program:
r0 = creat(&(0x7f0000000440)='./file0\x00', 0x0) (async)
r1 = open$dir(&(0x7f0000000140)='./file0\x00', 0x0, 0x0)
ioctl$FS_IOC_FSSETXATTR(r1, 0x401c5820, &(0x7f0000000040)={0x5, 0x0, 0x0, 0x0, 0xc})
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r2=>0xffffffffffffffff, <r3=>0xffffffffffffffff})
sendmmsg$unix(r3, &(0x7f0000000e80)=[{{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4}}, {{&(0x7f0000000640)=@abs={0x1, 0x0, 0x4e24}, 0x6e, 0x0, 0x0, 0x0, 0x0, 0x4004000}}], 0x2, 0x0)
link(&(0x7f0000000200)='./file0\x00', &(0x7f0000000280)='./file1\x00')
pipe(&(0x7f0000000180))
r4 = socket$inet6_sctp(0xa, 0x5, 0x84) (async)
socketpair(0x1, 0x1, 0x0, &(0x7f0000000000)={0xffffffffffffffff, <r5=>0xffffffffffffffff})
r6 = bpf$MAP_CREATE(0x0, &(0x7f00000000c0)=@base={0x12, 0xa, 0x4, 0x2, 0x0, 0xffffffffffffffff, 0x0, '\x00', 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x48)
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f0000000180)={{r6, <r7=>0xffffffffffffffff}, &(0x7f0000000040), &(0x7f0000000140)=r5}, 0x20)
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f0000000600)={{r6}, &(0x7f0000000580)=0x2, &(0x7f00000005c0)=r5}, 0x20)
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f00000002c0)={{r7}, &(0x7f0000000240), &(0x7f0000000280)=r5}, 0x20) (async)
shutdown(r4, 0x0) (async)
getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r4, 0x84, 0x6f, &(0x7f0000000000)={<r8=>0x0, 0x1c, &(0x7f0000000100)=[@in6={0xa, 0x4e24, 0x8, @private1, 0x6}]}, &(0x7f0000000440)=0x10)
setsockopt$inet_sctp6_SCTP_CONTEXT(r4, 0x84, 0x18, &(0x7f0000000080)={r8}, 0x8)
openat$btrfs_control(0xffffffffffffff9c, &(0x7f0000000080), 0x80301, 0x0) (async)
mkdirat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000)='./cgroup.cpu/syz0\x00', 0x1ff) (async)
socket$inet6(0xa, 0x2, 0x2) (async)
mkdirat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000040)='./cgroup.net/syz0\x00', 0x1ff) (async)
r9 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_int(r9, 0x29, 0x1a, &(0x7f0000000100)=0x401, 0x4)
bind$inet6(r9, &(0x7f0000000140)={0xa, 0x4e26, 0xfffffffd, @remote, 0x24}, 0x1c) (async)
r10 = socket$inet6_tcp(0xa, 0x1, 0x0)
bind$inet6(r10, &(0x7f0000000140)={0xa, 0x4e22, 0x0, @ipv4={'\x00', '\xff\xff', @multicast1}}, 0x1c) (async)
unlinkat(r0, &(0x7f00000000c0)='\x00', 0x0)
openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000180), 0x200002, 0x0) (async)
ioctl$BTRFS_IOC_GET_SUBVOL_INFO(r4, 0x81f8943c, &(0x7f00000cd740)={<r11=>0x0, ""/256, <r12=>0x0, <r13=>0x0})
ioctl$BTRFS_IOC_GET_SUBVOL_ROOTREF(r2, 0xd000943d, &(0x7f00000cd940)={0x5, [{}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {r12}, {}, {r11}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, <r14=>0x0}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, r13}, {}, {}, {}, {}, {}, {}, {r12}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, <r15=>0x0}, {}, {}, {}, {}, {}, {}, {}, {0x0, r13}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {r12}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, r13}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, <r16=>0x0}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, <r17=>0x0}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, <r18=>0x0}], 0xff, "a0b845b928f7e9"})
ioctl$BTRFS_IOC_GET_SUBVOL_ROOTREF(r2, 0xd000943d, &(0x7f00000ce940)={0x400, [{}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, r15}, {}, {}, {0x0, r18}, {}, {}, {}, {}, {}, {}, {0x0, r17}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {0x0, r14}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {r12, r16}], 0x7, "869be2f53bfaa6"})

[   86.682175][ T5308] Bluetooth: hci0: command tx timeout
[   88.762622][ T5308] Bluetooth: hci0: command tx timeout
[   84.637596][ T4672] Bluetooth: hci0: command tx timeout
[   84.832323][ T5329] BUG: unable to handle page fault for address: ffffed1011a4a401
[   84.836684][ T5329] #PF: supervisor read access in kernel mode
[   84.839489][ T5329] #PF: error_code(0x0000) - not-present page
[   84.842244][ T5329] PGD 5ffcd067 P4D 5ffcd067 PUD 2fff7067 PMD 0 
[   84.845093][ T5329] Oops: Oops: 0000 [#1] SMP KASAN NOPTI
[   84.847439][ T5329] CPU: 0 UID: 0 PID: 5329 Comm: kworker/0:5 Not tainted 6.15.0-syzkaller-13743-g8630c59e9936 #0 PREEMPT(full) 
[   84.853819][ T5329] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   84.858632][ T5329] Workqueue: cgroup_destroy css_free_rwork_fn
[   84.862674][ T5329] RIP: 0010:css_rstat_flush+0x5ff/0x1fa0
[   84.864897][ T5329] Code: c2 bf d1 0d 01 0f 85 e6 14 00 00 e8 bb 1e 07 00 4c 03 6c 24 20 4d 8d 7d 08 4c 89 fb 48 c1 eb 03 48 b8 00 00 00 00 00 fc ff df <80> 3c 03 00 74 08 4c 89 ff e8 a3 95 6a 00 49 83 3f 00 0f 84 5d 01
[   84.873560][ T5329] RSP: 0018:ffffc9000d607780 EFLAGS: 00010802
[   84.876076][ T5329] RAX: dffffc0000000000 RBX: 1ffff11011a4a401 RCX: ffff8880007d8000
[   84.879502][ T5329] RDX: 0000000000000000 RSI: ffffffff8be28260 RDI: ffffffff8be28220
[   84.882854][ T5329] RBP: ffffc9000d6079b8 R08: ffffffff8fa113f7 R09: 1ffffffff1f4227e
[   84.886345][ T5329] R10: dffffc0000000000 R11: fffffbfff1f4227f R12: ffff88801fc42730
[   84.890484][ T5329] R13: ffff88808d252000 R14: 0000000000000000 R15: ffff88808d252008
[   84.893850][ T5329] FS:  0000000000000000(0000) GS:ffff88808d252000(0000) knlGS:0000000000000000
[   84.897561][ T5329] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   84.900752][ T5329] CR2: ffffed1011a4a401 CR3: 00000000515b6000 CR4: 0000000000352ef0
[   84.904721][ T5329] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   84.908184][ T5329] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   84.911550][ T5329] Call Trace:
[   84.912894][ T5329]  <TASK>
[   84.914274][ T5329]  ? check_path+0x21/0x40
[   84.916353][ T5329]  ? __pfx_css_rstat_flush+0x10/0x10
[   84.919021][ T5329]  ? __lock_acquire+0xab9/0xd20
[   84.921438][ T5329]  css_rstat_exit+0xa9/0x320
[   84.923556][ T5329]  ? process_scheduled_works+0x9ef/0x17b0
[   84.926082][ T5329]  ? percpu_ref_exit+0xc5/0x1c0
[   84.928159][ T5329]  css_free_rwork_fn+0x8b/0xc50
[   84.930426][ T5329]  ? process_scheduled_works+0x9ef/0x17b0
[   84.932891][ T5329]  ? process_scheduled_works+0x9ef/0x17b0
[   84.935351][ T5329]  process_scheduled_works+0xae1/0x17b0
[   84.938153][ T5329]  ? __pfx_process_scheduled_works+0x10/0x10
[   84.941815][ T5329]  worker_thread+0x8a0/0xda0
[   84.943767][ T5329]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   84.946471][ T5329]  ? __kthread_parkme+0x7b/0x200
[   84.948547][ T5329]  kthread+0x70e/0x8a0
[   84.950335][ T5329]  ? __pfx_worker_thread+0x10/0x10
[   84.952618][ T5329]  ? __pfx_kthread+0x10/0x10
[   84.954794][ T5329]  ? _raw_spin_unlock_irq+0x23/0x50
[   84.957242][ T5329]  ? lockdep_hardirqs_on+0x9c/0x150
[   84.959901][ T5329]  ? __pfx_kthread+0x10/0x10
[   84.962200][ T5329]  ret_from_fork+0x3f9/0x770
[   84.964332][ T5329]  ? __pfx_ret_from_fork+0x10/0x10
[   84.966736][ T5329]  ? __pfx_kthread+0x10/0x10
[   84.968711][ T5329]  ret_from_fork_asm+0x1a/0x30
[   84.970864][ T5329]  </TASK>
[   84.972314][ T5329] Modules linked in:
[   84.974057][ T5329] CR2: ffffed1011a4a401
[   84.976015][ T5329] ---[ end trace 0000000000000000 ]---
[   84.979545][ T5329] RIP: 0010:css_rstat_flush+0x5ff/0x1fa0
[   84.982207][ T5329] Code: c2 bf d1 0d 01 0f 85 e6 14 00 00 e8 bb 1e 07 00 4c 03 6c 24 20 4d 8d 7d 08 4c 89 fb 48 c1 eb 03 48 b8 00 00 00 00 00 fc ff df <80> 3c 03 00 74 08 4c 89 ff e8 a3 95 6a 00 49 83 3f 00 0f 84 5d 01
[   84.990624][ T5329] RSP: 0018:ffffc9000d607780 EFLAGS: 00010802
[   84.993556][ T5329] RAX: dffffc0000000000 RBX: 1ffff11011a4a401 RCX: ffff8880007d8000
[   84.997543][ T5329] RDX: 0000000000000000 RSI: ffffffff8be28260 RDI: ffffffff8be28220
[   85.001597][ T5329] RBP: ffffc9000d6079b8 R08: ffffffff8fa113f7 R09: 1ffffffff1f4227e
[   85.005494][ T5329] R10: dffffc0000000000 R11: fffffbfff1f4227f R12: ffff88801fc42730
[   85.009463][ T5329] R13: ffff88808d252000 R14: 0000000000000000 R15: ffff88808d252008
[   85.012880][ T5329] FS:  0000000000000000(0000) GS:ffff88808d252000(0000) knlGS:0000000000000000
[   85.016712][ T5329] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   85.019511][ T5329] CR2: ffffed1011a4a401 CR3: 00000000515b6000 CR4: 0000000000352ef0
[   85.022826][ T5329] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   85.026881][ T5329] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   85.030039][ T5329] Kernel panic - not syncing: Fatal exception
[   85.033591][ T5329] Kernel Offset: disabled
[   85.036015][ T5329] Rebooting in 86400 seconds..