Oops: general protection fault, probably for non-canonical address 0x1fe2050e40f4098: 0000 [#1] SMP PTI
CPU: 0 UID: 0 PID: 5979 Comm: syz.4.158 Not tainted 6.16.0-syzkaller-11699-g7e161a991ea7 #0 PREEMPT(none)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:_compound_head include/linux/page-flags.h:284 [inline]
RIP: 0010:virt_to_folio include/linux/mm.h:1180 [inline]
RIP: 0010:kfree+0xf2/0xec0 mm/slub.c:4871
Code: ef 0c 48 3d 00 10 00 00 41 0f 42 f6 89 75 d0 4f 8d 3c bf 49 c1 e7 04 48 09 4d b0 48 8b 45 80 4a 8d 7c 38 08 0f 85 70 05 00 00 <4c> 8b 27 e8 66 5c 14 00 4c 8b 28 44 8b 32 44 89 e8 83 e0 01 44 89
RSP: 0018:ffff88812e2979f8 EFLAGS: 00010246
RAX: ffffea0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff88821ff13408 RSI: 0000000000000000 RDI: 01fe2050e40f4098
RBP: ffff88812e297aa0 R08: ffffea000000000f R09: 0000000000000000
R10: ffff888117a64ce0 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 01fe3650e40f4090
FS: 0000000000000000(0000) GS:ffff8881aa69a000(0000) knlGS:0000000000000000
CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 00000000f73e2000 CR3: 0000000118564000 CR4: 00000000003526f0
Call Trace:
 vhost_vq_free_iovecs drivers/vhost/vhost.c:505 [inline]
 vhost_dev_free_iovecs drivers/vhost/vhost.c:542 [inline]
 vhost_dev_cleanup+0x74d/0xf20 drivers/vhost/vhost.c:1214
 vhost_vsock_dev_release+0x789/0x850 drivers/vhost/vsock.c:755
 __fput+0x60b/0x1040 fs/file_table.c:468
 ____fput+0x25/0x30 fs/file_table.c:496
 task_work_run+0x209/0x2b0 kernel/task_work.c:227
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0x99d/0x3d50 kernel/exit.c:961
 do_group_exit+0x259/0x390 kernel/exit.c:1102
 __do_sys_exit_group kernel/exit.c:1113 [inline]
 __se_sys_exit_group kernel/exit.c:1111 [inline]
 __ia32_sys_exit_group+0x35/0x40 kernel/exit.c:1111
 ia32_sys_call+0x4302/0x4310 arch/x86/include/generated/asm/syscalls_32.h:253
 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
 __do_fast_syscall_32+0xb0/0x150 arch/x86/entry/syscall_32.c:306
 do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331
 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:369
 entry_SYSENTER_compat_after_hwframe+0x84/0x8e
RIP: 0023:0xf710e539
Code: Unable to access opcode bytes at 0xf710e50f.
RSP: 002b:00000000ffdf049c EFLAGS: 00000206 ORIG_RAX: 00000000000000fc
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 00000000ffffff9c RDI: 00000000f7474ff4
RBP: 000000000000002c R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:_compound_head include/linux/page-flags.h:284 [inline]
RIP: 0010:virt_to_folio include/linux/mm.h:1180 [inline]
RIP: 0010:kfree+0xf2/0xec0 mm/slub.c:4871
Code: ef 0c 48 3d 00 10 00 00 41 0f 42 f6 89 75 d0 4f 8d 3c bf 49 c1 e7 04 48 09 4d b0 48 8b 45 80 4a 8d 7c 38 08 0f 85 70 05 00 00 <4c> 8b 27 e8 66 5c 14 00 4c 8b 28 44 8b 32 44 89 e8 83 e0 01 44 89
RSP: 0018:ffff88812e2979f8 EFLAGS: 00010246
RAX: ffffea0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff88821ff13408 RSI: 0000000000000000 RDI: 01fe2050e40f4098
RBP: ffff88812e297aa0 R08: ffffea000000000f R09: 0000000000000000
R10: ffff888117a64ce0 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 01fe3650e40f4090
FS: 0000000000000000(0000) GS:ffff8881aa69a000(0000) knlGS:0000000000000000
CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 00000000f73e2000 CR3: 0000000012666000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
   0:	ef                   	out    %eax,(%dx)
   1:	0c 48                	or     $0x48,%al
   3:	3d 00 10 00 00       	cmp    $0x1000,%eax
   8:	41 0f 42 f6          	cmovb  %r14d,%esi
   c:	89 75 d0             	mov    %esi,-0x30(%rbp)
   f:	4f 8d 3c bf          	lea    (%r15,%r15,4),%r15
  13:	49 c1 e7 04          	shl    $0x4,%r15
  17:	48 09 4d b0          	or     %rcx,-0x50(%rbp)
  1b:	48 8b 45 80          	mov    -0x80(%rbp),%rax
  1f:	4a 8d 7c 38 08       	lea    0x8(%rax,%r15,1),%rdi
  24:	0f 85 70 05 00 00    	jne    0x59a
* 2a:	4c 8b 27             	mov    (%rdi),%r12		<-- trapping instruction
  2d:	e8 66 5c 14 00       	call   0x145c98
  32:	4c 8b 28             	mov    (%rax),%r13
  35:	44 8b 32             	mov    (%rdx),%r14d
  38:	44 89 e8             	mov    %r13d,%eax
  3b:	83 e0 01             	and    $0x1,%eax
  3e:	44                   	rex.R
  3f:	89                   	.byte 0x89