Oops: general protection fault, probably for non-canonical address 0x22cdd7d6740dc98: 0000 [#1] SMP PTI
CPU: 0 UID: 0 PID: 6280 Comm: syz.0.449 Not tainted 6.16.0-syzkaller-11241-g186f3edfdd41 #0 PREEMPT(none) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:_compound_head include/linux/page-flags.h:284 [inline]
RIP: 0010:virt_to_folio include/linux/mm.h:1180 [inline]
RIP: 0010:kfree+0xf2/0xec0 mm/slub.c:4871
Code: ef 0c 48 3d 00 10 00 00 41 0f 42 f6 89 75 d0 4f 8d 3c bf 49 c1 e7 04 48 09 4d b0 48 8b 45 80 4a 8d 7c 38 08 0f 85 70 05 00 00 <4c> 8b 27 e8 66 5c 14 00 4c 8b 28 44 8b 32 44 89 e8 83 e0 01 44 89
RSP: 0018:ffff888023c87a28 EFLAGS: 00010246
RAX: ffffea0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff888220112408 RSI: 0000000000000000 RDI: 022cdd7d6740dc98
RBP: ffff888023c87ad0 R08: ffffea000000000f R09: 0000000000000000
R10: ffff88812e360b60 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 022cf37d6740dc90
FS:  0000000000000000(0000) GS:ffff8881aa8a1000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055559425b4a8 CR3: 00000001252c8000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 vhost_vq_free_iovecs drivers/vhost/vhost.c:505 [inline]
 vhost_dev_free_iovecs drivers/vhost/vhost.c:542 [inline]
 vhost_dev_cleanup+0x74d/0xf20 drivers/vhost/vhost.c:1214
 vhost_vsock_dev_release+0x789/0x850 drivers/vhost/vsock.c:755
 __fput+0x608/0x1040 fs/file_table.c:468
 ____fput+0x25/0x30 fs/file_table.c:496
 task_work_run+0x209/0x2b0 kernel/task_work.c:227
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0x99d/0x3d50 kernel/exit.c:966
 do_group_exit+0x259/0x390 kernel/exit.c:1107
 __do_sys_exit_group kernel/exit.c:1118 [inline]
 __se_sys_exit_group kernel/exit.c:1116 [inline]
 __x64_sys_exit_group+0x35/0x40 kernel/exit.c:1116
 x64_sys_call+0x3e1a/0x3e20 arch/x86/include/generated/asm/syscalls_64.h:232
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f396ef8eb69
Code: Unable to access opcode bytes at 0x7f396ef8eb3f.
RSP: 002b:00007ffd25b42328 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f396ef8eb69
RDX: ffffffffffffffff RSI: ffffffffffffffff RDI: 0000000000000000
RBP: 00007ffd25b4238c R08: 0000000000000001 R09: 00000000000927c0
R10: 00007f396ee00000 R11: 0000000000000246 R12: 0000000000000043
R13: 00000000000927c0 R14: 0000000000031210 R15: 00007ffd25b423e0
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:_compound_head include/linux/page-flags.h:284 [inline]
RIP: 0010:virt_to_folio include/linux/mm.h:1180 [inline]
RIP: 0010:kfree+0xf2/0xec0 mm/slub.c:4871
Code: ef 0c 48 3d 00 10 00 00 41 0f 42 f6 89 75 d0 4f 8d 3c bf 49 c1 e7 04 48 09 4d b0 48 8b 45 80 4a 8d 7c 38 08 0f 85 70 05 00 00 <4c> 8b 27 e8 66 5c 14 00 4c 8b 28 44 8b 32 44 89 e8 83 e0 01 44 89
RSP: 0018:ffff888023c87a28 EFLAGS: 00010246
RAX: ffffea0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff888220112408 RSI: 0000000000000000 RDI: 022cdd7d6740dc98
RBP: ffff888023c87ad0 R08: ffffea000000000f R09: 0000000000000000
R10: ffff88812e360b60 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 022cf37d6740dc90
FS:  0000000000000000(0000) GS:ffff8881aa8a1000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055559425b4a8 CR3: 00000001252c8000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
   0:	ef                   	out    %eax,(%dx)
   1:	0c 48                	or     $0x48,%al
   3:	3d 00 10 00 00       	cmp    $0x1000,%eax
   8:	41 0f 42 f6          	cmovb  %r14d,%esi
   c:	89 75 d0             	mov    %esi,-0x30(%rbp)
   f:	4f 8d 3c bf          	lea    (%r15,%r15,4),%r15
  13:	49 c1 e7 04          	shl    $0x4,%r15
  17:	48 09 4d b0          	or     %rcx,-0x50(%rbp)
  1b:	48 8b 45 80          	mov    -0x80(%rbp),%rax
  1f:	4a 8d 7c 38 08       	lea    0x8(%rax,%r15,1),%rdi
  24:	0f 85 70 05 00 00    	jne    0x59a
* 2a:	4c 8b 27             	mov    (%rdi),%r12 <-- trapping instruction
  2d:	e8 66 5c 14 00       	call   0x145c98
  32:	4c 8b 28             	mov    (%rax),%r13
  35:	44 8b 32             	mov    (%rdx),%r14d
  38:	44 89 e8             	mov    %r13d,%eax
  3b:	83 e0 01             	and    $0x1,%eax
  3e:	44                   	rex.R
  3f:	89                   	.byte 0x89