BUG: Bad page state in process sshd  pfn:98e6a
page:ffffea0002639a80 refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888098e6a480 head:ffffea0002639a80 order:1 compound_mapcount:0
flags: 0xfffe0000010000(head)
raw: 00fffe0000010000 dead000000000100 dead000000000122 0000000000000000
raw: ffff888098e6a480 ffff888098e6a480 00000000ffffffff ffff88809e64e601
page dumped because: page still charged to cgroup
page->mem_cgroup:ffff88809e64e601
Modules linked in:
CPU: 0 PID: 6775 Comm: sshd Not tainted 5.8.0-rc3-next-20200703-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x18f/0x20d lib/dump_stack.c:118
 bad_page.cold+0x9c/0xbd mm/page_alloc.c:638
 check_free_page_bad mm/page_alloc.c:1094 [inline]
 check_free_page mm/page_alloc.c:1104 [inline]
 free_pages_prepare mm/page_alloc.c:1208 [inline]
 __free_pages_ok+0x52f/0xc90 mm/page_alloc.c:1471
 slab_destroy mm/slab.c:1625 [inline]
 slabs_destroy+0x89/0xc0 mm/slab.c:1641
 cache_flusharray mm/slab.c:3409 [inline]
 ___cache_free+0x516/0x750 mm/slab.c:3459
 qlink_free mm/kasan/quarantine.c:148 [inline]
 qlist_free_all+0x79/0x140 mm/kasan/quarantine.c:167
 quarantine_reduce+0x17e/0x200 mm/kasan/quarantine.c:260
 __kasan_kmalloc.constprop.0+0x9e/0xd0 mm/kasan/common.c:475
 slab_post_alloc_hook mm/slab.h:535 [inline]
 slab_alloc_node mm/slab.c:3258 [inline]
 kmem_cache_alloc_node+0x14b/0x580 mm/slab.c:3578
 __alloc_skb+0x71/0x550 net/core/skbuff.c:198
 alloc_skb_fclone include/linux/skbuff.h:1134 [inline]
 sk_stream_alloc_skb+0x109/0xc30 net/ipv4/tcp.c:884
 tcp_sendmsg_locked+0xbb7/0x2d00 net/ipv4/tcp.c:1291
 tcp_sendmsg+0x2b/0x40 net/ipv4/tcp.c:1441
 inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:814
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:672
 sock_write_iter+0x28c/0x3c0 net/socket.c:999
 call_write_iter include/linux/fs.h:1877 [inline]
 new_sync_write+0x422/0x650 fs/read_write.c:484
 __vfs_write+0xc9/0x100 fs/read_write.c:497
 vfs_write+0x268/0x5d0 fs/read_write.c:559
 ksys_write+0x1ee/0x250 fs/read_write.c:612
 do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:367
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f8654b41970
Code: Bad RIP value.
RSP: 002b:00007ffcce9c7ed8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000001794 RCX: 00007f8654b41970
RDX: 0000000000001794 RSI: 000056180d4e38ec RDI: 0000000000000003
RBP: 000056180d4bc1c0 R08: 00007ffcce9c7f90 R09: 00007ffcce9e00f0
R10: 000000000005e02a R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffcce9c7f6f R14: 000056180b58ebe7 R15: 0000000000000003
BUG: Bad page state in process sshd  pfn:12d56
page:ffffea00004b5580 refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888012d563c0 head:ffffea00004b5580 order:1 compound_mapcount:0
flags: 0xfffe0000010000(head)
raw: 00fffe0000010000 dead000000000100 dead000000000122 0000000000000000
raw: ffff888012d563c0 ffff888012d563c0 00000000ffffffff ffff8880a3256ac1
page dumped because: page still charged to cgroup
page->mem_cgroup:ffff8880a3256ac1
Modules linked in:
CPU: 0 PID: 6775 Comm: sshd Tainted: G    B             5.8.0-rc3-next-20200703-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x18f/0x20d lib/dump_stack.c:118
 bad_page.cold+0x9c/0xbd mm/page_alloc.c:638
 check_free_page_bad mm/page_alloc.c:1094 [inline]
 check_free_page mm/page_alloc.c:1104 [inline]
 free_pages_prepare mm/page_alloc.c:1208 [inline]
 __free_pages_ok+0x52f/0xc90 mm/page_alloc.c:1471
 slab_destroy mm/slab.c:1625 [inline]
 slabs_destroy+0x89/0xc0 mm/slab.c:1641
 cache_flusharray mm/slab.c:3409 [inline]
 ___cache_free+0x516/0x750 mm/slab.c:3459
 qlink_free mm/kasan/quarantine.c:148 [inline]
 qlist_free_all+0x79/0x140 mm/kasan/quarantine.c:167
 quarantine_reduce+0x17e/0x200 mm/kasan/quarantine.c:260
 __kasan_kmalloc.constprop.0+0x9e/0xd0 mm/kasan/common.c:475
 slab_post_alloc_hook mm/slab.h:535 [inline]
 slab_alloc_node mm/slab.c:3258 [inline]
 kmem_cache_alloc_node+0x14b/0x580 mm/slab.c:3578
 __alloc_skb+0x71/0x550 net/core/skbuff.c:198
 alloc_skb_fclone include/linux/skbuff.h:1134 [inline]
 sk_stream_alloc_skb+0x109/0xc30 net/ipv4/tcp.c:884
 tcp_sendmsg_locked+0xbb7/0x2d00 net/ipv4/tcp.c:1291
 tcp_sendmsg+0x2b/0x40 net/ipv4/tcp.c:1441
 inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:814
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:672
 sock_write_iter+0x28c/0x3c0 net/socket.c:999
 call_write_iter include/linux/fs.h:1877 [inline]
 new_sync_write+0x422/0x650 fs/read_write.c:484
 __vfs_write+0xc9/0x100 fs/read_write.c:497
 vfs_write+0x268/0x5d0 fs/read_write.c:559
 ksys_write+0x1ee/0x250 fs/read_write.c:612
 do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:367
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f8654b41970
Code: Bad RIP value.
RSP: 002b:00007ffcce9c7ed8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000001794 RCX: 00007f8654b41970
RDX: 0000000000001794 RSI: 000056180d4e38ec RDI: 0000000000000003
RBP: 000056180d4bc1c0 R08: 00007ffcce9c7f90 R09: 00007ffcce9e00f0
R10: 000000000005e02a R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffcce9c7f6f R14: 000056180b58ebe7 R15: 0000000000000003