8<--- cut here ---
Unable to handle kernel NULL pointer dereference at virtual address 0000000e when read
[0000000e] *pgd=8a1e1003, *pmd=e4fda003
Internal error: Oops: 207 [#1] PREEMPT SMP ARM
Modules linked in:
CPU: 0 PID: 24789 Comm: syz-executor.1 Not tainted 6.6.0-rc3-syzkaller #0
Hardware name: ARM-Versatile Express
PC is at __io_remove_buffers io_uring/kbuf.c:219 [inline]
PC is at __io_remove_buffers+0x38/0x184 io_uring/kbuf.c:209
LR is at io_unregister_pbuf_ring+0x104/0x18c io_uring/kbuf.c:615
pc : [<807c9634>]    lr : [<807ca76c>]    psr: 20000013
sp : eafadec8  ip : eafadef8  fp : eafadef4
r10: 00000017  r9 : 8a034000  r8 : ffffffff
r7 : 00000000  r6 : 00000001  r5 : 8a036000  r4 : 00000000
r3 : 00000000  r2 : 00000000  r1 : 8a036000  r0 : 8a034000
Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
Control: 30c5387d  Table: 8b060640  DAC: fffffffd
Register r0 information: slab kmalloc-2k start 8a034000 pointer offset 0 size 2048
Register r1 information: slab kmalloc-2k start 8a036000 pointer offset 0 size 2048
Register r2 information: NULL pointer
Register r3 information: NULL pointer
Register r4 information: NULL pointer
Register r5 information: slab kmalloc-2k start 8a036000 pointer offset 0 size 2048
Register r6 information: non-paged memory
Register r7 information: NULL pointer
Register r8 information: non-paged memory
Register r9 information: slab kmalloc-2k start 8a034000 pointer offset 0 size 2048
Register r10 information: non-paged memory
Register r11 information: 2-page vmalloc region starting at 0xeafac000 allocated at kernel_clone+0xac/0x424 kernel/fork.c:2909
Register r12 information: 2-page vmalloc region starting at 0xeafac000 allocated at kernel_clone+0xac/0x424 kernel/fork.c:2909
Process syz-executor.1 (pid: 24789, stack limit = 0xeafac000)
Stack: (0xeafadec8 to 0xeafae000)
dec0:                   00000001 8a036000 8a034000 84b0d240 00000000 83905540
dee0: 8a034040 00000017 eafadf3c eafadef8 807ca76c 807c9608 00000000 00000000
df00: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
df20: eafadf3c 5ee0ef21 8a034000 20000180 eafadfa4 eafadf40 807bed0c 807ca674
df40: 8024bc7c 80278e68 40000000 eafadfb0 eafadf84 eafadf60 80202fc4 00000001
df60: 8261c9e8 eafadfb0 0006b210 ecac8b10 80202eac 5ee0ef21 eafadfac 00000000
df80: 00000000 0014c2c4 000001ab 80200288 84b0d240 000001ab 00000000 eafadfa8
dfa0: 80200060 807be738 00000000 00000000 00000003 00000017 20000180 00000001
dfc0: 00000000 00000000 0014c2c4 000001ab 7eede32e 7eede32f 003d0f00 76b760fc
dfe0: 76b75f08 76b75ef8 00016688 000509e0 60000010 00000003 00000000 00000000
Backtrace:
[<807c95fc>] (__io_remove_buffers) from [<807ca76c>] (io_unregister_pbuf_ring+0x104/0x18c io_uring/kbuf.c:615)
 r10:00000017 r9:8a034040 r8:83905540 r7:00000000 r6:84b0d240 r5:8a034000
 r4:8a036000 r3:00000001
[<807ca668>] (io_unregister_pbuf_ring) from [<807bed0c>] (__io_uring_register io_uring/io_uring.c:4525 [inline])
[<807ca668>] (io_unregister_pbuf_ring) from [<807bed0c>] (__do_sys_io_uring_register io_uring/io_uring.c:4587 [inline])
[<807ca668>] (io_unregister_pbuf_ring) from [<807bed0c>] (sys_io_uring_register+0x5e0/0xd00 io_uring/io_uring.c:4547)
 r5:20000180 r4:8a034000
[<807be72c>] (sys_io_uring_register) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:66)
Exception stack(0xeafadfa8 to 0xeafadff0)
dfa0:                   00000000 00000000 00000003 00000017 20000180 00000001
dfc0: 00000000 00000000 0014c2c4 000001ab 7eede32e 7eede32f 003d0f00 76b760fc
dfe0: 76b75f08 76b75ef8 00016688 000509e0
 r10:000001ab r9:84b0d240 r8:80200288 r7:000001ab r6:0014c2c4 r5:00000000
 r4:00000000
Code: 0a000022 e5913004 e1d120be e5d14013 (e1d380be)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	0a000022 	beq	0x90
   4:	e5913004 	ldr	r3, [r1, #4]
   8:	e1d120be 	ldrh	r2, [r1, #14]
   c:	e5d14013 	ldrb	r4, [r1, #19]
*  10:	e1d380be 	ldrh	r8, [r3, #14]		<-- trapping instruction