general protection fault in __xfrm_policy

Kernel	Title	Rank 🛈	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
android-44	general protection fault in __xfrm_policy_unlink	2	C			4	2752d	2429d	0/2	public: reported C repro on 2019/04/13 00:00
IPVS: stop unused estimator thread 0...
Oops: general protection fault, probably for non-canonical address 0xdffffc00000002b3: 0000 [#1] SMP KASAN PTI
KASAN: probably user-memory-access in range [0x0000000000001598-0x000000000000159f]
CPU: 1 UID: 0 PID: 12 Comm: kworker/u8:0 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Workqueue: netns cleanup_net

RIP: 0010:__xfrm_policy_unlink+0x351/0x3a0 net/xfrm/xfrm_policy.c:2349
Code: bf 07 00 00 00 44 89 f6 e8 fc f3 d2 f7 41 83 fe 06 77 39 e8 b1 ef d2 f7 4e 8d 34 b5 00 00 00 00 4d 01 ee 4c 89 f0 48 c1 e8 03 <0f> b6 04 28 84 c0 75 30 41 ff 0e 48 89 d8 48 83 c4 28 5b 41 5c 41
RSP: 0018:ffffc900001177b8 EFLAGS: 00010202
RAX: 00000000000002b3 RBX: ffff8880278b3000 RCX: ffff88801c2bdac0
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000007
RBP: dffffc0000000000 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffff52000022ef4 R12: ffff88807e560180
R13: 0000000000001598 R14: 0000000000001598 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff888125e0f000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1f9e44f727 CR3: 0000000077c5c000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 xfrm_policy_flush+0x2fc/0x530 net/xfrm/xfrm_policy.c:1839
 xfrm_policy_fini+0x43/0x3e0 net/xfrm/xfrm_policy.c:4282
 xfrm_net_exit+0x25/0x70 net/xfrm/xfrm_policy.c:4353
 ops_exit_list net/core/net_namespace.c:199 [inline]
 ops_undo_list+0x49a/0x990 net/core/net_namespace.c:252
 cleanup_net+0x4d8/0x820 net/core/net_namespace.c:695
 process_one_work kernel/workqueue.c:3263 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__xfrm_policy_unlink+0x351/0x3a0 net/xfrm/xfrm_policy.c:2349
Code: bf 07 00 00 00 44 89 f6 e8 fc f3 d2 f7 41 83 fe 06 77 39 e8 b1 ef d2 f7 4e 8d 34 b5 00 00 00 00 4d 01 ee 4c 89 f0 48 c1 e8 03 <0f> b6 04 28 84 c0 75 30 41 ff 0e 48 89 d8 48 83 c4 28 5b 41 5c 41
RSP: 0018:ffffc900001177b8 EFLAGS: 00010202
RAX: 00000000000002b3 RBX: ffff8880278b3000 RCX: ffff88801c2bdac0
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000007
RBP: dffffc0000000000 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffff52000022ef4 R12: ffff88807e560180
R13: 0000000000001598 R14: 0000000000001598 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff888125e0f000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1f9e44f727 CR3: 0000000077c5c000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
   0:	bf 07 00 00 00       	mov    $0x7,%edi
   5:	44 89 f6             	mov    %r14d,%esi
   8:	e8 fc f3 d2 f7       	call   0xf7d2f409
   d:	41 83 fe 06          	cmp    $0x6,%r14d
  11:	77 39                	ja     0x4c
  13:	e8 b1 ef d2 f7       	call   0xf7d2efc9
  18:	4e 8d 34 b5 00 00 00 	lea    0x0(,%r14,4),%r14
  1f:	00
  20:	4d 01 ee             	add    %r13,%r14
  23:	4c 89 f0             	mov    %r14,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	0f b6 04 28          	movzbl (%rax,%rbp,1),%eax <-- trapping instruction
  2e:	84 c0                	test   %al,%al
  30:	75 30                	jne    0x62
  32:	41 ff 0e             	decl   (%r14)
  35:	48 89 d8             	mov    %rbx,%rax
  38:	48 83 c4 28          	add    $0x28,%rsp
  3c:	5b                   	pop    %rbx
  3d:	41 5c                	pop    %r12
  3f:	41                   	rex.B