BUG: Bad page state in process syz-executor.0  pfn:47cd6
page:0000000053aa6874 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x47cd6
flags: 0x1ffc60000001042(referenced|workingset|reserved|node=0|zone=0|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 01ffc60000001042 fffffc00001f3588 fffffc00001f3588 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
Modules linked in:
CPU: 0 PID: 32450 Comm: syz-executor.0 Not tainted 6.5.0-rc5-syzkaller-00243-g9106536c1aa3 #0
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace+0x9c/0x11c arch/arm64/kernel/stacktrace.c:233
 show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:240
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xac/0xd4 lib/dump_stack.c:106
 dump_stack+0x1c/0x28 lib/dump_stack.c:113
 bad_page+0xe4/0x22c mm/page_alloc.c:533
 free_page_is_bad_report mm/page_alloc.c:974 [inline]
 free_page_is_bad mm/page_alloc.c:984 [inline]
 free_pages_prepare mm/page_alloc.c:1153 [inline]
 free_unref_page_prepare+0x6ac/0xd68 mm/page_alloc.c:2348
 free_unref_page+0x60/0x3e0 mm/page_alloc.c:2443
 __folio_put_small mm/swap.c:106 [inline]
 __folio_put+0x80/0xdc mm/swap.c:129
 folio_put include/linux/mm.h:1440 [inline]
 put_page include/linux/mm.h:1509 [inline]
 extract_user_to_sg lib/scatterlist.c:1151 [inline]
 extract_iter_to_sg lib/scatterlist.c:1349 [inline]
 extract_iter_to_sg+0xdbc/0x134c lib/scatterlist.c:1339
 hash_sendmsg+0x23c/0xf78 crypto/algif_hash.c:119
 sock_sendmsg_nosec net/socket.c:725 [inline]
 sock_sendmsg+0xc8/0x168 net/socket.c:748
 sock_write_iter+0x1cc/0x300 net/socket.c:1129
 call_write_iter include/linux/fs.h:1877 [inline]
 new_sync_write fs/read_write.c:491 [inline]
 vfs_write+0x56c/0x74c fs/read_write.c:584
 ksys_write+0x190/0x1dc fs/read_write.c:637
 __do_sys_write fs/read_write.c:649 [inline]
 __se_sys_write fs/read_write.c:646 [inline]
 __arm64_sys_write+0x6c/0x9c fs/read_write.c:646
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x6c/0x258 arch/arm64/kernel/syscall.c:52
 el0_svc_common.constprop.0+0xc4/0x244 arch/arm64/kernel/syscall.c:139
 do_el0_svc_compat+0x40/0x70 arch/arm64/kernel/syscall.c:194
 el0_svc_compat+0x4c/0x134 arch/arm64/kernel/entry-common.c:786
 el0t_32_sync_handler+0x98/0x13c arch/arm64/kernel/entry-common.c:796
 el0t_32_sync+0x194/0x198 arch/arm64/kernel/entry.S:596
page:0000000053aa6874 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x47cd6
flags: 0x1ffc60000001042(referenced|workingset|reserved|node=0|zone=0|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 01ffc60000001042 fffffc00001f3588 fffffc00001f3588 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: VM_BUG_ON_PAGE(page_ref_count(page) == 0)
------------[ cut here ]------------
kernel BUG at include/linux/mm.h:1027!
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 32450 Comm: syz-executor.0 Tainted: G    B              6.5.0-rc5-syzkaller-00243-g9106536c1aa3 #0
Hardware name: linux,dummy-virt (DT)
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : put_page_testzero include/linux/mm.h:1027 [inline]
pc : folio_put_testzero include/linux/mm.h:1033 [inline]
pc : folio_put include/linux/mm.h:1439 [inline]
pc : put_page include/linux/mm.h:1509 [inline]
pc : extract_user_to_sg lib/scatterlist.c:1151 [inline]
pc : extract_iter_to_sg lib/scatterlist.c:1349 [inline]
pc : extract_iter_to_sg+0xe4c/0x134c lib/scatterlist.c:1339
lr : put_page_testzero include/linux/mm.h:1027 [inline]
lr : folio_put_testzero include/linux/mm.h:1033 [inline]
lr : folio_put include/linux/mm.h:1439 [inline]
lr : put_page include/linux/mm.h:1509 [inline]
lr : extract_user_to_sg lib/scatterlist.c:1151 [inline]
lr : extract_iter_to_sg lib/scatterlist.c:1349 [inline]
lr : extract_iter_to_sg+0xe4c/0x134c lib/scatterlist.c:1339
sp : ffff80008a717770
x29: ffff80008a717770 x28: fffffc00001f35b4 x27: 1fffe00002844401
x26: fffffc00001f3580 x25: dfff800000000000 x24: ffff000014222008
x23: 1ffff000114e2f08 x22: 0000000000000003 x21: ffff600002844401
x20: ffff000014222000 x19: 0000000000000007 x18: ffff00001136dda0
x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
x14: 0000000000000000 x13: 205d303534323354 x12: ffff7000114e2e67
x11: 1ffff000114e2e66 x10: ffff7000114e2e66 x9 : dfff800000000000
x8 : 00008fffeeb1d19a x7 : ffff80008a717337 x6 : 0000000000000001
x5 : ffff80008a717330 x4 : 1fffe0000226da69 x3 : 0000000000000000
x2 : 0000000000000000 x1 : ffff00001136d340 x0 : 000000000000003e
Call trace:
 put_page_testzero include/linux/mm.h:1027 [inline]
 folio_put_testzero include/linux/mm.h:1033 [inline]
 folio_put include/linux/mm.h:1439 [inline]
 put_page include/linux/mm.h:1509 [inline]
 extract_user_to_sg lib/scatterlist.c:1151 [inline]
 extract_iter_to_sg lib/scatterlist.c:1349 [inline]
 extract_iter_to_sg+0xe4c/0x134c lib/scatterlist.c:1339
 hash_sendmsg+0x23c/0xf78 crypto/algif_hash.c:119
 sock_sendmsg_nosec net/socket.c:725 [inline]
 sock_sendmsg+0xc8/0x168 net/socket.c:748
 sock_write_iter+0x1cc/0x300 net/socket.c:1129
 call_write_iter include/linux/fs.h:1877 [inline]
 new_sync_write fs/read_write.c:491 [inline]
 vfs_write+0x56c/0x74c fs/read_write.c:584
 ksys_write+0x190/0x1dc fs/read_write.c:637
 __do_sys_write fs/read_write.c:649 [inline]
 __se_sys_write fs/read_write.c:646 [inline]
 __arm64_sys_write+0x6c/0x9c fs/read_write.c:646
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x6c/0x258 arch/arm64/kernel/syscall.c:52
 el0_svc_common.constprop.0+0xc4/0x244 arch/arm64/kernel/syscall.c:139
 do_el0_svc_compat+0x40/0x70 arch/arm64/kernel/syscall.c:194
 el0_svc_compat+0x4c/0x134 arch/arm64/kernel/entry-common.c:786
 el0t_32_sync_handler+0x98/0x13c arch/arm64/kernel/entry-common.c:796
 el0t_32_sync+0x194/0x198 arch/arm64/kernel/entry.S:596
Code: 91058021 aa1a03e0 91028021 97d6da7f (d4210000) 
---[ end trace 0000000000000000 ]---