8<--- cut here ---
Unable to handle kernel NULL pointer dereference at virtual address 0000000e when read
[0000000e] *pgd=80000080004003, *pmd=00000000
Internal error: Oops: 207 [#1] PREEMPT SMP ARM
Modules linked in:
CPU: 0 PID: 1323 Comm: kworker/u6:6 Not tainted 6.6.0-rc4-syzkaller #0
Hardware name: ARM-Versatile Express
Workqueue: events_unbound io_ring_exit_work
PC is at __io_remove_buffers io_uring/kbuf.c:219 [inline]
PC is at __io_remove_buffers+0x38/0x184 io_uring/kbuf.c:209
LR is at io_destroy_buffers+0xa0/0x138 io_uring/kbuf.c:269
pc : [<807c96e4>]    lr : [<807c9cf8>]    psr: 20000113
sp : eaa95e48  ip : eaa95e78  fp : eaa95e74
r10: 827e4712  r9 : 844f3800  r8 : ffffffff
r7 : 844f3b4c  r6 : 00000001  r5 : 89a12d00  r4 : 00000000
r3 : 00000000  r2 : 00000000  r1 : 89a12d00  r0 : 844f3800
Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
Control: 30c5387d  Table: 89b54f40  DAC: fffffffd
Register r0 information: slab kmalloc-2k start 844f3800 pointer offset 0 size 2048
Register r1 information: slab kmalloc-64 start 89a12d00 pointer offset 0 size 64
Register r2 information: NULL pointer
Register r3 information: NULL pointer
Register r4 information: NULL pointer
Register r5 information: slab kmalloc-64 start 89a12d00 pointer offset 0 size 64
Register r6 information: non-paged memory
Register r7 information: slab kmalloc-2k start 844f3800 pointer offset 844 size 2048
Register r8 information: non-paged memory
Register r9 information: slab kmalloc-2k start 844f3800 pointer offset 0 size 2048
Register r10 information: non-slab/vmalloc memory
Register r11 information: 2-page vmalloc region starting at 0xeaa94000 allocated at kernel_clone+0xac/0x424 kernel/fork.c:2909
Register r12 information: 2-page vmalloc region starting at 0xeaa94000 allocated at kernel_clone+0xac/0x424 kernel/fork.c:2909
Process kworker/u6:6 (pid: 1323, stack limit = 0xeaa94000)
Stack: (0xeaa95e48 to 0xeaa96000)
5e40:                   00000000 89a12d00 844f3800 844f38bc 844f3b4c 82604d40
5e60: 844f3bcc 827e4712 eaa95e9c eaa95e78 807c9cf8 807c96b8 000001ff dbc66865
5e80: 844f3bbc 844f3800 844f3840 844f3b4c eaa95f04 eaa95ea0 81826728 807c9c64
5ea0: eaa95ebc eaa95eb0 00014394 844f3800 00000000 eaa95ec0 00000000 81825258
5ec0: 00000000 00000000 eaa95ec8 eaa95ec8 844f3800 dbc66865 eaa95f48 83e07c00
5ee0: 844f3bbc 82c21600 82c0f200 00000180 83e31780 82c21605 eaa95f44 eaa95f08
5f00: 80265fd4 8182638c eaa95f2c eaa95f18 eaa95f44 eaa95f20 8026196c 83e07c00
5f20: 83e07c2c 82c0f200 82604d40 82c0f220 83e31780 61c88647 eaa95f84 eaa95f48
5f40: 80266520 80265e44 eaa95f64 eaa95f58 81847e08 80278e68 eaa95f84 83ddd600
5f60: 83e31780 802662e0 83e07c00 839d8b80 dfc99e98 00000000 eaa95fac eaa95f88
5f80: 8026d8e0 802662ec 83ddd600 8026d7dc 00000000 00000000 00000000 00000000
5fa0: 00000000 eaa95fb0 80200104 8026d7e8 00000000 00000000 00000000 00000000
5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
5fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
Backtrace: 
[<807c96ac>] (__io_remove_buffers) from [<807c9cf8>] (io_destroy_buffers+0xa0/0x138 io_uring/kbuf.c:269)
 r10:827e4712 r9:844f3bcc r8:82604d40 r7:844f3b4c r6:844f38bc r5:844f3800
 r4:89a12d00 r3:00000000
[<807c9c58>] (io_destroy_buffers) from [<81826728>] (io_ring_ctx_free io_uring/io_uring.c:2895 [inline])
[<807c9c58>] (io_destroy_buffers) from [<81826728>] (io_ring_exit_work+0x3a8/0x5ec io_uring/io_uring.c:3151)
 r7:844f3b4c r6:844f3840 r5:844f3800 r4:844f3bbc
[<81826380>] (io_ring_exit_work) from [<80265fd4>] (process_one_work+0x19c/0x4a8 kernel/workqueue.c:2630)
 r10:82c21605 r9:83e31780 r8:00000180 r7:82c0f200 r6:82c21600 r5:844f3bbc
 r4:83e07c00
[<80265e38>] (process_one_work) from [<80266520>] (process_scheduled_works kernel/workqueue.c:2703 [inline])
[<80265e38>] (process_one_work) from [<80266520>] (worker_thread+0x240/0x48c kernel/workqueue.c:2784)
 r10:61c88647 r9:83e31780 r8:82c0f220 r7:82604d40 r6:82c0f200 r5:83e07c2c
 r4:83e07c00
[<802662e0>] (worker_thread) from [<8026d8e0>] (kthread+0x104/0x134 kernel/kthread.c:388)
 r10:00000000 r9:dfc99e98 r8:839d8b80 r7:83e07c00 r6:802662e0 r5:83e31780
 r4:83ddd600
[<8026d7dc>] (kthread) from [<80200104>] (ret_from_fork+0x14/0x30 arch/arm/kernel/entry-common.S:134)
Exception stack(0xeaa95fb0 to 0xeaa95ff8)
5fa0:                                     00000000 00000000 00000000 00000000
5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
5fe0: 00000000 00000000 00000000 00000000 00000013 00000000
 r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:8026d7dc r4:83ddd600
Code: 0a000022 e5913004 e1d120be e5d14013 (e1d380be) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	0a000022 	beq	0x90
   4:	e5913004 	ldr	r3, [r1, #4]
   8:	e1d120be 	ldrh	r2, [r1, #14]
   c:	e5d14013 	ldrb	r4, [r1, #19]
* 10:	e1d380be 	ldrh	r8, [r3, #14] <-- trapping instruction