8<--- cut here ---
Unable to handle kernel NULL pointer dereference at virtual address 0000000e when read
[0000000e] *pgd=80000080004003, *pmd=00000000
Internal error: Oops: 207 [#1] PREEMPT SMP ARM
Modules linked in:
CPU: 0 PID: 28 Comm: kworker/u5:1 Not tainted 6.6.0-rc3-syzkaller #0
Hardware name: ARM-Versatile Express
Workqueue: events_unbound io_ring_exit_work
PC is at __io_remove_buffers io_uring/kbuf.c:219 [inline]
PC is at __io_remove_buffers+0x38/0x184 io_uring/kbuf.c:209
LR is at io_destroy_buffers+0x48/0x138 io_uring/kbuf.c:264
pc : [<807c9634>]    lr : [<807c9bf0>]    psr: 20000113
sp : df88de48  ip : df88de78  fp : df88de74
r10: 827e4691  r9 : 8479c800  r8 : ffffffff
r7 : 8479cb4c  r6 : 00000001  r5 : 8479b800  r4 : 00000000
r3 : 00000000  r2 : 00000000  r1 : 8479b800  r0 : 8479c800
Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
Control: 30c5387d  Table: 846ad5c0  DAC: fffffffd
Register r0 information: slab kmalloc-2k start 8479c800 pointer offset 0 size 2048
Register r1 information: slab kmalloc-2k start 8479b800 pointer offset 0 size 2048
Register r2 information: NULL pointer
Register r3 information: NULL pointer
Register r4 information: NULL pointer
Register r5 information: slab kmalloc-2k start 8479b800 pointer offset 0 size 2048
Register r6 information: non-paged memory
Register r7 information: slab kmalloc-2k start 8479c800 pointer offset 844 size 2048
Register r8 information: non-paged memory
Register r9 information: slab kmalloc-2k start 8479c800 pointer offset 0 size 2048
Register r10 information: non-slab/vmalloc memory
Register r11 information: 2-page vmalloc region starting at 0xdf88c000 allocated at kernel_clone+0xac/0x424 kernel/fork.c:2909
Register r12 information: 2-page vmalloc region starting at 0xdf88c000 allocated at kernel_clone+0xac/0x424 kernel/fork.c:2909
Process kworker/u5:1 (pid: 28, stack limit = 0xdf88c000)
Stack: (0xdf88de48 to 0xdf88e000)
Backtrace: 
[<807c95fc>] (__io_remove_buffers) from [<807c9bf0>] (io_destroy_buffers+0x48/0x138 io_uring/kbuf.c:264)
 r10:827e4691 r9:8479cbcc r8:82604d40 r7:8479cb4c r6:8479c840 r5:8479c800
 r4:00000014 r3:82dfde00
[<807c9ba8>] (io_destroy_buffers) from [<81826490>] (io_ring_ctx_free io_uring/io_uring.c:2895 [inline])
[<807c9ba8>] (io_destroy_buffers) from [<81826490>] (io_ring_exit_work+0x3a8/0x5ec io_uring/io_uring.c:3151)
 r7:8479cb4c r6:8479c840 r5:8479c800 r4:8479cbbc
[<818260e8>] (io_ring_exit_work) from [<80265fd4>] (process_one_work+0x19c/0x4a8 kernel/workqueue.c:2630)
 r10:82c21405 r9:82dfde00 r8:00000140 r7:82c0f000 r6:82c21400 r5:8479cbbc
 r4:82e9d480
[<80265e38>] (process_one_work) from [<80266520>] (process_scheduled_works kernel/workqueue.c:2703 [inline])
[<80265e38>] (process_one_work) from [<80266520>] (worker_thread+0x240/0x48c kernel/workqueue.c:2784)
 r10:61c88647 r9:82dfde00 r8:82c0f020 r7:82604d40 r6:82c0f000 r5:82e9d4ac
 r4:82e9d480
[<802662e0>] (worker_thread) from [<8026d8e0>] (kthread+0x104/0x134 kernel/kthread.c:388)
 r10:00000000 r9:df87de98 r8:82ea2380 r7:82e9d480 r6:802662e0 r5:82dfde00
 r4:82e99f40
[<8026d7dc>] (kthread) from [<80200104>] (ret_from_fork+0x14/0x30 arch/arm/kernel/entry-common.S:134)
Exception stack(0xdf88dfb0 to 0xdf88dff8)
dfa0:                                     00000000 00000000 00000000 00000000
dfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
dfe0: 00000000 00000000 00000000 00000000 00000013 00000000
 r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:8026d7dc r4:82e99f40
Code: 0a000022 e5913004 e1d120be e5d14013 (e1d380be) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	0a000022 	beq	0x90
   4:	e5913004 	ldr	r3, [r1, #4]
   8:	e1d120be 	ldrh	r2, [r1, #14]
   c:	e5d14013 	ldrb	r4, [r1, #19]
* 10:	e1d380be 	ldrh	r8, [r3, #14] <-- trapping instruction