Bug ID 1205597
Summary ltp:pty03:slcan: null-ptr-deref in process_one_work
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Kernel
Assignee kernel-bugs@opensuse.org
Reporter richard.palethorpe@suse.com
QA Contact qa-bugs@suse.de
Found By ---
Blocker ---

The LTP test pty03 is causing a null pointer dereference on Tumbleweed in
OpenQA: https://openqa.opensuse.org/tests/2891345#step/pty03/9
https://openqa.opensuse.org/tests/2891345/logfile?filename=serial0.txt

This has been happening for a month or more:
https://openqa.opensuse.org/tests/2891345#next_previous

I can't reproduce this on the upstream kernel (v6.0.9). I also can't see the
connection to SLCAN, although it could have queued a corrupted work item, or this
is really a use-after-free of some sort. The trace below is consistent with a bad
work item rather than a bug in process_one_work itself: the fault is at
`mov 0x8(%r12),%rax` with R12 = 0 and CR2 = 8, and R12 was set to 0 by the
preceding `test $0x4,%al` / `cmove` on the word loaded from the work_struct, i.e.
the flag bit that should be set on a queued work item was clear (presumably the
pwq flag, given the workqueue.c:706 line). `Workqueue: 0x0 (events)` also shows
the work function pointer was NULL. A work_struct on the worklist with those
fields zeroed or overwritten is what you would expect if the item was freed (or
its memory reused) while still queued.

AFAIK enabling the SLCAN ldisc requires privileges, so this should not be
reachable by an unprivileged local user, but a root-triggerable oops in a kworker
still takes the system down (the worker exits with preempt_count 1 at the end of
the trace). I'd be in favour of moving the module to a separate package or
blacklisting it. Note that a modprobe blacklist only stops automatic loading; the
ldisc is still usable if root loads the module explicitly.

Below is the decoded stack trace.

[  173.520584][  T348] BUG: kernel NULL pointer dereference, address:
0000000000000008
[  173.521211][  T348] #PF: supervisor read access in kernel mode
[  173.521711][  T348] #PF: error_code(0x0000) - not-present page
[  173.522197][  T348] PGD 0 P4D 0
[  173.522641][  T348] Oops: 0000 [#1] PREEMPT SMP NOPTI
[  173.523287][  T348] CPU: 0 PID: 348 Comm: kworker/0:3 Not tainted
6.0.8-1-default #1 openSUSE Tumbleweed 9d20364b934f5aab0a9bdf84e8f45cfdfae39dab
[  173.524682][  T348] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014
[  173.525978][  T348] Workqueue:  0x0 (events)
[ 173.526562][ T348] RIP: 0010:process_one_work
(/home/rich/kernel/linux/kernel/workqueue.c:706
/home/rich/kernel/linux/kernel/workqueue.c:2185) 
[ 173.527114][ T348] Code: 49 89 ff 41 56 41 55 41 54 55 53 48 89 f3 48 83 ec
10 48 8b 06 48 8b 6f 48 49 89 c4 45 30 e4 a8 04 b8 00 00 00 00 4c 0f 44 e0 <49>
8b 44 24 08 44 8b a8 00 01 00 00 41 83 e5 20 f6 45 10 04 75 0e
All code
========
   0:    49 89 ff                 mov    %rdi,%r15
   3:    41 56                    push   %r14
   5:    41 55                    push   %r13
   7:    41 54                    push   %r12
   9:    55                       push   %rbp
   a:    53                       push   %rbx
   b:    48 89 f3                 mov    %rsi,%rbx
   e:    48 83 ec 10              sub    $0x10,%rsp
  12:    48 8b 06                 mov    (%rsi),%rax
  15:    48 8b 6f 48              mov    0x48(%rdi),%rbp
  19:    49 89 c4                 mov    %rax,%r12
  1c:    45 30 e4                 xor    %r12b,%r12b
  1f:    a8 04                    test   $0x4,%al
  21:    b8 00 00 00 00           mov    $0x0,%eax
  26:    4c 0f 44 e0              cmove  %rax,%r12
  2a:*    49 8b 44 24 08           mov    0x8(%r12),%rax        <-- trapping
instruction
  2f:    44 8b a8 00 01 00 00     mov    0x100(%rax),%r13d
  36:    41 83 e5 20              and    $0x20,%r13d
  3a:    f6 45 10 04              testb  $0x4,0x10(%rbp)
  3e:    75 0e                    jne    0x4e

Code starting with the faulting instruction
===========================================
   0:    49 8b 44 24 08           mov    0x8(%r12),%rax
   5:    44 8b a8 00 01 00 00     mov    0x100(%rax),%r13d
   c:    41 83 e5 20              and    $0x20,%r13d
  10:    f6 45 10 04              testb  $0x4,0x10(%rbp)
  14:    75 0e                    jne    0x24
[  173.528748][  T348] RSP: 0018:ffffaf7b40f47e98 EFLAGS: 00010046
[  173.529401][  T348] RAX: 0000000000000000 RBX: ffff9d644e1b8b48 RCX:
ffff9d649e439968
[  173.530031][  T348] RDX: 00000000ffff8455 RSI: ffff9d644e1b8b48 RDI:
ffff9d64764aa6c0
[  173.530660][  T348] RBP: ffff9d649e4335c0 R08: 0000000000000c00 R09:
ffff9d64764aa734
[  173.531300][  T348] R10: 0000000000000007 R11: 0000000000000001 R12:
0000000000000000
[  173.531959][  T348] R13: ffff9d649e4335e8 R14: ffff9d64490da780 R15:
ffff9d64764aa6c0
[  173.532620][  T348] FS:  0000000000000000(0000) GS:ffff9d649e400000(0000)
knlGS:0000000000000000
[  173.533412][  T348] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  173.534064][  T348] CR2: 0000000000000008 CR3: 0000000036424000 CR4:
00000000000006f0
[  173.534827][  T348] Call Trace:
[  173.535315][  T348]  <TASK>
[ 173.535753][ T348] worker_thread
(/home/rich/kernel/linux/kernel/workqueue.c:2436) 
[ 173.536379][ T348] ? process_one_work
(/home/rich/kernel/linux/./include/trace/events/workqueue.h:82
/home/rich/kernel/linux/kernel/workqueue.c:2288) 
[ 173.536947][ T348] kthread (/home/rich/kernel/linux/kernel/kthread.c:376) 
[ 173.537396][ T348] ? kthread_complete_and_exit
(/home/rich/kernel/linux/kernel/kthread.c:331) 
[ 173.537912][ T348] ret_from_fork
(/home/rich/kernel/linux/arch/x86/entry/entry_64.S:312) 
[  173.538370][  T348]  </TASK>
[  173.538754][  T348] Modules linked in: slcan can_dev ppp_synctty n_hdlc
mkiss ax25 ppp_async ppp_generic slip slhc serport af_packet rfkill qrtr
snd_hda_codec_generic ledtrig_audio tiny_power_button snd_hda_intel
snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec ppdev snd_hda_core snd_hwdep
snd_pcm snd_timer pcspkr virtio_net net_failover snd soundcore failover
i2c_piix4 parport_pc button parport joydev nfsd auth_rpcgss nfs_acl lockd grace
sunrpc fuse configfs dmi_sysfs ip_tables x_tables hid_generic usbhid xhci_pci
xhci_pci_renesas xhci_hcd sr_mod cdrom ata_generic usbcore bochs virtio_blk
virtio_scsi drm_vram_helper drm_ttm_helper ttm ata_piix floppy serio_raw btrfs
blake2b_generic libcrc32c xor raid6_pq sg dm_multipath dm_mod scsi_dh_rdac
scsi_dh_emc scsi_dh_alua qemu_fw_cfg virtio_rng
[  173.544273][  T348] CR2: 0000000000000008
[  173.544764][  T348] ---[ end trace 0000000000000000 ]---
[ 173.545331][ T348] RIP: 0010:process_one_work
(/home/rich/kernel/linux/kernel/workqueue.c:706
/home/rich/kernel/linux/kernel/workqueue.c:2185) 
[ 173.545891][ T348] Code: 49 89 ff 41 56 41 55 41 54 55 53 48 89 f3 48 83 ec
10 48 8b 06 48 8b 6f 48 49 89 c4 45 30 e4 a8 04 b8 00 00 00 00 4c 0f 44 e0 <49>
8b 44 24 08 44 8b a8 00 01 00 00 41 83 e5 20 f6 45 10 04 75 0e
All code
========
   0:    49 89 ff                 mov    %rdi,%r15
   3:    41 56                    push   %r14
   5:    41 55                    push   %r13
   7:    41 54                    push   %r12
   9:    55                       push   %rbp
   a:    53                       push   %rbx
   b:    48 89 f3                 mov    %rsi,%rbx
   e:    48 83 ec 10              sub    $0x10,%rsp
  12:    48 8b 06                 mov    (%rsi),%rax
  15:    48 8b 6f 48              mov    0x48(%rdi),%rbp
  19:    49 89 c4                 mov    %rax,%r12
  1c:    45 30 e4                 xor    %r12b,%r12b
  1f:    a8 04                    test   $0x4,%al
  21:    b8 00 00 00 00           mov    $0x0,%eax
  26:    4c 0f 44 e0              cmove  %rax,%r12
  2a:*    49 8b 44 24 08           mov    0x8(%r12),%rax        <-- trapping
instruction
  2f:    44 8b a8 00 01 00 00     mov    0x100(%rax),%r13d
  36:    41 83 e5 20              and    $0x20,%r13d
  3a:    f6 45 10 04              testb  $0x4,0x10(%rbp)
  3e:    75 0e                    jne    0x4e

Code starting with the faulting instruction
===========================================
   0:    49 8b 44 24 08           mov    0x8(%r12),%rax
   5:    44 8b a8 00 01 00 00     mov    0x100(%rax),%r13d
   c:    41 83 e5 20              and    $0x20,%r13d
  10:    f6 45 10 04              testb  $0x4,0x10(%rbp)
  14:    75 0e                    jne    0x24
[  173.547458][  T348] RSP: 0018:ffffaf7b40f47e98 EFLAGS: 00010046
[  173.548063][  T348] RAX: 0000000000000000 RBX: ffff9d644e1b8b48 RCX:
ffff9d649e439968
[  173.548766][  T348] RDX: 00000000ffff8455 RSI: ffff9d644e1b8b48 RDI:
ffff9d64764aa6c0
[  173.549488][  T348] RBP: ffff9d649e4335c0 R08: 0000000000000c00 R09:
ffff9d64764aa734
[  173.550193][  T348] R10: 0000000000000007 R11: 0000000000000001 R12:
0000000000000000
[  173.550898][  T348] R13: ffff9d649e4335e8 R14: ffff9d64490da780 R15:
ffff9d64764aa6c0
[  173.551604][  T348] FS:  0000000000000000(0000) GS:ffff9d649e400000(0000)
knlGS:0000000000000000
[  173.552358][  T348] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  173.552998][  T348] CR2: 0000000000000008 CR3: 0000000036424000 CR4:
00000000000006f0
[  173.553729][  T348] note: kworker/0:3[348] exited with preempt_count 1

