last executing test programs: 155.20664ms ago: executing program 3 (id=49): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/xen/evtchn', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/xen/evtchn', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/xen/evtchn', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/xen/evtchn', 0x800, 0x0) 123.029743ms ago: executing program 3 (id=54): openat(0xffffffffffffff9c, &(0x7f0000000040)='/sys/kernel/debug/damon/rm_contexts', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/sys/kernel/debug/damon/rm_contexts', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/sys/kernel/debug/damon/rm_contexts', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/sys/kernel/debug/damon/rm_contexts', 0x800, 0x0) 122.659553ms ago: executing program 3 (id=57): socket$inet_mptcp(0x2, 0x1, 0x106) 96.659744ms ago: executing program 2 (id=60): readahead(0xffffffffffffffff, 0x0, 0x0) 96.315104ms ago: executing program 2 (id=63): fsetxattr(0xffffffffffffffff, &(0x7f0000000000), &(0x7f0000000000), 0x0, 0x0) 96.184414ms ago: executing program 3 (id=64): syz_open_dev$dri(&(0x7f0000000040), 0x0, 0x0) syz_open_dev$dri(&(0x7f0000000080), 0x0, 0x1) syz_open_dev$dri(&(0x7f00000000c0), 0x0, 0x2) syz_open_dev$dri(&(0x7f0000000100), 0x0, 0x800) syz_open_dev$dri(&(0x7f0000000140), 0x1, 0x0) syz_open_dev$dri(&(0x7f0000000180), 0x1, 0x1) syz_open_dev$dri(&(0x7f00000001c0), 0x1, 0x2) syz_open_dev$dri(&(0x7f0000000200), 0x1, 0x800) syz_open_dev$dri(&(0x7f0000000240), 0x2, 0x0) syz_open_dev$dri(&(0x7f0000000280), 0x2, 0x1) syz_open_dev$dri(&(0x7f00000002c0), 0x2, 0x2) syz_open_dev$dri(&(0x7f0000000300), 0x2, 0x800) syz_open_dev$dri(&(0x7f0000000340), 0x3, 0x0) syz_open_dev$dri(&(0x7f0000000380), 0x3, 0x1) syz_open_dev$dri(&(0x7f00000003c0), 0x3, 0x2) syz_open_dev$dri(&(0x7f0000000400), 0x3, 0x800) syz_open_dev$dri(&(0x7f0000000440), 0x4, 0x0) syz_open_dev$dri(&(0x7f0000000480), 0x4, 0x1) syz_open_dev$dri(&(0x7f00000004c0), 0x4, 0x2) syz_open_dev$dri(&(0x7f0000000500), 0x4, 0x800) 62.068096ms ago: executing program 0 (id=66): process_vm_readv(0x0, &(0x7f0000000000), 0x0, &(0x7f0000000000), 0x0, 0x0) 61.928586ms ago: executing program 0 (id=67): timer_create(0x0, &(0x7f0000000000), &(0x7f0000000000)) 61.857246ms ago: executing program 2 (id=68): mq_unlink(&(0x7f0000000000)) 61.746726ms ago: executing program 4 (id=69): set_tid_address(&(0x7f0000000000)) 61.436826ms ago: executing program 1 (id=70): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/iommu', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/iommu', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/iommu', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/iommu', 0x800, 0x0) 61.111896ms ago: executing program 1 (id=71): signalfd4(0xffffffffffffffff, &(0x7f0000000000), 0x0, 0x0) 60.713706ms ago: executing program 3 (id=72): socket$vsock_stream(0x28, 0x1, 0x0) 34.735477ms ago: executing program 4 (id=73): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/raw-gadget', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/raw-gadget', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/raw-gadget', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/raw-gadget', 0x800, 0x0) 34.471697ms ago: executing program 0 (id=74): msgsnd(0x0, &(0x7f0000000000), 0x0, 0x0) 34.255897ms ago: executing program 3 (id=75): socket$packet(0x11, 0x2, 0x300) 34.169137ms ago: executing program 2 (id=76): unlinkat(0xffffffffffffffff, &(0x7f0000000000), 0x0) 34.072518ms ago: executing program 1 (id=77): msgget(0xffffffffffffffff, 0x0) 34.019087ms ago: executing program 0 (id=78): socket(0x10, 0x3, 0x10) 33.953197ms ago: executing program 4 (id=79): tee(0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0) 33.859827ms ago: executing program 2 (id=80): syz_open_dev$loop(&(0x7f0000000040), 0x0, 0x0) syz_open_dev$loop(&(0x7f0000000080), 0x0, 0x1) syz_open_dev$loop(&(0x7f00000000c0), 0x0, 0x2) syz_open_dev$loop(&(0x7f0000000100), 0x0, 0x800) syz_open_dev$loop(&(0x7f0000000140), 0x1, 0x0) syz_open_dev$loop(&(0x7f0000000180), 0x1, 0x1) syz_open_dev$loop(&(0x7f00000001c0), 0x1, 0x2) syz_open_dev$loop(&(0x7f0000000200), 0x1, 0x800) syz_open_dev$loop(&(0x7f0000000240), 0x2, 0x0) syz_open_dev$loop(&(0x7f0000000280), 0x2, 0x1) syz_open_dev$loop(&(0x7f00000002c0), 0x2, 0x2) syz_open_dev$loop(&(0x7f0000000300), 0x2, 0x800) syz_open_dev$loop(&(0x7f0000000340), 0x3, 0x0) syz_open_dev$loop(&(0x7f0000000380), 0x3, 0x1) syz_open_dev$loop(&(0x7f00000003c0), 0x3, 0x2) syz_open_dev$loop(&(0x7f0000000400), 0x3, 0x800) syz_open_dev$loop(&(0x7f0000000440), 0x4, 0x0) syz_open_dev$loop(&(0x7f0000000480), 0x4, 0x1) syz_open_dev$loop(&(0x7f00000004c0), 0x4, 0x2) syz_open_dev$loop(&(0x7f0000000500), 0x4, 0x800) 33.818887ms ago: executing program 4 (id=81): connect(0xffffffffffffffff, &(0x7f0000000000), 0x0) 1.37381ms ago: executing program 0 (id=82): fstat(0xffffffffffffffff, &(0x7f0000000000)) 1.21099ms ago: executing program 1 (id=83): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/ashmem', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/ashmem', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ashmem', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/ashmem', 0x800, 0x0) 1.07097ms ago: executing program 4 (id=84): syz_init_net_socket$ax25(0x3, 0x2, 0x0) 811.81µs ago: executing program 1 (id=85): getpeername(0xffffffffffffffff, &(0x7f0000000000), &(0x7f0000000000)) 696.42µs ago: executing program 2 (id=86): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/ptp0', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/ptp0', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ptp0', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/ptp0', 0x800, 0x0) 589.62µs ago: executing program 0 (id=87): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/adsp1', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/adsp1', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/adsp1', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/adsp1', 0x800, 0x0) 452.78µs ago: executing program 4 (id=88): io_cancel(0x0, &(0x7f0000000000), &(0x7f0000000000)) 0s ago: executing program 1 (id=89): fsconfig$FSCONFIG_CMD_CREATE(0xffffffffffffffff, 0x6, 0x0, 0x0, 0x0) kernel console output (not intermixed with test programs): Warning: Permanently added '10.128.0.200' (ED25519) to the list of known hosts. [ 27.511028][ T4031] cgroup: Unknown subsys name 'net' [ 27.750165][ T4031] cgroup: Unknown subsys name 'rlimit' Setting up swapspace version 1, size = 127995904 bytes [ 28.088798][ T4031] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k SSFS [ 29.146036][ T4137] Internal error: Oops - BTI: 0000000036000001 [#1] PREEMPT SMP [ 29.147315][ T4137] Modules linked in: [ 29.147932][ T4137] CPU: 0 PID: 4137 Comm: syz.4.88 Not tainted syzkaller #0 [ 29.148981][ T4137] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025 [ 29.150351][ T4137] pstate: 42400405 (nZcv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=jc) [ 29.151473][ T4137] pc : lookup_ioctx+0x108/0x7c8 [ 29.152246][ T4137] lr : lookup_ioctx+0xe4/0x7c8 [ 29.153000][ T4137] sp : ffff80001f367cf0 [ 29.153615][ T4137] x29: ffff80001f367cf0 x28: ffff0000cd1ab680 x27: 0000000000000000 [ 29.154830][ T4137] x26: 1fffe00019a356d0 x25: 0000000000400040 x24: ffff0000da612840 [ 29.156102][ T4137] x23: dfff800000000000 x22: 00000000fffffff2 x21: 0000000000000000 [ 29.157301][ T4137] x20: ffff0000cd1ab680 x19: 0000000000000000 x18: 0000000000000000 [ 29.158536][ T4137] x17: 0000000000000000 x16: ffff800008a22da8 x15: 0000000000000000 [ 29.159583][ T4137] x14: 0000000000000003 x13: 1ffff0000285202b x12: 0000000000ff0100 [ 29.160861][ T4137] x11: 0000000000000000 x10: 0000000000000000 x9 : 0000ffffffffffff [ 29.162158][ T4137] x8 : 0000000000000000 x7 : ffff8000087586bc x6 : 0000000000000000 [ 29.163339][ T4137] x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000001 [ 29.164534][ T4137] x2 : 0000000000000008 x1 : 0000000000000001 x0 : 0000000000000000 [ 29.165690][ T4137] Call trace: [ 29.166150][ T4137] lookup_ioctx+0x108/0x7c8 [ 29.166814][ T4137] __arm64_sys_io_cancel+0x160/0x338 [ 29.167580][ T4137] invoke_syscall+0x98/0x2b0 [ 29.168256][ T4137] el0_svc_common+0x138/0x258 [ 29.168917][ T4137] do_el0_svc+0x58/0x13c [ 29.169573][ T4137] el0_svc+0x78/0x1d0 [ 29.170178][ T4137] el0t_64_sync_handler+0xcc/0xe4 [ 29.170986][ T4137] el0t_64_sync+0x1a0/0x1a4 [ 29.171663][ T4137] Code: d503229f 2a1f03f6 2a1f03e0 b8400953 (2a1603e1) [ 29.172632][ T4137] ---[ end trace b7b519b0d3595086 ]--- SYZFAIL: failed to recv rpc fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor) [ 29.293094][ T4038] ODEBUG: Out of memory. ODEBUG disabled [ 29.359966][ T4137] Kernel panic - not syncing: Oops - BTI: Fatal exception [ 29.360899][ T4137] SMP: stopping secondary CPUs [ 29.361534][ T4137] Kernel Offset: disabled [ 29.362167][ T4137] CPU features: 0x8,000003c1,7d33ffd9 [ 29.362894][ T4137] Memory Limit: none [ 29.552649][ T4137] Rebooting in 86400 seconds..