general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7]
CPU: 1 PID: 8810 Comm: syz-executor.0 Not tainted 6.9.0-rc5-syzkaller-00202-g78cfe547607a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237
Code: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 29 4f db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff
RSP: 0018:ffffc90000a080d0 EFLAGS: 00010202
RAX: 00000000000000bc RBX: 00000000000005e0 RCX: ffff888079db0000
RDX: 0000000000000301 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffff8a1f1e2a R09: 1ffffffff1f51fbd
R10: dffffc0000000000 R11: fffffbfff1f51fbe R12: ffff88807f0f38c0
R13: ffff888064bfe000 R14: 1ffff1100fe1e71a R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f12310de020 CR3: 000000000e134000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 ip6tunnel_xmit include/net/ip6_tunnel.h:161 [inline]
 udp_tunnel6_xmit_skb+0x590/0x9d0 net/ipv6/ip6_udp_tunnel.c:111
 geneve6_xmit_skb drivers/net/geneve.c:998 [inline]
 geneve_xmit+0x204f/0x2e60 drivers/net/geneve.c:1027
 __netdev_start_xmit include/linux/netdevice.h:4903 [inline]
 netdev_start_xmit include/linux/netdevice.h:4917 [inline]
 xmit_one net/core/dev.c:3531 [inline]
 dev_hard_start_xmit+0x27a/0x7e0 net/core/dev.c:3547
 __dev_queue_xmit+0x1ad1/0x3ca0 net/core/dev.c:4341
 dev_queue_xmit include/linux/netdevice.h:3091 [inline]
 neigh_hh_output include/net/neighbour.h:526 [inline]
 neigh_output include/net/neighbour.h:540 [inline]
 ip6_finish_output2+0xfc0/0x1670 net/ipv6/ip6_output.c:137
 ip6_finish_output+0x41e/0x810 net/ipv6/ip6_output.c:222
 NF_HOOK include/linux/netfilter.h:314 [inline]
 ndisc_send_skb+0xab0/0x1380 net/ipv6/ndisc.c:509
 addrconf_rs_timer+0x36e/0x660 net/ipv6/addrconf.c:4038
 call_timer_fn+0x18e/0x650 kernel/time/timer.c:1793
 expire_timers kernel/time/timer.c:1844 [inline]
 __run_timers kernel/time/timer.c:2418 [inline]
 __run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2429
 run_timer_base kernel/time/timer.c:2438 [inline]
 run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2448
 __do_softirq+0x2c6/0x980 kernel/softirq.c:554
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu+0xf2/0x1c0 kernel/softirq.c:633
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:645
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:unwind_next_frame+0x193c/0x2a00 arch/x86/kernel/unwind_orc.c:641
Code: 42 0f b6 44 2d 00 84 c0 0f 85 61 0e 00 00 48 8b 44 24 20 c6 00 00 4c 8b 74 24 48 48 8b 6c 24 28 48 8b 44 24 38 42 0f b6 04 28 <84> c0 0f 85 ea 0b 00 00 48 8b 44 24 78 42 0f b6 04 28 84 c0 0f 85
RSP: 0018:ffffc90004fde9e8 EFLAGS: 00000246
RAX: 0000000000000000 RBX: ffffc90004fdeaf8 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffc90004fdeb20
RBP: ffffffff90360e2c R08: ffffc90004fdeb1f R09: 0000000000000000
R10: ffffc90004fdeb10 R11: fffff520009fbd64 R12: ffffc90004fdf318
R13: dffffc0000000000 R14: ffffc90004fdeb10 R15: 1ffff920009fbd58
 arch_stack_walk+0x151/0x1b0 arch/x86/kernel/stacktrace.c:25
 stack_trace_save+0x118/0x1d0 kernel/stacktrace.c:122
 save_stack+0xfb/0x1f0 mm/page_owner.c:156
 __reset_page_owner+0x75/0x3f0 mm/page_owner.c:302
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1141 [inline]
 free_unref_page_prepare+0x986/0xab0 mm/page_alloc.c:2347
 free_unref_folios+0x185/0xb30 mm/page_alloc.c:2536
 folios_put_refs+0x8eb/0xa10 mm/swap.c:1034
 free_pages_and_swap_cache+0x2ea/0x690 mm/swap_state.c:329
 __tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline]
 tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:366 [inline]
 tlb_flush_mmu+0x3a3/0x680 mm/mmu_gather.c:373
 zap_pte_range mm/memory.c:1683 [inline]
 zap_pmd_range mm/memory.c:1722 [inline]
 zap_pud_range mm/memory.c:1751 [inline]
 zap_p4d_range mm/memory.c:1772 [inline]
 unmap_page_range+0x3e36/0x4820 mm/memory.c:1793
 unmap_vmas+0x3cc/0x5f0 mm/memory.c:1883
 exit_mmap+0x2cb/0xd60 mm/mmap.c:3267
 __mmput+0x115/0x3c0 kernel/fork.c:1346
 exit_mm+0x220/0x310 kernel/exit.c:569
 do_exit+0x99e/0x27e0 kernel/exit.c:865
 do_group_exit+0x207/0x2c0 kernel/exit.c:1027
 get_signal+0x16a1/0x1740 kernel/signal.c:2911
 arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:310
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0xc9/0x370 kernel/entry/common.c:218
 do_syscall_64+0x102/0x240 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f4ab8a7dd29
Code: Unable to access opcode bytes at 0x7f4ab8a7dcff.
RSP: 002b:00007f4ab97320c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
RAX: ffffffffffffffea RBX: 00007f4ab8babf80 RCX: 00007f4ab8a7dd29
RDX: 0000000000001f00 RSI: 0000000020000500 RDI: 0000000000000003
RBP: 00007f4ab8aca47e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f4ab8babf80 R15: 00007ffc0201a6c8
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237
Code: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 29 4f db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff
RSP: 0018:ffffc90000a080d0 EFLAGS: 00010202
RAX: 00000000000000bc RBX: 00000000000005e0 RCX: ffff888079db0000
RDX: 0000000000000301 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffff8a1f1e2a R09: 1ffffffff1f51fbd
R10: dffffc0000000000 R11: fffffbfff1f51fbe R12: ffff88807f0f38c0
R13: ffff888064bfe000 R14: 1ffff1100fe1e71a R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f12310de020 CR3: 000000000e134000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	3c 1e                	cmp    $0x1e,%al
   2:	00 49 89             	add    %cl,-0x77(%rcx)
   5:	df 74 08 4c          	fbstp  0x4c(%rax,%rcx,1)
   9:	89 ef                	mov    %ebp,%edi
   b:	e8 29 4f db f7       	call   0xf7db4f39
  10:	48 8b 44 24 20       	mov    0x20(%rsp),%rax
  15:	49 89 45 00          	mov    %rax,0x0(%r13)
  19:	49 89 c5             	mov    %rax,%r13
  1c:	48 8d 9d e0 05 00 00 	lea    0x5e0(%rbp),%rbx
  23:	48 89 d8             	mov    %rbx,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	42 0f b6 04 38       	movzbl (%rax,%r15,1),%eax <-- trapping instruction
  2f:	84 c0                	test   %al,%al
  31:	4c 8b 74 24 28       	mov    0x28(%rsp),%r14
  36:	0f 85 61 01 00 00    	jne    0x19d
  3c:	8b 1b                	mov    (%rbx),%ebx
  3e:	31 ff                	xor    %edi,%edi