general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 0 PID: 14975 Comm: kworker/u4:58 Not tainted 5.15.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: netns cleanup_net RIP: 0010:rb_set_parent_color include/linux/rbtree_augmented.h:165 [inline] RIP: 0010:____rb_erase_color lib/rbtree.c:255 [inline] RIP: 0010:rb_erase+0x494/0x1210 lib/rbtree.c:445 Code: ef 48 89 14 24 e8 ec 51 c9 fd 48 8b 14 24 e9 f2 fe ff ff 4c 89 e8 49 89 ee 4c 89 6d 08 48 c1 e8 03 49 89 6c 24 10 49 83 ce 01 <80> 3c 18 00 0f 85 b9 09 00 00 48 89 e8 4d 89 75 00 48 c1 e8 03 80 RSP: 0018:ffffc9001fa87770 EFLAGS: 00010286 RAX: 0000000000000000 RBX: dffffc0000000000 RCX: 0000000000000000 RDX: ffffed100e24a78a RSI: ffff8880001021b0 RDI: ffff8880001020e0 RBP: ffff888000102170 R08: 0000000000000001 R09: 0000000000000003 R10: fffff52003f50eea R11: 0000000000000000 R12: ffff8880001020d0 R13: 0000000000000000 R14: ffff888000102171 R15: ffff888071253c50 FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020007038 CR3: 00000000351b5000 CR4: 0000000000350ef0 Call Trace: erase_entry fs/proc/proc_sysctl.c:180 [inline] erase_header fs/proc/proc_sysctl.c:209 [inline] start_unregistering fs/proc/proc_sysctl.c:300 [inline] drop_sysctl_table+0x233/0x4e0 fs/proc/proc_sysctl.c:1643 unregister_sysctl_table fs/proc/proc_sysctl.c:1685 [inline] unregister_sysctl_table+0xc0/0x190 fs/proc/proc_sysctl.c:1660 neigh_sysctl_unregister+0x5b/0x80 net/core/neighbour.c:3810 devinet_sysctl_unregister net/ipv4/devinet.c:2633 [inline] inetdev_destroy net/ipv4/devinet.c:326 [inline] inetdev_event+0xd01/0x15d0 net/ipv4/devinet.c:1600 notifier_call_chain+0xb5/0x200 kernel/notifier.c:83 call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:2002 call_netdevice_notifiers_extack net/core/dev.c:2014 [inline] call_netdevice_notifiers net/core/dev.c:2028 [inline] unregister_netdevice_many+0x94f/0x1790 net/core/dev.c:11074 ip6gre_exit_batch_net+0x4a7/0x760 net/ipv6/ip6_gre.c:1629 ops_exit_list+0x10d/0x160 net/core/net_namespace.c:171 cleanup_net+0x4ea/0xb00 net/core/net_namespace.c:593 process_one_work+0x9b2/0x1690 kernel/workqueue.c:2298 worker_thread+0x658/0x11f0 kernel/workqueue.c:2445 kthread+0x405/0x4f0 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 Modules linked in: ---[ end trace 18698554b7ccaf00 ]--- RIP: 0010:rb_set_parent_color include/linux/rbtree_augmented.h:165 [inline] RIP: 0010:____rb_erase_color lib/rbtree.c:255 [inline] RIP: 0010:rb_erase+0x494/0x1210 lib/rbtree.c:445 Code: ef 48 89 14 24 e8 ec 51 c9 fd 48 8b 14 24 e9 f2 fe ff ff 4c 89 e8 49 89 ee 4c 89 6d 08 48 c1 e8 03 49 89 6c 24 10 49 83 ce 01 <80> 3c 18 00 0f 85 b9 09 00 00 48 89 e8 4d 89 75 00 48 c1 e8 03 80 RSP: 0018:ffffc9001fa87770 EFLAGS: 00010286 RAX: 0000000000000000 RBX: dffffc0000000000 RCX: 0000000000000000 RDX: ffffed100e24a78a RSI: ffff8880001021b0 RDI: ffff8880001020e0 RBP: ffff888000102170 R08: 0000000000000001 R09: 0000000000000003 R10: fffff52003f50eea R11: 0000000000000000 R12: ffff8880001020d0 R13: 0000000000000000 R14: ffff888000102171 R15: ffff888071253c50 FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020007038 CR3: 00000000351b5000 CR4: 0000000000350ef0 ---------------- Code disassembly (best guess): 0: ef out %eax,(%dx) 1: 48 89 14 24 mov %rdx,(%rsp) 5: e8 ec 51 c9 fd callq 0xfdc951f6 a: 48 8b 14 24 mov (%rsp),%rdx e: e9 f2 fe ff ff jmpq 0xffffff05 13: 4c 89 e8 mov %r13,%rax 16: 49 89 ee mov %rbp,%r14 19: 4c 89 6d 08 mov %r13,0x8(%rbp) 1d: 48 c1 e8 03 shr $0x3,%rax 21: 49 89 6c 24 10 mov %rbp,0x10(%r12) 26: 49 83 ce 01 or $0x1,%r14 * 2a: 80 3c 18 00 cmpb $0x0,(%rax,%rbx,1) <-- trapping instruction 2e: 0f 85 b9 09 00 00 jne 0x9ed 34: 48 89 e8 mov %rbp,%rax 37: 4d 89 75 00 mov %r14,0x0(%r13) 3b: 48 c1 e8 03 shr $0x3,%rax 3f: 80 .byte 0x80