ret_from_fork+0x45/0x60 arch/x86/kernel/process.c:153
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
---[ end trace 0000000000000000 ]---
BUG: unable to handle page fault for address: ffffffff0ea64a50
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 6c66067 P4D 6c66067 PUD 0
Oops: Oops: 0002 [#1] SMP PTI
CPU: 0 UID: 0 PID: 1053 Comm: kworker/u8:5 Tainted: G W 6.15.0-rc7-syzkaller-00112-geccf6f2f6ab9 #0 PREEMPT(full)
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Workqueue: netns cleanup_net
RIP: 0010:__pv_queued_spin_lock_slowpath+0x278/0x380 kernel/locking/qspinlock.c:288
Code: ff ff e8 1b f6 c3 fb e9 e1 fd ff ff 83 e0 03 c1 ea 12 48 c1 e0 05 48 8d a8 c0 53 49 89 8d 42 ff 48 98 48 03 2c c5 e0 4c 99 86 <4c> 89 75 00 b8 00 80 00 00 eb 13 84 c0 75 08 0f b6 55 14 84 d2 75
RSP: 0018:ffffc9000270fa88 EFLAGS: 00010087
RAX: 0000000000000388 RBX: 0000000000040000 RCX: 0000000000000001
RDX: 0000000000000389 RSI: 0000000000000000 RDI: ffff88810e252a98
RBP: ffffffff0ea64a50 R08: ffffffff81202f19 R09: ffffffff87264fd8
R10: 000000001f7d060b R11: 0000000096496c23 R12: 00000000003c00ed
R13: ffff88810e252a98 R14: ffff88813ba2c3c0 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8881b2597000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffff0ea64a50 CR3: 00000001111ca000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:572 [inline]
queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:51 [inline]
queued_spin_lock include/asm-generic/qspinlock.h:114 [inline]
do_raw_spin_lock include/linux/spinlock.h:187 [inline]
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:111 [inline]
_raw_spin_lock_irqsave+0x36/0x40 kernel/locking/spinlock.c:162
ref_tracker_free+0xab/0x330 lib/ref_tracker.c:243
netdev_tracker_free include/linux/netdevice.h:4351 [inline]
netdev_put include/linux/netdevice.h:4368 [inline]
netdev_put include/linux/netdevice.h:4364 [inline]
neigh_parms_release+0xc0/0x120 net/core/neighbour.c:1709
addrconf_ifdown.isra.0+0xb50/0xc60 net/ipv6/addrconf.c:4011
addrconf_notify+0x155/0xcc0 net/ipv6/addrconf.c:3780
notifier_call_chain+0x90/0x180 kernel/notifier.c:85
call_netdevice_notifiers_info+0x7d/0xe0 net/core/dev.c:2176
call_netdevice_notifiers_extack net/core/dev.c:2214 [inline]
call_netdevice_notifiers net/core/dev.c:2228 [inline]
unregister_netdevice_many_notify+0x7a3/0x1050 net/core/dev.c:11972
cleanup_net+0x333/0x5a0 net/core/net_namespace.c:649
process_one_work+0x26b/0x620 kernel/workqueue.c:3238
process_scheduled_works kernel/workqueue.c:3319 [inline]
worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3400
kthread+0x158/0x310 kernel/kthread.c:464
ret_from_fork+0x45/0x60 arch/x86/kernel/process.c:153
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Modules linked in:
CR2: ffffffff0ea64a50
---[ end trace 0000000000000000 ]---
RIP: 0010:__pv_queued_spin_lock_slowpath+0x278/0x380 kernel/locking/qspinlock.c:288
Code: ff ff e8 1b f6 c3 fb e9 e1 fd ff ff 83 e0 03 c1 ea 12 48 c1 e0 05 48 8d a8 c0 53 49 89 8d 42 ff 48 98 48 03 2c c5 e0 4c 99 86 <4c> 89 75 00 b8 00 80 00 00 eb 13 84 c0 75 08 0f b6 55 14 84 d2 75
RSP: 0018:ffffc9000270fa88 EFLAGS: 00010087
RAX: 0000000000000388 RBX: 0000000000040000 RCX: 0000000000000001
RDX: 0000000000000389 RSI: 0000000000000000 RDI: ffff88810e252a98
RBP: ffffffff0ea64a50 R08: ffffffff81202f19 R09: ffffffff87264fd8
R10: 000000001f7d060b R11: 0000000096496c23 R12: 00000000003c00ed
R13: ffff88810e252a98 R14: ffff88813ba2c3c0 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8881b2597000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffff0ea64a50 CR3: 00000001111ca000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1:
0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 2 bytes skipped:
   0: e8 1b f6 c3 fb          call 0xfbc3f620
   5: e9 e1 fd ff ff          jmp 0xfffffdeb
   a: 83 e0 03                and $0x3,%eax
   d: c1 ea 12                shr $0x12,%edx
  10: 48 c1 e0 05             shl $0x5,%rax
  14: 48 8d a8 c0 53 49 89    lea -0x76b6ac40(%rax),%rbp
  1b: 8d 42 ff                lea -0x1(%rdx),%eax
  1e: 48 98                   cltq
  20: 48 03 2c c5 e0 4c 99    add -0x7966b320(,%rax,8),%rbp
  27: 86
* 28: 4c 89 75 00             mov %r14,0x0(%rbp) <-- trapping instruction
  2c: b8 00 80 00 00          mov $0x8000,%eax
  31: eb 13                   jmp 0x46
  33: 84 c0                   test %al,%al
  35: 75 08                   jne 0x3f
  37: 0f b6 55 14             movzbl 0x14(%rbp),%edx
  3b: 84 d2                   test %dl,%dl
  3d: 75                      .byte 0x75