syzbot


general protection fault in wakeup_preempt_fair

Status: moderation: reported on 2026/05/10 07:16
Subsystems: kernel
Reported-by: syzbot+b842ba1b8351a6cec3b2@syzkaller.appspotmail.com
First crash: 5d10h, last: 4d16h

Sample crash report:
Oops: general protection fault, probably for non-canonical address 0xdffffc000000000b: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000058-0x000000000000005f]
CPU: 2 UID: 0 PID: 701 Comm: syz.7.6804 Tainted: G             L      syzkaller #0 PREEMPT(full) 
Tainted: [L]=SOFTLOCKUP
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:pick_next_entity kernel/sched/fair.c:5757 [inline]
RIP: 0010:wakeup_preempt_fair+0x60a/0xfd0 kernel/sched/fair.c:9141
Code: 0f 85 02 02 00 00 44 89 ee 4c 89 f7 4c 89 04 24 e8 9b 00 fd ff 4c 8b 04 24 48 8d 78 59 48 89 fa 48 89 fe 48 c1 ea 03 83 e6 07 <42> 0f b6 14 22 40 38 f2 7f 08 84 d2 0f 85 53 09 00 00 80 78 59 00
RSP: 0000:ffffc90006f3f078 EFLAGS: 00010002
RAX: 0000000000000000 RBX: ffff88802918a580 RCX: 1ffff110052314bb
RDX: 000000000000000b RSI: 0000000000000001 RDI: 0000000000000059
RBP: ffff88801c7ca580 R08: ffff88802918a630 R09: 0000000000000000
R10: ffff88802918a507 R11: 0000000000000002 R12: dffffc0000000000
R13: 0000000000000000 R14: ffff8880255f2000 R15: ffff88802b43b380
FS:  0000000000000000(0000) GS:ffff88809737d000(0063) knlGS:00000000f5466b40
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000059b97000 CR4: 0000000000352ef0
Call Trace:
 <TASK>
 wakeup_preempt+0x1a3/0x400 kernel/sched/core.c:2248
 attach_task kernel/sched/sched.h:3035 [inline]
 attach_tasks kernel/sched/fair.c:10026 [inline]
 sched_balance_rq+0x15cd/0x36d0 kernel/sched/fair.c:12164
 sched_balance_newidle kernel/sched/fair.c:13239 [inline]
 pick_next_task_fair+0x773/0x2470 kernel/sched/fair.c:9267
 __pick_next_task+0xea/0x6c0 kernel/sched/core.c:6019
 pick_next_task kernel/sched/core.c:6126 [inline]
 __schedule+0x5b7/0x6820 kernel/sched/core.c:7105
 __schedule_loop kernel/sched/core.c:7268 [inline]
 schedule+0xdd/0x390 kernel/sched/core.c:7283
 schedule_timeout+0x1b2/0x280 kernel/time/sleep_timeout.c:75
 unix_wait_for_peer+0x268/0x2a0 net/unix/af_unix.c:1622
 unix_dgram_sendmsg+0x1696/0x1810 net/unix/af_unix.c:2261
 sock_sendmsg_nosec net/socket.c:787 [inline]
 __sock_sendmsg net/socket.c:802 [inline]
 ____sys_sendmsg+0x9e1/0xb70 net/socket.c:2698
 ___sys_sendmsg+0x190/0x1e0 net/socket.c:2752
 __sys_sendmmsg+0x2ff/0x430 net/socket.c:2834
 __compat_sys_sendmmsg net/compat.c:360 [inline]
 __do_compat_sys_sendmmsg net/compat.c:367 [inline]
 __se_compat_sys_sendmmsg net/compat.c:364 [inline]
 __ia32_compat_sys_sendmmsg+0x9d/0x100 net/compat.c:364
 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
 __do_fast_syscall_32+0xe7/0x950 arch/x86/entry/syscall_32.c:307
 do_fast_syscall_32+0x32/0x70 arch/x86/entry/syscall_32.c:332
 entry_SYSENTER_compat_after_hwframe+0x84/0x8e
RIP: 0023:0xf7fa7fcc
Code: d2 74 05 c1 e8 0c 89 02 8b 5d fc 31 c0 c9 c3 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 2e 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00 58 b8
RSP: 002b:00000000f546650c EFLAGS: 00000292 ORIG_RAX: 0000000000000159
RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00000000800bd000
RDX: 000000000000008f RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:pick_next_entity kernel/sched/fair.c:5757 [inline]
RIP: 0010:wakeup_preempt_fair+0x60a/0xfd0 kernel/sched/fair.c:9141
Code: 0f 85 02 02 00 00 44 89 ee 4c 89 f7 4c 89 04 24 e8 9b 00 fd ff 4c 8b 04 24 48 8d 78 59 48 89 fa 48 89 fe 48 c1 ea 03 83 e6 07 <42> 0f b6 14 22 40 38 f2 7f 08 84 d2 0f 85 53 09 00 00 80 78 59 00
RSP: 0000:ffffc90006f3f078 EFLAGS: 00010002
RAX: 0000000000000000 RBX: ffff88802918a580 RCX: 1ffff110052314bb
RDX: 000000000000000b RSI: 0000000000000001 RDI: 0000000000000059
RBP: ffff88801c7ca580 R08: ffff88802918a630 R09: 0000000000000000
R10: ffff88802918a507 R11: 0000000000000002 R12: dffffc0000000000
R13: 0000000000000000 R14: ffff8880255f2000 R15: ffff88802b43b380
FS:  0000000000000000(0000) GS:ffff88809737d000(0063) knlGS:00000000f5466b40
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000059b97000 CR4: 0000000000352ef0
----------------
Code disassembly (best guess):
   0:	0f 85 02 02 00 00    	jne    0x208
   6:	44 89 ee             	mov    %r13d,%esi
   9:	4c 89 f7             	mov    %r14,%rdi
   c:	4c 89 04 24          	mov    %r8,(%rsp)
  10:	e8 9b 00 fd ff       	call   0xfffd00b0
  15:	4c 8b 04 24          	mov    (%rsp),%r8
  19:	48 8d 78 59          	lea    0x59(%rax),%rdi
  1d:	48 89 fa             	mov    %rdi,%rdx
  20:	48 89 fe             	mov    %rdi,%rsi
  23:	48 c1 ea 03          	shr    $0x3,%rdx
  27:	83 e6 07             	and    $0x7,%esi
* 2a:	42 0f b6 14 22       	movzbl (%rdx,%r12,1),%edx <-- trapping instruction
  2f:	40 38 f2             	cmp    %sil,%dl
  32:	7f 08                	jg     0x3c
  34:	84 d2                	test   %dl,%dl
  36:	0f 85 53 09 00 00    	jne    0x98f
  3c:	80 78 59 00          	cmpb   $0x0,0x59(%rax)

Crashes (3):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2026/05/07 00:48 | upstream | adc1e5c6203c | f250db59 | .config | console log | report | | | info | disk image (non-bootable), vmlinux, kernel image | ci-qemu-upstream-386 | general protection fault in wakeup_preempt_fair
2026/05/06 22:00 | upstream | adc1e5c6203c | f250db59 | .config | console log | report | | | info | disk image (non-bootable), vmlinux, kernel image | ci-qemu-upstream-386 | general protection fault in wakeup_preempt_fair
2026/05/06 07:06 | upstream | 9207d47f966b | 26da2c66 | .config | console log | report | | | info | disk image (non-bootable), vmlinux, kernel image | ci-qemu-upstream-386 | general protection fault in wakeup_preempt_fair