BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0 
Oops: Oops: 0000 [#1] SMP PTI
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.16.0-rc1-syzkaller #0 PREEMPT(undef) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:pidfs_free_pid+0x1c/0x60 fs/pidfs.c:162
Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 41 56 53 48 8b 5f 70 48 c7 47 70 00 00 00 00 48 81 fb 00 f0 ff ff 77 33 <4c> 8b 33 4d 85 f6 74 1b 4c 89 f7 31 f6 e8 12 1e fe ff 49 81 fe 00
RSP: 0018:ffffc90000003ee8 EFLAGS: 00010207
RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0df5d3885faa6b00
RDX: 8d1561c308730288 RSI: ffffffff8251e8eb RDI: ffff888101b68780
RBP: 0000000000000075 R08: 0000000000000000 R09: 00000000000000d3
R10: 0000000000000000 R11: ffffffff812d8ee0 R12: ffffffff81368571
R13: ffffffff82624880 R14: ffff88810339a000 R15: ffffffff812d8ee0
FS:  0000000000000000(0000) GS:ffff8882b4c3d000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000102280000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 put_pid kernel/pid.c:103 [inline]
 delayed_put_pid+0x3c/0x70 kernel/pid.c:113
 rcu_do_batch kernel/rcu/tree.c:2576 [inline]
 rcu_core+0x3f0/0x8b0 kernel/rcu/tree.c:2832
 handle_softirqs+0xf2/0x2f0 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu+0x48/0x110 kernel/softirq.c:680
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
 sysvec_apic_timer_interrupt+0x92/0xb0 arch/x86/kernel/apic/apic.c:1050
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:pv_native_safe_halt+0x13/0x20 arch/x86/kernel/paravirt.c:82
Code: 93 0b 01 00 cc cc cc 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d 29 4f 0b 00 f3 0f 1e fa fb f4 <c3> cc cc cc cc cc cc cc cc cc cc cc cc 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffffff82603e90 EFLAGS: 000002c6
RAX: 0df5d3885faa6b00 RBX: 0000000000000000 RCX: 0df5d3885faa6b00
RDX: 00000000ffffa2df RSI: ffffffff82462126 RDI: ffffffff82520cb4
RBP: ffffffff82603ea8 R08: 0000000000080000 R09: 000000000000006f
R10: 0000000000000000 R11: ffffffff8125aad0 R12: 0000000000000000
R13: ffffffff82624880 R14: 0000000000000000 R15: 0000000000000000
 arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline]
 default_idle+0x13/0x20 arch/x86/kernel/process.c:749
 default_idle_call+0x3d/0x70 kernel/sched/idle.c:117
 cpuidle_idle_call kernel/sched/idle.c:185 [inline]
 do_idle+0xd7/0x240 kernel/sched/idle.c:325
 cpu_startup_entry+0x25/0x30 kernel/sched/idle.c:423
 rest_init+0xca/0xd0 init/main.c:744
 start_kernel+0x2f5/0x310 init/main.c:1101
 x86_64_start_reservations+0x24/0x30 arch/x86/kernel/head64.c:307
 x86_64_start_kernel+0xfc/0x100 arch/x86/kernel/head64.c:288
 common_startup_64+0x13e/0x147
 </TASK>
Modules linked in:
CR2: 0000000000000000
---[ end trace 0000000000000000 ]---
RIP: 0010:pidfs_free_pid+0x1c/0x60 fs/pidfs.c:162
Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 41 56 53 48 8b 5f 70 48 c7 47 70 00 00 00 00 48 81 fb 00 f0 ff ff 77 33 <4c> 8b 33 4d 85 f6 74 1b 4c 89 f7 31 f6 e8 12 1e fe ff 49 81 fe 00
RSP: 0018:ffffc90000003ee8 EFLAGS: 00010207
RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0df5d3885faa6b00
RDX: 8d1561c308730288 RSI: ffffffff8251e8eb RDI: ffff888101b68780
RBP: 0000000000000075 R08: 0000000000000000 R09: 00000000000000d3
R10: 0000000000000000 R11: ffffffff812d8ee0 R12: ffffffff81368571
R13: ffffffff82624880 R14: ffff88810339a000 R15: ffffffff812d8ee0
FS:  0000000000000000(0000) GS:ffff8882b4c3d000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000102280000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	90                   	nop
   1:	90                   	nop
   2:	90                   	nop
   3:	90                   	nop
   4:	90                   	nop
   5:	90                   	nop
   6:	90                   	nop
   7:	90                   	nop
   8:	90                   	nop
   9:	90                   	nop
   a:	90                   	nop
   b:	90                   	nop
   c:	90                   	nop
   d:	90                   	nop
   e:	66 0f 1f 00          	nopw   (%rax)
  12:	41 56                	push   %r14
  14:	53                   	push   %rbx
  15:	48 8b 5f 70          	mov    0x70(%rdi),%rbx
  19:	48 c7 47 70 00 00 00 	movq   $0x0,0x70(%rdi)
  20:	00
  21:	48 81 fb 00 f0 ff ff 	cmp    $0xfffffffffffff000,%rbx
  28:	77 33                	ja     0x5d
* 2a:	4c 8b 33             	mov    (%rbx),%r14 <-- trapping instruction
  2d:	4d 85 f6             	test   %r14,%r14
  30:	74 1b                	je     0x4d
  32:	4c 89 f7             	mov    %r14,%rdi
  35:	31 f6                	xor    %esi,%esi
  37:	e8 12 1e fe ff       	call   0xfffe1e4e
  3c:	49                   	rex.WB
  3d:	81                   	.byte 0x81
  3e:	fe 00                	incb   (%rax)