dfc0: 00000000 00000000 00029734 00000036 7ee6d312 76f7b6d0 7ee6d4a4 76f7b20c dfe0: 76f7b020 76f7b010 000163a0 0004bf80 r10:00000036 r9:8502ae00 r8:802002a4 r7:00000036 r6:00029734 r5:00000000 r4:00000000 8<--- cut here --- Unable to handle kernel NULL pointer dereference at virtual address 0000001c [0000001c] *pgd=857c5003, *pmd=fe671003 Internal error: Oops: 207 [#1] PREEMPT SMP ARM Modules linked in: CPU: 1 PID: 7979 Comm: syz-executor.1 Not tainted 5.17.0-rc8-syzkaller #0 Hardware name: ARM-Versatile Express PC is at atomic_read include/linux/atomic/atomic-instrumented.h:28 [inline] PC is at page_ref_count include/linux/page_ref.h:67 [inline] PC is at put_page_testzero include/linux/mm.h:717 [inline] PC is at __free_pages+0xc/0xd8 mm/page_alloc.c:5473 LR is at watch_queue_set_size+0x18c/0x1b8 kernel/watch_queue.c:275 pc : [<80444378>] lr : [<803d9bc4>] psr: 60000013 sp : 85a0dea0 ip : 85a0dec0 fp : 85a0debc r10: 853a71c0 r9 : 856ef980 r8 : 00000000 r7 : 856ef980 r6 : 00000001 r5 : 85750f80 r4 : 00000001 r3 : 00000000 r2 : 00000000 r1 : 00000000 r0 : 00000000 Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none Control: 30c5387d Table: 84fbb780 DAC: 00000000 Register r0 information: NULL pointer Register r1 information: NULL pointer Register r2 information: NULL pointer Register r3 information: NULL pointer Register r4 information: non-paged memory Register r5 information: slab kmalloc-cg-128 start 85750f80 pointer offset 0 size 128 Register r6 information: non-paged memory Register r7 information: slab kmalloc-64 start 856ef980 pointer offset 0 size 64 Register r8 information: NULL pointer Register r9 information: slab kmalloc-64 start 856ef980 pointer offset 0 size 64 Register r10 information: slab kmalloc-64 start 853a71c0 pointer offset 0 size 64 Register r11 information: non-slab/vmalloc memory Register r12 information: non-slab/vmalloc memory Process syz-executor.1 (pid: 7979, stack limit = 0x85a0c000) Stack: (0x85a0dea0 to 0x85a0e000) dea0: 00000001 85750f80 00000001 856ef980 85a0def4 85a0dec0 803d9bc4 80444378 dec0: 00000020 856ef980 85a0deb8 00005760 00000008 85750f80 00000008 854c9240 dee0: 00000005 848b5440 85a0df14 85a0def8 80497540 803d9a44 00005760 00000000 df00: 854c9241 00000008 85a0dfa4 85a0df18 804a4910 804974ec 816dda44 80275688 df20: 803d7f24 20000013 85a0df9c 85a0df38 80200b6c 816dda04 00000001 5bd3e000 df40: 00000000 820a55ec 60000013 00000000 00029734 00000036 60000010 0004bf80 df60: 30c5387d 85a0df9c 85a0df58 85a0df88 816dafd0 e7cfbc9f 20000013 00000000 df80: 00000000 00029734 00000036 802002a4 8502ae00 00000036 00000000 85a0dfa8 dfa0: 80200060 804a480c 00000000 00000000 00000005 00005760 00000008 00000000 dfc0: 00000000 00000000 00029734 00000036 7ee6d312 76f7b6d0 7ee6d4a4 76f7b20c dfe0: 76f7b020 76f7b010 000163a0 0004bf80 60000010 00000005 00000000 00000000 Backtrace: [<8044436c>] (__free_pages) from [<803d9bc4>] (watch_queue_set_size+0x18c/0x1b8 kernel/watch_queue.c:275) r7:856ef980 r6:00000001 r5:85750f80 r4:00000001 [<803d9a38>] (watch_queue_set_size) from [<80497540>] (pipe_ioctl+0x60/0x100 fs/pipe.c:632) r10:848b5440 r9:00000005 r8:854c9240 r7:00000008 r6:85750f80 r5:00000008 r4:00005760 [<804974e0>] (pipe_ioctl) from [<804a4910>] (vfs_ioctl fs/ioctl.c:51 [inline]) [<804974e0>] (pipe_ioctl) from [<804a4910>] (do_vfs_ioctl fs/ioctl.c:834 [inline]) [<804974e0>] (pipe_ioctl) from [<804a4910>] (__do_sys_ioctl fs/ioctl.c:872 [inline]) [<804974e0>] (pipe_ioctl) from [<804a4910>] (sys_ioctl+0x110/0xaa0 fs/ioctl.c:860) r7:00000008 r6:854c9241 r5:00000000 r4:00005760 [<804a4800>] (sys_ioctl) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:64) Exception stack(0x85a0dfa8 to 0x85a0dff0) dfa0: 00000000 00000000 00000005 00005760 00000008 00000000 dfc0: 00000000 00000000 00029734 00000036 7ee6d312 76f7b6d0 7ee6d4a4 76f7b20c dfe0: 76f7b020 76f7b010 000163a0 0004bf80 r10:00000036 r9:8502ae00 r8:802002a4 r7:00000036 r6:00029734 r5:00000000 r4:00000000 Code: e7f001f2 e1a0c00d e92dd8f0 e24cb004 (e590301c) ---[ end trace 0000000000000000 ]--- ---------------- Code disassembly (best guess): 0: e7f001f2 udf #18 4: e1a0c00d mov ip, sp 8: e92dd8f0 push {r4, r5, r6, r7, fp, ip, lr, pc} c: e24cb004 sub fp, ip, #4 * 10: e590301c ldr r3, [r0, #28] <-- trapping instruction