8<--- cut here ---
Unable to handle kernel NULL pointer dereference at virtual address 00000000 when write
[00000000] *pgd=8580
[00000000] *pgd=85806003, *pmd=df7d6003
Internal error: Oops: a05 [#1] SMP ARM
Modules linked in:
CPU: 1 UID: 0 PID: 13282 Comm: syz.6.2006 Not tainted syzkaller #0 PREEMPT 
Hardware name: ARM-Versatile Express
PC is at hlist_add_before_rcu include/linux/rculist.h:705 [inline]
PC is at __xfrm_state_insert+0x5d8/0x7bc net/xfrm/xfrm_state.c:1743
LR is at __list_add_valid include/linux/list.h:88 [inline]
LR is at __list_add include/linux/list.h:150 [inline]
LR is at list_add include/linux/list.h:169 [inline]
LR is at __xfrm_state_insert+0x34/0x7bc net/xfrm/xfrm_state.c:1725
pc : [<817fdb64>]    lr : [<817fd5c0>]    psr: 80000013
sp : dfbd5a10  ip : 84e7ffcc  fp : dfbd5a44
r10: 81e76510  r9 : 00000002  r8 : 858bf000
r7 : 83eb9224  r6 : 83c09224  r5 : 858be740  r4 : 83c09180
r3 : 83c09194  r2 : 83c09180  r1 : 00000000  r0 : 00000000
Flags: Nzcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
Control: 30c5387d  Table: 8608ca00  DAC: 00000000
Register r0 information: NULL pointer
Register r1 information: NULL pointer
Register r2 information: slab request_queue start 83c09180 pointer offset 0 size 640
Register r3 information: slab request_queue start 83c09180 pointer offset 20 size 640
Register r4 information: slab request_queue start 83c09180 pointer offset 0 size 640
Register r5 information: slab net_namespace start 858be740 pointer offset 0 size 3776
Register r6 information: slab request_queue start 83c09180 pointer offset 164 size 640
Register r7 information: slab request_queue start 83eb9180 pointer offset 164 size 640
Register r8 information: slab net_namespace start 858be740 pointer offset 2240 size 3776
Register r9 information: non-paged memory
Register r10 information: non-slab/vmalloc memory
Register r11 information: 2-page vmalloc region starting at 0xdfbd4000 allocated at kernel_clone+0xac/0x3ec kernel/fork.c:2605
Register r12 information: slab kmalloc-64 start 84e7ffc0 pointer offset 12 size 64
Process syz.6.2006 (pid: 13282, stack limit = 0xdfbd4000)
Stack: (0xdfbd5a10 to 0xdfbd6000)
5a00:                                     82c28944 858bf280 83c09180 858bf280
5a20: 83c09180 858bf280 83c09180 00000000 83c09180 83c091b4 dfbd5a5c dfbd5a48
5a40: 817fdd74 817fd598 83a05b80 00000001 dfbd5a8c dfbd5a60 817c8144 817fdd54
5a60: 00000004 00000002 817c7f94 83a05b80 00000001 82c2894c 00000002 8243f0d4
5a80: dfbd5acc dfbd5a90 817fa168 817c7fa0 dfbd5c40 81e77658 82c28944 dfbd5c40
5aa0: 857d48f0 857d4800 83a05b80 dfbd5b64 dfbd5c40 858be740 85b99b00 8227844c
5ac0: dfbd5b24 dfbd5ad0 8180e744 817f9eb0 857a0c00 00000000 857d48f0 857d48f4
5ae0: 00000000 00000000 00000000 00000000 00000000 14a88ac5 8097708c 857d4800
5b00: 85ebfe40 8180de58 81e77b58 00000000 00000010 00000000 dfbd5c3c dfbd5b28
5b20: 8180ae30 8180de64 81e77d24 00000000 dfbd5c40 ddebe9d0 81e77d24 dfbd5c40
5b40: dfbd5b74 dfbd5b50 857d4800 ddde64f8 ddebe9d0 40000013 dfbd5b74 dfbd5b68
5b60: 81a3b358 00000000 00000000 00000000 857d48f0 00000000 00000000 00000000
5b80: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
5ba0: 00000000 00000000 00000000 00000000 00000000 00000000 857d4938 00000000
5bc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
5be0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
5c00: 00000000 00000000 00000000 14a88ac5 00400000 85ebfe40 8180acf8 857d4800
5c20: 00000144 858be740 00000000 00000000 dfbd5ccc dfbd5c40 81672a9c 8180ad04
5c40: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
5c60: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
5c80: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
5ca0: 00000000 00000000 00000000 14a88ac5 858bf290 85ebfe40 84e7fd80 85ebfe40
5cc0: dfbd5ce4 dfbd5cd0 818097e4 816729e8 85a4ec00 00000144 dfbd5d1c dfbd5ce8
5ce0: 81672268 818097bc 857d7800 7fffffff 00000000 14a88ac5 dfbd5f20 85ebfe40
5d00: 00000144 857d7800 00000000 00000000 dfbd5d84 dfbd5d20 81672550 81672084
5d20: 00000000 00000000 00000000 14a88ac5 00000000 00000144 85f5b800 00000000
5d40: 000001f3 00000000 00000000 00000000 80794fc8 14a88ac5 dfbd5d84 00000000
5d60: dfbd5f20 8513db80 00000000 dfbd5dc4 dfbd5dc4 00000000 dfbd5da4 dfbd5d88
5d80: 815440d8 81672390 dfbd5f20 00000010 8513db80 00000000 dfbd5e14 dfbd5da8
5da0: 81545430 815440a0 dfbd5e20 dfbd5f30 00000000 00000000 dfbd5e14 00000000
5dc0: 81547304 00000000 00000000 00000000 00000000 00000000 00000000 00000000
5de0: 00000000 14a88ac5 00008801 00000000 dfbd5f20 8513db80 00000000 00000010
5e00: 20000040 dfbd5e24 dfbd5f14 dfbd5e18 815473f8 815451a4 00000000 857a0c00
5e20: 00000000 20000780 00000144 00000000 00000000 00000000 00000000 00000000
5e40: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
5e60: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
5e80: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
5ea0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
5ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
5ee0: 00000000 14a88ac5 00000000 00000007 86b36780 20000040 00000010 86b36780
5f00: 857a0c00 00000128 dfbd5f94 dfbd5f18 81547890 81547368 00000000 00000000
5f20: 00000000 00000000 00000000 00000000 00010000 00000144 20000780 00000000
5f40: 00000001 00000000 00000000 00000001 00000010 00000000 00000000 00000000
5f60: 00000000 00000000 ecac8b10 14a88ac5 00000000 00000000 00000000 00306448
5f80: 00000128 8020029c dfbd5fa4 dfbd5f98 815478f8 81547810 00000000 dfbd5fa8
5fa0: 80200060 815478f0 00000000 00000000 00000007 20000040 00000010 00000000
5fc0: 00000000 00000000 00306448 00000128 002f0000 00000000 00006364 76eda0bc
5fe0: 76ed9ec0 76ed9eb0 0001948c 001322a0 60000010 00000007 00000000 00000000
Call trace: 
[<817fd58c>] (__xfrm_state_insert) from [<817fdd74>] (xfrm_state_insert+0x2c/0x38 net/xfrm/xfrm_state.c:1795)
 r8:83c091b4 r7:83c09180 r6:00000000 r5:83c09180 r4:858bf280
[<817fdd48>] (xfrm_state_insert) from [<817c8144>] (ipcomp_tunnel_attach net/ipv4/ipcomp.c:113 [inline])
[<817fdd48>] (xfrm_state_insert) from [<817c8144>] (ipcomp4_init_state net/ipv4/ipcomp.c:144 [inline])
[<817fdd48>] (xfrm_state_insert) from [<817c8144>] (ipcomp4_init_state+0x1b0/0x26c net/ipv4/ipcomp.c:122)
 r5:00000001 r4:83a05b80
[<817c7f94>] (ipcomp4_init_state) from [<817fa168>] (__xfrm_init_state+0x2c4/0x550 net/xfrm/xfrm_state.c:3188)
 r9:8243f0d4 r8:00000002 r7:82c2894c r6:00000001 r5:83a05b80 r4:817c7f94
[<817f9ea4>] (__xfrm_init_state) from [<8180e744>] (xfrm_state_construct net/xfrm/xfrm_user.c:954 [inline])
[<817f9ea4>] (__xfrm_init_state) from [<8180e744>] (xfrm_add_sa+0x8ec/0x171c net/xfrm/xfrm_user.c:1019)
 r10:8227844c r9:85b99b00 r8:858be740 r7:dfbd5c40 r6:dfbd5b64 r5:83a05b80
 r4:857d4800
[<8180de58>] (xfrm_add_sa) from [<8180ae30>] (xfrm_user_rcv_msg+0x138/0x2d0 net/xfrm/xfrm_user.c:3501)
 r10:00000000 r9:00000010 r8:00000000 r7:81e77b58 r6:8180de58 r5:85ebfe40
 r4:857d4800
[<8180acf8>] (xfrm_user_rcv_msg) from [<81672a9c>] (netlink_rcv_skb+0xc0/0x120 net/netlink/af_netlink.c:2552)
 r10:00000000 r9:00000000 r8:858be740 r7:00000144 r6:857d4800 r5:8180acf8
 r4:85ebfe40
[<816729dc>] (netlink_rcv_skb) from [<818097e4>] (xfrm_netlink_rcv+0x34/0x40 net/xfrm/xfrm_user.c:3523)
 r7:85ebfe40 r6:84e7fd80 r5:85ebfe40 r4:858bf290
[<818097b0>] (xfrm_netlink_rcv) from [<81672268>] (netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline])
[<818097b0>] (xfrm_netlink_rcv) from [<81672268>] (netlink_unicast+0x1f0/0x30c net/netlink/af_netlink.c:1346)
 r5:00000144 r4:85a4ec00
[<81672078>] (netlink_unicast) from [<81672550>] (netlink_sendmsg+0x1cc/0x444 net/netlink/af_netlink.c:1896)
 r9:00000000 r8:00000000 r7:857d7800 r6:00000144 r5:85ebfe40 r4:dfbd5f20
[<81672384>] (netlink_sendmsg) from [<815440d8>] (sock_sendmsg_nosec net/socket.c:714 [inline])
[<81672384>] (netlink_sendmsg) from [<815440d8>] (__sock_sendmsg+0x44/0x78 net/socket.c:729)
 r10:00000000 r9:dfbd5dc4 r8:dfbd5dc4 r7:00000000 r6:8513db80 r5:dfbd5f20
 r4:00000000
[<81544094>] (__sock_sendmsg) from [<81545430>] (____sys_sendmsg+0x298/0x2cc net/socket.c:2614)
 r7:00000000 r6:8513db80 r5:00000010 r4:dfbd5f20
[<81545198>] (____sys_sendmsg) from [<815473f8>] (___sys_sendmsg+0x9c/0xd0 net/socket.c:2668)
 r10:dfbd5e24 r9:20000040 r8:00000010 r7:00000000 r6:8513db80 r5:dfbd5f20
 r4:00000000
[<8154735c>] (___sys_sendmsg) from [<81547890>] (__sys_sendmsg+0x8c/0xe0 net/socket.c:2700)
 r10:00000128 r9:857a0c00 r8:86b36780 r7:00000010 r6:20000040 r5:86b36780
 r4:00000007
[<81547804>] (__sys_sendmsg) from [<815478f8>] (__do_sys_sendmsg net/socket.c:2705 [inline])
[<81547804>] (__sys_sendmsg) from [<815478f8>] (sys_sendmsg+0x14/0x18 net/socket.c:2703)
 r8:8020029c r7:00000128 r6:00306448 r5:00000000 r4:00000000
[<815478e4>] (sys_sendmsg) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:67)
Exception stack(0xdfbd5fa8 to 0xdfbd5ff0)
5fa0:                   00000000 00000000 00000007 20000040 00000010 00000000
5fc0: 00000000 00000000 00306448 00000128 002f0000 00000000 00006364 76eda0bc
5fe0: 76ed9ec0 76ed9eb0 0001948c 001322a0
Code: e5840018 e5841014 f57ff05b e5941018 (e5813000) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	e5840018 	str	r0, [r4, #24]
   4:	e5841014 	str	r1, [r4, #20]
   8:	f57ff05b 	dmb	ish
   c:	e5941018 	ldr	r1, [r4, #24]
* 10:	e5813000 	str	r3, [r1] <-- trapping instruction