general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 0 PID: 13052 Comm: syz-executor.3 Not tainted 5.18.0-rc4-syzkaller-00196-ga9384a4c1d25 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:ip6_pol_route+0x12b/0x1190 net/ipv6/route.c:2213 Code: df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 a9 0e 00 00 4c 8b bd f8 09 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e a0 0a 00 00 45 8b 3f 31 ff 44 RSP: 0018:ffffc90000007408 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: ffffc90000007988 RCX: ffffffff88097c41 RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff888076c889f8 RBP: ffff888076c88000 R08: 0000000000000000 R09: 0000000000000085 R10: ffffffff8809713d R11: 0000000000000000 R12: 0000000000000080 R13: 000000000000001e R14: 0000000000000001 R15: 0000000000000000 FS: 00007f11d4b67700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000002000c038 CR3: 000000004c002000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: pol_lookup_func include/net/ip6_fib.h:582 [inline] fib6_rule_lookup+0x111/0x6f0 net/ipv6/fib6_rules.c:116 ip6_route_output_flags_noref+0x2e2/0x380 net/ipv6/route.c:2625 ip6_route_output_flags+0x72/0x320 net/ipv6/route.c:2638 ip6_dst_lookup_tail+0xa0b/0x1610 net/ipv6/ip6_output.c:1097 ip6_dst_lookup_flow+0x8c/0x1d0 net/ipv6/ip6_output.c:1200 inet6_csk_route_socket+0x8d1/0xf90 net/ipv6/inet6_connection_sock.c:106 inet6_csk_xmit+0x128/0x6c0 net/ipv6/inet6_connection_sock.c:121 __tcp_transmit_skb+0x190e/0x38b0 net/ipv4/tcp_output.c:1403 tcp_transmit_skb net/ipv4/tcp_output.c:1421 [inline] tcp_xmit_probe_skb+0x28c/0x320 net/ipv4/tcp_output.c:4010 tcp_write_wakeup+0x1bd/0x610 net/ipv4/tcp_output.c:4063 tcp_send_probe0+0x44/0x560 net/ipv4/tcp_output.c:4078 tcp_probe_timer net/ipv4/tcp_timer.c:398 [inline] tcp_write_timer_handler+0x9ed/0xbc0 net/ipv4/tcp_timer.c:626 tcp_write_timer+0xa2/0x2b0 net/ipv4/tcp_timer.c:642 call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1421 expire_timers kernel/time/timer.c:1466 [inline] __run_timers.part.0+0x679/0xa80 kernel/time/timer.c:1737 __run_timers kernel/time/timer.c:1715 [inline] run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1750 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558 invoke_softirq kernel/softirq.c:432 [inline] __irq_exit_rcu+0x123/0x180 kernel/softirq.c:637 irq_exit_rcu+0x5/0x20 kernel/softirq.c:649 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:645 RIP: 0010:preempt_count arch/x86/include/asm/preempt.h:27 [inline] RIP: 0010:check_kcov_mode kernel/kcov.c:166 [inline] RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x60 kernel/kcov.c:200 Code: 48 89 ef 5d e9 e1 ee 4a 00 5d be 03 00 00 00 e9 b6 48 7e 02 66 0f 1f 44 00 00 48 8b be a8 01 00 00 e8 b4 ff ff ff 31 c0 c3 90 <65> 8b 05 69 3f 89 7e 89 c1 48 8b 34 24 81 e1 00 01 00 00 65 48 8b RSP: 0018:ffffc90006177128 EFLAGS: 00000246 RAX: 0000000000000000 RBX: ffff88805b0be800 RCX: ffffc9000a721000 RDX: 0000000000040000 RSI: ffffffff88073c88 RDI: 0000000000000003 RBP: dffffc0000000000 R08: 0000000000000000 R09: 0000000000000001 R10: ffffffff88073bd9 R11: 0000000000000000 R12: ffff88805b0be800 R13: ffff88801f5b0000 R14: ffff88805b0be800 R15: 0000000000000000 fib6_table_lookup+0x2cf/0x9c0 net/ipv6/route.c:2187 ip6_pol_route+0x1c5/0x1190 net/ipv6/route.c:2218 pol_lookup_func include/net/ip6_fib.h:582 [inline] fib6_rule_lookup+0x111/0x6f0 net/ipv6/fib6_rules.c:116 ip6_route_output_flags_noref+0x2e2/0x380 net/ipv6/route.c:2625 ip6_route_output_flags+0x72/0x320 net/ipv6/route.c:2638 ip6_dst_lookup_tail+0xa0b/0x1610 net/ipv6/ip6_output.c:1097 ip6_dst_lookup_flow+0x8c/0x1d0 net/ipv6/ip6_output.c:1200 rawv6_sendmsg+0xc8c/0x3ab0 net/ipv6/raw.c:928 inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:819 sock_sendmsg_nosec net/socket.c:705 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:725 ____sys_sendmsg+0x32b/0x800 net/socket.c:2413 ___sys_sendmsg+0xf3/0x170 net/socket.c:2467 __sys_sendmmsg+0x195/0x470 net/socket.c:2553 __do_sys_sendmmsg net/socket.c:2582 [inline] __se_sys_sendmmsg net/socket.c:2579 [inline] __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2579 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f11d3a890e9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f11d4b67168 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 RAX: ffffffffffffffda RBX: 00007f11d3b9bf60 RCX: 00007f11d3a890e9 RDX: 03fffffffffffe9f RSI: 00000000200092c0 RDI: 0000000000000004 RBP: 00007f11d3ae308d R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fffdb2ed88f R14: 00007f11d4b67300 R15: 0000000000022000 Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:ip6_pol_route+0x12b/0x1190 net/ipv6/route.c:2213 Code: df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 a9 0e 00 00 4c 8b bd f8 09 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e a0 0a 00 00 45 8b 3f 31 ff 44 RSP: 0018:ffffc90000007408 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: ffffc90000007988 RCX: ffffffff88097c41 RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff888076c889f8 RBP: ffff888076c88000 R08: 0000000000000000 R09: 0000000000000085 R10: ffffffff8809713d R11: 0000000000000000 R12: 0000000000000080 R13: 000000000000001e R14: 0000000000000001 R15: 0000000000000000 FS: 00007f11d4b67700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000002000c038 CR3: 000000004c002000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 ---------------- Code disassembly (best guess): 0: df 48 89 fisttps -0x77(%rax) 3: fa cli 4: 48 c1 ea 03 shr $0x3,%rdx 8: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) c: 0f 85 a9 0e 00 00 jne 0xebb 12: 4c 8b bd f8 09 00 00 mov 0x9f8(%rbp),%r15 19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax 20: fc ff df 23: 4c 89 fa mov %r15,%rdx 26: 48 c1 ea 03 shr $0x3,%rdx * 2a: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax <-- trapping instruction 2e: 84 c0 test %al,%al 30: 74 08 je 0x3a 32: 3c 03 cmp $0x3,%al 34: 0f 8e a0 0a 00 00 jle 0xada 3a: 45 8b 3f mov (%r15),%r15d 3d: 31 ff xor %edi,%edi 3f: 44 rex.R