8<--- cut here ---
Unable to handle kernel NULL pointer dereference at virtual address 00000001 when read
[00000001] *pgd=85222003, *pmd=fedc9003
Internal error: Oops: 205 [#1] PREEMPT SMP ARM
Modules linked in:
CPU: 0 PID: 3797 Comm: syz.0.24 Not tainted 6.10.0-syzkaller #0
Hardware name: ARM-Versatile Express
PC is at __cpu_map_flush+0x18/0x54 kernel/bpf/cpumap.c:766
LR is at xdp_do_check_flushed+0xc4/0x1f0 net/core/filter.c:4304
pc : [<803f8b88>]    lr : [<81442060>]    psr: a0000013
sp : df801e30  ip : df801e50  fp : df801e4c
r10: dddd0f80  r9 : dddd11c0  r8 : df801ed0
r7 : df801ecb  r6 : e0691c70  r5 : dddd1070  r4 : 00000001
r3 : 8024b544  r2 : 00000001  r1 : 00000004  r0 : e0691c70
Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
Control: 30c5387d  Table: 852a7980  DAC: fffffffd
Register r0 information: 2-page vmalloc region starting at 0xe0690000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2780
Register r1 information: non-paged memory
Register r2 information: non-paged memory
Register r3 information: non-slab/vmalloc memory
Register r4 information: non-paged memory
Register r5 information: non-slab/vmalloc memory
Register r6 information: 2-page vmalloc region starting at 0xe0690000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2780
Register r7 information: 2-page vmalloc region starting at 0xdf800000 allocated at start_kernel+0x5d0/0x778 init/main.c:1006
Register r8 information: 2-page vmalloc region starting at 0xdf800000 allocated at start_kernel+0x5d0/0x778 init/main.c:1006
Register r9 information: non-slab/vmalloc memory
Register r10 information: non-slab/vmalloc memory
Register r11 information: 2-page vmalloc region starting at 0xdf800000 allocated at start_kernel+0x5d0/0x778 init/main.c:1006
Register r12 information: 2-page vmalloc region starting at 0xdf800000 allocated at start_kernel+0x5d0/0x778 init/main.c:1006
Process syz.0.24 (pid: 3797, stack limit = 0xe0690000)
Stack: (0xdf801e30 to 0xdf802000)
1e20: e0691c80 dddd1070 e0691c70 df801ecb
1e40: df801e74 df801e50 81442060 803f8b7c dddd1070 00000040 df801ecb 00000001
1e60: dddd1070 00000040 df801ea4 df801e78 8140f8d8 81441fa8 df801ea4 df801e88
1e80: 00000000 dddd1070 ffffb89b 0000012c df801ed0 dddd11c0 df801f64 df801ea8
1ea0: 81410100 8140f8a0 83798000 8031735c 00000000 ffffb89b 802f98e8 5b91b000
1ec0: 824b5f80 82604d40 00903d58 827f0c88 df801ed0 df801ed0 df801ed8 df801ed8
1ee0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
1f00: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
1f20: 00000000 00000000 00000000 00000000 00000002 6ce62a8e 8260408c 8260408c
1f40: 00000002 00000003 00400140 00000101 83798000 00000082 df801fdc df801f68
1f60: 8024afd4 8140fdd4 dddcd708 824b2710 824b2718 00400140 82604d40 ffffb89a
1f80: 821b96a0 00000000 824b4c40 0000000a 827f0148 8260c5d0 821a69b4 824aa3f8
1fa0: df801f68 82604080 df801fc4 df801fb8 8190474c 60000013 00000001 00000000
1fc0: e0691e58 8447bacc 8447b928 00000000 df801fec df801fe0 802012d0 8024ae84
1fe0: df801ffc df801ff0 80208800 802012c8 e0691dbc df802000 818b55e4 802087fc
Call trace:
frame pointer underflow
[<803f8b70>] (__cpu_map_flush) from [<81442060>] (xdp_do_check_flushed+0xc4/0x1f0 net/core/filter.c:4304)
 r7:df801ecb r6:e0691c70 r5:dddd1070 r4:e0691c80
[<81441f9c>] (xdp_do_check_flushed) from [<8140f8d8>] (__napi_poll+0x44/0x240 net/core/dev.c:6774)
 r6:00000040 r5:dddd1070 r4:00000001
[<8140f894>] (__napi_poll) from [<81410100>] (napi_poll net/core/dev.c:6840 [inline])
[<8140f894>] (__napi_poll) from [<81410100>] (net_rx_action+0x338/0x420 net/core/dev.c:6962)
 r9:dddd11c0 r8:df801ed0 r7:0000012c r6:ffffb89b r5:dddd1070 r4:00000000
[<8140fdc8>] (net_rx_action) from [<8024afd4>] (handle_softirqs+0x15c/0x468 kernel/softirq.c:554)
 r10:00000082 r9:83798000 r8:00000101 r7:00400140 r6:00000003 r5:00000002 r4:8260408c
[<8024ae78>] (handle_softirqs) from [<802012d0>] (__do_softirq+0x14/0x18 kernel/softirq.c:588)
 r10:00000000 r9:8447b928 r8:8447bacc r7:e0691e58 r6:00000000 r5:00000001 r4:60000013
[<802012bc>] (__do_softirq) from [<80208800>] (____do_softirq+0x10/0x14 arch/arm/kernel/irq.c:77)
[<802087f0>] (____do_softirq) from [<818b55e4>] (call_with_stack+0x1c/0x20 arch/arm/lib/call_with_stack.S:40)
[<818b55c8>] (call_with_stack) from [<8020883c>] (do_softirq_own_stack+0x38/0x3c arch/arm/kernel/irq.c:82)
[<80208804>] (do_softirq_own_stack) from [<8024b4ec>] (do_softirq kernel/softirq.c:455 [inline])
[<80208804>] (do_softirq_own_stack) from [<8024b4ec>] (do_softirq+0x5c/0x64 kernel/softirq.c:442)
[<8024b490>] (do_softirq) from [<8024b5c0>] (__local_bh_enable_ip+0xcc/0xd0 kernel/softirq.c:382)
 r5:00000001 r4:83798000
[<8024b4f4>] (__local_bh_enable_ip) from [<80c4d354>] (local_bh_enable include/linux/bottom_half.h:33 [inline])
[<8024b4f4>] (__local_bh_enable_ip) from [<80c4d354>] (tun_rx_batched drivers/net/tun.c:1550 [inline])
[<8024b4f4>] (__local_bh_enable_ip) from [<80c4d354>] (tun_get_user+0xdbc/0x1048 drivers/net/tun.c:2006)
 r5:845d7cc0 r4:84570680
[<80c4c598>] (tun_get_user) from [<80c4de60>] (tun_chr_write_iter+0x60/0xc8 drivers/net/tun.c:2052)
 r10:81b6d62c r9:20000240 r8:8447b800 r7:84570680 r6:00000000 r5:e0691ef0 r4:e0691f08
[<80c4de00>] (tun_chr_write_iter) from [<80501a08>] (new_sync_write fs/read_write.c:497 [inline])
[<80c4de00>] (tun_chr_write_iter) from [<80501a08>] (vfs_write+0x274/0x44c fs/read_write.c:590)
 r8:e0691f68 r7:83798000 r6:00000036 r5:842e8b40 r4:80c4de00
[<80501794>] (vfs_write) from [<80501d64>] (ksys_write+0x78/0xf8 fs/read_write.c:643)
 r10:00000004 r9:83798000 r8:8020029c r7:00000000 r6:00000036 r5:842e8b40 r4:842e8b41
[<80501cec>] (ksys_write) from [<80501df4>] (__do_sys_write fs/read_write.c:655 [inline])
[<80501cec>] (ksys_write) from [<80501df4>] (sys_write+0x10/0x14 fs/read_write.c:652)
 r7:00000004 r6:000000c8 r5:20000240 r4:00000036
[<80501de4>] (sys_write) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:67)
Exception stack(0xe0691fa8 to 0xe0691ff0)
1fa0: 00000036 20000240 000000c8 20000240 00000036 00000000
1fc0: 00000036 20000240 000000c8 00000004 7ed6c766 7ed6c767 003d0f00 76ba80bc
1fe0: 00000158 76ba7eb0 000d5c70 0012e68c
Code: e24cb004 e5904000 e1a06000 e1500004 (e4145020)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:   e24cb004    sub   fp, ip, #4
   4:   e5904000    ldr   r4, [r0]
   8:   e1a06000    mov   r6, r0
   c:   e1500004    cmp   r0, r4
*  10:  e4145020    ldr   r5, [r4], #-32    @ 0xffffffe0 <-- trapping instruction

Reviewer note (added in review; not part of the original report): the trapping instruction is the first step of walking the list whose head address arrives in r0 — `ldr r4, [r0]` reads head->next, which is 0x1 (r4 = 00000001), `cmp r0, r4` finds it different from the head, and `ldr r5, [r4], #-32` then dereferences it. The register information for r0/r6 places that list head inside the task's own kernel stack (the 2-page vmalloc region allocated in kernel_clone, matching the reported stack limit 0xe0690000), so a next pointer of 0x1 looks like leftover stack contents rather than a genuine NULL list; presumably the list head is walked before it is initialised — confirm against kernel/bpf/cpumap.c:766 and its caller at net/core/filter.c:4304. The trigger is an ordinary write() on a tun file descriptor (sys_write → tun_chr_write_iter → tun_get_user → tun_rx_batched → __local_bh_enable_ip → do_softirq → net_rx_action → __napi_poll → xdp_do_check_flushed), so any context that can write to a tun device reaches this code; the report does not show how the fuzzer obtained the tun fd, so whether a privilege boundary is crossed cannot be determined from this page. Because the bad pointer comes from stack memory rather than a fixed NULL, the faulting address is data-dependent; what this report establishes is a kernel oops (denial of service), nothing beyond that.