last executing test programs: 173.737205ms ago: executing program 3 (id=4): r0 = openat$vhost_vsock(0xffffffffffffff9c, &(0x7f00000015c0), 0x2, 0x0) ioctl$VHOST_SET_OWNER(r0, 0xaf01, 0x0) ioctl$VHOST_SET_VRING_ERR(r0, 0x4004af61, &(0x7f0000000240)) 115.000867ms ago: executing program 0 (id=1): r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000100), 0x1c1401, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe5000/0x18000)=nil, &(0x7f0000000200)=[@text32={0x20, &(0x7f0000000000)="3e650f23310f20d6f26f0f22c00f70f7000f011e0f01ba00000000360f7984df153100000f01b9050900004ac786c7230f30c4e191c2e8000f0fbfdb6a00001d", 0x40}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(0xffffffffffffffff, 0xae80, 0x0) 107.436767ms ago: executing program 1 (id=2): r0 = openat$selinux_status(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0) close_range(r0, 0xffffffffffffffff, 0x2) syz_open_dev$evdev(&(0x7f0000000000), 0x1, 0x2002) read$eventfd(r0, 0x0, 0x0) 10.491241ms ago: executing program 1 (id=5): mkdir(&(0x7f0000000100)='./bus\x00', 0x1c8) mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0) chdir(&(0x7f00000001c0)='./bus\x00') munmap(&(0x7f0000002000/0x1000)=nil, 0x1000) r0 = open(&(0x7f00000000c0)='.\x00', 0x101000, 0x190) getdents(r0, &(0x7f0000000040)=""/48, 0x30) getdents(r0, &(0x7f0000001fc0)=""/184, 0xb8) 10.364461ms ago: executing program 3 (id=6): r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040), 0x20040, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, 0x0}], 0x1, 0x74, 0x0, 0x0) mkdir(&(0x7f0000000400)='./file0\x00', 0x0) mount$incfs(&(0x7f0000000080)='./file0\x00', &(0x7f0000000140)='./file0\x00', &(0x7f00000005c0), 0x2010800, 0x0) r3 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x0, 0x8c) r4 = openat$incfs(r3, &(0x7f00000001c0)='.pending_reads\x00', 0x0, 0x130) ioctl$TIOCL_GETKMSGREDIRECT(r4, 0x40106726, &(0x7f00000000c0)) 10.31059ms ago: executing program 2 (id=3): r0 = socket$inet6_udp(0xa, 0x2, 0x0) setsockopt$inet6_IPV6_FLOWLABEL_MGR(r0, 0x29, 0x20, &(0x7f0000000080)={@private1, 0x8000000, 0x2, 0x0, 0x1, 0x35, 0x4}, 0x20) 0s ago: executing program 2 (id=7): mkdirat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x1c0) pipe2$9p(&(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}, 0x800) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000280)=0x8) write$P9_RVERSION(r1, &(0x7f0000000280)=ANY=[@ANYBLOB="1500000065ffff097b00000800395032303030"], 0x15) r2 = dup(r1) write$FUSE_BMAP(r2, &(0x7f0000000100)={0x18}, 0x18) write$FUSE_NOTIFY_RETRIEVE(r2, &(0x7f00000000c0)={0x14c}, 0x137) mount$9p_fd(0x0, &(0x7f0000000040)='./file0\x00', &(0x7f0000000b80), 0x0, &(0x7f0000000140)={'trans=fd,', {'rfdno', 0x3d, r0}, 0x2c, {'wfdno', 0x3d, r2}}) open(&(0x7f0000000000)='./file0\x00', 0x8000, 0x112) kernel console output (not intermixed with test programs): Warning: Permanently added '10.128.1.89' (ED25519) to the list of known hosts. [ 25.914720][ T36] audit: type=1400 audit(1774666957.170:64): avc: denied { mounton } for pid=283 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2022 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 25.918169][ T283] cgroup: Unknown subsys name 'net' [ 25.937479][ T36] audit: type=1400 audit(1774666957.170:65): avc: denied { mount } for pid=283 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 25.964838][ T36] audit: type=1400 audit(1774666957.200:66): avc: denied { unmount } for pid=283 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 25.965307][ T283] cgroup: Unknown subsys name 'devices' [ 26.126423][ T283] cgroup: Unknown subsys name 'hugetlb' [ 26.132067][ T283] cgroup: Unknown subsys name 'rlimit' [ 26.287041][ T36] audit: type=1400 audit(1774666957.540:67): avc: denied { setattr } for pid=283 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=190 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 26.310272][ T36] audit: type=1400 audit(1774666957.540:68): avc: denied { mounton } for pid=283 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 [ 26.335215][ T36] audit: type=1400 audit(1774666957.540:69): avc: denied { mount } for pid=283 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1 [ 26.354322][ T285] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). Setting up swapspace version 1, size = 127995904 bytes [ 26.367147][ T36] audit: type=1400 audit(1774666957.620:70): avc: denied { relabelto } for pid=285 comm="mkswap" name="swap-file" dev="sda1" ino=2025 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 26.389816][ T283] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 26.392667][ T36] audit: type=1400 audit(1774666957.620:71): avc: denied { write } for pid=285 comm="mkswap" path="/root/swap-file" dev="sda1" ino=2025 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 26.426921][ T36] audit: type=1400 audit(1774666957.640:72): avc: denied { read } for pid=283 comm="syz-executor" name="swap-file" dev="sda1" ino=2025 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 26.452488][ T36] audit: type=1400 audit(1774666957.640:73): avc: denied { open } for pid=283 comm="syz-executor" path="/root/swap-file" dev="sda1" ino=2025 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 27.287105][ T291] bridge0: port 1(bridge_slave_0) entered blocking state [ 27.294562][ T291] bridge0: port 1(bridge_slave_0) entered disabled state [ 27.301622][ T291] bridge_slave_0: entered allmulticast mode [ 27.308062][ T291] bridge_slave_0: entered promiscuous mode [ 27.316189][ T291] bridge0: port 2(bridge_slave_1) entered blocking state [ 27.323238][ T291] bridge0: port 2(bridge_slave_1) entered disabled state [ 27.330490][ T291] bridge_slave_1: entered allmulticast mode [ 27.336911][ T291] bridge_slave_1: entered promiscuous mode [ 27.374236][ T293] bridge0: port 1(bridge_slave_0) entered blocking state [ 27.381419][ T293] bridge0: port 1(bridge_slave_0) entered disabled state [ 27.388607][ T293] bridge_slave_0: entered allmulticast mode [ 27.395116][ T293] bridge_slave_0: entered promiscuous mode [ 27.418356][ T293] bridge0: port 2(bridge_slave_1) entered blocking state [ 27.425480][ T293] bridge0: port 2(bridge_slave_1) entered disabled state [ 27.432562][ T293] bridge_slave_1: entered allmulticast mode [ 27.438943][ T293] bridge_slave_1: entered promiscuous mode [ 27.463444][ T290] bridge0: port 1(bridge_slave_0) entered blocking state [ 27.470700][ T290] bridge0: port 1(bridge_slave_0) entered disabled state [ 27.477840][ T290] bridge_slave_0: entered allmulticast mode [ 27.484165][ T290] bridge_slave_0: entered promiscuous mode [ 27.490637][ T290] bridge0: port 2(bridge_slave_1) entered blocking state [ 27.497722][ T290] bridge0: port 2(bridge_slave_1) entered disabled state [ 27.504820][ T290] bridge_slave_1: entered allmulticast mode [ 27.511133][ T290] bridge_slave_1: entered promiscuous mode [ 27.549677][ T292] bridge0: port 1(bridge_slave_0) entered blocking state [ 27.556856][ T292] bridge0: port 1(bridge_slave_0) entered disabled state [ 27.564006][ T292] bridge_slave_0: entered allmulticast mode [ 27.570279][ T292] bridge_slave_0: entered promiscuous mode [ 27.590729][ T292] bridge0: port 2(bridge_slave_1) entered blocking state [ 27.597882][ T292] bridge0: port 2(bridge_slave_1) entered disabled state [ 27.605131][ T292] bridge_slave_1: entered allmulticast mode [ 27.611378][ T292] bridge_slave_1: entered promiscuous mode [ 27.710450][ T293] bridge0: port 2(bridge_slave_1) entered blocking state [ 27.717583][ T293] bridge0: port 2(bridge_slave_1) entered forwarding state [ 27.724914][ T293] bridge0: port 1(bridge_slave_0) entered blocking state [ 27.731968][ T293] bridge0: port 1(bridge_slave_0) entered forwarding state [ 27.760031][ T291] bridge0: port 2(bridge_slave_1) entered blocking state [ 27.767220][ T291] bridge0: port 2(bridge_slave_1) entered forwarding state [ 27.774524][ T291] bridge0: port 1(bridge_slave_0) entered blocking state [ 27.781570][ T291] bridge0: port 1(bridge_slave_0) entered forwarding state [ 27.798343][ T290] bridge0: port 2(bridge_slave_1) entered blocking state [ 27.805439][ T290] bridge0: port 2(bridge_slave_1) entered forwarding state [ 27.812715][ T290] bridge0: port 1(bridge_slave_0) entered blocking state [ 27.819776][ T290] bridge0: port 1(bridge_slave_0) entered forwarding state [ 27.830427][ T292] bridge0: port 2(bridge_slave_1) entered blocking state [ 27.837622][ T292] bridge0: port 2(bridge_slave_1) entered forwarding state [ 27.844928][ T292] bridge0: port 1(bridge_slave_0) entered blocking state [ 27.851968][ T292] bridge0: port 1(bridge_slave_0) entered forwarding state [ 27.888502][ T12] bridge0: port 1(bridge_slave_0) entered disabled state [ 27.895936][ T12] bridge0: port 2(bridge_slave_1) entered disabled state [ 27.903491][ T12] bridge0: port 1(bridge_slave_0) entered disabled state [ 27.910890][ T12] bridge0: port 2(bridge_slave_1) entered disabled state [ 27.918617][ T12] bridge0: port 1(bridge_slave_0) entered disabled state [ 27.925920][ T12] bridge0: port 2(bridge_slave_1) entered disabled state [ 27.933173][ T12] bridge0: port 1(bridge_slave_0) entered disabled state [ 27.940662][ T12] bridge0: port 2(bridge_slave_1) entered disabled state [ 27.956811][ T12] bridge0: port 1(bridge_slave_0) entered blocking state [ 27.963952][ T12] bridge0: port 1(bridge_slave_0) entered forwarding state [ 27.971655][ T12] bridge0: port 2(bridge_slave_1) entered blocking state [ 27.978755][ T12] bridge0: port 2(bridge_slave_1) entered forwarding state [ 28.005236][ T12] bridge0: port 1(bridge_slave_0) entered blocking state [ 28.012316][ T12] bridge0: port 1(bridge_slave_0) entered forwarding state [ 28.020360][ T12] bridge0: port 2(bridge_slave_1) entered blocking state [ 28.027430][ T12] bridge0: port 2(bridge_slave_1) entered forwarding state [ 28.044765][ T12] bridge0: port 1(bridge_slave_0) entered blocking state [ 28.051845][ T12] bridge0: port 1(bridge_slave_0) entered forwarding state [ 28.059747][ T12] bridge0: port 2(bridge_slave_1) entered blocking state [ 28.066834][ T12] bridge0: port 2(bridge_slave_1) entered forwarding state [ 28.096791][ T293] veth0_vlan: entered promiscuous mode [ 28.106879][ T13] bridge0: port 1(bridge_slave_0) entered blocking state [ 28.113987][ T13] bridge0: port 1(bridge_slave_0) entered forwarding state [ 28.126086][ T13] bridge0: port 2(bridge_slave_1) entered blocking state [ 28.133156][ T13] bridge0: port 2(bridge_slave_1) entered forwarding state [ 28.156419][ T293] veth1_macvtap: entered promiscuous mode [ 28.176346][ T290] veth0_vlan: entered promiscuous mode [ 28.190694][ T291] veth0_vlan: entered promiscuous mode [ 28.211205][ T290] veth1_macvtap: entered promiscuous mode [ 28.234692][ T291] veth1_macvtap: entered promiscuous mode [ 28.246941][ T293] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality. [ 28.267681][ T292] veth0_vlan: entered promiscuous mode [ 28.311018][ T292] veth1_macvtap: entered promiscuous mode [ 28.346115][ T313] kvm_intel: L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details. [ 28.405035][ T320] incfs: iterate_incfs_dir / -22 [ 28.425575][ T321] ------------[ cut here ]------------ [ 28.431115][ T321] WARNING: CPU: 0 PID: 321 at mm/page_alloc.c:5268 __alloc_pages_noprof+0x109/0x7e0 [ 28.440661][ T321] Modules linked in: [ 28.444672][ T321] CPU: 0 UID: 0 PID: 321 Comm: syz.3.6 Not tainted syzkaller #0 7beaeb3ad893ecbf8bcfcfada8847ce2a8dfc7fe [ 28.455958][ T321] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026 [ 28.466136][ T321] RIP: 0010:__alloc_pages_noprof+0x109/0x7e0 [ 28.472194][ T321] Code: 00 0f 1f 44 00 00 83 fb 0b 72 28 b8 00 20 00 00 23 44 24 40 75 1d 80 3d 0a 7f 0b 06 00 0f 85 c2 00 00 00 c6 05 fd 7e 0b 06 01 <0f> 0b 31 c0 e9 b4 00 00 00 83 fb 0a 0f 87 a9 00 00 00 44 8b 64 24 [ 28.491937][ T321] RSP: 0018:ffffc9000c05f980 EFLAGS: 00010246 [ 28.498103][ T321] RAX: 0000000000000000 RBX: 0000000000000034 RCX: 0000000000000000 [ 28.506168][ T321] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffc9000c05fa38 [ 28.514256][ T321] RBP: ffffc9000c05faa8 R08: ffffc9000c05fa37 R09: 0000000000000000 [ 28.522268][ T321] R10: ffffc9000c05fa20 R11: fffff5200180bf47 R12: ffffc9000c05f9c0 [ 28.530343][ T321] R13: dffffc0000000000 R14: 1ffff9200180bf34 R15: 0000000000000000 [ 28.538440][ T321] FS: 00007f0cc25a86c0(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000 [ 28.547461][ T321] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 28.554127][ T321] CR2: 0000200000002000 CR3: 0000000130b1a000 CR4: 00000000003526b0 [ 28.562139][ T321] Call Trace: [ 28.565498][ T321] [ 28.568450][ T321] ? preempt_schedule_thunk+0x1a/0x40 [ 28.573829][ T321] ? __cfi___alloc_pages_noprof+0x10/0x10 [ 28.579678][ T321] ? try_to_wake_up+0xf9e/0x1db0 [ 28.584710][ T321] ? stack_trace_save+0xaa/0x100 [ 28.589671][ T321] ? pending_reads_dispatch_ioctl+0xc86/0x2080 [ 28.595946][ T321] ___kmalloc_large_node+0x81/0x210 [ 28.601195][ T321] ? pending_reads_dispatch_ioctl+0xc86/0x2080 [ 28.607430][ T321] __kmalloc_large_node_noprof+0x1e/0xd0 [ 28.613107][ T321] ? pending_reads_dispatch_ioctl+0xc86/0x2080 [ 28.619367][ T321] __kmalloc_noprof+0x326/0x500 [ 28.624304][ T321] pending_reads_dispatch_ioctl+0xc86/0x2080 [ 28.630344][ T321] ? __cfi_pending_reads_dispatch_ioctl+0x10/0x10 [ 28.636888][ T321] ? selinux_file_ioctl+0x732/0x1480 [ 28.642229][ T321] ? __cfi_selinux_file_ioctl+0x10/0x10 [ 28.647853][ T321] ? do_futex+0x37d/0x510 [ 28.652230][ T321] ? __cfi_do_futex+0x10/0x10 [ 28.657012][ T321] ? __fget_files+0x2c5/0x340 [ 28.661736][ T321] ? bpf_lsm_file_ioctl+0xd/0x20 [ 28.666854][ T321] ? security_file_ioctl+0x3e/0x110 [ 28.672098][ T321] ? __cfi_pending_reads_dispatch_ioctl+0x10/0x10 [ 28.678629][ T321] __se_sys_ioctl+0x132/0x1b0 [ 28.683348][ T321] __x64_sys_ioctl+0x7f/0xa0 [ 28.688052][ T321] x64_sys_call+0x1878/0x2ee0 [ 28.692803][ T321] do_syscall_64+0x57/0xf0 [ 28.697309][ T321] ? clear_bhb_loop+0x50/0xa0 [ 28.702044][ T321] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 28.708042][ T321] RIP: 0033:0x7f0cc179c799 [ 28.712504][ T321] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 28.732187][ T321] RSP: 002b:00007f0cc25a8028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 28.740687][ T321] RAX: ffffffffffffffda RBX: 00007f0cc1a15fa0 RCX: 00007f0cc179c799 [ 28.748738][ T321] RDX: 00002000000000c0 RSI: 0000000040106726 RDI: 0000000000000007 [ 28.756834][ T321] RBP: 00007f0cc1832c99 R08: 0000000000000000 R09: 0000000000000000 [ 28.764873][ T321] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 28.772874][ T321] R13: 00007f0cc1a16038 R14: 00007f0cc1a15fa0 R15: 00007ffceaa178c8 [ 28.780967][ T321] [ 28.784054][ T321] ---[ end trace 0000000000000000 ]--- [ 28.789975][ T291] ------------[ cut here ]------------ [ 28.795561][ T291] WARNING: CPU: 1 PID: 291 at fs/inode.c:340 drop_nlink+0xce/0x110 [ 28.803502][ T291] Modules linked in: [ 28.807467][ T291] CPU: 1 UID: 0 PID: 291 Comm: syz-executor Tainted: G W syzkaller #0 7beaeb3ad893ecbf8bcfcfada8847ce2a8dfc7fe [ 28.820736][ T291] Tainted: [W]=WARN [ 28.824608][ T291] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026 [ 28.834767][ T291] RIP: 0010:drop_nlink+0xce/0x110 [ 28.839827][ T291] Code: 04 00 00 be 08 00 00 00 e8 df 15 ee ff f0 48 ff 83 b8 04 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc e8 f2 e5 95 ff <0f> 0b eb 81 44 89 f1 80 e1 07 80 c1 03 38 c1 0f 8c 59 ff ff ff 4c [ 28.859562][ T291] RSP: 0018:ffffc9000b6cfc60 EFLAGS: 00010293 [ 28.865696][ T291] RAX: ffffffff81f1c4be RBX: ffff88813143f838 RCX: ffff888102f62600 [ 28.873704][ T291] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 28.881761][ T291] RBP: ffffc9000b6cfc88 R08: 0000000000000003 R09: 0000000000000004 [ 28.889814][ T291] R10: dffffc0000000000 R11: fffff520016d9f7c R12: dffffc0000000000 [ 28.897881][ T291] R13: 1ffff11026287f10 R14: ffff88813143f880 R15: 0000000000000000 [ 28.905919][ T291] FS: 0000555574815500(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000 [ 28.915010][ T291] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 28.921624][ T291] CR2: 0000555574838948 CR3: 000000012eeae000 CR4: 00000000003526b0 [ 28.929652][ T291] Call Trace: [ 28.932957][ T291] [ 28.935955][ T291] shmem_rmdir+0x5f/0x90 [ 28.940240][ T291] vfs_rmdir+0x3e3/0x560 [ 28.944550][ T291] incfs_kill_sb+0x109/0x230 [ 28.949194][ T291] deactivate_locked_super+0xd5/0x2a0 [ 28.954634][ T291] deactivate_super+0xb8/0xe0 [ 28.959342][ T291] cleanup_mnt+0x406/0x4a0 [ 28.963769][ T291] __cleanup_mnt+0x1d/0x40 [ 28.968242][ T291] task_work_run+0x1e5/0x260 [ 28.972855][ T291] ? __cfi_task_work_run+0x10/0x10 [ 28.978011][ T291] ? __x64_sys_umount+0x12e/0x180 [ 28.983069][ T291] ? __cfi___x64_sys_umount+0x10/0x10 [ 28.988545][ T291] ? __kasan_check_read+0x15/0x20 [ 28.993604][ T291] resume_user_mode_work+0x35/0x50 [ 28.998877][ T291] syscall_exit_to_user_mode+0x63/0xb0 [ 29.004405][ T291] do_syscall_64+0x63/0xf0 [ 29.008861][ T291] ? clear_bhb_loop+0x50/0xa0 [ 29.013560][ T291] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 29.019506][ T291] RIP: 0033:0x7f25fe39d9d7 [ 29.024025][ T291] Code: a2 c7 05 1c fd 24 00 00 00 00 00 eb 96 e8 e1 12 00 00 90 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 e8 ff ff ff f7 d8 64 89 02 b8 [ 29.043692][ T291] RSP: 002b:00007ffe6c796638 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 [ 29.052163][ T291] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f25fe39d9d7 [ 29.060193][ T291] RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffe6c7966f0 [ 29.068260][ T291] RBP: 00007ffe6c7966f0 R08: 00007ffe6c7976f0 R09: 00000000ffffffff [ 29.076383][ T291] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe6c797780 [ 29.084414][ T291] R13: 00007f25fe432050 R14: 0000000000006efa R15: 00007ffe6c7977c0 [ 29.092419][ T291] [ 29.095500][ T291] ---[ end trace 0000000000000000 ]--- [ 29.101071][ T291] ================================================================== [ 29.109172][ T291] BUG: KASAN: null-ptr-deref in ihold+0x24/0x70 [ 29.115414][ T291] Write of size 4 at addr 0000000000000168 by task syz-executor/291 [ 29.123399][ T291] [ 29.125749][ T291] CPU: 0 UID: 0 PID: 291 Comm: syz-executor Tainted: G W syzkaller #0 7beaeb3ad893ecbf8bcfcfada8847ce2a8dfc7fe [ 29.125772][ T291] Tainted: [W]=WARN [ 29.125778][ T291] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026 [ 29.125788][ T291] Call Trace: [ 29.125793][ T291] [ 29.125801][ T291] __dump_stack+0x21/0x30 [ 29.125823][ T291] dump_stack_lvl+0x140/0x1c0 [ 29.125844][ T291] ? __cfi_dump_stack_lvl+0x10/0x10 [ 29.125866][ T291] print_report+0x3d/0x70 [ 29.125885][ T291] kasan_report+0x162/0x1a0 [ 29.125901][ T291] ? ihold+0x24/0x70 [ 29.125915][ T291] ? _raw_spin_unlock+0x45/0x60 [ 29.125936][ T291] ? ihold+0x24/0x70 [ 29.125950][ T291] kasan_check_range+0x25a/0x2b0 [ 29.125966][ T291] __kasan_check_write+0x18/0x20 [ 29.125992][ T291] ihold+0x24/0x70 [ 29.126005][ T291] vfs_rmdir+0x26a/0x560 [ 29.126024][ T291] incfs_kill_sb+0x109/0x230 [ 29.126046][ T291] deactivate_locked_super+0xd5/0x2a0 [ 29.126065][ T291] deactivate_super+0xb8/0xe0 [ 29.126082][ T291] cleanup_mnt+0x406/0x4a0 [ 29.126097][ T291] __cleanup_mnt+0x1d/0x40 [ 29.126111][ T291] task_work_run+0x1e5/0x260 [ 29.126130][ T291] ? __cfi_task_work_run+0x10/0x10 [ 29.126147][ T291] ? __x64_sys_umount+0x12e/0x180 [ 29.126167][ T291] ? __cfi___x64_sys_umount+0x10/0x10 [ 29.126187][ T291] ? __kasan_check_read+0x15/0x20 [ 29.126208][ T291] resume_user_mode_work+0x35/0x50 [ 29.126230][ T291] syscall_exit_to_user_mode+0x63/0xb0 [ 29.126260][ T291] do_syscall_64+0x63/0xf0 [ 29.126280][ T291] ? clear_bhb_loop+0x50/0xa0 [ 29.126303][ T291] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 29.126324][ T291] RIP: 0033:0x7f25fe39d9d7 [ 29.126337][ T291] Code: a2 c7 05 1c fd 24 00 00 00 00 00 eb 96 e8 e1 12 00 00 90 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 e8 ff ff ff f7 d8 64 89 02 b8 [ 29.126350][ T291] RSP: 002b:00007ffe6c796638 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 [ 29.126366][ T291] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f25fe39d9d7 [ 29.126376][ T291] RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffe6c7966f0 [ 29.126386][ T291] RBP: 00007ffe6c7966f0 R08: 00007ffe6c7976f0 R09: 00000000ffffffff [ 29.126397][ T291] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe6c797780 [ 29.126407][ T291] R13: 00007f25fe432050 R14: 0000000000006efa R15: 00007ffe6c7977c0 [ 29.126420][ T291] [ 29.126425][ T291] ================================================================== [ 29.372748][ T291] Disabling lock debugging due to kernel taint [ 29.381143][ T291] BUG: kernel NULL pointer dereference, address: 0000000000000168 [ 29.388997][ T291] #PF: supervisor write access in kernel mode [ 29.395104][ T291] #PF: error_code(0x0002) - not-present page [ 29.401089][ T291] PGD 800000013156b067 P4D 800000013156b067 PUD 0 [ 29.407606][ T291] Oops: Oops: 0002 [#1] PREEMPT SMP KASAN PTI [ 29.413696][ T291] CPU: 1 UID: 0 PID: 291 Comm: syz-executor Tainted: G B W syzkaller #0 7beaeb3ad893ecbf8bcfcfada8847ce2a8dfc7fe [ 29.426988][ T291] Tainted: [B]=BAD_PAGE, [W]=WARN [ 29.432006][ T291] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026 [ 29.442067][ T291] RIP: 0010:ihold+0x2a/0x70 [ 29.446600][ T291] Code: f3 0f 1e fa 55 48 89 e5 41 56 53 48 89 fb e8 dd dc 95 ff 48 8d bb 68 01 00 00 be 04 00 00 00 e8 9c 0c ee ff 41 be 01 00 00 00 44 0f c1 b3 68 01 00 00 41 ff c6 bf 02 00 00 00 44 89 f6 e8 ed [ 29.466229][ T291] RSP: 0018:ffffc9000b6cfca0 EFLAGS: 00010246 [ 29.472305][ T291] RAX: ffff888102f62600 RBX: 0000000000000000 RCX: ffff888102f62600 [ 29.480288][ T291] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 29.488267][ T291] RBP: ffffc9000b6cfcb0 R08: ffffffff88b98947 R09: 1ffffffff1173128 [ 29.496248][ T291] R10: dffffc0000000000 R11: fffffbfff1173129 R12: ffff88813143f844 [ 29.504225][ T291] R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000 [ 29.512213][ T291] FS: 0000555574815500(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000 [ 29.521145][ T291] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 29.527741][ T291] CR2: 0000000000000168 CR3: 000000012eeae000 CR4: 00000000003526b0 [ 29.535716][ T291] Call Trace: [ 29.539010][ T291] [ 29.541967][ T291] vfs_rmdir+0x26a/0x560 [ 29.546218][ T291] incfs_kill_sb+0x109/0x230 [ 29.550814][ T291] deactivate_locked_super+0xd5/0x2a0 [ 29.556218][ T291] deactivate_super+0xb8/0xe0 [ 29.560942][ T291] cleanup_mnt+0x406/0x4a0 [ 29.565381][ T291] __cleanup_mnt+0x1d/0x40 [ 29.569809][ T291] task_work_run+0x1e5/0x260 [ 29.574422][ T291] ? __cfi_task_work_run+0x10/0x10 [ 29.579552][ T291] ? __x64_sys_umount+0x12e/0x180 [ 29.584581][ T291] ? __cfi___x64_sys_umount+0x10/0x10 [ 29.589968][ T291] ? __kasan_check_read+0x15/0x20 [ 29.595018][ T291] resume_user_mode_work+0x35/0x50 [ 29.600138][ T291] syscall_exit_to_user_mode+0x63/0xb0 [ 29.605609][ T291] do_syscall_64+0x63/0xf0 [ 29.610033][ T291] ? clear_bhb_loop+0x50/0xa0 [ 29.614727][ T291] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 29.620630][ T291] RIP: 0033:0x7f25fe39d9d7 [ 29.625046][ T291] Code: a2 c7 05 1c fd 24 00 00 00 00 00 eb 96 e8 e1 12 00 00 90 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 e8 ff ff ff f7 d8 64 89 02 b8 [ 29.644658][ T291] RSP: 002b:00007ffe6c796638 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 [ 29.653164][ T291] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f25fe39d9d7 [ 29.661157][ T291] RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffe6c7966f0 [ 29.669131][ T291] RBP: 00007ffe6c7966f0 R08: 00007ffe6c7976f0 R09: 00000000ffffffff [ 29.677103][ T291] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe6c797780 [ 29.685074][ T291] R13: 00007f25fe432050 R14: 0000000000006efa R15: 00007ffe6c7977c0 [ 29.693047][ T291] [ 29.696067][ T291] Modules linked in: [ 29.699974][ T291] CR2: 0000000000000168 [ 29.704133][ T291] ---[ end trace 0000000000000000 ]--- [ 29.709582][ T291] RIP: 0010:ihold+0x2a/0x70 [ 29.714096][ T291] Code: f3 0f 1e fa 55 48 89 e5 41 56 53 48 89 fb e8 dd dc 95 ff 48 8d bb 68 01 00 00 be 04 00 00 00 e8 9c 0c ee ff 41 be 01 00 00 00 44 0f c1 b3 68 01 00 00 41 ff c6 bf 02 00 00 00 44 89 f6 e8 ed [ 29.733729][ T291] RSP: 0018:ffffc9000b6cfca0 EFLAGS: 00010246 [ 29.739813][ T291] RAX: ffff888102f62600 RBX: 0000000000000000 RCX: ffff888102f62600 [ 29.747788][ T291] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 29.755760][ T291] RBP: ffffc9000b6cfcb0 R08: ffffffff88b98947 R09: 1ffffffff1173128 [ 29.763729][ T291] R10: dffffc0000000000 R11: fffffbfff1173129 R12: ffff88813143f844 [ 29.771699][ T291] R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000 [ 29.779682][ T291] FS: 0000555574815500(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000 [ 29.788649][ T291] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 29.795237][ T291] CR2: 0000000000000168 CR3: 000000012eeae000 CR4: 00000000003526b0 [ 29.803214][ T291] Kernel panic - not syncing: Fatal exception [ 29.809876][ T291] Kernel Offset: disabled [ 29.814206][ T291] Rebooting in 86400 seconds..