8<--- cut here --- Unable to handle kernel paging request at virtual address df000000 when read [df000000] *pgd=80000080007003, *pmd=00000000 Internal error: Oops: 206 [#1] PREEMPT SMP ARM Modules linked in: CPU: 1 PID: 4704 Comm: syz-executor.0 Not tainted 6.4.0-rc3-syzkaller #0 Hardware name: ARM-Versatile Express PC is at csum_partial+0x40/0x130 arch/arm/lib/csumpartial.S:120 LR is at 0x0 pc : [<817abec8>] lr : [<00000000>] psr: 00000013 sp : ec7c9b38 ip : a6f28000 fp : ec7c9b94 r10: 81314164 r9 : 81314164 r8 : 0000a11c r7 : ffff5ee3 r6 : 0000a11c r5 : 00000000 r4 : 00000000 r3 : 00000000 r2 : 10b120fe r1 : fffffef0 r0 : df000000 Flags: nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none Control: 30c5387d Table: 85dd94c0 DAC: 00000000 Register r0 information: non-paged memory Register r1 information: non-paged memory Register r2 information: non-paged memory Register r3 information: NULL pointer Register r4 information: NULL pointer Register r5 information: NULL pointer Register r6 information: non-paged memory Register r7 information: non-paged memory Register r8 information: non-paged memory Register r9 information: non-slab/vmalloc memory Register r10 information: non-slab/vmalloc memory Register r11 information: 2-page vmalloc region starting at 0xec7c8000 allocated at kernel_clone+0x9c/0x3dc kernel/fork.c:2918 Register r12 information: non-slab/vmalloc memory Process syz-executor.0 (pid: 4704, stack limit = 0xec7c8000) Stack: (0xec7c9b38 to 0xec7ca000) 9b20: 840966c0 85f28110 9b40: 85f28110 8150ce40 ec7c9b70 8029062c 84096d80 840966c0 81fdf418 827e2390 9b60: 85ffc000 000020c0 80296b50 84096d80 00006869 00000000 00000000 00000000 9b80: 00000000 86034000 ec7c9bd4 ec7c9b98 815f6de4 8150cc68 00000001 bf9082da 9ba0: 00c00000 bf9082da 85ff54c0 84096d80 0000000e 00000000 00006869 00000000 9bc0: 00000000 86034000 ec7c9c1c ec7c9bd8 81630798 815f6d28 80277db8 802a6080 9be0: 00000060 00000052 00000000 bf9082da 802034c4 84096d80 00000000 00006869 9c00: 0000dd86 
81630d08 ec7c9cf7 00000001 ec7c9c3c ec7c9c20 81630d4c 8163067c 9c20: 84096d80 00000000 00006869 0000dd86 ec7c9c6c ec7c9c40 81377ed8 81630d14 9c40: 0000000e bf9082da ec7c9cf7 84096d80 00006869 00000001 00000000 84ebb800 9c60: ec7c9c8c ec7c9c70 81333158 81377e20 84096d80 00006869 00000000 ec7c9cf7 9c80: ec7c9cc4 ec7c9c90 8133ab64 813330a4 00000001 8260c964 ffffdd86 00000000 9ca0: 00000000 84cb8000 84ebb800 00000000 ec7c9cf7 00000001 ec7c9cec ec7c9cc8 9cc0: 8133ad7c 8133a9d4 84978800 84096d80 84cb8000 84ebb800 00000000 00000001 9ce0: ec7c9d24 ec7c9cf0 813aa5b0 8133ad48 84978800 00ebb800 00000010 bf9082da 9d00: 84096d80 84978800 00000000 00000001 a3ea3210 849788c4 ec7c9d84 ec7c9d28 9d20: 8133b95c 813aa3fc 00000000 00000001 8132c7c4 816348c0 00000013 fffffff4 9d40: 00000000 8132c5c8 00000000 0000dd86 00000000 bf9082da 00000000 84096d80 9d60: 00002378 84ebb800 0000000a 84096d80 85ffc000 86037f00 ec7c9da4 ec7c9d88 9d80: 81634494 8133b400 85ffc000 00002378 84ebb800 0000000a ec7c9e5c ec7c9da8 9da0: 81637bec 81634404 ec7c9e08 00000000 817f99d4 80277e98 00002001 ec7c9dc8 9dc0: ec7c9ea8 83203008 00002001 817fa2bc 80200288 806b84fc ec7c9e1c ec7c9de8 9de0: 81a02a74 00000000 00000002 0000236e 00000060 00000300 00000000 0000000e 9e00: 00000000 0000000a 00000000 236e0500 07441c99 0000030c 00000000 00000000 9e20: 00000000 00000000 8216c67c bf9082da ec7c9e5c 00000000 ec7c9e98 8521c000 9e40: 04000002 80200288 85ff5240 00000122 ec7c9e7c ec7c9e60 8130d628 81636d30 9e60: 00000000 8521c000 00000000 04000002 ec7c9f8c ec7c9e80 8130f478 8130d5f0 9e80: ec7c9ea8 85ff0dd0 fffffff7 00000001 85ff0bc0 00000000 00000000 00000000 9ea0: ec7c9ed4 ec7c9eb0 01000006 00000001 00002378 20000080 00000000 00000000 9ec0: 00000001 00000000 00000000 00000000 04000002 00000000 00000000 00000000 9ee0: 00000000 ffffffff 00000000 00000000 00000001 bf9082da 00000005 00000000 9f00: 00000080 0014c288 00000000 00000000 85ff5240 000000f0 ec7c9f4c ec7c9f28 9f20: 80309a10 8030d190 ffffffff 80200288 8521c000 8163a0dc 
8521c000 00000000 9f40: ec7c9fa4 ec7c9f50 80309fd4 8030996c ec7c9f84 ec7c9f60 80277db8 802a6080 9f60: 00000000 00000000 85ff5240 bf9082da 00000000 000002ff 0014c2c4 00000122 9f80: ec7c9fa4 ec7c9f90 8130f4e0 8130f3b4 00000000 000002ff 00000000 ec7c9fa8 9fa0: 80200060 8130f4d0 00000000 000002ff 00000003 20000080 00002378 04000002 9fc0: 00000000 000002ff 0014c2c4 00000122 7eac13c2 76b1e6d0 7eac1534 76b1e20c 9fe0: 76b1e020 76b1e010 00017004 0004dfb0 60000010 00000003 00000000 00000000 Backtrace: [<8150cc5c>] (__udp_gso_segment) from [<815f6de4>] (udp6_ufo_fragment+0xc8/0x39c net/ipv6/udp_offload.c:47) r10:86034000 r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:00006869 r4:84096d80 [<815f6d1c>] (udp6_ufo_fragment) from [<81630798>] (ipv6_gso_segment.part.0+0x128/0x42c net/ipv6/ip6_offload.c:119) r10:86034000 r9:00000000 r8:00000000 r7:00006869 r6:00000000 r5:0000000e r4:84096d80 [<81630670>] (ipv6_gso_segment.part.0) from [<81630d4c>] (ipv6_gso_segment+0x44/0x48 net/ipv6/ip6_offload.c:91) r10:00000001 r9:ec7c9cf7 r8:81630d08 r7:0000dd86 r6:00006869 r5:00000000 r4:84096d80 [<81630d08>] (ipv6_gso_segment) from [<81377ed8>] (skb_mac_gso_segment+0xc4/0x1a4 net/core/gro.c:141) r7:0000dd86 r6:00006869 r5:00000000 r4:84096d80 [<81377e14>] (skb_mac_gso_segment) from [<81333158>] (__skb_gso_segment+0xc0/0x16c net/core/dev.c:3401) r8:84ebb800 r7:00000000 r6:00000001 r5:00006869 r4:84096d80 [<81333098>] (__skb_gso_segment) from [<8133ab64>] (skb_gso_segment include/linux/netdevice.h:4859 [inline]) [<81333098>] (__skb_gso_segment) from [<8133ab64>] (validate_xmit_skb+0x19c/0x374 net/core/dev.c:3659) r7:ec7c9cf7 r6:00000000 r5:00006869 r4:84096d80 [<8133a9c8>] (validate_xmit_skb) from [<8133ad7c>] (validate_xmit_skb_list+0x40/0x74 net/core/dev.c:3709) r10:00000001 r9:ec7c9cf7 r8:00000000 r7:84ebb800 r6:84cb8000 r5:00000000 r4:00000000 [<8133ad3c>] (validate_xmit_skb_list) from [<813aa5b0>] (sch_direct_xmit+0x1c0/0x45c net/sched/sch_generic.c:327) r9:00000001 r8:00000000 
r7:84ebb800 r6:84cb8000 r5:84096d80 r4:84978800 [<813aa3f0>] (sch_direct_xmit) from [<8133b95c>] (__dev_xmit_skb net/core/dev.c:3805 [inline]) [<813aa3f0>] (sch_direct_xmit) from [<8133b95c>] (__dev_queue_xmit+0x568/0xdc8 net/core/dev.c:4210) r9:849788c4 r8:a3ea3210 r7:00000001 r6:00000000 r5:84978800 r4:84096d80 [<8133b3f4>] (__dev_queue_xmit) from [<81634494>] (dev_queue_xmit include/linux/netdevice.h:3085 [inline]) [<8133b3f4>] (__dev_queue_xmit) from [<81634494>] (packet_xmit net/packet/af_packet.c:276 [inline]) [<8133b3f4>] (__dev_queue_xmit) from [<81634494>] (packet_xmit+0x9c/0x100 net/packet/af_packet.c:273) r10:86037f00 r9:85ffc000 r8:84096d80 r7:0000000a r6:84ebb800 r5:00002378 r4:84096d80 [<816343f8>] (packet_xmit) from [<81637bec>] (packet_snd net/packet/af_packet.c:3081 [inline]) [<816343f8>] (packet_xmit) from [<81637bec>] (packet_sendmsg+0xec8/0x1448 net/packet/af_packet.c:3113) r7:0000000a r6:84ebb800 r5:00002378 r4:85ffc000 [<81636d24>] (packet_sendmsg) from [<8130d628>] (sock_sendmsg_nosec net/socket.c:724 [inline]) [<81636d24>] (packet_sendmsg) from [<8130d628>] (sock_sendmsg+0x44/0x78 net/socket.c:747) r10:00000122 r9:85ff5240 r8:80200288 r7:04000002 r6:8521c000 r5:ec7c9e98 r4:00000000 [<8130d5e4>] (sock_sendmsg) from [<8130f478>] (__sys_sendto+0xd0/0x11c net/socket.c:2144) r7:04000002 r6:00000000 r5:8521c000 r4:00000000 [<8130f3a8>] (__sys_sendto) from [<8130f4e0>] (__do_sys_sendto net/socket.c:2156 [inline]) [<8130f3a8>] (__sys_sendto) from [<8130f4e0>] (sys_sendto+0x1c/0x24 net/socket.c:2152) r7:00000122 r6:0014c2c4 r5:000002ff r4:00000000 [<8130f4c4>] (sys_sendto) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:66) Exception stack(0xec7c9fa8 to 0xec7c9ff0) 9fa0: 00000000 000002ff 00000003 20000080 00002378 04000002 9fc0: 00000000 000002ff 0014c2c4 00000122 7eac13c2 76b1e6d0 7eac1534 76b1e20c 9fe0: 76b1e020 76b1e010 00017004 0004dfb0 Code: e0b22003 e0b22004 e0b22005 e0b2200e (e8b04038) ---[ end trace 0000000000000000 ]--- 
----------------
Code disassembly (best guess):
   0:   e0b22003    adcs    r2, r2, r3
   4:   e0b22004    adcs    r2, r2, r4
   8:   e0b22005    adcs    r2, r2, r5
   c:   e0b2200e    adcs    r2, r2, lr
* 10:   e8b04038    ldm     r0!, {r3, r4, r5, lr} <-- trapping instruction