8<--- cut here ---
Unable to handle kernel NULL pointer dereference at virtual address 00000000 when write
[00000000] *pgd=80000080004003, *pmd=00000000
Internal error: Oops: a05 [#1] PREEMPT SMP ARM
Modules linked in:
CPU: 0 PID: 2960 Comm: kworker/0:3 Not tainted 6.10.0-rc1-syzkaller #0
Hardware name: ARM-Versatile Express
Workqueue: usb_hub_wq hub_event
PC is at llc_conn_state_process+0x300/0x618 net/llc/llc_conn.c:141
LR is at llc_exec_conn_trans_actions net/llc/llc_conn.c:443 [inline]
LR is at llc_conn_service net/llc/llc_conn.c:368 [inline]
LR is at llc_conn_state_process+0x140/0x618 net/llc/llc_conn.c:72
pc : [<8146f47c>]    lr : [<8146f2bc>]    psr: 20000113
sp : df801df0  ip : df801df0  fp : df801e1c
r10: 827d05a0  r9 : 84df2c00  r8 : 81c3c9f0
r7 : 84df2c00  r6 : 00000000  r5 : 84689a80  r4 : 00000000
r3 : 00000001  r2 : 00000002  r1 : 00000000  r0 : 84df2c00
Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
Control: 30c5387d  Table: 84e76f40  DAC: fffffffd
Register r0 information: slab kmalloc-1k start 84df2c00 pointer offset 0 size 1024
Register r1 information: NULL pointer
Register r2 information: non-paged memory
Register r3 information: non-paged memory
Register r4 information: NULL pointer
Register r5 information: slab skbuff_head_cache start 84689a80 pointer offset 0 size 192
Register r6 information: NULL pointer
Register r7 information: slab kmalloc-1k start 84df2c00 pointer offset 0 size 1024
Register r8 information: non-slab/vmalloc memory
Register r9 information: slab kmalloc-1k start 84df2c00 pointer offset 0 size 1024
Register r10 information: non-slab/vmalloc memory
Register r11 information: 2-page vmalloc region starting at 0xdf800000 allocated at start_kernel+0x5d0/0x778 init/main.c:1006
Register r12 information: 2-page vmalloc region starting at 0xdf800000 allocated at start_kernel+0x5d0/0x778 init/main.c:1006
Process kworker/0:3 (pid: 2960, stack limit = 0xec420000)
Stack: (0xdf801df0 to 0xdf802000)
1de0:                                     00000000 84689a80 84df2c00 00000005
1e00: 84df2cec 00000100 ffffbb58 df801eb4 df801e44 df801e20 8146cb20 8146f188
1e20: 84df2e60 8146eb20 8343bc00 8146eb20 00000100 ffffbb58 df801e54 df801e48
1e40: 8146eb38 8146ca64 df801e8c df801e58 802fb638 8146eb2c 00000000 84df2e60
1e60: 81a04d90 66dc36f9 84df2e60 8146eb20 dddc6200 00000000 00000122 8343bc00
1e80: df801f04 df801e90 802fbad0 802fb614 82604d40 00000000 00000001 827efb28
1ea0: 8260c5d0 ffffbb58 df801edc 00000000 00000000 00000000 00000000 00000000
1ec0: 00000000 00000000 00000000 00000000 00000000 66dc36f9 00000002 dddc6200
1ee0: 00000002 00000001 04208060 00000100 8343bc00 00000202 df801f24 df801f08
1f00: 802fbc60 802fb834 82604084 00000000 00000004 82604084 df801f34 df801f28
1f20: 802fbc8c 802fbc04 df801fac df801f38 8024cd54 802fbc7c df801f54 df801f48
1f40: 818f49dc 04208060 82604d40 ffffbb59 821b2e90 00000000 824b5cc0 0000000a
1f60: 827eefe8 8260c5d0 821a0290 824ab3e8 df801f38 82604080 802a10c4 8029616c
1f80: 8343bc00 8343bc00 821b2e90 82173fe4 ec4216f0 00000000 8343bc00 ec421838
1fa0: df801fc4 df801fb0 8024d150 8024cc04 824b5ca4 821b2e90 df801fd4 df801fc8
1fc0: 8024d450 8024d0b8 df801ffc df801fd8 818f3da0 8024d44c 802fa9b8 00000013
1fe0: ffffffff ec421724 ffffbd4b 8343bc00 ec4216ec df802000 818a595c 818f3d30
Call trace: frame pointer underflow
[<8146f17c>] (llc_conn_state_process) from [<8146cb20>] (llc_process_tmr_ev net/llc/llc_c_ac.c:1445 [inline])
[<8146f17c>] (llc_conn_state_process) from [<8146cb20>] (llc_conn_tmr_common_cb+0xc8/0x1a8 net/llc/llc_c_ac.c:1331)
 r10:df801eb4 r9:ffffbb58 r8:00000100 r7:84df2cec r6:00000005 r5:84df2c00
 r4:84689a80 r3:00000000
[<8146ca58>] (llc_conn_tmr_common_cb) from [<8146eb38>] (llc_conn_ack_tmr_cb+0x18/0x1c net/llc/llc_c_ac.c:1354)
 r9:ffffbb58 r8:00000100 r7:8146eb20 r6:8343bc00 r5:8146eb20 r4:84df2e60
[<8146eb20>] (llc_conn_ack_tmr_cb) from [<802fb638>] (call_timer_fn+0x30/0x220 kernel/time/timer.c:1792)
[<802fb608>] (call_timer_fn) from [<802fbad0>] (expire_timers kernel/time/timer.c:1843 [inline])
[<802fb608>] (call_timer_fn) from [<802fbad0>] (__run_timers+0x2a8/0x3d0 kernel/time/timer.c:2417)
 r9:8343bc00 r8:00000122 r7:00000000 r6:dddc6200 r5:8146eb20 r4:84df2e60
[<802fb828>] (__run_timers) from [<802fbc60>] (__run_timer_base kernel/time/timer.c:2428 [inline])
[<802fb828>] (__run_timers) from [<802fbc60>] (__run_timer_base kernel/time/timer.c:2421 [inline])
[<802fb828>] (__run_timers) from [<802fbc60>] (run_timer_base+0x68/0x78 kernel/time/timer.c:2437)
 r10:00000202 r9:8343bc00 r8:00000100 r7:04208060 r6:00000001 r5:00000002
 r4:dddc6200
[<802fbbf8>] (run_timer_base) from [<802fbc8c>] (run_timer_softirq+0x1c/0x34 kernel/time/timer.c:2447)
 r4:82604084
[<802fbc70>] (run_timer_softirq) from [<8024cd54>] (handle_softirqs+0x15c/0x468 kernel/softirq.c:554)
[<8024cbf8>] (handle_softirqs) from [<8024d150>] (__do_softirq kernel/softirq.c:588 [inline])
[<8024cbf8>] (handle_softirqs) from [<8024d150>] (invoke_softirq kernel/softirq.c:428 [inline])
[<8024cbf8>] (handle_softirqs) from [<8024d150>] (__irq_exit_rcu+0xa4/0x164 kernel/softirq.c:637)
 r10:ec421838 r9:8343bc00 r8:00000000 r7:ec4216f0 r6:82173fe4 r5:821b2e90
 r4:8343bc00
[<8024d0ac>] (__irq_exit_rcu) from [<8024d450>] (irq_exit+0x10/0x18 kernel/softirq.c:661)
 r5:821b2e90 r4:824b5ca4
[<8024d440>] (irq_exit) from [<818f3da0>] (generic_handle_arch_irq+0x7c/0x80 kernel/irq/handle.c:240)
[<818f3d24>] (generic_handle_arch_irq) from [<818a595c>] (call_with_stack+0x1c/0x20 arch/arm/lib/call_with_stack.S:40)
 r9:8343bc00 r8:ffffbd4b r7:ec421724 r6:ffffffff r5:00000013 r4:802fa9b8
[<818a5940>] (call_with_stack) from [<80200bcc>] (__irq_svc+0x8c/0xbc arch/arm/kernel/entry-armv.S:221)
Exception stack(0xec4216f0 to 0xec421738)
16e0:                                     ec42179c ec421758 00000000 8343bc00
1700: ec42179c 00000000 00000004 8343bc00 ffffbd4b 00000000 ec421838 ec421794
1720: ec4216d0 ec421740 802fca38 802fa9b8 00000013 ffffffff
[<802fc8bc>] (__mod_timer) from [<818ff668>] (schedule_timeout+0x98/0x114 kernel/time/timer.c:2580)
 r10:ec421838 r9:00000002 r8:ec4217e4 r7:8343bc00 r6:82604d40 r5:00000000
 r4:ffffbd4b
[<818ff5d0>] (schedule_timeout) from [<818f9154>] (do_wait_for_common kernel/sched/completion.c:95 [inline])
[<818ff5d0>] (schedule_timeout) from [<818f9154>] (__wait_for_common kernel/sched/completion.c:116 [inline])
[<818ff5d0>] (schedule_timeout) from [<818f9154>] (wait_for_common kernel/sched/completion.c:127 [inline])
[<818ff5d0>] (schedule_timeout) from [<818f9154>] (wait_for_completion_timeout+0x6c/0x150 kernel/sched/completion.c:167)
 r7:8343bc00 r6:ec421830 r5:ec421834 r4:000001f4
[<818f90e8>] (wait_for_completion_timeout) from [<80d909b0>] (usb_start_wait_urb+0x90/0x168 drivers/usb/core/message.c:64)
 r10:00002200 r9:00001388 r8:8343bc00 r7:ec421878 r6:ec421830 r5:00000000
 r4:84fc3cc0
[<80d90920>] (usb_start_wait_urb) from [<80d90b54>] (usb_internal_control_msg drivers/usb/core/message.c:103 [inline])
[<80d90920>] (usb_start_wait_urb) from [<80d90b54>] (usb_control_msg+0xcc/0x12c drivers/usb/core/message.c:154)
 r9:00000000 r8:0000000f r7:84fe6640 r6:00000081 r5:00000000 r4:84e05000
[<80d90a88>] (usb_control_msg) from [<812154a8>] (hid_get_class_descriptor.constprop.0+0x7c/0xa4 drivers/hid/usbhid/hid-core.c:670)
 r10:0000000f r9:00001388 r8:84fe6f40 r7:80000080 r6:0000000f r5:84e05000
 r4:00000003
[<8121542c>] (hid_get_class_descriptor.constprop.0) from [<8121563c>] (usbhid_parse+0x16c/0x2dc drivers/hid/usbhid/hid-core.c:1038)
 r10:84fe6f40 r9:84e05000 r8:84e05080 r7:00080000 r6:0000000f r5:84fe6d48
 r4:84f0a000
[<812154d0>] (usbhid_parse) from [<811b1440>] (hid_add_device+0x68/0x2c8 drivers/hid/hid-core.c:2790)
 r10:00000000 r9:84fe6d48 r8:00000017 r7:00000000 r6:84f0d000 r5:84f0c000
 r4:84f0a000
[<811b13d8>] (hid_add_device) from [<81215b90>] (usbhid_probe+0x3e4/0x55c drivers/hid/usbhid/hid-core.c:1429)
 r10:00000000 r9:84fe6d48 r8:00000017 r7:00000000 r6:84f0d000 r5:84f0c000
 r4:84f0a000
[<812157ac>] (usbhid_probe) from [<80d95594>] (usb_probe_interface+0xe4/0x2ec drivers/usb/core/driver.c:399)
 r10:84e05000 r9:84e05400 r8:827b8688 r7:81bf8b70 r6:84e05080 r5:00000001
 r4:84e05430
[<80d954b0>] (usb_probe_interface) from [<80a6afe0>] (call_driver_probe drivers/base/dd.c:578 [inline])
[<80d954b0>] (usb_probe_interface) from [<80a6afe0>] (really_probe+0xd8/0x3ac drivers/base/dd.c:656)
 r10:844e4250 r9:82756760 r8:81b8b860 r7:00000000 r6:827b8688 r5:00000000
 r4:84e05430
[<80a6af08>] (really_probe) from [<80a6b348>] (__driver_probe_device+0x94/0x1dc drivers/base/dd.c:798)
 r7:00000013 r6:84e05430 r5:827b8688 r4:84e05430
[<80a6b2b4>] (__driver_probe_device) from [<80a6b4c8>] (driver_probe_device+0x38/0xc8 drivers/base/dd.c:828)
 r8:81b8b860 r7:00000013 r6:84e05430 r5:827b8688 r4:828f3f60
[<80a6b490>] (driver_probe_device) from [<80a6b5f8>] (__device_attach_driver+0xa0/0x114 drivers/base/dd.c:956)
 r7:84e05430 r6:ec421aec r5:827b8688 r4:00000001
[<80a6b558>] (__device_attach_driver) from [<80a68c80>] (bus_for_each_drv+0x98/0xec drivers/base/bus.c:457)
 r7:80a6b558 r6:ec421aec r5:82f22f00 r4:00000000
[<80a68be8>] (bus_for_each_drv) from [<80a6ba54>] (__device_attach+0xb0/0x1d0 drivers/base/dd.c:1028)
 r7:82f22f00 r6:00000001 r5:84e05474 r4:84e05430
[<80a6b9a4>] (__device_attach) from [<80a6bd1c>] (device_initial_probe+0x14/0x18 drivers/base/dd.c:1077)
 r6:00000000 r5:84e05430 r4:84e05430
[<80a6bd08>] (device_initial_probe) from [<80a69f4c>] (bus_probe_device+0x90/0x94 drivers/base/bus.c:532)
[<80a69ebc>] (bus_probe_device) from [<80a675f0>] (device_add+0x5e0/0x7ec drivers/base/core.c:3721)
 r9:82756760 r8:81b8b860 r7:84e05080 r6:00000000 r5:00000000 r4:84e05430
[<80a67010>] (device_add) from [<80d93600>] (usb_set_configuration+0x4b4/0x900 drivers/usb/core/message.c:2210)
 r9:ffc00000 r8:00000000 r7:844e4250 r6:844e424c r5:84e05000 r4:84e05400
[<80d9314c>] (usb_set_configuration) from [<80da0504>] (usb_generic_driver_probe+0x44/0x80 drivers/usb/core/generic.c:254)
 r10:00000000 r9:82756760 r8:00000000 r7:00000001 r6:84e05000 r5:00000000
 r4:84e05000
[<80da04c0>] (usb_generic_driver_probe) from [<80d949f8>] (usb_probe_device+0x44/0x140 drivers/usb/core/driver.c:294)
 r5:8277c10c r4:84e05080
[<80d949b4>] (usb_probe_device) from [<80a6afe0>] (call_driver_probe drivers/base/dd.c:578 [inline])
[<80d949b4>] (usb_probe_device) from [<80a6afe0>] (really_probe+0xd8/0x3ac drivers/base/dd.c:656)
 r7:00000000 r6:8277c10c r5:00000000 r4:84e05080
[<80a6af08>] (really_probe) from [<80a6b348>] (__driver_probe_device+0x94/0x1dc drivers/base/dd.c:798)
 r7:00000013 r6:84e05080 r5:8277c10c r4:84e05080
[<80a6b2b4>] (__driver_probe_device) from [<80a6b4c8>] (driver_probe_device+0x38/0xc8 drivers/base/dd.c:828)
 r8:00000000 r7:00000013 r6:84e05080 r5:8277c10c r4:828f3f60
[<80a6b490>] (driver_probe_device) from [<80a6b5f8>] (__device_attach_driver+0xa0/0x114 drivers/base/dd.c:956)
 r7:84e05080 r6:ec421d34 r5:8277c10c r4:00000001
[<80a6b558>] (__device_attach_driver) from [<80a68c80>] (bus_for_each_drv+0x98/0xec drivers/base/bus.c:457)
 r7:80a6b558 r6:ec421d34 r5:82f22f00 r4:00000000
[<80a68be8>] (bus_for_each_drv) from [<80a6ba54>] (__device_attach+0xb0/0x1d0 drivers/base/dd.c:1028)
 r7:82f22f00 r6:00000001 r5:84e050c4 r4:84e05080
[<80a6b9a4>] (__device_attach) from [<80a6bd1c>] (device_initial_probe+0x14/0x18 drivers/base/dd.c:1077)
 r6:00000000 r5:84e05080 r4:84e05080
[<80a6bd08>] (device_initial_probe) from [<80a69f4c>] (bus_probe_device+0x90/0x94 drivers/base/bus.c:532)
[<80a69ebc>] (bus_probe_device) from [<80a675f0>] (device_add+0x5e0/0x7ec drivers/base/core.c:3721)
 r9:82756760 r8:00000000 r7:83845480 r6:00000000 r5:00000000 r4:84e05080
[<80a67010>] (device_add) from [<80d8802c>] (usb_new_device+0x274/0x67c drivers/usb/core/hub.c:2651)
 r9:00000003 r8:ffffffff r7:00000001 r6:00000000 r5:84e05080 r4:84e05000
[<80d87db8>] (usb_new_device) from [<80d8a5bc>] (hub_port_connect drivers/usb/core/hub.c:5521 [inline])
[<80d87db8>] (usb_new_device) from [<80d8a5bc>] (hub_port_connect_change drivers/usb/core/hub.c:5661 [inline])
[<80d87db8>] (usb_new_device) from [<80d8a5bc>] (port_event drivers/usb/core/hub.c:5821 [inline])
[<80d87db8>] (usb_new_device) from [<80d8a5bc>] (hub_event+0x1064/0x194c drivers/usb/core/hub.c:5903)
 r10:00000000 r9:84e05000 r8:837acb00 r7:00000000 r6:83845400 r5:837ac400
 r4:837ac41c
[<80d89558>] (hub_event) from [<802671bc>] (process_one_work+0x1c4/0x510 kernel/workqueue.c:3231)
 r10:82fcf005 r9:8343bc00 r8:00800000 r7:dddd00c0 r6:82fcf000 r5:837acb00
 r4:8440e700
[<80266ff8>] (process_one_work) from [<80267df0>] (process_scheduled_works kernel/workqueue.c:3312 [inline])
[<80266ff8>] (process_one_work) from [<80267df0>] (worker_thread+0x1ec/0x418 kernel/workqueue.c:3393)
 r10:8343bc00 r9:8440e72c r8:61c88647 r7:dddd00e0 r6:82604d40 r5:dddd00c0
 r4:8440e700
[<80267c04>] (worker_thread) from [<80271228>] (kthread+0x104/0x134 kernel/kthread.c:389)
 r10:00000000 r9:df839e90 r8:843a76c0 r7:8440e700 r6:80267c04 r5:8343bc00
 r4:843a75c0
[<80271124>] (kthread) from [<80200114>] (ret_from_fork+0x14/0x20 arch/arm/kernel/entry-common.S:134)
Exception stack(0xec421fb0 to 0xec421ff8)
1fa0:                                     00000000 00000000 00000000 00000000
1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
1fe0: 00000000 00000000 00000000 00000000 00000013 00000000
 r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:80271124 r4:843a75c0
Code: e5d5201c e1a00009 e59910dc e3520000 (15813000) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	e5d5201c 	ldrb	r2, [r5, #28]
   4:	e1a00009 	mov	r0, r9
   8:	e59910dc 	ldr	r1, [r9, #220]	@ 0xdc
   c:	e3520000 	cmp	r2, #0
* 10:	15813000 	strne	r3, [r1] <-- trapping instruction