BUG: unable to handle kernel NULL pointer dereference at 0000000000000080 IP: [<ffffffff835a355c>] l2tp_session_free+0x11c/0x200 net/l2tp/l2tp_core.c:1671 PGD 1cbffe067 PUD 1da21c067 PMD 0 Oops: 0002 [#1] PREEMPT SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 1 PID: 3856 Comm: syz-executor014 Not tainted 4.4.147-ga5fc665 #16 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 task: ffff8800bb8bc800 task.stack: ffff8801c7f10000 RIP: 0010:[<ffffffff835a355c>] [<ffffffff835a355c>] l2tp_session_free+0x11c/0x200 net/l2tp/l2tp_core.c:1671 RSP: 0018:ffff8801db307af0 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: ffff8801d0da6500 RCX: 0000000000000000 RDX: 1ffff1003a34ec80 RSI: ffffffff835a3531 RDI: ffff8801d1a76400 RBP: ffff8801db307b10 R08: ffff8800bb8bd100 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801d1a76280 R13: ffff8801d0da6508 R14: 0000000000000000 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff8801db300000(0063) knlGS:00000000093b2840 CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 CR2: 0000000000000080 CR3: 00000001cbfff000 CR4: 00000000001606f0 Stack: ffff8800ba917700 ffff8801d0da6500 ffff8800ba917ad0 ffffffff8348b71e ffff8801db307b38 ffffffff835acfd7 ffff8800ba917700 ffffffff835acf00 ffff8800b3b93ba0 ffff8801db307b60 ffffffff82f34a2c ffff8800ba917700 Call Trace: <IRQ> [<ffffffff835acfd7>] l2tp_session_dec_refcount_1 net/l2tp/l2tp_core.h:293 [inline] [<ffffffff835acfd7>] pppol2tp_session_destruct+0xd7/0x110 net/l2tp/l2tp_ppp.c:477 [<ffffffff82f34a2c>] sk_destruct+0x4c/0x4c0 net/core/sock.c:1447 [<ffffffff82f34eef>] __sk_free+0x4f/0x220 net/core/sock.c:1480 [<ffffffff82f36e83>] sock_wfree+0x103/0x140 net/core/sock.c:1667 [<ffffffff82f3ab03>] skb_release_head_state+0x103/0x210 net/core/skbuff.c:646 [<ffffffff82f3c9e5>] skb_release_all+0x15/0x60 net/core/skbuff.c:659 [<ffffffff82f3ca45>] __kfree_skb+0x15/0x20 net/core/skbuff.c:675 [<ffffffff82f3cb47>] kfree_skb+0xf7/0x3e0 net/core/skbuff.c:696 [<ffffffff8348b71e>] ndisc_error_report+0xbe/0x1a0 net/ipv6/ndisc.c:657 [<ffffffff82fa6934>] neigh_invalidate+0x234/0x530 net/core/neighbour.c:855 [<ffffffff82fabd58>] neigh_timer_handler+0x838/0xa50 net/core/neighbour.c:941 [<ffffffff81292d5c>] call_timer_fn+0x18c/0x870 kernel/time/timer.c:1185 [<ffffffff81293a82>] __run_timers kernel/time/timer.c:1261 [inline] [<ffffffff81293a82>] run_timer_softirq+0x642/0xb90 kernel/time/timer.c:1444 [<ffffffff838cc17c>] __do_softirq+0x22c/0xa1a kernel/softirq.c:273 [<ffffffff81141a8d>] invoke_softirq kernel/softirq.c:350 [inline] [<ffffffff81141a8d>] irq_exit+0x10d/0x140 kernel/softirq.c:391 [<ffffffff838cb8e1>] exiting_irq arch/x86/include/asm/apic.h:652 [inline] [<ffffffff838cb8e1>] smp_apic_timer_interrupt+0x81/0xa0 arch/x86/kernel/apic/apic.c:926 [<ffffffff838ca820>] apic_timer_interrupt+0xa0/0xb0 arch/x86/entry/entry_64.S:741 <EOI> [<ffffffff8121c6a6>] spin_unlock_irqrestore include/linux/spinlock.h:362 [inline] [<ffffffff8121c6a6>] add_wait_queue+0x76/0xa0 kernel/sched/wait.c:30 [<ffffffff8113c925>] do_wait+0x1b5/0xa30 kernel/exit.c:1493 [<ffffffff8113da4b>] SYSC_wait4 kernel/exit.c:1641 [inline] [<ffffffff8113da4b>] SyS_wait4+0x12b/0x1f0 kernel/exit.c:1606 [<ffffffff812f8477>] C_SYSC_wait4+0x237/0x280 kernel/compat.c:543 [<ffffffff812f882c>] compat_SyS_wait4+0x2c/0x40 kernel/compat.c:536 [<ffffffff81117565>] sys32_waitpid+0x25/0x30 arch/x86/ia32/sys_ia32.c:172 [<ffffffff81006d94>] do_syscall_32_irqs_on arch/x86/entry/common.c:393 [inline] [<ffffffff81006d94>] do_fast_syscall_32+0x324/0x8b0 arch/x86/entry/common.c:460 [<ffffffff838ca5c3>] sysenter_flags_fixed+0xd/0x1a Code: 49 8d bc 24 80 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 d0 00 00 00 4d 8b b4 24 80 01 00 00 <f0> 41 ff 8e 80 00 00 00 74 64 e8 55 02 db fd e8 50 02 db fd 4c RIP [<ffffffff835a355c>] l2tp_session_free+0x11c/0x200 net/l2tp/l2tp_core.c:1671 RSP <ffff8801db307af0> CR2: 0000000000000080 ---[ end trace b0dc6d5fc9a1ebcb ]---