8<--- cut here ---
Unable to handle kernel NULL pointer dereference at virtual address 00000001 when read
[00000001] *pgd=85315003, *pmd=fe587003
Internal error: Oops: 205 [#1] PREEMPT SMP ARM
Modules linked in:
CPU: 1 PID: 4688 Comm: syz.1.107 Not tainted 6.10.0-syzkaller #0
Hardware name: ARM-Versatile Express
PC is at __cpu_map_flush+0x18/0x54 kernel/bpf/cpumap.c:766
LR is at xdp_do_check_flushed+0xc4/0x1f0 net/core/filter.c:4304
pc : [<803f8b88>]    lr : [<81442060>]    psr: a0000013
sp : df805e30  ip : df805e50  fp : df805e4c
r10: ddde4f80  r9 : ddde51c0  r8 : df805ed0
r7 : df805ecb  r6 : eb7fdc70  r5 : ddde5070  r4 : 00000001
r3 : 8024b544  r2 : 00000001  r1 : 00000004  r0 : eb7fdc70
Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
Control: 30c5387d  Table: 853f5bc0  DAC: 00000000
Register r0 information: 2-page vmalloc region starting at 0xeb7fc000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2780
Register r1 information: non-paged memory
Register r2 information: non-paged memory
Register r3 information: non-slab/vmalloc memory
Register r4 information: non-paged memory
Register r5 information: non-slab/vmalloc memory
Register r6 information: 2-page vmalloc region starting at 0xeb7fc000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2780
Register r7 information: 2-page vmalloc region starting at 0xdf804000 allocated at start_kernel+0x5d0/0x778 init/main.c:1006
Register r8 information: 2-page vmalloc region starting at 0xdf804000 allocated at start_kernel+0x5d0/0x778 init/main.c:1006
Register r9 information: non-slab/vmalloc memory
Register r10 information: non-slab/vmalloc memory
Register r11 information: 2-page vmalloc region starting at 0xdf804000 allocated at start_kernel+0x5d0/0x778 init/main.c:1006
Register r12 information: 2-page vmalloc region starting at 0xdf804000 allocated at start_kernel+0x5d0/0x778 init/main.c:1006
Process syz.1.107 (pid: 4688, stack limit = 0xeb7fc000)
Stack: (0xdf805e30 to 0xdf806000)
5e20:                                              eb7fdc80 ddde5070 eb7fdc70
df805ecb
5e40: df805e74 df805e50 81442060 803f8b7c ddde5070 00000040 df805ecb 00000001
5e60: ddde5070 00000040 df805ea4 df805e78 8140f8d8 81441fa8 824b5f80 82606000
5e80: 00000000 ddde5070 ffffc545 0000012c df805ed0 ddde51c0 df805f64 df805ea8
5ea0: 81410100 8140f8a0 849ea400 83ed0c00 00000000 ffffc545 00010180 5b92f000
5ec0: 824b5f80 82604d40 00903d58 819050d0 df805ed0 df805ed0 df805ed8 df805ed8
5ee0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
5f00: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
5f20: 00000000 00000000 00000000 00000000 8029d0e8 92102805 8260408c 8260408c
5f40: 00000004 00000003 00400140 00000101 849ea400 00000008 df805fdc df805f68
5f60: 8024afd4 8140fdd4 ddde1708 824b2710 824b2718 00400140 82604d40 ffffc544
5f80: 821b96a0 00000000 824b4c40 0000000a 827f0148 8260c5d0 821a69b4 824aa3f8
5fa0: df805f68 82604080 df805fc4 df805fb8 8190474c 60000013 00000001 00000000
5fc0: eb7fde58 84b9b2cc 84b9b128 00000000 df805fec df805fe0 802012d0 8024ae84
5fe0: df805ffc df805ff0 80208800 802012c8 eb7fddbc df806000 818b55e4 802087fc
Call trace:
frame pointer underflow
[<803f8b70>] (__cpu_map_flush) from [<81442060>] (xdp_do_check_flushed+0xc4/0x1f0 net/core/filter.c:4304)
 r7:df805ecb r6:eb7fdc70 r5:ddde5070 r4:eb7fdc80
[<81441f9c>] (xdp_do_check_flushed) from [<8140f8d8>] (__napi_poll+0x44/0x240 net/core/dev.c:6774)
 r6:00000040 r5:ddde5070 r4:00000001
[<8140f894>] (__napi_poll) from [<81410100>] (napi_poll net/core/dev.c:6840 [inline])
[<8140f894>] (__napi_poll) from [<81410100>] (net_rx_action+0x338/0x420 net/core/dev.c:6962)
 r9:ddde51c0 r8:df805ed0 r7:0000012c r6:ffffc545 r5:ddde5070 r4:00000000
[<8140fdc8>] (net_rx_action) from [<8024afd4>] (handle_softirqs+0x15c/0x468 kernel/softirq.c:554)
 r10:00000008 r9:849ea400 r8:00000101 r7:00400140 r6:00000003 r5:00000004 r4:8260408c
[<8024ae78>] (handle_softirqs) from [<802012d0>] (__do_softirq+0x14/0x18 kernel/softirq.c:588)
 r10:00000000 r9:84b9b128 r8:84b9b2cc
 r7:eb7fde58 r6:00000000 r5:00000001 r4:60000013
[<802012bc>] (__do_softirq) from [<80208800>] (____do_softirq+0x10/0x14 arch/arm/kernel/irq.c:77)
[<802087f0>] (____do_softirq) from [<818b55e4>] (call_with_stack+0x1c/0x20 arch/arm/lib/call_with_stack.S:40)
[<818b55c8>] (call_with_stack) from [<8020883c>] (do_softirq_own_stack+0x38/0x3c arch/arm/kernel/irq.c:82)
[<80208804>] (do_softirq_own_stack) from [<8024b4ec>] (do_softirq kernel/softirq.c:455 [inline])
[<80208804>] (do_softirq_own_stack) from [<8024b4ec>] (do_softirq+0x5c/0x64 kernel/softirq.c:442)
[<8024b490>] (do_softirq) from [<8024b5c0>] (__local_bh_enable_ip+0xcc/0xd0 kernel/softirq.c:382)
 r5:00000001 r4:849ea400
[<8024b4f4>] (__local_bh_enable_ip) from [<80c4d354>] (local_bh_enable include/linux/bottom_half.h:33 [inline])
[<8024b4f4>] (__local_bh_enable_ip) from [<80c4d354>] (tun_rx_batched drivers/net/tun.c:1550 [inline])
[<8024b4f4>] (__local_bh_enable_ip) from [<80c4d354>] (tun_get_user+0xdbc/0x1048 drivers/net/tun.c:2006)
 r5:8460d780 r4:836de680
[<80c4c598>] (tun_get_user) from [<80c4de60>] (tun_chr_write_iter+0x60/0xc8 drivers/net/tun.c:2052)
 r10:81b6d62c r9:20000240 r8:84b9b000 r7:836de680 r6:00000000 r5:eb7fdef0 r4:eb7fdf08
[<80c4de00>] (tun_chr_write_iter) from [<80501a08>] (new_sync_write fs/read_write.c:497 [inline])
[<80c4de00>] (tun_chr_write_iter) from [<80501a08>] (vfs_write+0x274/0x44c fs/read_write.c:590)
 r8:eb7fdf68 r7:849ea400 r6:00000036 r5:845c6240 r4:80c4de00
[<80501794>] (vfs_write) from [<80501d64>] (ksys_write+0x78/0xf8 fs/read_write.c:643)
 r10:00000004 r9:849ea400 r8:8020029c r7:00000000 r6:0000006e r5:845c6240 r4:845c6241
[<80501cec>] (ksys_write) from [<80501df4>] (__do_sys_write fs/read_write.c:655 [inline])
[<80501cec>] (ksys_write) from [<80501df4>] (sys_write+0x10/0x14 fs/read_write.c:652)
 r7:00000004 r6:000000c8 r5:20000240 r4:00000036
[<80501de4>] (sys_write) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:67)
Exception stack(0xeb7fdfa8 to 0xeb7fdff0)
dfa0:                   00000036 20000240 000000c8 20000240 00000036 00000000
dfc0: 00000036 20000240 000000c8 00000004 7ebdf766 7ebdf767 003d0f00 76b310bc
dfe0: 00000158 76b30eb0 000d5c70 0012e68c
Code: e24cb004 e5904000 e1a06000 e1500004 (e4145020)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:   e24cb004    sub     fp, ip, #4
   4:   e5904000    ldr     r4, [r0]
   8:   e1a06000    mov     r6, r0
   c:   e1500004    cmp     r0, r4
* 10:   e4145020    ldr     r5, [r4], #-32  @ 0xffffffe0 <-- trapping instruction