Hello, syzbot found the following issue on: HEAD commit: d4439a1189f9 Merge tag 'hsi-for-5.16' of git://git.kernel... git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=1656d30ab00000 kernel config: https://syzkaller.appspot.com/x/.config?x=ff3ea6b218615239 dashboard link: https://syzkaller.appspot.com/bug?extid=50f5cf33a284ce738b62 compiler: Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.2 Unfortunately, I don't have any reproducer for this issue yet. IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+50f5cf33a284ce738b62@xxxxxxxxxxxxxxxxxxxxxxxxx general protection fault, probably for non-canonical address 0xdffffc0000000008: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000040-0x0000000000000047] CPU: 1 PID: 11182 Comm: syz-executor.1 Not tainted 5.15.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:cgroup_file_write+0xbe/0x790 kernel/cgroup/cgroup.c:3831 Code: 81 c3 88 08 00 00 48 89 d8 48 c1 e8 03 42 80 3c 38 00 74 08 48 89 df e8 c0 5c 52 00 48 8b 1b 48 83 c3 40 48 89 d8 48 c1 e8 03 <42> 80 3c 38 00 74 08 48 89 df e8 a3 5c 52 00 48 8b 03 48 89 44 24 RSP: 0018:ffffc9000a79f2a0 EFLAGS: 00010202 RAX: 0000000000000008 RBX: 0000000000000040 RCX: ffff888074320000 RDX: 0000000000000000 RSI: ffff88801d008980 RDI: ffff88806b48ac00 RBP: ffffc9000a79f390 R08: ffffffff8207dab3 R09: fffffbfff1fedffb R10: fffffbfff1fedffb R11: 0000000000000000 R12: 1ffff920014f3e5c R13: ffff88806b48ac00 R14: ffff88806b48ac00 R15: dffffc0000000000 FS: 0000000000000000(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fe6fd24a1b8 CR3: 000000002c740000 CR4: 00000000003526e0 Call Trace: <TASK> kernfs_fop_write_iter+0x3b6/0x510 fs/kernfs/file.c:296 __kernel_write+0x5d1/0xaf0 fs/read_write.c:535 do_acct_process+0x112a/0x17b0 kernel/acct.c:518 acct_pin_kill+0x27/0x130 kernel/acct.c:173 pin_kill+0x2a6/0x940 fs/fs_pin.c:44 mnt_pin_kill+0xc1/0x170 fs/fs_pin.c:81 cleanup_mnt+0x4bc/0x510 fs/namespace.c:1130 task_work_run+0x146/0x1c0 kernel/task_work.c:164 exit_task_work include/linux/task_work.h:32 [inline] do_exit+0x705/0x24f0 kernel/exit.c:832 do_group_exit+0x168/0x2d0 kernel/exit.c:929 get_signal+0x16b0/0x2090 kernel/signal.c:2820 arch_do_signal_or_restart+0x9c/0x730 arch/x86/kernel/signal.c:868 handle_signal_work kernel/entry/common.c:148 [inline] exit_to_user_mode_loop kernel/entry/common.c:172 [inline] exit_to_user_mode_prepare+0x191/0x220 kernel/entry/common.c:207 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline] syscall_exit_to_user_mode+0x2e/0x70 kernel/entry/common.c:300 do_syscall_64+0x53/0xd0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f0054d5fae9 Code: Unable to access opcode bytes at RIP 0x7f0054d5fabf. RSP: 002b:00007f00522d5218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca RAX: fffffffffffffe00 RBX: 00007f0054e72f68 RCX: 00007f0054d5fae9 RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f0054e72f68 RBP: 00007f0054e72f60 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0054e72f6c R13: 00007ffd99a378af R14: 00007f00522d5300 R15: 0000000000022000 </TASK> Modules linked in: ---[ end trace 54fd0e4a1cf7068c ]--- RIP: 0010:cgroup_file_write+0xbe/0x790 kernel/cgroup/cgroup.c:3831 Code: 81 c3 88 08 00 00 48 89 d8 48 c1 e8 03 42 80 3c 38 00 74 08 48 89 df e8 c0 5c 52 00 48 8b 1b 48 83 c3 40 48 89 d8 48 c1 e8 03 <42> 80 3c 38 00 74 08 48 89 df e8 a3 5c 52 00 48 8b 03 48 89 44 24 RSP: 0018:ffffc9000a79f2a0 EFLAGS: 00010202 RAX: 0000000000000008 RBX: 0000000000000040 RCX: ffff888074320000 RDX: 0000000000000000 RSI: ffff88801d008980 RDI: ffff88806b48ac00 RBP: ffffc9000a79f390 R08: ffffffff8207dab3 R09: fffffbfff1fedffb R10: fffffbfff1fedffb R11: 0000000000000000 R12: 1ffff920014f3e5c R13: ffff88806b48ac00 R14: ffff88806b48ac00 R15: dffffc0000000000 FS: 0000000000000000(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fe6fd24a1b8 CR3: 000000000c88e000 CR4: 00000000003526e0 ---------------- Code disassembly (best guess): 0: 81 c3 88 08 00 00 add $0x888,%ebx 6: 48 89 d8 mov %rbx,%rax 9: 48 c1 e8 03 shr $0x3,%rax d: 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1) 12: 74 08 je 0x1c 14: 48 89 df mov %rbx,%rdi 17: e8 c0 5c 52 00 callq 0x525cdc 1c: 48 8b 1b mov (%rbx),%rbx 1f: 48 83 c3 40 add $0x40,%rbx 23: 48 89 d8 mov %rbx,%rax 26: 48 c1 e8 03 shr $0x3,%rax * 2a: 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1) <-- trapping instruction 2f: 74 08 je 0x39 31: 48 89 df mov %rbx,%rdi 34: e8 a3 5c 52 00 callq 0x525cdc 39: 48 8b 03 mov (%rbx),%rax 3c: 48 rex.W 3d: 89 .byte 0x89 3e: 44 rex.R 3f: 24 .byte 0x24 --- This report is generated by a bot. It may contain errors. See https://goo.gl/tpsmEJ for more information about syzbot. syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxx. syzbot will keep track of this issue. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot.