8<--- cut here ---
Unable to handle kernel paging request at virtual address 054a18bc when read
[054a18bc] *pgd=85009003, *pmd=00000000
Internal error: Oops: 206 [#1] PREEMPT SMP ARM
Modules linked in:
CPU: 0 UID: 0 PID: 4046 Comm: syz.1.91 Not tainted 6.12.0-rc4-syzkaller #0
Hardware name: ARM-Versatile Express
PC is at llc_qualify_conn_ev net/llc/llc_conn.c:402 [inline]
PC is at llc_conn_service net/llc/llc_conn.c:366 [inline]
PC is at llc_conn_state_process+0xa8/0x620 net/llc/llc_conn.c:72
LR is at llc_process_tmr_ev net/llc/llc_c_ac.c:1445 [inline]
LR is at llc_conn_tmr_common_cb+0xc8/0x1ac net/llc/llc_c_ac.c:1331
pc : [<81527914>]    lr : [<815251f8>]    psr: 80000113
sp : df801df0  ip : df801e20  fp : df801e1c
r10: df801eb8  r9 : 84697000  r8 : 054a18bc
r7 : 84697000  r6 : 00000002  r5 : 84463240  r4 : 84463240
r3 : 815285e4  r2 : ffffffff  r1 : 00000014  r0 : 84697000
Flags: Nzcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
Control: 30c5387d  Table: 84b16d00  DAC: fffffffd
Register r0 information: slab kmalloc-1k start 84697000 pointer offset 0 size 1024
Register r1 information: non-paged memory
Register r2 information: non-paged memory
Register r3 information: non-slab/vmalloc memory
Register r4 information: slab skbuff_head_cache start 84463240 pointer offset 0 size 192
Register r5 information: slab skbuff_head_cache start 84463240 pointer offset 0 size 192
Register r6 information: non-paged memory
Register r7 information: slab kmalloc-1k start 84697000 pointer offset 0 size 1024
Register r8 information: non-paged memory
Register r9 information: slab kmalloc-1k start 84697000 pointer offset 0 size 1024
Register r10 information: 2-page vmalloc region starting at 0xdf800000 allocated at start_kernel+0x5d0/0x778 init/main.c:1008
Register r11 information: 2-page vmalloc region starting at 0xdf800000 allocated at start_kernel+0x5d0/0x778 init/main.c:1008
Register r12 information: 2-page vmalloc region starting at 0xdf800000 allocated at start_kernel+0x5d0/0x778 init/main.c:1008
Process syz.1.91 (pid: 4046, stack limit = 0xdfbc0000)
Stack: (0xdf801df0 to 0xdf802000)
1de0:                                     00000000 84463240 84697000 00000002
1e00: 846970ec 00000100 ffffc610 df801eb8 df801e44 df801e20 815251f8 81527878
1e20: 84697268 81527210 83575400 81527210 00000100 ffffc610 df801e54 df801e48
1e40: 81527228 8152513c df801e8c df801e58 803015e8 8152721c 00000000 84697268
1e60: 81a04298 d0046134 84697268 81527210 dddc6040 00000000 00000122 83575400
1e80: df801f04 df801e90 80301a80 803015c4 82604d40 00000000 00000002 827fcfe8
1ea0: 8260c5d0 ffffc610 df801edc 00000000 00000000 847bacc8 8478581c 00000000
1ec0: 00000000 00000000 00000000 00000000 00000000 d0046134 00000002 dddc6040
1ee0: 00000002 00000001 00400040 00000100 83575400 00000002 df801f24 df801f08
1f00: 80301c10 803017e4 82604084 00000000 00000004 82604084 df801f34 df801f28
1f20: 80301c3c 80301bb4 df801fac df801f38 8024b524 80301c2c df801f54 df801f48
1f40: 819ba008 00400040 82604d40 ffffc611 8221fc50 00000000 824bbd00 0000000a
1f60: 827fc2c8 8260c5d0 8220cfbc 824b1208 df801f38 82604080 8029e440 80293dec
1f80: 83575400 83575400 8221fc50 821df450 dfbc1e30 00000000 83575400 b5403587
1fa0: df801fc4 df801fb0 8024b920 8024b3d8 824bbcdc 8221fc50 df801fd4 df801fc8
1fc0: 8024bc20 8024b888 df801ffc df801fd8 819b93cc 8024bc1c 81487854 80000113
1fe0: ffffffff dfbc1e64 00000000 83575400 dfbc1e2c df802000 819698dc 819b935c
Call trace: frame pointer underflow
[<8152786c>] (llc_conn_state_process) from [<815251f8>] (llc_process_tmr_ev net/llc/llc_c_ac.c:1445 [inline])
[<8152786c>] (llc_conn_state_process) from [<815251f8>] (llc_conn_tmr_common_cb+0xc8/0x1ac net/llc/llc_c_ac.c:1331)
 r10:df801eb8 r9:ffffc610 r8:00000100 r7:846970ec r6:00000002 r5:84697000
 r4:84463240 r3:00000000
[<81525130>] (llc_conn_tmr_common_cb) from [<81527228>] (llc_conn_ack_tmr_cb+0x18/0x1c net/llc/llc_c_ac.c:1354)
 r9:ffffc610 r8:00000100 r7:81527210 r6:83575400 r5:81527210 r4:84697268
[<81527210>] (llc_conn_ack_tmr_cb) from [<803015e8>] (call_timer_fn+0x30/0x220 kernel/time/timer.c:1794)
[<803015b8>] (call_timer_fn) from [<80301a80>] (expire_timers kernel/time/timer.c:1845 [inline])
[<803015b8>] (call_timer_fn) from [<80301a80>] (__run_timers+0x2a8/0x3d0 kernel/time/timer.c:2419)
 r9:83575400 r8:00000122 r7:00000000 r6:dddc6040 r5:81527210 r4:84697268
[<803017d8>] (__run_timers) from [<80301c10>] (__run_timer_base kernel/time/timer.c:2430 [inline])
[<803017d8>] (__run_timers) from [<80301c10>] (__run_timer_base kernel/time/timer.c:2423 [inline])
[<803017d8>] (__run_timers) from [<80301c10>] (run_timer_base+0x68/0x78 kernel/time/timer.c:2439)
 r10:00000002 r9:83575400 r8:00000100 r7:00400040 r6:00000001 r5:00000002
 r4:dddc6040
[<80301ba8>] (run_timer_base) from [<80301c3c>] (run_timer_softirq+0x1c/0x34 kernel/time/timer.c:2449)
 r4:82604084
[<80301c20>] (run_timer_softirq) from [<8024b524>] (handle_softirqs+0x158/0x464 kernel/softirq.c:554)
[<8024b3cc>] (handle_softirqs) from [<8024b920>] (__do_softirq kernel/softirq.c:588 [inline])
[<8024b3cc>] (handle_softirqs) from [<8024b920>] (invoke_softirq kernel/softirq.c:428 [inline])
[<8024b3cc>] (handle_softirqs) from [<8024b920>] (__irq_exit_rcu+0xa4/0x164 kernel/softirq.c:637)
 r10:b5403587 r9:83575400 r8:00000000 r7:dfbc1e30 r6:821df450 r5:8221fc50
 r4:83575400
[<8024b87c>] (__irq_exit_rcu) from [<8024bc20>] (irq_exit+0x10/0x18 kernel/softirq.c:661)
 r5:8221fc50 r4:824bbcdc
[<8024bc10>] (irq_exit) from [<819b93cc>] (generic_handle_arch_irq+0x7c/0x80 kernel/irq/handle.c:240)
[<819b9350>] (generic_handle_arch_irq) from [<819698dc>] (call_with_stack+0x1c/0x20 arch/arm/lib/call_with_stack.S:40)
 r9:83575400 r8:00000000 r7:dfbc1e64 r6:ffffffff r5:80000113 r4:81487854
[<819698c0>] (call_with_stack) from [<80200bcc>] (__irq_svc+0x8c/0xbc arch/arm/kernel/entry-armv.S:227)
Exception stack(0xdfbc1e30 to 0xdfbc1e78)
1e20:                                     00000000 7effffff 00000000 b5003500
1e40: dfbc1ec0 2001e140 00000f04 00000002 00000000 83575400 b5403587 dfbc1f5c
1e60: a101e15f dfbc1e80 8148784c 81487854 80000113 ffffffff
[<81487724>] (do_recvmmsg) from [<81488210>] (__sys_recvmmsg net/socket.c:3041 [inline])
[<81487724>] (do_recvmmsg) from [<81488210>] (__do_sys_recvmmsg_time32 net/socket.c:3075 [inline])
[<81487724>] (do_recvmmsg) from [<81488210>] (sys_recvmmsg_time32+0xc4/0xd8 net/socket.c:3068)
 r10:0000016d r9:83575400 r8:00010106 r7:00000002 r6:00000000 r5:200000c0
 r4:00000004
[<8148814c>] (sys_recvmmsg_time32) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:67)
Exception stack(0xdfbc1fa8 to 0xdfbc1ff0)
1fa0:                   00000000 00000000 00000004 200000c0 00010106 00000002
1fc0: 00000000 00000000 00286388 0000016d 00000000 00006364 003d0f00 76b4b0bc
1fe0: 76b4aec0 76b4aeb0 00018b10 00133470
 r8:8020029c r7:0000016d r6:00286388 r5:00000000 r4:00000000
Code: e3a01014 e0233291 e593300c e0888103 (e5983000) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	e3a01014 	mov	r1, #20
   4:	e0233291 	mla	r3, r1, r2, r3
   8:	e593300c 	ldr	r3, [r3, #12]
   c:	e0888103 	add	r8, r8, r3, lsl #2
* 10:	e5983000 	ldr	r3, [r8] <-- trapping instruction