8<--- cut here ---
Unable to handle kernel paging request at virtual address 5bd3b000
[5bd3b000] *pgd=852d2003, *pmd=00000000
Internal error: Oops: 206 [#1] PREEMPT SMP ARM
Modules linked in:
CPU: 1 PID: 11486 Comm: syz-executor.0 Not tainted 6.1.0-rc5-syzkaller #0
Hardware name: ARM-Versatile Express
PC is at __queue_work+0xa0/0x74c kernel/workqueue.c:1459
LR is at 0x82c00000
pc : [<80260410>]    lr : [<82c00000>]    psr: 60000193
sp : df805e30  ip : 82c00024  fp : df805e74
r10: 8280e800  r9 : 5bd3b000  r8 : 82446498
r7 : 8220c940  r6 : 00000008  r5 : 83f3b200  r4 : 85a4b85c
r3 : 00000000  r2 : 00000000  r1 : 00000004  r0 : 8280e800
Flags: nZCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment none
Control: 30c5387d  Table: 849357c0  DAC: 00000000
Register r0 information: slab kmalloc-512 start 8280e800 pointer offset 0 size 512
Register r1 information: non-paged memory
Register r2 information: NULL pointer
Register r3 information: NULL pointer
Register r4 information: slab kmalloc-2k start 85a4b800 pointer offset 92 size 2048
Register r5 information: slab kmalloc-512 start 83f3b200 pointer offset 0 size 512
Register r6 information: non-paged memory
Register r7 information: non-slab/vmalloc memory
Register r8 information: non-slab/vmalloc memory
Register r9 information: non-paged memory
Register r10 information: slab kmalloc-512 start 8280e800 pointer offset 0 size 512
Register r11 information: 2-page vmalloc region starting at 0xdf804000 allocated at start_kernel+0x588/0x78c init/main.c:1041
Register r12 information: slab radix_tree_node start 82c00000 pointer offset 36
Process syz-executor.0 (pid: 11486, stack limit = 0xec4c0000)
Stack: (0xdf805e30 to 0xdf806000)
5e20:                                     80279278 802745b4 820a235c 84082280
5e40: 0000000b 00000001 80000113 85a4b85c 00000008 83f3b200 20000113 00000100
5e60: 0005e370 ddddd900 df805e94 df805e78 80260b0c 8026037c 85a4b830 816def8c
5e80: 84082280 816def8c df805ea4 df805e98 816defb4 80260ac8 df805edc df805ea8
5ea0: 802e4f18 816def98 000003c8 ddddd900 802e407c dc8eaf1f 85a4b830 816def8c
5ec0: df805f00 823d9d10 0005e370 84082280 df805f4c df805ee0 802e5454 802e4ef4
5ee0: 84082280 82204d40 8220c5d8 8220c498 00000002 00000000 76bfe6d0 850abd08
5f00: 00000000 df805f10 8029b138 802fab28 df805f4c df805f20 80293fc8 dc8eaf1f
5f20: 82204084 82204084 00000002 00000001 ec4c1fb0 00000002 00000100 84082280
5f40: df805fbc df805f50 8020133c 802e512c 8176e334 8176e220 00400040 82204d40
5f60: 0005e371 81eba81c 820a2344 0000000a 820aaa00 823d843a 823d94a0 8220c5d8
5f80: 8220c498 81ea8ef0 820a23d0 82204080 8176e354 820aaa00 81eba81c 81eba804
5fa0: ec4c1fb0 00000000 76bfe6d0 7ecfa544 df805fd4 df805fc0 80249f48 802011dc
5fc0: 820aa9dc 81eba81c df805ffc df805fd8 8176d898 80249eb8 000165f4 20000010
5fe0: ffffffff 84082280 820a2044 76bfe6d0 ec4c1fac df806000 81723888 8176d828
Backtrace: frame pointer underflow
[<80260370>] (__queue_work) from [<80260b0c>] (queue_work_on+0x50/0x5c kernel/workqueue.c:1545)
 r10:ddddd900 r9:0005e370 r8:00000100 r7:20000113 r6:83f3b200 r5:00000008
 r4:85a4b85c
[<80260abc>] (queue_work_on) from [<816defb4>] (queue_work include/linux/workqueue.h:503 [inline])
[<80260abc>] (queue_work_on) from [<816defb4>] (nci_cmd_timer+0x28/0x2c net/nfc/nci/core.c:615)
 r7:816def8c r6:84082280 r5:816def8c r4:85a4b830
[<816def8c>] (nci_cmd_timer) from [<802e4f18>] (call_timer_fn+0x30/0x238 kernel/time/timer.c:1474)
[<802e4ee8>] (call_timer_fn) from [<802e5454>] (expire_timers kernel/time/timer.c:1519 [inline])
[<802e4ee8>] (call_timer_fn) from [<802e5454>] (__run_timers kernel/time/timer.c:1790 [inline])
[<802e4ee8>] (call_timer_fn) from [<802e5454>] (run_timer_softirq+0x334/0x470 kernel/time/timer.c:1803)
 r9:84082280 r8:0005e370 r7:823d9d10 r6:df805f00 r5:816def8c r4:85a4b830
[<802e5120>] (run_timer_softirq) from [<8020133c>] (__do_softirq+0x16c/0x498 kernel/softirq.c:571)
 r10:84082280 r9:00000100 r8:00000002 r7:ec4c1fb0 r6:00000001 r5:00000002
 r4:82204084
[<802011d0>] (__do_softirq) from [<80249f48>] (invoke_softirq kernel/softirq.c:445 [inline])
[<802011d0>] (__do_softirq) from [<80249f48>] (__irq_exit_rcu kernel/softirq.c:650 [inline])
[<802011d0>] (__do_softirq) from [<80249f48>] (__irq_exit_rcu kernel/softirq.c:640 [inline])
[<802011d0>] (__do_softirq) from [<80249f48>] (irq_exit+0x9c/0xe8 kernel/softirq.c:674)
 r10:7ecfa544 r9:76bfe6d0 r8:00000000 r7:ec4c1fb0 r6:81eba804 r5:81eba81c
 r4:820aaa00
[<80249eac>] (irq_exit) from [<8176d898>] (generic_handle_arch_irq+0x7c/0x80 kernel/irq/handle.c:240)
 r5:81eba81c r4:820aa9dc
[<8176d81c>] (generic_handle_arch_irq) from [<81723888>] (call_with_stack+0x1c/0x20 arch/arm/lib/call_with_stack.S:40)
 r9:76bfe6d0 r8:820a2044 r7:84082280 r6:ffffffff r5:20000010 r4:000165f4
[<8172386c>] (call_with_stack) from [<80200e74>] (__irq_usr+0x74/0x80 arch/arm/kernel/entry-armv.S:436)
Exception stack(0xec4c1fb0 to 0xec4c1ff8)
1fa0:                                     ffffffff 00000004 000001b8 00000000
1fc0: 00000000 007fe15f 00000000 00000000 7ecfa3d2 76bfe6d0 7ecfa544 76bfe20c
1fe0: 20000110 20000110 000165f4 000165f4 20000010 ffffffff
Code: 0a00003b e59f06a8 eb532f1b e1a0a000 (e5990000) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	0a00003b 	beq	0xf4
   4:	e59f06a8 	ldr	r0, [pc, #1704]	; 0x6b4
   8:	eb532f1b 	bl	0x14cbc7c
   c:	e1a0a000 	mov	sl, r0
* 10:	e5990000 	ldr	r0, [r9] <-- trapping instruction