8<--- cut here ---
Unable to handle kernel NULL pointer dereference at virtual address 0000000e when read
[0000000e] *pgd=8ac74003, *pmd=e1b9f003
Internal error: Oops: 207 [#1] PREEMPT SMP ARM
Modules linked in:
CPU: 1 PID: 9020 Comm: syz-executor.0 Not tainted 6.6.0-rc4-syzkaller #0
Hardware name: ARM-Versatile Express
PC is at __io_remove_buffers io_uring/kbuf.c:219 [inline]
PC is at __io_remove_buffers+0x38/0x184 io_uring/kbuf.c:209
LR is at io_unregister_pbuf_ring+0x104/0x18c io_uring/kbuf.c:615
pc : [<807c96e4>]    lr : [<807ca81c>]    psr: 20000013
sp : dfb49ec8  ip : dfb49ef8  fp : dfb49ef4
r10: 00000017  r9 : 8a815800  r8 : ffffffff
r7 : 00000000  r6 : 00000001  r5 : 8a811000  r4 : 00000000
r3 : 00000000  r2 : 00000000  r1 : 8a811000  r0 : 8a815800
Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
Control: 30c5387d  Table: 8b77cb40  DAC: 00000000
Register r0 information: slab kmalloc-2k start 8a815800 pointer offset 0 size 2048
Register r1 information: slab kmalloc-2k start 8a811000 pointer offset 0 size 2048
Register r2 information: NULL pointer
Register r3 information: NULL pointer
Register r4 information: NULL pointer
Register r5 information: slab kmalloc-2k start 8a811000 pointer offset 0 size 2048
Register r6 information: non-paged memory
Register r7 information: NULL pointer
Register r8 information: non-paged memory
Register r9 information: slab kmalloc-2k start 8a815800 pointer offset 0 size 2048
Register r10 information: non-paged memory
Register r11 information: 2-page vmalloc region starting at 0xdfb48000 allocated at kernel_clone+0xac/0x424 kernel/fork.c:2909
Register r12 information: 2-page vmalloc region starting at 0xdfb48000 allocated at kernel_clone+0xac/0x424 kernel/fork.c:2909
Process syz-executor.0 (pid: 9020, stack limit = 0xdfb48000)
Stack: (0xdfb49ec8 to 0xdfb4a000)
9ec0:                   00000001 8a811000 8a815800 8ac6c680 00000000 8995cc00
9ee0: 8a815840 00000017 dfb49f3c dfb49ef8 807ca81c 807c96b8 00000000 00000000
9f00: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9f20: dfb49f3c 103c1c8d 8a815800 20000300 dfb49fa4 dfb49f40 807bedbc 807ca724
9f40: 8024bc7c 80278e68 40000000 dfb49fb0 dfb49f84 dfb49f60 80202fc4 00000001
9f60: 8261c9e8 dfb49fb0 0006b210 ecac8b10 80202eac 103c1c8d dfb49fac 00000000
9f80: 00000000 0014c2c4 000001ab 80200288 8ac6c680 000001ab 00000000 dfb49fa8
9fa0: 80200060 807be7e8 00000000 00000000 00000005 00000017 20000300 00000001
9fc0: 00000000 00000000 0014c2c4 000001ab 7eae332e 7eae332f 003d0f00 76be80fc
9fe0: 76be7f08 76be7ef8 00016688 000509e0 60000010 00000005 00000000 00000000
Backtrace:
[<807c96ac>] (__io_remove_buffers) from [<807ca81c>] (io_unregister_pbuf_ring+0x104/0x18c io_uring/kbuf.c:615)
 r10:00000017 r9:8a815840 r8:8995cc00 r7:00000000 r6:8ac6c680 r5:8a815800
 r4:8a811000 r3:00000001
[<807ca718>] (io_unregister_pbuf_ring) from [<807bedbc>] (__io_uring_register io_uring/io_uring.c:4525 [inline])
[<807ca718>] (io_unregister_pbuf_ring) from [<807bedbc>] (__do_sys_io_uring_register io_uring/io_uring.c:4587 [inline])
[<807ca718>] (io_unregister_pbuf_ring) from [<807bedbc>] (sys_io_uring_register+0x5e0/0xd00 io_uring/io_uring.c:4547)
 r5:20000300 r4:8a815800
[<807be7dc>] (sys_io_uring_register) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:66)
Exception stack(0xdfb49fa8 to 0xdfb49ff0)
9fa0:                   00000000 00000000 00000005 00000017 20000300 00000001
9fc0: 00000000 00000000 0014c2c4 000001ab 7eae332e 7eae332f 003d0f00 76be80fc
9fe0: 76be7f08 76be7ef8 00016688 000509e0
 r10:000001ab r9:8ac6c680 r8:80200288 r7:000001ab r6:0014c2c4 r5:00000000
 r4:00000000
Code: 0a000022 e5913004 e1d120be e5d14013 (e1d380be)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:   0a000022    beq     0x90
   4:   e5913004    ldr     r3, [r1, #4]
   8:   e1d120be    ldrh    r2, [r1, #14]
   c:   e5d14013    ldrb    r4, [r1, #19]
* 10:   e1d380be    ldrh    r8, [r3, #14]   <-- trapping instruction