program:
r0 = socket$rds(0x15, 0x5, 0x0)
bind$rds(r0, &(0x7f0000000000)={0x2, 0x0, @loopback}, 0x10)
r1 = openat$kvm(0xffffffffffffff9c, 0x0, 0x48000, 0x0)
ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
r2 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0xa4242, 0x0)
r3 = socket$inet6(0xa, 0x3, 0x8000000003c)
sendmmsg$inet6(r3, 0x0, 0x0, 0x4000880)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r2, 0x0)
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
sendmsg$rds(r0, &(0x7f00000012c0)={&(0x7f0000000200)={0x2, 0x0, @local}, 0x10, 0x0, 0x0, &(0x7f0000000cc0)=[@fadd={0x58, 0x114, 0x6, {{0x2, 0x3}, &(0x7f0000000340), 0x0, 0x3, 0x8, 0x7, 0x10001, 0x65, 0x6}}], 0x58, 0x20004814}, 0x0)

[   75.328190][ T4702] Bluetooth: hci0: command tx timeout
[   75.526682][ T5357] BUG: Bad page state in process syz.0.0  pfn:52c01
[   75.530672][ T5357] page does not match folio
[   75.532721][ T5357] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffffffffffffffff pfn:0x52c01
[   75.537156][ T5357] ksm flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[   75.542463][ T5357] raw: 04fff00000000000 0000000000000000 00000000ffffffff ffffffffffffffff
[   75.546463][ T5357] raw: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000000
[   75.551852][ T5357] page dumped because: nonzero pincount
[   75.554841][ T5357] page_owner tracks the page as allocated
[   75.557907][ T5357] page last allocated via order 9, migratetype Unmovable, gfp_mask 0x152c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 5357, tgid 5357 (syz.0.0), ts 75413914149, free_ts 0
[   75.575975][ T5357]  post_alloc_hook+0x240/0x2a0
[   75.578328][ T5357]  get_page_from_freelist+0x21e4/0x22c0
[   75.581265][ T5357]  __alloc_frozen_pages_noprof+0x181/0x370
[   75.583684][ T5357]  alloc_pages_mpol+0x232/0x4a0
[   75.586014][ T5357]  alloc_pages_noprof+0xa9/0x190
[   75.588265][ T5357]  folio_alloc_noprof+0x1e/0x30
[   75.591449][ T5357]  filemap_alloc_folio_noprof+0xdf/0x470
[   75.593936][ T5357]  page_cache_ra_order+0x4de/0xd40
[   75.596413][ T5357]  do_sync_mmap_readahead+0x25e/0x7a0
[   75.600106][ T5357]  filemap_fault+0x62c/0x1200
[   75.602100][ T5357]  __do_fault+0x138/0x390
[   75.604115][ T5357]  __handle_mm_fault+0x1847/0x5440
[   75.606458][ T5357]  handle_mm_fault+0x40a/0x8e0
[   75.609707][ T5357]  do_user_addr_fault+0xa81/0x1390
[   75.612072][ T5357]  exc_page_fault+0x76/0xf0
[   75.614121][ T5357]  asm_exc_page_fault+0x26/0x30
[   75.616269][ T5357] page_owner free stack trace missing
[   75.623535][ T5357] Modules linked in:
[   75.625241][ T5357] CPU: 0 UID: 0 PID: 5357 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   75.625257][ T5357] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   75.625264][ T5357] Call Trace:
[   75.625269][ T5357]  <TASK>
[   75.625274][ T5357]  dump_stack_lvl+0x189/0x250
[   75.625294][ T5357]  ? __pfx_dump_stack_lvl+0x10/0x10
[   75.625307][ T5357]  ? __pfx_print_modules+0x10/0x10
[   75.625319][ T5357]  ? percpu_ref_put+0x19/0x180
[   75.625329][ T5357]  ? percpu_ref_put+0x19/0x180
[   75.625339][ T5357]  ? percpu_ref_put+0xf9/0x180
[   75.625348][ T5357]  bad_page+0x180/0x1c0
[   75.625357][ T5357]  free_tail_page_prepare+0x2c3/0x4f0
[   75.625367][ T5357]  __free_frozen_pages+0x7b7/0xd30
[   75.625380][ T5357]  __folio_put+0x21b/0x2c0
[   75.625391][ T5357]  ? __pfx___folio_put+0x10/0x10
[   75.625405][ T5357]  delete_from_page_cache_batch+0x84c/0x9b0
[   75.625415][ T5357]  ? shmem_mapping+0xd/0x50
[   75.625428][ T5357]  ? __pfx_delete_from_page_cache_batch+0x10/0x10
[   75.625440][ T5357]  ? __filemap_fdatawait_range+0x1d2/0x230
[   75.625454][ T5357]  ? __pfx_workingset_update_node+0x10/0x10
[   75.625470][ T5357]  ? folio_mapping+0x16f/0x240
[   75.625482][ T5357]  ? truncate_cleanup_folio+0x34a/0x430
[   75.625497][ T5357]  truncate_inode_pages_range+0x28a/0xda0
[   75.625517][ T5357]  ? __pfx_truncate_inode_pages_range+0x10/0x10
[   75.625546][ T5357]  ? lockdep_hardirqs_on+0x9c/0x150
[   75.625564][ T5357]  ? __pfx_invalidate_bh_lru+0x10/0x10
[   75.625577][ T5357]  ? smp_call_function_many_cond+0xe4f/0x12d0
[   75.625595][ T5357]  ? __pfx___mutex_lock+0x10/0x10
[   75.625605][ T5357]  ? __pfx_has_bh_in_lru+0x10/0x10
[   75.625617][ T5357]  blkdev_flush_mapping+0x108/0x270
[   75.625628][ T5357]  ? bdev_release+0x40f/0x650
[   75.625639][ T5357]  bdev_release+0x417/0x650
[   75.625655][ T5357]  ? __pfx_blkdev_release+0x10/0x10
[   75.625665][ T5357]  blkdev_release+0x15/0x20
[   75.625675][ T5357]  __fput+0x449/0xa70
[   75.625700][ T5357]  task_work_run+0x1d1/0x260
[   75.625717][ T5357]  ? __pfx_task_work_run+0x10/0x10
[   75.625738][ T5357]  do_exit+0x6b5/0x2300
[   75.625754][ T5357]  ? preempt_schedule_common+0x83/0xd0
[   75.625770][ T5357]  ? preempt_schedule+0xae/0xc0
[   75.625785][ T5357]  ? __pfx_do_exit+0x10/0x10
[   75.625803][ T5357]  ? preempt_schedule_thunk+0x16/0x30
[   75.625818][ T5357]  do_group_exit+0x21c/0x2d0
[   75.625836][ T5357]  __x64_sys_exit_group+0x3f/0x40
[   75.625849][ T5357]  x64_sys_call+0x21f7/0x2200
[   75.625863][ T5357]  do_syscall_64+0xfa/0x3b0
[   75.625873][ T5357]  ? lockdep_hardirqs_on+0x9c/0x150
[   75.625889][ T5357]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   75.625900][ T5357]  ? clear_bhb_loop+0x60/0xb0
[   75.625914][ T5357]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   75.625923][ T5357] RIP: 0033:0x7fa93ef8eba9
[   75.625930][ T5357] Code: Unable to access opcode bytes at 0x7fa93ef8eb7f.
[   75.625934][ T5357] RSP: 002b:00007fff2a1ea268 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   75.625942][ T5357] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa93ef8eba9
[   75.625947][ T5357] RDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000
[   75.625951][ T5357] RBP: 0000000000000003 R08: 0000000a2a1ea35f R09: 00007fa93f1a1280
[   75.625956][ T5357] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
[   75.625960][ T5357] R13: 00007fa93f1a1280 R14: 0000000000000003 R15: 00007fff2a1ea320
[   75.625970][ T5357]  </TASK>
[   75.625973][ T5357] Disabling lock debugging due to kernel taint
[   75.787609][ T5357] BUG: Bad page state in process syz.0.0  pfn:52c00
[   75.791981][ T5357] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x52c00
[   75.796045][ T5357] head: order:0 mapcount:0 entire_mapcount:1 nr_pages_mapped:0 pincount:0
[   75.801136][ T5357] flags: 0x4fff0000000004d(locked|referenced|uptodate|head|node=1|zone=1|lastcpupid=0x7ff)
[   75.805723][ T5357] raw: 04fff0000000004d dead000000000100 dead000000000122 0000000000000000
[   75.809916][ T5357] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[   75.813647][ T5357] head: 04fff0000000004d dead000000000100 dead000000000122 0000000000000000
[   75.817176][ T5357] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[   75.821901][ T5357] head: 04fff00000000000 0000000000000000 00000000ffffffff 0000000000000000
[   75.826155][ T5357] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000000
[   75.830593][ T5357] page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
[   75.833689][ T5357] page_owner tracks the page as allocated
[   75.836168][ T5357] page last allocated via order 9, migratetype Unmovable, gfp_mask 0x152c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 5357, tgid 5357 (syz.0.0), ts 75413914149, free_ts 0
[   75.845713][ T5357]  post_alloc_hook+0x240/0x2a0
[   75.847843][ T5357]  get_page_from_freelist+0x21e4/0x22c0
[   75.850904][ T5357]  __alloc_frozen_pages_noprof+0x181/0x370
[   75.853574][ T5357]  alloc_pages_mpol+0x232/0x4a0
[   75.855717][ T5357]  alloc_pages_noprof+0xa9/0x190
[   75.858014][ T5357]  folio_alloc_noprof+0x1e/0x30
[   75.868304][ T5357]  filemap_alloc_folio_noprof+0xdf/0x470
[   75.871118][ T5357]  page_cache_ra_order+0x4de/0xd40
[   75.873523][ T5357]  do_sync_mmap_readahead+0x25e/0x7a0
[   75.876134][ T5357]  filemap_fault+0x62c/0x1200
[   75.878259][ T5357]  __do_fault+0x138/0x390
[   75.881090][ T5357]  __handle_mm_fault+0x1847/0x5440
[   75.883393][ T5357]  handle_mm_fault+0x40a/0x8e0
[   75.885556][ T5357]  do_user_addr_fault+0xa81/0x1390
[   75.887917][ T5357]  exc_page_fault+0x76/0xf0
[   75.891310][ T5357]  asm_exc_page_fault+0x26/0x30
[   75.893474][ T5357] page_owner free stack trace missing
[   75.895778][ T5357] Modules linked in:
[   75.897532][ T5357] CPU: 0 UID: 0 PID: 5357 Comm: syz.0.0 Tainted: G    B               syzkaller #0 PREEMPT(full) 
[   75.897548][ T5357] Tainted: [B]=BAD_PAGE
[   75.897552][ T5357] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   75.897558][ T5357] Call Trace:
[   75.897565][ T5357]  <TASK>
[   75.897569][ T5357]  dump_stack_lvl+0x189/0x250
[   75.897595][ T5357]  ? __pfx_dump_stack_lvl+0x10/0x10
[   75.897607][ T5357]  ? __pfx_print_modules+0x10/0x10
[   75.897626][ T5357]  bad_page+0x180/0x1c0
[   75.897637][ T5357]  __free_frozen_pages+0xce2/0xd30
[   75.897653][ T5357]  __folio_put+0x21b/0x2c0
[   75.897668][ T5357]  ? __pfx___folio_put+0x10/0x10
[   75.897679][ T5357]  delete_from_page_cache_batch+0x84c/0x9b0
[   75.897691][ T5357]  ? shmem_mapping+0xd/0x50
[   75.897701][ T5357]  ? __pfx_delete_from_page_cache_batch+0x10/0x10
[   75.897712][ T5357]  ? __filemap_fdatawait_range+0x1d2/0x230
[   75.897725][ T5357]  ? __pfx_workingset_update_node+0x10/0x10
[   75.897742][ T5357]  ? folio_mapping+0x16f/0x240
[   75.897753][ T5357]  ? truncate_cleanup_folio+0x34a/0x430
[   75.897765][ T5357]  truncate_inode_pages_range+0x28a/0xda0
[   75.897779][ T5357]  ? __pfx_truncate_inode_pages_range+0x10/0x10
[   75.897795][ T5357]  ? lockdep_hardirqs_on+0x9c/0x150
[   75.897810][ T5357]  ? __pfx_invalidate_bh_lru+0x10/0x10
[   75.897825][ T5357]  ? smp_call_function_many_cond+0xe4f/0x12d0
[   75.897843][ T5357]  ? __pfx___mutex_lock+0x10/0x10
[   75.897855][ T5357]  ? __pfx_has_bh_in_lru+0x10/0x10
[   75.897870][ T5357]  blkdev_flush_mapping+0x108/0x270
[   75.897886][ T5357]  ? bdev_release+0x40f/0x650
[   75.897900][ T5357]  bdev_release+0x417/0x650
[   75.897915][ T5357]  ? __pfx_blkdev_release+0x10/0x10
[   75.897925][ T5357]  blkdev_release+0x15/0x20
[   75.897934][ T5357]  __fput+0x449/0xa70
[   75.897951][ T5357]  task_work_run+0x1d1/0x260
[   75.897967][ T5357]  ? __pfx_task_work_run+0x10/0x10
[   75.897983][ T5357]  do_exit+0x6b5/0x2300
[   75.897999][ T5357]  ? preempt_schedule_common+0x83/0xd0
[   75.898013][ T5357]  ? preempt_schedule+0xae/0xc0
[   75.898027][ T5357]  ? __pfx_do_exit+0x10/0x10
[   75.898040][ T5357]  ? preempt_schedule_thunk+0x16/0x30
[   75.898052][ T5357]  do_group_exit+0x21c/0x2d0
[   75.898066][ T5357]  __x64_sys_exit_group+0x3f/0x40
[   75.898079][ T5357]  x64_sys_call+0x21f7/0x2200
[   75.898093][ T5357]  do_syscall_64+0xfa/0x3b0
[   75.898103][ T5357]  ? lockdep_hardirqs_on+0x9c/0x150
[   75.898118][ T5357]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   75.898128][ T5357]  ? clear_bhb_loop+0x60/0xb0
[   75.898138][ T5357]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   75.898146][ T5357] RIP: 0033:0x7fa93ef8eba9
[   75.898152][ T5357] Code: Unable to access opcode bytes at 0x7fa93ef8eb7f.
[   75.898157][ T5357] RSP: 002b:00007fff2a1ea268 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   75.898168][ T5357] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa93ef8eba9
[   75.898175][ T5357] RDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000
[   75.898181][ T5357] RBP: 0000000000000003 R08: 0000000a2a1ea35f R09: 00007fa93f1a1280
[   75.898188][ T5357] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
[   75.898194][ T5357] R13: 00007fa93f1a1280 R14: 0000000000000003 R15: 00007fff2a1ea320
[   75.898205][ T5357]  </TASK>