syzbot

Oops: general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
CPU: 0 UID: 0 PID: 7572 Comm: syz.0.427 Tainted: G             L      syzkaller #0 PREEMPT_{RT,(full)} 
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
RIP: 0010:skb_segment+0x2cb9/0x41d0 net/core/skbuff.c:4879
Code: 00 e8 0b 74 d9 f8 48 8b 6c 24 30 4c 89 64 24 78 4c 8b 64 24 10 e9 54 df ff ff e8 f2 73 d9 f8 48 8d 5d 70 48 89 d8 48 c1 e8 03 <42> 0f b6 04 28 84 c0 8b 6c 24 5c 0f 85 5e 09 00 00 44 8b 33 48 8b
RSP: 0018:ffffc9002269e590 EFLAGS: 00010202
RAX: 000000000000000e RBX: 0000000000000070 RCX: 0000000000080000
RDX: ffffc9001072f000 RSI: 000000000001bc85 RDI: 000000000001bc86
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000100 R11: 000000000000a888 R12: 0000000000000000
R13: dffffc0000000000 R14: 0000000000000000 R15: 000000000000004a
FS:  00007fa4a73fd6c0(0000) GS:ffff8881263a1000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00002000002b0000 CR3: 0000000056a7e000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 tcp_gso_segment+0x43c/0x19a0 net/ipv4/tcp_offload.c:181
 ipv6_gso_segment+0xb7c/0x18a0 net/ipv6/ip6_offload.c:135
 skb_mac_gso_segment+0x31c/0x690 net/core/gso.c:53
 __skb_gso_segment+0x371/0x550 net/core/gso.c:124
 skb_gso_segment include/net/gso.h:83 [inline]
 validate_xmit_skb+0x9fb/0x1460 net/core/dev.c:4039
 __dev_queue_xmit+0xb12/0x3890 net/core/dev.c:4860
 NF_HOOK_COND include/linux/netfilter.h:307 [inline]
 ip6_output+0x337/0x540 net/ipv6/ip6_output.c:246
 dst_output include/net/dst.h:471 [inline]
 NF_HOOK include/linux/netfilter.h:318 [inline]
 ip6_xmit+0x117f/0x1a60 net/ipv6/ip6_output.c:379
 inet6_csk_xmit+0x397/0x660 net/ipv6/inet6_connection_sock.c:115
 __tcp_transmit_skb+0x2640/0x47c0 net/ipv4/tcp_output.c:1716
 tcp_transmit_skb net/ipv4/tcp_output.c:1733 [inline]
 tcp_write_xmit+0x1bed/0x63f0 net/ipv4/tcp_output.c:3061
 __tcp_push_pending_frames+0x96/0x380 net/ipv4/tcp_output.c:3244
 tcp_push_pending_frames include/net/tcp.h:2360 [inline]
 tcp_data_snd_check net/ipv4/tcp_input.c:6075 [inline]
 tcp_rcv_established+0xe05/0x2830 net/ipv4/tcp_input.c:6658
 tcp_v6_do_rcv+0x82f/0x1ba0 net/ipv6/tcp_ipv6.c:1610
 sk_backlog_rcv include/net/sock.h:1191 [inline]
 __release_sock+0x211/0x3d0 net/core/sock.c:3225
 release_sock+0x1be/0x290 net/core/sock.c:3824
 sk_stream_wait_memory+0x737/0xf90 net/core/stream.c:149
 tcp_sendmsg_locked+0x20b1/0x55c0 net/ipv4/tcp.c:1405
 tcp_sendmsg+0x2f/0x50 net/ipv4/tcp.c:1452
 sock_sendmsg_nosec net/socket.c:787 [inline]
 __sock_sendmsg net/socket.c:802 [inline]
 __sys_sendto+0x4b8/0x710 net/socket.c:2266
 __do_sys_sendto net/socket.c:2273 [inline]
 __se_sys_sendto net/socket.c:2269 [inline]
 __x64_sys_sendto+0xde/0x100 net/socket.c:2269
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa4a91cce59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fa4a73fd028 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007fa4a9446090 RCX: 00007fa4a91cce59
RDX: 00000000ffffff5d RSI: 0000200000000900 RDI: 0000000000000003
RBP: 00007fa4a9262d6f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000012 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fa4a9446128 R14: 00007fa4a9446090 R15: 00007ffe0fc67408
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:skb_segment+0x2cb9/0x41d0 net/core/skbuff.c:4879
Code: 00 e8 0b 74 d9 f8 48 8b 6c 24 30 4c 89 64 24 78 4c 8b 64 24 10 e9 54 df ff ff e8 f2 73 d9 f8 48 8d 5d 70 48 89 d8 48 c1 e8 03 <42> 0f b6 04 28 84 c0 8b 6c 24 5c 0f 85 5e 09 00 00 44 8b 33 48 8b
RSP: 0018:ffffc9002269e590 EFLAGS: 00010202
RAX: 000000000000000e RBX: 0000000000000070 RCX: 0000000000080000
RDX: ffffc9001072f000 RSI: 000000000001bc85 RDI: 000000000001bc86
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000100 R11: 000000000000a888 R12: 0000000000000000
R13: dffffc0000000000 R14: 0000000000000000 R15: 000000000000004a
FS:  00007fa4a73fd6c0(0000) GS:ffff8881263a1000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00002000002b0000 CR3: 0000000056a7e000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
   0:	00 e8                	add    %ch,%al
   2:	0b 74 d9 f8          	or     -0x8(%rcx,%rbx,8),%esi
   6:	48 8b 6c 24 30       	mov    0x30(%rsp),%rbp
   b:	4c 89 64 24 78       	mov    %r12,0x78(%rsp)
  10:	4c 8b 64 24 10       	mov    0x10(%rsp),%r12
  15:	e9 54 df ff ff       	jmp    0xffffdf6e
  1a:	e8 f2 73 d9 f8       	call   0xf8d97411
  1f:	48 8d 5d 70          	lea    0x70(%rbp),%rbx
  23:	48 89 d8             	mov    %rbx,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	42 0f b6 04 28       	movzbl (%rax,%r13,1),%eax <-- trapping instruction
  2f:	84 c0                	test   %al,%al
  31:	8b 6c 24 5c          	mov    0x5c(%rsp),%ebp
  35:	0f 85 5e 09 00 00    	jne    0x999
  3b:	44 8b 33             	mov    (%rbx),%r14d
  3e:	48                   	rex.W
  3f:	8b                   	.byte 0x8b