------------[ cut here ]------------
percpu ref (free_ioctx_reqs) <= 0 (0) after switching to atomic
WARNING: lib/percpu-refcount.c:197 at percpu_ref_switch_to_atomic_rcu+0x3cc/0x480, CPU#0: syz-executor.1/3973
Modules linked in:
CPU: 0 UID: 0 PID: 3973 Comm: syz-executor.1 Tainted: G W 6.17.0-rc3-next-20250829 #1 PREEMPT(voluntary)
Tainted: [W]=WARN
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:percpu_ref_switch_to_atomic_rcu+0x3cc/0x480
Code: 00 00 00 00 00 fc ff df 48 89 f9 48 c1 e9 03 80 3c 01 00 0f 85 9e 00 00 00 49 8b 75 e8 48 c7 c7 80 97 e2 84 e8 75 c5 e9 fe 90 <0f> 0b 90 90 e9 2b ff ff ff e8 f6 de 5f ff e9 9e fe ff ff e8 7c df
RSP: 0018:ffff88806ce08e20 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8139de70
RDX: ffff8880198a8000 RSI: ffffffff8139de7e RDI: 0000000000000001
RBP: 8000000000000000 R08: 0000000000000001 R09: ffffed100d9c4801
R10: 0000000000000000 R11: 0000000000000001 R12: ffff88800a692a00
R13: ffff88800a692a20 R14: 0000000000000002 R15: 0000000000000003
FS: 0000000000000000(0000) GS:ffff8880e55dd000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffd9d905fe8 CR3: 0000000042c65000 CR4: 0000000000350ef0
Call Trace:
rcu_core+0x7c8/0x1800
handle_softirqs+0x1b1/0x770
__irq_exit_rcu+0xc4/0x100
irq_exit_rcu+0x9/0x20
sysvec_apic_timer_interrupt+0x70/0x80
asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:__sanitizer_cov_trace_pc+0x8/0x80
Code: 4a 03 48 c7 c0 f4 ff ff ff eb 92 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 48 8b 34 24 <65> 48 8b 15 88 48 10 06 65 8b 05 99 48 10 06 a9 00 01 ff 00 74 27
RSP: 0018:ffff888047097620 EFLAGS: 00000246
RAX: 0000000000000000 RBX: ffffea0000e00100 RCX: ffffffff81a2801d
RDX: ffff8880198a8000 RSI: ffffffff81a28093 RDI: 0000000000000001
RBP: 0000000000000001 R08: 0000000000000000 R09: fffff940001c0020
R10: 0000000000000000 R11: 0000000000000001 R12: ffffea0000e00100
R13: 0000000000000000 R14: ffff88800d86b140 R15: ffffea0000e00130
folio_remove_rmap_ptes+0x283/0x7c0
unmap_page_range+0x15fc/0x36d0
unmap_single_vma.constprop.0+0x153/0x230
unmap_vmas+0x1d6/0x430
exit_mmap+0x181/0xaa0
mmput+0xd5/0x390
do_exit+0x79d/0x2970
do_group_exit+0xd3/0x2a0
get_signal+0x2315/0x2340
arch_do_signal_or_restart+0x80/0x790
exit_to_user_mode_loop+0x8b/0x110
do_syscall_64+0x2f7/0x360
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe7b8153b19
Code: Unable to access opcode bytes at 0x7fe7b8153aef.
RSP: 002b:00007fe7b56a8218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: 0000000000000001 RBX: 00007fe7b8267028 RCX: 00007fe7b8153b19
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007fe7b826702c
RBP: 00007fe7b8267020 R08: 000000000000000e R09: 0000000000000000
R10: 0000000000000004 R11: 0000000000000246 R12: 00007fe7b826702c
R13: 00007fffa3c4326f R14: 00007fe7b56a8300 R15: 0000000000022000
irq event stamp: 1328
hardirqs last enabled at (1336): [] __up_console_sem+0x78/0x80
hardirqs last disabled at (1345): [] __up_console_sem+0x5d/0x80
softirqs last enabled at (488): [] handle_softirqs+0x50c/0x770
softirqs last disabled at (529): [] __irq_exit_rcu+0xc4/0x100
---[ end trace 0000000000000000 ]---
percpu_ref_switch_to_atomic_rcu: percpu_ref_switch_to_atomic_rcu(): percpu_ref underflow slab kmalloc-64 start ffff88800a692a00 pointer offset 0 size 64
loop2: detected capacity change from 0 to 2048
EXT4-fs (loop2): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
ext4 filesystem being mounted at /syzkaller-testdir350410261/syzkaller.Lisx2q/4/file0 supports timestamps until 2038-01-19 (0x7fffffff)
loop7: detected capacity change from 0 to 264192
FAT-fs (loop7): invalid media value (0x08)
FAT-fs (loop7): Can't find a valid FAT filesystem
kmemleak: Found object by alias at 0x607f1a639c4c
CPU: 0 UID: 0 PID: 3967 Comm: syz-executor.6 Tainted: G W 6.17.0-rc3-next-20250829 #1 PREEMPT(voluntary)
Tainted: [W]=WARN
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
dump_stack_lvl+0xca/0x120
__lookup_object+0x94/0xb0
delete_object_full+0x27/0x70
free_percpu+0x30/0x1160
futex_hash_free+0x38/0xc0
mmput+0x2d3/0x390
do_exit+0x79d/0x2970
do_group_exit+0xd3/0x2a0
__x64_sys_exit_group+0x3e/0x50
x64_sys_call+0x18c5/0x18d0
do_syscall_64+0xbf/0x360
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f3b4bba4b19
Code: Unable to access opcode bytes at 0x7f3b4bba4aef.
RSP: 002b:00007ffe05ef0598 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 000000000000001e RCX: 00007f3b4bba4b19
RDX: 00007f3b4bb5772b RSI: ffffffffffffffbc RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 0000000000000001 R14: 0000000000000001 R15: 00007ffe05ef0680
kmemleak: Object (percpu) 0x607f1a639c48 (size 8):
kmemleak: comm "syz-executor.2", pid 3982, jiffies 4294823270
kmemleak: min_count = 1
kmemleak: count = 0
kmemleak: flags = 0x21
kmemleak: checksum = 0
kmemleak: backtrace:
pcpu_alloc_noprof+0x87a/0x1170
percpu_ref_init+0x37/0x400
blkg_alloc+0xe9/0x7d0
blkg_create+0xe08/0x1420
bio_associate_blkg_from_css+0xe06/0x1380
bio_associate_blkg+0x10e/0x2a0
bio_init+0x2dd/0x570
bio_alloc_bioset+0x2cf/0x8c0
submit_bh_wbc+0x286/0x720
ext4_read_bh+0x15a/0x2e0
ext4_read_bh_lock+0x7a/0xd0
ext4_sb_bread_unmovable+0x172/0x260
ext4_fill_super+0x662/0xba20
get_tree_bdev_flags+0x38a/0x620
vfs_get_tree+0x93/0x340
path_mount+0x132d/0x1dd0
audit: type=1400 audit(1756572493.568:11): avc: denied { watch_reads } for pid=3992 comm="syz-executor.1" path="/syzkaller-testdir080923812/syzkaller.BXrygC/3/file0" dev="hugetlbfs" ino=5470 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=dir permissive=1
kmemleak: Cannot insert 0x607f1a639c4c into the object search tree (overlaps existing)
CPU: 1 UID: 0 PID: 3994 Comm: syz-executor.1 Tainted: G W 6.17.0-rc3-next-20250829 #1 PREEMPT(voluntary)
Tainted: [W]=WARN
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
dump_stack_lvl+0xca/0x120
__link_object+0x190/0x210
__create_object+0x48/0x80
pcpu_alloc_noprof+0x87a/0x1170
__percpu_init_rwsem+0x2d/0x160
alloc_super+0x29e/0xb80
sget_fc+0xfe/0xb80
get_tree_nodev+0x28/0x190
hugetlbfs_get_tree+0x23b/0x5a0
vfs_get_tree+0x93/0x340
path_mount+0x132d/0x1dd0
__x64_sys_mount+0x27b/0x300
do_syscall_64+0xbf/0x360
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe7b8153b19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe7b56c9188 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fe7b8266f60 RCX: 00007fe7b8153b19
RDX: 0000000020000200 RSI: 00000000200000c0 RDI: 0000000000000000
RBP: 00007fe7b81adf6d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fffa3c4326f R14: 00007fe7b56c9300 R15: 0000000000022000
kmemleak: Kernel memory leak detector disabled
kmemleak: Object (percpu) 0x607f1a639c48 (size 8):
kmemleak: comm "syz-executor.2", pid 3982, jiffies 4294823270
kmemleak: min_count = 1
kmemleak: count = 0
kmemleak: flags = 0x21
kmemleak: checksum = 0
kmemleak: backtrace:
pcpu_alloc_noprof+0x87a/0x1170
percpu_ref_init+0x37/0x400
blkg_alloc+0xe9/0x7d0
blkg_create+0xe08/0x1420
bio_associate_blkg_from_css+0xe06/0x1380
bio_associate_blkg+0x10e/0x2a0
bio_init+0x2dd/0x570
bio_alloc_bioset+0x2cf/0x8c0
submit_bh_wbc+0x286/0x720
ext4_read_bh+0x15a/0x2e0
ext4_read_bh_lock+0x7a/0xd0
ext4_sb_bread_unmovable+0x172/0x260
ext4_fill_super+0x662/0xba20
get_tree_bdev_flags+0x38a/0x620
vfs_get_tree+0x93/0x340
path_mount+0x132d/0x1dd0
loop7: detected capacity change from 0 to 264192
tmpfs: Bad value for 'nr_inodes'
loop7: detected capacity change from 0 to 264192
FAT-fs (loop7): invalid media value (0x08)
FAT-fs (loop7): Can't find a valid FAT filesystem
kmemleak: Automatic memory scanning thread ended
Bluetooth: Unexpected continuation frame (len 16)
EXT4-fs (loop2): unmounting filesystem 00000000-0000-0000-0000-000000000000.
Bluetooth: Unexpected continuation frame (len 16)
audit: type=1400 audit(1756572493.689:12): avc: denied { watch_reads } for pid=3992 comm="syz-executor.1" path="/syzkaller-testdir080923812/syzkaller.BXrygC/3/file0" dev="sda" ino=15991 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
loop7: detected capacity change from 0 to 264192
tmpfs: Bad value for 'nr_inodes'
UDPLite6: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
Bluetooth: hci5: Controller not accepting commands anymore: ncmd = 0
Bluetooth: hci5: Injecting HCI hardware error event
Bluetooth: hci5: hardware error 0x00
Bluetooth: hci5: Opcode 0x0c03 failed: -110
----------------
Code disassembly (best guess), 2 bytes skipped:
0: 48 c7 c0 f4 ff ff ff mov $0xfffffffffffffff4,%rax
7: eb 92 jmp 0xffffff9b
9: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)
10: 90 nop
11: 90 nop
12: 90 nop
13: 90 nop
14: 90 nop
15: 90 nop
16: 90 nop
17: 90 nop
18: 90 nop
19: 90 nop
1a: 90 nop
1b: 90 nop
1c: 90 nop
1d: 90 nop
1e: 90 nop
1f: 90 nop
20: f3 0f 1e fa endbr64
24: 48 8b 34 24 mov (%rsp),%rsi
* 28: 65 48 8b 15 88 48 10 mov %gs:0x6104888(%rip),%rdx # 0x61048b8 <-- trapping instruction
2f: 06
30: 65 8b 05 99 48 10 06 mov %gs:0x6104899(%rip),%eax # 0x61048d0
37: a9 00 01 ff 00 test $0xff0100,%eax
3c: 74 27 je 0x65