8<--- cut here ---
Unable to handle kernel NULL pointer dereference at virtual address 00000000 when write
[00000000] *pgd=85aa4003, *pmd=ec4f8003
Internal error: Oops: a05 [#1] SMP ARM
Modules linked in:
CPU: 0 UID: 0 PID: 5880 Comm: syz.1.596 Not tainted syzkaller #0 PREEMPT
Hardware name: ARM-Versatile Express
PC is at hlist_add_before_rcu include/linux/rculist.h:705 [inline]
PC is at __xfrm_state_insert+0x5d8/0x7bc net/xfrm/xfrm_state.c:1743
LR is at __list_add_valid include/linux/list.h:88 [inline]
LR is at __list_add include/linux/list.h:150 [inline]
LR is at list_add include/linux/list.h:169 [inline]
LR is at __xfrm_state_insert+0x34/0x7bc net/xfrm/xfrm_state.c:1725
pc : [<817fc7ec>]    lr : [<817fc248>]    psr: 80000113
sp : dfa39a10  ip : 84d40ed0  fp : dfa39a44
r10: 81e76010  r9 : 00000002  r8 : 857788c0
r7 : 857788c0  r6 : 83c7cd24  r5 : 85778000  r4 : 83c7cc80
r3 : 83c7cc94  r2 : 83c7ca00  r1 : 00000000  r0 : 00000000
Flags: Nzcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
Control: 30c5387d  Table: 85c8d6c0  DAC: fffffffd
Register r0 information: NULL pointer
Register r1 information: NULL pointer
Register r2 information: slab request_queue start 83c7ca00 pointer offset 0 size 640
Register r3 information: slab request_queue start 83c7cc80 pointer offset 20 size 640
Register r4 information: slab request_queue start 83c7cc80 pointer offset 0 size 640
Register r5 information: slab net_namespace start 85778000 pointer offset 0 size 3776
Register r6 information: slab request_queue start 83c7cc80 pointer offset 164 size 640
Register r7 information: slab net_namespace start 85778000 pointer offset 2240 size 3776
Register r8 information: slab net_namespace start 85778000 pointer offset 2240 size 3776
Register r9 information: non-paged memory
Register r10 information: non-slab/vmalloc memory
Register r11 information: 2-page vmalloc region starting at 0xdfa38000 allocated at kernel_clone+0xac/0x3ec kernel/fork.c:2605
Register r12 information: slab kmalloc-64 start 84d40ec0 pointer offset 16 size 64
Process syz.1.596 (pid: 5880, stack limit = 0xdfa38000)
Stack: (0xdfa39a10 to 0xdfa3a000)
9a00:                                     82c28944 85778b40 83c7cc80 85778b40
9a20: 83c7cc80 85778b40 83c7cc80 00000000 83c7cc80 83c7ccb4 dfa39a5c dfa39a48
9a40: 817fc9fc 817fc220 83c7ca00 00000001 dfa39a8c dfa39a60 817c6e04 817fc9dc
9a60: 00000004 00000002 817c6c54 83c7ca00 00000001 82c2894c 00000002 8243e310
9a80: dfa39acc dfa39a90 817f8df0 817c6c60 dfa39c40 81e77158 82c28944 dfa39c40
9aa0: 85bb8570 85bb8480 83c7ca00 dfa39b64 dfa39c40 85778000 85813880 822779ec
9ac0: dfa39b24 dfa39ad0 8180d3cc 817f8b38 83aa8c00 00000000 85bb8570 85bb8574
9ae0: 00000000 00000000 00000000 00000000 00000000 61ac0687 8097678c 85bb8480
9b00: 859dd840 8180cae0 81e77658 00000000 00000010 00000000 dfa39c3c dfa39b28
9b20: 81809ab8 8180caec 81e77824 00000000 dfa39c40 8280c960 81e77824 dfa39c40
9b40: 8022f794 802f63dc 83213214 00000001 80291da0 00000001 ddde3080 8280c960
9b60: dfa39b7c 00000000 00000000 00000000 85bb8570 00000000 00000000 00000000
9b80: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9ba0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9bc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9be0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9c00: 00000000 00000000 00000000 61ac0687 828ef98c 859dd840 81809980 85bb8480
9c20: 00000138 85778000 00000000 00000000 dfa39ccc dfa39c40 816718c0 8180998c
9c40: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9c60: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9c80: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9ca0: 00000000 00000000 00000000 61ac0687 85778b50 859dd840 84d37880 859dd840
9cc0: dfa39ce4 dfa39cd0 8180846c 8167180c 84234800 00000138 dfa39d1c dfa39ce8
9ce0: 8167108c 81808444 85d33c00 7fffffff 00000000 61ac0687 dfa39f20 859dd840
9d00: 00000138 85d33c00 00000000 00000000 dfa39d84 dfa39d20 81671374 81670ea8
9d20: 00000000 00000000 00000000 61ac0687 00000000 00000138 8551d800 00000000
9d40: 000002c9 00000000 00000000 00000000 80794b20 61ac0687 dfa39d84 00000000
9d60: dfa39f20 83555400 00000000 dfa39dc4 dfa39dc4 00000000 dfa39da4 dfa39d88
9d80: 81543070 816711b4 dfa39f20 00000000 83555400 00000000 dfa39e14 dfa39da8
9da0: 815443c4 81543038 dfa39e20 dfa39f30 00000000 00000000 dfa39e14 00000000
9dc0: 81546298 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9de0: 00000000 61ac0687 04004050 00000000 dfa39f20 83555400 00000000 00000000
9e00: 200035c0 dfa39e24 dfa39f14 dfa39e18 8154638c 81544138 00000000 83aa8c00
9e20: 00000000 20000ac0 00000138 00000000 00000000 00000000 00000000 00000000
9e40: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9e60: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9e80: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9ea0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9ee0: 00000000 61ac0687 dfa39f14 00000003 84ada541 200035c0 00000000 84ada540
9f00: 83aa8c00 00000128 dfa39f94 dfa39f18 81546824 815462fc 00000000 00000000
9f20: 00000000 00000000 00000000 00000000 00010000 00000138 20000ac0 00000000
9f40: 00000001 00000000 00000000 00000001 00000000 00000000 00000000 00000000
9f60: 00000000 00000000 ecac8b10 61ac0687 00000000 00000000 00000000 002f6308
9f80: 00000128 8020029c dfa39fa4 dfa39f98 8154688c 815467a4 00000000 dfa39fa8
9fa0: 80200060 81546884 00000000 00000000 00000003 200035c0 00000000 00000000
9fc0: 00000000 00000000 002f6308 00000128 002e0000 00000000 00006364 76fc20bc
9fe0: 76fc1ec0 76fc1eb0 0001948c 001322c0 60000010 00000003 00000000 00000000
Call trace:
[<817fc214>] (__xfrm_state_insert) from [<817fc9fc>] (xfrm_state_insert+0x2c/0x38 net/xfrm/xfrm_state.c:1795)
 r8:83c7ccb4 r7:83c7cc80 r6:00000000 r5:83c7cc80 r4:85778b40
[<817fc9d0>] (xfrm_state_insert) from [<817c6e04>] (ipcomp_tunnel_attach net/ipv4/ipcomp.c:113 [inline])
[<817fc9d0>] (xfrm_state_insert) from [<817c6e04>] (ipcomp4_init_state net/ipv4/ipcomp.c:144 [inline])
[<817fc9d0>] (xfrm_state_insert) from [<817c6e04>] (ipcomp4_init_state+0x1b0/0x26c net/ipv4/ipcomp.c:122)
 r5:00000001 r4:83c7ca00
[<817c6c54>] (ipcomp4_init_state) from [<817f8df0>] (__xfrm_init_state+0x2c4/0x550 net/xfrm/xfrm_state.c:3188)
 r9:8243e310 r8:00000002 r7:82c2894c r6:00000001 r5:83c7ca00 r4:817c6c54
[<817f8b2c>] (__xfrm_init_state) from [<8180d3cc>] (xfrm_state_construct net/xfrm/xfrm_user.c:954 [inline])
[<817f8b2c>] (__xfrm_init_state) from [<8180d3cc>] (xfrm_add_sa+0x8ec/0x171c net/xfrm/xfrm_user.c:1019)
 r10:822779ec r9:85813880 r8:85778000 r7:dfa39c40 r6:dfa39b64 r5:83c7ca00 r4:85bb8480
[<8180cae0>] (xfrm_add_sa) from [<81809ab8>] (xfrm_user_rcv_msg+0x138/0x2d0 net/xfrm/xfrm_user.c:3501)
 r10:00000000 r9:00000010 r8:00000000 r7:81e77658 r6:8180cae0 r5:859dd840 r4:85bb8480
[<81809980>] (xfrm_user_rcv_msg) from [<816718c0>] (netlink_rcv_skb+0xc0/0x120 net/netlink/af_netlink.c:2552)
 r10:00000000 r9:00000000 r8:85778000 r7:00000138 r6:85bb8480 r5:81809980 r4:859dd840
[<81671800>] (netlink_rcv_skb) from [<8180846c>] (xfrm_netlink_rcv+0x34/0x40 net/xfrm/xfrm_user.c:3523)
 r7:859dd840 r6:84d37880 r5:859dd840 r4:85778b50
[<81808438>] (xfrm_netlink_rcv) from [<8167108c>] (netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline])
[<81808438>] (xfrm_netlink_rcv) from [<8167108c>] (netlink_unicast+0x1f0/0x30c net/netlink/af_netlink.c:1346)
 r5:00000138 r4:84234800
[<81670e9c>] (netlink_unicast) from [<81671374>] (netlink_sendmsg+0x1cc/0x444 net/netlink/af_netlink.c:1896)
 r9:00000000 r8:00000000 r7:85d33c00 r6:00000138 r5:859dd840 r4:dfa39f20
[<816711a8>] (netlink_sendmsg) from [<81543070>] (sock_sendmsg_nosec net/socket.c:714 [inline])
[<816711a8>] (netlink_sendmsg) from [<81543070>] (__sock_sendmsg+0x44/0x78 net/socket.c:729)
 r10:00000000 r9:dfa39dc4 r8:dfa39dc4 r7:00000000 r6:83555400 r5:dfa39f20 r4:00000000
[<8154302c>] (__sock_sendmsg) from [<815443c4>] (____sys_sendmsg+0x298/0x2cc net/socket.c:2614)
 r7:00000000 r6:83555400 r5:00000000 r4:dfa39f20
[<8154412c>] (____sys_sendmsg) from [<8154638c>] (___sys_sendmsg+0x9c/0xd0 net/socket.c:2668)
 r10:dfa39e24 r9:200035c0 r8:00000000 r7:00000000 r6:83555400 r5:dfa39f20 r4:00000000
[<815462f0>] (___sys_sendmsg) from [<81546824>] (__sys_sendmsg+0x8c/0xe0 net/socket.c:2700)
 r10:00000128 r9:83aa8c00 r8:84ada540 r7:00000000 r6:200035c0 r5:84ada541 r4:00000003
[<81546798>] (__sys_sendmsg) from [<8154688c>] (__do_sys_sendmsg net/socket.c:2705 [inline])
[<81546798>] (__sys_sendmsg) from [<8154688c>] (sys_sendmsg+0x14/0x18 net/socket.c:2703)
 r8:8020029c r7:00000128 r6:002f6308 r5:00000000 r4:00000000
[<81546878>] (sys_sendmsg) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:67)
Exception stack(0xdfa39fa8 to 0xdfa39ff0)
9fa0:                   00000000 00000000 00000003 200035c0 00000000 00000000
9fc0: 00000000 00000000 002f6308 00000128 002e0000 00000000 00006364 76fc20bc
9fe0: 76fc1ec0 76fc1eb0 0001948c 001322c0
Code: e5840018 e5841014 f57ff05b e5941018 (e5813000)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	e5840018 	str	r0, [r4, #24]
   4:	e5841014 	str	r1, [r4, #20]
   8:	f57ff05b 	dmb	ish
   c:	e5941018 	ldr	r1, [r4, #24]
* 10:	e5813000 	str	r3, [r1] <-- trapping instruction