Extracting prog: 3m34.116333371s
Minimizing prog: 2m16.63664952s
Simplifying prog options: 0s
Extracting C: 22.794293599s
Simplifying C: 15m32.544598371s


extracting reproducer from 17 programs
testing a last program of every proc
single: executing 5 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$dri-openat$sndtimer-ioctl$SNDRV_TIMER_IOCTL_SELECT-read-prlimit64-sched_setscheduler-getpid-sched_setscheduler-mmap-socketpair$unix-connect$unix-sendmmsg$unix-recvmmsg-sched_setscheduler-openat$nullb-ioprio_set$pid-sendfile-ioctl$SNDRV_TIMER_IOCTL_CONTINUE-read-ioctl$DRM_IOCTL_SET_CLIENT_CAP-ioctl$DRM_IOCTL_MODE_GETPLANERESOURCES-socket$nl_generic-syz_genetlink_get_family_id$gtp-sendmsg$GTP_CMD_NEWPDP-ioctl$DRM_IOCTL_MODE_GETPLANE-socket$inet6_udp-bind$inet6-connect$inet6-socket$inet6_udp-bind$inet6
detailed listing:
executing program 0:
r0 = syz_open_dev$dri(&(0x7f0000000080), 0x1, 0x0)
r1 = openat$sndtimer(0xffffffffffffff9c, &(0x7f0000000280), 0x0)
ioctl$SNDRV_TIMER_IOCTL_SELECT(r1, 0x40345410, &(0x7f00000083c0)={{0x1}})
read(r1, &(0x7f00000002c0)=""/200, 0x39)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x88}, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000180)=0x7)
r2 = getpid()
sched_setscheduler(r2, 0x2, &(0x7f0000000200)=0x7)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbee2, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r3=>0xffffffffffffffff, <r4=>0xffffffffffffffff})
connect$unix(r3, &(0x7f000057eff8)=@abs={0x0, 0x0, 0x4e21}, 0x6e)
sendmmsg$unix(r4, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(r3, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000000)=0x6)
r5 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040), 0x179342, 0x0)
ioprio_set$pid(0x1, 0x0, 0x0)
sendfile(r5, r5, 0x0, 0x40008)
ioctl$SNDRV_TIMER_IOCTL_CONTINUE(r1, 0x54a2)
read(r1, &(0x7f00000003c0)=""/208, 0xd0)
ioctl$DRM_IOCTL_SET_CLIENT_CAP(r0, 0x4010640d, &(0x7f0000000000)={0x3, 0x2})
ioctl$DRM_IOCTL_MODE_GETPLANERESOURCES(r0, 0xc01064b5, &(0x7f0000000300)={&(0x7f00000001c0)=[<r6=>0x0], 0x1})
r7 = socket$nl_generic(0x10, 0x3, 0x10)
r8 = syz_genetlink_get_family_id$gtp(&(0x7f0000000040), r7)
sendmsg$GTP_CMD_NEWPDP(r7, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000000)={0x1c, r8, 0x1, 0x0, 0x0, {0x3}, [@GTPA_VERSION={0x8}]}, 0x1c}, 0x1, 0x0, 0x0, 0x805}, 0x0)
ioctl$DRM_IOCTL_MODE_GETPLANE(r0, 0xc02064b6, &(0x7f0000000700)={r6, 0x0, 0x0, 0x0, 0x0, 0x6, &(0x7f0000005fc0)=[0x0, 0x0, 0x0, 0x0, 0x0, 0x0]})
r9 = socket$inet6_udp(0xa, 0x2, 0x0)
bind$inet6(r9, &(0x7f0000000500)={0xa, 0x4e20, 0xd19, @empty, 0x4}, 0x1c)
connect$inet6(r9, &(0x7f0000001d40)={0xa, 0x4e24, 0xf, @loopback, 0x2}, 0x1c)
r10 = socket$inet6_udp(0xa, 0x2, 0x0)
bind$inet6(r10, &(0x7f0000000100)={0xa, 0x4e20, 0xf63, @loopback={0xffffffffffff0000}, 0x1}, 0x1c)

program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prctl$PR_MCE_KILL
detailed listing:
executing program 0:
prctl$PR_MCE_KILL(0x4e, 0x1, 0x4000) (fail_nth: 1)

program crashed: BUG: sleeping function called from invalid context in vfree
single: successfully extracted reproducer
found reproducer with 1 syscalls
minimizing guilty program
testing program (duration=43.99405618s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prctl$PR_MCE_KILL
detailed listing:
executing program 0:
prctl$PR_MCE_KILL(0x4e, 0x1, 0x4000)

program did not crash
extracting C reproducer
testing compiled C program (duration=43.99405618s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prctl$PR_MCE_KILL
program crashed: BUG: sleeping function called from invalid context in vfree
simplifying C reproducer
testing compiled C program (duration=43.99405618s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prctl$PR_MCE_KILL
program crashed: BUG: sleeping function called from invalid context in vfree
testing compiled C program (duration=43.99405618s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prctl$PR_MCE_KILL
program crashed: BUG: sleeping function called from invalid context in vfree
testing compiled C program (duration=43.99405618s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prctl$PR_MCE_KILL
program crashed: BUG: sleeping function called from invalid context in corrupted
a never seen crash title: BUG: sleeping function called from invalid context in corrupted, ignore
testing compiled C program (duration=43.99405618s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prctl$PR_MCE_KILL
program crashed: BUG: sleeping function called from invalid context in vfree
testing compiled C program (duration=43.99405618s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prctl$PR_MCE_KILL
program crashed: BUG: sleeping function called from invalid context in vfree
testing compiled C program (duration=43.99405618s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prctl$PR_MCE_KILL
program crashed: BUG: sleeping function called from invalid context in vfree
testing compiled C program (duration=43.99405618s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prctl$PR_MCE_KILL
program crashed: BUG: sleeping function called from invalid context in corrupted
a never seen crash title: BUG: sleeping function called from invalid context in corrupted, ignore
testing compiled C program (duration=43.99405618s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prctl$PR_MCE_KILL
program crashed: BUG: sleeping function called from invalid context in corrupted
a never seen crash title: BUG: sleeping function called from invalid context in corrupted, ignore
testing compiled C program (duration=43.99405618s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prctl$PR_MCE_KILL
program did not crash
testing compiled C program (duration=43.99405618s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:false IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prctl$PR_MCE_KILL
program crashed: BUG: sleeping function called from invalid context in vfree
testing compiled C program (duration=43.99405618s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prctl$PR_MCE_KILL
program crashed: BUG: sleeping function called from invalid context in corrupted
a never seen crash title: BUG: sleeping function called from invalid context in corrupted, ignore
testing compiled C program (duration=43.99405618s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:false IEEE802154:true Sysctl:true Swap:true UseTmpDir:false HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prctl$PR_MCE_KILL
program crashed: BUG: sleeping function called from invalid context in corrupted
a never seen crash title: BUG: sleeping function called from invalid context in corrupted, ignore
testing compiled C program (duration=43.99405618s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:false IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prctl$PR_MCE_KILL
program crashed: BUG: sleeping function called from invalid context in vfree
testing compiled C program (duration=43.99405618s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:false IEEE802154:true Sysctl:false Swap:true UseTmpDir:true HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prctl$PR_MCE_KILL
program crashed: BUG: sleeping function called from invalid context in vfree
testing compiled C program (duration=43.99405618s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:false IEEE802154:true Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prctl$PR_MCE_KILL
program crashed: BUG: sleeping function called from invalid context in corrupted
a never seen crash title: BUG: sleeping function called from invalid context in corrupted, ignore
testing program (duration=43.99405618s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:false IEEE802154:true Sysctl:false Swap:true UseTmpDir:true HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prctl$PR_MCE_KILL
detailed listing:
executing program 0:
prctl$PR_MCE_KILL(0x4e, 0x1, 0x4000) (fail_nth: 1)

program crashed: BUG: sleeping function called from invalid context in vfree
validation run: crashed=true
testing program (duration=43.99405618s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:false IEEE802154:true Sysctl:false Swap:true UseTmpDir:true HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prctl$PR_MCE_KILL
detailed listing:
executing program 0:
prctl$PR_MCE_KILL(0x4e, 0x1, 0x4000) (fail_nth: 1)

program crashed: BUG: sleeping function called from invalid context in vfree
validation run: crashed=true
testing program (duration=43.99405618s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:false IEEE802154:true Sysctl:false Swap:true UseTmpDir:true HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prctl$PR_MCE_KILL
detailed listing:
executing program 0:
prctl$PR_MCE_KILL(0x4e, 0x1, 0x4000) (fail_nth: 1)

program crashed: BUG: sleeping function called from invalid context in vfree
validation run: crashed=true
reproducing took 25m18.507650157s
repro crashed as (corrupted=false):
BUG: sleeping function called from invalid context at mm/vmalloc.c:3409
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 6163, name: udevd
preempt_count: 1, expected: 0
RCU nest depth: 0, expected: 0
2 locks held by udevd/6163:
 #0: ffff0000c907eb78 (&f->f_pos_lock){+.+.}-{4:4}, at: fdget_pos+0x1fc/0x2a0 fs/file.c:1232
 #1: ffff0000e44cd568 (&type->i_mutex_dir_key#4){++++}-{4:4}, at: iterate_dir+0x224/0x478 fs/readdir.c:101
Preemption disabled at:
[<ffff80008b0155cc>] preempt_schedule_irq+0x70/0x188 kernel/sched/core.c:7286
CPU: 0 UID: 0 PID: 6163 Comm: udevd Not tainted 6.17.0-rc1-syzkaller-g8f5ae30d69d7 #0 PREEMPT 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/30/2025
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C)
 __dump_stack+0x30/0x40 lib/dump_stack.c:94
 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
 dump_stack+0x1c/0x28 lib/dump_stack.c:129
 __might_resched+0x348/0x4c4 kernel/sched/core.c:8957
 __might_sleep+0x94/0x110 kernel/sched/core.c:8886
 vfree+0xa0/0x3dc mm/vmalloc.c:3409
 kvfree+0x24/0x40 mm/slub.c:5093
 futex_hash_free+0x84/0x9c kernel/futex/core.c:1742
 __mmdrop+0x2c0/0x4ec kernel/fork.c:692
 mmdrop include/linux/sched/mm.h:55 [inline]
 mmdrop_sched include/linux/sched/mm.h:83 [inline]
 mmdrop_lazy_tlb_sched include/linux/sched/mm.h:110 [inline]
 finish_task_switch+0x4a0/0x5a4 kernel/sched/core.c:5250
 context_switch kernel/sched/core.c:5360 [inline]
 __schedule+0x13b4/0x2864 kernel/sched/core.c:6961
 preempt_schedule_irq+0x80/0x188 kernel/sched/core.c:7288
 arm64_preempt_schedule_irq+0x44/0x58 arch/arm64/kernel/entry-common.c:305
 __el1_irq arch/arm64/kernel/entry-common.c:656 [inline]
 el1_interrupt+0x3c/0x54 arch/arm64/kernel/entry-common.c:668
 el1h_64_irq_handler+0x18/0x24 arch/arm64/kernel/entry-common.c:673
 el1h_64_irq+0x6c/0x70 arch/arm64/kernel/entry.S:592
 __daif_local_irq_restore arch/arm64/include/asm/irqflags.h:175 [inline] (P)
 arch_local_irq_restore arch/arm64/include/asm/irqflags.h:195 [inline] (P)
 seqcount_lockdep_reader_access+0xe4/0x104 include/linux/seqlock.h:74 (P)
 ktime_get_coarse_real_ts64_mg+0x70/0x1dc kernel/time/timekeeping.c:2430
 current_time+0x90/0x2f4 fs/inode.c:2252
 atime_needs_update+0x2b0/0x5e8 fs/inode.c:2114
 touch_atime+0x94/0x818 fs/inode.c:2131
 file_accessed include/linux/fs.h:2663 [inline]
 iterate_dir+0x344/0x478 fs/readdir.c:111
 __do_sys_getdents64 fs/readdir.c:410 [inline]
 __se_sys_getdents64 fs/readdir.c:396 [inline]
 __arm64_sys_getdents64+0x110/0x2fc fs/readdir.c:396
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x58/0x180 arch/arm64/kernel/entry-common.c:879
 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596

final repro crashed as (corrupted=false):
BUG: sleeping function called from invalid context at mm/vmalloc.c:3409
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 6163, name: udevd
preempt_count: 1, expected: 0
RCU nest depth: 0, expected: 0
2 locks held by udevd/6163:
 #0: ffff0000c907eb78 (&f->f_pos_lock){+.+.}-{4:4}, at: fdget_pos+0x1fc/0x2a0 fs/file.c:1232
 #1: ffff0000e44cd568 (&type->i_mutex_dir_key#4){++++}-{4:4}, at: iterate_dir+0x224/0x478 fs/readdir.c:101
Preemption disabled at:
[<ffff80008b0155cc>] preempt_schedule_irq+0x70/0x188 kernel/sched/core.c:7286
CPU: 0 UID: 0 PID: 6163 Comm: udevd Not tainted 6.17.0-rc1-syzkaller-g8f5ae30d69d7 #0 PREEMPT 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/30/2025
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C)
 __dump_stack+0x30/0x40 lib/dump_stack.c:94
 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
 dump_stack+0x1c/0x28 lib/dump_stack.c:129
 __might_resched+0x348/0x4c4 kernel/sched/core.c:8957
 __might_sleep+0x94/0x110 kernel/sched/core.c:8886
 vfree+0xa0/0x3dc mm/vmalloc.c:3409
 kvfree+0x24/0x40 mm/slub.c:5093
 futex_hash_free+0x84/0x9c kernel/futex/core.c:1742
 __mmdrop+0x2c0/0x4ec kernel/fork.c:692
 mmdrop include/linux/sched/mm.h:55 [inline]
 mmdrop_sched include/linux/sched/mm.h:83 [inline]
 mmdrop_lazy_tlb_sched include/linux/sched/mm.h:110 [inline]
 finish_task_switch+0x4a0/0x5a4 kernel/sched/core.c:5250
 context_switch kernel/sched/core.c:5360 [inline]
 __schedule+0x13b4/0x2864 kernel/sched/core.c:6961
 preempt_schedule_irq+0x80/0x188 kernel/sched/core.c:7288
 arm64_preempt_schedule_irq+0x44/0x58 arch/arm64/kernel/entry-common.c:305
 __el1_irq arch/arm64/kernel/entry-common.c:656 [inline]
 el1_interrupt+0x3c/0x54 arch/arm64/kernel/entry-common.c:668
 el1h_64_irq_handler+0x18/0x24 arch/arm64/kernel/entry-common.c:673
 el1h_64_irq+0x6c/0x70 arch/arm64/kernel/entry.S:592
 __daif_local_irq_restore arch/arm64/include/asm/irqflags.h:175 [inline] (P)
 arch_local_irq_restore arch/arm64/include/asm/irqflags.h:195 [inline] (P)
 seqcount_lockdep_reader_access+0xe4/0x104 include/linux/seqlock.h:74 (P)
 ktime_get_coarse_real_ts64_mg+0x70/0x1dc kernel/time/timekeeping.c:2430
 current_time+0x90/0x2f4 fs/inode.c:2252
 atime_needs_update+0x2b0/0x5e8 fs/inode.c:2114
 touch_atime+0x94/0x818 fs/inode.c:2131
 file_accessed include/linux/fs.h:2663 [inline]
 iterate_dir+0x344/0x478 fs/readdir.c:111
 __do_sys_getdents64 fs/readdir.c:410 [inline]
 __se_sys_getdents64 fs/readdir.c:396 [inline]
 __arm64_sys_getdents64+0x110/0x2fc fs/readdir.c:396
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x58/0x180 arch/arm64/kernel/entry-common.c:879
 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596