last executing test programs:

3.177286083s ago: executing program 4 (id=5):
time(&(0x7f0000000000))

3.071886928s ago: executing program 4 (id=19):
name_to_handle_at(0xffffffffffffffff, &(0x7f0000000000), &(0x7f0000000000), &(0x7f0000000000), 0x0)

2.963035636s ago: executing program 4 (id=23):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/hwbinder', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/hwbinder', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/hwbinder', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/hwbinder', 0x800, 0x0)

2.907279665s ago: executing program 4 (id=25):
pause()

1.391259911s ago: executing program 3 (id=80):
syz_init_net_socket$bt_rfcomm(0x1f, 0x1, 0x3)

1.311391909s ago: executing program 3 (id=84):
dup(0xffffffffffffffff)

1.226881373s ago: executing program 3 (id=88):
fsmount(0xffffffffffffffff, 0x0, 0x0)

1.186029145s ago: executing program 3 (id=92):
syz_open_dev$audion(&(0x7f0000000040), 0x0, 0x0)
syz_open_dev$audion(&(0x7f0000000080), 0x0, 0x1)
syz_open_dev$audion(&(0x7f00000000c0), 0x0, 0x2)
syz_open_dev$audion(&(0x7f0000000100), 0x0, 0x800)
syz_open_dev$audion(&(0x7f0000000140), 0x1, 0x0)
syz_open_dev$audion(&(0x7f0000000180), 0x1, 0x1)
syz_open_dev$audion(&(0x7f00000001c0), 0x1, 0x2)
syz_open_dev$audion(&(0x7f0000000200), 0x1, 0x800)
syz_open_dev$audion(&(0x7f0000000240), 0x2, 0x0)
syz_open_dev$audion(&(0x7f0000000280), 0x2, 0x1)
syz_open_dev$audion(&(0x7f00000002c0), 0x2, 0x2)
syz_open_dev$audion(&(0x7f0000000300), 0x2, 0x800)
syz_open_dev$audion(&(0x7f0000000340), 0x3, 0x0)
syz_open_dev$audion(&(0x7f0000000380), 0x3, 0x1)
syz_open_dev$audion(&(0x7f00000003c0), 0x3, 0x2)
syz_open_dev$audion(&(0x7f0000000400), 0x3, 0x800)
syz_open_dev$audion(&(0x7f0000000440), 0x4, 0x0)
syz_open_dev$audion(&(0x7f0000000480), 0x4, 0x1)
syz_open_dev$audion(&(0x7f00000004c0), 0x4, 0x2)
syz_open_dev$audion(&(0x7f0000000500), 0x4, 0x800)

475.106244ms ago: executing program 2 (id=119):
fchdir(0xffffffffffffffff)

454.979133ms ago: executing program 1 (id=120):
socket$netlink(0x10, 0x3, 0x0)

409.687164ms ago: executing program 0 (id=121):
fspick(0xffffffffffffffff, &(0x7f0000000000), 0x0)

351.279755ms ago: executing program 2 (id=122):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sr0', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/sr0', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sr0', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/sr0', 0x800, 0x0)

350.723808ms ago: executing program 1 (id=123):
sched_setaffinity(0x0, 0x0, &(0x7f0000000000))

323.87084ms ago: executing program 0 (id=124):
socket$alg(0x26, 0x5, 0x0)

321.086186ms ago: executing program 2 (id=125):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm-monitor', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/dlm-monitor', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/dlm-monitor', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dlm-monitor', 0x800, 0x0)

263.081099ms ago: executing program 1 (id=126):
link(&(0x7f0000000000), &(0x7f0000000000))

235.80641ms ago: executing program 0 (id=127):
socket$caif_stream(0x25, 0x1, 0x0)

231.205873ms ago: executing program 2 (id=128):
msgsnd(0x0, &(0x7f0000000000), 0x0, 0x0)

171.692454ms ago: executing program 1 (id=129):
setpgid(0x0, 0x0)

171.344939ms ago: executing program 1 (id=130):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/ptp0', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/ptp0', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ptp0', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/ptp0', 0x800, 0x0)

145.664019ms ago: executing program 0 (id=131):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/selinux/load', 0x2, 0x0)

140.957837ms ago: executing program 2 (id=132):
socket$can_raw(0x1d, 0x3, 0x1)

39.525688ms ago: executing program 3 (id=133):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/binder', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/binder', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/binder', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/binder', 0x800, 0x0)

39.260831ms ago: executing program 1 (id=134):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vhost-net', 0x2, 0x0)

39.206979ms ago: executing program 0 (id=135):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/msm', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/msm', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/msm', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/msm', 0x800, 0x0)

39.044379ms ago: executing program 2 (id=136):
socket$inet_sctp(0x2, 0x1, 0x84)

10.576236ms ago: executing program 3 (id=137):
msync(0x0, 0x0, 0x0)

0s ago: executing program 0 (id=138):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/sys/fs/smackfs/load', 0x2, 0x0)

kernel console output (not intermixed with test programs):

Warning: Permanently added '10.128.0.101' (ED25519) to the list of known hosts.
[ 163.795787][ T5791] cgroup: Unknown subsys name 'net'
[ 163.939829][ T5791] cgroup: Unknown subsys name 'cpuset'
[ 163.958987][ T5791] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[ 169.575139][ T5791] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 176.524034][ T5960] Oops: general protection fault, probably for non-canonical address 0x1fe209b7b053be8: 0000 [#1] SMP PTI
[ 176.535816][ T5960] CPU: 0 UID: 0 PID: 5960 Comm: syz.1.134 Not tainted 6.16.0-syzkaller-11952-g6e64f4580381 #0 PREEMPT(none)
[ 176.548398][ T5960] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
[ 176.558783][ T5960] RIP: 0010:kfree+0xf2/0xec0
[ 176.563750][ T5960] Code: ef 0c 48 3d 00 10 00 00 41 0f 42 f6 89 75 d0 4f 8d 3c bf 49 c1 e7 04 48 09 4d b0 48 8b 45 80 4a 8d 7c 38 08 0f 85 70 05 00 00 <4c> 8b 27 e8 06 61 14 00 4c 8b 28 44 8b 32 44 89 e8 83 e0 01 44 89
[ 176.583938][ T5960] RSP: 0018:ffff888128eaba38 EFLAGS: 00010246
[ 176.590415][ T5960] RAX: ffffea0000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 176.598627][ T5960] RDX: ffff88821ff13408 RSI: 0000000000000000 RDI: 01fe209b7b053be8
[ 176.607275][ T5960] RBP: ffff888128eabae0 R08: ffffea000000000f R09: 0000000000000000
[ 176.615495][ T5960] R10: ffff888116372c20 R11: 0000000000000000 R12: 0000000000000000
[ 176.623874][ T5960] R13: 0000000000000000 R14: 0000000000000000 R15: 01fe369b7b053be0
[ 176.632253][ T5960] FS: 0000000000000000(0000) GS:ffff8881aa69a000(0000) knlGS:0000000000000000
[ 176.641350][ T5960] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
[ 176.648105][ T5960] CR2: 00000000f7f75588 CR3: 000000012535a000 CR4: 00000000003526f0
[ 176.656489][ T5960] Call Trace:
[ 176.659895][ T5960]
[ 176.663018][ T5960] ? vhost_dev_cleanup+0x74d/0xf20
[ 176.668343][ T5960] ? kmsan_get_metadata+0xfb/0x160
[ 176.673929][ T5960] vhost_dev_cleanup+0x74d/0xf20
[ 176.679076][ T5960] ? __pfx_vhost_net_release+0x10/0x10
[ 176.684768][ T5960] vhost_net_release+0x18f/0x930
[ 176.689977][ T5960] ? __pfx_vhost_net_release+0x10/0x10
[ 176.695739][ T5960] __fput+0x60b/0x1040
[ 176.700107][ T5960] ? __pfx_____fput+0x10/0x10
[ 176.705149][ T5960] ____fput+0x25/0x30
[ 176.709299][ T5960] task_work_run+0x209/0x2b0
[ 176.714546][ T5960] do_exit+0x99d/0x3d50
[ 176.719252][ T5960] ? kmsan_get_metadata+0xfb/0x160
[ 176.724787][ T5960] do_group_exit+0x259/0x390
[ 176.729613][ T5960] __ia32_sys_exit_group+0x35/0x40
[ 176.734952][ T5960] ia32_sys_call+0x4302/0x4310
[ 176.740095][ T5960] __do_fast_syscall_32+0xb0/0x150
[ 176.745583][ T5960] ? irqentry_exit_to_user_mode+0x82/0xa0
[ 176.751867][ T5960] do_fast_syscall_32+0x38/0x80
[ 176.757650][ T5960] do_SYSENTER_32+0x1f/0x30
[ 176.762379][ T5960] entry_SYSENTER_compat_after_hwframe+0x84/0x8e
[ 176.769057][ T5960] RIP: 0023:0xf7fc5539
[ 176.773480][ T5960] Code: Unable to access opcode bytes at 0xf7fc550f.
[ 176.780276][ T5960] RSP: 002b:00000000ffaa6c8c EFLAGS: 00000206 ORIG_RAX: 00000000000000fc
[ 176.789190][ T5960] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000000000
[ 176.797426][ T5960] RDX: 0000000000000000 RSI: 00000000ffffff9c RDI: 00000000f7454ff4
[ 176.805662][ T5960] RBP: 000000000000002c R08: 0000000000000000 R09: 0000000000000000
[ 176.813889][ T5960] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000
[ 176.822353][ T5960] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 176.831319][ T5960]
[ 176.834555][ T5960] Modules linked in:
[ 176.839798][ T5960] ---[ end trace 0000000000000000 ]---
[ 176.845545][ T5960] RIP: 0010:kfree+0xf2/0xec0
[ 176.850709][ T5960] Code: ef 0c 48 3d 00 10 00 00 41 0f 42 f6 89 75 d0 4f 8d 3c bf 49 c1 e7 04 48 09 4d b0 48 8b 45 80 4a 8d 7c 38 08 0f 85 70 05 00 00 <4c> 8b 27 e8 06 61 14 00 4c 8b 28 44 8b 32 44 89 e8 83 e0 01 44 89
[ 176.871643][ T5960] RSP: 0018:ffff888128eaba38 EFLAGS: 00010246
[ 176.878662][ T5960] RAX: ffffea0000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 176.887592][ T5960] RDX: ffff88821ff13408 RSI: 0000000000000000 RDI: 01fe209b7b053be8
[ 176.896306][ T5960] RBP: ffff888128eabae0 R08: ffffea000000000f R09: 0000000000000000
[ 176.904963][ T5960] R10: ffff888116372c20 R11: 0000000000000000 R12: 0000000000000000
[ 176.913442][ T5960] R13: 0000000000000000 R14: 0000000000000000 R15: 01fe369b7b053be0
[ 176.921866][ T5960] FS: 0000000000000000(0000) GS:ffff8881aa69a000(0000) knlGS:0000000000000000
[ 176.931977][ T5960] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
[ 176.938911][ T5960] CR2: 00000000f7f75588 CR3: 000000012535a000 CR4: 00000000003526f0
[ 176.947237][ T5960] Kernel panic - not syncing: Fatal exception
[ 176.953973][ T5960] Kernel Offset: disabled
[ 176.958772][ T5960] Rebooting in 86400 seconds..