netlink: zone id is out of range
netlink: zone id is out of range
netlink: zone id is out of range
netlink: get zone limit has 4 unknown bytes
------------[ cut here ]------------
kernfs: can not remove 'bind', no directory
WARNING: fs/kernfs/dir.c:1706 at 0x0, CPU#0: syz.7.7477/3386
Modules linked in:
CPU: 0 UID: 0 PID: 3386 Comm: syz.7.7477 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:kernfs_remove_by_name_ns+0xf8/0x100 fs/kernfs/dir.c:1706
Code: fd 08 e8 8b ed 55 ff 48 89 df 31 db e8 a1 a2 ff ff 48 89 ef e8 99 61 30 ff eb b1 e8 72 ed 55 ff 48 8d 3d 1b b6 23 0e 4c 89 ee <67> 48 0f b9 3a eb ba 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffc9000466f9b8 EFLAGS: 00010283
RAX: 000000000000094f RBX: 0000000000000000 RCX: ffffc9000f28e000
RDX: 0000000000080000 RSI: ffffffff8c2073a0 RDI: ffffffff908bcd50
RBP: ffffffff8f29a8a0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 00000000c7cb7485 R12: 0000000000000000
R13: ffffffff8c2073a0 R14: 0000000000000002 R15: ffff888029c15920
FS: 00007f0526e886c0(0000) GS:ffff88812497e000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b34d12ff8 CR3: 000000008513e000 CR4: 00000000003526f0
DR0: ffffffffffffffff DR1: 00000000000001f8 DR2: 0000000000000083
DR3: ffffffffefffff15 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Call Trace:
 sysfs_remove_file include/linux/sysfs.h:770 [inline]
 driver_remove_file drivers/base/driver.c:201 [inline]
 driver_remove_file+0x4a/0x60 drivers/base/driver.c:197
 remove_bind_files drivers/base/bus.c:605 [inline]
 bus_remove_driver+0x224/0x2c0 drivers/base/bus.c:743
 driver_unregister+0x76/0xb0 drivers/base/driver.c:277
 comedi_device_detach_locked+0x12f/0xa50 drivers/comedi/drivers.c:207
 do_devconfig_ioctl+0x555/0x710 drivers/comedi/comedi_fops.c:848
 comedi_unlocked_ioctl+0x165d/0x2ee0 drivers/comedi/comedi_fops.c:2178
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl fs/ioctl.c:583 [inline]
 __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0525f8f749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f0526e88038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f05261e6090 RCX: 00007f0525f8f749
RDX: 0000000000000000 RSI: 0000000040946400 RDI: 0000000000000004
RBP: 00007f0526013f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f05261e6128 R14: 00007f05261e6090 R15: 00007fff3c848328
----------------
Code disassembly (best guess), 2 bytes skipped:
   0: e8 8b ed 55 ff call 0xff55ed90
   5: 48 89 df mov %rbx,%rdi
   8: 31 db xor %ebx,%ebx
   a: e8 a1 a2 ff ff call 0xffffa2b0
   f: 48 89 ef mov %rbp,%rdi
  12: e8 99 61 30 ff call 0xff3061b0
  17: eb b1 jmp 0xffffffca
  19: e8 72 ed 55 ff call 0xff55ed90
  1e: 48 8d 3d 1b b6 23 0e lea 0xe23b61b(%rip),%rdi # 0xe23b640
  25: 4c 89 ee mov %r13,%rsi
* 28: 67 48 0f b9 3a ud1 (%edx),%rdi <-- trapping instruction
  2d: eb ba jmp 0xffffffe9
  2f: 90 nop
  30: 90 nop
  31: 90 nop
  32: 90 nop
  33: 90 nop
  34: 90 nop
  35: 90 nop
  36: 90 nop
  37: 90 nop
  38: 90 nop
  39: 90 nop
  3a: 90 nop
  3b: 90 nop
  3c: 90 nop
  3d: 90 nop