==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:68 [inline]
BUG: KASAN: null-ptr-deref in atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
BUG: KASAN: null-ptr-deref in smc_tcp_syn_recv_sock+0x84/0x574 net/smc/af_smc.c:134
Read of size 4 at addr 0000000000000acc by task syz.0.140/7581

CPU: 1 UID: 0 PID: 7581 Comm: syz.0.140 Not tainted syzkaller #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C)
 __dump_stack+0x30/0x40 lib/dump_stack.c:94
 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
 print_report+0x58/0x84 mm/kasan/report.c:485
 kasan_report+0xb0/0x110 mm/kasan/report.c:595
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:200
 __kasan_check_read+0x20/0x30 mm/kasan/shadow.c:31
 instrument_atomic_read include/linux/instrumented.h:68 [inline]
 atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
 smc_tcp_syn_recv_sock+0x84/0x574 net/smc/af_smc.c:134
 tcp_check_req+0xf6c/0x18e8 net/ipv4/tcp_minisocks.c:912
 tcp_v6_rcv+0xf50/0x2460 net/ipv6/tcp_ipv6.c:1845
 ip6_protocol_deliver_rcu+0x9a4/0x12d4 net/ipv6/ip6_input.c:438
 ip6_input_finish+0x154/0x350 net/ipv6/ip6_input.c:489
 NF_HOOK+0x2c4/0x358 include/linux/netfilter.h:318
 ip6_input+0x15c/0x270 net/ipv6/ip6_input.c:500
 dst_input include/net/dst.h:474 [inline]
 ip6_rcv_finish+0x1f0/0x21c net/ipv6/ip6_input.c:79
 NF_HOOK+0x2c4/0x358 include/linux/netfilter.h:318
 ipv6_rcv+0x9c/0xbc net/ipv6/ip6_input.c:311
 __netif_receive_skb_one_core net/core/dev.c:6079 [inline]
 __netif_receive_skb+0xcc/0x2a8 net/core/dev.c:6192
 process_backlog+0x60c/0x10e4 net/core/dev.c:6544
 __napi_poll+0xb4/0x310 net/core/dev.c:7594
 napi_poll net/core/dev.c:7657 [inline]
 net_rx_action+0x548/0xd00 net/core/dev.c:7784
 handle_softirqs+0x328/0xc88 kernel/softirq.c:622
 __do_softirq+0x14/0x20 kernel/softirq.c:656
 ____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:68
 call_on_irq_stack+0x30/0x48 arch/arm64/kernel/entry.S:891
 do_softirq_own_stack+0x20/0x2c arch/arm64/kernel/irq.c:73
 do_softirq+0x90/0xf8 kernel/softirq.c:523
 __local_bh_enable_ip+0x240/0x35c kernel/softirq.c:450
 local_bh_enable+0x28/0x34 include/linux/bottom_half.h:33
 rcu_read_unlock_bh include/linux/rcupdate.h:936 [inline]
 __dev_queue_xmit+0x17ac/0x32a8 net/core/dev.c:4790
 dev_queue_xmit include/linux/netdevice.h:3365 [inline]
 neigh_hh_output include/net/neighbour.h:531 [inline]
 neigh_output include/net/neighbour.h:545 [inline]
 ip6_finish_output2+0x1150/0x1a78 net/ipv6/ip6_output.c:136
 __ip6_finish_output net/ipv6/ip6_output.c:-1 [inline]
 ip6_finish_output+0x418/0x7b4 net/ipv6/ip6_output.c:220
 NF_HOOK_COND include/linux/netfilter.h:307 [inline]
 ip6_output+0x2c8/0x640 net/ipv6/ip6_output.c:247
 dst_output include/net/dst.h:464 [inline]
 NF_HOOK include/linux/netfilter.h:318 [inline]
 ip6_xmit+0x1134/0x1a20 net/ipv6/ip6_output.c:371
 inet6_csk_xmit+0x454/0x66c net/ipv6/inet6_connection_sock.c:120
 __tcp_transmit_skb+0x1a34/0x3214 net/ipv4/tcp_output.c:1628
 tcp_transmit_skb net/ipv4/tcp_output.c:1646 [inline]
 tcp_write_xmit+0x159c/0x52a4 net/ipv4/tcp_output.c:2999
 __tcp_push_pending_frames net/ipv4/tcp_output.c:3182 [inline]
 tcp_send_fin+0x620/0xc08 net/ipv4/tcp_output.c:3800
 __tcp_close+0x558/0xf68 net/ipv4/tcp.c:3207
 tcp_close+0x38/0x144 net/ipv4/tcp.c:3298
 inet_release+0x154/0x1d0 net/ipv4/af_inet.c:437
 inet6_release+0x5c/0x78 net/ipv6/af_inet6.c:487
 __sock_release net/socket.c:662 [inline]
 sock_close+0xa0/0x1e4 net/socket.c:1455
 __fput+0x340/0x75c fs/file_table.c:468
 ____fput+0x20/0x58 fs/file_table.c:496
 task_work_run+0x1dc/0x260 kernel/task_work.c:227
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 exit_to_user_mode_loop+0xfc/0x178 kernel/entry/common.c:43
 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
 arm64_exit_to_user_mode arch/arm64/kernel/entry-common.c:81 [inline]
 el0_svc+0x170/0x254 arch/arm64/kernel/entry-common.c:725
 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:743
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
==================================================================
Unable to handle kernel paging request at virtual address dfff800000000159
KASAN: null-ptr-deref in range [0x0000000000000ac8-0x0000000000000acf]
Mem abort info:
  ESR = 0x0000000096000005
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x05: level 1 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
  CM = 0, WnR = 0, TnD = 0, TagAccess = 0
  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[dfff800000000159] address between user and kernel address ranges
Internal error: Oops: 0000000096000005 [#1] SMP
Modules linked in:
CPU: 1 UID: 0 PID: 7581 Comm: syz.0.140 Tainted: G B syzkaller #0 PREEMPT
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025
pstate: 43400005 (nZcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : raw_atomic_read include/linux/atomic/atomic-arch-fallback.h:457 [inline]
pc : atomic_read include/linux/atomic/atomic-instrumented.h:33 [inline]
pc : smc_tcp_syn_recv_sock+0x88/0x574 net/smc/af_smc.c:134
lr : instrument_atomic_read include/linux/instrumented.h:68 [inline]
lr : atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
lr : smc_tcp_syn_recv_sock+0x84/0x574 net/smc/af_smc.c:134
sp : ffff800097967340
x29: ffff800097967340 x28: 0000000000000000 x27: dfff800000000000
x26: 0000000000000000 x25: 0000000000000acc x24: ffff0000ca40b770
x23: ffff0000dd5f2b60 x22: ffff0000dd5f2b60 x21: ffff800097967480
x20: 0000000000000000 x19: ffff0000c7bf3600 x18: 0000000000000000
x17: 3d3d3d3d3d3d3d3d x16: ffff800082defcc0 x15: 0000000000000001
x14: 1ffff000125d3514 x13: 0000000000000000 x12: 0000000000000000
x11: ffff7000125d3515 x10: 0000000000ff0100 x9 : 0000000000000000
x8 : 0000000000000159 x7 : 0000000000000001 x6 : ffff800080565b88
x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff8000803c104c
x2 : 0000000000000001 x1 : 0000000000000000 x0 : 0000000000000000
Call trace:
 raw_atomic_read include/linux/atomic/atomic-arch-fallback.h:457 [inline] (P)
 atomic_read include/linux/atomic/atomic-instrumented.h:33 [inline] (P)
 smc_tcp_syn_recv_sock+0x88/0x574 net/smc/af_smc.c:134 (P)
 tcp_check_req+0xf6c/0x18e8 net/ipv4/tcp_minisocks.c:912
 tcp_v6_rcv+0xf50/0x2460 net/ipv6/tcp_ipv6.c:1845
 ip6_protocol_deliver_rcu+0x9a4/0x12d4 net/ipv6/ip6_input.c:438
 ip6_input_finish+0x154/0x350 net/ipv6/ip6_input.c:489
 NF_HOOK+0x2c4/0x358 include/linux/netfilter.h:318
 ip6_input+0x15c/0x270 net/ipv6/ip6_input.c:500
 dst_input include/net/dst.h:474 [inline]
 ip6_rcv_finish+0x1f0/0x21c net/ipv6/ip6_input.c:79
 NF_HOOK+0x2c4/0x358 include/linux/netfilter.h:318
 ipv6_rcv+0x9c/0xbc net/ipv6/ip6_input.c:311
 __netif_receive_skb_one_core net/core/dev.c:6079 [inline]
 __netif_receive_skb+0xcc/0x2a8 net/core/dev.c:6192
 process_backlog+0x60c/0x10e4 net/core/dev.c:6544
 __napi_poll+0xb4/0x310 net/core/dev.c:7594
 napi_poll net/core/dev.c:7657 [inline]
 net_rx_action+0x548/0xd00 net/core/dev.c:7784
 handle_softirqs+0x328/0xc88 kernel/softirq.c:622
 __do_softirq+0x14/0x20 kernel/softirq.c:656
 ____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:68
 call_on_irq_stack+0x30/0x48 arch/arm64/kernel/entry.S:891
 do_softirq_own_stack+0x20/0x2c arch/arm64/kernel/irq.c:73
 do_softirq+0x90/0xf8 kernel/softirq.c:523
 __local_bh_enable_ip+0x240/0x35c kernel/softirq.c:450
 local_bh_enable+0x28/0x34 include/linux/bottom_half.h:33
 rcu_read_unlock_bh include/linux/rcupdate.h:936 [inline]
 __dev_queue_xmit+0x17ac/0x32a8 net/core/dev.c:4790
 dev_queue_xmit include/linux/netdevice.h:3365 [inline]
 neigh_hh_output include/net/neighbour.h:531 [inline]
 neigh_output include/net/neighbour.h:545 [inline]
 ip6_finish_output2+0x1150/0x1a78 net/ipv6/ip6_output.c:136
 __ip6_finish_output net/ipv6/ip6_output.c:-1 [inline]
 ip6_finish_output+0x418/0x7b4 net/ipv6/ip6_output.c:220
 NF_HOOK_COND include/linux/netfilter.h:307 [inline]
 ip6_output+0x2c8/0x640 net/ipv6/ip6_output.c:247
 dst_output include/net/dst.h:464 [inline]
 NF_HOOK include/linux/netfilter.h:318 [inline]
 ip6_xmit+0x1134/0x1a20 net/ipv6/ip6_output.c:371
 inet6_csk_xmit+0x454/0x66c net/ipv6/inet6_connection_sock.c:120
 __tcp_transmit_skb+0x1a34/0x3214 net/ipv4/tcp_output.c:1628
 tcp_transmit_skb net/ipv4/tcp_output.c:1646 [inline]
 tcp_write_xmit+0x159c/0x52a4 net/ipv4/tcp_output.c:2999
 __tcp_push_pending_frames net/ipv4/tcp_output.c:3182 [inline]
 tcp_send_fin+0x620/0xc08 net/ipv4/tcp_output.c:3800
 __tcp_close+0x558/0xf68 net/ipv4/tcp.c:3207
 tcp_close+0x38/0x144 net/ipv4/tcp.c:3298
 inet_release+0x154/0x1d0 net/ipv4/af_inet.c:437
 inet6_release+0x5c/0x78 net/ipv6/af_inet6.c:487
 __sock_release net/socket.c:662 [inline]
 sock_close+0xa0/0x1e4 net/socket.c:1455
 __fput+0x340/0x75c fs/file_table.c:468
 ____fput+0x20/0x58 fs/file_table.c:496
 task_work_run+0x1dc/0x260 kernel/task_work.c:227
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 exit_to_user_mode_loop+0xfc/0x178 kernel/entry/common.c:43
 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
 arm64_exit_to_user_mode arch/arm64/kernel/entry-common.c:81 [inline]
 el0_svc+0x170/0x254 arch/arm64/kernel/entry-common.c:725
 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:743
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
Code: 52800081 aa1903e0 9761b9ba d343ff28 (38fb6908)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:   52800081        mov     w1, #0x4                        // #4
   4:   aa1903e0        mov     x0, x25
   8:   9761b9ba        bl      0xfffffffffd86e6f0
   c:   d343ff28        lsr     x8, x25, #3
* 10:   38fb6908        ldrsb   w8, [x8, x27] // <-- trapping instruction