==================================================================
BUG: KASAN: null-ptr-deref in hlist_add_before_rcu include/linux/rculist.h:705 [inline]
BUG: KASAN: null-ptr-deref in __xfrm_state_insert+0xe00/0x11a4 net/xfrm/xfrm_state.c:1743
Write of size 8 at addr 0000000000000000 by task syz.5.557/10178

CPU: 1 UID: 0 PID: 10178 Comm: syz.5.557 Not tainted syzkaller #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/30/2025
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C)
 __dump_stack+0x30/0x40 lib/dump_stack.c:94
 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
 print_report+0x58/0x84 mm/kasan/report.c:485
 kasan_report+0xb0/0x110 mm/kasan/report.c:595
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189
 __kasan_check_write+0x20/0x30 mm/kasan/shadow.c:37
 hlist_add_before_rcu include/linux/rculist.h:705 [inline]
 __xfrm_state_insert+0xe00/0x11a4 net/xfrm/xfrm_state.c:1743
 xfrm_state_insert+0x5c/0x78 net/xfrm/xfrm_state.c:1795
 ipcomp_tunnel_attach net/ipv4/ipcomp.c:113 [inline]
 ipcomp4_init_state+0x4a4/0x8f4 net/ipv4/ipcomp.c:144
 __xfrm_init_state+0x8c4/0x12b8 net/xfrm/xfrm_state.c:3188
 xfrm_state_construct net/xfrm/xfrm_user.c:954 [inline]
 xfrm_add_sa+0x21f4/0x310c net/xfrm/xfrm_user.c:1019
 xfrm_user_rcv_msg+0x588/0x7c4 net/xfrm/xfrm_user.c:3501
 netlink_rcv_skb+0x220/0x3fc net/netlink/af_netlink.c:2552
 xfrm_netlink_rcv+0x80/0x9c net/xfrm/xfrm_user.c:3523
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0x694/0x8c4 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x648/0x930 net/netlink/af_netlink.c:1896
 sock_sendmsg_nosec net/socket.c:714 [inline]
 __sock_sendmsg net/socket.c:729 [inline]
 ____sys_sendmsg+0x490/0x7b8 net/socket.c:2614
 ___sys_sendmsg+0x204/0x278 net/socket.c:2668
 __sys_sendmsg net/socket.c:2700 [inline]
 __do_sys_sendmsg net/socket.c:2705 [inline]
 __se_sys_sendmsg net/socket.c:2703 [inline]
 __arm64_sys_sendmsg+0x184/0x238 net/socket.c:2703
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x5c/0x254 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:763
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
==================================================================
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
Mem abort info:
  ESR = 0x0000000096000046
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x06: level 2 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000
  CM = 0, WnR = 1, TnD = 0, TagAccess = 0
  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=0000000144c6f000
[0000000000000000] pgd=080000013d880403, p4d=080000013d880403, pud=080000013734e403, pmd=0000000000000000
Internal error: Oops: 0000000096000046 [#1] SMP
Modules linked in:
CPU: 1 UID: 0 PID: 10178 Comm: syz.5.557 Tainted: G    B              syzkaller #0 PREEMPT
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/30/2025
pstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : hlist_add_before_rcu include/linux/rculist.h:705 [inline]
pc : __xfrm_state_insert+0xe00/0x11a4 net/xfrm/xfrm_state.c:1743
lr : hlist_add_before_rcu include/linux/rculist.h:705 [inline]
lr : __xfrm_state_insert+0xe00/0x11a4 net/xfrm/xfrm_state.c:1743
sp : ffff8000a23c6f20
x29: ffff8000a23c6f50 x28: dfff800000000000 x27: 1fffe0001a5713be
x26: ffff0000edfb4470 x25: 0000000000000000 x24: ffff0000edfb4468
x23: ffff0000d2b89df0 x22: ffff0000edfb4770 x21: ffff0000d2b89de8
x20: ffff0000c5ae2440 x19: ffff0000edfb4440 x18: 1fffe00033799a88
x17: 3d3d3d3d3d3d3d3d x16: ffff80008b01d6e0 x15: 0000000000000001
x14: 1ffff00012611d00 x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000080000 x10: 000000000000ad4d x9 : 0000000000000000
x8 : 0000000000000000 x7 : 0000000000000001 x6 : ffff80008056556c
x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff8000803c2084
x2 : 0000000000000001 x1 : 0000000000000000 x0 : 0000000000000000
Call trace:
 hlist_add_before_rcu include/linux/rculist.h:705 [inline] (P)
 __xfrm_state_insert+0xe00/0x11a4 net/xfrm/xfrm_state.c:1743 (P)
 xfrm_state_insert+0x5c/0x78 net/xfrm/xfrm_state.c:1795
 ipcomp_tunnel_attach net/ipv4/ipcomp.c:113 [inline]
 ipcomp4_init_state+0x4a4/0x8f4 net/ipv4/ipcomp.c:144
 __xfrm_init_state+0x8c4/0x12b8 net/xfrm/xfrm_state.c:3188
 xfrm_state_construct net/xfrm/xfrm_user.c:954 [inline]
 xfrm_add_sa+0x21f4/0x310c net/xfrm/xfrm_user.c:1019
 xfrm_user_rcv_msg+0x588/0x7c4 net/xfrm/xfrm_user.c:3501
 netlink_rcv_skb+0x220/0x3fc net/netlink/af_netlink.c:2552
 xfrm_netlink_rcv+0x80/0x9c net/xfrm/xfrm_user.c:3523
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0x694/0x8c4 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x648/0x930 net/netlink/af_netlink.c:1896
 sock_sendmsg_nosec net/socket.c:714 [inline]
 __sock_sendmsg net/socket.c:729 [inline]
 ____sys_sendmsg+0x490/0x7b8 net/socket.c:2614
 ___sys_sendmsg+0x204/0x278 net/socket.c:2668
 __sys_sendmsg net/socket.c:2700 [inline]
 __do_sys_sendmsg net/socket.c:2705 [inline]
 __se_sys_sendmsg net/socket.c:2703 [inline]
 __arm64_sys_sendmsg+0x184/0x238 net/socket.c:2703
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x5c/0x254 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:763
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
Code: aa1903e0 52800101 f9000315 9790eb0c (c89fff38)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	aa1903e0 	mov	x0, x25
   4:	52800101 	mov	w1, #0x8                   	// #8
   8:	f9000315 	str	x21, [x24]
   c:	9790eb0c 	bl	0xfffffffffe43ac3c
* 10:	c89fff38 	stlr	x24, [x25] <-- trapping instruction