8<--- cut here ---
Unable to handle kernel NULL pointer dereference at virtual address 0000000e when read
[0000000e] *pgd=849f8003, *pmd=e9ef1003
Internal error: Oops: 205 [#1] SMP ARM
Modules linked in:
CPU: 0 UID: 0 PID: 7993 Comm: syz.2.1132 Not tainted 6.15.0-rc6-syzkaller #0 PREEMPT
Hardware name: ARM-Versatile Express
PC is at io_ring_buffer_select io_uring/kbuf.c:163 [inline]
PC is at io_buffer_select+0x50/0x18c io_uring/kbuf.c:207
LR is at rcu_read_unlock include/linux/rcupdate.h:873 [inline]
LR is at xa_load+0x68/0xa4 lib/xarray.c:1621
pc : [<80889b04>] lr : [<81a4c354>] psr: 20000013
sp : dffd9d88 ip : dffd9d48 fp : dffd9da4
r10: 00000362 r9 : 80000001 r8 : 00000000
r7 : dffd9dc8 r6 : 00000000 r5 : 8445d100 r4 : 84e1b0c0
r3 : 00000001 r2 : 00000000 r1 : 84bfa3c0 r0 : 00000000
Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
Control: 30c5387d Table: 8499f280 DAC: fffffffd
Register r0 information: NULL pointer
Register r1 information: slab kmalloc-64 start 84bfa3c0 pointer offset 0 size 64
Register r2 information: NULL pointer
Register r3 information: non-paged memory
Register r4 information: slab io_kiocb start 84e1b0c0 pointer offset 0 size 192
Register r5 information: slab kmalloc-2k start 8445d000 pointer offset 256 size 2048
Register r6 information: NULL pointer
Register r7 information: 2-page vmalloc region starting at 0xdffd8000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2844
Register r8 information: NULL pointer
Register r9 information: non-slab/vmalloc memory
Register r10 information: non-paged memory
Register r11 information: 2-page vmalloc region starting at 0xdffd8000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2844
Register r12 information: 2-page vmalloc region starting at 0xdffd8000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2844
Process syz.2.1132 (pid: 7993, stack limit = 0xdffd8000)
Stack: (0xdffd9d88 to 0xdffda000)
9d80:                   8359db80 84e1b0c0 85445600 00000000 dffd9e0c dffd9da8
9da0: 8089336c 80889ac0 808949f0 00000000 00000000 732420ba 00010001 00000001
9dc0: dffd9df4 00000000 00000000 dffd9dd8 8022be54 8022ce4c 00000000 732420ba
9de0: 81a5c0e8 84e1b0c0 81cf0ca0 00000000 00000000 00000000 80000001 84e1b0c0
9e00: dffd9e34 dffd9e10 808822b4 8089302c 84e1b0c0 80000001 0000001b 81cf0b5c
9e20: 84bfca80 dffd9ef8 dffd9e74 dffd9e38 80886d84 80882274 00000000 854665c0
9e40: c000004b 8445d240 84bd87ec 84e1b0c0 856b7f7c 8445d000 ffffffff 8553bc00
9e60: dffd9ef8 84e1b0c0 dffd9e8c dffd9e78 8088731c 80886d48 84e1b13c 856b7f7c
9e80: dffd9ecc dffd9e90 80885d68 808872e4 dffd9ec4 dffd9e90 8029fb8c 8030cb14
9ea0: dd9bdcf8 85445900 ffffffff 8553bc00 dffd9ef8 82a716d0 8553bc00 000001aa
9ec0: dffd9ef4 dffd9ed0 80885e2c 80885cc8 00000000 8553c464 8553c494 8553bc00
9ee0: 82a716d0 8553bc00 dffd9f0c dffd9ef8 80885f84 80885dd4 00000000 732420ba
9f00: dffd9f34 dffd9f10 8028d014 80885f5c 8553bc00 dffd9fb0 8020029c 000001aa
9f20: 8020029c 8553bc00 dffd9fac dffd9f38 8022bc08 8028cf90 8026b438 8029ce24
9f40: dffd9fb0 40000000 dffd9f84 dffd9f58 802229dc 8026b3f4 00000000 8281d05c
9f60: dffd9fb0 0014c490 ecac8b10 80222930 00000000 732420ba dffd9fac 732420ba
9f80: 00000000 00000000 00000000 002e630c 000001aa 8020029c 8553bc00 000001aa
9fa0: 00000000 dffd9fb0 80200088 8022b7cc 00000800 00003516 00000000 00000000
9fc0: 00000000 00000000 002e630c 000001aa 002d0000 00000000 00006364 76bb20bc
9fe0: 76bb1ec0 76bb1eb0 0001939c 00131f30 60000010 00000003 00000000 00000000
Call trace:
[<80889ab4>] (io_buffer_select) from [<8089336c>] (io_recv_buf_select io_uring/net.c:1098 [inline])
[<80889ab4>] (io_buffer_select) from [<8089336c>] (io_recv+0x34c/0x46c io_uring/net.c:1138)
r7:00000000 r6:85445600 r5:84e1b0c0 r4:8359db80
[<80893020>] (io_recv) from [<808822b4>] (__io_issue_sqe+0x4c/0x1c0 io_uring/io_uring.c:1734)
r10:84e1b0c0 r9:80000001 r8:00000000 r7:00000000 r6:00000000 r5:81cf0ca0 r4:84e1b0c0
[<80882268>] (__io_issue_sqe) from [<80886d84>] (io_issue_sqe+0x48/0x59c io_uring/io_uring.c:1757)
r9:dffd9ef8 r8:84bfca80 r7:81cf0b5c r6:0000001b r5:80000001 r4:84e1b0c0
[<80886d3c>] (io_issue_sqe) from [<8088731c>] (io_queue_sqe io_uring/io_uring.c:1963 [inline])
[<80886d3c>] (io_issue_sqe) from [<8088731c>] (io_req_task_submit+0x44/0x64 io_uring/io_uring.c:1362)
r10:84e1b0c0 r9:dffd9ef8 r8:8553bc00 r7:ffffffff r6:8445d000 r5:856b7f7c r4:84e1b0c0
[<808872d8>] (io_req_task_submit) from [<80885d68>] (io_handle_tw_list+0xac/0x10c io_uring/io_uring.c:1049)
r5:856b7f7c r4:84e1b13c
[<80885cbc>] (io_handle_tw_list) from [<80885e2c>] (tctx_task_work_run+0x64/0x188 io_uring/io_uring.c:1114)
r10:000001aa r9:8553bc00 r8:82a716d0 r7:dffd9ef8 r6:8553bc00 r5:ffffffff r4:85445900
[<80885dc8>] (tctx_task_work_run) from [<80885f84>] (tctx_task_work+0x34/0x94 io_uring/io_uring.c:1132)
r9:8553bc00 r8:82a716d0 r7:8553bc00 r6:8553c494 r5:8553c464 r4:00000000
[<80885f50>] (tctx_task_work) from [<8028d014>] (task_work_run+0x90/0xb8 kernel/task_work.c:227)
[<8028cf84>] (task_work_run) from [<8022bc08>] (resume_user_mode_work include/linux/resume_user_mode.h:50 [inline])
[<8028cf84>] (task_work_run) from [<8022bc08>] (do_work_pending+0x448/0x4f8 arch/arm/kernel/signal.c:631)
r9:8553bc00 r8:8020029c r7:000001aa r6:8020029c r5:dffd9fb0 r4:8553bc00
[<8022b7c0>] (do_work_pending) from [<80200088>] (slow_work_pending+0xc/0x24)
Exception stack(0xdffd9fb0 to 0xdffd9ff8)
9fa0:                                     00000800 00003516 00000000 00000000
9fc0: 00000000 00000000 002e630c 000001aa 002d0000 00000000 00006364 76bb20bc
9fe0: 76bb1ec0 76bb1eb0 0001939c 00131f30 60000010 00000003
r10:000001aa r9:8553bc00 r8:8020029c r7:000001aa r6:002e630c r5:00000000 r4:00000000
Code: e3130001 0a00002f e5910000 e1d120be (e1d030be)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0: e3130001 tst r3, #1
   4: 0a00002f beq 0xc8
   8: e5910000 ldr r0, [r1]
   c: e1d120be ldrh r2, [r1, #14]
* 10: e1d030be ldrh r3, [r0, #14] <-- trapping instruction