BUG: Bad page state in process syz.1.206  pfn:b1166
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffffaf8031166dc0 pfn:0xb1166
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ffffaf80115bc000 0000000000000000
raw: ffffaf8031166dc0 3fffffffffffffff 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 4545, tgid 4544 (syz.1.206), ts 1133522760300, free_ts 1131485487500
 __set_page_owner+0xa2/0x710 mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xea/0x1e2 mm/page_alloc.c:1551
 prep_new_page mm/page_alloc.c:1559 [inline]
 get_page_from_freelist+0xf78/0x2bd6 mm/page_alloc.c:3477
 __alloc_frozen_pages_noprof+0x1e8/0x20fc mm/page_alloc.c:4739
 __alloc_pages_noprof mm/page_alloc.c:4773 [inline]
 alloc_pages_bulk_noprof+0x580/0x10a8 mm/page_alloc.c:4693
 alloc_pages_bulk_node_noprof include/linux/gfp.h:235 [inline]
 __page_pool_alloc_pages_slow+0x18c/0xc4e net/core/page_pool.c:542
 page_pool_alloc_netmems net/core/page_pool.c:593 [inline]
 page_pool_alloc_netmems+0xc0/0x158 net/core/page_pool.c:580
 page_pool_alloc_frag_netmem+0x242/0x6ea net/core/page_pool.c:998
 page_pool_alloc_netmem include/net/page_pool/helpers.h:131 [inline]
 page_pool_alloc include/net/page_pool/helpers.h:160 [inline]
 page_pool_dev_alloc include/net/page_pool/helpers.h:181 [inline]
 skb_pp_cow_data+0x718/0xfe2 net/core/skbuff.c:983
 skb_cow_data_for_xdp+0x8a/0xbc net/core/skbuff.c:1017
 netif_skb_check_for_xdp net/core/dev.c:5191 [inline]
 netif_receive_generic_xdp net/core/dev.c:5230 [inline]
 do_xdp_generic+0x500/0xf14 net/core/dev.c:5298
 tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
 tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
 new_sync_write fs/read_write.c:586 [inline]
 vfs_write+0x56c/0xa9a fs/read_write.c:679
 ksys_write+0x126/0x226 fs/read_write.c:731
 __do_sys_write fs/read_write.c:742 [inline]
 __se_sys_write fs/read_write.c:739 [inline]
 __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
page last free pid 3803 tgid 3803 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_frozen_pages+0x96a/0x155c mm/page_alloc.c:2660
 __free_pages+0x13a/0x1ba mm/page_alloc.c:4838
 vfree+0x1ac/0xd1a mm/vmalloc.c:3383
 __bpf_prog_free+0x10a/0x168 kernel/bpf/core.c:287
 bpf_prog_unlock_free include/linux/filter.h:1083 [inline]
 bpf_jit_free+0x19c/0x206 arch/riscv/net/bpf_jit_core.c:268
 bpf_prog_free_deferred+0x3d8/0x53c kernel/bpf/core.c:2820
 process_one_work+0x96a/0x1f3a kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3317 [inline]
 worker_thread+0x5be/0xdc6 kernel/workqueue.c:3398
 kthread+0x37e/0x7b6 kernel/kthread.c:464
 ret_from_fork+0xe/0x18 arch/riscv/kernel/entry.S:327
Modules linked in:
CPU: 0 UID: 0 PID: 4545 Comm: syz.1.206 Not tainted 6.14.0-rc1-syzkaller-g245aece3750d #0
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80074518>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:132
[<ffffffff80003206>] show_stack+0x30/0x3c arch/riscv/kernel/stacktrace.c:138
[<ffffffff8005fa4c>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff8005fa4c>] dump_stack_lvl+0x12e/0x1a6 lib/dump_stack.c:120
[<ffffffff8005fae0>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff80997d5c>] bad_page+0x266/0x2d8 mm/page_alloc.c:501
[<ffffffff809a627a>] free_page_is_bad_report mm/page_alloc.c:913 [inline]
[<ffffffff809a627a>] free_page_is_bad mm/page_alloc.c:923 [inline]
[<ffffffff809a627a>] free_pages_prepare mm/page_alloc.c:1119 [inline]
[<ffffffff809a627a>] free_frozen_pages+0xb82/0x155c mm/page_alloc.c:2660
[<ffffffff809b5256>] page_frag_free+0x336/0x382 mm/page_frag_cache.c:169
[<ffffffff8507e482>] __xdp_return+0x336/0xa02 net/core/xdp.c:447
[<ffffffff850583d2>] bpf_xdp_shrink_data net/core/filter.c:4155 [inline]
[<ffffffff850583d2>] bpf_xdp_frags_shrink_tail net/core/filter.c:4175 [inline]
[<ffffffff850583d2>] ____bpf_xdp_adjust_tail net/core/filter.c:4200 [inline]
[<ffffffff850583d2>] bpf_xdp_adjust_tail+0x9c8/0xf50 net/core/filter.c:4193
[<ffffffff78001c9c>] bpf_prog_f476d5219b92964a+0x28/0x36
[<ffffffff85027a4a>] bpf_dispatcher_xdp_func+0x22/0x32 net/core/filter.c:11701
[<ffffffff84f96e84>] __bpf_prog_run include/linux/filter.h:692 [inline]
[<ffffffff84f96e84>] bpf_prog_run_xdp include/net/xdp.h:654 [inline]
[<ffffffff84f96e84>] bpf_prog_run_generic_xdp+0xf66/0x166a net/core/dev.c:5123
[<ffffffff84f9824e>] netif_receive_generic_xdp net/core/dev.c:5236 [inline]
[<ffffffff84f9824e>] do_xdp_generic+0x7e2/0xf14 net/core/dev.c:5298
[<ffffffff831b71d4>] tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
[<ffffffff831bb756>] tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
[<ffffffff80b63350>] new_sync_write fs/read_write.c:586 [inline]
[<ffffffff80b63350>] vfs_write+0x56c/0xa9a fs/read_write.c:679
[<ffffffff80b63c5e>] ksys_write+0x126/0x226 fs/read_write.c:731
[<ffffffff80b63dcc>] __do_sys_write fs/read_write.c:742 [inline]
[<ffffffff80b63dcc>] __se_sys_write fs/read_write.c:739 [inline]
[<ffffffff80b63dcc>] __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
[<ffffffff80072b1e>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff86242a5a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff86268776>] handle_exception+0x146/0x152 arch/riscv/kernel/entry.S:197
BUG: Bad page state in process syz.1.206  pfn:9ae5b
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffffaf801ae5bdc0 pfn:0x9ae5b
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ffffaf80115bc000 0000000000000000
raw: ffffaf801ae5bdc0 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 4545, tgid 4544 (syz.1.206), ts 1133522452000, free_ts 1131630564000
 __set_page_owner+0xa2/0x710 mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xea/0x1e2 mm/page_alloc.c:1551
 prep_new_page mm/page_alloc.c:1559 [inline]
 get_page_from_freelist+0xf78/0x2bd6 mm/page_alloc.c:3477
 __alloc_frozen_pages_noprof+0x1e8/0x20fc mm/page_alloc.c:4739
 __alloc_pages_noprof mm/page_alloc.c:4773 [inline]
 alloc_pages_bulk_noprof+0x580/0x10a8 mm/page_alloc.c:4693
 alloc_pages_bulk_node_noprof include/linux/gfp.h:235 [inline]
 __page_pool_alloc_pages_slow+0x18c/0xc4e net/core/page_pool.c:542
 page_pool_alloc_netmems net/core/page_pool.c:593 [inline]
 page_pool_alloc_netmems+0xc0/0x158 net/core/page_pool.c:580
 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline]
 page_pool_alloc include/net/page_pool/helpers.h:160 [inline]
 page_pool_dev_alloc include/net/page_pool/helpers.h:181 [inline]
 skb_pp_cow_data+0x8be/0xfe2 net/core/skbuff.c:983
 skb_cow_data_for_xdp+0x8a/0xbc net/core/skbuff.c:1017
 netif_skb_check_for_xdp net/core/dev.c:5191 [inline]
 netif_receive_generic_xdp net/core/dev.c:5230 [inline]
 do_xdp_generic+0x500/0xf14 net/core/dev.c:5298
 tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
 tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
 new_sync_write fs/read_write.c:586 [inline]
 vfs_write+0x56c/0xa9a fs/read_write.c:679
 ksys_write+0x126/0x226 fs/read_write.c:731
 __do_sys_write fs/read_write.c:742 [inline]
 __se_sys_write fs/read_write.c:739 [inline]
 __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
page last free pid 3793 tgid 3793 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_frozen_pages+0x96a/0x155c mm/page_alloc.c:2660
 __free_pages+0x13a/0x1ba mm/page_alloc.c:4838
 vfree+0x1ac/0xd1a mm/vmalloc.c:3383
 delayed_vfree_work+0x58/0x7a mm/vmalloc.c:3303
 process_one_work+0x96a/0x1f3a kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3317 [inline]
 worker_thread+0x5be/0xdc6 kernel/workqueue.c:3398
 kthread+0x37e/0x7b6 kernel/kthread.c:464
 ret_from_fork+0xe/0x18 arch/riscv/kernel/entry.S:327
Modules linked in:
CPU: 0 UID: 0 PID: 4545 Comm: syz.1.206 Tainted: G    B              6.14.0-rc1-syzkaller-g245aece3750d #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80074518>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:132
[<ffffffff80003206>] show_stack+0x30/0x3c arch/riscv/kernel/stacktrace.c:138
[<ffffffff8005fa4c>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff8005fa4c>] dump_stack_lvl+0x12e/0x1a6 lib/dump_stack.c:120
[<ffffffff8005fae0>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff80997d5c>] bad_page+0x266/0x2d8 mm/page_alloc.c:501
[<ffffffff809a627a>] free_page_is_bad_report mm/page_alloc.c:913 [inline]
[<ffffffff809a627a>] free_page_is_bad mm/page_alloc.c:923 [inline]
[<ffffffff809a627a>] free_pages_prepare mm/page_alloc.c:1119 [inline]
[<ffffffff809a627a>] free_frozen_pages+0xb82/0x155c mm/page_alloc.c:2660
[<ffffffff809b5256>] page_frag_free+0x336/0x382 mm/page_frag_cache.c:169
[<ffffffff8507e482>] __xdp_return+0x336/0xa02 net/core/xdp.c:447
[<ffffffff850583d2>] bpf_xdp_shrink_data net/core/filter.c:4155 [inline]
[<ffffffff850583d2>] bpf_xdp_frags_shrink_tail net/core/filter.c:4175 [inline]
[<ffffffff850583d2>] ____bpf_xdp_adjust_tail net/core/filter.c:4200 [inline]
[<ffffffff850583d2>] bpf_xdp_adjust_tail+0x9c8/0xf50 net/core/filter.c:4193
[<ffffffff78001c9c>] bpf_prog_f476d5219b92964a+0x28/0x36
[<ffffffff85027a4a>] bpf_dispatcher_xdp_func+0x22/0x32 net/core/filter.c:11701
[<ffffffff84f96e84>] __bpf_prog_run include/linux/filter.h:692 [inline]
[<ffffffff84f96e84>] bpf_prog_run_xdp include/net/xdp.h:654 [inline]
[<ffffffff84f96e84>] bpf_prog_run_generic_xdp+0xf66/0x166a net/core/dev.c:5123
[<ffffffff84f9824e>] netif_receive_generic_xdp net/core/dev.c:5236 [inline]
[<ffffffff84f9824e>] do_xdp_generic+0x7e2/0xf14 net/core/dev.c:5298
[<ffffffff831b71d4>] tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
[<ffffffff831bb756>] tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
[<ffffffff80b63350>] new_sync_write fs/read_write.c:586 [inline]
[<ffffffff80b63350>] vfs_write+0x56c/0xa9a fs/read_write.c:679
[<ffffffff80b63c5e>] ksys_write+0x126/0x226 fs/read_write.c:731
[<ffffffff80b63dcc>] __do_sys_write fs/read_write.c:742 [inline]
[<ffffffff80b63dcc>] __se_sys_write fs/read_write.c:739 [inline]
[<ffffffff80b63dcc>] __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
[<ffffffff80072b1e>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff86242a5a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff86268776>] handle_exception+0x146/0x152 arch/riscv/kernel/entry.S:197
BUG: Bad page state in process syz.1.206  pfn:b054c
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffffaf803054cdc0 pfn:0xb054c
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ffffaf80115bc000 0000000000000000
raw: ffffaf803054cdc0 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 4545, tgid 4544 (syz.1.206), ts 1133522307300, free_ts 1131630886000
 __set_page_owner+0xa2/0x710 mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xea/0x1e2 mm/page_alloc.c:1551
 prep_new_page mm/page_alloc.c:1559 [inline]
 get_page_from_freelist+0xf78/0x2bd6 mm/page_alloc.c:3477
 __alloc_frozen_pages_noprof+0x1e8/0x20fc mm/page_alloc.c:4739
 __alloc_pages_noprof mm/page_alloc.c:4773 [inline]
 alloc_pages_bulk_noprof+0x580/0x10a8 mm/page_alloc.c:4693
 alloc_pages_bulk_node_noprof include/linux/gfp.h:235 [inline]
 __page_pool_alloc_pages_slow+0x18c/0xc4e net/core/page_pool.c:542
 page_pool_alloc_netmems net/core/page_pool.c:593 [inline]
 page_pool_alloc_netmems+0xc0/0x158 net/core/page_pool.c:580
 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline]
 page_pool_alloc include/net/page_pool/helpers.h:160 [inline]
 page_pool_dev_alloc include/net/page_pool/helpers.h:181 [inline]
 skb_pp_cow_data+0x8be/0xfe2 net/core/skbuff.c:983
 skb_cow_data_for_xdp+0x8a/0xbc net/core/skbuff.c:1017
 netif_skb_check_for_xdp net/core/dev.c:5191 [inline]
 netif_receive_generic_xdp net/core/dev.c:5230 [inline]
 do_xdp_generic+0x500/0xf14 net/core/dev.c:5298
 tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
 tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
 new_sync_write fs/read_write.c:586 [inline]
 vfs_write+0x56c/0xa9a fs/read_write.c:679
 ksys_write+0x126/0x226 fs/read_write.c:731
 __do_sys_write fs/read_write.c:742 [inline]
 __se_sys_write fs/read_write.c:739 [inline]
 __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
page last free pid 3793 tgid 3793 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_frozen_pages+0x96a/0x155c mm/page_alloc.c:2660
 __free_pages+0x13a/0x1ba mm/page_alloc.c:4838
 vfree+0x1ac/0xd1a mm/vmalloc.c:3383
 delayed_vfree_work+0x58/0x7a mm/vmalloc.c:3303
 process_one_work+0x96a/0x1f3a kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3317 [inline]
 worker_thread+0x5be/0xdc6 kernel/workqueue.c:3398
 kthread+0x37e/0x7b6 kernel/kthread.c:464
 ret_from_fork+0xe/0x18 arch/riscv/kernel/entry.S:327
Modules linked in:
CPU: 0 UID: 0 PID: 4545 Comm: syz.1.206 Tainted: G    B              6.14.0-rc1-syzkaller-g245aece3750d #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80074518>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:132
[<ffffffff80003206>] show_stack+0x30/0x3c arch/riscv/kernel/stacktrace.c:138
[<ffffffff8005fa4c>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff8005fa4c>] dump_stack_lvl+0x12e/0x1a6 lib/dump_stack.c:120
[<ffffffff8005fae0>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff80997d5c>] bad_page+0x266/0x2d8 mm/page_alloc.c:501
[<ffffffff809a627a>] free_page_is_bad_report mm/page_alloc.c:913 [inline]
[<ffffffff809a627a>] free_page_is_bad mm/page_alloc.c:923 [inline]
[<ffffffff809a627a>] free_pages_prepare mm/page_alloc.c:1119 [inline]
[<ffffffff809a627a>] free_frozen_pages+0xb82/0x155c mm/page_alloc.c:2660
[<ffffffff809b5256>] page_frag_free+0x336/0x382 mm/page_frag_cache.c:169
[<ffffffff8507e482>] __xdp_return+0x336/0xa02 net/core/xdp.c:447
[<ffffffff850583d2>] bpf_xdp_shrink_data net/core/filter.c:4155 [inline]
[<ffffffff850583d2>] bpf_xdp_frags_shrink_tail net/core/filter.c:4175 [inline]
[<ffffffff850583d2>] ____bpf_xdp_adjust_tail net/core/filter.c:4200 [inline]
[<ffffffff850583d2>] bpf_xdp_adjust_tail+0x9c8/0xf50 net/core/filter.c:4193
[<ffffffff78001c9c>] bpf_prog_f476d5219b92964a+0x28/0x36
[<ffffffff85027a4a>] bpf_dispatcher_xdp_func+0x22/0x32 net/core/filter.c:11701
[<ffffffff84f96e84>] __bpf_prog_run include/linux/filter.h:692 [inline]
[<ffffffff84f96e84>] bpf_prog_run_xdp include/net/xdp.h:654 [inline]
[<ffffffff84f96e84>] bpf_prog_run_generic_xdp+0xf66/0x166a net/core/dev.c:5123
[<ffffffff84f9824e>] netif_receive_generic_xdp net/core/dev.c:5236 [inline]
[<ffffffff84f9824e>] do_xdp_generic+0x7e2/0xf14 net/core/dev.c:5298
[<ffffffff831b71d4>] tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
[<ffffffff831bb756>] tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
[<ffffffff80b63350>] new_sync_write fs/read_write.c:586 [inline]
[<ffffffff80b63350>] vfs_write+0x56c/0xa9a fs/read_write.c:679
[<ffffffff80b63c5e>] ksys_write+0x126/0x226 fs/read_write.c:731
[<ffffffff80b63dcc>] __do_sys_write fs/read_write.c:742 [inline]
[<ffffffff80b63dcc>] __se_sys_write fs/read_write.c:739 [inline]
[<ffffffff80b63dcc>] __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
[<ffffffff80072b1e>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff86242a5a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff86268776>] handle_exception+0x146/0x152 arch/riscv/kernel/entry.S:197
BUG: Bad page state in process syz.1.206  pfn:b054d
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffffaf803054db40 pfn:0xb054d
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ffffaf80115bc000 0000000000000000
raw: ffffaf803054db40 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 4545, tgid 4544 (syz.1.206), ts 1133522171600, free_ts 1131631118500
 __set_page_owner+0xa2/0x710 mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xea/0x1e2 mm/page_alloc.c:1551
 prep_new_page mm/page_alloc.c:1559 [inline]
 get_page_from_freelist+0xf78/0x2bd6 mm/page_alloc.c:3477
 __alloc_frozen_pages_noprof+0x1e8/0x20fc mm/page_alloc.c:4739
 __alloc_pages_noprof mm/page_alloc.c:4773 [inline]
 alloc_pages_bulk_noprof+0x580/0x10a8 mm/page_alloc.c:4693
 alloc_pages_bulk_node_noprof include/linux/gfp.h:235 [inline]
 __page_pool_alloc_pages_slow+0x18c/0xc4e net/core/page_pool.c:542
 page_pool_alloc_netmems net/core/page_pool.c:593 [inline]
 page_pool_alloc_netmems+0xc0/0x158 net/core/page_pool.c:580
 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline]
 page_pool_alloc include/net/page_pool/helpers.h:160 [inline]
 page_pool_dev_alloc include/net/page_pool/helpers.h:181 [inline]
 skb_pp_cow_data+0x8be/0xfe2 net/core/skbuff.c:983
 skb_cow_data_for_xdp+0x8a/0xbc net/core/skbuff.c:1017
 netif_skb_check_for_xdp net/core/dev.c:5191 [inline]
 netif_receive_generic_xdp net/core/dev.c:5230 [inline]
 do_xdp_generic+0x500/0xf14 net/core/dev.c:5298
 tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
 tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
 new_sync_write fs/read_write.c:586 [inline]
 vfs_write+0x56c/0xa9a fs/read_write.c:679
 ksys_write+0x126/0x226 fs/read_write.c:731
 __do_sys_write fs/read_write.c:742 [inline]
 __se_sys_write fs/read_write.c:739 [inline]
 __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
page last free pid 3793 tgid 3793 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_frozen_pages+0x96a/0x155c mm/page_alloc.c:2660
 __free_pages+0x13a/0x1ba mm/page_alloc.c:4838
 vfree+0x1ac/0xd1a mm/vmalloc.c:3383
 delayed_vfree_work+0x58/0x7a mm/vmalloc.c:3303
 process_one_work+0x96a/0x1f3a kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3317 [inline]
 worker_thread+0x5be/0xdc6 kernel/workqueue.c:3398
 kthread+0x37e/0x7b6 kernel/kthread.c:464
 ret_from_fork+0xe/0x18 arch/riscv/kernel/entry.S:327
Modules linked in:
CPU: 0 UID: 0 PID: 4545 Comm: syz.1.206 Tainted: G    B              6.14.0-rc1-syzkaller-g245aece3750d #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80074518>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:132
[<ffffffff80003206>] show_stack+0x30/0x3c arch/riscv/kernel/stacktrace.c:138
[<ffffffff8005fa4c>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff8005fa4c>] dump_stack_lvl+0x12e/0x1a6 lib/dump_stack.c:120
[<ffffffff8005fae0>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff80997d5c>] bad_page+0x266/0x2d8 mm/page_alloc.c:501
[<ffffffff809a627a>] free_page_is_bad_report mm/page_alloc.c:913 [inline]
[<ffffffff809a627a>] free_page_is_bad mm/page_alloc.c:923 [inline]
[<ffffffff809a627a>] free_pages_prepare mm/page_alloc.c:1119 [inline]
[<ffffffff809a627a>] free_frozen_pages+0xb82/0x155c mm/page_alloc.c:2660
[<ffffffff809b5256>] page_frag_free+0x336/0x382 mm/page_frag_cache.c:169
[<ffffffff8507e482>] __xdp_return+0x336/0xa02 net/core/xdp.c:447
[<ffffffff850583d2>] bpf_xdp_shrink_data net/core/filter.c:4155 [inline]
[<ffffffff850583d2>] bpf_xdp_frags_shrink_tail net/core/filter.c:4175 [inline]
[<ffffffff850583d2>] ____bpf_xdp_adjust_tail net/core/filter.c:4200 [inline]
[<ffffffff850583d2>] bpf_xdp_adjust_tail+0x9c8/0xf50 net/core/filter.c:4193
[<ffffffff78001c9c>] bpf_prog_f476d5219b92964a+0x28/0x36
[<ffffffff85027a4a>] bpf_dispatcher_xdp_func+0x22/0x32 net/core/filter.c:11701
[<ffffffff84f96e84>] __bpf_prog_run include/linux/filter.h:692 [inline]
[<ffffffff84f96e84>] bpf_prog_run_xdp include/net/xdp.h:654 [inline]
[<ffffffff84f96e84>] bpf_prog_run_generic_xdp+0xf66/0x166a net/core/dev.c:5123
[<ffffffff84f9824e>] netif_receive_generic_xdp net/core/dev.c:5236 [inline]
[<ffffffff84f9824e>] do_xdp_generic+0x7e2/0xf14 net/core/dev.c:5298
[<ffffffff831b71d4>] tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
[<ffffffff831bb756>] tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
[<ffffffff80b63350>] new_sync_write fs/read_write.c:586 [inline]
[<ffffffff80b63350>] vfs_write+0x56c/0xa9a fs/read_write.c:679
[<ffffffff80b63c5e>] ksys_write+0x126/0x226 fs/read_write.c:731
[<ffffffff80b63dcc>] __do_sys_write fs/read_write.c:742 [inline]
[<ffffffff80b63dcc>] __se_sys_write fs/read_write.c:739 [inline]
[<ffffffff80b63dcc>] __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
[<ffffffff80072b1e>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff86242a5a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff86268776>] handle_exception+0x146/0x152 arch/riscv/kernel/entry.S:197
BUG: Bad page state in process syz.1.206  pfn:99bc4
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffffaf8019bc4dc0 pfn:0x99bc4
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ffffaf80115bc000 0000000000000000
raw: ffffaf8019bc4dc0 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 4545, tgid 4544 (syz.1.206), ts 1133522039700, free_ts 1131631338800
 __set_page_owner+0xa2/0x710 mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xea/0x1e2 mm/page_alloc.c:1551
 prep_new_page mm/page_alloc.c:1559 [inline]
 get_page_from_freelist+0xf78/0x2bd6 mm/page_alloc.c:3477
 __alloc_frozen_pages_noprof+0x1e8/0x20fc mm/page_alloc.c:4739
 __alloc_pages_noprof mm/page_alloc.c:4773 [inline]
 alloc_pages_bulk_noprof+0x580/0x10a8 mm/page_alloc.c:4693
 alloc_pages_bulk_node_noprof include/linux/gfp.h:235 [inline]
 __page_pool_alloc_pages_slow+0x18c/0xc4e net/core/page_pool.c:542
 page_pool_alloc_netmems net/core/page_pool.c:593 [inline]
 page_pool_alloc_netmems+0xc0/0x158 net/core/page_pool.c:580
 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline]
 page_pool_alloc include/net/page_pool/helpers.h:160 [inline]
 page_pool_dev_alloc include/net/page_pool/helpers.h:181 [inline]
 skb_pp_cow_data+0x8be/0xfe2 net/core/skbuff.c:983
 skb_cow_data_for_xdp+0x8a/0xbc net/core/skbuff.c:1017
 netif_skb_check_for_xdp net/core/dev.c:5191 [inline]
 netif_receive_generic_xdp net/core/dev.c:5230 [inline]
 do_xdp_generic+0x500/0xf14 net/core/dev.c:5298
 tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
 tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
 new_sync_write fs/read_write.c:586 [inline]
 vfs_write+0x56c/0xa9a fs/read_write.c:679
 ksys_write+0x126/0x226 fs/read_write.c:731
 __do_sys_write fs/read_write.c:742 [inline]
 __se_sys_write fs/read_write.c:739 [inline]
 __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
page last free pid 3793 tgid 3793 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_frozen_pages+0x96a/0x155c mm/page_alloc.c:2660
 __free_pages+0x13a/0x1ba mm/page_alloc.c:4838
 vfree+0x1ac/0xd1a mm/vmalloc.c:3383
 delayed_vfree_work+0x58/0x7a mm/vmalloc.c:3303
 process_one_work+0x96a/0x1f3a kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3317 [inline]
 worker_thread+0x5be/0xdc6 kernel/workqueue.c:3398
 kthread+0x37e/0x7b6 kernel/kthread.c:464
 ret_from_fork+0xe/0x18 arch/riscv/kernel/entry.S:327
Modules linked in:
CPU: 0 UID: 0 PID: 4545 Comm: syz.1.206 Tainted: G    B              6.14.0-rc1-syzkaller-g245aece3750d #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80074518>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:132
[<ffffffff80003206>] show_stack+0x30/0x3c arch/riscv/kernel/stacktrace.c:138
[<ffffffff8005fa4c>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff8005fa4c>] dump_stack_lvl+0x12e/0x1a6 lib/dump_stack.c:120
[<ffffffff8005fae0>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff80997d5c>] bad_page+0x266/0x2d8 mm/page_alloc.c:501
[<ffffffff809a627a>] free_page_is_bad_report mm/page_alloc.c:913 [inline]
[<ffffffff809a627a>] free_page_is_bad mm/page_alloc.c:923 [inline]
[<ffffffff809a627a>] free_pages_prepare mm/page_alloc.c:1119 [inline]
[<ffffffff809a627a>] free_frozen_pages+0xb82/0x155c mm/page_alloc.c:2660
[<ffffffff809b5256>] page_frag_free+0x336/0x382 mm/page_frag_cache.c:169
[<ffffffff8507e482>] __xdp_return+0x336/0xa02 net/core/xdp.c:447
[<ffffffff850583d2>] bpf_xdp_shrink_data net/core/filter.c:4155 [inline]
[<ffffffff850583d2>] bpf_xdp_frags_shrink_tail net/core/filter.c:4175 [inline]
[<ffffffff850583d2>] ____bpf_xdp_adjust_tail net/core/filter.c:4200 [inline]
[<ffffffff850583d2>] bpf_xdp_adjust_tail+0x9c8/0xf50 net/core/filter.c:4193
[<ffffffff78001c9c>] bpf_prog_f476d5219b92964a+0x28/0x36
[<ffffffff85027a4a>] bpf_dispatcher_xdp_func+0x22/0x32 net/core/filter.c:11701
[<ffffffff84f96e84>] __bpf_prog_run include/linux/filter.h:692 [inline]
[<ffffffff84f96e84>] bpf_prog_run_xdp include/net/xdp.h:654 [inline]
[<ffffffff84f96e84>] bpf_prog_run_generic_xdp+0xf66/0x166a net/core/dev.c:5123
[<ffffffff84f9824e>] netif_receive_generic_xdp net/core/dev.c:5236 [inline]
[<ffffffff84f9824e>] do_xdp_generic+0x7e2/0xf14 net/core/dev.c:5298
[<ffffffff831b71d4>] tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
[<ffffffff831bb756>] tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
[<ffffffff80b63350>] new_sync_write fs/read_write.c:586 [inline]
[<ffffffff80b63350>] vfs_write+0x56c/0xa9a fs/read_write.c:679
[<ffffffff80b63c5e>] ksys_write+0x126/0x226 fs/read_write.c:731
[<ffffffff80b63dcc>] __do_sys_write fs/read_write.c:742 [inline]
[<ffffffff80b63dcc>] __se_sys_write fs/read_write.c:739 [inline]
[<ffffffff80b63dcc>] __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
[<ffffffff80072b1e>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff86242a5a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff86268776>] handle_exception+0x146/0x152 arch/riscv/kernel/entry.S:197
BUG: Bad page state in process syz.1.206  pfn:99bc5
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffffaf8019bc5dc0 pfn:0x99bc5
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ffffaf80115bc000 0000000000000000
raw: ffffaf8019bc5dc0 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 4545, tgid 4544 (syz.1.206), ts 1133521902800, free_ts 1131631556900
 __set_page_owner+0xa2/0x710 mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xea/0x1e2 mm/page_alloc.c:1551
 prep_new_page mm/page_alloc.c:1559 [inline]
 get_page_from_freelist+0xf78/0x2bd6 mm/page_alloc.c:3477
 __alloc_frozen_pages_noprof+0x1e8/0x20fc mm/page_alloc.c:4739
 __alloc_pages_noprof mm/page_alloc.c:4773 [inline]
 alloc_pages_bulk_noprof+0x580/0x10a8 mm/page_alloc.c:4693
 alloc_pages_bulk_node_noprof include/linux/gfp.h:235 [inline]
 __page_pool_alloc_pages_slow+0x18c/0xc4e net/core/page_pool.c:542
 page_pool_alloc_netmems net/core/page_pool.c:593 [inline]
 page_pool_alloc_netmems+0xc0/0x158 net/core/page_pool.c:580
 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline]
 page_pool_alloc include/net/page_pool/helpers.h:160 [inline]
 page_pool_dev_alloc include/net/page_pool/helpers.h:181 [inline]
 skb_pp_cow_data+0x8be/0xfe2 net/core/skbuff.c:983
 skb_cow_data_for_xdp+0x8a/0xbc net/core/skbuff.c:1017
 netif_skb_check_for_xdp net/core/dev.c:5191 [inline]
 netif_receive_generic_xdp net/core/dev.c:5230 [inline]
 do_xdp_generic+0x500/0xf14 net/core/dev.c:5298
 tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
 tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
 new_sync_write fs/read_write.c:586 [inline]
 vfs_write+0x56c/0xa9a fs/read_write.c:679
 ksys_write+0x126/0x226 fs/read_write.c:731
 __do_sys_write fs/read_write.c:742 [inline]
 __se_sys_write fs/read_write.c:739 [inline]
 __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
page last free pid 3793 tgid 3793 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_frozen_pages+0x96a/0x155c mm/page_alloc.c:2660
 __free_pages+0x13a/0x1ba mm/page_alloc.c:4838
 vfree+0x1ac/0xd1a mm/vmalloc.c:3383
 delayed_vfree_work+0x58/0x7a mm/vmalloc.c:3303
 process_one_work+0x96a/0x1f3a kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3317 [inline]
 worker_thread+0x5be/0xdc6 kernel/workqueue.c:3398
 kthread+0x37e/0x7b6 kernel/kthread.c:464
 ret_from_fork+0xe/0x18 arch/riscv/kernel/entry.S:327
Modules linked in:
CPU: 0 UID: 0 PID: 4545 Comm: syz.1.206 Tainted: G    B              6.14.0-rc1-syzkaller-g245aece3750d #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80074518>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:132
[<ffffffff80003206>] show_stack+0x30/0x3c arch/riscv/kernel/stacktrace.c:138
[<ffffffff8005fa4c>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff8005fa4c>] dump_stack_lvl+0x12e/0x1a6 lib/dump_stack.c:120
[<ffffffff8005fae0>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff80997d5c>] bad_page+0x266/0x2d8 mm/page_alloc.c:501
[<ffffffff809a627a>] free_page_is_bad_report mm/page_alloc.c:913 [inline]
[<ffffffff809a627a>] free_page_is_bad mm/page_alloc.c:923 [inline]
[<ffffffff809a627a>] free_pages_prepare mm/page_alloc.c:1119 [inline]
[<ffffffff809a627a>] free_frozen_pages+0xb82/0x155c mm/page_alloc.c:2660
[<ffffffff809b5256>] page_frag_free+0x336/0x382 mm/page_frag_cache.c:169
[<ffffffff8507e482>] __xdp_return+0x336/0xa02 net/core/xdp.c:447
[<ffffffff850583d2>] bpf_xdp_shrink_data net/core/filter.c:4155 [inline]
[<ffffffff850583d2>] bpf_xdp_frags_shrink_tail net/core/filter.c:4175 [inline]
[<ffffffff850583d2>] ____bpf_xdp_adjust_tail net/core/filter.c:4200 [inline]
[<ffffffff850583d2>] bpf_xdp_adjust_tail+0x9c8/0xf50 net/core/filter.c:4193
[<ffffffff78001c9c>] bpf_prog_f476d5219b92964a+0x28/0x36
[<ffffffff85027a4a>] bpf_dispatcher_xdp_func+0x22/0x32 net/core/filter.c:11701
[<ffffffff84f96e84>] __bpf_prog_run include/linux/filter.h:692 [inline]
[<ffffffff84f96e84>] bpf_prog_run_xdp include/net/xdp.h:654 [inline]
[<ffffffff84f96e84>] bpf_prog_run_generic_xdp+0xf66/0x166a net/core/dev.c:5123
[<ffffffff84f9824e>] netif_receive_generic_xdp net/core/dev.c:5236 [inline]
[<ffffffff84f9824e>] do_xdp_generic+0x7e2/0xf14 net/core/dev.c:5298
[<ffffffff831b71d4>] tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
[<ffffffff831bb756>] tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
[<ffffffff80b63350>] new_sync_write fs/read_write.c:586 [inline]
[<ffffffff80b63350>] vfs_write+0x56c/0xa9a fs/read_write.c:679
[<ffffffff80b63c5e>] ksys_write+0x126/0x226 fs/read_write.c:731
[<ffffffff80b63dcc>] __do_sys_write fs/read_write.c:742 [inline]
[<ffffffff80b63dcc>] __se_sys_write fs/read_write.c:739 [inline]
[<ffffffff80b63dcc>] __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
[<ffffffff80072b1e>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff86242a5a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff86268776>] handle_exception+0x146/0x152 arch/riscv/kernel/entry.S:197
BUG: Bad page state in process syz.1.206  pfn:9b6c6
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffffaf801b6c6000 pfn:0x9b6c6
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ffffaf80115bc000 0000000000000000
raw: ffffaf801b6c6000 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 4545, tgid 4544 (syz.1.206), ts 1133521723600, free_ts 1131631768000
 __set_page_owner+0xa2/0x710 mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xea/0x1e2 mm/page_alloc.c:1551
 prep_new_page mm/page_alloc.c:1559 [inline]
 get_page_from_freelist+0xf78/0x2bd6 mm/page_alloc.c:3477
 __alloc_frozen_pages_noprof+0x1e8/0x20fc mm/page_alloc.c:4739
 __alloc_pages_noprof mm/page_alloc.c:4773 [inline]
 alloc_pages_bulk_noprof+0x580/0x10a8 mm/page_alloc.c:4693
 alloc_pages_bulk_node_noprof include/linux/gfp.h:235 [inline]
 __page_pool_alloc_pages_slow+0x18c/0xc4e net/core/page_pool.c:542
 page_pool_alloc_netmems net/core/page_pool.c:593 [inline]
 page_pool_alloc_netmems+0xc0/0x158 net/core/page_pool.c:580
 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline]
 page_pool_alloc include/net/page_pool/helpers.h:160 [inline]
 page_pool_dev_alloc include/net/page_pool/helpers.h:181 [inline]
 skb_pp_cow_data+0x8be/0xfe2 net/core/skbuff.c:983
 skb_cow_data_for_xdp+0x8a/0xbc net/core/skbuff.c:1017
 netif_skb_check_for_xdp net/core/dev.c:5191 [inline]
 netif_receive_generic_xdp net/core/dev.c:5230 [inline]
 do_xdp_generic+0x500/0xf14 net/core/dev.c:5298
 tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
 tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
 new_sync_write fs/read_write.c:586 [inline]
 vfs_write+0x56c/0xa9a fs/read_write.c:679
 ksys_write+0x126/0x226 fs/read_write.c:731
 __do_sys_write fs/read_write.c:742 [inline]
 __se_sys_write fs/read_write.c:739 [inline]
 __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
page last free pid 3793 tgid 3793 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_frozen_pages+0x96a/0x155c mm/page_alloc.c:2660
 __free_pages+0x13a/0x1ba mm/page_alloc.c:4838
 vfree+0x1ac/0xd1a mm/vmalloc.c:3383
 delayed_vfree_work+0x58/0x7a mm/vmalloc.c:3303
 process_one_work+0x96a/0x1f3a kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3317 [inline]
 worker_thread+0x5be/0xdc6 kernel/workqueue.c:3398
 kthread+0x37e/0x7b6 kernel/kthread.c:464
 ret_from_fork+0xe/0x18 arch/riscv/kernel/entry.S:327
Modules linked in:
CPU: 0 UID: 0 PID: 4545 Comm: syz.1.206 Tainted: G    B              6.14.0-rc1-syzkaller-g245aece3750d #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80074518>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:132
[<ffffffff80003206>] show_stack+0x30/0x3c arch/riscv/kernel/stacktrace.c:138
[<ffffffff8005fa4c>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff8005fa4c>] dump_stack_lvl+0x12e/0x1a6 lib/dump_stack.c:120
[<ffffffff8005fae0>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff80997d5c>] bad_page+0x266/0x2d8 mm/page_alloc.c:501
[<ffffffff809a627a>] free_page_is_bad_report mm/page_alloc.c:913 [inline]
[<ffffffff809a627a>] free_page_is_bad mm/page_alloc.c:923 [inline]
[<ffffffff809a627a>] free_pages_prepare mm/page_alloc.c:1119 [inline]
[<ffffffff809a627a>] free_frozen_pages+0xb82/0x155c mm/page_alloc.c:2660
[<ffffffff809b5256>] page_frag_free+0x336/0x382 mm/page_frag_cache.c:169
[<ffffffff8507e482>] __xdp_return+0x336/0xa02 net/core/xdp.c:447
[<ffffffff850583d2>] bpf_xdp_shrink_data net/core/filter.c:4155 [inline]
[<ffffffff850583d2>] bpf_xdp_frags_shrink_tail net/core/filter.c:4175 [inline]
[<ffffffff850583d2>] ____bpf_xdp_adjust_tail net/core/filter.c:4200 [inline]
[<ffffffff850583d2>] bpf_xdp_adjust_tail+0x9c8/0xf50 net/core/filter.c:4193
[<ffffffff78001c9c>] bpf_prog_f476d5219b92964a+0x28/0x36
[<ffffffff85027a4a>] bpf_dispatcher_xdp_func+0x22/0x32 net/core/filter.c:11701
[<ffffffff84f96e84>] __bpf_prog_run include/linux/filter.h:692 [inline]
[<ffffffff84f96e84>] bpf_prog_run_xdp include/net/xdp.h:654 [inline]
[<ffffffff84f96e84>] bpf_prog_run_generic_xdp+0xf66/0x166a net/core/dev.c:5123
[<ffffffff84f9824e>] netif_receive_generic_xdp net/core/dev.c:5236 [inline]
[<ffffffff84f9824e>] do_xdp_generic+0x7e2/0xf14 net/core/dev.c:5298
[<ffffffff831b71d4>] tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
[<ffffffff831bb756>] tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
[<ffffffff80b63350>] new_sync_write fs/read_write.c:586 [inline]
[<ffffffff80b63350>] vfs_write+0x56c/0xa9a fs/read_write.c:679
[<ffffffff80b63c5e>] ksys_write+0x126/0x226 fs/read_write.c:731
[<ffffffff80b63dcc>] __do_sys_write fs/read_write.c:742 [inline]
[<ffffffff80b63dcc>] __se_sys_write fs/read_write.c:739 [inline]
[<ffffffff80b63dcc>] __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
[<ffffffff80072b1e>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff86242a5a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff86268776>] handle_exception+0x146/0x152 arch/riscv/kernel/entry.S:197
BUG: Bad page state in process syz.1.206  pfn:9b6c7
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffffaf801b6c7000 pfn:0x9b6c7
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ffffaf80115bc000 0000000000000000
raw: ffffaf801b6c7000 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 4545, tgid 4544 (syz.1.206), ts 1133521585000, free_ts 1131631992100
 __set_page_owner+0xa2/0x710 mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xea/0x1e2 mm/page_alloc.c:1551
 prep_new_page mm/page_alloc.c:1559 [inline]
 get_page_from_freelist+0xf78/0x2bd6 mm/page_alloc.c:3477
 __alloc_frozen_pages_noprof+0x1e8/0x20fc mm/page_alloc.c:4739
 __alloc_pages_noprof mm/page_alloc.c:4773 [inline]
 alloc_pages_bulk_noprof+0x580/0x10a8 mm/page_alloc.c:4693
 alloc_pages_bulk_node_noprof include/linux/gfp.h:235 [inline]
 __page_pool_alloc_pages_slow+0x18c/0xc4e net/core/page_pool.c:542
 page_pool_alloc_netmems net/core/page_pool.c:593 [inline]
 page_pool_alloc_netmems+0xc0/0x158 net/core/page_pool.c:580
 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline]
 page_pool_alloc include/net/page_pool/helpers.h:160 [inline]
 page_pool_dev_alloc include/net/page_pool/helpers.h:181 [inline]
 skb_pp_cow_data+0x8be/0xfe2 net/core/skbuff.c:983
 skb_cow_data_for_xdp+0x8a/0xbc net/core/skbuff.c:1017
 netif_skb_check_for_xdp net/core/dev.c:5191 [inline]
 netif_receive_generic_xdp net/core/dev.c:5230 [inline]
 do_xdp_generic+0x500/0xf14 net/core/dev.c:5298
 tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
 tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
 new_sync_write fs/read_write.c:586 [inline]
 vfs_write+0x56c/0xa9a fs/read_write.c:679
 ksys_write+0x126/0x226 fs/read_write.c:731
 __do_sys_write fs/read_write.c:742 [inline]
 __se_sys_write fs/read_write.c:739 [inline]
 __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
page last free pid 3793 tgid 3793 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_frozen_pages+0x96a/0x155c mm/page_alloc.c:2660
 __free_pages+0x13a/0x1ba mm/page_alloc.c:4838
 vfree+0x1ac/0xd1a mm/vmalloc.c:3383
 delayed_vfree_work+0x58/0x7a mm/vmalloc.c:3303
 process_one_work+0x96a/0x1f3a kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3317 [inline]
 worker_thread+0x5be/0xdc6 kernel/workqueue.c:3398
 kthread+0x37e/0x7b6 kernel/kthread.c:464
 ret_from_fork+0xe/0x18 arch/riscv/kernel/entry.S:327
Modules linked in:
CPU: 0 UID: 0 PID: 4545 Comm: syz.1.206 Tainted: G    B              6.14.0-rc1-syzkaller-g245aece3750d #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80074518>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:132
[<ffffffff80003206>] show_stack+0x30/0x3c arch/riscv/kernel/stacktrace.c:138
[<ffffffff8005fa4c>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff8005fa4c>] dump_stack_lvl+0x12e/0x1a6 lib/dump_stack.c:120
[<ffffffff8005fae0>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff80997d5c>] bad_page+0x266/0x2d8 mm/page_alloc.c:501
[<ffffffff809a627a>] free_page_is_bad_report mm/page_alloc.c:913 [inline]
[<ffffffff809a627a>] free_page_is_bad mm/page_alloc.c:923 [inline]
[<ffffffff809a627a>] free_pages_prepare mm/page_alloc.c:1119 [inline]
[<ffffffff809a627a>] free_frozen_pages+0xb82/0x155c mm/page_alloc.c:2660
[<ffffffff809b5256>] page_frag_free+0x336/0x382 mm/page_frag_cache.c:169
[<ffffffff8507e482>] __xdp_return+0x336/0xa02 net/core/xdp.c:447
[<ffffffff850583d2>] bpf_xdp_shrink_data net/core/filter.c:4155 [inline]
[<ffffffff850583d2>] bpf_xdp_frags_shrink_tail net/core/filter.c:4175 [inline]
[<ffffffff850583d2>] ____bpf_xdp_adjust_tail net/core/filter.c:4200 [inline]
[<ffffffff850583d2>] bpf_xdp_adjust_tail+0x9c8/0xf50 net/core/filter.c:4193
[<ffffffff78001c9c>] bpf_prog_f476d5219b92964a+0x28/0x36
[<ffffffff85027a4a>] bpf_dispatcher_xdp_func+0x22/0x32 net/core/filter.c:11701
[<ffffffff84f96e84>] __bpf_prog_run include/linux/filter.h:692 [inline]
[<ffffffff84f96e84>] bpf_prog_run_xdp include/net/xdp.h:654 [inline]
[<ffffffff84f96e84>] bpf_prog_run_generic_xdp+0xf66/0x166a net/core/dev.c:5123
[<ffffffff84f9824e>] netif_receive_generic_xdp net/core/dev.c:5236 [inline]
[<ffffffff84f9824e>] do_xdp_generic+0x7e2/0xf14 net/core/dev.c:5298
[<ffffffff831b71d4>] tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
[<ffffffff831bb756>] tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
[<ffffffff80b63350>] new_sync_write fs/read_write.c:586 [inline]
[<ffffffff80b63350>] vfs_write+0x56c/0xa9a fs/read_write.c:679
[<ffffffff80b63c5e>] ksys_write+0x126/0x226 fs/read_write.c:731
[<ffffffff80b63dcc>] __do_sys_write fs/read_write.c:742 [inline]
[<ffffffff80b63dcc>] __se_sys_write fs/read_write.c:739 [inline]
[<ffffffff80b63dcc>] __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
[<ffffffff80072b1e>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff86242a5a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff86268776>] handle_exception+0x146/0x152 arch/riscv/kernel/entry.S:197
BUG: Bad page state in process syz.1.206  pfn:b0934
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xb0934
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ffffaf80115bc000 0000000000000000
raw: 0000000000000000 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 4545, tgid 4544 (syz.1.206), ts 1133521453400, free_ts 1131632215200
 __set_page_owner+0xa2/0x710 mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xea/0x1e2 mm/page_alloc.c:1551
 prep_new_page mm/page_alloc.c:1559 [inline]
 get_page_from_freelist+0xf78/0x2bd6 mm/page_alloc.c:3477
 __alloc_frozen_pages_noprof+0x1e8/0x20fc mm/page_alloc.c:4739
 __alloc_pages_noprof mm/page_alloc.c:4773 [inline]
 alloc_pages_bulk_noprof+0x580/0x10a8 mm/page_alloc.c:4693
 alloc_pages_bulk_node_noprof include/linux/gfp.h:235 [inline]
 __page_pool_alloc_pages_slow+0x18c/0xc4e net/core/page_pool.c:542
 page_pool_alloc_netmems net/core/page_pool.c:593 [inline]
 page_pool_alloc_netmems+0xc0/0x158 net/core/page_pool.c:580
 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline]
 page_pool_alloc include/net/page_pool/helpers.h:160 [inline]
 page_pool_dev_alloc include/net/page_pool/helpers.h:181 [inline]
 skb_pp_cow_data+0x8be/0xfe2 net/core/skbuff.c:983
 skb_cow_data_for_xdp+0x8a/0xbc net/core/skbuff.c:1017
 netif_skb_check_for_xdp net/core/dev.c:5191 [inline]
 netif_receive_generic_xdp net/core/dev.c:5230 [inline]
 do_xdp_generic+0x500/0xf14 net/core/dev.c:5298
 tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
 tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
 new_sync_write fs/read_write.c:586 [inline]
 vfs_write+0x56c/0xa9a fs/read_write.c:679
 ksys_write+0x126/0x226 fs/read_write.c:731
 __do_sys_write fs/read_write.c:742 [inline]
 __se_sys_write fs/read_write.c:739 [inline]
 __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
page last free pid 3793 tgid 3793 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_frozen_pages+0x96a/0x155c mm/page_alloc.c:2660
 __free_pages+0x13a/0x1ba mm/page_alloc.c:4838
 vfree+0x1ac/0xd1a mm/vmalloc.c:3383
 delayed_vfree_work+0x58/0x7a mm/vmalloc.c:3303
 process_one_work+0x96a/0x1f3a kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3317 [inline]
 worker_thread+0x5be/0xdc6 kernel/workqueue.c:3398
 kthread+0x37e/0x7b6 kernel/kthread.c:464
 ret_from_fork+0xe/0x18 arch/riscv/kernel/entry.S:327
Modules linked in:
CPU: 0 UID: 0 PID: 4545 Comm: syz.1.206 Tainted: G    B              6.14.0-rc1-syzkaller-g245aece3750d #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80074518>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:132
[<ffffffff80003206>] show_stack+0x30/0x3c arch/riscv/kernel/stacktrace.c:138
[<ffffffff8005fa4c>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff8005fa4c>] dump_stack_lvl+0x12e/0x1a6 lib/dump_stack.c:120
[<ffffffff8005fae0>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff80997d5c>] bad_page+0x266/0x2d8 mm/page_alloc.c:501
[<ffffffff809a627a>] free_page_is_bad_report mm/page_alloc.c:913 [inline]
[<ffffffff809a627a>] free_page_is_bad mm/page_alloc.c:923 [inline]
[<ffffffff809a627a>] free_pages_prepare mm/page_alloc.c:1119 [inline]
[<ffffffff809a627a>] free_frozen_pages+0xb82/0x155c mm/page_alloc.c:2660
[<ffffffff809b5256>] page_frag_free+0x336/0x382 mm/page_frag_cache.c:169
[<ffffffff8507e482>] __xdp_return+0x336/0xa02 net/core/xdp.c:447
[<ffffffff850583d2>] bpf_xdp_shrink_data net/core/filter.c:4155 [inline]
[<ffffffff850583d2>] bpf_xdp_frags_shrink_tail net/core/filter.c:4175 [inline]
[<ffffffff850583d2>] ____bpf_xdp_adjust_tail net/core/filter.c:4200 [inline]
[<ffffffff850583d2>] bpf_xdp_adjust_tail+0x9c8/0xf50 net/core/filter.c:4193
[<ffffffff78001c9c>] bpf_prog_f476d5219b92964a+0x28/0x36
[<ffffffff85027a4a>] bpf_dispatcher_xdp_func+0x22/0x32 net/core/filter.c:11701
[<ffffffff84f96e84>] __bpf_prog_run include/linux/filter.h:692 [inline]
[<ffffffff84f96e84>] bpf_prog_run_xdp include/net/xdp.h:654 [inline]
[<ffffffff84f96e84>] bpf_prog_run_generic_xdp+0xf66/0x166a net/core/dev.c:5123
[<ffffffff84f9824e>] netif_receive_generic_xdp net/core/dev.c:5236 [inline]
[<ffffffff84f9824e>] do_xdp_generic+0x7e2/0xf14 net/core/dev.c:5298
[<ffffffff831b71d4>] tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
[<ffffffff831bb756>] tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
[<ffffffff80b63350>] new_sync_write fs/read_write.c:586 [inline]
[<ffffffff80b63350>] vfs_write+0x56c/0xa9a fs/read_write.c:679
[<ffffffff80b63c5e>] ksys_write+0x126/0x226 fs/read_write.c:731
[<ffffffff80b63dcc>] __do_sys_write fs/read_write.c:742 [inline]
[<ffffffff80b63dcc>] __se_sys_write fs/read_write.c:739 [inline]
[<ffffffff80b63dcc>] __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
[<ffffffff80072b1e>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff86242a5a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff86268776>] handle_exception+0x146/0x152 arch/riscv/kernel/entry.S:197
BUG: Bad page state in process syz.1.206  pfn:99893
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffffaf8019893dc0 pfn:0x99893
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ffffaf80115bc000 0000000000000000
raw: ffffaf8019893dc0 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 4545, tgid 4544 (syz.1.206), ts 1133521318800, free_ts 1131651965500
 __set_page_owner+0xa2/0x710 mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xea/0x1e2 mm/page_alloc.c:1551
 prep_new_page mm/page_alloc.c:1559 [inline]
 get_page_from_freelist+0xf78/0x2bd6 mm/page_alloc.c:3477
 __alloc_frozen_pages_noprof+0x1e8/0x20fc mm/page_alloc.c:4739
 __alloc_pages_noprof mm/page_alloc.c:4773 [inline]
 alloc_pages_bulk_noprof+0x580/0x10a8 mm/page_alloc.c:4693
 alloc_pages_bulk_node_noprof include/linux/gfp.h:235 [inline]
 __page_pool_alloc_pages_slow+0x18c/0xc4e net/core/page_pool.c:542
 page_pool_alloc_netmems net/core/page_pool.c:593 [inline]
 page_pool_alloc_netmems+0xc0/0x158 net/core/page_pool.c:580
 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline]
 page_pool_alloc include/net/page_pool/helpers.h:160 [inline]
 page_pool_dev_alloc include/net/page_pool/helpers.h:181 [inline]
 skb_pp_cow_data+0x8be/0xfe2 net/core/skbuff.c:983
 skb_cow_data_for_xdp+0x8a/0xbc net/core/skbuff.c:1017
 netif_skb_check_for_xdp net/core/dev.c:5191 [inline]
 netif_receive_generic_xdp net/core/dev.c:5230 [inline]
 do_xdp_generic+0x500/0xf14 net/core/dev.c:5298
 tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
 tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
 new_sync_write fs/read_write.c:586 [inline]
 vfs_write+0x56c/0xa9a fs/read_write.c:679
 ksys_write+0x126/0x226 fs/read_write.c:731
 __do_sys_write fs/read_write.c:742 [inline]
 __se_sys_write fs/read_write.c:739 [inline]
 __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
page last free pid 3793 tgid 3793 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_frozen_pages+0x96a/0x155c mm/page_alloc.c:2660
 __free_pages+0x13a/0x1ba mm/page_alloc.c:4838
 vfree+0x1ac/0xd1a mm/vmalloc.c:3383
 delayed_vfree_work+0x58/0x7a mm/vmalloc.c:3303
 process_one_work+0x96a/0x1f3a kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3317 [inline]
 worker_thread+0x5be/0xdc6 kernel/workqueue.c:3398
 kthread+0x37e/0x7b6 kernel/kthread.c:464
 ret_from_fork+0xe/0x18 arch/riscv/kernel/entry.S:327
Modules linked in:
CPU: 0 UID: 0 PID: 4545 Comm: syz.1.206 Tainted: G    B              6.14.0-rc1-syzkaller-g245aece3750d #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80074518>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:132
[<ffffffff80003206>] show_stack+0x30/0x3c arch/riscv/kernel/stacktrace.c:138
[<ffffffff8005fa4c>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff8005fa4c>] dump_stack_lvl+0x12e/0x1a6 lib/dump_stack.c:120
[<ffffffff8005fae0>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff80997d5c>] bad_page+0x266/0x2d8 mm/page_alloc.c:501
[<ffffffff809a627a>] free_page_is_bad_report mm/page_alloc.c:913 [inline]
[<ffffffff809a627a>] free_page_is_bad mm/page_alloc.c:923 [inline]
[<ffffffff809a627a>] free_pages_prepare mm/page_alloc.c:1119 [inline]
[<ffffffff809a627a>] free_frozen_pages+0xb82/0x155c mm/page_alloc.c:2660
[<ffffffff809b5256>] page_frag_free+0x336/0x382 mm/page_frag_cache.c:169
[<ffffffff8507e482>] __xdp_return+0x336/0xa02 net/core/xdp.c:447
[<ffffffff850583d2>] bpf_xdp_shrink_data net/core/filter.c:4155 [inline]
[<ffffffff850583d2>] bpf_xdp_frags_shrink_tail net/core/filter.c:4175 [inline]
[<ffffffff850583d2>] ____bpf_xdp_adjust_tail net/core/filter.c:4200 [inline]
[<ffffffff850583d2>] bpf_xdp_adjust_tail+0x9c8/0xf50 net/core/filter.c:4193
[<ffffffff78001c9c>] bpf_prog_f476d5219b92964a+0x28/0x36
[<ffffffff85027a4a>] bpf_dispatcher_xdp_func+0x22/0x32 net/core/filter.c:11701
[<ffffffff84f96e84>] __bpf_prog_run include/linux/filter.h:692 [inline]
[<ffffffff84f96e84>] bpf_prog_run_xdp include/net/xdp.h:654 [inline]
[<ffffffff84f96e84>] bpf_prog_run_generic_xdp+0xf66/0x166a net/core/dev.c:5123
[<ffffffff84f9824e>] netif_receive_generic_xdp net/core/dev.c:5236 [inline]
[<ffffffff84f9824e>] do_xdp_generic+0x7e2/0xf14 net/core/dev.c:5298
[<ffffffff831b71d4>] tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
[<ffffffff831bb756>] tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
[<ffffffff80b63350>] new_sync_write fs/read_write.c:586 [inline]
[<ffffffff80b63350>] vfs_write+0x56c/0xa9a fs/read_write.c:679
[<ffffffff80b63c5e>] ksys_write+0x126/0x226 fs/read_write.c:731
[<ffffffff80b63dcc>] __do_sys_write fs/read_write.c:742 [inline]
[<ffffffff80b63dcc>] __se_sys_write fs/read_write.c:739 [inline]
[<ffffffff80b63dcc>] __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
[<ffffffff80072b1e>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff86242a5a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff86268776>] handle_exception+0x146/0x152 arch/riscv/kernel/entry.S:197
BUG: Bad page state in process syz.1.206  pfn:ae915
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffffaf8000000000 pfn:0xae915
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ffffaf80115bc000 0000000000000000
raw: ffffaf8000000000 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 4545, tgid 4544 (syz.1.206), ts 1133521170500, free_ts 1131652272500
 __set_page_owner+0xa2/0x710 mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xea/0x1e2 mm/page_alloc.c:1551
 prep_new_page mm/page_alloc.c:1559 [inline]
 get_page_from_freelist+0xf78/0x2bd6 mm/page_alloc.c:3477
 __alloc_frozen_pages_noprof+0x1e8/0x20fc mm/page_alloc.c:4739
 __alloc_pages_noprof mm/page_alloc.c:4773 [inline]
 alloc_pages_bulk_noprof+0x580/0x10a8 mm/page_alloc.c:4693
 alloc_pages_bulk_node_noprof include/linux/gfp.h:235 [inline]
 __page_pool_alloc_pages_slow+0x18c/0xc4e net/core/page_pool.c:542
 page_pool_alloc_netmems net/core/page_pool.c:593 [inline]
 page_pool_alloc_netmems+0xc0/0x158 net/core/page_pool.c:580
 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline]
 page_pool_alloc include/net/page_pool/helpers.h:160 [inline]
 page_pool_dev_alloc include/net/page_pool/helpers.h:181 [inline]
 skb_pp_cow_data+0x8be/0xfe2 net/core/skbuff.c:983
 skb_cow_data_for_xdp+0x8a/0xbc net/core/skbuff.c:1017
 netif_skb_check_for_xdp net/core/dev.c:5191 [inline]
 netif_receive_generic_xdp net/core/dev.c:5230 [inline]
 do_xdp_generic+0x500/0xf14 net/core/dev.c:5298
 tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
 tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
 new_sync_write fs/read_write.c:586 [inline]
 vfs_write+0x56c/0xa9a fs/read_write.c:679
 ksys_write+0x126/0x226 fs/read_write.c:731
 __do_sys_write fs/read_write.c:742 [inline]
 __se_sys_write fs/read_write.c:739 [inline]
 __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
page last free pid 3793 tgid 3793 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_frozen_pages+0x96a/0x155c mm/page_alloc.c:2660
 __free_pages+0x13a/0x1ba mm/page_alloc.c:4838
 vfree+0x1ac/0xd1a mm/vmalloc.c:3383
 delayed_vfree_work+0x58/0x7a mm/vmalloc.c:3303
 process_one_work+0x96a/0x1f3a kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3317 [inline]
 worker_thread+0x5be/0xdc6 kernel/workqueue.c:3398
 kthread+0x37e/0x7b6 kernel/kthread.c:464
 ret_from_fork+0xe/0x18 arch/riscv/kernel/entry.S:327
Modules linked in:
CPU: 0 UID: 0 PID: 4545 Comm: syz.1.206 Tainted: G    B              6.14.0-rc1-syzkaller-g245aece3750d #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80074518>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:132
[<ffffffff80003206>] show_stack+0x30/0x3c arch/riscv/kernel/stacktrace.c:138
[<ffffffff8005fa4c>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff8005fa4c>] dump_stack_lvl+0x12e/0x1a6 lib/dump_stack.c:120
[<ffffffff8005fae0>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff80997d5c>] bad_page+0x266/0x2d8 mm/page_alloc.c:501
[<ffffffff809a627a>] free_page_is_bad_report mm/page_alloc.c:913 [inline]
[<ffffffff809a627a>] free_page_is_bad mm/page_alloc.c:923 [inline]
[<ffffffff809a627a>] free_pages_prepare mm/page_alloc.c:1119 [inline]
[<ffffffff809a627a>] free_frozen_pages+0xb82/0x155c mm/page_alloc.c:2660
[<ffffffff809b5256>] page_frag_free+0x336/0x382 mm/page_frag_cache.c:169
[<ffffffff8507e482>] __xdp_return+0x336/0xa02 net/core/xdp.c:447
[<ffffffff850583d2>] bpf_xdp_shrink_data net/core/filter.c:4155 [inline]
[<ffffffff850583d2>] bpf_xdp_frags_shrink_tail net/core/filter.c:4175 [inline]
[<ffffffff850583d2>] ____bpf_xdp_adjust_tail net/core/filter.c:4200 [inline]
[<ffffffff850583d2>] bpf_xdp_adjust_tail+0x9c8/0xf50 net/core/filter.c:4193
[<ffffffff78001c9c>] bpf_prog_f476d5219b92964a+0x28/0x36
[<ffffffff85027a4a>] bpf_dispatcher_xdp_func+0x22/0x32 net/core/filter.c:11701
[<ffffffff84f96e84>] __bpf_prog_run include/linux/filter.h:692 [inline]
[<ffffffff84f96e84>] bpf_prog_run_xdp include/net/xdp.h:654 [inline]
[<ffffffff84f96e84>] bpf_prog_run_generic_xdp+0xf66/0x166a net/core/dev.c:5123
[<ffffffff84f9824e>] netif_receive_generic_xdp net/core/dev.c:5236 [inline]
[<ffffffff84f9824e>] do_xdp_generic+0x7e2/0xf14 net/core/dev.c:5298
[<ffffffff831b71d4>] tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
[<ffffffff831bb756>] tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
[<ffffffff80b63350>] new_sync_write fs/read_write.c:586 [inline]
[<ffffffff80b63350>] vfs_write+0x56c/0xa9a fs/read_write.c:679
[<ffffffff80b63c5e>] ksys_write+0x126/0x226 fs/read_write.c:731
[<ffffffff80b63dcc>] __do_sys_write fs/read_write.c:742 [inline]
[<ffffffff80b63dcc>] __se_sys_write fs/read_write.c:739 [inline]
[<ffffffff80b63dcc>] __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
[<ffffffff80072b1e>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff86242a5a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff86268776>] handle_exception+0x146/0x152 arch/riscv/kernel/entry.S:197
BUG: Bad page state in process syz.1.206  pfn:af9bd
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffffaf802f9bd3c0 pfn:0xaf9bd
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ffffaf80115bc000 0000000000000000
raw: ffffaf802f9bd3c0 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 4545, tgid 4544 (syz.1.206), ts 1133521036300, free_ts 1131652484100
 __set_page_owner+0xa2/0x710 mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xea/0x1e2 mm/page_alloc.c:1551
 prep_new_page mm/page_alloc.c:1559 [inline]
 get_page_from_freelist+0xf78/0x2bd6 mm/page_alloc.c:3477
 __alloc_frozen_pages_noprof+0x1e8/0x20fc mm/page_alloc.c:4739
 __alloc_pages_noprof mm/page_alloc.c:4773 [inline]
 alloc_pages_bulk_noprof+0x580/0x10a8 mm/page_alloc.c:4693
 alloc_pages_bulk_node_noprof include/linux/gfp.h:235 [inline]
 __page_pool_alloc_pages_slow+0x18c/0xc4e net/core/page_pool.c:542
 page_pool_alloc_netmems net/core/page_pool.c:593 [inline]
 page_pool_alloc_netmems+0xc0/0x158 net/core/page_pool.c:580
 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline]
 page_pool_alloc include/net/page_pool/helpers.h:160 [inline]
 page_pool_dev_alloc include/net/page_pool/helpers.h:181 [inline]
 skb_pp_cow_data+0x8be/0xfe2 net/core/skbuff.c:983
 skb_cow_data_for_xdp+0x8a/0xbc net/core/skbuff.c:1017
 netif_skb_check_for_xdp net/core/dev.c:5191 [inline]
 netif_receive_generic_xdp net/core/dev.c:5230 [inline]
 do_xdp_generic+0x500/0xf14 net/core/dev.c:5298
 tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
 tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
 new_sync_write fs/read_write.c:586 [inline]
 vfs_write+0x56c/0xa9a fs/read_write.c:679
 ksys_write+0x126/0x226 fs/read_write.c:731
 __do_sys_write fs/read_write.c:742 [inline]
 __se_sys_write fs/read_write.c:739 [inline]
 __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
page last free pid 3793 tgid 3793 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_frozen_pages+0x96a/0x155c mm/page_alloc.c:2660
 __free_pages+0x13a/0x1ba mm/page_alloc.c:4838
 vfree+0x1ac/0xd1a mm/vmalloc.c:3383
 delayed_vfree_work+0x58/0x7a mm/vmalloc.c:3303
 process_one_work+0x96a/0x1f3a kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3317 [inline]
 worker_thread+0x5be/0xdc6 kernel/workqueue.c:3398
 kthread+0x37e/0x7b6 kernel/kthread.c:464
 ret_from_fork+0xe/0x18 arch/riscv/kernel/entry.S:327
Modules linked in:
CPU: 0 UID: 0 PID: 4545 Comm: syz.1.206 Tainted: G    B              6.14.0-rc1-syzkaller-g245aece3750d #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80074518>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:132
[<ffffffff80003206>] show_stack+0x30/0x3c arch/riscv/kernel/stacktrace.c:138
[<ffffffff8005fa4c>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff8005fa4c>] dump_stack_lvl+0x12e/0x1a6 lib/dump_stack.c:120
[<ffffffff8005fae0>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff80997d5c>] bad_page+0x266/0x2d8 mm/page_alloc.c:501
[<ffffffff809a627a>] free_page_is_bad_report mm/page_alloc.c:913 [inline]
[<ffffffff809a627a>] free_page_is_bad mm/page_alloc.c:923 [inline]
[<ffffffff809a627a>] free_pages_prepare mm/page_alloc.c:1119 [inline]
[<ffffffff809a627a>] free_frozen_pages+0xb82/0x155c mm/page_alloc.c:2660
[<ffffffff809b5256>] page_frag_free+0x336/0x382 mm/page_frag_cache.c:169
[<ffffffff8507e482>] __xdp_return+0x336/0xa02 net/core/xdp.c:447
[<ffffffff850583d2>] bpf_xdp_shrink_data net/core/filter.c:4155 [inline]
[<ffffffff850583d2>] bpf_xdp_frags_shrink_tail net/core/filter.c:4175 [inline]
[<ffffffff850583d2>] ____bpf_xdp_adjust_tail net/core/filter.c:4200 [inline]
[<ffffffff850583d2>] bpf_xdp_adjust_tail+0x9c8/0xf50 net/core/filter.c:4193
[<ffffffff78001c9c>] bpf_prog_f476d5219b92964a+0x28/0x36
[<ffffffff85027a4a>] bpf_dispatcher_xdp_func+0x22/0x32 net/core/filter.c:11701
[<ffffffff84f96e84>] __bpf_prog_run include/linux/filter.h:692 [inline]
[<ffffffff84f96e84>] bpf_prog_run_xdp include/net/xdp.h:654 [inline]
[<ffffffff84f96e84>] bpf_prog_run_generic_xdp+0xf66/0x166a net/core/dev.c:5123
[<ffffffff84f9824e>] netif_receive_generic_xdp net/core/dev.c:5236 [inline]
[<ffffffff84f9824e>] do_xdp_generic+0x7e2/0xf14 net/core/dev.c:5298
[<ffffffff831b71d4>] tun_get_user+0x1e26/0x41f4 drivers/net/tun.c:1933
[<ffffffff831bb756>] tun_chr_write_iter+0xc4/0x1e2 drivers/net/tun.c:2057
[<ffffffff80b63350>] new_sync_write fs/read_write.c:586 [inline]
[<ffffffff80b63350>] vfs_write+0x56c/0xa9a fs/read_write.c:679
[<ffffffff80b63c5e>] ksys_write+0x126/0x226 fs/read_write.c:731
[<ffffffff80b63dcc>] __do_sys_write fs/read_write.c:742 [inline]
[<ffffffff80b63dcc>] __se_sys_write fs/read_write.c:739 [inline]
[<ffffffff80b63dcc>] __riscv_sys_write+0x6e/0x94 fs/read_write.c:739
[<ffffffff80072b1e>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff86242a5a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff86268776>] handle_exception+0x146/0x152 arch/riscv/kernel/entry.S:197