[moderation] [mm?] BUG: Bad page state in __set_page_owner
4 views
Skip to first unread message
syzbot
Nov 14, 2024, 4:57:21 AM11/14/24
to syzkaller-upst...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 5f153a692bac Merge commit 'bf40167d54d5' into fixes
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes
console output: https://syzkaller.appspot.com/x/log.txt?x=15cc9ea7980000
kernel config: https://syzkaller.appspot.com/x/.config?x=e9590f0cf8cf5dd
dashboard link: https://syzkaller.appspot.com/bug?extid=d6f5b7a41831ca1a99a0
compiler: riscv64-linux-gnu-gcc (Debian 12.2.0-13) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: riscv64
CC: [ak...@linux-foundation.org linux-...@vger.kernel.org linu...@kvack.org]
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/a741b348759c/non_bootable_disk-5f153a69.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/0e9fe5d6a382/vmlinux-5f153a69.xz
kernel image: https://storage.googleapis.com/syzbot-assets/01e82301190d/Image-5f153a69.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d6f5b7...@syzkaller.appspotmail.com
BUG: Bad page state in process syz.2.1806 pfn:ab652
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000002b6529b0 pfn:0xab652
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: ff6000002b6529b0 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942768126800, free_ts 6922500215400
__set_page_owner+0xa2/0x70c mm/page_owner.c:320
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
__alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
__page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
__sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
__do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
__riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
_new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 16342 tgid 16342 stack trace:
__reset_page_owner+0x8c/0x400 mm/page_owner.c:297
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
__free_pages+0x13c/0x1bc mm/page_alloc.c:4820
vfree+0x1b6/0xc88 mm/vmalloc.c:3361
delayed_vfree_work+0x58/0x7a mm/vmalloc.c:3282
process_one_work+0x956/0x1dae kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x5be/0xdc6 kernel/workqueue.c:3391
kthread+0x28c/0x3a6 kernel/kthread.c:389
ret_from_fork+0xe/0x18 arch/riscv/kernel/entry.S:326
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Not tainted 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806 pfn:ae2f7
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0xae2f7
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942768005500, free_ts 6922668954700
__set_page_owner+0xa2/0x70c mm/page_owner.c:320
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
__alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
__page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
__sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
__do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
__riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
_new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 24 tgid 24 stack trace:
__reset_page_owner+0x8c/0x400 mm/page_owner.c:297
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
__folio_put+0x1ae/0x22e mm/swap.c:126
folio_put include/linux/mm.h:1478 [inline]
free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
__tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
__tlb_remove_table_free mm/mmu_gather.c:227 [inline]
tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
rcu_do_batch kernel/rcu/tree.c:2567 [inline]
rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
run_ksoftirqd kernel/softirq.c:927 [inline]
run_ksoftirqd+0xce/0x144 kernel/softirq.c:919
smpboot_thread_fn+0x654/0xb98 kernel/smpboot.c:164
kthread+0x28c/0x3a6 kernel/kthread.c:389
ret_from_fork+0xe/0x18 arch/riscv/kernel/entry.S:326
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806 pfn:ae2f6
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000002e2f6600 pfn:0xae2f6
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: ff6000002e2f6600 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942767887000, free_ts 6922912620400
__set_page_owner+0xa2/0x70c mm/page_owner.c:320
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
__alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
__page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
__sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
__do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
__riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
_new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 18905 tgid 18905 stack trace:
__reset_page_owner+0x8c/0x400 mm/page_owner.c:297
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
__free_pages+0x13c/0x1bc mm/page_alloc.c:4820
free_pages.part.0+0x26a/0x4cc mm/page_alloc.c:4833
free_pages+0xe/0x18 mm/page_alloc.c:4830
tlb_batch_list_free mm/mmu_gather.c:159 [inline]
tlb_finish_mmu+0x20c/0x7e6 mm/mmu_gather.c:468
exit_mmap+0x36c/0xbea mm/mmap.c:1877
__mmput kernel/fork.c:1347 [inline]
mmput+0x122/0x3e2 kernel/fork.c:1369
exit_mm kernel/exit.c:571 [inline]
do_exit+0x902/0x2986 kernel/exit.c:926
do_group_exit+0xd4/0x26c kernel/exit.c:1088
__do_sys_exit_group kernel/exit.c:1099 [inline]
__se_sys_exit_group kernel/exit.c:1097 [inline]
__riscv_sys_exit_group+0x4a/0x54 kernel/exit.c:1097
syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
_new_vmalloc_restore_context_a0+0xc2/0xce
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806 pfn:98b0f
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x98b0f
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: 0000000000000000 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942767768400, free_ts 6922499537000
__set_page_owner+0xa2/0x70c mm/page_owner.c:320
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
__alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
__page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
__sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
__do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
__riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
_new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 16342 tgid 16342 stack trace:
__reset_page_owner+0x8c/0x400 mm/page_owner.c:297
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
__free_pages+0x13c/0x1bc mm/page_alloc.c:4820
vfree+0x1b6/0xc88 mm/vmalloc.c:3361
delayed_vfree_work+0x58/0x7a mm/vmalloc.c:3282
process_one_work+0x956/0x1dae kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x5be/0xdc6 kernel/workqueue.c:3391
kthread+0x28c/0x3a6 kernel/kthread.c:389
ret_from_fork+0xe/0x18 arch/riscv/kernel/entry.S:326
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806 pfn:98b0e
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x98b0e
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: 0000000000000000 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942767649200, free_ts 6922935139100
__set_page_owner+0xa2/0x70c mm/page_owner.c:320
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
__alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
__page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
__sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
__do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
__riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
_new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 18907 tgid 18901 stack trace:
__reset_page_owner+0x8c/0x400 mm/page_owner.c:297
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
__folio_put+0x1ae/0x22e mm/swap.c:126
folio_put include/linux/mm.h:1478 [inline]
free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
__tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
__tlb_remove_table_free mm/mmu_gather.c:227 [inline]
tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
rcu_do_batch kernel/rcu/tree.c:2567 [inline]
rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu+0x188/0x372 kernel/softirq.c:637
irq_exit_rcu+0x10/0xf8 kernel/softirq.c:649
handle_riscv_irq+0x40/0x4c arch/riscv/kernel/traps.c:378
call_on_irq_stack+0x32/0x40 arch/riscv/kernel/entry.S:355
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806 pfn:9aa97
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9aa97
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: 0000000000000000 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942767531800, free_ts 6922937997000
__set_page_owner+0xa2/0x70c mm/page_owner.c:320
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
__alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
__page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
__sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
__do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
__riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
_new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 18907 tgid 18901 stack trace:
__reset_page_owner+0x8c/0x400 mm/page_owner.c:297
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
__folio_put+0x1ae/0x22e mm/swap.c:126
folio_put include/linux/mm.h:1478 [inline]
free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
__tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
__tlb_remove_table_free mm/mmu_gather.c:227 [inline]
tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
rcu_do_batch kernel/rcu/tree.c:2567 [inline]
rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu+0x188/0x372 kernel/softirq.c:637
irq_exit_rcu+0x10/0xf8 kernel/softirq.c:649
handle_riscv_irq+0x40/0x4c arch/riscv/kernel/traps.c:378
call_on_irq_stack+0x32/0x40 arch/riscv/kernel/entry.S:355
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806 pfn:9aa96
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9aa96
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: 0000000000000000 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942767412800, free_ts 6922933818500
__set_page_owner+0xa2/0x70c mm/page_owner.c:320
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
__alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
__page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
__sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
__do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
__riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
_new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 18907 tgid 18901 stack trace:
__reset_page_owner+0x8c/0x400 mm/page_owner.c:297
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
__folio_put+0x1ae/0x22e mm/swap.c:126
folio_put include/linux/mm.h:1478 [inline]
free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
__tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
__tlb_remove_table_free mm/mmu_gather.c:227 [inline]
tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
rcu_do_batch kernel/rcu/tree.c:2567 [inline]
rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu+0x188/0x372 kernel/softirq.c:637
irq_exit_rcu+0x10/0xf8 kernel/softirq.c:649
handle_riscv_irq+0x40/0x4c arch/riscv/kernel/traps.c:378
call_on_irq_stack+0x32/0x40 arch/riscv/kernel/entry.S:355
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806 pfn:af1f5
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xaf1f5
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: 0000000000000000 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942767292300, free_ts 6922669162900
__set_page_owner+0xa2/0x70c mm/page_owner.c:320
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
__alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
__page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
__sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
__do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
__riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
_new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 24 tgid 24 stack trace:
__reset_page_owner+0x8c/0x400 mm/page_owner.c:297
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
__folio_put+0x1ae/0x22e mm/swap.c:126
folio_put include/linux/mm.h:1478 [inline]
free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
__tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
__tlb_remove_table_free mm/mmu_gather.c:227 [inline]
tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
rcu_do_batch kernel/rcu/tree.c:2567 [inline]
rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
run_ksoftirqd kernel/softirq.c:927 [inline]
run_ksoftirqd+0xce/0x144 kernel/softirq.c:919
smpboot_thread_fn+0x654/0xb98 kernel/smpboot.c:164
kthread+0x28c/0x3a6 kernel/kthread.c:389
ret_from_fork+0xe/0x18 arch/riscv/kernel/entry.S:326
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806 pfn:af1f4
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000002f1f4f50 pfn:0xaf1f4
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: ff6000002f1f4f50 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942767168100, free_ts 6922942911100
__set_page_owner+0xa2/0x70c mm/page_owner.c:320
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
__alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
__page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
__sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
__do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
__riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
_new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 18907 tgid 18901 stack trace:
__reset_page_owner+0x8c/0x400 mm/page_owner.c:297
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
__folio_put+0x1ae/0x22e mm/swap.c:126
folio_put include/linux/mm.h:1478 [inline]
free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
__tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
__tlb_remove_table_free mm/mmu_gather.c:227 [inline]
tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
rcu_do_batch kernel/rcu/tree.c:2567 [inline]
rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu+0x188/0x372 kernel/softirq.c:637
irq_exit_rcu+0x10/0xf8 kernel/softirq.c:649
handle_riscv_irq+0x40/0x4c arch/riscv/kernel/traps.c:378
call_on_irq_stack+0x32/0x40 arch/riscv/kernel/entry.S:355
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806 pfn:aea9d
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0xaea9d
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942767048800, free_ts 6922912807500
__set_page_owner+0xa2/0x70c mm/page_owner.c:320
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
__alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
__page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
__sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
__do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
__riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
_new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 18905 tgid 18905 stack trace:
__reset_page_owner+0x8c/0x400 mm/page_owner.c:297
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
__free_pages+0x13c/0x1bc mm/page_alloc.c:4820
free_pages.part.0+0x26a/0x4cc mm/page_alloc.c:4833
free_pages+0xe/0x18 mm/page_alloc.c:4830
tlb_batch_list_free mm/mmu_gather.c:159 [inline]
tlb_finish_mmu+0x20c/0x7e6 mm/mmu_gather.c:468
exit_mmap+0x36c/0xbea mm/mmap.c:1877
__mmput kernel/fork.c:1347 [inline]
mmput+0x122/0x3e2 kernel/fork.c:1369
exit_mm kernel/exit.c:571 [inline]
do_exit+0x902/0x2986 kernel/exit.c:926
do_group_exit+0xd4/0x26c kernel/exit.c:1088
__do_sys_exit_group kernel/exit.c:1099 [inline]
__se_sys_exit_group kernel/exit.c:1097 [inline]
__riscv_sys_exit_group+0x4a/0x54 kernel/exit.c:1097
syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
_new_vmalloc_restore_context_a0+0xc2/0xce
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806 pfn:aea9c
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000002ea9de00 pfn:0xaea9c
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: ff6000002ea9de00 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942766928100, free_ts 6923527240100
__set_page_owner+0xa2/0x70c mm/page_owner.c:320
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
__alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
__page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
__sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
__do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
__riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
_new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 18907 tgid 18901 stack trace:
__reset_page_owner+0x8c/0x400 mm/page_owner.c:297
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
__free_pages+0x13c/0x1bc mm/page_alloc.c:4820
free_pages.part.0+0x26a/0x4cc mm/page_alloc.c:4833
free_pages+0xe/0x18 mm/page_alloc.c:4830
tlb_batch_list_free mm/mmu_gather.c:159 [inline]
tlb_finish_mmu+0x20c/0x7e6 mm/mmu_gather.c:468
exit_mmap+0x36c/0xbea mm/mmap.c:1877
__mmput kernel/fork.c:1347 [inline]
mmput+0x122/0x3e2 kernel/fork.c:1369
exit_mm kernel/exit.c:571 [inline]
do_exit+0x902/0x2986 kernel/exit.c:926
do_group_exit+0xd4/0x26c kernel/exit.c:1088
get_signal+0x1e98/0x23b0 kernel/signal.c:2917
arch_do_signal_or_restart+0x8d6/0x1190 arch/riscv/kernel/signal.c:437
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x2a6/0x31e kernel/entry/common.c:218
do_trap_ecall_u+0x86/0x216 arch/riscv/kernel/traps.c:345
_new_vmalloc_restore_context_a0+0xc2/0xce
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806 pfn:9daad
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x4 pfn:0x9daad
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: 0000000000000004 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942766810000, free_ts 6922912977000
__set_page_owner+0xa2/0x70c mm/page_owner.c:320
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
__alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
__page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
__sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
__do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
__riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
_new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 18905 tgid 18905 stack trace:
__reset_page_owner+0x8c/0x400
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 5f153a692bac Merge commit 'bf40167d54d5' into fixes
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes
console output: https://syzkaller.appspot.com/x/log.txt?x=15cc9ea7980000
kernel config: https://syzkaller.appspot.com/x/.config?x=e9590f0cf8cf5dd
dashboard link: https://syzkaller.appspot.com/bug?extid=d6f5b7a41831ca1a99a0
compiler: riscv64-linux-gnu-gcc (Debian 12.2.0-13) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: riscv64
CC: [ak...@linux-foundation.org linux-...@vger.kernel.org linu...@kvack.org]
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/a741b348759c/non_bootable_disk-5f153a69.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/0e9fe5d6a382/vmlinux-5f153a69.xz
kernel image: https://storage.googleapis.com/syzbot-assets/01e82301190d/Image-5f153a69.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d6f5b7...@syzkaller.appspotmail.com
BUG: Bad page state in process syz.2.1806 pfn:ab652
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000002b6529b0 pfn:0xab652
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: ff6000002b6529b0 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942768126800, free_ts 6922500215400
__set_page_owner+0xa2/0x70c mm/page_owner.c:320
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
__alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
__page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
__sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
__do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
__riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
_new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 16342 tgid 16342 stack trace:
__reset_page_owner+0x8c/0x400 mm/page_owner.c:297
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
__free_pages+0x13c/0x1bc mm/page_alloc.c:4820
vfree+0x1b6/0xc88 mm/vmalloc.c:3361
delayed_vfree_work+0x58/0x7a mm/vmalloc.c:3282
process_one_work+0x956/0x1dae kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x5be/0xdc6 kernel/workqueue.c:3391
kthread+0x28c/0x3a6 kernel/kthread.c:389
ret_from_fork+0xe/0x18 arch/riscv/kernel/entry.S:326
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Not tainted 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806 pfn:ae2f7
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0xae2f7
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942768005500, free_ts 6922668954700
__set_page_owner+0xa2/0x70c mm/page_owner.c:320
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
__alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
__page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
__sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
__do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
__riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
_new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 24 tgid 24 stack trace:
__reset_page_owner+0x8c/0x400 mm/page_owner.c:297
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
__folio_put+0x1ae/0x22e mm/swap.c:126
folio_put include/linux/mm.h:1478 [inline]
free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
__tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
__tlb_remove_table_free mm/mmu_gather.c:227 [inline]
tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
rcu_do_batch kernel/rcu/tree.c:2567 [inline]
rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
run_ksoftirqd kernel/softirq.c:927 [inline]
run_ksoftirqd+0xce/0x144 kernel/softirq.c:919
smpboot_thread_fn+0x654/0xb98 kernel/smpboot.c:164
kthread+0x28c/0x3a6 kernel/kthread.c:389
ret_from_fork+0xe/0x18 arch/riscv/kernel/entry.S:326
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806 pfn:ae2f6
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000002e2f6600 pfn:0xae2f6
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: ff6000002e2f6600 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942767887000, free_ts 6922912620400
__set_page_owner+0xa2/0x70c mm/page_owner.c:320
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
__alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
__page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
__sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
__do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
__riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
_new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 18905 tgid 18905 stack trace:
__reset_page_owner+0x8c/0x400 mm/page_owner.c:297
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
__free_pages+0x13c/0x1bc mm/page_alloc.c:4820
free_pages.part.0+0x26a/0x4cc mm/page_alloc.c:4833
free_pages+0xe/0x18 mm/page_alloc.c:4830
tlb_batch_list_free mm/mmu_gather.c:159 [inline]
tlb_finish_mmu+0x20c/0x7e6 mm/mmu_gather.c:468
exit_mmap+0x36c/0xbea mm/mmap.c:1877
__mmput kernel/fork.c:1347 [inline]
mmput+0x122/0x3e2 kernel/fork.c:1369
exit_mm kernel/exit.c:571 [inline]
do_exit+0x902/0x2986 kernel/exit.c:926
do_group_exit+0xd4/0x26c kernel/exit.c:1088
__do_sys_exit_group kernel/exit.c:1099 [inline]
__se_sys_exit_group kernel/exit.c:1097 [inline]
__riscv_sys_exit_group+0x4a/0x54 kernel/exit.c:1097
syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
_new_vmalloc_restore_context_a0+0xc2/0xce
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806 pfn:98b0f
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x98b0f
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: 0000000000000000 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942767768400, free_ts 6922499537000
__set_page_owner+0xa2/0x70c mm/page_owner.c:320
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
__alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
__page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
__sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
__do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
__riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
_new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 16342 tgid 16342 stack trace:
__reset_page_owner+0x8c/0x400 mm/page_owner.c:297
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
__free_pages+0x13c/0x1bc mm/page_alloc.c:4820
vfree+0x1b6/0xc88 mm/vmalloc.c:3361
delayed_vfree_work+0x58/0x7a mm/vmalloc.c:3282
process_one_work+0x956/0x1dae kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x5be/0xdc6 kernel/workqueue.c:3391
kthread+0x28c/0x3a6 kernel/kthread.c:389
ret_from_fork+0xe/0x18 arch/riscv/kernel/entry.S:326
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806 pfn:98b0e
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x98b0e
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: 0000000000000000 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942767649200, free_ts 6922935139100
__set_page_owner+0xa2/0x70c mm/page_owner.c:320
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
__alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
__page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
__sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
__do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
__riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
_new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 18907 tgid 18901 stack trace:
__reset_page_owner+0x8c/0x400 mm/page_owner.c:297
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
__folio_put+0x1ae/0x22e mm/swap.c:126
folio_put include/linux/mm.h:1478 [inline]
free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
__tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
__tlb_remove_table_free mm/mmu_gather.c:227 [inline]
tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
rcu_do_batch kernel/rcu/tree.c:2567 [inline]
rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu+0x188/0x372 kernel/softirq.c:637
irq_exit_rcu+0x10/0xf8 kernel/softirq.c:649
handle_riscv_irq+0x40/0x4c arch/riscv/kernel/traps.c:378
call_on_irq_stack+0x32/0x40 arch/riscv/kernel/entry.S:355
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806 pfn:9aa97
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9aa97
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: 0000000000000000 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942767531800, free_ts 6922937997000
__set_page_owner+0xa2/0x70c mm/page_owner.c:320
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
__alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
__page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
__sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
__do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
__riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
_new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 18907 tgid 18901 stack trace:
__reset_page_owner+0x8c/0x400 mm/page_owner.c:297
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
__folio_put+0x1ae/0x22e mm/swap.c:126
folio_put include/linux/mm.h:1478 [inline]
free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
__tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
__tlb_remove_table_free mm/mmu_gather.c:227 [inline]
tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
rcu_do_batch kernel/rcu/tree.c:2567 [inline]
rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu+0x188/0x372 kernel/softirq.c:637
irq_exit_rcu+0x10/0xf8 kernel/softirq.c:649
handle_riscv_irq+0x40/0x4c arch/riscv/kernel/traps.c:378
call_on_irq_stack+0x32/0x40 arch/riscv/kernel/entry.S:355
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806 pfn:9aa96
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9aa96
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: 0000000000000000 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942767412800, free_ts 6922933818500
__set_page_owner+0xa2/0x70c mm/page_owner.c:320
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
__alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
__page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
__sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
__do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
__riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
_new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 18907 tgid 18901 stack trace:
__reset_page_owner+0x8c/0x400 mm/page_owner.c:297
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
__folio_put+0x1ae/0x22e mm/swap.c:126
folio_put include/linux/mm.h:1478 [inline]
free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
__tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
__tlb_remove_table_free mm/mmu_gather.c:227 [inline]
tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
rcu_do_batch kernel/rcu/tree.c:2567 [inline]
rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu+0x188/0x372 kernel/softirq.c:637
irq_exit_rcu+0x10/0xf8 kernel/softirq.c:649
handle_riscv_irq+0x40/0x4c arch/riscv/kernel/traps.c:378
call_on_irq_stack+0x32/0x40 arch/riscv/kernel/entry.S:355
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806 pfn:af1f5
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xaf1f5
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: 0000000000000000 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942767292300, free_ts 6922669162900
__set_page_owner+0xa2/0x70c mm/page_owner.c:320
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
__alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
__page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
__sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
__do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
__riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
_new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 24 tgid 24 stack trace:
__reset_page_owner+0x8c/0x400 mm/page_owner.c:297
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
__folio_put+0x1ae/0x22e mm/swap.c:126
folio_put include/linux/mm.h:1478 [inline]
free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
__tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
__tlb_remove_table_free mm/mmu_gather.c:227 [inline]
tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
rcu_do_batch kernel/rcu/tree.c:2567 [inline]
rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
run_ksoftirqd kernel/softirq.c:927 [inline]
run_ksoftirqd+0xce/0x144 kernel/softirq.c:919
smpboot_thread_fn+0x654/0xb98 kernel/smpboot.c:164
kthread+0x28c/0x3a6 kernel/kthread.c:389
ret_from_fork+0xe/0x18 arch/riscv/kernel/entry.S:326
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806 pfn:af1f4
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000002f1f4f50 pfn:0xaf1f4
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: ff6000002f1f4f50 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942767168100, free_ts 6922942911100
__set_page_owner+0xa2/0x70c mm/page_owner.c:320
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
__alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
__page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
__sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
__do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
__riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
_new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 18907 tgid 18901 stack trace:
__reset_page_owner+0x8c/0x400 mm/page_owner.c:297
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
__folio_put+0x1ae/0x22e mm/swap.c:126
folio_put include/linux/mm.h:1478 [inline]
free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:308
__tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
__tlb_remove_table_free mm/mmu_gather.c:227 [inline]
tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
rcu_do_batch kernel/rcu/tree.c:2567 [inline]
rcu_core+0xa24/0x1eac kernel/rcu/tree.c:2823
rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2840
handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu+0x188/0x372 kernel/softirq.c:637
irq_exit_rcu+0x10/0xf8 kernel/softirq.c:649
handle_riscv_irq+0x40/0x4c arch/riscv/kernel/traps.c:378
call_on_irq_stack+0x32/0x40 arch/riscv/kernel/entry.S:355
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806 pfn:aea9d
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0xaea9d
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: 0000000000000002 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942767048800, free_ts 6922912807500
__set_page_owner+0xa2/0x70c mm/page_owner.c:320
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
__alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
__page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
__sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
__do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
__riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
_new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 18905 tgid 18905 stack trace:
__reset_page_owner+0x8c/0x400 mm/page_owner.c:297
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
__free_pages+0x13c/0x1bc mm/page_alloc.c:4820
free_pages.part.0+0x26a/0x4cc mm/page_alloc.c:4833
free_pages+0xe/0x18 mm/page_alloc.c:4830
tlb_batch_list_free mm/mmu_gather.c:159 [inline]
tlb_finish_mmu+0x20c/0x7e6 mm/mmu_gather.c:468
exit_mmap+0x36c/0xbea mm/mmap.c:1877
__mmput kernel/fork.c:1347 [inline]
mmput+0x122/0x3e2 kernel/fork.c:1369
exit_mm kernel/exit.c:571 [inline]
do_exit+0x902/0x2986 kernel/exit.c:926
do_group_exit+0xd4/0x26c kernel/exit.c:1088
__do_sys_exit_group kernel/exit.c:1099 [inline]
__se_sys_exit_group kernel/exit.c:1097 [inline]
__riscv_sys_exit_group+0x4a/0x54 kernel/exit.c:1097
syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
_new_vmalloc_restore_context_a0+0xc2/0xce
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806 pfn:aea9c
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xff6000002ea9de00 pfn:0xaea9c
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: ff6000002ea9de00 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942766928100, free_ts 6923527240100
__set_page_owner+0xa2/0x70c mm/page_owner.c:320
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
__alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
__page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
__sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
__do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
__riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
_new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 18907 tgid 18901 stack trace:
__reset_page_owner+0x8c/0x400 mm/page_owner.c:297
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0x592/0xf08 mm/page_alloc.c:2638
__free_pages+0x13c/0x1bc mm/page_alloc.c:4820
free_pages.part.0+0x26a/0x4cc mm/page_alloc.c:4833
free_pages+0xe/0x18 mm/page_alloc.c:4830
tlb_batch_list_free mm/mmu_gather.c:159 [inline]
tlb_finish_mmu+0x20c/0x7e6 mm/mmu_gather.c:468
exit_mmap+0x36c/0xbea mm/mmap.c:1877
__mmput kernel/fork.c:1347 [inline]
mmput+0x122/0x3e2 kernel/fork.c:1369
exit_mm kernel/exit.c:571 [inline]
do_exit+0x902/0x2986 kernel/exit.c:926
do_group_exit+0xd4/0x26c kernel/exit.c:1088
get_signal+0x1e98/0x23b0 kernel/signal.c:2917
arch_do_signal_or_restart+0x8d6/0x1190 arch/riscv/kernel/signal.c:437
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x2a6/0x31e kernel/entry/common.c:218
do_trap_ecall_u+0x86/0x216 arch/riscv/kernel/traps.c:345
_new_vmalloc_restore_context_a0+0xc2/0xce
Modules linked in:
CPU: 0 UID: 0 PID: 18955 Comm: syz.2.1806 Tainted: G B 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85fd7a0a>] dump_stack+0x1c/0x24 lib/dump_stack.c:129
[<ffffffff808b0b06>] bad_page+0x268/0x2da mm/page_alloc.c:501
[<ffffffff808bcb18>] free_page_is_bad_report mm/page_alloc.c:908 [inline]
[<ffffffff808bcb18>] free_page_is_bad mm/page_alloc.c:918 [inline]
[<ffffffff808bcb18>] free_pages_prepare mm/page_alloc.c:1100 [inline]
[<ffffffff808bcb18>] free_unref_page+0x78a/0xf08 mm/page_alloc.c:2638
[<ffffffff808be53a>] page_frag_free+0x21c/0x268 mm/page_alloc.c:4971
[<ffffffff84c97152>] skb_free_frag include/linux/skbuff.h:3399 [inline]
[<ffffffff84c97152>] skb_free_head+0x1ce/0x2ec net/core/skbuff.c:1096
[<ffffffff84ca2952>] skb_release_data+0x6ec/0x86a net/core/skbuff.c:1125
[<ffffffff84cac65c>] skb_release_all net/core/skbuff.c:1190 [inline]
[<ffffffff84cac65c>] __kfree_skb net/core/skbuff.c:1204 [inline]
[<ffffffff84cac65c>] sk_skb_reason_drop+0x130/0x180 net/core/skbuff.c:1242
[<ffffffff84d1d4cc>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff84d1d4cc>] __netif_receive_skb_core.constprop.0+0x650/0x4374 net/core/dev.c:5636
[<ffffffff84d213ae>] __netif_receive_skb_list_core+0x1be/0x75e net/core/dev.c:5737
[<ffffffff84d24b66>] __netif_receive_skb_list net/core/dev.c:5804 [inline]
[<ffffffff84d24b66>] netif_receive_skb_list_internal+0x64e/0xc36 net/core/dev.c:5895
[<ffffffff84d251ae>] netif_receive_skb_list net/core/dev.c:5947 [inline]
[<ffffffff84d251ae>] netif_receive_skb_list+0x60/0x634 net/core/dev.c:5937
[<ffffffff850c688a>] xdp_recv_frames net/bpf/test_run.c:279 [inline]
[<ffffffff850c688a>] xdp_test_run_batch.constprop.0+0x1244/0x1816 net/bpf/test_run.c:360
[<ffffffff850c7152>] bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
[<ffffffff850cb85c>] bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
[<ffffffff804ef2e2>] bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
[<ffffffff804ef2e2>] __sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
[<ffffffff804f35f2>] __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
[<ffffffff804f35f2>] __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
[<ffffffff804f35f2>] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce
BUG: Bad page state in process syz.2.1806 pfn:9daad
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x4 pfn:0x9daad
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 dead000000000040 ff6000002b4ee000 0000000000000000
raw: 0000000000000004 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 18955, tgid 18954 (syz.2.1806), ts 6942766810000, free_ts 6922912977000
__set_page_owner+0xa2/0x70c mm/page_owner.c:320
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0xdaa/0x295a mm/page_alloc.c:3457
__alloc_pages_noprof+0x1e2/0x1eb6 mm/page_alloc.c:4733
alloc_pages_bulk_noprof+0x252/0x13d8 mm/page_alloc.c:4681
alloc_pages_bulk_array_node_noprof include/linux/gfp.h:239 [inline]
__page_pool_alloc_pages_slow+0x18e/0xc50 net/core/page_pool.c:538
page_pool_alloc_netmem net/core/page_pool.c:590 [inline]
page_pool_alloc_netmem+0xc0/0x158 net/core/page_pool.c:577
page_pool_alloc_pages+0x20/0x62 net/core/page_pool.c:597
page_pool_dev_alloc_pages include/net/page_pool/helpers.h:96 [inline]
xdp_test_run_batch.constprop.0+0x362/0x1816 net/bpf/test_run.c:305
bpf_test_run_xdp_live+0x2f6/0x49e net/bpf/test_run.c:389
bpf_prog_test_run_xdp+0x7f6/0x15a8 net/bpf/test_run.c:1317
bpf_prog_test_run kernel/bpf/syscall.c:4247 [inline]
__sys_bpf+0xd14/0x42cc kernel/bpf/syscall.c:5652
__do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
__riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5739
syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
_new_vmalloc_restore_context_a0+0xc2/0xce
page last free pid 18905 tgid 18905 stack trace:
__reset_page_owner+0x8c/0x400
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Dmitry Vyukov
Nov 15, 2024, 5:44:20 AM11/15/24
to syzbot, syzkaller-upst...@googlegroups.com
#syz dup: BUG: Bad page state in xdp_test_run_batch
Sent https://github.com/google/syzkaller/pull/5512 to fix parsing.
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-upstream-moderation" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-upstream-m...@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/syzkaller-upstream-moderation/6735c97f.050a0220.1324f8.0095.GAE%40google.com.
Sent https://github.com/google/syzkaller/pull/5512 to fix parsing.
> You received this message because you are subscribed to the Google Groups "syzkaller-upstream-moderation" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-upstream-m...@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/syzkaller-upstream-moderation/6735c97f.050a0220.1324f8.0095.GAE%40google.com.
Reply all
Reply to author
Forward
0 new messages