BUG: Bad page state in process syz.3.166  pfn:54201
page does not match folio
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffffffffffffffff pfn:0x54201
ksm flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001508000 00000000ffffffff ffffffffffffffff
raw: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: nonzero pincount
page_owner tracks the page as allocated
page last allocated via order 9, migratetype Unmovable, gfp_mask 0x153c40(GFP_NOFS|__GFP_WRITE|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 6530, tgid 6529 (syz.2.168), ts 121780217832, free_ts 29892452678
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1848
 prep_new_page mm/page_alloc.c:1856 [inline]
 get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3855
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5145
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2419
 alloc_frozen_pages_noprof mm/mempolicy.c:2490 [inline]
 alloc_pages_noprof+0xa9/0x190 mm/mempolicy.c:2510
 folio_alloc_noprof+0x1e/0x30 mm/mempolicy.c:2520
 filemap_alloc_folio_noprof+0xdf/0x470 mm/filemap.c:1007
 __filemap_get_folio+0x3f2/0xaf0 mm/filemap.c:1981
 iomap_get_folio fs/iomap/buffered-io.c:606 [inline]
 __iomap_get_folio fs/iomap/buffered-io.c:756 [inline]
 iomap_write_begin+0x660/0x1bc0 fs/iomap/buffered-io.c:821
 iomap_write_iter fs/iomap/buffered-io.c:978 [inline]
 iomap_file_buffered_write+0x438/0x980 fs/iomap/buffered-io.c:1057
 blkdev_buffered_write block/fops.c:714 [inline]
 blkdev_write_iter+0x521/0x710 block/fops.c:779
 new_sync_write fs/read_write.c:593 [inline]
 vfs_write+0x548/0xa90 fs/read_write.c:686
 ksys_write+0x145/0x250 fs/read_write.c:738
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 1 tgid 1 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1392 [inline]
 __free_frozen_pages+0xb80/0xd80 mm/page_alloc.c:2892
 __free_pages mm/page_alloc.c:5257 [inline]
 free_contig_range+0x1bd/0x4a0 mm/page_alloc.c:7114
 destroy_args+0x7e/0x5d0 mm/debug_vm_pgtable.c:953
 debug_vm_pgtable+0x3fa/0x430 mm/debug_vm_pgtable.c:1329
 do_one_initcall+0x233/0x820 init/main.c:1269
 do_initcall_level+0x137/0x1f0 init/main.c:1331
 do_initcalls+0x69/0xd0 init/main.c:1347
 kernel_init_freeable+0x3d9/0x570 init/main.c:1579
 kernel_init+0x1d/0x1d0 init/main.c:1469
 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Modules linked in:
CPU: 1 UID: 0 PID: 6525 Comm: syz.3.166 Not tainted 6.16.0-rc4-next-20250704-syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 bad_page+0x180/0x1c0 mm/page_alloc.c:650
 free_tail_page_prepare+0x2c3/0x4f0 mm/page_alloc.c:-1
 free_pages_prepare mm/page_alloc.c:1368 [inline]
 __free_frozen_pages+0x7b9/0xd80 mm/page_alloc.c:2892
 __folio_put+0x21b/0x2c0 mm/swap.c:112
 delete_from_page_cache_batch+0x84c/0x9b0 mm/filemap.c:339
 truncate_inode_pages_range+0x28a/0xda0 mm/truncate.c:380
 kill_bdev block/bdev.c:91 [inline]
 blkdev_flush_mapping+0x108/0x270 block/bdev.c:712
 blkdev_put_whole block/bdev.c:719 [inline]
 bdev_release+0x417/0x650 block/bdev.c:1144
 blkdev_release+0x15/0x20 block/fops.c:684
 __fput+0x44c/0xa70 fs/file_table.c:468
 task_work_run+0x1d1/0x260 kernel/task_work.c:227
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0x6b5/0x2300 kernel/exit.c:959
 do_group_exit+0x21c/0x2d0 kernel/exit.c:1100
 __do_sys_exit_group kernel/exit.c:1111 [inline]
 __se_sys_exit_group kernel/exit.c:1109 [inline]
 __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1109
 x64_sys_call+0x21f7/0x2200 arch/x86/include/generated/asm/syscalls_64.h:232
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc3b798e929
Code: Unable to access opcode bytes at 0x7fc3b798e8ff.
RSP: 002b:00007ffd45051f98 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fc3b798e929
RDX: 00007fc3b67f9000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00007ffd45051ffc R08: 0000000000001110 R09: 00000000000927c0
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000029
R13: 00000000000927c0 R14: 000000000001d720 R15: 00007ffd45052050
 </TASK>
BUG: Bad page state in process syz.3.166  pfn:54200
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x54200
head: order:0 mapcount:0 entire_mapcount:1 nr_pages_mapped:0 pincount:0
flags: 0xfff0000000004d(locked|referenced|uptodate|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff0000000004d dead000000000100 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
head: 00fff0000000004d dead000000000100 dead000000000122 0000000000000000
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
head: 00fff00000000000 0000000000000000 00000000ffffffff 0000000000000000
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
page_owner tracks the page as allocated
page last allocated via order 9, migratetype Unmovable, gfp_mask 0x153c40(GFP_NOFS|__GFP_WRITE|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 6530, tgid 6529 (syz.2.168), ts 121780217832, free_ts 29892442944
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1848
 prep_new_page mm/page_alloc.c:1856 [inline]
 get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3855
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5145
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2419
 alloc_frozen_pages_noprof mm/mempolicy.c:2490 [inline]
 alloc_pages_noprof+0xa9/0x190 mm/mempolicy.c:2510
 folio_alloc_noprof+0x1e/0x30 mm/mempolicy.c:2520
 filemap_alloc_folio_noprof+0xdf/0x470 mm/filemap.c:1007
 __filemap_get_folio+0x3f2/0xaf0 mm/filemap.c:1981
 iomap_get_folio fs/iomap/buffered-io.c:606 [inline]
 __iomap_get_folio fs/iomap/buffered-io.c:756 [inline]
 iomap_write_begin+0x660/0x1bc0 fs/iomap/buffered-io.c:821
 iomap_write_iter fs/iomap/buffered-io.c:978 [inline]
 iomap_file_buffered_write+0x438/0x980 fs/iomap/buffered-io.c:1057
 blkdev_buffered_write block/fops.c:714 [inline]
 blkdev_write_iter+0x521/0x710 block/fops.c:779
 new_sync_write fs/read_write.c:593 [inline]
 vfs_write+0x548/0xa90 fs/read_write.c:686
 ksys_write+0x145/0x250 fs/read_write.c:738
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 1 tgid 1 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1392 [inline]
 __free_frozen_pages+0xb80/0xd80 mm/page_alloc.c:2892
 __free_pages mm/page_alloc.c:5257 [inline]
 free_contig_range+0x1bd/0x4a0 mm/page_alloc.c:7114
 destroy_args+0x7e/0x5d0 mm/debug_vm_pgtable.c:953
 debug_vm_pgtable+0x3fa/0x430 mm/debug_vm_pgtable.c:1329
 do_one_initcall+0x233/0x820 init/main.c:1269
 do_initcall_level+0x137/0x1f0 init/main.c:1331
 do_initcalls+0x69/0xd0 init/main.c:1347
 kernel_init_freeable+0x3d9/0x570 init/main.c:1579
 kernel_init+0x1d/0x1d0 init/main.c:1469
 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Modules linked in:
CPU: 0 UID: 0 PID: 6525 Comm: syz.3.166 Tainted: G    B               6.16.0-rc4-next-20250704-syzkaller #0 PREEMPT(full) 
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 bad_page+0x180/0x1c0 mm/page_alloc.c:650
 free_page_is_bad mm/page_alloc.c:1083 [inline]
 free_pages_prepare mm/page_alloc.c:1384 [inline]
 __free_frozen_pages+0xd26/0xd80 mm/page_alloc.c:2892
 __folio_put+0x21b/0x2c0 mm/swap.c:112
 delete_from_page_cache_batch+0x84c/0x9b0 mm/filemap.c:339
 truncate_inode_pages_range+0x28a/0xda0 mm/truncate.c:380
 kill_bdev block/bdev.c:91 [inline]
 blkdev_flush_mapping+0x108/0x270 block/bdev.c:712
 blkdev_put_whole block/bdev.c:719 [inline]
 bdev_release+0x417/0x650 block/bdev.c:1144
 blkdev_release+0x15/0x20 block/fops.c:684
 __fput+0x44c/0xa70 fs/file_table.c:468
 task_work_run+0x1d1/0x260 kernel/task_work.c:227
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0x6b5/0x2300 kernel/exit.c:959
 do_group_exit+0x21c/0x2d0 kernel/exit.c:1100
 __do_sys_exit_group kernel/exit.c:1111 [inline]
 __se_sys_exit_group kernel/exit.c:1109 [inline]
 __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1109
 x64_sys_call+0x21f7/0x2200 arch/x86/include/generated/asm/syscalls_64.h:232
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc3b798e929
Code: Unable to access opcode bytes at 0x7fc3b798e8ff.
RSP: 002b:00007ffd45051f98 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fc3b798e929
RDX: 00007fc3b67f9000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00007ffd45051ffc R08: 0000000000001110 R09: 00000000000927c0
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000029
R13: 00000000000927c0 R14: 000000000001d720 R15: 00007ffd45052050
 </TASK>