Unable to handle kernel paging request at virtual address dfff800000000000 KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] Mem abort info: ESR = 0x0000000096000006 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x06: level 2 translation fault Data abort info: ISV = 0, ISS = 0x00000006 CM = 0, WnR = 0 [dfff800000000000] address between user and kernel address ranges Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP Modules linked in: CPU: 0 PID: 13334 Comm: dhcpcd-run-hook Not tainted 6.1.147-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 pstate: 40400005 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : dequeue_head net/sched/sch_fq_codel.c:120 [inline] pc : fq_codel_drop net/sched/sch_fq_codel.c:168 [inline] pc : fq_codel_enqueue+0x79c/0xf38 net/sched/sch_fq_codel.c:230 lr : fq_codel_drop net/sched/sch_fq_codel.c:162 [inline] lr : fq_codel_enqueue+0x728/0xf38 net/sched/sch_fq_codel.c:230 sp : ffff8000080074a0 x29: ffff8000080075a0 x28: 0000000000000000 x27: 0000000000000000 x26: 0000000000000000 x25: 0000000000000001 x24: ffff0000f4a89400 x23: 0000000000000000 x22: ffff0000fc1422d0 x21: ffff800008007860 x20: dfff800000000000 x19: 0000000000000000 x18: 0000000031cc1f58 x17: ffff8000181e7000 x16: ffff8000082d2374 x15: ffff800017cc7fc0 x14: ffff0000d6480a98 x13: 1ffff00002a160b1 x12: 0000000000ff0100 x11: ff0080000ff9d370 x10: 0000000000000000 x9 : 1fffe0001e951280 x8 : 0000000000000000 x7 : ffff8000083b9874 x6 : 0000000000000000 x5 : 0000000000000080 x4 : 0000000000000001 x3 : 0000000000000000 x2 : ffff0000fc142328 x1 : 0000000000000000 x0 : 0000000000000000 Call trace: dequeue_head net/sched/sch_fq_codel.c:120 [inline] fq_codel_drop net/sched/sch_fq_codel.c:168 [inline] fq_codel_enqueue+0x79c/0xf38 net/sched/sch_fq_codel.c:230 qdisc_enqueue include/net/sch_generic.h:816 [inline] sfb_enqueue+0x794/0x1294 net/sched/sch_sfb.c:405 dev_qdisc_enqueue+0x5c/0x38c net/core/dev.c:3863 __dev_xmit_skb net/core/dev.c:3952 [inline] __dev_queue_xmit+0xad0/0x309c net/core/dev.c:4300 dev_queue_xmit include/linux/netdevice.h:3051 [inline] tipc_l2_send_msg+0x29c/0x35c net/tipc/bearer.c:518 tipc_bearer_xmit_skb+0x244/0x384 net/tipc/bearer.c:577 tipc_disc_timeout+0x4c8/0x608 net/tipc/discover.c:338 call_timer_fn+0x1b8/0x964 kernel/time/timer.c:1504 expire_timers kernel/time/timer.c:1549 [inline] __run_timers+0x460/0x6bc kernel/time/timer.c:1820 run_timer_softirq+0x7c/0x114 kernel/time/timer.c:1833 handle_softirqs+0x318/0xc6c kernel/softirq.c:596 __do_softirq+0x14/0x20 kernel/softirq.c:630 ____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:80 call_on_irq_stack+0x24/0x30 arch/arm64/kernel/entry.S:849 do_softirq_own_stack+0x20/0x2c arch/arm64/kernel/irq.c:85 invoke_softirq kernel/softirq.c:477 [inline] __irq_exit_rcu+0x23c/0x43c kernel/softirq.c:679 irq_exit_rcu+0x14/0x84 kernel/softirq.c:691 __el1_irq arch/arm64/kernel/entry-common.c:472 [inline] el1_interrupt+0x38/0x54 arch/arm64/kernel/entry-common.c:486 el1h_64_irq_handler+0x18/0x24 arch/arm64/kernel/entry-common.c:491 el1h_64_irq+0x64/0x68 arch/arm64/kernel/entry.S:581 mas_start lib/maple_tree.c:1401 [inline] mas_state_walk lib/maple_tree.c:3894 [inline] mt_find+0x368/0x7d0 lib/maple_tree.c:6537 find_vma+0x120/0x1a8 mm/mmap.c:1894 lock_mm_and_find_vma+0x74/0x2e8 mm/memory.c:5387 do_page_fault+0x2c0/0x99c arch/arm64/mm/fault.c:577 do_translation_fault+0x94/0xc8 arch/arm64/mm/fault.c:667 do_mem_abort+0x70/0x194 arch/arm64/mm/fault.c:803 el0_ia+0xa4/0x1e8 arch/arm64/kernel/entry-common.c:533 el0t_64_sync_handler+0xd8/0xf0 arch/arm64/kernel/entry-common.c:661 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585 Code: aa1803e0 9624e4c0 f9400317 d343fee8 (38746908) ---[ end trace 0000000000000000 ]--- ---------------- Code disassembly (best guess): 0: aa1803e0 mov x0, x24 4: 9624e4c0 bl 0xfffffffff8939304 8: f9400317 ldr x23, [x24] c: d343fee8 lsr x8, x23, #3 * 10: 38746908 ldrb w8, [x8, x20] <-- trapping instruction