program:
bpf$PROG_LOAD_XDP(0x5, &(0x7f00000000c0)={0x12, 0x1f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0xf, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x90) (async, rerun: 32)
mkdirat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000)='./cgroup.cpu/syz0\x00', 0x1ff) (async, rerun: 32)
r0 = socket$igmp(0x2, 0x3, 0x2)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r0, 0x8933, &(0x7f00000000c0)={'batadv_slave_1\x00', <r1=>0x0}) (async, rerun: 32)
r2 = syz_usb_connect$printer(0x2, 0x2d, &(0x7f0000000200)=ANY=[@ANYBLOB="12017f00000001000000202505a8a44000030d030109021b000101ff2008090400fd0107000b00"/48], 0x0) (rerun: 32)
syz_usb_control_io$printer(r2, &(0x7f0000001100)={0x14, 0x0, &(0x7f0000000300)={0x0, 0x3, 0x2, @string={0x2}}}, 0x0)
syz_usb_control_io(r2, &(0x7f0000000180)={0x2c, 0x0, &(0x7f0000001480)=ANY=[@ANYBLOB="0003840000000403"], 0x0, 0x0, 0x0}, 0x0) (async)
syz_usb_control_io(r2, 0x0, 0x0)
syz_usb_ep_read(r2, 0x1, 0xde, &(0x7f0000007680)=""/222)
syz_usb_disconnect(r2)
r3 = syz_open_dev$char_usb(0xc, 0xb4, 0x0)
write$char_usb(r3, &(0x7f0000001680)="f31552c51ef8205abfa9f8ff810b310cabf01c94d4ce91d436423cf90c15d97c1217cc21e800e1a7c1ffe6b70eb4e86ad3d217ad07e656cdbdf756ca5078b27a12acf51c89b2f433714da7b7730ef423c41b606e3950b835b2570cb99bb73bbde81d707b6f54db5ffc8c9d48b02d7139870a9e448f6bc6e127fb10e21aa5b612877a37d640837671a1eae432a8e0f27b6b91cddaf37393fb137f5d7d273021b665437d5c3b2045eb8e4331c73ec23074e7f8b7003facda15776d26a82181eba32e0c9978c5cece1f710f880627626fe07a8309c265d5f1c98058123845e80f", 0xdf) (async)
ioctl$sock_inet6_SIOCSIFADDR(0xffffffffffffffff, 0x8936, &(0x7f0000000000)={@dev, 0x78, r1}) (async)
r4 = openat$fb0(0xffffffffffffff9c, &(0x7f0000000340), 0x0, 0x0)
ioctl$FBIOPUT_VSCREENINFO(r4, 0x4601, &(0x7f0000000940)={0x20, 0x124, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, {0x0, 0x7}, {}, {0x0, 0x2}, {0x0, 0xfffffffc}, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffc, 0x0, 0x1})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000040)={'vcan0\x00'})
r5 = socket(0xa, 0x1, 0x0)
ioctl(r5, 0x8916, &(0x7f0000000000))
ioctl(r5, 0x8936, &(0x7f0000000000)) (async, rerun: 32)
r6 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000), 0x200002, 0x0) (rerun: 32)
openat$cgroup_int(r6, &(0x7f0000000080)='hugetlb.2MB.rsvd.failcnt\x00', 0x2, 0x0) (async)
sendfile(r3, r3, 0x0, 0x0) (async)
r7 = socket$nl_route(0x10, 0x3, 0x0) (async)
r8 = socket(0x1, 0x803, 0x0)
getsockname$packet(r8, &(0x7f0000000100)={0x11, 0x0, <r9=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f00000001c0)=0x14)
socketpair$unix(0x1, 0x5, 0x0, 0x0) (async, rerun: 32)
sendmsg$nl_route(r7, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000002c0)=ANY=[@ANYBLOB="740000001000030400"/20, @ANYRES32=0x0, @ANYBLOB="46060900000000004400128009000100766c616e00000000340002800c0002001f0000001f00000006000100010000001c0003800c00010005000000000000000c000100c5000083941987836663be00", @ANYRES32=r9, @ANYBLOB='\b\x00\n\x00', @ANYRES32=r9, @ANYBLOB], 0x74}, 0x1, 0x0, 0x0, 0x600}, 0x0) (rerun: 32)

[   88.023815][ T5334] syz.0.0 (5334) used greatest stack depth: 15[   85.166755][ T4678] Bluetooth: hci0: command tx timeout
[   85.300129][  T793] BUG: unable to handle page fault for address: ffffed1011a4a201
[   85.303535][  T793] #PF: supervisor read access in kernel mode
[   85.305979][  T793] #PF: error_code(0x0000) - not-present page
[   85.308565][  T793] PGD 5ffcd067 P4D 5ffcd067 PUD 2fff7067 PMD 0 
[   85.311140][  T793] Oops: Oops: 0000 [#1] SMP KASAN NOPTI
[   85.313567][  T793] CPU: 0 UID: 0 PID: 793 Comm: kworker/0:2 Not tainted 6.16.0-rc2-syzkaller-00047-g52da431bf03b #0 PREEMPT(full) 
[   85.318743][  T793] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   85.323223][  T793] Workqueue: cgroup_destroy css_free_rwork_fn
[   85.326117][  T793] RIP: 0010:css_rstat_flush+0x5ff/0x1fa0
[   85.328795][  T793] Code: b4 be d1 0d 01 0f 85 e6 14 00 00 e8 bb 1e 07 00 4c 03 6c 24 20 4d 8d 7d 08 4c 89 fb 48 c1 eb 03 48 b8 00 00 00 00 00 fc ff df <80> 3c 03 00 74 08 4c 89 ff e8 b3 9c 6a 00 49 83 3f 00 0f 84 5d 01
[   85.337447][  T793] RSP: 0018:ffffc90001a6f780 EFLAGS: 00010802
[   85.340216][  T793] RAX: dffffc0000000000 RBX: 1ffff11011a4a201 RCX: ffff888000b58000
[   85.343816][  T793] RDX: 0000000000000000 RSI: ffffffff8be28b60 RDI: ffffffff8be28b20
[   85.347585][  T793] RBP: ffffc90001a6f9b8 R08: ffffffff8fa10df7 R09: 1ffffffff1f421be
[   85.351132][  T793] R10: dffffc0000000000 R11: fffffbfff1f421bf R12: ffff88801fc43078
[   85.354282][  T793] R13: ffff88808d251000 R14: 0000000000000000 R15: ffff88808d251008
[   85.357294][  T793] FS:  0000000000000000(0000) GS:ffff88808d251000(0000) knlGS:0000000000000000
[   85.361305][  T793] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   85.364064][  T793] CR2: ffffed1011a4a201 CR3: 000000000df38000 CR4: 0000000000352ef0
[   85.367404][  T793] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   85.370758][  T793] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   85.374033][  T793] Call Trace:
[   85.375473][  T793]  <TASK>
[   85.376693][  T793]  ? check_path+0x21/0x40
[   85.378631][  T793]  ? __pfx_css_rstat_flush+0x10/0x10
[   85.381198][  T793]  ? __lock_acquire+0xab9/0xd20
[   85.383390][  T793]  css_rstat_exit+0xa9/0x320
[   85.385628][  T793]  ? process_scheduled_works+0x9ef/0x17b0
[   85.388130][  T793]  ? percpu_ref_exit+0xc5/0x1c0
[   85.390244][  T793]  css_free_rwork_fn+0x8b/0xc50
[   85.392397][  T793]  ? process_scheduled_works+0x9ef/0x17b0
[   85.394298][  T793]  ? process_scheduled_works+0x9ef/0x17b0
[   85.396667][  T793]  process_scheduled_works+0xae1/0x17b0
[   85.399097][  T793]  ? __pfx_process_scheduled_works+0x10/0x10
[   85.401578][  T793]  worker_thread+0x8a0/0xda0
[   85.403369][  T793]  kthread+0x70e/0x8a0
[   85.405008][  T793]  ? __pfx_worker_thread+0x10/0x10
[   85.407052][  T793]  ? __pfx_kthread+0x10/0x10
[   85.408832][  T793]  ? _raw_spin_unlock_irq+0x23/0x50
[   85.411365][  T793]  ? lockdep_hardirqs_on+0x9c/0x150
[   85.413897][  T793]  ? __pfx_kthread+0x10/0x10
[   85.416288][  T793]  ret_from_fork+0x3f9/0x770
[   85.418362][  T793]  ? __pfx_ret_from_fork+0x10/0x10
[   85.420352][  T793]  ? __pfx_kthread+0x10/0x10
[   85.422491][  T793]  ret_from_fork_asm+0x1a/0x30
[   85.424623][  T793]  </TASK>
[   85.426086][  T793] Modules linked in:
[   85.427756][  T793] CR2: ffffed1011a4a201
[   85.429497][  T793] ---[ end trace 0000000000000000 ]---
[   85.431703][  T793] RIP: 0010:css_rstat_flush+0x5ff/0x1fa0
[   85.433969][  T793] Code: b4 be d1 0d 01 0f 85 e6 14 00 00 e8 bb 1e 07 00 4c 03 6c 24 20 4d 8d 7d 08 4c 89 fb 48 c1 eb 03 48 b8 00 00 00 00 00 fc ff df <80> 3c 03 00 74 08 4c 89 ff e8 b3 9c 6a 00 49 83 3f 00 0f 84 5d 01
[   85.441498][  T793] RSP: 0018:ffffc90001a6f780 EFLAGS: 00010802
[   85.443904][  T793] RAX: dffffc0000000000 RBX: 1ffff11011a4a201 RCX: ffff888000b58000
[   85.447276][  T793] RDX: 0000000000000000 RSI: ffffffff8be28b60 RDI: ffffffff8be28b20
[   85.450638][  T793] RBP: ffffc90001a6f9b8 R08: ffffffff8fa10df7 R09: 1ffffffff1f421be
[   85.454057][  T793] R10: dffffc0000000000 R11: fffffbfff1f421bf R12: ffff88801fc43078
[   85.457639][  T793] R13: ffff88808d251000 R14: 0000000000000000 R15: ffff88808d251008
[   85.461333][  T793] FS:  0000000000000000(0000) GS:ffff88808d251000(0000) knlGS:0000000000000000
[   85.465319][  T793] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   85.468262][  T793] CR2: ffffed1011a4a201 CR3: 000000000df38000 CR4: 0000000000352ef0
[   85.471719][  T793] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   85.475391][  T793] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   85.479017][  T793] Kernel panic - not syncing: Fatal exception
[   85.482159][  T793] Kernel Offset: disabled
[   85.484443][  T793] Rebooting in 86400 seconds..