8<--- cut here ---
Unable to handle kernel NULL pointer dereference at virtual address 00000018 when write
[00000018] *pgd=97dd8003, *pmd=dfdd1003
Internal error: Oops: a07 [#1] PREEMPT SMP ARM
Modules linked in:
CPU: 1 PID: 31697 Comm: syz-executor.1 Not tainted 6.7.0-syzkaller #0
Hardware name: ARM-Versatile Express
PC is at pagemap_scan_init_bounce_buffer fs/proc/task_mmu.c:2400 [inline]
PC is at do_pagemap_scan+0x308/0x698 fs/proc/task_mmu.c:2447
LR is at 0x10
pc : [<80588f14>]    lr : [<00000010>]    psr: 20000013
sp : eb4e5dd0  ip : 00000000  fp : eb4e5eb4
r10: eb4e5e00  r9 : 00000000  r8 : 82e7b000
r7 : 00000000  r6 : 8574b000  r5 : 20ffa000  r4 : 00000000
r3 : 20ffa000  r2 : 00000000  r1 : 00000000  r0 : 00000000
Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
Control: 30c5387d  Table: 8648b1c0  DAC: 00000000
Register r0 information: NULL pointer
Register r1 information: NULL pointer
Register r2 information: NULL pointer
Register r3 information: non-paged memory
Register r4 information: NULL pointer
Register r5 information: non-paged memory
Register r6 information: slab mm_struct start 8574b000 pointer offset 0 size 712
Register r7 information: NULL pointer
Register r8 information: slab task_struct start 82e7b000 pointer offset 0 size 3072
Register r9 information: NULL pointer
Register r10 information: 2-page vmalloc region starting at 0xeb4e4000 allocated at kernel_clone+0xac/0x3c8 kernel/fork.c:2901
Register r11 information: 2-page vmalloc region starting at 0xeb4e4000 allocated at kernel_clone+0xac/0x3c8 kernel/fork.c:2901
Register r12 information: NULL pointer
Process syz-executor.1 (pid: 31697, stack limit = 0xeb4e4000)
Stack: (0xeb4e5dd0 to 0xeb4e6000)
5dc0:                                     00000000 00000000 06000000 20000100
5de0: 20ffa000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
5e00: 00000060 00000000 00000000 00000000 20ffa000 00000000 20ffa000 00000000
5e20: 00000000 00000000 200000c0 00000000 00000000 06000000 ffffffff 00000000
5e40: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
5e60: 00000000 00000000 00000010 00000000 00000000 00000000 200000c0 00000000
5e80: c0606610 26919cb8 eb4e5ea4 c0606610 00000000 84418e41 20000100 84418e40
5ea0: 00000003 82e7b000 eb4e5ec4 eb4e5eb8 805892cc 80588c18 eb4e5fa4 eb4e5ec8
5ec0: 804ff5ac 805892b0 00050bb0 00000000 00000000 00000000 eb4e5f04 eb4e5ee8
5ee0: 8020c0cc 8020d098 00000000 00000001 81872698 ecac8b10 eb4e5f44 eb4e5f08
5f00: 8020d120 8020c0b4 000f4240 00000000 8020c974 eb4e5fac 82e7b000 00000001
5f20: ecac8b10 82e7b000 eb4e5f44 eb4e5f38 81867014 81866ee4 eb4e5f5c eb4e5f48
5f40: 8024c5ac 80279658 40000000 eb4e5fb0 eb4e5f84 eb4e5f60 80203104 8024c568
5f60: 8261c928 eb4e5fb0 0006b3e0 ecac8b10 80202fec 26919cb8 eb4e5fac 00000000
5f80: 00000000 0014c2c8 00000036 80200288 82e7b000 00000036 00000000 eb4e5fa8
5fa0: 80200060 804ff4a0 00000000 00000000 00000003 c0606610 20000100 00000000
5fc0: 00000000 00000000 0014c2c8 00000036 7ee9632e 7ee9632f 003d0f00 76baf0fc
5fe0: 76baef08 76baeef8 000167e8 00050bb0 60000010 00000003 00000000 00000000
Backtrace:
[<80588c0c>] (do_pagemap_scan) from [<805892cc>] (do_pagemap_cmd+0x28/0x34 fs/proc/task_mmu.c:2511)
 r10:82e7b000 r9:00000003 r8:84418e40 r7:20000100 r6:84418e41 r5:00000000
 r4:c0606610
[<805892a4>] (do_pagemap_cmd) from [<804ff5ac>] (vfs_ioctl fs/ioctl.c:51 [inline])
[<805892a4>] (do_pagemap_cmd) from [<804ff5ac>] (do_vfs_ioctl fs/ioctl.c:831 [inline])
[<805892a4>] (do_pagemap_cmd) from [<804ff5ac>] (__do_sys_ioctl fs/ioctl.c:869 [inline])
[<805892a4>] (do_pagemap_cmd) from [<804ff5ac>] (sys_ioctl+0x118/0xb58 fs/ioctl.c:857)
[<804ff494>] (sys_ioctl) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:66)
Exception stack(0xeb4e5fa8 to 0xeb4e5ff0)
5fa0:                   00000000 00000000 00000003 c0606610 20000100 00000000
5fc0: 00000000 00000000 0014c2c8 00000036 7ee9632e 7ee9632f 003d0f00 76baf0fc
5fe0: 76baef08 76baeef8 000167e8 00050bb0
 r10:00000036 r9:82e7b000 r8:80200288 r7:00000036 r6:0014c2c8 r5:00000000
 r4:00000000
Code: e51b2098 e51b108c e50b103c e3a01000 (e1ce00f8)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	e51b2098 	ldr	r2, [fp, #-152]	@ 0xffffff68
   4:	e51b108c 	ldr	r1, [fp, #-140]	@ 0xffffff74
   8:	e50b103c 	str	r1, [fp, #-60]	@ 0xffffffc4
   c:	e3a01000 	mov	r1, #0
* 10:	e1ce00f8 	strd	r0, [lr, #8] <-- trapping instruction