Oops: general protection fault, probably for non-canonical address 0xdffffc001fffe000: 0000 [#1] SMP KASAN PTI
KASAN: probably user-memory-access in range [0x00000000ffff0000-0x00000000ffff0007]
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:__ref_is_percpu include/linux/percpu-refcount.h:174 [inline]
RIP: 0010:percpu_ref_get_many+0x8d/0x140 include/linux/percpu-refcount.h:204
Code: 01 48 c7 c7 00 4b 98 8b be 4b 03 00 00 48 c7 c2 40 4b 98 8b e8 24 bf 71 ff 49 bc 00 00 00 00 00 fc ff df 4c 89 f8 48 c1 e8 03 <42> 80 3c 20 00 74 08 4c 89 ff e8 e4 4d f7 ff 49 8b 07 a8 03 75 62
RSP: 0018:ffffc900000079f8 EFLAGS: 00010206
RAX: 000000001fffe000 RBX: ffffffff822bc619 RCX: 2feb229da084dd00
RDX: 0000000000000000 RSI: ffffffff8be33660 RDI: ffffffff8be33620
RBP: 0000000000000048 R08: 0000000000000000 R09: 0000000000000000
R10: dffffc0000000000 R11: fffffbfff1f47087 R12: dffffc0000000000
R13: ffff8880b863b540 R14: 0000000000000001 R15: 00000000ffff0000
FS: 0000000000000000(0000) GS:ffff888125c1b000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000110c395773 CR3: 000000000df36000 CR4: 00000000003526f0
Call Trace:
percpu_ref_get include/linux/percpu-refcount.h:222 [inline]
obj_cgroup_get include/linux/memcontrol.h:772 [inline]
refill_obj_stock+0x254/0x850 mm/memcontrol.c:3042
__memcg_slab_free_hook+0x127/0x3d0 mm/memcontrol.c:3216
memcg_slab_free_hook mm/slub.c:2242 [inline]
slab_free mm/slub.c:4677 [inline]
kfree+0x255/0x440 mm/slub.c:4879
security_cred_free+0xbf/0x1d0 security/security.c:3255
put_cred_rcu+0x6a/0x2e0 kernel/cred.c:78
rcu_do_batch kernel/rcu/tree.c:2605 [inline]
rcu_core+0xca8/0x1770 kernel/rcu/tree.c:2861
handle_softirqs+0x283/0x870 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:pv_native_safe_halt+0x13/0x20 arch/x86/kernel/paravirt.c:82
Code: 53 e7 02 00 cc cc cc 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d f3 96 0e 00 f3 0f 1e fa fb f4 cc cc cc cc cc cc cc cc cc cc cc cc 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffffff8de07d80 EFLAGS: 000002c2
RAX: 2feb229da084dd00 RBX: ffffffff819683b8 RCX: 2feb229da084dd00
RDX: 0000000000000001 RSI: ffffffff8be33660 RDI: ffffffff819683b8
RBP: ffffffff8de07eb8 R08: ffff8880b8632f9b R09: 1ffff110170c65f3
R10: dffffc0000000000 R11: ffffed10170c65f4 R12: ffffffff8fa38430
R13: 0000000000000000 R14: 0000000000000000 R15: 1ffffffff1bd2a20
arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline]
default_idle+0x13/0x20 arch/x86/kernel/process.c:757
default_idle_call+0x74/0xb0 kernel/sched/idle.c:122
cpuidle_idle_call kernel/sched/idle.c:190 [inline]
do_idle+0x1e8/0x510 kernel/sched/idle.c:330
cpu_startup_entry+0x44/0x60 kernel/sched/idle.c:428
rest_init+0x2de/0x300 init/main.c:744
start_kernel+0x3a9/0x410 init/main.c:1097
x86_64_start_reservations+0x24/0x30 arch/x86/kernel/head64.c:307
x86_64_start_kernel+0x143/0x1c0 arch/x86/kernel/head64.c:288
common_startup_64+0x13e/0x147
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__ref_is_percpu include/linux/percpu-refcount.h:174 [inline]
RIP: 0010:percpu_ref_get_many+0x8d/0x140 include/linux/percpu-refcount.h:204
Code: 01 48 c7 c7 00 4b 98 8b be 4b 03 00 00 48 c7 c2 40 4b 98 8b e8 24 bf 71 ff 49 bc 00 00 00 00 00 fc ff df 4c 89 f8 48 c1 e8 03 <42> 80 3c 20 00 74 08 4c 89 ff e8 e4 4d f7 ff 49 8b 07 a8 03 75 62
RSP: 0018:ffffc900000079f8 EFLAGS: 00010206
RAX: 000000001fffe000 RBX: ffffffff822bc619 RCX: 2feb229da084dd00
RDX: 0000000000000000 RSI: ffffffff8be33660 RDI: ffffffff8be33620
RBP: 0000000000000048 R08: 0000000000000000 R09: 0000000000000000
R10: dffffc0000000000 R11: fffffbfff1f47087 R12: dffffc0000000000
R13: ffff8880b863b540 R14: 0000000000000001 R15: 00000000ffff0000
FS: 0000000000000000(0000) GS:ffff888125c1b000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000110c395773 CR3: 000000000df36000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
# Annotated decode of the "Code:" bytes around the faulting RIP
# (percpu_ref_get_many+0x8d, with __ref_is_percpu inlined). Offsets are relative
# to the first dumped byte, not to the start of the function.
#
# NOTE(review): offsets 0x00-0x17 look mis-decoded. The dump starts one byte
# into an instruction, so the disassembler is out of sync until 0x19. Read from
# offset 1, the bytes `48 c7 c7 ..`, `be 4b 03 00 00`, `48 c7 c2 ..`, `e8 ..`
# decode as immediate loads into %rdi, %esi and %rdx followed by a call --
# presumably argument setup for a diagnostic helper; confirm against the
# vmlinux for this build. Do not draw conclusions from the `ret`/`cwtl` lines.
0: 01 48 c7 add %ecx,-0x39(%rax)
3: c7 00 4b 98 8b be movl $0xbe8b984b,(%rax)
9: 4b 03 00 rex.WXB add (%r8),%rax
c: 00 48 c7 add %cl,-0x39(%rax)
f: c2 40 4b ret $0x4b40
12: 98 cwtl
13: 8b e8 mov %eax,%ebp
15: 24 bf and $0xbf,%al
17: 71 ff jno 0x18
# Decode is back in sync from here. %r12 = 0xdffffc0000000000, the same value
# the register dump shows in R12 (and R10); this is the x86-64 KASAN shadow
# offset used by the compiler-inserted check below.
19: 49 bc 00 00 00 00 00 movabs $0xdffffc0000000000,%r12
20: fc ff df
# %r15 holds the pointer about to be dereferenced. The register dump gives
# R15 = 0x00000000ffff0000, which is not a kernel address; KASAN classifies it
# as "probably user-memory-access".
23: 4c 89 f8 mov %r15,%rax
# Shadow index = address >> 3. 0xffff0000 >> 3 = 0x1fffe000, matching RAX in
# the register dump.
26: 48 c1 e8 03 shr $0x3,%rax
# KASAN shadow-byte read at 0xdffffc0000000000 + 0x1fffe000 =
# 0xdffffc001fffe000. That address is non-canonical, so the CPU raises the
# general protection fault reported in the oops header. The fault is therefore
# in the instrumentation, before the guarded load at 0x39 executes.
* 2a: 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1) <-- trapping instruction
# Shadow byte == 0 skips the call at 0x34 and goes straight to the load.
2f: 74 08 je 0x39
31: 4c 89 ff mov %r15,%rdi
# Slow path with the checked address in %rdi -- presumably the KASAN report
# helper. The printed target is relative to this snippet, not a real address.
34: e8 e4 4d f7 ff call 0xfff74e1d
# The load the check was guarding: an 8-byte read through %r15.
39: 49 8b 07 mov (%r15),%rax
# Tests the low two bits of the loaded word. NOTE(review): in
# percpu-refcount.h these look like the atomic/dead flag bits checked by
# __ref_is_percpu -- confirm against the source for this build.
3c: a8 03 test $0x3,%al
3e: 75 62 jne 0xa2
# Triage summary: the bad input is the pointer value in %r15 (0xffff0000),
# which the call trace shows arriving via obj_cgroup_get() from
# refill_obj_stock() in the kfree() memcg free hook. Nothing here indicates a
# shadow-detected use-after-free; the question to chase is where that pointer
# value was stored, which this dump alone does not show.