8<--- cut here ---
Unable to handle kernel paging request at virtual address 5bd3b000
[5bd3b000] *pgd=8ef70003, *pmd=00000000
Internal error: Oops: 206 [#1] PREEMPT SMP ARM
Modules linked in:
CPU: 1 PID: 3007 Comm: syz-executor.0 Not tainted 6.1.0-rc6-syzkaller #0
Hardware name: ARM-Versatile Express
PC is at __queue_work+0xa0/0x74c kernel/workqueue.c:1459
LR is at 0x82c00000
pc : [<80260410>]    lr : [<82c00000>]    psr: 60000193
sp : df805e30  ip : 82c00024  fp : df805e74
r10: 8280e800  r9 : 5bd3b000  r8 : 82446498
r7 : 8220c940  r6 : 00000008  r5 : 85308400  r4 : 8517105c
r3 : 00000000  r2 : 00000000  r1 : 00000004  r0 : 8280e800
Flags: nZCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment none
Control: 30c5387d  Table: 851ab000  DAC: 00000000
Register r0 information: slab kmalloc-512 start 8280e800 pointer offset 0 size 512
Register r1 information: non-paged memory
Register r2 information: NULL pointer
Register r3 information: NULL pointer
Register r4 information: slab kmalloc-2k start 85171000 pointer offset 92 size 2048
Register r5 information: slab kmalloc-512 start 85308400 pointer offset 0 size 512
Register r6 information: non-paged memory
Register r7 information: non-slab/vmalloc memory
Register r8 information: non-slab/vmalloc memory
Register r9 information: non-paged memory
Register r10 information: slab kmalloc-512 start 8280e800 pointer offset 0 size 512
Register r11 information: 2-page vmalloc region starting at 0xdf804000 allocated at start_kernel+0x588/0x78c init/main.c:1041
Register r12 information: slab radix_tree_node start 82c00000 pointer offset 36
Process syz-executor.0 (pid: 3007, stack limit = 0xe02d0000)
Stack: (0xdf805e30 to 0xdf806000)
5e20:                                     80279278 802745b4 820a235c 82a8d080
5e40: 00000027 00000001 20000113 8517105c 00000008 85308400 20000113 00000100
5e60: 000c5480 ddddd900 df805e94 df805e78 80260b0c 8026037c 85171030 816df1cc
5e80: 82a8d080 816df1cc df805ea4 df805e98 816df1f4 80260ac8 df805edc df805ea8
5ea0: 802e4f38 816df1d8 0000079f ddddd900 802e409c 3f2ad9f4 85171030 816df1cc
5ec0: df805f00 823d9d10 000c5480 82a8d080 df805f4c df805ee0 802e5474 802e4f14
5ee0: 82a8d080 82204d40 8220c5d8 8220c498 00000002 00000000 76bfc6d0 85098848
5f00: 00000000 df805f10 8029b158 802fab48 df805f4c df805f20 80293fe8 3f2ad9f4
5f20: 82204084 82204084 00000002 00000001 e02d1fb0 00000082 00000100 82a8d080
5f40: df805fbc df805f50 8020133c 802e514c 8176e574 8176e460 00400040 82204d40
5f60: 000c5481 81eba890 820a2344 0000000a 820aaa00 823d843a 823d94a0 8220c5d8
5f80: 8220c498 81ea8f64 820a23d0 82204080 8176e594 820aaa00 81eba890 81eba878
5fa0: e02d1fb0 00000000 76bfc6d0 7ebb7544 df805fd4 df805fc0 80249f48 802011dc
5fc0: 820aa9dc 81eba890 df805ffc df805fd8 8176dad8 80249eb8 000170cc 20000010
5fe0: ffffffff 82a8d080 820a2044 76bfc6d0 e02d1fac df806000 81723ac8 8176da68
Backtrace: frame pointer underflow
[<80260370>] (__queue_work) from [<80260b0c>] (queue_work_on+0x50/0x5c kernel/workqueue.c:1545)
 r10:ddddd900 r9:000c5480 r8:00000100 r7:20000113 r6:85308400 r5:00000008
 r4:8517105c
[<80260abc>] (queue_work_on) from [<816df1f4>] (queue_work include/linux/workqueue.h:503 [inline])
[<80260abc>] (queue_work_on) from [<816df1f4>] (nci_cmd_timer+0x28/0x2c net/nfc/nci/core.c:615)
 r7:816df1cc r6:82a8d080 r5:816df1cc r4:85171030
[<816df1cc>] (nci_cmd_timer) from [<802e4f38>] (call_timer_fn+0x30/0x238 kernel/time/timer.c:1474)
[<802e4f08>] (call_timer_fn) from [<802e5474>] (expire_timers kernel/time/timer.c:1519 [inline])
[<802e4f08>] (call_timer_fn) from [<802e5474>] (__run_timers kernel/time/timer.c:1790 [inline])
[<802e4f08>] (call_timer_fn) from [<802e5474>] (run_timer_softirq+0x334/0x470 kernel/time/timer.c:1803)
 r9:82a8d080 r8:000c5480 r7:823d9d10 r6:df805f00 r5:816df1cc r4:85171030
[<802e5140>] (run_timer_softirq) from [<8020133c>] (__do_softirq+0x16c/0x498 kernel/softirq.c:571)
 r10:82a8d080 r9:00000100 r8:00000082 r7:e02d1fb0 r6:00000001 r5:00000002
 r4:82204084
[<802011d0>] (__do_softirq) from [<80249f48>] (invoke_softirq kernel/softirq.c:445 [inline])
[<802011d0>] (__do_softirq) from [<80249f48>] (__irq_exit_rcu kernel/softirq.c:650 [inline])
[<802011d0>] (__do_softirq) from [<80249f48>] (__irq_exit_rcu kernel/softirq.c:640 [inline])
[<802011d0>] (__do_softirq) from [<80249f48>] (irq_exit+0x9c/0xe8 kernel/softirq.c:674)
 r10:7ebb7544 r9:76bfc6d0 r8:00000000 r7:e02d1fb0 r6:81eba878 r5:81eba890
 r4:820aaa00
[<80249eac>] (irq_exit) from [<8176dad8>] (generic_handle_arch_irq+0x7c/0x80 kernel/irq/handle.c:240)
 r5:81eba890 r4:820aa9dc
[<8176da5c>] (generic_handle_arch_irq) from [<81723ac8>] (call_with_stack+0x1c/0x20 arch/arm/lib/call_with_stack.S:40)
 r9:76bfc6d0 r8:820a2044 r7:82a8d080 r6:ffffffff r5:20000010 r4:000170cc
[<81723aac>] (call_with_stack) from [<80200e74>] (__irq_usr+0x74/0x80 arch/arm/kernel/entry-armv.S:436)
Exception stack(0xe02d1fb0 to 0xe02d1ff8)
1fa0:                                     ffffffff 00000026 000001b8 00000000
1fc0: 00000000 3e29604c 000063dc 00000000 7ebb73d2 76bfc6d0 7ebb7544 76bfc20c
1fe0: 20004310 20004310 000170cc 000170cc 20000010 ffffffff
Code: 0a00003b e59f06a8 eb532fab e1a0a000 (e5990000)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	0a00003b 	beq	0xf4
   4:	e59f06a8 	ldr	r0, [pc, #1704]	; 0x6b4
   8:	eb532fab 	bl	0x14cbebc
   c:	e1a0a000 	mov	sl, r0
* 10:	e5990000 	ldr	r0, [r9] <-- trapping instruction