BUG: Bad page state in process syz.2.552  pfn:9bc3c
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffffaf8000000000 pfn:0x9bc3c
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ffffaf8011f15000 0000000000000000
raw: ffffaf8000000000 3fffffffffffffff 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 4089, tgid 4087 (syz.0.72), ts 635432186300, free_ts 627994175100
 __set_page_owner+0xa2/0x710 mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xea/0x1e2 mm/page_alloc.c:1551
 prep_new_page mm/page_alloc.c:1559 [inline]
 get_page_from_freelist+0xf78/0x2bd6 mm/page_alloc.c:3477
 __alloc_frozen_pages_noprof+0x1e8/0x20fc mm/page_alloc.c:4739
 __alloc_pages_noprof mm/page_alloc.c:4773 [inline]
 alloc_pages_bulk_noprof+0x580/0x10a8 mm/page_alloc.c:4693
 alloc_pages_bulk_node_noprof include/linux/gfp.h:235 [inline]
 __page_pool_alloc_pages_slow+0x18c/0xc4e net/core/page_pool.c:542
 page_pool_alloc_netmems net/core/page_pool.c:593 [inline]
 page_pool_alloc_netmems+0xc0/0x158 net/core/page_pool.c:580
 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline]
 page_pool_alloc include/net/page_pool/helpers.h:160 [inline]
 page_pool_dev_alloc include/net/page_pool/helpers.h:181 [inline]
 skb_pp_cow_data+0x8be/0xfe2 net/core/skbuff.c:983
 skb_cow_data_for_xdp+0x8a/0xbc net/core/skbuff.c:1017
 netif_skb_check_for_xdp net/core/dev.c:5191 [inline]
 netif_receive_generic_xdp net/core/dev.c:5230 [inline]
 do_xdp_generic+0x500/0xf14 net/core/dev.c:5298
 tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
 tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
 new_sync_write fs/read_write.c:586 [inline]
 vfs_write+0x56c/0xa9a fs/read_write.c:679
 ksys_write+0x126/0x226 fs/read_write.c:731
 __do_sys_write fs/read_write.c:742 [inline]
 __se_sys_write fs/read_write.c:739 [inline]
 __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
page last free pid 3856 tgid 3856 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_frozen_pages+0x96a/0x155c mm/page_alloc.c:2660
 __free_pages+0x13a/0x1ba mm/page_alloc.c:4838
 pagetable_free include/linux/mm.h:2917 [inline]
 pagetable_dtor_free include/linux/mm.h:3015 [inline]
 __tlb_remove_table include/asm-generic/tlb.h:216 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0xde/0x160 mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2546 [inline]
 rcu_core+0xa24/0x1ea0 kernel/rcu/tree.c:2802
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2819
 handle_softirqs+0x4b2/0x132e kernel/softirq.c:561
 __do_softirq kernel/softirq.c:595 [inline]
 invoke_softirq kernel/softirq.c:435 [inline]
 __irq_exit_rcu+0x18c/0x550 kernel/softirq.c:662
 irq_exit_rcu+0x10/0xf8 kernel/softirq.c:678
 handle_riscv_irq+0x40/0x4c arch/riscv/kernel/traps.c:378
 call_on_irq_stack+0x32/0x40 arch/riscv/kernel/entry.S:356
Modules linked in:
CPU: 1 UID: 0 PID: 5852 Comm: syz.2.552 Not tainted 6.14.0-rc1-syzkaller-g245aece3750d #0
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80074518>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:132
[<ffffffff80003206>] show_stack+0x30/0x3c arch/riscv/kernel/stacktrace.c:138
[<ffffffff8005fa4c>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff8005fa4c>] dump_stack_lvl+0x12e/0x1a6 lib/dump_stack.c:120
[<ffffffff8005fae0>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff80997d5c>] bad_page+0x266/0x2d8 mm/page_alloc.c:501
[<ffffffff809a627a>] free_page_is_bad_report mm/page_alloc.c:913 [inline]
[<ffffffff809a627a>] free_page_is_bad mm/page_alloc.c:923 [inline]
[<ffffffff809a627a>] free_pages_prepare mm/page_alloc.c:1119 [inline]
[<ffffffff809a627a>] free_frozen_pages+0xb82/0x155c mm/page_alloc.c:2660
[<ffffffff809b5256>] page_frag_free+0x336/0x382 mm/page_frag_cache.c:169
[<ffffffff8507e482>] __xdp_return+0x336/0xa02 net/core/xdp.c:447
[<ffffffff850583d2>] bpf_xdp_shrink_data net/core/filter.c:4155 [inline]
[<ffffffff850583d2>] bpf_xdp_frags_shrink_tail net/core/filter.c:4175 [inline]
[<ffffffff850583d2>] ____bpf_xdp_adjust_tail net/core/filter.c:4200 [inline]
[<ffffffff850583d2>] bpf_xdp_adjust_tail+0x9c8/0xf50 net/core/filter.c:4193
[<ffffffff780080f8>] bpf_prog_f476d5219b92964a+0x28/0x36
[<ffffffff85027a4a>] bpf_dispatcher_xdp_func+0x22/0x32 net/core/filter.c:11701
[<ffffffff84f965d8>] __bpf_prog_run include/linux/filter.h:701 [inline]
[<ffffffff84f965d8>] bpf_prog_run_xdp include/net/xdp.h:654 [inline]
[<ffffffff84f965d8>] bpf_prog_run_generic_xdp+0x6ba/0x166a net/core/dev.c:5123
[<ffffffff84f9824e>] netif_receive_generic_xdp net/core/dev.c:5236 [inline]
[<ffffffff84f9824e>] do_xdp_generic+0x7e2/0xf14 net/core/dev.c:5298
[<ffffffff831b71d4>] tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
[<ffffffff831bb756>] tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
[<ffffffff80b63350>] new_sync_write fs/read_write.c:586 [inline]
[<ffffffff80b63350>] vfs_write+0x56c/0xa9a fs/read_write.c:679
[<ffffffff80b63c5e>] ksys_write+0x126/0x226 fs/read_write.c:731
[<ffffffff80b63dcc>] __do_sys_write fs/read_write.c:742 [inline]
[<ffffffff80b63dcc>] __se_sys_write fs/read_write.c:739 [inline]
[<ffffffff80b63dcc>] __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
[<ffffffff80072b1e>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff86242a5a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff86268776>] handle_exception+0x146/0x152 arch/riscv/kernel/entry.S:197
BUG: Bad page state in process syz.2.552  pfn:94307
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffffaf8014307500 pfn:0x94307
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ffffaf8011f15000 0000000000000000
raw: ffffaf8014307500 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 4089, tgid 4087 (syz.0.72), ts 635432338300, free_ts 627993796300
 __set_page_owner+0xa2/0x710 mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xea/0x1e2 mm/page_alloc.c:1551
 prep_new_page mm/page_alloc.c:1559 [inline]
 get_page_from_freelist+0xf78/0x2bd6 mm/page_alloc.c:3477
 __alloc_frozen_pages_noprof+0x1e8/0x20fc mm/page_alloc.c:4739
 __alloc_pages_noprof mm/page_alloc.c:4773 [inline]
 alloc_pages_bulk_noprof+0x580/0x10a8 mm/page_alloc.c:4693
 alloc_pages_bulk_node_noprof include/linux/gfp.h:235 [inline]
 __page_pool_alloc_pages_slow+0x18c/0xc4e net/core/page_pool.c:542
 page_pool_alloc_netmems net/core/page_pool.c:593 [inline]
 page_pool_alloc_netmems+0xc0/0x158 net/core/page_pool.c:580
 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline]
 page_pool_alloc include/net/page_pool/helpers.h:160 [inline]
 page_pool_dev_alloc include/net/page_pool/helpers.h:181 [inline]
 skb_pp_cow_data+0x8be/0xfe2 net/core/skbuff.c:983
 skb_cow_data_for_xdp+0x8a/0xbc net/core/skbuff.c:1017
 netif_skb_check_for_xdp net/core/dev.c:5191 [inline]
 netif_receive_generic_xdp net/core/dev.c:5230 [inline]
 do_xdp_generic+0x500/0xf14 net/core/dev.c:5298
 tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
 tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
 new_sync_write fs/read_write.c:586 [inline]
 vfs_write+0x56c/0xa9a fs/read_write.c:679
 ksys_write+0x126/0x226 fs/read_write.c:731
 __do_sys_write fs/read_write.c:742 [inline]
 __se_sys_write fs/read_write.c:739 [inline]
 __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
page last free pid 3856 tgid 3856 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_frozen_pages+0x96a/0x155c mm/page_alloc.c:2660
 __free_pages+0x13a/0x1ba mm/page_alloc.c:4838
 pagetable_free include/linux/mm.h:2917 [inline]
 pagetable_dtor_free include/linux/mm.h:3015 [inline]
 __tlb_remove_table include/asm-generic/tlb.h:216 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0xde/0x160 mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2546 [inline]
 rcu_core+0xa24/0x1ea0 kernel/rcu/tree.c:2802
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2819
 handle_softirqs+0x4b2/0x132e kernel/softirq.c:561
 __do_softirq kernel/softirq.c:595 [inline]
 invoke_softirq kernel/softirq.c:435 [inline]
 __irq_exit_rcu+0x18c/0x550 kernel/softirq.c:662
 irq_exit_rcu+0x10/0xf8 kernel/softirq.c:678
 handle_riscv_irq+0x40/0x4c arch/riscv/kernel/traps.c:378
 call_on_irq_stack+0x32/0x40 arch/riscv/kernel/entry.S:356
Modules linked in:
CPU: 1 UID: 0 PID: 5852 Comm: syz.2.552 Tainted: G    B              6.14.0-rc1-syzkaller-g245aece3750d #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80074518>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:132
[<ffffffff80003206>] show_stack+0x30/0x3c arch/riscv/kernel/stacktrace.c:138
[<ffffffff8005fa4c>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff8005fa4c>] dump_stack_lvl+0x12e/0x1a6 lib/dump_stack.c:120
[<ffffffff8005fae0>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff80997d5c>] bad_page+0x266/0x2d8 mm/page_alloc.c:501
[<ffffffff809a627a>] free_page_is_bad_report mm/page_alloc.c:913 [inline]
[<ffffffff809a627a>] free_page_is_bad mm/page_alloc.c:923 [inline]
[<ffffffff809a627a>] free_pages_prepare mm/page_alloc.c:1119 [inline]
[<ffffffff809a627a>] free_frozen_pages+0xb82/0x155c mm/page_alloc.c:2660
[<ffffffff809b5256>] page_frag_free+0x336/0x382 mm/page_frag_cache.c:169
[<ffffffff8507e482>] __xdp_return+0x336/0xa02 net/core/xdp.c:447
[<ffffffff850583d2>] bpf_xdp_shrink_data net/core/filter.c:4155 [inline]
[<ffffffff850583d2>] bpf_xdp_frags_shrink_tail net/core/filter.c:4175 [inline]
[<ffffffff850583d2>] ____bpf_xdp_adjust_tail net/core/filter.c:4200 [inline]
[<ffffffff850583d2>] bpf_xdp_adjust_tail+0x9c8/0xf50 net/core/filter.c:4193
[<ffffffff780080f8>] bpf_prog_f476d5219b92964a+0x28/0x36
[<ffffffff85027a4a>] bpf_dispatcher_xdp_func+0x22/0x32 net/core/filter.c:11701
[<ffffffff84f965d8>] __bpf_prog_run include/linux/filter.h:701 [inline]
[<ffffffff84f965d8>] bpf_prog_run_xdp include/net/xdp.h:654 [inline]
[<ffffffff84f965d8>] bpf_prog_run_generic_xdp+0x6ba/0x166a net/core/dev.c:5123
[<ffffffff84f9824e>] netif_receive_generic_xdp net/core/dev.c:5236 [inline]
[<ffffffff84f9824e>] do_xdp_generic+0x7e2/0xf14 net/core/dev.c:5298
[<ffffffff831b71d4>] tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
[<ffffffff831bb756>] tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
[<ffffffff80b63350>] new_sync_write fs/read_write.c:586 [inline]
[<ffffffff80b63350>] vfs_write+0x56c/0xa9a fs/read_write.c:679
[<ffffffff80b63c5e>] ksys_write+0x126/0x226 fs/read_write.c:731
[<ffffffff80b63dcc>] __do_sys_write fs/read_write.c:742 [inline]
[<ffffffff80b63dcc>] __se_sys_write fs/read_write.c:739 [inline]
[<ffffffff80b63dcc>] __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
[<ffffffff80072b1e>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff86242a5a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff86268776>] handle_exception+0x146/0x152 arch/riscv/kernel/entry.S:197
BUG: Bad page state in process syz.2.552  pfn:9d46c
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffffaf801d46c280 pfn:0x9d46c
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ffffaf8011f15000 0000000000000000
raw: ffffaf801d46c280 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 4089, tgid 4087 (syz.0.72), ts 635432477100, free_ts 627993335600
 __set_page_owner+0xa2/0x710 mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xea/0x1e2 mm/page_alloc.c:1551
 prep_new_page mm/page_alloc.c:1559 [inline]
 get_page_from_freelist+0xf78/0x2bd6 mm/page_alloc.c:3477
 __alloc_frozen_pages_noprof+0x1e8/0x20fc mm/page_alloc.c:4739
 __alloc_pages_noprof mm/page_alloc.c:4773 [inline]
 alloc_pages_bulk_noprof+0x580/0x10a8 mm/page_alloc.c:4693
 alloc_pages_bulk_node_noprof include/linux/gfp.h:235 [inline]
 __page_pool_alloc_pages_slow+0x18c/0xc4e net/core/page_pool.c:542
 page_pool_alloc_netmems net/core/page_pool.c:593 [inline]
 page_pool_alloc_netmems+0xc0/0x158 net/core/page_pool.c:580
 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline]
 page_pool_alloc include/net/page_pool/helpers.h:160 [inline]
 page_pool_dev_alloc include/net/page_pool/helpers.h:181 [inline]
 skb_pp_cow_data+0x8be/0xfe2 net/core/skbuff.c:983
 skb_cow_data_for_xdp+0x8a/0xbc net/core/skbuff.c:1017
 netif_skb_check_for_xdp net/core/dev.c:5191 [inline]
 netif_receive_generic_xdp net/core/dev.c:5230 [inline]
 do_xdp_generic+0x500/0xf14 net/core/dev.c:5298
 tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
 tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
 new_sync_write fs/read_write.c:586 [inline]
 vfs_write+0x56c/0xa9a fs/read_write.c:679
 ksys_write+0x126/0x226 fs/read_write.c:731
 __do_sys_write fs/read_write.c:742 [inline]
 __se_sys_write fs/read_write.c:739 [inline]
 __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
page last free pid 3856 tgid 3856 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_frozen_pages+0x96a/0x155c mm/page_alloc.c:2660
 __free_pages+0x13a/0x1ba mm/page_alloc.c:4838
 pagetable_free include/linux/mm.h:2917 [inline]
 pagetable_dtor_free include/linux/mm.h:3015 [inline]
 __tlb_remove_table include/asm-generic/tlb.h:216 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0xde/0x160 mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2546 [inline]
 rcu_core+0xa24/0x1ea0 kernel/rcu/tree.c:2802
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2819
 handle_softirqs+0x4b2/0x132e kernel/softirq.c:561
 __do_softirq kernel/softirq.c:595 [inline]
 invoke_softirq kernel/softirq.c:435 [inline]
 __irq_exit_rcu+0x18c/0x550 kernel/softirq.c:662
 irq_exit_rcu+0x10/0xf8 kernel/softirq.c:678
 handle_riscv_irq+0x40/0x4c arch/riscv/kernel/traps.c:378
 call_on_irq_stack+0x32/0x40 arch/riscv/kernel/entry.S:356
Modules linked in:
CPU: 1 UID: 0 PID: 5852 Comm: syz.2.552 Tainted: G    B              6.14.0-rc1-syzkaller-g245aece3750d #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80074518>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:132
[<ffffffff80003206>] show_stack+0x30/0x3c arch/riscv/kernel/stacktrace.c:138
[<ffffffff8005fa4c>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff8005fa4c>] dump_stack_lvl+0x12e/0x1a6 lib/dump_stack.c:120
[<ffffffff8005fae0>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff80997d5c>] bad_page+0x266/0x2d8 mm/page_alloc.c:501
[<ffffffff809a627a>] free_page_is_bad_report mm/page_alloc.c:913 [inline]
[<ffffffff809a627a>] free_page_is_bad mm/page_alloc.c:923 [inline]
[<ffffffff809a627a>] free_pages_prepare mm/page_alloc.c:1119 [inline]
[<ffffffff809a627a>] free_frozen_pages+0xb82/0x155c mm/page_alloc.c:2660
[<ffffffff809b5256>] page_frag_free+0x336/0x382 mm/page_frag_cache.c:169
[<ffffffff8507e482>] __xdp_return+0x336/0xa02 net/core/xdp.c:447
[<ffffffff850583d2>] bpf_xdp_shrink_data net/core/filter.c:4155 [inline]
[<ffffffff850583d2>] bpf_xdp_frags_shrink_tail net/core/filter.c:4175 [inline]
[<ffffffff850583d2>] ____bpf_xdp_adjust_tail net/core/filter.c:4200 [inline]
[<ffffffff850583d2>] bpf_xdp_adjust_tail+0x9c8/0xf50 net/core/filter.c:4193
[<ffffffff780080f8>] bpf_prog_f476d5219b92964a+0x28/0x36
[<ffffffff85027a4a>] bpf_dispatcher_xdp_func+0x22/0x32 net/core/filter.c:11701
[<ffffffff84f965d8>] __bpf_prog_run include/linux/filter.h:701 [inline]
[<ffffffff84f965d8>] bpf_prog_run_xdp include/net/xdp.h:654 [inline]
[<ffffffff84f965d8>] bpf_prog_run_generic_xdp+0x6ba/0x166a net/core/dev.c:5123
[<ffffffff84f9824e>] netif_receive_generic_xdp net/core/dev.c:5236 [inline]
[<ffffffff84f9824e>] do_xdp_generic+0x7e2/0xf14 net/core/dev.c:5298
[<ffffffff831b71d4>] tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
[<ffffffff831bb756>] tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
[<ffffffff80b63350>] new_sync_write fs/read_write.c:586 [inline]
[<ffffffff80b63350>] vfs_write+0x56c/0xa9a fs/read_write.c:679
[<ffffffff80b63c5e>] ksys_write+0x126/0x226 fs/read_write.c:731
[<ffffffff80b63dcc>] __do_sys_write fs/read_write.c:742 [inline]
[<ffffffff80b63dcc>] __se_sys_write fs/read_write.c:739 [inline]
[<ffffffff80b63dcc>] __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
[<ffffffff80072b1e>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff86242a5a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff86268776>] handle_exception+0x146/0x152 arch/riscv/kernel/entry.S:197
BUG: Bad page state in process syz.2.552  pfn:99007
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffffaf8000000000 pfn:0x99007
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ffffaf8011f15000 0000000000000000
raw: ffffaf8000000000 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 4089, tgid 4087 (syz.0.72), ts 635432611300, free_ts 627992857700
 __set_page_owner+0xa2/0x710 mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xea/0x1e2 mm/page_alloc.c:1551
 prep_new_page mm/page_alloc.c:1559 [inline]
 get_page_from_freelist+0xf78/0x2bd6 mm/page_alloc.c:3477
 __alloc_frozen_pages_noprof+0x1e8/0x20fc mm/page_alloc.c:4739
 __alloc_pages_noprof mm/page_alloc.c:4773 [inline]
 alloc_pages_bulk_noprof+0x580/0x10a8 mm/page_alloc.c:4693
 alloc_pages_bulk_node_noprof include/linux/gfp.h:235 [inline]
 __page_pool_alloc_pages_slow+0x18c/0xc4e net/core/page_pool.c:542
 page_pool_alloc_netmems net/core/page_pool.c:593 [inline]
 page_pool_alloc_netmems+0xc0/0x158 net/core/page_pool.c:580
 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline]
 page_pool_alloc include/net/page_pool/helpers.h:160 [inline]
 page_pool_dev_alloc include/net/page_pool/helpers.h:181 [inline]
 skb_pp_cow_data+0x8be/0xfe2 net/core/skbuff.c:983
 skb_cow_data_for_xdp+0x8a/0xbc net/core/skbuff.c:1017
 netif_skb_check_for_xdp net/core/dev.c:5191 [inline]
 netif_receive_generic_xdp net/core/dev.c:5230 [inline]
 do_xdp_generic+0x500/0xf14 net/core/dev.c:5298
 tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
 tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
 new_sync_write fs/read_write.c:586 [inline]
 vfs_write+0x56c/0xa9a fs/read_write.c:679
 ksys_write+0x126/0x226 fs/read_write.c:731
 __do_sys_write fs/read_write.c:742 [inline]
 __se_sys_write fs/read_write.c:739 [inline]
 __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
page last free pid 3856 tgid 3856 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_frozen_pages+0x96a/0x155c mm/page_alloc.c:2660
 __free_pages+0x13a/0x1ba mm/page_alloc.c:4838
 pagetable_free include/linux/mm.h:2917 [inline]
 pagetable_dtor_free include/linux/mm.h:3015 [inline]
 __tlb_remove_table include/asm-generic/tlb.h:216 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0xde/0x160 mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2546 [inline]
 rcu_core+0xa24/0x1ea0 kernel/rcu/tree.c:2802
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2819
 handle_softirqs+0x4b2/0x132e kernel/softirq.c:561
 __do_softirq kernel/softirq.c:595 [inline]
 invoke_softirq kernel/softirq.c:435 [inline]
 __irq_exit_rcu+0x18c/0x550 kernel/softirq.c:662
 irq_exit_rcu+0x10/0xf8 kernel/softirq.c:678
 handle_riscv_irq+0x40/0x4c arch/riscv/kernel/traps.c:378
 call_on_irq_stack+0x32/0x40 arch/riscv/kernel/entry.S:356
Modules linked in:
CPU: 1 UID: 0 PID: 5852 Comm: syz.2.552 Tainted: G    B              6.14.0-rc1-syzkaller-g245aece3750d #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80074518>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:132
[<ffffffff80003206>] show_stack+0x30/0x3c arch/riscv/kernel/stacktrace.c:138
[<ffffffff8005fa4c>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff8005fa4c>] dump_stack_lvl+0x12e/0x1a6 lib/dump_stack.c:120
[<ffffffff8005fae0>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff80997d5c>] bad_page+0x266/0x2d8 mm/page_alloc.c:501
[<ffffffff809a627a>] free_page_is_bad_report mm/page_alloc.c:913 [inline]
[<ffffffff809a627a>] free_page_is_bad mm/page_alloc.c:923 [inline]
[<ffffffff809a627a>] free_pages_prepare mm/page_alloc.c:1119 [inline]
[<ffffffff809a627a>] free_frozen_pages+0xb82/0x155c mm/page_alloc.c:2660
[<ffffffff809b5256>] page_frag_free+0x336/0x382 mm/page_frag_cache.c:169
[<ffffffff8507e482>] __xdp_return+0x336/0xa02 net/core/xdp.c:447
[<ffffffff850583d2>] bpf_xdp_shrink_data net/core/filter.c:4155 [inline]
[<ffffffff850583d2>] bpf_xdp_frags_shrink_tail net/core/filter.c:4175 [inline]
[<ffffffff850583d2>] ____bpf_xdp_adjust_tail net/core/filter.c:4200 [inline]
[<ffffffff850583d2>] bpf_xdp_adjust_tail+0x9c8/0xf50 net/core/filter.c:4193
[<ffffffff780080f8>] bpf_prog_f476d5219b92964a+0x28/0x36
[<ffffffff85027a4a>] bpf_dispatcher_xdp_func+0x22/0x32 net/core/filter.c:11701
[<ffffffff84f965d8>] __bpf_prog_run include/linux/filter.h:701 [inline]
[<ffffffff84f965d8>] bpf_prog_run_xdp include/net/xdp.h:654 [inline]
[<ffffffff84f965d8>] bpf_prog_run_generic_xdp+0x6ba/0x166a net/core/dev.c:5123
[<ffffffff84f9824e>] netif_receive_generic_xdp net/core/dev.c:5236 [inline]
[<ffffffff84f9824e>] do_xdp_generic+0x7e2/0xf14 net/core/dev.c:5298
[<ffffffff831b71d4>] tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
[<ffffffff831bb756>] tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
[<ffffffff80b63350>] new_sync_write fs/read_write.c:586 [inline]
[<ffffffff80b63350>] vfs_write+0x56c/0xa9a fs/read_write.c:679
[<ffffffff80b63c5e>] ksys_write+0x126/0x226 fs/read_write.c:731
[<ffffffff80b63dcc>] __do_sys_write fs/read_write.c:742 [inline]
[<ffffffff80b63dcc>] __se_sys_write fs/read_write.c:739 [inline]
[<ffffffff80b63dcc>] __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
[<ffffffff80072b1e>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff86242a5a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff86268776>] handle_exception+0x146/0x152 arch/riscv/kernel/entry.S:197
BUG: Bad page state in process syz.2.552  pfn:a0e2e
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xa0e2e
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ffffaf8011f15000 0000000000000000
raw: 0000000000000000 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 4089, tgid 4087 (syz.0.72), ts 635432746300, free_ts 627992234500
 __set_page_owner+0xa2/0x710 mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xea/0x1e2 mm/page_alloc.c:1551
 prep_new_page mm/page_alloc.c:1559 [inline]
 get_page_from_freelist+0xf78/0x2bd6 mm/page_alloc.c:3477
 __alloc_frozen_pages_noprof+0x1e8/0x20fc mm/page_alloc.c:4739
 __alloc_pages_noprof mm/page_alloc.c:4773 [inline]
 alloc_pages_bulk_noprof+0x580/0x10a8 mm/page_alloc.c:4693
 alloc_pages_bulk_node_noprof include/linux/gfp.h:235 [inline]
 __page_pool_alloc_pages_slow+0x18c/0xc4e net/core/page_pool.c:542
 page_pool_alloc_netmems net/core/page_pool.c:593 [inline]
 page_pool_alloc_netmems+0xc0/0x158 net/core/page_pool.c:580
 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline]
 page_pool_alloc include/net/page_pool/helpers.h:160 [inline]
 page_pool_dev_alloc include/net/page_pool/helpers.h:181 [inline]
 skb_pp_cow_data+0x8be/0xfe2 net/core/skbuff.c:983
 skb_cow_data_for_xdp+0x8a/0xbc net/core/skbuff.c:1017
 netif_skb_check_for_xdp net/core/dev.c:5191 [inline]
 netif_receive_generic_xdp net/core/dev.c:5230 [inline]
 do_xdp_generic+0x500/0xf14 net/core/dev.c:5298
 tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
 tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
 new_sync_write fs/read_write.c:586 [inline]
 vfs_write+0x56c/0xa9a fs/read_write.c:679
 ksys_write+0x126/0x226 fs/read_write.c:731
 __do_sys_write fs/read_write.c:742 [inline]
 __se_sys_write fs/read_write.c:739 [inline]
 __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
page last free pid 3856 tgid 3856 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_frozen_pages+0x96a/0x155c mm/page_alloc.c:2660
 __free_pages+0x13a/0x1ba mm/page_alloc.c:4838
 pagetable_free include/linux/mm.h:2917 [inline]
 pagetable_dtor_free include/linux/mm.h:3015 [inline]
 __tlb_remove_table include/asm-generic/tlb.h:216 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0xde/0x160 mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2546 [inline]
 rcu_core+0xa24/0x1ea0 kernel/rcu/tree.c:2802
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2819
 handle_softirqs+0x4b2/0x132e kernel/softirq.c:561
 __do_softirq kernel/softirq.c:595 [inline]
 invoke_softirq kernel/softirq.c:435 [inline]
 __irq_exit_rcu+0x18c/0x550 kernel/softirq.c:662
 irq_exit_rcu+0x10/0xf8 kernel/softirq.c:678
 handle_riscv_irq+0x40/0x4c arch/riscv/kernel/traps.c:378
 call_on_irq_stack+0x32/0x40 arch/riscv/kernel/entry.S:356
Modules linked in:
CPU: 1 UID: 0 PID: 5852 Comm: syz.2.552 Tainted: G    B              6.14.0-rc1-syzkaller-g245aece3750d #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80074518>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:132
[<ffffffff80003206>] show_stack+0x30/0x3c arch/riscv/kernel/stacktrace.c:138
[<ffffffff8005fa4c>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff8005fa4c>] dump_stack_lvl+0x12e/0x1a6 lib/dump_stack.c:120
[<ffffffff8005fae0>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff80997d5c>] bad_page+0x266/0x2d8 mm/page_alloc.c:501
[<ffffffff809a627a>] free_page_is_bad_report mm/page_alloc.c:913 [inline]
[<ffffffff809a627a>] free_page_is_bad mm/page_alloc.c:923 [inline]
[<ffffffff809a627a>] free_pages_prepare mm/page_alloc.c:1119 [inline]
[<ffffffff809a627a>] free_frozen_pages+0xb82/0x155c mm/page_alloc.c:2660
[<ffffffff809b5256>] page_frag_free+0x336/0x382 mm/page_frag_cache.c:169
[<ffffffff8507e482>] __xdp_return+0x336/0xa02 net/core/xdp.c:447
[<ffffffff850583d2>] bpf_xdp_shrink_data net/core/filter.c:4155 [inline]
[<ffffffff850583d2>] bpf_xdp_frags_shrink_tail net/core/filter.c:4175 [inline]
[<ffffffff850583d2>] ____bpf_xdp_adjust_tail net/core/filter.c:4200 [inline]
[<ffffffff850583d2>] bpf_xdp_adjust_tail+0x9c8/0xf50 net/core/filter.c:4193
[<ffffffff780080f8>] bpf_prog_f476d5219b92964a+0x28/0x36
[<ffffffff85027a4a>] bpf_dispatcher_xdp_func+0x22/0x32 net/core/filter.c:11701
[<ffffffff84f965d8>] __bpf_prog_run include/linux/filter.h:701 [inline]
[<ffffffff84f965d8>] bpf_prog_run_xdp include/net/xdp.h:654 [inline]
[<ffffffff84f965d8>] bpf_prog_run_generic_xdp+0x6ba/0x166a net/core/dev.c:5123
[<ffffffff84f9824e>] netif_receive_generic_xdp net/core/dev.c:5236 [inline]
[<ffffffff84f9824e>] do_xdp_generic+0x7e2/0xf14 net/core/dev.c:5298
[<ffffffff831b71d4>] tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
[<ffffffff831bb756>] tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
[<ffffffff80b63350>] new_sync_write fs/read_write.c:586 [inline]
[<ffffffff80b63350>] vfs_write+0x56c/0xa9a fs/read_write.c:679
[<ffffffff80b63c5e>] ksys_write+0x126/0x226 fs/read_write.c:731
[<ffffffff80b63dcc>] __do_sys_write fs/read_write.c:742 [inline]
[<ffffffff80b63dcc>] __se_sys_write fs/read_write.c:739 [inline]
[<ffffffff80b63dcc>] __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
[<ffffffff80072b1e>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff86242a5a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff86268776>] handle_exception+0x146/0x152 arch/riscv/kernel/entry.S:197
BUG: Bad page state in process syz.2.552  pfn:98ab4
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffffaf8000000000 pfn:0x98ab4
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ffffaf8011f15000 0000000000000000
raw: ffffaf8000000000 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 4089, tgid 4087 (syz.0.72), ts 635432879200, free_ts 627944564200
 __set_page_owner+0xa2/0x710 mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xea/0x1e2 mm/page_alloc.c:1551
 prep_new_page mm/page_alloc.c:1559 [inline]
 get_page_from_freelist+0xf78/0x2bd6 mm/page_alloc.c:3477
 __alloc_frozen_pages_noprof+0x1e8/0x20fc mm/page_alloc.c:4739
 __alloc_pages_noprof mm/page_alloc.c:4773 [inline]
 alloc_pages_bulk_noprof+0x580/0x10a8 mm/page_alloc.c:4693
 alloc_pages_bulk_node_noprof include/linux/gfp.h:235 [inline]
 __page_pool_alloc_pages_slow+0x18c/0xc4e net/core/page_pool.c:542
 page_pool_alloc_netmems net/core/page_pool.c:593 [inline]
 page_pool_alloc_netmems+0xc0/0x158 net/core/page_pool.c:580
 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline]
 page_pool_alloc include/net/page_pool/helpers.h:160 [inline]
 page_pool_dev_alloc include/net/page_pool/helpers.h:181 [inline]
 skb_pp_cow_data+0x8be/0xfe2 net/core/skbuff.c:983
 skb_cow_data_for_xdp+0x8a/0xbc net/core/skbuff.c:1017
 netif_skb_check_for_xdp net/core/dev.c:5191 [inline]
 netif_receive_generic_xdp net/core/dev.c:5230 [inline]
 do_xdp_generic+0x500/0xf14 net/core/dev.c:5298
 tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
 tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
 new_sync_write fs/read_write.c:586 [inline]
 vfs_write+0x56c/0xa9a fs/read_write.c:679
 ksys_write+0x126/0x226 fs/read_write.c:731
 __do_sys_write fs/read_write.c:742 [inline]
 __se_sys_write fs/read_write.c:739 [inline]
 __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
page last free pid 4071 tgid 4070 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_frozen_pages+0x96a/0x155c mm/page_alloc.c:2660
 __free_pages+0x13a/0x1ba mm/page_alloc.c:4838
 free_pages.part.0+0x268/0x4c6 mm/page_alloc.c:4851
 free_pages+0xe/0x18 mm/page_alloc.c:4848
 tlb_batch_list_free mm/mmu_gather.c:159 [inline]
 tlb_finish_mmu+0x20c/0x7e4 mm/mmu_gather.c:491
 exit_mmap+0x394/0xcf4 mm/mmap.c:1297
 __mmput+0xfe/0x3ac kernel/fork.c:1356
 mmput+0x74/0x88 kernel/fork.c:1378
 exit_mm kernel/exit.c:570 [inline]
 do_exit+0x8fc/0x2966 kernel/exit.c:925
 do_group_exit+0xd4/0x26c kernel/exit.c:1087
 get_signal+0x1f4e/0x22e0 kernel/signal.c:3036
 arch_do_signal_or_restart+0x77c/0x207a arch/riscv/kernel/signal.c:431
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x222/0x2a4 kernel/entry/common.c:218
 do_trap_ecall_u+0x86/0x216 arch/riscv/kernel/traps.c:345
 handle_exception+0x146/0x152 arch/riscv/kernel/entry.S:197
Modules linked in:
CPU: 1 UID: 0 PID: 5852 Comm: syz.2.552 Tainted: G    B              6.14.0-rc1-syzkaller-g245aece3750d #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80074518>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:132
[<ffffffff80003206>] show_stack+0x30/0x3c arch/riscv/kernel/stacktrace.c:138
[<ffffffff8005fa4c>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff8005fa4c>] dump_stack_lvl+0x12e/0x1a6 lib/dump_stack.c:120
[<ffffffff8005fae0>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff80997d5c>] bad_page+0x266/0x2d8 mm/page_alloc.c:501
[<ffffffff809a627a>] free_page_is_bad_report mm/page_alloc.c:913 [inline]
[<ffffffff809a627a>] free_page_is_bad mm/page_alloc.c:923 [inline]
[<ffffffff809a627a>] free_pages_prepare mm/page_alloc.c:1119 [inline]
[<ffffffff809a627a>] free_frozen_pages+0xb82/0x155c mm/page_alloc.c:2660
[<ffffffff809b5256>] page_frag_free+0x336/0x382 mm/page_frag_cache.c:169
[<ffffffff8507e482>] __xdp_return+0x336/0xa02 net/core/xdp.c:447
[<ffffffff850583d2>] bpf_xdp_shrink_data net/core/filter.c:4155 [inline]
[<ffffffff850583d2>] bpf_xdp_frags_shrink_tail net/core/filter.c:4175 [inline]
[<ffffffff850583d2>] ____bpf_xdp_adjust_tail net/core/filter.c:4200 [inline]
[<ffffffff850583d2>] bpf_xdp_adjust_tail+0x9c8/0xf50 net/core/filter.c:4193
[<ffffffff780080f8>] bpf_prog_f476d5219b92964a+0x28/0x36
[<ffffffff85027a4a>] bpf_dispatcher_xdp_func+0x22/0x32 net/core/filter.c:11701
[<ffffffff84f965d8>] __bpf_prog_run include/linux/filter.h:701 [inline]
[<ffffffff84f965d8>] bpf_prog_run_xdp include/net/xdp.h:654 [inline]
[<ffffffff84f965d8>] bpf_prog_run_generic_xdp+0x6ba/0x166a net/core/dev.c:5123
[<ffffffff84f9824e>] netif_receive_generic_xdp net/core/dev.c:5236 [inline]
[<ffffffff84f9824e>] do_xdp_generic+0x7e2/0xf14 net/core/dev.c:5298
[<ffffffff831b71d4>] tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
[<ffffffff831bb756>] tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
[<ffffffff80b63350>] new_sync_write fs/read_write.c:586 [inline]
[<ffffffff80b63350>] vfs_write+0x56c/0xa9a fs/read_write.c:679
[<ffffffff80b63c5e>] ksys_write+0x126/0x226 fs/read_write.c:731
[<ffffffff80b63dcc>] __do_sys_write fs/read_write.c:742 [inline]
[<ffffffff80b63dcc>] __se_sys_write fs/read_write.c:739 [inline]
[<ffffffff80b63dcc>] __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
[<ffffffff80072b1e>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff86242a5a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff86268776>] handle_exception+0x146/0x152 arch/riscv/kernel/entry.S:197
BUG: Bad page state in process syz.2.552  pfn:98da4
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffffaf8018da4dc0 pfn:0x98da4
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ffffaf8011f15000 0000000000000000
raw: ffffaf8018da4dc0 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 4089, tgid 4087 (syz.0.72), ts 635433014000, free_ts 627944445400
 __set_page_owner+0xa2/0x710 mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xea/0x1e2 mm/page_alloc.c:1551
 prep_new_page mm/page_alloc.c:1559 [inline]
 get_page_from_freelist+0xf78/0x2bd6 mm/page_alloc.c:3477
 __alloc_frozen_pages_noprof+0x1e8/0x20fc mm/page_alloc.c:4739
 __alloc_pages_noprof mm/page_alloc.c:4773 [inline]
 alloc_pages_bulk_noprof+0x580/0x10a8 mm/page_alloc.c:4693
 alloc_pages_bulk_node_noprof include/linux/gfp.h:235 [inline]
 __page_pool_alloc_pages_slow+0x18c/0xc4e net/core/page_pool.c:542
 page_pool_alloc_netmems net/core/page_pool.c:593 [inline]
 page_pool_alloc_netmems+0xc0/0x158 net/core/page_pool.c:580
 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline]
 page_pool_alloc include/net/page_pool/helpers.h:160 [inline]
 page_pool_dev_alloc include/net/page_pool/helpers.h:181 [inline]
 skb_pp_cow_data+0x8be/0xfe2 net/core/skbuff.c:983
 skb_cow_data_for_xdp+0x8a/0xbc net/core/skbuff.c:1017
 netif_skb_check_for_xdp net/core/dev.c:5191 [inline]
 netif_receive_generic_xdp net/core/dev.c:5230 [inline]
 do_xdp_generic+0x500/0xf14 net/core/dev.c:5298
 tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
 tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
 new_sync_write fs/read_write.c:586 [inline]
 vfs_write+0x56c/0xa9a fs/read_write.c:679
 ksys_write+0x126/0x226 fs/read_write.c:731
 __do_sys_write fs/read_write.c:742 [inline]
 __se_sys_write fs/read_write.c:739 [inline]
 __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
page last free pid 4071 tgid 4070 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_frozen_pages+0x96a/0x155c mm/page_alloc.c:2660
 __free_pages+0x13a/0x1ba mm/page_alloc.c:4838
 free_pages.part.0+0x268/0x4c6 mm/page_alloc.c:4851
 free_pages+0xe/0x18 mm/page_alloc.c:4848
 tlb_batch_list_free mm/mmu_gather.c:159 [inline]
 tlb_finish_mmu+0x20c/0x7e4 mm/mmu_gather.c:491
 exit_mmap+0x394/0xcf4 mm/mmap.c:1297
 __mmput+0xfe/0x3ac kernel/fork.c:1356
 mmput+0x74/0x88 kernel/fork.c:1378
 exit_mm kernel/exit.c:570 [inline]
 do_exit+0x8fc/0x2966 kernel/exit.c:925
 do_group_exit+0xd4/0x26c kernel/exit.c:1087
 get_signal+0x1f4e/0x22e0 kernel/signal.c:3036
 arch_do_signal_or_restart+0x77c/0x207a arch/riscv/kernel/signal.c:431
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x222/0x2a4 kernel/entry/common.c:218
 do_trap_ecall_u+0x86/0x216 arch/riscv/kernel/traps.c:345
 handle_exception+0x146/0x152 arch/riscv/kernel/entry.S:197
Modules linked in:
CPU: 1 UID: 0 PID: 5852 Comm: syz.2.552 Tainted: G    B              6.14.0-rc1-syzkaller-g245aece3750d #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80074518>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:132
[<ffffffff80003206>] show_stack+0x30/0x3c arch/riscv/kernel/stacktrace.c:138
[<ffffffff8005fa4c>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff8005fa4c>] dump_stack_lvl+0x12e/0x1a6 lib/dump_stack.c:120
[<ffffffff8005fae0>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff80997d5c>] bad_page+0x266/0x2d8 mm/page_alloc.c:501
[<ffffffff809a627a>] free_page_is_bad_report mm/page_alloc.c:913 [inline]
[<ffffffff809a627a>] free_page_is_bad mm/page_alloc.c:923 [inline]
[<ffffffff809a627a>] free_pages_prepare mm/page_alloc.c:1119 [inline]
[<ffffffff809a627a>] free_frozen_pages+0xb82/0x155c mm/page_alloc.c:2660
[<ffffffff809b5256>] page_frag_free+0x336/0x382 mm/page_frag_cache.c:169
[<ffffffff8507e482>] __xdp_return+0x336/0xa02 net/core/xdp.c:447
[<ffffffff850583d2>] bpf_xdp_shrink_data net/core/filter.c:4155 [inline]
[<ffffffff850583d2>] bpf_xdp_frags_shrink_tail net/core/filter.c:4175 [inline]
[<ffffffff850583d2>] ____bpf_xdp_adjust_tail net/core/filter.c:4200 [inline]
[<ffffffff850583d2>] bpf_xdp_adjust_tail+0x9c8/0xf50 net/core/filter.c:4193
[<ffffffff780080f8>] bpf_prog_f476d5219b92964a+0x28/0x36
[<ffffffff85027a4a>] bpf_dispatcher_xdp_func+0x22/0x32 net/core/filter.c:11701
[<ffffffff84f965d8>] __bpf_prog_run include/linux/filter.h:701 [inline]
[<ffffffff84f965d8>] bpf_prog_run_xdp include/net/xdp.h:654 [inline]
[<ffffffff84f965d8>] bpf_prog_run_generic_xdp+0x6ba/0x166a net/core/dev.c:5123
[<ffffffff84f9824e>] netif_receive_generic_xdp net/core/dev.c:5236 [inline]
[<ffffffff84f9824e>] do_xdp_generic+0x7e2/0xf14 net/core/dev.c:5298
[<ffffffff831b71d4>] tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
[<ffffffff831bb756>] tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
[<ffffffff80b63350>] new_sync_write fs/read_write.c:586 [inline]
[<ffffffff80b63350>] vfs_write+0x56c/0xa9a fs/read_write.c:679
[<ffffffff80b63c5e>] ksys_write+0x126/0x226 fs/read_write.c:731
[<ffffffff80b63dcc>] __do_sys_write fs/read_write.c:742 [inline]
[<ffffffff80b63dcc>] __se_sys_write fs/read_write.c:739 [inline]
[<ffffffff80b63dcc>] __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
[<ffffffff80072b1e>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff86242a5a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff86268776>] handle_exception+0x146/0x152 arch/riscv/kernel/entry.S:197
BUG: Bad page state in process syz.2.552  pfn:9b278
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffffaf8000000000 pfn:0x9b278
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ffffaf8011f15000 0000000000000000
raw: ffffaf8000000000 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 4089, tgid 4087 (syz.0.72), ts 635433184900, free_ts 627944325800
 __set_page_owner+0xa2/0x710 mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xea/0x1e2 mm/page_alloc.c:1551
 prep_new_page mm/page_alloc.c:1559 [inline]
 get_page_from_freelist+0xf78/0x2bd6 mm/page_alloc.c:3477
 __alloc_frozen_pages_noprof+0x1e8/0x20fc mm/page_alloc.c:4739
 __alloc_pages_noprof mm/page_alloc.c:4773 [inline]
 alloc_pages_bulk_noprof+0x580/0x10a8 mm/page_alloc.c:4693
 alloc_pages_bulk_node_noprof include/linux/gfp.h:235 [inline]
 __page_pool_alloc_pages_slow+0x18c/0xc4e net/core/page_pool.c:542
 page_pool_alloc_netmems net/core/page_pool.c:593 [inline]
 page_pool_alloc_netmems+0xc0/0x158 net/core/page_pool.c:580
 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline]
 page_pool_alloc include/net/page_pool/helpers.h:160 [inline]
 page_pool_dev_alloc include/net/page_pool/helpers.h:181 [inline]
 skb_pp_cow_data+0x8be/0xfe2 net/core/skbuff.c:983
 skb_cow_data_for_xdp+0x8a/0xbc net/core/skbuff.c:1017
 netif_skb_check_for_xdp net/core/dev.c:5191 [inline]
 netif_receive_generic_xdp net/core/dev.c:5230 [inline]
 do_xdp_generic+0x500/0xf14 net/core/dev.c:5298
 tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
 tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
 new_sync_write fs/read_write.c:586 [inline]
 vfs_write+0x56c/0xa9a fs/read_write.c:679
 ksys_write+0x126/0x226 fs/read_write.c:731
 __do_sys_write fs/read_write.c:742 [inline]
 __se_sys_write fs/read_write.c:739 [inline]
 __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
page last free pid 4071 tgid 4070 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_frozen_pages+0x96a/0x155c mm/page_alloc.c:2660
 __free_pages+0x13a/0x1ba mm/page_alloc.c:4838
 free_pages.part.0+0x268/0x4c6 mm/page_alloc.c:4851
 free_pages+0xe/0x18 mm/page_alloc.c:4848
 tlb_batch_list_free mm/mmu_gather.c:159 [inline]
 tlb_finish_mmu+0x20c/0x7e4 mm/mmu_gather.c:491
 exit_mmap+0x394/0xcf4 mm/mmap.c:1297
 __mmput+0xfe/0x3ac kernel/fork.c:1356
 mmput+0x74/0x88 kernel/fork.c:1378
 exit_mm kernel/exit.c:570 [inline]
 do_exit+0x8fc/0x2966 kernel/exit.c:925
 do_group_exit+0xd4/0x26c kernel/exit.c:1087
 get_signal+0x1f4e/0x22e0 kernel/signal.c:3036
 arch_do_signal_or_restart+0x77c/0x207a arch/riscv/kernel/signal.c:431
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x222/0x2a4 kernel/entry/common.c:218
 do_trap_ecall_u+0x86/0x216 arch/riscv/kernel/traps.c:345
 handle_exception+0x146/0x152 arch/riscv/kernel/entry.S:197
Modules linked in:
CPU: 1 UID: 0 PID: 5852 Comm: syz.2.552 Tainted: G    B              6.14.0-rc1-syzkaller-g245aece3750d #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80074518>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:132
[<ffffffff80003206>] show_stack+0x30/0x3c arch/riscv/kernel/stacktrace.c:138
[<ffffffff8005fa4c>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff8005fa4c>] dump_stack_lvl+0x12e/0x1a6 lib/dump_stack.c:120
[<ffffffff8005fae0>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff80997d5c>] bad_page+0x266/0x2d8 mm/page_alloc.c:501
[<ffffffff809a627a>] free_page_is_bad_report mm/page_alloc.c:913 [inline]
[<ffffffff809a627a>] free_page_is_bad mm/page_alloc.c:923 [inline]
[<ffffffff809a627a>] free_pages_prepare mm/page_alloc.c:1119 [inline]
[<ffffffff809a627a>] free_frozen_pages+0xb82/0x155c mm/page_alloc.c:2660
[<ffffffff809b5256>] page_frag_free+0x336/0x382 mm/page_frag_cache.c:169
[<ffffffff8507e482>] __xdp_return+0x336/0xa02 net/core/xdp.c:447
[<ffffffff850583d2>] bpf_xdp_shrink_data net/core/filter.c:4155 [inline]
[<ffffffff850583d2>] bpf_xdp_frags_shrink_tail net/core/filter.c:4175 [inline]
[<ffffffff850583d2>] ____bpf_xdp_adjust_tail net/core/filter.c:4200 [inline]
[<ffffffff850583d2>] bpf_xdp_adjust_tail+0x9c8/0xf50 net/core/filter.c:4193
[<ffffffff780080f8>] bpf_prog_f476d5219b92964a+0x28/0x36
[<ffffffff85027a4a>] bpf_dispatcher_xdp_func+0x22/0x32 net/core/filter.c:11701
[<ffffffff84f965d8>] __bpf_prog_run include/linux/filter.h:701 [inline]
[<ffffffff84f965d8>] bpf_prog_run_xdp include/net/xdp.h:654 [inline]
[<ffffffff84f965d8>] bpf_prog_run_generic_xdp+0x6ba/0x166a net/core/dev.c:5123
[<ffffffff84f9824e>] netif_receive_generic_xdp net/core/dev.c:5236 [inline]
[<ffffffff84f9824e>] do_xdp_generic+0x7e2/0xf14 net/core/dev.c:5298
[<ffffffff831b71d4>] tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
[<ffffffff831bb756>] tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
[<ffffffff80b63350>] new_sync_write fs/read_write.c:586 [inline]
[<ffffffff80b63350>] vfs_write+0x56c/0xa9a fs/read_write.c:679
[<ffffffff80b63c5e>] ksys_write+0x126/0x226 fs/read_write.c:731
[<ffffffff80b63dcc>] __do_sys_write fs/read_write.c:742 [inline]
[<ffffffff80b63dcc>] __se_sys_write fs/read_write.c:739 [inline]
[<ffffffff80b63dcc>] __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
[<ffffffff80072b1e>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff86242a5a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff86268776>] handle_exception+0x146/0x152 arch/riscv/kernel/entry.S:197
BUG: Bad page state in process syz.2.552  pfn:a0619
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffffaf8000000000 pfn:0xa0619
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ffffaf8011f15000 0000000000000000
raw: ffffaf8000000000 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 4089, tgid 4087 (syz.0.72), ts 635433459400, free_ts 627944075800
 __set_page_owner+0xa2/0x710 mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xea/0x1e2 mm/page_alloc.c:1551
 prep_new_page mm/page_alloc.c:1559 [inline]
 get_page_from_freelist+0xf78/0x2bd6 mm/page_alloc.c:3477
 __alloc_frozen_pages_noprof+0x1e8/0x20fc mm/page_alloc.c:4739
 __alloc_pages_noprof mm/page_alloc.c:4773 [inline]
 alloc_pages_bulk_noprof+0x580/0x10a8 mm/page_alloc.c:4693
 alloc_pages_bulk_node_noprof include/linux/gfp.h:235 [inline]
 __page_pool_alloc_pages_slow+0x18c/0xc4e net/core/page_pool.c:542
 page_pool_alloc_netmems net/core/page_pool.c:593 [inline]
 page_pool_alloc_netmems+0xc0/0x158 net/core/page_pool.c:580
 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline]
 page_pool_alloc include/net/page_pool/helpers.h:160 [inline]
 page_pool_dev_alloc include/net/page_pool/helpers.h:181 [inline]
 skb_pp_cow_data+0x8be/0xfe2 net/core/skbuff.c:983
 skb_cow_data_for_xdp+0x8a/0xbc net/core/skbuff.c:1017
 netif_skb_check_for_xdp net/core/dev.c:5191 [inline]
 netif_receive_generic_xdp net/core/dev.c:5230 [inline]
 do_xdp_generic+0x500/0xf14 net/core/dev.c:5298
 tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
 tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
 new_sync_write fs/read_write.c:586 [inline]
 vfs_write+0x56c/0xa9a fs/read_write.c:679
 ksys_write+0x126/0x226 fs/read_write.c:731
 __do_sys_write fs/read_write.c:742 [inline]
 __se_sys_write fs/read_write.c:739 [inline]
 __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
page last free pid 4071 tgid 4070 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_frozen_pages+0x96a/0x155c mm/page_alloc.c:2660
 __free_pages+0x13a/0x1ba mm/page_alloc.c:4838
 free_pages.part.0+0x268/0x4c6 mm/page_alloc.c:4851
 free_pages+0xe/0x18 mm/page_alloc.c:4848
 tlb_batch_list_free mm/mmu_gather.c:159 [inline]
 tlb_finish_mmu+0x20c/0x7e4 mm/mmu_gather.c:491
 exit_mmap+0x394/0xcf4 mm/mmap.c:1297
 __mmput+0xfe/0x3ac kernel/fork.c:1356
 mmput+0x74/0x88 kernel/fork.c:1378
 exit_mm kernel/exit.c:570 [inline]
 do_exit+0x8fc/0x2966 kernel/exit.c:925
 do_group_exit+0xd4/0x26c kernel/exit.c:1087
 get_signal+0x1f4e/0x22e0 kernel/signal.c:3036
 arch_do_signal_or_restart+0x77c/0x207a arch/riscv/kernel/signal.c:431
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x222/0x2a4 kernel/entry/common.c:218
 do_trap_ecall_u+0x86/0x216 arch/riscv/kernel/traps.c:345
 handle_exception+0x146/0x152 arch/riscv/kernel/entry.S:197
Modules linked in:
CPU: 1 UID: 0 PID: 5852 Comm: syz.2.552 Tainted: G    B              6.14.0-rc1-syzkaller-g245aece3750d #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80074518>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:132
[<ffffffff80003206>] show_stack+0x30/0x3c arch/riscv/kernel/stacktrace.c:138
[<ffffffff8005fa4c>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff8005fa4c>] dump_stack_lvl+0x12e/0x1a6 lib/dump_stack.c:120
[<ffffffff8005fae0>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff80997d5c>] bad_page+0x266/0x2d8 mm/page_alloc.c:501
[<ffffffff809a627a>] free_page_is_bad_report mm/page_alloc.c:913 [inline]
[<ffffffff809a627a>] free_page_is_bad mm/page_alloc.c:923 [inline]
[<ffffffff809a627a>] free_pages_prepare mm/page_alloc.c:1119 [inline]
[<ffffffff809a627a>] free_frozen_pages+0xb82/0x155c mm/page_alloc.c:2660
[<ffffffff809b5256>] page_frag_free+0x336/0x382 mm/page_frag_cache.c:169
[<ffffffff8507e482>] __xdp_return+0x336/0xa02 net/core/xdp.c:447
[<ffffffff850583d2>] bpf_xdp_shrink_data net/core/filter.c:4155 [inline]
[<ffffffff850583d2>] bpf_xdp_frags_shrink_tail net/core/filter.c:4175 [inline]
[<ffffffff850583d2>] ____bpf_xdp_adjust_tail net/core/filter.c:4200 [inline]
[<ffffffff850583d2>] bpf_xdp_adjust_tail+0x9c8/0xf50 net/core/filter.c:4193
[<ffffffff780080f8>] bpf_prog_f476d5219b92964a+0x28/0x36
[<ffffffff85027a4a>] bpf_dispatcher_xdp_func+0x22/0x32 net/core/filter.c:11701
[<ffffffff84f965d8>] __bpf_prog_run include/linux/filter.h:701 [inline]
[<ffffffff84f965d8>] bpf_prog_run_xdp include/net/xdp.h:654 [inline]
[<ffffffff84f965d8>] bpf_prog_run_generic_xdp+0x6ba/0x166a net/core/dev.c:5123
[<ffffffff84f9824e>] netif_receive_generic_xdp net/core/dev.c:5236 [inline]
[<ffffffff84f9824e>] do_xdp_generic+0x7e2/0xf14 net/core/dev.c:5298
[<ffffffff831b71d4>] tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
[<ffffffff831bb756>] tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
[<ffffffff80b63350>] new_sync_write fs/read_write.c:586 [inline]
[<ffffffff80b63350>] vfs_write+0x56c/0xa9a fs/read_write.c:679
[<ffffffff80b63c5e>] ksys_write+0x126/0x226 fs/read_write.c:731
[<ffffffff80b63dcc>] __do_sys_write fs/read_write.c:742 [inline]
[<ffffffff80b63dcc>] __se_sys_write fs/read_write.c:739 [inline]
[<ffffffff80b63dcc>] __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
[<ffffffff80072b1e>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff86242a5a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff86268776>] handle_exception+0x146/0x152 arch/riscv/kernel/entry.S:197
BUG: Bad page state in process syz.2.552  pfn:9c75f
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffffaf8000000000 pfn:0x9c75f
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ffffaf8011f15000 0000000000000000
raw: ffffaf8000000000 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 4089, tgid 4087 (syz.0.72), ts 635433612600, free_ts 627943950700
 __set_page_owner+0xa2/0x710 mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xea/0x1e2 mm/page_alloc.c:1551
 prep_new_page mm/page_alloc.c:1559 [inline]
 get_page_from_freelist+0xf78/0x2bd6 mm/page_alloc.c:3477
 __alloc_frozen_pages_noprof+0x1e8/0x20fc mm/page_alloc.c:4739
 __alloc_pages_noprof mm/page_alloc.c:4773 [inline]
 alloc_pages_bulk_noprof+0x580/0x10a8 mm/page_alloc.c:4693
 alloc_pages_bulk_node_noprof include/linux/gfp.h:235 [inline]
 __page_pool_alloc_pages_slow+0x18c/0xc4e net/core/page_pool.c:542
 page_pool_alloc_netmems net/core/page_pool.c:593 [inline]
 page_pool_alloc_netmems+0xc0/0x158 net/core/page_pool.c:580
 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline]
 page_pool_alloc include/net/page_pool/helpers.h:160 [inline]
 page_pool_dev_alloc include/net/page_pool/helpers.h:181 [inline]
 skb_pp_cow_data+0x8be/0xfe2 net/core/skbuff.c:983
 skb_cow_data_for_xdp+0x8a/0xbc net/core/skbuff.c:1017
 netif_skb_check_for_xdp net/core/dev.c:5191 [inline]
 netif_receive_generic_xdp net/core/dev.c:5230 [inline]
 do_xdp_generic+0x500/0xf14 net/core/dev.c:5298
 tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
 tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
 new_sync_write fs/read_write.c:586 [inline]
 vfs_write+0x56c/0xa9a fs/read_write.c:679
 ksys_write+0x126/0x226 fs/read_write.c:731
 __do_sys_write fs/read_write.c:742 [inline]
 __se_sys_write fs/read_write.c:739 [inline]
 __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
page last free pid 4071 tgid 4070 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_frozen_pages+0x96a/0x155c mm/page_alloc.c:2660
 __free_pages+0x13a/0x1ba mm/page_alloc.c:4838
 free_pages.part.0+0x268/0x4c6 mm/page_alloc.c:4851
 free_pages+0xe/0x18 mm/page_alloc.c:4848
 tlb_batch_list_free mm/mmu_gather.c:159 [inline]
 tlb_finish_mmu+0x20c/0x7e4 mm/mmu_gather.c:491
 exit_mmap+0x394/0xcf4 mm/mmap.c:1297
 __mmput+0xfe/0x3ac kernel/fork.c:1356
 mmput+0x74/0x88 kernel/fork.c:1378
 exit_mm kernel/exit.c:570 [inline]
 do_exit+0x8fc/0x2966 kernel/exit.c:925
 do_group_exit+0xd4/0x26c kernel/exit.c:1087
 get_signal+0x1f4e/0x22e0 kernel/signal.c:3036
 arch_do_signal_or_restart+0x77c/0x207a arch/riscv/kernel/signal.c:431
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x222/0x2a4 kernel/entry/common.c:218
 do_trap_ecall_u+0x86/0x216 arch/riscv/kernel/traps.c:345
 handle_exception+0x146/0x152 arch/riscv/kernel/entry.S:197
Modules linked in:
CPU: 1 UID: 0 PID: 5852 Comm: syz.2.552 Tainted: G    B              6.14.0-rc1-syzkaller-g245aece3750d #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80074518>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:132
[<ffffffff80003206>] show_stack+0x30/0x3c arch/riscv/kernel/stacktrace.c:138
[<ffffffff8005fa4c>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff8005fa4c>] dump_stack_lvl+0x12e/0x1a6 lib/dump_stack.c:120
[<ffffffff8005fae0>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff80997d5c>] bad_page+0x266/0x2d8 mm/page_alloc.c:501
[<ffffffff809a627a>] free_page_is_bad_report mm/page_alloc.c:913 [inline]
[<ffffffff809a627a>] free_page_is_bad mm/page_alloc.c:923 [inline]
[<ffffffff809a627a>] free_pages_prepare mm/page_alloc.c:1119 [inline]
[<ffffffff809a627a>] free_frozen_pages+0xb82/0x155c mm/page_alloc.c:2660
[<ffffffff809b5256>] page_frag_free+0x336/0x382 mm/page_frag_cache.c:169
[<ffffffff8507e482>] __xdp_return+0x336/0xa02 net/core/xdp.c:447
[<ffffffff850583d2>] bpf_xdp_shrink_data net/core/filter.c:4155 [inline]
[<ffffffff850583d2>] bpf_xdp_frags_shrink_tail net/core/filter.c:4175 [inline]
[<ffffffff850583d2>] ____bpf_xdp_adjust_tail net/core/filter.c:4200 [inline]
[<ffffffff850583d2>] bpf_xdp_adjust_tail+0x9c8/0xf50 net/core/filter.c:4193
[<ffffffff780080f8>] bpf_prog_f476d5219b92964a+0x28/0x36
[<ffffffff85027a4a>] bpf_dispatcher_xdp_func+0x22/0x32 net/core/filter.c:11701
[<ffffffff84f965d8>] __bpf_prog_run include/linux/filter.h:701 [inline]
[<ffffffff84f965d8>] bpf_prog_run_xdp include/net/xdp.h:654 [inline]
[<ffffffff84f965d8>] bpf_prog_run_generic_xdp+0x6ba/0x166a net/core/dev.c:5123
[<ffffffff84f9824e>] netif_receive_generic_xdp net/core/dev.c:5236 [inline]
[<ffffffff84f9824e>] do_xdp_generic+0x7e2/0xf14 net/core/dev.c:5298
[<ffffffff831b71d4>] tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
[<ffffffff831bb756>] tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
[<ffffffff80b63350>] new_sync_write fs/read_write.c:586 [inline]
[<ffffffff80b63350>] vfs_write+0x56c/0xa9a fs/read_write.c:679
[<ffffffff80b63c5e>] ksys_write+0x126/0x226 fs/read_write.c:731
[<ffffffff80b63dcc>] __do_sys_write fs/read_write.c:742 [inline]
[<ffffffff80b63dcc>] __se_sys_write fs/read_write.c:739 [inline]
[<ffffffff80b63dcc>] __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
[<ffffffff80072b1e>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff86242a5a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff86268776>] handle_exception+0x146/0x152 arch/riscv/kernel/entry.S:197
BUG: Bad page state in process syz.2.552  pfn:9bc90
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffffaf8000000000 pfn:0x9bc90
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ffffaf8011f15000 0000000000000000
raw: ffffaf8000000000 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 4089, tgid 4087 (syz.0.72), ts 635433793200, free_ts 627943784700
 __set_page_owner+0xa2/0x710 mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xea/0x1e2 mm/page_alloc.c:1551
 prep_new_page mm/page_alloc.c:1559 [inline]
 get_page_from_freelist+0xf78/0x2bd6 mm/page_alloc.c:3477
 __alloc_frozen_pages_noprof+0x1e8/0x20fc mm/page_alloc.c:4739
 __alloc_pages_noprof mm/page_alloc.c:4773 [inline]
 alloc_pages_bulk_noprof+0x580/0x10a8 mm/page_alloc.c:4693
 alloc_pages_bulk_node_noprof include/linux/gfp.h:235 [inline]
 __page_pool_alloc_pages_slow+0x18c/0xc4e net/core/page_pool.c:542
 page_pool_alloc_netmems net/core/page_pool.c:593 [inline]
 page_pool_alloc_netmems+0xc0/0x158 net/core/page_pool.c:580
 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline]
 page_pool_alloc include/net/page_pool/helpers.h:160 [inline]
 page_pool_dev_alloc include/net/page_pool/helpers.h:181 [inline]
 skb_pp_cow_data+0x8be/0xfe2 net/core/skbuff.c:983
 skb_cow_data_for_xdp+0x8a/0xbc net/core/skbuff.c:1017
 netif_skb_check_for_xdp net/core/dev.c:5191 [inline]
 netif_receive_generic_xdp net/core/dev.c:5230 [inline]
 do_xdp_generic+0x500/0xf14 net/core/dev.c:5298
 tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
 tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
 new_sync_write fs/read_write.c:586 [inline]
 vfs_write+0x56c/0xa9a fs/read_write.c:679
 ksys_write+0x126/0x226 fs/read_write.c:731
 __do_sys_write fs/read_write.c:742 [inline]
 __se_sys_write fs/read_write.c:739 [inline]
 __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
page last free pid 4071 tgid 4070 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_frozen_pages+0x96a/0x155c mm/page_alloc.c:2660
 __free_pages+0x13a/0x1ba mm/page_alloc.c:4838
 free_pages.part.0+0x268/0x4c6 mm/page_alloc.c:4851
 free_pages+0xe/0x18 mm/page_alloc.c:4848
 tlb_batch_list_free mm/mmu_gather.c:159 [inline]
 tlb_finish_mmu+0x20c/0x7e4 mm/mmu_gather.c:491
 exit_mmap+0x394/0xcf4 mm/mmap.c:1297
 __mmput+0xfe/0x3ac kernel/fork.c:1356
 mmput+0x74/0x88 kernel/fork.c:1378
 exit_mm kernel/exit.c:570 [inline]
 do_exit+0x8fc/0x2966 kernel/exit.c:925
 do_group_exit+0xd4/0x26c kernel/exit.c:1087
 get_signal+0x1f4e/0x22e0 kernel/signal.c:3036
 arch_do_signal_or_restart+0x77c/0x207a arch/riscv/kernel/signal.c:431
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x222/0x2a4 kernel/entry/common.c:218
 do_trap_ecall_u+0x86/0x216 arch/riscv/kernel/traps.c:345
 handle_exception+0x146/0x152 arch/riscv/kernel/entry.S:197
Modules linked in:
CPU: 1 UID: 0 PID: 5852 Comm: syz.2.552 Tainted: G    B              6.14.0-rc1-syzkaller-g245aece3750d #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80074518>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:132
[<ffffffff80003206>] show_stack+0x30/0x3c arch/riscv/kernel/stacktrace.c:138
[<ffffffff8005fa4c>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff8005fa4c>] dump_stack_lvl+0x12e/0x1a6 lib/dump_stack.c:120
[<ffffffff8005fae0>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff80997d5c>] bad_page+0x266/0x2d8 mm/page_alloc.c:501
[<ffffffff809a627a>] free_page_is_bad_report mm/page_alloc.c:913 [inline]
[<ffffffff809a627a>] free_page_is_bad mm/page_alloc.c:923 [inline]
[<ffffffff809a627a>] free_pages_prepare mm/page_alloc.c:1119 [inline]
[<ffffffff809a627a>] free_frozen_pages+0xb82/0x155c mm/page_alloc.c:2660
[<ffffffff809b5256>] page_frag_free+0x336/0x382 mm/page_frag_cache.c:169
[<ffffffff8507e482>] __xdp_return+0x336/0xa02 net/core/xdp.c:447
[<ffffffff850583d2>] bpf_xdp_shrink_data net/core/filter.c:4155 [inline]
[<ffffffff850583d2>] bpf_xdp_frags_shrink_tail net/core/filter.c:4175 [inline]
[<ffffffff850583d2>] ____bpf_xdp_adjust_tail net/core/filter.c:4200 [inline]
[<ffffffff850583d2>] bpf_xdp_adjust_tail+0x9c8/0xf50 net/core/filter.c:4193
[<ffffffff780080f8>] bpf_prog_f476d5219b92964a+0x28/0x36
[<ffffffff85027a4a>] bpf_dispatcher_xdp_func+0x22/0x32 net/core/filter.c:11701
[<ffffffff84f965d8>] __bpf_prog_run include/linux/filter.h:701 [inline]
[<ffffffff84f965d8>] bpf_prog_run_xdp include/net/xdp.h:654 [inline]
[<ffffffff84f965d8>] bpf_prog_run_generic_xdp+0x6ba/0x166a net/core/dev.c:5123
[<ffffffff84f9824e>] netif_receive_generic_xdp net/core/dev.c:5236 [inline]
[<ffffffff84f9824e>] do_xdp_generic+0x7e2/0xf14 net/core/dev.c:5298
[<ffffffff831b71d4>] tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
[<ffffffff831bb756>] tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
[<ffffffff80b63350>] new_sync_write fs/read_write.c:586 [inline]
[<ffffffff80b63350>] vfs_write+0x56c/0xa9a fs/read_write.c:679
[<ffffffff80b63c5e>] ksys_write+0x126/0x226 fs/read_write.c:731
[<ffffffff80b63dcc>] __do_sys_write fs/read_write.c:742 [inline]
[<ffffffff80b63dcc>] __se_sys_write fs/read_write.c:739 [inline]
[<ffffffff80b63dcc>] __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
[<ffffffff80072b1e>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff86242a5a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff86268776>] handle_exception+0x146/0x152 arch/riscv/kernel/entry.S:197
BUG: Bad page state in process syz.2.552  pfn:9d9de
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffffaf8000000000 pfn:0x9d9de
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ffffaf8011f15000 0000000000000000
raw: ffffaf8000000000 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 4089, tgid 4087 (syz.0.72), ts 635433936900, free_ts 627929977700
 __set_page_owner+0xa2/0x710 mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xea/0x1e2 mm/page_alloc.c:1551
 prep_new_page mm/page_alloc.c:1559 [inline]
 get_page_from_freelist+0xf78/0x2bd6 mm/page_alloc.c:3477
 __alloc_frozen_pages_noprof+0x1e8/0x20fc mm/page_alloc.c:4739
 __alloc_pages_noprof mm/page_alloc.c:4773 [inline]
 alloc_pages_bulk_noprof+0x580/0x10a8 mm/page_alloc.c:4693
 alloc_pages_bulk_node_noprof include/linux/gfp.h:235 [inline]
 __page_pool_alloc_pages_slow+0x18c/0xc4e net/core/page_pool.c:542
 page_pool_alloc_netmems net/core/page_pool.c:593 [inline]
 page_pool_alloc_netmems+0xc0/0x158 net/core/page_pool.c:580
 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline]
 page_pool_alloc include/net/page_pool/helpers.h:160 [inline]
 page_pool_dev_alloc include/net/page_pool/helpers.h:181 [inline]
 skb_pp_cow_data+0x8be/0xfe2 net/core/skbuff.c:983
 skb_cow_data_for_xdp+0x8a/0xbc net/core/skbuff.c:1017
 netif_skb_check_for_xdp net/core/dev.c:5191 [inline]
 netif_receive_generic_xdp net/core/dev.c:5230 [inline]
 do_xdp_generic+0x500/0xf14 net/core/dev.c:5298
 tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
 tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
 new_sync_write fs/read_write.c:586 [inline]
 vfs_write+0x56c/0xa9a fs/read_write.c:679
 ksys_write+0x126/0x226 fs/read_write.c:731
 __do_sys_write fs/read_write.c:742 [inline]
 __se_sys_write fs/read_write.c:739 [inline]
 __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
page last free pid 4071 tgid 4070 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_frozen_pages+0x96a/0x155c mm/page_alloc.c:2660
 __free_pages+0x13a/0x1ba mm/page_alloc.c:4838
 free_pages.part.0+0x268/0x4c6 mm/page_alloc.c:4851
 free_pages+0xe/0x18 mm/page_alloc.c:4848
 tlb_batch_list_free mm/mmu_gather.c:159 [inline]
 tlb_finish_mmu+0x20c/0x7e4 mm/mmu_gather.c:491
 exit_mmap+0x394/0xcf4 mm/mmap.c:1297
 __mmput+0xfe/0x3ac kernel/fork.c:1356
 mmput+0x74/0x88 kernel/fork.c:1378
 exit_mm kernel/exit.c:570 [inline]
 do_exit+0x8fc/0x2966 kernel/exit.c:925
 do_group_exit+0xd4/0x26c kernel/exit.c:1087
 get_signal+0x1f4e/0x22e0 kernel/signal.c:3036
 arch_do_signal_or_restart+0x77c/0x207a arch/riscv/kernel/signal.c:431
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x222/0x2a4 kernel/entry/common.c:218
 do_trap_ecall_u+0x86/0x216 arch/riscv/kernel/traps.c:345
 handle_exception+0x146/0x152 arch/riscv/kernel/entry.S:197
Modules linked in:
CPU: 1 UID: 0 PID: 5852 Comm: syz.2.552 Tainted: G    B              6.14.0-rc1-syzkaller-g245aece3750d #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80074518>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:132
[<ffffffff80003206>] show_stack+0x30/0x3c arch/riscv/kernel/stacktrace.c:138
[<ffffffff8005fa4c>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff8005fa4c>] dump_stack_lvl+0x12e/0x1a6 lib/dump_stack.c:120
[<ffffffff8005fae0>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff80997d5c>] bad_page+0x266/0x2d8 mm/page_alloc.c:501
[<ffffffff809a627a>] free_page_is_bad_report mm/page_alloc.c:913 [inline]
[<ffffffff809a627a>] free_page_is_bad mm/page_alloc.c:923 [inline]
[<ffffffff809a627a>] free_pages_prepare mm/page_alloc.c:1119 [inline]
[<ffffffff809a627a>] free_frozen_pages+0xb82/0x155c mm/page_alloc.c:2660
[<ffffffff809b5256>] page_frag_free+0x336/0x382 mm/page_frag_cache.c:169
[<ffffffff8507e482>] __xdp_return+0x336/0xa02 net/core/xdp.c:447
[<ffffffff850583d2>] bpf_xdp_shrink_data net/core/filter.c:4155 [inline]
[<ffffffff850583d2>] bpf_xdp_frags_shrink_tail net/core/filter.c:4175 [inline]
[<ffffffff850583d2>] ____bpf_xdp_adjust_tail net/core/filter.c:4200 [inline]
[<ffffffff850583d2>] bpf_xdp_adjust_tail+0x9c8/0xf50 net/core/filter.c:4193
[<ffffffff780080f8>] bpf_prog_f476d5219b92964a+0x28/0x36
[<ffffffff85027a4a>] bpf_dispatcher_xdp_func+0x22/0x32 net/core/filter.c:11701
[<ffffffff84f965d8>] __bpf_prog_run include/linux/filter.h:701 [inline]
[<ffffffff84f965d8>] bpf_prog_run_xdp include/net/xdp.h:654 [inline]
[<ffffffff84f965d8>] bpf_prog_run_generic_xdp+0x6ba/0x166a net/core/dev.c:5123
[<ffffffff84f9824e>] netif_receive_generic_xdp net/core/dev.c:5236 [inline]
[<ffffffff84f9824e>] do_xdp_generic+0x7e2/0xf14 net/core/dev.c:5298
[<ffffffff831b71d4>] tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
[<ffffffff831bb756>] tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
[<ffffffff80b63350>] new_sync_write fs/read_write.c:586 [inline]
[<ffffffff80b63350>] vfs_write+0x56c/0xa9a fs/read_write.c:679
[<ffffffff80b63c5e>] ksys_write+0x126/0x226 fs/read_write.c:731
[<ffffffff80b63dcc>] __do_sys_write fs/read_write.c:742 [inline]
[<ffffffff80b63dcc>] __se_sys_write fs/read_write.c:739 [inline]
[<ffffffff80b63dcc>] __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
[<ffffffff80072b1e>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff86242a5a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff86268776>] handle_exception+0x146/0x152 arch/riscv/kernel/entry.S:197