last executing test programs: 1.172903368s ago: executing program 1 (id=21): openat(0xffffffffffffff9c, &(0x7f0000000040)='/proc/cmdline', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/proc/cmdline', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/proc/cmdline', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/proc/cmdline', 0x800, 0x0) 1.084627024s ago: executing program 1 (id=23): removexattr(&(0x7f0000000000), &(0x7f0000000000)) 905.732749ms ago: executing program 1 (id=29): syz_open_dev$sndpcmc(&(0x7f0000000040), 0x0, 0x0) syz_open_dev$sndpcmc(&(0x7f0000000080), 0x0, 0x1) syz_open_dev$sndpcmc(&(0x7f00000000c0), 0x0, 0x2) syz_open_dev$sndpcmc(&(0x7f0000000100), 0x0, 0x800) syz_open_dev$sndpcmc(&(0x7f0000000140), 0xa, 0x0) syz_open_dev$sndpcmc(&(0x7f0000000180), 0xa, 0x1) syz_open_dev$sndpcmc(&(0x7f00000001c0), 0xa, 0x2) syz_open_dev$sndpcmc(&(0x7f0000000200), 0xa, 0x800) syz_open_dev$sndpcmc(&(0x7f0000000240), 0x14, 0x0) syz_open_dev$sndpcmc(&(0x7f0000000280), 0x14, 0x1) syz_open_dev$sndpcmc(&(0x7f00000002c0), 0x14, 0x2) syz_open_dev$sndpcmc(&(0x7f0000000300), 0x14, 0x800) syz_open_dev$sndpcmc(&(0x7f0000000340), 0x1e, 0x0) syz_open_dev$sndpcmc(&(0x7f0000000380), 0x1e, 0x1) syz_open_dev$sndpcmc(&(0x7f00000003c0), 0x1e, 0x2) syz_open_dev$sndpcmc(&(0x7f0000000400), 0x1e, 0x800) syz_open_dev$sndpcmc(&(0x7f0000000440), 0x28, 0x0) syz_open_dev$sndpcmc(&(0x7f0000000480), 0x28, 0x1) syz_open_dev$sndpcmc(&(0x7f00000004c0), 0x28, 0x2) syz_open_dev$sndpcmc(&(0x7f0000000500), 0x28, 0x800) 799.989048ms ago: executing program 1 (id=36): umount2(&(0x7f0000000000), 0x0) 701.248675ms ago: executing program 1 (id=40): socket$inet_dccp(0x2, 0x6, 0x0) 624.142082ms ago: executing program 4 (id=43): set_tid_address(&(0x7f0000000000)) 569.127064ms ago: executing program 3 (id=45): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/i915', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/i915', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/i915', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/i915', 0x800, 0x0) 512.180622ms ago: executing program 3 (id=47): fspick(0xffffffffffffffff, &(0x7f0000000000), 0x0) 511.834736ms ago: executing program 4 (id=48): mq_timedreceive(0xffffffffffffffff, &(0x7f0000000000), 0x0, 0x0, 0x0) 461.69858ms ago: executing program 0 (id=49): openat(0xffffffffffffff9c, &(0x7f0000000040)='/selinux/checkreqprot', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/selinux/checkreqprot', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/selinux/checkreqprot', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/selinux/checkreqprot', 0x800, 0x0) 461.509879ms ago: executing program 2 (id=50): userfaultfd(0x0) 447.939067ms ago: executing program 4 (id=51): mlockall(0x0) 405.198268ms ago: executing program 3 (id=52): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/video0', 0x2, 0x0) 352.111513ms ago: executing program 0 (id=53): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/video36', 0x2, 0x0) 351.944009ms ago: executing program 2 (id=54): set_robust_list(&(0x7f0000000000), 0x0) 334.243012ms ago: executing program 4 (id=55): futex_waitv(&(0x7f0000000000), 0x0, 0x0, &(0x7f0000000000), 0x0) 312.51042ms ago: executing program 2 (id=56): membarrier(0x0, 0x0) 261.295321ms ago: executing program 0 (id=57): lremovexattr(&(0x7f0000000000), &(0x7f0000000000)) 261.086691ms ago: executing program 3 (id=58): openat(0xffffffffffffff9c, &(0x7f0000000040)='/sys/class/mac80211_hwsim/', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/sys/class/mac80211_hwsim/', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/sys/class/mac80211_hwsim/', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/sys/class/mac80211_hwsim/', 0x800, 0x0) 232.938068ms ago: executing program 0 (id=59): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/cdrom', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/cdrom', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/cdrom', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/cdrom', 0x800, 0x0) 217.293622ms ago: executing program 4 (id=60): rt_sigtimedwait(&(0x7f0000000000), 0x0, &(0x7f0000000000), 0x0) 157.468506ms ago: executing program 2 (id=61): openat(0xffffffffffffff9c, &(0x7f0000000040)='/selinux/enforce', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/selinux/enforce', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/selinux/enforce', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/selinux/enforce', 0x800, 0x0) 157.130516ms ago: executing program 3 (id=62): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/hwbinder', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/hwbinder', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/hwbinder', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/hwbinder', 0x800, 0x0) 141.249419ms ago: executing program 0 (id=63): openat(0xffffffffffffff9c, &(0x7f0000000040)='/sys/fs/smackfs/syslog', 0x2, 0x0) 111.589458ms ago: executing program 2 (id=64): iopl(0x0) 45.755364ms ago: executing program 4 (id=65): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vhost-vsock', 0x2, 0x0) 45.531096ms ago: executing program 3 (id=66): epoll_pwait2(0xffffffffffffffff, &(0x7f0000000000), 0x0, &(0x7f0000000000), &(0x7f0000000000), 0x0) 45.326712ms ago: executing program 0 (id=67): openat(0xffffffffffffff9c, &(0x7f0000000040)='/proc/keys', 0x0, 0x0) 23.771702ms ago: executing program 2 (id=68): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rtc0', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/rtc0', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/rtc0', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/rtc0', 0x800, 0x0) 0s ago: executing program 1 (id=69): syz_init_net_socket$netrom(0x6, 0x5, 0x0) kernel console output (not intermixed with test programs): Warning: Permanently added '10.128.0.13' (ED25519) to the list of known hosts. [ 169.127501][ T5796] cgroup: Unknown subsys name 'net' [ 169.276630][ T5796] cgroup: Unknown subsys name 'cpuset' [ 169.291126][ T5796] cgroup: Unknown subsys name 'rlimit' Setting up swapspace version 1, size = 127995904 bytes [ 174.935371][ T5796] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 180.104866][ T5892] Oops: general protection fault, probably for non-canonical address 0xa0dd60750014e8: 0000 [#1] SMP PTI [ 180.116569][ T5892] CPU: 0 UID: 0 PID: 5892 Comm: syz.4.65 Not tainted 6.16.0-syzkaller-11752-g7881cd6886a8 #0 PREEMPT(none) [ 180.128424][ T5892] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 [ 180.138681][ T5892] RIP: 0010:kfree+0xf2/0xec0 [ 180.143530][ T5892] Code: ef 0c 48 3d 00 10 00 00 41 0f 42 f6 89 75 d0 4f 8d 3c bf 49 c1 e7 04 48 09 4d b0 48 8b 45 80 4a 8d 7c 38 08 0f 85 70 05 00 00 <4c> 8b 27 e8 06 61 14 00 4c 8b 28 44 8b 32 44 89 e8 83 e0 01 44 89 [ 180.163530][ T5892] RSP: 0018:ffff88811b6c7a28 EFLAGS: 00010246 [ 180.170860][ T5892] RAX: ffffea0000000000 RBX: 0000000000000000 RCX: 0000000000000000 [ 180.179241][ T5892] RDX: ffff88821ff13408 RSI: 0000000000000000 RDI: 00a0dd60750014e8 [ 180.187979][ T5892] RBP: ffff88811b6c7ad0 R08: ffffea000000000f R09: 0000000000000000 [ 180.196110][ T5892] R10: ffff888117972c20 R11: 0000000000000000 R12: 0000000000000000 [ 180.204231][ T5892] R13: 0000000000000000 R14: 0000000000000000 R15: 00a0f360750014e0 [ 180.212369][ T5892] FS: 0000000000000000(0000) GS:ffff8881aa69a000(0000) knlGS:0000000000000000 [ 180.221466][ T5892] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 180.228198][ T5892] CR2: 00005555690674a8 CR3: 0000000130550000 CR4: 00000000003526f0 [ 180.236342][ T5892] Call Trace: [ 180.239730][ T5892] [ 180.242801][ T5892] ? vhost_dev_cleanup+0x74d/0xf20 [ 180.248132][ T5892] ? kmsan_get_metadata+0xfb/0x160 [ 180.253455][ T5892] vhost_dev_cleanup+0x74d/0xf20 [ 180.258815][ T5892] vhost_vsock_dev_release+0x789/0x850 [ 180.264752][ T5892] ? __pfx_vhost_vsock_dev_release+0x10/0x10 [ 180.270944][ T5892] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0 [ 180.277509][ T5892] ? __pfx_vhost_vsock_dev_release+0x10/0x10 [ 180.283705][ T5892] __fput+0x60b/0x1040 [ 180.288016][ T5892] ? __pfx_____fput+0x10/0x10 [ 180.292967][ T5892] ____fput+0x25/0x30 [ 180.297148][ T5892] task_work_run+0x209/0x2b0 [ 180.302050][ T5892] do_exit+0x99d/0x3d50 [ 180.306399][ T5892] ? kmsan_get_metadata+0xfb/0x160 [ 180.311764][ T5892] do_group_exit+0x259/0x390 [ 180.316753][ T5892] __x64_sys_exit_group+0x35/0x40 [ 180.328165][ T5892] x64_sys_call+0x3e1a/0x3e20 [ 180.333219][ T5892] do_syscall_64+0xd9/0x210 [ 180.337937][ T5892] ? irqentry_exit+0x16/0x60 [ 180.342727][ T5892] ? clear_bhb_loop+0x40/0x90 [ 180.347645][ T5892] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 180.353838][ T5892] RIP: 0033:0x7f519bf8eb69 [ 180.358441][ T5892] Code: Unable to access opcode bytes at 0x7f519bf8eb3f. [ 180.365605][ T5892] RSP: 002b:00007ffcf97cb7d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 180.374876][ T5892] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f519bf8eb69 [ 180.383476][ T5892] RDX: ffffffffffffffff RSI: ffffffffffffffff RDI: 0000000000000000 [ 180.391725][ T5892] RBP: 00007ffcf97cb83c R08: 0000000000000001 R09: 00000000000927c0 [ 180.400268][ T5892] R10: 00007f519be00000 R11: 0000000000000246 R12: 000000000000000b [ 180.409096][ T5892] R13: 00000000000927c0 R14: 000000000002bebd R15: 00007ffcf97cb890 [ 180.417382][ T5892] [ 180.420696][ T5892] Modules linked in: [ 180.425702][ T5892] ---[ end trace 0000000000000000 ]--- [ 180.431489][ T5892] RIP: 0010:kfree+0xf2/0xec0 [ 180.438422][ T5892] Code: ef 0c 48 3d 00 10 00 00 41 0f 42 f6 89 75 d0 4f 8d 3c bf 49 c1 e7 04 48 09 4d b0 48 8b 45 80 4a 8d 7c 38 08 0f 85 70 05 00 00 <4c> 8b 27 e8 06 61 14 00 4c 8b 28 44 8b 32 44 89 e8 83 e0 01 44 89 [ 180.463830][ T5892] RSP: 0018:ffff88811b6c7a28 EFLAGS: 00010246 [ 180.470265][ T5892] RAX: ffffea0000000000 RBX: 0000000000000000 RCX: 0000000000000000 [ 180.478561][ T5892] RDX: ffff88821ff13408 RSI: 0000000000000000 RDI: 00a0dd60750014e8 [ 180.486895][ T5892] RBP: ffff88811b6c7ad0 R08: ffffea000000000f R09: 0000000000000000 [ 180.495247][ T5892] R10: ffff888117972c20 R11: 0000000000000000 R12: 0000000000000000 [ 180.503855][ T5892] R13: 0000000000000000 R14: 0000000000000000 R15: 00a0f360750014e0 [ 180.512107][ T5892] FS: 0000000000000000(0000) GS:ffff8881aa69a000(0000) knlGS:0000000000000000 [ 180.521767][ T5892] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 180.528811][ T5892] CR2: 00005555690674a8 CR3: 0000000130550000 CR4: 00000000003526f0 [ 180.537211][ T5892] Kernel panic - not syncing: Fatal exception [ 180.543876][ T5892] Kernel Offset: disabled [ 180.548325][ T5892] Rebooting in 86400 seconds..