Extracting prog: 34.406825684s Minimizing prog: 18m44.82228469s Simplifying prog options: 2m15.765978232s Extracting C: 50.158175894s Simplifying C: 0s extracting reproducer from 52 programs first checking the prog from the crash report single: executing 1 programs separately with timeout 30s testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$alg-recvmsg$unix-socketpair$unix-sendmsg$inet-socketpair$unix-sendmsg$inet-socket$igmp6-setsockopt$IP6T_SO_SET_REPLACE-write$cgroup_subtree-bpf$PROG_LOAD_XDP-bpf$PROG_LOAD_XDP-bpf$BPF_PROG_TEST_RUN detailed listing: executing program 0: socket$alg(0x26, 0x5, 0x0) recvmsg$unix(0xffffffffffffffff, 0x0, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$inet(r0, 0x0, 0x0) socketpair$unix(0x1, 0x5, 0x0, 0x0) sendmsg$inet(0xffffffffffffffff, 0x0, 0x0) r1 = socket$igmp6(0xa, 0x3, 0x2) setsockopt$IP6T_SO_SET_REPLACE(r1, 0x29, 0x40, &(0x7f0000000b00)=@raw={'raw\x00', 0x8, 0x3, 0x428, 0xd0, 0xffffffff, 0xffffffff, 0x0, 0xffffffff, 0x358, 0xffffffff, 0xffffffff, 0x358, 0xffffffff, 0x3, 0x0, {[{{@ipv6={@private0, @mcast2, [], [], 'veth0_macvtap\x00', 'dvmrp1\x00'}, 0x0, 0xa8, 0xd0}, @common=@unspec=@NFQUEUE0={0x28}}, {{@ipv6={@remote, @ipv4={'\x00', '\xff\xff', @dev}, [], [], 'wg1\x00', 'gre0\x00'}, 0x0, 0x258, 0x288, 0x0, {}, [@common=@inet=@hashlimit1={{0x58}, {'pim6reg\x00', {0x0, 0x0, 0x5, 0x0, 0x0, 0x7, 0x3ff}}}, @common=@inet=@hashlimit3={{0x158}, {'wg1\x00', {0x3, 0x0, 0x41, 0x0, 0x0, 0x1000, 0x6, 0x3}}}]}, @common=@unspec=@CONNMARK={0x30}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28, '\x00', 0x7}}}}, 0x488) write$cgroup_subtree(0xffffffffffffffff, &(0x7f0000000000)=ANY=[@ANYBLOB="8fedcb7907009875f37538e486dd6317ce6203c23c00fe80000000000000875a65969ff57b00000000000000000000000000ac1414aa2c"], 0xfdef) bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000140)={0x6, 0x3, &(0x7f0000000680)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x90) r2 = bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000440)={0x6, 0x3, &(0x7f0000000680)=ANY=[], &(0x7f00000002c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000600)={r2, 0x5, 0xb68, 0x0, &(0x7f0000000000)='%', 0x0, 0xd01, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2}, 0x48) program crashed: BUG: Bad page state in xdp_test_run_batch single: successfully extracted reproducer found reproducer with 12 syscalls minimizing guilty program testing program (duration=41.959671019s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$alg-recvmsg$unix-socketpair$unix-sendmsg$inet-socketpair$unix-sendmsg$inet-socket$igmp6-setsockopt$IP6T_SO_SET_REPLACE-write$cgroup_subtree-bpf$PROG_LOAD_XDP-bpf$PROG_LOAD_XDP detailed listing: executing program 0: socket$alg(0x26, 0x5, 0x0) recvmsg$unix(0xffffffffffffffff, 0x0, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$inet(r0, 0x0, 0x0) socketpair$unix(0x1, 0x5, 0x0, 0x0) sendmsg$inet(0xffffffffffffffff, 0x0, 0x0) r1 = socket$igmp6(0xa, 0x3, 0x2) setsockopt$IP6T_SO_SET_REPLACE(r1, 0x29, 0x40, &(0x7f0000000b00)=@raw={'raw\x00', 0x8, 0x3, 0x428, 0xd0, 0xffffffff, 0xffffffff, 0x0, 0xffffffff, 0x358, 0xffffffff, 0xffffffff, 0x358, 0xffffffff, 0x3, 0x0, {[{{@ipv6={@private0, @mcast2, [], [], 'veth0_macvtap\x00', 'dvmrp1\x00'}, 0x0, 0xa8, 0xd0}, @common=@unspec=@NFQUEUE0={0x28}}, {{@ipv6={@remote, @ipv4={'\x00', '\xff\xff', @dev}, [], [], 'wg1\x00', 'gre0\x00'}, 0x0, 0x258, 0x288, 0x0, {}, [@common=@inet=@hashlimit1={{0x58}, {'pim6reg\x00', {0x0, 0x0, 0x5, 0x0, 0x0, 0x7, 0x3ff}}}, @common=@inet=@hashlimit3={{0x158}, {'wg1\x00', {0x3, 0x0, 0x41, 0x0, 0x0, 0x1000, 0x6, 0x3}}}]}, @common=@unspec=@CONNMARK={0x30}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28, '\x00', 0x7}}}}, 0x488) write$cgroup_subtree(0xffffffffffffffff, &(0x7f0000000000)=ANY=[@ANYBLOB="8fedcb7907009875f37538e486dd6317ce6203c23c00fe80000000000000875a65969ff57b00000000000000000000000000ac1414aa2c"], 0xfdef) bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000140)={0x6, 0x3, &(0x7f0000000680)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x90) bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000440)={0x6, 0x3, &(0x7f0000000680)=ANY=[], &(0x7f00000002c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) program did not crash testing program (duration=41.959671019s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$alg-recvmsg$unix-socketpair$unix-sendmsg$inet-socketpair$unix-sendmsg$inet-socket$igmp6-setsockopt$IP6T_SO_SET_REPLACE-write$cgroup_subtree-bpf$PROG_LOAD_XDP-bpf$BPF_PROG_TEST_RUN detailed listing: executing program 0: socket$alg(0x26, 0x5, 0x0) recvmsg$unix(0xffffffffffffffff, 0x0, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$inet(r0, 0x0, 0x0) socketpair$unix(0x1, 0x5, 0x0, 0x0) sendmsg$inet(0xffffffffffffffff, 0x0, 0x0) r1 = socket$igmp6(0xa, 0x3, 0x2) setsockopt$IP6T_SO_SET_REPLACE(r1, 0x29, 0x40, &(0x7f0000000b00)=@raw={'raw\x00', 0x8, 0x3, 0x428, 0xd0, 0xffffffff, 0xffffffff, 0x0, 0xffffffff, 0x358, 0xffffffff, 0xffffffff, 0x358, 0xffffffff, 0x3, 0x0, {[{{@ipv6={@private0, @mcast2, [], [], 'veth0_macvtap\x00', 'dvmrp1\x00'}, 0x0, 0xa8, 0xd0}, @common=@unspec=@NFQUEUE0={0x28}}, {{@ipv6={@remote, @ipv4={'\x00', '\xff\xff', @dev}, [], [], 'wg1\x00', 'gre0\x00'}, 0x0, 0x258, 0x288, 0x0, {}, [@common=@inet=@hashlimit1={{0x58}, {'pim6reg\x00', {0x0, 0x0, 0x5, 0x0, 0x0, 0x7, 0x3ff}}}, @common=@inet=@hashlimit3={{0x158}, {'wg1\x00', {0x3, 0x0, 0x41, 0x0, 0x0, 0x1000, 0x6, 0x3}}}]}, @common=@unspec=@CONNMARK={0x30}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28, '\x00', 0x7}}}}, 0x488) write$cgroup_subtree(0xffffffffffffffff, &(0x7f0000000000)=ANY=[@ANYBLOB="8fedcb7907009875f37538e486dd6317ce6203c23c00fe80000000000000875a65969ff57b00000000000000000000000000ac1414aa2c"], 0xfdef) bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000140)={0x6, 0x3, &(0x7f0000000680)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x90) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000600)={0xffffffffffffffff, 0x5, 0xb68, 0x0, &(0x7f0000000000)='%', 0x0, 0xd01, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2}, 0x48) program did not crash testing program (duration=41.959671019s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$alg-recvmsg$unix-socketpair$unix-sendmsg$inet-socketpair$unix-sendmsg$inet-socket$igmp6-setsockopt$IP6T_SO_SET_REPLACE-write$cgroup_subtree-bpf$PROG_LOAD_XDP-bpf$BPF_PROG_TEST_RUN detailed listing: executing program 0: socket$alg(0x26, 0x5, 0x0) recvmsg$unix(0xffffffffffffffff, 0x0, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$inet(r0, 0x0, 0x0) socketpair$unix(0x1, 0x5, 0x0, 0x0) sendmsg$inet(0xffffffffffffffff, 0x0, 0x0) r1 = socket$igmp6(0xa, 0x3, 0x2) setsockopt$IP6T_SO_SET_REPLACE(r1, 0x29, 0x40, &(0x7f0000000b00)=@raw={'raw\x00', 0x8, 0x3, 0x428, 0xd0, 0xffffffff, 0xffffffff, 0x0, 0xffffffff, 0x358, 0xffffffff, 0xffffffff, 0x358, 0xffffffff, 0x3, 0x0, {[{{@ipv6={@private0, @mcast2, [], [], 'veth0_macvtap\x00', 'dvmrp1\x00'}, 0x0, 0xa8, 0xd0}, @common=@unspec=@NFQUEUE0={0x28}}, {{@ipv6={@remote, @ipv4={'\x00', '\xff\xff', @dev}, [], [], 'wg1\x00', 'gre0\x00'}, 0x0, 0x258, 0x288, 0x0, {}, [@common=@inet=@hashlimit1={{0x58}, {'pim6reg\x00', {0x0, 0x0, 0x5, 0x0, 0x0, 0x7, 0x3ff}}}, @common=@inet=@hashlimit3={{0x158}, {'wg1\x00', {0x3, 0x0, 0x41, 0x0, 0x0, 0x1000, 0x6, 0x3}}}]}, @common=@unspec=@CONNMARK={0x30}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28, '\x00', 0x7}}}}, 0x488) write$cgroup_subtree(0xffffffffffffffff, &(0x7f0000000000)=ANY=[@ANYBLOB="8fedcb7907009875f37538e486dd6317ce6203c23c00fe80000000000000875a65969ff57b00000000000000000000000000ac1414aa2c"], 0xfdef) r2 = bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000440)={0x6, 0x3, &(0x7f0000000680)=ANY=[], &(0x7f00000002c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000600)={r2, 0x5, 0xb68, 0x0, &(0x7f0000000000)='%', 0x0, 0xd01, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2}, 0x48) program did not crash testing program (duration=41.959671019s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$alg-recvmsg$unix-socketpair$unix-sendmsg$inet-socketpair$unix-sendmsg$inet-socket$igmp6-setsockopt$IP6T_SO_SET_REPLACE-bpf$PROG_LOAD_XDP-bpf$PROG_LOAD_XDP-bpf$BPF_PROG_TEST_RUN detailed listing: executing program 0: socket$alg(0x26, 0x5, 0x0) recvmsg$unix(0xffffffffffffffff, 0x0, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$inet(r0, 0x0, 0x0) socketpair$unix(0x1, 0x5, 0x0, 0x0) sendmsg$inet(0xffffffffffffffff, 0x0, 0x0) r1 = socket$igmp6(0xa, 0x3, 0x2) setsockopt$IP6T_SO_SET_REPLACE(r1, 0x29, 0x40, &(0x7f0000000b00)=@raw={'raw\x00', 0x8, 0x3, 0x428, 0xd0, 0xffffffff, 0xffffffff, 0x0, 0xffffffff, 0x358, 0xffffffff, 0xffffffff, 0x358, 0xffffffff, 0x3, 0x0, {[{{@ipv6={@private0, @mcast2, [], [], 'veth0_macvtap\x00', 'dvmrp1\x00'}, 0x0, 0xa8, 0xd0}, @common=@unspec=@NFQUEUE0={0x28}}, {{@ipv6={@remote, @ipv4={'\x00', '\xff\xff', @dev}, [], [], 'wg1\x00', 'gre0\x00'}, 0x0, 0x258, 0x288, 0x0, {}, [@common=@inet=@hashlimit1={{0x58}, {'pim6reg\x00', {0x0, 0x0, 0x5, 0x0, 0x0, 0x7, 0x3ff}}}, @common=@inet=@hashlimit3={{0x158}, {'wg1\x00', {0x3, 0x0, 0x41, 0x0, 0x0, 0x1000, 0x6, 0x3}}}]}, @common=@unspec=@CONNMARK={0x30}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28, '\x00', 0x7}}}}, 0x488) bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000140)={0x6, 0x3, &(0x7f0000000680)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x90) r2 = bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000440)={0x6, 0x3, &(0x7f0000000680)=ANY=[], &(0x7f00000002c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000600)={r2, 0x5, 0xb68, 0x0, &(0x7f0000000000)='%', 0x0, 0xd01, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2}, 0x48) program did not crash testing program (duration=41.959671019s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$alg-recvmsg$unix-socketpair$unix-sendmsg$inet-socketpair$unix-sendmsg$inet-socket$igmp6-write$cgroup_subtree-bpf$PROG_LOAD_XDP-bpf$PROG_LOAD_XDP-bpf$BPF_PROG_TEST_RUN detailed listing: executing program 0: socket$alg(0x26, 0x5, 0x0) recvmsg$unix(0xffffffffffffffff, 0x0, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$inet(r0, 0x0, 0x0) socketpair$unix(0x1, 0x5, 0x0, 0x0) sendmsg$inet(0xffffffffffffffff, 0x0, 0x0) socket$igmp6(0xa, 0x3, 0x2) write$cgroup_subtree(0xffffffffffffffff, &(0x7f0000000000)=ANY=[@ANYBLOB="8fedcb7907009875f37538e486dd6317ce6203c23c00fe80000000000000875a65969ff57b00000000000000000000000000ac1414aa2c"], 0xfdef) bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000140)={0x6, 0x3, &(0x7f0000000680)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x90) r1 = bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000440)={0x6, 0x3, &(0x7f0000000680)=ANY=[], &(0x7f00000002c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000600)={r1, 0x5, 0xb68, 0x0, &(0x7f0000000000)='%', 0x0, 0xd01, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2}, 0x48) program did not crash testing program (duration=41.959671019s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$alg-recvmsg$unix-socketpair$unix-sendmsg$inet-socketpair$unix-sendmsg$inet-setsockopt$IP6T_SO_SET_REPLACE-write$cgroup_subtree-bpf$PROG_LOAD_XDP-bpf$PROG_LOAD_XDP-bpf$BPF_PROG_TEST_RUN detailed listing: executing program 0: socket$alg(0x26, 0x5, 0x0) recvmsg$unix(0xffffffffffffffff, 0x0, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$inet(r0, 0x0, 0x0) socketpair$unix(0x1, 0x5, 0x0, 0x0) sendmsg$inet(0xffffffffffffffff, 0x0, 0x0) setsockopt$IP6T_SO_SET_REPLACE(0xffffffffffffffff, 0x29, 0x40, &(0x7f0000000b00)=@raw={'raw\x00', 0x8, 0x3, 0x428, 0xd0, 0xffffffff, 0xffffffff, 0x0, 0xffffffff, 0x358, 0xffffffff, 0xffffffff, 0x358, 0xffffffff, 0x3, 0x0, {[{{@ipv6={@private0, @mcast2, [], [], 'veth0_macvtap\x00', 'dvmrp1\x00'}, 0x0, 0xa8, 0xd0}, @common=@unspec=@NFQUEUE0={0x28}}, {{@ipv6={@remote, @ipv4={'\x00', '\xff\xff', @dev}, [], [], 'wg1\x00', 'gre0\x00'}, 0x0, 0x258, 0x288, 0x0, {}, [@common=@inet=@hashlimit1={{0x58}, {'pim6reg\x00', {0x0, 0x0, 0x5, 0x0, 0x0, 0x7, 0x3ff}}}, @common=@inet=@hashlimit3={{0x158}, {'wg1\x00', {0x3, 0x0, 0x41, 0x0, 0x0, 0x1000, 0x6, 0x3}}}]}, @common=@unspec=@CONNMARK={0x30}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28, '\x00', 0x7}}}}, 0x488) write$cgroup_subtree(0xffffffffffffffff, &(0x7f0000000000)=ANY=[@ANYBLOB="8fedcb7907009875f37538e486dd6317ce6203c23c00fe80000000000000875a65969ff57b00000000000000000000000000ac1414aa2c"], 0xfdef) bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000140)={0x6, 0x3, &(0x7f0000000680)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x90) r1 = bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000440)={0x6, 0x3, &(0x7f0000000680)=ANY=[], &(0x7f00000002c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000600)={r1, 0x5, 0xb68, 0x0, &(0x7f0000000000)='%', 0x0, 0xd01, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2}, 0x48) program did not crash testing program (duration=41.959671019s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$alg-recvmsg$unix-socketpair$unix-sendmsg$inet-socketpair$unix-socket$igmp6-setsockopt$IP6T_SO_SET_REPLACE-write$cgroup_subtree-bpf$PROG_LOAD_XDP-bpf$PROG_LOAD_XDP-bpf$BPF_PROG_TEST_RUN detailed listing: executing program 0: socket$alg(0x26, 0x5, 0x0) recvmsg$unix(0xffffffffffffffff, 0x0, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$inet(r0, 0x0, 0x0) socketpair$unix(0x1, 0x5, 0x0, 0x0) r1 = socket$igmp6(0xa, 0x3, 0x2) setsockopt$IP6T_SO_SET_REPLACE(r1, 0x29, 0x40, &(0x7f0000000b00)=@raw={'raw\x00', 0x8, 0x3, 0x428, 0xd0, 0xffffffff, 0xffffffff, 0x0, 0xffffffff, 0x358, 0xffffffff, 0xffffffff, 0x358, 0xffffffff, 0x3, 0x0, {[{{@ipv6={@private0, @mcast2, [], [], 'veth0_macvtap\x00', 'dvmrp1\x00'}, 0x0, 0xa8, 0xd0}, @common=@unspec=@NFQUEUE0={0x28}}, {{@ipv6={@remote, @ipv4={'\x00', '\xff\xff', @dev}, [], [], 'wg1\x00', 'gre0\x00'}, 0x0, 0x258, 0x288, 0x0, {}, [@common=@inet=@hashlimit1={{0x58}, {'pim6reg\x00', {0x0, 0x0, 0x5, 0x0, 0x0, 0x7, 0x3ff}}}, @common=@inet=@hashlimit3={{0x158}, {'wg1\x00', {0x3, 0x0, 0x41, 0x0, 0x0, 0x1000, 0x6, 0x3}}}]}, @common=@unspec=@CONNMARK={0x30}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28, '\x00', 0x7}}}}, 0x488) write$cgroup_subtree(0xffffffffffffffff, &(0x7f0000000000)=ANY=[@ANYBLOB="8fedcb7907009875f37538e486dd6317ce6203c23c00fe80000000000000875a65969ff57b00000000000000000000000000ac1414aa2c"], 0xfdef) bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000140)={0x6, 0x3, &(0x7f0000000680)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x90) r2 = bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000440)={0x6, 0x3, &(0x7f0000000680)=ANY=[], &(0x7f00000002c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000600)={r2, 0x5, 0xb68, 0x0, &(0x7f0000000000)='%', 0x0, 0xd01, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2}, 0x48) program crashed: BUG: Bad page state in xdp_test_run_batch testing program (duration=41.959671019s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$alg-recvmsg$unix-socketpair$unix-sendmsg$inet-socket$igmp6-setsockopt$IP6T_SO_SET_REPLACE-write$cgroup_subtree-bpf$PROG_LOAD_XDP-bpf$PROG_LOAD_XDP-bpf$BPF_PROG_TEST_RUN detailed listing: executing program 0: socket$alg(0x26, 0x5, 0x0) recvmsg$unix(0xffffffffffffffff, 0x0, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$inet(r0, 0x0, 0x0) r1 = socket$igmp6(0xa, 0x3, 0x2) setsockopt$IP6T_SO_SET_REPLACE(r1, 0x29, 0x40, &(0x7f0000000b00)=@raw={'raw\x00', 0x8, 0x3, 0x428, 0xd0, 0xffffffff, 0xffffffff, 0x0, 0xffffffff, 0x358, 0xffffffff, 0xffffffff, 0x358, 0xffffffff, 0x3, 0x0, {[{{@ipv6={@private0, @mcast2, [], [], 'veth0_macvtap\x00', 'dvmrp1\x00'}, 0x0, 0xa8, 0xd0}, @common=@unspec=@NFQUEUE0={0x28}}, {{@ipv6={@remote, @ipv4={'\x00', '\xff\xff', @dev}, [], [], 'wg1\x00', 'gre0\x00'}, 0x0, 0x258, 0x288, 0x0, {}, [@common=@inet=@hashlimit1={{0x58}, {'pim6reg\x00', {0x0, 0x0, 0x5, 0x0, 0x0, 0x7, 0x3ff}}}, @common=@inet=@hashlimit3={{0x158}, {'wg1\x00', {0x3, 0x0, 0x41, 0x0, 0x0, 0x1000, 0x6, 0x3}}}]}, @common=@unspec=@CONNMARK={0x30}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28, '\x00', 0x7}}}}, 0x488) write$cgroup_subtree(0xffffffffffffffff, &(0x7f0000000000)=ANY=[@ANYBLOB="8fedcb7907009875f37538e486dd6317ce6203c23c00fe80000000000000875a65969ff57b00000000000000000000000000ac1414aa2c"], 0xfdef) bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000140)={0x6, 0x3, &(0x7f0000000680)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x90) r2 = bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000440)={0x6, 0x3, &(0x7f0000000680)=ANY=[], &(0x7f00000002c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000600)={r2, 0x5, 0xb68, 0x0, &(0x7f0000000000)='%', 0x0, 0xd01, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2}, 0x48) program crashed: BUG: Bad page state in xdp_test_run_batch testing program (duration=41.959671019s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$alg-recvmsg$unix-socketpair$unix-socket$igmp6-setsockopt$IP6T_SO_SET_REPLACE-write$cgroup_subtree-bpf$PROG_LOAD_XDP-bpf$PROG_LOAD_XDP-bpf$BPF_PROG_TEST_RUN detailed listing: executing program 0: socket$alg(0x26, 0x5, 0x0) recvmsg$unix(0xffffffffffffffff, 0x0, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000100)) r0 = socket$igmp6(0xa, 0x3, 0x2) setsockopt$IP6T_SO_SET_REPLACE(r0, 0x29, 0x40, &(0x7f0000000b00)=@raw={'raw\x00', 0x8, 0x3, 0x428, 0xd0, 0xffffffff, 0xffffffff, 0x0, 0xffffffff, 0x358, 0xffffffff, 0xffffffff, 0x358, 0xffffffff, 0x3, 0x0, {[{{@ipv6={@private0, @mcast2, [], [], 'veth0_macvtap\x00', 'dvmrp1\x00'}, 0x0, 0xa8, 0xd0}, @common=@unspec=@NFQUEUE0={0x28}}, {{@ipv6={@remote, @ipv4={'\x00', '\xff\xff', @dev}, [], [], 'wg1\x00', 'gre0\x00'}, 0x0, 0x258, 0x288, 0x0, {}, [@common=@inet=@hashlimit1={{0x58}, {'pim6reg\x00', {0x0, 0x0, 0x5, 0x0, 0x0, 0x7, 0x3ff}}}, @common=@inet=@hashlimit3={{0x158}, {'wg1\x00', {0x3, 0x0, 0x41, 0x0, 0x0, 0x1000, 0x6, 0x3}}}]}, @common=@unspec=@CONNMARK={0x30}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28, '\x00', 0x7}}}}, 0x488) write$cgroup_subtree(0xffffffffffffffff, &(0x7f0000000000)=ANY=[@ANYBLOB="8fedcb7907009875f37538e486dd6317ce6203c23c00fe80000000000000875a65969ff57b00000000000000000000000000ac1414aa2c"], 0xfdef) bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000140)={0x6, 0x3, &(0x7f0000000680)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x90) r1 = bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000440)={0x6, 0x3, &(0x7f0000000680)=ANY=[], &(0x7f00000002c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000600)={r1, 0x5, 0xb68, 0x0, &(0x7f0000000000)='%', 0x0, 0xd01, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2}, 0x48) program did not crash testing program (duration=41.959671019s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$alg-recvmsg$unix-sendmsg$inet-socket$igmp6-setsockopt$IP6T_SO_SET_REPLACE-write$cgroup_subtree-bpf$PROG_LOAD_XDP-bpf$PROG_LOAD_XDP-bpf$BPF_PROG_TEST_RUN detailed listing: executing program 0: socket$alg(0x26, 0x5, 0x0) recvmsg$unix(0xffffffffffffffff, 0x0, 0x0) sendmsg$inet(0xffffffffffffffff, 0x0, 0x0) r0 = socket$igmp6(0xa, 0x3, 0x2) setsockopt$IP6T_SO_SET_REPLACE(r0, 0x29, 0x40, &(0x7f0000000b00)=@raw={'raw\x00', 0x8, 0x3, 0x428, 0xd0, 0xffffffff, 0xffffffff, 0x0, 0xffffffff, 0x358, 0xffffffff, 0xffffffff, 0x358, 0xffffffff, 0x3, 0x0, {[{{@ipv6={@private0, @mcast2, [], [], 'veth0_macvtap\x00', 'dvmrp1\x00'}, 0x0, 0xa8, 0xd0}, @common=@unspec=@NFQUEUE0={0x28}}, {{@ipv6={@remote, @ipv4={'\x00', '\xff\xff', @dev}, [], [], 'wg1\x00', 'gre0\x00'}, 0x0, 0x258, 0x288, 0x0, {}, [@common=@inet=@hashlimit1={{0x58}, {'pim6reg\x00', {0x0, 0x0, 0x5, 0x0, 0x0, 0x7, 0x3ff}}}, @common=@inet=@hashlimit3={{0x158}, {'wg1\x00', {0x3, 0x0, 0x41, 0x0, 0x0, 0x1000, 0x6, 0x3}}}]}, @common=@unspec=@CONNMARK={0x30}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28, '\x00', 0x7}}}}, 0x488) write$cgroup_subtree(0xffffffffffffffff, &(0x7f0000000000)=ANY=[@ANYBLOB="8fedcb7907009875f37538e486dd6317ce6203c23c00fe80000000000000875a65969ff57b00000000000000000000000000ac1414aa2c"], 0xfdef) bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000140)={0x6, 0x3, &(0x7f0000000680)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x90) r1 = bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000440)={0x6, 0x3, &(0x7f0000000680)=ANY=[], &(0x7f00000002c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000600)={r1, 0x5, 0xb68, 0x0, &(0x7f0000000000)='%', 0x0, 0xd01, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2}, 0x48) program crashed: BUG: Bad page state in xdp_test_run_batch testing program (duration=41.959671019s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$alg-sendmsg$inet-socket$igmp6-setsockopt$IP6T_SO_SET_REPLACE-write$cgroup_subtree-bpf$PROG_LOAD_XDP-bpf$PROG_LOAD_XDP-bpf$BPF_PROG_TEST_RUN detailed listing: executing program 0: socket$alg(0x26, 0x5, 0x0) sendmsg$inet(0xffffffffffffffff, 0x0, 0x0) r0 = socket$igmp6(0xa, 0x3, 0x2) setsockopt$IP6T_SO_SET_REPLACE(r0, 0x29, 0x40, &(0x7f0000000b00)=@raw={'raw\x00', 0x8, 0x3, 0x428, 0xd0, 0xffffffff, 0xffffffff, 0x0, 0xffffffff, 0x358, 0xffffffff, 0xffffffff, 0x358, 0xffffffff, 0x3, 0x0, {[{{@ipv6={@private0, @mcast2, [], [], 'veth0_macvtap\x00', 'dvmrp1\x00'}, 0x0, 0xa8, 0xd0}, @common=@unspec=@NFQUEUE0={0x28}}, {{@ipv6={@remote, @ipv4={'\x00', '\xff\xff', @dev}, [], [], 'wg1\x00', 'gre0\x00'}, 0x0, 0x258, 0x288, 0x0, {}, [@common=@inet=@hashlimit1={{0x58}, {'pim6reg\x00', {0x0, 0x0, 0x5, 0x0, 0x0, 0x7, 0x3ff}}}, @common=@inet=@hashlimit3={{0x158}, {'wg1\x00', {0x3, 0x0, 0x41, 0x0, 0x0, 0x1000, 0x6, 0x3}}}]}, @common=@unspec=@CONNMARK={0x30}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28, '\x00', 0x7}}}}, 0x488) write$cgroup_subtree(0xffffffffffffffff, &(0x7f0000000000)=ANY=[@ANYBLOB="8fedcb7907009875f37538e486dd6317ce6203c23c00fe80000000000000875a65969ff57b00000000000000000000000000ac1414aa2c"], 0xfdef) bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000140)={0x6, 0x3, &(0x7f0000000680)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x90) r1 = bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000440)={0x6, 0x3, &(0x7f0000000680)=ANY=[], &(0x7f00000002c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000600)={r1, 0x5, 0xb68, 0x0, &(0x7f0000000000)='%', 0x0, 0xd01, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2}, 0x48) program crashed: BUG: Bad page state in xdp_test_run_batch testing program (duration=41.959671019s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): sendmsg$inet-socket$igmp6-setsockopt$IP6T_SO_SET_REPLACE-write$cgroup_subtree-bpf$PROG_LOAD_XDP-bpf$PROG_LOAD_XDP-bpf$BPF_PROG_TEST_RUN detailed listing: executing program 0: sendmsg$inet(0xffffffffffffffff, 0x0, 0x0) r0 = socket$igmp6(0xa, 0x3, 0x2) setsockopt$IP6T_SO_SET_REPLACE(r0, 0x29, 0x40, &(0x7f0000000b00)=@raw={'raw\x00', 0x8, 0x3, 0x428, 0xd0, 0xffffffff, 0xffffffff, 0x0, 0xffffffff, 0x358, 0xffffffff, 0xffffffff, 0x358, 0xffffffff, 0x3, 0x0, {[{{@ipv6={@private0, @mcast2, [], [], 'veth0_macvtap\x00', 'dvmrp1\x00'}, 0x0, 0xa8, 0xd0}, @common=@unspec=@NFQUEUE0={0x28}}, {{@ipv6={@remote, @ipv4={'\x00', '\xff\xff', @dev}, [], [], 'wg1\x00', 'gre0\x00'}, 0x0, 0x258, 0x288, 0x0, {}, [@common=@inet=@hashlimit1={{0x58}, {'pim6reg\x00', {0x0, 0x0, 0x5, 0x0, 0x0, 0x7, 0x3ff}}}, @common=@inet=@hashlimit3={{0x158}, {'wg1\x00', {0x3, 0x0, 0x41, 0x0, 0x0, 0x1000, 0x6, 0x3}}}]}, @common=@unspec=@CONNMARK={0x30}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28, '\x00', 0x7}}}}, 0x488) write$cgroup_subtree(0xffffffffffffffff, &(0x7f0000000000)=ANY=[@ANYBLOB="8fedcb7907009875f37538e486dd6317ce6203c23c00fe80000000000000875a65969ff57b00000000000000000000000000ac1414aa2c"], 0xfdef) bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000140)={0x6, 0x3, &(0x7f0000000680)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x90) r1 = bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000440)={0x6, 0x3, &(0x7f0000000680)=ANY=[], &(0x7f00000002c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000600)={r1, 0x5, 0xb68, 0x0, &(0x7f0000000000)='%', 0x0, 0xd01, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2}, 0x48) program did not crash testing program (duration=41.959671019s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$alg-sendmsg$inet-socket$igmp6-setsockopt$IP6T_SO_SET_REPLACE-write$cgroup_subtree-bpf$PROG_LOAD_XDP-bpf$PROG_LOAD_XDP-bpf$BPF_PROG_TEST_RUN detailed listing: executing program 0: socket$alg(0x26, 0x5, 0x0) sendmsg$inet(0xffffffffffffffff, 0x0, 0x0) r0 = socket$igmp6(0xa, 0x3, 0x2) setsockopt$IP6T_SO_SET_REPLACE(r0, 0x29, 0x40, 0x0, 0x0) write$cgroup_subtree(0xffffffffffffffff, &(0x7f0000000000)=ANY=[@ANYBLOB="8fedcb7907009875f37538e486dd6317ce6203c23c00fe80000000000000875a65969ff57b00000000000000000000000000ac1414aa2c"], 0xfdef) bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000140)={0x6, 0x3, &(0x7f0000000680)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x90) r1 = bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000440)={0x6, 0x3, &(0x7f0000000680)=ANY=[], &(0x7f00000002c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000600)={r1, 0x5, 0xb68, 0x0, &(0x7f0000000000)='%', 0x0, 0xd01, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2}, 0x48) program did not crash testing program (duration=41.959671019s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$alg-sendmsg$inet-socket$igmp6-setsockopt$IP6T_SO_SET_REPLACE-write$cgroup_subtree-bpf$PROG_LOAD_XDP-bpf$PROG_LOAD_XDP-bpf$BPF_PROG_TEST_RUN detailed listing: executing program 0: socket$alg(0x26, 0x5, 0x0) sendmsg$inet(0xffffffffffffffff, 0x0, 0x0) r0 = socket$igmp6(0xa, 0x3, 0x2) setsockopt$IP6T_SO_SET_REPLACE(r0, 0x29, 0x40, &(0x7f0000000b00)=@raw={'raw\x00', 0x8, 0x3, 0x428, 0xd0, 0xffffffff, 0xffffffff, 0x0, 0xffffffff, 0x358, 0xffffffff, 0xffffffff, 0x358, 0xffffffff, 0x3, 0x0, {[{{@ipv6={@private0, @mcast2, [], [], 'veth0_macvtap\x00', 'dvmrp1\x00'}, 0x0, 0xa8, 0xd0}, @common=@unspec=@NFQUEUE0={0x28}}, {{@ipv6={@remote, @ipv4={'\x00', '\xff\xff', @dev}, [], [], 'wg1\x00', 'gre0\x00'}, 0x0, 0x258, 0x288, 0x0, {}, [@common=@inet=@hashlimit1={{0x58}, {'pim6reg\x00', {0x0, 0x0, 0x5, 0x0, 0x0, 0x7, 0x3ff}}}, @common=@inet=@hashlimit3={{0x158}, {'wg1\x00', {0x3, 0x0, 0x41, 0x0, 0x0, 0x1000, 0x6, 0x3}}}]}, @common=@unspec=@CONNMARK={0x30}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28, '\x00', 0x7}}}}, 0x488) write$cgroup_subtree(0xffffffffffffffff, 0x0, 0xfdef) bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000140)={0x6, 0x3, &(0x7f0000000680)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x90) r1 = bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000440)={0x6, 0x3, &(0x7f0000000680)=ANY=[], &(0x7f00000002c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000600)={r1, 0x5, 0xb68, 0x0, &(0x7f0000000000)='%', 0x0, 0xd01, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2}, 0x48) program did not crash testing program (duration=41.959671019s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$alg-sendmsg$inet-socket$igmp6-setsockopt$IP6T_SO_SET_REPLACE-write$cgroup_subtree-bpf$PROG_LOAD_XDP-bpf$PROG_LOAD_XDP-bpf$BPF_PROG_TEST_RUN detailed listing: executing program 0: socket$alg(0x26, 0x5, 0x0) sendmsg$inet(0xffffffffffffffff, 0x0, 0x0) r0 = socket$igmp6(0xa, 0x3, 0x2) setsockopt$IP6T_SO_SET_REPLACE(r0, 0x29, 0x40, &(0x7f0000000b00)=@raw={'raw\x00', 0x8, 0x3, 0x428, 0xd0, 0xffffffff, 0xffffffff, 0x0, 0xffffffff, 0x358, 0xffffffff, 0xffffffff, 0x358, 0xffffffff, 0x3, 0x0, {[{{@ipv6={@private0, @mcast2, [], [], 'veth0_macvtap\x00', 'dvmrp1\x00'}, 0x0, 0xa8, 0xd0}, @common=@unspec=@NFQUEUE0={0x28}}, {{@ipv6={@remote, @ipv4={'\x00', '\xff\xff', @dev}, [], [], 'wg1\x00', 'gre0\x00'}, 0x0, 0x258, 0x288, 0x0, {}, [@common=@inet=@hashlimit1={{0x58}, {'pim6reg\x00', {0x0, 0x0, 0x5, 0x0, 0x0, 0x7, 0x3ff}}}, @common=@inet=@hashlimit3={{0x158}, {'wg1\x00', {0x3, 0x0, 0x41, 0x0, 0x0, 0x1000, 0x6, 0x3}}}]}, @common=@unspec=@CONNMARK={0x30}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28, '\x00', 0x7}}}}, 0x488) write$cgroup_subtree(0xffffffffffffffff, &(0x7f0000000000)=ANY=[@ANYBLOB], 0xfdef) bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000140)={0x6, 0x3, &(0x7f0000000680)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x90) r1 = bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000440)={0x6, 0x3, &(0x7f0000000680)=ANY=[], &(0x7f00000002c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000600)={r1, 0x5, 0xb68, 0x0, &(0x7f0000000000)='%', 0x0, 0xd01, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2}, 0x48) program did not crash testing program (duration=41.959671019s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$alg-sendmsg$inet-socket$igmp6-setsockopt$IP6T_SO_SET_REPLACE-write$cgroup_subtree-bpf$PROG_LOAD_XDP-bpf$PROG_LOAD_XDP-bpf$BPF_PROG_TEST_RUN detailed listing: executing program 0: socket$alg(0x26, 0x5, 0x0) sendmsg$inet(0xffffffffffffffff, 0x0, 0x0) r0 = socket$igmp6(0xa, 0x3, 0x2) setsockopt$IP6T_SO_SET_REPLACE(r0, 0x29, 0x40, &(0x7f0000000b00)=@raw={'raw\x00', 0x8, 0x3, 0x428, 0xd0, 0xffffffff, 0xffffffff, 0x0, 0xffffffff, 0x358, 0xffffffff, 0xffffffff, 0x358, 0xffffffff, 0x3, 0x0, {[{{@ipv6={@private0, @mcast2, [], [], 'veth0_macvtap\x00', 'dvmrp1\x00'}, 0x0, 0xa8, 0xd0}, @common=@unspec=@NFQUEUE0={0x28}}, {{@ipv6={@remote, @ipv4={'\x00', '\xff\xff', @dev}, [], [], 'wg1\x00', 'gre0\x00'}, 0x0, 0x258, 0x288, 0x0, {}, [@common=@inet=@hashlimit1={{0x58}, {'pim6reg\x00', {0x0, 0x0, 0x5, 0x0, 0x0, 0x7, 0x3ff}}}, @common=@inet=@hashlimit3={{0x158}, {'wg1\x00', {0x3, 0x0, 0x41, 0x0, 0x0, 0x1000, 0x6, 0x3}}}]}, @common=@unspec=@CONNMARK={0x30}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28, '\x00', 0x7}}}}, 0x488) write$cgroup_subtree(0xffffffffffffffff, &(0x7f0000000000)=ANY=[@ANYBLOB="8fedcb7907009875f37538e486dd6317ce6203c23c00fe80000000000000875a65969ff57b00000000000000000000000000ac1414aa2c"], 0xfdef) bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0) r1 = bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000440)={0x6, 0x3, &(0x7f0000000680)=ANY=[], &(0x7f00000002c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000600)={r1, 0x5, 0xb68, 0x0, &(0x7f0000000000)='%', 0x0, 0xd01, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2}, 0x48) program did not crash testing program (duration=41.959671019s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$alg-sendmsg$inet-socket$igmp6-setsockopt$IP6T_SO_SET_REPLACE-write$cgroup_subtree-bpf$PROG_LOAD_XDP-bpf$PROG_LOAD_XDP-bpf$BPF_PROG_TEST_RUN detailed listing: executing program 0: socket$alg(0x26, 0x5, 0x0) sendmsg$inet(0xffffffffffffffff, 0x0, 0x0) r0 = socket$igmp6(0xa, 0x3, 0x2) setsockopt$IP6T_SO_SET_REPLACE(r0, 0x29, 0x40, &(0x7f0000000b00)=@raw={'raw\x00', 0x8, 0x3, 0x428, 0xd0, 0xffffffff, 0xffffffff, 0x0, 0xffffffff, 0x358, 0xffffffff, 0xffffffff, 0x358, 0xffffffff, 0x3, 0x0, {[{{@ipv6={@private0, @mcast2, [], [], 'veth0_macvtap\x00', 'dvmrp1\x00'}, 0x0, 0xa8, 0xd0}, @common=@unspec=@NFQUEUE0={0x28}}, {{@ipv6={@remote, @ipv4={'\x00', '\xff\xff', @dev}, [], [], 'wg1\x00', 'gre0\x00'}, 0x0, 0x258, 0x288, 0x0, {}, [@common=@inet=@hashlimit1={{0x58}, {'pim6reg\x00', {0x0, 0x0, 0x5, 0x0, 0x0, 0x7, 0x3ff}}}, @common=@inet=@hashlimit3={{0x158}, {'wg1\x00', {0x3, 0x0, 0x41, 0x0, 0x0, 0x1000, 0x6, 0x3}}}]}, @common=@unspec=@CONNMARK={0x30}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28, '\x00', 0x7}}}}, 0x488) write$cgroup_subtree(0xffffffffffffffff, &(0x7f0000000000)=ANY=[@ANYBLOB="8fedcb7907009875f37538e486dd6317ce6203c23c00fe80000000000000875a65969ff57b00000000000000000000000000ac1414aa2c"], 0xfdef) bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000140)={0x6, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) r1 = bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000440)={0x6, 0x3, &(0x7f0000000680)=ANY=[], &(0x7f00000002c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000600)={r1, 0x5, 0xb68, 0x0, &(0x7f0000000000)='%', 0x0, 0xd01, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2}, 0x48) program did not crash testing program (duration=41.959671019s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$alg-sendmsg$inet-socket$igmp6-setsockopt$IP6T_SO_SET_REPLACE-write$cgroup_subtree-bpf$PROG_LOAD_XDP-bpf$PROG_LOAD_XDP-bpf$BPF_PROG_TEST_RUN detailed listing: executing program 0: socket$alg(0x26, 0x5, 0x0) sendmsg$inet(0xffffffffffffffff, 0x0, 0x0) r0 = socket$igmp6(0xa, 0x3, 0x2) setsockopt$IP6T_SO_SET_REPLACE(r0, 0x29, 0x40, &(0x7f0000000b00)=@raw={'raw\x00', 0x8, 0x3, 0x428, 0xd0, 0xffffffff, 0xffffffff, 0x0, 0xffffffff, 0x358, 0xffffffff, 0xffffffff, 0x358, 0xffffffff, 0x3, 0x0, {[{{@ipv6={@private0, @mcast2, [], [], 'veth0_macvtap\x00', 'dvmrp1\x00'}, 0x0, 0xa8, 0xd0}, @common=@unspec=@NFQUEUE0={0x28}}, {{@ipv6={@remote, @ipv4={'\x00', '\xff\xff', @dev}, [], [], 'wg1\x00', 'gre0\x00'}, 0x0, 0x258, 0x288, 0x0, {}, [@common=@inet=@hashlimit1={{0x58}, {'pim6reg\x00', {0x0, 0x0, 0x5, 0x0, 0x0, 0x7, 0x3ff}}}, @common=@inet=@hashlimit3={{0x158}, {'wg1\x00', {0x3, 0x0, 0x41, 0x0, 0x0, 0x1000, 0x6, 0x3}}}]}, @common=@unspec=@CONNMARK={0x30}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28, '\x00', 0x7}}}}, 0x488) write$cgroup_subtree(0xffffffffffffffff, &(0x7f0000000000)=ANY=[@ANYBLOB="8fedcb7907009875f37538e486dd6317ce6203c23c00fe80000000000000875a65969ff57b00000000000000000000000000ac1414aa2c"], 0xfdef) bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000140)={0x6, 0x3, &(0x7f0000000680)=ANY=[@ANYBLOB], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) r1 = bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000440)={0x6, 0x3, &(0x7f0000000680)=ANY=[], &(0x7f00000002c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000600)={r1, 0x5, 0xb68, 0x0, &(0x7f0000000000)='%', 0x0, 0xd01, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2}, 0x48) program did not crash testing program (duration=41.959671019s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$alg-sendmsg$inet-socket$igmp6-setsockopt$IP6T_SO_SET_REPLACE-write$cgroup_subtree-bpf$PROG_LOAD_XDP-bpf$PROG_LOAD_XDP-bpf$BPF_PROG_TEST_RUN detailed listing: executing program 0: socket$alg(0x26, 0x5, 0x0) sendmsg$inet(0xffffffffffffffff, 0x0, 0x0) r0 = socket$igmp6(0xa, 0x3, 0x2) setsockopt$IP6T_SO_SET_REPLACE(r0, 0x29, 0x40, &(0x7f0000000b00)=@raw={'raw\x00', 0x8, 0x3, 0x428, 0xd0, 0xffffffff, 0xffffffff, 0x0, 0xffffffff, 0x358, 0xffffffff, 0xffffffff, 0x358, 0xffffffff, 0x3, 0x0, {[{{@ipv6={@private0, @mcast2, [], [], 'veth0_macvtap\x00', 'dvmrp1\x00'}, 0x0, 0xa8, 0xd0}, @common=@unspec=@NFQUEUE0={0x28}}, {{@ipv6={@remote, @ipv4={'\x00', '\xff\xff', @dev}, [], [], 'wg1\x00', 'gre0\x00'}, 0x0, 0x258, 0x288, 0x0, {}, [@common=@inet=@hashlimit1={{0x58}, {'pim6reg\x00', {0x0, 0x0, 0x5, 0x0, 0x0, 0x7, 0x3ff}}}, @common=@inet=@hashlimit3={{0x158}, {'wg1\x00', {0x3, 0x0, 0x41, 0x0, 0x0, 0x1000, 0x6, 0x3}}}]}, @common=@unspec=@CONNMARK={0x30}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28, '\x00', 0x7}}}}, 0x488) write$cgroup_subtree(0xffffffffffffffff, &(0x7f0000000000)=ANY=[@ANYBLOB="8fedcb7907009875f37538e486dd6317ce6203c23c00fe80000000000000875a65969ff57b00000000000000000000000000ac1414aa2c"], 0xfdef) bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000140)={0x6, 0x3, &(0x7f0000000680)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x90) r1 = bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000600)={r1, 0x5, 0xb68, 0x0, &(0x7f0000000000)='%', 0x0, 0xd01, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2}, 0x48) program did not crash testing program (duration=41.959671019s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$alg-sendmsg$inet-socket$igmp6-setsockopt$IP6T_SO_SET_REPLACE-write$cgroup_subtree-bpf$PROG_LOAD_XDP-bpf$PROG_LOAD_XDP-bpf$BPF_PROG_TEST_RUN detailed listing: executing program 0: socket$alg(0x26, 0x5, 0x0) sendmsg$inet(0xffffffffffffffff, 0x0, 0x0) r0 = socket$igmp6(0xa, 0x3, 0x2) setsockopt$IP6T_SO_SET_REPLACE(r0, 0x29, 0x40, &(0x7f0000000b00)=@raw={'raw\x00', 0x8, 0x3, 0x428, 0xd0, 0xffffffff, 0xffffffff, 0x0, 0xffffffff, 0x358, 0xffffffff, 0xffffffff, 0x358, 0xffffffff, 0x3, 0x0, {[{{@ipv6={@private0, @mcast2, [], [], 'veth0_macvtap\x00', 'dvmrp1\x00'}, 0x0, 0xa8, 0xd0}, @common=@unspec=@NFQUEUE0={0x28}}, {{@ipv6={@remote, @ipv4={'\x00', '\xff\xff', @dev}, [], [], 'wg1\x00', 'gre0\x00'}, 0x0, 0x258, 0x288, 0x0, {}, [@common=@inet=@hashlimit1={{0x58}, {'pim6reg\x00', {0x0, 0x0, 0x5, 0x0, 0x0, 0x7, 0x3ff}}}, @common=@inet=@hashlimit3={{0x158}, {'wg1\x00', {0x3, 0x0, 0x41, 0x0, 0x0, 0x1000, 0x6, 0x3}}}]}, @common=@unspec=@CONNMARK={0x30}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28, '\x00', 0x7}}}}, 0x488) write$cgroup_subtree(0xffffffffffffffff, &(0x7f0000000000)=ANY=[@ANYBLOB="8fedcb7907009875f37538e486dd6317ce6203c23c00fe80000000000000875a65969ff57b00000000000000000000000000ac1414aa2c"], 0xfdef) bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000140)={0x6, 0x3, &(0x7f0000000680)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x90) r1 = bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000440)={0x6, 0x3, 0x0, &(0x7f00000002c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000600)={r1, 0x5, 0xb68, 0x0, &(0x7f0000000000)='%', 0x0, 0xd01, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2}, 0x48) program did not crash testing program (duration=41.959671019s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$alg-sendmsg$inet-socket$igmp6-setsockopt$IP6T_SO_SET_REPLACE-write$cgroup_subtree-bpf$PROG_LOAD_XDP-bpf$PROG_LOAD_XDP-bpf$BPF_PROG_TEST_RUN detailed listing: executing program 0: socket$alg(0x26, 0x5, 0x0) sendmsg$inet(0xffffffffffffffff, 0x0, 0x0) r0 = socket$igmp6(0xa, 0x3, 0x2) setsockopt$IP6T_SO_SET_REPLACE(r0, 0x29, 0x40, &(0x7f0000000b00)=@raw={'raw\x00', 0x8, 0x3, 0x428, 0xd0, 0xffffffff, 0xffffffff, 0x0, 0xffffffff, 0x358, 0xffffffff, 0xffffffff, 0x358, 0xffffffff, 0x3, 0x0, {[{{@ipv6={@private0, @mcast2, [], [], 'veth0_macvtap\x00', 'dvmrp1\x00'}, 0x0, 0xa8, 0xd0}, @common=@unspec=@NFQUEUE0={0x28}}, {{@ipv6={@remote, @ipv4={'\x00', '\xff\xff', @dev}, [], [], 'wg1\x00', 'gre0\x00'}, 0x0, 0x258, 0x288, 0x0, {}, [@common=@inet=@hashlimit1={{0x58}, {'pim6reg\x00', {0x0, 0x0, 0x5, 0x0, 0x0, 0x7, 0x3ff}}}, @common=@inet=@hashlimit3={{0x158}, {'wg1\x00', {0x3, 0x0, 0x41, 0x0, 0x0, 0x1000, 0x6, 0x3}}}]}, @common=@unspec=@CONNMARK={0x30}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28, '\x00', 0x7}}}}, 0x488) write$cgroup_subtree(0xffffffffffffffff, &(0x7f0000000000)=ANY=[@ANYBLOB="8fedcb7907009875f37538e486dd6317ce6203c23c00fe80000000000000875a65969ff57b00000000000000000000000000ac1414aa2c"], 0xfdef) bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000140)={0x6, 0x3, &(0x7f0000000680)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x90) r1 = bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000440)={0x6, 0x3, &(0x7f0000000680)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000600)={r1, 0x5, 0xb68, 0x0, &(0x7f0000000000)='%', 0x0, 0xd01, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2}, 0x48) program did not crash testing program (duration=41.959671019s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$alg-sendmsg$inet-socket$igmp6-setsockopt$IP6T_SO_SET_REPLACE-write$cgroup_subtree-bpf$PROG_LOAD_XDP-bpf$PROG_LOAD_XDP-bpf$BPF_PROG_TEST_RUN detailed listing: executing program 0: socket$alg(0x26, 0x5, 0x0) sendmsg$inet(0xffffffffffffffff, 0x0, 0x0) r0 = socket$igmp6(0xa, 0x3, 0x2) setsockopt$IP6T_SO_SET_REPLACE(r0, 0x29, 0x40, &(0x7f0000000b00)=@raw={'raw\x00', 0x8, 0x3, 0x428, 0xd0, 0xffffffff, 0xffffffff, 0x0, 0xffffffff, 0x358, 0xffffffff, 0xffffffff, 0x358, 0xffffffff, 0x3, 0x0, {[{{@ipv6={@private0, @mcast2, [], [], 'veth0_macvtap\x00', 'dvmrp1\x00'}, 0x0, 0xa8, 0xd0}, @common=@unspec=@NFQUEUE0={0x28}}, {{@ipv6={@remote, @ipv4={'\x00', '\xff\xff', @dev}, [], [], 'wg1\x00', 'gre0\x00'}, 0x0, 0x258, 0x288, 0x0, {}, [@common=@inet=@hashlimit1={{0x58}, {'pim6reg\x00', {0x0, 0x0, 0x5, 0x0, 0x0, 0x7, 0x3ff}}}, @common=@inet=@hashlimit3={{0x158}, {'wg1\x00', {0x3, 0x0, 0x41, 0x0, 0x0, 0x1000, 0x6, 0x3}}}]}, @common=@unspec=@CONNMARK={0x30}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28, '\x00', 0x7}}}}, 0x488) write$cgroup_subtree(0xffffffffffffffff, &(0x7f0000000000)=ANY=[@ANYBLOB="8fedcb7907009875f37538e486dd6317ce6203c23c00fe80000000000000875a65969ff57b00000000000000000000000000ac1414aa2c"], 0xfdef) bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000140)={0x6, 0x3, &(0x7f0000000680)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x90) bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000440)={0x6, 0x3, &(0x7f0000000680)=ANY=[], &(0x7f00000002c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) bpf$BPF_PROG_TEST_RUN(0xa, 0x0, 0x0) program did not crash testing program (duration=41.959671019s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$alg-sendmsg$inet-socket$igmp6-setsockopt$IP6T_SO_SET_REPLACE-write$cgroup_subtree-bpf$PROG_LOAD_XDP-bpf$PROG_LOAD_XDP-bpf$BPF_PROG_TEST_RUN detailed listing: executing program 0: socket$alg(0x26, 0x5, 0x0) sendmsg$inet(0xffffffffffffffff, 0x0, 0x0) r0 = socket$igmp6(0xa, 0x3, 0x2) setsockopt$IP6T_SO_SET_REPLACE(r0, 0x29, 0x40, &(0x7f0000000b00)=@raw={'raw\x00', 0x8, 0x3, 0x428, 0xd0, 0xffffffff, 0xffffffff, 0x0, 0xffffffff, 0x358, 0xffffffff, 0xffffffff, 0x358, 0xffffffff, 0x3, 0x0, {[{{@ipv6={@private0, @mcast2, [], [], 'veth0_macvtap\x00', 'dvmrp1\x00'}, 0x0, 0xa8, 0xd0}, @common=@unspec=@NFQUEUE0={0x28}}, {{@ipv6={@remote, @ipv4={'\x00', '\xff\xff', @dev}, [], [], 'wg1\x00', 'gre0\x00'}, 0x0, 0x258, 0x288, 0x0, {}, [@common=@inet=@hashlimit1={{0x58}, {'pim6reg\x00', {0x0, 0x0, 0x5, 0x0, 0x0, 0x7, 0x3ff}}}, @common=@inet=@hashlimit3={{0x158}, {'wg1\x00', {0x3, 0x0, 0x41, 0x0, 0x0, 0x1000, 0x6, 0x3}}}]}, @common=@unspec=@CONNMARK={0x30}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28, '\x00', 0x7}}}}, 0x488) write$cgroup_subtree(0xffffffffffffffff, &(0x7f0000000000)=ANY=[@ANYBLOB="8fedcb7907009875f37538e486dd6317ce6203c23c00fe80000000000000875a65969ff57b00000000000000000000000000ac1414aa2c"], 0xfdef) bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000140)={0x6, 0x3, &(0x7f0000000680)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x90) r1 = bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000440)={0x6, 0x3, &(0x7f0000000680)=ANY=[], &(0x7f00000002c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000600)={r1, 0x5, 0x0, 0x0, 0x0, 0x0, 0xd01, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2}, 0x50) program did not crash testing program (duration=41.959671019s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$alg-sendmsg$inet-socket$igmp6-setsockopt$IP6T_SO_SET_REPLACE-write$cgroup_subtree-bpf$PROG_LOAD_XDP-bpf$PROG_LOAD_XDP-bpf$BPF_PROG_TEST_RUN detailed listing: executing program 0: socket$alg(0x26, 0x5, 0x0) sendmsg$inet(0xffffffffffffffff, 0x0, 0x0) r0 = socket$igmp6(0xa, 0x3, 0x2) setsockopt$IP6T_SO_SET_REPLACE(r0, 0x29, 0x40, &(0x7f0000000b00)=@raw={'raw\x00', 0x8, 0x3, 0x428, 0xd0, 0xffffffff, 0xffffffff, 0x0, 0xffffffff, 0x358, 0xffffffff, 0xffffffff, 0x358, 0xffffffff, 0x3, 0x0, {[{{@ipv6={@private0, @mcast2, [], [], 'veth0_macvtap\x00', 'dvmrp1\x00'}, 0x0, 0xa8, 0xd0}, @common=@unspec=@NFQUEUE0={0x28}}, {{@ipv6={@remote, @ipv4={'\x00', '\xff\xff', @dev}, [], [], 'wg1\x00', 'gre0\x00'}, 0x0, 0x258, 0x288, 0x0, {}, [@common=@inet=@hashlimit1={{0x58}, {'pim6reg\x00', {0x0, 0x0, 0x5, 0x0, 0x0, 0x7, 0x3ff}}}, @common=@inet=@hashlimit3={{0x158}, {'wg1\x00', {0x3, 0x0, 0x41, 0x0, 0x0, 0x1000, 0x6, 0x3}}}]}, @common=@unspec=@CONNMARK={0x30}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28, '\x00', 0x7}}}}, 0x488) write$cgroup_subtree(0xffffffffffffffff, &(0x7f0000000000)=ANY=[@ANYBLOB="8fedcb7907009875f37538e486dd6317ce6203c23c00fe80000000000000875a65969ff57b00000000000000000000000000ac1414aa2c"], 0xfdef) bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000140)={0x6, 0x3, &(0x7f0000000680)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x90) r1 = bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000440)={0x6, 0x3, &(0x7f0000000680)=ANY=[], &(0x7f00000002c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000600)={r1, 0x5, 0x0, 0x0, &(0x7f0000000000), 0x0, 0xd01, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2}, 0x50) program did not crash extracting C reproducer testing compiled C program (duration=41.959671019s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$alg-sendmsg$inet-socket$igmp6-setsockopt$IP6T_SO_SET_REPLACE-write$cgroup_subtree-bpf$PROG_LOAD_XDP-bpf$PROG_LOAD_XDP-bpf$BPF_PROG_TEST_RUN program did not crash simplifying guilty program options testing program (duration=41.959671019s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$alg-sendmsg$inet-socket$igmp6-setsockopt$IP6T_SO_SET_REPLACE-write$cgroup_subtree-bpf$PROG_LOAD_XDP-bpf$PROG_LOAD_XDP-bpf$BPF_PROG_TEST_RUN detailed listing: executing program 0: socket$alg(0x26, 0x5, 0x0) sendmsg$inet(0xffffffffffffffff, 0x0, 0x0) r0 = socket$igmp6(0xa, 0x3, 0x2) setsockopt$IP6T_SO_SET_REPLACE(r0, 0x29, 0x40, &(0x7f0000000b00)=@raw={'raw\x00', 0x8, 0x3, 0x428, 0xd0, 0xffffffff, 0xffffffff, 0x0, 0xffffffff, 0x358, 0xffffffff, 0xffffffff, 0x358, 0xffffffff, 0x3, 0x0, {[{{@ipv6={@private0, @mcast2, [], [], 'veth0_macvtap\x00', 'dvmrp1\x00'}, 0x0, 0xa8, 0xd0}, @common=@unspec=@NFQUEUE0={0x28}}, {{@ipv6={@remote, @ipv4={'\x00', '\xff\xff', @dev}, [], [], 'wg1\x00', 'gre0\x00'}, 0x0, 0x258, 0x288, 0x0, {}, [@common=@inet=@hashlimit1={{0x58}, {'pim6reg\x00', {0x0, 0x0, 0x5, 0x0, 0x0, 0x7, 0x3ff}}}, @common=@inet=@hashlimit3={{0x158}, {'wg1\x00', {0x3, 0x0, 0x41, 0x0, 0x0, 0x1000, 0x6, 0x3}}}]}, @common=@unspec=@CONNMARK={0x30}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28, '\x00', 0x7}}}}, 0x488) write$cgroup_subtree(0xffffffffffffffff, &(0x7f0000000000)=ANY=[@ANYBLOB="8fedcb7907009875f37538e486dd6317ce6203c23c00fe80000000000000875a65969ff57b00000000000000000000000000ac1414aa2c"], 0xfdef) bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000140)={0x6, 0x3, &(0x7f0000000680)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x90) r1 = bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000440)={0x6, 0x3, &(0x7f0000000680)=ANY=[], &(0x7f00000002c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000600)={r1, 0x5, 0xb68, 0x0, &(0x7f0000000000)='%', 0x0, 0xd01, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2}, 0x48) program did not crash testing program (duration=41.959671019s, {Threaded:true Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$alg-sendmsg$inet-socket$igmp6-setsockopt$IP6T_SO_SET_REPLACE-write$cgroup_subtree-bpf$PROG_LOAD_XDP-bpf$PROG_LOAD_XDP-bpf$BPF_PROG_TEST_RUN detailed listing: executing program 0: socket$alg(0x26, 0x5, 0x0) sendmsg$inet(0xffffffffffffffff, 0x0, 0x0) r0 = socket$igmp6(0xa, 0x3, 0x2) setsockopt$IP6T_SO_SET_REPLACE(r0, 0x29, 0x40, &(0x7f0000000b00)=@raw={'raw\x00', 0x8, 0x3, 0x428, 0xd0, 0xffffffff, 0xffffffff, 0x0, 0xffffffff, 0x358, 0xffffffff, 0xffffffff, 0x358, 0xffffffff, 0x3, 0x0, {[{{@ipv6={@private0, @mcast2, [], [], 'veth0_macvtap\x00', 'dvmrp1\x00'}, 0x0, 0xa8, 0xd0}, @common=@unspec=@NFQUEUE0={0x28}}, {{@ipv6={@remote, @ipv4={'\x00', '\xff\xff', @dev}, [], [], 'wg1\x00', 'gre0\x00'}, 0x0, 0x258, 0x288, 0x0, {}, [@common=@inet=@hashlimit1={{0x58}, {'pim6reg\x00', {0x0, 0x0, 0x5, 0x0, 0x0, 0x7, 0x3ff}}}, @common=@inet=@hashlimit3={{0x158}, {'wg1\x00', {0x3, 0x0, 0x41, 0x0, 0x0, 0x1000, 0x6, 0x3}}}]}, @common=@unspec=@CONNMARK={0x30}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28, '\x00', 0x7}}}}, 0x488) write$cgroup_subtree(0xffffffffffffffff, &(0x7f0000000000)=ANY=[@ANYBLOB="8fedcb7907009875f37538e486dd6317ce6203c23c00fe80000000000000875a65969ff57b00000000000000000000000000ac1414aa2c"], 0xfdef) bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000140)={0x6, 0x3, &(0x7f0000000680)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x90) r1 = bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000440)={0x6, 0x3, &(0x7f0000000680)=ANY=[], &(0x7f00000002c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000600)={r1, 0x5, 0xb68, 0x0, &(0x7f0000000000)='%', 0x0, 0xd01, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2}, 0x48) program did not crash testing program (duration=41.959671019s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$alg-sendmsg$inet-socket$igmp6-setsockopt$IP6T_SO_SET_REPLACE-write$cgroup_subtree-bpf$PROG_LOAD_XDP-bpf$PROG_LOAD_XDP-bpf$BPF_PROG_TEST_RUN detailed listing: executing program 0: socket$alg(0x26, 0x5, 0x0) sendmsg$inet(0xffffffffffffffff, 0x0, 0x0) r0 = socket$igmp6(0xa, 0x3, 0x2) setsockopt$IP6T_SO_SET_REPLACE(r0, 0x29, 0x40, &(0x7f0000000b00)=@raw={'raw\x00', 0x8, 0x3, 0x428, 0xd0, 0xffffffff, 0xffffffff, 0x0, 0xffffffff, 0x358, 0xffffffff, 0xffffffff, 0x358, 0xffffffff, 0x3, 0x0, {[{{@ipv6={@private0, @mcast2, [], [], 'veth0_macvtap\x00', 'dvmrp1\x00'}, 0x0, 0xa8, 0xd0}, @common=@unspec=@NFQUEUE0={0x28}}, {{@ipv6={@remote, @ipv4={'\x00', '\xff\xff', @dev}, [], [], 'wg1\x00', 'gre0\x00'}, 0x0, 0x258, 0x288, 0x0, {}, [@common=@inet=@hashlimit1={{0x58}, {'pim6reg\x00', {0x0, 0x0, 0x5, 0x0, 0x0, 0x7, 0x3ff}}}, @common=@inet=@hashlimit3={{0x158}, {'wg1\x00', {0x3, 0x0, 0x41, 0x0, 0x0, 0x1000, 0x6, 0x3}}}]}, @common=@unspec=@CONNMARK={0x30}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28, '\x00', 0x7}}}}, 0x488) write$cgroup_subtree(0xffffffffffffffff, &(0x7f0000000000)=ANY=[@ANYBLOB="8fedcb7907009875f37538e486dd6317ce6203c23c00fe80000000000000875a65969ff57b00000000000000000000000000ac1414aa2c"], 0xfdef) bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000140)={0x6, 0x3, &(0x7f0000000680)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x90) r1 = bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000440)={0x6, 0x3, &(0x7f0000000680)=ANY=[], &(0x7f00000002c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000600)={r1, 0x5, 0xb68, 0x0, &(0x7f0000000000)='%', 0x0, 0xd01, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2}, 0x48) program did not crash reproducing took 22m25.153294238s repro crashed as (corrupted=false): BUG: Bad page state in process syz.1.132 pfn:303aa page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880303aa3e0 pfn:0x303aa flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff8880303aa3e0 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655604114, free_ts 70606146413 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Not tainted 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:31a1f page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888031a1fc98 pfn:0x31a1f flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff888031a1fc98 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655599221, free_ts 70606149931 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:4d463 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0x4d463 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655594596, free_ts 70606153216 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:24b4a page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888024b4ad00 pfn:0x24b4a flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff888024b4ad00 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655589868, free_ts 70606156813 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:4f733 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0x4f733 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655585295, free_ts 70606160103 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:4f732 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88804f732000 pfn:0x4f732 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff88804f732000 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655580102, free_ts 70606163214 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:4d461 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0x4d461 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655575564, free_ts 70606166308 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:4d460 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88804d461e00 pfn:0x4d460 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff88804d461e00 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655570893, free_ts 70606170006 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:29c39 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0x29c39 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655566196, free_ts 70606173308 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:29597 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880295971e0 pfn:0x29597 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff8880295971e0 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655561171, free_ts 70606177858 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:31dd7 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888031dd7f00 pfn:0x31dd7 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff888031dd7f00 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655556083, free_ts 70606808309 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:4c829 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88804c829f00 pfn:0x4c829 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff88804c829f00 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655551403, free_ts 70606813909 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:27f81 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0x27f81 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655546485, free_ts 70606818453 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:2c67f page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888000000002 pfn:0x2c67f flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff888000000002 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655541724, free_ts 70607468704 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:4db4b page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0x4db4b flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655536952, free_ts 70607476740 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:4baca page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88804bacbe00 pfn:0x4baca flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff88804bacbe00 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655532328, free_ts 70607481630 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:24bbf page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888024bbf7c0 pfn:0x24bbf flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff888024bbf7c0 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655527568, free_ts 70607485253 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:499e0 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880499e1e00 pfn:0x499e0 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff8880499e1e00 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655522707, free_ts 70607488905 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:274a9 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888000000002 pfn:0x274a9 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff888000000002 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655517803, free_ts 70607492457 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:4c325 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88804c325e88 pfn:0x4c325 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff88804c325e88 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655513138, free_ts 70607497030 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:31822 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888031823e00 pfn:0x31822 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff888031823e00 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655508425, free_ts 70607500658 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:32620 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880326202d0 pfn:0x32620 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff8880326202d0 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655503717, free_ts 70607504696 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:2534e page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88802534e1f0 pfn:0x2534e flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff88802534e1f0 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655499054, free_ts 70607508566 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:3604b page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88803604b960 pfn:0x3604b flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff88803604b960 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655494309, free_ts 70607512132 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:27e19 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888027e190f0 pfn:0x27e19 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff888027e190f0 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655489476, free_ts 70607517383 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:2cd64 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88802cd65e00 pfn:0x2cd64 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff88802cd65e00 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655484744, free_ts 70607748058 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:2a224 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88802a224780 pfn:0x2a224 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff88802a224780 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655479974, free_ts 70607754139 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:28f75 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0x28f75 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655475307, free_ts 70607760714 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:2f3ae page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88802f3ae360 pfn:0x2f3ae flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff88802f3ae360 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655470381, free_ts 70607766442 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:4dda0 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88804dda0000 pfn:0x4dda0 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff88804dda0000 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655465410, free_ts 70607773004 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:24a97 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0x24a97 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655460754, free_ts 70607778438 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:4c6d3 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0x4c6d3 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655455880, free_ts 70607784574 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:311d2 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880311d3e00 pfn:0x311d2 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff8880311d3e00 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655451080, free_ts 70607791619 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:49834 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888049835e00 pfn:0x49834 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff888049835e00 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655446321, free_ts 70607797475 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:4bacb page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0x4bacb flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655441671, free_ts 70607803555 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:256fa page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880256fbe00 pfn:0x256fa flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff8880256fbe00 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655436950, free_ts 70607809220 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:32185 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880321852d0 pfn:0x32185 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff8880321852d0 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655432187, free_ts 70607816255 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:29c3a page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888029c3be00 pfn:0x29c3a flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff888029c3be00 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655427511, free_ts 70608499423 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 64 tgid 64 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 do_softirq kernel/softirq.c:455 [inline] do_softirq+0xb2/0xf0 kernel/softirq.c:442 __local_bh_enable_ip+0x100/0x120 kernel/softirq.c:382 ipv6_get_lladdr+0x299/0x4f0 net/ipv6/addrconf.c:1936 mld_newpack.isra.0+0x3a1/0x790 net/ipv6/mcast.c:1755 add_grhead+0x299/0x340 net/ipv6/mcast.c:1850 add_grec+0x111e/0x1670 net/ipv6/mcast.c:1988 mld_send_cr net/ipv6/mcast.c:2114 [inline] mld_ifc_work+0x41f/0xca0 net/ipv6/mcast.c:2651 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:270c5 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880270c54b0 pfn:0x270c5 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff8880270c54b0 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655422728, free_ts 70608508731 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 64 tgid 64 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 do_softirq kernel/softirq.c:455 [inline] do_softirq+0xb2/0xf0 kernel/softirq.c:442 __local_bh_enable_ip+0x100/0x120 kernel/softirq.c:382 ipv6_get_lladdr+0x299/0x4f0 net/ipv6/addrconf.c:1936 mld_newpack.isra.0+0x3a1/0x790 net/ipv6/mcast.c:1755 add_grhead+0x299/0x340 net/ipv6/mcast.c:1850 add_grec+0x111e/0x1670 net/ipv6/mcast.c:1988 mld_send_cr net/ipv6/mcast.c:2114 [inline] mld_ifc_work+0x41f/0xca0 net/ipv6/mcast.c:2651 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:2a25d page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0x2a25d flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655417825, free_ts 70608512795 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 64 tgid 64 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 do_softirq kernel/softirq.c:455 [inline] do_softirq+0xb2/0xf0 kernel/softirq.c:442 __local_bh_enable_ip+0x100/0x120 kernel/softirq.c:382 ipv6_get_lladdr+0x299/0x4f0 net/ipv6/addrconf.c:1936 mld_newpack.isra.0+0x3a1/0x790 net/ipv6/mcast.c:1755 add_grhead+0x299/0x340 net/ipv6/mcast.c:1850 add_grec+0x111e/0x1670 net/ipv6/mcast.c:1988 mld_send_cr net/ipv6/mcast.c:2114 [inline] mld_ifc_work+0x41f/0xca0 net/ipv6/mcast.c:2651 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:31fa4 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888031fa4000 pfn:0x31fa4 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff888031fa4000 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655412945, free_ts 70608516787 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 64 tgid 64 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 do_softirq kernel/softirq.c:455 [inline] do_softirq+0xb2/0xf0 kernel/softirq.c:442 __local_bh_enable_ip+0x100/0x120 kernel/softirq.c:382 ipv6_get_lladdr+0x299/0x4f0 net/ipv6/addrconf.c:1936 mld_newpack.isra.0+0x3a1/0x790 net/ipv6/mcast.c:1755 add_grhead+0x299/0x340 net/ipv6/mcast.c:1850 add_grec+0x111e/0x1670 net/ipv6/mcast.c:1988 mld_send_cr net/ipv6/mcast.c:2114 [inline] mld_ifc_work+0x41f/0xca0 net/ipv6/mcast.c:2651 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:31ab3 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888031ab31e0 pfn:0x31ab3 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff888031ab31e0 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655408009, free_ts 70608522030 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 64 tgid 64 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 do_softirq kernel/softirq.c:455 [inline] do_softirq+0xb2/0xf0 kernel/softirq.c:442 __local_bh_enable_ip+0x100/0x120 kernel/softirq.c:382 ipv6_get_lladdr+0x299/0x4f0 net/ipv6/addrconf.c:1936 mld_newpack.isra.0+0x3a1/0x790 net/ipv6/mcast.c:1755 add_grhead+0x299/0x340 net/ipv6/mcast.c:1850 add_grec+0x111e/0x1670 net/ipv6/mcast.c:1988 mld_send_cr net/ipv6/mcast.c:2114 [inline] mld_ifc_work+0x41f/0xca0 net/ipv6/mcast.c:2651 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:3174b page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88803174b3c0 pfn:0x3174b flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff88803174b3c0 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655402892, free_ts 70608526634 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 64 tgid 64 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 do_softirq kernel/softirq.c:455 [inline] do_softirq+0xb2/0xf0 kernel/softirq.c:442 __local_bh_enable_ip+0x100/0x120 kernel/softirq.c:382 ipv6_get_lladdr+0x299/0x4f0 net/ipv6/addrconf.c:1936 mld_newpack.isra.0+0x3a1/0x790 net/ipv6/mcast.c:1755 add_grhead+0x299/0x340 net/ipv6/mcast.c:1850 add_grec+0x111e/0x1670 net/ipv6/mcast.c:1988 mld_send_cr net/ipv6/mcast.c:2114 [inline] mld_ifc_work+0x41f/0xca0 net/ipv6/mcast.c:2651 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:4dfdd page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88804dfdd0f8 pfn:0x4dfdd flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff88804dfdd0f8 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655398150, free_ts 70608531032 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 64 tgid 64 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 do_softirq kernel/softirq.c:455 [inline] do_softirq+0xb2/0xf0 kernel/softirq.c:442 __local_bh_enable_ip+0x100/0x120 kernel/softirq.c:382 ipv6_get_lladdr+0x299/0x4f0 net/ipv6/addrconf.c:1936 mld_newpack.isra.0+0x3a1/0x790 net/ipv6/mcast.c:1755 add_grhead+0x299/0x340 net/ipv6/mcast.c:1850 add_grec+0x111e/0x1670 net/ipv6/mcast.c:1988 mld_send_cr net/ipv6/mcast.c:2114 [inline] mld_ifc_work+0x41f/0xca0 net/ipv6/mcast.c:2651 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:32b88 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888032b88000 pfn:0x32b88 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff888032b88000 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655393334, free_ts 70608578966 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 64 tgid 64 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 do_softirq kernel/softirq.c:455 [inline] do_softirq+0xb2/0xf0 kernel/softirq.c:442 __local_bh_enable_ip+0x100/0x120 kernel/softirq.c:382 ipv6_get_lladdr+0x299/0x4f0 net/ipv6/addrconf.c:1936 mld_newpack.isra.0+0x3a1/0x790 net/ipv6/mcast.c:1755 add_grhead+0x299/0x340 net/ipv6/mcast.c:1850 add_grec+0x111e/0x1670 net/ipv6/mcast.c:1988 mld_send_cr net/ipv6/mcast.c:2114 [inline] mld_ifc_work+0x41f/0xca0 net/ipv6/mcast.c:2651 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:311ba page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880311bbe00 pfn:0x311ba flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff8880311bbe00 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655388687, free_ts 70608583782 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 64 tgid 64 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 do_softirq kernel/softirq.c:455 [inline] do_softirq+0xb2/0xf0 kernel/softirq.c:442 __local_bh_enable_ip+0x100/0x120 kernel/softirq.c:382 ipv6_get_lladdr+0x299/0x4f0 net/ipv6/addrconf.c:1936 mld_newpack.isra.0+0x3a1/0x790 net/ipv6/mcast.c:1755 add_grhead+0x299/0x340 net/ipv6/mcast.c:1850 add_grec+0x111e/0x1670 net/ipv6/mcast.c:1988 mld_send_cr net/ipv6/mcast.c:2114 [inline] mld_ifc_work+0x41f/0xca0 net/ipv6/mcast.c:2651 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:4cbd0 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88804cbd1e00 pfn:0x4cbd0 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff88804cbd1e00 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655383931, free_ts 70608587758 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 64 tgid 64 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 do_softirq kernel/softirq.c:455 [inline] do_softirq+0xb2/0xf0 kernel/softirq.c:442 __local_bh_enable_ip+0x100/0x120 kernel/softirq.c:382 ipv6_get_lladdr+0x299/0x4f0 net/ipv6/addrconf.c:1936 mld_newpack.isra.0+0x3a1/0x790 net/ipv6/mcast.c:1755 add_grhead+0x299/0x340 net/ipv6/mcast.c:1850 add_grec+0x111e/0x1670 net/ipv6/mcast.c:1988 mld_send_cr net/ipv6/mcast.c:2114 [inline] mld_ifc_work+0x41f/0xca0 net/ipv6/mcast.c:2651 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:317ab page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880317ab1b0 pfn:0x317ab flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff8880317ab1b0 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655379119, free_ts 70608592127 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 64 tgid 64 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 do_softirq kernel/softirq.c:455 [inline] do_softirq+0xb2/0xf0 kernel/softirq.c:442 __local_bh_enable_ip+0x100/0x120 kernel/softirq.c:382 ipv6_get_lladdr+0x299/0x4f0 net/ipv6/addrconf.c:1936 mld_newpack.isra.0+0x3a1/0x790 net/ipv6/mcast.c:1755 add_grhead+0x299/0x340 net/ipv6/mcast.c:1850 add_grec+0x111e/0x1670 net/ipv6/mcast.c:1988 mld_send_cr net/ipv6/mcast.c:2114 [inline] mld_ifc_work+0x41f/0xca0 net/ipv6/mcast.c:2651 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:24ad1 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x4 pfn:0x24ad1 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: 0000000000000004 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655373913, free_ts 70609738697 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 64 tgid 64 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 vfree+0x17a/0x890 mm/vmalloc.c:3361 delayed_vfree_work+0x56/0x70 mm/vmalloc.c:3282 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:4f65c page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88804f65de00 pfn:0x4f65c flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff88804f65de00 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655368828, free_ts 70609745082 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 64 tgid 64 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 vfree+0x17a/0x890 mm/vmalloc.c:3361 delayed_vfree_work+0x56/0x70 mm/vmalloc.c:3282 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:3263f page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88803263f0d8 pfn:0x3263f flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff88803263f0d8 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655364093, free_ts 70609748703 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 64 tgid 64 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 vfree+0x17a/0x890 mm/vmalloc.c:3361 delayed_vfree_work+0x56/0x70 mm/vmalloc.c:3282 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:3f052 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x7f39b97ad pfn:0x3f052 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: 00000007f39b97ad 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655359026, free_ts 70609752394 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 64 tgid 64 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 vfree+0x17a/0x890 mm/vmalloc.c:3361 delayed_vfree_work+0x56/0x70 mm/vmalloc.c:3282 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:4e5d1 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0x4e5d1 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655354043, free_ts 70609756014 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 64 tgid 64 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 vfree+0x17a/0x890 mm/vmalloc.c:3361 delayed_vfree_work+0x56/0x70 mm/vmalloc.c:3282 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:28bed page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0x28bed flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655348707, free_ts 70609759582 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 final repro crashed as (corrupted=false): BUG: Bad page state in process syz.1.132 pfn:303aa page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880303aa3e0 pfn:0x303aa flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff8880303aa3e0 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655604114, free_ts 70606146413 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Not tainted 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:31a1f page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888031a1fc98 pfn:0x31a1f flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff888031a1fc98 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655599221, free_ts 70606149931 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:4d463 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0x4d463 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655594596, free_ts 70606153216 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:24b4a page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888024b4ad00 pfn:0x24b4a flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff888024b4ad00 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655589868, free_ts 70606156813 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:4f733 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0x4f733 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655585295, free_ts 70606160103 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:4f732 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88804f732000 pfn:0x4f732 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff88804f732000 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655580102, free_ts 70606163214 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:4d461 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0x4d461 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655575564, free_ts 70606166308 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:4d460 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88804d461e00 pfn:0x4d460 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff88804d461e00 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655570893, free_ts 70606170006 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:29c39 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0x29c39 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655566196, free_ts 70606173308 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:29597 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880295971e0 pfn:0x29597 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff8880295971e0 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655561171, free_ts 70606177858 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:31dd7 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888031dd7f00 pfn:0x31dd7 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff888031dd7f00 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655556083, free_ts 70606808309 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:4c829 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88804c829f00 pfn:0x4c829 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff88804c829f00 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655551403, free_ts 70606813909 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:27f81 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0x27f81 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655546485, free_ts 70606818453 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:2c67f page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888000000002 pfn:0x2c67f flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff888000000002 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655541724, free_ts 70607468704 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:4db4b page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0x4db4b flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655536952, free_ts 70607476740 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:4baca page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88804bacbe00 pfn:0x4baca flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff88804bacbe00 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655532328, free_ts 70607481630 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:24bbf page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888024bbf7c0 pfn:0x24bbf flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff888024bbf7c0 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655527568, free_ts 70607485253 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:499e0 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880499e1e00 pfn:0x499e0 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff8880499e1e00 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655522707, free_ts 70607488905 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:274a9 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888000000002 pfn:0x274a9 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff888000000002 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655517803, free_ts 70607492457 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:4c325 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88804c325e88 pfn:0x4c325 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff88804c325e88 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655513138, free_ts 70607497030 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:31822 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888031823e00 pfn:0x31822 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff888031823e00 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655508425, free_ts 70607500658 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:32620 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880326202d0 pfn:0x32620 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff8880326202d0 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655503717, free_ts 70607504696 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:2534e page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88802534e1f0 pfn:0x2534e flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff88802534e1f0 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655499054, free_ts 70607508566 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:3604b page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88803604b960 pfn:0x3604b flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff88803604b960 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655494309, free_ts 70607512132 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:27e19 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888027e190f0 pfn:0x27e19 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff888027e190f0 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655489476, free_ts 70607517383 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:2cd64 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88802cd65e00 pfn:0x2cd64 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff88802cd65e00 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655484744, free_ts 70607748058 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:2a224 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88802a224780 pfn:0x2a224 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff88802a224780 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655479974, free_ts 70607754139 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:28f75 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0x28f75 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655475307, free_ts 70607760714 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:2f3ae page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88802f3ae360 pfn:0x2f3ae flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff88802f3ae360 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655470381, free_ts 70607766442 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:4dda0 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88804dda0000 pfn:0x4dda0 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff88804dda0000 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655465410, free_ts 70607773004 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:24a97 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0x24a97 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655460754, free_ts 70607778438 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:4c6d3 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0x4c6d3 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655455880, free_ts 70607784574 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:311d2 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880311d3e00 pfn:0x311d2 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff8880311d3e00 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655451080, free_ts 70607791619 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:49834 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888049835e00 pfn:0x49834 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff888049835e00 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655446321, free_ts 70607797475 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:4bacb page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0x4bacb flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655441671, free_ts 70607803555 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:256fa page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880256fbe00 pfn:0x256fa flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff8880256fbe00 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655436950, free_ts 70607809220 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:32185 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880321852d0 pfn:0x32185 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff8880321852d0 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655432187, free_ts 70607816255 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 34 tgid 34 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 run_ksoftirqd kernel/softirq.c:927 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:29c3a page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888029c3be00 pfn:0x29c3a flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff888029c3be00 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655427511, free_ts 70608499423 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 64 tgid 64 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 do_softirq kernel/softirq.c:455 [inline] do_softirq+0xb2/0xf0 kernel/softirq.c:442 __local_bh_enable_ip+0x100/0x120 kernel/softirq.c:382 ipv6_get_lladdr+0x299/0x4f0 net/ipv6/addrconf.c:1936 mld_newpack.isra.0+0x3a1/0x790 net/ipv6/mcast.c:1755 add_grhead+0x299/0x340 net/ipv6/mcast.c:1850 add_grec+0x111e/0x1670 net/ipv6/mcast.c:1988 mld_send_cr net/ipv6/mcast.c:2114 [inline] mld_ifc_work+0x41f/0xca0 net/ipv6/mcast.c:2651 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:270c5 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880270c54b0 pfn:0x270c5 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff8880270c54b0 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655422728, free_ts 70608508731 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 64 tgid 64 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 do_softirq kernel/softirq.c:455 [inline] do_softirq+0xb2/0xf0 kernel/softirq.c:442 __local_bh_enable_ip+0x100/0x120 kernel/softirq.c:382 ipv6_get_lladdr+0x299/0x4f0 net/ipv6/addrconf.c:1936 mld_newpack.isra.0+0x3a1/0x790 net/ipv6/mcast.c:1755 add_grhead+0x299/0x340 net/ipv6/mcast.c:1850 add_grec+0x111e/0x1670 net/ipv6/mcast.c:1988 mld_send_cr net/ipv6/mcast.c:2114 [inline] mld_ifc_work+0x41f/0xca0 net/ipv6/mcast.c:2651 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:2a25d page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0x2a25d flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655417825, free_ts 70608512795 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 64 tgid 64 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 do_softirq kernel/softirq.c:455 [inline] do_softirq+0xb2/0xf0 kernel/softirq.c:442 __local_bh_enable_ip+0x100/0x120 kernel/softirq.c:382 ipv6_get_lladdr+0x299/0x4f0 net/ipv6/addrconf.c:1936 mld_newpack.isra.0+0x3a1/0x790 net/ipv6/mcast.c:1755 add_grhead+0x299/0x340 net/ipv6/mcast.c:1850 add_grec+0x111e/0x1670 net/ipv6/mcast.c:1988 mld_send_cr net/ipv6/mcast.c:2114 [inline] mld_ifc_work+0x41f/0xca0 net/ipv6/mcast.c:2651 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:31fa4 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888031fa4000 pfn:0x31fa4 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff888031fa4000 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655412945, free_ts 70608516787 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 64 tgid 64 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 do_softirq kernel/softirq.c:455 [inline] do_softirq+0xb2/0xf0 kernel/softirq.c:442 __local_bh_enable_ip+0x100/0x120 kernel/softirq.c:382 ipv6_get_lladdr+0x299/0x4f0 net/ipv6/addrconf.c:1936 mld_newpack.isra.0+0x3a1/0x790 net/ipv6/mcast.c:1755 add_grhead+0x299/0x340 net/ipv6/mcast.c:1850 add_grec+0x111e/0x1670 net/ipv6/mcast.c:1988 mld_send_cr net/ipv6/mcast.c:2114 [inline] mld_ifc_work+0x41f/0xca0 net/ipv6/mcast.c:2651 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:31ab3 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888031ab31e0 pfn:0x31ab3 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff888031ab31e0 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655408009, free_ts 70608522030 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 64 tgid 64 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 do_softirq kernel/softirq.c:455 [inline] do_softirq+0xb2/0xf0 kernel/softirq.c:442 __local_bh_enable_ip+0x100/0x120 kernel/softirq.c:382 ipv6_get_lladdr+0x299/0x4f0 net/ipv6/addrconf.c:1936 mld_newpack.isra.0+0x3a1/0x790 net/ipv6/mcast.c:1755 add_grhead+0x299/0x340 net/ipv6/mcast.c:1850 add_grec+0x111e/0x1670 net/ipv6/mcast.c:1988 mld_send_cr net/ipv6/mcast.c:2114 [inline] mld_ifc_work+0x41f/0xca0 net/ipv6/mcast.c:2651 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:3174b page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88803174b3c0 pfn:0x3174b flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff88803174b3c0 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655402892, free_ts 70608526634 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 64 tgid 64 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 do_softirq kernel/softirq.c:455 [inline] do_softirq+0xb2/0xf0 kernel/softirq.c:442 __local_bh_enable_ip+0x100/0x120 kernel/softirq.c:382 ipv6_get_lladdr+0x299/0x4f0 net/ipv6/addrconf.c:1936 mld_newpack.isra.0+0x3a1/0x790 net/ipv6/mcast.c:1755 add_grhead+0x299/0x340 net/ipv6/mcast.c:1850 add_grec+0x111e/0x1670 net/ipv6/mcast.c:1988 mld_send_cr net/ipv6/mcast.c:2114 [inline] mld_ifc_work+0x41f/0xca0 net/ipv6/mcast.c:2651 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:4dfdd page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88804dfdd0f8 pfn:0x4dfdd flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff88804dfdd0f8 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655398150, free_ts 70608531032 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 64 tgid 64 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 do_softirq kernel/softirq.c:455 [inline] do_softirq+0xb2/0xf0 kernel/softirq.c:442 __local_bh_enable_ip+0x100/0x120 kernel/softirq.c:382 ipv6_get_lladdr+0x299/0x4f0 net/ipv6/addrconf.c:1936 mld_newpack.isra.0+0x3a1/0x790 net/ipv6/mcast.c:1755 add_grhead+0x299/0x340 net/ipv6/mcast.c:1850 add_grec+0x111e/0x1670 net/ipv6/mcast.c:1988 mld_send_cr net/ipv6/mcast.c:2114 [inline] mld_ifc_work+0x41f/0xca0 net/ipv6/mcast.c:2651 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:32b88 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888032b88000 pfn:0x32b88 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff888032b88000 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655393334, free_ts 70608578966 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 64 tgid 64 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 do_softirq kernel/softirq.c:455 [inline] do_softirq+0xb2/0xf0 kernel/softirq.c:442 __local_bh_enable_ip+0x100/0x120 kernel/softirq.c:382 ipv6_get_lladdr+0x299/0x4f0 net/ipv6/addrconf.c:1936 mld_newpack.isra.0+0x3a1/0x790 net/ipv6/mcast.c:1755 add_grhead+0x299/0x340 net/ipv6/mcast.c:1850 add_grec+0x111e/0x1670 net/ipv6/mcast.c:1988 mld_send_cr net/ipv6/mcast.c:2114 [inline] mld_ifc_work+0x41f/0xca0 net/ipv6/mcast.c:2651 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:311ba page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880311bbe00 pfn:0x311ba flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff8880311bbe00 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655388687, free_ts 70608583782 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 64 tgid 64 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 do_softirq kernel/softirq.c:455 [inline] do_softirq+0xb2/0xf0 kernel/softirq.c:442 __local_bh_enable_ip+0x100/0x120 kernel/softirq.c:382 ipv6_get_lladdr+0x299/0x4f0 net/ipv6/addrconf.c:1936 mld_newpack.isra.0+0x3a1/0x790 net/ipv6/mcast.c:1755 add_grhead+0x299/0x340 net/ipv6/mcast.c:1850 add_grec+0x111e/0x1670 net/ipv6/mcast.c:1988 mld_send_cr net/ipv6/mcast.c:2114 [inline] mld_ifc_work+0x41f/0xca0 net/ipv6/mcast.c:2651 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:4cbd0 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88804cbd1e00 pfn:0x4cbd0 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff88804cbd1e00 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655383931, free_ts 70608587758 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 64 tgid 64 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 __folio_put+0x30d/0x3d0 mm/swap.c:126 folio_put include/linux/mm.h:1478 [inline] free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:227 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 do_softirq kernel/softirq.c:455 [inline] do_softirq+0xb2/0xf0 kernel/softirq.c:442 __local_bh_enable_ip+0x100/0x120 kernel/softirq.c:382 ipv6_get_lladdr+0x299/0x4f0 net/ipv6/addrconf.c:1936 mld_newpack.isra.0+0x3a1/0x790 net/ipv6/mcast.c:1755 add_grhead+0x299/0x340 net/ipv6/mcast.c:1850 add_grec+0x111e/0x1670 net/ipv6/mcast.c:1988 mld_send_cr net/ipv6/mcast.c:2114 [inline] mld_ifc_work+0x41f/0xca0 net/ipv6/mcast.c:2651 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:317ab page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880317ab1b0 pfn:0x317ab flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff8880317ab1b0 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655379119, free_ts 70608592127 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 64 tgid 64 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 do_softirq kernel/softirq.c:455 [inline] do_softirq+0xb2/0xf0 kernel/softirq.c:442 __local_bh_enable_ip+0x100/0x120 kernel/softirq.c:382 ipv6_get_lladdr+0x299/0x4f0 net/ipv6/addrconf.c:1936 mld_newpack.isra.0+0x3a1/0x790 net/ipv6/mcast.c:1755 add_grhead+0x299/0x340 net/ipv6/mcast.c:1850 add_grec+0x111e/0x1670 net/ipv6/mcast.c:1988 mld_send_cr net/ipv6/mcast.c:2114 [inline] mld_ifc_work+0x41f/0xca0 net/ipv6/mcast.c:2651 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:24ad1 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x4 pfn:0x24ad1 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: 0000000000000004 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655373913, free_ts 70609738697 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 64 tgid 64 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 vfree+0x17a/0x890 mm/vmalloc.c:3361 delayed_vfree_work+0x56/0x70 mm/vmalloc.c:3282 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:4f65c page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88804f65de00 pfn:0x4f65c flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff88804f65de00 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655368828, free_ts 70609745082 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 64 tgid 64 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 vfree+0x17a/0x890 mm/vmalloc.c:3361 delayed_vfree_work+0x56/0x70 mm/vmalloc.c:3282 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:3263f page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88803263f0d8 pfn:0x3263f flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: ffff88803263f0d8 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655364093, free_ts 70609748703 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 64 tgid 64 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 vfree+0x17a/0x890 mm/vmalloc.c:3361 delayed_vfree_work+0x56/0x70 mm/vmalloc.c:3282 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:3f052 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x7f39b97ad pfn:0x3f052 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: 00000007f39b97ad 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655359026, free_ts 70609752394 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 64 tgid 64 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 vfree+0x17a/0x890 mm/vmalloc.c:3361 delayed_vfree_work+0x56/0x70 mm/vmalloc.c:3282 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:4e5d1 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0x4e5d1 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655354043, free_ts 70609756014 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 64 tgid 64 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 vfree+0x17a/0x890 mm/vmalloc.c:3361 delayed_vfree_work+0x56/0x70 mm/vmalloc.c:3282 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CPU: 3 UID: 0 PID: 6492 Comm: syz.1.132 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0 Tainted: [B]=BAD_PAGE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 bad_page+0xb3/0x1f0 mm/page_alloc.c:501 free_page_is_bad_report mm/page_alloc.c:908 [inline] free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0x657/0xdc0 mm/page_alloc.c:2638 skb_free_frag include/linux/skbuff.h:3399 [inline] skb_free_head+0xa0/0x1d0 net/core/skbuff.c:1096 skb_release_data+0x560/0x730 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x129/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5640 __netif_receive_skb_list_core+0x357/0x950 net/core/dev.c:5741 __netif_receive_skb_list net/core/dev.c:5808 [inline] netif_receive_skb_list_internal+0x753/0xdb0 net/core/dev.c:5899 netif_receive_skb_list+0x4f/0x4a0 net/core/dev.c:5951 xdp_recv_frames net/bpf/test_run.c:279 [inline] xdp_test_run_batch.constprop.0+0x138d/0x1960 net/bpf/test_run.c:360 bpf_test_run_xdp_live+0x365/0x500 net/bpf/test_run.c:389 bpf_prog_test_run_xdp+0x827/0x1580 net/bpf/test_run.c:1317 bpf_prog_test_run kernel/bpf/syscall.c:4266 [inline] __sys_bpf+0xfc6/0x49a0 kernel/bpf/syscall.c:5671 __do_sys_bpf kernel/bpf/syscall.c:5760 [inline] __se_sys_bpf kernel/bpf/syscall.c:5758 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5758 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f475a17e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f475b009038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f475a336058 RCX: 00007f475a17e719 RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a RBP: 00007f475a1f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f475a336058 R15: 00007ffe2d0f8dd8 BUG: Bad page state in process syz.1.132 pfn:28bed page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0x28bed flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff88804c173000 0000000000000000 raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 6492, tgid 6486 (syz.1.132), ts 70655348707, free_ts 70609759582 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_bulk_noprof+0x77c/0x1110 mm/page_alloc.c:4681 alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline] __page_pool_alloc_pages_slow+0x18f/0x770 net/core/page_pool.c:538 page_pool_alloc_netmem net/core/page_pool.c:590 [inline] page_pool_alloc_netmem+0xc4/0x160 net/core/page_pool.c:577 page_pool_alloc_pages+0x1a/0x60 net/core/page_pool.c:597 page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline] xdp_test_run_batch.constprop.0+0x3a8/0x1960 net/bpf/test_run.c:305