BUG: Bad page state in process syz.1.12644  pfn:46fba
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888046fba500 pfn:0x46fba
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 dead000000000040 ffff888022abe000 0000000000000000
raw: ffff888046fba500 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 20449, tgid 20448 (syz.2.3416), ts 467941506635, free_ts 461731894387
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250
 __alloc_pages_noprof mm/page_alloc.c:5284 [inline]
 alloc_pages_bulk_noprof+0x558/0x700 mm/page_alloc.c:5204
 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline]
 __page_pool_alloc_netmems_slow+0x14c/0x710 net/core/page_pool.c:616
 page_pool_alloc_netmems net/core/page_pool.c:667 [inline]
 page_pool_alloc_frag_netmem+0x421/0x9b0 net/core/page_pool.c:1076
 page_pool_alloc_netmem include/net/page_pool/helpers.h:131 [inline]
 page_pool_alloc include/net/page_pool/helpers.h:167 [inline]
 page_pool_alloc_va include/net/page_pool/helpers.h:198 [inline]
 page_pool_dev_alloc_va include/net/page_pool/helpers.h:221 [inline]
 skb_pp_cow_data+0x287/0x1bb0 net/core/skbuff.c:949
 netif_skb_check_for_xdp net/core/dev.c:5528 [inline]
 netif_receive_generic_xdp net/core/dev.c:5569 [inline]
 do_xdp_generic+0x76b/0x12e0 net/core/dev.c:5637
 __netif_receive_skb_core+0x10e5/0x31a0 net/core/dev.c:5990
 __netif_receive_skb_one_core net/core/dev.c:6178 [inline]
 __netif_receive_skb net/core/dev.c:6293 [inline]
 process_backlog+0x76d/0x1950 net/core/dev.c:6644
 __napi_poll+0xae/0x340 net/core/dev.c:7708
 napi_poll net/core/dev.c:7771 [inline]
 net_rx_action+0x627/0xf70 net/core/dev.c:7923
 handle_softirqs+0x22a/0x870 kernel/softirq.c:622
 do_softirq+0x76/0xd0 kernel/softirq.c:523
 __local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:924 [inline]
 __dev_queue_xmit+0x1f56/0x38d0 net/core/dev.c:4876
page last free pid 20205 tgid 20202 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0xc2b/0xdb0 mm/page_alloc.c:2978
 __slab_free+0x263/0x2b0 mm/slub.c:5532
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350
 kasan_slab_alloc include/linux/kasan.h:253 [inline]
 slab_post_alloc_hook mm/slub.c:4501 [inline]
 slab_alloc_node mm/slub.c:4830 [inline]
 kmem_cache_alloc_noprof+0x2bc/0x650 mm/slub.c:4837
 create_nsproxy kernel/nsproxy.c:57 [inline]
 create_new_namespaces+0x33/0x6a0 kernel/nsproxy.c:94
 prepare_nsset kernel/nsproxy.c:352 [inline]
 __do_sys_setns kernel/nsproxy.c:586 [inline]
 __se_sys_setns+0x2c0/0x1bb0 kernel/nsproxy.c:563
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Modules linked in:
CPU: 0 UID: 0 PID: 28573 Comm: syz.1.12644 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 bad_page+0x17f/0x1c0 mm/page_alloc.c:676
 free_page_is_bad mm/page_alloc.c:1120 [inline]
 __free_pages_prepare mm/page_alloc.c:1424 [inline]
 __free_frozen_pages+0xd62/0xdb0 mm/page_alloc.c:2978
 bpf_xdp_shrink_data net/core/filter.c:4203 [inline]
 bpf_xdp_frags_shrink_tail+0x4f7/0x7f0 net/core/filter.c:4227
 ____bpf_xdp_adjust_tail net/core/filter.c:4249 [inline]
 bpf_xdp_adjust_tail+0x1d6/0x220 net/core/filter.c:4242
 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24
 __bpf_prog_run include/linux/filter.h:723 [inline]
 bpf_prog_run_xdp include/net/xdp.h:696 [inline]
 bpf_prog_run_generic_xdp+0x603/0x1490 net/core/dev.c:5459
 netif_receive_generic_xdp net/core/dev.c:5575 [inline]
 do_xdp_generic+0xac5/0x12e0 net/core/dev.c:5637
 tun_get_user+0x247d/0x3dd0 drivers/net/tun.c:1872
 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1999
 new_sync_write fs/read_write.c:595 [inline]
 vfs_write+0x61d/0xb90 fs/read_write.c:688
 ksys_write+0x150/0x270 fs/read_write.c:740
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f188f15cfce
Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
RSP: 002b:00007f188ffd6fb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f188ffd76c0 RCX: 00007f188f15cfce
RDX: 0000000000011dc0 RSI: 0000200000001380 RDI: 00000000000000c8
RBP: 00007f188f232bd9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f188f416038 R14: 00007f188f415fa0 R15: 00007ffd38f99838
 </TASK>
BUG: Bad page state in process syz.1.12644  pfn:36ac3
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888036ac3d00 pfn:0x36ac3
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 dead000000000040 ffff888022abe000 0000000000000000
raw: ffff888036ac3d00 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 20449, tgid 20448 (syz.2.3416), ts 467941720393, free_ts 461731878867
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250
 __alloc_pages_noprof mm/page_alloc.c:5284 [inline]
 alloc_pages_bulk_noprof+0x558/0x700 mm/page_alloc.c:5204
 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline]
 __page_pool_alloc_netmems_slow+0x14c/0x710 net/core/page_pool.c:616
 page_pool_alloc_netmems net/core/page_pool.c:667 [inline]
 page_pool_alloc_frag_netmem+0x421/0x9b0 net/core/page_pool.c:1076
 page_pool_alloc_netmem include/net/page_pool/helpers.h:131 [inline]
 page_pool_alloc include/net/page_pool/helpers.h:167 [inline]
 page_pool_alloc_va include/net/page_pool/helpers.h:198 [inline]
 page_pool_dev_alloc_va include/net/page_pool/helpers.h:221 [inline]
 skb_pp_cow_data+0x287/0x1bb0 net/core/skbuff.c:949
 netif_skb_check_for_xdp net/core/dev.c:5528 [inline]
 netif_receive_generic_xdp net/core/dev.c:5569 [inline]
 do_xdp_generic+0x76b/0x12e0 net/core/dev.c:5637
 __netif_receive_skb_core+0x10e5/0x31a0 net/core/dev.c:5990
 __netif_receive_skb_one_core net/core/dev.c:6178 [inline]
 __netif_receive_skb net/core/dev.c:6293 [inline]
 process_backlog+0x76d/0x1950 net/core/dev.c:6644
 __napi_poll+0xae/0x340 net/core/dev.c:7708
 napi_poll net/core/dev.c:7771 [inline]
 net_rx_action+0x627/0xf70 net/core/dev.c:7923
 handle_softirqs+0x22a/0x870 kernel/softirq.c:622
 do_softirq+0x76/0xd0 kernel/softirq.c:523
 __local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:924 [inline]
 __dev_queue_xmit+0x1f56/0x38d0 net/core/dev.c:4876
page last free pid 20205 tgid 20202 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0xc2b/0xdb0 mm/page_alloc.c:2978
 __slab_free+0x263/0x2b0 mm/slub.c:5532
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350
 kasan_slab_alloc include/linux/kasan.h:253 [inline]
 slab_post_alloc_hook mm/slub.c:4501 [inline]
 slab_alloc_node mm/slub.c:4830 [inline]
 kmem_cache_alloc_noprof+0x2bc/0x650 mm/slub.c:4837
 create_nsproxy kernel/nsproxy.c:57 [inline]
 create_new_namespaces+0x33/0x6a0 kernel/nsproxy.c:94
 prepare_nsset kernel/nsproxy.c:352 [inline]
 __do_sys_setns kernel/nsproxy.c:586 [inline]
 __se_sys_setns+0x2c0/0x1bb0 kernel/nsproxy.c:563
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Modules linked in:
CPU: 0 UID: 0 PID: 28573 Comm: syz.1.12644 Tainted: G    B               syzkaller #0 PREEMPT(full) 
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 bad_page+0x17f/0x1c0 mm/page_alloc.c:676
 free_page_is_bad mm/page_alloc.c:1120 [inline]
 __free_pages_prepare mm/page_alloc.c:1424 [inline]
 __free_frozen_pages+0xd62/0xdb0 mm/page_alloc.c:2978
 bpf_xdp_shrink_data net/core/filter.c:4203 [inline]
 bpf_xdp_frags_shrink_tail+0x4f7/0x7f0 net/core/filter.c:4227
 ____bpf_xdp_adjust_tail net/core/filter.c:4249 [inline]
 bpf_xdp_adjust_tail+0x1d6/0x220 net/core/filter.c:4242
 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24
 __bpf_prog_run include/linux/filter.h:723 [inline]
 bpf_prog_run_xdp include/net/xdp.h:696 [inline]
 bpf_prog_run_generic_xdp+0x603/0x1490 net/core/dev.c:5459
 netif_receive_generic_xdp net/core/dev.c:5575 [inline]
 do_xdp_generic+0xac5/0x12e0 net/core/dev.c:5637
 tun_get_user+0x247d/0x3dd0 drivers/net/tun.c:1872
 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1999
 new_sync_write fs/read_write.c:595 [inline]
 vfs_write+0x61d/0xb90 fs/read_write.c:688
 ksys_write+0x150/0x270 fs/read_write.c:740
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f188f15cfce
Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
RSP: 002b:00007f188ffd6fb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f188ffd76c0 RCX: 00007f188f15cfce
RDX: 0000000000011dc0 RSI: 0000200000001380 RDI: 00000000000000c8
RBP: 00007f188f232bd9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f188f416038 R14: 00007f188f415fa0 R15: 00007ffd38f99838
 </TASK>
BUG: Bad page state in process syz.1.12644  pfn:1cbcc
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88801cbcc100 pfn:0x1cbcc
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 dead000000000040 ffff888022abe000 0000000000000000
raw: ffff88801cbcc100 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 20449, tgid 20448 (syz.2.3416), ts 467943127791, free_ts 461731798121
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250
 __alloc_pages_noprof mm/page_alloc.c:5284 [inline]
 alloc_pages_bulk_noprof+0x558/0x700 mm/page_alloc.c:5204
 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline]
 __page_pool_alloc_netmems_slow+0x14c/0x710 net/core/page_pool.c:616
 page_pool_alloc_netmems net/core/page_pool.c:667 [inline]
 page_pool_alloc_frag_netmem+0x421/0x9b0 net/core/page_pool.c:1076
 page_pool_alloc_netmem include/net/page_pool/helpers.h:131 [inline]
 page_pool_alloc include/net/page_pool/helpers.h:167 [inline]
 page_pool_alloc_va include/net/page_pool/helpers.h:198 [inline]
 page_pool_dev_alloc_va include/net/page_pool/helpers.h:221 [inline]
 skb_pp_cow_data+0x287/0x1bb0 net/core/skbuff.c:949
 netif_skb_check_for_xdp net/core/dev.c:5528 [inline]
 netif_receive_generic_xdp net/core/dev.c:5569 [inline]
 do_xdp_generic+0x76b/0x12e0 net/core/dev.c:5637
 __netif_receive_skb_core+0x10e5/0x31a0 net/core/dev.c:5990
 __netif_receive_skb_one_core net/core/dev.c:6178 [inline]
 __netif_receive_skb net/core/dev.c:6293 [inline]
 process_backlog+0x76d/0x1950 net/core/dev.c:6644
 __napi_poll+0xae/0x340 net/core/dev.c:7708
 napi_poll net/core/dev.c:7771 [inline]
 net_rx_action+0x627/0xf70 net/core/dev.c:7923
 handle_softirqs+0x22a/0x870 kernel/softirq.c:622
 do_softirq+0x76/0xd0 kernel/softirq.c:523
 __local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:924 [inline]
 __dev_queue_xmit+0x1f56/0x38d0 net/core/dev.c:4876
page last free pid 20205 tgid 20202 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0xc2b/0xdb0 mm/page_alloc.c:2978
 __slab_free+0x263/0x2b0 mm/slub.c:5532
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350
 kasan_slab_alloc include/linux/kasan.h:253 [inline]
 slab_post_alloc_hook mm/slub.c:4501 [inline]
 slab_alloc_node mm/slub.c:4830 [inline]
 kmem_cache_alloc_noprof+0x2bc/0x650 mm/slub.c:4837
 create_nsproxy kernel/nsproxy.c:57 [inline]
 create_new_namespaces+0x33/0x6a0 kernel/nsproxy.c:94
 prepare_nsset kernel/nsproxy.c:352 [inline]
 __do_sys_setns kernel/nsproxy.c:586 [inline]
 __se_sys_setns+0x2c0/0x1bb0 kernel/nsproxy.c:563
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Modules linked in:
CPU: 0 UID: 0 PID: 28573 Comm: syz.1.12644 Tainted: G    B               syzkaller #0 PREEMPT(full) 
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 bad_page+0x17f/0x1c0 mm/page_alloc.c:676
 free_page_is_bad mm/page_alloc.c:1120 [inline]
 __free_pages_prepare mm/page_alloc.c:1424 [inline]
 __free_frozen_pages+0xd62/0xdb0 mm/page_alloc.c:2978
 bpf_xdp_shrink_data net/core/filter.c:4203 [inline]
 bpf_xdp_frags_shrink_tail+0x4f7/0x7f0 net/core/filter.c:4227
 ____bpf_xdp_adjust_tail net/core/filter.c:4249 [inline]
 bpf_xdp_adjust_tail+0x1d6/0x220 net/core/filter.c:4242
 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24
 __bpf_prog_run include/linux/filter.h:723 [inline]
 bpf_prog_run_xdp include/net/xdp.h:696 [inline]
 bpf_prog_run_generic_xdp+0x603/0x1490 net/core/dev.c:5459
 netif_receive_generic_xdp net/core/dev.c:5575 [inline]
 do_xdp_generic+0xac5/0x12e0 net/core/dev.c:5637
 tun_get_user+0x247d/0x3dd0 drivers/net/tun.c:1872
 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1999
 new_sync_write fs/read_write.c:595 [inline]
 vfs_write+0x61d/0xb90 fs/read_write.c:688
 ksys_write+0x150/0x270 fs/read_write.c:740
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f188f15cfce
Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
RSP: 002b:00007f188ffd6fb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f188ffd76c0 RCX: 00007f188f15cfce
RDX: 0000000000011dc0 RSI: 0000200000001380 RDI: 00000000000000c8
RBP: 00007f188f232bd9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f188f416038 R14: 00007f188f415fa0 R15: 00007ffd38f99838
 </TASK>
BUG: Bad page state in process syz.1.12644  pfn:52a8c
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888052a8cf00 pfn:0x52a8c
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 dead000000000040 ffff888022abe000 0000000000000000
raw: ffff888052a8cf00 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 20449, tgid 20448 (syz.2.3416), ts 467942134890, free_ts 461731852241
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250
 __alloc_pages_noprof mm/page_alloc.c:5284 [inline]
 alloc_pages_bulk_noprof+0x558/0x700 mm/page_alloc.c:5204
 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline]
 __page_pool_alloc_netmems_slow+0x14c/0x710 net/core/page_pool.c:616
 page_pool_alloc_netmems net/core/page_pool.c:667 [inline]
 page_pool_alloc_frag_netmem+0x421/0x9b0 net/core/page_pool.c:1076
 page_pool_alloc_netmem include/net/page_pool/helpers.h:131 [inline]
 page_pool_alloc include/net/page_pool/helpers.h:167 [inline]
 page_pool_alloc_va include/net/page_pool/helpers.h:198 [inline]
 page_pool_dev_alloc_va include/net/page_pool/helpers.h:221 [inline]
 skb_pp_cow_data+0x287/0x1bb0 net/core/skbuff.c:949
 netif_skb_check_for_xdp net/core/dev.c:5528 [inline]
 netif_receive_generic_xdp net/core/dev.c:5569 [inline]
 do_xdp_generic+0x76b/0x12e0 net/core/dev.c:5637
 __netif_receive_skb_core+0x10e5/0x31a0 net/core/dev.c:5990
 __netif_receive_skb_one_core net/core/dev.c:6178 [inline]
 __netif_receive_skb net/core/dev.c:6293 [inline]
 process_backlog+0x76d/0x1950 net/core/dev.c:6644
 __napi_poll+0xae/0x340 net/core/dev.c:7708
 napi_poll net/core/dev.c:7771 [inline]
 net_rx_action+0x627/0xf70 net/core/dev.c:7923
 handle_softirqs+0x22a/0x870 kernel/softirq.c:622
 do_softirq+0x76/0xd0 kernel/softirq.c:523
 __local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:924 [inline]
 __dev_queue_xmit+0x1f56/0x38d0 net/core/dev.c:4876
page last free pid 20205 tgid 20202 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0xc2b/0xdb0 mm/page_alloc.c:2978
 __slab_free+0x263/0x2b0 mm/slub.c:5532
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350
 kasan_slab_alloc include/linux/kasan.h:253 [inline]
 slab_post_alloc_hook mm/slub.c:4501 [inline]
 slab_alloc_node mm/slub.c:4830 [inline]
 kmem_cache_alloc_noprof+0x2bc/0x650 mm/slub.c:4837
 create_nsproxy kernel/nsproxy.c:57 [inline]
 create_new_namespaces+0x33/0x6a0 kernel/nsproxy.c:94
 prepare_nsset kernel/nsproxy.c:352 [inline]
 __do_sys_setns kernel/nsproxy.c:586 [inline]
 __se_sys_setns+0x2c0/0x1bb0 kernel/nsproxy.c:563
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Modules linked in:
CPU: 0 UID: 0 PID: 28573 Comm: syz.1.12644 Tainted: G    B               syzkaller #0 PREEMPT(full) 
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 bad_page+0x17f/0x1c0 mm/page_alloc.c:676
 free_page_is_bad mm/page_alloc.c:1120 [inline]
 __free_pages_prepare mm/page_alloc.c:1424 [inline]
 __free_frozen_pages+0xd62/0xdb0 mm/page_alloc.c:2978
 bpf_xdp_shrink_data net/core/filter.c:4203 [inline]
 bpf_xdp_frags_shrink_tail+0x4f7/0x7f0 net/core/filter.c:4227
 ____bpf_xdp_adjust_tail net/core/filter.c:4249 [inline]
 bpf_xdp_adjust_tail+0x1d6/0x220 net/core/filter.c:4242
 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24
 __bpf_prog_run include/linux/filter.h:723 [inline]
 bpf_prog_run_xdp include/net/xdp.h:696 [inline]
 bpf_prog_run_generic_xdp+0x603/0x1490 net/core/dev.c:5459
 netif_receive_generic_xdp net/core/dev.c:5575 [inline]
 do_xdp_generic+0xac5/0x12e0 net/core/dev.c:5637
 tun_get_user+0x247d/0x3dd0 drivers/net/tun.c:1872
 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1999
 new_sync_write fs/read_write.c:595 [inline]
 vfs_write+0x61d/0xb90 fs/read_write.c:688
 ksys_write+0x150/0x270 fs/read_write.c:740
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f188f15cfce
Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
RSP: 002b:00007f188ffd6fb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f188ffd76c0 RCX: 00007f188f15cfce
RDX: 0000000000011dc0 RSI: 0000200000001380 RDI: 00000000000000c8
RBP: 00007f188f232bd9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f188f416038 R14: 00007f188f415fa0 R15: 00007ffd38f99838
 </TASK>
BUG: Bad page state in process syz.1.12644  pfn:6d15b
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88806d15bf80 pfn:0x6d15b
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 dead000000000040 ffff888022abe000 0000000000000000
raw: ffff88806d15bf80 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 20449, tgid 20448 (syz.2.3416), ts 467941927803, free_ts 461731866045
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250
 __alloc_pages_noprof mm/page_alloc.c:5284 [inline]
 alloc_pages_bulk_noprof+0x558/0x700 mm/page_alloc.c:5204
 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline]
 __page_pool_alloc_netmems_slow+0x14c/0x710 net/core/page_pool.c:616
 page_pool_alloc_netmems net/core/page_pool.c:667 [inline]
 page_pool_alloc_frag_netmem+0x421/0x9b0 net/core/page_pool.c:1076
 page_pool_alloc_netmem include/net/page_pool/helpers.h:131 [inline]
 page_pool_alloc include/net/page_pool/helpers.h:167 [inline]
 page_pool_alloc_va include/net/page_pool/helpers.h:198 [inline]
 page_pool_dev_alloc_va include/net/page_pool/helpers.h:221 [inline]
 skb_pp_cow_data+0x287/0x1bb0 net/core/skbuff.c:949
 netif_skb_check_for_xdp net/core/dev.c:5528 [inline]
 netif_receive_generic_xdp net/core/dev.c:5569 [inline]
 do_xdp_generic+0x76b/0x12e0 net/core/dev.c:5637
 __netif_receive_skb_core+0x10e5/0x31a0 net/core/dev.c:5990
 __netif_receive_skb_one_core net/core/dev.c:6178 [inline]
 __netif_receive_skb net/core/dev.c:6293 [inline]
 process_backlog+0x76d/0x1950 net/core/dev.c:6644
 __napi_poll+0xae/0x340 net/core/dev.c:7708
 napi_poll net/core/dev.c:7771 [inline]
 net_rx_action+0x627/0xf70 net/core/dev.c:7923
 handle_softirqs+0x22a/0x870 kernel/softirq.c:622
 do_softirq+0x76/0xd0 kernel/softirq.c:523
 __local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:924 [inline]
 __dev_queue_xmit+0x1f56/0x38d0 net/core/dev.c:4876
page last free pid 20205 tgid 20202 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0xc2b/0xdb0 mm/page_alloc.c:2978
 __slab_free+0x263/0x2b0 mm/slub.c:5532
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350
 kasan_slab_alloc include/linux/kasan.h:253 [inline]
 slab_post_alloc_hook mm/slub.c:4501 [inline]
 slab_alloc_node mm/slub.c:4830 [inline]
 kmem_cache_alloc_noprof+0x2bc/0x650 mm/slub.c:4837
 create_nsproxy kernel/nsproxy.c:57 [inline]
 create_new_namespaces+0x33/0x6a0 kernel/nsproxy.c:94
 prepare_nsset kernel/nsproxy.c:352 [inline]
 __do_sys_setns kernel/nsproxy.c:586 [inline]
 __se_sys_setns+0x2c0/0x1bb0 kernel/nsproxy.c:563
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Modules linked in:
CPU: 0 UID: 0 PID: 28573 Comm: syz.1.12644 Tainted: G    B               syzkaller #0 PREEMPT(full) 
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 bad_page+0x17f/0x1c0 mm/page_alloc.c:676
 free_page_is_bad mm/page_alloc.c:1120 [inline]
 __free_pages_prepare mm/page_alloc.c:1424 [inline]
 __free_frozen_pages+0xd62/0xdb0 mm/page_alloc.c:2978
 bpf_xdp_shrink_data net/core/filter.c:4203 [inline]
 bpf_xdp_frags_shrink_tail+0x4f7/0x7f0 net/core/filter.c:4227
 ____bpf_xdp_adjust_tail net/core/filter.c:4249 [inline]
 bpf_xdp_adjust_tail+0x1d6/0x220 net/core/filter.c:4242
 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24
 __bpf_prog_run include/linux/filter.h:723 [inline]
 bpf_prog_run_xdp include/net/xdp.h:696 [inline]
 bpf_prog_run_generic_xdp+0x603/0x1490 net/core/dev.c:5459
 netif_receive_generic_xdp net/core/dev.c:5575 [inline]
 do_xdp_generic+0xac5/0x12e0 net/core/dev.c:5637
 tun_get_user+0x247d/0x3dd0 drivers/net/tun.c:1872
 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1999
 new_sync_write fs/read_write.c:595 [inline]
 vfs_write+0x61d/0xb90 fs/read_write.c:688
 ksys_write+0x150/0x270 fs/read_write.c:740
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f188f15cfce
Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
RSP: 002b:00007f188ffd6fb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f188ffd76c0 RCX: 00007f188f15cfce
RDX: 0000000000011dc0 RSI: 0000200000001380 RDI: 00000000000000c8
RBP: 00007f188f232bd9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f188f416038 R14: 00007f188f415fa0 R15: 00007ffd38f99838
 </TASK>
BUG: Bad page state in process syz.1.12644  pfn:55ef7
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888055ef7600 pfn:0x55ef7
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 dead000000000040 ffff888022abe000 0000000000000000
raw: ffff888055ef7600 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 20449, tgid 20448 (syz.2.3416), ts 467943346909, free_ts 461731783928
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250
 __alloc_pages_noprof mm/page_alloc.c:5284 [inline]
 alloc_pages_bulk_noprof+0x558/0x700 mm/page_alloc.c:5204
 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline]
 __page_pool_alloc_netmems_slow+0x14c/0x710 net/core/page_pool.c:616
 page_pool_alloc_netmems net/core/page_pool.c:667 [inline]
 page_pool_alloc_frag_netmem+0x421/0x9b0 net/core/page_pool.c:1076
 page_pool_alloc_netmem include/net/page_pool/helpers.h:131 [inline]
 page_pool_alloc include/net/page_pool/helpers.h:167 [inline]
 page_pool_alloc_va include/net/page_pool/helpers.h:198 [inline]
 page_pool_dev_alloc_va include/net/page_pool/helpers.h:221 [inline]
 skb_pp_cow_data+0x287/0x1bb0 net/core/skbuff.c:949
 netif_skb_check_for_xdp net/core/dev.c:5528 [inline]
 netif_receive_generic_xdp net/core/dev.c:5569 [inline]
 do_xdp_generic+0x76b/0x12e0 net/core/dev.c:5637
 __netif_receive_skb_core+0x10e5/0x31a0 net/core/dev.c:5990
 __netif_receive_skb_one_core net/core/dev.c:6178 [inline]
 __netif_receive_skb net/core/dev.c:6293 [inline]
 process_backlog+0x76d/0x1950 net/core/dev.c:6644
 __napi_poll+0xae/0x340 net/core/dev.c:7708
 napi_poll net/core/dev.c:7771 [inline]
 net_rx_action+0x627/0xf70 net/core/dev.c:7923
 handle_softirqs+0x22a/0x870 kernel/softirq.c:622
 do_softirq+0x76/0xd0 kernel/softirq.c:523
 __local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:924 [inline]
 __dev_queue_xmit+0x1f56/0x38d0 net/core/dev.c:4876
page last free pid 20205 tgid 20202 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0xc2b/0xdb0 mm/page_alloc.c:2978
 __slab_free+0x263/0x2b0 mm/slub.c:5532
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350
 kasan_slab_alloc include/linux/kasan.h:253 [inline]
 slab_post_alloc_hook mm/slub.c:4501 [inline]
 slab_alloc_node mm/slub.c:4830 [inline]
 kmem_cache_alloc_noprof+0x2bc/0x650 mm/slub.c:4837
 create_nsproxy kernel/nsproxy.c:57 [inline]
 create_new_namespaces+0x33/0x6a0 kernel/nsproxy.c:94
 prepare_nsset kernel/nsproxy.c:352 [inline]
 __do_sys_setns kernel/nsproxy.c:586 [inline]
 __se_sys_setns+0x2c0/0x1bb0 kernel/nsproxy.c:563
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Modules linked in:
CPU: 0 UID: 0 PID: 28573 Comm: syz.1.12644 Tainted: G    B               syzkaller #0 PREEMPT(full) 
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 bad_page+0x17f/0x1c0 mm/page_alloc.c:676
 free_page_is_bad mm/page_alloc.c:1120 [inline]
 __free_pages_prepare mm/page_alloc.c:1424 [inline]
 __free_frozen_pages+0xd62/0xdb0 mm/page_alloc.c:2978
 bpf_xdp_shrink_data net/core/filter.c:4203 [inline]
 bpf_xdp_frags_shrink_tail+0x4f7/0x7f0 net/core/filter.c:4227
 ____bpf_xdp_adjust_tail net/core/filter.c:4249 [inline]
 bpf_xdp_adjust_tail+0x1d6/0x220 net/core/filter.c:4242
 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24
 __bpf_prog_run include/linux/filter.h:723 [inline]
 bpf_prog_run_xdp include/net/xdp.h:696 [inline]
 bpf_prog_run_generic_xdp+0x603/0x1490 net/core/dev.c:5459
 netif_receive_generic_xdp net/core/dev.c:5575 [inline]
 do_xdp_generic+0xac5/0x12e0 net/core/dev.c:5637
 tun_get_user+0x247d/0x3dd0 drivers/net/tun.c:1872
 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1999
 new_sync_write fs/read_write.c:595 [inline]
 vfs_write+0x61d/0xb90 fs/read_write.c:688
 ksys_write+0x150/0x270 fs/read_write.c:740
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f188f15cfce
Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
RSP: 002b:00007f188ffd6fb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f188ffd76c0 RCX: 00007f188f15cfce
RDX: 0000000000011dc0 RSI: 0000200000001380 RDI: 00000000000000c8
RBP: 00007f188f232bd9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f188f416038 R14: 00007f188f415fa0 R15: 00007ffd38f99838
 </TASK>
BUG: Bad page state in process syz.1.12644  pfn:1ebab
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88801ebab680 pfn:0x1ebab
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 dead000000000040 ffff888022abe000 0000000000000000
raw: ffff88801ebab680 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 20449, tgid 20448 (syz.2.3416), ts 467940806934, free_ts 461731945266
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250
 __alloc_pages_noprof mm/page_alloc.c:5284 [inline]
 alloc_pages_bulk_noprof+0x558/0x700 mm/page_alloc.c:5204
 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline]
 __page_pool_alloc_netmems_slow+0x14c/0x710 net/core/page_pool.c:616
 page_pool_alloc_netmems net/core/page_pool.c:667 [inline]
 page_pool_alloc_frag_netmem+0x421/0x9b0 net/core/page_pool.c:1076
 page_pool_alloc_netmem include/net/page_pool/helpers.h:131 [inline]
 page_pool_alloc include/net/page_pool/helpers.h:167 [inline]
 page_pool_alloc_va include/net/page_pool/helpers.h:198 [inline]
 page_pool_dev_alloc_va include/net/page_pool/helpers.h:221 [inline]
 skb_pp_cow_data+0x287/0x1bb0 net/core/skbuff.c:949
 netif_skb_check_for_xdp net/core/dev.c:5528 [inline]
 netif_receive_generic_xdp net/core/dev.c:5569 [inline]
 do_xdp_generic+0x76b/0x12e0 net/core/dev.c:5637
 __netif_receive_skb_core+0x10e5/0x31a0 net/core/dev.c:5990
 __netif_receive_skb_one_core net/core/dev.c:6178 [inline]
 __netif_receive_skb net/core/dev.c:6293 [inline]
 process_backlog+0x76d/0x1950 net/core/dev.c:6644
 __napi_poll+0xae/0x340 net/core/dev.c:7708
 napi_poll net/core/dev.c:7771 [inline]
 net_rx_action+0x627/0xf70 net/core/dev.c:7923
 handle_softirqs+0x22a/0x870 kernel/softirq.c:622
 do_softirq+0x76/0xd0 kernel/softirq.c:523
 __local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:924 [inline]
 __dev_queue_xmit+0x1f56/0x38d0 net/core/dev.c:4876
page last free pid 20205 tgid 20202 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0xc2b/0xdb0 mm/page_alloc.c:2978
 __slab_free+0x263/0x2b0 mm/slub.c:5532
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350
 kasan_slab_alloc include/linux/kasan.h:253 [inline]
 slab_post_alloc_hook mm/slub.c:4501 [inline]
 slab_alloc_node mm/slub.c:4830 [inline]
 kmem_cache_alloc_noprof+0x2bc/0x650 mm/slub.c:4837
 create_nsproxy kernel/nsproxy.c:57 [inline]
 create_new_namespaces+0x33/0x6a0 kernel/nsproxy.c:94
 prepare_nsset kernel/nsproxy.c:352 [inline]
 __do_sys_setns kernel/nsproxy.c:586 [inline]
 __se_sys_setns+0x2c0/0x1bb0 kernel/nsproxy.c:563
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Modules linked in:
CPU: 0 UID: 0 PID: 28573 Comm: syz.1.12644 Tainted: G    B               syzkaller #0 PREEMPT(full) 
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 bad_page+0x17f/0x1c0 mm/page_alloc.c:676
 free_page_is_bad mm/page_alloc.c:1120 [inline]
 __free_pages_prepare mm/page_alloc.c:1424 [inline]
 __free_frozen_pages+0xd62/0xdb0 mm/page_alloc.c:2978
 bpf_xdp_shrink_data net/core/filter.c:4203 [inline]
 bpf_xdp_frags_shrink_tail+0x4f7/0x7f0 net/core/filter.c:4227
 ____bpf_xdp_adjust_tail net/core/filter.c:4249 [inline]
 bpf_xdp_adjust_tail+0x1d6/0x220 net/core/filter.c:4242
 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24
 __bpf_prog_run include/linux/filter.h:723 [inline]
 bpf_prog_run_xdp include/net/xdp.h:696 [inline]
 bpf_prog_run_generic_xdp+0x603/0x1490 net/core/dev.c:5459
 netif_receive_generic_xdp net/core/dev.c:5575 [inline]
 do_xdp_generic+0xac5/0x12e0 net/core/dev.c:5637
 tun_get_user+0x247d/0x3dd0 drivers/net/tun.c:1872
 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1999
 new_sync_write fs/read_write.c:595 [inline]
 vfs_write+0x61d/0xb90 fs/read_write.c:688
 ksys_write+0x150/0x270 fs/read_write.c:740
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f188f15cfce
Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
RSP: 002b:00007f188ffd6fb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f188ffd76c0 RCX: 00007f188f15cfce
RDX: 0000000000011dc0 RSI: 0000200000001380 RDI: 00000000000000c8
RBP: 00007f188f232bd9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f188f416038 R14: 00007f188f415fa0 R15: 00007ffd38f99838
 </TASK>
BUG: Bad page state in process syz.1.12644  pfn:34d21
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888034d21f00 pfn:0x34d21
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 dead000000000040 ffff888022abe000 0000000000000000
raw: ffff888034d21f00 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 20449, tgid 20448 (syz.2.3416), ts 467937103731, free_ts 461732051387
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250
 __alloc_pages_noprof mm/page_alloc.c:5284 [inline]
 alloc_pages_bulk_noprof+0x558/0x700 mm/page_alloc.c:5204
 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline]
 __page_pool_alloc_netmems_slow+0x14c/0x710 net/core/page_pool.c:616
 page_pool_alloc_netmems net/core/page_pool.c:667 [inline]
 page_pool_alloc_frag_netmem+0x421/0x9b0 net/core/page_pool.c:1076
 page_pool_alloc_netmem include/net/page_pool/helpers.h:131 [inline]
 page_pool_alloc include/net/page_pool/helpers.h:167 [inline]
 page_pool_alloc_va include/net/page_pool/helpers.h:198 [inline]
 page_pool_dev_alloc_va include/net/page_pool/helpers.h:221 [inline]
 skb_pp_cow_data+0x287/0x1bb0 net/core/skbuff.c:949
 netif_skb_check_for_xdp net/core/dev.c:5528 [inline]
 netif_receive_generic_xdp net/core/dev.c:5569 [inline]
 do_xdp_generic+0x76b/0x12e0 net/core/dev.c:5637
 __netif_receive_skb_core+0x10e5/0x31a0 net/core/dev.c:5990
 __netif_receive_skb_one_core net/core/dev.c:6178 [inline]
 __netif_receive_skb net/core/dev.c:6293 [inline]
 process_backlog+0x76d/0x1950 net/core/dev.c:6644
 __napi_poll+0xae/0x340 net/core/dev.c:7708
 napi_poll net/core/dev.c:7771 [inline]
 net_rx_action+0x627/0xf70 net/core/dev.c:7923
 handle_softirqs+0x22a/0x870 kernel/softirq.c:622
 do_softirq+0x76/0xd0 kernel/softirq.c:523
 __local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:924 [inline]
 __dev_queue_xmit+0x1f56/0x38d0 net/core/dev.c:4876
page last free pid 20205 tgid 20202 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0xc2b/0xdb0 mm/page_alloc.c:2978
 __slab_free+0x263/0x2b0 mm/slub.c:5532
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350
 kasan_slab_alloc include/linux/kasan.h:253 [inline]
 slab_post_alloc_hook mm/slub.c:4501 [inline]
 slab_alloc_node mm/slub.c:4830 [inline]
 kmem_cache_alloc_noprof+0x2bc/0x650 mm/slub.c:4837
 create_nsproxy kernel/nsproxy.c:57 [inline]
 create_new_namespaces+0x33/0x6a0 kernel/nsproxy.c:94
 prepare_nsset kernel/nsproxy.c:352 [inline]
 __do_sys_setns kernel/nsproxy.c:586 [inline]
 __se_sys_setns+0x2c0/0x1bb0 kernel/nsproxy.c:563
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Modules linked in:
CPU: 0 UID: 0 PID: 28573 Comm: syz.1.12644 Tainted: G    B               syzkaller #0 PREEMPT(full) 
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 bad_page+0x17f/0x1c0 mm/page_alloc.c:676
 free_page_is_bad mm/page_alloc.c:1120 [inline]
 __free_pages_prepare mm/page_alloc.c:1424 [inline]
 __free_frozen_pages+0xd62/0xdb0 mm/page_alloc.c:2978
 bpf_xdp_shrink_data net/core/filter.c:4203 [inline]
 bpf_xdp_frags_shrink_tail+0x4f7/0x7f0 net/core/filter.c:4227
 ____bpf_xdp_adjust_tail net/core/filter.c:4249 [inline]
 bpf_xdp_adjust_tail+0x1d6/0x220 net/core/filter.c:4242
 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24
 __bpf_prog_run include/linux/filter.h:723 [inline]
 bpf_prog_run_xdp include/net/xdp.h:696 [inline]
 bpf_prog_run_generic_xdp+0x603/0x1490 net/core/dev.c:5459
 netif_receive_generic_xdp net/core/dev.c:5575 [inline]
 do_xdp_generic+0xac5/0x12e0 net/core/dev.c:5637
 tun_get_user+0x247d/0x3dd0 drivers/net/tun.c:1872
 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1999
 new_sync_write fs/read_write.c:595 [inline]
 vfs_write+0x61d/0xb90 fs/read_write.c:688
 ksys_write+0x150/0x270 fs/read_write.c:740
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f188f15cfce
Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
RSP: 002b:00007f188ffd6fb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f188ffd76c0 RCX: 00007f188f15cfce
RDX: 0000000000011dc0 RSI: 0000200000001380 RDI: 00000000000000c8
RBP: 00007f188f232bd9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f188f416038 R14: 00007f188f415fa0 R15: 00007ffd38f99838
 </TASK>
BUG: Bad page state in process syz.1.12644  pfn:34921
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888034921c80 pfn:0x34921
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 dead000000000040 ffff888022abe000 0000000000000000
raw: ffff888034921c80 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 20449, tgid 20448 (syz.2.3416), ts 467937321435, free_ts 461732038622
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250
 __alloc_pages_noprof mm/page_alloc.c:5284 [inline]
 alloc_pages_bulk_noprof+0x558/0x700 mm/page_alloc.c:5204
 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline]
 __page_pool_alloc_netmems_slow+0x14c/0x710 net/core/page_pool.c:616
 page_pool_alloc_netmems net/core/page_pool.c:667 [inline]
 page_pool_alloc_frag_netmem+0x421/0x9b0 net/core/page_pool.c:1076
 page_pool_alloc_netmem include/net/page_pool/helpers.h:131 [inline]
 page_pool_alloc include/net/page_pool/helpers.h:167 [inline]
 page_pool_alloc_va include/net/page_pool/helpers.h:198 [inline]
 page_pool_dev_alloc_va include/net/page_pool/helpers.h:221 [inline]
 skb_pp_cow_data+0x287/0x1bb0 net/core/skbuff.c:949
 netif_skb_check_for_xdp net/core/dev.c:5528 [inline]
 netif_receive_generic_xdp net/core/dev.c:5569 [inline]
 do_xdp_generic+0x76b/0x12e0 net/core/dev.c:5637
 __netif_receive_skb_core+0x10e5/0x31a0 net/core/dev.c:5990
 __netif_receive_skb_one_core net/core/dev.c:6178 [inline]
 __netif_receive_skb net/core/dev.c:6293 [inline]
 process_backlog+0x76d/0x1950 net/core/dev.c:6644
 __napi_poll+0xae/0x340 net/core/dev.c:7708
 napi_poll net/core/dev.c:7771 [inline]
 net_rx_action+0x627/0xf70 net/core/dev.c:7923
 handle_softirqs+0x22a/0x870 kernel/softirq.c:622
 do_softirq+0x76/0xd0 kernel/softirq.c:523
 __local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:924 [inline]
 __dev_queue_xmit+0x1f56/0x38d0 net/core/dev.c:4876
page last free pid 20205 tgid 20202 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0xc2b/0xdb0 mm/page_alloc.c:2978
 __slab_free+0x263/0x2b0 mm/slub.c:5532
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350
 kasan_slab_alloc include/linux/kasan.h:253 [inline]
 slab_post_alloc_hook mm/slub.c:4501 [inline]
 slab_alloc_node mm/slub.c:4830 [inline]
 kmem_cache_alloc_noprof+0x2bc/0x650 mm/slub.c:4837
 create_nsproxy kernel/nsproxy.c:57 [inline]
 create_new_namespaces+0x33/0x6a0 kernel/nsproxy.c:94
 prepare_nsset kernel/nsproxy.c:352 [inline]
 __do_sys_setns kernel/nsproxy.c:586 [inline]
 __se_sys_setns+0x2c0/0x1bb0 kernel/nsproxy.c:563
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Modules linked in:
CPU: 0 UID: 0 PID: 28573 Comm: syz.1.12644 Tainted: G    B               syzkaller #0 PREEMPT(full) 
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 bad_page+0x17f/0x1c0 mm/page_alloc.c:676
 free_page_is_bad mm/page_alloc.c:1120 [inline]
 __free_pages_prepare mm/page_alloc.c:1424 [inline]
 __free_frozen_pages+0xd62/0xdb0 mm/page_alloc.c:2978
 bpf_xdp_shrink_data net/core/filter.c:4203 [inline]
 bpf_xdp_frags_shrink_tail+0x4f7/0x7f0 net/core/filter.c:4227
 ____bpf_xdp_adjust_tail net/core/filter.c:4249 [inline]
 bpf_xdp_adjust_tail+0x1d6/0x220 net/core/filter.c:4242
 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24
 __bpf_prog_run include/linux/filter.h:723 [inline]
 bpf_prog_run_xdp include/net/xdp.h:696 [inline]
 bpf_prog_run_generic_xdp+0x603/0x1490 net/core/dev.c:5459
 netif_receive_generic_xdp net/core/dev.c:5575 [inline]
 do_xdp_generic+0xac5/0x12e0 net/core/dev.c:5637
 tun_get_user+0x247d/0x3dd0 drivers/net/tun.c:1872
 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1999
 new_sync_write fs/read_write.c:595 [inline]
 vfs_write+0x61d/0xb90 fs/read_write.c:688
 ksys_write+0x150/0x270 fs/read_write.c:740
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f188f15cfce
Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
RSP: 002b:00007f188ffd6fb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f188ffd76c0 RCX: 00007f188f15cfce
RDX: 0000000000011dc0 RSI: 0000200000001380 RDI: 00000000000000c8
RBP: 00007f188f232bd9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f188f416038 R14: 00007f188f415fa0 R15: 00007ffd38f99838
 </TASK>
BUG: Bad page state in process syz.1.12644  pfn:7c3e0
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88807c3e0e00 pfn:0x7c3e0
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 dead000000000040 ffff888022abe000 0000000000000000
raw: ffff88807c3e0e00 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 20449, tgid 20448 (syz.2.3416), ts 467939457087, free_ts 461732025511
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250
 __alloc_pages_noprof mm/page_alloc.c:5284 [inline]
 alloc_pages_bulk_noprof+0x558/0x700 mm/page_alloc.c:5204
 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline]
 __page_pool_alloc_netmems_slow+0x14c/0x710 net/core/page_pool.c:616
 page_pool_alloc_netmems net/core/page_pool.c:667 [inline]
 page_pool_alloc_frag_netmem+0x421/0x9b0 net/core/page_pool.c:1076
 page_pool_alloc_netmem include/net/page_pool/helpers.h:131 [inline]
 page_pool_alloc include/net/page_pool/helpers.h:167 [inline]
 page_pool_alloc_va include/net/page_pool/helpers.h:198 [inline]
 page_pool_dev_alloc_va include/net/page_pool/helpers.h:221 [inline]
 skb_pp_cow_data+0x287/0x1bb0 net/core/skbuff.c:949
 netif_skb_check_for_xdp net/core/dev.c:5528 [inline]
 netif_receive_generic_xdp net/core/dev.c:5569 [inline]
 do_xdp_generic+0x76b/0x12e0 net/core/dev.c:5637
 __netif_receive_skb_core+0x10e5/0x31a0 net/core/dev.c:5990
 __netif_receive_skb_one_core net/core/dev.c:6178 [inline]
 __netif_receive_skb net/core/dev.c:6293 [inline]
 process_backlog+0x76d/0x1950 net/core/dev.c:6644
 __napi_poll+0xae/0x340 net/core/dev.c:7708
 napi_poll net/core/dev.c:7771 [inline]
 net_rx_action+0x627/0xf70 net/core/dev.c:7923
 handle_softirqs+0x22a/0x870 kernel/softirq.c:622
 do_softirq+0x76/0xd0 kernel/softirq.c:523
 __local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:924 [inline]
 __dev_queue_xmit+0x1f56/0x38d0 net/core/dev.c:4876
page last free pid 20205 tgid 20202 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0xc2b/0xdb0 mm/page_alloc.c:2978
 __slab_free+0x263/0x2b0 mm/slub.c:5532
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350
 kasan_slab_alloc include/linux/kasan.h:253 [inline]
 slab_post_alloc_hook mm/slub.c:4501 [inline]
 slab_alloc_node mm/slub.c:4830 [inline]
 kmem_cache_alloc_noprof+0x2bc/0x650 mm/slub.c:4837
 create_nsproxy kernel/nsproxy.c:57 [inline]
 create_new_namespaces+0x33/0x6a0 kernel/nsproxy.c:94
 prepare_nsset kernel/nsproxy.c:352 [inline]
 __do_sys_setns kernel/nsproxy.c:586 [inline]
 __se_sys_setns+0x2c0/0x1bb0 kernel/nsproxy.c:563
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Modules linked in:
CPU: 0 UID: 0 PID: 28573 Comm: syz.1.12644 Tainted: G    B               syzkaller #0 PREEMPT(full) 
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 bad_page+0x17f/0x1c0 mm/page_alloc.c:676
 free_page_is_bad mm/page_alloc.c:1120 [inline]
 __free_pages_prepare mm/page_alloc.c:1424 [inline]
 __free_frozen_pages+0xd62/0xdb0 mm/page_alloc.c:2978
 bpf_xdp_shrink_data net/core/filter.c:4203 [inline]
 bpf_xdp_frags_shrink_tail+0x4f7/0x7f0 net/core/filter.c:4227
 ____bpf_xdp_adjust_tail net/core/filter.c:4249 [inline]
 bpf_xdp_adjust_tail+0x1d6/0x220 net/core/filter.c:4242
 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24
 __bpf_prog_run include/linux/filter.h:723 [inline]
 bpf_prog_run_xdp include/net/xdp.h:696 [inline]
 bpf_prog_run_generic_xdp+0x603/0x1490 net/core/dev.c:5459
 netif_receive_generic_xdp net/core/dev.c:5575 [inline]
 do_xdp_generic+0xac5/0x12e0 net/core/dev.c:5637
 tun_get_user+0x247d/0x3dd0 drivers/net/tun.c:1872
 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1999
 new_sync_write fs/read_write.c:595 [inline]
 vfs_write+0x61d/0xb90 fs/read_write.c:688
 ksys_write+0x150/0x270 fs/read_write.c:740
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f188f15cfce
Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
RSP: 002b:00007f188ffd6fb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f188ffd76c0 RCX: 00007f188f15cfce
RDX: 0000000000011dc0 RSI: 0000200000001380 RDI: 00000000000000c8
RBP: 00007f188f232bd9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f188f416038 R14: 00007f188f415fa0 R15: 00007ffd38f99838
 </TASK>
BUG: Bad page state in process syz.1.12644  pfn:7e055
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88807e055c80 pfn:0x7e055
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 dead000000000040 ffff888022abe000 0000000000000000
raw: ffff88807e055c80 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 20449, tgid 20448 (syz.2.3416), ts 467939676078, free_ts 461732012194
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250
 __alloc_pages_noprof mm/page_alloc.c:5284 [inline]
 alloc_pages_bulk_noprof+0x558/0x700 mm/page_alloc.c:5204
 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline]
 __page_pool_alloc_netmems_slow+0x14c/0x710 net/core/page_pool.c:616
 page_pool_alloc_netmems net/core/page_pool.c:667 [inline]
 page_pool_alloc_frag_netmem+0x421/0x9b0 net/core/page_pool.c:1076
 page_pool_alloc_netmem include/net/page_pool/helpers.h:131 [inline]
 page_pool_alloc include/net/page_pool/helpers.h:167 [inline]
 page_pool_alloc_va include/net/page_pool/helpers.h:198 [inline]
 page_pool_dev_alloc_va include/net/page_pool/helpers.h:221 [inline]
 skb_pp_cow_data+0x287/0x1bb0 net/core/skbuff.c:949
 netif_skb_check_for_xdp net/core/dev.c:5528 [inline]
 netif_receive_generic_xdp net/core/dev.c:5569 [inline]
 do_xdp_generic+0x76b/0x12e0 net/core/dev.c:5637
 __netif_receive_skb_core+0x10e5/0x31a0 net/core/dev.c:5990
 __netif_receive_skb_one_core net/core/dev.c:6178 [inline]
 __netif_receive_skb net/core/dev.c:6293 [inline]
 process_backlog+0x76d/0x1950 net/core/dev.c:6644
 __napi_poll+0xae/0x340 net/core/dev.c:7708
 napi_poll net/core/dev.c:7771 [inline]
 net_rx_action+0x627/0xf70 net/core/dev.c:7923
 handle_softirqs+0x22a/0x870 kernel/softirq.c:622
 do_softirq+0x76/0xd0 kernel/softirq.c:523
 __local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:924 [inline]
 __dev_queue_xmit+0x1f56/0x38d0 net/core/dev.c:4876
page last free pid 20205 tgid 20202 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0xc2b/0xdb0 mm/page_alloc.c:2978
 __slab_free+0x263/0x2b0 mm/slub.c:5532
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350
 kasan_slab_alloc include/linux/kasan.h:253 [inline]
 slab_post_alloc_hook mm/slub.c:4501 [inline]
 slab_alloc_node mm/slub.c:4830 [inline]
 kmem_cache_alloc_noprof+0x2bc/0x650 mm/slub.c:4837
 create_nsproxy kernel/nsproxy.c:57 [inline]
 create_new_namespaces+0x33/0x6a0 kernel/nsproxy.c:94
 prepare_nsset kernel/nsproxy.c:352 [inline]
 __do_sys_setns kernel/nsproxy.c:586 [inline]
 __se_sys_setns+0x2c0/0x1bb0 kernel/nsproxy.c:563
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Modules linked in:
CPU: 0 UID: 0 PID: 28573 Comm: syz.1.12644 Tainted: G    B               syzkaller #0 PREEMPT(full) 
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 bad_page+0x17f/0x1c0 mm/page_alloc.c:676
 free_page_is_bad mm/page_alloc.c:1120 [inline]
 __free_pages_prepare mm/page_alloc.c:1424 [inline]
 __free_frozen_pages+0xd62/0xdb0 mm/page_alloc.c:2978
 bpf_xdp_shrink_data net/core/filter.c:4203 [inline]
 bpf_xdp_frags_shrink_tail+0x4f7/0x7f0 net/core/filter.c:4227
 ____bpf_xdp_adjust_tail net/core/filter.c:4249 [inline]
 bpf_xdp_adjust_tail+0x1d6/0x220 net/core/filter.c:4242
 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24
 __bpf_prog_run include/linux/filter.h:723 [inline]
 bpf_prog_run_xdp include/net/xdp.h:696 [inline]
 bpf_prog_run_generic_xdp+0x603/0x1490 net/core/dev.c:5459
 netif_receive_generic_xdp net/core/dev.c:5575 [inline]
 do_xdp_generic+0xac5/0x12e0 net/core/dev.c:5637
 tun_get_user+0x247d/0x3dd0 drivers/net/tun.c:1872
 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1999
 new_sync_write fs/read_write.c:595 [inline]
 vfs_write+0x61d/0xb90 fs/read_write.c:688
 ksys_write+0x150/0x270 fs/read_write.c:740
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f188f15cfce
Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
RSP: 002b:00007f188ffd6fb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f188ffd76c0 RCX: 00007f188f15cfce
RDX: 0000000000011dc0 RSI: 0000200000001380 RDI: 00000000000000c8
RBP: 00007f188f232bd9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f188f416038 R14: 00007f188f415fa0 R15: 00007ffd38f99838
 </TASK>