==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: null-ptr-deref in atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:116 [inline]
BUG: KASAN: null-ptr-deref in __refcount_add include/linux/refcount.h:193 [inline]
BUG: KASAN: null-ptr-deref in __refcount_inc include/linux/refcount.h:250 [inline]
BUG: KASAN: null-ptr-deref in refcount_inc include/linux/refcount.h:267 [inline]
BUG: KASAN: null-ptr-deref in sctp_chunk_hold+0x26/0xb4 net/sctp/sm_make_chunk.c:1523
Write of size 4 at addr 0000000000000010 by task kworker/1:3/3399

CPU: 1 PID: 3399 Comm: kworker/1:3 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
Hardware name: riscv-virtio,qemu (DT)
Workqueue: events_power_efficient wg_ratelimiter_gc_entries
Call Trace:
[] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:113
[] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:119
[] __dump_stack lib/dump_stack.c:88 [inline]
[] dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:106
[] __kasan_report mm/kasan/report.c:446 [inline]
[] kasan_report+0x1de/0x1e0 mm/kasan/report.c:459
[] check_region_inline mm/kasan/generic.c:173 [inline]
[] kasan_check_range+0x2a/0x136 mm/kasan/generic.c:189
[] __kasan_check_write+0x14/0x1c mm/kasan/shadow.c:37
[] instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
[] atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:116 [inline]
[] __refcount_add include/linux/refcount.h:193 [inline]
[] __refcount_inc include/linux/refcount.h:250 [inline]
[] refcount_inc include/linux/refcount.h:267 [inline]
[] sctp_chunk_hold+0x26/0xb4 net/sctp/sm_make_chunk.c:1523
[] sctp_sf_send_reconf+0x78/0x2c4 net/sctp/sm_statefuns.c:1105
[] sctp_do_sm+0x15c/0x2ef4 net/sctp/sm_sideeffect.c:1163
[] sctp_generate_reconf_event+0x196/0x23e net/sctp/sm_sideeffect.c:461
[] call_timer_fn+0x164/0x698 kernel/time/timer.c:1421
[] expire_timers kernel/time/timer.c:1466 [inline]
[] __run_timers.part.0+0x484/0x4e6 kernel/time/timer.c:1734
[] __run_timers kernel/time/timer.c:1715 [inline]
[] run_timer_softirq+0x86/0x100 kernel/time/timer.c:1747
[] __do_softirq+0x274/0x8fc kernel/softirq.c:558
[] do_softirq_own_stack include/asm-generic/softirq_stack.h:10 [inline]
[] invoke_softirq kernel/softirq.c:439 [inline]
[] __irq_exit_rcu+0x142/0x1f8 kernel/softirq.c:637
[] irq_exit+0x10/0x7a kernel/softirq.c:661
[] generic_handle_arch_irq+0x48/0x54 kernel/irq/handle.c:240
[] ret_from_exception+0x0/0x10
[] lockdep_recursion_finish kernel/locking/lockdep.c:438 [inline]
[] lock_acquire.part.0+0x210/0x424 kernel/locking/lockdep.c:5641
==================================================================
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
Oops [#1]
Modules linked in:
CPU: 1 PID: 3399 Comm: kworker/1:3 Tainted: G B 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
Hardware name: riscv-virtio,qemu (DT)
Workqueue: events_power_efficient wg_ratelimiter_gc_entries
epc : arch_atomic_fetch_add_relaxed arch/riscv/include/asm/atomic.h:138 [inline]
epc : atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:117 [inline]
epc : __refcount_add include/linux/refcount.h:193 [inline]
epc : __refcount_inc include/linux/refcount.h:250 [inline]
epc : refcount_inc include/linux/refcount.h:267 [inline]
epc : sctp_chunk_hold+0x28/0xb4 net/sctp/sm_make_chunk.c:1523
 ra : instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
 ra : atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:116 [inline]
 ra : __refcount_add include/linux/refcount.h:193 [inline]
 ra : __refcount_inc include/linux/refcount.h:250 [inline]
 ra : refcount_inc include/linux/refcount.h:267 [inline]
 ra : sctp_chunk_hold+0x26/0xb4 net/sctp/sm_make_chunk.c:1523
epc : ffffffff82f40418 ra : ffffffff82f40416 sp : ffffaf800f00f160
 gp : ffffffff85863ac0 tp : ffffaf8009af1840 t0 : ffffffff86bcb657
 t1 : fffff5ef0b53c90c t2 : 0000000000000000 s0 : ffffaf800f00f190
 s1 : ffffaf8011507000 a0 : 0000000000000000 a1 : 0000000000000001
 a2 : 1ffff5f00135e309 a3 : ffffffff831afd3a a4 : 0000000000000000
 a5 : ffffaf8009af2840 a6 : 0000000000f00000 a7 : ffffaf805a9e4863
 s2 : ffffaf800f00f2b0 s3 : 0000000000000010 s4 : ffffaf80114b3000
 s5 : 0000000000001000 s6 : 0000000000000000 s7 : ffffaf80114f0000
 s8 : 0000000000000002 s9 : 0000000000000101 s10: ffffaf8011506000
 s11: ffffaf80114b3000 t3 : 0000000061736944 t4 : fffff5ef0b53c90c
 t5 : fffff5ef0b53c90d t6 : ffffaf800f00eb98
status: 0000000000000120 badaddr: 0000000000000010 cause: 000000000000000f
[] sctp_sf_send_reconf+0x78/0x2c4 net/sctp/sm_statefuns.c:1105
[] sctp_do_sm+0x15c/0x2ef4 net/sctp/sm_sideeffect.c:1163
[] sctp_generate_reconf_event+0x196/0x23e net/sctp/sm_sideeffect.c:461
[] call_timer_fn+0x164/0x698 kernel/time/timer.c:1421
[] expire_timers kernel/time/timer.c:1466 [inline]
[] __run_timers.part.0+0x484/0x4e6 kernel/time/timer.c:1734
[] __run_timers kernel/time/timer.c:1715 [inline]
[] run_timer_softirq+0x86/0x100 kernel/time/timer.c:1747
[] __do_softirq+0x274/0x8fc kernel/softirq.c:558
[] do_softirq_own_stack include/asm-generic/softirq_stack.h:10 [inline]
[] invoke_softirq kernel/softirq.c:439 [inline]
[] __irq_exit_rcu+0x142/0x1f8 kernel/softirq.c:637
[] irq_exit+0x10/0x7a kernel/softirq.c:661
[] generic_handle_arch_irq+0x48/0x54 kernel/irq/handle.c:240
[] ret_from_exception+0x0/0x10
[] lockdep_recursion_finish kernel/locking/lockdep.c:438 [inline]
[] lock_acquire.part.0+0x210/0x424 kernel/locking/lockdep.c:5641
---[ end trace 0000000000000000 ]---