last executing test programs: 790.650256ms ago: executing program 3 (id=215): inotify_init1(0x0) 743.183281ms ago: executing program 4 (id=217): cachestat(0xffffffffffffffff, &(0x7f0000000000), &(0x7f0000000000), 0x0) 691.871075ms ago: executing program 3 (id=220): getrlimit(0x0, &(0x7f0000000000)) 646.323187ms ago: executing program 4 (id=222): syz_open_dev$vim2m(&(0x7f0000000040), 0x0, 0x0) syz_open_dev$vim2m(&(0x7f0000000080), 0x0, 0x1) syz_open_dev$vim2m(&(0x7f00000000c0), 0x0, 0x2) syz_open_dev$vim2m(&(0x7f0000000100), 0x0, 0x800) syz_open_dev$vim2m(&(0x7f0000000140), 0x1, 0x0) syz_open_dev$vim2m(&(0x7f0000000180), 0x1, 0x1) syz_open_dev$vim2m(&(0x7f00000001c0), 0x1, 0x2) syz_open_dev$vim2m(&(0x7f0000000200), 0x1, 0x800) syz_open_dev$vim2m(&(0x7f0000000240), 0x2, 0x0) syz_open_dev$vim2m(&(0x7f0000000280), 0x2, 0x1) syz_open_dev$vim2m(&(0x7f00000002c0), 0x2, 0x2) syz_open_dev$vim2m(&(0x7f0000000300), 0x2, 0x800) syz_open_dev$vim2m(&(0x7f0000000340), 0x3, 0x0) syz_open_dev$vim2m(&(0x7f0000000380), 0x3, 0x1) syz_open_dev$vim2m(&(0x7f00000003c0), 0x3, 0x2) syz_open_dev$vim2m(&(0x7f0000000400), 0x3, 0x800) syz_open_dev$vim2m(&(0x7f0000000440), 0x4, 0x0) syz_open_dev$vim2m(&(0x7f0000000480), 0x4, 0x1) syz_open_dev$vim2m(&(0x7f00000004c0), 0x4, 0x2) syz_open_dev$vim2m(&(0x7f0000000500), 0x4, 0x800) 631.986203ms ago: executing program 1 (id=223): fchown(0xffffffffffffffff, 0x0, 0x0) 563.348128ms ago: executing program 3 (id=225): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/dlm_plock', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/dlm_plock', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dlm_plock', 0x800, 0x0) 537.64394ms ago: executing program 0 (id=226): socket$inet6_tcp(0xa, 0x1, 0x0) 529.518834ms ago: executing program 1 (id=228): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/sequencer2', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer2', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/sequencer2', 0x800, 0x0) 463.740187ms ago: executing program 3 (id=229): unlinkat(0xffffffffffffffff, &(0x7f0000000000), 0x0) 446.946577ms ago: executing program 2 (id=230): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/random', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/random', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/random', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/random', 0x800, 0x0) 437.034451ms ago: executing program 4 (id=231): openat(0xffffffffffffff9c, &(0x7f0000000040)='/sys/kernel/debug/damon/rm_contexts', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/sys/kernel/debug/damon/rm_contexts', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/sys/kernel/debug/damon/rm_contexts', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/sys/kernel/debug/damon/rm_contexts', 0x800, 0x0) 379.580668ms ago: executing program 0 (id=232): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/hwbinder', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/hwbinder', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/hwbinder', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/hwbinder', 0x800, 0x0) 379.378699ms ago: executing program 1 (id=233): syz_open_dev$I2C(&(0x7f0000000040), 0x0, 0x0) syz_open_dev$I2C(&(0x7f0000000080), 0x0, 0x1) syz_open_dev$I2C(&(0x7f00000000c0), 0x0, 0x2) syz_open_dev$I2C(&(0x7f0000000100), 0x0, 0x800) syz_open_dev$I2C(&(0x7f0000000140), 0x1, 0x0) syz_open_dev$I2C(&(0x7f0000000180), 0x1, 0x1) syz_open_dev$I2C(&(0x7f00000001c0), 0x1, 0x2) syz_open_dev$I2C(&(0x7f0000000200), 0x1, 0x800) syz_open_dev$I2C(&(0x7f0000000240), 0x2, 0x0) syz_open_dev$I2C(&(0x7f0000000280), 0x2, 0x1) syz_open_dev$I2C(&(0x7f00000002c0), 0x2, 0x2) syz_open_dev$I2C(&(0x7f0000000300), 0x2, 0x800) syz_open_dev$I2C(&(0x7f0000000340), 0x3, 0x0) syz_open_dev$I2C(&(0x7f0000000380), 0x3, 0x1) syz_open_dev$I2C(&(0x7f00000003c0), 0x3, 0x2) syz_open_dev$I2C(&(0x7f0000000400), 0x3, 0x800) syz_open_dev$I2C(&(0x7f0000000440), 0x4, 0x0) syz_open_dev$I2C(&(0x7f0000000480), 0x4, 0x1) syz_open_dev$I2C(&(0x7f00000004c0), 0x4, 0x2) syz_open_dev$I2C(&(0x7f0000000500), 0x4, 0x800) 379.157447ms ago: executing program 3 (id=234): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/mISDNtimer', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/mISDNtimer', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/mISDNtimer', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/mISDNtimer', 0x800, 0x0) 344.197295ms ago: executing program 2 (id=235): sched_rr_get_interval(0x0, &(0x7f0000000000)) 334.958269ms ago: executing program 0 (id=236): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/qrtr-tun', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/qrtr-tun', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/qrtr-tun', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/qrtr-tun', 0x800, 0x0) 254.731165ms ago: executing program 4 (id=237): openat(0xffffffffffffff9c, &(0x7f0000000040)='/proc/sys/net/ipv4/tcp_congestion_control', 0x1, 0x0) 254.507308ms ago: executing program 1 (id=238): close(0xffffffffffffffff) 254.314849ms ago: executing program 2 (id=239): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/urandom', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/urandom', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/urandom', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/urandom', 0x800, 0x0) 254.107332ms ago: executing program 3 (id=240): fsopen(&(0x7f0000000000), 0x0) 238.544702ms ago: executing program 0 (id=241): getgid() 201.084771ms ago: executing program 1 (id=242): sched_setaffinity(0x0, 0x0, &(0x7f0000000000)) 147.34546ms ago: executing program 4 (id=243): madvise(0x0, 0x0, 0x0) 147.207815ms ago: executing program 2 (id=244): syslog(0x0, 0x0, 0x0) 133.469468ms ago: executing program 0 (id=245): modify_ldt$auto(0x0, &(0x7f0000000000), 0x0) 100.742763ms ago: executing program 1 (id=246): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vhost-vsock', 0x2, 0x0) 43.807468ms ago: executing program 2 (id=247): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/full', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/full', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/full', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/full', 0x800, 0x0) 43.622573ms ago: executing program 4 (id=248): socket$inet6_udplite(0xa, 0x2, 0x88) 41.618483ms ago: executing program 0 (id=249): syz_open_dev$sndpcmp(&(0x7f0000000040), 0x0, 0x0) syz_open_dev$sndpcmp(&(0x7f0000000080), 0x0, 0x1) syz_open_dev$sndpcmp(&(0x7f00000000c0), 0x0, 0x2) syz_open_dev$sndpcmp(&(0x7f0000000100), 0x0, 0x800) syz_open_dev$sndpcmp(&(0x7f0000000140), 0xa, 0x0) syz_open_dev$sndpcmp(&(0x7f0000000180), 0xa, 0x1) syz_open_dev$sndpcmp(&(0x7f00000001c0), 0xa, 0x2) syz_open_dev$sndpcmp(&(0x7f0000000200), 0xa, 0x800) syz_open_dev$sndpcmp(&(0x7f0000000240), 0x14, 0x0) syz_open_dev$sndpcmp(&(0x7f0000000280), 0x14, 0x1) syz_open_dev$sndpcmp(&(0x7f00000002c0), 0x14, 0x2) syz_open_dev$sndpcmp(&(0x7f0000000300), 0x14, 0x800) syz_open_dev$sndpcmp(&(0x7f0000000340), 0x1e, 0x0) syz_open_dev$sndpcmp(&(0x7f0000000380), 0x1e, 0x1) syz_open_dev$sndpcmp(&(0x7f00000003c0), 0x1e, 0x2) syz_open_dev$sndpcmp(&(0x7f0000000400), 0x1e, 0x800) syz_open_dev$sndpcmp(&(0x7f0000000440), 0x28, 0x0) syz_open_dev$sndpcmp(&(0x7f0000000480), 0x28, 0x1) syz_open_dev$sndpcmp(&(0x7f00000004c0), 0x28, 0x2) syz_open_dev$sndpcmp(&(0x7f0000000500), 0x28, 0x800) 0s ago: executing program 2 (id=250): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vtpmx', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/vtpmx', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/vtpmx', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/vtpmx', 0x800, 0x0) kernel console output (not intermixed with test programs): Warning: Permanently added '10.128.1.160' (ED25519) to the list of known hosts. [ 162.870481][ T5793] cgroup: Unknown subsys name 'net' [ 163.006832][ T5793] cgroup: Unknown subsys name 'cpuset' [ 163.021418][ T5793] cgroup: Unknown subsys name 'rlimit' Setting up swapspace version 1, size = 127995904 bytes [ 168.761852][ T5793] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 176.216291][ T6007] mmap: syz.1.182 (6007) uses deprecated remap_file_pages() syscall. See Documentation/mm/remap_file_pages.rst. [ 177.744586][ T6073] UDPLite6: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list [ 177.789118][ T6071] Oops: general protection fault, probably for non-canonical address 0x1fe20b4bc4627e8: 0000 [#1] SMP PTI [ 177.801552][ T6071] CPU: 1 UID: 0 PID: 6071 Comm: syz.1.246 Not tainted 6.16.0-syzkaller-11852-g479058002c32 #0 PREEMPT(none) [ 177.813657][ T6071] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 [ 177.824000][ T6071] RIP: 0010:kfree+0xf2/0xec0 SYZFAIL: failed to recv rpc fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor) [ 177.829318][ T6071] Code: ef 0c 48 3d 00 10 00 00 41 0f 42 f6 89 75 d0 4f 8d 3c bf 49 c1 e7 04 48 09 4d b0 48 8b 45 80 4a 8d 7c 38 08 0f 85 70 05 00 00 <4c> 8b 27 e8 06 61 14 00 4c 8b 28 44 8b 32 44 89 e8 83 e0 01 44 89 [ 177.850455][ T6071] RSP: 0018:ffff8881179e79f8 EFLAGS: 00010246 [ 177.857637][ T6071] RAX: ffffea0000000000 RBX: 0000000000000000 RCX: 0000000000000000 [ 177.865994][ T6071] RDX: ffff88821ff13408 RSI: 0000000000000000 RDI: 01fe20b4bc4627e8 [ 177.874854][ T6071] RBP: ffff8881179e7aa0 R08: ffffea000000000f R09: 0000000000000000 [ 177.883200][ T6071] R10: ffff888116e8cce0 R11: 0000000000000000 R12: 0000000000000000 [ 177.891852][ T6071] R13: 0000000000000000 R14: 0000000000000000 R15: 01fe36b4bc4627e0 [ 177.900700][ T6071] FS: 0000000000000000(0000) GS:ffff8881aa79a000(0000) knlGS:0000000000000000 [ 177.910202][ T6071] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 [ 177.917411][ T6071] CR2: 00000000f7320af8 CR3: 00000001161b4000 CR4: 00000000003526f0 [ 177.926281][ T6071] Call Trace: [ 177.929696][ T6071] [ 177.933039][ T6071] ? vhost_dev_cleanup+0x74d/0xf20 [ 177.938596][ T6071] ? kmsan_get_metadata+0xfb/0x160 [ 177.944424][ T6071] vhost_dev_cleanup+0x74d/0xf20 [ 177.949911][ T6071] vhost_vsock_dev_release+0x789/0x850 [ 177.956016][ T6071] ? __pfx_vhost_vsock_dev_release+0x10/0x10 [ 177.963315][ T6071] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0 [ 177.970098][ T6071] ? __pfx_vhost_vsock_dev_release+0x10/0x10 [ 177.977208][ T6071] __fput+0x60b/0x1040 [ 177.981673][ T6071] ? __pfx_____fput+0x10/0x10 [ 177.986836][ T6071] ____fput+0x25/0x30 [ 177.991578][ T6071] task_work_run+0x209/0x2b0 [ 177.997120][ T6071] do_exit+0x99d/0x3d50 [ 178.001766][ T6071] ? kmsan_get_metadata+0xfb/0x160 [ 178.007293][ T6071] do_group_exit+0x259/0x390 [ 178.012509][ T6071] __ia32_sys_exit_group+0x35/0x40 [ 178.018196][ T6071] ia32_sys_call+0x4302/0x4310 [ 178.023360][ T6071] __do_fast_syscall_32+0xb0/0x150 [ 178.029406][ T6071] ? irqentry_exit_to_user_mode+0x82/0xa0 [ 178.035750][ T6071] do_fast_syscall_32+0x38/0x80 [ 178.041156][ T6071] do_SYSENTER_32+0x1f/0x30 [ 178.046043][ T6071] entry_SYSENTER_compat_after_hwframe+0x84/0x8e [ 178.054097][ T6071] RIP: 0023:0xf7fd1539 [ 178.058871][ T6071] Code: Unable to access opcode bytes at 0xf7fd150f. [ 178.066358][ T6071] RSP: 002b:00000000ffbae1ac EFLAGS: 00000206 ORIG_RAX: 00000000000000fc [ 178.075848][ T6071] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000000000 [ 178.084386][ T6071] RDX: 0000000000000000 RSI: 00000000ffffff9c RDI: 00000000f7464ff4 [ 178.092914][ T6071] RBP: 000000000000002c R08: 0000000000000000 R09: 0000000000000000 [ 178.101580][ T6071] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000 [ 178.109980][ T6071] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 178.118315][ T6071] [ 178.121464][ T6071] Modules linked in: [ 178.126224][ C1] vkms_vblank_simulate: vblank timer overrun [ 178.133419][ T6071] ---[ end trace 0000000000000000 ]--- [ 178.142751][ T6071] RIP: 0010:kfree+0xf2/0xec0 [ 178.147972][ T6071] Code: ef 0c 48 3d 00 10 00 00 41 0f 42 f6 89 75 d0 4f 8d 3c bf 49 c1 e7 04 48 09 4d b0 48 8b 45 80 4a 8d 7c 38 08 0f 85 70 05 00 00 <4c> 8b 27 e8 06 61 14 00 4c 8b 28 44 8b 32 44 89 e8 83 e0 01 44 89 [ 178.169966][ C1] vkms_vblank_simulate: vblank timer overrun [ 178.177327][ T6071] RSP: 0018:ffff8881179e79f8 EFLAGS: 00010246 [ 178.184217][ T6071] RAX: ffffea0000000000 RBX: 0000000000000000 RCX: 0000000000000000 [ 178.193432][ T6071] RDX: ffff88821ff13408 RSI: 0000000000000000 RDI: 01fe20b4bc4627e8 [ 178.201884][ T6071] RBP: ffff8881179e7aa0 R08: ffffea000000000f R09: 0000000000000000 [ 178.210468][ T6071] R10: ffff888116e8cce0 R11: 0000000000000000 R12: 0000000000000000 [ 178.219524][ T6071] R13: 0000000000000000 R14: 0000000000000000 R15: 01fe36b4bc4627e0 [ 178.228880][ T6071] FS: 0000000000000000(0000) GS:ffff8881aa79a000(0000) knlGS:0000000000000000 [ 178.238815][ T6071] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 [ 178.246285][ T6071] CR2: 00000000f7320af8 CR3: 00000001161b4000 CR4: 00000000003526f0 [ 178.255620][ T6071] Kernel panic - not syncing: Fatal exception [ 178.262984][ T6071] Kernel Offset: disabled [ 178.267710][ T6071] Rebooting in 86400 seconds..