BUG: kernel NULL pointer dereference, address: 0000000000000005
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 80000001063aa067 P4D 80000001063aa067 PUD 0
Oops: Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 1 UID: 0 PID: 11215 Comm: syz.7.1072 Not tainted 6.14.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
RIP: 0010:vma_refcount_put include/linux/mm.h:727 [inline]
RIP: 0010:vma_end_read include/linux/mm.h:823 [inline]
RIP: 0010:lock_vma_under_rcu+0x180/0x270 mm/memory.c:6454
Code: 28 49 8b 4d 10 8b 89 20 02 00 00 39 c8 0f 84 b0 00 00 00 49 81 fd 01 f0 ff ff 0f 82 8d 00 00 00 49 83 fd f5 0f 85 a1 00 00 00 <48> 8b 1c 25 05 00 00 00 48 8b b4 24 80 00 00 00 bf bd 00 00 00 e8
RSP: 0000:ffffc90003fbfe78 EFLAGS: 00010246
RAX: 0000000000000001 RBX: 0000000000000000 RCX: ffff88810f931280
RDX: ffff8881166fc800 RSI: 0000400000ffffff RDI: ffff888114fc4cc0
RBP: 0000000000000006 R08: ffffffffffffff00 R09: 00007fea3897efff
R10: 0000000000000000 R11: ffff8881166fc80c R12: ffffc90003fbfe78
R13: ffff888114fc4c00 R14: ffffffff814b9e8f R15: 0000400000002fc0
FS: 000055556af0c500(0000) GS:ffff88813bb00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000005 CR3: 00000001164bc000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
do_user_addr_fault arch/x86/mm/fault.c:1328 [inline]
handle_page_fault arch/x86/mm/fault.c:1480 [inline]
exc_page_fault+0x153/0x6d0 arch/x86/mm/fault.c:1538
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0033:0x7fea38754ed8
Code: fc 89 37 c3 c5 fa 6f 06 c5 fa 6f 4c 16 f0 c5 fa 7f 07 c5 fa 7f 4c 17 f0 c3 66 0f 1f 84 00 00 00 00 00 48 8b 4c 16 f8 48 8b 36 <48> 89 37 48 89 4c 17 f8 c3 c5 fe 6f 54 16 e0 c5 fe 6f 5c 16 c0 c5
RSP: 002b:00007ffe607d2fa8 EFLAGS: 00010246
RAX: 0000400000002fc0 RBX: 0000000000000004 RCX: 0031313230386c6e
RDX: 0000000000000008 RSI: 0031313230386c6e RDI: 0000400000002fc0
RBP: 0000000000000000 R08: 00007fea38600000 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000009 R12: 00007fea389a5fac
R13: 00007fea389a5fa0 R14: fffffffffffffffe R15: 0000000000000006
Modules linked in:
CR2: 0000000000000005
---[ end trace 0000000000000000 ]---
RIP: 0010:vma_refcount_put include/linux/mm.h:727 [inline]
RIP: 0010:vma_end_read include/linux/mm.h:823 [inline]
RIP: 0010:lock_vma_under_rcu+0x180/0x270 mm/memory.c:6454
Code: 28 49 8b 4d 10 8b 89 20 02 00 00 39 c8 0f 84 b0 00 00 00 49 81 fd 01 f0 ff ff 0f 82 8d 00 00 00 49 83 fd f5 0f 85 a1 00 00 00 <48> 8b 1c 25 05 00 00 00 48 8b b4 24 80 00 00 00 bf bd 00 00 00 e8
RSP: 0000:ffffc90003fbfe78 EFLAGS: 00010246
RAX: 0000000000000001 RBX: 0000000000000000 RCX: ffff88810f931280
RDX: ffff8881166fc800 RSI: 0000400000ffffff RDI: ffff888114fc4cc0
RBP: 0000000000000006 R08: ffffffffffffff00 R09: 00007fea3897efff
R10: 0000000000000000 R11: ffff8881166fc80c R12: ffffc90003fbfe78
R13: ffff888114fc4c00 R14: ffffffff814b9e8f R15: 0000400000002fc0
FS: 000055556af0c500(0000) GS:ffff88813bb00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000005 CR3: 00000001164bc000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 1 bytes skipped:
0: 49 8b 4d 10 mov 0x10(%r13),%rcx
4: 8b 89 20 02 00 00 mov 0x220(%rcx),%ecx
a: 39 c8 cmp %ecx,%eax
c: 0f 84 b0 00 00 00 je 0xc2
12: 49 81 fd 01 f0 ff ff cmp $0xfffffffffffff001,%r13
19: 0f 82 8d 00 00 00 jb 0xac
1f: 49 83 fd f5 cmp $0xfffffffffffffff5,%r13
23: 0f 85 a1 00 00 00 jne 0xca
* 29: 48 8b 1c 25 05 00 00 mov 0x5,%rbx <-- trapping instruction
30: 00
31: 48 8b b4 24 80 00 00 mov 0x80(%rsp),%rsi
38: 00
39: bf bd 00 00 00 mov $0xbd,%edi
3e: e8 .byte 0xe8