BUG: Bad page state in process syz.7.978  pfn:3fc01
page does not match folio
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffffffffffffffff pfn:0x3fc01
ksm flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 0000000000000000 00000000ffffffff ffffffffffffffff
raw: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: nonzero pincount
page_owner tracks the page as allocated
page last allocated via order 9, migratetype Unmovable, gfp_mask 0x152c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 11198, tgid 11198 (syz.7.978), ts 301189627300, free_ts 285966527926
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851
 prep_new_page mm/page_alloc.c:1859 [inline]
 get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
 alloc_frozen_pages_noprof mm/mempolicy.c:2487 [inline]
 alloc_pages_noprof+0xa9/0x190 mm/mempolicy.c:2507
 folio_alloc_noprof+0x1e/0x30 mm/mempolicy.c:2517
 filemap_alloc_folio_noprof+0xdf/0x470 mm/filemap.c:1007
 ractl_alloc_folio mm/readahead.c:186 [inline]
 ra_alloc_folio mm/readahead.c:441 [inline]
 page_cache_ra_order+0x4de/0xd40 mm/readahead.c:506
 do_sync_mmap_readahead+0x25e/0x7a0 mm/filemap.c:-1
 filemap_fault+0x6b9/0x12b0 mm/filemap.c:3458
 __do_fault+0x138/0x390 mm/memory.c:5280
 do_shared_fault mm/memory.c:5767 [inline]
 do_fault mm/memory.c:5841 [inline]
 do_pte_missing mm/memory.c:4362 [inline]
 handle_pte_fault mm/memory.c:6182 [inline]
 __handle_mm_fault+0x1847/0x5400 mm/memory.c:6323
 handle_mm_fault+0x40a/0x8e0 mm/memory.c:6492
 do_user_addr_fault+0xa81/0x1390 arch/x86/mm/fault.c:1336
 handle_page_fault arch/x86/mm/fault.c:1476 [inline]
 exc_page_fault+0x82/0x100 arch/x86/mm/fault.c:1532
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
page last free pid 10861 tgid 10860 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1395 [inline]
 __free_frozen_pages+0xbc4/0xd30 mm/page_alloc.c:2895
 free_large_kmalloc+0x13a/0x1f0 mm/slub.c:4805
 xlog_write_log_records+0x349/0x3c0 fs/xfs/xfs_log_recover.c:1582
 xlog_clear_stale_blocks+0x1d9/0x3c0 fs/xfs/xfs_log_recover.c:1677
 xlog_find_tail+0x655/0x840 fs/xfs/xfs_log_recover.c:1361
 xlog_recover+0x4b/0x3e0 fs/xfs/xfs_log_recover.c:3419
 xfs_log_mount+0x253/0x3e0 fs/xfs/xfs_log.c:667
 xfs_mountfs+0xe5e/0x2330 fs/xfs/xfs_mount.c:1031
 xfs_fs_fill_super+0x11b3/0x1600 fs/xfs/xfs_super.c:1965
 get_tree_bdev_flags+0x40e/0x4d0 fs/super.c:1692
 vfs_get_tree+0x92/0x2b0 fs/super.c:1752
 do_new_mount+0x2a2/0xa30 fs/namespace.c:3810
 do_mount fs/namespace.c:4138 [inline]
 __do_sys_mount fs/namespace.c:4349 [inline]
 __se_sys_mount+0x317/0x410 fs/namespace.c:4326
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Modules linked in:
CPU: 1 UID: 0 PID: 11200 Comm: syz.7.978 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 bad_page+0x180/0x1c0 mm/page_alloc.c:650
 free_tail_page_prepare+0x2c3/0x4f0 mm/page_alloc.c:-1
 free_pages_prepare mm/page_alloc.c:1368 [inline]
 __free_frozen_pages+0x7b7/0xd30 mm/page_alloc.c:2895
 __folio_put+0x21b/0x2c0 mm/swap.c:112
 delete_from_page_cache_batch+0x84c/0x9b0 mm/filemap.c:339
 truncate_inode_pages_range+0x28a/0xda0 mm/truncate.c:380
 kill_bdev block/bdev.c:91 [inline]
 blkdev_flush_mapping+0x108/0x270 block/bdev.c:712
 blkdev_put_whole block/bdev.c:719 [inline]
 bdev_release+0x417/0x650 block/bdev.c:1144
 blkdev_release+0x15/0x20 block/fops.c:699
 __fput+0x449/0xa70 fs/file_table.c:468
 task_work_run+0x1d4/0x260 kernel/task_work.c:227
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0x6b5/0x2300 kernel/exit.c:961
 do_group_exit+0x21c/0x2d0 kernel/exit.c:1102
 get_signal+0x1286/0x1340 kernel/signal.c:3034
 arch_do_signal_or_restart+0x9a/0x750 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop+0x75/0x130 kernel/entry/common.c:40
 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
 syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
 do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7facedb8ebe9
Code: Unable to access opcode bytes at 0x7facedb8ebbf.
RSP: 002b:00007facee95d0e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007faceddb5fa8 RCX: 00007facedb8ebe9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007faceddb5fa8
RBP: 00007faceddb5fa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007faceddb6038 R14: 00007fffa50978b0 R15: 00007fffa5097998
 </TASK>
BUG: Bad page state in process syz.7.978  pfn:3fc00
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3fc00
head: order:0 mapcount:0 entire_mapcount:1 nr_pages_mapped:0 pincount:0
flags: 0xfff1800000024d(locked|referenced|uptodate|workingset|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff1800000024d dead000000000100 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
head: 00fff1800000024d dead000000000100 dead000000000122 0000000000000000
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
head: 00fff00000000000 0000000000000000 00000000ffffffff 0000000000000000
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
page_owner tracks the page as allocated
page last allocated via order 9, migratetype Unmovable, gfp_mask 0x152c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 11198, tgid 11198 (syz.7.978), ts 301189627300, free_ts 285966527926
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851
 prep_new_page mm/page_alloc.c:1859 [inline]
 get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
 alloc_frozen_pages_noprof mm/mempolicy.c:2487 [inline]
 alloc_pages_noprof+0xa9/0x190 mm/mempolicy.c:2507
 folio_alloc_noprof+0x1e/0x30 mm/mempolicy.c:2517
 filemap_alloc_folio_noprof+0xdf/0x470 mm/filemap.c:1007
 ractl_alloc_folio mm/readahead.c:186 [inline]
 ra_alloc_folio mm/readahead.c:441 [inline]
 page_cache_ra_order+0x4de/0xd40 mm/readahead.c:506
 do_sync_mmap_readahead+0x25e/0x7a0 mm/filemap.c:-1
 filemap_fault+0x6b9/0x12b0 mm/filemap.c:3458
 __do_fault+0x138/0x390 mm/memory.c:5280
 do_shared_fault mm/memory.c:5767 [inline]
 do_fault mm/memory.c:5841 [inline]
 do_pte_missing mm/memory.c:4362 [inline]
 handle_pte_fault mm/memory.c:6182 [inline]
 __handle_mm_fault+0x1847/0x5400 mm/memory.c:6323
 handle_mm_fault+0x40a/0x8e0 mm/memory.c:6492
 do_user_addr_fault+0xa81/0x1390 arch/x86/mm/fault.c:1336
 handle_page_fault arch/x86/mm/fault.c:1476 [inline]
 exc_page_fault+0x82/0x100 arch/x86/mm/fault.c:1532
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
page last free pid 10861 tgid 10860 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1395 [inline]
 __free_frozen_pages+0xbc4/0xd30 mm/page_alloc.c:2895
 free_large_kmalloc+0x13a/0x1f0 mm/slub.c:4805
 xlog_write_log_records+0x349/0x3c0 fs/xfs/xfs_log_recover.c:1582
 xlog_clear_stale_blocks+0x1d9/0x3c0 fs/xfs/xfs_log_recover.c:1677
 xlog_find_tail+0x655/0x840 fs/xfs/xfs_log_recover.c:1361
 xlog_recover+0x4b/0x3e0 fs/xfs/xfs_log_recover.c:3419
 xfs_log_mount+0x253/0x3e0 fs/xfs/xfs_log.c:667
 xfs_mountfs+0xe5e/0x2330 fs/xfs/xfs_mount.c:1031
 xfs_fs_fill_super+0x11b3/0x1600 fs/xfs/xfs_super.c:1965
 get_tree_bdev_flags+0x40e/0x4d0 fs/super.c:1692
 vfs_get_tree+0x92/0x2b0 fs/super.c:1752
 do_new_mount+0x2a2/0xa30 fs/namespace.c:3810
 do_mount fs/namespace.c:4138 [inline]
 __do_sys_mount fs/namespace.c:4349 [inline]
 __se_sys_mount+0x317/0x410 fs/namespace.c:4326
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Modules linked in:
CPU: 0 UID: 0 PID: 11200 Comm: syz.7.978 Tainted: G    B               syzkaller #0 PREEMPT(full) 
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 bad_page+0x180/0x1c0 mm/page_alloc.c:650
 free_page_is_bad mm/page_alloc.c:1083 [inline]
 free_pages_prepare mm/page_alloc.c:1387 [inline]
 __free_frozen_pages+0xce2/0xd30 mm/page_alloc.c:2895
 __folio_put+0x21b/0x2c0 mm/swap.c:112
 delete_from_page_cache_batch+0x84c/0x9b0 mm/filemap.c:339
 truncate_inode_pages_range+0x28a/0xda0 mm/truncate.c:380
 kill_bdev block/bdev.c:91 [inline]
 blkdev_flush_mapping+0x108/0x270 block/bdev.c:712
 blkdev_put_whole block/bdev.c:719 [inline]
 bdev_release+0x417/0x650 block/bdev.c:1144
 blkdev_release+0x15/0x20 block/fops.c:699
 __fput+0x449/0xa70 fs/file_table.c:468
 task_work_run+0x1d4/0x260 kernel/task_work.c:227
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0x6b5/0x2300 kernel/exit.c:961
 do_group_exit+0x21c/0x2d0 kernel/exit.c:1102
 get_signal+0x1286/0x1340 kernel/signal.c:3034
 arch_do_signal_or_restart+0x9a/0x750 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop+0x75/0x130 kernel/entry/common.c:40
 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
 syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
 do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7facedb8ebe9
Code: Unable to access opcode bytes at 0x7facedb8ebbf.
RSP: 002b:00007facee95d0e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007faceddb5fa8 RCX: 00007facedb8ebe9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007faceddb5fa8
RBP: 00007faceddb5fa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007faceddb6038 R14: 00007fffa50978b0 R15: 00007fffa5097998
 </TASK>