diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 1279b5c5c95974..eebbe8a6da0c5f 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -9467,8 +9467,10 @@ static void io_tctx_exit_cb(struct callback_head *cb)
 	/*
 	 * When @in_idle, we're in cancellation and it's racy to remove the
 	 * node. It'll be removed by the end of cancellation, just ignore it.
+	 * tctx can be NULL if the queueing of this task_work raced with
+	 * work cancelation off the exec path.
 	 */
-	if (!atomic_read(&tctx->in_idle))
+	if (tctx && !atomic_read(&tctx->in_idle))
 		io_uring_del_tctx_node((unsigned long)work->ctx);
 	complete(&work->completion);
 }