8<--- cut here ---
Unable to handle kernel NULL pointer dereference at virtual address 0000000e when read
[0000000e] *pgd=80000080004003, *pmd=00000000
Internal error: Oops: 207 [#1] PREEMPT SMP ARM
Modules linked in:
CPU: 1 PID: 25 Comm: kworker/u6:0 Not tainted 6.6.0-rc3-syzkaller #0
Hardware name: ARM-Versatile Express
Workqueue: events_unbound io_ring_exit_work
PC is at __io_remove_buffers io_uring/kbuf.c:219 [inline]
PC is at __io_remove_buffers+0x38/0x184 io_uring/kbuf.c:209
LR is at io_destroy_buffers+0x48/0x138 io_uring/kbuf.c:264
pc : [<807c967c>]    lr : [<807c9c38>]    psr: 20000013
sp : df881e48  ip : df881e78  fp : df881e74
r10: 827e4691  r9 : 8a39d000  r8 : ffffffff
r7 : 8a39d34c  r6 : 00000001  r5 : 8a398000  r4 : 00000000
r3 : 00000000  r2 : 00000000  r1 : 8a398000  r0 : 8a39d000
Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
Control: 30c5387d  Table: 846fbd00  DAC: 00000000
Register r0 information: slab kmalloc-2k start 8a39d000 pointer offset 0 size 2048
Register r1 information: slab kmalloc-2k start 8a398000 pointer offset 0 size 2048
Register r2 information: NULL pointer
Register r3 information: NULL pointer
Register r4 information: NULL pointer
Register r5 information: slab kmalloc-2k start 8a398000 pointer offset 0 size 2048
Register r6 information: non-paged memory
Register r7 information: slab kmalloc-2k start 8a39d000 pointer offset 844 size 2048
Register r8 information: non-paged memory
Register r9 information: slab kmalloc-2k start 8a39d000 pointer offset 0 size 2048
Register r10 information: non-slab/vmalloc memory
Register r11 information: 2-page vmalloc region starting at 0xdf880000 allocated at kernel_clone+0xac/0x424 kernel/fork.c:2909
Register r12 information: 2-page vmalloc region starting at 0xdf880000 allocated at kernel_clone+0xac/0x424 kernel/fork.c:2909
Process kworker/u6:0 (pid: 25, stack limit = 0xdf880000)
Stack: (0xdf881e48 to 0xdf882000)
Backtrace: 
[<807c9644>] (__io_remove_buffers) from [<807c9c38>] (io_destroy_buffers+0x48/0x138 io_uring/kbuf.c:264)
 r10:827e4691 r9:8a39d3cc r8:82604d40 r7:8a39d34c r6:8a39d040 r5:8a39d000
 r4:00000014 r3:82e20000
[<807c9bf0>] (io_destroy_buffers) from [<818264f0>] (io_ring_ctx_free io_uring/io_uring.c:2895 [inline])
[<807c9bf0>] (io_destroy_buffers) from [<818264f0>] (io_ring_exit_work+0x3a8/0x5ec io_uring/io_uring.c:3151)
 r7:8a39d34c r6:8a39d040 r5:8a39d000 r4:8a39d3bc
[<81826148>] (io_ring_exit_work) from [<80265fd4>] (process_one_work+0x19c/0x4a8 kernel/workqueue.c:2630)
 r10:82c21605 r9:82e20000 r8:00000180 r7:82c0f200 r6:82c21600 r5:8a39d3bc
 r4:82c0bd00
[<80265e38>] (process_one_work) from [<80266520>] (process_scheduled_works kernel/workqueue.c:2703 [inline])
[<80265e38>] (process_one_work) from [<80266520>] (worker_thread+0x240/0x48c kernel/workqueue.c:2784)
 r10:61c88647 r9:82e20000 r8:82c0f220 r7:82604d40 r6:82c0f200 r5:82c0bd2c
 r4:82c0bd00
[<802662e0>] (worker_thread) from [<8026d8e0>] (kthread+0x104/0x134 kernel/kthread.c:388)
 r10:00000000 r9:df819e28 r8:82ce7080 r7:82c0bd00 r6:802662e0 r5:82e20000
 r4:82cc6f80
[<8026d7dc>] (kthread) from [<80200104>] (ret_from_fork+0x14/0x30 arch/arm/kernel/entry-common.S:134)
Exception stack(0xdf881fb0 to 0xdf881ff8)
1fa0:                                     00000000 00000000 00000000 00000000
1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
1fe0: 00000000 00000000 00000000 00000000 00000013 00000000
 r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:8026d7dc r4:82cc6f80
Code: 0a000022 e5913004 e1d120be e5d14013 (e1d380be) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	0a000022 	beq	0x90
   4:	e5913004 	ldr	r3, [r1, #4]
   8:	e1d120be 	ldrh	r2, [r1, #14]
   c:	e5d14013 	ldrb	r4, [r1, #19]
* 10:	e1d380be 	ldrh	r8, [r3, #14] <-- trapping instruction