==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:68 [inline]
BUG: KASAN: null-ptr-deref in atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
BUG: KASAN: null-ptr-deref in smc_tcp_syn_recv_sock+0x84/0x4b8 net/smc/af_smc.c:131
Read of size 4 at addr 00000000000009d4 by task syz.4.87/6970

CPU: 0 UID: 0 PID: 6970 Comm: syz.4.87 Not tainted 6.14.0-rc6-syzkaller-ga5618886fdab #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120
 print_report+0xf8/0x550 mm/kasan/report.c:524
 kasan_report+0xd8/0x138 mm/kasan/report.c:634
 kasan_check_range+0x268/0x2a8 mm/kasan/generic.c:189
 __kasan_check_read+0x20/0x30 mm/kasan/shadow.c:31
 instrument_atomic_read include/linux/instrumented.h:68 [inline]
 atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
 smc_tcp_syn_recv_sock+0x84/0x4b8 net/smc/af_smc.c:131
 tcp_check_req+0xd50/0x175c net/ipv4/tcp_minisocks.c:861
 tcp_v4_rcv+0x13e8/0x2b14 net/ipv4/tcp_ipv4.c:2274
 ip_protocol_deliver_rcu+0x1f8/0x484 net/ipv4/ip_input.c:205
 ip_local_deliver_finish+0x284/0x4f0 net/ipv4/ip_input.c:233
 NF_HOOK+0x328/0x3d4 include/linux/netfilter.h:314
 ip_local_deliver+0x120/0x194 net/ipv4/ip_input.c:254
 dst_input include/net/dst.h:469 [inline]
 ip_rcv_finish+0x220/0x24c net/ipv4/ip_input.c:447
 NF_HOOK+0x328/0x3d4 include/linux/netfilter.h:314
 ip_rcv+0x7c/0x9c net/ipv4/ip_input.c:567
 __netif_receive_skb_one_core net/core/dev.c:5893 [inline]
 __netif_receive_skb+0x18c/0x3c8 net/core/dev.c:6006
 process_backlog+0x640/0x123c net/core/dev.c:6354
 __napi_poll+0xb4/0x3fc net/core/dev.c:7188
 napi_poll net/core/dev.c:7257 [inline]
 net_rx_action+0x6a8/0xf4c net/core/dev.c:7379
 handle_softirqs+0x320/0xd34 kernel/softirq.c:561
 __do_softirq+0x14/0x20 kernel/softirq.c:595
 ____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:81
 call_on_irq_stack+0x24/0x4c arch/arm64/kernel/entry.S:891
 do_softirq_own_stack+0x20/0x2c arch/arm64/kernel/irq.c:86
 do_softirq+0x90/0xf8 kernel/softirq.c:462
 __local_bh_enable_ip+0x288/0x44c kernel/softirq.c:389
 local_bh_enable+0x28/0x34 include/linux/bottom_half.h:33
 rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline]
 __dev_queue_xmit+0x185c/0x35b4 net/core/dev.c:4676
 dev_queue_xmit include/linux/netdevice.h:3313 [inline]
 neigh_hh_output include/net/neighbour.h:523 [inline]
 neigh_output include/net/neighbour.h:537 [inline]
 ip_finish_output2+0xe34/0x1414 net/ipv4/ip_output.c:236
 __ip_finish_output+0x1b0/0x45c
 ip_finish_output+0x44/0x304 net/ipv4/ip_output.c:324
 NF_HOOK_COND include/linux/netfilter.h:303 [inline]
 ip_output+0x1a8/0x21c net/ipv4/ip_output.c:434
 dst_output include/net/dst.h:459 [inline]
 ip_local_out net/ipv4/ip_output.c:130 [inline]
 __ip_queue_xmit+0xd80/0x1780 net/ipv4/ip_output.c:528
 ip_queue_xmit+0x5c/0x78 net/ipv4/ip_output.c:542
 __tcp_transmit_skb+0x192c/0x3250 net/ipv4/tcp_output.c:1471
 __tcp_send_ack+0x248/0x518 net/ipv4/tcp_output.c:4275
 tcp_send_ack+0x4c/0x64 net/ipv4/tcp_output.c:4281
 tcp_rcv_synsent_state_process net/ipv4/tcp_input.c:6600 [inline]
 tcp_rcv_state_process+0x2480/0x3b84 net/ipv4/tcp_input.c:6794
 tcp_v4_do_rcv+0x71c/0xc44 net/ipv4/tcp_ipv4.c:1941
 sk_backlog_rcv include/net/sock.h:1122 [inline]
 __release_sock+0x1a8/0x3d8 net/core/sock.c:3123
 release_sock+0x68/0x1b8 net/core/sock.c:3677
 mptcp_connect+0x854/0xdac net/mptcp/protocol.c:3810
 __inet_stream_connect+0x208/0xc48 net/ipv4/af_inet.c:677
 inet_stream_connect+0x74/0xb0 net/ipv4/af_inet.c:748
 __sys_connect_file net/socket.c:2045 [inline]
 __sys_connect+0x260/0x294 net/socket.c:2064
 __do_sys_connect net/socket.c:2070 [inline]
 __se_sys_connect net/socket.c:2067 [inline]
 __arm64_sys_connect+0x7c/0x94 net/socket.c:2067
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
==================================================================
Unable to handle kernel paging request at virtual address dfff80000000013a
KASAN: null-ptr-deref in range [0x00000000000009d0-0x00000000000009d7]
Mem abort info:
  ESR = 0x0000000096000005
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x05: level 1 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
  CM = 0, WnR = 0, TnD = 0, TagAccess = 0
  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[dfff80000000013a] address between user and kernel address ranges
Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 UID: 0 PID: 6970 Comm: syz.4.87 Tainted: G B 6.14.0-rc6-syzkaller-ga5618886fdab #0
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
pstate: 40400005 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : raw_atomic_read include/linux/atomic/atomic-arch-fallback.h:457 [inline]
pc : atomic_read include/linux/atomic/atomic-instrumented.h:33 [inline]
pc : smc_tcp_syn_recv_sock+0x88/0x4b8 net/smc/af_smc.c:131
lr : instrument_atomic_read include/linux/instrumented.h:68 [inline]
lr : atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
lr : smc_tcp_syn_recv_sock+0x84/0x4b8 net/smc/af_smc.c:131
sp : ffff800080007260
x29: ffff800080007260 x28: 0000000000000000 x27: dfff800000000000
x26: 0000000000000000 x25: 00000000000009d4 x24: ffff0000d310c640
x23: ffff0000c8b94330 x22: ffff0000c8b94330 x21: ffff8000800073a0
x20: 0000000000000000 x19: ffff0000d68c6c00 x18: ffff800080006a08
x17: 0000000000000000 x16: ffff8000832bd8fc x15: 0000000000000001
x14: 1ffff0001262e8f8 x13: 0000000000000000 x12: 0000000000000000
x11: ffff70001262e8f9 x10: 0000000000ff0100 x9 : 0000000000000000
x8 : 000000000000013a x7 : 205b5d3331333231 x6 : ffff8000804aa598
x5 : 0000000000000000 x4 : 0000000000000001 x3 : ffff8000802f88ec
x2 : 0000000000000001 x1 : 0000000000000000 x0 : 0000000000000000
Call trace:
 raw_atomic_read include/linux/atomic/atomic-arch-fallback.h:457 [inline] (P)
 atomic_read include/linux/atomic/atomic-instrumented.h:33 [inline] (P)
 smc_tcp_syn_recv_sock+0x88/0x4b8 net/smc/af_smc.c:131 (P)
 tcp_check_req+0xd50/0x175c net/ipv4/tcp_minisocks.c:861
 tcp_v4_rcv+0x13e8/0x2b14 net/ipv4/tcp_ipv4.c:2274
 ip_protocol_deliver_rcu+0x1f8/0x484 net/ipv4/ip_input.c:205
 ip_local_deliver_finish+0x284/0x4f0 net/ipv4/ip_input.c:233
 NF_HOOK+0x328/0x3d4 include/linux/netfilter.h:314
 ip_local_deliver+0x120/0x194 net/ipv4/ip_input.c:254
 dst_input include/net/dst.h:469 [inline]
 ip_rcv_finish+0x220/0x24c net/ipv4/ip_input.c:447
 NF_HOOK+0x328/0x3d4 include/linux/netfilter.h:314
 ip_rcv+0x7c/0x9c net/ipv4/ip_input.c:567
 __netif_receive_skb_one_core net/core/dev.c:5893 [inline]
 __netif_receive_skb+0x18c/0x3c8 net/core/dev.c:6006
 process_backlog+0x640/0x123c net/core/dev.c:6354
 __napi_poll+0xb4/0x3fc net/core/dev.c:7188
 napi_poll net/core/dev.c:7257 [inline]
 net_rx_action+0x6a8/0xf4c net/core/dev.c:7379
 handle_softirqs+0x320/0xd34 kernel/softirq.c:561
 __do_softirq+0x14/0x20 kernel/softirq.c:595
 ____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:81
 call_on_irq_stack+0x24/0x4c arch/arm64/kernel/entry.S:891
 do_softirq_own_stack+0x20/0x2c arch/arm64/kernel/irq.c:86
 do_softirq+0x90/0xf8 kernel/softirq.c:462
 __local_bh_enable_ip+0x288/0x44c kernel/softirq.c:389
 local_bh_enable+0x28/0x34 include/linux/bottom_half.h:33
 rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline]
 __dev_queue_xmit+0x185c/0x35b4 net/core/dev.c:4676
 dev_queue_xmit include/linux/netdevice.h:3313 [inline]
 neigh_hh_output include/net/neighbour.h:523 [inline]
 neigh_output include/net/neighbour.h:537 [inline]
 ip_finish_output2+0xe34/0x1414 net/ipv4/ip_output.c:236
 __ip_finish_output+0x1b0/0x45c
 ip_finish_output+0x44/0x304 net/ipv4/ip_output.c:324
 NF_HOOK_COND include/linux/netfilter.h:303 [inline]
 ip_output+0x1a8/0x21c net/ipv4/ip_output.c:434
 dst_output include/net/dst.h:459 [inline]
 ip_local_out net/ipv4/ip_output.c:130 [inline]
 __ip_queue_xmit+0xd80/0x1780 net/ipv4/ip_output.c:528
 ip_queue_xmit+0x5c/0x78 net/ipv4/ip_output.c:542
 __tcp_transmit_skb+0x192c/0x3250 net/ipv4/tcp_output.c:1471
 __tcp_send_ack+0x248/0x518 net/ipv4/tcp_output.c:4275
 tcp_send_ack+0x4c/0x64 net/ipv4/tcp_output.c:4281
 tcp_rcv_synsent_state_process net/ipv4/tcp_input.c:6600 [inline]
 tcp_rcv_state_process+0x2480/0x3b84 net/ipv4/tcp_input.c:6794
 tcp_v4_do_rcv+0x71c/0xc44 net/ipv4/tcp_ipv4.c:1941
 sk_backlog_rcv include/net/sock.h:1122 [inline]
 __release_sock+0x1a8/0x3d8 net/core/sock.c:3123
 release_sock+0x68/0x1b8 net/core/sock.c:3677
 mptcp_connect+0x854/0xdac net/mptcp/protocol.c:3810
 __inet_stream_connect+0x208/0xc48 net/ipv4/af_inet.c:677
 inet_stream_connect+0x74/0xb0 net/ipv4/af_inet.c:748
 __sys_connect_file net/socket.c:2045 [inline]
 __sys_connect+0x260/0x294 net/socket.c:2064
 __do_sys_connect net/socket.c:2070 [inline]
 __se_sys_connect net/socket.c:2067 [inline]
 __arm64_sys_connect+0x7c/0x94 net/socket.c:2067
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
Code: aa1903e0 52800081 973140c1 d343ff28 (38fb6908)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	aa1903e0 	mov	x0, x25
   4:	52800081 	mov	w1, #0x4	// #4
   8:	973140c1 	bl	0xfffffffffcc5030c
   c:	d343ff28 	lsr	x8, x25, #3
* 10:	38fb6908 	ldrsb	w8, [x8, x27]	<-- trapping instruction