BUG: unable to handle kernel NULL pointer dereference at 0000000000000080
IP: [] l2tp_session_free+0x11c/0x200 net/l2tp/l2tp_core.c:1671
PGD 1cbffe067 PUD 1da21c067 PMD 0
Oops: 0002 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 3856 Comm: syz-executor014 Not tainted 4.4.147-ga5fc665 #16
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8800bb8bc800 task.stack: ffff8801c7f10000
RIP: 0010:[] [] l2tp_session_free+0x11c/0x200 net/l2tp/l2tp_core.c:1671
RSP: 0018:ffff8801db307af0 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff8801d0da6500 RCX: 0000000000000000
RDX: 1ffff1003a34ec80 RSI: ffffffff835a3531 RDI: ffff8801d1a76400
RBP: ffff8801db307b10 R08: ffff8800bb8bd100 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801d1a76280
R13: ffff8801d0da6508 R14: 0000000000000000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8801db300000(0063) knlGS:00000000093b2840
CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 0000000000000080 CR3: 00000001cbfff000 CR4: 00000000001606f0
Stack:
 ffff8800ba917700 ffff8801d0da6500 ffff8800ba917ad0 ffffffff8348b71e
 ffff8801db307b38 ffffffff835acfd7 ffff8800ba917700 ffffffff835acf00
 ffff8800b3b93ba0 ffff8801db307b60 ffffffff82f34a2c ffff8800ba917700
Call Trace:
 [] l2tp_session_dec_refcount_1 net/l2tp/l2tp_core.h:293 [inline]
 [] pppol2tp_session_destruct+0xd7/0x110 net/l2tp/l2tp_ppp.c:477
 [] sk_destruct+0x4c/0x4c0 net/core/sock.c:1447
 [] __sk_free+0x4f/0x220 net/core/sock.c:1480
 [] sock_wfree+0x103/0x140 net/core/sock.c:1667
 [] skb_release_head_state+0x103/0x210 net/core/skbuff.c:646
 [] skb_release_all+0x15/0x60 net/core/skbuff.c:659
 [] __kfree_skb+0x15/0x20 net/core/skbuff.c:675
 [] kfree_skb+0xf7/0x3e0 net/core/skbuff.c:696
 [] ndisc_error_report+0xbe/0x1a0 net/ipv6/ndisc.c:657
 [] neigh_invalidate+0x234/0x530 net/core/neighbour.c:855
 [] neigh_timer_handler+0x838/0xa50 net/core/neighbour.c:941
 [] call_timer_fn+0x18c/0x870 kernel/time/timer.c:1185
 [] __run_timers kernel/time/timer.c:1261 [inline]
 [] run_timer_softirq+0x642/0xb90 kernel/time/timer.c:1444
 [] __do_softirq+0x22c/0xa1a kernel/softirq.c:273
 [] invoke_softirq kernel/softirq.c:350 [inline]
 [] irq_exit+0x10d/0x140 kernel/softirq.c:391
 [] exiting_irq arch/x86/include/asm/apic.h:652 [inline]
 [] smp_apic_timer_interrupt+0x81/0xa0 arch/x86/kernel/apic/apic.c:926
 [] apic_timer_interrupt+0xa0/0xb0 arch/x86/entry/entry_64.S:741
 [] spin_unlock_irqrestore include/linux/spinlock.h:362 [inline]
 [] add_wait_queue+0x76/0xa0 kernel/sched/wait.c:30
 [] do_wait+0x1b5/0xa30 kernel/exit.c:1493
 [] SYSC_wait4 kernel/exit.c:1641 [inline]
 [] SyS_wait4+0x12b/0x1f0 kernel/exit.c:1606
 [] C_SYSC_wait4+0x237/0x280 kernel/compat.c:543
 [] compat_SyS_wait4+0x2c/0x40 kernel/compat.c:536
 [] sys32_waitpid+0x25/0x30 arch/x86/ia32/sys_ia32.c:172
 [] do_syscall_32_irqs_on arch/x86/entry/common.c:393 [inline]
 [] do_fast_syscall_32+0x324/0x8b0 arch/x86/entry/common.c:460
 [] sysenter_flags_fixed+0xd/0x1a
Code: 49 8d bc 24 80 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 d0 00 00 00 4d 8b b4 24 80 01 00 00 41 ff 8e 80 00 00 00 74 64 e8 55 02 db fd e8 50 02 db fd 4c
RIP [] l2tp_session_free+0x11c/0x200 net/l2tp/l2tp_core.c:1671
 RSP
CR2: 0000000000000080
---[ end trace b0dc6d5fc9a1ebcb ]---