BUG: kernel NULL pointer dereference, address: 00000000000000c4
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 800000010c2f9067 P4D 800000010c2f9067 PUD 0
Oops: Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 1 UID: 0 PID: 24 Comm: ksoftirqd/1 Not tainted 6.13.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
RIP: 0010:check_wait_context kernel/locking/lockdep.c:4850 [inline]
RIP: 0010:__lock_acquire+0x278/0x2570 kernel/locking/lockdep.c:5176
Code: 8b 04 73 10 48 69 c0 c8 00 00 00 48 8d 80 20 8b 4a 85 eb 16 83 3d d7 61 8f 0a 00 75 0b 90 e8 2f 0b a0 00 48 8b 3c 24 90 31 c0 <0f> b6 98 c4 00 00 00 41 8b 45 00 25 ff 1f 00 00 48 0f a3 05 80 d7
RSP: 0018:ffffc900000d3750 EFLAGS: 00010046
RAX: 0000000000000000 RBX: 0000000000080000 RCX: 0000000000000001
RDX: 0000000000000014 RSI: 0000000000000000 RDI: ffff8881012f0000
RBP: 0000000000040000 R08: 0000000000000000 R09: 0000000000000000
R10: 000000000100007f R11: ffffffff8254b590 R12: ffff8881799cd2d8
R13: ffff8881012f0b40 R14: 0000000000000001 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff888237d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000c4 CR3: 00000001057d2000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 lock_acquire+0xeb/0x270 kernel/locking/lockdep.c:5849
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0x61/0xa0 kernel/locking/spinlock.c:162
 __wake_up_common_lock kernel/sched/wait.c:105 [inline]
 __wake_up_sync_key+0x26/0xa0 kernel/sched/wait.c:173
 sock_def_readable+0xe0/0x240 net/core/sock.c:3453
 tcp_data_queue+0xf14/0x1180 net/ipv4/tcp_input.c:5310
 tcp_rcv_established+0x4e3/0x650 net/ipv4/tcp_input.c:6264
 tcp_v4_do_rcv+0xf6/0x3a0 net/ipv4/tcp_ipv4.c:1916
 tcp_v4_rcv+0xcf9/0xe60 net/ipv4/tcp_ipv4.c:2351
 ip_protocol_deliver_rcu+0x183/0x300 net/ipv4/ip_input.c:205
 ip_local_deliver_finish+0x100/0x1a0 net/ipv4/ip_input.c:233
 NF_HOOK+0x177/0x1f0 include/linux/netfilter.h:314
 NF_HOOK+0x177/0x1f0 include/linux/netfilter.h:314
 __netif_receive_skb_one_core net/core/dev.c:5672 [inline]
 __netif_receive_skb+0xa3/0x160 net/core/dev.c:5785
 process_backlog+0x287/0x550 net/core/dev.c:6117
 __napi_poll+0x28/0x1d0 net/core/dev.c:6883
 napi_poll net/core/dev.c:6952 [inline]
 net_rx_action+0x298/0x4b0 net/core/dev.c:7074
 handle_softirqs+0x13d/0x3d0 kernel/softirq.c:561
 run_ksoftirqd+0x55/0x90 kernel/softirq.c:950
 smpboot_thread_fn+0x163/0x220 kernel/smpboot.c:164
 kthread+0xea/0x100 kernel/kthread.c:389
 ret_from_fork+0x32/0x40 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Modules linked in:
CR2: 00000000000000c4
---[ end trace 0000000000000000 ]---
RIP: 0010:check_wait_context kernel/locking/lockdep.c:4850 [inline]
RIP: 0010:__lock_acquire+0x278/0x2570 kernel/locking/lockdep.c:5176
Code: 8b 04 73 10 48 69 c0 c8 00 00 00 48 8d 80 20 8b 4a 85 eb 16 83 3d d7 61 8f 0a 00 75 0b 90 e8 2f 0b a0 00 48 8b 3c 24 90 31 c0 <0f> b6 98 c4 00 00 00 41 8b 45 00 25 ff 1f 00 00 48 0f a3 05 80 d7
RSP: 0018:ffffc900000d3750 EFLAGS: 00010046
RAX: 0000000000000000 RBX: 0000000000080000 RCX: 0000000000000001
RDX: 0000000000000014 RSI: 0000000000000000 RDI: ffff8881012f0000
RBP: 0000000000040000 R08: 0000000000000000 R09: 0000000000000000
R10: 000000000100007f R11: ffffffff8254b590 R12: ffff8881799cd2d8
R13: ffff8881012f0b40 R14: 0000000000000001 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff888237d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000c4 CR3: 00000001057d2000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0: 8b 04 73                mov (%rbx,%rsi,2),%eax
   3: 10 48 69                adc %cl,0x69(%rax)
   6: c0 c8 00                ror $0x0,%al
   9: 00 00                   add %al,(%rax)
   b: 48 8d 80 20 8b 4a 85    lea -0x7ab574e0(%rax),%rax
  12: eb 16                   jmp 0x2a
  14: 83 3d d7 61 8f 0a 00    cmpl $0x0,0xa8f61d7(%rip) # 0xa8f61f2
  1b: 75 0b                   jne 0x28
  1d: 90                      nop
  1e: e8 2f 0b a0 00          call 0xa00b52
  23: 48 8b 3c 24             mov (%rsp),%rdi
  27: 90                      nop
  28: 31 c0                   xor %eax,%eax
* 2a: 0f b6 98 c4 00 00 00    movzbl 0xc4(%rax),%ebx <-- trapping instruction
  31: 41 8b 45 00             mov 0x0(%r13),%eax
  35: 25 ff 1f 00 00          and $0x1fff,%eax
  3a: 48                      rex.W
  3b: 0f                      .byte 0xf
  3c: a3                      .byte 0xa3
  3d: 05                      .byte 0x5
  3e: 80                      .byte 0x80
  3f: d7                      xlat %ds:(%rbx)