8<--- cut here --- Unable to handle kernel NULL pointer dereference at virtual address 00000012 when read [00000012] *pgd=8558f003, *pmd=df850003 Internal error: Oops: 205 [#1] SMP ARM Modules linked in: CPU: 1 UID: 0 PID: 4415 Comm: syz.1.137 Not tainted 6.15.0-rc6-syzkaller #0 PREEMPT Hardware name: ARM-Versatile Express PC is at is_anon_ns fs/mount.h:165 [inline] PC is at do_move_mount+0x88/0x588 fs/namespace.c:3648 LR is at get_mountpoint+0x58/0x164 fs/namespace.c:973 pc : [<805837a8>] lr : [<8057cf18>] psr: 60000013 sp : dfb1dea8 ip : dfb1de50 fp : dfb1df04 r10: dfb1df6c r9 : 830af240 r8 : 830af240 r7 : 830af250 r6 : ffffffea r5 : 00000000 r4 : 85559900 r3 : 8329dd80 r2 : 8329dd80 r1 : 00000000 r0 : 85559900 Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none Control: 30c5387d Table: 85586c40 DAC: 00000000 Register r0 information: slab kmalloc-64 start 85559900 pointer offset 0 size 64 Register r1 information: NULL pointer Register r2 information: slab kmalloc-cg-128 start 8329dd80 pointer offset 0 size 128 Register r3 information: slab kmalloc-cg-128 start 8329dd80 pointer offset 0 size 128 Register r4 information: slab kmalloc-64 start 85559900 pointer offset 0 size 64 Register r5 information: NULL pointer Register r6 information: non-paged memory Register r7 information: slab mnt_cache start 830af240 pointer offset 16 size 192 Register r8 information: slab mnt_cache start 830af240 pointer offset 0 size 192 Register r9 information: slab mnt_cache start 830af240 pointer offset 0 size 192 Register r10 information: 2-page vmalloc region starting at 0xdfb1c000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2844 Register r11 information: 2-page vmalloc region starting at 0xdfb1c000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2844 Register r12 information: 2-page vmalloc region starting at 0xdfb1c000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2844 Process syz.1.137 (pid: 4415, stack limit = 0xdfb1c000) Stack: (0xdfb1dea8 to 0xdfb1e000) 
dea0: 85559540 00002008 00000000 8400ec00 dfb1dedc 00000000 dec0: 8400ec00 00000000 85516e50 dfb1df1c dfb1df04 dfb1dee0 80566114 00000000 dee0: 00000024 dfb1df6c 85559540 00002008 00000000 8400ec00 dfb1df54 dfb1df08 df00: 805841cc 8058372c 00000000 dfb1df18 805604bc 00000000 832dc000 830af250 df20: 837a5dd0 d77355c5 80566208 00000000 00000000 00000000 85559540 00000000 df40: 8400ec00 00000015 dfb1dfa4 dfb1df58 80584f88 80583f30 00000000 8281d05c df60: 00002008 20000080 ecac8b10 85516e50 837a53b8 d77355c5 dfb1dfac 00000000 df80: 00000000 002e6308 00000015 8020029c 8400ec00 00000015 00000000 dfb1dfa8 dfa0: 80200060 80584e1c 00000000 00000000 20000000 20000080 00000000 00002008 dfc0: 00000000 00000000 002e6308 00000015 002d0000 00000000 00006364 76bfd0bc dfe0: 76bfcec0 76bfceb0 0001939c 00131f30 60000010 20000000 00000000 00000000 Call trace: [<80583720>] (do_move_mount) from [<805841cc>] (do_move_mount_old fs/namespace.c:3752 [inline]) [<80583720>] (do_move_mount) from [<805841cc>] (path_mount+0x2a8/0xae4 fs/namespace.c:4206) r10:8400ec00 r9:00000000 r8:00002008 r7:85559540 r6:dfb1df6c r5:00000024 r4:00000000 [<80583f24>] (path_mount) from [<80584f88>] (do_mount fs/namespace.c:4221 [inline]) [<80583f24>] (path_mount) from [<80584f88>] (__do_sys_mount fs/namespace.c:4432 [inline]) [<80583f24>] (path_mount) from [<80584f88>] (sys_mount+0x178/0x260 fs/namespace.c:4409) r10:00000015 r9:8400ec00 r8:00000000 r7:85559540 r6:00000000 r5:00000000 r4:00000000 [<80584e10>] (sys_mount) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:67) Exception stack(0xdfb1dfa8 to 0xdfb1dff0) dfa0: 00000000 00000000 20000000 20000080 00000000 00002008 dfc0: 00000000 00000000 002e6308 00000015 002d0000 00000000 00006364 76bfd0bc dfe0: 76bfcec0 76bfceb0 0001939c 00131f30 r10:00000015 r9:8400ec00 r8:8020029c r7:00000015 r6:002e6308 r5:00000000 r4:00000000 Code: e592200c e1590008 e50b1048 13855001 (e5961028) ---[ end trace 0000000000000000 ]--- ---------------- Code disassembly 
(best guess): 0: e592200c ldr r2, [r2, #12] 4: e1590008 cmp r9, r8 8: e50b1048 str r1, [fp, #-72] @ 0xffffffb8 c: 13855001 orrne r5, r5, #1 * 10: e5961028 ldr r1, [r6, #40] @ 0x28 <-- trapping instruction
Reviewer note: the faulting load reads [r6 + 0x28] with r6 = 0xffffffea, which is -22 (-EINVAL) as a 32-bit value; 0xffffffea + 0x28 wraps to 0x00000012, exactly the reported fault address, and the kernel's "Register r6 information: non-paged memory" is consistent with that. So this is not a plain NULL dereference but a dereference of an ERR_PTR(-EINVAL)-style error value used as a pointer — presumably the namespace pointer that is_anon_ns() (inlined at fs/namespace.c:3648) reads, which suggests a missing IS_ERR() check on the path in do_move_mount(); confirm against the 6.15.0-rc6 source at that line before drawing conclusions.