last executing test programs: 1.516008238s ago: executing program 3 (id=133): sendmmsg(0xffffffffffffffff, &(0x7f0000000000), 0x0, 0x0) 1.400054256s ago: executing program 3 (id=139): socket$inet_tcp(0x2, 0x1, 0x0) 1.275890413s ago: executing program 3 (id=143): socket$inet_dccp(0x2, 0x6, 0x0) 922.290925ms ago: executing program 1 (id=156): syz_open_dev$dricontrol(&(0x7f0000000040), 0x0, 0x0) syz_open_dev$dricontrol(&(0x7f0000000080), 0x0, 0x1) syz_open_dev$dricontrol(&(0x7f00000000c0), 0x0, 0x2) syz_open_dev$dricontrol(&(0x7f0000000100), 0x0, 0x800) syz_open_dev$dricontrol(&(0x7f0000000140), 0x1, 0x0) syz_open_dev$dricontrol(&(0x7f0000000180), 0x1, 0x1) syz_open_dev$dricontrol(&(0x7f00000001c0), 0x1, 0x2) syz_open_dev$dricontrol(&(0x7f0000000200), 0x1, 0x800) syz_open_dev$dricontrol(&(0x7f0000000240), 0x2, 0x0) syz_open_dev$dricontrol(&(0x7f0000000280), 0x2, 0x1) syz_open_dev$dricontrol(&(0x7f00000002c0), 0x2, 0x2) syz_open_dev$dricontrol(&(0x7f0000000300), 0x2, 0x800) syz_open_dev$dricontrol(&(0x7f0000000340), 0x3, 0x0) syz_open_dev$dricontrol(&(0x7f0000000380), 0x3, 0x1) syz_open_dev$dricontrol(&(0x7f00000003c0), 0x3, 0x2) syz_open_dev$dricontrol(&(0x7f0000000400), 0x3, 0x800) syz_open_dev$dricontrol(&(0x7f0000000440), 0x4, 0x0) syz_open_dev$dricontrol(&(0x7f0000000480), 0x4, 0x1) syz_open_dev$dricontrol(&(0x7f00000004c0), 0x4, 0x2) syz_open_dev$dricontrol(&(0x7f0000000500), 0x4, 0x800) 792.075241ms ago: executing program 0 (id=159): readahead(0xffffffffffffffff, 0x0, 0x0) 762.305704ms ago: executing program 1 (id=161): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/fuse', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/fuse', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/fuse', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/fuse', 0x800, 0x0) 760.410189ms ago: executing program 2 (id=162): msgget(0xffffffffffffffff, 0x0) 687.946689ms ago: executing program 0 (id=163): openat(0xffffffffffffff9c, 
&(0x7f0000000040)='/proc/thread-self/attr/current', 0x2, 0x0) 662.423978ms ago: executing program 4 (id=164): socket$pptp(0x18, 0x1, 0x2) 642.111405ms ago: executing program 2 (id=165): copy_file_range(0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0) 580.248986ms ago: executing program 0 (id=166): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/ptp0', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/ptp0', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ptp0', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/ptp0', 0x800, 0x0) 580.138205ms ago: executing program 1 (id=167): setuid(0x0) 526.314279ms ago: executing program 1 (id=168): sync() 494.407232ms ago: executing program 2 (id=169): syz_open_dev$I2C(&(0x7f0000000040), 0x0, 0x0) syz_open_dev$I2C(&(0x7f0000000080), 0x0, 0x1) syz_open_dev$I2C(&(0x7f00000000c0), 0x0, 0x2) syz_open_dev$I2C(&(0x7f0000000100), 0x0, 0x800) syz_open_dev$I2C(&(0x7f0000000140), 0x1, 0x0) syz_open_dev$I2C(&(0x7f0000000180), 0x1, 0x1) syz_open_dev$I2C(&(0x7f00000001c0), 0x1, 0x2) syz_open_dev$I2C(&(0x7f0000000200), 0x1, 0x800) syz_open_dev$I2C(&(0x7f0000000240), 0x2, 0x0) syz_open_dev$I2C(&(0x7f0000000280), 0x2, 0x1) syz_open_dev$I2C(&(0x7f00000002c0), 0x2, 0x2) syz_open_dev$I2C(&(0x7f0000000300), 0x2, 0x800) syz_open_dev$I2C(&(0x7f0000000340), 0x3, 0x0) syz_open_dev$I2C(&(0x7f0000000380), 0x3, 0x1) syz_open_dev$I2C(&(0x7f00000003c0), 0x3, 0x2) syz_open_dev$I2C(&(0x7f0000000400), 0x3, 0x800) syz_open_dev$I2C(&(0x7f0000000440), 0x4, 0x0) syz_open_dev$I2C(&(0x7f0000000480), 0x4, 0x1) syz_open_dev$I2C(&(0x7f00000004c0), 0x4, 0x2) syz_open_dev$I2C(&(0x7f0000000500), 0x4, 0x800) 415.75426ms ago: executing program 0 (id=170): syz_open_dev$vim2m(&(0x7f0000000040), 0x0, 0x0) syz_open_dev$vim2m(&(0x7f0000000080), 0x0, 0x1) syz_open_dev$vim2m(&(0x7f00000000c0), 0x0, 0x2) syz_open_dev$vim2m(&(0x7f0000000100), 0x0, 0x800) syz_open_dev$vim2m(&(0x7f0000000140), 0x1, 0x0) 
syz_open_dev$vim2m(&(0x7f0000000180), 0x1, 0x1) syz_open_dev$vim2m(&(0x7f00000001c0), 0x1, 0x2) syz_open_dev$vim2m(&(0x7f0000000200), 0x1, 0x800) syz_open_dev$vim2m(&(0x7f0000000240), 0x2, 0x0) syz_open_dev$vim2m(&(0x7f0000000280), 0x2, 0x1) syz_open_dev$vim2m(&(0x7f00000002c0), 0x2, 0x2) syz_open_dev$vim2m(&(0x7f0000000300), 0x2, 0x800) syz_open_dev$vim2m(&(0x7f0000000340), 0x3, 0x0) syz_open_dev$vim2m(&(0x7f0000000380), 0x3, 0x1) syz_open_dev$vim2m(&(0x7f00000003c0), 0x3, 0x2) syz_open_dev$vim2m(&(0x7f0000000400), 0x3, 0x800) syz_open_dev$vim2m(&(0x7f0000000440), 0x4, 0x0) syz_open_dev$vim2m(&(0x7f0000000480), 0x4, 0x1) syz_open_dev$vim2m(&(0x7f00000004c0), 0x4, 0x2) syz_open_dev$vim2m(&(0x7f0000000500), 0x4, 0x800) 415.548038ms ago: executing program 4 (id=171): mprotect(0x0, 0x0, 0x0) 369.233108ms ago: executing program 4 (id=172): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/btrfs-control', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/btrfs-control', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/btrfs-control', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/btrfs-control', 0x800, 0x0) 329.149897ms ago: executing program 2 (id=173): readlinkat(0xffffffffffffffff, &(0x7f0000000000), &(0x7f0000000000), 0x0) 228.522117ms ago: executing program 3 (id=174): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/null', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/null', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/null', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/null', 0x800, 0x0) 228.322469ms ago: executing program 4 (id=175): clock_adjtime(0x0, &(0x7f0000000000)) 219.078046ms ago: executing program 1 (id=176): inotify_rm_watch(0xffffffffffffffff, 0x0) 156.486544ms ago: executing program 0 (id=177): msgctl$IPC_INFO(0x0, 0x3, &(0x7f0000000000)) 108.076201ms ago: executing program 2 (id=178): lseek(0xffffffffffffffff, 0x0, 0x0) 107.804646ms ago: executing program 3 
(id=179): msgsnd(0x0, &(0x7f0000000000), 0x0, 0x0) 107.5361ms ago: executing program 4 (id=180): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/hpet', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/hpet', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/hpet', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/hpet', 0x800, 0x0) 76.054963ms ago: executing program 1 (id=181): shmctl$IPC_INFO(0x0, 0x3, &(0x7f0000000000)) 72.407423ms ago: executing program 2 (id=182): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vhost-vsock', 0x2, 0x0) 363.953µs ago: executing program 0 (id=183): syz_open_dev$video4linux(&(0x7f0000000040), 0x0, 0x0) syz_open_dev$video4linux(&(0x7f0000000080), 0x0, 0x1) syz_open_dev$video4linux(&(0x7f00000000c0), 0x0, 0x2) syz_open_dev$video4linux(&(0x7f0000000100), 0x0, 0x800) syz_open_dev$video4linux(&(0x7f0000000140), 0x1, 0x0) syz_open_dev$video4linux(&(0x7f0000000180), 0x1, 0x1) syz_open_dev$video4linux(&(0x7f00000001c0), 0x1, 0x2) syz_open_dev$video4linux(&(0x7f0000000200), 0x1, 0x800) syz_open_dev$video4linux(&(0x7f0000000240), 0x2, 0x0) syz_open_dev$video4linux(&(0x7f0000000280), 0x2, 0x1) syz_open_dev$video4linux(&(0x7f00000002c0), 0x2, 0x2) syz_open_dev$video4linux(&(0x7f0000000300), 0x2, 0x800) syz_open_dev$video4linux(&(0x7f0000000340), 0x3, 0x0) syz_open_dev$video4linux(&(0x7f0000000380), 0x3, 0x1) syz_open_dev$video4linux(&(0x7f00000003c0), 0x3, 0x2) syz_open_dev$video4linux(&(0x7f0000000400), 0x3, 0x800) syz_open_dev$video4linux(&(0x7f0000000440), 0x4, 0x0) syz_open_dev$video4linux(&(0x7f0000000480), 0x4, 0x1) syz_open_dev$video4linux(&(0x7f00000004c0), 0x4, 0x2) syz_open_dev$video4linux(&(0x7f0000000500), 0x4, 0x800) 107.615µs ago: executing program 3 (id=184): utime(&(0x7f0000000000), &(0x7f0000000000)) 0s ago: executing program 4 (id=185): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/qat_adf_ctl', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/qat_adf_ctl', 0x1, 0x0) 
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/qat_adf_ctl', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/qat_adf_ctl', 0x800, 0x0) kernel console output (not intermixed with test programs): Warning: Permanently added '10.128.0.55' (ED25519) to the list of known hosts. [ 195.700757][ T5789] cgroup: Unknown subsys name 'net' [ 195.834649][ T5789] cgroup: Unknown subsys name 'cpuset' [ 195.854380][ T5789] cgroup: Unknown subsys name 'rlimit' Setting up swapspace version 1, size = 127995904 bytes [ 202.369460][ T5789] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 210.979049][ T6003] Oops: general protection fault, probably for non-canonical address 0x1e606557fffffe8: 0000 [#1] SMP PTI [ 210.990833][ T6003] CPU: 0 UID: 0 PID: 6003 Comm: syz.2.182 Not tainted 6.16.0-syzkaller-11699-g7e161a991ea7 #0 PREEMPT(none) [ 211.002684][ T6003] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 [ 211.013113][ T6003] RIP: 0010:kfree+0xf2/0xec0 [ 211.018148][ T6003] Code: ef 0c 48 3d 00 10 00 00 41 0f 42 f6 89 75 d0 4f 8d 3c bf 49 c1 e7 04 48 09 4d b0 48 8b 45 80 4a 8d 7c 38 08 0f 85 70 05 00 00 <4c> 8b 27 e8 66 5c 14 00 4c 8b 28 44 8b 32 44 89 e8 83 e0 01 44 89 [ 211.038044][ T6003] RSP: 0018:ffff8881187d7a28 EFLAGS: 00010246 [ 211.044421][ T6003] RAX: ffffea0000000000 RBX: 0000000000000000 RCX: 0000000000000000 [ 211.052603][ T6003] RDX: ffff88821ff13408 RSI: 0000000000000000 RDI: 01e606557fffffe8 [ 211.060890][ T6003] RBP: ffff8881187d7ad0 R08: ffffea000000000f R09: 0000000000000000 [ 211.069264][ T6003] R10: ffff88812e002c20 R11: 0000000000000000 R12: 0000000000000000 [ 211.077463][ T6003] R13: 0000000000000000 R14: 0000000000000000 R15: 01e61c557fffffe0 [ 211.085665][ T6003] FS: 0000000000000000(0000) GS:ffff8881aa69a000(0000) knlGS:0000000000000000 [ 211.094830][ T6003] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 211.101657][ T6003] CR2: 0000001b2e65ffff CR3: 000000011578a000 CR4: 
00000000003526f0 [ 211.110029][ T6003] Call Trace: [ 211.113475][ T6003] <TASK> [ 211.116571][ T6003] ? vhost_dev_cleanup+0x74d/0xf20 [ 211.121975][ T6003] ? kmsan_get_metadata+0xfb/0x160 [ 211.127410][ T6003] vhost_dev_cleanup+0x74d/0xf20 [ 211.132673][ T6003] vhost_vsock_dev_release+0x789/0x850 [ 211.138631][ T6003] ? __pfx_vhost_vsock_dev_release+0x10/0x10 [ 211.144948][ T6003] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0 [ 211.151161][ T6003] ? __pfx_vhost_vsock_dev_release+0x10/0x10 [ 211.157464][ T6003] __fput+0x60b/0x1040 [ 211.161841][ T6003] ? __pfx_____fput+0x10/0x10 [ 211.166784][ T6003] ____fput+0x25/0x30 [ 211.171037][ T6003] task_work_run+0x209/0x2b0 [ 211.175932][ T6003] do_exit+0x99d/0x3d50 [ 211.180396][ T6003] ? kmsan_get_metadata+0xfb/0x160 [ 211.186095][ T6003] do_group_exit+0x259/0x390 [ 211.191134][ T6003] __x64_sys_exit_group+0x35/0x40 [ 211.196586][ T6003] x64_sys_call+0x3e1a/0x3e20 [ 211.201595][ T6003] do_syscall_64+0xd9/0x210 [ 211.206345][ T6003] ? irqentry_exit+0x16/0x60 [ 211.211153][ T6003] ? clear_bhb_loop+0x40/0x90 [ 211.216081][ T6003] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 211.222239][ T6003] RIP: 0033:0x7f94a618eb69 [ 211.226863][ T6003] Code: Unable to access opcode bytes at 0x7f94a618eb3f. 
[ 211.234047][ T6003] RSP: 002b:00007ffed79761c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 211.242722][ T6003] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f94a618eb69 [ 211.250939][ T6003] RDX: ffffffffffffffff RSI: ffffffffffffffff RDI: 0000000000000000 [ 211.259108][ T6003] RBP: 00007ffed797622c R08: 0000000000000001 R09: 00000000000927c0 [ 211.267557][ T6003] R10: 00007f94a6000000 R11: 0000000000000246 R12: 0000000000000028 [ 211.275766][ T6003] R13: 00000000000927c0 R14: 0000000000033775 R15: 00007ffed7976280 [ 211.283969][ T6003] </TASK> [ 211.287137][ T6003] Modules linked in: [ 211.292575][ T6003] ---[ end trace 0000000000000000 ]--- [ 211.300360][ T6003] RIP: 0010:kfree+0xf2/0xec0 [ 211.305446][ T6003] Code: ef 0c 48 3d 00 10 00 00 41 0f 42 f6 89 75 d0 4f 8d 3c bf 49 c1 e7 04 48 09 4d b0 48 8b 45 80 4a 8d 7c 38 08 0f 85 70 05 00 00 <4c> 8b 27 e8 66 5c 14 00 4c 8b 28 44 8b 32 44 89 e8 83 e0 01 44 89 SYZFAIL: failed to recv rpc fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor) [ 211.325534][ T6003] RSP: 0018:ffff8881187d7a28 EFLAGS: 00010246 [ 211.331882][ T6003] RAX: ffffea0000000000 RBX: 0000000000000000 RCX: 0000000000000000 [ 211.340488][ T6003] RDX: ffff88821ff13408 RSI: 0000000000000000 RDI: 01e606557fffffe8 [ 211.348883][ T6003] RBP: ffff8881187d7ad0 R08: ffffea000000000f R09: 0000000000000000 [ 211.357241][ T6003] R10: ffff88812e002c20 R11: 0000000000000000 R12: 0000000000000000 [ 211.365661][ T6003] R13: 0000000000000000 R14: 0000000000000000 R15: 01e61c557fffffe0 [ 211.375156][ T6003] FS: 0000000000000000(0000) GS:ffff8881aa69a000(0000) knlGS:0000000000000000 [ 211.384635][ T6003] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 211.391439][ T6003] CR2: 0000001b2e65ffff CR3: 0000000012666000 CR4: 00000000003526f0 [ 211.399826][ T6003] Kernel panic - not syncing: Fatal exception [ 211.406302][ T6003] Kernel Offset: disabled [ 211.410857][ T6003] Rebooting in 86400 seconds..