8<--- cut here ---
Unable to handle kernel NULL pointer dereference at virtual address 00000008 when read
[00000008] *pgd=851f7003, *pmd=fdcc9003
Internal error: Oops: 205 [#1] PREEMPT SMP ARM
Modules linked in:
CPU: 1 UID: 0 PID: 6633 Comm: syz.0.883 Not tainted 6.12.0-syzkaller #0
Hardware name: ARM-Versatile Express
PC is at selinux_ip_output+0x54/0x80 security/selinux/hooks.c:5762
LR is at selinux_ip_output+0x18/0x80 security/selinux/hooks.c:5735
pc : [<8072a1d8>]    lr : [<8072a19c>]    psr: 40000013
sp : df805aa8  ip : df805aa8  fp : df805abc
r10: 84f04e40  r9 : 84f16188  r8 : df805b10
r7 : 844cae40  r6 : 84f16180  r5 : df805b10  r4 : 844cae40
r3 : 00000000  r2 : 00000000  r1 : 00000040  r0 : 00000001
Flags: nZcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
Control: 30c5387d  Table: 851f8180  DAC: 00000000
Register r0 information: non-paged memory
Register r1 information: non-paged memory
Register r2 information: NULL pointer
Register r3 information: NULL pointer
Register r4 information: slab skbuff_head_cache start 844cae40 pointer offset 0 size 192
Register r5 information: 2-page vmalloc region starting at 0xdf804000 allocated at start_kernel+0x5d0/0x778 init/main.c:1005
Register r6 information: slab kmalloc-cg-128 start 84f16180 pointer offset 0 size 128
Register r7 information: slab skbuff_head_cache start 844cae40 pointer offset 0 size 192
Register r8 information: 2-page vmalloc region starting at 0xdf804000 allocated at start_kernel+0x5d0/0x778 init/main.c:1005
Register r9 information: slab kmalloc-cg-128 start 84f16180 pointer offset 8 size 128
Register r10 information: slab mnt_cache start 84f04e40 pointer offset 0 size 184
Register r11 information: 2-page vmalloc region starting at 0xdf804000 allocated at start_kernel+0x5d0/0x778 init/main.c:1005
Register r12 information: 2-page vmalloc region starting at 0xdf804000 allocated at start_kernel+0x5d0/0x778 init/main.c:1005
Process syz.0.883 (pid: 6633, stack limit = 0xeb504000)
Stack: (0xdf805aa8 to 0xdf806000)
5aa0:                   00000001 00000001 df805ae4 df805ac0 815dec9c 8072a190
5ac0: 844cae40 ffffdd86 84414b40 82e6be10 df805be8 847a8000 df805bac df805ae8
5ae0: 81768f18 815dec68 a0000013 804d3dc8 82fec000 df805c20 00000020 000000b8
5b00: 00000000 8400a400 06000000 df805c10 00000a03 00000000 82fec000 84414b40
5b20: 847a8000 81766c4c ffffffff 00000000 847a8000 84f04e40 84414b40 00000000
5b40: 82e6be20 000000e0 df805b7c df805b58 8173e0cc 8173d134 00000006 00000000
5b60: 84414b40 00000000 df805be8 847a8000 df805bac df805b80 81767510 7fcfe624
5b80: 00000000 844cae40 00000000 00000000 83eb0980 00000000 82e6be20 000000e0
5ba0: df805c74 df805bb0 817ac35c 81768b38 00000000 00000000 00000000 82eb6840
5bc0: 00000000 00000000 96d772d4 ba538b57 82e6b680 df805cd8 84414b40 847a8000
5be0: 82e6b760 83eb0980 00000001 00000001 00000000 00000000 00060000 00000000
5c00: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 01000000
5c20: 00000000 00000000 00000000 01000000 00000000 01402cde 00000000 00000000
5c40: df805c74 7fcfe624 8030b2e8 00000000 00000200 1f9720cc 00000000 84f5f000
5c60: 83eb0980 00000000 df805d1c df805c78 817ae890 817abf10 00000200 1f9720cd
5c80: 1f9720cc 00000001 00000000 00000000 00000000 00000000 ffc9dd60 df805cd8
5ca0: 00000001 817f43a0 84043000 00002cde 82929400 8149cc30 00000020 82e6b738
5cc0: 847a8000 00000001 96d772d4 ba538b57 00000002 00000000 00000000 00000000
5ce0: 00000000 00000000 00000000 7fcfe624 00000084 83eb0980 826060cc 00000006
5d00: 00000001 82e6b738 8261a060 82e6b680 df805d64 df805d20 8176e7dc 817ad9a4
5d20: 00000000 7fcfe624 00000000 00000006 8400a400 847a8000 80c63e84 83eb0980
5d40: 847a8000 847a8000 00000000 00000001 00000040 ddde4e88 df805d7c df805d68
5d60: 8176efdc 8176e780 83eb0980 00000001 df805dbc df805d80 8176f038 8176ef98
5d80: 00000002 00000a01 82fec000 00000000 00000000 847a8000 8176ef8c 7fcfe624
5da0: 847a8000 00000001 83eb0980 847a8000 df805dfc df805dc0 8176e614 8176f004
5dc0: 802aca0c 00000a00 82fec000 00000000 00000000 847a8000 8176dc00 7fcfe624
5de0: 00000000 82fec000 8176e4c4 00000000 df805e24 df805e00 814cc17c 8176e4d0
5e00: ddde4180 83eb0980 82619424 7fcfe624 83eb0980 ddde4f70 df805e3c df805e28
5e20: 814cc1e8 814cc12c 83eb0980 ddde4f70 df805e74 df805e40 814cc4f0 814cc1dc
5e40: 00000001 ddde4f5c 824bd180 00000001 ddde4f70 00000040 df805ecb df805ed0
5e60: ddde50c0 ddde4e80 df805ea4 df805e78 814cd3f0 814cc45c 824bde80 82606040
5e80: 00000000 ddde4f70 0000594c 0000012c df805ed0 ddde50c0 df805f64 df805ea8
5ea0: 814cdc64 814cd3c8 84043000 11d2b900 df805ee0 0000594c 80319d5c 5b927000
5ec0: 824bde80 82604d40 00de77c0 00000000 df805ed0 df805ed0 df805ed8 df805ed8
5ee0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
5f00: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
5f20: 00000000 00000000 00000000 00000000 8029f31c 7fcfe624 8260408c 8260408c
5f40: 00000004 00000003 00400040 00000101 84043000 00000008 df805fdc df805f68
5f60: 8024ba68 814cd918 ddde16c4 824ba6cc 824ba6d4 00400040 82604d40 0000594b
5f80: 82223e4c 00000000 824bca80 0000000a 827ff928 8260c610 822111b8 824b2210
5fa0: df805f68 82604080 df805fc4 df805fb8 819d75d4 60000013 00000001 824bdecc
5fc0: 82fec000 eb505908 84f04e40 00000013 df805fec df805fe0 802012d0 8024b91c
5fe0: df805ffc df805ff0 80208824 802012c8 eb5058c4 df806000 8198744c 80208820
Call trace: frame pointer underflow
[<8072a184>] (selinux_ip_output) from [<815dec9c>] (nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline])
[<8072a184>] (selinux_ip_output) from [<815dec9c>] (nf_hook_slow+0x40/0x104 net/netfilter/core.c:626)
 r5:00000001 r4:00000001
[<815dec5c>] (nf_hook_slow) from [<81768f18>] (nf_hook include/linux/netfilter.h:269 [inline])
[<815dec5c>] (nf_hook_slow) from [<81768f18>] (NF_HOOK include/linux/netfilter.h:312 [inline])
[<815dec5c>] (nf_hook_slow) from [<81768f18>] (ip6_xmit+0x3ec/0x7b8 net/ipv6/ip6_output.c:366)
 r9:847a8000 r8:df805be8 r7:82e6be10 r6:84414b40 r5:ffffdd86 r4:844cae40
[<81768b2c>] (ip6_xmit) from [<817ac35c>] (tcp_v6_send_response+0x458/0x868 net/ipv6/tcp_ipv6.c:999)
 r10:000000e0 r9:82e6be20 r8:00000000 r7:83eb0980 r6:00000000 r5:00000000
 r4:844cae40
[<817abf04>] (tcp_v6_send_response) from [<817ae890>] (tcp_v6_send_ack net/ipv6/tcp_ipv6.c:1152 [inline])
[<817abf04>] (tcp_v6_send_response) from [<817ae890>] (tcp_v6_timewait_ack net/ipv6/tcp_ipv6.c:1199 [inline])
[<817abf04>] (tcp_v6_send_response) from [<817ae890>] (tcp_v6_rcv+0xef8/0x1190 net/ipv6/tcp_ipv6.c:1993)
 r10:00000000 r9:83eb0980 r8:84f5f000 r7:00000000 r6:1f9720cc r5:00000200
 r4:00000000
[<817ad998>] (tcp_v6_rcv) from [<8176e7dc>] (ip6_protocol_deliver_rcu+0x68/0x818 net/ipv6/ip6_input.c:436)
 r10:82e6b680 r9:8261a060 r8:82e6b738 r7:00000001 r6:00000006 r5:826060cc
 r4:83eb0980
[<8176e774>] (ip6_protocol_deliver_rcu) from [<8176efdc>] (ip6_input_finish+0x50/0x6c net/ipv6/ip6_input.c:481)
 r10:ddde4e88 r9:00000040 r8:00000001 r7:00000000 r6:847a8000 r5:847a8000
 r4:83eb0980
[<8176ef8c>] (ip6_input_finish) from [<8176f038>] (NF_HOOK include/linux/netfilter.h:314 [inline])
[<8176ef8c>] (ip6_input_finish) from [<8176f038>] (NF_HOOK include/linux/netfilter.h:308 [inline])
[<8176ef8c>] (ip6_input_finish) from [<8176f038>] (ip6_input+0x40/0xd0 net/ipv6/ip6_input.c:490)
 r5:00000001 r4:83eb0980
[<8176eff8>] (ip6_input) from [<8176e614>] (dst_input include/net/dst.h:460 [inline])
[<8176eff8>] (ip6_input) from [<8176e614>] (ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline])
[<8176eff8>] (ip6_input) from [<8176e614>] (NF_HOOK include/linux/netfilter.h:314 [inline])
[<8176eff8>] (ip6_input) from [<8176e614>] (NF_HOOK include/linux/netfilter.h:308 [inline])
[<8176eff8>] (ip6_input) from [<8176e614>] (ipv6_rcv+0x150/0x15c net/ipv6/ip6_input.c:309)
 r6:847a8000 r5:83eb0980 r4:00000001
[<8176e4c4>] (ipv6_rcv) from [<814cc17c>] (__netif_receive_skb_one_core+0x5c/0x80 net/core/dev.c:5672)
 r6:00000000 r5:8176e4c4 r4:82fec000
[<814cc120>] (__netif_receive_skb_one_core) from [<814cc1e8>] (__netif_receive_skb+0x18/0x5c net/core/dev.c:5785)
 r5:ddde4f70 r4:83eb0980
[<814cc1d0>] (__netif_receive_skb) from [<814cc4f0>] (process_backlog+0xa0/0x17c net/core/dev.c:6117)
 r5:ddde4f70 r4:83eb0980
[<814cc450>] (process_backlog) from [<814cd3f0>] (__napi_poll+0x34/0x240 net/core/dev.c:6877)
 r10:ddde4e80 r9:ddde50c0 r8:df805ed0 r7:df805ecb r6:00000040 r5:ddde4f70
 r4:00000001
[<814cd3bc>] (__napi_poll) from [<814cdc64>] (napi_poll net/core/dev.c:6946 [inline])
[<814cd3bc>] (__napi_poll) from [<814cdc64>] (net_rx_action+0x358/0x440 net/core/dev.c:7068)
 r9:ddde50c0 r8:df805ed0 r7:0000012c r6:0000594c r5:ddde4f70 r4:00000000
[<814cd90c>] (net_rx_action) from [<8024ba68>] (handle_softirqs+0x158/0x464 kernel/softirq.c:554)
 r10:00000008 r9:84043000 r8:00000101 r7:00400040 r6:00000003 r5:00000004
 r4:8260408c
[<8024b910>] (handle_softirqs) from [<802012d0>] (__do_softirq+0x14/0x18 kernel/softirq.c:588)
 r10:00000013 r9:84f04e40 r8:eb505908 r7:82fec000 r6:824bdecc r5:00000001
 r4:60000013
[<802012bc>] (__do_softirq) from [<80208824>] (____do_softirq+0x10/0x14 arch/arm/kernel/irq.c:77)
[<80208814>] (____do_softirq) from [<8198744c>] (call_with_stack+0x1c/0x20 arch/arm/lib/call_with_stack.S:40)
[<81987430>] (call_with_stack) from [<80208860>] (do_softirq_own_stack+0x38/0x3c arch/arm/kernel/irq.c:82)
[<80208828>] (do_softirq_own_stack) from [<8024c064>] (do_softirq kernel/softirq.c:455 [inline])
[<80208828>] (do_softirq_own_stack) from [<8024c064>] (do_softirq+0x5c/0x64 kernel/softirq.c:442)
[<8024c008>] (do_softirq) from [<8024c138>] (__local_bh_enable_ip+0xcc/0xd0 kernel/softirq.c:382)
 r5:00000001 r4:84043000
[<8024c06c>] (__local_bh_enable_ip) from [<814c943c>] (local_bh_enable include/linux/bottom_half.h:33 [inline])
[<8024c06c>] (__local_bh_enable_ip) from [<814c943c>] (rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline])
[<8024c06c>] (__local_bh_enable_ip) from [<814c943c>] (__dev_queue_xmit+0x394/0xfa4 net/core/dev.c:4461)
 r5:83eff000 r4:00000000
[<814c90a8>] (__dev_queue_xmit) from [<81767b1c>] (dev_queue_xmit include/linux/netdevice.h:3168 [inline])
[<814c90a8>] (__dev_queue_xmit) from [<81767b1c>] (neigh_hh_output include/net/neighbour.h:523 [inline])
[<814c90a8>] (__dev_queue_xmit) from [<81767b1c>] (neigh_output include/net/neighbour.h:537 [inline])
[<814c90a8>] (__dev_queue_xmit) from [<81767b1c>] (ip6_finish_output2+0x374/0x97c net/ipv6/ip6_output.c:141)
 r10:00000013 r9:00000009 r8:00000010 r7:0000000e r6:84f69d00 r5:83eb0980
 r4:00000000
[<817677a8>] (ip6_finish_output2) from [<8176c774>] (__ip6_finish_output net/ipv6/ip6_output.c:215 [inline])
[<817677a8>] (ip6_finish_output2) from [<8176c774>] (ip6_finish_output+0x238/0x3a8 net/ipv6/ip6_output.c:226)
 r10:84f04e40 r9:00000000 r8:00010000 r7:00000000 r6:847a8000 r5:846d8840
 r4:83eb0980
[<8176c53c>] (ip6_finish_output) from [<8176c964>] (NF_HOOK_COND include/linux/netfilter.h:303 [inline])
[<8176c53c>] (ip6_finish_output) from [<8176c964>] (ip6_output+0x80/0x1e8 net/ipv6/ip6_output.c:247)
 r10:84f04e40 r9:00000000 r8:82fec000 r7:00000001 r6:846d8840 r5:847a8000
 r4:83eb0980
[<8176c8e4>] (ip6_output) from [<81768e78>] (dst_output include/net/dst.h:450 [inline])
[<8176c8e4>] (ip6_output) from [<81768e78>] (NF_HOOK include/linux/netfilter.h:314 [inline])
[<8176c8e4>] (ip6_output) from [<81768e78>] (NF_HOOK include/linux/netfilter.h:308 [inline])
[<8176c8e4>] (ip6_output) from [<81768e78>] (ip6_xmit+0x34c/0x7b8 net/ipv6/ip6_output.c:366)
 r9:847a8000 r8:eb505b88 r7:82e6b750 r6:846d8840 r5:00000001 r4:83eb0980
[<81768b2c>] (ip6_xmit) from [<817b70a4>] (inet6_csk_xmit+0xc8/0x124 net/ipv6/inet6_connection_sock.c:135)
 r10:00010000 r9:0000007b r8:83eb0998 r7:846d8fc0 r6:84f04e40 r5:83eb0980
 r4:846d8840
[<817b6fdc>] (inet6_csk_xmit) from [<8169c984>] (__tcp_transmit_skb+0x56c/0xd5c net/ipv4/tcp_output.c:1466)
 r7:00000020 r6:00000000 r5:83eb0980 r4:846d8840
[<8169c418>] (__tcp_transmit_skb) from [<8169eec0>] (tcp_transmit_skb net/ipv4/tcp_output.c:1484 [inline])
[<8169c418>] (__tcp_transmit_skb) from [<8169eec0>] (tcp_write_xmit+0x388/0x1848 net/ipv4/tcp_output.c:2827)
 r10:00008000 r9:00008000 r8:96d772d3 r7:846d8968 r6:00000000 r5:846d8840
 r4:83eb08c0
[<8169eb38>] (tcp_write_xmit) from [<816a03b8>] (__tcp_push_pending_frames+0x38/0x10c net/ipv4/tcp_output.c:3010)
 r10:000001b4 r9:84043000 r8:82caf610 r7:000001a2 r6:846d8968 r5:83eb08c0
 r4:846d8840
[<816a0380>] (__tcp_push_pending_frames) from [<816a1204>] (tcp_send_fin+0x64/0x248 net/ipv4/tcp_output.c:3616)
 r5:83eb08c0 r4:846d8840
[<816a11a0>] (tcp_send_fin) from [<81684070>] (tcp_shutdown net/ipv4/tcp.c:2994 [inline])
[<816a11a0>] (tcp_send_fin) from [<81684070>] (tcp_shutdown+0x54/0x58 net/ipv4/tcp.c:2979)
 r6:00000002 r5:00000089 r4:846d8840
[<8168401c>] (tcp_shutdown) from [<81964604>] (mptcp_subflow_shutdown+0xd8/0x1b8 net/mptcp/protocol.c:2928)
 r5:84e50000 r4:846d8840
[<8196452c>] (mptcp_subflow_shutdown) from [<8196479c>] (mptcp_check_send_data_fin+0xb8/0x17c net/mptcp/protocol.c:3018)
 r7:00000000 r6:84e50514 r5:84f7b200 r4:84e50000
[<819646e4>] (mptcp_check_send_data_fin) from [<819648b4>] (__mptcp_wr_shutdown+0x54/0xf0 net/mptcp/protocol.c:3034)
 r7:00000000 r6:84e50000 r5:00000000 r4:84e50000
[<81964860>] (__mptcp_wr_shutdown) from [<8196724c>] (__mptcp_close+0x2c0/0x2c8 net/mptcp/protocol.c:3114)
 r7:00000000 r6:84e50000 r5:00000000 r4:00000084
[<81966f8c>] (__mptcp_close) from [<8196727c>] (mptcp_close+0x28/0x94 net/mptcp/protocol.c:3168)
 r10:000001b4 r9:84043000 r8:82caf610 r7:00000000 r6:81c88930 r5:00000000
 r4:84e50000 r3:00000000
[<81967254>] (mptcp_close) from [<816cbb98>] (inet_release+0x54/0x8c net/ipv4/af_inet.c:435)
 r5:833cf180 r4:84e50000
[<816cbb44>] (inet_release) from [<81764bd8>] (inet6_release+0x34/0x40 net/ipv6/af_inet6.c:487)
 r5:84e50000 r4:833cf180
[<81764ba4>] (inet6_release) from [<81493fdc>] (__sock_release+0x44/0xbc net/socket.c:640)
 r5:833cf280 r4:833cf180
[<81493f98>] (__sock_release) from [<8149406c>] (sock_close+0x18/0x20 net/socket.c:1408)
 r7:833cf200 r6:833b2d48 r5:082e0003 r4:84f84300
[<81494054>] (sock_close) from [<8051f748>] (__fput+0xdc/0x2f0 fs/file_table.c:450)
[<8051f66c>] (__fput) from [<8051f9e4>] (____fput+0x14/0x18 fs/file_table.c:478)
 r9:84043000 r8:82875694 r7:84043000 r6:84043884 r5:84043854 r4:00000000
[<8051f9d0>] (____fput) from [<8026d41c>] (task_work_run+0x90/0xb8 kernel/task_work.c:239)
[<8026d38c>] (task_work_run) from [<8020be00>] (resume_user_mode_work include/linux/resume_user_mode.h:50 [inline])
[<8026d38c>] (task_work_run) from [<8020be00>] (do_work_pending+0x448/0x4f8 arch/arm/kernel/signal.c:631)
 r9:84043000 r8:8020029c r7:000001b4 r6:8020029c r5:eb505fb0 r4:84043000
[<8020b9b8>] (do_work_pending) from [<80200088>] (slow_work_pending+0xc/0x24)
Exception stack(0xeb505fb0 to 0xeb505ff8)
5fa0:                                     00000000 0000001e 00000000 7ed74938
5fc0: 00000000 00000000 00000000 000001b4 00270000 00270000 00087fb2 00000000
5fe0: 7ed74838 7ed74828 0002422c 00133450 20000010 00000003
 r10:000001b4 r9:84043000 r8:8020029c r7:000001b4 r6:00000000 r5:00000000
 r4:00000000
Code: e3482224 e59331ec e5922010 e0833002 (e5932008) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   @ Decoded from the "Code:" bytes of the oops: the four instructions that precede
   @ the faulting PC (selinux_ip_output+0x54) and the faulting load itself. The
   @ window starts mid-function, so register values set up earlier are not visible.
   @
   @ Set the upper 16 bits of r2 to 0x8224; the lower half comes from an instruction
   @ before this window. NOTE(review): presumably the address of a kernel global -
   @ confirm against security/selinux/hooks.c:5762.
   0:	e3482224 	movt	r2, #33316	@ 0x8224
   @ r3 = word at offset 0x1ec of the object r3 pointed to (the base pointer is
   @ overwritten here, so its value is not in the register dump).
   4:	e59331ec 	ldr	r3, [r3, #492]	@ 0x1ec
   @ r2 = word at offset 16 from the address built in r2 above.
   8:	e5922010 	ldr	r2, [r2, #16]
   @ r3 = loaded pointer + loaded offset. The dump reports r2 == 0 and r3 == 0 at the
   @ trap, so both loaded words were zero: the pointer read from offset 0x1ec was NULL.
   c:	e0833002 	add	r3, r3, r2
   @ Load from r3 + 8 with r3 == 0: matches the reported fault address 00000008.
   @ NOTE(review): the call trace reaches this hook through tcp_v6_timewait_ack ->
   @ tcp_v6_send_response -> ip6_xmit -> nf_hook_slow, in softirq context. When
   @ triaging, check whether the socket attached to the skb on that path actually
   @ carries the per-socket security data this code dereferences, and whether the
   @ hook needs a NULL check or a different socket lookup before this load.
* 10:	e5932008 	ldr	r2, [r3, #8] <-- trapping instruction