Oops: general protection fault, probably for non-canonical address 0xdffffc0000000038: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x00000000000001c0-0x00000000000001c7]
CPU: 2 PID: 7889 Comm: syz-executor.3 Not tainted 6.9.0-syzkaller-09699-geb6a9339efeb #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:rt6_get_pcpu_route net/ipv6/route.c:1407 [inline]
RIP: 0010:ip6_pol_route+0x3bc/0x1150 net/ipv6/route.c:2262
Code: f8 48 85 ed 0f 84 52 03 00 00 e8 1f 9e 06 f8 48 8d bd 98 00 00 00 49 89 ec 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e a3 08 00 00 8b 85 98 00 00 00
RSP: 0018:ffffc90002b26ab8 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff888028c31cc0 RCX: ffffc9000347b000
RDX: 0000000000000038 RSI: ffffffff8987e2b1 RDI: 00000000000001c3
RBP: 000000000000012b R08: 0000000000000007 R09: 0000000000000000
R10: 000000000000012b R11: 0000000000000002 R12: 000000000000012b
R13: 1ffff92000564d5b R14: 0000000000000080 R15: ffffc90002b26b38
FS:  0000000000000000(0000) GS:ffff88802c200000(0063) knlGS:00000000f5f01b40
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 000000002005ffe4 CR3: 000000006d846000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 pol_lookup_func include/net/ip6_fib.h:616 [inline]
 fib6_rule_lookup+0x24c/0x720 net/ipv6/fib6_rules.c:116
 ip6_route_output_flags_noref net/ipv6/route.c:2637 [inline]
 ip6_route_output_flags+0x1d0/0x640 net/ipv6/route.c:2649
 ip6_route_output include/net/ip6_route.h:93 [inline]
 ip6_dst_lookup_tail.constprop.0+0x573/0x1760 net/ipv6/ip6_output.c:1120
 ip6_dst_lookup_flow+0x99/0x1d0 net/ipv6/ip6_output.c:1250
 sctp_v6_get_dst+0x6a7/0x2070 net/sctp/ipv6.c:326
 sctp_transport_route+0x12e/0x350 net/sctp/transport.c:455
 sctp_assoc_add_peer+0x743/0x14b0 net/sctp/associola.c:662
 sctp_process_param net/sctp/sm_make_chunk.c:2576 [inline]
 sctp_process_init+0x2733/0x2d60 net/sctp/sm_make_chunk.c:2396
 sctp_sf_do_unexpected_init.isra.0+0x96f/0x16e0 net/sctp/sm_statefuns.c:1612
 sctp_do_sm+0x17f/0x5c90 net/sctp/sm_sideeffect.c:1166
 sctp_assoc_bh_rcv+0x392/0x6f0 net/sctp/associola.c:1051
 sctp_inq_push+0x1d8/0x270 net/sctp/inqueue.c:88
 sctp_backlog_rcv+0x169/0x590 net/sctp/input.c:331
 sk_backlog_rcv include/net/sock.h:1106 [inline]
 __release_sock+0x35f/0x400 net/core/sock.c:2983
 release_sock+0x5a/0x220 net/core/sock.c:3549
 sctp_wait_for_connect+0x1c6/0x5c0 net/sctp/socket.c:9345
 sctp_sendmsg_to_asoc+0x1765/0x1ad0 net/sctp/socket.c:1885
 sctp_sendmsg+0x129c/0x1f10 net/sctp/socket.c:2031
 inet_sendmsg+0x119/0x140 net/ipv4/af_inet.c:851
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg net/socket.c:745 [inline]
 __sys_sendto+0x42c/0x4e0 net/socket.c:2192
 __do_sys_sendto net/socket.c:2204 [inline]
 __se_sys_sendto net/socket.c:2200 [inline]
 __ia32_sys_sendto+0xdd/0x1b0 net/socket.c:2200
 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]
 __do_fast_syscall_32+0x75/0x120 arch/x86/entry/common.c:386
 do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411
 entry_SYSENTER_compat_after_hwframe+0x84/0x8e
RIP: 0023:0xf730f579
Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
RSP: 002b:00000000f5f015ac EFLAGS: 00000292 ORIG_RAX: 0000000000000171
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020847fff
RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000002005ffe4
RBP: 000000000000001c R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:rt6_get_pcpu_route net/ipv6/route.c:1407 [inline]
RIP: 0010:ip6_pol_route+0x3bc/0x1150 net/ipv6/route.c:2262
Code: f8 48 85 ed 0f 84 52 03 00 00 e8 1f 9e 06 f8 48 8d bd 98 00 00 00 49 89 ec 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e a3 08 00 00 8b 85 98 00 00 00
RSP: 0018:ffffc90002b26ab8 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff888028c31cc0 RCX: ffffc9000347b000
RDX: 0000000000000038 RSI: ffffffff8987e2b1 RDI: 00000000000001c3
RBP: 000000000000012b R08: 0000000000000007 R09: 0000000000000000
R10: 000000000000012b R11: 0000000000000002 R12: 000000000000012b
R13: 1ffff92000564d5b R14: 0000000000000080 R15: ffffc90002b26b38
FS:  0000000000000000(0000) GS:ffff88802c200000(0063) knlGS:00000000f5f01b40
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 000000002005ffe4 CR3: 000000006d846000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	f8                   	clc
   1:	48 85 ed             	test   %rbp,%rbp
   4:	0f 84 52 03 00 00    	je     0x35c
   a:	e8 1f 9e 06 f8       	call   0xf8069e2e
   f:	48 8d bd 98 00 00 00 	lea    0x98(%rbp),%rdi
  16:	49 89 ec             	mov    %rbp,%r12
  19:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  20:	fc ff df
  23:	48 89 fa             	mov    %rdi,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	0f b6 04 02          	movzbl (%rdx,%rax,1),%eax <-- trapping instruction
  2e:	84 c0                	test   %al,%al
  30:	74 08                	je     0x3a
  32:	3c 03                	cmp    $0x3,%al
  34:	0f 8e a3 08 00 00    	jle    0x8dd
  3a:	8b 85 98 00 00 00    	mov    0x98(%rbp),%eax