Bug ID 1195706
Summary Oops in audit starting with 5.16 due to new openat2 auditing
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware All
OS openSUSE Tumbleweed
Status NEW
Severity Major
Priority P5 - None
Component Kernel
Assignee kernel-bugs@opensuse.org
Reporter jeffm@suse.com
QA Contact qa-bugs@suse.de
Found By ---
Blocker ---

Starting with the first update to 5.16, I started getting Oopses like the
following when docker starts up:

[   62.463049] BUG: unable to handle page fault for address: 000000c000b3e9b8
[   62.463094] #PF: supervisor read access in kernel mode
[   62.463118] #PF: error_code(0x0001) - permissions violation
[   62.463143] PGD 800000011bf99067 P4D 800000011bf99067 PUD 11bf9a067 PMD
800000011d4008e7
[   62.463179] Oops: 0001 [#1] PREEMPT SMP PTI
[   62.463200] CPU: 1 PID: 4865 Comm: dockerd Kdump: loaded Not tainted
5.16.4-1-default #1 openSUSE Tumbleweed
f35df798c13cc3a259a6bf2924380af618948152
[   62.463260] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
rel-1.14.0-0-g155821a-rebuilt.opensuse.org 04/01/2014
[   62.463304] RIP: 0010:audit_filter_rules.constprop.0+0x97e/0x1220
[   62.463339] Code: 41 21 c5 41 83 7f 18 01 0f 85 5f f7 ff ff e9 65 f9 ff ff
83 f8 05 0f 84 5f 06 00 00 83 f8 06 0f 85 03 02 00 00 49 8b 44 24 40 <48> 8b 00
83 e0 03 0f be 80 c5 5e 65 b6 41 21 c5 eb c7 4d 85 e4 0f
[   62.463409] RSP: 0018:ffffab1b005e7dd0 EFLAGS: 00010246
[   62.463433] RAX: 000000c000b3e9b8 RBX: 0000000000000001 RCX:
000000000000001f
[   62.463463] RDX: 0000000000000006 RSI: 00000000000001b5 RDI:
00000000c000003e
[   62.463492] RBP: ffff88a306606620 R08: ffff88a301eebaa0 R09:
ffff88a30a30c238
[   62.463522] R10: 0000000040000020 R11: ffff88a301770210 R12:
ffff88a31a54c800
[   62.463551] R13: 000000000000000f R14: 00000000000001b5 R15:
ffff88a301eebaa0
[   62.463580] FS:  00007fd43c94c640(0000) GS:ffff88a37fd00000(0000)
knlGS:0000000000000000
[   62.463613] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   62.463638] CR2: 000000c000b3e9b8 CR3: 000000010f02a002 CR4:
0000000000370ee0
[   62.463671] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[   62.463701] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
0000000000000400
[   62.463730] Call Trace:
[   62.463754]  <TASK>
[   62.463775]  audit_filter_syscall+0xb0/0x100
[   62.463799]  ? do_sys_openat2+0x81/0x160
[   62.463820]  __audit_syscall_exit+0x69/0xf0
[   62.463842]  syscall_exit_to_user_mode_prepare+0x14d/0x180
[   62.463870]  syscall_exit_to_user_mode+0x9/0x40
[   62.463903]  do_syscall_64+0x69/0x80
[   62.463926]  ? syscall_exit_to_user_mode+0x18/0x40
[   62.463948]  ? do_syscall_64+0x69/0x80
[   62.463968]  ? syscall_exit_to_user_mode+0x18/0x40
[   62.463991]  ? do_syscall_64+0x69/0x80
[   62.464010]  ? do_syscall_64+0x69/0x80
[   62.464030]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   62.464074] RIP: 0033:0x562f9ebdf64a
[   62.464872] Code: e8 9b 00 fa ff 48 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24
20 4c 8b 54 24 28 4c 8b 44 24 30 4c 8b 4c 24 38 48 8b 44 24 08 0f 05 <48> 3d 01
f0 ff ff 76 20 48 c7 44 24 40 ff ff ff ff 48 c7 44 24 48
[   62.466526] RSP: 002b:000000c000b3e8a8 EFLAGS: 00000216 ORIG_RAX:
00000000000001b5
[   62.467380] RAX: 000000000000000d RBX: 000000c00005e800 RCX:
0000562f9ebdf64a
[   62.468252] RDX: 000000c000b3e9b8 RSI: 000000c000190480 RDI:
ffffffffffffff9c
[   62.469104] RBP: 000000c000b3e928 R08: 0000000000000000 R09:
0000000000000000
[   62.469977] R10: 0000000000000018 R11: 0000000000000216 R12:
0000000000000000
[   62.470814] R13: 0000000000000001 R14: 0000000000000031 R15:
ffffffffffffffff
[   62.471648]  </TASK>
[   62.472512] Modules linked in: af_packet iscsi_ibft iscsi_boot_sysfs rfkill
snd_hda_codec_generic ledtrig_audio snd_hda_intel intel_rapl_msr
intel_rapl_common snd_intel_dspcfg snd_intel_sdw_acpi kvm_intel snd_hda_codec
snd_hda_core iTCO_wdt intel_pmc_bxt iTCO_vendor_support snd_hwdep kvm snd_pcm
snd_timer qxl irqbypass i2c_i801 snd drm_ttm_helper pcspkr i2c_smbus ttm
soundcore lpc_ich virtio_balloon drm_kms_helper tiny_power_button joydev
virtio_net net_failover failover cec rc_core button syscopyarea sysfillrect
sysimgblt fb_sys_fops drm configfs fuse ip_tables x_tables hid_generic usbhid
crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel crypto_simd
cryptd xhci_pci serio_raw xhci_pci_renesas xhci_hcd usbcore virtio_blk
qemu_fw_cfg btrfs blake2b_generic libcrc32c crc32c_intel xor raid6_pq sg
virtio_rng
[   62.478895] CR2: 000000c000b3e9b8

After some investigation, I've identified the following commit as the cause:
commit 1c30e3af8a79260cdba833a719209b01e6b92300
Author: Richard Guy Briggs <rgb@redhat.com>
Date:   Wed May 19 16:00:21 2021 -0400

    audit: add support for the openat2 syscall

[...]
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 3f9108101598..8c4335a35274 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -63,6 +63,7 @@
 #include <linux/fsnotify_backend.h>
 #include <uapi/linux/limits.h>
 #include <uapi/linux/netfilter/nf_tables.h>
+#include <uapi/linux/openat2.h>

 #include "audit.h"

@@ -183,6 +184,8 @@ static int audit_match_perm(struct audit_context *ctx, int
mask)
                return ((mask & AUDIT_PERM_WRITE) && ctx->argv[0] == SYS_BIND);
        case AUDITSC_EXECVE:
                return mask & AUDIT_PERM_EXEC;
+       case AUDITSC_OPENAT2:
+               return mask & ACC_MODE((u32)((struct open_how
*)ctx->argv[2])->flags);
        default:
                return 0;
        }
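Review bot: The new AUDITSC_OPENAT2 case reads through `(struct open_how *)ctx->argv[2]`, but argv[] holds the raw syscall arguments, so this dereferences a user-space pointer directly from kernel context in audit_match_perm(); with SMAP enabled that is the supervisor-mode "permissions violation" fault in the trace above, and without SMAP it would still be an unchecked read of user memory that userspace can change underneath the filter. The syscall path in do_sys_openat2 already copies the struct into kernel memory before the exit-time audit hook runs, so the match should use that kernel-side copy as recorded in the audit context rather than the argument, i.e. `return mask & ACC_MODE(ctx->openat2.flags);` (assuming the context keeps the copy the openat2 audit hook in this series records). Because any unprivileged caller of openat2() reaches this path whenever a watch rule is loaded, the impact is a local kernel crash, not just the docker startup failure reported here.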

Where ctx->argv[2] holds a userspace pointer.

A small test program using an audit rule of "-w /var/tmp/testfile -k
openat2-oops" prints the address of the struct open_how and it matches the
faulting address.

#include <fcntl.h>
#include <linux/openat2.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <stdio.h>

/*
 * Thin wrapper that issues the openat2(2) system call through syscall(2).
 *
 * @dirfd:    directory fd the path is resolved against (AT_FDCWD for cwd)
 * @pathname: path to open
 * @how:      pointer to the caller's struct open_how
 * @size:     size of *how as handed to the kernel
 *
 * Returns whatever syscall(2) returns: the new descriptor, or -1 with
 * errno set on failure.
 */
long openat2(int dirfd, const char *pathname, struct open_how *how, size_t size)
{
	long result = syscall(SYS_openat2, dirfd, pathname, how, size);

	return result;
}


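/*
 * Repro driver: print the address of the struct open_how that openat2(2)
 * receives (to compare against the faulting address in the oops) and then
 * issue the call against the path the audit watch rule points at.
 *
 * Returns 0 when openat2 succeeds and 1 when it fails; on an affected
 * kernel the call does not return at all because the audit filter faults
 * on syscall exit, as the trace in this report shows.
 */
int
main(void)
{
	struct open_how how = {
		.flags = O_RDONLY|O_DIRECTORY,
	};

	/* %p takes a void *; the printed address is the whole point of the run. */
	fprintf(stderr, "&how = %p\n", (void *)&how);

	long fd = openat2(AT_FDCWD, "/var/tmp/testfile", &how, sizeof how);
	if (fd < 0) {
		/* Only report errno when the call actually failed. */
		perror("openat2");
		return 1;
	}

	/* The descriptor is not used; release it rather than leak it. */
	close((int)fd);
	return 0;
}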

$ mkdir /var/tmp/testfile
$ ./a.out
&how = [address]
<crash>

I've submitted the report upstream as well.

