8<--- cut here ---
Unable to handle kernel paging request at virtual address df000000 when read
[df000000] *pgd=80000080007003, *pmd=00000000
Internal error: Oops: 206 [#1] PREEMPT SMP ARM
Modules linked in:
CPU: 0 PID: 6926 Comm: syz-executor.1 Not tainted 6.4.0-rc3-syzkaller #0
Hardware name: ARM-Versatile Express
PC is at csum_partial+0x40/0x130 arch/arm/lib/csumpartial.S:120
LR is at 0x0
pc : [<817abec8>]    lr : [<00000000>]    psr: 80000013
sp : eaea1b38  ip : a71a0800  fp : eaea1b94
r10: 81314164  r9 : 81314164  r8 : 00000d02
r7 : fffff2fd  r6 : 00000d02  r5 : 00000000  r4 : 00000000
r3 : 00000000  r2 : 96ffa3fa  r1 : fffffef0  r0 : df000000
Flags: Nzcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
Control: 30c5387d  Table: 86110e00  DAC: fffffffd
Register r0 information: non-paged memory
Register r1 information: non-paged memory
Register r2 information: non-slab/vmalloc memory
Register r3 information: NULL pointer
Register r4 information: NULL pointer
Register r5 information: NULL pointer
Register r6 information: non-paged memory
Register r7 information: non-paged memory
Register r8 information: non-paged memory
Register r9 information: non-slab/vmalloc memory
Register r10 information: non-slab/vmalloc memory
Register r11 information: 2-page vmalloc region starting at 0xeaea0000 allocated at kernel_clone+0x9c/0x3dc kernel/fork.c:2918
Register r12 information: non-slab/vmalloc memory
Process syz-executor.1 (pid: 6926, stack limit = 0xeaea0000)
Stack: (0xeaea1b38 to 0xeaea2000)
1b20:                                                       87350b40 861a0910
1b40: 861a0910 8150ce40 eaea1b74 eaea1b58 87350c00 87350b40 81fdf418 827e2390
1b60: 861a7800 000008c0 eaea1c1c 87350c00 00006869 00000000 00000000 00000000
1b80: 00000000 871f4000 eaea1bd4 eaea1b98 815f6de4 8150cc68 00000001 05200000
1ba0: 00c00000 18090a85 859b1b58 87350c00 0000000e 00000000 00006869 00000000
1bc0: 00000000 871f4000 eaea1c1c eaea1bd8 81630798 815f6d28 80277db8 802a6080
1be0: 00000060 00000052 85b81780 18090a85 20001000 87350c00 00000000 00006869
1c00: 0000dd86 81630d08 eaea1cf7 00000011 eaea1c3c eaea1c20 81630d4c 8163067c
1c20: 87350c00 00000000 00006869 0000dd86 eaea1c6c eaea1c40 81377ed8 81630d14
1c40: 0000000e 18090a85 eaea1cf7 87350c00 00006869 00000001 00000000 8408e800
1c60: eaea1c8c eaea1c70 81333158 81377e20 87350c00 00006869 00000000 eaea1cf7
1c80: eaea1cc4 eaea1c90 8133ab64 813330a4 00000001 ffff0000 ffffdd86 00000000
1ca0: 00000000 85bcd600 8408e800 00000000 eaea1cf7 00000011 eaea1cec eaea1cc8
1cc0: 8133ad7c 8133a9d4 84632400 87350c00 85bcd600 8408e800 00000000 00000001
1ce0: eaea1d24 eaea1cf0 813aa5b0 8133ad48 84632400 0008e800 00000010 18090a85
1d00: 87350c00 84632400 00000000 00000001 a3ea3680 846324c4 eaea1d84 eaea1d28
1d20: 8133b95c 813aa3fc 00000000 00000001 00000011 8260ee34 00ea1da4 fffffff4
1d40: 00000000 8132c5c8 00000000 0000dd86 00000000 18090a85 00000000 87350c00
1d60: 00002378 8408e800 0000000a 87350c00 861a7800 871f7f00 eaea1da4 eaea1d88
1d80: 81634494 8133b400 861a7800 00002378 8408e800 0000000a eaea1e5c eaea1da8
1da0: 81637bec 81634404 eaea1e08 00000000 817f99d4 80277e98 00002001 eaea1dc8
1dc0: eaea1ea8 83206b48 00002001 817fa2bc 80200288 806b84fc eaea1e1c eaea1de8
1de0: 81a02a70 00000000 00000002 0000236e 00000060 00000300 00000000 0000000e
1e00: 00000000 0000000a 00000000 236e0500 07440205 0000030c 00000000 00000000
1e20: 00000000 00000000 8216c67c 18090a85 eaea1e5c 00000000 eaea1e98 8546e000
1e40: 04000002 80200288 85b81780 00000122 eaea1e7c eaea1e60 8130d628 81636d30
1e60: 00000000 8546e000 00000000 04000002 eaea1f8c eaea1e80 8130f478 8130d5f0
1e80: eaea1ea8 85844890 fffffff7 00000001 85844680 00000000 00000000 00000000
1ea0: eaea1ed4 eaea1eb0 01000006 00000001 00002378 20000080 00000000 00000000
1ec0: 00000001 00000000 00000000 00000000 04000002 00000000 00000000 00000000
1ee0: 00000000 ffffffff 00000000 00000000 00000001 18090a85 00000005 00000000
1f00: 00000080 0014c288 00000000 00000000 85b81780 000000f0 eaea1f4c eaea1f28
1f20: 80309a10 8030d190 ffffffff 80200288 8546e000 8163a0dc 8546e000 00000000
1f40: eaea1fa4 eaea1f50 80309fd4 8030996c eaea1f84 eaea1f60 80277db8 802a6080
1f60: 00000000 00000000 85b81780 18090a85 00000000 000002ff 0014c2c4 00000122
1f80: eaea1fa4 eaea1f90 8130f4e0 8130f3b4 00000000 000002ff 00000000 eaea1fa8
1fa0: 80200060 8130f4d0 00000000 000002ff 00000003 20000080 00002378 04000002
1fc0: 00000000 000002ff 0014c2c4 00000122 7ef163c2 76bd16d0 7ef16534 76bd120c
1fe0: 76bd1020 76bd1010 00017004 0004dfb0 60000010 00000003 00000000 00000000
Backtrace: 
[<8150cc5c>] (__udp_gso_segment) from [<815f6de4>] (udp6_ufo_fragment+0xc8/0x39c net/ipv6/udp_offload.c:47)
 r10:871f4000 r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:00006869
 r4:87350c00
[<815f6d1c>] (udp6_ufo_fragment) from [<81630798>] (ipv6_gso_segment.part.0+0x128/0x42c net/ipv6/ip6_offload.c:119)
 r10:871f4000 r9:00000000 r8:00000000 r7:00006869 r6:00000000 r5:0000000e
 r4:87350c00
[<81630670>] (ipv6_gso_segment.part.0) from [<81630d4c>] (ipv6_gso_segment+0x44/0x48 net/ipv6/ip6_offload.c:91)
 r10:00000011 r9:eaea1cf7 r8:81630d08 r7:0000dd86 r6:00006869 r5:00000000
 r4:87350c00
[<81630d08>] (ipv6_gso_segment) from [<81377ed8>] (skb_mac_gso_segment+0xc4/0x1a4 net/core/gro.c:141)
 r7:0000dd86 r6:00006869 r5:00000000 r4:87350c00
[<81377e14>] (skb_mac_gso_segment) from [<81333158>] (__skb_gso_segment+0xc0/0x16c net/core/dev.c:3401)
 r8:8408e800 r7:00000000 r6:00000001 r5:00006869 r4:87350c00
[<81333098>] (__skb_gso_segment) from [<8133ab64>] (skb_gso_segment include/linux/netdevice.h:4859 [inline])
[<81333098>] (__skb_gso_segment) from [<8133ab64>] (validate_xmit_skb+0x19c/0x374 net/core/dev.c:3659)
 r7:eaea1cf7 r6:00000000 r5:00006869 r4:87350c00
[<8133a9c8>] (validate_xmit_skb) from [<8133ad7c>] (validate_xmit_skb_list+0x40/0x74 net/core/dev.c:3709)
 r10:00000011 r9:eaea1cf7 r8:00000000 r7:8408e800 r6:85bcd600 r5:00000000
 r4:00000000
[<8133ad3c>] (validate_xmit_skb_list) from [<813aa5b0>] (sch_direct_xmit+0x1c0/0x45c net/sched/sch_generic.c:327)
 r9:00000001 r8:00000000 r7:8408e800 r6:85bcd600 r5:87350c00 r4:84632400
[<813aa3f0>] (sch_direct_xmit) from [<8133b95c>] (__dev_xmit_skb net/core/dev.c:3805 [inline])
[<813aa3f0>] (sch_direct_xmit) from [<8133b95c>] (__dev_queue_xmit+0x568/0xdc8 net/core/dev.c:4210)
 r9:846324c4 r8:a3ea3680 r7:00000001 r6:00000000 r5:84632400 r4:87350c00
[<8133b3f4>] (__dev_queue_xmit) from [<81634494>] (dev_queue_xmit include/linux/netdevice.h:3085 [inline])
[<8133b3f4>] (__dev_queue_xmit) from [<81634494>] (packet_xmit net/packet/af_packet.c:276 [inline])
[<8133b3f4>] (__dev_queue_xmit) from [<81634494>] (packet_xmit+0x9c/0x100 net/packet/af_packet.c:273)
 r10:871f7f00 r9:861a7800 r8:87350c00 r7:0000000a r6:8408e800 r5:00002378
 r4:87350c00
[<816343f8>] (packet_xmit) from [<81637bec>] (packet_snd net/packet/af_packet.c:3081 [inline])
[<816343f8>] (packet_xmit) from [<81637bec>] (packet_sendmsg+0xec8/0x1448 net/packet/af_packet.c:3113)
 r7:0000000a r6:8408e800 r5:00002378 r4:861a7800
[<81636d24>] (packet_sendmsg) from [<8130d628>] (sock_sendmsg_nosec net/socket.c:724 [inline])
[<81636d24>] (packet_sendmsg) from [<8130d628>] (sock_sendmsg+0x44/0x78 net/socket.c:747)
 r10:00000122 r9:85b81780 r8:80200288 r7:04000002 r6:8546e000 r5:eaea1e98
 r4:00000000
[<8130d5e4>] (sock_sendmsg) from [<8130f478>] (__sys_sendto+0xd0/0x11c net/socket.c:2144)
 r7:04000002 r6:00000000 r5:8546e000 r4:00000000
[<8130f3a8>] (__sys_sendto) from [<8130f4e0>] (__do_sys_sendto net/socket.c:2156 [inline])
[<8130f3a8>] (__sys_sendto) from [<8130f4e0>] (sys_sendto+0x1c/0x24 net/socket.c:2152)
 r7:00000122 r6:0014c2c4 r5:000002ff r4:00000000
[<8130f4c4>] (sys_sendto) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:66)
Exception stack(0xeaea1fa8 to 0xeaea1ff0)
1fa0:                   00000000 000002ff 00000003 20000080 00002378 04000002
1fc0: 00000000 000002ff 0014c2c4 00000122 7ef163c2 76bd16d0 7ef16534 76bd120c
1fe0: 76bd1020 76bd1010 00017004 0004dfb0
Code: e0b22003 e0b22004 e0b22005 e0b2200e (e8b04038) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	e0b22003 	adcs	r2, r2, r3
   4:	e0b22004 	adcs	r2, r2, r4
   8:	e0b22005 	adcs	r2, r2, r5
   c:	e0b2200e 	adcs	r2, r2, lr
* 10:	e8b04038 	ldm	r0!, {r3, r4, r5, lr} <-- trapping instruction