Extracting prog: 1m26.442932263s Minimizing prog: 10m20.622294069s Simplifying prog options: 0s Extracting C: 43.850345688s Simplifying C: 10m1.669469679s extracting reproducer from 1 programs testing a last program of every proc single: executing 1 programs separately with timeout 30s testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet detailed listing: executing program 0: r0 = socket$inet_tcp(0x2, 0x1, 0x0) r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000001c0)={0x6, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="180200002343ffff0000000000000000850000004100000095"], &(0x7f00000000c0)='GPL\x00', 0x0, 0x0, 0x0, 0x41000, 0x64}, 0x94) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000180)={'syz_tun\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000000)={r1, r2, 0x25, 0x4, @void}, 0x10) syz_emit_ethernet(0xfdef, &(0x7f0000000000)=ANY=[], 0x0) program crashed: BUG: Bad page state in skb_pp_cow_data single: successfully extracted reproducer found reproducer with 5 syscalls minimizing guilty program testing program (duration=37.806339451s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP detailed listing: executing program 0: r0 = socket$inet_tcp(0x2, 0x1, 0x0) r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000001c0)={0x6, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="180200002343ffff0000000000000000850000004100000095"], &(0x7f00000000c0)='GPL\x00', 0x0, 0x0, 0x0, 0x41000, 0x64}, 0x94) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000180)={'syz_tun\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000000)={r1, r2, 0x25, 0x4, @void}, 0x10) program did not crash testing program (duration=37.806339451s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-syz_emit_ethernet detailed listing: executing program 0: r0 = socket$inet_tcp(0x2, 0x1, 0x0) bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000001c0)={0x6, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="180200002343ffff0000000000000000850000004100000095"], &(0x7f00000000c0)='GPL\x00', 0x0, 0x0, 0x0, 0x41000, 0x64}, 0x94) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000180)={'syz_tun\x00'}) syz_emit_ethernet(0xfdef, &(0x7f0000000000)=ANY=[], 0x0) program did not crash testing program (duration=37.806339451s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet detailed listing: executing program 0: socket$inet_tcp(0x2, 0x1, 0x0) r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000001c0)={0x6, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="180200002343ffff0000000000000000850000004100000095"], &(0x7f00000000c0)='GPL\x00', 0x0, 0x0, 0x0, 0x41000, 0x64}, 0x94) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000000)={r0, 0x0, 0x25, 0x4, @void}, 0x10) syz_emit_ethernet(0xfdef, &(0x7f0000000000)=ANY=[], 0x0) program crashed: lost connection to test machine ignore low priority crash: lost connection to test machine testing program (duration=37.806339451s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet detailed listing: executing program 0: r0 = socket$inet_tcp(0x2, 0x1, 0x0) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000180)={'syz_tun\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000000)={0xffffffffffffffff, r1, 0x25, 0x4, @void}, 0x10) syz_emit_ethernet(0xfdef, &(0x7f0000000000)=ANY=[], 0x0) program crashed: lost connection to test machine ignore low priority crash: lost connection to test machine testing program (duration=37.806339451s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet detailed listing: executing program 0: r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000001c0)={0x6, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="180200002343ffff0000000000000000850000004100000095"], &(0x7f00000000c0)='GPL\x00', 0x0, 0x0, 0x0, 0x41000, 0x64}, 0x94) ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, &(0x7f0000000180)={'syz_tun\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000000)={r0, r1, 0x25, 0x4, @void}, 0x10) syz_emit_ethernet(0xfdef, &(0x7f0000000000)=ANY=[], 0x0) program did not crash testing program (duration=37.806339451s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet detailed listing: executing program 0: r0 = socket$inet_tcp(0x2, 0x1, 0x0) r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, 0x0, 0x0) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000180)={'syz_tun\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000000)={r1, r2, 0x25, 0x4, @void}, 0x10) syz_emit_ethernet(0xfdef, &(0x7f0000000000)=ANY=[], 0x0) program did not crash testing program (duration=37.806339451s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet detailed listing: executing program 0: r0 = socket$inet_tcp(0x2, 0x1, 0x0) r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000001c0)={0x6, 0x4, 0x0, &(0x7f00000000c0)='GPL\x00', 0x0, 0x0, 0x0, 0x41000, 0x64}, 0x94) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000180)={'syz_tun\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000000)={r1, r2, 0x25, 0x4, @void}, 0x10) syz_emit_ethernet(0xfdef, &(0x7f0000000000)=ANY=[], 0x0) program did not crash testing program (duration=37.806339451s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet detailed listing: executing program 0: r0 = socket$inet_tcp(0x2, 0x1, 0x0) r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000001c0)={0x6, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB], &(0x7f00000000c0)='GPL\x00', 0x0, 0x0, 0x0, 0x41000, 0x64}, 0x94) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000180)={'syz_tun\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000000)={r1, r2, 0x25, 0x4, @void}, 0x10) syz_emit_ethernet(0xfdef, &(0x7f0000000000)=ANY=[], 0x0) program crashed: lost connection to test machine ignore low priority crash: lost connection to test machine testing program (duration=37.806339451s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet detailed listing: executing program 0: r0 = socket$inet_tcp(0x2, 0x1, 0x0) r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000001c0)={0x6, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="180200002343ffff0000000000000000850000004100000095"], 0x0, 0x0, 0x0, 0x0, 0x41000, 0x64}, 0x94) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000180)={'syz_tun\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000000)={r1, r2, 0x25, 0x4, @void}, 0x10) syz_emit_ethernet(0xfdef, &(0x7f0000000000)=ANY=[], 0x0) program crashed: lost connection to test machine ignore low priority crash: lost connection to test machine testing program (duration=37.806339451s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet detailed listing: executing program 0: r0 = socket$inet_tcp(0x2, 0x1, 0x0) r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000001c0)={0x6, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="180200002343ffff0000000000000000850000004100000095"], &(0x7f00000000c0)='GPL\x00', 0x0, 0x0, 0x0, 0x41000, 0x64}, 0x94) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, 0x0) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000000)={r1, 0x0, 0x25, 0x4, @void}, 0x10) syz_emit_ethernet(0xfdef, &(0x7f0000000000)=ANY=[], 0x0) program did not crash testing program (duration=37.806339451s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet detailed listing: executing program 0: r0 = socket$inet_tcp(0x2, 0x1, 0x0) bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000001c0)={0x6, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="180200002343ffff0000000000000000850000004100000095"], &(0x7f00000000c0)='GPL\x00', 0x0, 0x0, 0x0, 0x41000, 0x64}, 0x94) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000180)={'syz_tun\x00'}) bpf$BPF_LINK_CREATE_XDP(0x1c, 0x0, 0x0) syz_emit_ethernet(0xfdef, &(0x7f0000000000)=ANY=[], 0x0) program did not crash testing program (duration=37.806339451s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet detailed listing: executing program 0: r0 = socket$inet_tcp(0x2, 0x1, 0x0) r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000001c0)={0x6, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="180200002343ffff0000000000000000850000004100000095"], &(0x7f00000000c0)='GPL\x00', 0x0, 0x0, 0x0, 0x41000, 0x64}, 0x94) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000180)={'syz_tun\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000000)={r1, r2, 0x25, 0x4, @void}, 0x10) syz_emit_ethernet(0xfdef, 0x0, 0x0) program crashed: lost connection to test machine ignore low priority crash: lost connection to test machine extracting C reproducer testing compiled C program (duration=37.806339451s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet program crashed: BUG: Bad page state in skb_pp_cow_data simplifying C reproducer testing compiled C program (duration=37.806339451s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet program crashed: BUG: Bad page state in skb_pp_cow_data testing compiled C program (duration=37.806339451s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet program crashed: BUG: Bad page state in skb_pp_cow_data testing compiled C program (duration=37.806339451s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet program did not crash testing compiled C program (duration=37.806339451s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet program did not crash testing compiled C program (duration=37.806339451s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet program crashed: BUG: Bad page state in skb_pp_cow_data testing compiled C program (duration=37.806339451s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet program did not crash testing compiled C program (duration=37.806339451s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet program crashed: BUG: Bad page state in skb_pp_cow_data testing compiled C program (duration=37.806339451s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet program did not crash testing compiled C program (duration=37.806339451s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet program crashed: BUG: Bad page state in skb_pp_cow_data testing compiled C program (duration=37.806339451s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet program crashed: BUG: Bad page state in skb_pp_cow_data testing compiled C program (duration=37.806339451s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet program crashed: BUG: Bad page state in skb_pp_cow_data testing compiled C program (duration=37.806339451s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:false HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet program crashed: BUG: Bad page state in skb_pp_cow_data testing compiled C program (duration=37.806339451s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet program crashed: BUG: Bad page state in skb_pp_cow_data testing compiled C program (duration=37.806339451s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:true UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet program did not crash testing compiled C program (duration=37.806339451s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet program crashed: BUG: Bad page state in skb_pp_cow_data testing program (duration=37.806339451s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet detailed listing: executing program 0: r0 = socket$inet_tcp(0x2, 0x1, 0x0) r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000001c0)={0x6, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="180200002343ffff0000000000000000850000004100000095"], &(0x7f00000000c0)='GPL\x00', 0x0, 0x0, 0x0, 0x41000, 0x64}, 0x94) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000180)={'syz_tun\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000000)={r1, r2, 0x25, 0x4, @void}, 0x10) syz_emit_ethernet(0xfdef, &(0x7f0000000000)=ANY=[], 0x0) program did not crash validation run: crashed=false testing program (duration=37.806339451s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet detailed listing: executing program 0: r0 = socket$inet_tcp(0x2, 0x1, 0x0) r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000001c0)={0x6, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="180200002343ffff0000000000000000850000004100000095"], &(0x7f00000000c0)='GPL\x00', 0x0, 0x0, 0x0, 0x41000, 0x64}, 0x94) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000180)={'syz_tun\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000000)={r1, r2, 0x25, 0x4, @void}, 0x10) syz_emit_ethernet(0xfdef, &(0x7f0000000000)=ANY=[], 0x0) program crashed: BUG: Bad page state in skb_pp_cow_data validation run: crashed=true testing program (duration=37.806339451s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet detailed listing: executing program 0: r0 = socket$inet_tcp(0x2, 0x1, 0x0) r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000001c0)={0x6, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="180200002343ffff0000000000000000850000004100000095"], &(0x7f00000000c0)='GPL\x00', 0x0, 0x0, 0x0, 0x41000, 0x64}, 0x94) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000180)={'syz_tun\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000000)={r1, r2, 0x25, 0x4, @void}, 0x10) syz_emit_ethernet(0xfdef, &(0x7f0000000000)=ANY=[], 0x0) program crashed: BUG: Bad page state in skb_pp_cow_data validation run: crashed=true testing program (duration=37.806339451s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet detailed listing: executing program 0: r0 = socket$inet_tcp(0x2, 0x1, 0x0) r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000001c0)={0x6, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="180200002343ffff0000000000000000850000004100000095"], &(0x7f00000000c0)='GPL\x00', 0x0, 0x0, 0x0, 0x41000, 0x64}, 0x94) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000180)={'syz_tun\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000000)={r1, r2, 0x25, 0x4, @void}, 0x10) syz_emit_ethernet(0xfdef, &(0x7f0000000000)=ANY=[], 0x0) program crashed: lost connection to test machine ignore low priority crash: lost connection to test machine validation run: crashed=false testing program (duration=37.806339451s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet detailed listing: executing program 0: r0 = socket$inet_tcp(0x2, 0x1, 0x0) r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000001c0)={0x6, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="180200002343ffff0000000000000000850000004100000095"], &(0x7f00000000c0)='GPL\x00', 0x0, 0x0, 0x0, 0x41000, 0x64}, 0x94) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000180)={'syz_tun\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000000)={r1, r2, 0x25, 0x4, @void}, 0x10) syz_emit_ethernet(0xfdef, &(0x7f0000000000)=ANY=[], 0x0) program crashed: BUG: Bad page state in skb_pp_cow_data validation run: crashed=true reproducing took 26m33.513120337s repro crashed as (corrupted=false): BUG: Bad page state in process syz.0.17 pfn:5abcf page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5abcf flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888023212000 0000000000000000 raw: 0000000000000000 3fffffffffffffff 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5922, tgid 5922 (syz.0.17), ts 72252831745, free_ts 71561376239 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xfd/0x120 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x11a6/0x3410 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x27c/0x2bc0 mm/page_alloc.c:5221 __alloc_pages_noprof mm/page_alloc.c:5255 [inline] alloc_pages_bulk_noprof+0x649/0x1360 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x1c6/0xa60 net/core/page_pool.c:621 page_pool_alloc_netmems net/core/page_pool.c:672 [inline] page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:659 page_pool_alloc_frag_netmem+0x21d/0xa00 net/core/page_pool.c:1081 page_pool_alloc_netmem include/net/page_pool/helpers.h:131 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0x5a7/0x1220 net/core/skbuff.c:982 skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1016 netif_skb_check_for_xdp net/core/dev.c:5557 [inline] netif_receive_generic_xdp net/core/dev.c:5598 [inline] do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 28 tgid 28 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0x794/0x10a0 mm/page_alloc.c:2938 __pagetable_free include/linux/mm.h:3661 [inline] pagetable_free include/linux/mm.h:3685 [inline] pagetable_dtor_free include/linux/mm.h:3784 [inline] __tlb_remove_table include/asm-generic/tlb.h:221 [inline] __tlb_remove_table_free mm/mmu_gather.c:228 [inline] tlb_remove_table_rcu+0x2cf/0x380 mm/mmu_gather.c:291 rcu_do_batch kernel/rcu/tree.c:2617 [inline] rcu_core+0x5a2/0x10d0 kernel/rcu/tree.c:2869 handle_softirqs+0x1ea/0xa00 kernel/softirq.c:622 run_ksoftirqd kernel/softirq.c:1076 [inline] run_ksoftirqd+0x38/0x60 kernel/softirq.c:1068 smpboot_thread_fn+0x3d3/0xaa0 kernel/smpboot.c:160 kthread+0x370/0x450 kernel/kthread.c:436 ret_from_fork+0x72b/0xd50 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Modules linked in: CPU: 1 UID: 0 PID: 5922 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120 bad_page.cold+0xbe/0xdf mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] free_page_is_bad mm/page_alloc.c:1070 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0x7d6/0x10a0 mm/page_alloc.c:2938 page_frag_free+0x199/0x1f0 mm/page_frag_cache.c:169 __xdp_return+0x3b6/0x990 net/core/xdp.c:448 bpf_xdp_shrink_data net/core/filter.c:4220 [inline] bpf_xdp_frags_shrink_tail net/core/filter.c:4244 [inline] ____bpf_xdp_adjust_tail net/core/filter.c:4266 [inline] bpf_xdp_adjust_tail+0x8a1/0xbb0 net/core/filter.c:4259 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x614/0x1610 net/core/dev.c:5488 netif_receive_generic_xdp net/core/dev.c:5604 [inline] do_xdp_generic+0x92e/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7efc12f5d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe9dd61d38 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055555e953500 RCX: 00007efc12f5d68e RDX: 000000000000fdef RSI: 0000200000000000 RDI: 00000000000000c8 RBP: 00007efc13032d6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007efc13215fac R14: 00007efc13215fa0 R15: 00007efc13215fa0 BUG: Bad page state in process syz.0.17 pfn:22397 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888000000000 pfn:0x22397 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888023212000 0000000000000000 raw: ffff888000000000 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5922, tgid 5922 (syz.0.17), ts 72252819304, free_ts 71561384999 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xfd/0x120 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x11a6/0x3410 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x27c/0x2bc0 mm/page_alloc.c:5221 __alloc_pages_noprof mm/page_alloc.c:5255 [inline] alloc_pages_bulk_noprof+0x649/0x1360 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x1c6/0xa60 net/core/page_pool.c:621 page_pool_alloc_netmems net/core/page_pool.c:672 [inline] page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:659 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0xa15/0x1220 net/core/skbuff.c:982 skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1016 netif_skb_check_for_xdp net/core/dev.c:5557 [inline] netif_receive_generic_xdp net/core/dev.c:5598 [inline] do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 28 tgid 28 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0x794/0x10a0 mm/page_alloc.c:2938 __pagetable_free include/linux/mm.h:3661 [inline] pagetable_free include/linux/mm.h:3685 [inline] pagetable_dtor_free include/linux/mm.h:3784 [inline] __tlb_remove_table include/asm-generic/tlb.h:221 [inline] __tlb_remove_table_free mm/mmu_gather.c:228 [inline] tlb_remove_table_rcu+0x2cf/0x380 mm/mmu_gather.c:291 rcu_do_batch kernel/rcu/tree.c:2617 [inline] rcu_core+0x5a2/0x10d0 kernel/rcu/tree.c:2869 handle_softirqs+0x1ea/0xa00 kernel/softirq.c:622 run_ksoftirqd kernel/softirq.c:1076 [inline] run_ksoftirqd+0x38/0x60 kernel/softirq.c:1068 smpboot_thread_fn+0x3d3/0xaa0 kernel/smpboot.c:160 kthread+0x370/0x450 kernel/kthread.c:436 ret_from_fork+0x72b/0xd50 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Modules linked in: CPU: 1 UID: 0 PID: 5922 Comm: syz.0.17 Tainted: G B syzkaller #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120 bad_page.cold+0xbe/0xdf mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] free_page_is_bad mm/page_alloc.c:1070 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0x7d6/0x10a0 mm/page_alloc.c:2938 page_frag_free+0x199/0x1f0 mm/page_frag_cache.c:169 __xdp_return+0x3b6/0x990 net/core/xdp.c:448 bpf_xdp_shrink_data net/core/filter.c:4220 [inline] bpf_xdp_frags_shrink_tail net/core/filter.c:4244 [inline] ____bpf_xdp_adjust_tail net/core/filter.c:4266 [inline] bpf_xdp_adjust_tail+0x8a1/0xbb0 net/core/filter.c:4259 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x614/0x1610 net/core/dev.c:5488 netif_receive_generic_xdp net/core/dev.c:5604 [inline] do_xdp_generic+0x92e/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7efc12f5d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe9dd61d38 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055555e953500 RCX: 00007efc12f5d68e RDX: 000000000000fdef RSI: 0000200000000000 RDI: 00000000000000c8 RBP: 00007efc13032d6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007efc13215fac R14: 00007efc13215fa0 R15: 00007efc13215fa0 BUG: Bad page state in process syz.0.17 pfn:22392 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888000000000 pfn:0x22392 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888023212000 0000000000000000 raw: ffff888000000000 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5922, tgid 5922 (syz.0.17), ts 72252812752, free_ts 71561400201 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xfd/0x120 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x11a6/0x3410 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x27c/0x2bc0 mm/page_alloc.c:5221 __alloc_pages_noprof mm/page_alloc.c:5255 [inline] alloc_pages_bulk_noprof+0x649/0x1360 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x1c6/0xa60 net/core/page_pool.c:621 page_pool_alloc_netmems net/core/page_pool.c:672 [inline] page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:659 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0xa15/0x1220 net/core/skbuff.c:982 skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1016 netif_skb_check_for_xdp net/core/dev.c:5557 [inline] netif_receive_generic_xdp net/core/dev.c:5598 [inline] do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 28 tgid 28 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0x794/0x10a0 mm/page_alloc.c:2938 __pagetable_free include/linux/mm.h:3661 [inline] pagetable_free include/linux/mm.h:3685 [inline] pagetable_dtor_free include/linux/mm.h:3784 [inline] __tlb_remove_table include/asm-generic/tlb.h:221 [inline] __tlb_remove_table_free mm/mmu_gather.c:228 [inline] tlb_remove_table_rcu+0x2cf/0x380 mm/mmu_gather.c:291 rcu_do_batch kernel/rcu/tree.c:2617 [inline] rcu_core+0x5a2/0x10d0 kernel/rcu/tree.c:2869 handle_softirqs+0x1ea/0xa00 kernel/softirq.c:622 run_ksoftirqd kernel/softirq.c:1076 [inline] run_ksoftirqd+0x38/0x60 kernel/softirq.c:1068 smpboot_thread_fn+0x3d3/0xaa0 kernel/smpboot.c:160 kthread+0x370/0x450 kernel/kthread.c:436 ret_from_fork+0x72b/0xd50 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Modules linked in: CPU: 1 UID: 0 PID: 5922 Comm: syz.0.17 Tainted: G B syzkaller #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120 bad_page.cold+0xbe/0xdf mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] free_page_is_bad mm/page_alloc.c:1070 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0x7d6/0x10a0 mm/page_alloc.c:2938 page_frag_free+0x199/0x1f0 mm/page_frag_cache.c:169 __xdp_return+0x3b6/0x990 net/core/xdp.c:448 bpf_xdp_shrink_data net/core/filter.c:4220 [inline] bpf_xdp_frags_shrink_tail net/core/filter.c:4244 [inline] ____bpf_xdp_adjust_tail net/core/filter.c:4266 [inline] bpf_xdp_adjust_tail+0x8a1/0xbb0 net/core/filter.c:4259 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x614/0x1610 net/core/dev.c:5488 netif_receive_generic_xdp net/core/dev.c:5604 [inline] do_xdp_generic+0x92e/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7efc12f5d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe9dd61d38 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055555e953500 RCX: 00007efc12f5d68e RDX: 000000000000fdef RSI: 0000200000000000 RDI: 00000000000000c8 RBP: 00007efc13032d6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007efc13215fac R14: 00007efc13215fa0 R15: 00007efc13215fa0 BUG: Bad page state in process syz.0.17 pfn:264a5 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880264a5000 pfn:0x264a5 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888023212000 0000000000000000 raw: ffff8880264a5000 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5922, tgid 5922 (syz.0.17), ts 72252806412, free_ts 72008952299 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xfd/0x120 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x11a6/0x3410 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x27c/0x2bc0 mm/page_alloc.c:5221 __alloc_pages_noprof mm/page_alloc.c:5255 [inline] alloc_pages_bulk_noprof+0x649/0x1360 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x1c6/0xa60 net/core/page_pool.c:621 page_pool_alloc_netmems net/core/page_pool.c:672 [inline] page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:659 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0xa15/0x1220 net/core/skbuff.c:982 skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1016 netif_skb_check_for_xdp net/core/dev.c:5557 [inline] netif_receive_generic_xdp net/core/dev.c:5598 [inline] do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5867 tgid 5867 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0x794/0x10a0 mm/page_alloc.c:2938 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x47/0xf0 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x1a0/0x1f0 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:350 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slub.c:4570 [inline] slab_alloc_node mm/slub.c:4899 [inline] __do_kmalloc_node mm/slub.c:5295 [inline] __kmalloc_node_track_caller_noprof+0x2ba/0x850 mm/slub.c:5408 kmalloc_reserve+0xe8/0x350 net/core/skbuff.c:635 __alloc_skb+0x185/0x710 net/core/skbuff.c:713 alloc_skb include/linux/skbuff.h:1385 [inline] nlmsg_new include/net/netlink.h:1055 [inline] rtmsg_ifinfo_build_skb+0x81/0x260 net/core/rtnetlink.c:4445 rtmsg_ifinfo_event net/core/rtnetlink.c:4487 [inline] rtmsg_ifinfo_event net/core/rtnetlink.c:4477 [inline] rtnetlink_event+0x137/0x1f0 net/core/rtnetlink.c:7057 notifier_call_chain+0x99/0x400 kernel/notifier.c:85 call_netdevice_notifiers_info+0xbe/0x110 net/core/dev.c:2249 call_netdevice_notifiers_extack net/core/dev.c:2287 [inline] call_netdevice_notifiers net/core/dev.c:2301 [inline] netif_set_mac_address+0x370/0x4a0 net/core/dev.c:9999 do_setlink.isra.0+0x75f/0x3e60 net/core/rtnetlink.c:3133 rtnl_changelink net/core/rtnetlink.c:3800 [inline] __rtnl_newlink net/core/rtnetlink.c:3973 [inline] rtnl_newlink+0x11c2/0x2380 net/core/rtnetlink.c:4110 rtnetlink_rcv_msg+0x95e/0xe90 net/core/rtnetlink.c:6997 netlink_rcv_skb+0x159/0x420 net/netlink/af_netlink.c:2555 Modules linked in: CPU: 1 UID: 0 PID: 5922 Comm: syz.0.17 Tainted: G B syzkaller #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120 bad_page.cold+0xbe/0xdf mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] free_page_is_bad mm/page_alloc.c:1070 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0x7d6/0x10a0 mm/page_alloc.c:2938 page_frag_free+0x199/0x1f0 mm/page_frag_cache.c:169 __xdp_return+0x3b6/0x990 net/core/xdp.c:448 bpf_xdp_shrink_data net/core/filter.c:4220 [inline] bpf_xdp_frags_shrink_tail net/core/filter.c:4244 [inline] ____bpf_xdp_adjust_tail net/core/filter.c:4266 [inline] bpf_xdp_adjust_tail+0x8a1/0xbb0 net/core/filter.c:4259 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x614/0x1610 net/core/dev.c:5488 netif_receive_generic_xdp net/core/dev.c:5604 [inline] do_xdp_generic+0x92e/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7efc12f5d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe9dd61d38 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055555e953500 RCX: 00007efc12f5d68e RDX: 000000000000fdef RSI: 0000200000000000 RDI: 00000000000000c8 RBP: 00007efc13032d6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007efc13215fac R14: 00007efc13215fa0 R15: 00007efc13215fa0 BUG: Bad page state in process syz.0.17 pfn:27db2 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888027db2f18 pfn:0x27db2 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888023212000 0000000000000000 raw: ffff888027db2f18 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5922, tgid 5922 (syz.0.17), ts 72252800298, free_ts 72018680180 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xfd/0x120 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x11a6/0x3410 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x27c/0x2bc0 mm/page_alloc.c:5221 __alloc_pages_noprof mm/page_alloc.c:5255 [inline] alloc_pages_bulk_noprof+0x649/0x1360 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x1c6/0xa60 net/core/page_pool.c:621 page_pool_alloc_netmems net/core/page_pool.c:672 [inline] page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:659 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0xa15/0x1220 net/core/skbuff.c:982 skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1016 netif_skb_check_for_xdp net/core/dev.c:5557 [inline] netif_receive_generic_xdp net/core/dev.c:5598 [inline] do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5867 tgid 5867 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0x794/0x10a0 mm/page_alloc.c:2938 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x47/0xf0 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x1a0/0x1f0 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:350 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slub.c:4570 [inline] slab_alloc_node mm/slub.c:4899 [inline] kmem_cache_alloc_lru_noprof+0x246/0x6e0 mm/slub.c:4918 sock_alloc_inode+0x26/0x290 net/socket.c:328 alloc_inode+0x68/0x250 fs/inode.c:345 new_inode_pseudo include/linux/fs.h:3015 [inline] sock_alloc+0x44/0x280 net/socket.c:697 __sock_create+0xc2/0x860 net/socket.c:1628 sock_create net/socket.c:1722 [inline] __sys_socket_create net/socket.c:1759 [inline] __sys_socket+0x14d/0x260 net/socket.c:1806 __do_sys_socket net/socket.c:1820 [inline] __se_sys_socket net/socket.c:1818 [inline] __x64_sys_socket+0x72/0xb0 net/socket.c:1818 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Modules linked in: CPU: 1 UID: 0 PID: 5922 Comm: syz.0.17 Tainted: G B syzkaller #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120 bad_page.cold+0xbe/0xdf mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] free_page_is_bad mm/page_alloc.c:1070 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0x7d6/0x10a0 mm/page_alloc.c:2938 page_frag_free+0x199/0x1f0 mm/page_frag_cache.c:169 __xdp_return+0x3b6/0x990 net/core/xdp.c:448 bpf_xdp_shrink_data net/core/filter.c:4220 [inline] bpf_xdp_frags_shrink_tail net/core/filter.c:4244 [inline] ____bpf_xdp_adjust_tail net/core/filter.c:4266 [inline] bpf_xdp_adjust_tail+0x8a1/0xbb0 net/core/filter.c:4259 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x614/0x1610 net/core/dev.c:5488 netif_receive_generic_xdp net/core/dev.c:5604 [inline] do_xdp_generic+0x92e/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7efc12f5d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe9dd61d38 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055555e953500 RCX: 00007efc12f5d68e RDX: 000000000000fdef RSI: 0000200000000000 RDI: 00000000000000c8 RBP: 00007efc13032d6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007efc13215fac R14: 00007efc13215fa0 R15: 00007efc13215fa0 BUG: Bad page state in process syz.0.17 pfn:37c60 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888037c60e88 pfn:0x37c60 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888023212000 0000000000000000 raw: ffff888037c60e88 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5922, tgid 5922 (syz.0.17), ts 72252794195, free_ts 72018744882 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xfd/0x120 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x11a6/0x3410 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x27c/0x2bc0 mm/page_alloc.c:5221 __alloc_pages_noprof mm/page_alloc.c:5255 [inline] alloc_pages_bulk_noprof+0x649/0x1360 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x1c6/0xa60 net/core/page_pool.c:621 page_pool_alloc_netmems net/core/page_pool.c:672 [inline] page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:659 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0xa15/0x1220 net/core/skbuff.c:982 skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1016 netif_skb_check_for_xdp net/core/dev.c:5557 [inline] netif_receive_generic_xdp net/core/dev.c:5598 [inline] do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5867 tgid 5867 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0x794/0x10a0 mm/page_alloc.c:2938 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x47/0xf0 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x1a0/0x1f0 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:350 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slub.c:4570 [inline] slab_alloc_node mm/slub.c:4899 [inline] kmem_cache_alloc_lru_noprof+0x246/0x6e0 mm/slub.c:4918 sock_alloc_inode+0x26/0x290 net/socket.c:328 alloc_inode+0x68/0x250 fs/inode.c:345 new_inode_pseudo include/linux/fs.h:3015 [inline] sock_alloc+0x44/0x280 net/socket.c:697 __sock_create+0xc2/0x860 net/socket.c:1628 sock_create net/socket.c:1722 [inline] __sys_socket_create net/socket.c:1759 [inline] __sys_socket+0x14d/0x260 net/socket.c:1806 __do_sys_socket net/socket.c:1820 [inline] __se_sys_socket net/socket.c:1818 [inline] __x64_sys_socket+0x72/0xb0 net/socket.c:1818 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Modules linked in: CPU: 1 UID: 0 PID: 5922 Comm: syz.0.17 Tainted: G B syzkaller #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120 bad_page.cold+0xbe/0xdf mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] free_page_is_bad mm/page_alloc.c:1070 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0x7d6/0x10a0 mm/page_alloc.c:2938 page_frag_free+0x199/0x1f0 mm/page_frag_cache.c:169 __xdp_return+0x3b6/0x990 net/core/xdp.c:448 bpf_xdp_shrink_data net/core/filter.c:4220 [inline] bpf_xdp_frags_shrink_tail net/core/filter.c:4244 [inline] ____bpf_xdp_adjust_tail net/core/filter.c:4266 [inline] bpf_xdp_adjust_tail+0x8a1/0xbb0 net/core/filter.c:4259 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x614/0x1610 net/core/dev.c:5488 netif_receive_generic_xdp net/core/dev.c:5604 [inline] do_xdp_generic+0x92e/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7efc12f5d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe9dd61d38 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055555e953500 RCX: 00007efc12f5d68e RDX: 000000000000fdef RSI: 0000200000000000 RDI: 00000000000000c8 RBP: 00007efc13032d6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007efc13215fac R14: 00007efc13215fa0 R15: 00007efc13215fa0 BUG: Bad page state in process syz.0.17 pfn:2a57f page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88802a57f5d0 pfn:0x2a57f flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888023212000 0000000000000000 raw: ffff88802a57f5d0 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5922, tgid 5922 (syz.0.17), ts 72252787700, free_ts 72018769589 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xfd/0x120 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x11a6/0x3410 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x27c/0x2bc0 mm/page_alloc.c:5221 __alloc_pages_noprof mm/page_alloc.c:5255 [inline] alloc_pages_bulk_noprof+0x649/0x1360 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x1c6/0xa60 net/core/page_pool.c:621 page_pool_alloc_netmems net/core/page_pool.c:672 [inline] page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:659 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0xa15/0x1220 net/core/skbuff.c:982 skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1016 netif_skb_check_for_xdp net/core/dev.c:5557 [inline] netif_receive_generic_xdp net/core/dev.c:5598 [inline] do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5867 tgid 5867 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0x794/0x10a0 mm/page_alloc.c:2938 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x47/0xf0 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x1a0/0x1f0 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:350 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slub.c:4570 [inline] slab_alloc_node mm/slub.c:4899 [inline] kmem_cache_alloc_lru_noprof+0x246/0x6e0 mm/slub.c:4918 sock_alloc_inode+0x26/0x290 net/socket.c:328 alloc_inode+0x68/0x250 fs/inode.c:345 new_inode_pseudo include/linux/fs.h:3015 [inline] sock_alloc+0x44/0x280 net/socket.c:697 __sock_create+0xc2/0x860 net/socket.c:1628 sock_create net/socket.c:1722 [inline] __sys_socket_create net/socket.c:1759 [inline] __sys_socket+0x14d/0x260 net/socket.c:1806 __do_sys_socket net/socket.c:1820 [inline] __se_sys_socket net/socket.c:1818 [inline] __x64_sys_socket+0x72/0xb0 net/socket.c:1818 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Modules linked in: CPU: 1 UID: 0 PID: 5922 Comm: syz.0.17 Tainted: G B syzkaller #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120 bad_page.cold+0xbe/0xdf mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] free_page_is_bad mm/page_alloc.c:1070 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0x7d6/0x10a0 mm/page_alloc.c:2938 page_frag_free+0x199/0x1f0 mm/page_frag_cache.c:169 __xdp_return+0x3b6/0x990 net/core/xdp.c:448 bpf_xdp_shrink_data net/core/filter.c:4220 [inline] bpf_xdp_frags_shrink_tail net/core/filter.c:4244 [inline] ____bpf_xdp_adjust_tail net/core/filter.c:4266 [inline] bpf_xdp_adjust_tail+0x8a1/0xbb0 net/core/filter.c:4259 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x614/0x1610 net/core/dev.c:5488 netif_receive_generic_xdp net/core/dev.c:5604 [inline] do_xdp_generic+0x92e/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7efc12f5d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe9dd61d38 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055555e953500 RCX: 00007efc12f5d68e RDX: 000000000000fdef RSI: 0000200000000000 RDI: 00000000000000c8 RBP: 00007efc13032d6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007efc13215fac R14: 00007efc13215fa0 R15: 00007efc13215fa0 BUG: Bad page state in process syz.0.17 pfn:37a49 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888037a49e88 pfn:0x37a49 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888023212000 0000000000000000 raw: ffff888037a49e88 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5922, tgid 5922 (syz.0.17), ts 72252781428, free_ts 72018833522 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xfd/0x120 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x11a6/0x3410 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x27c/0x2bc0 mm/page_alloc.c:5221 __alloc_pages_noprof mm/page_alloc.c:5255 [inline] alloc_pages_bulk_noprof+0x649/0x1360 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x1c6/0xa60 net/core/page_pool.c:621 page_pool_alloc_netmems net/core/page_pool.c:672 [inline] page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:659 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0xa15/0x1220 net/core/skbuff.c:982 skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1016 netif_skb_check_for_xdp net/core/dev.c:5557 [inline] netif_receive_generic_xdp net/core/dev.c:5598 [inline] do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5867 tgid 5867 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0x794/0x10a0 mm/page_alloc.c:2938 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x47/0xf0 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x1a0/0x1f0 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:350 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slub.c:4570 [inline] slab_alloc_node mm/slub.c:4899 [inline] kmem_cache_alloc_lru_noprof+0x246/0x6e0 mm/slub.c:4918 sock_alloc_inode+0x26/0x290 net/socket.c:328 alloc_inode+0x68/0x250 fs/inode.c:345 new_inode_pseudo include/linux/fs.h:3015 [inline] sock_alloc+0x44/0x280 net/socket.c:697 __sock_create+0xc2/0x860 net/socket.c:1628 sock_create net/socket.c:1722 [inline] __sys_socket_create net/socket.c:1759 [inline] __sys_socket+0x14d/0x260 net/socket.c:1806 __do_sys_socket net/socket.c:1820 [inline] __se_sys_socket net/socket.c:1818 [inline] __x64_sys_socket+0x72/0xb0 net/socket.c:1818 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Modules linked in: CPU: 1 UID: 0 PID: 5922 Comm: syz.0.17 Tainted: G B syzkaller #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120 bad_page.cold+0xbe/0xdf mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] free_page_is_bad mm/page_alloc.c:1070 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0x7d6/0x10a0 mm/page_alloc.c:2938 page_frag_free+0x199/0x1f0 mm/page_frag_cache.c:169 __xdp_return+0x3b6/0x990 net/core/xdp.c:448 bpf_xdp_shrink_data net/core/filter.c:4220 [inline] bpf_xdp_frags_shrink_tail net/core/filter.c:4244 [inline] ____bpf_xdp_adjust_tail net/core/filter.c:4266 [inline] bpf_xdp_adjust_tail+0x8a1/0xbb0 net/core/filter.c:4259 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x614/0x1610 net/core/dev.c:5488 netif_receive_generic_xdp net/core/dev.c:5604 [inline] do_xdp_generic+0x92e/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7efc12f5d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe9dd61d38 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055555e953500 RCX: 00007efc12f5d68e RDX: 000000000000fdef RSI: 0000200000000000 RDI: 00000000000000c8 RBP: 00007efc13032d6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007efc13215fac R14: 00007efc13215fa0 R15: 00007efc13215fa0 BUG: Bad page state in process syz.0.17 pfn:2d546 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88802d546b00 pfn:0x2d546 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888023212000 0000000000000000 raw: ffff88802d546b00 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5922, tgid 5922 (syz.0.17), ts 72252775196, free_ts 72018942803 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xfd/0x120 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x11a6/0x3410 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x27c/0x2bc0 mm/page_alloc.c:5221 __alloc_pages_noprof mm/page_alloc.c:5255 [inline] alloc_pages_bulk_noprof+0x649/0x1360 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x1c6/0xa60 net/core/page_pool.c:621 page_pool_alloc_netmems net/core/page_pool.c:672 [inline] page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:659 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0xa15/0x1220 net/core/skbuff.c:982 skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1016 netif_skb_check_for_xdp net/core/dev.c:5557 [inline] netif_receive_generic_xdp net/core/dev.c:5598 [inline] do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5867 tgid 5867 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0x794/0x10a0 mm/page_alloc.c:2938 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x47/0xf0 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x1a0/0x1f0 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:350 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slub.c:4570 [inline] slab_alloc_node mm/slub.c:4899 [inline] kmem_cache_alloc_lru_noprof+0x246/0x6e0 mm/slub.c:4918 sock_alloc_inode+0x26/0x290 net/socket.c:328 alloc_inode+0x68/0x250 fs/inode.c:345 new_inode_pseudo include/linux/fs.h:3015 [inline] sock_alloc+0x44/0x280 net/socket.c:697 __sock_create+0xc2/0x860 net/socket.c:1628 sock_create net/socket.c:1722 [inline] __sys_socket_create net/socket.c:1759 [inline] __sys_socket+0x14d/0x260 net/socket.c:1806 __do_sys_socket net/socket.c:1820 [inline] __se_sys_socket net/socket.c:1818 [inline] __x64_sys_socket+0x72/0xb0 net/socket.c:1818 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Modules linked in: CPU: 1 UID: 0 PID: 5922 Comm: syz.0.17 Tainted: G B syzkaller #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120 bad_page.cold+0xbe/0xdf mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] free_page_is_bad mm/page_alloc.c:1070 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0x7d6/0x10a0 mm/page_alloc.c:2938 page_frag_free+0x199/0x1f0 mm/page_frag_cache.c:169 __xdp_return+0x3b6/0x990 net/core/xdp.c:448 bpf_xdp_shrink_data net/core/filter.c:4220 [inline] bpf_xdp_frags_shrink_tail net/core/filter.c:4244 [inline] ____bpf_xdp_adjust_tail net/core/filter.c:4266 [inline] bpf_xdp_adjust_tail+0x8a1/0xbb0 net/core/filter.c:4259 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x614/0x1610 net/core/dev.c:5488 netif_receive_generic_xdp net/core/dev.c:5604 [inline] do_xdp_generic+0x92e/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7efc12f5d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe9dd61d38 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055555e953500 RCX: 00007efc12f5d68e RDX: 000000000000fdef RSI: 0000200000000000 RDI: 00000000000000c8 RBP: 00007efc13032d6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007efc13215fac R14: 00007efc13215fa0 R15: 00007efc13215fa0 BUG: Bad page state in process syz.0.17 pfn:2a8b6 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88802a8b69a0 pfn:0x2a8b6 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888023212000 0000000000000000 raw: ffff88802a8b69a0 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5922, tgid 5922 (syz.0.17), ts 72252768968, free_ts 72020085943 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xfd/0x120 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x11a6/0x3410 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x27c/0x2bc0 mm/page_alloc.c:5221 __alloc_pages_noprof mm/page_alloc.c:5255 [inline] alloc_pages_bulk_noprof+0x649/0x1360 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x1c6/0xa60 net/core/page_pool.c:621 page_pool_alloc_netmems net/core/page_pool.c:672 [inline] page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:659 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0xa15/0x1220 net/core/skbuff.c:982 skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1016 netif_skb_check_for_xdp net/core/dev.c:5557 [inline] netif_receive_generic_xdp net/core/dev.c:5598 [inline] do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5867 tgid 5867 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0x794/0x10a0 mm/page_alloc.c:2938 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x47/0xf0 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x1a0/0x1f0 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:350 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slub.c:4570 [inline] slab_alloc_node mm/slub.c:4899 [inline] __kmalloc_cache_noprof+0x243/0x6f0 mm/slub.c:5415 kmalloc_noprof include/linux/slab.h:950 [inline] netdevice_queue_work drivers/infiniband/core/roce_gid_mgmt.c:663 [inline] netdevice_event+0x308/0x9a0 drivers/infiniband/core/roce_gid_mgmt.c:822 notifier_call_chain+0x99/0x400 kernel/notifier.c:85 call_netdevice_notifiers_info+0xbe/0x110 net/core/dev.c:2249 call_netdevice_notifiers_extack net/core/dev.c:2287 [inline] call_netdevice_notifiers net/core/dev.c:2301 [inline] __dev_notify_flags+0x12c/0x2e0 net/core/dev.c:9797 netif_change_flags+0x108/0x160 net/core/dev.c:9826 do_setlink.isra.0+0x1ac4/0x3e60 net/core/rtnetlink.c:3181 rtnl_changelink net/core/rtnetlink.c:3800 [inline] __rtnl_newlink net/core/rtnetlink.c:3973 [inline] rtnl_newlink+0x11c2/0x2380 net/core/rtnetlink.c:4110 rtnetlink_rcv_msg+0x95e/0xe90 net/core/rtnetlink.c:6997 netlink_rcv_skb+0x159/0x420 net/netlink/af_netlink.c:2555 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x585/0x850 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x8b0/0xda0 net/netlink/af_netlink.c:1899 Modules linked in: CPU: 1 UID: 0 PID: 5922 Comm: syz.0.17 Tainted: G B syzkaller #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120 bad_page.cold+0xbe/0xdf mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] free_page_is_bad mm/page_alloc.c:1070 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0x7d6/0x10a0 mm/page_alloc.c:2938 page_frag_free+0x199/0x1f0 mm/page_frag_cache.c:169 __xdp_return+0x3b6/0x990 net/core/xdp.c:448 bpf_xdp_shrink_data net/core/filter.c:4220 [inline] bpf_xdp_frags_shrink_tail net/core/filter.c:4244 [inline] ____bpf_xdp_adjust_tail net/core/filter.c:4266 [inline] bpf_xdp_adjust_tail+0x8a1/0xbb0 net/core/filter.c:4259 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x614/0x1610 net/core/dev.c:5488 netif_receive_generic_xdp net/core/dev.c:5604 [inline] do_xdp_generic+0x92e/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7efc12f5d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe9dd61d38 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055555e953500 RCX: 00007efc12f5d68e RDX: 000000000000fdef RSI: 0000200000000000 RDI: 00000000000000c8 RBP: 00007efc13032d6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007efc13215fac R14: 00007efc13215fa0 R15: 00007efc13215fa0 BUG: Bad page state in process syz.0.17 pfn:59f40 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888059f401e0 pfn:0x59f40 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888023212000 0000000000000000 raw: ffff888059f401e0 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5922, tgid 5922 (syz.0.17), ts 72252762697, free_ts 72020222689 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xfd/0x120 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x11a6/0x3410 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x27c/0x2bc0 mm/page_alloc.c:5221 __alloc_pages_noprof mm/page_alloc.c:5255 [inline] alloc_pages_bulk_noprof+0x649/0x1360 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x1c6/0xa60 net/core/page_pool.c:621 page_pool_alloc_netmems net/core/page_pool.c:672 [inline] page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:659 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0xa15/0x1220 net/core/skbuff.c:982 skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1016 netif_skb_check_for_xdp net/core/dev.c:5557 [inline] netif_receive_generic_xdp net/core/dev.c:5598 [inline] do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5867 tgid 5867 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0x794/0x10a0 mm/page_alloc.c:2938 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x47/0xf0 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x1a0/0x1f0 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:350 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slub.c:4570 [inline] slab_alloc_node mm/slub.c:4899 [inline] __kmalloc_cache_noprof+0x243/0x6f0 mm/slub.c:5415 kmalloc_noprof include/linux/slab.h:950 [inline] netdevice_queue_work drivers/infiniband/core/roce_gid_mgmt.c:663 [inline] netdevice_event+0x308/0x9a0 drivers/infiniband/core/roce_gid_mgmt.c:822 notifier_call_chain+0x99/0x400 kernel/notifier.c:85 call_netdevice_notifiers_info+0xbe/0x110 net/core/dev.c:2249 call_netdevice_notifiers_extack net/core/dev.c:2287 [inline] call_netdevice_notifiers net/core/dev.c:2301 [inline] __dev_notify_flags+0x12c/0x2e0 net/core/dev.c:9797 netif_change_flags+0x108/0x160 net/core/dev.c:9826 do_setlink.isra.0+0x1ac4/0x3e60 net/core/rtnetlink.c:3181 rtnl_changelink net/core/rtnetlink.c:3800 [inline] __rtnl_newlink net/core/rtnetlink.c:3973 [inline] rtnl_newlink+0x11c2/0x2380 net/core/rtnetlink.c:4110 rtnetlink_rcv_msg+0x95e/0xe90 net/core/rtnetlink.c:6997 netlink_rcv_skb+0x159/0x420 net/netlink/af_netlink.c:2555 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x585/0x850 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x8b0/0xda0 net/netlink/af_netlink.c:1899 Modules linked in: CPU: 1 UID: 0 PID: 5922 Comm: syz.0.17 Tainted: G B syzkaller #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120 bad_page.cold+0xbe/0xdf mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] free_page_is_bad mm/page_alloc.c:1070 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0x7d6/0x10a0 mm/page_alloc.c:2938 page_frag_free+0x199/0x1f0 mm/page_frag_cache.c:169 __xdp_return+0x3b6/0x990 net/core/xdp.c:448 bpf_xdp_shrink_data net/core/filter.c:4220 [inline] bpf_xdp_frags_shrink_tail net/core/filter.c:4244 [inline] ____bpf_xdp_adjust_tail net/core/filter.c:4266 [inline] bpf_xdp_adjust_tail+0x8a1/0xbb0 net/core/filter.c:4259 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x614/0x1610 net/core/dev.c:5488 netif_receive_generic_xdp net/core/dev.c:5604 [inline] do_xdp_generic+0x92e/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7efc12f5d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe9dd61d38 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055555e953500 RCX: 00007efc12f5d68e RDX: 000000000000fdef RSI: 0000200000000000 RDI: 00000000000000c8 RBP: 00007efc13032d6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007efc13215fac R14: 00007efc13215fa0 R15: 00007efc13215fa0 BUG: Bad page state in process syz.0.17 pfn:59f49 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888059f49000 pfn:0x59f49 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888023212000 0000000000000000 raw: ffff888059f49000 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5922, tgid 5922 (syz.0.17), ts 72252756502, free_ts 72020230070 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xfd/0x120 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x11a6/0x3410 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x27c/0x2bc0 mm/page_alloc.c:5221 __alloc_pages_noprof mm/page_alloc.c:5255 [inline] alloc_pages_bulk_noprof+0x649/0x1360 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x1c6/0xa60 net/core/page_pool.c:621 page_pool_alloc_netmems net/core/page_pool.c:672 [inline] page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:659 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0xa15/0x1220 net/core/skbuff.c:982 skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1016 netif_skb_check_for_xdp net/core/dev.c:5557 [inline] netif_receive_generic_xdp net/core/dev.c:5598 [inline] do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5867 tgid 5867 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0x794/0x10a0 mm/page_alloc.c:2938 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x47/0xf0 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x1a0/0x1f0 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:350 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slub.c:4570 [inline] slab_alloc_node mm/slub.c:4899 [inline] __kmalloc_cache_noprof+0x243/0x6f0 mm/slub.c:5415 kmalloc_noprof include/linux/slab.h:950 [inline] netdevice_queue_work drivers/infiniband/core/roce_gid_mgmt.c:663 [inline] netdevice_event+0x308/0x9a0 drivers/infiniband/core/roce_gid_mgmt.c:822 notifier_call_chain+0x99/0x400 kernel/notifier.c:85 call_netdevice_notifiers_info+0xbe/0x110 net/core/dev.c:2249 call_netdevice_notifiers_extack net/core/dev.c:2287 [inline] call_netdevice_notifiers net/core/dev.c:2301 [inline] __dev_notify_flags+0x12c/0x2e0 net/core/dev.c:9797 netif_change_flags+0x108/0x160 net/core/dev.c:9826 do_setlink.isra.0+0x1ac4/0x3e60 net/core/rtnetlink.c:3181 rtnl_changelink net/core/rtnetlink.c:3800 [inline] __rtnl_newlink net/core/rtnetlink.c:3973 [inline] rtnl_newlink+0x11c2/0x2380 net/core/rtnetlink.c:4110 rtnetlink_rcv_msg+0x95e/0xe90 net/core/rtnetlink.c:6997 netlink_rcv_skb+0x159/0x420 net/netlink/af_netlink.c:2555 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x585/0x850 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x8b0/0xda0 net/netlink/af_netlink.c:1899 Modules linked in: CPU: 1 UID: 0 PID: 5922 Comm: syz.0.17 Tainted: G B syzkaller #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120 bad_page.cold+0xbe/0xdf mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] free_page_is_bad mm/page_alloc.c:1070 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0x7d6/0x10a0 mm/page_alloc.c:2938 page_frag_free+0x199/0x1f0 mm/page_frag_cache.c:169 __xdp_return+0x3b6/0x990 net/core/xdp.c:448 bpf_xdp_shrink_data net/core/filter.c:4220 [inline] bpf_xdp_frags_shrink_tail net/core/filter.c:4244 [inline] ____bpf_xdp_adjust_tail net/core/filter.c:4266 [inline] bpf_xdp_adjust_tail+0x8a1/0xbb0 net/core/filter.c:4259 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x614/0x1610 net/core/dev.c:5488 netif_receive_generic_xdp net/core/dev.c:5604 [inline] do_xdp_generic+0x92e/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7efc12f5d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe9dd61d38 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055555e953500 RCX: 00007efc12f5d68e RDX: 000000000000fdef RSI: 0000200000000000 RDI: 00000000000000c8 RBP: 00007efc13032d6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007efc13215fac R14: 00007efc13215fa0 R15: 00007efc13215fa0 final repro crashed as (corrupted=false): BUG: Bad page state in process syz.0.17 pfn:5abcf page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5abcf flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888023212000 0000000000000000 raw: 0000000000000000 3fffffffffffffff 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5922, tgid 5922 (syz.0.17), ts 72252831745, free_ts 71561376239 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xfd/0x120 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x11a6/0x3410 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x27c/0x2bc0 mm/page_alloc.c:5221 __alloc_pages_noprof mm/page_alloc.c:5255 [inline] alloc_pages_bulk_noprof+0x649/0x1360 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x1c6/0xa60 net/core/page_pool.c:621 page_pool_alloc_netmems net/core/page_pool.c:672 [inline] page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:659 page_pool_alloc_frag_netmem+0x21d/0xa00 net/core/page_pool.c:1081 page_pool_alloc_netmem include/net/page_pool/helpers.h:131 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0x5a7/0x1220 net/core/skbuff.c:982 skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1016 netif_skb_check_for_xdp net/core/dev.c:5557 [inline] netif_receive_generic_xdp net/core/dev.c:5598 [inline] do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 28 tgid 28 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0x794/0x10a0 mm/page_alloc.c:2938 __pagetable_free include/linux/mm.h:3661 [inline] pagetable_free include/linux/mm.h:3685 [inline] pagetable_dtor_free include/linux/mm.h:3784 [inline] __tlb_remove_table include/asm-generic/tlb.h:221 [inline] __tlb_remove_table_free mm/mmu_gather.c:228 [inline] tlb_remove_table_rcu+0x2cf/0x380 mm/mmu_gather.c:291 rcu_do_batch kernel/rcu/tree.c:2617 [inline] rcu_core+0x5a2/0x10d0 kernel/rcu/tree.c:2869 handle_softirqs+0x1ea/0xa00 kernel/softirq.c:622 run_ksoftirqd kernel/softirq.c:1076 [inline] run_ksoftirqd+0x38/0x60 kernel/softirq.c:1068 smpboot_thread_fn+0x3d3/0xaa0 kernel/smpboot.c:160 kthread+0x370/0x450 kernel/kthread.c:436 ret_from_fork+0x72b/0xd50 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Modules linked in: CPU: 1 UID: 0 PID: 5922 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120 bad_page.cold+0xbe/0xdf mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] free_page_is_bad mm/page_alloc.c:1070 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0x7d6/0x10a0 mm/page_alloc.c:2938 page_frag_free+0x199/0x1f0 mm/page_frag_cache.c:169 __xdp_return+0x3b6/0x990 net/core/xdp.c:448 bpf_xdp_shrink_data net/core/filter.c:4220 [inline] bpf_xdp_frags_shrink_tail net/core/filter.c:4244 [inline] ____bpf_xdp_adjust_tail net/core/filter.c:4266 [inline] bpf_xdp_adjust_tail+0x8a1/0xbb0 net/core/filter.c:4259 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x614/0x1610 net/core/dev.c:5488 netif_receive_generic_xdp net/core/dev.c:5604 [inline] do_xdp_generic+0x92e/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7efc12f5d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe9dd61d38 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055555e953500 RCX: 00007efc12f5d68e RDX: 000000000000fdef RSI: 0000200000000000 RDI: 00000000000000c8 RBP: 00007efc13032d6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007efc13215fac R14: 00007efc13215fa0 R15: 00007efc13215fa0 BUG: Bad page state in process syz.0.17 pfn:22397 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888000000000 pfn:0x22397 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888023212000 0000000000000000 raw: ffff888000000000 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5922, tgid 5922 (syz.0.17), ts 72252819304, free_ts 71561384999 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xfd/0x120 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x11a6/0x3410 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x27c/0x2bc0 mm/page_alloc.c:5221 __alloc_pages_noprof mm/page_alloc.c:5255 [inline] alloc_pages_bulk_noprof+0x649/0x1360 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x1c6/0xa60 net/core/page_pool.c:621 page_pool_alloc_netmems net/core/page_pool.c:672 [inline] page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:659 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0xa15/0x1220 net/core/skbuff.c:982 skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1016 netif_skb_check_for_xdp net/core/dev.c:5557 [inline] netif_receive_generic_xdp net/core/dev.c:5598 [inline] do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 28 tgid 28 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0x794/0x10a0 mm/page_alloc.c:2938 __pagetable_free include/linux/mm.h:3661 [inline] pagetable_free include/linux/mm.h:3685 [inline] pagetable_dtor_free include/linux/mm.h:3784 [inline] __tlb_remove_table include/asm-generic/tlb.h:221 [inline] __tlb_remove_table_free mm/mmu_gather.c:228 [inline] tlb_remove_table_rcu+0x2cf/0x380 mm/mmu_gather.c:291 rcu_do_batch kernel/rcu/tree.c:2617 [inline] rcu_core+0x5a2/0x10d0 kernel/rcu/tree.c:2869 handle_softirqs+0x1ea/0xa00 kernel/softirq.c:622 run_ksoftirqd kernel/softirq.c:1076 [inline] run_ksoftirqd+0x38/0x60 kernel/softirq.c:1068 smpboot_thread_fn+0x3d3/0xaa0 kernel/smpboot.c:160 kthread+0x370/0x450 kernel/kthread.c:436 ret_from_fork+0x72b/0xd50 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Modules linked in: CPU: 1 UID: 0 PID: 5922 Comm: syz.0.17 Tainted: G B syzkaller #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120 bad_page.cold+0xbe/0xdf mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] free_page_is_bad mm/page_alloc.c:1070 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0x7d6/0x10a0 mm/page_alloc.c:2938 page_frag_free+0x199/0x1f0 mm/page_frag_cache.c:169 __xdp_return+0x3b6/0x990 net/core/xdp.c:448 bpf_xdp_shrink_data net/core/filter.c:4220 [inline] bpf_xdp_frags_shrink_tail net/core/filter.c:4244 [inline] ____bpf_xdp_adjust_tail net/core/filter.c:4266 [inline] bpf_xdp_adjust_tail+0x8a1/0xbb0 net/core/filter.c:4259 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x614/0x1610 net/core/dev.c:5488 netif_receive_generic_xdp net/core/dev.c:5604 [inline] do_xdp_generic+0x92e/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7efc12f5d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe9dd61d38 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055555e953500 RCX: 00007efc12f5d68e RDX: 000000000000fdef RSI: 0000200000000000 RDI: 00000000000000c8 RBP: 00007efc13032d6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007efc13215fac R14: 00007efc13215fa0 R15: 00007efc13215fa0 BUG: Bad page state in process syz.0.17 pfn:22392 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888000000000 pfn:0x22392 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888023212000 0000000000000000 raw: ffff888000000000 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5922, tgid 5922 (syz.0.17), ts 72252812752, free_ts 71561400201 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xfd/0x120 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x11a6/0x3410 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x27c/0x2bc0 mm/page_alloc.c:5221 __alloc_pages_noprof mm/page_alloc.c:5255 [inline] alloc_pages_bulk_noprof+0x649/0x1360 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x1c6/0xa60 net/core/page_pool.c:621 page_pool_alloc_netmems net/core/page_pool.c:672 [inline] page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:659 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0xa15/0x1220 net/core/skbuff.c:982 skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1016 netif_skb_check_for_xdp net/core/dev.c:5557 [inline] netif_receive_generic_xdp net/core/dev.c:5598 [inline] do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 28 tgid 28 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0x794/0x10a0 mm/page_alloc.c:2938 __pagetable_free include/linux/mm.h:3661 [inline] pagetable_free include/linux/mm.h:3685 [inline] pagetable_dtor_free include/linux/mm.h:3784 [inline] __tlb_remove_table include/asm-generic/tlb.h:221 [inline] __tlb_remove_table_free mm/mmu_gather.c:228 [inline] tlb_remove_table_rcu+0x2cf/0x380 mm/mmu_gather.c:291 rcu_do_batch kernel/rcu/tree.c:2617 [inline] rcu_core+0x5a2/0x10d0 kernel/rcu/tree.c:2869 handle_softirqs+0x1ea/0xa00 kernel/softirq.c:622 run_ksoftirqd kernel/softirq.c:1076 [inline] run_ksoftirqd+0x38/0x60 kernel/softirq.c:1068 smpboot_thread_fn+0x3d3/0xaa0 kernel/smpboot.c:160 kthread+0x370/0x450 kernel/kthread.c:436 ret_from_fork+0x72b/0xd50 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Modules linked in: CPU: 1 UID: 0 PID: 5922 Comm: syz.0.17 Tainted: G B syzkaller #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120 bad_page.cold+0xbe/0xdf mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] free_page_is_bad mm/page_alloc.c:1070 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0x7d6/0x10a0 mm/page_alloc.c:2938 page_frag_free+0x199/0x1f0 mm/page_frag_cache.c:169 __xdp_return+0x3b6/0x990 net/core/xdp.c:448 bpf_xdp_shrink_data net/core/filter.c:4220 [inline] bpf_xdp_frags_shrink_tail net/core/filter.c:4244 [inline] ____bpf_xdp_adjust_tail net/core/filter.c:4266 [inline] bpf_xdp_adjust_tail+0x8a1/0xbb0 net/core/filter.c:4259 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x614/0x1610 net/core/dev.c:5488 netif_receive_generic_xdp net/core/dev.c:5604 [inline] do_xdp_generic+0x92e/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7efc12f5d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe9dd61d38 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055555e953500 RCX: 00007efc12f5d68e RDX: 000000000000fdef RSI: 0000200000000000 RDI: 00000000000000c8 RBP: 00007efc13032d6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007efc13215fac R14: 00007efc13215fa0 R15: 00007efc13215fa0 BUG: Bad page state in process syz.0.17 pfn:264a5 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880264a5000 pfn:0x264a5 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888023212000 0000000000000000 raw: ffff8880264a5000 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5922, tgid 5922 (syz.0.17), ts 72252806412, free_ts 72008952299 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xfd/0x120 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x11a6/0x3410 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x27c/0x2bc0 mm/page_alloc.c:5221 __alloc_pages_noprof mm/page_alloc.c:5255 [inline] alloc_pages_bulk_noprof+0x649/0x1360 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x1c6/0xa60 net/core/page_pool.c:621 page_pool_alloc_netmems net/core/page_pool.c:672 [inline] page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:659 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0xa15/0x1220 net/core/skbuff.c:982 skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1016 netif_skb_check_for_xdp net/core/dev.c:5557 [inline] netif_receive_generic_xdp net/core/dev.c:5598 [inline] do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5867 tgid 5867 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0x794/0x10a0 mm/page_alloc.c:2938 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x47/0xf0 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x1a0/0x1f0 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:350 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slub.c:4570 [inline] slab_alloc_node mm/slub.c:4899 [inline] __do_kmalloc_node mm/slub.c:5295 [inline] __kmalloc_node_track_caller_noprof+0x2ba/0x850 mm/slub.c:5408 kmalloc_reserve+0xe8/0x350 net/core/skbuff.c:635 __alloc_skb+0x185/0x710 net/core/skbuff.c:713 alloc_skb include/linux/skbuff.h:1385 [inline] nlmsg_new include/net/netlink.h:1055 [inline] rtmsg_ifinfo_build_skb+0x81/0x260 net/core/rtnetlink.c:4445 rtmsg_ifinfo_event net/core/rtnetlink.c:4487 [inline] rtmsg_ifinfo_event net/core/rtnetlink.c:4477 [inline] rtnetlink_event+0x137/0x1f0 net/core/rtnetlink.c:7057 notifier_call_chain+0x99/0x400 kernel/notifier.c:85 call_netdevice_notifiers_info+0xbe/0x110 net/core/dev.c:2249 call_netdevice_notifiers_extack net/core/dev.c:2287 [inline] call_netdevice_notifiers net/core/dev.c:2301 [inline] netif_set_mac_address+0x370/0x4a0 net/core/dev.c:9999 do_setlink.isra.0+0x75f/0x3e60 net/core/rtnetlink.c:3133 rtnl_changelink net/core/rtnetlink.c:3800 [inline] __rtnl_newlink net/core/rtnetlink.c:3973 [inline] rtnl_newlink+0x11c2/0x2380 net/core/rtnetlink.c:4110 rtnetlink_rcv_msg+0x95e/0xe90 net/core/rtnetlink.c:6997 netlink_rcv_skb+0x159/0x420 net/netlink/af_netlink.c:2555 Modules linked in: CPU: 1 UID: 0 PID: 5922 Comm: syz.0.17 Tainted: G B syzkaller #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120 bad_page.cold+0xbe/0xdf mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] free_page_is_bad mm/page_alloc.c:1070 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0x7d6/0x10a0 mm/page_alloc.c:2938 page_frag_free+0x199/0x1f0 mm/page_frag_cache.c:169 __xdp_return+0x3b6/0x990 net/core/xdp.c:448 bpf_xdp_shrink_data net/core/filter.c:4220 [inline] bpf_xdp_frags_shrink_tail net/core/filter.c:4244 [inline] ____bpf_xdp_adjust_tail net/core/filter.c:4266 [inline] bpf_xdp_adjust_tail+0x8a1/0xbb0 net/core/filter.c:4259 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x614/0x1610 net/core/dev.c:5488 netif_receive_generic_xdp net/core/dev.c:5604 [inline] do_xdp_generic+0x92e/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7efc12f5d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe9dd61d38 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055555e953500 RCX: 00007efc12f5d68e RDX: 000000000000fdef RSI: 0000200000000000 RDI: 00000000000000c8 RBP: 00007efc13032d6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007efc13215fac R14: 00007efc13215fa0 R15: 00007efc13215fa0 BUG: Bad page state in process syz.0.17 pfn:27db2 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888027db2f18 pfn:0x27db2 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888023212000 0000000000000000 raw: ffff888027db2f18 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5922, tgid 5922 (syz.0.17), ts 72252800298, free_ts 72018680180 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xfd/0x120 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x11a6/0x3410 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x27c/0x2bc0 mm/page_alloc.c:5221 __alloc_pages_noprof mm/page_alloc.c:5255 [inline] alloc_pages_bulk_noprof+0x649/0x1360 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x1c6/0xa60 net/core/page_pool.c:621 page_pool_alloc_netmems net/core/page_pool.c:672 [inline] page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:659 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0xa15/0x1220 net/core/skbuff.c:982 skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1016 netif_skb_check_for_xdp net/core/dev.c:5557 [inline] netif_receive_generic_xdp net/core/dev.c:5598 [inline] do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5867 tgid 5867 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0x794/0x10a0 mm/page_alloc.c:2938 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x47/0xf0 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x1a0/0x1f0 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:350 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slub.c:4570 [inline] slab_alloc_node mm/slub.c:4899 [inline] kmem_cache_alloc_lru_noprof+0x246/0x6e0 mm/slub.c:4918 sock_alloc_inode+0x26/0x290 net/socket.c:328 alloc_inode+0x68/0x250 fs/inode.c:345 new_inode_pseudo include/linux/fs.h:3015 [inline] sock_alloc+0x44/0x280 net/socket.c:697 __sock_create+0xc2/0x860 net/socket.c:1628 sock_create net/socket.c:1722 [inline] __sys_socket_create net/socket.c:1759 [inline] __sys_socket+0x14d/0x260 net/socket.c:1806 __do_sys_socket net/socket.c:1820 [inline] __se_sys_socket net/socket.c:1818 [inline] __x64_sys_socket+0x72/0xb0 net/socket.c:1818 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Modules linked in: CPU: 1 UID: 0 PID: 5922 Comm: syz.0.17 Tainted: G B syzkaller #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120 bad_page.cold+0xbe/0xdf mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] free_page_is_bad mm/page_alloc.c:1070 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0x7d6/0x10a0 mm/page_alloc.c:2938 page_frag_free+0x199/0x1f0 mm/page_frag_cache.c:169 __xdp_return+0x3b6/0x990 net/core/xdp.c:448 bpf_xdp_shrink_data net/core/filter.c:4220 [inline] bpf_xdp_frags_shrink_tail net/core/filter.c:4244 [inline] ____bpf_xdp_adjust_tail net/core/filter.c:4266 [inline] bpf_xdp_adjust_tail+0x8a1/0xbb0 net/core/filter.c:4259 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x614/0x1610 net/core/dev.c:5488 netif_receive_generic_xdp net/core/dev.c:5604 [inline] do_xdp_generic+0x92e/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7efc12f5d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe9dd61d38 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055555e953500 RCX: 00007efc12f5d68e RDX: 000000000000fdef RSI: 0000200000000000 RDI: 00000000000000c8 RBP: 00007efc13032d6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007efc13215fac R14: 00007efc13215fa0 R15: 00007efc13215fa0 BUG: Bad page state in process syz.0.17 pfn:37c60 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888037c60e88 pfn:0x37c60 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888023212000 0000000000000000 raw: ffff888037c60e88 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5922, tgid 5922 (syz.0.17), ts 72252794195, free_ts 72018744882 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xfd/0x120 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x11a6/0x3410 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x27c/0x2bc0 mm/page_alloc.c:5221 __alloc_pages_noprof mm/page_alloc.c:5255 [inline] alloc_pages_bulk_noprof+0x649/0x1360 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x1c6/0xa60 net/core/page_pool.c:621 page_pool_alloc_netmems net/core/page_pool.c:672 [inline] page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:659 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0xa15/0x1220 net/core/skbuff.c:982 skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1016 netif_skb_check_for_xdp net/core/dev.c:5557 [inline] netif_receive_generic_xdp net/core/dev.c:5598 [inline] do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5867 tgid 5867 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0x794/0x10a0 mm/page_alloc.c:2938 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x47/0xf0 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x1a0/0x1f0 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:350 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slub.c:4570 [inline] slab_alloc_node mm/slub.c:4899 [inline] kmem_cache_alloc_lru_noprof+0x246/0x6e0 mm/slub.c:4918 sock_alloc_inode+0x26/0x290 net/socket.c:328 alloc_inode+0x68/0x250 fs/inode.c:345 new_inode_pseudo include/linux/fs.h:3015 [inline] sock_alloc+0x44/0x280 net/socket.c:697 __sock_create+0xc2/0x860 net/socket.c:1628 sock_create net/socket.c:1722 [inline] __sys_socket_create net/socket.c:1759 [inline] __sys_socket+0x14d/0x260 net/socket.c:1806 __do_sys_socket net/socket.c:1820 [inline] __se_sys_socket net/socket.c:1818 [inline] __x64_sys_socket+0x72/0xb0 net/socket.c:1818 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Modules linked in: CPU: 1 UID: 0 PID: 5922 Comm: syz.0.17 Tainted: G B syzkaller #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120 bad_page.cold+0xbe/0xdf mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] free_page_is_bad mm/page_alloc.c:1070 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0x7d6/0x10a0 mm/page_alloc.c:2938 page_frag_free+0x199/0x1f0 mm/page_frag_cache.c:169 __xdp_return+0x3b6/0x990 net/core/xdp.c:448 bpf_xdp_shrink_data net/core/filter.c:4220 [inline] bpf_xdp_frags_shrink_tail net/core/filter.c:4244 [inline] ____bpf_xdp_adjust_tail net/core/filter.c:4266 [inline] bpf_xdp_adjust_tail+0x8a1/0xbb0 net/core/filter.c:4259 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x614/0x1610 net/core/dev.c:5488 netif_receive_generic_xdp net/core/dev.c:5604 [inline] do_xdp_generic+0x92e/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7efc12f5d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe9dd61d38 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055555e953500 RCX: 00007efc12f5d68e RDX: 000000000000fdef RSI: 0000200000000000 RDI: 00000000000000c8 RBP: 00007efc13032d6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007efc13215fac R14: 00007efc13215fa0 R15: 00007efc13215fa0 BUG: Bad page state in process syz.0.17 pfn:2a57f page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88802a57f5d0 pfn:0x2a57f flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888023212000 0000000000000000 raw: ffff88802a57f5d0 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5922, tgid 5922 (syz.0.17), ts 72252787700, free_ts 72018769589 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xfd/0x120 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x11a6/0x3410 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x27c/0x2bc0 mm/page_alloc.c:5221 __alloc_pages_noprof mm/page_alloc.c:5255 [inline] alloc_pages_bulk_noprof+0x649/0x1360 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x1c6/0xa60 net/core/page_pool.c:621 page_pool_alloc_netmems net/core/page_pool.c:672 [inline] page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:659 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0xa15/0x1220 net/core/skbuff.c:982 skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1016 netif_skb_check_for_xdp net/core/dev.c:5557 [inline] netif_receive_generic_xdp net/core/dev.c:5598 [inline] do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5867 tgid 5867 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0x794/0x10a0 mm/page_alloc.c:2938 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x47/0xf0 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x1a0/0x1f0 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:350 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slub.c:4570 [inline] slab_alloc_node mm/slub.c:4899 [inline] kmem_cache_alloc_lru_noprof+0x246/0x6e0 mm/slub.c:4918 sock_alloc_inode+0x26/0x290 net/socket.c:328 alloc_inode+0x68/0x250 fs/inode.c:345 new_inode_pseudo include/linux/fs.h:3015 [inline] sock_alloc+0x44/0x280 net/socket.c:697 __sock_create+0xc2/0x860 net/socket.c:1628 sock_create net/socket.c:1722 [inline] __sys_socket_create net/socket.c:1759 [inline] __sys_socket+0x14d/0x260 net/socket.c:1806 __do_sys_socket net/socket.c:1820 [inline] __se_sys_socket net/socket.c:1818 [inline] __x64_sys_socket+0x72/0xb0 net/socket.c:1818 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Modules linked in: CPU: 1 UID: 0 PID: 5922 Comm: syz.0.17 Tainted: G B syzkaller #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120 bad_page.cold+0xbe/0xdf mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] free_page_is_bad mm/page_alloc.c:1070 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0x7d6/0x10a0 mm/page_alloc.c:2938 page_frag_free+0x199/0x1f0 mm/page_frag_cache.c:169 __xdp_return+0x3b6/0x990 net/core/xdp.c:448 bpf_xdp_shrink_data net/core/filter.c:4220 [inline] bpf_xdp_frags_shrink_tail net/core/filter.c:4244 [inline] ____bpf_xdp_adjust_tail net/core/filter.c:4266 [inline] bpf_xdp_adjust_tail+0x8a1/0xbb0 net/core/filter.c:4259 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x614/0x1610 net/core/dev.c:5488 netif_receive_generic_xdp net/core/dev.c:5604 [inline] do_xdp_generic+0x92e/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7efc12f5d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe9dd61d38 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055555e953500 RCX: 00007efc12f5d68e RDX: 000000000000fdef RSI: 0000200000000000 RDI: 00000000000000c8 RBP: 00007efc13032d6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007efc13215fac R14: 00007efc13215fa0 R15: 00007efc13215fa0 BUG: Bad page state in process syz.0.17 pfn:37a49 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888037a49e88 pfn:0x37a49 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888023212000 0000000000000000 raw: ffff888037a49e88 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5922, tgid 5922 (syz.0.17), ts 72252781428, free_ts 72018833522 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xfd/0x120 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x11a6/0x3410 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x27c/0x2bc0 mm/page_alloc.c:5221 __alloc_pages_noprof mm/page_alloc.c:5255 [inline] alloc_pages_bulk_noprof+0x649/0x1360 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x1c6/0xa60 net/core/page_pool.c:621 page_pool_alloc_netmems net/core/page_pool.c:672 [inline] page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:659 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0xa15/0x1220 net/core/skbuff.c:982 skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1016 netif_skb_check_for_xdp net/core/dev.c:5557 [inline] netif_receive_generic_xdp net/core/dev.c:5598 [inline] do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5867 tgid 5867 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0x794/0x10a0 mm/page_alloc.c:2938 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x47/0xf0 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x1a0/0x1f0 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:350 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slub.c:4570 [inline] slab_alloc_node mm/slub.c:4899 [inline] kmem_cache_alloc_lru_noprof+0x246/0x6e0 mm/slub.c:4918 sock_alloc_inode+0x26/0x290 net/socket.c:328 alloc_inode+0x68/0x250 fs/inode.c:345 new_inode_pseudo include/linux/fs.h:3015 [inline] sock_alloc+0x44/0x280 net/socket.c:697 __sock_create+0xc2/0x860 net/socket.c:1628 sock_create net/socket.c:1722 [inline] __sys_socket_create net/socket.c:1759 [inline] __sys_socket+0x14d/0x260 net/socket.c:1806 __do_sys_socket net/socket.c:1820 [inline] __se_sys_socket net/socket.c:1818 [inline] __x64_sys_socket+0x72/0xb0 net/socket.c:1818 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Modules linked in: CPU: 1 UID: 0 PID: 5922 Comm: syz.0.17 Tainted: G B syzkaller #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120 bad_page.cold+0xbe/0xdf mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] free_page_is_bad mm/page_alloc.c:1070 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0x7d6/0x10a0 mm/page_alloc.c:2938 page_frag_free+0x199/0x1f0 mm/page_frag_cache.c:169 __xdp_return+0x3b6/0x990 net/core/xdp.c:448 bpf_xdp_shrink_data net/core/filter.c:4220 [inline] bpf_xdp_frags_shrink_tail net/core/filter.c:4244 [inline] ____bpf_xdp_adjust_tail net/core/filter.c:4266 [inline] bpf_xdp_adjust_tail+0x8a1/0xbb0 net/core/filter.c:4259 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x614/0x1610 net/core/dev.c:5488 netif_receive_generic_xdp net/core/dev.c:5604 [inline] do_xdp_generic+0x92e/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7efc12f5d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe9dd61d38 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055555e953500 RCX: 00007efc12f5d68e RDX: 000000000000fdef RSI: 0000200000000000 RDI: 00000000000000c8 RBP: 00007efc13032d6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007efc13215fac R14: 00007efc13215fa0 R15: 00007efc13215fa0 BUG: Bad page state in process syz.0.17 pfn:2d546 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88802d546b00 pfn:0x2d546 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888023212000 0000000000000000 raw: ffff88802d546b00 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5922, tgid 5922 (syz.0.17), ts 72252775196, free_ts 72018942803 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xfd/0x120 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x11a6/0x3410 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x27c/0x2bc0 mm/page_alloc.c:5221 __alloc_pages_noprof mm/page_alloc.c:5255 [inline] alloc_pages_bulk_noprof+0x649/0x1360 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x1c6/0xa60 net/core/page_pool.c:621 page_pool_alloc_netmems net/core/page_pool.c:672 [inline] page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:659 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0xa15/0x1220 net/core/skbuff.c:982 skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1016 netif_skb_check_for_xdp net/core/dev.c:5557 [inline] netif_receive_generic_xdp net/core/dev.c:5598 [inline] do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5867 tgid 5867 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0x794/0x10a0 mm/page_alloc.c:2938 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x47/0xf0 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x1a0/0x1f0 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:350 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slub.c:4570 [inline] slab_alloc_node mm/slub.c:4899 [inline] kmem_cache_alloc_lru_noprof+0x246/0x6e0 mm/slub.c:4918 sock_alloc_inode+0x26/0x290 net/socket.c:328 alloc_inode+0x68/0x250 fs/inode.c:345 new_inode_pseudo include/linux/fs.h:3015 [inline] sock_alloc+0x44/0x280 net/socket.c:697 __sock_create+0xc2/0x860 net/socket.c:1628 sock_create net/socket.c:1722 [inline] __sys_socket_create net/socket.c:1759 [inline] __sys_socket+0x14d/0x260 net/socket.c:1806 __do_sys_socket net/socket.c:1820 [inline] __se_sys_socket net/socket.c:1818 [inline] __x64_sys_socket+0x72/0xb0 net/socket.c:1818 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Modules linked in: CPU: 1 UID: 0 PID: 5922 Comm: syz.0.17 Tainted: G B syzkaller #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120 bad_page.cold+0xbe/0xdf mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] free_page_is_bad mm/page_alloc.c:1070 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0x7d6/0x10a0 mm/page_alloc.c:2938 page_frag_free+0x199/0x1f0 mm/page_frag_cache.c:169 __xdp_return+0x3b6/0x990 net/core/xdp.c:448 bpf_xdp_shrink_data net/core/filter.c:4220 [inline] bpf_xdp_frags_shrink_tail net/core/filter.c:4244 [inline] ____bpf_xdp_adjust_tail net/core/filter.c:4266 [inline] bpf_xdp_adjust_tail+0x8a1/0xbb0 net/core/filter.c:4259 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x614/0x1610 net/core/dev.c:5488 netif_receive_generic_xdp net/core/dev.c:5604 [inline] do_xdp_generic+0x92e/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7efc12f5d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe9dd61d38 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055555e953500 RCX: 00007efc12f5d68e RDX: 000000000000fdef RSI: 0000200000000000 RDI: 00000000000000c8 RBP: 00007efc13032d6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007efc13215fac R14: 00007efc13215fa0 R15: 00007efc13215fa0 BUG: Bad page state in process syz.0.17 pfn:2a8b6 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88802a8b69a0 pfn:0x2a8b6 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888023212000 0000000000000000 raw: ffff88802a8b69a0 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5922, tgid 5922 (syz.0.17), ts 72252768968, free_ts 72020085943 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xfd/0x120 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x11a6/0x3410 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x27c/0x2bc0 mm/page_alloc.c:5221 __alloc_pages_noprof mm/page_alloc.c:5255 [inline] alloc_pages_bulk_noprof+0x649/0x1360 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x1c6/0xa60 net/core/page_pool.c:621 page_pool_alloc_netmems net/core/page_pool.c:672 [inline] page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:659 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0xa15/0x1220 net/core/skbuff.c:982 skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1016 netif_skb_check_for_xdp net/core/dev.c:5557 [inline] netif_receive_generic_xdp net/core/dev.c:5598 [inline] do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5867 tgid 5867 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0x794/0x10a0 mm/page_alloc.c:2938 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x47/0xf0 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x1a0/0x1f0 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:350 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slub.c:4570 [inline] slab_alloc_node mm/slub.c:4899 [inline] __kmalloc_cache_noprof+0x243/0x6f0 mm/slub.c:5415 kmalloc_noprof include/linux/slab.h:950 [inline] netdevice_queue_work drivers/infiniband/core/roce_gid_mgmt.c:663 [inline] netdevice_event+0x308/0x9a0 drivers/infiniband/core/roce_gid_mgmt.c:822 notifier_call_chain+0x99/0x400 kernel/notifier.c:85 call_netdevice_notifiers_info+0xbe/0x110 net/core/dev.c:2249 call_netdevice_notifiers_extack net/core/dev.c:2287 [inline] call_netdevice_notifiers net/core/dev.c:2301 [inline] __dev_notify_flags+0x12c/0x2e0 net/core/dev.c:9797 netif_change_flags+0x108/0x160 net/core/dev.c:9826 do_setlink.isra.0+0x1ac4/0x3e60 net/core/rtnetlink.c:3181 rtnl_changelink net/core/rtnetlink.c:3800 [inline] __rtnl_newlink net/core/rtnetlink.c:3973 [inline] rtnl_newlink+0x11c2/0x2380 net/core/rtnetlink.c:4110 rtnetlink_rcv_msg+0x95e/0xe90 net/core/rtnetlink.c:6997 netlink_rcv_skb+0x159/0x420 net/netlink/af_netlink.c:2555 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x585/0x850 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x8b0/0xda0 net/netlink/af_netlink.c:1899 Modules linked in: CPU: 1 UID: 0 PID: 5922 Comm: syz.0.17 Tainted: G B syzkaller #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120 bad_page.cold+0xbe/0xdf mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] free_page_is_bad mm/page_alloc.c:1070 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0x7d6/0x10a0 mm/page_alloc.c:2938 page_frag_free+0x199/0x1f0 mm/page_frag_cache.c:169 __xdp_return+0x3b6/0x990 net/core/xdp.c:448 bpf_xdp_shrink_data net/core/filter.c:4220 [inline] bpf_xdp_frags_shrink_tail net/core/filter.c:4244 [inline] ____bpf_xdp_adjust_tail net/core/filter.c:4266 [inline] bpf_xdp_adjust_tail+0x8a1/0xbb0 net/core/filter.c:4259 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x614/0x1610 net/core/dev.c:5488 netif_receive_generic_xdp net/core/dev.c:5604 [inline] do_xdp_generic+0x92e/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7efc12f5d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe9dd61d38 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055555e953500 RCX: 00007efc12f5d68e RDX: 000000000000fdef RSI: 0000200000000000 RDI: 00000000000000c8 RBP: 00007efc13032d6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007efc13215fac R14: 00007efc13215fa0 R15: 00007efc13215fa0 BUG: Bad page state in process syz.0.17 pfn:59f40 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888059f401e0 pfn:0x59f40 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888023212000 0000000000000000 raw: ffff888059f401e0 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5922, tgid 5922 (syz.0.17), ts 72252762697, free_ts 72020222689 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xfd/0x120 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x11a6/0x3410 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x27c/0x2bc0 mm/page_alloc.c:5221 __alloc_pages_noprof mm/page_alloc.c:5255 [inline] alloc_pages_bulk_noprof+0x649/0x1360 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x1c6/0xa60 net/core/page_pool.c:621 page_pool_alloc_netmems net/core/page_pool.c:672 [inline] page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:659 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0xa15/0x1220 net/core/skbuff.c:982 skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1016 netif_skb_check_for_xdp net/core/dev.c:5557 [inline] netif_receive_generic_xdp net/core/dev.c:5598 [inline] do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5867 tgid 5867 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0x794/0x10a0 mm/page_alloc.c:2938 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x47/0xf0 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x1a0/0x1f0 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:350 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slub.c:4570 [inline] slab_alloc_node mm/slub.c:4899 [inline] __kmalloc_cache_noprof+0x243/0x6f0 mm/slub.c:5415 kmalloc_noprof include/linux/slab.h:950 [inline] netdevice_queue_work drivers/infiniband/core/roce_gid_mgmt.c:663 [inline] netdevice_event+0x308/0x9a0 drivers/infiniband/core/roce_gid_mgmt.c:822 notifier_call_chain+0x99/0x400 kernel/notifier.c:85 call_netdevice_notifiers_info+0xbe/0x110 net/core/dev.c:2249 call_netdevice_notifiers_extack net/core/dev.c:2287 [inline] call_netdevice_notifiers net/core/dev.c:2301 [inline] __dev_notify_flags+0x12c/0x2e0 net/core/dev.c:9797 netif_change_flags+0x108/0x160 net/core/dev.c:9826 do_setlink.isra.0+0x1ac4/0x3e60 net/core/rtnetlink.c:3181 rtnl_changelink net/core/rtnetlink.c:3800 [inline] __rtnl_newlink net/core/rtnetlink.c:3973 [inline] rtnl_newlink+0x11c2/0x2380 net/core/rtnetlink.c:4110 rtnetlink_rcv_msg+0x95e/0xe90 net/core/rtnetlink.c:6997 netlink_rcv_skb+0x159/0x420 net/netlink/af_netlink.c:2555 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x585/0x850 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x8b0/0xda0 net/netlink/af_netlink.c:1899 Modules linked in: CPU: 1 UID: 0 PID: 5922 Comm: syz.0.17 Tainted: G B syzkaller #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120 bad_page.cold+0xbe/0xdf mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] free_page_is_bad mm/page_alloc.c:1070 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0x7d6/0x10a0 mm/page_alloc.c:2938 page_frag_free+0x199/0x1f0 mm/page_frag_cache.c:169 __xdp_return+0x3b6/0x990 net/core/xdp.c:448 bpf_xdp_shrink_data net/core/filter.c:4220 [inline] bpf_xdp_frags_shrink_tail net/core/filter.c:4244 [inline] ____bpf_xdp_adjust_tail net/core/filter.c:4266 [inline] bpf_xdp_adjust_tail+0x8a1/0xbb0 net/core/filter.c:4259 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x614/0x1610 net/core/dev.c:5488 netif_receive_generic_xdp net/core/dev.c:5604 [inline] do_xdp_generic+0x92e/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7efc12f5d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe9dd61d38 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055555e953500 RCX: 00007efc12f5d68e RDX: 000000000000fdef RSI: 0000200000000000 RDI: 00000000000000c8 RBP: 00007efc13032d6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007efc13215fac R14: 00007efc13215fa0 R15: 00007efc13215fa0 BUG: Bad page state in process syz.0.17 pfn:59f49 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888059f49000 pfn:0x59f49 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888023212000 0000000000000000 raw: ffff888059f49000 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5922, tgid 5922 (syz.0.17), ts 72252756502, free_ts 72020230070 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0xfd/0x120 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x11a6/0x3410 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x27c/0x2bc0 mm/page_alloc.c:5221 __alloc_pages_noprof mm/page_alloc.c:5255 [inline] alloc_pages_bulk_noprof+0x649/0x1360 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x1c6/0xa60 net/core/page_pool.c:621 page_pool_alloc_netmems net/core/page_pool.c:672 [inline] page_pool_alloc_netmems+0xc4/0x1a0 net/core/page_pool.c:659 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0xa15/0x1220 net/core/skbuff.c:982 skb_cow_data_for_xdp+0x88/0xb0 net/core/skbuff.c:1016 netif_skb_check_for_xdp net/core/dev.c:5557 [inline] netif_receive_generic_xdp net/core/dev.c:5598 [inline] do_xdp_generic+0x56b/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5867 tgid 5867 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0x794/0x10a0 mm/page_alloc.c:2938 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x47/0xf0 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x1a0/0x1f0 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:350 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slub.c:4570 [inline] slab_alloc_node mm/slub.c:4899 [inline] __kmalloc_cache_noprof+0x243/0x6f0 mm/slub.c:5415 kmalloc_noprof include/linux/slab.h:950 [inline] netdevice_queue_work drivers/infiniband/core/roce_gid_mgmt.c:663 [inline] netdevice_event+0x308/0x9a0 drivers/infiniband/core/roce_gid_mgmt.c:822 notifier_call_chain+0x99/0x400 kernel/notifier.c:85 call_netdevice_notifiers_info+0xbe/0x110 net/core/dev.c:2249 call_netdevice_notifiers_extack net/core/dev.c:2287 [inline] call_netdevice_notifiers net/core/dev.c:2301 [inline] __dev_notify_flags+0x12c/0x2e0 net/core/dev.c:9797 netif_change_flags+0x108/0x160 net/core/dev.c:9826 do_setlink.isra.0+0x1ac4/0x3e60 net/core/rtnetlink.c:3181 rtnl_changelink net/core/rtnetlink.c:3800 [inline] __rtnl_newlink net/core/rtnetlink.c:3973 [inline] rtnl_newlink+0x11c2/0x2380 net/core/rtnetlink.c:4110 rtnetlink_rcv_msg+0x95e/0xe90 net/core/rtnetlink.c:6997 netlink_rcv_skb+0x159/0x420 net/netlink/af_netlink.c:2555 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x585/0x850 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x8b0/0xda0 net/netlink/af_netlink.c:1899 Modules linked in: CPU: 1 UID: 0 PID: 5922 Comm: syz.0.17 Tainted: G B syzkaller #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120 bad_page.cold+0xbe/0xdf mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] free_page_is_bad mm/page_alloc.c:1070 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0x7d6/0x10a0 mm/page_alloc.c:2938 page_frag_free+0x199/0x1f0 mm/page_frag_cache.c:169 __xdp_return+0x3b6/0x990 net/core/xdp.c:448 bpf_xdp_shrink_data net/core/filter.c:4220 [inline] bpf_xdp_frags_shrink_tail net/core/filter.c:4244 [inline] ____bpf_xdp_adjust_tail net/core/filter.c:4266 [inline] bpf_xdp_adjust_tail+0x8a1/0xbb0 net/core/filter.c:4259 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x614/0x1610 net/core/dev.c:5488 netif_receive_generic_xdp net/core/dev.c:5604 [inline] do_xdp_generic+0x92e/0x12c0 net/core/dev.c:5666 tun_get_user+0x1c1c/0x3c20 drivers/net/tun.c:1874 tun_chr_write_iter+0xdc/0x200 drivers/net/tun.c:2001 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:688 ksys_write+0x12a/0x250 fs/read_write.c:740 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7efc12f5d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe9dd61d38 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055555e953500 RCX: 00007efc12f5d68e RDX: 000000000000fdef RSI: 0000200000000000 RDI: 00000000000000c8 RBP: 00007efc13032d6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007efc13215fac R14: 00007efc13215fa0 R15: 00007efc13215fa0