last executing test programs: 574.993172ms ago: executing program 0 (id=26): sendto(0xffffffffffffffff, &(0x7f0000000000), 0x0, 0x0, 0x0, 0x0) 574.731792ms ago: executing program 0 (id=29): socket$inet_tcp(0x2, 0x1, 0x0) 553.588112ms ago: executing program 0 (id=31): lsetxattr(&(0x7f0000000000), &(0x7f0000000000), &(0x7f0000000000), 0x0, 0x0) 553.121553ms ago: executing program 0 (id=34): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm-control', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/dlm-control', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/dlm-control', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dlm-control', 0x800, 0x0) 526.734023ms ago: executing program 0 (id=39): syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0) 526.537994ms ago: executing program 0 (id=43): rt_sigreturn() 121.585636ms ago: executing program 3 (id=130): openat(0xffffffffffffff9c, &(0x7f0000000040)='/proc/capi/capi20ncci', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/proc/capi/capi20ncci', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/proc/capi/capi20ncci', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/proc/capi/capi20ncci', 0x800, 0x0) 69.490568ms ago: executing program 4 (id=131): exit(0x0) 69.315798ms ago: executing program 2 (id=132): times(&(0x7f0000000000)) 69.207758ms ago: executing program 2 (id=133): set_mempolicy(0x0, &(0x7f0000000000), 0x0) 69.103898ms ago: executing program 3 (id=134): sched_yield() 68.960968ms ago: executing program 4 (id=135): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vcsa', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/vcsa', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/vcsa', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/vcsa', 0x800, 0x0) 68.899518ms ago: executing program 1 (id=136): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/hpet', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/hpet', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/hpet', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/hpet', 0x800, 0x0) 68.801888ms ago: executing program 2 (id=137): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/fuse', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/fuse', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/fuse', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/fuse', 0x800, 0x0) 67.976348ms ago: executing program 1 (id=138): map_shadow_stack(0x0, 0x0, 0x0) 67.437448ms ago: executing program 4 (id=139): munlockall() 39.058449ms ago: executing program 2 (id=140): syz_open_dev$usbfs(&(0x7f0000000040), 0x0, 0x0) syz_open_dev$usbfs(&(0x7f0000000080), 0x0, 0x1) syz_open_dev$usbfs(&(0x7f00000000c0), 0x0, 0x2) syz_open_dev$usbfs(&(0x7f0000000100), 0x0, 0x800) syz_open_dev$usbfs(&(0x7f0000000140), 0xa, 0x0) syz_open_dev$usbfs(&(0x7f0000000180), 0xa, 0x1) syz_open_dev$usbfs(&(0x7f00000001c0), 0xa, 0x2) syz_open_dev$usbfs(&(0x7f0000000200), 0xa, 0x800) syz_open_dev$usbfs(&(0x7f0000000240), 0x14, 0x0) syz_open_dev$usbfs(&(0x7f0000000280), 0x14, 0x1) syz_open_dev$usbfs(&(0x7f00000002c0), 0x14, 0x2) syz_open_dev$usbfs(&(0x7f0000000300), 0x14, 0x800) syz_open_dev$usbfs(&(0x7f0000000340), 0x1e, 0x0) syz_open_dev$usbfs(&(0x7f0000000380), 0x1e, 0x1) syz_open_dev$usbfs(&(0x7f00000003c0), 0x1e, 0x2) syz_open_dev$usbfs(&(0x7f0000000400), 0x1e, 0x800) syz_open_dev$usbfs(&(0x7f0000000440), 0x28, 0x0) syz_open_dev$usbfs(&(0x7f0000000480), 0x28, 0x1) syz_open_dev$usbfs(&(0x7f00000004c0), 0x28, 0x2) syz_open_dev$usbfs(&(0x7f0000000500), 0x28, 0x800) 38.868089ms ago: executing program 1 (id=141): close(0xffffffffffffffff) 38.639599ms ago: executing program 3 (id=142): fanotify_mark(0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, &(0x7f0000000000)) 38.393879ms ago: executing program 4 (id=143): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/lightnvm/control', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/lightnvm/control', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/lightnvm/control', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/lightnvm/control', 0x800, 0x0) 38.243599ms ago: executing program 2 (id=144): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/null', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/null', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/null', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/null', 0x800, 0x0) 38.196959ms ago: executing program 1 (id=145): get_robust_list(0x0, &(0x7f0000000000), &(0x7f0000000000)) 832.88µs ago: executing program 3 (id=146): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/snd/timer', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/snd/timer', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/snd/timer', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/snd/timer', 0x800, 0x0) 653.86µs ago: executing program 3 (id=147): socket$isdn(0x22, 0x3, 0x0) 579µs ago: executing program 4 (id=148): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/ptp1', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/ptp1', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ptp1', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/ptp1', 0x800, 0x0) 353.39µs ago: executing program 1 (id=149): ioprio_set$auto(0x0, 0x0, 0x0) 231.57µs ago: executing program 2 (id=150): io_cancel(0x0, &(0x7f0000000000), &(0x7f0000000000)) 168.41µs ago: executing program 1 (id=151): syz_open_dev$midi(&(0x7f0000000040), 0x0, 0x0) syz_open_dev$midi(&(0x7f0000000080), 0x0, 0x1) syz_open_dev$midi(&(0x7f00000000c0), 0x0, 0x2) syz_open_dev$midi(&(0x7f0000000100), 0x0, 0x800) syz_open_dev$midi(&(0x7f0000000140), 0x1, 0x0) syz_open_dev$midi(&(0x7f0000000180), 0x1, 0x1) syz_open_dev$midi(&(0x7f00000001c0), 0x1, 0x2) syz_open_dev$midi(&(0x7f0000000200), 0x1, 0x800) syz_open_dev$midi(&(0x7f0000000240), 0x2, 0x0) syz_open_dev$midi(&(0x7f0000000280), 0x2, 0x1) syz_open_dev$midi(&(0x7f00000002c0), 0x2, 0x2) syz_open_dev$midi(&(0x7f0000000300), 0x2, 0x800) syz_open_dev$midi(&(0x7f0000000340), 0x3, 0x0) syz_open_dev$midi(&(0x7f0000000380), 0x3, 0x1) syz_open_dev$midi(&(0x7f00000003c0), 0x3, 0x2) syz_open_dev$midi(&(0x7f0000000400), 0x3, 0x800) syz_open_dev$midi(&(0x7f0000000440), 0x4, 0x0) syz_open_dev$midi(&(0x7f0000000480), 0x4, 0x1) syz_open_dev$midi(&(0x7f00000004c0), 0x4, 0x2) syz_open_dev$midi(&(0x7f0000000500), 0x4, 0x800) 84.02µs ago: executing program 3 (id=152): epoll_ctl$EPOLL_CTL_ADD(0xffffffffffffffff, 0x1, 0xffffffffffffffff, &(0x7f0000000000)) 0s ago: executing program 4 (id=153): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vcsu', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/vcsu', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/vcsu', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/vcsu', 0x800, 0x0) kernel console output (not intermixed with test programs): Warning: Permanently added '10.128.1.176' (ED25519) to the list of known hosts. [ 31.098446][ T4035] cgroup: Unknown subsys name 'net' [ 31.341273][ T4035] cgroup: Unknown subsys name 'rlimit' Setting up swapspace version 1, size = 127995904 bytes [ 31.617011][ T4035] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k SSFS [ 32.774733][ T4163] mmap: syz.4.112 (4163) uses deprecated remap_file_pages() syscall. See Documentation/vm/remap_file_pages.rst. [ 32.968174][ T4202] Internal error: Oops - BTI: 0000000036000001 [#1] PREEMPT SMP [ 32.969444][ T4202] Modules linked in: [ 32.970153][ T4202] CPU: 1 PID: 4202 Comm: syz.2.150 Not tainted syzkaller #0 [ 32.971364][ T4202] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026 [ 32.973011][ T4202] pstate: 42400405 (nZcv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=jc) [ 32.974345][ T4202] pc : lookup_ioctx+0x108/0x7c8 [ 32.975193][ T4202] lr : lookup_ioctx+0xe4/0x7c8 [ 32.975944][ T4202] sp : ffff80001f377cf0 [ 32.976626][ T4202] x29: ffff80001f377cf0 x28: ffff0000cccf1b40 x27: 0000000000000000 [ 32.978040][ T4202] x26: 1fffe0001999e368 x25: 0000000000400040 x24: ffff0000d2a4e780 [ 32.979315][ T4202] x23: dfff800000000000 x22: 00000000fffffff2 x21: 0000000000000000 [ 32.980669][ T4202] x20: ffff0000cccf1b40 x19: 0000000000000000 x18: 0000000000000000 [ 32.982032][ T4202] x17: 0000000000000000 x16: ffff800008a23dc8 x15: 0000000000000000 [ 32.983457][ T4202] x14: 0000000000000003 x13: 1ffff0000285602b x12: 0000000000ff0100 [ 32.984848][ T4202] x11: 0000000000000000 x10: 0000000000000000 x9 : 0000ffffffffffff [ 32.986137][ T4202] x8 : 0000000000000000 x7 : ffff800008758d80 x6 : 0000000000000000 [ 32.987379][ T4202] x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000001 [ 32.988618][ T4202] x2 : 0000000000000008 x1 : 0000000000000001 x0 : 0000000000000000 [ 32.989953][ T4202] Call trace: [ 32.990504][ T4202] lookup_ioctx+0x108/0x7c8 [ 32.991265][ T4202] __arm64_sys_io_cancel+0x160/0x338 [ 32.992181][ T4202] invoke_syscall+0x98/0x2b0 [ 32.992973][ T4202] el0_svc_common+0x138/0x258 [ 32.993765][ T4202] do_el0_svc+0x58/0x13c [ 32.994505][ T4202] el0_svc+0x78/0x1d0 [ 32.995147][ T4202] el0t_64_sync_handler+0xcc/0xe4 [ 32.996000][ T4202] el0t_64_sync+0x1a0/0x1a4 [ 32.996800][ T4202] Code: d503229f 2a1f03f6 2a1f03e0 b8400953 (2a1603e1) [ 32.997965][ T4202] ---[ end trace efc21c3660e69904 ]--- SYZFAIL: failed to recv rpc fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor) [ 33.167847][ T4202] Kernel panic - not syncing: Oops - BTI: Fatal exception [ 33.168788][ T4202] SMP: stopping secondary CPUs [ 33.169496][ T4202] Kernel Offset: disabled [ 33.170091][ T4202] CPU features: 0x8,000003c1,7d33ffd9 [ 33.170942][ T4202] Memory Limit: none [ 33.332581][ T4202] Rebooting in 86400 seconds..