8<--- cut here ---
Unable to handle kernel NULL pointer dereference at virtual address 0000000e when read
[0000000e] *pgd=8b20d003, *pmd=e0181003
Internal error: Oops: 207 [#1] PREEMPT SMP ARM
Modules linked in:
CPU: 0 PID: 6504 Comm: syz-executor.0 Not tainted 6.6.0-rc3-syzkaller #0
Hardware name: ARM-Versatile Express
PC is at __io_remove_buffers io_uring/kbuf.c:219 [inline]
PC is at __io_remove_buffers+0x38/0x184 io_uring/kbuf.c:209
LR is at io_unregister_pbuf_ring+0x104/0x18c io_uring/kbuf.c:615
pc : [<807c9634>]    lr : [<807ca76c>]    psr: 20000013
sp : ee83dec8  ip : ee83def8  fp : ee83def4
r10: 00000017  r9 : 8a0de000  r8 : ffffffff
r7 : 00000000  r6 : 00000001  r5 : 8a0df000  r4 : 00000000
r3 : 00000000  r2 : 00000000  r1 : 8a0df000  r0 : 8a0de000
Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
Control: 30c5387d  Table: 89dea780  DAC: fffffffd
Register r0 information: slab kmalloc-2k start 8a0de000 pointer offset 0 size 2048
Register r1 information: slab kmalloc-2k start 8a0df000 pointer offset 0 size 2048
Register r2 information: NULL pointer
Register r3 information: NULL pointer
Register r4 information: NULL pointer
Register r5 information: slab kmalloc-2k start 8a0df000 pointer offset 0 size 2048
Register r6 information: non-paged memory
Register r7 information: NULL pointer
Register r8 information: non-paged memory
Register r9 information: slab kmalloc-2k start 8a0de000 pointer offset 0 size 2048
Register r10 information: non-paged memory
Register r11 information: 2-page vmalloc region starting at 0xee83c000 allocated at kernel_clone+0xac/0x424 kernel/fork.c:2909
Register r12 information: 2-page vmalloc region starting at 0xee83c000 allocated at kernel_clone+0xac/0x424 kernel/fork.c:2909
Process syz-executor.0 (pid: 6504, stack limit = 0xee83c000)
Stack: (0xee83dec8 to 0xee83e000)
dec0:                   00000001 8a0df000 8a0de000 89ee5e00 00000000 841e86c0
dee0: 8a0de040 00000017 ee83df3c ee83def8 807ca76c 807c9608 00000000 00000000
df00: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
df20: ee83df3c c8d452dc 8a0de000 20000180 ee83dfa4 ee83df40 807bed0c 807ca674
df40: 8024bc7c 80278e68 40000000 ee83dfb0 ee83df84 ee83df60 80202fc4 00000001
df60: 8261c9e8 ee83dfb0 0006b210 ecac8b10 80202eac c8d452dc ee83dfac 00000000
df80: 00000000 0014c2c4 000001ab 80200288 89ee5e00 000001ab 00000000 ee83dfa8
dfa0: 80200060 807be738 00000000 00000000 00000003 00000017 20000180 00000001
dfc0: 00000000 00000000 0014c2c4 000001ab 7eb3332e 7eb3332f 003d0f00 76bed0fc
dfe0: 76becf08 76becef8 00016688 000509e0 60000010 00000003 00000000 00000000
Backtrace:
[<807c95fc>] (__io_remove_buffers) from [<807ca76c>] (io_unregister_pbuf_ring+0x104/0x18c io_uring/kbuf.c:615)
 r10:00000017 r9:8a0de040 r8:841e86c0 r7:00000000 r6:89ee5e00 r5:8a0de000
 r4:8a0df000 r3:00000001
[<807ca668>] (io_unregister_pbuf_ring) from [<807bed0c>] (__io_uring_register io_uring/io_uring.c:4525 [inline])
[<807ca668>] (io_unregister_pbuf_ring) from [<807bed0c>] (__do_sys_io_uring_register io_uring/io_uring.c:4587 [inline])
[<807ca668>] (io_unregister_pbuf_ring) from [<807bed0c>] (sys_io_uring_register+0x5e0/0xd00 io_uring/io_uring.c:4547)
 r5:20000180 r4:8a0de000
[<807be72c>] (sys_io_uring_register) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:66)
Exception stack(0xee83dfa8 to 0xee83dff0)
dfa0:                   00000000 00000000 00000003 00000017 20000180 00000001
dfc0: 00000000 00000000 0014c2c4 000001ab 7eb3332e 7eb3332f 003d0f00 76bed0fc
dfe0: 76becf08 76becef8 00016688 000509e0
 r10:000001ab r9:89ee5e00 r8:80200288 r7:000001ab r6:0014c2c4 r5:00000000
 r4:00000000
Code: 0a000022 e5913004 e1d120be e5d14013 (e1d380be)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	0a000022 	beq	0x90
   4:	e5913004 	ldr	r3, [r1, #4]
   8:	e1d120be 	ldrh	r2, [r1, #14]
   c:	e5d14013 	ldrb	r4, [r1, #19]
* 10:	e1d380be 	ldrh	r8, [r3, #14] <-- trapping instruction