Oops: general protection fault, probably for non-canonical address 0xdffffc0000000007: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]
CPU: 0 UID: 0 PID: 11050 Comm: kworker/u8:2 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
Workqueue: wg-kex-wg1 wg_packet_handshake_send_worker
RIP: 0010:rt_cache_valid net/ipv4/route.c:1582 [inline]
RIP: 0010:__mkroute_output net/ipv4/route.c:2650 [inline]
RIP: 0010:ip_route_output_key_hash_rcu+0x12ba/0x25d0 net/ipv4/route.c:2875
Code: c3 31 ff 89 c6 e8 76 1b ce f7 85 db 74 5b e8 2d 17 ce f7 eb 05 e8 26 17 ce f7 4d 85 ff 74 36 49 8d 5f 3a 48 89 d8 48 c1 e8 03 <42> 0f b6 04 20 84 c0 0f 85 ff 10 00 00 0f b7 1b bf ff ff 00 00 89
RSP: 0018:ffffc9001f1ef580 EFLAGS: 00010212
RAX: 0000000000000007 RBX: 0000000000000039 RCX: ffff888027698000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: 0000000080000000 R08: ffff888027698000 R09: 0000000000000003
R10: 0000000000000005 R11: 0000000000000000 R12: dffffc0000000000
R13: 0000000000000000 R14: ffff888034aafc58 R15: ffffffffffffffff
FS: 0000000000000000(0000) GS:ffff8881256f5000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f774be708c0 CR3: 0000000031118000 CR4: 0000000000350ef0
Call Trace:
 ip_route_output_key_hash+0x18d/0x2a0 net/ipv4/route.c:2705
 __ip_route_output_key include/net/route.h:169 [inline]
 ip_route_output_flow+0x2a/0x150 net/ipv4/route.c:2932
 send4+0x463/0xed0 drivers/net/wireguard/socket.c:61
 wg_socket_send_skb_to_peer+0xd1/0x1d0 drivers/net/wireguard/socket.c:175
 wg_packet_send_handshake_initiation drivers/net/wireguard/send.c:40 [inline]
 wg_packet_handshake_send_worker+0x203/0x350 drivers/net/wireguard/send.c:51
 process_one_work kernel/workqueue.c:3257 [inline]
 process_scheduled_works+0xaec/0x17a0 kernel/workqueue.c:3340
 worker_thread+0xda6/0x1360 kernel/workqueue.c:3421
 kthread+0x726/0x8b0 kernel/kthread.c:463
 ret_from_fork+0x51b/0xa40 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:rt_cache_valid net/ipv4/route.c:1582 [inline]
RIP: 0010:__mkroute_output net/ipv4/route.c:2650 [inline]
RIP: 0010:ip_route_output_key_hash_rcu+0x12ba/0x25d0 net/ipv4/route.c:2875
Code: c3 31 ff 89 c6 e8 76 1b ce f7 85 db 74 5b e8 2d 17 ce f7 eb 05 e8 26 17 ce f7 4d 85 ff 74 36 49 8d 5f 3a 48 89 d8 48 c1 e8 03 <42> 0f b6 04 20 84 c0 0f 85 ff 10 00 00 0f b7 1b bf ff ff 00 00 89
RSP: 0018:ffffc9001f1ef580 EFLAGS: 00010212
RAX: 0000000000000007 RBX: 0000000000000039 RCX: ffff888027698000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: 0000000080000000 R08: ffff888027698000 R09: 0000000000000003
R10: 0000000000000005 R11: 0000000000000000 R12: dffffc0000000000
R13: 0000000000000000 R14: ffff888034aafc58 R15: ffffffffffffffff
FS: 0000000000000000(0000) GS:ffff8881256f5000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f774be708c0 CR3: 0000000031118000 CR4: 0000000000350ef0
----------------
Code disassembly (best guess):
   0:	c3                   	ret
   1:	31 ff                	xor    %edi,%edi
   3:	89 c6                	mov    %eax,%esi
   5:	e8 76 1b ce f7       	call   0xf7ce1b80
   a:	85 db                	test   %ebx,%ebx
   c:	74 5b                	je     0x69
   e:	e8 2d 17 ce f7       	call   0xf7ce1740
  13:	eb 05                	jmp    0x1a
  15:	e8 26 17 ce f7       	call   0xf7ce1740
  1a:	4d 85 ff             	test   %r15,%r15
  1d:	74 36                	je     0x55
  1f:	49 8d 5f 3a          	lea    0x3a(%r15),%rbx
  23:	48 89 d8             	mov    %rbx,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	42 0f b6 04 20       	movzbl (%rax,%r12,1),%eax <-- trapping instruction
  2f:	84 c0                	test   %al,%al
  31:	0f 85 ff 10 00 00    	jne    0x1136
  37:	0f b7 1b             	movzwl (%rbx),%ebx
  3a:	bf ff ff 00 00       	mov    $0xffff,%edi
  3f:	89                   	.byte 0x89

Reading the register dump against the disassembly: R15 is 0xffffffffffffffff rather than NULL, so the `test %r15,%r15` / `je` check at 0x1a-0x1d does not skip the access. `lea 0x3a(%r15),%rbx` wraps to RBX = 0x39, and the trapping instruction is the KASAN shadow-byte lookup for that address (0x39 >> 3 = 7, plus R12 = 0xdffffc0000000000), which gives the non-canonical address 0xdffffc0000000007 named in the fault header. The access being checked is the 16-bit load at 0x37. KASAN reports a null-ptr-deref because the target address falls in the first page, but the pointer under test was an all-ones value, not zero. Whether that value is an error-encoded pointer or corruption cannot be determined from this report alone.