io_rings_free io_uring/io_uring.c:2770 [inline] io_ring_ctx_free+0x287/0x4e0 io_uring/io_uring.c:2864 io_ring_exit_work+0x8c4/0x930 io_uring/io_uring.c:3086 process_one_work kernel/workqueue.c:3263 [inline] process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 ------------[ cut here ]------------ kernel BUG at mm/filemap.c:3519! Oops: invalid opcode: 0000 [#1] SMP KASAN PTI CPU: 0 UID: 0 PID: 21968 Comm: syz.5.4176 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 RIP: 0010:filemap_fault+0x122c/0x12b0 mm/filemap.c:3519 Code: 38 c1 0f 8c 8e fc ff ff 4c 89 e7 e8 8e d8 2c 00 e9 81 fc ff ff e8 94 23 c7 ff 48 89 df 48 c7 c6 60 5b 74 8b e8 b5 0d 2f ff 90 <0f> 0b e8 7d 23 c7 ff 48 8b 3c 24 48 c7 c6 e0 61 74 8b e8 9d 0d 2f RSP: 0018:ffffc9000ce9f6e0 EFLAGS: 00010246 RAX: 57ef0cf34c40f000 RBX: ffffea0001ad8800 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff8d70bf39 RDI: 00000000ffffffff RBP: ffffc9000ce9f818 R08: ffffffff8f7cd277 R09: 1ffffffff1ef9a4e R10: dffffc0000000000 R11: fffffbfff1ef9a4f R12: dffffc0000000000 R13: 1ffffd400035b101 R14: ffffea0001ad8818 R15: ffffea0001ad8808 FS: 0000000000000000(0000) GS:ffff88812613e000(0063) knlGS:00000000f54e6b40 CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 CR2: 00000000f7123c90 CR3: 0000000066e60000 CR4: 00000000003526f0 Call Trace: __do_fault+0x138/0x390 mm/memory.c:5280 do_shared_fault mm/memory.c:5762 [inline] do_fault mm/memory.c:5836 [inline] do_pte_missing mm/memory.c:4361 [inline] handle_pte_fault mm/memory.c:6177 [inline] __handle_mm_fault+0x1847/0x5400 mm/memory.c:6318 handle_mm_fault+0x40a/0x8e0 mm/memory.c:6487 do_user_addr_fault+0x764/0x1380 arch/x86/mm/fault.c:1387 handle_page_fault arch/x86/mm/fault.c:1476 [inline] exc_page_fault+0x82/0x100 arch/x86/mm/fault.c:1532 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618 RIP: 0010:__put_user_nocheck_4+0x3/0x10 arch/x86/lib/putuser.S:104 Code: d9 0f 01 cb 89 01 31 c9 0f 01 ca e9 07 68 03 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 01 cb <89> 01 31 c9 0f 01 ca c3 cc cc cc cc 90 90 90 90 90 90 90 90 90 90 RSP: 0018:ffffc9000ce9fc78 EFLAGS: 00050287 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000080006b3c RDX: ffffc9001da4d000 RSI: 000000000006b31a RDI: 000000000006b31b RBP: ffffc9000ce9fe90 R08: ffffffff8f7cd277 R09: 1ffffffff1ef9a4e R10: dffffc0000000000 R11: fffffbfff1ef9a4f R12: 0000000080000900 R13: 0000000080040000 R14: 0000000080006b20 R15: 0000000000000311 __sys_sendmmsg+0x2b1/0x430 net/socket.c:2770 __compat_sys_sendmmsg net/compat.c:360 [inline] __do_compat_sys_sendmmsg net/compat.c:367 [inline] __se_compat_sys_sendmmsg net/compat.c:364 [inline] __ia32_compat_sys_sendmmsg+0xa2/0xc0 net/compat.c:364 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline] __do_fast_syscall_32+0xb6/0x2b0 arch/x86/entry/syscall_32.c:306 do_fast_syscall_32+0x34/0x80 arch/x86/entry/syscall_32.c:331 entry_SYSENTER_compat_after_hwframe+0x84/0x8e RIP: 0023:0xf7ff6539 Code: 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 RSP: 002b:00000000f54e655c EFLAGS: 00000206 ORIG_RAX: 0000000000000159 RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000080000900 RDX: 00000000040000cf RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:filemap_fault+0x122c/0x12b0 mm/filemap.c:3519 Code: 38 c1 0f 8c 8e fc ff ff 4c 89 e7 e8 8e d8 2c 00 e9 81 fc ff ff e8 94 23 c7 ff 48 89 df 48 c7 c6 60 5b 74 8b e8 b5 0d 2f ff 90 <0f> 0b e8 7d 23 c7 ff 48 8b 3c 24 48 c7 c6 e0 61 74 8b e8 9d 0d 2f RSP: 0018:ffffc9000ce9f6e0 EFLAGS: 00010246 RAX: 57ef0cf34c40f000 RBX: ffffea0001ad8800 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff8d70bf39 RDI: 00000000ffffffff RBP: ffffc9000ce9f818 R08: ffffffff8f7cd277 R09: 1ffffffff1ef9a4e R10: dffffc0000000000 R11: fffffbfff1ef9a4f R12: dffffc0000000000 R13: 1ffffd400035b101 R14: ffffea0001ad8818 R15: ffffea0001ad8808 FS: 0000000000000000(0000) GS:ffff88812613e000(0063) knlGS:00000000f54e6b40 CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 CR2: 0000000034815ffc CR3: 0000000066e60000 CR4: 00000000003526f0 ---------------- Code disassembly (best guess): 0: d9 0f (bad) (%rdi) 2: 01 cb add %ecx,%ebx 4: 89 01 mov %eax,(%rcx) 6: 31 c9 xor %ecx,%ecx 8: 0f 01 ca clac b: e9 07 68 03 00 jmp 0x36817 10: 90 nop 11: 90 nop 12: 90 nop 13: 90 nop 14: 90 nop 15: 90 nop 16: 90 nop 17: 90 nop 18: 90 nop 19: 90 nop 1a: 90 nop 1b: 90 nop 1c: 90 nop 1d: 90 nop 1e: 90 nop 1f: 90 nop 20: 90 nop 21: 90 nop 22: 90 nop 23: 90 nop 24: 90 nop 25: 90 nop 26: 90 nop 27: 0f 01 cb stac * 2a: 89 01 mov %eax,(%rcx) <-- trapping instruction 2c: 31 c9 xor %ecx,%ecx 2e: 0f 01 ca clac 31: c3 ret 32: cc int3 33: cc int3 34: cc int3 35: cc int3 36: 90 nop 37: 90 nop 38: 90 nop 39: 90 nop 3a: 90 nop 3b: 90 nop 3c: 90 nop 3d: 90 nop 3e: 90 nop 3f: 90 nop