BUG: kernel NULL pointer dereference, address: 0000000000000649
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 800000004923b067 P4D 800000004923b067 PUD 0
Oops: Oops: 0002 [#1] SMP KASAN PTI
CPU: 1 UID: 0 PID: 16231 Comm: syz-executor Not tainted 6.16.0-syzkaller-06600-g1dbf1d590d10 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:llc_ui_setsockopt+0x4e1/0x5f0 net/llc/af_llc.c:-1
Code: aa f8 eb 4b e8 70 7b 47 f8 4c 6b f3 64 49 8d 9f a0 06 00 00 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 2f 9f aa f8 <4c> 89 33 eb 23 e8 45 7b 47 f8 4d 8d b7 0d 07 00 00 4c 89 f0 48 c1
RSP: 0000:ffffc90000a08b98 EFLAGS: 00010246
RAX: 00000000000000c9 RBX: 0000000000000649 RCX: ffff888076811e00
RDX: 0000000000000100 RSI: ffffffff8be309e0 RDI: ffff88805a4af010
RBP: ffffc90000a08c90 R08: ffffffff8fa07bf7 R09: 1ffffffff1f40f7e
R10: dffffc0000000000 R11: ffffffff89783460 R12: 1ffff92000141178
R13: ffff88805a4af010 R14: 0000000000000001 R15: 0000000000000001
FS: 000055556fab3500(0000) GS:ffff888125d80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000649 CR3: 00000000752aa000 CR4: 00000000003526f0
Call Trace:
expire_timers kernel/time/timer.c:1798 [inline]
__run_timers kernel/time/timer.c:2372 [inline]
__run_timer_base+0x61a/0x860 kernel/time/timer.c:2384
run_timer_base kernel/time/timer.c:2393 [inline]
run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403
handle_softirqs+0x283/0x870 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:should_fail_ex+0x4/0x560 lib/fault-inject.c:125
Code: 8d 8e 4c 89 f2 31 c9 e8 ba b1 ca ff e9 75 fe ff ff 0f 1f 44 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 <55> 41 57 41 56 41 55 41 54 53 48 83 ec 18 89 14 24 49 89 f6 48 89
RSP: 0000:ffffc9001253f748 EFLAGS: 00000293
RAX: 0000000000000001 RBX: ffffc9001253f800 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffffffff8e25d160
RBP: 0000000000000001 R08: 0000000000000000 R09: ffffffff8215895d
R10: ffffc9001253f800 R11: fffff520024a7f05 R12: 1ffff920024a7efb
R13: 0000000000140cca R14: 0000000000000008 R15: 1ffff920024a7f00
prepare_alloc_pages+0x213/0x610 mm/page_alloc.c:4734
__alloc_frozen_pages_noprof+0x123/0x370 mm/page_alloc.c:4948
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2419
folio_alloc_mpol_noprof mm/mempolicy.c:2438 [inline]
vma_alloc_folio_noprof+0xe4/0x200 mm/mempolicy.c:2473
folio_prealloc+0x30/0x180 mm/memory.c:-1
wp_page_copy mm/memory.c:3587 [inline]
do_wp_page+0x1231/0x5800 mm/memory.c:4048
handle_pte_fault mm/memory.c:6103 [inline]
__handle_mm_fault+0x1144/0x5620 mm/memory.c:6230
handle_mm_fault+0x40a/0x8e0 mm/memory.c:6399
do_user_addr_fault+0xa81/0x1390 arch/x86/mm/fault.c:1336
handle_page_fault arch/x86/mm/fault.c:1476 [inline]
exc_page_fault+0x76/0xf0 arch/x86/mm/fault.c:1532
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0033:0x7f1b847b6921
Code: d7 eb b2 66 0f 1f 44 00 00 64 48 8b 0c 25 10 00 00 00 8b 91 08 03 00 00 48 8d b9 08 03 00 00 89 d6 83 ce 02 39 d6 74 21 89 d0 0f b1 37 89 c6 75 1b 83 e2 3b 83 ca 02 83 fa 0a 74 14 89 f0 c3
RSP: 002b:00007ffdc509dee8 EFLAGS: 00010202
RAX: 0000000000000000 RBX: 0000000000000062 RCX: 000055556fab3500
RDX: 0000000000000000 RSI: 0000000000000002 RDI: 000055556fab3808
RBP: 00007ffdc509df9c R08: 000000002aea3391 R09: 7fffffffffffffff
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000001f
R13: 00000000000927c0 R14: 000000000005c75f R15: 00007ffdc509dff0
Modules linked in:
CR2: 0000000000000649
---[ end trace 0000000000000000 ]---
RIP: 0010:llc_ui_setsockopt+0x4e1/0x5f0 net/llc/af_llc.c:-1
Code: aa f8 eb 4b e8 70 7b 47 f8 4c 6b f3 64 49 8d 9f a0 06 00 00 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 2f 9f aa f8 <4c> 89 33 eb 23 e8 45 7b 47 f8 4d 8d b7 0d 07 00 00 4c 89 f0 48 c1
RSP: 0000:ffffc90000a08b98 EFLAGS: 00010246
RAX: 00000000000000c9 RBX: 0000000000000649 RCX: ffff888076811e00
RDX: 0000000000000100 RSI: ffffffff8be309e0 RDI: ffff88805a4af010
RBP: ffffc90000a08c90 R08: ffffffff8fa07bf7 R09: 1ffffffff1f40f7e
R10: dffffc0000000000 R11: ffffffff89783460 R12: 1ffff92000141178
R13: ffff88805a4af010 R14: 0000000000000001 R15: 0000000000000001
FS: 000055556fab3500(0000) GS:ffff888125d80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000649 CR3: 00000000752aa000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
0: aa stos %al,%es:(%rdi)
1: f8 clc
2: eb 4b jmp 0x4f
4: e8 70 7b 47 f8 call 0xf8477b79
9: 4c 6b f3 64 imul $0x64,%rbx,%r14
d: 49 8d 9f a0 06 00 00 lea 0x6a0(%r15),%rbx
14: 48 89 d8 mov %rbx,%rax
17: 48 c1 e8 03 shr $0x3,%rax
1b: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1)
20: 74 08 je 0x2a
22: 48 89 df mov %rbx,%rdi
25: e8 2f 9f aa f8 call 0xf8aa9f59
* 2a: 4c 89 33 mov %r14,(%rbx) <-- trapping instruction
2d: eb 23 jmp 0x52
2f: e8 45 7b 47 f8 call 0xf8477b79
34: 4d 8d b7 0d 07 00 00 lea 0x70d(%r15),%r14
3b: 4c 89 f0 mov %r14,%rax
3e: 48 rex.W
3f: c1 .byte 0xc1