BUG: Bad page state in process syz.2.1806 pfn:ab652 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000002b6529b0 pfn:0xab652 flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: ff6000002b6529b0 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942768126800, free_ts 6922500215400 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 16342 tgid 16342 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __free_pages+0x13c/0x1bc mm/page_alloc.c:4820 vfree+0x1b6/0xc88 mm/vmalloc.c:3361 delayed_vfree_work+0x58/0x7a mm/vmalloc.c:3282 process_one_work+0x956/0x1dae kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x5be/0xdc6 kernel/workqueue.c:3391 kthread+0x28c/0x3a6 kernel/kthread.c:389 ret_from_fork+0xe/0x18 arch/riscv/kernel/entry.S:326 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Not tainted 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:ae2f7 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0xae2f7 flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942768005500, free_ts 6922668954700 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 24 tgid 24 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __folio_put+0x1ae/0x22e mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0xce/0x144 kernel/softirq.c:919 smpboot_thread_fn+0x654/0xb98 kernel/smpboot.c:164 kthread+0x28c/0x3a6 kernel/kthread.c:389 ret_from_fork+0xe/0x18 arch/riscv/kernel/entry.S:326 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:ae2f6 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000002e2f6600 pfn:0xae2f6 flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: ff6000002e2f6600 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942767887000, free_ts 6922912620400 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 18905 tgid 18905 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __free_pages+0x13c/0x1bc mm/page_alloc.c:4820 free_pages.part.0+0x26a/0x4cc mm/page_alloc.c:4833 free_pages+0xe/0x18 mm/page_alloc.c:4830 tlb_batch_list_free mm/mmu_gather.c:159 [inline] tlb_finish_mmu+0x20c/0x7e6 mm/mmu_gather.c:468 exit_mmap+0x36c/0xbea mm/mmap.c:1877 __mmput kernel/fork.c:1347 [inline] mmput+0x122/0x3e2 kernel/fork.c:1369 exit_mm kernel/exit.c:571 [inline] do_exit+0x902/0x2986 kernel/exit.c:926 do_group_exit+0xd4/0x26c kernel/exit.c:1088 __do_sys_exit_group kernel/exit.c:1099 [inline] __se_sys_exit_group kernel/exit.c:1097 [inline] __riscv_sys_exit_group+0x4a/0x54 kernel/exit.c:1097 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:98b0f page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x98b0f flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: 0000000000000000 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942767768400, free_ts 6922499537000 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 16342 tgid 16342 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __free_pages+0x13c/0x1bc mm/page_alloc.c:4820 vfree+0x1b6/0xc88 mm/vmalloc.c:3361 delayed_vfree_work+0x58/0x7a mm/vmalloc.c:3282 process_one_work+0x956/0x1dae kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x5be/0xdc6 kernel/workqueue.c:3391 kthread+0x28c/0x3a6 kernel/kthread.c:389 ret_from_fork+0xe/0x18 arch/riscv/kernel/entry.S:326 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:98b0e page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x98b0e flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: 0000000000000000 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942767649200, free_ts 6922935139100 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 18907 tgid 18901 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __folio_put+0x1ae/0x22e mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554 __do_softirq kernel/softirq.c:588 [inline] invoke_softirq kernel/softirq.c:428 [inline] __irq_exit_rcu+0x188/0x372 kernel/softirq.c:637 irq_exit_rcu+0x10/0xf8 kernel/softirq.c:649 handle_riscv_irq+0x40/0x4c arch/riscv/kernel/traps.c:378 call_on_irq_stack+0x32/0x40 arch/riscv/kernel/entry.S:355 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:9aa97 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9aa97 flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: 0000000000000000 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942767531800, free_ts 6922937997000 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 18907 tgid 18901 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __folio_put+0x1ae/0x22e mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554 __do_softirq kernel/softirq.c:588 [inline] invoke_softirq kernel/softirq.c:428 [inline] __irq_exit_rcu+0x188/0x372 kernel/softirq.c:637 irq_exit_rcu+0x10/0xf8 kernel/softirq.c:649 handle_riscv_irq+0x40/0x4c arch/riscv/kernel/traps.c:378 call_on_irq_stack+0x32/0x40 arch/riscv/kernel/entry.S:355 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:9aa96 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9aa96 flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: 0000000000000000 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942767412800, free_ts 6922933818500 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 18907 tgid 18901 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __folio_put+0x1ae/0x22e mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554 __do_softirq kernel/softirq.c:588 [inline] invoke_softirq kernel/softirq.c:428 [inline] __irq_exit_rcu+0x188/0x372 kernel/softirq.c:637 irq_exit_rcu+0x10/0xf8 kernel/softirq.c:649 handle_riscv_irq+0x40/0x4c arch/riscv/kernel/traps.c:378 call_on_irq_stack+0x32/0x40 arch/riscv/kernel/entry.S:355 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:af1f5 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xaf1f5 flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: 0000000000000000 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942767292300, free_ts 6922669162900 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 24 tgid 24 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __folio_put+0x1ae/0x22e mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0xce/0x144 kernel/softirq.c:919 smpboot_thread_fn+0x654/0xb98 kernel/smpboot.c:164 kthread+0x28c/0x3a6 kernel/kthread.c:389 ret_from_fork+0xe/0x18 arch/riscv/kernel/entry.S:326 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:af1f4 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000002f1f4f50 pfn:0xaf1f4 flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: ff6000002f1f4f50 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942767168100, free_ts 6922942911100 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 18907 tgid 18901 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __folio_put+0x1ae/0x22e mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554 __do_softirq kernel/softirq.c:588 [inline] invoke_softirq kernel/softirq.c:428 [inline] __irq_exit_rcu+0x188/0x372 kernel/softirq.c:637 irq_exit_rcu+0x10/0xf8 kernel/softirq.c:649 handle_riscv_irq+0x40/0x4c arch/riscv/kernel/traps.c:378 call_on_irq_stack+0x32/0x40 arch/riscv/kernel/entry.S:355 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:aea9d page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0xaea9d flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942767048800, free_ts 6922912807500 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 18905 tgid 18905 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __free_pages+0x13c/0x1bc mm/page_alloc.c:4820 free_pages.part.0+0x26a/0x4cc mm/page_alloc.c:4833 free_pages+0xe/0x18 mm/page_alloc.c:4830 tlb_batch_list_free mm/mmu_gather.c:159 [inline] tlb_finish_mmu+0x20c/0x7e6 mm/mmu_gather.c:468 exit_mmap+0x36c/0xbea mm/mmap.c:1877 __mmput kernel/fork.c:1347 [inline] mmput+0x122/0x3e2 kernel/fork.c:1369 exit_mm kernel/exit.c:571 [inline] do_exit+0x902/0x2986 kernel/exit.c:926 do_group_exit+0xd4/0x26c kernel/exit.c:1088 __do_sys_exit_group kernel/exit.c:1099 [inline] __se_sys_exit_group kernel/exit.c:1097 [inline] __riscv_sys_exit_group+0x4a/0x54 kernel/exit.c:1097 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:aea9c page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000002ea9de00 pfn:0xaea9c flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: ff6000002ea9de00 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942766928100, free_ts 6923527240100 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 18907 tgid 18901 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __free_pages+0x13c/0x1bc mm/page_alloc.c:4820 free_pages.part.0+0x26a/0x4cc mm/page_alloc.c:4833 free_pages+0xe/0x18 mm/page_alloc.c:4830 tlb_batch_list_free mm/mmu_gather.c:159 [inline] tlb_finish_mmu+0x20c/0x7e6 mm/mmu_gather.c:468 exit_mmap+0x36c/0xbea mm/mmap.c:1877 __mmput kernel/fork.c:1347 [inline] mmput+0x122/0x3e2 kernel/fork.c:1369 exit_mm kernel/exit.c:571 [inline] do_exit+0x902/0x2986 kernel/exit.c:926 do_group_exit+0xd4/0x26c kernel/exit.c:1088 get_signal+0x1e98/0x23b0 kernel/signal.c:2917 arch_do_signal_or_restart+0x8d6/0x1190 arch/riscv/kernel/signal.c:437 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0x2a6/0x31e kernel/entry/common.c:218 do_trap_ecall_u+0x86/0x216 arch/riscv/kernel/traps.c:345 _new_vmalloc_restore_context_a0+0xc2/0xce Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:9daad page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x4 pfn:0x9daad flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: 0000000000000004 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942766810000, free_ts 6922912977000 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 18905 tgid 18905 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __free_pages+0x13c/0x1bc mm/page_alloc.c:4820 free_pages.part.0+0x26a/0x4cc mm/page_alloc.c:4833 free_pages+0xe/0x18 mm/page_alloc.c:4830 tlb_batch_list_free mm/mmu_gather.c:159 [inline] tlb_finish_mmu+0x20c/0x7e6 mm/mmu_gather.c:468 exit_mmap+0x36c/0xbea mm/mmap.c:1877 __mmput kernel/fork.c:1347 [inline] mmput+0x122/0x3e2 kernel/fork.c:1369 exit_mm kernel/exit.c:571 [inline] do_exit+0x902/0x2986 kernel/exit.c:926 do_group_exit+0xd4/0x26c kernel/exit.c:1088 __do_sys_exit_group kernel/exit.c:1099 [inline] __se_sys_exit_group kernel/exit.c:1097 [inline] __riscv_sys_exit_group+0x4a/0x54 kernel/exit.c:1097 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:9daac page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000001daacdc0 pfn:0x9daac flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: ff6000001daacdc0 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942766691000, free_ts 6923527489100 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 18907 tgid 18901 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __free_pages+0x13c/0x1bc mm/page_alloc.c:4820 free_pages.part.0+0x26a/0x4cc mm/page_alloc.c:4833 free_pages+0xe/0x18 mm/page_alloc.c:4830 tlb_batch_list_free mm/mmu_gather.c:159 [inline] tlb_finish_mmu+0x20c/0x7e6 mm/mmu_gather.c:468 exit_mmap+0x36c/0xbea mm/mmap.c:1877 __mmput kernel/fork.c:1347 [inline] mmput+0x122/0x3e2 kernel/fork.c:1369 exit_mm kernel/exit.c:571 [inline] do_exit+0x902/0x2986 kernel/exit.c:926 do_group_exit+0xd4/0x26c kernel/exit.c:1088 get_signal+0x1e98/0x23b0 kernel/signal.c:2917 arch_do_signal_or_restart+0x8d6/0x1190 arch/riscv/kernel/signal.c:437 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0x2a6/0x31e kernel/entry/common.c:218 do_trap_ecall_u+0x86/0x216 arch/riscv/kernel/traps.c:345 _new_vmalloc_restore_context_a0+0xc2/0xce Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:adfff page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000002dfffc80 pfn:0xadfff flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: ff6000002dfffc80 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942766573000, free_ts 6922196654300 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 18908 tgid 18908 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __free_pages+0x13c/0x1bc mm/page_alloc.c:4820 __free_slab+0xc8/0x16e mm/slub.c:2649 free_slab+0x38/0x1ae mm/slub.c:2672 discard_slab+0x42/0x5a mm/slub.c:2678 __slab_free+0x346/0x3f6 mm/slub.c:4491 do_slab_free mm/slub.c:4532 [inline] ___cache_free+0x1a6/0x1e0 mm/slub.c:4638 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x76/0x16c mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x158/0x1ba mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x5c/0x82 mm/kasan/common.c:329 kasan_slab_alloc include/linux/kasan.h:247 [inline] slab_post_alloc_hook mm/slub.c:4086 [inline] slab_alloc_node mm/slub.c:4135 [inline] __do_kmalloc_node mm/slub.c:4264 [inline] __kmalloc_noprof+0x24a/0x4e4 mm/slub.c:4277 kmalloc_noprof include/linux/slab.h:882 [inline] tomoyo_realpath_from_path+0xb8/0x64a security/tomoyo/realpath.c:251 tomoyo_get_realpath security/tomoyo/file.c:151 [inline] tomoyo_path_perm+0x28e/0x45e security/tomoyo/file.c:822 tomoyo_inode_getattr+0x1e/0x28 security/tomoyo/hooks.h:97 security_inode_getattr+0x12a/0x2fe security/security.c:2371 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:adffe page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000002dfffc00 pfn:0xadffe flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: ff6000002dfffc00 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942766452800, free_ts 6923544377300 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 18388 tgid 18388 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __folio_put+0x1ae/0x22e mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554 __do_softirq kernel/softirq.c:588 [inline] invoke_softirq kernel/softirq.c:428 [inline] __irq_exit_rcu+0x188/0x372 kernel/softirq.c:637 irq_exit_rcu+0x10/0xf8 kernel/softirq.c:649 handle_riscv_irq+0x40/0x4c arch/riscv/kernel/traps.c:378 call_on_irq_stack+0x32/0x40 arch/riscv/kernel/entry.S:355 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:ace27 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xace27 flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: 0000000000000000 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942766332200, free_ts 6922499651500 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 16342 tgid 16342 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __free_pages+0x13c/0x1bc mm/page_alloc.c:4820 vfree+0x1b6/0xc88 mm/vmalloc.c:3361 delayed_vfree_work+0x58/0x7a mm/vmalloc.c:3282 process_one_work+0x956/0x1dae kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x5be/0xdc6 kernel/workqueue.c:3391 kthread+0x28c/0x3a6 kernel/kthread.c:389 ret_from_fork+0xe/0x18 arch/riscv/kernel/entry.S:326 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:ace26 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xace26 flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: 0000000000000000 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942766201400, free_ts 6923545200600 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 18388 tgid 18388 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __folio_put+0x1ae/0x22e mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554 __do_softirq kernel/softirq.c:588 [inline] invoke_softirq kernel/softirq.c:428 [inline] __irq_exit_rcu+0x188/0x372 kernel/softirq.c:637 irq_exit_rcu+0x10/0xf8 kernel/softirq.c:649 handle_riscv_irq+0x40/0x4c arch/riscv/kernel/traps.c:378 call_on_irq_stack+0x32/0x40 arch/riscv/kernel/entry.S:355 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:9dec5 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x4 pfn:0x9dec5 flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: 0000000000000004 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942766075600, free_ts 6923546529800 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 18388 tgid 18388 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __folio_put+0x1ae/0x22e mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554 __do_softirq kernel/softirq.c:588 [inline] invoke_softirq kernel/softirq.c:428 [inline] __irq_exit_rcu+0x188/0x372 kernel/softirq.c:637 irq_exit_rcu+0x10/0xf8 kernel/softirq.c:649 handle_riscv_irq+0x40/0x4c arch/riscv/kernel/traps.c:378 call_on_irq_stack+0x32/0x40 arch/riscv/kernel/entry.S:355 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:9dec4 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000001dec5080 pfn:0x9dec4 flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: ff6000001dec5080 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942765929200, free_ts 6923547349200 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 18388 tgid 18388 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __folio_put+0x1ae/0x22e mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554 __do_softirq kernel/softirq.c:588 [inline] invoke_softirq kernel/softirq.c:428 [inline] __irq_exit_rcu+0x188/0x372 kernel/softirq.c:637 irq_exit_rcu+0x10/0xf8 kernel/softirq.c:649 handle_riscv_irq+0x40/0x4c arch/riscv/kernel/traps.c:378 call_on_irq_stack+0x32/0x40 arch/riscv/kernel/entry.S:355 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:9d607 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000001d6079b0 pfn:0x9d607 flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: ff6000001d6079b0 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942765812300, free_ts 6925915629200 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 18910 tgid 18910 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __folio_put+0x1ae/0x22e mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554 __do_softirq kernel/softirq.c:588 [inline] invoke_softirq kernel/softirq.c:428 [inline] __irq_exit_rcu+0x188/0x372 kernel/softirq.c:637 irq_exit_rcu+0x10/0xf8 kernel/softirq.c:649 handle_riscv_irq+0x40/0x4c arch/riscv/kernel/traps.c:378 call_on_irq_stack+0x32/0x40 arch/riscv/kernel/entry.S:355 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:9d606 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000001d606440 pfn:0x9d606 flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: ff6000001d606440 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942765695000, free_ts 6922499989500 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 16342 tgid 16342 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __free_pages+0x13c/0x1bc mm/page_alloc.c:4820 vfree+0x1b6/0xc88 mm/vmalloc.c:3361 delayed_vfree_work+0x58/0x7a mm/vmalloc.c:3282 process_one_work+0x956/0x1dae kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x5be/0xdc6 kernel/workqueue.c:3391 kthread+0x28c/0x3a6 kernel/kthread.c:389 ret_from_fork+0xe/0x18 arch/riscv/kernel/entry.S:326 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:a8ee9 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff60000000000002 pfn:0xa8ee9 flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: ff60000000000002 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942765575900, free_ts 6925948942300 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 17001 tgid 17001 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __free_pages+0x13c/0x1bc mm/page_alloc.c:4820 vfree+0x1b6/0xc88 mm/vmalloc.c:3361 copy_entries_to_user net/ipv6/netfilter/ip6_tables.c:882 [inline] get_entries net/ipv6/netfilter/ip6_tables.c:1039 [inline] do_ip6t_get_ctl+0x76c/0x91e net/ipv6/netfilter/ip6_tables.c:1677 nf_getsockopt+0x6e/0xd2 net/netfilter/nf_sockopt.c:116 ipv6_getsockopt+0x240/0x2ce net/ipv6/ipv6_sockglue.c:1493 tcp_getsockopt+0x84/0xd6 net/ipv4/tcp.c:4670 sock_common_getsockopt+0x86/0xb8 net/core/sock.c:3776 do_sock_getsockopt+0x37a/0x5ea net/socket.c:2391 __sys_getsockopt+0x100/0x1b6 net/socket.c:2420 __do_sys_getsockopt net/socket.c:2430 [inline] __se_sys_getsockopt net/socket.c:2427 [inline] __riscv_sys_getsockopt+0xa6/0x114 net/socket.c:2427 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:a8ee8 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff60000028ee9e00 pfn:0xa8ee8 flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: ff60000028ee9e00 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942765458100, free_ts 6922940797600 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 18907 tgid 18901 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __folio_put+0x1ae/0x22e mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554 __do_softirq kernel/softirq.c:588 [inline] invoke_softirq kernel/softirq.c:428 [inline] __irq_exit_rcu+0x188/0x372 kernel/softirq.c:637 irq_exit_rcu+0x10/0xf8 kernel/softirq.c:649 handle_riscv_irq+0x40/0x4c arch/riscv/kernel/traps.c:378 call_on_irq_stack+0x32/0x40 arch/riscv/kernel/entry.S:355 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:a9217 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0xa9217 flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942765338600, free_ts 6933702538200 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 18388 tgid 18388 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __folio_put+0x1ae/0x22e mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554 __do_softirq kernel/softirq.c:588 [inline] invoke_softirq kernel/softirq.c:428 [inline] __irq_exit_rcu+0x188/0x372 kernel/softirq.c:637 irq_exit_rcu+0x10/0xf8 kernel/softirq.c:649 handle_riscv_irq+0x40/0x4c arch/riscv/kernel/traps.c:378 call_on_irq_stack+0x32/0x40 arch/riscv/kernel/entry.S:355 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:a9216 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff60000029217e00 pfn:0xa9216 flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: ff60000029217e00 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942765211900, free_ts 6935903750800 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 18891 tgid 18891 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __folio_put+0x1ae/0x22e mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554 __do_softirq kernel/softirq.c:588 [inline] invoke_softirq kernel/softirq.c:428 [inline] __irq_exit_rcu+0x188/0x372 kernel/softirq.c:637 irq_exit_rcu+0x10/0xf8 kernel/softirq.c:649 handle_riscv_irq+0x40/0x4c arch/riscv/kernel/traps.c:378 call_on_irq_stack+0x32/0x40 arch/riscv/kernel/entry.S:355 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:9aa93 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0x9aa93 flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942765092800, free_ts 6932779102600 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 18939 tgid 18939 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __free_pages+0x13c/0x1bc mm/page_alloc.c:4820 __free_slab+0xc8/0x16e mm/slub.c:2649 free_slab+0x38/0x1ae mm/slub.c:2672 discard_slab+0x42/0x5a mm/slub.c:2678 __slab_free+0x346/0x3f6 mm/slub.c:4491 do_slab_free mm/slub.c:4532 [inline] ___cache_free+0x1a6/0x1e0 mm/slub.c:4638 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x76/0x16c mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x158/0x1ba mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x5c/0x82 mm/kasan/common.c:329 kasan_slab_alloc include/linux/kasan.h:247 [inline] slab_post_alloc_hook mm/slub.c:4086 [inline] slab_alloc_node mm/slub.c:4135 [inline] __do_kmalloc_node mm/slub.c:4264 [inline] __kmalloc_node_noprof+0x232/0x522 mm/slub.c:4271 kmalloc_node_noprof include/linux/slab.h:905 [inline] __vmalloc_area_node mm/vmalloc.c:3624 [inline] __vmalloc_node_range_noprof+0x36e/0x1450 mm/vmalloc.c:3828 alloc_thread_stack_node kernel/fork.c:314 [inline] dup_task_struct kernel/fork.c:1115 [inline] copy_process+0x365c/0x8e32 kernel/fork.c:2206 kernel_clone+0x11e/0x92c kernel/fork.c:2787 __do_sys_clone+0xe4/0x118 kernel/fork.c:2930 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:9aa92 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000001aa93e00 pfn:0x9aa92 flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: ff6000001aa93e00 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942764968900, free_ts 6932779102600 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 18939 tgid 18939 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __free_pages+0x13c/0x1bc mm/page_alloc.c:4820 __free_slab+0xc8/0x16e mm/slub.c:2649 free_slab+0x38/0x1ae mm/slub.c:2672 discard_slab+0x42/0x5a mm/slub.c:2678 __slab_free+0x346/0x3f6 mm/slub.c:4491 do_slab_free mm/slub.c:4532 [inline] ___cache_free+0x1a6/0x1e0 mm/slub.c:4638 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x76/0x16c mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x158/0x1ba mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x5c/0x82 mm/kasan/common.c:329 kasan_slab_alloc include/linux/kasan.h:247 [inline] slab_post_alloc_hook mm/slub.c:4086 [inline] slab_alloc_node mm/slub.c:4135 [inline] __do_kmalloc_node mm/slub.c:4264 [inline] __kmalloc_node_noprof+0x232/0x522 mm/slub.c:4271 kmalloc_node_noprof include/linux/slab.h:905 [inline] __vmalloc_area_node mm/vmalloc.c:3624 [inline] __vmalloc_node_range_noprof+0x36e/0x1450 mm/vmalloc.c:3828 alloc_thread_stack_node kernel/fork.c:314 [inline] dup_task_struct kernel/fork.c:1115 [inline] copy_process+0x365c/0x8e32 kernel/fork.c:2206 kernel_clone+0x11e/0x92c kernel/fork.c:2787 __do_sys_clone+0xe4/0x118 kernel/fork.c:2930 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:97efd page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0x97efd flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942764850600, free_ts 6932779866500 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 18939 tgid 18939 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __free_pages+0x13c/0x1bc mm/page_alloc.c:4820 __free_slab+0xc8/0x16e mm/slub.c:2649 free_slab+0x38/0x1ae mm/slub.c:2672 discard_slab+0x42/0x5a mm/slub.c:2678 __slab_free+0x346/0x3f6 mm/slub.c:4491 do_slab_free mm/slub.c:4532 [inline] ___cache_free+0x1a6/0x1e0 mm/slub.c:4638 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x76/0x16c mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x158/0x1ba mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x5c/0x82 mm/kasan/common.c:329 kasan_slab_alloc include/linux/kasan.h:247 [inline] slab_post_alloc_hook mm/slub.c:4086 [inline] slab_alloc_node mm/slub.c:4135 [inline] __do_kmalloc_node mm/slub.c:4264 [inline] __kmalloc_node_noprof+0x232/0x522 mm/slub.c:4271 kmalloc_node_noprof include/linux/slab.h:905 [inline] __vmalloc_area_node mm/vmalloc.c:3624 [inline] __vmalloc_node_range_noprof+0x36e/0x1450 mm/vmalloc.c:3828 alloc_thread_stack_node kernel/fork.c:314 [inline] dup_task_struct kernel/fork.c:1115 [inline] copy_process+0x365c/0x8e32 kernel/fork.c:2206 kernel_clone+0x11e/0x92c kernel/fork.c:2787 __do_sys_clone+0xe4/0x118 kernel/fork.c:2930 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:97efc page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff60000017efde00 pfn:0x97efc flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: ff60000017efde00 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942764731300, free_ts 6932779866500 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 18939 tgid 18939 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __free_pages+0x13c/0x1bc mm/page_alloc.c:4820 __free_slab+0xc8/0x16e mm/slub.c:2649 free_slab+0x38/0x1ae mm/slub.c:2672 discard_slab+0x42/0x5a mm/slub.c:2678 __slab_free+0x346/0x3f6 mm/slub.c:4491 do_slab_free mm/slub.c:4532 [inline] ___cache_free+0x1a6/0x1e0 mm/slub.c:4638 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x76/0x16c mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x158/0x1ba mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x5c/0x82 mm/kasan/common.c:329 kasan_slab_alloc include/linux/kasan.h:247 [inline] slab_post_alloc_hook mm/slub.c:4086 [inline] slab_alloc_node mm/slub.c:4135 [inline] __do_kmalloc_node mm/slub.c:4264 [inline] __kmalloc_node_noprof+0x232/0x522 mm/slub.c:4271 kmalloc_node_noprof include/linux/slab.h:905 [inline] __vmalloc_area_node mm/vmalloc.c:3624 [inline] __vmalloc_node_range_noprof+0x36e/0x1450 mm/vmalloc.c:3828 alloc_thread_stack_node kernel/fork.c:314 [inline] dup_task_struct kernel/fork.c:1115 [inline] copy_process+0x365c/0x8e32 kernel/fork.c:2206 kernel_clone+0x11e/0x92c kernel/fork.c:2787 __do_sys_clone+0xe4/0x118 kernel/fork.c:2930 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:a9e8d page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x31 pfn:0xa9e8d flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: 0000000000000031 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942764612700, free_ts 6940797167800 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 16932 tgid 16932 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __folio_put+0x1ae/0x22e mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554 __do_softirq+0x12/0x1a kernel/softirq.c:588 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:a9e8c page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x30 pfn:0xa9e8c flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: 0000000000000030 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942764495000, free_ts 6940797650600 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 16932 tgid 16932 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __folio_put+0x1ae/0x22e mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554 __do_softirq+0x12/0x1a kernel/softirq.c:588 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:ae1f3 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000002e1f3000 pfn:0xae1f3 flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: ff6000002e1f3000 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942764377100, free_ts 6940798494500 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 16932 tgid 16932 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __folio_put+0x1ae/0x22e mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554 __do_softirq+0x12/0x1a kernel/softirq.c:588 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:ae1f2 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000002e1f2dc0 pfn:0xae1f2 flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: ff6000002e1f2dc0 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942764251800, free_ts 6940303820200 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 24 tgid 24 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __folio_put+0x1ae/0x22e mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0xce/0x144 kernel/softirq.c:919 smpboot_thread_fn+0x654/0xb98 kernel/smpboot.c:164 kthread+0x28c/0x3a6 kernel/kthread.c:389 ret_from_fork+0xe/0x18 arch/riscv/kernel/entry.S:326 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:ad2e1 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000002d2e1e58 pfn:0xad2e1 flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: ff6000002d2e1e58 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942764133900, free_ts 6940798084500 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 16932 tgid 16932 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __folio_put+0x1ae/0x22e mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554 __do_softirq+0x12/0x1a kernel/softirq.c:588 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:ad2e0 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000002d2e0d90 pfn:0xad2e0 flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: ff6000002d2e0d90 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942764012100, free_ts 6940798882400 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 16932 tgid 16932 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __folio_put+0x1ae/0x22e mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554 __do_softirq+0x12/0x1a kernel/softirq.c:588 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:ac2d3 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x21 pfn:0xac2d3 flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: 0000000000000021 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942763892100, free_ts 6940802634600 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 16932 tgid 16932 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __folio_put+0x1ae/0x22e mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554 __do_softirq+0x12/0x1a kernel/softirq.c:588 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:ac2d2 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x20 pfn:0xac2d2 flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: 0000000000000020 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942763772200, free_ts 6940799262400 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 16932 tgid 16932 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __folio_put+0x1ae/0x22e mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554 __do_softirq+0x12/0x1a kernel/softirq.c:588 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:9de23 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0x9de23 flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942763651500, free_ts 6941283772200 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 3146 tgid 3146 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb+0x46/0x68 net/core/skbuff.c:1204 tcp_rcv_established+0xff2/0x2592 net/ipv4/tcp_input.c:6147 tcp_v4_do_rcv+0x68a/0xbaa net/ipv4/tcp_ipv4.c:1915 sk_backlog_rcv include/net/sock.h:1113 [inline] __release_sock+0x106/0x36e net/core/sock.c:3072 release_sock+0x5c/0x1c8 net/core/sock.c:3626 tcp_sendmsg+0x3e/0x4e net/ipv4/tcp.c:1358 inet_sendmsg+0x9c/0xda net/ipv4/af_inet.c:853 sock_sendmsg_nosec net/socket.c:729 [inline] __sock_sendmsg+0xcc/0x160 net/socket.c:744 sock_write_iter+0x2a0/0x3ba net/socket.c:1165 new_sync_write fs/read_write.c:590 [inline] vfs_write+0x4d4/0x9b4 fs/read_write.c:683 ksys_write+0x1f0/0x266 fs/read_write.c:736 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:9de22 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000001de22c00 pfn:0x9de22 flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: ff6000001de22c00 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942763526500, free_ts 6940305420800 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 24 tgid 24 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __folio_put+0x1ae/0x22e mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0xce/0x144 kernel/softirq.c:919 smpboot_thread_fn+0x654/0xb98 kernel/smpboot.c:164 kthread+0x28c/0x3a6 kernel/kthread.c:389 ret_from_fork+0xe/0x18 arch/riscv/kernel/entry.S:326 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:ac193 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2cf pfn:0xac193 flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: 00000000000002cf 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942763405400, free_ts 6941446538700 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 3146 tgid 3146 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb+0x46/0x68 net/core/skbuff.c:1204 tcp_rcv_established+0xff2/0x2592 net/ipv4/tcp_input.c:6147 tcp_v4_do_rcv+0x68a/0xbaa net/ipv4/tcp_ipv4.c:1915 sk_backlog_rcv include/net/sock.h:1113 [inline] __release_sock+0x106/0x36e net/core/sock.c:3072 release_sock+0x5c/0x1c8 net/core/sock.c:3626 tcp_sendmsg+0x3e/0x4e net/ipv4/tcp.c:1358 inet_sendmsg+0x9c/0xda net/ipv4/af_inet.c:853 sock_sendmsg_nosec net/socket.c:729 [inline] __sock_sendmsg+0xcc/0x160 net/socket.c:744 sock_write_iter+0x2a0/0x3ba net/socket.c:1165 new_sync_write fs/read_write.c:590 [inline] vfs_write+0x4d4/0x9b4 fs/read_write.c:683 ksys_write+0x1f0/0x266 fs/read_write.c:736 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:ae1f1 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000002e1f1c80 pfn:0xae1f1 flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: ff6000002e1f1c80 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942763283200, free_ts 6940813897500 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 18914 tgid 18914 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __free_pages+0x13c/0x1bc mm/page_alloc.c:4820 free_pages.part.0+0x26a/0x4cc mm/page_alloc.c:4833 free_pages+0xe/0x18 mm/page_alloc.c:4830 tlb_batch_list_free mm/mmu_gather.c:159 [inline] tlb_finish_mmu+0x20c/0x7e6 mm/mmu_gather.c:468 exit_mmap+0x36c/0xbea mm/mmap.c:1877 __mmput kernel/fork.c:1347 [inline] mmput+0x122/0x3e2 kernel/fork.c:1369 exit_mm kernel/exit.c:571 [inline] do_exit+0x902/0x2986 kernel/exit.c:926 do_group_exit+0xd4/0x26c kernel/exit.c:1088 __do_sys_exit_group kernel/exit.c:1099 [inline] __se_sys_exit_group kernel/exit.c:1097 [inline] __riscv_sys_exit_group+0x4a/0x54 kernel/exit.c:1097 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:97eff page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff60000017effc80 pfn:0x97eff flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: ff60000017effc80 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942763154100, free_ts 6940803461300 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 16932 tgid 16932 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __folio_put+0x1ae/0x22e mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554 __do_softirq+0x12/0x1a kernel/softirq.c:588 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:aaf87 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0xaaf87 flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942763030800, free_ts 6940304808900 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 24 tgid 24 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __folio_put+0x1ae/0x22e mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0xce/0x144 kernel/softirq.c:919 smpboot_thread_fn+0x654/0xb98 kernel/smpboot.c:164 kthread+0x28c/0x3a6 kernel/kthread.c:389 ret_from_fork+0xe/0x18 arch/riscv/kernel/entry.S:326 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:aaf83 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0xaaf83 flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942762892700, free_ts 6925915425900 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 18910 tgid 18910 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __folio_put+0x1ae/0x22e mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554 __do_softirq kernel/softirq.c:588 [inline] invoke_softirq kernel/softirq.c:428 [inline] __irq_exit_rcu+0x188/0x372 kernel/softirq.c:637 irq_exit_rcu+0x10/0xf8 kernel/softirq.c:649 handle_riscv_irq+0x40/0x4c arch/riscv/kernel/traps.c:378 call_on_irq_stack+0x32/0x40 arch/riscv/kernel/entry.S:355 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:ab091 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000002b091e88 pfn:0xab091 flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: ff6000002b091e88 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942762468000, free_ts 6923527716600 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 18907 tgid 18901 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __free_pages+0x13c/0x1bc mm/page_alloc.c:4820 free_pages.part.0+0x26a/0x4cc mm/page_alloc.c:4833 free_pages+0xe/0x18 mm/page_alloc.c:4830 tlb_batch_list_free mm/mmu_gather.c:159 [inline] tlb_finish_mmu+0x20c/0x7e6 mm/mmu_gather.c:468 exit_mmap+0x36c/0xbea mm/mmap.c:1877 __mmput kernel/fork.c:1347 [inline] mmput+0x122/0x3e2 kernel/fork.c:1369 exit_mm kernel/exit.c:571 [inline] do_exit+0x902/0x2986 kernel/exit.c:926 do_group_exit+0xd4/0x26c kernel/exit.c:1088 get_signal+0x1e98/0x23b0 kernel/signal.c:2917 arch_do_signal_or_restart+0x8d6/0x1190 arch/riscv/kernel/signal.c:437 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0x2a6/0x31e kernel/entry/common.c:218 do_trap_ecall_u+0x86/0x216 arch/riscv/kernel/traps.c:345 _new_vmalloc_restore_context_a0+0xc2/0xce Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:9daf5 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000001daf5dc0 pfn:0x9daf5 flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: ff6000001daf5dc0 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942762073900, free_ts 6937445753000 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 17449 tgid 17449 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __folio_put+0x1ae/0x22e mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554 __do_softirq+0x12/0x1a kernel/softirq.c:588 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:af05c page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000002f05cc98 pfn:0xaf05c flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: ff6000002f05cc98 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942761890300, free_ts 6937446318600 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 17449 tgid 17449 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __folio_put+0x1ae/0x22e mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554 __do_softirq+0x12/0x1a kernel/softirq.c:588 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:aea0c page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000002ea0c0d8 pfn:0xaea0c flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: ff6000002ea0c0d8 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942761767100, free_ts 6937446732200 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 17449 tgid 17449 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __folio_put+0x1ae/0x22e mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554 __do_softirq+0x12/0x1a kernel/softirq.c:588 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:adffd page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x4 pfn:0xadffd flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: 0000000000000004 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942761636500, free_ts 6937447140300 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 17449 tgid 17449 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __folio_put+0x1ae/0x22e mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554 __do_softirq+0x12/0x1a kernel/softirq.c:588 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:92e90 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff60000012e90000 pfn:0x92e90 flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: ff60000012e90000 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942760798600, free_ts 6937447551300 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 17449 tgid 17449 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __folio_put+0x1ae/0x22e mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554 __do_softirq+0x12/0x1a kernel/softirq.c:588 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:ad24d page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000002d24ddc0 pfn:0xad24d flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: ff6000002d24ddc0 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942760668500, free_ts 6937447952200 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 17449 tgid 17449 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __folio_put+0x1ae/0x22e mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554 __do_softirq+0x12/0x1a kernel/softirq.c:588 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:a96fe page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff600000296fe400 pfn:0xa96fe flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: ff600000296fe400 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942760546300, free_ts 6937448369400 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 17449 tgid 17449 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __folio_put+0x1ae/0x22e mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554 __do_softirq+0x12/0x1a kernel/softirq.c:588 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:a96ff page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0xa96ff flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942760419600, free_ts 6937448810500 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 17449 tgid 17449 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __folio_put+0x1ae/0x22e mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554 __do_softirq+0x12/0x1a kernel/softirq.c:588 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:ab650 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000002b6505d0 pfn:0xab650 flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: ff6000002b6505d0 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942760297400, free_ts 6937449247400 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 17449 tgid 17449 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __folio_put+0x1ae/0x22e mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554 __do_softirq+0x12/0x1a kernel/softirq.c:588 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:a0071 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff60000020071000 pfn:0xa0071 flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: ff60000020071000 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942760163400, free_ts 6937449676900 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 17449 tgid 17449 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __folio_put+0x1ae/0x22e mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554 __do_softirq+0x12/0x1a kernel/softirq.c:588 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:9dec2 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9dec2 flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: 0000000000000000 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942760037900, free_ts 6937450131300 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 17449 tgid 17449 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __folio_put+0x1ae/0x22e mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554 __do_softirq+0x12/0x1a kernel/softirq.c:588 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:9d513 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000001d513220 pfn:0x9d513 flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: ff6000001d513220 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942759913000, free_ts 6937450552800 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 17449 tgid 17449 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __folio_put+0x1ae/0x22e mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554 __do_softirq+0x12/0x1a kernel/softirq.c:588 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:adf81 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000002df81ca8 pfn:0xadf81 flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: ff6000002df81ca8 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942759792600, free_ts 6937452060400 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 17449 tgid 17449 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __folio_put+0x1ae/0x22e mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554 __do_softirq+0x12/0x1a kernel/softirq.c:588 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:acee6 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff pfn:0xacee6 flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: 00000000000000ff 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942759671900, free_ts 6937452544100 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 17449 tgid 17449 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __folio_put+0x1ae/0x22e mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554 __do_softirq+0x12/0x1a kernel/softirq.c:588 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce BUG: Bad page state in process syz.2.1806 pfn:9bcfa page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000001bcfa6c8 pfn:0x9bcfa flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000 raw: ff6000001bcfa6c8 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942759550900, free_ts 6937452958700 __set_page_owner+0xa2/0x70c mm/page_owner.c:320 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457 __alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577 page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 _new_vmalloc_restore_context_a0+0xc2/0xce page last free pid 17449 tgid 17449 stack trace: __reset_page_owner+0x8c/0x400 mm/page_owner.c:297 reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x592/0xf08 mm/page_alloc.c:2638 __folio_put+0x1ae/0x22e mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840 handle_softirqs+0x4a6/0x10de kernel/softirq.c:554 __do_softirq+0x12/0x1a kernel/softirq.c:588 Modules linked in: CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0 Tainted: [B]=BAD_PAGE Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136 [] __dump_stack lib/dump_stack.c:94 [inline] [] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120 [] dump_stack+0x1c/0x24 lib/dump_stack.c:129 [] bad_page+0x268/0x2da mm/page_alloc.c:501 [] free_page_is_bad_report mm/page_alloc.c:908 [inline] [] free_page_is_bad mm/page_alloc.c:918 [inline] [] free_pages_prepare mm/page_alloc.c:1100 [inline] [] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638 [] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971 [] skb_free_frag include/linux/skbuff.h:3399 [inline] [] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096 [] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125 [] skb_release_all net/core/skbuff.c:1190 [inline] [] __kfree_skb net/core/skbuff.c:1204 [inline] [] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242 [] kfree_skb_reason include/linux/skbuff.h:1262 [inline] [] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636 [] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737 [] __netif_receive_skb_list net/core/dev.c:5804 [inline] [] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895 [] netif_receive_skb_list net/core/dev.c:5947 [inline] [] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937 [] xdp_recv_frames net/bpf/test_run.c:279 [inline] [] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360 [] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389 [] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317 [] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline] [] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652 [] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline] [] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline] [] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739 [] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90 [] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331 [] _new_vmalloc_restore_context_a0+0xc2/0xce