Extracting prog: 1m56.750847344s
Minimizing prog: 21m6.57273877s
Simplifying prog options: 0s
Extracting C: 28.780969788s
Simplifying C: 6m12.805434728s


extracting reproducer from 1 programs
testing a last program of every proc
single: executing 1 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-mmap-madvise-openat$sndtimer-migrate_pages-openat$binderfs-openat$rtc-ioctl$RTC_PIE_OFF-socket$nl_route-socket$rds-bind$rds-sendmsg$rds
detailed listing:
executing program 0:
r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0xa4242, 0x0)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r0, 0x0)
madvise(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0xe)
openat$sndtimer(0xffffffffffffff9c, 0x0, 0x0)
migrate_pages(0x0, 0x5, 0x0, 0x0)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs/binder1\x00', 0x0, 0x0)
r1 = openat$rtc(0xffffffffffffff9c, 0x0, 0x0, 0x0)
ioctl$RTC_PIE_OFF(r1, 0x7006)
socket$nl_route(0x10, 0x3, 0x0)
r2 = socket$rds(0x15, 0x5, 0x0)
bind$rds(r2, &(0x7f0000000840)={0x2, 0x0, @loopback}, 0x10)
sendmsg$rds(r2, &(0x7f00000004c0)={&(0x7f0000000740)={0x2, 0x0, @remote}, 0x10, 0x0, 0x0, &(0x7f00000005c0)=[@mask_cswp={0x58, 0x114, 0x9, {{0x4, 0x4}, &(0x7f0000000440)=0x4a78, 0x0, 0x7ff, 0x9, 0x81, 0x2, 0x4, 0x8001}}, @mask_fadd={0x58, 0x114, 0x8, {{0x0, 0x6}, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0xf9}}], 0xb0}, 0x0)

program crashed: BUG: Bad page state in page_cache_ra_order
single: successfully extracted reproducer
found reproducer with 12 syscalls
minimizing guilty program
testing program (duration=45.895873786s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-mmap-madvise-openat$sndtimer-migrate_pages-openat$binderfs-openat$rtc-ioctl$RTC_PIE_OFF-socket$nl_route-socket$rds-bind$rds
detailed listing:
executing program 0:
r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0xa4242, 0x0)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r0, 0x0)
madvise(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0xe)
openat$sndtimer(0xffffffffffffff9c, 0x0, 0x0)
migrate_pages(0x0, 0x5, 0x0, 0x0)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs/binder1\x00', 0x0, 0x0)
r1 = openat$rtc(0xffffffffffffff9c, 0x0, 0x0, 0x0)
ioctl$RTC_PIE_OFF(r1, 0x7006)
socket$nl_route(0x10, 0x3, 0x0)
r2 = socket$rds(0x15, 0x5, 0x0)
bind$rds(r2, &(0x7f0000000840)={0x2, 0x0, @loopback}, 0x10)

program did not crash
testing program (duration=45.895873786s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-mmap-madvise-openat$sndtimer-migrate_pages-openat$binderfs-openat$rtc-ioctl$RTC_PIE_OFF-socket$nl_route-socket$rds-sendmsg$rds
detailed listing:
executing program 0:
r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0xa4242, 0x0)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r0, 0x0)
madvise(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0xe)
openat$sndtimer(0xffffffffffffff9c, 0x0, 0x0)
migrate_pages(0x0, 0x5, 0x0, 0x0)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs/binder1\x00', 0x0, 0x0)
r1 = openat$rtc(0xffffffffffffff9c, 0x0, 0x0, 0x0)
ioctl$RTC_PIE_OFF(r1, 0x7006)
socket$nl_route(0x10, 0x3, 0x0)
r2 = socket$rds(0x15, 0x5, 0x0)
sendmsg$rds(r2, &(0x7f00000004c0)={&(0x7f0000000740)={0x2, 0x0, @remote}, 0x10, 0x0, 0x0, &(0x7f00000005c0)=[@mask_cswp={0x58, 0x114, 0x9, {{0x4, 0x4}, &(0x7f0000000440)=0x4a78, 0x0, 0x7ff, 0x9, 0x81, 0x2, 0x4, 0x8001}}, @mask_fadd={0x58, 0x114, 0x8, {{0x0, 0x6}, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0xf9}}], 0xb0}, 0x0)

program did not crash
testing program (duration=45.895873786s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-mmap-madvise-openat$sndtimer-migrate_pages-openat$binderfs-openat$rtc-ioctl$RTC_PIE_OFF-socket$nl_route-bind$rds-sendmsg$rds
detailed listing:
executing program 0:
r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0xa4242, 0x0)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r0, 0x0)
madvise(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0xe)
openat$sndtimer(0xffffffffffffff9c, 0x0, 0x0)
migrate_pages(0x0, 0x5, 0x0, 0x0)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs/binder1\x00', 0x0, 0x0)
r1 = openat$rtc(0xffffffffffffff9c, 0x0, 0x0, 0x0)
ioctl$RTC_PIE_OFF(r1, 0x7006)
socket$nl_route(0x10, 0x3, 0x0)
bind$rds(0xffffffffffffffff, &(0x7f0000000840)={0x2, 0x0, @loopback}, 0x10)
sendmsg$rds(0xffffffffffffffff, &(0x7f00000004c0)={&(0x7f0000000740)={0x2, 0x0, @remote}, 0x10, 0x0, 0x0, &(0x7f00000005c0)=[@mask_cswp={0x58, 0x114, 0x9, {{0x4, 0x4}, &(0x7f0000000440)=0x4a78, 0x0, 0x7ff, 0x9, 0x81, 0x2, 0x4, 0x8001}}, @mask_fadd={0x58, 0x114, 0x8, {{0x0, 0x6}, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0xf9}}], 0xb0}, 0x0)

program did not crash
testing program (duration=45.895873786s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-mmap-madvise-openat$sndtimer-migrate_pages-openat$binderfs-openat$rtc-ioctl$RTC_PIE_OFF-socket$rds-bind$rds-sendmsg$rds
detailed listing:
executing program 0:
r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0xa4242, 0x0)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r0, 0x0)
madvise(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0xe)
openat$sndtimer(0xffffffffffffff9c, 0x0, 0x0)
migrate_pages(0x0, 0x5, 0x0, 0x0)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs/binder1\x00', 0x0, 0x0)
r1 = openat$rtc(0xffffffffffffff9c, 0x0, 0x0, 0x0)
ioctl$RTC_PIE_OFF(r1, 0x7006)
r2 = socket$rds(0x15, 0x5, 0x0)
bind$rds(r2, &(0x7f0000000840)={0x2, 0x0, @loopback}, 0x10)
sendmsg$rds(r2, &(0x7f00000004c0)={&(0x7f0000000740)={0x2, 0x0, @remote}, 0x10, 0x0, 0x0, &(0x7f00000005c0)=[@mask_cswp={0x58, 0x114, 0x9, {{0x4, 0x4}, &(0x7f0000000440)=0x4a78, 0x0, 0x7ff, 0x9, 0x81, 0x2, 0x4, 0x8001}}, @mask_fadd={0x58, 0x114, 0x8, {{0x0, 0x6}, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0xf9}}], 0xb0}, 0x0)

program crashed: BUG: Bad page state in page_cache_ra_order
testing program (duration=45.895873786s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-mmap-madvise-openat$sndtimer-migrate_pages-openat$binderfs-openat$rtc-socket$rds-bind$rds-sendmsg$rds
detailed listing:
executing program 0:
r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0xa4242, 0x0)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r0, 0x0)
madvise(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0xe)
openat$sndtimer(0xffffffffffffff9c, 0x0, 0x0)
migrate_pages(0x0, 0x5, 0x0, 0x0)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs/binder1\x00', 0x0, 0x0)
openat$rtc(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r1 = socket$rds(0x15, 0x5, 0x0)
bind$rds(r1, &(0x7f0000000840)={0x2, 0x0, @loopback}, 0x10)
sendmsg$rds(r1, &(0x7f00000004c0)={&(0x7f0000000740)={0x2, 0x0, @remote}, 0x10, 0x0, 0x0, &(0x7f00000005c0)=[@mask_cswp={0x58, 0x114, 0x9, {{0x4, 0x4}, &(0x7f0000000440)=0x4a78, 0x0, 0x7ff, 0x9, 0x81, 0x2, 0x4, 0x8001}}, @mask_fadd={0x58, 0x114, 0x8, {{0x0, 0x6}, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0xf9}}], 0xb0}, 0x0)

program crashed: BUG: Bad page state in page_cache_ra_order
testing program (duration=45.895873786s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-mmap-madvise-openat$sndtimer-migrate_pages-openat$binderfs-socket$rds-bind$rds-sendmsg$rds
detailed listing:
executing program 0:
r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0xa4242, 0x0)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r0, 0x0)
madvise(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0xe)
openat$sndtimer(0xffffffffffffff9c, 0x0, 0x0)
migrate_pages(0x0, 0x5, 0x0, 0x0)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs/binder1\x00', 0x0, 0x0)
r1 = socket$rds(0x15, 0x5, 0x0)
bind$rds(r1, &(0x7f0000000840)={0x2, 0x0, @loopback}, 0x10)
sendmsg$rds(r1, &(0x7f00000004c0)={&(0x7f0000000740)={0x2, 0x0, @remote}, 0x10, 0x0, 0x0, &(0x7f00000005c0)=[@mask_cswp={0x58, 0x114, 0x9, {{0x4, 0x4}, &(0x7f0000000440)=0x4a78, 0x0, 0x7ff, 0x9, 0x81, 0x2, 0x4, 0x8001}}, @mask_fadd={0x58, 0x114, 0x8, {{0x0, 0x6}, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0xf9}}], 0xb0}, 0x0)

program crashed: BUG: Bad page state in page_cache_ra_order
testing program (duration=45.895873786s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-mmap-madvise-openat$sndtimer-migrate_pages-socket$rds-bind$rds-sendmsg$rds
detailed listing:
executing program 0:
r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0xa4242, 0x0)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r0, 0x0)
madvise(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0xe)
openat$sndtimer(0xffffffffffffff9c, 0x0, 0x0)
migrate_pages(0x0, 0x5, 0x0, 0x0)
r1 = socket$rds(0x15, 0x5, 0x0)
bind$rds(r1, &(0x7f0000000840)={0x2, 0x0, @loopback}, 0x10)
sendmsg$rds(r1, &(0x7f00000004c0)={&(0x7f0000000740)={0x2, 0x0, @remote}, 0x10, 0x0, 0x0, &(0x7f00000005c0)=[@mask_cswp={0x58, 0x114, 0x9, {{0x4, 0x4}, &(0x7f0000000440)=0x4a78, 0x0, 0x7ff, 0x9, 0x81, 0x2, 0x4, 0x8001}}, @mask_fadd={0x58, 0x114, 0x8, {{0x0, 0x6}, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0xf9}}], 0xb0}, 0x0)

program did not crash
testing program (duration=45.895873786s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-mmap-madvise-openat$sndtimer-openat$binderfs-socket$rds-bind$rds-sendmsg$rds
detailed listing:
executing program 0:
r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0xa4242, 0x0)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r0, 0x0)
madvise(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0xe)
openat$sndtimer(0xffffffffffffff9c, 0x0, 0x0)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs/binder1\x00', 0x0, 0x0)
r1 = socket$rds(0x15, 0x5, 0x0)
bind$rds(r1, &(0x7f0000000840)={0x2, 0x0, @loopback}, 0x10)
sendmsg$rds(r1, &(0x7f00000004c0)={&(0x7f0000000740)={0x2, 0x0, @remote}, 0x10, 0x0, 0x0, &(0x7f00000005c0)=[@mask_cswp={0x58, 0x114, 0x9, {{0x4, 0x4}, &(0x7f0000000440)=0x4a78, 0x0, 0x7ff, 0x9, 0x81, 0x2, 0x4, 0x8001}}, @mask_fadd={0x58, 0x114, 0x8, {{0x0, 0x6}, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0xf9}}], 0xb0}, 0x0)

program crashed: BUG: Bad page state in page_cache_ra_order
testing program (duration=45.895873786s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-mmap-madvise-openat$binderfs-socket$rds-bind$rds-sendmsg$rds
detailed listing:
executing program 0:
r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0xa4242, 0x0)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r0, 0x0)
madvise(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0xe)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs/binder1\x00', 0x0, 0x0)
r1 = socket$rds(0x15, 0x5, 0x0)
bind$rds(r1, &(0x7f0000000840)={0x2, 0x0, @loopback}, 0x10)
sendmsg$rds(r1, &(0x7f00000004c0)={&(0x7f0000000740)={0x2, 0x0, @remote}, 0x10, 0x0, 0x0, &(0x7f00000005c0)=[@mask_cswp={0x58, 0x114, 0x9, {{0x4, 0x4}, &(0x7f0000000440)=0x4a78, 0x0, 0x7ff, 0x9, 0x81, 0x2, 0x4, 0x8001}}, @mask_fadd={0x58, 0x114, 0x8, {{0x0, 0x6}, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0xf9}}], 0xb0}, 0x0)

program crashed: BUG: Bad page state in page_cache_ra_order
testing program (duration=45.895873786s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-mmap-openat$binderfs-socket$rds-bind$rds-sendmsg$rds
detailed listing:
executing program 0:
r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0xa4242, 0x0)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r0, 0x0)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs/binder1\x00', 0x0, 0x0)
r1 = socket$rds(0x15, 0x5, 0x0)
bind$rds(r1, &(0x7f0000000840)={0x2, 0x0, @loopback}, 0x10)
sendmsg$rds(r1, &(0x7f00000004c0)={&(0x7f0000000740)={0x2, 0x0, @remote}, 0x10, 0x0, 0x0, &(0x7f00000005c0)=[@mask_cswp={0x58, 0x114, 0x9, {{0x4, 0x4}, &(0x7f0000000440)=0x4a78, 0x0, 0x7ff, 0x9, 0x81, 0x2, 0x4, 0x8001}}, @mask_fadd={0x58, 0x114, 0x8, {{0x0, 0x6}, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0xf9}}], 0xb0}, 0x0)

program did not crash
testing program (duration=45.895873786s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-madvise-openat$binderfs-socket$rds-bind$rds-sendmsg$rds
detailed listing:
executing program 0:
openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0xa4242, 0x0)
madvise(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0xe)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs/binder1\x00', 0x0, 0x0)
r0 = socket$rds(0x15, 0x5, 0x0)
bind$rds(r0, &(0x7f0000000840)={0x2, 0x0, @loopback}, 0x10)
sendmsg$rds(r0, &(0x7f00000004c0)={&(0x7f0000000740)={0x2, 0x0, @remote}, 0x10, 0x0, 0x0, &(0x7f00000005c0)=[@mask_cswp={0x58, 0x114, 0x9, {{0x4, 0x4}, &(0x7f0000000440)=0x4a78, 0x0, 0x7ff, 0x9, 0x81, 0x2, 0x4, 0x8001}}, @mask_fadd={0x58, 0x114, 0x8, {{0x0, 0x6}, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0xf9}}], 0xb0}, 0x0)

program did not crash
testing program (duration=45.895873786s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap-madvise-openat$binderfs-socket$rds-bind$rds-sendmsg$rds
detailed listing:
executing program 0:
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, 0xffffffffffffffff, 0x0)
madvise(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0xe)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs/binder1\x00', 0x0, 0x0)
r0 = socket$rds(0x15, 0x5, 0x0)
bind$rds(r0, &(0x7f0000000840)={0x2, 0x0, @loopback}, 0x10)
sendmsg$rds(r0, &(0x7f00000004c0)={&(0x7f0000000740)={0x2, 0x0, @remote}, 0x10, 0x0, 0x0, &(0x7f00000005c0)=[@mask_cswp={0x58, 0x114, 0x9, {{0x4, 0x4}, &(0x7f0000000440)=0x4a78, 0x0, 0x7ff, 0x9, 0x81, 0x2, 0x4, 0x8001}}, @mask_fadd={0x58, 0x114, 0x8, {{0x0, 0x6}, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0xf9}}], 0xb0}, 0x0)

program did not crash
testing program (duration=45.895873786s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-mmap-madvise-openat$binderfs-socket$rds-bind$rds-sendmsg$rds
detailed listing:
executing program 0:
r0 = openat$nullb(0xffffffffffffff9c, 0x0, 0xa4242, 0x0)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r0, 0x0)
madvise(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0xe)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs/binder1\x00', 0x0, 0x0)
r1 = socket$rds(0x15, 0x5, 0x0)
bind$rds(r1, &(0x7f0000000840)={0x2, 0x0, @loopback}, 0x10)
sendmsg$rds(r1, &(0x7f00000004c0)={&(0x7f0000000740)={0x2, 0x0, @remote}, 0x10, 0x0, 0x0, &(0x7f00000005c0)=[@mask_cswp={0x58, 0x114, 0x9, {{0x4, 0x4}, &(0x7f0000000440)=0x4a78, 0x0, 0x7ff, 0x9, 0x81, 0x2, 0x4, 0x8001}}, @mask_fadd={0x58, 0x114, 0x8, {{0x0, 0x6}, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0xf9}}], 0xb0}, 0x0)

program did not crash
testing program (duration=45.895873786s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-mmap-madvise-openat$binderfs-socket$rds-bind$rds-sendmsg$rds
detailed listing:
executing program 0:
r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0xa4242, 0x0)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r0, 0x0)
madvise(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0xe)
openat$binderfs(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r1 = socket$rds(0x15, 0x5, 0x0)
bind$rds(r1, &(0x7f0000000840)={0x2, 0x0, @loopback}, 0x10)
sendmsg$rds(r1, &(0x7f00000004c0)={&(0x7f0000000740)={0x2, 0x0, @remote}, 0x10, 0x0, 0x0, &(0x7f00000005c0)=[@mask_cswp={0x58, 0x114, 0x9, {{0x4, 0x4}, &(0x7f0000000440)=0x4a78, 0x0, 0x7ff, 0x9, 0x81, 0x2, 0x4, 0x8001}}, @mask_fadd={0x58, 0x114, 0x8, {{0x0, 0x6}, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0xf9}}], 0xb0}, 0x0)

program crashed: BUG: Bad page state in page_cache_ra_order
testing program (duration=45.895873786s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-mmap-madvise-openat$binderfs-socket$rds-bind$rds-sendmsg$rds
detailed listing:
executing program 0:
r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0xa4242, 0x0)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r0, 0x0)
madvise(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0xe)
openat$binderfs(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r1 = socket$rds(0x15, 0x5, 0x0)
bind$rds(r1, 0x0, 0x0)
sendmsg$rds(r1, &(0x7f00000004c0)={&(0x7f0000000740)={0x2, 0x0, @remote}, 0x10, 0x0, 0x0, &(0x7f00000005c0)=[@mask_cswp={0x58, 0x114, 0x9, {{0x4, 0x4}, &(0x7f0000000440)=0x4a78, 0x0, 0x7ff, 0x9, 0x81, 0x2, 0x4, 0x8001}}, @mask_fadd={0x58, 0x114, 0x8, {{0x0, 0x6}, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0xf9}}], 0xb0}, 0x0)

program did not crash
testing program (duration=45.895873786s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-mmap-madvise-openat$binderfs-socket$rds-bind$rds-sendmsg$rds
detailed listing:
executing program 0:
r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0xa4242, 0x0)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r0, 0x0)
madvise(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0xe)
openat$binderfs(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r1 = socket$rds(0x15, 0x5, 0x0)
bind$rds(r1, &(0x7f0000000840)={0x2, 0x0, @loopback}, 0x10)
sendmsg$rds(r1, 0x0, 0x0)

program did not crash
testing program (duration=45.895873786s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-mmap-madvise-openat$binderfs-socket$rds-bind$rds-sendmsg$rds
detailed listing:
executing program 0:
r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0xa4242, 0x0)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r0, 0x0)
madvise(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0xe)
openat$binderfs(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r1 = socket$rds(0x15, 0x5, 0x0)
bind$rds(r1, &(0x7f0000000840)={0x2, 0x0, @loopback}, 0x10)
sendmsg$rds(r1, &(0x7f00000004c0)={0x0, 0x0, 0x0, 0x0, &(0x7f00000005c0)=[@mask_cswp={0x58, 0x114, 0x9, {{0x4, 0x4}, &(0x7f0000000440)=0x4a78, 0x0, 0x7ff, 0x9, 0x81, 0x2, 0x4, 0x8001}}, @mask_fadd={0x58, 0x114, 0x8, {{0x0, 0x6}, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0xf9}}], 0xb0}, 0x0)

program did not crash
testing program (duration=45.895873786s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-mmap-madvise-openat$binderfs-socket$rds-bind$rds-sendmsg$rds
detailed listing:
executing program 0:
r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0xa4242, 0x0)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r0, 0x0)
madvise(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0xe)
openat$binderfs(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r1 = socket$rds(0x15, 0x5, 0x0)
bind$rds(r1, &(0x7f0000000840)={0x2, 0x0, @loopback}, 0x10)
sendmsg$rds(r1, &(0x7f00000004c0)={&(0x7f0000000740)={0x2, 0x0, @remote}, 0x10, 0x0}, 0x0)

program did not crash
testing program (duration=45.895873786s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-mmap-madvise-openat$binderfs-socket$rds-bind$rds-sendmsg$rds
detailed listing:
executing program 0:
r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0xa4242, 0x0)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r0, 0x0)
madvise(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0xe)
openat$binderfs(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r1 = socket$rds(0x15, 0x5, 0x0)
bind$rds(r1, &(0x7f0000000840)={0x2, 0x0, @loopback}, 0x10)
sendmsg$rds(r1, &(0x7f00000004c0)={&(0x7f0000000740)={0x2, 0x0, @remote}, 0x10, 0x0, 0x0, &(0x7f00000005c0)=[@mask_cswp={0x58, 0x114, 0x9, {{0x4, 0x4}, 0x0, 0x0, 0x7ff, 0x9, 0x81, 0x2, 0x4, 0x8001}}, @mask_fadd={0x58, 0x114, 0x8, {{0x0, 0x6}, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0xf9}}], 0xb0}, 0x0)

program did not crash
extracting C reproducer
testing compiled C program (duration=45.895873786s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-mmap-madvise-openat$binderfs-socket$rds-bind$rds-sendmsg$rds
program crashed: BUG: Bad page state in page_cache_ra_order
simplifying C reproducer
testing compiled C program (duration=45.895873786s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-mmap-madvise-openat$binderfs-socket$rds-bind$rds-sendmsg$rds
program crashed: BUG: Bad page state in page_cache_ra_order
testing compiled C program (duration=45.895873786s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-mmap-madvise-openat$binderfs-socket$rds-bind$rds-sendmsg$rds
program crashed: BUG: Bad page state in page_cache_ra_order
testing compiled C program (duration=45.895873786s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-mmap-madvise-openat$binderfs-socket$rds-bind$rds-sendmsg$rds
program crashed: BUG: Bad page state in page_cache_ra_order
testing compiled C program (duration=45.895873786s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-mmap-madvise-openat$binderfs-socket$rds-bind$rds-sendmsg$rds
program crashed: BUG: Bad page state in page_cache_ra_order
testing compiled C program (duration=45.895873786s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-mmap-madvise-openat$binderfs-socket$rds-bind$rds-sendmsg$rds
program crashed: BUG: Bad page state in page_cache_ra_order
testing compiled C program (duration=45.895873786s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-mmap-madvise-openat$binderfs-socket$rds-bind$rds-sendmsg$rds
program crashed: BUG: Bad page state in page_cache_ra_order
testing compiled C program (duration=45.895873786s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-mmap-madvise-openat$binderfs-socket$rds-bind$rds-sendmsg$rds
program crashed: BUG: Bad page state in page_cache_ra_order
testing program (duration=45.895873786s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-mmap-madvise-openat$binderfs-socket$rds-bind$rds-sendmsg$rds
detailed listing:
executing program 0:
r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0xa4242, 0x0)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r0, 0x0)
madvise(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0xe)
openat$binderfs(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r1 = socket$rds(0x15, 0x5, 0x0)
bind$rds(r1, &(0x7f0000000840)={0x2, 0x0, @loopback}, 0x10)
sendmsg$rds(r1, &(0x7f00000004c0)={&(0x7f0000000740)={0x2, 0x0, @remote}, 0x10, 0x0, 0x0, &(0x7f00000005c0)=[@mask_cswp={0x58, 0x114, 0x9, {{0x4, 0x4}, &(0x7f0000000440)=0x4a78, 0x0, 0x7ff, 0x9, 0x81, 0x2, 0x4, 0x8001}}, @mask_fadd={0x58, 0x114, 0x8, {{0x0, 0x6}, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0xf9}}], 0xb0}, 0x0)

program crashed: BUG: Bad page state in page_cache_ra_order
validation run: crashed=true
testing program (duration=45.895873786s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-mmap-madvise-openat$binderfs-socket$rds-bind$rds-sendmsg$rds
detailed listing:
executing program 0:
r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0xa4242, 0x0)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r0, 0x0)
madvise(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0xe)
openat$binderfs(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r1 = socket$rds(0x15, 0x5, 0x0)
bind$rds(r1, &(0x7f0000000840)={0x2, 0x0, @loopback}, 0x10)
sendmsg$rds(r1, &(0x7f00000004c0)={&(0x7f0000000740)={0x2, 0x0, @remote}, 0x10, 0x0, 0x0, &(0x7f00000005c0)=[@mask_cswp={0x58, 0x114, 0x9, {{0x4, 0x4}, &(0x7f0000000440)=0x4a78, 0x0, 0x7ff, 0x9, 0x81, 0x2, 0x4, 0x8001}}, @mask_fadd={0x58, 0x114, 0x8, {{0x0, 0x6}, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0xf9}}], 0xb0}, 0x0)

program crashed: BUG: Bad page state in page_cache_ra_order
validation run: crashed=true
testing program (duration=45.895873786s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-mmap-madvise-openat$binderfs-socket$rds-bind$rds-sendmsg$rds
detailed listing:
executing program 0:
r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0xa4242, 0x0)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000007, 0x38011, r0, 0x0)
madvise(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0xe)
openat$binderfs(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r1 = socket$rds(0x15, 0x5, 0x0)
bind$rds(r1, &(0x7f0000000840)={0x2, 0x0, @loopback}, 0x10)
sendmsg$rds(r1, &(0x7f00000004c0)={&(0x7f0000000740)={0x2, 0x0, @remote}, 0x10, 0x0, 0x0, &(0x7f00000005c0)=[@mask_cswp={0x58, 0x114, 0x9, {{0x4, 0x4}, &(0x7f0000000440)=0x4a78, 0x0, 0x7ff, 0x9, 0x81, 0x2, 0x4, 0x8001}}, @mask_fadd={0x58, 0x114, 0x8, {{0x0, 0x6}, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0xf9}}], 0xb0}, 0x0)

program crashed: BUG: Bad page state in page_cache_ra_order
validation run: crashed=true
reproducing took 32m9.991597309s
repro crashed as (corrupted=false):
BUG: Bad page state in process syz.0.17  pfn:5b001
page does not match folio
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffffffffffffffff pfn:0x5b001
ksm flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 0000000000000000 00000000ffffffff ffffffffffffffff
raw: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: nonzero pincount
page_owner tracks the page as allocated
page last allocated via order 9, migratetype Unmovable, gfp_mask 0x152c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 6048, tgid 6048 (syz.0.17), ts 70488575324, free_ts 64998339669
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851
 prep_new_page mm/page_alloc.c:1859 [inline]
 get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
 alloc_frozen_pages_noprof mm/mempolicy.c:2487 [inline]
 alloc_pages_noprof+0xa9/0x190 mm/mempolicy.c:2507
 folio_alloc_noprof+0x1e/0x30 mm/mempolicy.c:2517
 filemap_alloc_folio_noprof+0xdf/0x470 mm/filemap.c:1007
 ractl_alloc_folio mm/readahead.c:186 [inline]
 ra_alloc_folio mm/readahead.c:441 [inline]
 page_cache_ra_order+0x4de/0xd40 mm/readahead.c:506
 do_sync_mmap_readahead+0x25e/0x7a0 mm/filemap.c:-1
 filemap_fault+0x6b9/0x12b0 mm/filemap.c:3458
 __do_fault+0x138/0x390 mm/memory.c:5280
 do_shared_fault mm/memory.c:5767 [inline]
 do_fault mm/memory.c:5841 [inline]
 do_pte_missing mm/memory.c:4362 [inline]
 handle_pte_fault mm/memory.c:6182 [inline]
 __handle_mm_fault+0x1847/0x5400 mm/memory.c:6323
 handle_mm_fault+0x40a/0x8e0 mm/memory.c:6492
 do_user_addr_fault+0xa81/0x1390 arch/x86/mm/fault.c:1336
 handle_page_fault arch/x86/mm/fault.c:1476 [inline]
 exc_page_fault+0x82/0x100 arch/x86/mm/fault.c:1532
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
page last free pid 5921 tgid 5921 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1395 [inline]
 __free_frozen_pages+0xbc4/0xd30 mm/page_alloc.c:2895
 vfree+0x25a/0x400 mm/vmalloc.c:3434
 kcov_put kernel/kcov.c:439 [inline]
 kcov_close+0x28/0x50 kernel/kcov.c:535
 __fput+0x449/0xa70 fs/file_table.c:468
 task_work_run+0x1d4/0x260 kernel/task_work.c:227
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0x6b5/0x2300 kernel/exit.c:961
 do_group_exit+0x21c/0x2d0 kernel/exit.c:1102
 get_signal+0x1286/0x1340 kernel/signal.c:3034
 arch_do_signal_or_restart+0x9a/0x750 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop+0x75/0x130 kernel/entry/common.c:40
 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
 syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
 do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Modules linked in:
CPU: 1 UID: 0 PID: 6048 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 bad_page+0x180/0x1c0 mm/page_alloc.c:650
 free_tail_page_prepare+0x2c3/0x4f0 mm/page_alloc.c:-1
 free_pages_prepare mm/page_alloc.c:1368 [inline]
 __free_frozen_pages+0x7b7/0xd30 mm/page_alloc.c:2895
 __folio_put+0x21b/0x2c0 mm/swap.c:112
 delete_from_page_cache_batch+0x84c/0x9b0 mm/filemap.c:339
 truncate_inode_pages_range+0x28a/0xda0 mm/truncate.c:380
 kill_bdev block/bdev.c:91 [inline]
 blkdev_flush_mapping+0x108/0x270 block/bdev.c:712
 blkdev_put_whole block/bdev.c:719 [inline]
 bdev_release+0x417/0x650 block/bdev.c:1144
 blkdev_release+0x15/0x20 block/fops.c:699
 __fput+0x449/0xa70 fs/file_table.c:468
 task_work_run+0x1d4/0x260 kernel/task_work.c:227
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0x6b5/0x2300 kernel/exit.c:961
 do_group_exit+0x21c/0x2d0 kernel/exit.c:1102
 __do_sys_exit_group kernel/exit.c:1113 [inline]
 __se_sys_exit_group kernel/exit.c:1111 [inline]
 __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1111
 x64_sys_call+0x21f7/0x2200 arch/x86/include/generated/asm/syscalls_64.h:232
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6bed18ebe9
Code: Unable to access opcode bytes at 0x7f6bed18ebbf.
RSP: 002b:00007ffef7f4a788 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f6bed18ebe9
RDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000003 R08: 00000007f7f4a87f R09: 00007f6bed381280
R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f6bed381280 R14: 0000000000000003 R15: 00007ffef7f4a840
 </TASK>
BUG: Bad page state in process syz.0.17  pfn:5b000
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5b000
head: order:0 mapcount:0 entire_mapcount:1 nr_pages_mapped:0 pincount:0
flags: 0xfff0000000004d(locked|referenced|uptodate|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff0000000004d dead000000000100 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
head: 00fff0000000004d dead000000000100 dead000000000122 0000000000000000
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
head: 00fff00000000000 0000000000000000 00000000ffffffff 0000000000000000
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
page_owner tracks the page as allocated
page last allocated via order 9, migratetype Unmovable, gfp_mask 0x152c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 6048, tgid 6048 (syz.0.17), ts 70488575324, free_ts 64998335504
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851
 prep_new_page mm/page_alloc.c:1859 [inline]
 get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
 alloc_frozen_pages_noprof mm/mempolicy.c:2487 [inline]
 alloc_pages_noprof+0xa9/0x190 mm/mempolicy.c:2507
 folio_alloc_noprof+0x1e/0x30 mm/mempolicy.c:2517
 filemap_alloc_folio_noprof+0xdf/0x470 mm/filemap.c:1007
 ractl_alloc_folio mm/readahead.c:186 [inline]
 ra_alloc_folio mm/readahead.c:441 [inline]
 page_cache_ra_order+0x4de/0xd40 mm/readahead.c:506
 do_sync_mmap_readahead+0x25e/0x7a0 mm/filemap.c:-1
 filemap_fault+0x6b9/0x12b0 mm/filemap.c:3458
 __do_fault+0x138/0x390 mm/memory.c:5280
 do_shared_fault mm/memory.c:5767 [inline]
 do_fault mm/memory.c:5841 [inline]
 do_pte_missing mm/memory.c:4362 [inline]
 handle_pte_fault mm/memory.c:6182 [inline]
 __handle_mm_fault+0x1847/0x5400 mm/memory.c:6323
 handle_mm_fault+0x40a/0x8e0 mm/memory.c:6492
 do_user_addr_fault+0xa81/0x1390 arch/x86/mm/fault.c:1336
 handle_page_fault arch/x86/mm/fault.c:1476 [inline]
 exc_page_fault+0x82/0x100 arch/x86/mm/fault.c:1532
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
page last free pid 5921 tgid 5921 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1395 [inline]
 __free_frozen_pages+0xbc4/0xd30 mm/page_alloc.c:2895
 vfree+0x25a/0x400 mm/vmalloc.c:3434
 kcov_put kernel/kcov.c:439 [inline]
 kcov_close+0x28/0x50 kernel/kcov.c:535
 __fput+0x449/0xa70 fs/file_table.c:468
 task_work_run+0x1d4/0x260 kernel/task_work.c:227
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0x6b5/0x2300 kernel/exit.c:961
 do_group_exit+0x21c/0x2d0 kernel/exit.c:1102
 get_signal+0x1286/0x1340 kernel/signal.c:3034
 arch_do_signal_or_restart+0x9a/0x750 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop+0x75/0x130 kernel/entry/common.c:40
 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
 syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
 do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Modules linked in:
CPU: 1 UID: 0 PID: 6048 Comm: syz.0.17 Tainted: G    B               syzkaller #0 PREEMPT(full) 
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 bad_page+0x180/0x1c0 mm/page_alloc.c:650
 free_page_is_bad mm/page_alloc.c:1083 [inline]
 free_pages_prepare mm/page_alloc.c:1387 [inline]
 __free_frozen_pages+0xce2/0xd30 mm/page_alloc.c:2895
 __folio_put+0x21b/0x2c0 mm/swap.c:112
 delete_from_page_cache_batch+0x84c/0x9b0 mm/filemap.c:339
 truncate_inode_pages_range+0x28a/0xda0 mm/truncate.c:380
 kill_bdev block/bdev.c:91 [inline]
 blkdev_flush_mapping+0x108/0x270 block/bdev.c:712
 blkdev_put_whole block/bdev.c:719 [inline]
 bdev_release+0x417/0x650 block/bdev.c:1144
 blkdev_release+0x15/0x20 block/fops.c:699
 __fput+0x449/0xa70 fs/file_table.c:468
 task_work_run+0x1d4/0x260 kernel/task_work.c:227
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0x6b5/0x2300 kernel/exit.c:961
 do_group_exit+0x21c/0x2d0 kernel/exit.c:1102
 __do_sys_exit_group kernel/exit.c:1113 [inline]
 __se_sys_exit_group kernel/exit.c:1111 [inline]
 __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1111
 x64_sys_call+0x21f7/0x2200 arch/x86/include/generated/asm/syscalls_64.h:232
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6bed18ebe9
Code: Unable to access opcode bytes at 0x7f6bed18ebbf.
RSP: 002b:00007ffef7f4a788 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f6bed18ebe9
RDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000003 R08: 00000007f7f4a87f R09: 00007f6bed381280
R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f6bed381280 R14: 0000000000000003 R15: 00007ffef7f4a840
 </TASK>

final repro crashed as (corrupted=false):
BUG: Bad page state in process syz.0.17  pfn:5b001
page does not match folio
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffffffffffffffff pfn:0x5b001
ksm flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 0000000000000000 00000000ffffffff ffffffffffffffff
raw: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: nonzero pincount
page_owner tracks the page as allocated
page last allocated via order 9, migratetype Unmovable, gfp_mask 0x152c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 6048, tgid 6048 (syz.0.17), ts 70488575324, free_ts 64998339669
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851
 prep_new_page mm/page_alloc.c:1859 [inline]
 get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
 alloc_frozen_pages_noprof mm/mempolicy.c:2487 [inline]
 alloc_pages_noprof+0xa9/0x190 mm/mempolicy.c:2507
 folio_alloc_noprof+0x1e/0x30 mm/mempolicy.c:2517
 filemap_alloc_folio_noprof+0xdf/0x470 mm/filemap.c:1007
 ractl_alloc_folio mm/readahead.c:186 [inline]
 ra_alloc_folio mm/readahead.c:441 [inline]
 page_cache_ra_order+0x4de/0xd40 mm/readahead.c:506
 do_sync_mmap_readahead+0x25e/0x7a0 mm/filemap.c:-1
 filemap_fault+0x6b9/0x12b0 mm/filemap.c:3458
 __do_fault+0x138/0x390 mm/memory.c:5280
 do_shared_fault mm/memory.c:5767 [inline]
 do_fault mm/memory.c:5841 [inline]
 do_pte_missing mm/memory.c:4362 [inline]
 handle_pte_fault mm/memory.c:6182 [inline]
 __handle_mm_fault+0x1847/0x5400 mm/memory.c:6323
 handle_mm_fault+0x40a/0x8e0 mm/memory.c:6492
 do_user_addr_fault+0xa81/0x1390 arch/x86/mm/fault.c:1336
 handle_page_fault arch/x86/mm/fault.c:1476 [inline]
 exc_page_fault+0x82/0x100 arch/x86/mm/fault.c:1532
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
page last free pid 5921 tgid 5921 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1395 [inline]
 __free_frozen_pages+0xbc4/0xd30 mm/page_alloc.c:2895
 vfree+0x25a/0x400 mm/vmalloc.c:3434
 kcov_put kernel/kcov.c:439 [inline]
 kcov_close+0x28/0x50 kernel/kcov.c:535
 __fput+0x449/0xa70 fs/file_table.c:468
 task_work_run+0x1d4/0x260 kernel/task_work.c:227
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0x6b5/0x2300 kernel/exit.c:961
 do_group_exit+0x21c/0x2d0 kernel/exit.c:1102
 get_signal+0x1286/0x1340 kernel/signal.c:3034
 arch_do_signal_or_restart+0x9a/0x750 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop+0x75/0x130 kernel/entry/common.c:40
 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
 syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
 do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Modules linked in:
CPU: 1 UID: 0 PID: 6048 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 bad_page+0x180/0x1c0 mm/page_alloc.c:650
 free_tail_page_prepare+0x2c3/0x4f0 mm/page_alloc.c:-1
 free_pages_prepare mm/page_alloc.c:1368 [inline]
 __free_frozen_pages+0x7b7/0xd30 mm/page_alloc.c:2895
 __folio_put+0x21b/0x2c0 mm/swap.c:112
 delete_from_page_cache_batch+0x84c/0x9b0 mm/filemap.c:339
 truncate_inode_pages_range+0x28a/0xda0 mm/truncate.c:380
 kill_bdev block/bdev.c:91 [inline]
 blkdev_flush_mapping+0x108/0x270 block/bdev.c:712
 blkdev_put_whole block/bdev.c:719 [inline]
 bdev_release+0x417/0x650 block/bdev.c:1144
 blkdev_release+0x15/0x20 block/fops.c:699
 __fput+0x449/0xa70 fs/file_table.c:468
 task_work_run+0x1d4/0x260 kernel/task_work.c:227
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0x6b5/0x2300 kernel/exit.c:961
 do_group_exit+0x21c/0x2d0 kernel/exit.c:1102
 __do_sys_exit_group kernel/exit.c:1113 [inline]
 __se_sys_exit_group kernel/exit.c:1111 [inline]
 __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1111
 x64_sys_call+0x21f7/0x2200 arch/x86/include/generated/asm/syscalls_64.h:232
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6bed18ebe9
Code: Unable to access opcode bytes at 0x7f6bed18ebbf.
RSP: 002b:00007ffef7f4a788 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f6bed18ebe9
RDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000003 R08: 00000007f7f4a87f R09: 00007f6bed381280
R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f6bed381280 R14: 0000000000000003 R15: 00007ffef7f4a840
 </TASK>
BUG: Bad page state in process syz.0.17  pfn:5b000
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5b000
head: order:0 mapcount:0 entire_mapcount:1 nr_pages_mapped:0 pincount:0
flags: 0xfff0000000004d(locked|referenced|uptodate|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff0000000004d dead000000000100 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
head: 00fff0000000004d dead000000000100 dead000000000122 0000000000000000
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
head: 00fff00000000000 0000000000000000 00000000ffffffff 0000000000000000
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
page_owner tracks the page as allocated
page last allocated via order 9, migratetype Unmovable, gfp_mask 0x152c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 6048, tgid 6048 (syz.0.17), ts 70488575324, free_ts 64998335504
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851
 prep_new_page mm/page_alloc.c:1859 [inline]
 get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
 alloc_frozen_pages_noprof mm/mempolicy.c:2487 [inline]
 alloc_pages_noprof+0xa9/0x190 mm/mempolicy.c:2507
 folio_alloc_noprof+0x1e/0x30 mm/mempolicy.c:2517
 filemap_alloc_folio_noprof+0xdf/0x470 mm/filemap.c:1007
 ractl_alloc_folio mm/readahead.c:186 [inline]
 ra_alloc_folio mm/readahead.c:441 [inline]
 page_cache_ra_order+0x4de/0xd40 mm/readahead.c:506
 do_sync_mmap_readahead+0x25e/0x7a0 mm/filemap.c:-1
 filemap_fault+0x6b9/0x12b0 mm/filemap.c:3458
 __do_fault+0x138/0x390 mm/memory.c:5280
 do_shared_fault mm/memory.c:5767 [inline]
 do_fault mm/memory.c:5841 [inline]
 do_pte_missing mm/memory.c:4362 [inline]
 handle_pte_fault mm/memory.c:6182 [inline]
 __handle_mm_fault+0x1847/0x5400 mm/memory.c:6323
 handle_mm_fault+0x40a/0x8e0 mm/memory.c:6492
 do_user_addr_fault+0xa81/0x1390 arch/x86/mm/fault.c:1336
 handle_page_fault arch/x86/mm/fault.c:1476 [inline]
 exc_page_fault+0x82/0x100 arch/x86/mm/fault.c:1532
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
page last free pid 5921 tgid 5921 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1395 [inline]
 __free_frozen_pages+0xbc4/0xd30 mm/page_alloc.c:2895
 vfree+0x25a/0x400 mm/vmalloc.c:3434
 kcov_put kernel/kcov.c:439 [inline]
 kcov_close+0x28/0x50 kernel/kcov.c:535
 __fput+0x449/0xa70 fs/file_table.c:468
 task_work_run+0x1d4/0x260 kernel/task_work.c:227
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0x6b5/0x2300 kernel/exit.c:961
 do_group_exit+0x21c/0x2d0 kernel/exit.c:1102
 get_signal+0x1286/0x1340 kernel/signal.c:3034
 arch_do_signal_or_restart+0x9a/0x750 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop+0x75/0x130 kernel/entry/common.c:40
 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
 syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
 do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Modules linked in:
CPU: 1 UID: 0 PID: 6048 Comm: syz.0.17 Tainted: G    B               syzkaller #0 PREEMPT(full) 
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 bad_page+0x180/0x1c0 mm/page_alloc.c:650
 free_page_is_bad mm/page_alloc.c:1083 [inline]
 free_pages_prepare mm/page_alloc.c:1387 [inline]
 __free_frozen_pages+0xce2/0xd30 mm/page_alloc.c:2895
 __folio_put+0x21b/0x2c0 mm/swap.c:112
 delete_from_page_cache_batch+0x84c/0x9b0 mm/filemap.c:339
 truncate_inode_pages_range+0x28a/0xda0 mm/truncate.c:380
 kill_bdev block/bdev.c:91 [inline]
 blkdev_flush_mapping+0x108/0x270 block/bdev.c:712
 blkdev_put_whole block/bdev.c:719 [inline]
 bdev_release+0x417/0x650 block/bdev.c:1144
 blkdev_release+0x15/0x20 block/fops.c:699
 __fput+0x449/0xa70 fs/file_table.c:468
 task_work_run+0x1d4/0x260 kernel/task_work.c:227
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0x6b5/0x2300 kernel/exit.c:961
 do_group_exit+0x21c/0x2d0 kernel/exit.c:1102
 __do_sys_exit_group kernel/exit.c:1113 [inline]
 __se_sys_exit_group kernel/exit.c:1111 [inline]
 __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1111
 x64_sys_call+0x21f7/0x2200 arch/x86/include/generated/asm/syscalls_64.h:232
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6bed18ebe9
Code: Unable to access opcode bytes at 0x7f6bed18ebbf.
RSP: 002b:00007ffef7f4a788 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f6bed18ebe9
RDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000003 R08: 00000007f7f4a87f R09: 00007f6bed381280
R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f6bed381280 R14: 0000000000000003 R15: 00007ffef7f4a840
 </TASK>