slab kmalloc-8k start ffff888146718000 pointer offset 1480 size 8192 list_del corruption. prev->next should be ffff88805d041b70, but was ffff8881467185c8. (prev=ffff8881467185c8) ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:62! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 7510 Comm: syz.5.378 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026 RIP: 0010:__list_del_entry_valid_or_report+0x14a/0x1d0 lib/list_debug.c:62 Code: 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 8d 00 00 00 48 8b 55 00 48 89 e9 48 89 de 48 c7 c7 40 3d fa 8b e8 37 b0 32 fc 90 <0f> 0b 4c 89 e7 e8 3c 24 5d fd 48 89 ea 48 b8 00 00 00 00 00 fc ff RSP: 0018:ffffc90010557860 EFLAGS: 00010082 RAX: 000000000000006d RBX: ffff88805d041b70 RCX: 0000000000000000 RDX: 000000000000006d RSI: ffffffff81e5d6c9 RDI: fffff520020aaefd RBP: ffff8881467185c8 R08: 0000000000000005 R09: 0000000000000000 R10: 0000000080000001 R11: 0000000000000001 R12: ffff88805d041a30 R13: ffff88805d041b88 R14: ffff88805d041b70 R15: ffff88805d041b48 FS: 0000000000000000(0000) GS:ffff8881245d9000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f42701f8ff8 CR3: 000000007a7e0000 CR4: 00000000003526f0 Call Trace: __list_del_entry_valid include/linux/list.h:132 [inline] __list_del_entry include/linux/list.h:223 [inline] list_del_init include/linux/list.h:295 [inline] io_poll_remove_waitq io_uring/poll.c:149 [inline] io_poll_remove_entry io_uring/poll.c:166 [inline] io_poll_remove_entries.part.0+0x156/0x7e0 io_uring/poll.c:197 io_poll_remove_entries io_uring/poll.c:177 [inline] io_poll_task_func+0x39e/0xe30 io_uring/poll.c:343 io_handle_tw_list+0x194/0x580 io_uring/io_uring.c:1122 tctx_task_work_run+0x57/0x2b0 io_uring/io_uring.c:1182 tctx_task_work+0x7a/0xd0 io_uring/io_uring.c:1200 task_work_run+0x150/0x240 kernel/task_work.c:233 exit_task_work include/linux/task_work.h:40 [inline] do_exit+0x829/0x2a30 kernel/exit.c:971 do_group_exit+0xd5/0x2a0 kernel/exit.c:1112 get_signal+0x1ec7/0x21e0 kernel/signal.c:3034 arch_do_signal_or_restart+0x91/0x7a0 arch/x86/kernel/signal.c:337 __exit_to_user_mode_loop kernel/entry/common.c:41 [inline] exit_to_user_mode_loop+0x86/0x4b0 kernel/entry/common.c:75 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline] syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline] syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline] do_syscall_64+0x4fe/0xf80 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f5a5959aeb9 Code: Unable to access opcode bytes at 0x7f5a5959ae8f. RSP: 002b:00007f5a5a3770e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca RAX: fffffffffffffe00 RBX: 00007f5a59815fa8 RCX: 00007f5a5959aeb9 RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f5a59815fa8 RBP: 00007f5a59815fa0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f5a59816038 R14: 00007ffd9b6dc8c0 R15: 00007ffd9b6dc9a8 Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:__list_del_entry_valid_or_report+0x14a/0x1d0 lib/list_debug.c:62 Code: 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 8d 00 00 00 48 8b 55 00 48 89 e9 48 89 de 48 c7 c7 40 3d fa 8b e8 37 b0 32 fc 90 <0f> 0b 4c 89 e7 e8 3c 24 5d fd 48 89 ea 48 b8 00 00 00 00 00 fc ff RSP: 0018:ffffc90010557860 EFLAGS: 00010082 RAX: 000000000000006d RBX: ffff88805d041b70 RCX: 0000000000000000 RDX: 000000000000006d RSI: ffffffff81e5d6c9 RDI: fffff520020aaefd RBP: ffff8881467185c8 R08: 0000000000000005 R09: 0000000000000000 R10: 0000000080000001 R11: 0000000000000001 R12: ffff88805d041a30 R13: ffff88805d041b88 R14: ffff88805d041b70 R15: ffff88805d041b48 FS: 0000000000000000(0000) GS:ffff8881245d9000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f42701f8ff8 CR3: 000000007a7e0000 CR4: 00000000003526f0