8<--- cut here --- Unable to handle kernel NULL pointer dereference at virtual address 00000004 when read [00000004] *pgd=85264003, *pmd=fecaa003 Internal error: Oops: 207 [#1] PREEMPT SMP ARM Modules linked in: CPU: 0 PID: 7899 Comm: syz-executor.0 Not tainted 6.9.0-rc6-syzkaller #0 Hardware name: ARM-Versatile Express PC is at bpf_link_free+0x90/0xd4 kernel/bpf/syscall.c:3065 LR is at debug_smp_processor_id+0x20/0x24 lib/smp_processor_id.c:60 pc : [<80394784>] lr : [<818c0ff0>] psr: 40000113 sp : dfb51f18 ip : dfb51eb8 fp : dfb51f2c r10: 00000006 r9 : 85055400 r8 : 82c9e9d0 r7 : 830475f0 r6 : 8309fe10 r5 : 00000000 r4 : 846bb180 r3 : 00000000 r2 : 00000000 r1 : 00000000 r0 : 00000000 Flags: nZcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user Control: 30c5387d Table: 852b2d00 DAC: fffffffd Register r0 information: NULL pointer Register r1 information: NULL pointer Register r2 information: NULL pointer Register r3 information: NULL pointer Register r4 information: slab kmalloc-64 start 846bb180 pointer offset 0 size 64 Register r5 information: NULL pointer Register r6 information: slab dentry start 8309fe10 pointer offset 0 size 144 Register r7 information: slab inode_cache start 830475f0 pointer offset 0 size 424 Register r8 information: slab mnt_cache start 82c9e9c0 pointer offset 16 size 184 Register r9 information: slab task_struct start 85055400 pointer offset 0 size 3072 Register r10 information: non-paged memory Register r11 information: 2-page vmalloc region starting at 0xdfb50000 allocated at kernel_clone+0xac/0x3cc kernel/fork.c:2797 Register r12 information: 2-page vmalloc region starting at 0xdfb50000 allocated at kernel_clone+0xac/0x3cc kernel/fork.c:2797 Process syz-executor.0 (pid: 7899, stack limit = 0xdfb50000) Stack: (0xdfb51f18 to 0xdfb52000) 1f00: 00000001 00000000 1f20: dfb51f44 dfb51f30 803948e0 80394700 852c56c0 000a0001 dfb51f7c dfb51f48 1f40: 804f916c 803948a4 852c56c0 00000000 843f7300 00000006 00000000 852c56c0 1f60: 00000000 00000006 80200288 85055400 dfb51f8c dfb51f80 804f9478 804f90f4 1f80: dfb51fa4 dfb51f90 804f49d0 804f9448 00000004 00000000 00000000 dfb51fa8 1fa0: 80200278 804f49ac 00000004 00000000 00000004 00000002 00000000 00000000 1fc0: 00000004 00000000 00000000 00000006 00000000 0014c29c 000f4240 0005cd14 1fe0: 00000000 7eee93e0 00091184 0004f5fc 40000010 00000004 00000000 00000000 Call trace: [<803946f4>] (bpf_link_free) from [<803948e0>] (bpf_link_put_direct kernel/bpf/syscall.c:3093 [inline]) [<803946f4>] (bpf_link_free) from [<803948e0>] (bpf_link_release+0x48/0x50 kernel/bpf/syscall.c:3100) r5:00000000 r4:00000001 [<80394898>] (bpf_link_release) from [<804f916c>] (__fput+0x84/0x2d4 fs/file_table.c:422) r5:000a0001 r4:852c56c0 [<804f90e8>] (__fput) from [<804f9478>] (__fput_sync+0x3c/0x40 fs/file_table.c:507) r9:85055400 r8:80200288 r7:00000006 r6:00000000 r5:852c56c0 r4:00000000 [<804f943c>] (__fput_sync) from [<804f49d0>] (__do_sys_close fs/open.c:1556 [inline]) [<804f943c>] (__fput_sync) from [<804f49d0>] (sys_close+0x30/0x64 fs/open.c:1541) [<804f49a0>] (sys_close) from [<80200278>] (__sys_trace_return+0x0/0x10) Exception stack(0xdfb51fa8 to 0xdfb51ff0) 1fa0: 00000004 00000000 00000004 00000002 00000000 00000000 1fc0: 00000004 00000000 00000000 00000006 00000000 0014c29c 000f4240 0005cd14 1fe0: 00000000 7eee93e0 00091184 0004f5fc r5:00000000 r4:00000004 Code: e3041258 e3481039 ebfcf3f3 e5943010 (e5933004) ---[ end trace 0000000000000000 ]--- ---------------- Code disassembly (best guess): 0: e3041258 movw r1, #16984 @ 0x4258 4: e3481039 movt r1, #32825 @ 0x8039 8: ebfcf3f3 bl 0xfff3cfdc c: e5943010 ldr r3, [r4, #16] * 10: e5933004 ldr r3, [r3, #4] <-- trapping instruction