Unable to handle kernel paging request at virtual address fffffdffbf747465
KASAN: maybe wild-memory-access in range [0x0003effdfba3a328-0x0003effdfba3a32f]
Mem abort info:
  ESR = 0x0000000096000021
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x21: alignment fault
Data abort info:
  ISV = 0, ISS = 0x00000021, ISS2 = 0x00000000
  CM = 0, WnR = 0, TnD = 0, TagAccess = 0
  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000001a5699000
[fffffdffbf747465] pgd=0000000000000000, p4d=100000023ea6a403, pud=1000000102b6b403, pmd=1000000102b6d403, pte=006800010f5b8703
Internal error: Oops: 0000000096000021 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 UID: 0 PID: 8337 Comm: syz.2.528 Not tainted 6.13.0-rc3-syzkaller-g573067a5a685 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __lse_atomic_fetch_add_release arch/arm64/include/asm/atomic_lse.h:62 [inline]
pc : __lse_atomic_fetch_sub_release arch/arm64/include/asm/atomic_lse.h:76 [inline]
pc : arch_atomic_fetch_sub_release arch/arm64/include/asm/atomic.h:51 [inline]
pc : raw_atomic_fetch_sub_release include/linux/atomic/atomic-arch-fallback.h:944 [inline]
pc : atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:401 [inline]
pc : __refcount_sub_and_test include/linux/refcount.h:264 [inline]
pc : __refcount_dec_and_test include/linux/refcount.h:307 [inline]
pc : refcount_dec_and_test include/linux/refcount.h:325 [inline]
pc : skb_unref include/linux/skbuff.h:1233 [inline]
pc : __sk_skb_reason_drop net/core/skbuff.c:1213 [inline]
pc : sk_skb_reason_drop+0x50/0x43c net/core/skbuff.c:1241
lr : arch_atomic_fetch_sub_release arch/arm64/include/asm/atomic.h:51 [inline]
lr : raw_atomic_fetch_sub_release include/linux/atomic/atomic-arch-fallback.h:944 [inline]
lr : atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:401 [inline]
lr : __refcount_sub_and_test include/linux/refcount.h:264 [inline]
lr : __refcount_dec_and_test include/linux/refcount.h:307 [inline]
lr : refcount_dec_and_test include/linux/refcount.h:325 [inline]
lr : skb_unref include/linux/skbuff.h:1233 [inline]
lr : __sk_skb_reason_drop net/core/skbuff.c:1213 [inline]
lr : sk_skb_reason_drop+0x4c/0x43c net/core/skbuff.c:1241
sp : ffff80009bd47400
x29: ffff80009bd47400 x28: ffff0000d38b45f0 x27: dfff800000000000
x26: dfff800000000000 x25: ffff80009bd47580 x24: 1fffe0001a7168be
x23: fffffdffbf747465 x22: ffff80008980d42c x21: 0000000000000000
x20: 0000000000000002 x19: fffffdffbf747381 x18: 1fffe000366fc27e
x17: ffff80008f99d000 x16: ffff80008069d39c x15: 0000000000000002
x14: 1fffffbff7ee8e8c x13: 0000000000000000 x12: 0000000000000000
x11: ffff7fbff7ee8e8e x10: 0000000000ff0100 x9 : 0000000000000000
x8 : 00000000ffffffff x7 : ffff80008980c8c4 x6 : 0000000000000000
x5 : 0000000000000001 x4 : 0000000000000001 x3 : ffff800089790680
x2 : 0000000000000001 x1 : 0000000000000004 x0 : 0000000000000001
Call trace:
 arch_atomic_fetch_sub_release arch/arm64/include/asm/atomic.h:51 [inline] (P)
 raw_atomic_fetch_sub_release include/linux/atomic/atomic-arch-fallback.h:944 [inline] (P)
 atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:401 [inline] (P)
 __refcount_sub_and_test include/linux/refcount.h:264 [inline] (P)
 __refcount_dec_and_test include/linux/refcount.h:307 [inline] (P)
 refcount_dec_and_test include/linux/refcount.h:325 [inline] (P)
 skb_unref include/linux/skbuff.h:1233 [inline] (P)
 __sk_skb_reason_drop net/core/skbuff.c:1213 [inline] (P)
 sk_skb_reason_drop+0x50/0x43c net/core/skbuff.c:1241 (P)
 kfree_skb_reason include/linux/skbuff.h:1263 [inline]
 kfree_skb include/linux/skbuff.h:1272 [inline]
 flush_gro_hash net/core/dev.c:6840 [inline]
 __netif_napi_del+0x1e4/0x714 net/core/dev.c:6859
 gro_cells_destroy+0x120/0x348 net/core/gro_cells.c:117
 ip_tunnel_dev_free+0x20/0x38 net/ipv4/ip_tunnel.c:1101
 netdev_run_todo+0xc64/0xe5c net/core/dev.c:10917
 rtnl_unlock+0x14/0x20 net/core/rtnetlink.c:152
 setup_net+0x598/0x8c0 net/core/net_namespace.c:390
 copy_net_ns+0x2ac/0x4ac net/core/net_namespace.c:516
 create_new_namespaces+0x344/0x614 kernel/nsproxy.c:110
 copy_namespaces+0x3c8/0x43c kernel/nsproxy.c:179
 copy_process+0x1654/0x3250 kernel/fork.c:2398
 kernel_clone+0x1d8/0x82c kernel/fork.c:2807
 __do_sys_clone kernel/fork.c:2950 [inline]
 __se_sys_clone kernel/fork.c:2918 [inline]
 __arm64_sys_clone+0x1f8/0x24c kernel/fork.c:2918
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
Code: 979e6e81 d503201f 979e6bf3 12800008 (b86802f8)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0: 979e6e81 bl 0xfffffffffe79ba04
   4: d503201f nop
   8: 979e6bf3 bl 0xfffffffffe79afd4
   c: 12800008 mov w8, #0xffffffff // #-1
* 10: b86802f8 ldaddl w8, w24, [x23] <-- trapping instruction