BUG: kernel NULL pointer dereference, address: 0000000000000031 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 28251067 P4D 28251067 PUD 253ca067 PMD 0 Oops: Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 1 PID: 56 Comm: kworker/1:1 Not tainted 6.10.0-rc1-syzkaller-00021-ge0cce98fe279 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 Workqueue: slub_flushwq flush_cpu_slab RIP: 0010:__put_partials+0x84/0x170 mm/slub.c:2966 Code: 7b 50 4c 89 6d 18 48 89 55 10 4d 89 7d 00 48 89 ef e8 90 b4 ff ff f0 80 48 01 02 4d 85 e4 0f 84 aa 00 00 00 48 89 df 4c 89 e5 <4d> 8b 64 24 10 48 8b 45 00 48 83 f8 ff 74 69 48 8b 45 00 48 8b 0c RSP: 0018:ffffc9000076fc80 EFLAGS: 00010246 RAX: 0000000000000002 RBX: ffff888019006300 RCX: 1ffffffff28415f8 RDX: 0000000000000000 RSI: 0000000000000021 RDI: 0000000000000000 RBP: 0000000000000021 R08: 0000000000000001 R09: fffffbfff283ee5e R10: ffffffff941f72f7 R11: 0000000000000002 R12: 0000000000000021 R13: ffff88802c13db40 R14: 0000000000000000 R15: ffffc9000076fd80 FS: 0000000000000000(0000) GS:ffff88802c100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000031 CR3: 00000000120fe000 CR4: 0000000000350ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: process_one_work+0x958/0x1ad0 kernel/workqueue.c:3231 process_scheduled_works kernel/workqueue.c:3312 [inline] worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: CR2: 0000000000000031 ---[ end trace 0000000000000000 ]--- RIP: 0010:__put_partials+0x84/0x170 mm/slub.c:2966 Code: 7b 50 4c 89 6d 18 48 89 55 10 4d 89 7d 00 48 89 ef e8 90 b4 ff ff f0 80 48 01 02 4d 85 e4 0f 84 aa 00 00 00 48 89 df 4c 89 e5 <4d> 8b 64 24 10 48 8b 45 00 48 83 f8 ff 74 69 48 8b 45 00 48 8b 0c RSP: 0018:ffffc9000076fc80 EFLAGS: 00010246 RAX: 0000000000000002 RBX: ffff888019006300 RCX: 1ffffffff28415f8 RDX: 0000000000000000 RSI: 0000000000000021 RDI: 0000000000000000 RBP: 0000000000000021 R08: 0000000000000001 R09: fffffbfff283ee5e R10: ffffffff941f72f7 R11: 0000000000000002 R12: 0000000000000021 R13: ffff88802c13db40 R14: 0000000000000000 R15: ffffc9000076fd80 FS: 0000000000000000(0000) GS:ffff88802c100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000031 CR3: 00000000120fe000 CR4: 0000000000350ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 ---------------- Code disassembly (best guess): 0: 7b 50 jnp 0x52 2: 4c 89 6d 18 mov %r13,0x18(%rbp) 6: 48 89 55 10 mov %rdx,0x10(%rbp) a: 4d 89 7d 00 mov %r15,0x0(%r13) e: 48 89 ef mov %rbp,%rdi 11: e8 90 b4 ff ff call 0xffffb4a6 16: f0 80 48 01 02 lock orb $0x2,0x1(%rax) 1b: 4d 85 e4 test %r12,%r12 1e: 0f 84 aa 00 00 00 je 0xce 24: 48 89 df mov %rbx,%rdi 27: 4c 89 e5 mov %r12,%rbp * 2a: 4d 8b 64 24 10 mov 0x10(%r12),%r12 <-- trapping instruction 2f: 48 8b 45 00 mov 0x0(%rbp),%rax 33: 48 83 f8 ff cmp $0xffffffffffffffff,%rax 37: 74 69 je 0xa2 39: 48 8b 45 00 mov 0x0(%rbp),%rax 3d: 48 rex.W 3e: 8b .byte 0x8b 3f: 0c .byte 0xc