BUG: unable to handle page fault for address: ffffed101acea401
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 17ffee067 P4D 17ffee067 PUD 7ffd3067 PMD 0 
Oops: Oops: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 6002 Comm: kworker/0:4 Not tainted 6.16.0-rc3-syzkaller-00329-gdfba48a70cb6 #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: cgroup_destroy css_free_rwork_fn
RIP: 0010:css_rstat_updated_list kernel/cgroup/rstat.c:296 [inline]
RIP: 0010:css_rstat_flush+0x372/0x23f0 kernel/cgroup/rstat.c:425
Code: 92 c3 31 ff 89 de e8 fd 2d 07 00 84 db 0f 85 01 11 00 00 e8 10 33 07 00 48 8b 44 24 08 48 83 c0 08 48 89 44 24 10 48 c1 e8 03 <42> 80 3c 38 00 0f 85 b8 15 00 00 48 8b 44 24 08 48 8b 58 08 48 85
RSP: 0018:ffffc90004a2fb18 EFLAGS: 00010802
RAX: 1ffff1101acea401 RBX: 0000000000000001 RCX: ffffffff81b4fe71
RDX: ffff8880329aa440 RSI: ffffffff81b4ed60 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffff88803a64e000
R13: ffff888053e68000 R14: 0000000000000001 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880d6752000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffed101acea401 CR3: 000000003409f000 CR4: 0000000000352ef0
DR0: 000003fffffffffe DR1: 0000000000000ddb DR2: 0000000000000006
DR3: 0000000000000006 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 css_rstat_exit+0xa2/0x470 kernel/cgroup/rstat.c:491
 css_free_rwork_fn+0x80/0x12e0 kernel/cgroup/cgroup.c:5449
 process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238
 process_scheduled_works kernel/workqueue.c:3321 [inline]
 worker_thread+0x6c8/0xf10 kernel/workqueue.c:3402
 kthread+0x3c2/0x780 kernel/kthread.c:464
 ret_from_fork+0x5d4/0x6f0 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
Modules linked in:
CR2: ffffed101acea401
---[ end trace 0000000000000000 ]---
RIP: 0010:css_rstat_updated_list kernel/cgroup/rstat.c:296 [inline]
RIP: 0010:css_rstat_flush+0x372/0x23f0 kernel/cgroup/rstat.c:425
Code: 92 c3 31 ff 89 de e8 fd 2d 07 00 84 db 0f 85 01 11 00 00 e8 10 33 07 00 48 8b 44 24 08 48 83 c0 08 48 89 44 24 10 48 c1 e8 03 <42> 80 3c 38 00 0f 85 b8 15 00 00 48 8b 44 24 08 48 8b 58 08 48 85
RSP: 0018:ffffc90004a2fb18 EFLAGS: 00010802
RAX: 1ffff1101acea401 RBX: 0000000000000001 RCX: ffffffff81b4fe71
RDX: ffff8880329aa440 RSI: ffffffff81b4ed60 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffff88803a64e000
R13: ffff888053e68000 R14: 0000000000000001 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880d6752000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffed101acea401 CR3: 000000003409f000 CR4: 0000000000352ef0
DR0: 000003fffffffffe DR1: 0000000000000ddb DR2: 0000000000000006
DR3: 0000000000000006 DR6: 00000000ffff0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	92                   	xchg   %eax,%edx
   1:	c3                   	ret
   2:	31 ff                	xor    %edi,%edi
   4:	89 de                	mov    %ebx,%esi
   6:	e8 fd 2d 07 00       	call   0x72e08
   b:	84 db                	test   %bl,%bl
   d:	0f 85 01 11 00 00    	jne    0x1114
  13:	e8 10 33 07 00       	call   0x73328
  18:	48 8b 44 24 08       	mov    0x8(%rsp),%rax
  1d:	48 83 c0 08          	add    $0x8,%rax
  21:	48 89 44 24 10       	mov    %rax,0x10(%rsp)
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	42 80 3c 38 00       	cmpb   $0x0,(%rax,%r15,1) <-- trapping instruction
  2f:	0f 85 b8 15 00 00    	jne    0x15ed
  35:	48 8b 44 24 08       	mov    0x8(%rsp),%rax
  3a:	48 8b 58 08          	mov    0x8(%rax),%rbx
  3e:	48                   	rex.W
  3f:	85                   	.byte 0x85