general protection fault, probably for non-canonical address 0xdffffc0000000182: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000c10-0x0000000000000c17]
CPU: 0 PID: 24441 Comm: syz-executor.4 Not tainted 5.15.0-rc3-next-20210927-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__ref_is_percpu include/linux/percpu-refcount.h:174 [inline]
RIP: 0010:percpu_ref_put_many include/linux/percpu-refcount.h:319 [inline]
RIP: 0010:percpu_ref_put include/linux/percpu-refcount.h:338 [inline]
RIP: 0010:cgroup_bpf_put include/linux/cgroup.h:926 [inline]
RIP: 0010:cgroup_sk_free+0x8d/0x570 kernel/cgroup/cgroup.c:6636
Code: 25 06 00 40 84 ed 5a 0f 84 42 01 00 00 e8 6b 1f 06 00 4c 8d ab 10 0c 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 6f 04 00 00 48 8b ab 10 0c 00 00 31 ff 49 89 ec
RSP: 0018:ffffc90000007c38 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000100
RDX: 0000000000000182 RSI: ffffffff81702235 RDI: 0000000000000003
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000001
R10: ffffffff81702226 R11: 0000000000000000 R12: ffff888075e98000
R13: 0000000000000c10 R14: ffffffff8d0d1c8c R15: 0000000000000000
FS:  000055555678d400(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000557ac0d2b9b8 CR3: 000000004c2cd000 CR4: 00000000003506f0
Call Trace:
 <IRQ>
 sk_prot_free net/core/sock.c:1852 [inline]
 __sk_destruct+0x579/0x900 net/core/sock.c:1943
 sk_destruct+0xbd/0xe0 net/core/sock.c:1958
 __sk_free+0xef/0x3d0 net/core/sock.c:1969
 sk_free+0x78/0xa0 net/core/sock.c:1980
 sock_put include/net/sock.h:1804 [inline]
 nr_heartbeat_expiry+0x2e7/0x460 net/netrom/nr_timer.c:148
 call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1421
 expire_timers kernel/time/timer.c:1466 [inline]
 __run_timers.part.0+0x675/0xa20 kernel/time/timer.c:1734
 __run_timers kernel/time/timer.c:1715 [inline]
 run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1747
 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558
 invoke_softirq kernel/softirq.c:432 [inline]
 __irq_exit_rcu+0x123/0x180 kernel/softirq.c:637
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638
RIP: 0010:check_kcov_mode kernel/kcov.c:163 [inline]
RIP: 0010:__sanitizer_cov_trace_pc+0x7/0x60 kernel/kcov.c:197
Code: fd ff ff b9 ff ff ff ff ba 08 00 00 00 4d 8b 03 48 0f bd ca 49 8b 45 00 48 63 c9 e9 64 ff ff ff 0f 1f 00 65 8b 05 59 2e 8c 7e <89> c1 48 8b 34 24 81 e1 00 01 00 00 65 48 8b 14 25 40 70 02 00 a9
RSP: 0018:ffffc90004c6f7f8 EFLAGS: 00000217
RAX: 0000000080000002 RBX: 800000004cf1d007 RCX: 00fff00000000002
RDX: 0000000000000000 RSI: ffff88802dac8000 RDI: 0000000000000003
RBP: 0000000000000008 R08: ffffffffffffffff R09: 0000000000000000
R10: ffffffff81ac25c1 R11: 0000000000000000 R12: ffffea000133c740
R13: dffffc0000000000 R14: 00fff00000000002 R15: 0000000000000000
 _compound_head include/linux/page-flags.h:189 [inline]
 PageSwapBacked include/linux/page-flags.h:437 [inline]
 mm_counter_file include/linux/mm.h:2068 [inline]
 mm_counter include/linux/mm.h:2077 [inline]
 copy_present_pte mm/memory.c:959 [inline]
 copy_pte_range mm/memory.c:1073 [inline]
 copy_pmd_range mm/memory.c:1159 [inline]
 copy_pud_range mm/memory.c:1196 [inline]
 copy_p4d_range mm/memory.c:1220 [inline]
 copy_page_range+0x17d0/0x42c0 mm/memory.c:1293
 dup_mmap kernel/fork.c:610 [inline]
 dup_mm+0xa4e/0x13e0 kernel/fork.c:1504
 copy_mm kernel/fork.c:1556 [inline]
 copy_process+0x6fcf/0x7580 kernel/fork.c:2245
 kernel_clone+0xe7/0xac0 kernel/fork.c:2635
 __do_sys_clone+0xc8/0x110 kernel/fork.c:2752
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f1fadc95cfb
Code: ed 0f 85 60 01 00 00 64 4c 8b 0c 25 10 00 00 00 45 31 c0 4d 8d 91 d0 02 00 00 31 d2 31 f6 bf 11 00 20 01 b8 38 00 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 89 00 00 00 41 89 c5 85 c0 0f 85 90 00 00
RSP: 002b:00007fff51b6bda0 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1fadc95cfb
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011
RBP: 0000000000000001 R08: 0000000000000000 R09: 000055555678d400
R10: 000055555678d6d0 R11: 0000000000000246 R12: 0000000000000001
R13: 0000000000000000 R14: 0000000000000001 R15: 00007fff51b6be80
 </TASK>
Modules linked in:
---[ end trace 14c28369f86129ac ]---
RIP: 0010:__ref_is_percpu include/linux/percpu-refcount.h:174 [inline]
RIP: 0010:percpu_ref_put_many include/linux/percpu-refcount.h:319 [inline]
RIP: 0010:percpu_ref_put include/linux/percpu-refcount.h:338 [inline]
RIP: 0010:cgroup_bpf_put include/linux/cgroup.h:926 [inline]
RIP: 0010:cgroup_sk_free+0x8d/0x570 kernel/cgroup/cgroup.c:6636
Code: 25 06 00 40 84 ed 5a 0f 84 42 01 00 00 e8 6b 1f 06 00 4c 8d ab 10 0c 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 6f 04 00 00 48 8b ab 10 0c 00 00 31 ff 49 89 ec
RSP: 0018:ffffc90000007c38 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000100
RDX: 0000000000000182 RSI: ffffffff81702235 RDI: 0000000000000003
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000001
R10: ffffffff81702226 R11: 0000000000000000 R12: ffff888075e98000
R13: 0000000000000c10 R14: ffffffff8d0d1c8c R15: 0000000000000000
FS:  000055555678d400(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000557ac0d2b9b8 CR3: 000000004c2cd000 CR4: 00000000003506f0
----------------
Code disassembly (best guess):
   0:	25 06 00 40 84       	and    $0x84400006,%eax
   5:	ed                   	in     (%dx),%eax
   6:	5a                   	pop    %rdx
   7:	0f 84 42 01 00 00    	je     0x14f
   d:	e8 6b 1f 06 00       	callq  0x61f7d
  12:	4c 8d ab 10 0c 00 00 	lea    0xc10(%rbx),%r13
  19:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  20:	fc ff df
  23:	4c 89 ea             	mov    %r13,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction
  2e:	0f 85 6f 04 00 00    	jne    0x4a3
  34:	48 8b ab 10 0c 00 00 	mov    0xc10(%rbx),%rbp
  3b:	31 ff                	xor    %edi,%edi
  3d:	49 89 ec             	mov    %rbp,%r12