------------[ cut here ]------------
WARNING: ./include/linux/ns_common.h:255 at __ns_ref_put include/linux/ns_common.h:255 [inline], CPU#1: syz.5.235/6986
WARNING: ./include/linux/ns_common.h:255 at put_user_ns include/linux/user_namespace.h:189 [inline], CPU#1: syz.5.235/6986
WARNING: ./include/linux/ns_common.h:255 at put_cred_rcu+0x2c5/0x340 kernel/cred.c:61, CPU#1: syz.5.235/6986
Modules linked in:
CPU: 1 UID: 0 PID: 6986 Comm: syz.5.235 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
RIP: 0010:__ns_ref_put include/linux/ns_common.h:255 [inline]
RIP: 0010:put_user_ns include/linux/user_namespace.h:189 [inline]
RIP: 0010:put_cred_rcu+0x2c5/0x340 kernel/cred.c:61
Code: 5c 41 5d 41 5e 41 5f 5d e9 e8 d0 8d 00 e8 13 a7 32 00 4c 89 e7 be 03 00 00 00 e8 46 a1 0a 03 e9 b8 fe ff ff e8 fc a6 32 00 90 <0f> 0b 90 eb 9f e8 f1 a6 32 00 4c 89 ff be 03 00 00 00 e8 24 a1 0a
RSP: 0018:ffffc90000a08ba8 EFLAGS: 00010246
RAX: ffffffff818f2934 RBX: ffff8880275854a0 RCX: ffff888025f88000
RDX: 0000000000000100 RSI: 0000000000000004 RDI: 0000000000000000
RBP: 0000000000000004 R08: ffff88803325c193 R09: 1ffff1100664b832
R10: dffffc0000000000 R11: ffffed100664b833 R12: dffffc0000000000
R13: ffff888027585400 R14: ffff88803325c000 R15: ffff88803325c190
FS:  0000000000000000(0000) GS:ffff888125b79000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f729cd156c0 CR3: 0000000075df8000 CR4: 00000000003526f0
Call Trace:
 <IRQ>
 rcu_do_batch kernel/rcu/tree.c:2605 [inline]
 rcu_core+0xcab/0x1770 kernel/rcu/tree.c:2861
 handle_softirqs+0x286/0x870 kernel/softirq.c:626
 __do_softirq kernel/softirq.c:660 [inline]
 invoke_softirq kernel/softirq.c:496 [inline]
 __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:727
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:743
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1052 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1052
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:check_kcov_mode kernel/kcov.c:194 [inline]
RIP: 0010:write_comp_data kernel/kcov.c:246 [inline]
RIP: 0010:__sanitizer_cov_trace_const_cmp8+0x37/0x90 kernel/kcov.c:321
Code: 08 70 ba 92 65 8b 15 08 9b f8 10 81 e2 00 01 ff 00 74 11 81 fa 00 01 00 00 75 57 83 b9 84 16 00 00 00 74 4e 8b 91 60 16 00 00 <83> fa 03 75 43 48 8b 91 68 16 00 00 44 8b 89 64 16 00 00 49 c1 e1
RSP: 0018:ffffc9000463f398 EFLAGS: 00000246
RAX: ffffffff81fef7ff RBX: dffffc0000000000 RCX: ffff888025f88000
RDX: 0000000000000000 RSI: 0000000000000013 RDI: 000000000000001f
RBP: ffffc9000463f490 R08: ffffea00014c3cf7 R09: 1ffffd400029879e
R10: dffffc0000000000 R11: fffff9400029879f R12: ffffc9000463f500
R13: ffffc9000463f5a0 R14: 0000000000000013 R15: 0000000000000014
 folios_put_refs+0x10f/0x670 mm/swap.c:958
 free_pages_and_swap_cache+0x277/0x520 mm/swap_state.c:355
 __tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline]
 tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:397 [inline]
 tlb_flush_mmu+0x3a0/0x680 mm/mmu_gather.c:404
 tlb_finish_mmu+0xc3/0x1d0 mm/mmu_gather.c:497
 exit_mmap+0x444/0xb40 mm/mmap.c:1290
 __mmput+0x118/0x430 kernel/fork.c:1132
 exit_mm+0x1da/0x2c0 kernel/exit.c:581
 do_exit+0x650/0x2300 kernel/exit.c:958
 do_group_exit+0x21c/0x2d0 kernel/exit.c:1111
 get_signal+0x1285/0x1340 kernel/signal.c:3034
 arch_do_signal_or_restart+0x9a/0x7a0 arch/x86/kernel/signal.c:337
 __exit_to_user_mode_loop kernel/entry/common.c:41 [inline]
 exit_to_user_mode_loop+0x87/0x4f0 kernel/entry/common.c:75
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
 syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
 syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]
 do_syscall_64+0x2e9/0xfa0 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0bea78f6c9
Code: Unable to access opcode bytes at 0x7f0bea78f69f.
RSP: 002b:00007f0beb678fe8 EFLAGS: 00000202 ORIG_RAX: 0000000000000038
RAX: fffffffffffffff4 RBX: 00007f0bea9e5fa0 RCX: 00007f0bea78f6c9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000fdba2080
RBP: 00007f0bea811f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
R13: 00007f0bea9e6038 R14: 00007f0bea9e5fa0 R15: 00007ffcb4f38b28
 </TASK>
----------------
Code disassembly (best guess):
   0:	08 70 ba             	or     %dh,-0x46(%rax)
   3:	92                   	xchg   %eax,%edx
   4:	65 8b 15 08 9b f8 10 	mov    %gs:0x10f89b08(%rip),%edx        # 0x10f89b13
   b:	81 e2 00 01 ff 00    	and    $0xff0100,%edx
  11:	74 11                	je     0x24
  13:	81 fa 00 01 00 00    	cmp    $0x100,%edx
  19:	75 57                	jne    0x72
  1b:	83 b9 84 16 00 00 00 	cmpl   $0x0,0x1684(%rcx)
  22:	74 4e                	je     0x72
  24:	8b 91 60 16 00 00    	mov    0x1660(%rcx),%edx
* 2a:	83 fa 03             	cmp    $0x3,%edx <-- trapping instruction
  2d:	75 43                	jne    0x72
  2f:	48 8b 91 68 16 00 00 	mov    0x1668(%rcx),%rdx
  36:	44 8b 89 64 16 00 00 	mov    0x1664(%rcx),%r9d
  3d:	49                   	rex.WB
  3e:	c1                   	.byte 0xc1
  3f:	e1                   	.byte 0xe1