last executing test programs: 201.491637ms ago: executing program 1 (id=2): r0 = socket$inet6_icmp_raw(0xa, 0x3, 0x3a) setsockopt$inet6_IPV6_HOPOPTS(r0, 0x29, 0x36, &(0x7f0000000180)=ANY=[], 0x8) connect$inet6(r0, &(0x7f00000004c0)={0xa, 0x0, 0x0, @mcast2, 0x7}, 0x1c) setsockopt$SO_BINDTODEVICE(r0, 0x1, 0x19, &(0x7f0000000080)='bridge0\x00', 0x10) r1 = openat$udambuf(0xffffffffffffff9c, &(0x7f0000000040), 0x2) r2 = socket$can_raw(0x1d, 0x3, 0x1) setsockopt$CAN_RAW_RECV_OWN_MSGS(r2, 0x65, 0x8, &(0x7f0000000200), 0x4) r3 = memfd_create(&(0x7f0000000280)='y\x105\xfb\xf7u\x83%:r\xc2\xb9x\xa4q\xc1\xea_\x8cZ7\xcda\x9b\x11X\x0e\xa1\xcf\x1a\x98S\x17\xc9\x00\x00\x00\x00\x00\x00)e\xa6\xec\x8f,\x84$*\xa9a\x12\xbfZ\xb1,\x82\xb0FC\xa7\xa6\xf7!<\x9e\xc07\x00\x00\xe1),03oc\xfe\xc5\x00\x00\x00', 0x2) ftruncate(r3, 0xffff) fcntl$addseals(r3, 0x409, 0x7) r4 = ioctl$UDMABUF_CREATE(r1, 0x40187542, &(0x7f0000000000)={r3, 0x0, 0x0, 0x8000}) ioctl$DMA_BUF_SET_NAME_A(r4, 0x40046201, &(0x7f0000000440)='\x00') sendmmsg$inet6(r0, &(0x7f0000000040)=[{{0x0, 0x0, &(0x7f0000000180)=[{&(0x7f0000000500)}, {&(0x7f00000000c0)="bd91bdb6cd16efd9fbde415dcd0f300533799a157a685e03830d7def36985a950f758ea6db72b31e52ac11f32acabf77a88e16566fe1eb30474e953919195536fc1e1cf2b625cef148a7e712526edd8da36f04192c7569449a30769920245e88f0aa26765997fd61dc807256d9bbd55ff1ff000000310186fa0179fb9c48de277f807910db89eeb3ec9827a85e18001bb0a84917ebaa8c1e27925a308391e47f850d330181d217ffcbd6ae9624f007a19506485fc967e96ca9101b2441c514", 0xbf}], 0x2}}], 0x1, 0x4400c800) mkdir(&(0x7f0000000300)='./bus\x00', 0x0) r5 = syz_usb_connect$hid(0x1, 0x36, &(0x7f0000000080)=ANY=[@ANYBLOB="120100020000000879215300000000000001090224000100000000090401130103000100092100000001220b0009058103"], 0x0) syz_usb_control_io(r5, 0x0, 0x0) syz_usb_control_io(r5, &(0x7f0000000780)={0x2c, &(0x7f0000002300)=ANY=[@ANYBLOB="20020b"], 0x0, 0x0, 0x0, 0x0}, 0x0) syz_usb_control_io$hid(r5, &(0x7f0000000040)={0x24, 
&(0x7f0000000000)=ANY=[@ANYBLOB="20112b0000002b2224bb203468a4b8be0500000033828e7aa547c9"], 0x0, 0x0, 0x0}, 0x0) sendto$inet6(r0, &(0x7f0000000300), 0x16, 0x3b00, 0x0, 0xfffffffffffffdfd) 178.802728ms ago: executing program 0 (id=1): r0 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) r1 = ioctl$KVM_CREATE_VCPU(r0, 0xae41, 0x0) ioctl$KVM_SET_MSRS(r1, 0xc008ae88, 0x0) syz_kvm_add_vcpu$x86(0x0, &(0x7f0000000100)={0x0, &(0x7f00000004c0)=[@code={0xa, 0x84, {"c4c1fc50c6c46379179e8d4612ca0066baf80cb844fe338bef66bafc0ced0f01d166b8f2000f00d866b8ec008ec8c744240000000000c744240200900000c7442406000000000f011c24b8010000000f01c166baf80cb834234b8cef66bafc0c66ed66baf80cb80d847287ef66bafc0cb082ee"}}], 0x84}) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240), 0x101000, 0x0) r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r3, 0xae60) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f00000000c0)={0x1fd, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_SREGS(0xffffffffffffffff, 0x4138ae84, &(0x7f0000000300)={{0xeeef0000, 0xdddd1000, 0x10, 0x2, 0x8, 0x0, 0x0, 0x2, 0x0, 0x8, 0x9, 0x10}, {0xffff1000, 0xd000, 0xc, 0x9, 0x33, 0x0, 0x0, 0xfd, 0x8, 0x7, 0x0, 0xff}, {0x3000, 0x0, 0xc, 0x0, 0x7, 0x4, 0x0, 0x0, 0x3, 0xfe, 0x0, 0xfe}, {0x3000, 0xd000, 0x4, 0x0, 0x0, 0x0, 0xff, 0x0, 0xfe, 0x0, 0x4}, {0xdddd0000, 0x2000, 0x9, 0x0, 0xff, 0x4, 0x6, 0xe, 0x0, 0x7f}, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0xfe, 0x0, 0x80}, {0xdddd1000, 0x0, 0xa, 0x6, 0x0, 0x0, 0x3, 0xfe}, {0x0, 0x8000000, 0x8, 0x0, 0x1, 0x1, 0x83, 0xa, 0x26, 0x5}, {0x4000}, {0xdddd1000, 0xff}, 0xddf8ffdb, 0x0, 0x0, 0x70, 0x9, 0xd801, 0x0, [0x0, 0x0, 0x1, 0x2000000]}) ioctl$KVM_SET_IRQCHIP(r3, 0x8208ae63, &(0x7f0000000600)={0x0, 0x0, @ioapic={0x2000, 0x8000, 0x0, 0x1, 0x0, [{0x1, 0x3, 0x6, '\x00', 0x91}, {0x6c, 0xbc, 0x15, '\x00', 0xf}, {0x5, 0x83, 0x6, '\x00', 0x95}, {0x0, 0x9, 0x8, '\x00', 0xd7}, {0x3, 0x5, 0x7, '\x00', 0x2}, {0x3, 0x3, 0x7f, 
'\x00', 0x89}, {0xb, 0x2, 0xb4, '\x00', 0x9}, {0x6, 0x0, 0x80, '\x00', 0x3}, {0xb, 0x4, 0x4, '\x00', 0xd}, {0x2, 0x7, 0x1, '\x00', 0x3a}, {0x5, 0xff, 0xc, '\x00', 0x5}, {0x3, 0xf2, 0x3, '\x00', 0x1e}, {0x8, 0x9, 0x8, '\x00', 0x3}, {0x2, 0x7, 0xa8}, {0x1, 0x40, 0x6, '\x00', 0x20}, {0xe, 0x4, 0xb, '\x00', 0x1}, {0x4d, 0xe, 0x6d}, {0xe, 0x8, 0x8, '\x00', 0xd3}, {0x0, 0x5, 0x2, '\x00', 0x2}, {0x7f, 0x0, 0x72, '\x00', 0x5}, {0x9, 0x4, 0x9, '\x00', 0x7}, {0x1, 0xe, 0x1, '\x00', 0x2}, {0x72, 0xe, 0x5}, {0x80, 0xd, 0x40}]}}) ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000000)={[0x6e, 0x0, 0x0, 0x20, 0x3, 0x0, 0x106c, 0x80000001, 0x8000000000000, 0x80000004000080, 0x0, 0x8, 0x0, 0x4, 0x9, 0x8001], 0x1, 0x3c4210}) ioctl$KVM_RUN(r4, 0xae80, 0x0) 56.259676ms ago: executing program 2 (id=3): r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000001c0)='./binderfs/binder1\x00', 0x800, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x8, 0x0, &(0x7f0000000900)=[@dead_binder_done, @reply_sg={0x40486312, {0x0, 0x0, 0x0, 0x0, 0x31, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000280)={@flat=@weak_binder={0x77622a85, 0x100, 0x2}, @fd, @fd}, &(0x7f0000000300)}, 0x1000}, @transaction={0x40406300, {0x2, 0x0, 0x0, 0x0, 0x21, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000540)={@ptr={0x70742a85, 0x1, &(0x7f0000000340)=""/144, 0x0, 0x0, 0x10}, @fd, @fd}, &(0x7f00000005c0)}}, @free_buffer, @increfs_done={0x40106308, 0x3}, @transaction_sg={0x40486311, {0x2, 0x0, 0x0, 0x0, 0x31, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000600)={@fda={0x66646185, 0x7, 0x2, 0x22}, @flat=@binder={0x73622a85, 0x100, 0x1}, @fda={0x66646185, 0x5, 0x1, 0x8}}, &(0x7f0000000680)}, 0x40}], 0x49, 0x0, 0x0}) r1 = socket$inet(0x2, 0x3, 0x4) setsockopt$inet_opts(r1, 0x0, 0x4, &(0x7f0000000000)="8907040400", 0x5) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='ip6_vti0\x00', 0x10) connect$inet(r1, &(0x7f0000000080)={0x2, 0x4e20, @private=0xa010100}, 0x10) setsockopt$inet_mreqn(r1, 0x0, 0x23, &(0x7f0000000080)={@multicast2, @loopback}, 
0xc) dup3(r0, r1, 0x0) 37.974168ms ago: executing program 3 (id=4): mkdir(&(0x7f00000000c0)='./bus\x00', 0x0) creat(&(0x7f0000000000)='./file0\x00', 0x103) mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0) chdir(&(0x7f00000003c0)='./bus\x00') stat(&(0x7f0000000500)='./file0\x00', &(0x7f0000000540)) 1.0922ms ago: executing program 2 (id=5): mkdirat(0xffffffffffffff9c, &(0x7f0000000440)='./file1\x00', 0x100) mkdir(&(0x7f0000000000)='./file0\x00', 0x0) mkdir(&(0x7f0000000000)='./bus\x00', 0x0) mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000380)={[{@upperdir={'upperdir', 0x3d, './file1'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@workdir={'workdir', 0x3d, './bus'}}]}) chdir(&(0x7f0000000140)='./bus\x00') mknod$loop(&(0x7f0000000180)='./file0\x00', 0x6000, 0x0) io_setup(0x7f, &(0x7f0000000000)=<r0=>0x0) io_submit(r0, 0x2000007b, &(0x7f0000000000)) madvise(&(0x7f0000000000/0x3000)=nil, 0x7fffffffffffffff, 0x15) 0s ago: executing program 3 (id=6): openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000180)='cgroup.events\x00', 0x26e1, 0x0) socketpair$tipc(0x1e, 0x1, 0x0, &(0x7f00000001c0)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff}) recvmsg(r0, &(0x7f0000000500)={&(0x7f0000000040)=@hci, 0x80, &(0x7f0000000100)=[{&(0x7f0000000400)=""/248, 0x70cb0}], 0xc}, 0x1f00) sendmsg$tipc(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000200)=[{&(0x7f0000000140)="a2", 0xfffffdef}], 0x1}, 0x0) kernel console output (not intermixed with test programs): Warning: Permanently added '10.128.0.244' (ED25519) to the list of known hosts. 
[ 23.660257][ T36] audit: type=1400 audit(1775566399.600:64): avc: denied { mounton } for pid=283 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2022 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 23.661490][ T283] cgroup: Unknown subsys name 'net' [ 23.683503][ T36] audit: type=1400 audit(1775566399.600:65): avc: denied { mount } for pid=283 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 23.711176][ T36] audit: type=1400 audit(1775566399.630:66): avc: denied { unmount } for pid=283 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 23.711318][ T283] cgroup: Unknown subsys name 'devices' [ 23.936549][ T283] cgroup: Unknown subsys name 'hugetlb' [ 23.942317][ T283] cgroup: Unknown subsys name 'rlimit' [ 24.036537][ T36] audit: type=1400 audit(1775566399.980:67): avc: denied { setattr } for pid=283 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=190 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 24.060637][ T36] audit: type=1400 audit(1775566399.980:68): avc: denied { mounton } for pid=283 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 [ 24.086206][ T36] audit: type=1400 audit(1775566399.980:69): avc: denied { mount } for pid=283 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1 [ 24.095277][ T285] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). 
Setting up swapspace version 1, size = 127995904 bytes [ 24.119113][ T36] audit: type=1400 audit(1775566400.060:70): avc: denied { relabelto } for pid=285 comm="mkswap" name="swap-file" dev="sda1" ino=2025 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 24.145748][ T36] audit: type=1400 audit(1775566400.060:71): avc: denied { write } for pid=285 comm="mkswap" path="/root/swap-file" dev="sda1" ino=2025 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 24.199656][ T36] audit: type=1400 audit(1775566400.140:72): avc: denied { read } for pid=283 comm="syz-executor" name="swap-file" dev="sda1" ino=2025 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 24.200257][ T283] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 24.226625][ T36] audit: type=1400 audit(1775566400.140:73): avc: denied { open } for pid=283 comm="syz-executor" path="/root/swap-file" dev="sda1" ino=2025 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 25.134389][ T290] bridge0: port 1(bridge_slave_0) entered blocking state [ 25.141764][ T290] bridge0: port 1(bridge_slave_0) entered disabled state [ 25.149887][ T290] bridge_slave_0: entered allmulticast mode [ 25.156479][ T290] bridge_slave_0: entered promiscuous mode [ 25.163075][ T290] bridge0: port 2(bridge_slave_1) entered blocking state [ 25.170646][ T290] bridge0: port 2(bridge_slave_1) entered disabled state [ 25.178697][ T290] bridge_slave_1: entered allmulticast mode [ 25.185087][ T290] bridge_slave_1: entered promiscuous mode [ 25.287972][ T295] bridge0: port 1(bridge_slave_0) entered blocking state [ 25.295057][ T295] bridge0: port 1(bridge_slave_0) entered disabled state [ 25.302318][ 
T295] bridge_slave_0: entered allmulticast mode [ 25.309195][ T295] bridge_slave_0: entered promiscuous mode [ 25.318488][ T295] bridge0: port 2(bridge_slave_1) entered blocking state [ 25.325901][ T295] bridge0: port 2(bridge_slave_1) entered disabled state [ 25.333239][ T295] bridge_slave_1: entered allmulticast mode [ 25.339720][ T295] bridge_slave_1: entered promiscuous mode [ 25.385549][ T294] bridge0: port 1(bridge_slave_0) entered blocking state [ 25.392890][ T294] bridge0: port 1(bridge_slave_0) entered disabled state [ 25.401055][ T294] bridge_slave_0: entered allmulticast mode [ 25.407855][ T294] bridge_slave_0: entered promiscuous mode [ 25.416561][ T294] bridge0: port 2(bridge_slave_1) entered blocking state [ 25.423884][ T294] bridge0: port 2(bridge_slave_1) entered disabled state [ 25.431393][ T294] bridge_slave_1: entered allmulticast mode [ 25.437780][ T294] bridge_slave_1: entered promiscuous mode [ 25.500465][ T296] bridge0: port 1(bridge_slave_0) entered blocking state [ 25.507751][ T296] bridge0: port 1(bridge_slave_0) entered disabled state [ 25.515019][ T296] bridge_slave_0: entered allmulticast mode [ 25.521316][ T296] bridge_slave_0: entered promiscuous mode [ 25.527848][ T296] bridge0: port 2(bridge_slave_1) entered blocking state [ 25.535207][ T296] bridge0: port 2(bridge_slave_1) entered disabled state [ 25.542458][ T296] bridge_slave_1: entered allmulticast mode [ 25.548815][ T296] bridge_slave_1: entered promiscuous mode [ 25.605468][ T290] bridge0: port 2(bridge_slave_1) entered blocking state [ 25.612627][ T290] bridge0: port 2(bridge_slave_1) entered forwarding state [ 25.620461][ T290] bridge0: port 1(bridge_slave_0) entered blocking state [ 25.627737][ T290] bridge0: port 1(bridge_slave_0) entered forwarding state [ 25.667798][ T294] bridge0: port 2(bridge_slave_1) entered blocking state [ 25.675144][ T294] bridge0: port 2(bridge_slave_1) entered forwarding state [ 25.682810][ T294] bridge0: port 1(bridge_slave_0) entered blocking 
state [ 25.690643][ T294] bridge0: port 1(bridge_slave_0) entered forwarding state [ 25.705766][ T295] bridge0: port 2(bridge_slave_1) entered blocking state [ 25.713066][ T295] bridge0: port 2(bridge_slave_1) entered forwarding state [ 25.720929][ T295] bridge0: port 1(bridge_slave_0) entered blocking state [ 25.728250][ T295] bridge0: port 1(bridge_slave_0) entered forwarding state [ 25.762315][ T12] bridge0: port 1(bridge_slave_0) entered disabled state [ 25.770077][ T12] bridge0: port 2(bridge_slave_1) entered disabled state [ 25.778158][ T12] bridge0: port 1(bridge_slave_0) entered disabled state [ 25.785962][ T12] bridge0: port 2(bridge_slave_1) entered disabled state [ 25.793744][ T12] bridge0: port 1(bridge_slave_0) entered disabled state [ 25.802400][ T12] bridge0: port 2(bridge_slave_1) entered disabled state [ 25.820479][ T12] bridge0: port 1(bridge_slave_0) entered blocking state [ 25.827756][ T12] bridge0: port 1(bridge_slave_0) entered forwarding state [ 25.845035][ T12] bridge0: port 1(bridge_slave_0) entered blocking state [ 25.852470][ T12] bridge0: port 1(bridge_slave_0) entered forwarding state [ 25.860212][ T12] bridge0: port 2(bridge_slave_1) entered blocking state [ 25.867493][ T12] bridge0: port 2(bridge_slave_1) entered forwarding state [ 25.880552][ T12] bridge0: port 2(bridge_slave_1) entered blocking state [ 25.887918][ T12] bridge0: port 2(bridge_slave_1) entered forwarding state [ 25.914979][ T128] bridge0: port 1(bridge_slave_0) entered blocking state [ 25.922691][ T128] bridge0: port 1(bridge_slave_0) entered forwarding state [ 25.939228][ T290] veth0_vlan: entered promiscuous mode [ 25.947374][ T128] bridge0: port 2(bridge_slave_1) entered blocking state [ 25.954567][ T128] bridge0: port 2(bridge_slave_1) entered forwarding state [ 25.973614][ T128] bridge0: port 1(bridge_slave_0) entered blocking state [ 25.980725][ T128] bridge0: port 1(bridge_slave_0) entered forwarding state [ 25.988871][ T128] bridge0: port 2(bridge_slave_1) 
entered blocking state [ 25.996347][ T128] bridge0: port 2(bridge_slave_1) entered forwarding state [ 26.008843][ T294] veth0_vlan: entered promiscuous mode [ 26.020412][ T290] veth1_macvtap: entered promiscuous mode [ 26.066744][ T290] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality. [ 26.072005][ T296] veth0_vlan: entered promiscuous mode [ 26.093336][ T294] veth1_macvtap: entered promiscuous mode [ 26.140342][ T295] veth0_vlan: entered promiscuous mode [ 26.147738][ T310] kvm_intel: L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details. [ 26.158629][ T295] veth1_macvtap: entered promiscuous mode [ 26.181316][ T296] veth1_macvtap: entered promiscuous mode [ 26.210907][ T310] kvm: pic: non byte write [ 26.216179][ T310] kvm: pic: non byte write [ 26.221608][ T310] kvm: pic: non byte write [ 26.227323][ T310] kvm: pic: non byte write [ 26.232439][ T310] kvm: pic: non byte write [ 26.239764][ T310] kvm: pic: non byte write [ 26.246056][ T310] kvm: pic: non byte write [ 26.251720][ T310] kvm: pic: non byte write [ 26.258411][ T310] kvm: pic: non byte write [ 26.264542][ T310] kvm: pic: non byte write [ 26.271822][ T317] rust_binder: Write failure EFAULT in pid:2 [ 26.305679][ T295] ------------[ cut here ]------------ [ 26.317630][ T295] WARNING: CPU: 0 PID: 295 at fs/inode.c:340 drop_nlink+0xce/0x110 [ 26.325731][ T295] Modules linked in: [ 26.330102][ T295] CPU: 0 UID: 0 PID: 295 Comm: syz-executor Not tainted syzkaller #0 916f3d974aa0fa32e8d6ac226cea77ce335b314b [ 26.342203][ T295] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026 [ 26.352377][ T295] RIP: 0010:drop_nlink+0xce/0x110 [ 26.357658][ T295] Code: 04 00 00 be 08 00 00 00 e8 df 15 ee ff f0 48 ff 83 b8 04 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d e9 98 d4 b1 03 cc e8 d2 dc 95 ff 
<0f> 0b eb 81 44 89 f1 80 e1 07 80 c1 03 38 c1 0f 8c 59 ff ff ff 4c [ 26.378663][ T295] RSP: 0018:ffffc9000b677c60 EFLAGS: 00010293 [ 26.385124][ T295] RAX: ffffffff81f1ce0e RBX: ffff88810efb4f50 RCX: ffff88812eac5f00 [ 26.393457][ T295] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 26.402213][ T295] RBP: ffffc9000b677c88 R08: 0000000000000003 R09: 0000000000000004 [ 26.410694][ T295] R10: dffffc0000000000 R11: fffff520016cef7c R12: dffffc0000000000 [ 26.418854][ T295] R13: 1ffff11021df69f3 R14: ffff88810efb4f98 R15: 0000000000000000 [ 26.427082][ T295] FS: 0000555562cb7500(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000 [ 26.436405][ T295] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 26.443352][ T295] CR2: 00007f83f99f3000 CR3: 000000012d27c000 CR4: 00000000003526b0 [ 26.451789][ T295] Call Trace: [ 26.455311][ T295] <TASK> [ 26.458327][ T295] shmem_rmdir+0x5f/0x90 [ 26.462700][ T295] vfs_rmdir+0x3e3/0x560 [ 26.467282][ T295] incfs_kill_sb+0x109/0x230 [ 26.472106][ T295] deactivate_locked_super+0xd8/0x2a0 [ 26.477857][ T295] deactivate_super+0xb8/0xe0 [ 26.482730][ T295] cleanup_mnt+0x406/0x4a0 [ 26.487712][ T295] __cleanup_mnt+0x1d/0x40 [ 26.492338][ T295] task_work_run+0x1e8/0x260 [ 26.497118][ T295] ? __cfi_task_work_run+0x10/0x10 [ 26.502510][ T295] ? __x64_sys_umount+0x12e/0x180 [ 26.507621][ T295] ? __cfi___x64_sys_umount+0x10/0x10 [ 26.513533][ T295] ? __kasan_check_read+0x15/0x20 [ 26.519141][ T295] resume_user_mode_work+0x35/0x50 [ 26.524845][ T295] syscall_exit_to_user_mode+0x63/0xb0 [ 26.530668][ T295] do_syscall_64+0x63/0xf0 [ 26.535326][ T295] ? 
clear_bhb_loop+0x50/0xa0 [ 26.540108][ T295] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 26.546260][ T295] RIP: 0033:0x7f919cf9da57 [ 26.550880][ T295] Code: a2 c7 05 9c fc 24 00 00 00 00 00 eb 96 e8 e1 12 00 00 90 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 e8 ff ff ff f7 d8 64 89 02 b8 [ 26.572137][ T295] RSP: 002b:00007ffce655bad8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 [ 26.581410][ T295] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f919cf9da57 [ 26.589730][ T295] RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffce655bb90 [ 26.598125][ T295] RBP: 00007ffce655bb90 R08: 00007ffce655cb90 R09: 00000000ffffffff [ 26.606637][ T295] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffce655cc20 [ 26.615232][ T295] R13: 00007f919d032048 R14: 0000000000006692 R15: 00007ffce655cc60 [ 26.623789][ T295] </TASK> [ 26.627891][ T295] ---[ end trace 0000000000000000 ]--- [ 26.633725][ T295] ================================================================== [ 26.641913][ T295] BUG: KASAN: null-ptr-deref in ihold+0x24/0x70 [ 26.648933][ T295] Write of size 4 at addr 0000000000000168 by task syz-executor/295 [ 26.657345][ T295] [ 26.659679][ T295] CPU: 1 UID: 0 PID: 295 Comm: syz-executor Tainted: G W syzkaller #0 916f3d974aa0fa32e8d6ac226cea77ce335b314b [ 26.659700][ T295] Tainted: [W]=WARN [ 26.659704][ T295] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026 [ 26.659711][ T295] Call Trace: [ 26.659716][ T295] <TASK> [ 26.659722][ T295] __dump_stack+0x21/0x30 [ 26.659743][ T295] dump_stack_lvl+0x140/0x1c0 [ 26.659756][ T295] ? __cfi_dump_stack_lvl+0x10/0x10 [ 26.659770][ T295] print_report+0x3d/0x70 [ 26.659783][ T295] kasan_report+0x162/0x1a0 [ 26.659794][ T295] ? ihold+0x24/0x70 [ 26.659804][ T295] ? _raw_spin_unlock+0x45/0x60 [ 26.659818][ T295] ? 
ihold+0x24/0x70 [ 26.659827][ T295] kasan_check_range+0x25a/0x2b0 [ 26.659838][ T295] __kasan_check_write+0x18/0x20 [ 26.659851][ T295] ihold+0x24/0x70 [ 26.659860][ T295] vfs_rmdir+0x26a/0x560 [ 26.659871][ T295] incfs_kill_sb+0x109/0x230 [ 26.659886][ T295] deactivate_locked_super+0xd8/0x2a0 [ 26.659898][ T295] deactivate_super+0xb8/0xe0 [ 26.659909][ T295] cleanup_mnt+0x406/0x4a0 [ 26.659919][ T295] __cleanup_mnt+0x1d/0x40 [ 26.659928][ T295] task_work_run+0x1e8/0x260 [ 26.659941][ T295] ? __cfi_task_work_run+0x10/0x10 [ 26.659952][ T295] ? __x64_sys_umount+0x12e/0x180 [ 26.659964][ T295] ? __cfi___x64_sys_umount+0x10/0x10 [ 26.659977][ T295] ? __kasan_check_read+0x15/0x20 [ 26.659990][ T295] resume_user_mode_work+0x35/0x50 [ 26.660004][ T295] syscall_exit_to_user_mode+0x63/0xb0 [ 26.660017][ T295] do_syscall_64+0x63/0xf0 [ 26.660031][ T295] ? clear_bhb_loop+0x50/0xa0 [ 26.660041][ T295] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 26.660057][ T295] RIP: 0033:0x7f919cf9da57 [ 26.660067][ T295] Code: a2 c7 05 9c fc 24 00 00 00 00 00 eb 96 e8 e1 12 00 00 90 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 e8 ff ff ff f7 d8 64 89 02 b8 [ 26.660076][ T295] RSP: 002b:00007ffce655bad8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 [ 26.660089][ T295] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f919cf9da57 [ 26.660096][ T295] RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffce655bb90 [ 26.660103][ T295] RBP: 00007ffce655bb90 R08: 00007ffce655cb90 R09: 00000000ffffffff [ 26.660110][ T295] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffce655cc20 [ 26.660117][ T295] R13: 00007f919d032048 R14: 0000000000006692 R15: 00007ffce655cc60 [ 26.660125][ T295] </TASK> [ 26.660129][ T295] ================================================================== [ 26.927161][ T295] Disabling lock debugging due to kernel taint [ 26.934828][ T295] BUG: kernel NULL pointer dereference, address: 0000000000000168 [ 
26.943517][ T295] #PF: supervisor write access in kernel mode [ 26.949968][ T295] #PF: error_code(0x0002) - not-present page [ 26.956380][ T295] PGD 800000010ebcb067 P4D 800000010ebcb067 PUD 0 [ 26.962996][ T295] Oops: Oops: 0002 [#1] PREEMPT SMP KASAN PTI [ 26.969428][ T295] CPU: 1 UID: 0 PID: 295 Comm: syz-executor Tainted: G B W syzkaller #0 916f3d974aa0fa32e8d6ac226cea77ce335b314b [ 26.983202][ T295] Tainted: [B]=BAD_PAGE, [W]=WARN [ 26.988506][ T295] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026 [ 26.998743][ T295] RIP: 0010:ihold+0x2a/0x70 [ 27.003425][ T295] Code: f3 0f 1e fa 55 48 89 e5 41 56 53 48 89 fb e8 bd d3 95 ff 48 8d bb 68 01 00 00 be 04 00 00 00 e8 9c 0c ee ff 41 be 01 00 00 00 <f0> 44 0f c1 b3 68 01 00 00 41 ff c6 bf 02 00 00 00 44 89 f6 e8 cd [ 27.024173][ T295] RSP: 0018:ffffc9000b677ca0 EFLAGS: 00010246 [ 27.030796][ T295] RAX: ffff88812eac5f00 RBX: 0000000000000000 RCX: ffff88812eac5f00 [ 27.039693][ T295] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 27.050055][ T295] RBP: ffffc9000b677cb0 R08: ffffffff88b98947 R09: 1ffffffff1173128 [ 27.058999][ T295] R10: dffffc0000000000 R11: fffffbfff1173129 R12: ffff88810efb4f5c [ 27.069079][ T295] R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000 [ 27.077936][ T295] FS: 0000555562cb7500(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000 [ 27.087484][ T295] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 27.094341][ T295] CR2: 0000000000000168 CR3: 000000012d27c000 CR4: 00000000003526b0 [ 27.102867][ T295] Call Trace: [ 27.106548][ T295] <TASK> [ 27.110107][ T295] vfs_rmdir+0x26a/0x560 [ 27.114656][ T295] incfs_kill_sb+0x109/0x230 [ 27.119919][ T295] deactivate_locked_super+0xd8/0x2a0 [ 27.126130][ T295] deactivate_super+0xb8/0xe0 [ 27.132207][ T295] cleanup_mnt+0x406/0x4a0 [ 27.137165][ T295] __cleanup_mnt+0x1d/0x40 [ 27.141687][ T295] task_work_run+0x1e8/0x260 [ 27.146634][ T295] ? 
__cfi_task_work_run+0x10/0x10 [ 27.151929][ T295] ? __x64_sys_umount+0x12e/0x180 [ 27.157569][ T295] ? __cfi___x64_sys_umount+0x10/0x10 [ 27.163120][ T295] ? __kasan_check_read+0x15/0x20 [ 27.168512][ T295] resume_user_mode_work+0x35/0x50 [ 27.173925][ T295] syscall_exit_to_user_mode+0x63/0xb0 [ 27.179591][ T295] do_syscall_64+0x63/0xf0 [ 27.184375][ T295] ? clear_bhb_loop+0x50/0xa0 [ 27.189398][ T295] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 27.195567][ T295] RIP: 0033:0x7f919cf9da57 [ 27.200354][ T295] Code: a2 c7 05 9c fc 24 00 00 00 00 00 eb 96 e8 e1 12 00 00 90 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 e8 ff ff ff f7 d8 64 89 02 b8 [ 27.221104][ T295] RSP: 002b:00007ffce655bad8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 [ 27.229899][ T295] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f919cf9da57 [ 27.238126][ T295] RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffce655bb90 [ 27.246100][ T295] RBP: 00007ffce655bb90 R08: 00007ffce655cb90 R09: 00000000ffffffff [ 27.254567][ T295] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffce655cc20 [ 27.263376][ T295] R13: 00007f919d032048 R14: 0000000000006692 R15: 00007ffce655cc60 [ 27.271777][ T295] </TASK> [ 27.274873][ T295] Modules linked in: [ 27.279133][ T295] CR2: 0000000000000168 [ 27.283703][ T295] ---[ end trace 0000000000000000 ]--- [ 27.289751][ T295] RIP: 0010:ihold+0x2a/0x70 [ 27.294250][ T295] Code: f3 0f 1e fa 55 48 89 e5 41 56 53 48 89 fb e8 bd d3 95 ff 48 8d bb 68 01 00 00 be 04 00 00 00 e8 9c 0c ee ff 41 be 01 00 00 00 <f0> 44 0f c1 b3 68 01 00 00 41 ff c6 bf 02 00 00 00 44 89 f6 e8 cd [ 27.314284][ T295] RSP: 0018:ffffc9000b677ca0 EFLAGS: 00010246 [ 27.320884][ T295] RAX: ffff88812eac5f00 RBX: 0000000000000000 RCX: ffff88812eac5f00 [ 27.329241][ T295] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 27.337224][ T295] RBP: ffffc9000b677cb0 R08: ffffffff88b98947 R09: 1ffffffff1173128 [ 27.345378][ T295] R10: 
dffffc0000000000 R11: fffffbfff1173129 R12: ffff88810efb4f5c [ 27.353544][ T295] R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000 [ 27.361698][ T295] FS: 0000555562cb7500(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000 [ 27.370812][ T295] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 27.377508][ T295] CR2: 0000000000000168 CR3: 000000012d27c000 CR4: 00000000003526b0 [ 27.386051][ T295] Kernel panic - not syncing: Fatal exception [ 27.392685][ T295] Kernel Offset: disabled [ 27.397349][ T295] Rebooting in 86400 seconds..