Extracting prog: 2m8.831767701s Minimizing prog: 16m3.095136509s Simplifying prog options: 0s Extracting C: 53.469845477s Simplifying C: 14m8.495735038s extracting reproducer from 1 programs testing a last program of every proc single: executing 1 programs separately with timeout 30s testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): sendmsg$NL80211_CMD_SET_WDS_PEER-socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet detailed listing: executing program 0: sendmsg$NL80211_CMD_SET_WDS_PEER(0xffffffffffffffff, 0x0, 0x4040040) r0 = socket$inet_tcp(0x2, 0x1, 0x0) r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000040)={0x6, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="180200002343ffff0000000000000000850000004100000095"], &(0x7f0000000280)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x67}, 0x94) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000180)={'syz_tun\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000000)={r1, r2, 0x25, 0x4, @void}, 0x10) syz_emit_ethernet(0xfe54, &(0x7f0000001b00)=ANY=[], 0x0) program crashed: BUG: Bad page state in skb_pp_cow_data single: successfully extracted reproducer found reproducer with 6 syscalls minimizing guilty program testing program (duration=48.039901045s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): sendmsg$NL80211_CMD_SET_WDS_PEER-socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP detailed listing: executing program 0: sendmsg$NL80211_CMD_SET_WDS_PEER(0xffffffffffffffff, 0x0, 0x4040040) r0 = socket$inet_tcp(0x2, 0x1, 0x0) r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000040)={0x6, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="180200002343ffff0000000000000000850000004100000095"], &(0x7f0000000280)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x67}, 0x94) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000180)={'syz_tun\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000000)={r1, r2, 0x25, 0x4, @void}, 0x10) program did not crash testing program (duration=48.039901045s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): sendmsg$NL80211_CMD_SET_WDS_PEER-socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-syz_emit_ethernet detailed listing: executing program 0: sendmsg$NL80211_CMD_SET_WDS_PEER(0xffffffffffffffff, 0x0, 0x4040040) r0 = socket$inet_tcp(0x2, 0x1, 0x0) bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000040)={0x6, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="180200002343ffff0000000000000000850000004100000095"], &(0x7f0000000280)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x67}, 0x94) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000180)={'syz_tun\x00'}) syz_emit_ethernet(0xfe54, &(0x7f0000001b00)=ANY=[], 0x0) program did not crash testing program (duration=48.039901045s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): sendmsg$NL80211_CMD_SET_WDS_PEER-socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet detailed listing: executing program 0: sendmsg$NL80211_CMD_SET_WDS_PEER(0xffffffffffffffff, 0x0, 0x4040040) socket$inet_tcp(0x2, 0x1, 0x0) r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000040)={0x6, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="180200002343ffff0000000000000000850000004100000095"], &(0x7f0000000280)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x67}, 0x94) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000000)={r0, 0x0, 0x25, 0x4, @void}, 0x10) syz_emit_ethernet(0xfe54, &(0x7f0000001b00)=ANY=[], 0x0) program did not crash testing program (duration=48.039901045s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): sendmsg$NL80211_CMD_SET_WDS_PEER-socket$inet_tcp-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet detailed listing: executing program 0: sendmsg$NL80211_CMD_SET_WDS_PEER(0xffffffffffffffff, 0x0, 0x4040040) r0 = socket$inet_tcp(0x2, 0x1, 0x0) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000180)={'syz_tun\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000000)={0xffffffffffffffff, r1, 0x25, 0x4, @void}, 0x10) syz_emit_ethernet(0xfe54, &(0x7f0000001b00)=ANY=[], 0x0) program did not crash testing program (duration=48.039901045s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): sendmsg$NL80211_CMD_SET_WDS_PEER-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet detailed listing: executing program 0: sendmsg$NL80211_CMD_SET_WDS_PEER(0xffffffffffffffff, 0x0, 0x4040040) r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000040)={0x6, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="180200002343ffff0000000000000000850000004100000095"], &(0x7f0000000280)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x67}, 0x94) ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, &(0x7f0000000180)={'syz_tun\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000000)={r0, r1, 0x25, 0x4, @void}, 0x10) syz_emit_ethernet(0xfe54, &(0x7f0000001b00)=ANY=[], 0x0) program did not crash testing program (duration=48.039901045s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet detailed listing: executing program 0: r0 = socket$inet_tcp(0x2, 0x1, 0x0) r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000040)={0x6, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="180200002343ffff0000000000000000850000004100000095"], &(0x7f0000000280)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x67}, 0x94) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000180)={'syz_tun\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000000)={r1, r2, 0x25, 0x4, @void}, 0x10) syz_emit_ethernet(0xfe54, &(0x7f0000001b00)=ANY=[], 0x0) program crashed: BUG: Bad page state in skb_pp_cow_data testing program (duration=48.039901045s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet detailed listing: executing program 0: r0 = socket$inet_tcp(0x2, 0x1, 0x0) r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, 0x0, 0x0) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000180)={'syz_tun\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000000)={r1, r2, 0x25, 0x4, @void}, 0x10) syz_emit_ethernet(0xfe54, &(0x7f0000001b00)=ANY=[], 0x0) program did not crash testing program (duration=48.039901045s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet detailed listing: executing program 0: r0 = socket$inet_tcp(0x2, 0x1, 0x0) r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000040)={0x6, 0x4, 0x0, &(0x7f0000000280)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x67}, 0x94) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000180)={'syz_tun\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000000)={r1, r2, 0x25, 0x4, @void}, 0x10) syz_emit_ethernet(0xfe54, &(0x7f0000001b00)=ANY=[], 0x0) program did not crash testing program (duration=48.039901045s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet detailed listing: executing program 0: r0 = socket$inet_tcp(0x2, 0x1, 0x0) r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000040)={0x6, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB], &(0x7f0000000280)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x67}, 0x94) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000180)={'syz_tun\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000000)={r1, r2, 0x25, 0x4, @void}, 0x10) syz_emit_ethernet(0xfe54, &(0x7f0000001b00)=ANY=[], 0x0) program did not crash testing program (duration=48.039901045s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet detailed listing: executing program 0: r0 = socket$inet_tcp(0x2, 0x1, 0x0) r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000040)={0x6, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="180200002343ffff0000000000000000850000004100000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x67}, 0x94) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000180)={'syz_tun\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000000)={r1, r2, 0x25, 0x4, @void}, 0x10) syz_emit_ethernet(0xfe54, &(0x7f0000001b00)=ANY=[], 0x0) program did not crash testing program (duration=48.039901045s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet detailed listing: executing program 0: r0 = socket$inet_tcp(0x2, 0x1, 0x0) r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000040)={0x6, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="180200002343ffff0000000000000000850000004100000095"], &(0x7f0000000280)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x67}, 0x94) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, 0x0) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000000)={r1, 0x0, 0x25, 0x4, @void}, 0x10) syz_emit_ethernet(0xfe54, &(0x7f0000001b00)=ANY=[], 0x0) program did not crash testing program (duration=48.039901045s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet detailed listing: executing program 0: r0 = socket$inet_tcp(0x2, 0x1, 0x0) bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000040)={0x6, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="180200002343ffff0000000000000000850000004100000095"], &(0x7f0000000280)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x67}, 0x94) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000180)={'syz_tun\x00'}) bpf$BPF_LINK_CREATE_XDP(0x1c, 0x0, 0x0) syz_emit_ethernet(0xfe54, &(0x7f0000001b00)=ANY=[], 0x0) program did not crash testing program (duration=48.039901045s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet detailed listing: executing program 0: r0 = socket$inet_tcp(0x2, 0x1, 0x0) r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000040)={0x6, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="180200002343ffff0000000000000000850000004100000095"], &(0x7f0000000280)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x67}, 0x94) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000180)={'syz_tun\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000000)={r1, r2, 0x25, 0x4, @void}, 0x10) syz_emit_ethernet(0xfe54, 0x0, 0x0) program did not crash extracting C reproducer testing compiled C program (duration=48.039901045s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet program crashed: BUG: Bad page state in skb_pp_cow_data simplifying C reproducer testing compiled C program (duration=48.039901045s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet program crashed: BUG: Bad page state in skb_pp_cow_data testing compiled C program (duration=48.039901045s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet program crashed: BUG: Bad page state in skb_pp_cow_data testing compiled C program (duration=48.039901045s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet program did not crash testing compiled C program (duration=48.039901045s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet program did not crash testing compiled C program (duration=48.039901045s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet program crashed: BUG: Bad page state in skb_pp_cow_data testing compiled C program (duration=48.039901045s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet program crashed: BUG: Bad page state in skb_pp_cow_data testing compiled C program (duration=48.039901045s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet program crashed: BUG: Bad page state in skb_pp_cow_data testing compiled C program (duration=48.039901045s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet program crashed: BUG: Bad page state in skb_pp_cow_data testing compiled C program (duration=48.039901045s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet program crashed: BUG: Bad page state in skb_pp_cow_data testing compiled C program (duration=48.039901045s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet program crashed: BUG: Bad page state in skb_pp_cow_data testing compiled C program (duration=48.039901045s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet program crashed: BUG: Bad page state in skb_pp_cow_data testing compiled C program (duration=48.039901045s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:false HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet program crashed: BUG: Bad page state in skb_pp_cow_data testing compiled C program (duration=48.039901045s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet program crashed: BUG: Bad page state in skb_pp_cow_data testing compiled C program (duration=48.039901045s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:true UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet program crashed: BUG: Bad page state in skb_pp_cow_data testing compiled C program (duration=48.039901045s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet program crashed: BUG: Bad page state in skb_pp_cow_data testing program (duration=48.039901045s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet detailed listing: executing program 0: r0 = socket$inet_tcp(0x2, 0x1, 0x0) r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000040)={0x6, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="180200002343ffff0000000000000000850000004100000095"], &(0x7f0000000280)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x67}, 0x94) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000180)={'syz_tun\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000000)={r1, r2, 0x25, 0x4, @void}, 0x10) syz_emit_ethernet(0xfe54, &(0x7f0000001b00)=ANY=[], 0x0) program crashed: BUG: Bad page state in skb_pp_cow_data validation run: crashed=true testing program (duration=48.039901045s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet detailed listing: executing program 0: r0 = socket$inet_tcp(0x2, 0x1, 0x0) r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000040)={0x6, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="180200002343ffff0000000000000000850000004100000095"], &(0x7f0000000280)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x67}, 0x94) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000180)={'syz_tun\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000000)={r1, r2, 0x25, 0x4, @void}, 0x10) syz_emit_ethernet(0xfe54, &(0x7f0000001b00)=ANY=[], 0x0) program crashed: BUG: Bad page state in skb_pp_cow_data validation run: crashed=true testing program (duration=48.039901045s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-syz_emit_ethernet detailed listing: executing program 0: r0 = socket$inet_tcp(0x2, 0x1, 0x0) r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000040)={0x6, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="180200002343ffff0000000000000000850000004100000095"], &(0x7f0000000280)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x67}, 0x94) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000180)={'syz_tun\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000000)={r1, r2, 0x25, 0x4, @void}, 0x10) syz_emit_ethernet(0xfe54, &(0x7f0000001b00)=ANY=[], 0x0) program crashed: BUG: Bad page state in skb_pp_cow_data validation run: crashed=true reproducing took 38m40.164575238s repro crashed as (corrupted=false): BUG: Bad page state in process syz.0.17 pfn:32920 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888032920780 pfn:0x32920 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888022aed000 0000000000000000 raw: ffff888032920780 3fffffffffffffff 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5840, tgid 5840 (syz.0.17), ts 80790666706, free_ts 80643877656 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x24ae/0x2530 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221 __alloc_pages_noprof+0x10/0x100 mm/page_alloc.c:5255 alloc_pages_bulk_noprof+0x5ff/0x7c0 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x14f/0x720 net/core/page_pool.c:619 page_pool_alloc_netmems net/core/page_pool.c:670 [inline] page_pool_alloc_frag_netmem+0x563/0x9b0 net/core/page_pool.c:1079 page_pool_alloc_netmem include/net/page_pool/helpers.h:131 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0xcf6/0x19a0 net/core/skbuff.c:984 netif_skb_check_for_xdp net/core/dev.c:5561 [inline] netif_receive_generic_xdp net/core/dev.c:5602 [inline] do_xdp_generic+0x770/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5836 tgid 5836 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0xc0d/0xd20 mm/page_alloc.c:2938 rcu_do_batch kernel/rcu/tree.c:2645 [inline] rcu_core+0x78b/0x10a0 kernel/rcu/tree.c:2897 handle_softirqs+0x225/0x840 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] invoke_softirq kernel/softirq.c:496 [inline] __irq_exit_rcu+0xca/0x220 kernel/softirq.c:735 irq_exit_rcu+0x9/0x30 kernel/softirq.c:752 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1062 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1062 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:674 Modules linked in: CPU: 0 UID: 0 PID: 5840 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 Call Trace: dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 bad_page+0x17f/0x1c0 mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0xcca/0xd20 mm/page_alloc.c:2938 bpf_xdp_shrink_data net/core/filter.c:4247 [inline] bpf_xdp_frags_shrink_tail+0x4ed/0x800 net/core/filter.c:4271 ____bpf_xdp_adjust_tail net/core/filter.c:4293 [inline] bpf_xdp_adjust_tail+0x1ce/0x210 net/core/filter.c:4286 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x5e3/0x14b0 net/core/dev.c:5492 netif_receive_generic_xdp net/core/dev.c:5608 [inline] do_xdp_generic+0xac2/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f980b75d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe26ab8ab8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055556b38e500 RCX: 00007f980b75d68e RDX: 000000000000fe54 RSI: 0000200000001b00 RDI: 00000000000000c8 RBP: 00007f980b832e6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f980ba15fac R14: 00007f980ba15fa0 R15: 00007f980ba15fa0 BUG: Bad page state in process syz.0.17 pfn:35169 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888035169e70 pfn:0x35169 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888022aed000 0000000000000000 raw: ffff888035169e70 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5840, tgid 5840 (syz.0.17), ts 80790653469, free_ts 80643887621 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x24ae/0x2530 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221 __alloc_pages_noprof+0x10/0x100 mm/page_alloc.c:5255 alloc_pages_bulk_noprof+0x5ff/0x7c0 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x14f/0x720 net/core/page_pool.c:619 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0xcd0/0x19a0 net/core/skbuff.c:984 netif_skb_check_for_xdp net/core/dev.c:5561 [inline] netif_receive_generic_xdp net/core/dev.c:5602 [inline] do_xdp_generic+0x770/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5836 tgid 5836 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0xc0d/0xd20 mm/page_alloc.c:2938 rcu_do_batch kernel/rcu/tree.c:2645 [inline] rcu_core+0x78b/0x10a0 kernel/rcu/tree.c:2897 handle_softirqs+0x225/0x840 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] invoke_softirq kernel/softirq.c:496 [inline] __irq_exit_rcu+0xca/0x220 kernel/softirq.c:735 irq_exit_rcu+0x9/0x30 kernel/softirq.c:752 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1062 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1062 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:674 Modules linked in: CPU: 0 UID: 0 PID: 5840 Comm: syz.0.17 Tainted: G B syzkaller #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 Call Trace: dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 bad_page+0x17f/0x1c0 mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0xcca/0xd20 mm/page_alloc.c:2938 bpf_xdp_shrink_data net/core/filter.c:4247 [inline] bpf_xdp_frags_shrink_tail+0x4ed/0x800 net/core/filter.c:4271 ____bpf_xdp_adjust_tail net/core/filter.c:4293 [inline] bpf_xdp_adjust_tail+0x1ce/0x210 net/core/filter.c:4286 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x5e3/0x14b0 net/core/dev.c:5492 netif_receive_generic_xdp net/core/dev.c:5608 [inline] do_xdp_generic+0xac2/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f980b75d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe26ab8ab8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055556b38e500 RCX: 00007f980b75d68e RDX: 000000000000fe54 RSI: 0000200000001b00 RDI: 00000000000000c8 RBP: 00007f980b832e6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f980ba15fac R14: 00007f980ba15fa0 R15: 00007f980ba15fa0 BUG: Bad page state in process syz.0.17 pfn:7f5c9 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88807f5c9528 pfn:0x7f5c9 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888022aed000 0000000000000000 raw: ffff88807f5c9528 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5840, tgid 5840 (syz.0.17), ts 80790642116, free_ts 80643920044 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x24ae/0x2530 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221 __alloc_pages_noprof+0x10/0x100 mm/page_alloc.c:5255 alloc_pages_bulk_noprof+0x5ff/0x7c0 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x14f/0x720 net/core/page_pool.c:619 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0xcd0/0x19a0 net/core/skbuff.c:984 netif_skb_check_for_xdp net/core/dev.c:5561 [inline] netif_receive_generic_xdp net/core/dev.c:5602 [inline] do_xdp_generic+0x770/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5836 tgid 5836 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0xc0d/0xd20 mm/page_alloc.c:2938 rcu_do_batch kernel/rcu/tree.c:2645 [inline] rcu_core+0x78b/0x10a0 kernel/rcu/tree.c:2897 handle_softirqs+0x225/0x840 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] invoke_softirq kernel/softirq.c:496 [inline] __irq_exit_rcu+0xca/0x220 kernel/softirq.c:735 irq_exit_rcu+0x9/0x30 kernel/softirq.c:752 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1062 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1062 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:674 Modules linked in: CPU: 0 UID: 0 PID: 5840 Comm: syz.0.17 Tainted: G B syzkaller #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 Call Trace: dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 bad_page+0x17f/0x1c0 mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0xcca/0xd20 mm/page_alloc.c:2938 bpf_xdp_shrink_data net/core/filter.c:4247 [inline] bpf_xdp_frags_shrink_tail+0x4ed/0x800 net/core/filter.c:4271 ____bpf_xdp_adjust_tail net/core/filter.c:4293 [inline] bpf_xdp_adjust_tail+0x1ce/0x210 net/core/filter.c:4286 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x5e3/0x14b0 net/core/dev.c:5492 netif_receive_generic_xdp net/core/dev.c:5608 [inline] do_xdp_generic+0xac2/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f980b75d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe26ab8ab8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055556b38e500 RCX: 00007f980b75d68e RDX: 000000000000fe54 RSI: 0000200000001b00 RDI: 00000000000000c8 RBP: 00007f980b832e6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f980ba15fac R14: 00007f980ba15fa0 R15: 00007f980ba15fa0 BUG: Bad page state in process syz.0.17 pfn:34640 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888034640c80 pfn:0x34640 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888022aed000 0000000000000000 raw: ffff888034640c80 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5840, tgid 5840 (syz.0.17), ts 80790630226, free_ts 80643931095 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x24ae/0x2530 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221 __alloc_pages_noprof+0x10/0x100 mm/page_alloc.c:5255 alloc_pages_bulk_noprof+0x5ff/0x7c0 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x14f/0x720 net/core/page_pool.c:619 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0xcd0/0x19a0 net/core/skbuff.c:984 netif_skb_check_for_xdp net/core/dev.c:5561 [inline] netif_receive_generic_xdp net/core/dev.c:5602 [inline] do_xdp_generic+0x770/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5836 tgid 5836 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0xc0d/0xd20 mm/page_alloc.c:2938 rcu_do_batch kernel/rcu/tree.c:2645 [inline] rcu_core+0x78b/0x10a0 kernel/rcu/tree.c:2897 handle_softirqs+0x225/0x840 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] invoke_softirq kernel/softirq.c:496 [inline] __irq_exit_rcu+0xca/0x220 kernel/softirq.c:735 irq_exit_rcu+0x9/0x30 kernel/softirq.c:752 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1062 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1062 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:674 Modules linked in: CPU: 0 UID: 0 PID: 5840 Comm: syz.0.17 Tainted: G B syzkaller #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 Call Trace: dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 bad_page+0x17f/0x1c0 mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0xcca/0xd20 mm/page_alloc.c:2938 bpf_xdp_shrink_data net/core/filter.c:4247 [inline] bpf_xdp_frags_shrink_tail+0x4ed/0x800 net/core/filter.c:4271 ____bpf_xdp_adjust_tail net/core/filter.c:4293 [inline] bpf_xdp_adjust_tail+0x1ce/0x210 net/core/filter.c:4286 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x5e3/0x14b0 net/core/dev.c:5492 netif_receive_generic_xdp net/core/dev.c:5608 [inline] do_xdp_generic+0xac2/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f980b75d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe26ab8ab8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055556b38e500 RCX: 00007f980b75d68e RDX: 000000000000fe54 RSI: 0000200000001b00 RDI: 00000000000000c8 RBP: 00007f980b832e6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f980ba15fac R14: 00007f980ba15fa0 R15: 00007f980ba15fa0 BUG: Bad page state in process syz.0.17 pfn:341ac page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880341acc80 pfn:0x341ac flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888022aed000 0000000000000000 raw: ffff8880341acc80 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5840, tgid 5840 (syz.0.17), ts 80790618744, free_ts 80643942751 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x24ae/0x2530 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221 __alloc_pages_noprof+0x10/0x100 mm/page_alloc.c:5255 alloc_pages_bulk_noprof+0x5ff/0x7c0 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x14f/0x720 net/core/page_pool.c:619 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0xcd0/0x19a0 net/core/skbuff.c:984 netif_skb_check_for_xdp net/core/dev.c:5561 [inline] netif_receive_generic_xdp net/core/dev.c:5602 [inline] do_xdp_generic+0x770/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5836 tgid 5836 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0xc0d/0xd20 mm/page_alloc.c:2938 rcu_do_batch kernel/rcu/tree.c:2645 [inline] rcu_core+0x78b/0x10a0 kernel/rcu/tree.c:2897 handle_softirqs+0x225/0x840 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] invoke_softirq kernel/softirq.c:496 [inline] __irq_exit_rcu+0xca/0x220 kernel/softirq.c:735 irq_exit_rcu+0x9/0x30 kernel/softirq.c:752 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1062 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1062 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:674 Modules linked in: CPU: 0 UID: 0 PID: 5840 Comm: syz.0.17 Tainted: G B syzkaller #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 Call Trace: dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 bad_page+0x17f/0x1c0 mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0xcca/0xd20 mm/page_alloc.c:2938 bpf_xdp_shrink_data net/core/filter.c:4247 [inline] bpf_xdp_frags_shrink_tail+0x4ed/0x800 net/core/filter.c:4271 ____bpf_xdp_adjust_tail net/core/filter.c:4293 [inline] bpf_xdp_adjust_tail+0x1ce/0x210 net/core/filter.c:4286 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x5e3/0x14b0 net/core/dev.c:5492 netif_receive_generic_xdp net/core/dev.c:5608 [inline] do_xdp_generic+0xac2/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f980b75d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe26ab8ab8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055556b38e500 RCX: 00007f980b75d68e RDX: 000000000000fe54 RSI: 0000200000001b00 RDI: 00000000000000c8 RBP: 00007f980b832e6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f980ba15fac R14: 00007f980ba15fa0 R15: 00007f980ba15fa0 BUG: Bad page state in process syz.0.17 pfn:34641 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880346418c0 pfn:0x34641 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888022aed000 0000000000000000 raw: ffff8880346418c0 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5840, tgid 5840 (syz.0.17), ts 80790606934, free_ts 80643953441 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x24ae/0x2530 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221 __alloc_pages_noprof+0x10/0x100 mm/page_alloc.c:5255 alloc_pages_bulk_noprof+0x5ff/0x7c0 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x14f/0x720 net/core/page_pool.c:619 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0xcd0/0x19a0 net/core/skbuff.c:984 netif_skb_check_for_xdp net/core/dev.c:5561 [inline] netif_receive_generic_xdp net/core/dev.c:5602 [inline] do_xdp_generic+0x770/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5836 tgid 5836 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0xc0d/0xd20 mm/page_alloc.c:2938 rcu_do_batch kernel/rcu/tree.c:2645 [inline] rcu_core+0x78b/0x10a0 kernel/rcu/tree.c:2897 handle_softirqs+0x225/0x840 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] invoke_softirq kernel/softirq.c:496 [inline] __irq_exit_rcu+0xca/0x220 kernel/softirq.c:735 irq_exit_rcu+0x9/0x30 kernel/softirq.c:752 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1062 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1062 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:674 Modules linked in: CPU: 0 UID: 0 PID: 5840 Comm: syz.0.17 Tainted: G B syzkaller #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 Call Trace: dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 bad_page+0x17f/0x1c0 mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0xcca/0xd20 mm/page_alloc.c:2938 bpf_xdp_shrink_data net/core/filter.c:4247 [inline] bpf_xdp_frags_shrink_tail+0x4ed/0x800 net/core/filter.c:4271 ____bpf_xdp_adjust_tail net/core/filter.c:4293 [inline] bpf_xdp_adjust_tail+0x1ce/0x210 net/core/filter.c:4286 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x5e3/0x14b0 net/core/dev.c:5492 netif_receive_generic_xdp net/core/dev.c:5608 [inline] do_xdp_generic+0xac2/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f980b75d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe26ab8ab8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055556b38e500 RCX: 00007f980b75d68e RDX: 000000000000fe54 RSI: 0000200000001b00 RDI: 00000000000000c8 RBP: 00007f980b832e6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f980ba15fac R14: 00007f980ba15fa0 R15: 00007f980ba15fa0 BUG: Bad page state in process syz.0.17 pfn:79889 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880798898c0 pfn:0x79889 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888022aed000 0000000000000000 raw: ffff8880798898c0 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5840, tgid 5840 (syz.0.17), ts 80790594976, free_ts 80643971015 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x24ae/0x2530 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221 __alloc_pages_noprof+0x10/0x100 mm/page_alloc.c:5255 alloc_pages_bulk_noprof+0x5ff/0x7c0 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x14f/0x720 net/core/page_pool.c:619 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0xcd0/0x19a0 net/core/skbuff.c:984 netif_skb_check_for_xdp net/core/dev.c:5561 [inline] netif_receive_generic_xdp net/core/dev.c:5602 [inline] do_xdp_generic+0x770/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5836 tgid 5836 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0xc0d/0xd20 mm/page_alloc.c:2938 rcu_do_batch kernel/rcu/tree.c:2645 [inline] rcu_core+0x78b/0x10a0 kernel/rcu/tree.c:2897 handle_softirqs+0x225/0x840 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] invoke_softirq kernel/softirq.c:496 [inline] __irq_exit_rcu+0xca/0x220 kernel/softirq.c:735 irq_exit_rcu+0x9/0x30 kernel/softirq.c:752 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1062 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1062 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:674 Modules linked in: CPU: 0 UID: 0 PID: 5840 Comm: syz.0.17 Tainted: G B syzkaller #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 Call Trace: dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 bad_page+0x17f/0x1c0 mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0xcca/0xd20 mm/page_alloc.c:2938 bpf_xdp_shrink_data net/core/filter.c:4247 [inline] bpf_xdp_frags_shrink_tail+0x4ed/0x800 net/core/filter.c:4271 ____bpf_xdp_adjust_tail net/core/filter.c:4293 [inline] bpf_xdp_adjust_tail+0x1ce/0x210 net/core/filter.c:4286 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x5e3/0x14b0 net/core/dev.c:5492 netif_receive_generic_xdp net/core/dev.c:5608 [inline] do_xdp_generic+0xac2/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f980b75d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe26ab8ab8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055556b38e500 RCX: 00007f980b75d68e RDX: 000000000000fe54 RSI: 0000200000001b00 RDI: 00000000000000c8 RBP: 00007f980b832e6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f980ba15fac R14: 00007f980ba15fa0 R15: 00007f980ba15fa0 BUG: Bad page state in process syz.0.17 pfn:7988a page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88807988adc0 pfn:0x7988a flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888022aed000 0000000000000000 raw: ffff88807988adc0 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5840, tgid 5840 (syz.0.17), ts 80790583005, free_ts 80643981491 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x24ae/0x2530 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221 __alloc_pages_noprof+0x10/0x100 mm/page_alloc.c:5255 alloc_pages_bulk_noprof+0x5ff/0x7c0 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x14f/0x720 net/core/page_pool.c:619 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0xcd0/0x19a0 net/core/skbuff.c:984 netif_skb_check_for_xdp net/core/dev.c:5561 [inline] netif_receive_generic_xdp net/core/dev.c:5602 [inline] do_xdp_generic+0x770/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5836 tgid 5836 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0xc0d/0xd20 mm/page_alloc.c:2938 rcu_do_batch kernel/rcu/tree.c:2645 [inline] rcu_core+0x78b/0x10a0 kernel/rcu/tree.c:2897 handle_softirqs+0x225/0x840 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] invoke_softirq kernel/softirq.c:496 [inline] __irq_exit_rcu+0xca/0x220 kernel/softirq.c:735 irq_exit_rcu+0x9/0x30 kernel/softirq.c:752 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1062 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1062 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:674 Modules linked in: CPU: 0 UID: 0 PID: 5840 Comm: syz.0.17 Tainted: G B syzkaller #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 Call Trace: dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 bad_page+0x17f/0x1c0 mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0xcca/0xd20 mm/page_alloc.c:2938 bpf_xdp_shrink_data net/core/filter.c:4247 [inline] bpf_xdp_frags_shrink_tail+0x4ed/0x800 net/core/filter.c:4271 ____bpf_xdp_adjust_tail net/core/filter.c:4293 [inline] bpf_xdp_adjust_tail+0x1ce/0x210 net/core/filter.c:4286 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x5e3/0x14b0 net/core/dev.c:5492 netif_receive_generic_xdp net/core/dev.c:5608 [inline] do_xdp_generic+0xac2/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f980b75d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe26ab8ab8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055556b38e500 RCX: 00007f980b75d68e RDX: 000000000000fe54 RSI: 0000200000001b00 RDI: 00000000000000c8 RBP: 00007f980b832e6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f980ba15fac R14: 00007f980ba15fa0 R15: 00007f980ba15fa0 BUG: Bad page state in process syz.0.17 pfn:7988b page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88807988b640 pfn:0x7988b flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888022aed000 0000000000000000 raw: ffff88807988b640 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5840, tgid 5840 (syz.0.17), ts 80790571274, free_ts 80643991152 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x24ae/0x2530 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221 __alloc_pages_noprof+0x10/0x100 mm/page_alloc.c:5255 alloc_pages_bulk_noprof+0x5ff/0x7c0 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x14f/0x720 net/core/page_pool.c:619 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0xcd0/0x19a0 net/core/skbuff.c:984 netif_skb_check_for_xdp net/core/dev.c:5561 [inline] netif_receive_generic_xdp net/core/dev.c:5602 [inline] do_xdp_generic+0x770/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5836 tgid 5836 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0xc0d/0xd20 mm/page_alloc.c:2938 rcu_do_batch kernel/rcu/tree.c:2645 [inline] rcu_core+0x78b/0x10a0 kernel/rcu/tree.c:2897 handle_softirqs+0x225/0x840 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] invoke_softirq kernel/softirq.c:496 [inline] __irq_exit_rcu+0xca/0x220 kernel/softirq.c:735 irq_exit_rcu+0x9/0x30 kernel/softirq.c:752 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1062 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1062 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:674 Modules linked in: CPU: 0 UID: 0 PID: 5840 Comm: syz.0.17 Tainted: G B syzkaller #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 Call Trace: dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 bad_page+0x17f/0x1c0 mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0xcca/0xd20 mm/page_alloc.c:2938 bpf_xdp_shrink_data net/core/filter.c:4247 [inline] bpf_xdp_frags_shrink_tail+0x4ed/0x800 net/core/filter.c:4271 ____bpf_xdp_adjust_tail net/core/filter.c:4293 [inline] bpf_xdp_adjust_tail+0x1ce/0x210 net/core/filter.c:4286 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x5e3/0x14b0 net/core/dev.c:5492 netif_receive_generic_xdp net/core/dev.c:5608 [inline] do_xdp_generic+0xac2/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f980b75d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe26ab8ab8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055556b38e500 RCX: 00007f980b75d68e RDX: 000000000000fe54 RSI: 0000200000001b00 RDI: 00000000000000c8 RBP: 00007f980b832e6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f980ba15fac R14: 00007f980ba15fa0 R15: 00007f980ba15fa0 BUG: Bad page state in process syz.0.17 pfn:213a2 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880213a2640 pfn:0x213a2 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888022aed000 0000000000000000 raw: ffff8880213a2640 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5840, tgid 5840 (syz.0.17), ts 80790559374, free_ts 80644001406 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x24ae/0x2530 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221 __alloc_pages_noprof+0x10/0x100 mm/page_alloc.c:5255 alloc_pages_bulk_noprof+0x5ff/0x7c0 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x14f/0x720 net/core/page_pool.c:619 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0xcd0/0x19a0 net/core/skbuff.c:984 netif_skb_check_for_xdp net/core/dev.c:5561 [inline] netif_receive_generic_xdp net/core/dev.c:5602 [inline] do_xdp_generic+0x770/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5836 tgid 5836 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0xc0d/0xd20 mm/page_alloc.c:2938 rcu_do_batch kernel/rcu/tree.c:2645 [inline] rcu_core+0x78b/0x10a0 kernel/rcu/tree.c:2897 handle_softirqs+0x225/0x840 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] invoke_softirq kernel/softirq.c:496 [inline] __irq_exit_rcu+0xca/0x220 kernel/softirq.c:735 irq_exit_rcu+0x9/0x30 kernel/softirq.c:752 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1062 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1062 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:674 Modules linked in: CPU: 0 UID: 0 PID: 5840 Comm: syz.0.17 Tainted: G B syzkaller #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 Call Trace: dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 bad_page+0x17f/0x1c0 mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0xcca/0xd20 mm/page_alloc.c:2938 bpf_xdp_shrink_data net/core/filter.c:4247 [inline] bpf_xdp_frags_shrink_tail+0x4ed/0x800 net/core/filter.c:4271 ____bpf_xdp_adjust_tail net/core/filter.c:4293 [inline] bpf_xdp_adjust_tail+0x1ce/0x210 net/core/filter.c:4286 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x5e3/0x14b0 net/core/dev.c:5492 netif_receive_generic_xdp net/core/dev.c:5608 [inline] do_xdp_generic+0xac2/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f980b75d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe26ab8ab8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055556b38e500 RCX: 00007f980b75d68e RDX: 000000000000fe54 RSI: 0000200000001b00 RDI: 00000000000000c8 RBP: 00007f980b832e6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f980ba15fac R14: 00007f980ba15fa0 R15: 00007f980ba15fa0 BUG: Bad page state in process syz.0.17 pfn:77f8c page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888077f8c500 pfn:0x77f8c flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888022aed000 0000000000000000 raw: ffff888077f8c500 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5840, tgid 5840 (syz.0.17), ts 80790546919, free_ts 80644012462 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x24ae/0x2530 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221 __alloc_pages_noprof+0x10/0x100 mm/page_alloc.c:5255 alloc_pages_bulk_noprof+0x5ff/0x7c0 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x14f/0x720 net/core/page_pool.c:619 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0xcd0/0x19a0 net/core/skbuff.c:984 netif_skb_check_for_xdp net/core/dev.c:5561 [inline] netif_receive_generic_xdp net/core/dev.c:5602 [inline] do_xdp_generic+0x770/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5836 tgid 5836 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0xc0d/0xd20 mm/page_alloc.c:2938 rcu_do_batch kernel/rcu/tree.c:2645 [inline] rcu_core+0x78b/0x10a0 kernel/rcu/tree.c:2897 handle_softirqs+0x225/0x840 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] invoke_softirq kernel/softirq.c:496 [inline] __irq_exit_rcu+0xca/0x220 kernel/softirq.c:735 irq_exit_rcu+0x9/0x30 kernel/softirq.c:752 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1062 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1062 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:674 Modules linked in: CPU: 0 UID: 0 PID: 5840 Comm: syz.0.17 Tainted: G B syzkaller #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 Call Trace: dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 bad_page+0x17f/0x1c0 mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0xcca/0xd20 mm/page_alloc.c:2938 bpf_xdp_shrink_data net/core/filter.c:4247 [inline] bpf_xdp_frags_shrink_tail+0x4ed/0x800 net/core/filter.c:4271 ____bpf_xdp_adjust_tail net/core/filter.c:4293 [inline] bpf_xdp_adjust_tail+0x1ce/0x210 net/core/filter.c:4286 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x5e3/0x14b0 net/core/dev.c:5492 netif_receive_generic_xdp net/core/dev.c:5608 [inline] do_xdp_generic+0xac2/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f980b75d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe26ab8ab8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055556b38e500 RCX: 00007f980b75d68e RDX: 000000000000fe54 RSI: 0000200000001b00 RDI: 00000000000000c8 RBP: 00007f980b832e6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f980ba15fac R14: 00007f980ba15fa0 R15: 00007f980ba15fa0 BUG: Bad page state in process syz.0.17 pfn:123d7 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880123d7210 pfn:0x123d7 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888022aed000 0000000000000000 raw: ffff8880123d7210 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5840, tgid 5840 (syz.0.17), ts 80790535005, free_ts 80644023521 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x24ae/0x2530 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221 __alloc_pages_noprof+0x10/0x100 mm/page_alloc.c:5255 alloc_pages_bulk_noprof+0x5ff/0x7c0 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x14f/0x720 net/core/page_pool.c:619 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0xcd0/0x19a0 net/core/skbuff.c:984 netif_skb_check_for_xdp net/core/dev.c:5561 [inline] netif_receive_generic_xdp net/core/dev.c:5602 [inline] do_xdp_generic+0x770/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5836 tgid 5836 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0xc0d/0xd20 mm/page_alloc.c:2938 rcu_do_batch kernel/rcu/tree.c:2645 [inline] rcu_core+0x78b/0x10a0 kernel/rcu/tree.c:2897 handle_softirqs+0x225/0x840 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] invoke_softirq kernel/softirq.c:496 [inline] __irq_exit_rcu+0xca/0x220 kernel/softirq.c:735 irq_exit_rcu+0x9/0x30 kernel/softirq.c:752 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1062 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1062 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:674 Modules linked in: CPU: 0 UID: 0 PID: 5840 Comm: syz.0.17 Tainted: G B syzkaller #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 Call Trace: dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 bad_page+0x17f/0x1c0 mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0xcca/0xd20 mm/page_alloc.c:2938 bpf_xdp_shrink_data net/core/filter.c:4247 [inline] bpf_xdp_frags_shrink_tail+0x4ed/0x800 net/core/filter.c:4271 ____bpf_xdp_adjust_tail net/core/filter.c:4293 [inline] bpf_xdp_adjust_tail+0x1ce/0x210 net/core/filter.c:4286 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x5e3/0x14b0 net/core/dev.c:5492 netif_receive_generic_xdp net/core/dev.c:5608 [inline] do_xdp_generic+0xac2/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f980b75d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe26ab8ab8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055556b38e500 RCX: 00007f980b75d68e RDX: 000000000000fe54 RSI: 0000200000001b00 RDI: 00000000000000c8 RBP: 00007f980b832e6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f980ba15fac R14: 00007f980ba15fa0 R15: 00007f980ba15fa0 final repro crashed as (corrupted=false): BUG: Bad page state in process syz.0.17 pfn:32920 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888032920780 pfn:0x32920 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888022aed000 0000000000000000 raw: ffff888032920780 3fffffffffffffff 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5840, tgid 5840 (syz.0.17), ts 80790666706, free_ts 80643877656 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x24ae/0x2530 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221 __alloc_pages_noprof+0x10/0x100 mm/page_alloc.c:5255 alloc_pages_bulk_noprof+0x5ff/0x7c0 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x14f/0x720 net/core/page_pool.c:619 page_pool_alloc_netmems net/core/page_pool.c:670 [inline] page_pool_alloc_frag_netmem+0x563/0x9b0 net/core/page_pool.c:1079 page_pool_alloc_netmem include/net/page_pool/helpers.h:131 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0xcf6/0x19a0 net/core/skbuff.c:984 netif_skb_check_for_xdp net/core/dev.c:5561 [inline] netif_receive_generic_xdp net/core/dev.c:5602 [inline] do_xdp_generic+0x770/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5836 tgid 5836 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0xc0d/0xd20 mm/page_alloc.c:2938 rcu_do_batch kernel/rcu/tree.c:2645 [inline] rcu_core+0x78b/0x10a0 kernel/rcu/tree.c:2897 handle_softirqs+0x225/0x840 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] invoke_softirq kernel/softirq.c:496 [inline] __irq_exit_rcu+0xca/0x220 kernel/softirq.c:735 irq_exit_rcu+0x9/0x30 kernel/softirq.c:752 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1062 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1062 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:674 Modules linked in: CPU: 0 UID: 0 PID: 5840 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 Call Trace: dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 bad_page+0x17f/0x1c0 mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0xcca/0xd20 mm/page_alloc.c:2938 bpf_xdp_shrink_data net/core/filter.c:4247 [inline] bpf_xdp_frags_shrink_tail+0x4ed/0x800 net/core/filter.c:4271 ____bpf_xdp_adjust_tail net/core/filter.c:4293 [inline] bpf_xdp_adjust_tail+0x1ce/0x210 net/core/filter.c:4286 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x5e3/0x14b0 net/core/dev.c:5492 netif_receive_generic_xdp net/core/dev.c:5608 [inline] do_xdp_generic+0xac2/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f980b75d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe26ab8ab8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055556b38e500 RCX: 00007f980b75d68e RDX: 000000000000fe54 RSI: 0000200000001b00 RDI: 00000000000000c8 RBP: 00007f980b832e6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f980ba15fac R14: 00007f980ba15fa0 R15: 00007f980ba15fa0 BUG: Bad page state in process syz.0.17 pfn:35169 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888035169e70 pfn:0x35169 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888022aed000 0000000000000000 raw: ffff888035169e70 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5840, tgid 5840 (syz.0.17), ts 80790653469, free_ts 80643887621 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x24ae/0x2530 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221 __alloc_pages_noprof+0x10/0x100 mm/page_alloc.c:5255 alloc_pages_bulk_noprof+0x5ff/0x7c0 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x14f/0x720 net/core/page_pool.c:619 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0xcd0/0x19a0 net/core/skbuff.c:984 netif_skb_check_for_xdp net/core/dev.c:5561 [inline] netif_receive_generic_xdp net/core/dev.c:5602 [inline] do_xdp_generic+0x770/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5836 tgid 5836 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0xc0d/0xd20 mm/page_alloc.c:2938 rcu_do_batch kernel/rcu/tree.c:2645 [inline] rcu_core+0x78b/0x10a0 kernel/rcu/tree.c:2897 handle_softirqs+0x225/0x840 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] invoke_softirq kernel/softirq.c:496 [inline] __irq_exit_rcu+0xca/0x220 kernel/softirq.c:735 irq_exit_rcu+0x9/0x30 kernel/softirq.c:752 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1062 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1062 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:674 Modules linked in: CPU: 0 UID: 0 PID: 5840 Comm: syz.0.17 Tainted: G B syzkaller #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 Call Trace: dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 bad_page+0x17f/0x1c0 mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0xcca/0xd20 mm/page_alloc.c:2938 bpf_xdp_shrink_data net/core/filter.c:4247 [inline] bpf_xdp_frags_shrink_tail+0x4ed/0x800 net/core/filter.c:4271 ____bpf_xdp_adjust_tail net/core/filter.c:4293 [inline] bpf_xdp_adjust_tail+0x1ce/0x210 net/core/filter.c:4286 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x5e3/0x14b0 net/core/dev.c:5492 netif_receive_generic_xdp net/core/dev.c:5608 [inline] do_xdp_generic+0xac2/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f980b75d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe26ab8ab8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055556b38e500 RCX: 00007f980b75d68e RDX: 000000000000fe54 RSI: 0000200000001b00 RDI: 00000000000000c8 RBP: 00007f980b832e6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f980ba15fac R14: 00007f980ba15fa0 R15: 00007f980ba15fa0 BUG: Bad page state in process syz.0.17 pfn:7f5c9 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88807f5c9528 pfn:0x7f5c9 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888022aed000 0000000000000000 raw: ffff88807f5c9528 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5840, tgid 5840 (syz.0.17), ts 80790642116, free_ts 80643920044 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x24ae/0x2530 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221 __alloc_pages_noprof+0x10/0x100 mm/page_alloc.c:5255 alloc_pages_bulk_noprof+0x5ff/0x7c0 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x14f/0x720 net/core/page_pool.c:619 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0xcd0/0x19a0 net/core/skbuff.c:984 netif_skb_check_for_xdp net/core/dev.c:5561 [inline] netif_receive_generic_xdp net/core/dev.c:5602 [inline] do_xdp_generic+0x770/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5836 tgid 5836 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0xc0d/0xd20 mm/page_alloc.c:2938 rcu_do_batch kernel/rcu/tree.c:2645 [inline] rcu_core+0x78b/0x10a0 kernel/rcu/tree.c:2897 handle_softirqs+0x225/0x840 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] invoke_softirq kernel/softirq.c:496 [inline] __irq_exit_rcu+0xca/0x220 kernel/softirq.c:735 irq_exit_rcu+0x9/0x30 kernel/softirq.c:752 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1062 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1062 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:674 Modules linked in: CPU: 0 UID: 0 PID: 5840 Comm: syz.0.17 Tainted: G B syzkaller #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 Call Trace: dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 bad_page+0x17f/0x1c0 mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0xcca/0xd20 mm/page_alloc.c:2938 bpf_xdp_shrink_data net/core/filter.c:4247 [inline] bpf_xdp_frags_shrink_tail+0x4ed/0x800 net/core/filter.c:4271 ____bpf_xdp_adjust_tail net/core/filter.c:4293 [inline] bpf_xdp_adjust_tail+0x1ce/0x210 net/core/filter.c:4286 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x5e3/0x14b0 net/core/dev.c:5492 netif_receive_generic_xdp net/core/dev.c:5608 [inline] do_xdp_generic+0xac2/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f980b75d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe26ab8ab8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055556b38e500 RCX: 00007f980b75d68e RDX: 000000000000fe54 RSI: 0000200000001b00 RDI: 00000000000000c8 RBP: 00007f980b832e6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f980ba15fac R14: 00007f980ba15fa0 R15: 00007f980ba15fa0 BUG: Bad page state in process syz.0.17 pfn:34640 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888034640c80 pfn:0x34640 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888022aed000 0000000000000000 raw: ffff888034640c80 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5840, tgid 5840 (syz.0.17), ts 80790630226, free_ts 80643931095 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x24ae/0x2530 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221 __alloc_pages_noprof+0x10/0x100 mm/page_alloc.c:5255 alloc_pages_bulk_noprof+0x5ff/0x7c0 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x14f/0x720 net/core/page_pool.c:619 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0xcd0/0x19a0 net/core/skbuff.c:984 netif_skb_check_for_xdp net/core/dev.c:5561 [inline] netif_receive_generic_xdp net/core/dev.c:5602 [inline] do_xdp_generic+0x770/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5836 tgid 5836 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0xc0d/0xd20 mm/page_alloc.c:2938 rcu_do_batch kernel/rcu/tree.c:2645 [inline] rcu_core+0x78b/0x10a0 kernel/rcu/tree.c:2897 handle_softirqs+0x225/0x840 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] invoke_softirq kernel/softirq.c:496 [inline] __irq_exit_rcu+0xca/0x220 kernel/softirq.c:735 irq_exit_rcu+0x9/0x30 kernel/softirq.c:752 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1062 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1062 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:674 Modules linked in: CPU: 0 UID: 0 PID: 5840 Comm: syz.0.17 Tainted: G B syzkaller #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 Call Trace: dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 bad_page+0x17f/0x1c0 mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0xcca/0xd20 mm/page_alloc.c:2938 bpf_xdp_shrink_data net/core/filter.c:4247 [inline] bpf_xdp_frags_shrink_tail+0x4ed/0x800 net/core/filter.c:4271 ____bpf_xdp_adjust_tail net/core/filter.c:4293 [inline] bpf_xdp_adjust_tail+0x1ce/0x210 net/core/filter.c:4286 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x5e3/0x14b0 net/core/dev.c:5492 netif_receive_generic_xdp net/core/dev.c:5608 [inline] do_xdp_generic+0xac2/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f980b75d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe26ab8ab8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055556b38e500 RCX: 00007f980b75d68e RDX: 000000000000fe54 RSI: 0000200000001b00 RDI: 00000000000000c8 RBP: 00007f980b832e6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f980ba15fac R14: 00007f980ba15fa0 R15: 00007f980ba15fa0 BUG: Bad page state in process syz.0.17 pfn:341ac page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880341acc80 pfn:0x341ac flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888022aed000 0000000000000000 raw: ffff8880341acc80 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5840, tgid 5840 (syz.0.17), ts 80790618744, free_ts 80643942751 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x24ae/0x2530 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221 __alloc_pages_noprof+0x10/0x100 mm/page_alloc.c:5255 alloc_pages_bulk_noprof+0x5ff/0x7c0 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x14f/0x720 net/core/page_pool.c:619 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0xcd0/0x19a0 net/core/skbuff.c:984 netif_skb_check_for_xdp net/core/dev.c:5561 [inline] netif_receive_generic_xdp net/core/dev.c:5602 [inline] do_xdp_generic+0x770/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5836 tgid 5836 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0xc0d/0xd20 mm/page_alloc.c:2938 rcu_do_batch kernel/rcu/tree.c:2645 [inline] rcu_core+0x78b/0x10a0 kernel/rcu/tree.c:2897 handle_softirqs+0x225/0x840 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] invoke_softirq kernel/softirq.c:496 [inline] __irq_exit_rcu+0xca/0x220 kernel/softirq.c:735 irq_exit_rcu+0x9/0x30 kernel/softirq.c:752 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1062 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1062 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:674 Modules linked in: CPU: 0 UID: 0 PID: 5840 Comm: syz.0.17 Tainted: G B syzkaller #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 Call Trace: dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 bad_page+0x17f/0x1c0 mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0xcca/0xd20 mm/page_alloc.c:2938 bpf_xdp_shrink_data net/core/filter.c:4247 [inline] bpf_xdp_frags_shrink_tail+0x4ed/0x800 net/core/filter.c:4271 ____bpf_xdp_adjust_tail net/core/filter.c:4293 [inline] bpf_xdp_adjust_tail+0x1ce/0x210 net/core/filter.c:4286 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x5e3/0x14b0 net/core/dev.c:5492 netif_receive_generic_xdp net/core/dev.c:5608 [inline] do_xdp_generic+0xac2/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f980b75d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe26ab8ab8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055556b38e500 RCX: 00007f980b75d68e RDX: 000000000000fe54 RSI: 0000200000001b00 RDI: 00000000000000c8 RBP: 00007f980b832e6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f980ba15fac R14: 00007f980ba15fa0 R15: 00007f980ba15fa0 BUG: Bad page state in process syz.0.17 pfn:34641 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880346418c0 pfn:0x34641 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888022aed000 0000000000000000 raw: ffff8880346418c0 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5840, tgid 5840 (syz.0.17), ts 80790606934, free_ts 80643953441 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x24ae/0x2530 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221 __alloc_pages_noprof+0x10/0x100 mm/page_alloc.c:5255 alloc_pages_bulk_noprof+0x5ff/0x7c0 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x14f/0x720 net/core/page_pool.c:619 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0xcd0/0x19a0 net/core/skbuff.c:984 netif_skb_check_for_xdp net/core/dev.c:5561 [inline] netif_receive_generic_xdp net/core/dev.c:5602 [inline] do_xdp_generic+0x770/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5836 tgid 5836 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0xc0d/0xd20 mm/page_alloc.c:2938 rcu_do_batch kernel/rcu/tree.c:2645 [inline] rcu_core+0x78b/0x10a0 kernel/rcu/tree.c:2897 handle_softirqs+0x225/0x840 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] invoke_softirq kernel/softirq.c:496 [inline] __irq_exit_rcu+0xca/0x220 kernel/softirq.c:735 irq_exit_rcu+0x9/0x30 kernel/softirq.c:752 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1062 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1062 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:674 Modules linked in: CPU: 0 UID: 0 PID: 5840 Comm: syz.0.17 Tainted: G B syzkaller #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 Call Trace: dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 bad_page+0x17f/0x1c0 mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0xcca/0xd20 mm/page_alloc.c:2938 bpf_xdp_shrink_data net/core/filter.c:4247 [inline] bpf_xdp_frags_shrink_tail+0x4ed/0x800 net/core/filter.c:4271 ____bpf_xdp_adjust_tail net/core/filter.c:4293 [inline] bpf_xdp_adjust_tail+0x1ce/0x210 net/core/filter.c:4286 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x5e3/0x14b0 net/core/dev.c:5492 netif_receive_generic_xdp net/core/dev.c:5608 [inline] do_xdp_generic+0xac2/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f980b75d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe26ab8ab8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055556b38e500 RCX: 00007f980b75d68e RDX: 000000000000fe54 RSI: 0000200000001b00 RDI: 00000000000000c8 RBP: 00007f980b832e6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f980ba15fac R14: 00007f980ba15fa0 R15: 00007f980ba15fa0 BUG: Bad page state in process syz.0.17 pfn:79889 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880798898c0 pfn:0x79889 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888022aed000 0000000000000000 raw: ffff8880798898c0 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5840, tgid 5840 (syz.0.17), ts 80790594976, free_ts 80643971015 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x24ae/0x2530 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221 __alloc_pages_noprof+0x10/0x100 mm/page_alloc.c:5255 alloc_pages_bulk_noprof+0x5ff/0x7c0 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x14f/0x720 net/core/page_pool.c:619 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0xcd0/0x19a0 net/core/skbuff.c:984 netif_skb_check_for_xdp net/core/dev.c:5561 [inline] netif_receive_generic_xdp net/core/dev.c:5602 [inline] do_xdp_generic+0x770/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5836 tgid 5836 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0xc0d/0xd20 mm/page_alloc.c:2938 rcu_do_batch kernel/rcu/tree.c:2645 [inline] rcu_core+0x78b/0x10a0 kernel/rcu/tree.c:2897 handle_softirqs+0x225/0x840 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] invoke_softirq kernel/softirq.c:496 [inline] __irq_exit_rcu+0xca/0x220 kernel/softirq.c:735 irq_exit_rcu+0x9/0x30 kernel/softirq.c:752 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1062 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1062 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:674 Modules linked in: CPU: 0 UID: 0 PID: 5840 Comm: syz.0.17 Tainted: G B syzkaller #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 Call Trace: dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 bad_page+0x17f/0x1c0 mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0xcca/0xd20 mm/page_alloc.c:2938 bpf_xdp_shrink_data net/core/filter.c:4247 [inline] bpf_xdp_frags_shrink_tail+0x4ed/0x800 net/core/filter.c:4271 ____bpf_xdp_adjust_tail net/core/filter.c:4293 [inline] bpf_xdp_adjust_tail+0x1ce/0x210 net/core/filter.c:4286 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x5e3/0x14b0 net/core/dev.c:5492 netif_receive_generic_xdp net/core/dev.c:5608 [inline] do_xdp_generic+0xac2/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f980b75d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe26ab8ab8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055556b38e500 RCX: 00007f980b75d68e RDX: 000000000000fe54 RSI: 0000200000001b00 RDI: 00000000000000c8 RBP: 00007f980b832e6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f980ba15fac R14: 00007f980ba15fa0 R15: 00007f980ba15fa0 BUG: Bad page state in process syz.0.17 pfn:7988a page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88807988adc0 pfn:0x7988a flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888022aed000 0000000000000000 raw: ffff88807988adc0 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5840, tgid 5840 (syz.0.17), ts 80790583005, free_ts 80643981491 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x24ae/0x2530 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221 __alloc_pages_noprof+0x10/0x100 mm/page_alloc.c:5255 alloc_pages_bulk_noprof+0x5ff/0x7c0 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x14f/0x720 net/core/page_pool.c:619 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0xcd0/0x19a0 net/core/skbuff.c:984 netif_skb_check_for_xdp net/core/dev.c:5561 [inline] netif_receive_generic_xdp net/core/dev.c:5602 [inline] do_xdp_generic+0x770/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5836 tgid 5836 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0xc0d/0xd20 mm/page_alloc.c:2938 rcu_do_batch kernel/rcu/tree.c:2645 [inline] rcu_core+0x78b/0x10a0 kernel/rcu/tree.c:2897 handle_softirqs+0x225/0x840 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] invoke_softirq kernel/softirq.c:496 [inline] __irq_exit_rcu+0xca/0x220 kernel/softirq.c:735 irq_exit_rcu+0x9/0x30 kernel/softirq.c:752 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1062 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1062 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:674 Modules linked in: CPU: 0 UID: 0 PID: 5840 Comm: syz.0.17 Tainted: G B syzkaller #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 Call Trace: dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 bad_page+0x17f/0x1c0 mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0xcca/0xd20 mm/page_alloc.c:2938 bpf_xdp_shrink_data net/core/filter.c:4247 [inline] bpf_xdp_frags_shrink_tail+0x4ed/0x800 net/core/filter.c:4271 ____bpf_xdp_adjust_tail net/core/filter.c:4293 [inline] bpf_xdp_adjust_tail+0x1ce/0x210 net/core/filter.c:4286 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x5e3/0x14b0 net/core/dev.c:5492 netif_receive_generic_xdp net/core/dev.c:5608 [inline] do_xdp_generic+0xac2/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f980b75d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe26ab8ab8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055556b38e500 RCX: 00007f980b75d68e RDX: 000000000000fe54 RSI: 0000200000001b00 RDI: 00000000000000c8 RBP: 00007f980b832e6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f980ba15fac R14: 00007f980ba15fa0 R15: 00007f980ba15fa0 BUG: Bad page state in process syz.0.17 pfn:7988b page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88807988b640 pfn:0x7988b flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888022aed000 0000000000000000 raw: ffff88807988b640 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5840, tgid 5840 (syz.0.17), ts 80790571274, free_ts 80643991152 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x24ae/0x2530 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221 __alloc_pages_noprof+0x10/0x100 mm/page_alloc.c:5255 alloc_pages_bulk_noprof+0x5ff/0x7c0 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x14f/0x720 net/core/page_pool.c:619 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0xcd0/0x19a0 net/core/skbuff.c:984 netif_skb_check_for_xdp net/core/dev.c:5561 [inline] netif_receive_generic_xdp net/core/dev.c:5602 [inline] do_xdp_generic+0x770/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5836 tgid 5836 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0xc0d/0xd20 mm/page_alloc.c:2938 rcu_do_batch kernel/rcu/tree.c:2645 [inline] rcu_core+0x78b/0x10a0 kernel/rcu/tree.c:2897 handle_softirqs+0x225/0x840 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] invoke_softirq kernel/softirq.c:496 [inline] __irq_exit_rcu+0xca/0x220 kernel/softirq.c:735 irq_exit_rcu+0x9/0x30 kernel/softirq.c:752 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1062 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1062 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:674 Modules linked in: CPU: 0 UID: 0 PID: 5840 Comm: syz.0.17 Tainted: G B syzkaller #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 Call Trace: dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 bad_page+0x17f/0x1c0 mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0xcca/0xd20 mm/page_alloc.c:2938 bpf_xdp_shrink_data net/core/filter.c:4247 [inline] bpf_xdp_frags_shrink_tail+0x4ed/0x800 net/core/filter.c:4271 ____bpf_xdp_adjust_tail net/core/filter.c:4293 [inline] bpf_xdp_adjust_tail+0x1ce/0x210 net/core/filter.c:4286 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x5e3/0x14b0 net/core/dev.c:5492 netif_receive_generic_xdp net/core/dev.c:5608 [inline] do_xdp_generic+0xac2/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f980b75d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe26ab8ab8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055556b38e500 RCX: 00007f980b75d68e RDX: 000000000000fe54 RSI: 0000200000001b00 RDI: 00000000000000c8 RBP: 00007f980b832e6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f980ba15fac R14: 00007f980ba15fa0 R15: 00007f980ba15fa0 BUG: Bad page state in process syz.0.17 pfn:213a2 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880213a2640 pfn:0x213a2 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888022aed000 0000000000000000 raw: ffff8880213a2640 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5840, tgid 5840 (syz.0.17), ts 80790559374, free_ts 80644001406 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x24ae/0x2530 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221 __alloc_pages_noprof+0x10/0x100 mm/page_alloc.c:5255 alloc_pages_bulk_noprof+0x5ff/0x7c0 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x14f/0x720 net/core/page_pool.c:619 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0xcd0/0x19a0 net/core/skbuff.c:984 netif_skb_check_for_xdp net/core/dev.c:5561 [inline] netif_receive_generic_xdp net/core/dev.c:5602 [inline] do_xdp_generic+0x770/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5836 tgid 5836 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0xc0d/0xd20 mm/page_alloc.c:2938 rcu_do_batch kernel/rcu/tree.c:2645 [inline] rcu_core+0x78b/0x10a0 kernel/rcu/tree.c:2897 handle_softirqs+0x225/0x840 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] invoke_softirq kernel/softirq.c:496 [inline] __irq_exit_rcu+0xca/0x220 kernel/softirq.c:735 irq_exit_rcu+0x9/0x30 kernel/softirq.c:752 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1062 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1062 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:674 Modules linked in: CPU: 0 UID: 0 PID: 5840 Comm: syz.0.17 Tainted: G B syzkaller #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 Call Trace: dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 bad_page+0x17f/0x1c0 mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0xcca/0xd20 mm/page_alloc.c:2938 bpf_xdp_shrink_data net/core/filter.c:4247 [inline] bpf_xdp_frags_shrink_tail+0x4ed/0x800 net/core/filter.c:4271 ____bpf_xdp_adjust_tail net/core/filter.c:4293 [inline] bpf_xdp_adjust_tail+0x1ce/0x210 net/core/filter.c:4286 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x5e3/0x14b0 net/core/dev.c:5492 netif_receive_generic_xdp net/core/dev.c:5608 [inline] do_xdp_generic+0xac2/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f980b75d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe26ab8ab8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055556b38e500 RCX: 00007f980b75d68e RDX: 000000000000fe54 RSI: 0000200000001b00 RDI: 00000000000000c8 RBP: 00007f980b832e6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f980ba15fac R14: 00007f980ba15fa0 R15: 00007f980ba15fa0 BUG: Bad page state in process syz.0.17 pfn:77f8c page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888077f8c500 pfn:0x77f8c flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888022aed000 0000000000000000 raw: ffff888077f8c500 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5840, tgid 5840 (syz.0.17), ts 80790546919, free_ts 80644012462 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x24ae/0x2530 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221 __alloc_pages_noprof+0x10/0x100 mm/page_alloc.c:5255 alloc_pages_bulk_noprof+0x5ff/0x7c0 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x14f/0x720 net/core/page_pool.c:619 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0xcd0/0x19a0 net/core/skbuff.c:984 netif_skb_check_for_xdp net/core/dev.c:5561 [inline] netif_receive_generic_xdp net/core/dev.c:5602 [inline] do_xdp_generic+0x770/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5836 tgid 5836 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0xc0d/0xd20 mm/page_alloc.c:2938 rcu_do_batch kernel/rcu/tree.c:2645 [inline] rcu_core+0x78b/0x10a0 kernel/rcu/tree.c:2897 handle_softirqs+0x225/0x840 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] invoke_softirq kernel/softirq.c:496 [inline] __irq_exit_rcu+0xca/0x220 kernel/softirq.c:735 irq_exit_rcu+0x9/0x30 kernel/softirq.c:752 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1062 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1062 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:674 Modules linked in: CPU: 0 UID: 0 PID: 5840 Comm: syz.0.17 Tainted: G B syzkaller #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 Call Trace: dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 bad_page+0x17f/0x1c0 mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0xcca/0xd20 mm/page_alloc.c:2938 bpf_xdp_shrink_data net/core/filter.c:4247 [inline] bpf_xdp_frags_shrink_tail+0x4ed/0x800 net/core/filter.c:4271 ____bpf_xdp_adjust_tail net/core/filter.c:4293 [inline] bpf_xdp_adjust_tail+0x1ce/0x210 net/core/filter.c:4286 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x5e3/0x14b0 net/core/dev.c:5492 netif_receive_generic_xdp net/core/dev.c:5608 [inline] do_xdp_generic+0xac2/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f980b75d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe26ab8ab8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055556b38e500 RCX: 00007f980b75d68e RDX: 000000000000fe54 RSI: 0000200000001b00 RDI: 00000000000000c8 RBP: 00007f980b832e6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f980ba15fac R14: 00007f980ba15fa0 R15: 00007f980ba15fa0 BUG: Bad page state in process syz.0.17 pfn:123d7 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880123d7210 pfn:0x123d7 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000040 ffff888022aed000 0000000000000000 raw: ffff8880123d7210 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2820(GFP_ATOMIC|__GFP_NOWARN), pid 5840, tgid 5840 (syz.0.17), ts 80790535005, free_ts 80644023521 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x22d/0x280 mm/page_alloc.c:1853 prep_new_page mm/page_alloc.c:1861 [inline] get_page_from_freelist+0x24ae/0x2530 mm/page_alloc.c:3941 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5221 __alloc_pages_noprof+0x10/0x100 mm/page_alloc.c:5255 alloc_pages_bulk_noprof+0x5ff/0x7c0 mm/page_alloc.c:5175 alloc_pages_bulk_node_noprof include/linux/gfp.h:259 [inline] __page_pool_alloc_netmems_slow+0x14f/0x720 net/core/page_pool.c:619 page_pool_alloc_netmem include/net/page_pool/helpers.h:128 [inline] page_pool_alloc include/net/page_pool/helpers.h:167 [inline] page_pool_dev_alloc include/net/page_pool/helpers.h:188 [inline] skb_pp_cow_data+0xcd0/0x19a0 net/core/skbuff.c:984 netif_skb_check_for_xdp net/core/dev.c:5561 [inline] netif_receive_generic_xdp net/core/dev.c:5602 [inline] do_xdp_generic+0x770/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 5836 tgid 5836 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1397 [inline] __free_frozen_pages+0xc0d/0xd20 mm/page_alloc.c:2938 rcu_do_batch kernel/rcu/tree.c:2645 [inline] rcu_core+0x78b/0x10a0 kernel/rcu/tree.c:2897 handle_softirqs+0x225/0x840 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] invoke_softirq kernel/softirq.c:496 [inline] __irq_exit_rcu+0xca/0x220 kernel/softirq.c:735 irq_exit_rcu+0x9/0x30 kernel/softirq.c:752 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1062 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1062 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:674 Modules linked in: CPU: 0 UID: 0 PID: 5840 Comm: syz.0.17 Tainted: G B syzkaller #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 Call Trace: dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 bad_page+0x17f/0x1c0 mm/page_alloc.c:632 free_page_is_bad mm/page_alloc.c:1076 [inline] __free_pages_prepare mm/page_alloc.c:1388 [inline] __free_frozen_pages+0xcca/0xd20 mm/page_alloc.c:2938 bpf_xdp_shrink_data net/core/filter.c:4247 [inline] bpf_xdp_frags_shrink_tail+0x4ed/0x800 net/core/filter.c:4271 ____bpf_xdp_adjust_tail net/core/filter.c:4293 [inline] bpf_xdp_adjust_tail+0x1ce/0x210 net/core/filter.c:4286 bpf_prog_5d7dc57dfd7f985a+0x1e/0x24 __bpf_prog_run include/linux/filter.h:722 [inline] bpf_prog_run_xdp include/net/xdp.h:696 [inline] bpf_prog_run_generic_xdp+0x5e3/0x14b0 net/core/dev.c:5492 netif_receive_generic_xdp net/core/dev.c:5608 [inline] do_xdp_generic+0xac2/0x12d0 net/core/dev.c:5670 tun_get_user+0x24a0/0x4350 drivers/net/tun.c:1905 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:2032 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x612/0xba0 fs/read_write.c:687 ksys_write+0x150/0x270 fs/read_write.c:739 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f980b75d68e Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 RSP: 002b:00007ffe26ab8ab8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055556b38e500 RCX: 00007f980b75d68e RDX: 000000000000fe54 RSI: 0000200000001b00 RDI: 00000000000000c8 RBP: 00007f980b832e6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f980ba15fac R14: 00007f980ba15fa0 R15: 00007f980ba15fa0