8<--- cut here ---
Unable to handle kernel paging request at virtual address 5bd2a000
[5bd2a000] *pgd=84a97003, *pmd=00000000
Internal error: Oops: 206 [#1] PREEMPT SMP ARM
Modules linked in:
CPU: 0 PID: 2222 Comm: syz-fuzzer Not tainted 6.1.0-rc4-syzkaller #0
Hardware name: ARM-Versatile Express
PC is at __queue_work+0xa0/0x74c kernel/workqueue.c:1459
LR is at 0x82c00000
pc : [<80260410>]    lr : [<82c00000>]    psr: 60000193
sp : df801e30  ip : 82c00024  fp : df801e74
r10: 8280e800  r9 : 5bd2a000  r8 : 82449498
r7 : 8220c940  r6 : 00000008  r5 : 85b77200  r4 : 85be585c
r3 : 00000000  r2 : 00000000  r1 : 00000004  r0 : 8280e800
Flags: nZCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment user
Control: 30c5387d  Table: 8412b040  DAC: fffffffd
Register r0 information: slab kmalloc-512 start 8280e800 pointer offset 0 size 512
Register r1 information: non-paged memory
Register r2 information: NULL pointer
Register r3 information: NULL pointer
Register r4 information: slab kmalloc-2k start 85be5800 pointer offset 92 size 2048
Register r5 information: slab kmalloc-512 start 85b77200 pointer offset 0 size 512
Register r6 information: non-paged memory
Register r7 information: non-slab/vmalloc memory
Register r8 information: non-slab/vmalloc memory
Register r9 information: non-paged memory
Register r10 information: slab kmalloc-512 start 8280e800 pointer offset 0 size 512
Register r11 information: 2-page vmalloc region starting at 0xdf800000 allocated at start_kernel+0x58c/0x790 init/main.c:1041
Register r12 information: slab radix_tree_node start 82c00000 pointer offset 36
Process syz-fuzzer (pid: 2222, stack limit = 0xdf974000)
Stack: (0xdf801e30 to 0xdf802000)
1e20: 817622b4 00000000 820a235c 83315c00
1e40: 00000027 00000000 852a3c00 85be585c 00000008 85b77200 20000113 00000100
1e60: 000441c0 dddcc900 df801e94 df801e78 80260b0c 8026037c 85be5830 816ca904
1e80: 83315c00 816ca904 df801ea4 df801e98 816ca92c 80260ac8 df801edc df801ea8
1ea0: 802e4f18 816ca910 000002cf dddcc900 8133c0ec 3c207e90
85be5830 816ca904
1ec0: df801f00 823d9310 000441c0 83315c00 df801f4c df801ee0 802e5454 802e4ef4
1ee0: 83315c00 82204d40 8220c5d8 8220c498 00000002 00000000 00000020 85874d48
1f00: 00000000 00000000 8029b138 802fab28 df801f4c df801f20 80293fc8 3c207e90
1f20: 82204084 82204084 00000002 00000001 df975fb0 00000002 00000100 83315c00
1f40: df801fbc df801f50 8020133c 802e512c 817582ac 81758198 00400100 82204d40
1f60: 000441c1 81ebdc70 820a2344 0000000a 820aaa00 823d7b3a 823d8aa0 8220c5d8
1f80: 8220c498 81eac3f4 820a23d0 82204080 817582cc 820aaa00 81ebdc70 81ebdc58
1fa0: df975fb0 00000000 00000020 024a70e0 df801fd4 df801fc0 80249f48 802011dc
1fc0: 820aa9dc 81ebdc70 df801ffc df801fd8 81757810 80249eb8 00148138 20000010
1fe0: ffffffff 83315c00 820a2044 00000020 df975fac df802000 8170ec2c 817577a0
Backtrace:
 frame pointer underflow
[<80260370>] (__queue_work) from [<80260b0c>] (queue_work_on+0x50/0x5c kernel/workqueue.c:1545)
 r10:dddcc900 r9:000441c0 r8:00000100 r7:20000113 r6:85b77200 r5:00000008
 r4:85be585c
[<80260abc>] (queue_work_on) from [<816ca92c>] (queue_work include/linux/workqueue.h:503 [inline])
[<80260abc>] (queue_work_on) from [<816ca92c>] (nci_cmd_timer+0x28/0x2c net/nfc/nci/core.c:615)
 r7:816ca904 r6:83315c00 r5:816ca904 r4:85be5830
[<816ca904>] (nci_cmd_timer) from [<802e4f18>] (call_timer_fn+0x30/0x238 kernel/time/timer.c:1474)
[<802e4ee8>] (call_timer_fn) from [<802e5454>] (expire_timers kernel/time/timer.c:1519 [inline])
[<802e4ee8>] (call_timer_fn) from [<802e5454>] (__run_timers kernel/time/timer.c:1790 [inline])
[<802e4ee8>] (call_timer_fn) from [<802e5454>] (run_timer_softirq+0x334/0x470 kernel/time/timer.c:1803)
 r9:83315c00 r8:000441c0 r7:823d9310 r6:df801f00 r5:816ca904 r4:85be5830
[<802e5120>] (run_timer_softirq) from [<8020133c>] (__do_softirq+0x16c/0x498 kernel/softirq.c:571)
 r10:83315c00 r9:00000100 r8:00000002 r7:df975fb0 r6:00000001 r5:00000002
 r4:82204084
[<802011d0>] (__do_softirq) from [<80249f48>] (invoke_softirq kernel/softirq.c:445
[inline])
[<802011d0>] (__do_softirq) from [<80249f48>] (__irq_exit_rcu kernel/softirq.c:650 [inline])
[<802011d0>] (__do_softirq) from [<80249f48>] (__irq_exit_rcu kernel/softirq.c:640 [inline])
[<802011d0>] (__do_softirq) from [<80249f48>] (irq_exit+0x9c/0xe8 kernel/softirq.c:674)
 r10:024a70e0 r9:00000020 r8:00000000 r7:df975fb0 r6:81ebdc58 r5:81ebdc70
 r4:820aaa00
[<80249eac>] (irq_exit) from [<81757810>] (generic_handle_arch_irq+0x7c/0x80 kernel/irq/handle.c:240)
 r5:81ebdc70 r4:820aa9dc
[<81757794>] (generic_handle_arch_irq) from [<8170ec2c>] (call_with_stack+0x1c/0x20 arch/arm/lib/call_with_stack.S:40)
 r9:00000020 r8:820a2044 r7:83315c00 r6:ffffffff r5:20000010 r4:00148138
[<8170ec10>] (call_with_stack) from [<80200e74>] (__irq_usr+0x74/0x80 arch/arm/kernel/entry-armv.S:436)
Exception stack(0xdf975fb0 to 0xdf975ff8)
5fa0: 00862358 89e7757b 03ed48c0 1447fe90
5fc0: 03ed26c0 03ebe940 00000005 0000000c 00ff72a0 00000020 024a70e0 82bc5fa2
5fe0: 00000000 0258b75c 00147b80 00148138 20000010 ffffffff
Code: 0a00003b e59f06a8 eb52dc03 e1a0a000 (e5990000)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	0a00003b 	beq	0xf4
   4:	e59f06a8 	ldr	r0, [pc, #1704]	; 0x6b4
   8:	eb52dc03 	bl	0x14b701c
   c:	e1a0a000 	mov	sl, r0
* 10:	e5990000 	ldr	r0, [r9] <-- trapping instruction