# syzkaller reproducer followed by the kernel log it produced. The crash is a call
# through a NULL function pointer in the kernel (RIP 0x0, "supervisor instruction
# fetch"), reached from an ioctl issued on a /proc/<pid>/maps fd (see the call trace
# and user-space register dump below: procfs_procmap_ioctl, ORIG_RAX 0x10 = __NR_ioctl,
# RSI = c0686611, RDI = 7). One syzlang call per line; rN are the returned fds.
# Program order is not proof of execution order: the log shows two threads of
# syz.0.0 (T5358 crashes, T5359 emits the netlink warnings), so the reproducer may
# run threaded/repeated — confirm against its run options, which are not on this page.
program:
# r0: OSS dsp-style device (syzkaller's $adsp1 variant). dirfd 0xffffffffffffff9c is
# AT_FDCWD (-100); the path string at 0x7f0000000040 is not shown here.
r0 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0x600, 0x0)
# OSS: select the sample format on the dsp fd (0x10 is AFMT_S16_LE in the OSS uapi).
ioctl$SNDCTL_DSP_SETFMT(r0, 0xc0045005, &(0x7f0000000640)=0x10)
# XFRM netlink message: nlmsg_len 0x12c, nlmsg_type 0x16 from the first blob bytes.
# Plausibly one source of the "netlink: … leftover / invalid length" warnings that
# T5359 logs; the crash trace does not involve it — verify by dropping it from the repro.
r1 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r1, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000300)={&(0x7f00000006c0)=ANY=[@ANYBLOB="2c010000160001000000000000000000fc000000000000000000000000000000ac1414bb00"/64, @ANYRES32=0x0, @ANYRES32=0xee00, @ANYBLOB="ac1e0001000000000000000000000000000000006c"], 0x12c}}, 0x0)
# Despite the $kcm label, family 0x10 is AF_NETLINK (SOCK_DGRAM, protocol 0). The iov
# claims 0x33fe0 bytes but the literal is only 80 bytes; the remainder is whatever
# sits in syzkaller's data mapping. Not on the crash path as far as the trace shows.
r2 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$inet(r2, &(0x7f0000000080)={0x0, 0x74, &(0x7f0000000100)=[{&(0x7f00000001c0)="5c00000012006bab9a3fe3d86e17aa0a046b876c1d0048007ea60864160af36504001a0038001d001931a0e69ee517d34460bc06000000a705251e6182949a3651f60a84c9f4d4938037e70e4509c5bb", 0x33fe0}], 0x1, 0x0, 0x0, 0x1f00c00e}, 0x0)
# Regular file ./bus mapped at a fixed address (flags 0x13 = MAP_SHARED_VALIDATE|MAP_FIXED,
# prot 0): gives the address space a file-backed VMA for the procmap query to resolve.
r3 = open(&(0x7f0000000080)='./bus\x00', 0x400141042, 0x2)
mmap(&(0x7f0000001000/0xa000)=nil, 0xa000, 0x0, 0x13, r3, 0x0)
# r4: /proc/self/maps (syz_open_procfs treats pid 0 as the calling process).
r4 = syz_open_procfs(0x0, &(0x7f00000001c0)='maps\x00')
# THE CRASHING CALL. The $KVM_SET_USER_MEMORY_REGION name is only syzkaller's label for
# the number; on a /proc/<pid>/maps fd the kernel dispatches 0xc0686611 to
# procfs_procmap_ioctl (call trace), and that value is the encoding of PROCMAP_QUERY
# (_IOWR('f', 17, 104-byte struct)). The user register dump matches this call:
# RDI = 7 (this fd), RSI = c0686611, RDX ends in ...0180 (this argument buffer).
# From there the kernel walked __build_id_parse -> freader_fetch -> freader_get_folio ->
# do_read_cache_folio -> filemap_read_folio and jumped to address 0, i.e. an indirect
# call through a NULL callback — presumably a page-cache read operation the backing
# file's address_space does not provide (TODO confirm with symbols). Which VMA was
# queried cannot be read off this page: the argument is decoded with KVM field names
# here, though its last field names the 0x7f0000ffd000 range that mmap$dsp maps below.
# Severity as shown: a kernel panic from a plain ioctl; the caller is UID 0 here, so
# whether a lower-privileged caller reaches the same path is not established by this log.
ioctl$KVM_SET_USER_MEMORY_REGION(r4, 0xc0686611, &(0x7f0000000180)={0x67, 0x0, 0x18, 0x2000, &(0x7f0000ffd000/0x2000)=nil})
# Inject a raw 0x4a-byte frame on the test interface: dst aa:aa:aa:aa:aa:aa,
# src aa:aa:aa:aa:aa:bb, ethertype 0x8100 (802.1Q). Not on the crash path per the trace.
syz_emit_ethernet(0x4a, &(0x7f0000000400)=ANY=[@ANYBLOB="aaaaaaaaaaaaaaaaaaaaaabb81003400001142aa6992e71f2db04c876ef10400e44e020000000000000596befe417f2c93b24b53789559ea417b863705e2e88cc408bc45a4363e482f624795aeaa6567171afc221147d2f18d9d0608f73dba923b94cf4d39402cdee1bc22ef99f30dbce363a53b2f4bd57bf5605d7d44446baed3aab6aca94d906bcf32f34638f42e8a3b4f13e9ba11f53931298235b2e279234e157218737b76277070539449477abd486200f9931311dd446610d58f21e457017fa6e6f057"], &(0x7f0000000140)={0x1, 0x4, [0xfff, 0x3cf, 0x3f7, 0x951]})
# Drain one reply from r2 into a 0xd4-byte buffer.
recvmsg$kcm(r2, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000004140)=[{&(0x7f0000000240)=""/212, 0xd4}], 0x1}, 0x0)
# RTM_NEWACTION (type 0x30) installing an act_tunnel_key action with loopback/broadcast
# encap addresses. Plausibly behind the "attribute type 29 has an invalid length"
# warning from T5359; not on the crash path per the trace.
r5 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route_sched(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000001900)=@newtaction={0x78, 0x30, 0x871a15abc695fb3d, 0x0, 0x0, {}, [{0x64, 0x1, [@m_tunnel_key={0x60, 0x1, 0x0, 0x0, {{0xf}, {0x30, 0x2, 0x0, 0x1, [@TCA_TUNNEL_KEY_PARMS={0x1c, 0x2, {{0x0, 0x0, 0x390113395e37d927}, 0x1}}, @TCA_TUNNEL_KEY_ENC_IPV4_SRC={0x8, 0x3, @loopback}, @TCA_TUNNEL_KEY_ENC_IPV4_DST={0x8, 0x4, @broadcast}]}, {0x4}, {0xc}, {0xc}}}]}]}, 0x78}}, 0x0)
# Second XFRM message (nlmsg_len 0x34c, nlmsg_type 0x16); same remark as for r1.
r6 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r6, &(0x7f0000000840)={0x0, 0x0, &(0x7f0000000800)={&(0x7f00000001c0)=ANY=[@ANYBLOB="4c030000160001000000000000000000fc010000000000000000000000000000fe88000000000000000000000000000100"/64, @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="ac141400000000000000000000000000000000006c000000ac14140000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000025bd7000000000000000000000000000000000000300000006"], 0x34c}}, 0x0)
# Maps the dsp fd r0 at fixed 0x7f0000ffd000 (flags 0x8012 = MAP_PRIVATE|MAP_FIXED|
# MAP_POPULATE) — the same range the procmap query above names. If the query resolved
# to this VMA, its backing file is a character device, which would account for a missing
# page-cache read callback in filemap_read_folio; inferred from the trace, not shown here.
mmap$dsp(&(0x7f0000ffd000/0x2000)=nil, 0x2000, 0x100000b, 0x8012, r0, 0x0)
# ---- kernel log (T5338's Bluetooth timeout and T5359's netlink warnings are other
# ---- threads/background; the Oops is T5358's) ----
[ 68.401638][ T5338] Bluetooth: hci0: command tx timeout
[ 68.404680][ T5359] netlink: 52 bytes leftover after parsing attributes in process `syz.0.0'.
[ 68.416867][ T5359] netlink: 'syz.0.0': attribute type 29 has an invalid length.
[ 68.431462][ T5358] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 68.434674][ T5358] #PF: supervisor instruction fetch in kernel mode
[ 68.437337][ T5358] #PF: error_code(0x0010) - not-present page
[ 68.439887][ T5358] PGD 0 P4D 0
[ 68.441503][ T5358] Oops: Oops: 0010 [#1] SMP KASAN NOPTI
[ 68.443985][ T5358] CPU: 0 UID: 0 PID: 5358 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 68.447639][ T5358] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 68.452049][ T5358] RIP: 0010:0x0
[ 68.453622][ T5358] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
[ 68.456674][ T5358] RSP: 0018:ffffc9000d367998 EFLAGS: 00010283
[ 68.459429][ T5358] RAX: ffffffff81f90f64 RBX: 1ffffd40002649c0 RCX: 0000000000100000
[ 68.462936][ T5358] RDX: ffffc9000e0d2000 RSI: ffffea0001324e00 RDI: ffff88803f135e00
[ 68.466320][ T5358] RBP: ffffc9000d367a50 R08: ffffea0001324e07 R09: 1ffffd40002649c0
[ 68.469708][ T5358] R10: dffffc0000000000 R11: 0000000000000000 R12: 0000000000000000
[ 68.472907][ T5358] R13: ffffea0001324e08 R14: ffffea0001324e00 R15: 1ffffd40002649c1
[ 68.476833][ T5358] FS: 00007fedc0ef56c0(0000) GS:ffff88808d001000(0000) knlGS:0000000000000000
[ 68.480690][ T5358] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 68.483543][ T5358] CR2: ffffffffffffffd6 CR3: 00000000426c9000 CR4: 0000000000352ef0
[ 68.487090][ T5358] Call Trace:
[ 68.488550][ T5358]
[ 68.489902][ T5358] filemap_read_folio+0x114/0x380
[ 68.492078][ T5358] ? __pfx_filemap_read_folio+0x10/0x10
[ 68.494539][ T5358] ? filemap_add_folio+0x1af/0x270
[ 68.496751][ T5358] do_read_cache_folio+0x350/0x590
[ 68.499206][ T5358] freader_get_folio+0x3c4/0x830
[ 68.501501][ T5358] freader_fetch+0xa3/0x5d0
[ 68.503652][ T5358] __build_id_parse+0x133/0x7d0
[ 68.505707][ T5358] ? __pfx___build_id_parse+0x10/0x10
[ 68.508013][ T5358] ? find_vma+0xe7/0x160
[ 68.509884][ T5358] ? __pfx_find_vma+0x10/0x10
[ 68.511942][ T5358] ? query_matching_vma+0x1b2/0x1d0
[ 68.514370][ T5358] procfs_procmap_ioctl+0x7f0/0xce0
[ 68.516674][ T5358] ? __pfx_procfs_procmap_ioctl+0x10/0x10
[ 68.519264][ T5358] ? __fget_files+0x2a/0x420
[ 68.521377][ T5358] ? __fget_files+0x2a/0x420
[ 68.523658][ T5358] ? __fget_files+0x3a0/0x420
[ 68.525492][ T5358] ? __fget_files+0x2a/0x420
[ 68.527488][ T5358] ? bpf_lsm_file_ioctl+0x9/0x20
[ 68.529601][ T5358] ? __pfx_procfs_procmap_ioctl+0x10/0x10
[ 68.532025][ T5358] __se_sys_ioctl+0xf9/0x170
[ 68.533608][ T5358] do_syscall_64+0xfa/0x3b0
[ 68.535386][ T5358] ? lockdep_hardirqs_on+0x9c/0x150
[ 68.537279][ T5358] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 68.539859][ T5358] ? clear_bhb_loop+0x60/0xb0
[ 68.541931][ T5358] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 68.544493][ T5358] RIP: 0033:0x7fedbff8eec9
[ 68.546475][ T5358] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 68.554435][ T5358] RSP: 002b:00007fedc0ef5038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 68.557967][ T5358] RAX: ffffffffffffffda RBX: 00007fedc01e5fa0 RCX: 00007fedbff8eec9
[ 68.561345][ T5358] RDX: 0000200000000180 RSI: 00000000c0686611 RDI: 0000000000000007
[ 68.564688][ T5358] RBP: 00007fedc0011f91 R08: 0000000000000000 R09: 0000000000000000
[ 68.568080][ T5358] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 68.571453][ T5358] R13: 00007fedc01e6038 R14: 00007fedc01e5fa0 R15: 00007ffe8033c268
[ 68.574720][ T5358]
[ 68.576110][ T5358] Modules linked in:
[ 68.577820][ T5358] CR2: 0000000000000000
[ 68.579624][ T5358] ---[ end trace 0000000000000000 ]---
[ 68.581876][ T5358] RIP: 0010:0x0
[ 68.583468][ T5358] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
[ 68.586441][ T5358] RSP: 0018:ffffc9000d367998 EFLAGS: 00010283
[ 68.589024][ T5358] RAX: ffffffff81f90f64 RBX: 1ffffd40002649c0 RCX: 0000000000100000
[ 68.592360][ T5358] RDX: ffffc9000e0d2000 RSI: ffffea0001324e00 RDI: ffff88803f135e00
[ 68.595846][ T5358] RBP: ffffc9000d367a50 R08: ffffea0001324e07 R09: 1ffffd40002649c0
[ 68.599325][ T5358] R10: dffffc0000000000 R11: 0000000000000000 R12: 0000000000000000
[ 68.602658][ T5358] R13: ffffea0001324e08 R14: ffffea0001324e00 R15: 1ffffd40002649c1
[ 68.606078][ T5358] FS: 00007fedc0ef56c0(0000) GS:ffff88808d001000(0000) knlGS:0000000000000000
[ 68.609824][ T5358] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 68.612606][ T5358] CR2: ffffffffffffffd6 CR3: 00000000426c9000 CR4: 0000000000352ef0
[ 68.616072][ T5358] Kernel panic - not syncing: Fatal exception
[ 68.618913][ T5358] Kernel Offset: disabled
[ 68.620607][ T5358] Rebooting in 86400 seconds..