------------[ cut here ]------------
WARNING: fs/namespace.c:1434 at mntput_no_expire+0x78e/0xbe0, CPU#1: syz-executor.2/4004
Modules linked in:
CPU: 1 UID: 0 PID: 4004 Comm: syz-executor.2 Tainted: G W 6.17.0-rc4-next-20250901 #1 PREEMPT(voluntary)
Tainted: [W]=WARN
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:mntput_no_expire+0x78e/0xbe0
Code: 05 d6 30 81 04 01 e8 71 df 91 ff e9 41 fc ff ff e8 27 47 b4 ff 31 ff 44 89 ee e8 4d 42 b4 ff 45 85 ed 79 09 e8 13 47 b4 ff 90 <0f> 0b 90 e8 0a 47 b4 ff e8 b5 2d fc 02 31 ff 89 c5 89 c6 e8 2a 42
RSP: 0018:ffff88804488fa18 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 1ffff11008911f48 RCX: ffffffff81bfaf93
RDX: ffff888016cd9b80 RSI: ffffffff81bfaf9d RDI: 0000000000000005
RBP: ffff888042eac1c0 R08: 0000000000000001 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000001 R12: ffff88804488fa80
R13: 00000000ffffffff R14: ffff888042eac1c0 R15: ffff888042eac150
FS: 0000000000000000(0000) GS:ffff8880e56d8000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000000000e CR3: 000000003ee4f000 CR4: 0000000000350ef0
Call Trace:
cleanup_mnt+0x41e/0x430
task_work_run+0x172/0x280
do_exit+0x846/0x2970
do_group_exit+0xd3/0x2a0
get_signal+0x2315/0x2340
arch_do_signal_or_restart+0x80/0x790
irqentry_exit_to_user_mode+0x106/0x1c0
exc_page_fault+0xd9/0x180
asm_exc_page_fault+0x26/0x30
RIP: 0033:0xe
Code: Unable to access opcode bytes at 0xffffffffffffffe4.
RSP: 002b:00007fd7f4bc2190 EFLAGS: 00010217
RAX: 0000000000000000 RBX: 00007fd7f775ff60 RCX: 00007fd7f764cb19
RDX: 0000000000000000 RSI: 0000000000000058 RDI: 00000000200002c0
RBP: 00007fd7f76a6f6d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffeb9615a7f R14: 00007fd7f4bc2300 R15: 0000000000022000
irq event stamp: 669
hardirqs last enabled at (677): [] __up_console_sem+0x78/0x80
hardirqs last disabled at (686): [] __up_console_sem+0x5d/0x80
softirqs last enabled at (196): [] handle_softirqs+0x50c/0x770
softirqs last disabled at (169): [] __irq_exit_rcu+0xc4/0x100
---[ end trace 0000000000000000 ]---
loop1: detected capacity change from 0 to 512
EXT4-fs (loop1): warning: mounting unchecked fs, running e2fsck is recommended
EXT4-fs (loop1): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
EXT4-fs (loop1): unmounting filesystem 00000000-0000-0000-0000-000000000000.
loop1: detected capacity change from 0 to 512
EXT4-fs (loop1): warning: mounting unchecked fs, running e2fsck is recommended
EXT4-fs (loop1): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
loop7: detected capacity change from 0 to 512
kmemleak: Found object by alias at 0x607f1a63e264
CPU: 0 UID: 0 PID: 4108 Comm: syz-executor.3 Tainted: G W 6.17.0-rc4-next-20250901 #1 PREEMPT(voluntary)
Tainted: [W]=WARN
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
dump_stack_lvl+0xca/0x120
__lookup_object+0x94/0xb0
delete_object_full+0x27/0x70
free_percpu+0x30/0x1160
futex_hash_free+0x38/0xc0
mmput+0x2d3/0x390
do_exit+0x79d/0x2970
do_group_exit+0xd3/0x2a0
get_signal+0x2315/0x2340
arch_do_signal_or_restart+0x80/0x790
exit_to_user_mode_loop+0x8b/0x110
do_syscall_64+0x2f7/0x360
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f816a7f1b19
Code: Unable to access opcode bytes at 0x7f816a7f1aef.
RSP: 002b:00007f8167d67218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f816a904f68 RCX: 00007f816a7f1b19
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f816a904f68
RBP: 00007f816a904f60 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f816a904f6c
R13: 00007ffdeeee695f R14: 00007f8167d67300 R15: 0000000000022000
kmemleak: Object (percpu) 0x607f1a63e260 (size 8):
kmemleak: comm "syz-executor.2", pid 4113, jiffies 4294779254
kmemleak: min_count = 1
kmemleak: count = 0
kmemleak: flags = 0x21
kmemleak: checksum = 0
kmemleak: backtrace:
pcpu_alloc_noprof+0x87a/0x1170
alloc_vfsmnt+0x135/0x6e0
clone_mnt+0x6c/0xb70
copy_tree+0x105/0xaf0
copy_mnt_ns+0x1ab/0xab0
create_new_namespaces+0xd6/0xab0
copy_namespaces+0x45c/0x580
copy_process+0x2649/0x73c0
kernel_clone+0xea/0x7f0
__do_sys_clone3+0x1f5/0x280
do_syscall_64+0xbf/0x360
entry_SYSCALL_64_after_hwframe+0x77/0x7f
kmemleak: Cannot insert 0x607f1a63e264 into the object search tree (overlaps existing)
CPU: 0 UID: 0 PID: 4119 Comm: syz-executor.0 Tainted: G W 6.17.0-rc4-next-20250901 #1 PREEMPT(voluntary)
Tainted: [W]=WARN
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
dump_stack_lvl+0xca/0x120
__link_object+0x190/0x210
__create_object+0x48/0x80
pcpu_alloc_noprof+0x87a/0x1170
alloc_netdev_mqs+0x131/0x1360
loopback_net_init+0x38/0x180
ops_init+0x1e1/0x650
setup_net+0x10d/0x320
copy_net_ns+0x2e3/0x650
create_new_namespaces+0x3f6/0xab0
copy_namespaces+0x45c/0x580
copy_process+0x2649/0x73c0
kernel_clone+0xea/0x7f0
__do_sys_clone3+0x1f5/0x280
do_syscall_64+0xbf/0x360
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb62e2f8b19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb62b86e188 EFLAGS: 00000246 ORIG_RAX: 00000000000001b3
RAX: ffffffffffffffda RBX: 00007fb62e40bf60 RCX: 00007fb62e2f8b19
RDX: 0000000000000000 RSI: 0000000000000058 RDI: 00000000200002c0
RBP: 00007fb62e352f6d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffc7d49702f R14: 00007fb62b86e300 R15: 0000000000022000
kmemleak: Kernel memory leak detector disabled
kmemleak: Object (percpu) 0x607f1a63e260 (size 8):
kmemleak: comm "syz-executor.2", pid 4113, jiffies 4294779254
kmemleak: min_count = 1
kmemleak: count = 0
kmemleak: flags = 0x21
kmemleak: checksum = 0
kmemleak: backtrace:
pcpu_alloc_noprof+0x87a/0x1170
alloc_vfsmnt+0x135/0x6e0
clone_mnt+0x6c/0xb70
copy_tree+0x105/0xaf0
copy_mnt_ns+0x1ab/0xab0
create_new_namespaces+0xd6/0xab0
copy_namespaces+0x45c/0x580
copy_process+0x2649/0x73c0
kernel_clone+0xea/0x7f0
__do_sys_clone3+0x1f5/0x280
do_syscall_64+0xbf/0x360
entry_SYSCALL_64_after_hwframe+0x77/0x7f
------------[ cut here ]------------
WARNING: fs/namespace.c:1375 at cleanup_mnt+0x33f/0x430, CPU#1: syz-executor.2/4132
Modules linked in:
CPU: 1 UID: 0 PID: 4132 Comm: syz-executor.2 Tainted: G W 6.17.0-rc4-next-20250901 #1 PREEMPT(voluntary)
Tainted: [W]=WARN
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:cleanup_mnt+0x33f/0x430
Code: c7 20 49 d1 85 e8 41 b3 fa 02 49 8d 7d 40 5b 48 c7 c6 d0 fa be 81 5d 41 5c 41 5d 41 5e 41 5f e9 97 9a 9c ff e8 f2 3c b4 ff 90 <0f> 0b 90 e9 e6 fc ff ff e8 e4 3c b4 ff 4c 89 ef e8 6c d7 06 00 e9
RSP: 0018:ffff88804549faf8 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffffffff81bfb6a5
RDX: ffff888042f09b80 RSI: ffffffff81bfb9be RDI: 0000000000000005
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000001 R12: ffff888042f0a458
EXT4-fs (loop7): warning: mounting unchecked fs, running e2fsck is recommended
R13: ffff88801d7a4e00 R14: 0000000000000001 R15: ffff88801d7a4e40
EXT4-fs (loop7): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
FS: 0000000000000000(0000) GS:ffff8880e56d8000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000000000e CR3: 000000004588f000 CR4: 0000000000350ef0
Call Trace:
task_work_run+0x172/0x280
do_exit+0x846/0x2970
do_group_exit+0xd3/0x2a0
get_signal+0x2315/0x2340
arch_do_signal_or_restart+0x80/0x790
irqentry_exit_to_user_mode+0x106/0x1c0
exc_page_fault+0xd9/0x180
asm_exc_page_fault+0x26/0x30
RIP: 0033:0xe
Code: Unable to access opcode bytes at 0xffffffffffffffe4.
RSP: 002b:00007fd7f4bc2190 EFLAGS: 00010217
RAX: 0000000000000000 RBX: 00007fd7f775ff60 RCX: 00007fd7f764cb19
RDX: 0000000000000000 RSI: 0000000000000058 RDI: 00000000200002c0
RBP: 00007fd7f76a6f6d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffeb9615a7f R14: 00007fd7f4bc2300 R15: 0000000000022000
irq event stamp: 1673
hardirqs last enabled at (1681): [] __up_console_sem+0x78/0x80
hardirqs last disabled at (1690): [] __up_console_sem+0x5d/0x80
softirqs last enabled at (1358): [] handle_softirqs+0x50c/0x770
softirqs last disabled at (1115): [] __irq_exit_rcu+0xc4/0x100
---[ end trace 0000000000000000 ]---
EXT4-fs (loop1): unmounting filesystem 00000000-0000-0000-0000-000000000000.
EXT4-fs (loop7): unmounting filesystem 00000000-0000-0000-0000-000000000000.
loop1: detected capacity change from 0 to 512
loop7: detected capacity change from 0 to 512
EXT4-fs (loop1): warning: mounting unchecked fs, running e2fsck is recommended
EXT4-fs (loop1): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
EXT4-fs (loop7): warning: mounting unchecked fs, running e2fsck is recommended
EXT4-fs (loop7): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
EXT4-fs (loop1): unmounting filesystem 00000000-0000-0000-0000-000000000000.
EXT4-fs (loop7): unmounting filesystem 00000000-0000-0000-0000-000000000000.
loop7: detected capacity change from 0 to 512
EXT4-fs (loop7): warning: mounting unchecked fs, running e2fsck is recommended
EXT4-fs (loop7): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
EXT4-fs (loop7): unmounting filesystem 00000000-0000-0000-0000-000000000000.
Bluetooth: hci0: hardware error 0xf7
------------[ cut here ]------------
percpu ref (free_ioctx_reqs) <= 0 (0) after switching to atomic
WARNING: lib/percpu-refcount.c:197 at percpu_ref_switch_to_atomic_rcu+0x3cc/0x480, CPU#0: syz-executor.6/4226
Modules linked in:
CPU: 0 UID: 255 PID: 4226 Comm: syz-executor.6 Tainted: G W 6.17.0-rc4-next-20250901 #1 PREEMPT(voluntary)
Tainted: [W]=WARN
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:percpu_ref_switch_to_atomic_rcu+0x3cc/0x480
Code: 00 00 00 00 00 fc ff df 48 89 f9 48 c1 e9 03 80 3c 01 00 0f 85 9e 00 00 00 49 8b 75 e8 48 c7 c7 c0 99 e2 84 e8 25 ac e9 fe 90 <0f> 0b 90 90 e9 2b ff ff ff e8 56 de 5f ff e9 9e fe ff ff e8 dc de
RSP: 0018:ffff88806ce08e20 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8139de70
RDX: ffff8880420cd280 RSI: ffffffff8139de7e RDI: 0000000000000001
RBP: 8000000000000000 R08: 0000000000000001 R09: ffffed100d9c4801
R10: 0000000000000000 R11: 0000000000000001 R12: ffff888041c9bd00
R13: ffff888041c9bd20 R14: 0000000000000002 R15: 0000000000000003
FS: 0000000000000000(0000) GS:ffff8880e55d8000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6f76a6414c CR3: 000000003374f000 CR4: 0000000000350ef0
Call Trace:
rcu_core+0x7c8/0x1800
handle_softirqs+0x1b1/0x770
__irq_exit_rcu+0xc4/0x100
irq_exit_rcu+0x9/0x20
sysvec_apic_timer_interrupt+0x70/0x80
asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:arch_check_zapped_pte+0x5f/0xe0
Code: 48 8d 04 2b c7 00 f1 f1 f1 f1 c7 40 04 00 f3 f3 f3 65 48 8b 05 ca a5 4d 06 48 89 44 24 58 31 c0 48 89 74 24 20 e8 61 1c 3d 00 <48> 8d 7c 24 20 48 89 f8 48 c1 e8 03 80 3c 28 00 75 61 48 8b 6c 24
RSP: 0018:ffff88804622f5f8 EFLAGS: 00000293
RAX: 0000000000000000 RBX: 1ffff11008c45ebf RCX: dffffc0000000000
RDX: ffff8880420cd280 RSI: ffffffff8136da4f RDI: ffff88801c9ddc80
RBP: dffffc0000000000 R08: 0000000000000000 R09: fffff9400019dda8
R10: 0000000000000000 R11: 0000000000000001 R12: ffff88804622f7d0
R13: 00007f2b26da0000 R14: ffff88804622fad0 R15: 8000000033bb5007
unmap_page_range+0xdca/0x36d0
unmap_single_vma.constprop.0+0x153/0x230
unmap_vmas+0x1d6/0x430
exit_mmap+0x181/0xaa0
mmput+0xd5/0x390
do_exit+0x79d/0x2970
do_group_exit+0xd3/0x2a0
get_signal+0x2315/0x2340
arch_do_signal_or_restart+0x80/0x790
exit_to_user_mode_loop+0x8b/0x110
do_syscall_64+0x2f7/0x360
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2b2740bb19
Code: Unable to access opcode bytes at 0x7f2b2740baef.
RSP: 002b:00007f2b24981218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f2b2751ef68 RCX: 00007f2b2740bb19
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f2b2751ef68
RBP: 00007f2b2751ef60 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f2b2751ef6c
R13: 00007fff7471f30f R14: 00007f2b24981300 R15: 0000000000022000
irq event stamp: 1164
hardirqs last enabled at (1172): [] __up_console_sem+0x78/0x80
hardirqs last disabled at (1181): [] __up_console_sem+0x5d/0x80
softirqs last enabled at (318): [] handle_softirqs+0x50c/0x770
softirqs last disabled at (369): [] __irq_exit_rcu+0xc4/0x100
---[ end trace 0000000000000000 ]---
percpu_ref_switch_to_atomic_rcu: percpu_ref_switch_to_atomic_rcu(): percpu_ref underflow slab kmalloc-64 start ffff888041c9bd00 pointer offset 0 size 64
kmemleak: Automatic memory scanning thread ended
Bluetooth: hci1: Opcode 0x0c1a failed: -4
Bluetooth: hci1: Error when powering off device on rfkill (-4)
Bluetooth: hci0: Opcode 0x0c03 failed: -110
Bluetooth: hci0: hardware error 0xf7
Bluetooth: hci2: Opcode 0x0c1a failed: -4
Bluetooth: hci2: Error when powering off device on rfkill (-4)
Bluetooth: hci3: Opcode 0x0c1a failed: -4
Bluetooth: hci3: Error when powering off device on rfkill (-4)
Bluetooth: hci4: Opcode 0x0c1a failed: -4
Bluetooth: hci4: Error when powering off device on rfkill (-4)
Bluetooth: hci5: Opcode 0x0c1a failed: -4
Bluetooth: hci5: Error when powering off device on rfkill (-4)
Bluetooth: hci6: Opcode 0x0c1a failed: -4
Bluetooth: hci6: Error when powering off device on rfkill (-4)
Bluetooth: hci7: Opcode 0x0c1a failed: -4
Bluetooth: hci7: Error when powering off device on rfkill (-4)
----------------
Code disassembly (best guess):
0: 48 8d 04 2b lea (%rbx,%rbp,1),%rax
4: c7 00 f1 f1 f1 f1 movl $0xf1f1f1f1,(%rax)
a: c7 40 04 00 f3 f3 f3 movl $0xf3f3f300,0x4(%rax)
11: 65 48 8b 05 ca a5 4d mov %gs:0x64da5ca(%rip),%rax # 0x64da5e3
18: 06
19: 48 89 44 24 58 mov %rax,0x58(%rsp)
1e: 31 c0 xor %eax,%eax
20: 48 89 74 24 20 mov %rsi,0x20(%rsp)
25: e8 61 1c 3d 00 callq 0x3d1c8b
* 2a: 48 8d 7c 24 20 lea 0x20(%rsp),%rdi <-- trapping instruction
2f: 48 89 f8 mov %rdi,%rax
32: 48 c1 e8 03 shr $0x3,%rax
36: 80 3c 28 00 cmpb $0x0,(%rax,%rbp,1)
3a: 75 61 jne 0x9d
3c: 48 rex.W
3d: 8b .byte 0x8b
3e: 6c insb (%dx),%es:(%rdi)
3f: 24 .byte 0x24