8<--- cut here --- Unable to handle kernel NULL pointer dereference at virtual address 0000000e when read [0000000e] *pgd=854be003, *pmd=df563003 Internal error: Oops: 205 [#1] SMP ARM Modules linked in: CPU: 0 UID: 0 PID: 4457 Comm: syz.0.247 Not tainted 6.15.0-rc5-syzkaller #0 PREEMPT Hardware name: ARM-Versatile Express PC is at io_ring_buffer_select io_uring/kbuf.c:163 [inline] PC is at io_buffer_select+0x50/0x18c io_uring/kbuf.c:207 LR is at rcu_read_unlock include/linux/rcupdate.h:873 [inline] LR is at xa_load+0x68/0xa4 lib/xarray.c:1621 pc : [<8088999c>] lr : [<81a4c0b4>] psr: 20000013 sp : df9b5d88 ip : df9b5d48 fp : df9b5da4 r10: 00000362 r9 : 80000001 r8 : 00000000 r7 : df9b5dc8 r6 : 00000000 r5 : 84de0900 r4 : 84e969c0 r3 : 00000001 r2 : 00000000 r1 : 85530d00 r0 : 00000000 Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user Control: 30c5387d Table: 854dc3c0 DAC: fffffffd Register r0 information: NULL pointer Register r1 information: slab kmalloc-64 start 85530d00 pointer offset 0 size 64 Register r2 information: NULL pointer Register r3 information: non-paged memory Register r4 information: slab io_kiocb start 84e969c0 pointer offset 0 size 192 Register r5 information: slab kmalloc-2k start 84de0800 pointer offset 256 size 2048 Register r6 information: NULL pointer Register r7 information: 2-page vmalloc region starting at 0xdf9b4000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2844 Register r8 information: NULL pointer Register r9 information: non-slab/vmalloc memory Register r10 information: non-paged memory Register r11 information: 2-page vmalloc region starting at 0xdf9b4000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2844 Register r12 information: 2-page vmalloc region starting at 0xdf9b4000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2844 Process syz.0.247 (pid: 4457, stack limit = 0xdf9b4000) Stack: (0xdf9b5d88 to 0xdf9b6000) 5d80: 834f5400 84e969c0 8545a200 00000000 df9b5e0c df9b5da8 5da0: 80893204 80889958 80894888 00000000 00000000 aae7dd11 00010001 00000001 5dc0: df9b5df4 00000000 00000000 df9b5dd8 8022be54 8022ce4c 00000000 aae7dd11 5de0: 81a5be48 84e969c0 81cf0ca0 00000000 00000000 00000000 80000001 84e969c0 5e00: df9b5e34 df9b5e10 8088214c 80892ec4 84e969c0 80000001 0000001b 81cf0b5c 5e20: 8607f180 df9b5ef8 df9b5e74 df9b5e38 80886c1c 8088210c 00000000 860079c0 5e40: c000004b 84de0a40 860047ec 84e969c0 86037f7c 84de0800 ffffffff 83a86c00 5e60: df9b5ef8 84e969c0 df9b5e8c df9b5e78 808871b4 80886be0 84e96a3c 86037f7c 5e80: df9b5ecc df9b5e90 80885c00 8088717c 00000000 df9b5e90 8028cffc df9b5f34 5ea0: df9b5f10 8545a000 ffffffff 83a86c00 df9b5ef8 82a716d0 83a86c00 000001aa 5ec0: df9b5ef4 df9b5ed0 80885cc4 80885b60 00000000 83a87464 83a87494 83a86c00 5ee0: 82a716d0 83a86c00 df9b5f0c df9b5ef8 80885e1c 80885c6c 00000000 aae7dd11 5f00: df9b5f34 df9b5f10 8028d014 80885df4 83a86c00 df9b5fb0 8020029c 000001aa 5f20: 8020029c 83a86c00 df9b5fac df9b5f38 8022bc08 8028cf90 8026b438 8029ce24 5f40: df9b5fb0 40000000 df9b5f84 df9b5f58 802229dc 8026b3f4 00000000 8281d05c 5f60: df9b5fb0 0014c490 ecac8b10 80222930 00000000 aae7dd11 df9b5fac aae7dd11 5f80: 00000000 00000000 00000000 002e630c 000001aa 8020029c 83a86c00 000001aa 5fa0: 00000000 df9b5fb0 80200088 8022b7cc 00000800 00003516 00000000 00000000 5fc0: 00000000 00000000 002e630c 000001aa 002d0000 00000000 00006364 76b790bc 5fe0: 76b78ec0 76b78eb0 0001939c 00131f30 60000010 00000003 00000000 00000000 Call trace: [<8088994c>] (io_buffer_select) from [<80893204>] (io_recv_buf_select io_uring/net.c:1098 [inline]) [<8088994c>] (io_buffer_select) from [<80893204>] (io_recv+0x34c/0x46c io_uring/net.c:1138) r7:00000000 r6:8545a200 r5:84e969c0 r4:834f5400 [<80892eb8>] (io_recv) from [<8088214c>] (__io_issue_sqe+0x4c/0x1c0 io_uring/io_uring.c:1734) r10:84e969c0 r9:80000001 r8:00000000 r7:00000000 r6:00000000 r5:81cf0ca0 r4:84e969c0 [<80882100>] (__io_issue_sqe) from [<80886c1c>] (io_issue_sqe+0x48/0x59c io_uring/io_uring.c:1757) r9:df9b5ef8 r8:8607f180 r7:81cf0b5c r6:0000001b r5:80000001 r4:84e969c0 [<80886bd4>] (io_issue_sqe) from [<808871b4>] (io_queue_sqe io_uring/io_uring.c:1963 [inline]) [<80886bd4>] (io_issue_sqe) from [<808871b4>] (io_req_task_submit+0x44/0x64 io_uring/io_uring.c:1362) r10:84e969c0 r9:df9b5ef8 r8:83a86c00 r7:ffffffff r6:84de0800 r5:86037f7c r4:84e969c0 [<80887170>] (io_req_task_submit) from [<80885c00>] (io_handle_tw_list+0xac/0x10c io_uring/io_uring.c:1049) r5:86037f7c r4:84e96a3c [<80885b54>] (io_handle_tw_list) from [<80885cc4>] (tctx_task_work_run+0x64/0x188 io_uring/io_uring.c:1114) r10:000001aa r9:83a86c00 r8:82a716d0 r7:df9b5ef8 r6:83a86c00 r5:ffffffff r4:8545a000 [<80885c60>] (tctx_task_work_run) from [<80885e1c>] (tctx_task_work+0x34/0x94 io_uring/io_uring.c:1132) r9:83a86c00 r8:82a716d0 r7:83a86c00 r6:83a87494 r5:83a87464 r4:00000000 [<80885de8>] (tctx_task_work) from [<8028d014>] (task_work_run+0x90/0xb8 kernel/task_work.c:227) [<8028cf84>] (task_work_run) from [<8022bc08>] (resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]) [<8028cf84>] (task_work_run) from [<8022bc08>] (do_work_pending+0x448/0x4f8 arch/arm/kernel/signal.c:631) r9:83a86c00 r8:8020029c r7:000001aa r6:8020029c r5:df9b5fb0 r4:83a86c00 [<8022b7c0>] (do_work_pending) from [<80200088>] (slow_work_pending+0xc/0x24) Exception stack(0xdf9b5fb0 to 0xdf9b5ff8) 5fa0: 00000800 00003516 00000000 00000000 5fc0: 00000000 00000000 002e630c 000001aa 002d0000 00000000 00006364 76b790bc 5fe0: 76b78ec0 76b78eb0 0001939c 00131f30 60000010 00000003 r10:000001aa r9:83a86c00 r8:8020029c r7:000001aa r6:002e630c r5:00000000 r4:00000000 Code: e3130001 0a00002f e5910000 e1d120be (e1d030be) ---[ end trace 0000000000000000 ]--- ---------------- Code disassembly (best guess): 0: e3130001 tst r3, #1 4: 0a00002f beq 0xc8 8: e5910000 ldr r0, [r1] c: e1d120be ldrh r2, [r1, #14] * 10: e1d030be ldrh r3, [r0, #14] <-- trapping instruction