process syz.2.2579  pfn:34eb5
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888034eb5fe0 pfn:0x34eb5
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 dead000000000040 ffff88801bbcb000 0000000000000000
raw: ffff888034eb5fe0 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 16515, tgid 16514 (syz.2.2579), ts 499764981915, free_ts 499581120740
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x153/0x170 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x111d/0x3140 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x27c/0x2ba0 mm/page_alloc.c:5250
 __alloc_pages_noprof mm/page_alloc.c:5284 [inline]
 alloc_pages_bulk_noprof+0x782/0x1490 mm/page_alloc.c:5204
 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline]
 __page_pool_alloc_netmems_slow+0x1c6/0xc10 net/core/page_pool.c:616
 page_pool_alloc_netmems net/core/page_pool.c:667 [inline]
 page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:654
 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline]
 page_pool_alloc include/net/page_pool/helpers.h:167 [inline]
 page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline]
 skb_pp_cow_data+0x7f9/0xea0 net/core/skbuff.c:993
 skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1027
 netif_skb_check_for_xdp net/core/dev.c:5512 [inline]
 netif_receive_generic_xdp net/core/dev.c:5553 [inline]
 do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5621
 tun_get_user+0x1bd2/0x3e10 drivers/net/tun.c:1872
 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:1999
 new_sync_write fs/read_write.c:595 [inline]
 vfs_write+0x6ac/0x1070 fs/read_write.c:688
 ksys_write+0x12a/0x250 fs/read_write.c:740
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 16511 tgid 16507 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0x7e1/0x10d0 mm/page_alloc.c:2978
 __folio_put+0x3b4/0x540 mm/swap.c:112
 folio_put include/linux/mm.h:1817 [inline]
 put_page include/linux/mm.h:1886 [inline]
 af_alg_free_areq_sgls crypto/af_alg.c:793 [inline]
 af_alg_free_resources+0x735/0x920 crypto/af_alg.c:1130
 _skcipher_recvmsg crypto/algif_skcipher.c:208 [inline]
 skcipher_recvmsg+0xbbc/0x1020 crypto/algif_skcipher.c:221
 sock_recvmsg_nosec net/socket.c:1078 [inline]
 sock_recvmsg+0x1a4/0x1f0 net/socket.c:1100
 ____sys_recvmsg+0x218/0x640 net/socket.c:2812
 ___sys_recvmsg+0x16a/0x1a0 net/socket.c:2854
 __sys_recvmsg+0x16d/0x220 net/socket.c:2887
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Modules linked in:
CPU: 0 UID: 0 PID: 16515 Comm: syz.2.2579 Tainted: G    B               syzkaller #0 PREEMPT(full) 
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
 bad_page.cold+0xbe/0xdf mm/page_alloc.c:676
 free_page_is_bad mm/page_alloc.c:1120 [inline]
 free_page_is_bad mm/page_alloc.c:1114 [inline]
 __free_pages_prepare mm/page_alloc.c:1424 [inline]
 __free_frozen_pages+0x825/0x10d0 mm/page_alloc.c:2978
 page_frag_free+0x284/0x2e0 mm/page_frag_cache.c:169
 __xdp_return+0x3cd/0xbb0 net/core/xdp.c:448
 bpf_xdp_shrink_data net/core/filter.c:4212 [inline]
 bpf_xdp_frags_shrink_tail net/core/filter.c:4236 [inline]
 ____bpf_xdp_adjust_tail net/core/filter.c:4258 [inline]
 bpf_xdp_adjust_tail+0x8a1/0xbb0 net/core/filter.c:4251
 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24
 __bpf_prog_run include/linux/filter.h:723 [inline]
 bpf_prog_run_xdp include/net/xdp.h:696 [inline]
 bpf_prog_run_generic_xdp+0x614/0x1610 net/core/dev.c:5443
 netif_receive_generic_xdp net/core/dev.c:5559 [inline]
 do_xdp_generic+0x92e/0x12c0 net/core/dev.c:5621
 tun_get_user+0x1bd2/0x3e10 drivers/net/tun.c:1872
 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:1999
 new_sync_write fs/read_write.c:595 [inline]
 vfs_write+0x6ac/0x1070 fs/read_write.c:688
 ksys_write+0x12a/0x250 fs/read_write.c:740
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7904d5cfce
Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
RSP: 002b:00007f7905d02fb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f7905d036c0 RCX: 00007f7904d5cfce
RDX: 000000000000fef3 RSI: 0000200000000200 RDI: 00000000000000c8
RBP: 00007f7904e32c99 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f7905016038 R14: 00007f7905015fa0 R15: 00007ffc137b8038
 </TASK>
BUG: Bad page state in process syz.2.2579  pfn:3ec05
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3ec05
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 dead000000000040 ffff88801bbcb000 0000000000000000
raw: 0000000000000000 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 16515, tgid 16514 (syz.2.2579), ts 499764974876, free_ts 499581131103
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x153/0x170 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x111d/0x3140 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x27c/0x2ba0 mm/page_alloc.c:5250
 __alloc_pages_noprof mm/page_alloc.c:5284 [inline]
 alloc_pages_bulk_noprof+0x782/0x1490 mm/page_alloc.c:5204
 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline]
 __page_pool_alloc_netmems_slow+0x1c6/0xc10 net/core/page_pool.c:616
 page_pool_alloc_netmems net/core/page_pool.c:667 [inline]
 page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:654
 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline]
 page_pool_alloc include/net/page_pool/helpers.h:167 [inline]
 page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline]
 skb_pp_cow_data+0x7f9/0xea0 net/core/skbuff.c:993
 skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1027
 netif_skb_check_for_xdp net/core/dev.c:5512 [inline]
 netif_receive_generic_xdp net/core/dev.c:5553 [inline]
 do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5621
 tun_get_user+0x1bd2/0x3e10 drivers/net/tun.c:1872
 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:1999
 new_sync_write fs/read_write.c:595 [inline]
 vfs_write+0x6ac/0x1070 fs/read_write.c:688
 ksys_write+0x12a/0x250 fs/read_write.c:740
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 16511 tgid 16507 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0x7e1/0x10d0 mm/page_alloc.c:2978
 __folio_put+0x3b4/0x540 mm/swap.c:112
 folio_put include/linux/mm.h:1817 [inline]
 put_page include/linux/mm.h:1886 [inline]
 af_alg_free_areq_sgls crypto/af_alg.c:793 [inline]
 af_alg_free_resources+0x735/0x920 crypto/af_alg.c:1130
 _skcipher_recvmsg crypto/algif_skcipher.c:208 [inline]
 skcipher_recvmsg+0xbbc/0x1020 crypto/algif_skcipher.c:221
 sock_recvmsg_nosec net/socket.c:1078 [inline]
 sock_recvmsg+0x1a4/0x1f0 net/socket.c:1100
 ____sys_recvmsg+0x218/0x640 net/socket.c:2812
 ___sys_recvmsg+0x16a/0x1a0 net/socket.c:2854
 __sys_recvmsg+0x16d/0x220 net/socket.c:2887
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Modules linked in:
CPU: 0 UID: 0 PID: 16515 Comm: syz.2.2579 Tainted: G    B               syzkaller #0 PREEMPT(full) 
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
 bad_page.cold+0xbe/0xdf mm/page_alloc.c:676
 free_page_is_bad mm/page_alloc.c:1120 [inline]
 free_page_is_bad mm/page_alloc.c:1114 [inline]
 __free_pages_prepare mm/page_alloc.c:1424 [inline]
 __free_frozen_pages+0x825/0x10d0 mm/page_alloc.c:2978
 page_frag_free+0x284/0x2e0 mm/page_frag_cache.c:169
 __xdp_return+0x3cd/0xbb0 net/core/xdp.c:448
 bpf_xdp_shrink_data net/core/filter.c:4212 [inline]
 bpf_xdp_frags_shrink_tail net/core/filter.c:4236 [inline]
 ____bpf_xdp_adjust_tail net/core/filter.c:4258 [inline]
 bpf_xdp_adjust_tail+0x8a1/0xbb0 net/core/filter.c:4251
 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24
 __bpf_prog_run include/linux/filter.h:723 [inline]
 bpf_prog_run_xdp include/net/xdp.h:696 [inline]
 bpf_prog_run_generic_xdp+0x614/0x1610 net/core/dev.c:5443
 netif_receive_generic_xdp net/core/dev.c:5559 [inline]
 do_xdp_generic+0x92e/0x12c0 net/core/dev.c:5621
 tun_get_user+0x1bd2/0x3e10 drivers/net/tun.c:1872
 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:1999
 new_sync_write fs/read_write.c:595 [inline]
 vfs_write+0x6ac/0x1070 fs/read_write.c:688
 ksys_write+0x12a/0x250 fs/read_write.c:740
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7904d5cfce
Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
RSP: 002b:00007f7905d02fb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f7905d036c0 RCX: 00007f7904d5cfce
RDX: 000000000000fef3 RSI: 0000200000000200 RDI: 00000000000000c8
RBP: 00007f7904e32c99 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f7905016038 R14: 00007f7905015fa0 R15: 00007ffc137b8038
 </TASK>
BUG: Bad page state in process syz.2.2579  pfn:4ae27
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4ae27
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 dead000000000040 ffff88801bbcb000 0000000000000000
raw: 0000000000000000 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 16515, tgid 16514 (syz.2.2579), ts 499764968396, free_ts 499581141833
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x153/0x170 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x111d/0x3140 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x27c/0x2ba0 mm/page_alloc.c:5250
 __alloc_pages_noprof mm/page_alloc.c:5284 [inline]
 alloc_pages_bulk_noprof+0x782/0x1490 mm/page_alloc.c:5204
 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline]
 __page_pool_alloc_netmems_slow+0x1c6/0xc10 net/core/page_pool.c:616
 page_pool_alloc_netmems net/core/page_pool.c:667 [inline]
 page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:654
 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline]
 page_pool_alloc include/net/page_pool/helpers.h:167 [inline]
 page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline]
 skb_pp_cow_data+0x7f9/0xea0 net/core/skbuff.c:993
 skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1027
 netif_skb_check_for_xdp net/core/dev.c:5512 [inline]
 netif_receive_generic_xdp net/core/dev.c:5553 [inline]
 do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5621
 tun_get_user+0x1bd2/0x3e10 drivers/net/tun.c:1872
 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:1999
 new_sync_write fs/read_write.c:595 [inline]
 vfs_write+0x6ac/0x1070 fs/read_write.c:688
 ksys_write+0x12a/0x250 fs/read_write.c:740
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 16511 tgid 16507 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0x7e1/0x10d0 mm/page_alloc.c:2978
 __folio_put+0x3b4/0x540 mm/swap.c:112
 folio_put include/linux/mm.h:1817 [inline]
 put_page include/linux/mm.h:1886 [inline]
 af_alg_free_areq_sgls crypto/af_alg.c:793 [inline]
 af_alg_free_resources+0x735/0x920 crypto/af_alg.c:1130
 _skcipher_recvmsg crypto/algif_skcipher.c:208 [inline]
 skcipher_recvmsg+0xbbc/0x1020 crypto/algif_skcipher.c:221
 sock_recvmsg_nosec net/socket.c:1078 [inline]
 sock_recvmsg+0x1a4/0x1f0 net/socket.c:1100
 ____sys_recvmsg+0x218/0x640 net/socket.c:2812
 ___sys_recvmsg+0x16a/0x1a0 net/socket.c:2854
 __sys_recvmsg+0x16d/0x220 net/socket.c:2887
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Modules linked in:
CPU: 0 UID: 0 PID: 16515 Comm: syz.2.2579 Tainted: G    B               syzkaller #0 PREEMPT(full) 
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
 bad_page.cold+0xbe/0xdf mm/page_alloc.c:676
 free_page_is_bad mm/page_alloc.c:1120 [inline]
 free_page_is_bad mm/page_alloc.c:1114 [inline]
 __free_pages_prepare mm/page_alloc.c:1424 [inline]
 __free_frozen_pages+0x825/0x10d0 mm/page_alloc.c:2978
 page_frag_free+0x284/0x2e0 mm/page_frag_cache.c:169
 __xdp_return+0x3cd/0xbb0 net/core/xdp.c:448
 bpf_xdp_shrink_data net/core/filter.c:4212 [inline]
 bpf_xdp_frags_shrink_tail net/core/filter.c:4236 [inline]
 ____bpf_xdp_adjust_tail net/core/filter.c:4258 [inline]
 bpf_xdp_adjust_tail+0x8a1/0xbb0 net/core/filter.c:4251
 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24
 __bpf_prog_run include/linux/filter.h:723 [inline]
 bpf_prog_run_xdp include/net/xdp.h:696 [inline]
 bpf_prog_run_generic_xdp+0x614/0x1610 net/core/dev.c:5443
 netif_receive_generic_xdp net/core/dev.c:5559 [inline]
 do_xdp_generic+0x92e/0x12c0 net/core/dev.c:5621
 tun_get_user+0x1bd2/0x3e10 drivers/net/tun.c:1872
 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:1999
 new_sync_write fs/read_write.c:595 [inline]
 vfs_write+0x6ac/0x1070 fs/read_write.c:688
 ksys_write+0x12a/0x250 fs/read_write.c:740
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7904d5cfce
Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
RSP: 002b:00007f7905d02fb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f7905d036c0 RCX: 00007f7904d5cfce
RDX: 000000000000fef3 RSI: 0000200000000200 RDI: 00000000000000c8
RBP: 00007f7904e32c99 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f7905016038 R14: 00007f7905015fa0 R15: 00007ffc137b8038
 </TASK>
BUG: Bad page state in process syz.2.2579  pfn:7665e
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7665e
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 dead000000000040 ffff88801bbcb000 0000000000000000
raw: 0000000000000000 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 16515, tgid 16514 (syz.2.2579), ts 499764961858, free_ts 499581152698
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x153/0x170 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x111d/0x3140 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x27c/0x2ba0 mm/page_alloc.c:5250
 __alloc_pages_noprof mm/page_alloc.c:5284 [inline]
 alloc_pages_bulk_noprof+0x782/0x1490 mm/page_alloc.c:5204
 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline]
 __page_pool_alloc_netmems_slow+0x1c6/0xc10 net/core/page_pool.c:616
 page_pool_alloc_netmems net/core/page_pool.c:667 [inline]
 page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:654
 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline]
 page_pool_alloc include/net/page_pool/helpers.h:167 [inline]
 page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline]
 skb_pp_cow_data+0x7f9/0xea0 net/core/skbuff.c:993
 skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1027
 netif_skb_check_for_xdp net/core/dev.c:5512 [inline]
 netif_receive_generic_xdp net/core/dev.c:5553 [inline]
 do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5621
 tun_get_user+0x1bd2/0x3e10 drivers/net/tun.c:1872
 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:1999
 new_sync_write fs/read_write.c:595 [inline]
 vfs_write+0x6ac/0x1070 fs/read_write.c:688
 ksys_write+0x12a/0x250 fs/read_write.c:740
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 16511 tgid 16507 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0x7e1/0x10d0 mm/page_alloc.c:2978
 __folio_put+0x3b4/0x540 mm/swap.c:112
 folio_put include/linux/mm.h:1817 [inline]
 put_page include/linux/mm.h:1886 [inline]
 af_alg_free_areq_sgls crypto/af_alg.c:793 [inline]
 af_alg_free_resources+0x735/0x920 crypto/af_alg.c:1130
 _skcipher_recvmsg crypto/algif_skcipher.c:208 [inline]
 skcipher_recvmsg+0xbbc/0x1020 crypto/algif_skcipher.c:221
 sock_recvmsg_nosec net/socket.c:1078 [inline]
 sock_recvmsg+0x1a4/0x1f0 net/socket.c:1100
 ____sys_recvmsg+0x218/0x640 net/socket.c:2812
 ___sys_recvmsg+0x16a/0x1a0 net/socket.c:2854
 __sys_recvmsg+0x16d/0x220 net/socket.c:2887
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Modules linked in:
CPU: 0 UID: 0 PID: 16515 Comm: syz.2.2579 Tainted: G    B               syzkaller #0 PREEMPT(full) 
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
 bad_page.cold+0xbe/0xdf mm/page_alloc.c:676
 free_page_is_bad mm/page_alloc.c:1120 [inline]
 free_page_is_bad mm/page_alloc.c:1114 [inline]
 __free_pages_prepare mm/page_alloc.c:1424 [inline]
 __free_frozen_pages+0x825/0x10d0 mm/page_alloc.c:2978
 page_frag_free+0x284/0x2e0 mm/page_frag_cache.c:169
 __xdp_return+0x3cd/0xbb0 net/core/xdp.c:448
 bpf_xdp_shrink_data net/core/filter.c:4212 [inline]
 bpf_xdp_frags_shrink_tail net/core/filter.c:4236 [inline]
 ____bpf_xdp_adjust_tail net/core/filter.c:4258 [inline]
 bpf_xdp_adjust_tail+0x8a1/0xbb0 net/core/filter.c:4251
 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24
 __bpf_prog_run include/linux/filter.h:723 [inline]
 bpf_prog_run_xdp include/net/xdp.h:696 [inline]
 bpf_prog_run_generic_xdp+0x614/0x1610 net/core/dev.c:5443
 netif_receive_generic_xdp net/core/dev.c:5559 [inline]
 do_xdp_generic+0x92e/0x12c0 net/core/dev.c:5621
 tun_get_user+0x1bd2/0x3e10 drivers/net/tun.c:1872
 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:1999
 new_sync_write fs/read_write.c:595 [inline]
 vfs_write+0x6ac/0x1070 fs/read_write.c:688
 ksys_write+0x12a/0x250 fs/read_write.c:740
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7904d5cfce
Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
RSP: 002b:00007f7905d02fb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f7905d036c0 RCX: 00007f7904d5cfce
RDX: 000000000000fef3 RSI: 0000200000000200 RDI: 00000000000000c8
RBP: 00007f7904e32c99 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f7905016038 R14: 00007f7905015fa0 R15: 00007ffc137b8038
 </TASK>
BUG: Bad page state in process syz.2.2579  pfn:4ae25
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4ae25
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 dead000000000040 ffff88801bbcb000 0000000000000000
raw: 0000000000000000 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 16515, tgid 16514 (syz.2.2579), ts 499764955670, free_ts 499760957698
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x153/0x170 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x111d/0x3140 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x27c/0x2ba0 mm/page_alloc.c:5250
 __alloc_pages_noprof mm/page_alloc.c:5284 [inline]
 alloc_pages_bulk_noprof+0x782/0x1490 mm/page_alloc.c:5204
 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline]
 __page_pool_alloc_netmems_slow+0x1c6/0xc10 net/core/page_pool.c:616
 page_pool_alloc_netmems net/core/page_pool.c:667 [inline]
 page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:654
 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline]
 page_pool_alloc include/net/page_pool/helpers.h:167 [inline]
 page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline]
 skb_pp_cow_data+0x7f9/0xea0 net/core/skbuff.c:993
 skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1027
 netif_skb_check_for_xdp net/core/dev.c:5512 [inline]
 netif_receive_generic_xdp net/core/dev.c:5553 [inline]
 do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5621
 tun_get_user+0x1bd2/0x3e10 drivers/net/tun.c:1872
 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:1999
 new_sync_write fs/read_write.c:595 [inline]
 vfs_write+0x6ac/0x1070 fs/read_write.c:688
 ksys_write+0x12a/0x250 fs/read_write.c:740
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 16515 tgid 16514 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0x7e1/0x10d0 mm/page_alloc.c:2978
 ___free_pages_bulk mm/kasan/shadow.c:333 [inline]
 __kasan_populate_vmalloc_do mm/kasan/shadow.c:385 [inline]
 __kasan_populate_vmalloc+0x164/0x210 mm/kasan/shadow.c:424
 kasan_populate_vmalloc include/linux/kasan.h:580 [inline]
 alloc_vmap_area+0x95d/0x2bd0 mm/vmalloc.c:2129
 __get_vm_area_node+0x1ca/0x330 mm/vmalloc.c:3232
 __vmalloc_node_range_noprof+0x213/0x1530 mm/vmalloc.c:4024
 __vmalloc_node_noprof+0xad/0xf0 mm/vmalloc.c:4124
 bpf_prog_calc_tag+0x69/0x380 kernel/bpf/core.c:308
 resolve_pseudo_ldimm64+0xd2/0x1970 kernel/bpf/verifier.c:21779
 bpf_check+0x7460/0xcd50 kernel/bpf/verifier.c:26035
 bpf_prog_load+0x1c86/0x2c20 kernel/bpf/syscall.c:3089
 __sys_bpf+0x223a/0x4b90 kernel/bpf/syscall.c:6228
 __do_sys_bpf kernel/bpf/syscall.c:6341 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:6339 [inline]
 __x64_sys_bpf+0x7b/0xc0 kernel/bpf/syscall.c:6339
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Modules linked in:
CPU: 0 UID: 0 PID: 16515 Comm: syz.2.2579 Tainted: G    B               syzkaller #0 PREEMPT(full) 
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
 bad_page.cold+0xbe/0xdf mm/page_alloc.c:676