8<--- cut here ---
Unable to handle kernel NULL pointer dereference at virtual address 0000000e when read
[0000000e] *pgd=8a67a003, *pmd=e7381003
Internal error: Oops: 207 [#1] PREEMPT SMP ARM
Modules linked in:
CPU: 0 PID: 5547 Comm: syz-executor.1 Not tainted 6.6.0-rc3-syzkaller #0
Hardware name: ARM-Versatile Express
PC is at __io_remove_buffers io_uring/kbuf.c:219 [inline]
PC is at __io_remove_buffers+0x38/0x184 io_uring/kbuf.c:209
LR is at io_unregister_pbuf_ring+0x104/0x18c io_uring/kbuf.c:615
pc : [<807c9634>]    lr : [<807ca76c>]    psr: 20000013
sp : df9d5ec8  ip : df9d5ef8  fp : df9d5ef4
r10: 00000017  r9 : 84765800  r8 : ffffffff
r7 : 00000000  r6 : 00000001  r5 : 84760800  r4 : 00000000
r3 : 00000000  r2 : 00000000  r1 : 84760800  r0 : 84765800
Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
Control: 30c5387d  Table: 84ac8280  DAC: fffffffd
Register r0 information: slab kmalloc-2k start 84765800 pointer offset 0 size 2048
Register r1 information: slab kmalloc-2k start 84760800 pointer offset 0 size 2048
Register r2 information: NULL pointer
Register r3 information: NULL pointer
Register r4 information: NULL pointer
Register r5 information: slab kmalloc-2k start 84760800 pointer offset 0 size 2048
Register r6 information: non-paged memory
Register r7 information: NULL pointer
Register r8 information: non-paged memory
Register r9 information: slab kmalloc-2k start 84765800 pointer offset 0 size 2048
Register r10 information: non-paged memory
Register r11 information: 2-page vmalloc region starting at 0xdf9d4000 allocated at kernel_clone+0xac/0x424 kernel/fork.c:2909
Register r12 information: 2-page vmalloc region starting at 0xdf9d4000 allocated at kernel_clone+0xac/0x424 kernel/fork.c:2909
Process syz-executor.1 (pid: 5547, stack limit = 0xdf9d4000)
Stack: (0xdf9d5ec8 to 0xdf9d6000)
5ec0:                   00000001 84760800 84765800 84618bc0 00000000 850d6cc0
5ee0: 84765840 00000017 df9d5f3c df9d5ef8 807ca76c 807c9608 00000000 00000000
5f00: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
5f20: df9d5f3c 957246a3 84765800 20000180 df9d5fa4 df9d5f40 807bed0c 807ca674
5f40: 8024bc7c 80278e68 40000000 df9d5fb0 df9d5f84 df9d5f60 80202fc4 00000001
5f60: 8261c9e8 df9d5fb0 0006b210 ecac8b10 80202eac 957246a3 df9d5fac 00000000
5f80: 00000000 0014c2c4 000001ab 80200288 84618bc0 000001ab 00000000 df9d5fa8
5fa0: 80200060 807be738 00000000 00000000 00000003 00000017 20000180 00000001
5fc0: 00000000 00000000 0014c2c4 000001ab 7e9d932e 7e9d932f 003d0f00 76bf00fc
5fe0: 76beff08 76befef8 00016688 000509e0 60000010 00000003 00000000 00000000
Backtrace:
[<807c95fc>] (__io_remove_buffers) from [<807ca76c>] (io_unregister_pbuf_ring+0x104/0x18c io_uring/kbuf.c:615)
 r10:00000017 r9:84765840 r8:850d6cc0 r7:00000000 r6:84618bc0 r5:84765800
 r4:84760800 r3:00000001
[<807ca668>] (io_unregister_pbuf_ring) from [<807bed0c>] (__io_uring_register io_uring/io_uring.c:4525 [inline])
[<807ca668>] (io_unregister_pbuf_ring) from [<807bed0c>] (__do_sys_io_uring_register io_uring/io_uring.c:4587 [inline])
[<807ca668>] (io_unregister_pbuf_ring) from [<807bed0c>] (sys_io_uring_register+0x5e0/0xd00 io_uring/io_uring.c:4547)
 r5:20000180 r4:84765800
[<807be72c>] (sys_io_uring_register) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:66)
Exception stack(0xdf9d5fa8 to 0xdf9d5ff0)
5fa0:                   00000000 00000000 00000003 00000017 20000180 00000001
5fc0: 00000000 00000000 0014c2c4 000001ab 7e9d932e 7e9d932f 003d0f00 76bf00fc
5fe0: 76beff08 76befef8 00016688 000509e0
 r10:000001ab r9:84618bc0 r8:80200288 r7:000001ab r6:0014c2c4 r5:00000000
 r4:00000000
Code: 0a000022 e5913004 e1d120be e5d14013 (e1d380be)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:   0a000022    beq     0x90
   4:   e5913004    ldr     r3, [r1, #4]
   8:   e1d120be    ldrh    r2, [r1, #14]
   c:   e5d14013    ldrb    r4, [r1, #19]
* 10:   e1d380be    ldrh    r8, [r3, #14] <-- trapping instruction