program:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r1, 0x8933, &(0x7f0000000040)={'batadv_slave_1\x00', 0x0})
sendmsg$nl_route(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000d80)=@ipv4_newaddr={0x20, 0x14, 0x509, 0x0, 0x0, {0x2, 0x1, 0x0, 0xff, r2}, [@IFA_LOCAL={0x8, 0x2, @multicast2}]}, 0x20}}, 0x0) (async)
sendmsg$nl_route(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000d80)=@ipv4_newaddr={0x20, 0x14, 0x509, 0x0, 0x0, {0x2, 0x1, 0x0, 0xff, r2}, [@IFA_LOCAL={0x8, 0x2, @multicast2}]}, 0x20}}, 0x0)
r3 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$TIOCSETD(r3, 0x5423, &(0x7f00000000c0)=0xf) (async)
ioctl$TIOCSETD(r3, 0x5423, &(0x7f00000000c0)=0xf)
fcntl$dupfd(r3, 0x0, r3) (async)
r4 = fcntl$dupfd(r3, 0x0, r3)
ioctl$TCFLSH(r4, 0x400455c8, 0x2) (async)
ioctl$TCFLSH(r4, 0x400455c8, 0x2)
ioctl$TIOCSETD(r4, 0x5412, &(0x7f0000000140)=0xffffffc0)
ioctl$TIOCSTI(r4, 0x5412, &(0x7f0000000100)=0xdb) (async)
ioctl$TIOCSTI(r4, 0x5412, &(0x7f0000000100)=0xdb)
setsockopt$MRT6_ASSERT(r4, 0x29, 0xcf, &(0x7f0000000140), 0x4)
r5 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180), 0x2, 0x0)
r6 = ioctl$KVM_CREATE_VM(r5, 0xae01, 0x0)
r7 = ioctl$KVM_CREATE_VCPU(r6, 0xae41, 0x2)
ioctl$KVM_GET_MSRS_cpu(r7, 0xc008ae88, &(0x7f0000000140)={0x1, 0x0, [{0x40000086, 0x0, 0x6}]})
r8 = socket$inet_sctp(0x2, 0x5, 0x84)
bind$inet(r8, &(0x7f0000000080)={0x2, 0x4e22, @empty}, 0x10)
connect$inet(r8, &(0x7f0000000040)={0x2, 0x4e22, @local}, 0x10) (async)
connect$inet(r8, &(0x7f0000000040)={0x2, 0x4e22, @local}, 0x10)
openat$sysctl(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net/ipv4/tcp_timestamps\x00', 0x1, 0x0)

[ 74.829617][ T5314] Bluetooth: hci0: command tx timeout
[ 74.940287][ T5336] Oops: general protection fault, probably for non-canonical address 0xdffffc000000005f: 0000 [#1] SMP KASAN NOPTI
[ 74.945602][ T5336] KASAN: null-ptr-deref in range [0x00000000000002f8-0x00000000000002ff]
[ 74.949014][ T5336] CPU: 0 UID: 0 PID: 5336 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 74.952469][ T5336] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 74.956564][ T5336] RIP: 0010:h5_recv+0x136/0x850
[ 74.958781][ T5336] Code: 03 48 89 44 24 50 48 89 4c 24 10 48 c1 e9 03 48 89 4c 24 20 48 89 d8 48 c1 e8 03 48 89 44 24 48 4c 89 64 24 58 48 8b 44 24 28 <42> 80 3c 30 00 74 08 4c 89 ef e8 3b 97 d2 f9 4d 8b 65 00 31 ff 4c
[ 74.966181][ T5336] RSP: 0018:ffffc9000d1efc40 EFLAGS: 00010202
[ 74.968611][ T5336] RAX: 000000000000005f RBX: 00000000000002e8 RCX: 000000000000005e
[ 74.971830][ T5336] RDX: 000000000000005f RSI: 0000000000000001 RDI: 0000000000000000
[ 74.974815][ T5336] RBP: ffffc9000d1efd60 R08: ffff888033dbb81f R09: 1ffff110067b7703
[ 74.977955][ T5336] R10: dffffc0000000000 R11: ffffffff88589630 R12: ffff888033dbb810
[ 74.981156][ T5336] R13: 00000000000002f8 R14: dffffc0000000000 R15: ffffc9000d1efe00
[ 74.984374][ T5336] FS: 00007f685f2ce6c0(0000) GS:ffff88808cf1d000(0000) knlGS:0000000000000000
[ 74.988511][ T5336] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 74.991292][ T5336] CR2: 00007f685f2cdff0 CR3: 0000000012a9d000 CR4: 0000000000352ef0
[ 74.994593][ T5336] Call Trace:
[ 74.995968][ T5336]
[ 74.997232][ T5336] ? __pfx_h5_recv+0x10/0x10
[ 74.999098][ T5336] hci_uart_tty_receive+0x194/0x220
[ 75.001356][ T5336] ? __pfx_hci_uart_tty_receive+0x10/0x10
[ 75.003723][ T5336] tiocsti+0x218/0x2a0
[ 75.005539][ T5336] ? __pfx_tiocsti+0x10/0x10
[ 75.007399][ T5336] ? __fget_files+0x2a/0x420
[ 75.009336][ T5336] ? __fget_files+0x3a0/0x420
[ 75.011290][ T5336] ? __fget_files+0x2a/0x420
[ 75.013128][ T5336] tty_ioctl+0x626/0xde0
[ 75.014912][ T5336] ? __pfx_tty_ioctl+0x10/0x10
[ 75.016811][ T5336] __se_sys_ioctl+0xfc/0x170
[ 75.018841][ T5336] do_syscall_64+0xe2/0xf80
[ 75.020753][ T5336] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 75.023542][ T5336] ? trace_irq_disable+0x37/0x100
[ 75.025671][ T5336] ? clear_bhb_loop+0x60/0xb0
[ 75.027656][ T5336] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 75.030169][ T5336] RIP: 0033:0x7f685e39acb9
[ 75.032092][ T5336] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[ 75.039802][ T5336] RSP: 002b:00007f685f2ce028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 75.043553][ T5336] RAX: ffffffffffffffda RBX: 00007f685e616090 RCX: 00007f685e39acb9
[ 75.046969][ T5336] RDX: 0000200000000140 RSI: 0000000000005412 RDI: 0000000000000007
[ 75.050211][ T5336] RBP: 00007f685e408bf7 R08: 0000000000000000 R09: 0000000000000000
[ 75.053371][ T5336] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 75.056827][ T5336] R13: 00007f685e616128 R14: 00007f685e616090 R15: 00007ffef6841068
[ 75.060549][ T5336]
[ 75.062088][ T5336] Modules linked in:
[ 75.064762][ T5336] ---[ end trace 0000000000000000 ]---
[ 75.148854][ T5336] RIP: 0010:h5_recv+0x136/0x850
[ 75.151227][ T5336] Code: 03 48 89 44 24 50 48 89 4c 24 10 48 c1 e9 03 48 89 4c 24 20 48 89 d8 48 c1 e8 03 48 89 44 24 48 4c 89 64 24 58 48 8b 44 24 28 <42> 80 3c 30 00 74 08 4c 89 ef e8 3b 97 d2 f9 4d 8b 65 00 31 ff 4c
[ 75.160476][ T5336] RSP: 0018:ffffc9000d1efc40 EFLAGS: 00010202
[ 75.163024][ T5336] RAX: 000000000000005f RBX: 00000000000002e8 RCX: 000000000000005e
[ 75.167631][ T5336] RDX: 000000000000005f RSI: 0000000000000001 RDI: 0000000000000000
[ 75.170978][ T5336] RBP: ffffc9000d1efd60 R08: ffff888033dbb81f R09: 1ffff110067b7703
[ 75.175076][ T5336] R10: dffffc0000000000 R11: ffffffff88589630 R12: ffff888033dbb810
[ 75.178423][ T5336] R13: 00000000000002f8 R14: dffffc0000000000 R15: ffffc9000d1efe00
[ 75.181971][ T5336] FS: 00007f685f2ce6c0(0000) GS:ffff88808cf1d000(0000) knlGS:0000000000000000
[ 75.186686][ T5336] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 75.189259][ T5336] CR2: 00007f685f2acff8 CR3: 0000000012a9d000 CR4: 0000000000352ef0
[ 75.192945][ T5336] Kernel panic - not syncing: Fatal exception
[ 75.195739][ T5336] Kernel Offset: disabled
[ 75.197592][ T5336] Rebooting in 86400 seconds..