8<--- cut here ---
Unable to handle kernel paging request at virtual address df000000 when read
[df000000] *pgd=80000080007003, *pmd=00000000
Internal error: Oops: 206 [#1] PREEMPT SMP ARM
Modules linked in:
CPU: 0 PID: 28690 Comm: syz-executor.1 Not tainted 6.4.0-rc5-syzkaller #0
Hardware name: ARM-Versatile Express
PC is at csum_partial+0x40/0x130 arch/arm/lib/csumpartial.S:120
LR is at 0x0
pc : [<817acd68>] lr : [<00000000>] psr: 80000013
sp : df9c5b38 ip : a5beb440 fp : df9c5b94
r10: 813146b0 r9 : 813146b0 r8 : 0000a11c
r7 : ffff5ee3 r6 : 0000a11c r5 : 00000000 r4 : 00000000
r3 : 00000000 r2 : 8aae7790 r1 : fffffef0 r0 : df000000
Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
Control: 30c5387d Table: 85d3b480 DAC: fffffffd
Register r0 information: non-paged memory
Register r1 information: non-paged memory
Register r2 information: non-slab/vmalloc memory
Register r3 information: NULL pointer
Register r4 information: NULL pointer
Register r5 information: NULL pointer
Register r6 information: non-paged memory
Register r7 information: non-paged memory
Register r8 information: non-paged memory
Register r9 information: non-slab/vmalloc memory
Register r10 information: non-slab/vmalloc memory
Register r11 information: 2-page vmalloc region starting at 0xdf9c4000 allocated at kernel_clone+0x9c/0x3dc kernel/fork.c:2915
Register r12 information: non-slab/vmalloc memory
Process syz-executor.1 (pid: 28690, stack limit = 0xdf9c4000)
Stack: (0xdf9c5b38 to 0xdf9c6000)
5b20:                                                       859ed240 84beb550
5b40: 84beb550 8150d5c4 df9c5b74 84ab2600 859ed840 859ed240 81fdf65c 827e238f
5b60: 86865000 00001f99 00c00000 859ed840 00006869 00000000 00000000 00000000
5b80: 00000000 84beb200 df9c5bd4 df9c5b98 815f7a30 8150d3ec 00000001 df9c5ba8
5ba0: 80277e40 a158571c 00000000 859ed840 0000000e 00000000 00006869 00000000
5bc0: 00000000 84beb200 df9c5c1c df9c5bd8 816313f0 815f7974 df9c5c2c df9c5be8
5be0: 00000060 00000052 df9c5cb0 a158571c 00000002 859ed840 00000000 00006869
5c00: 0000dd86 81631960 df9c5cf7 00000001 df9c5c3c df9c5c20 816319a4 816312d4
5c20: 859ed840 00000000 00006869 0000dd86 df9c5c6c df9c5c40 813785a4 8163196c
5c40: 0000000e a158571c df9c5cf7 859ed840 00006869 00000001 00000000 858d0800
5c60: df9c5c8c df9c5c70 8133371c 813784ec 859ed840 00006869 00000000 df9c5cf7
5c80: df9c5cc4 df9c5c90 8133b128 81333668 00000001 00000000 000000b8 00000000
5ca0: 00000000 859d6400 858d0800 00000000 df9c5cf7 00000001 df9c5cec df9c5cc8
5cc0: 8133b340 8133af98 85d05c00 859ed840 859d6400 858d0800 00000000 00000001
5ce0: df9c5d24 df9c5cf0 813aac28 8133b30c 85d05c00 008d0800 00000010 a158571c
5d00: 859ed840 85d05c00 00000000 00000001 a3ea31c0 85d05cc4 df9c5d84 df9c5d28
5d20: 8133bf20 813aaa74 00000000 00000001 00000011 8260ee30 009c5da4 fffffff4
5d40: 00000000 813215e0 00000000 0000dd86 00000000 a158571c 00000000 859ed840
5d60: 00002378 858d0800 0000000a 859ed840 86865000 84beb340 df9c5da4 df9c5d88
5d80: 816350ec 8133b9c4 86865000 00002378 858d0800 0000000a df9c5e5c df9c5da8
5da0: 81638840 8163505c df9c5e08 00000000 817fa874 80277f20 00002001 df9c5dc8
5dc0: df9c5ea8 83200f08 00002001 817fb15c 80200288 806b8594 df9c5e1c df9c5de8
5de0: 81a02a70 00000000 00000002 0000000e 00000060 00000300 00000000 0000000e
5e00: 00000000 0000000a 00000000 000a0500 07441c99 0000030c 00000000 00000000
5e20: 00000000 00000000 8216d67c a158571c df9c5e5c 00000000 df9c5e98 853a0500
5e40: 04000002 80200288 84642f00 00000122 df9c5e7c df9c5e60 8130db78 81637984
5e60: 00000000 853a0500 00000000 04000002 df9c5f8c df9c5e80 8130f9cc 8130db40
5e80: df9c5ea8 84646010 fffffff7 00000001 84645e00 00000000 00000000 00000000
5ea0: df9c5ed4 df9c5eb0 01000006 00000001 00002378 20000080 00000000 00000000
5ec0: 00000001 00000000 00000000 00000000 04000002 00000000 00000000 00000000
5ee0: 00000000 ffffffff 00000000 00000000 804f2204 a158571c 00000000 00000000
5f00: 00000080 0014c288 00000000 00000000 84642f00 000000f0 df9c5f4c df9c5f28
5f20: 80309a98 8030d218 ffffffff df9c5f38 8130ce7c 804f2224 00000000 00000000
5f40: df9c5fa4 df9c5f50 8030a05c 803099f4 df9c5f84 df9c5f60 80277e40 802a6108
5f60: 00000000 fffffff7 84642f00 a158571c 00000000 000002ff 0014c2c4 00000122
5f80: df9c5fa4 df9c5f90 8130fa34 8130f908 00000000 000002ff 00000000 df9c5fa8
5fa0: 80200060 8130fa24 00000000 000002ff 00000003 20000080 00002378 04000002
5fc0: 00000000 000002ff 0014c2c4 00000122 7eea43c2 76b7b6d0 7eea4534 76b7b20c
5fe0: 76b7b020 76b7b010 00017004 0004dfb0 60000010 00000003 00000000 00000000
Backtrace:
[<8150d3e0>] (__udp_gso_segment) from [<815f7a30>] (udp6_ufo_fragment+0xc8/0x39c net/ipv6/udp_offload.c:47)
 r10:84beb200 r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:00006869 r4:859ed840
[<815f7968>] (udp6_ufo_fragment) from [<816313f0>] (ipv6_gso_segment.part.0+0x128/0x42c net/ipv6/ip6_offload.c:119)
 r10:84beb200 r9:00000000 r8:00000000 r7:00006869 r6:00000000 r5:0000000e r4:859ed840
[<816312c8>] (ipv6_gso_segment.part.0) from [<816319a4>] (ipv6_gso_segment+0x44/0x48 net/ipv6/ip6_offload.c:91)
 r10:00000001 r9:df9c5cf7 r8:81631960 r7:0000dd86 r6:00006869 r5:00000000 r4:859ed840
[<81631960>] (ipv6_gso_segment) from [<813785a4>] (skb_mac_gso_segment+0xc4/0x1a4 net/core/gro.c:141)
 r7:0000dd86 r6:00006869 r5:00000000 r4:859ed840
[<813784e0>] (skb_mac_gso_segment) from [<8133371c>] (__skb_gso_segment+0xc0/0x16c net/core/dev.c:3401)
 r8:858d0800 r7:00000000 r6:00000001 r5:00006869 r4:859ed840
[<8133365c>] (__skb_gso_segment) from [<8133b128>] (skb_gso_segment include/linux/netdevice.h:4859 [inline])
[<8133365c>] (__skb_gso_segment) from [<8133b128>] (validate_xmit_skb+0x19c/0x374 net/core/dev.c:3659)
 r7:df9c5cf7 r6:00000000 r5:00006869 r4:859ed840
[<8133af8c>] (validate_xmit_skb) from [<8133b340>] (validate_xmit_skb_list+0x40/0x74 net/core/dev.c:3709)
 r10:00000001 r9:df9c5cf7 r8:00000000 r7:858d0800 r6:859d6400 r5:00000000 r4:00000000
[<8133b300>] (validate_xmit_skb_list) from [<813aac28>] (sch_direct_xmit+0x1c0/0x45c net/sched/sch_generic.c:327)
 r9:00000001 r8:00000000 r7:858d0800 r6:859d6400 r5:859ed840 r4:85d05c00
[<813aaa68>] (sch_direct_xmit) from [<8133bf20>] (__dev_xmit_skb net/core/dev.c:3805 [inline])
[<813aaa68>] (sch_direct_xmit) from [<8133bf20>] (__dev_queue_xmit+0x568/0xdc8 net/core/dev.c:4210)
 r9:85d05cc4 r8:a3ea31c0 r7:00000001 r6:00000000 r5:85d05c00 r4:859ed840
[<8133b9b8>] (__dev_queue_xmit) from [<816350ec>] (dev_queue_xmit include/linux/netdevice.h:3085 [inline])
[<8133b9b8>] (__dev_queue_xmit) from [<816350ec>] (packet_xmit net/packet/af_packet.c:276 [inline])
[<8133b9b8>] (__dev_queue_xmit) from [<816350ec>] (packet_xmit+0x9c/0x100 net/packet/af_packet.c:273)
 r10:84beb340 r9:86865000 r8:859ed840 r7:0000000a r6:858d0800 r5:00002378 r4:859ed840
[<81635050>] (packet_xmit) from [<81638840>] (packet_snd net/packet/af_packet.c:3081 [inline])
[<81635050>] (packet_xmit) from [<81638840>] (packet_sendmsg+0xec8/0x1448 net/packet/af_packet.c:3113)
 r7:0000000a r6:858d0800 r5:00002378 r4:86865000
[<81637978>] (packet_sendmsg) from [<8130db78>] (sock_sendmsg_nosec net/socket.c:724 [inline])
[<81637978>] (packet_sendmsg) from [<8130db78>] (sock_sendmsg+0x44/0x78 net/socket.c:747)
 r10:00000122 r9:84642f00 r8:80200288 r7:04000002 r6:853a0500 r5:df9c5e98 r4:00000000
[<8130db34>] (sock_sendmsg) from [<8130f9cc>] (__sys_sendto+0xd0/0x11c net/socket.c:2144)
 r7:04000002 r6:00000000 r5:853a0500 r4:00000000
[<8130f8fc>] (__sys_sendto) from [<8130fa34>] (__do_sys_sendto net/socket.c:2156 [inline])
[<8130f8fc>] (__sys_sendto) from [<8130fa34>] (sys_sendto+0x1c/0x24 net/socket.c:2152)
 r7:00000122 r6:0014c2c4 r5:000002ff r4:00000000
[<8130fa18>] (sys_sendto) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:66)
Exception stack(0xdf9c5fa8 to 0xdf9c5ff0)
5fa0:                   00000000 000002ff 00000003 20000080 00002378 04000002
5fc0: 00000000 000002ff 0014c2c4 00000122 7eea43c2 76b7b6d0 7eea4534 76b7b20c
5fe0: 76b7b020 76b7b010 00017004 0004dfb0
Code: e0b22003 e0b22004 e0b22005 e0b2200e (e8b04038)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:   e0b22003    adcs    r2, r2, r3
   4:   e0b22004    adcs    r2, r2, r4
   8:   e0b22005    adcs    r2, r2, r5
   c:   e0b2200e    adcs    r2, r2, lr
* 10:   e8b04038    ldm     r0!, {r3, r4, r5, lr} <-- trapping instruction