netlink: 72 bytes leftover after parsing attributes in process `syz.0.685'.
8<--- cut here ---
Unable to handle kernel NULL pointer dereference at virtual address 00000000 when write
[00000000] *pgd=85cb6003, *pmd=df7d8003
Internal error: Oops: a05
Internal error: Oops: a05 [#1] SMP ARM
Modules linked in:
CPU: 0 UID: 0 PID: 6544 Comm: syz.0.685 Not tainted syzkaller #0 PREEMPT 
Hardware name: ARM-Versatile Express
PC is at hlist_add_before_rcu include/linux/rculist.h:705 [inline]
PC is at __xfrm_state_insert+0x5d8/0x7bc net/xfrm/xfrm_state.c:1743
LR is at __list_add_valid include/linux/list.h:88 [inline]
LR is at __list_add include/linux/list.h:150 [inline]
LR is at list_add include/linux/list.h:169 [inline]
LR is at __xfrm_state_insert+0x34/0x7bc net/xfrm/xfrm_state.c:1725
pc : [<817fd53c>]    lr : [<817fcf98>]    psr: 80000113
sp : dfc2da28  ip : 84e172c8  fp : dfc2da5c
r10: 00000000  r9 : 83c8aa40  r8 : 859108c0
r7 : 83c8ad24  r6 : 83c8aaa4  r5 : 85910000  r4 : 83c8aa00
r3 : 83c8aa14  r2 : 83c8a780  r1 : 00000000  r0 : 00000000
Flags: Nzcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
Control: 30c5387d  Table: 85664f40  DAC: fffffffd
Register r0 information: NULL pointer
Register r1 information: NULL pointer
Register r2 information: slab request_queue start 83c8a780 pointer offset 0 size 640
Register r3 information: slab request_queue start 83c8aa00 pointer offset 20 size 640
Register r4 information: slab request_queue start 83c8aa00 pointer offset 0 size 640
Register r5 information: slab net_namespace start 85910000 pointer offset 0 size 3776
Register r6 information: slab request_queue start 83c8aa00 pointer offset 164 size 640
Register r7 information: slab request_queue start 83c8ac80 pointer offset 164 size 640
Register r8 information: slab net_namespace start 85910000 pointer offset 2240 size 3776
Register r9 information: slab request_queue start 83c8aa00 pointer offset 64 size 640
Register r10 information: NULL pointer
Register r11 information: 2-page vmalloc region starting at 0xdfc2c000 allocated at kernel_clone+0xac/0x3ec kernel/fork.c:2605
Register r12 information: slab kmalloc-64 start 84e172c0 pointer offset 8 size 64
Process syz.0.685 (pid: 6544, stack limit = 0xdfc2c000)
Stack: (0xdfc2da28 to 0xdfc2e000)
da20:                   0000006c 00000002 00000001 83c8aa00 00000000 83c8aa00
da40: 00000000 85910b40 85910000 00000002 dfc2dacc dfc2da60 817fe6f0 817fcf70
da60: 00000000 00000000 ffffffff 0000006c 83c8aa40 83c8aac4 00000000 8243ecd4
da80: dfc2dacc 00000000 817f9c7c 84e17e40 84e17d80 84e172c0 00000007 75e8c1c9
daa0: 817f8914 84c21800 83c8aa00 83c8aa34 dfc2dc40 85910000 00000000 82278104
dac0: dfc2db24 dfc2dad0 8180e618 817fe59c 855a3000 00000000 84c218f0 84c218f4
dae0: 00000000 00000000 00000000 00000000 00000000 75e8c1c9 80976e0c 84c21800
db00: 85ea7a80 8180d830 81e77a18 00000000 00000010 00000000 dfc2dc3c dfc2db28
db20: 8180a808 8180d83c 81e77be4 00000000 dfc2dc40 00000000 81e77be4 dfc2dc40
db40: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
db60: 00000000 00000000 00000000 00000000 84c218f0 00000000 00000000 00000000
db80: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
dba0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
dbc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
dbe0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
dc00: 00000000 00000000 00000000 75e8c1c9 00400000 85ea7a80 8180a6d0 84c21800
dc20: 00000180 85910000 00000000 00000000 dfc2dccc dfc2dc40 81672424 8180a6dc
dc40: 81d0cb14 00000000 00000000 00000000 00000000 00000000 00000000 00000000
dc60: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
dc80: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
dca0: 00000000 00000000 00000000 75e8c1c9 85910b50 85ea7a80 84e17600 85ea7a80
dcc0: dfc2dce4 dfc2dcd0 818091bc 81672370 84b65400 00000180 dfc2dd1c dfc2dce8
dce0: 81671bf0 81809194 84c21c00 7fffffff 00000000 75e8c1c9 dfc2df20 85ea7a80
dd00: 00000180 84c21c00 00000000 00000000 dfc2dd84 dfc2dd20 81671ed8 81671a0c
dd20: 00000000 00000000 00000000 75e8c1c9 00000000 00000180 8d56f600 00000000
dd40: 00000337 00000000 00000000 00000000 80794cd0 75e8c1c9 dfc2dd84 00000000
dd60: dfc2df20 8502af00 00000000 dfc2ddc4 dfc2ddc4 00000000 dfc2dda4 dfc2dd88
dd80: 81543bb0 81671d18 dfc2df20 00004880 8502af00 00000000 dfc2de14 dfc2dda8
dda0: 81544f08 81543b78 dfc2de20 dfc2df30 00000000 00000000 dfc2de14 00000000
ddc0: 81546ddc 00000000 00000000 00000000 00000000 00000000 00000000 00000000
dde0: 00000000 75e8c1c9 00004075 00000000 dfc2df20 8502af00 00000000 00004880
de00: 200035c0 dfc2de24 dfc2df14 dfc2de18 81546ed0 81544c7c 00000000 855a3000
de20: 00000000 20000380 00000180 00000000 00000000 00000000 00000000 00000000
de40: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
de60: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
de80: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
dea0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
dec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
dee0: 00000000 75e8c1c9 dfc2df14 00000003 856b03c1 200035c0 00004880 856b03c0
df00: 855a3000 00000128 dfc2df94 dfc2df18 81547368 81546e40 00000000 00000000
df20: 00000000 00000000 00000000 00000000 00010000 00000180 20000380 00000000
df40: 00000001 00000000 00000000 00000001 00004880 00000000 00000000 00000000
df60: 00000000 00000000 ecac8b10 75e8c1c9 00000000 00000000 00000000 00306308
df80: 00000128 8020029c dfc2dfa4 dfc2df98 815473d0 815472e8 00000000 dfc2dfa8
dfa0: 80200060 815473c8 00000000 00000000 00000003 200035c0 00004880 00000000
dfc0: 00000000 00000000 00306308 00000128 002f0000 00000000 00006364 76f6b0bc
dfe0: 76f6aec0 76f6aeb0 0001948c 001322a0 60000010 00000003 00000000 00000000
Call trace: 
[<817fcf64>] (__xfrm_state_insert) from [<817fe6f0>] (xfrm_state_add+0x160/0x348 net/xfrm/xfrm_state.c:1924)
 r8:00000002 r7:85910000 r6:85910b40 r5:00000000 r4:83c8aa00
[<817fe590>] (xfrm_state_add) from [<8180e618>] (xfrm_add_sa+0xde8/0x171c net/xfrm/xfrm_user.c:1025)
 r10:82278104 r9:00000000 r8:85910000 r7:dfc2dc40 r6:83c8aa34 r5:83c8aa00
 r4:84c21800
[<8180d830>] (xfrm_add_sa) from [<8180a808>] (xfrm_user_rcv_msg+0x138/0x2d0 net/xfrm/xfrm_user.c:3501)
 r10:00000000 r9:00000010 r8:00000000 r7:81e77a18 r6:8180d830 r5:85ea7a80
 r4:84c21800
[<8180a6d0>] (xfrm_user_rcv_msg) from [<81672424>] (netlink_rcv_skb+0xc0/0x120 net/netlink/af_netlink.c:2552)
 r10:00000000 r9:00000000 r8:85910000 r7:00000180 r6:84c21800 r5:8180a6d0
 r4:85ea7a80
[<81672364>] (netlink_rcv_skb) from [<818091bc>] (xfrm_netlink_rcv+0x34/0x40 net/xfrm/xfrm_user.c:3523)
 r7:85ea7a80 r6:84e17600 r5:85ea7a80 r4:85910b50
[<81809188>] (xfrm_netlink_rcv) from [<81671bf0>] (netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline])
[<81809188>] (xfrm_netlink_rcv) from [<81671bf0>] (netlink_unicast+0x1f0/0x30c net/netlink/af_netlink.c:1346)
 r5:00000180 r4:84b65400
[<81671a00>] (netlink_unicast) from [<81671ed8>] (netlink_sendmsg+0x1cc/0x444 net/netlink/af_netlink.c:1896)
 r9:00000000 r8:00000000 r7:84c21c00 r6:00000180 r5:85ea7a80 r4:dfc2df20
[<81671d0c>] (netlink_sendmsg) from [<81543bb0>] (sock_sendmsg_nosec net/socket.c:714 [inline])
[<81671d0c>] (netlink_sendmsg) from [<81543bb0>] (__sock_sendmsg+0x44/0x78 net/socket.c:729)
 r10:00000000 r9:dfc2ddc4 r8:dfc2ddc4 r7:00000000 r6:8502af00 r5:dfc2df20
 r4:00000000
[<81543b6c>] (__sock_sendmsg) from [<81544f08>] (____sys_sendmsg+0x298/0x2cc net/socket.c:2614)
 r7:00000000 r6:8502af00 r5:00004880 r4:dfc2df20
[<81544c70>] (____sys_sendmsg) from [<81546ed0>] (___sys_sendmsg+0x9c/0xd0 net/socket.c:2668)
 r10:dfc2de24 r9:200035c0 r8:00004880 r7:00000000 r6:8502af00 r5:dfc2df20
 r4:00000000
[<81546e34>] (___sys_sendmsg) from [<81547368>] (__sys_sendmsg+0x8c/0xe0 net/socket.c:2700)
 r10:00000128 r9:855a3000 r8:856b03c0 r7:00004880 r6:200035c0 r5:856b03c1
 r4:00000003
[<815472dc>] (__sys_sendmsg) from [<815473d0>] (__do_sys_sendmsg net/socket.c:2705 [inline])
[<815472dc>] (__sys_sendmsg) from [<815473d0>] (sys_sendmsg+0x14/0x18 net/socket.c:2703)
 r8:8020029c r7:00000128 r6:00306308 r5:00000000 r4:00000000
[<815473bc>] (sys_sendmsg) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:67)
Exception stack(0xdfc2dfa8 to 0xdfc2dff0)
dfa0:                   00000000 00000000 00000003 200035c0 00004880 00000000
dfc0: 00000000 00000000 00306308 00000128 002f0000 00000000 00006364 76f6b0bc
dfe0: 76f6aec0 76f6aeb0 0001948c 001322a0
Code: e5840018 e5841014 f57ff05b e5941018 (e5813000) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	e5840018 	str	r0, [r4, #24]
   4:	e5841014 	str	r1, [r4, #20]
   8:	f57ff05b 	dmb	ish
   c:	e5941018 	ldr	r1, [r4, #24]
* 10:	e5813000 	str	r3, [r1] <-- trapping instruction