BUG: Bad page state in process syz.1.613 pfn:602cb
page:ffffea000180b2c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x2f pfn:0x602cb
flags: 0xfff00000002006(referenced|uptodate|private|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000002006 ffffea0000a19788 ffffc900064a7980 0000000000000000
raw: 000000000000002f ffff8880580bb2e8 00000000ffffffff 0000000000000000
page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x140c40(GFP_NOFS|__GFP_COMP|__GFP_HARDWALL), pid 7379, tgid 7378 (syz.1.613), ts 279283889716, free_ts 277242747395
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x173/0x1a0 mm/page_alloc.c:2532
prep_new_page mm/page_alloc.c:2539 [inline]
get_page_from_freelist+0x1a26/0x1ac0 mm/page_alloc.c:4328
__alloc_pages+0x1df/0x4e0 mm/page_alloc.c:5614
folio_alloc+0x1c/0x60 mm/mempolicy.c:2292
filemap_alloc_folio+0xdb/0x460 mm/filemap.c:999
__filemap_get_folio+0x697/0xdd0 mm/filemap.c:1993
pagecache_get_page+0x26/0x250 mm/folio-compat.c:110
find_or_create_page include/linux/pagemap.h:646 [inline]
grab_cache_page include/linux/pagemap.h:778 [inline]
__get_metapage+0x2a4/0xfa0 fs/jfs/jfs_metapage.c:613
diNewExt+0x9eb/0x2cb0 fs/jfs/jfs_imap.c:2275
diAllocExt fs/jfs/jfs_imap.c:1952 [inline]
diAllocAG+0xde9/0x1c20 fs/jfs/jfs_imap.c:1669
diAlloc+0x1c9/0x1910 fs/jfs/jfs_imap.c:1590
ialloc+0x88/0x950 fs/jfs/jfs_inode.c:56
jfs_mkdir+0x190/0xa70 fs/jfs/namei.c:225
vfs_mkdir+0x387/0x570 fs/namei.c:4106
do_mkdirat+0x1d0/0x430 fs/namei.c:4131
__do_sys_mkdirat fs/namei.c:4146 [inline]
__se_sys_mkdirat fs/namei.c:4144 [inline]
__x64_sys_mkdirat+0x85/0x90 fs/namei.c:4144
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1459 [inline]
free_pcp_prepare mm/page_alloc.c:1509 [inline]
free_unref_page_prepare+0x8b4/0x9a0 mm/page_alloc.c:3384
free_unref_page+0x2e/0x3f0 mm/page_alloc.c:3479
free_pages mm/page_alloc.c:5714 [inline]
free_pages_exact+0x65/0x70 mm/page_alloc.c:5933
snd_pcm_detach_substream+0xbf/0x2a0 sound/core/pcm.c:997
snd_pcm_release+0xb5/0x150 sound/core/pcm_native.c:2910
__fput+0x22c/0x920 fs/file_table.c:320
task_work_run+0x1ca/0x250 kernel/task_work.c:203
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0xe6/0x110 kernel/entry/common.c:177
exit_to_user_mode_prepare+0xee/0x180 kernel/entry/common.c:210
__syscall_exit_to_user_mode_work kernel/entry/common.c:292 [inline]
syscall_exit_to_user_mode+0x16/0x40 kernel/entry/common.c:303
do_syscall_64+0x58/0xa0 arch/x86/entry/common.c:87
entry_SYSCALL_64_after_hwframe+0x68/0xd2
Modules linked in:
CPU: 1 PID: 7395 Comm: syz.1.613 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
Call Trace:
dump_stack_lvl+0x168/0x22e lib/dump_stack.c:106
bad_page+0x14b/0x170 mm/page_alloc.c:699
free_page_is_bad mm/page_alloc.c:1291 [inline]
free_pages_prepare mm/page_alloc.c:1452 [inline]
free_pcp_prepare mm/page_alloc.c:1509 [inline]
free_unref_page_prepare+0x42a/0x9a0 mm/page_alloc.c:3384
free_unref_page_list+0xbb/0x8e0 mm/page_alloc.c:3525
release_pages+0x1f92/0x2200 mm/swap.c:1035
__pagevec_release+0x6d/0xe0 mm/swap.c:1055
pagevec_release include/linux/pagevec.h:71 [inline]
folio_batch_release include/linux/pagevec.h:135 [inline]
truncate_inode_pages_range+0x2f6/0xff0 mm/truncate.c:372
jfs_remount+0x337/0x5a0 fs/jfs/super.c:451
reconfigure_super+0x219/0x880 fs/super.c:977
do_remount fs/namespace.c:2732 [inline]
path_mount+0xdfd/0x1010 fs/namespace.c:3391
do_mount fs/namespace.c:3412 [inline]
__do_sys_mount fs/namespace.c:3620 [inline]
__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:3597
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f636399034a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f636475fe68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f636475fef0 RCX: 00007f636399034a
RDX: 0000200000000f40 RSI: 0000200000000f00 RDI: 0000000000000000
RBP: 0000200000000f40 R08: 00007f636475fef0 R09: 0000000001a4a438
R10: 0000000001a4a438 R11: 0000000000000246 R12: 0000200000000f00
R13: 00007f636475feb0 R14: 0000000000000000 R15: 0000200000000100
BUG: Bad page state in process syz.1.613 pfn:2865e
page:ffffea0000a19780 refcount:0 mapcount:0 mapping:0000000000000000 index:0x2e pfn:0x2865e
flags: 0xfff00000002006(referenced|uptodate|private|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000002006 ffffea00015f8788 ffffc900064a7980 0000000000000000
raw: 000000000000002e ffff8880580bb1f0 00000000ffffffff 0000000000000000
page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x140c40(GFP_NOFS|__GFP_COMP|__GFP_HARDWALL), pid 7379, tgid 7378 (syz.1.613), ts 279283848242, free_ts 277252679927
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x173/0x1a0 mm/page_alloc.c:2532
prep_new_page mm/page_alloc.c:2539 [inline]
get_page_from_freelist+0x1a26/0x1ac0 mm/page_alloc.c:4328
__alloc_pages+0x1df/0x4e0 mm/page_alloc.c:5614
folio_alloc+0x1c/0x60 mm/mempolicy.c:2292
filemap_alloc_folio+0xdb/0x460 mm/filemap.c:999
__filemap_get_folio+0x697/0xdd0 mm/filemap.c:1993
pagecache_get_page+0x26/0x250 mm/folio-compat.c:110
find_or_create_page include/linux/pagemap.h:646 [inline]
grab_cache_page include/linux/pagemap.h:778 [inline]
__get_metapage+0x2a4/0xfa0 fs/jfs/jfs_metapage.c:613
diNewExt+0x9eb/0x2cb0 fs/jfs/jfs_imap.c:2275
diAllocExt fs/jfs/jfs_imap.c:1952 [inline]
diAllocAG+0xde9/0x1c20 fs/jfs/jfs_imap.c:1669
diAlloc+0x1c9/0x1910 fs/jfs/jfs_imap.c:1590
ialloc+0x88/0x950 fs/jfs/jfs_inode.c:56
jfs_mkdir+0x190/0xa70 fs/jfs/namei.c:225
vfs_mkdir+0x387/0x570 fs/namei.c:4106
do_mkdirat+0x1d0/0x430 fs/namei.c:4131
__do_sys_mkdirat fs/namei.c:4146 [inline]
__se_sys_mkdirat fs/namei.c:4144 [inline]
__x64_sys_mkdirat+0x85/0x90 fs/namei.c:4144
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1459 [inline]
free_pcp_prepare mm/page_alloc.c:1509 [inline]
free_unref_page_prepare+0x8b4/0x9a0 mm/page_alloc.c:3384
free_unref_page+0x2e/0x3f0 mm/page_alloc.c:3479
qlink_free mm/kasan/quarantine.c:168 [inline]
qlist_free_all+0x76/0xe0 mm/kasan/quarantine.c:187
kasan_quarantine_reduce+0x144/0x160 mm/kasan/quarantine.c:294
__kasan_slab_alloc+0x1e/0x80 mm/kasan/common.c:305
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook+0x4b/0x480 mm/slab.h:737
slab_alloc_node mm/slub.c:3359 [inline]
__kmem_cache_alloc_node+0x140/0x260 mm/slub.c:3398
__do_kmalloc_node mm/slab_common.c:935 [inline]
__kmalloc+0xa0/0x240 mm/slab_common.c:949
kmalloc include/linux/slab.h:568 [inline]
tomoyo_realpath_from_path+0xdf/0x5d0 security/tomoyo/realpath.c:251
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_path_perm+0x1fd/0x550 security/tomoyo/file.c:822
security_inode_getattr+0xcf/0x120 security/security.c:1361
vfs_getattr+0x26/0x3a0 fs/stat.c:158
vfs_fstat fs/stat.c:183 [inline]
__do_sys_newfstat fs/stat.c:447 [inline]
__se_sys_newfstat fs/stat.c:444 [inline]
__x64_sys_newfstat+0x102/0x1c0 fs/stat.c:444
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
Modules linked in:
CPU: 1 PID: 7395 Comm: syz.1.613 Tainted: G B syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
Call Trace:
dump_stack_lvl+0x168/0x22e lib/dump_stack.c:106
bad_page+0x14b/0x170 mm/page_alloc.c:699
free_page_is_bad mm/page_alloc.c:1291 [inline]
free_pages_prepare mm/page_alloc.c:1452 [inline]
free_pcp_prepare mm/page_alloc.c:1509 [inline]
free_unref_page_prepare+0x42a/0x9a0 mm/page_alloc.c:3384
free_unref_page_list+0xbb/0x8e0 mm/page_alloc.c:3525
release_pages+0x1f92/0x2200 mm/swap.c:1035
__pagevec_release+0x6d/0xe0 mm/swap.c:1055
pagevec_release include/linux/pagevec.h:71 [inline]
folio_batch_release include/linux/pagevec.h:135 [inline]
truncate_inode_pages_range+0x2f6/0xff0 mm/truncate.c:372
jfs_remount+0x337/0x5a0 fs/jfs/super.c:451
reconfigure_super+0x219/0x880 fs/super.c:977
do_remount fs/namespace.c:2732 [inline]
path_mount+0xdfd/0x1010 fs/namespace.c:3391
do_mount fs/namespace.c:3412 [inline]
__do_sys_mount fs/namespace.c:3620 [inline]
__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:3597
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f636399034a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f636475fe68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f636475fef0 RCX: 00007f636399034a
RDX: 0000200000000f40 RSI: 0000200000000f00 RDI: 0000000000000000
RBP: 0000200000000f40 R08: 00007f636475fef0 R09: 0000000001a4a438
R10: 0000000001a4a438 R11: 0000000000000246 R12: 0000200000000f00
R13: 00007f636475feb0 R14: 0000000000000000 R15: 0000200000000100
BUG: Bad page state in process syz.1.613 pfn:57e1e
page:ffffea00015f8780 refcount:0 mapcount:0 mapping:0000000000000000 index:0x2d pfn:0x57e1e
flags: 0xfff00000002006(referenced|uptodate|private|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000002006 ffffea0000bda248 ffffc900064a7980 0000000000000000
raw: 000000000000002d ffff8880580bb0f8 00000000ffffffff 0000000000000000
page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x140c40(GFP_NOFS|__GFP_COMP|__GFP_HARDWALL), pid 7379, tgid 7378 (syz.1.613), ts 279283790880, free_ts 279278676758
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x173/0x1a0 mm/page_alloc.c:2532
prep_new_page mm/page_alloc.c:2539 [inline]
get_page_from_freelist+0x1a26/0x1ac0 mm/page_alloc.c:4328
__alloc_pages+0x1df/0x4e0 mm/page_alloc.c:5614
folio_alloc+0x1c/0x60 mm/mempolicy.c:2292
filemap_alloc_folio+0xdb/0x460 mm/filemap.c:999
__filemap_get_folio+0x697/0xdd0 mm/filemap.c:1993
pagecache_get_page+0x26/0x250 mm/folio-compat.c:110
find_or_create_page include/linux/pagemap.h:646 [inline]
grab_cache_page include/linux/pagemap.h:778 [inline]
__get_metapage+0x2a4/0xfa0 fs/jfs/jfs_metapage.c:613
diNewExt+0x9eb/0x2cb0 fs/jfs/jfs_imap.c:2275
diAllocExt fs/jfs/jfs_imap.c:1952 [inline]
diAllocAG+0xde9/0x1c20 fs/jfs/jfs_imap.c:1669
diAlloc+0x1c9/0x1910 fs/jfs/jfs_imap.c:1590
ialloc+0x88/0x950 fs/jfs/jfs_inode.c:56
jfs_mkdir+0x190/0xa70 fs/jfs/namei.c:225
vfs_mkdir+0x387/0x570 fs/namei.c:4106
do_mkdirat+0x1d0/0x430 fs/namei.c:4131
__do_sys_mkdirat fs/namei.c:4146 [inline]
__se_sys_mkdirat fs/namei.c:4144 [inline]
__x64_sys_mkdirat+0x85/0x90 fs/namei.c:4144
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1459 [inline]
free_pcp_prepare mm/page_alloc.c:1509 [inline]
free_unref_page_prepare+0x8b4/0x9a0 mm/page_alloc.c:3384
free_unref_page+0x2e/0x3f0 mm/page_alloc.c:3479
free_slab mm/slub.c:2036 [inline]
discard_slab mm/slub.c:2042 [inline]
__unfreeze_partials+0x1a5/0x200 mm/slub.c:2591
put_cpu_partial+0x17c/0x250 mm/slub.c:2667
qlink_free mm/kasan/quarantine.c:168 [inline]
qlist_free_all+0x76/0xe0 mm/kasan/quarantine.c:187
kasan_quarantine_reduce+0x144/0x160 mm/kasan/quarantine.c:294
__kasan_slab_alloc+0x1e/0x80 mm/kasan/common.c:305
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook+0x4b/0x480 mm/slab.h:737
slab_alloc_node mm/slub.c:3359 [inline]
slab_alloc mm/slub.c:3367 [inline]
__kmem_cache_alloc_lru mm/slub.c:3374 [inline]
kmem_cache_alloc+0x123/0x2f0 mm/slub.c:3383
ptlock_alloc+0x1c/0x60 mm/memory.c:6047
ptlock_init include/linux/mm.h:2426 [inline]
pgtable_pte_page_ctor include/linux/mm.h:2453 [inline]
__pte_alloc_one include/asm-generic/pgalloc.h:66 [inline]
pte_alloc_one+0xc5/0x2f0 arch/x86/mm/pgtable.c:33
__do_fault+0xd7/0x4e0 mm/memory.c:4275
do_shared_fault mm/memory.c:4686 [inline]
do_fault mm/memory.c:4764 [inline]
handle_pte_fault mm/memory.c:5031 [inline]
__handle_mm_fault mm/memory.c:5173 [inline]
handle_mm_fault+0x1a93/0x3e70 mm/memory.c:5294
do_user_addr_fault+0x51f/0xb10 arch/x86/mm/fault.c:1340
handle_page_fault arch/x86/mm/fault.c:1431 [inline]
exc_page_fault+0x60/0x100 arch/x86/mm/fault.c:1487
asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:608
Modules linked in:
CPU: 1 PID: 7395 Comm: syz.1.613 Tainted: G B syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
Call Trace:
dump_stack_lvl+0x168/0x22e lib/dump_stack.c:106
bad_page+0x14b/0x170 mm/page_alloc.c:699
free_page_is_bad mm/page_alloc.c:1291 [inline]
free_pages_prepare mm/page_alloc.c:1452 [inline]
free_pcp_prepare mm/page_alloc.c:1509 [inline]
free_unref_page_prepare+0x42a/0x9a0 mm/page_alloc.c:3384
free_unref_page_list+0xbb/0x8e0 mm/page_alloc.c:3525
release_pages+0x1f92/0x2200 mm/swap.c:1035
__pagevec_release+0x6d/0xe0 mm/swap.c:1055
pagevec_release include/linux/pagevec.h:71 [inline]
folio_batch_release include/linux/pagevec.h:135 [inline]
truncate_inode_pages_range+0x2f6/0xff0 mm/truncate.c:372
jfs_remount+0x337/0x5a0 fs/jfs/super.c:451
reconfigure_super+0x219/0x880 fs/super.c:977
do_remount fs/namespace.c:2732 [inline]
path_mount+0xdfd/0x1010 fs/namespace.c:3391
do_mount fs/namespace.c:3412 [inline]
__do_sys_mount fs/namespace.c:3620 [inline]
__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:3597
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f636399034a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f636475fe68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f636475fef0 RCX: 00007f636399034a
RDX: 0000200000000f40 RSI: 0000200000000f00 RDI: 0000000000000000
RBP: 0000200000000f40 R08: 00007f636475fef0 R09: 0000000001a4a438
R10: 0000000001a4a438 R11: 0000000000000246 R12: 0000200000000f00
R13: 00007f636475feb0 R14: 0000000000000000 R15: 0000200000000100