Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 UID: 0 PID: 5929 Comm: kworker/1:6 Not tainted 6.16.0-rc5-next-20250711-syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Workqueue: wg-crypt-wg0 wg_packet_tx_worker
RIP: 0010:hlist_add_before_rcu include/linux/rculist.h:705 [inline]
RIP: 0010:xfrm_state_find+0x4c9b/0x5400 net/xfrm/xfrm_state.c:1579
Code: 00 00 00 00 00 fc ff df 80 3c 03 00 74 08 4c 89 ff e8 29 88 04 f8 49 8b 1f 48 89 d8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 df e8 f7 88 04 f8 4c 89 23 48 b8 00 00 00
RSP: 0018:ffffc900049df100 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000008
RBP: ffffc900049df320 R08: dffffc0000000000 R09: 0000000000000002
R10: 000000000000000a R11: 0000000000000000 R12: ffff88806f5cd9a8
R13: ffff88806f5cd980 R14: ffff88806f5cd9a8 R15: ffff88806f5cd9b0
FS: 0000000000000000(0000) GS:ffff888125cc6000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b33816ff8 CR3: 000000000df36000 CR4: 00000000003526f0
Call Trace:
 xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2522 [inline]
 xfrm_tmpl_resolve net/xfrm/xfrm_policy.c:2573 [inline]
 xfrm_resolve_and_create_bundle+0x768/0x2f90 net/xfrm/xfrm_policy.c:2871
 xfrm_bundle_lookup net/xfrm/xfrm_policy.c:3106 [inline]
 xfrm_lookup_with_ifid+0x58a/0x1a70 net/xfrm/xfrm_policy.c:3237
 xfrm_lookup net/xfrm/xfrm_policy.c:3336 [inline]
 xfrm_lookup_route+0x3c/0x1c0 net/xfrm/xfrm_policy.c:3347
 send6+0x4cb/0x8d0 drivers/net/wireguard/socket.c:139
 wg_socket_send_skb_to_peer+0x111/0x1d0 drivers/net/wireguard/socket.c:178
 wg_packet_create_data_done drivers/net/wireguard/send.c:251 [inline]
 wg_packet_tx_worker+0x1c8/0x7c0 drivers/net/wireguard/send.c:276
 process_one_work kernel/workqueue.c:3239 [inline]
 process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3322
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3403
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:hlist_add_before_rcu include/linux/rculist.h:705 [inline]
RIP: 0010:xfrm_state_find+0x4c9b/0x5400 net/xfrm/xfrm_state.c:1579
Code: 00 00 00 00 00 fc ff df 80 3c 03 00 74 08 4c 89 ff e8 29 88 04 f8 49 8b 1f 48 89 d8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 df e8 f7 88 04 f8 4c 89 23 48 b8 00 00 00
RSP: 0018:ffffc900049df100 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000008
RBP: ffffc900049df320 R08: dffffc0000000000 R09: 0000000000000002
R10: 000000000000000a R11: 0000000000000000 R12: ffff88806f5cd9a8
R13: ffff88806f5cd980 R14: ffff88806f5cd9a8 R15: ffff88806f5cd9b0
FS: 0000000000000000(0000) GS:ffff888125cc6000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b33816ff8 CR3: 000000000df36000 CR4: 00000000003526f0
----------------
Code disassembly (best guess), 7 bytes skipped:
   0: df 80 3c 03 00 74     filds  0x7400033c(%rax)
   6: 08 4c 89 ff           or     %cl,-0x1(%rcx,%rcx,4)
   a: e8 29 88 04 f8        call   0xf8048838
   f: 49 8b 1f              mov    (%r15),%rbx
  12: 48 89 d8              mov    %rbx,%rax
  15: 48 c1 e8 03           shr    $0x3,%rax
  19: 48 b9 00 00 00 00 00  movabs $0xdffffc0000000000,%rcx
  20: fc ff df
* 23: 80 3c 08 00           cmpb   $0x0,(%rax,%rcx,1) <-- trapping instruction
  27: 74 08                 je     0x31
  29: 48 89 df              mov    %rbx,%rdi
  2c: e8 f7 88 04 f8        call   0xf8048928
  31: 4c 89 23              mov    %r12,(%rbx)
  34: 48                    rex.W
  35: b8                    .byte 0xb8
  36: 00 00                 add    %al,(%rax)