Extracting prog: 4m40.988057241s
Minimizing prog: 1h18m32.161803435s
Simplifying prog options: 0s
Extracting C: 1m34.952206952s
Simplifying C: 9m6.856204748s


extracting reproducer from 12 programs
first checking the prog from the crash report
single: executing 1 programs separately with timeout 45s
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-socketpair$unix-syz_io_uring_submit-io_uring_enter
detailed listing:
executing program 0:
r0 = syz_io_uring_setup(0x497, &(0x7f0000002180)={0x0, 0x787f, 0x100, 0x404, 0x1ad}, &(0x7f0000000000)=<r1=>0x0, &(0x7f0000000280)=<r2=>0x0)
io_uring_register$IORING_REGISTER_PBUF_RING(r0, 0x16, &(0x7f0000000040)={&(0x7f0000001000)={[{0x0, 0x0, 0x3, 0x700}]}, 0x1, 0x1}, 0x1)
syz_memcpy_off$IO_URING_METADATA_GENERIC(r1, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r3=>0xffffffffffffffff})
syz_io_uring_submit(r1, r2, &(0x7f00000002c0)=@IORING_OP_RECV=@use_registered_buffer={0x1b, 0x20, 0x10, r3, 0x0, 0x0, 0x0, 0x12361, 0x1, {0x1}})
io_uring_enter(r0, 0x3517, 0x173d, 0x42, 0x0, 0x0)

program did not crash
single: failed to extract reproducer
bisect: bisecting 12 programs with base timeout 45s
testing program (duration=48s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [4, 2, 4, 5, 23, 4, 9, 13, 2, 3, 3, 6]
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000100)=ANY=[@ANYBLOB="12013f00000000407f04ffff000000000001090224000100000000090400001503000000092140000001220f00", @ANYRES16], 0x0)
syz_usb_control_io$hid(r0, 0x0, 0x0)
syz_usb_control_io$hid(r0, &(0x7f0000000280)={0x24, 0x0, 0x0, &(0x7f00000001c0)={0x0, 0x22, 0xf, {[@local=@item_4={0x3, 0x2, 0x0, "2e2b5aa4"}, @local=@item_4={0x3, 0x2, 0x0, "f85edaca"}, @main=@item_4={0x3, 0x0, 0x8}]}}, 0x0}, 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
executing program 0:
r0 = bpf$MAP_CREATE(0x0, &(0x7f00000004c0)=ANY=[@ANYBLOB="12000000040000000400000008"], 0x48)
bpf$PROG_LOAD(0x5, &(0x7f0000000340)={0x6, 0xd, &(0x7f0000000f80)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r0, @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b7040000000000008500000003000000850000000800000095"], &(0x7f0000000000)='syzkaller\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @xdp, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
executing program 0:
r0 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl802154(&(0x7f0000000080), r0)
ioctl$sock_SIOCGIFINDEX_802154(r0, 0x8933, &(0x7f0000000140)={'wpan0\x00', <r2=>0x0})
sendmsg$NL802154_CMD_DEL_SEC_DEVKEY(r0, &(0x7f0000000e40)={0x0, 0x0, &(0x7f0000000380)={&(0x7f00000003c0)={0x3c, r1, 0x1, 0x70bd25, 0x25dfdbfb, {}, [@NL802154_ATTR_IFINDEX={0x8, 0x3, r2}, @NL802154_ATTR_SEC_DEVKEY={0x20, 0x2f, 0x0, 0x1, [@NL802154_DEVKEY_ATTR_EXTENDED_ADDR={0xc, 0x2, {0xaaaaaaaaaaaa0302}}, @NL802154_DEVKEY_ATTR_ID={0x10, 0x3, 0x0, 0x1, [@NL802154_KEY_ID_ATTR_MODE={0x8}, @NL802154_KEY_ID_ATTR_IMPLICIT={0x4}]}]}]}, 0x3c}, 0x1, 0x0, 0x0, 0x20000041}, 0x4880)
executing program 0:
r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000001000), 0x169802, 0x0)
r1 = dup(r0)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3000006, 0x13, r1, 0x0)
sendmsg(0xffffffffffffffff, &(0x7f0000000380)={0x0, 0x0, &(0x7f0000000540)=[{&(0x7f0000000100)="52b5d6d80ff2e09532b5b960ae8de0b01d54027c27bcf971aee72508418eaa1cb090afe1ef7318c73533595071c6e0cc26495811c7efeb33c91c63d41b81063275a832a62f447ab17755482e5297b62c7abee6ff60986fbab1c31cb53feadd5c1f0c9e83a7d2d474058c4dc5539883312a6d53143f9d174d5004f7ab14e610db64445fe5ba6a009d1652c22e7d6f5f55f79fe22bc664a2f9d8fb460b4ed8cbb1ef9802769a9b4dc8c9eff775f0a0a893e32b8e87c50487971868a26cf773ef18e9f35f631d4fb1", 0xc7}], 0x1}, 0x0)
ioctl$BLKRRPART(r1, 0x125f, 0x0)
executing program 0:
r0 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000001840), 0x2982, 0x0)
sendfile(r0, 0xffffffffffffffff, 0x0, 0x20000023896)
r1 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r1}, &(0x7f0000bbdffc))
r2 = syz_open_procfs(0x0, &(0x7f0000000000)='fd/3\x00')
write$RDMA_USER_CM_CMD_CREATE_ID(r2, 0x0, 0x0)
timer_settime(0x0, 0x1, &(0x7f0000000300)={{0x0, 0x989680}}, 0x0)
syz_genetlink_get_family_id$mptcp(0x0, r2)
sched_setscheduler(r1, 0x2, &(0x7f0000000180)=0x4)
r3 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f00000000c0)={0x1, &(0x7f0000000040)=[{0x6, 0x0, 0x0, 0x7fffffff}]})
r4 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000000), 0x80082, 0x0)
syz_open_dev$usbmon(&(0x7f0000000280), 0x0, 0x0)
syz_io_uring_setup(0x886, &(0x7f0000000140)={0x0, 0x401, 0x10000, 0x400002, 0x2fc}, &(0x7f0000001680)=<r5=>0x0, &(0x7f0000000000)=<r6=>0x0)
syz_memcpy_off$IO_URING_METADATA_GENERIC(r5, 0x4, &(0x7f0000000400)=0xfffffffc, 0x0, 0x4)
r7 = io_uring_register$IORING_REGISTER_PERSONALITY(0xffffffffffffffff, 0x9, 0x0, 0x0)
syz_io_uring_submit(r5, r6, &(0x7f00000002c0)=@IORING_OP_UNLINKAT={0x24, 0x2, 0x0, 0xffffffffffffffff, 0x0, &(0x7f0000001640)='./file0\x00', 0x0, 0x200, 0x1, {0x0, r7}})
r8 = syz_usb_connect$printer(0x3, 0x36, &(0x7f0000000340)={{0x12, 0x1, 0x250, 0x0, 0x0, 0x0, 0x20, 0x525, 0xa4a8, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x1, 0x1, 0xb0, 0xf, [{{0x9, 0x4, 0x0, 0xfb, 0x2, 0x7, 0x1, 0x1, 0x8f, "", {{{0x9, 0x5, 0x1, 0x2, 0x20, 0x1, 0x6, 0x4}}, [{{0x9, 0x5, 0x82, 0x2, 0x20, 0x5, 0x3, 0xfe}}]}}}]}}]}}, &(0x7f0000001140)={0xa, &(0x7f0000001480)={0xa, 0x6, 0x250, 0x4, 0x0, 0x7, 0xff, 0x10}, 0x3b, &(0x7f0000000840)=ANY=[@ANYBLOB="050f3b00060a10030003009c0a29000a1065875784140ef00b129854ed77b80300020006f9020103100903100b10100000000400c0c00000"], 0x5, [{0xe7, &(0x7f0000000600)=ANY=[@ANYBLOB="e7030d9e4ce96da0309c4b5bd237d4858eb482975228cdbd5f642459dce1fd7d688e44b759af494262353f3b31e0a69fbda0c146370d4ab59ceef3fcbe072c8c219eb0e97c6659ee3ab9e5b8917cd3e8cb7fd8c6729b78234a20196c973e6685f75ef80a03127fd6903f6f1837f8967ceb4769ed761ce556b39b10847b8239a4f657efdc3e73c6aae974bc82608f679b51c71c1e8afc0b12c5db3ee8ce7c40f390e3cc988c478eb41c055590c5a0826b832c3d5968ac42116fccaa63bb60f7bebdbc80b377fc7200b40728db7673018dc7723d26539c64a1d342b9e66cb66d6cc8826701a00d05d926738add91de8d"]}, {0x0, 0x0}, {0xf7, &(0x7f0000001880)=ANY=[@ANYRES64=0x0]}, {0xfd, &(0x7f0000001040)=ANY=[]}, {0x0, 0x0}]})
syz_usb_control_io$printer(r8, &(0x7f0000001300)={0x14, &(0x7f00000011c0)=ANY=[@ANYBLOB="00215400000054220636ff2854a8f44c1278347ba53202276fdd27fe2c77210eb1f3a6f6840d79eb4c74bb65"], &(0x7f0000001240)=ANY=[@ANYBLOB="ed029b0000009b033b0738f96848e4ad812b257a9f0cb5109e7f5993fc159da85ea08b23cf354bff1e04fe94267d46ba7e097fff46765f3b8d4f8e9b0d7b1de012f43de44633113cfca6debfcc86e82eaede609487a7ff259bd86138452132cf15878627d6723da916b95a22a2a81cfef0288267fcda90dc66c61bfdfefc364e16b04ccde062d3006b2f7c8b762ce997b45beebaea859a"]}, &(0x7f0000001600)={0x34, 0x0, 0x0, &(0x7f00000016c0)={0x0, 0x8, 0x1, 0x7}, &(0x7f00000014c0)={0x20, 0x0, 0x2}, 0x0, &(0x7f00000015c0)={0x20, 0x0, 0x1, 0x8}})
io_uring_enter(0xffffffffffffffff, 0x47f4, 0x3, 0x0, 0x0, 0x0)
syz_open_dev$usbmon(&(0x7f0000000700), 0xeba, 0x101283)
write$vga_arbiter(r4, &(0x7f0000000040)=@other={'lock', ' ', 'io+mem'}, 0xc)
write$vga_arbiter(r4, &(0x7f0000000080)=@other={'decodes', ' ', 'none'}, 0xd)
close_range(r3, 0xffffffffffffffff, 0x0)
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000100)=ANY=[@ANYBLOB="12013f00000000407f04ffff000000000001090224000100000000090400001503000000092140000001220f00", @ANYRES16], 0x0)
syz_usb_control_io$hid(r0, 0x0, 0x0)
syz_usb_control_io$hid(r0, &(0x7f0000000280)={0x24, 0x0, 0x0, &(0x7f00000001c0)={0x0, 0x22, 0xf, {[@local=@item_4={0x3, 0x2, 0x0, "2e2b5aa4"}, @local=@item_4={0x3, 0x2, 0x0, "f85edaca"}, @main=@item_4={0x3, 0x0, 0x8}]}}, 0x0}, 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
executing program 1:
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
r1 = openat$iommufd(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
r2 = openat$iommufd(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
ioctl$IOMMU_IOAS_ALLOC(r2, 0x3b81, &(0x7f0000000140)={0xc, 0x0, <r3=>0x0})
ioctl$IOMMU_IOAS_ALLOC(r1, 0x3b81, &(0x7f0000000240)={0xc, 0x0, <r4=>0x0})
ioctl$IOMMU_IOAS_MAP$PAGES(r1, 0x3b85, &(0x7f0000000280)={0x28, 0x7, r4, 0x0, &(0x7f00007ff000/0x800000)=nil, 0x800000})
ioctl$IOMMU_TEST_OP_CREATE_ACCESS(r1, 0x3ba0, &(0x7f0000000400)={0x48, 0x5, r3, 0x0, <r5=>0xffffffffffffffff, 0x1})
ioctl$IOMMU_TEST_OP_ACCESS_PAGES$syz(r1, 0x3ba0, &(0x7f0000000380)={0x48, 0x7, r5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x146ead})
close_range(r0, 0xffffffffffffffff, 0x0)
executing program 1:
r0 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
socket$netlink(0x10, 0x3, 0x0)
sendmsg$nl_route(0xffffffffffffffff, 0x0, 0x90)
r1 = syz_genetlink_get_family_id$nbd(&(0x7f00000000c0), 0xffffffffffffffff)
sendmsg$NBD_CMD_CONNECT(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000480)=ANY=[@ANYBLOB='l\x00\x00\x00', @ANYRES16=r1, @ANYBLOB="010000000000000000000100000008000100400000000c000200700f0000000000000c00060003000000000000000a000a00272d5d29212b0000140007"], 0x6c}, 0x1, 0x0, 0x0, 0x40080}, 0x0)
r2 = openat$uhid(0xffffffffffffff9c, &(0x7f0000000040), 0x2, 0x0)
r3 = syz_open_dev$evdev(&(0x7f0000000040), 0x2, 0x0)
r4 = bpf$PROG_LOAD(0x5, &(0x7f0000000340)={0x11, 0x3, &(0x7f00000002c0)=@framed={{0x18, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffc}}, &(0x7f0000000040)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x3a, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000000)={&(0x7f0000000080)='sched_switch\x00', r4}, 0x10)
ioctl$EVIOCGRAB(r3, 0x40044590, &(0x7f0000000200)=0x7ffffffc)
ioctl$EVIOCGRAB(r3, 0x40044590, 0x0)
write$UHID_INPUT(r2, &(0x7f0000000500)={0x8, {"a31003c6eed6b1da1b469a7dc322a99ed9f7513a2c1fa3658201621a6379f5dd0d41258540ea8a286e8de8b38c3f0405f1dd97f26e1b157675ac315e75029a99cb4d8f5cf9b6e2580598cc1a8b26f7810e75c2d0d2cf0e76cc7b75322c32f89f41271b0aca1b283d1b7ca582993185096b70e4771a853d9338cbc2d7c4d663d03d5facf2f8241ee6ca520e02c2bb3fb5d9398095a8ec0b81d0a35e59a3965fc97f8432dd0c1e8554c35206a89efba742b482599467a31e36558834904c16ab9d8e3396ff231f7421e1916fc93aeef9eac0e55e0660c0347bbaa29f63bb16c835a5f660fbbc78f179e14f97cb041c123e4fbb8c7ff8f11cdb8c4464b434c6976b7ff607bd72c93e9e7fed6332f08143cea410ef0c1986774f33b66dd837764391961c490bc7858e68f87323ae31d49da2d34e1ef9ecff9af594f34d3a86be3a008cfa10c3d47db7d18508db4e02e608ad74495123e63e8d144dbb090f7e20ecc9893777e99e0d3c0a360eed135308473075efbafcea8bf8e3b7df9c903ac8b966269cf72d8efd629b0446a9dbc7636bb9a7df239b2ced32b3b79f6c231e352b5be25dd28cfd42e3143c5ecda76c2178a599f717deff69f739bf8281c40c67e19e87e4941849bc7e926469c6d29f0cd72ec82e4877ffbf5ad92dce0b6ee1d446d90678b0d943d68d9b2a73c290222e8809489faf8f009ee383062ed598a87301e07311382ced238a28596e8fa04de52611ab53fd3ac77710c414ef420665679feb7e93e8dcbf96e92ed55a159dbd58189e37a6767a74b2486b08501244c6a1d991620bc6832f87ed770dd010dc1b1237bc32701b9f08c7223c4575372854bd46abbe77103ff99718a85ae739cc3227bfc6c1da71a3084273bf0b9828518c49e554719b74fbe674b36770a09329cf3fcdaa43bd8f6549a474d84736a51fdd61fd3606363b1c520f45384b84baf84a15b639d0a52da45b0bb8b090b191f9d965c0b9ccb501e2fa27a713b665041bf692704d0e6b5cae9d864fb65e27418aa903dd148d7520409b1ea5242b3bd0ce2a20892012860e59c54e575e3e89cd662681f7078d7b7dbcad85f2a6d50dd7739450b6b662cca6a0cf0c5adfb18efedbb7f982b444415320593b99f15683b97cf45f515fd1dc9a489df312a4d175bed1b3858dbd9498a233f2662c2abba01c1660d8e0294cee8abf754c6379bc728545a3b37eb7b3392d8e684665a129a9a827aa978beabbad8429c671e74c5fc7c0704375b956e20be6392997aa6b322f465a2529ebb9a38f9461fa816a485bbddb19e80a3f5aa5548063e20076fae02384a705e60e7180585a215adf2393f35493381937df3f70488ecbb29816eebf7dc4e401209536a887b2ec6df30a5ef253f53fe3aff896ea0699ebac002153fc080208ee14bc84f4b0114d2dcdd15dc4985fee03557c6c7de4130b9ba86393bd0c303a879e2691fea55a7c25a5bfb12957d1e3da76ee3d9bf6e4ef5c4e9fbf4877609de78e274be28cb952e0b415c6c062f29a513a3858d881b5dd1f2a8f3c179405e0ff3c8fd65d4427a2d1d6ea33599039c58a62b8533a841b78e2ff74bde84b13d32ac9c4290ab074f505780b7a916caf0d8f4983097da48a44bfafa0bca774657dc85b14f0fc59855beb7202b3bc45730dfbffbb4ec46a13c4e8e8f978196b9af62c1fc671cbc0f3882a043dbb70174bd9644c91cde9909753b973887d7b2c21c55fd8fda01ae2ec970d25572286e8cf512ee77507d11c839861215b7bff867dc57fb15a3c53796be39021d86989a127e06aeb4bc2bb2fcc635d73051de17e91a904b98f4d12aa886e175459f3444e06099f4758f346008754a4ccb875162e73c8754bc3fda9f7a58276ab04fde689020aa1c5a2b4c103cd547086d9410291301cbbdb5b4bdfe6db7b2c7688cec5e5fa2b61f6431d52da01d428c47dc0403004cd1540181b1fe124eb843dde264be626caccad7e096b5dd1cd319e6a62fe4be8a46de1a954e517ed2737d1537132654619035618a9889e8c77c1189cbd54d95cd4e5db29073d4f2989104c62b5eb9eb13ea9aad67aabf94f5ccf90a66764183ef671ef364d7a6db95ec5a1c0e7453b9d643b192ee0ab011b162fb8918a51cd42f47b1aa01897657e7d1acb69b739da9f65cfbe0bff91d4dd4ee4071bb88c0e492dc6795ccb1b155127438006f97275b6aae0e4f90095a0753a072d43187109330729347d017af8ecf448ae2babc90c6d56776ee1ad0343e3518298ff0106e992f01e5d4a9665d251fa2242e49dd9618033723747d830f2f17724900a45dbf61f82ca878742c2ac57267ae776a6171113de44047db31103d0803923fc279dac840e58f3f9619524b0b28246652bc4f0e63adfa53981d69bf50c51c70e6a0637464555922d75edaf415d4dab4bf54e8d9ee6369e2f648c58c80b88850a4a01fe71dc076ed3e12a1fee54d5db0a38d31425ce40f4f8b4f105b1790d655e675cabb966c04f092b39315c0788316b4ecfc5da3df436686582aa29666613448222d3d0cc849630d6c0855d075321c28bd0d8e7ad7a5846455bb3690b9acbfe8125943a1683de8414e2823883605e50ca00405a61ef9f3c4f1efd914d15a32a2a3146d1ec07d2ab35276f2673725a0189a32ec9fcdb6a2005c63136ae6e285fc51c6a0b84ed02855a82b86009cb7d834e94e1ffbeca227ace424a01fbf3325d8dd48ad98929070127abb686472c3e21e2b1a0b625d4fba8ba64637821395b8767bcf40da1153af11868b1162283da96d44f0063a73c98b07f50ee846922cb6b8b25525bb3274fba4e45b1444c4967ab553128c83d8985773e3ffcec1ff33f3e0883bcb892afea48deccde2ce94b60d790cda3c4bdbcd8f991cac5a81d2025efbf272c99c0191d3ea6b5ab343ab3c9c82f20d3127a765b10dbcf0fe12d98fa8827a30fcf589db0a5c1b215112fad5ab344bdc3f8762fb2be3015fe98673bf2e9a2974235d67b90b7d3b49c7bab197e5a6304d1aba1ab13d13c0a04bd0a7a8d138d97ec5b907637353b1b1858792f7421d13ad215ec68e6021bfbf7f368370f95f458c7e929f34723f5c72f3f49aa1edd269942e151f80bb5056a8f0808df2b3f27cc4491d5831e910d8db65e9a631df960c93c2880d95d12210a5a283ab28d2071ca6f822d2ec4da732ca715fe509871839d39319fb7a503cb5215317d70458f4902b537213183e60d63efae6f65586b02f969f69738e86b1e79c1eb7eb15acbddc813e81950ea4ee6410b23f6c96b1b3d4dc513d05f4881caff7db7bcc0bd13ca2d92b019e94a3c3afabe64b609a3325b3cc9dd0f4d966496c6648f1e940bc210ef7729b9c639ddf76171062199a740b9677280290ce4f63a7ede03e2be5d007d37d59d3037dbea92c1670c102b3d19e4667f9ad5e8bc7d91ee8423f3452df6476575e998caedfae59d337b54c687d99535b328d8c82f9642f3587d54edd5480f6c6b2fe923a340dc7490027a63e1b4e25596406c40a323583fc365ccc2c3e315cbd4c115825eb794da6b63f4b735dcb453ca2e4c50a9921dbd2da30830ad25460e77c25ba7b9ccaf82d85d5ebb912840eab9db0b1cd93e4b70db10e8cbedc027f7070b0bd22a00d4cf8fe46e59472e1bde2bbb25b200699ed5c57545c234f74190a9793a1f1997c77b43ca01246c1345f2f6d0399f61897b37e7dd57f647acb617f45c8cf995743075f24dda7e6c9c90b3b434e591bfcba8bd0a8f2646886767e5003299474a8aace6b218b6ab878d21514950138b47b6baa2a394a40ab365bdf335d837868d7d30a7ffb3d04ef872b30a5eec184a891e0fe3369bb746b02970d76a89a46980034bde6f0496d348384de0180ddafcf5df4ae0319a7d08766e4bcfb126b6a475de3f70983d9441e4941ee8e1c02afc847ab28cced39a034d2a347b3cf32194749e594cfc774e260ed4bf88efc9bb665cbf363e8ae13c89fab9f4847b8f5e29aee7cc01ce767405c44e89642087e568e44b0b2ef8ca96fb79b9f88a6158eae98d739546ebc4c5de33b8947ac14931df23e5eaddadc03a46b3b515fa2a1802bd856eec6be65643b0614aa51f0d8c957565b4edf26071fe34494a64a39ccd84cfdfa60cb3e001589161c6b52cf8d191e2c9158a2a9e6fd974bf51bab401633a5dc882b17806599e483d0fa286d14425cdea244494361d48dc1009612b3317b25128818081ea57345e866990e2579395895fba8129e151c2f4d4c570237d4844b6e688a1b2ec42c6bb225bd5cb69870f732107cdc3938b82c2372bfa93d1798b18f66a17e608229a21dce25fe7a415bc512bb692b2c95164236f1d402bb8d9ed5ea73933c64105441d3ddd0e8ac5e8cf014d06268f669b3937e8d9195d263609432079267691ec82ccd72e0cc2b8aea8937caa31c3eaf3f5730479c60c3d1cf0ebabd267c23a0b7ccc6ff4a0cfd53535dcfcd0dfc87cce2130708842ac2b195ebf7539837dd6ceca466364298f5fc17f85397e7bd22826c38d89a3575ea632f1ab799090cdf49f9345870444b1843b029be643b998565e4fe5f4f32796e25e3eba421b9937e1119cb578a0bc165f19a9711cd03e8b10109ebdc6ee4f9115f1dbe0140ba1334298fd4a81f617b97491d48b6da02a4447914c7a21df4e0aa3a00d9df151aecc7764da7b34eb35597fe9c41437064d4e81bf694a4b4dbac971497e3c54779401b66025ac5cbcfe583892d5e33df2196461be0dbb8c89acc0b17c8c44e08d76becdfbdc1dcc06c1fb1e51328ebdd206f44a2cefcff60caa48b6d9431c32d5f72e3b381a0347c402b6d5f8834daae110f1a47694778563781b5e345fe3c3c8d2ad3ef0d4e57ef9ed62331082430b81677c486cca44ff5bee8ae849aa0cf8cfc56696ee04f7461e1d18a7d7121490636d3d8e2fe647fa9dfe6ec986f98709d3afa0ee990eb0309913352378d3a46e2f0df9a8e045e600dd4459e3e4e9891729841f8c69a200837b1b4762a6d3a4f59e353fa31b0cbc9b3caa181daeef9c0e1e18319ee5d98989c365204fc86ef8c135e6e4eac041ea8496166971323bed96b78738a5b51ef0b4db30125d06d2def7d6a176537954f972cce07ba17d49bc6bdfa406a7287a2f1661541647c0efae4cad510a4a50bd1348c69a9375a96928f8d5b90e17e44eccb256f44f5e722b6ed2c488c180a05b892188efba8fc2562b86dda851f6e894d25594ee3e032e35adeaea5839497727bcbf985713983d54a2bd31f8f968ca39a2720c1ea73890dd26b72a92af5a8b6208710c2a5b3598c2bde6f726a7490bfb553b9b6dd4a4ff62f558e89b2b6f10ca7e3972463e4e823749ddf2ade4c87226a84a296ca41a6369220893fbad4550f72ba3dadac17a53524d35866c2adf366094c0e0ed2e531f49d6e0c8b66f8fedcbcd7cb15a487e8d83b0135b6cc7f58776b98b41ac76821ba358bed44298484472e4de036c450439e7e7e9990ae40e50c3d6ef8986540d7509b65c9624ec97f3a29c0e656cf8b7545ee000fa7ac96f24cbf1ff7e201a7d39bda02f46233acd812f991a6d206598dcaf80e667c63f21a54cb7461fe1284d65a5941da0420a1004a4215c01549fba9073163a61a825352595f3c381937565cacb1275c3264226589a2fae1d55d4817bad0ffcae58cee7748faacd73c30053b8e56c9ff6e9ca1ede8281b9b4b6cc0904e326bd2b96da1b43f6497827d57a4ed0c643ca456ef65092b7260439b455edc57062f2cdf9929b4a483d49c1f381998c67e2b0a3c4", 0x1000}}, 0x1006)
syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
executing program 1:
r0 = socket$inet6_udplite(0xa, 0x2, 0x88)
ioctl$sock_inet6_SIOCADDRT(r0, 0x890b, &(0x7f0000000540)={@empty, @rand_addr=' \x01\x00', @rand_addr=' \x01\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x6})
executing program 1:
r0 = socket(0x10, 0x3, 0x0)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000180)={'ip6tnl0\x00', <r1=>0x0})
sendmsg$nl_route_sched(r0, &(0x7f00000007c0)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000340)=@newqdisc={0x44, 0x24, 0xf0b, 0x0, 0x25dfdbfd, {0x0, 0x0, 0x0, r1, {0x0, 0xc}, {0xffff, 0xffff}, {0xd, 0x2}}, [@qdisc_kind_options=@q_cake={{0x9}, {0x14, 0x2, [@TCA_CAKE_INGRESS={0x8, 0xf, 0x1}, @TCA_CAKE_AUTORATE={0x8, 0x9, 0x9}]}}]}, 0x44}, 0x1, 0x0, 0x0, 0x44004}, 0x0)
executing program 1:
r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cpuset.effective_cpus\x00', 0x275a, 0x0)
fcntl$lock(r0, 0x26, &(0x7f0000000000)={0x1, 0x0, 0x37f2602d})
fcntl$lock(r0, 0x25, &(0x7f0000000040)={0x0, 0x0, 0x80, 0x7})
executing program 1:
r0 = syz_io_uring_setup(0x497, &(0x7f0000002180)={0x0, 0x787f, 0x100, 0x404, 0x1ad}, &(0x7f0000000000)=<r1=>0x0, &(0x7f0000000280)=<r2=>0x0)
io_uring_register$IORING_REGISTER_PBUF_RING(r0, 0x16, &(0x7f0000000040)={&(0x7f0000001000)={[{0x0, 0x0, 0x3, 0x700}]}, 0x1, 0x1}, 0x1)
syz_memcpy_off$IO_URING_METADATA_GENERIC(r1, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r3=>0xffffffffffffffff})
syz_io_uring_submit(r1, r2, &(0x7f00000002c0)=@IORING_OP_RECV=@use_registered_buffer={0x1b, 0x20, 0x10, r3, 0x0, 0x0, 0x0, 0x12361, 0x1, {0x1}})
io_uring_enter(r0, 0x3517, 0x173d, 0x42, 0x0, 0x0)

program did not crash
replaying the whole log did not cause a kernel crash
single: executing 1 programs separately with timeout 5m0s
testing program (duration=5m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-socketpair$unix-syz_io_uring_submit-io_uring_enter
detailed listing:
executing program 0:
r0 = syz_io_uring_setup(0x497, &(0x7f0000002180)={0x0, 0x787f, 0x100, 0x404, 0x1ad}, &(0x7f0000000000)=<r1=>0x0, &(0x7f0000000280)=<r2=>0x0)
io_uring_register$IORING_REGISTER_PBUF_RING(r0, 0x16, &(0x7f0000000040)={&(0x7f0000001000)={[{0x0, 0x0, 0x3, 0x700}]}, 0x1, 0x1}, 0x1)
syz_memcpy_off$IO_URING_METADATA_GENERIC(r1, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r3=>0xffffffffffffffff})
syz_io_uring_submit(r1, r2, &(0x7f00000002c0)=@IORING_OP_RECV=@use_registered_buffer={0x1b, 0x20, 0x10, r3, 0x0, 0x0, 0x0, 0x12361, 0x1, {0x1}})
io_uring_enter(r0, 0x3517, 0x173d, 0x42, 0x0, 0x0)

program crashed: BUG: unable to handle kernel NULL pointer dereference in io_ring_buffers_peek
single: successfully extracted reproducer
found reproducer with 6 syscalls
minimizing guilty program
testing program (duration=5m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-socketpair$unix-syz_io_uring_submit
detailed listing:
executing program 0:
r0 = syz_io_uring_setup(0x497, &(0x7f0000002180)={0x0, 0x787f, 0x100, 0x404, 0x1ad}, &(0x7f0000000000)=<r1=>0x0, &(0x7f0000000280)=<r2=>0x0)
io_uring_register$IORING_REGISTER_PBUF_RING(r0, 0x16, &(0x7f0000000040)={&(0x7f0000001000)={[{0x0, 0x0, 0x3, 0x700}]}, 0x1, 0x1}, 0x1)
syz_memcpy_off$IO_URING_METADATA_GENERIC(r1, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r3=>0xffffffffffffffff})
syz_io_uring_submit(r1, r2, &(0x7f00000002c0)=@IORING_OP_RECV=@use_registered_buffer={0x1b, 0x20, 0x10, r3, 0x0, 0x0, 0x0, 0x12361, 0x1, {0x1}})

program did not crash
testing program (duration=5m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-socketpair$unix-io_uring_enter
detailed listing:
executing program 0:
r0 = syz_io_uring_setup(0x497, &(0x7f0000002180)={0x0, 0x787f, 0x100, 0x404, 0x1ad}, &(0x7f0000000000)=<r1=>0x0, &(0x7f0000000280))
io_uring_register$IORING_REGISTER_PBUF_RING(r0, 0x16, &(0x7f0000000040)={&(0x7f0000001000)={[{0x0, 0x0, 0x3, 0x700}]}, 0x1, 0x1}, 0x1)
syz_memcpy_off$IO_URING_METADATA_GENERIC(r1, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080))
io_uring_enter(r0, 0x3517, 0x173d, 0x42, 0x0, 0x0)

program did not crash
testing program (duration=5m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-syz_io_uring_submit-io_uring_enter
detailed listing:
executing program 0:
r0 = syz_io_uring_setup(0x497, &(0x7f0000002180)={0x0, 0x787f, 0x100, 0x404, 0x1ad}, &(0x7f0000000000)=<r1=>0x0, &(0x7f0000000280)=<r2=>0x0)
io_uring_register$IORING_REGISTER_PBUF_RING(r0, 0x16, &(0x7f0000000040)={&(0x7f0000001000)={[{0x0, 0x0, 0x3, 0x700}]}, 0x1, 0x1}, 0x1)
syz_memcpy_off$IO_URING_METADATA_GENERIC(r1, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4)
syz_io_uring_submit(r1, r2, &(0x7f00000002c0)=@IORING_OP_RECV=@use_registered_buffer={0x1b, 0x20, 0x10, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x12361, 0x1, {0x1}})
io_uring_enter(r0, 0x3517, 0x173d, 0x42, 0x0, 0x0)

program did not crash
testing program (duration=5m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-socketpair$unix-syz_io_uring_submit-io_uring_enter
detailed listing:
executing program 0:
r0 = syz_io_uring_setup(0x497, &(0x7f0000002180)={0x0, 0x787f, 0x100, 0x404, 0x1ad}, &(0x7f0000000000)=<r1=>0x0, &(0x7f0000000280)=<r2=>0x0)
io_uring_register$IORING_REGISTER_PBUF_RING(r0, 0x16, &(0x7f0000000040)={&(0x7f0000001000)={[{0x0, 0x0, 0x3, 0x700}]}, 0x1, 0x1}, 0x1)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r3=>0xffffffffffffffff})
syz_io_uring_submit(r1, r2, &(0x7f00000002c0)=@IORING_OP_RECV=@use_registered_buffer={0x1b, 0x20, 0x10, r3, 0x0, 0x0, 0x0, 0x12361, 0x1, {0x1}})
io_uring_enter(r0, 0x3517, 0x173d, 0x42, 0x0, 0x0)

program did not crash
testing program (duration=5m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_io_uring_setup-syz_memcpy_off$IO_URING_METADATA_GENERIC-socketpair$unix-syz_io_uring_submit-io_uring_enter
detailed listing:
executing program 0:
r0 = syz_io_uring_setup(0x497, &(0x7f0000002180)={0x0, 0x787f, 0x100, 0x404, 0x1ad}, &(0x7f0000000000)=<r1=>0x0, &(0x7f0000000280)=<r2=>0x0)
syz_memcpy_off$IO_URING_METADATA_GENERIC(r1, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r3=>0xffffffffffffffff})
syz_io_uring_submit(r1, r2, &(0x7f00000002c0)=@IORING_OP_RECV=@use_registered_buffer={0x1b, 0x20, 0x10, r3, 0x0, 0x0, 0x0, 0x12361, 0x1, {0x1}})
io_uring_enter(r0, 0x3517, 0x173d, 0x42, 0x0, 0x0)

program did not crash
testing program (duration=5m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-socketpair$unix-syz_io_uring_submit-io_uring_enter
detailed listing:
executing program 0:
io_uring_register$IORING_REGISTER_PBUF_RING(0xffffffffffffffff, 0x16, &(0x7f0000000040)={&(0x7f0000001000)={[{0x0, 0x0, 0x3, 0x700}]}, 0x1, 0x1}, 0x1)
syz_memcpy_off$IO_URING_METADATA_GENERIC(0x0, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
syz_io_uring_submit(0x0, 0x0, &(0x7f00000002c0)=@IORING_OP_RECV=@use_registered_buffer={0x1b, 0x20, 0x10, r0, 0x0, 0x0, 0x0, 0x12361, 0x1, {0x1}})
io_uring_enter(0xffffffffffffffff, 0x3517, 0x173d, 0x42, 0x0, 0x0)

program did not crash
testing program (duration=5m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-socketpair$unix-syz_io_uring_submit-io_uring_enter
detailed listing:
executing program 0:
r0 = syz_io_uring_setup(0x497, 0x0, &(0x7f0000000000)=<r1=>0x0, &(0x7f0000000280)=<r2=>0x0)
io_uring_register$IORING_REGISTER_PBUF_RING(r0, 0x16, &(0x7f0000000040)={&(0x7f0000001000)={[{0x0, 0x0, 0x3, 0x700}]}, 0x1, 0x1}, 0x1)
syz_memcpy_off$IO_URING_METADATA_GENERIC(r1, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r3=>0xffffffffffffffff})
syz_io_uring_submit(r1, r2, &(0x7f00000002c0)=@IORING_OP_RECV=@use_registered_buffer={0x1b, 0x20, 0x10, r3, 0x0, 0x0, 0x0, 0x12361, 0x1, {0x1}})
io_uring_enter(r0, 0x3517, 0x173d, 0x42, 0x0, 0x0)

program did not crash
testing program (duration=5m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-socketpair$unix-syz_io_uring_submit-io_uring_enter
detailed listing:
executing program 0:
r0 = syz_io_uring_setup(0x497, &(0x7f0000002180)={0x0, 0x787f, 0x100, 0x404, 0x1ad}, 0x0, &(0x7f0000000280)=<r1=>0x0)
io_uring_register$IORING_REGISTER_PBUF_RING(r0, 0x16, &(0x7f0000000040)={&(0x7f0000001000)={[{0x0, 0x0, 0x3, 0x700}]}, 0x1, 0x1}, 0x1)
syz_memcpy_off$IO_URING_METADATA_GENERIC(0x0, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
syz_io_uring_submit(0x0, r1, &(0x7f00000002c0)=@IORING_OP_RECV=@use_registered_buffer={0x1b, 0x20, 0x10, r2, 0x0, 0x0, 0x0, 0x12361, 0x1, {0x1}})
io_uring_enter(r0, 0x3517, 0x173d, 0x42, 0x0, 0x0)

program did not crash
testing program (duration=5m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-socketpair$unix-syz_io_uring_submit-io_uring_enter
detailed listing:
executing program 0:
r0 = syz_io_uring_setup(0x497, &(0x7f0000002180)={0x0, 0x787f, 0x100, 0x404, 0x1ad}, &(0x7f0000000000)=<r1=>0x0, 0x0)
io_uring_register$IORING_REGISTER_PBUF_RING(r0, 0x16, &(0x7f0000000040)={&(0x7f0000001000)={[{0x0, 0x0, 0x3, 0x700}]}, 0x1, 0x1}, 0x1)
syz_memcpy_off$IO_URING_METADATA_GENERIC(r1, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
syz_io_uring_submit(r1, 0x0, &(0x7f00000002c0)=@IORING_OP_RECV=@use_registered_buffer={0x1b, 0x20, 0x10, r2, 0x0, 0x0, 0x0, 0x12361, 0x1, {0x1}})
io_uring_enter(r0, 0x3517, 0x173d, 0x42, 0x0, 0x0)

program did not crash
testing program (duration=5m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-socketpair$unix-syz_io_uring_submit-io_uring_enter
detailed listing:
executing program 0:
r0 = syz_io_uring_setup(0x497, &(0x7f0000002180)={0x0, 0x787f, 0x100, 0x404, 0x1ad}, &(0x7f0000000000)=<r1=>0x0, &(0x7f0000000280)=<r2=>0x0)
io_uring_register$IORING_REGISTER_PBUF_RING(r0, 0x16, 0x0, 0x1)
syz_memcpy_off$IO_URING_METADATA_GENERIC(r1, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r3=>0xffffffffffffffff})
syz_io_uring_submit(r1, r2, &(0x7f00000002c0)=@IORING_OP_RECV=@use_registered_buffer={0x1b, 0x20, 0x10, r3, 0x0, 0x0, 0x0, 0x12361, 0x1, {0x1}})
io_uring_enter(r0, 0x3517, 0x173d, 0x42, 0x0, 0x0)

program did not crash
testing program (duration=5m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-socketpair$unix-syz_io_uring_submit-io_uring_enter
detailed listing:
executing program 0:
r0 = syz_io_uring_setup(0x497, &(0x7f0000002180)={0x0, 0x787f, 0x100, 0x404, 0x1ad}, &(0x7f0000000000)=<r1=>0x0, &(0x7f0000000280)=<r2=>0x0)
io_uring_register$IORING_REGISTER_PBUF_RING(r0, 0x16, &(0x7f0000000040)={0x0, 0x0, 0x1}, 0x1)
syz_memcpy_off$IO_URING_METADATA_GENERIC(r1, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r3=>0xffffffffffffffff})
syz_io_uring_submit(r1, r2, &(0x7f00000002c0)=@IORING_OP_RECV=@use_registered_buffer={0x1b, 0x20, 0x10, r3, 0x0, 0x0, 0x0, 0x12361, 0x1, {0x1}})
io_uring_enter(r0, 0x3517, 0x173d, 0x42, 0x0, 0x0)

program did not crash
testing program (duration=5m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-socketpair$unix-syz_io_uring_submit-io_uring_enter
detailed listing:
executing program 0:
r0 = syz_io_uring_setup(0x497, &(0x7f0000002180)={0x0, 0x787f, 0x100, 0x404, 0x1ad}, &(0x7f0000000000)=<r1=>0x0, &(0x7f0000000280)=<r2=>0x0)
io_uring_register$IORING_REGISTER_PBUF_RING(r0, 0x16, &(0x7f0000000040)={&(0x7f0000001000)={[{0x0, 0x0, 0x3, 0x700}]}, 0x1, 0x1}, 0x1)
syz_memcpy_off$IO_URING_METADATA_GENERIC(r1, 0x4, 0x0, 0x0, 0x4)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r3=>0xffffffffffffffff})
syz_io_uring_submit(r1, r2, &(0x7f00000002c0)=@IORING_OP_RECV=@use_registered_buffer={0x1b, 0x20, 0x10, r3, 0x0, 0x0, 0x0, 0x12361, 0x1, {0x1}})
io_uring_enter(r0, 0x3517, 0x173d, 0x42, 0x0, 0x0)

program did not crash
testing program (duration=5m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-socketpair$unix-syz_io_uring_submit-io_uring_enter
detailed listing:
executing program 0:
r0 = syz_io_uring_setup(0x497, &(0x7f0000002180)={0x0, 0x787f, 0x100, 0x404, 0x1ad}, &(0x7f0000000000)=<r1=>0x0, &(0x7f0000000280)=<r2=>0x0)
io_uring_register$IORING_REGISTER_PBUF_RING(r0, 0x16, &(0x7f0000000040)={&(0x7f0000001000)={[{0x0, 0x0, 0x3, 0x700}]}, 0x1, 0x1}, 0x1)
syz_memcpy_off$IO_URING_METADATA_GENERIC(r1, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4)
socketpair$unix(0x1, 0x1, 0x0, 0x0)
syz_io_uring_submit(r1, r2, &(0x7f00000002c0)=@IORING_OP_RECV=@use_registered_buffer={0x1b, 0x20, 0x10, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x12361, 0x1, {0x1}})
io_uring_enter(r0, 0x3517, 0x173d, 0x42, 0x0, 0x0)

program did not crash
testing program (duration=5m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-socketpair$unix-syz_io_uring_submit-io_uring_enter
detailed listing:
executing program 0:
r0 = syz_io_uring_setup(0x497, &(0x7f0000002180)={0x0, 0x787f, 0x100, 0x404, 0x1ad}, &(0x7f0000000000)=<r1=>0x0, &(0x7f0000000280)=<r2=>0x0)
io_uring_register$IORING_REGISTER_PBUF_RING(r0, 0x16, &(0x7f0000000040)={&(0x7f0000001000)={[{0x0, 0x0, 0x3, 0x700}]}, 0x1, 0x1}, 0x1)
syz_memcpy_off$IO_URING_METADATA_GENERIC(r1, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080))
syz_io_uring_submit(r1, r2, 0x0)
io_uring_enter(r0, 0x3517, 0x173d, 0x42, 0x0, 0x0)

program did not crash
extracting C reproducer
testing compiled C program (duration=5m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-socketpair$unix-syz_io_uring_submit-io_uring_enter
program crashed: BUG: unable to handle kernel NULL pointer dereference in io_ring_buffers_peek
simplifying C reproducer
testing compiled C program (duration=5m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-socketpair$unix-syz_io_uring_submit-io_uring_enter
program crashed: BUG: unable to handle kernel NULL pointer dereference in io_ring_buffers_peek
testing compiled C program (duration=5m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-socketpair$unix-syz_io_uring_submit-io_uring_enter
program crashed: BUG: unable to handle kernel NULL pointer dereference in io_ring_buffers_peek
testing compiled C program (duration=5m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:10 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-socketpair$unix-syz_io_uring_submit-io_uring_enter
program crashed: BUG: unable to handle kernel NULL pointer dereference in io_ring_buffers_peek
testing compiled C program (duration=5m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:10 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-socketpair$unix-syz_io_uring_submit-io_uring_enter
program crashed: BUG: unable to handle kernel NULL pointer dereference in io_ring_buffers_peek
testing compiled C program (duration=5m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:10 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-socketpair$unix-syz_io_uring_submit-io_uring_enter
program crashed: BUG: unable to handle kernel NULL pointer dereference in io_ring_buffers_peek
testing compiled C program (duration=5m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:10 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-socketpair$unix-syz_io_uring_submit-io_uring_enter
program crashed: BUG: unable to handle kernel NULL pointer dereference in io_ring_buffers_peek
reproducing took 1h33m54.958299996s
repro crashed as (corrupted=false):
8<--- cut here ---
Unable to handle kernel NULL pointer dereference at virtual address 0000000e when read
[0000000e] *pgd=84997003, *pmd=df9a9003
Internal error: Oops: 205 [#1] SMP ARM
Modules linked in:
CPU: 0 UID: 0 PID: 3102 Comm: syz-executor415 Not tainted 6.15.0-rc5-syzkaller #0 PREEMPT 
Hardware name: ARM-Versatile Express
PC is at io_ring_buffers_peek+0x24/0x258 io_uring/kbuf.c:227
LR is at io_buffers_peek+0x68/0x8c io_uring/kbuf.c:343
pc : [<8088956c>]    lr : [<80889cb0>]    psr: 20000013
sp : df991dc0  ip : df991e08  fp : df991e04
r10: 00012361  r9 : 00000000  r8 : 8498d740
r7 : 84498a0c  r6 : 84498a00  r5 : df991e44  r4 : 84995000
r3 : 00000001  r2 : 84498a0c  r1 : df991e44  r0 : 84995000
Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
Control: 30c5387d  Table: 845f43c0  DAC: fffffffd
Register r0 information: slab io_kiocb start 84995000 pointer offset 0 size 192
Register r1 information: 2-page vmalloc region starting at 0xdf990000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2844
Register r2 information: slab kmalloc-256 start 84498a00 pointer offset 12 size 256
Register r3 information: non-paged memory
Register r4 information: slab io_kiocb start 84995000 pointer offset 0 size 192
Register r5 information: 2-page vmalloc region starting at 0xdf990000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2844
Register r6 information: slab kmalloc-256 start 84498a00 pointer offset 0 size 256
Register r7 information: slab kmalloc-256 start 84498a00 pointer offset 12 size 256
Register r8 information: slab kmalloc-64 start 8498d740 pointer offset 0 size 64
Register r9 information: NULL pointer
Register r10 information: non-paged memory
Register r11 information: 2-page vmalloc region starting at 0xdf990000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2844
Register r12 information: 2-page vmalloc region starting at 0xdf990000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2844
Process syz-executor415 (pid: 3102, stack limit = 0xdf990000)
Stack: (0xdf991dc0 to 0xdf992000)
1dc0: 81a4be54 8030cb0c 8495d100 00000001 00010000 84498a0c 00000000 84995000
1de0: df991e44 84498a00 84498a0c 00000000 80000001 00012361 df991e1c df991e08
1e00: 80889cb0 80889554 837e3b80 84995000 df991e84 df991e20 808931e0 80889c54
1e20: df991e4c df991e30 8089ec2c 8050a4c4 00010001 00000001 8057abbc 00000000
1e40: 00000000 84498a0c 00000000 00000000 00010001 7df2f2e8 80886a40 84995000
1e60: 81cf0ca0 00000000 80000001 81cf0b5c 0000001b 83b4ec00 df991ebc df991e88
1e80: 80886bd8 80892f38 849953c0 84995480 84995540 8495d000 8499506c 84995000
1ea0: 84ae0000 00000000 00000000 83b4ec00 df991f14 df991ec0 808877a8 80886b7c
1ec0: 8088e164 81a4bdf8 8499bdb8 845f43c8 00000800 00000800 81cf0b5c 00000800
1ee0: 8495d000 7df2f2e8 840ae0c0 00000042 8495d000 00003517 840ae0c0 00000000
1f00: 83b4ec00 00000000 df991fa4 df991f18 80888250 808875a8 df991f74 8495d040
1f20: 00000000 0000173d 840ae000 00000000 df991f94 df991f40 8151ae48 8057a670
1f40: df991f60 84404000 00000000 8281d1f0 00000a0f 76f57000 df991fb0 80234108
1f60: 20000280 00000000 df991fac df991f78 8023478c 7df2f2e8 00000120 00000000
1f80: 00000000 0008e068 000001aa 8020029c 83b4ec00 000001aa 00000000 df991fa8
1fa0: 80200060 80888124 00000000 00000000 00000003 00003517 0000173d 00000042
1fc0: 00000000 00000000 0008e068 000001aa 20000080 20000280 00000000 00000000
1fe0: 7e8b7c70 7e8b7c60 00010874 0002f900 40000010 00000003 00000000 00000000
Call trace: 
[<80889548>] (io_ring_buffers_peek) from [<80889cb0>] (io_buffers_peek+0x68/0x8c io_uring/kbuf.c:343)
 r10:00012361 r9:80000001 r8:00000000 r7:84498a0c r6:84498a00 r5:df991e44
 r4:84995000
[<80889c48>] (io_buffers_peek) from [<808931e0>] (io_recv_buf_select io_uring/net.c:1077 [inline])
[<80889c48>] (io_buffers_peek) from [<808931e0>] (io_recv+0x2b4/0x46c io_uring/net.c:1138)
 r5:84995000 r4:837e3b80
[<80892f2c>] (io_recv) from [<80886bd8>] (__io_issue_sqe io_uring/io_uring.c:1740 [inline])
[<80892f2c>] (io_recv) from [<80886bd8>] (io_issue_sqe+0x68/0x658 io_uring/io_uring.c:1759)
 r10:83b4ec00 r9:0000001b r8:81cf0b5c r7:80000001 r6:00000000 r5:81cf0ca0
 r4:84995000
[<80886b70>] (io_issue_sqe) from [<808877a8>] (io_queue_sqe io_uring/io_uring.c:1975 [inline])
[<80886b70>] (io_issue_sqe) from [<808877a8>] (io_submit_sqe io_uring/io_uring.c:2231 [inline])
[<80886b70>] (io_issue_sqe) from [<808877a8>] (io_submit_sqes+0x20c/0x938 io_uring/io_uring.c:2348)
 r10:83b4ec00 r9:00000000 r8:00000000 r7:84ae0000 r6:84995000 r5:8499506c
 r4:8495d000
[<8088759c>] (io_submit_sqes) from [<80888250>] (__do_sys_io_uring_enter io_uring/io_uring.c:3408 [inline])
[<8088759c>] (io_submit_sqes) from [<80888250>] (sys_io_uring_enter+0x138/0x780 io_uring/io_uring.c:3342)
 r10:00000000 r9:83b4ec00 r8:00000000 r7:840ae0c0 r6:00003517 r5:8495d000
 r4:00000042
[<80888118>] (sys_io_uring_enter) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:67)
Exception stack(0xdf991fa8 to 0xdf991ff0)
1fa0:                   00000000 00000000 00000003 00003517 0000173d 00000042
1fc0: 00000000 00000000 0008e068 000001aa 20000080 20000280 00000000 00000000
1fe0: 7e8b7c70 7e8b7c60 00010874 0002f900
 r10:000001aa r9:83b4ec00 r8:8020029c r7:000001aa r6:0008e068 r5:00000000
 r4:00000000
Code: e1a08002 e5912000 e50b2030 e1a05001 (e1d920be) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	e1a08002 	mov	r8, r2
   4:	e5912000 	ldr	r2, [r1]
   8:	e50b2030 	str	r2, [fp, #-48]	@ 0xffffffd0
   c:	e1a05001 	mov	r5, r1
* 10:	e1d920be 	ldrh	r2, [r9, #14] <-- trapping instruction

final repro crashed as (corrupted=false):
8<--- cut here ---
Unable to handle kernel NULL pointer dereference at virtual address 0000000e when read
[0000000e] *pgd=84997003, *pmd=df9a9003
Internal error: Oops: 205 [#1] SMP ARM
Modules linked in:
CPU: 0 UID: 0 PID: 3102 Comm: syz-executor415 Not tainted 6.15.0-rc5-syzkaller #0 PREEMPT 
Hardware name: ARM-Versatile Express
PC is at io_ring_buffers_peek+0x24/0x258 io_uring/kbuf.c:227
LR is at io_buffers_peek+0x68/0x8c io_uring/kbuf.c:343
pc : [<8088956c>]    lr : [<80889cb0>]    psr: 20000013
sp : df991dc0  ip : df991e08  fp : df991e04
r10: 00012361  r9 : 00000000  r8 : 8498d740
r7 : 84498a0c  r6 : 84498a00  r5 : df991e44  r4 : 84995000
r3 : 00000001  r2 : 84498a0c  r1 : df991e44  r0 : 84995000
Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
Control: 30c5387d  Table: 845f43c0  DAC: fffffffd
Register r0 information: slab io_kiocb start 84995000 pointer offset 0 size 192
Register r1 information: 2-page vmalloc region starting at 0xdf990000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2844
Register r2 information: slab kmalloc-256 start 84498a00 pointer offset 12 size 256
Register r3 information: non-paged memory
Register r4 information: slab io_kiocb start 84995000 pointer offset 0 size 192
Register r5 information: 2-page vmalloc region starting at 0xdf990000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2844
Register r6 information: slab kmalloc-256 start 84498a00 pointer offset 0 size 256
Register r7 information: slab kmalloc-256 start 84498a00 pointer offset 12 size 256
Register r8 information: slab kmalloc-64 start 8498d740 pointer offset 0 size 64
Register r9 information: NULL pointer
Register r10 information: non-paged memory
Register r11 information: 2-page vmalloc region starting at 0xdf990000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2844
Register r12 information: 2-page vmalloc region starting at 0xdf990000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2844
Process syz-executor415 (pid: 3102, stack limit = 0xdf990000)
Stack: (0xdf991dc0 to 0xdf992000)
1dc0: 81a4be54 8030cb0c 8495d100 00000001 00010000 84498a0c 00000000 84995000
1de0: df991e44 84498a00 84498a0c 00000000 80000001 00012361 df991e1c df991e08
1e00: 80889cb0 80889554 837e3b80 84995000 df991e84 df991e20 808931e0 80889c54
1e20: df991e4c df991e30 8089ec2c 8050a4c4 00010001 00000001 8057abbc 00000000
1e40: 00000000 84498a0c 00000000 00000000 00010001 7df2f2e8 80886a40 84995000
1e60: 81cf0ca0 00000000 80000001 81cf0b5c 0000001b 83b4ec00 df991ebc df991e88
1e80: 80886bd8 80892f38 849953c0 84995480 84995540 8495d000 8499506c 84995000
1ea0: 84ae0000 00000000 00000000 83b4ec00 df991f14 df991ec0 808877a8 80886b7c
1ec0: 8088e164 81a4bdf8 8499bdb8 845f43c8 00000800 00000800 81cf0b5c 00000800
1ee0: 8495d000 7df2f2e8 840ae0c0 00000042 8495d000 00003517 840ae0c0 00000000
1f00: 83b4ec00 00000000 df991fa4 df991f18 80888250 808875a8 df991f74 8495d040
1f20: 00000000 0000173d 840ae000 00000000 df991f94 df991f40 8151ae48 8057a670
1f40: df991f60 84404000 00000000 8281d1f0 00000a0f 76f57000 df991fb0 80234108
1f60: 20000280 00000000 df991fac df991f78 8023478c 7df2f2e8 00000120 00000000
1f80: 00000000 0008e068 000001aa 8020029c 83b4ec00 000001aa 00000000 df991fa8
1fa0: 80200060 80888124 00000000 00000000 00000003 00003517 0000173d 00000042
1fc0: 00000000 00000000 0008e068 000001aa 20000080 20000280 00000000 00000000
1fe0: 7e8b7c70 7e8b7c60 00010874 0002f900 40000010 00000003 00000000 00000000
Call trace: 
[<80889548>] (io_ring_buffers_peek) from [<80889cb0>] (io_buffers_peek+0x68/0x8c io_uring/kbuf.c:343)
 r10:00012361 r9:80000001 r8:00000000 r7:84498a0c r6:84498a00 r5:df991e44
 r4:84995000
[<80889c48>] (io_buffers_peek) from [<808931e0>] (io_recv_buf_select io_uring/net.c:1077 [inline])
[<80889c48>] (io_buffers_peek) from [<808931e0>] (io_recv+0x2b4/0x46c io_uring/net.c:1138)
 r5:84995000 r4:837e3b80
[<80892f2c>] (io_recv) from [<80886bd8>] (__io_issue_sqe io_uring/io_uring.c:1740 [inline])
[<80892f2c>] (io_recv) from [<80886bd8>] (io_issue_sqe+0x68/0x658 io_uring/io_uring.c:1759)
 r10:83b4ec00 r9:0000001b r8:81cf0b5c r7:80000001 r6:00000000 r5:81cf0ca0
 r4:84995000
[<80886b70>] (io_issue_sqe) from [<808877a8>] (io_queue_sqe io_uring/io_uring.c:1975 [inline])
[<80886b70>] (io_issue_sqe) from [<808877a8>] (io_submit_sqe io_uring/io_uring.c:2231 [inline])
[<80886b70>] (io_issue_sqe) from [<808877a8>] (io_submit_sqes+0x20c/0x938 io_uring/io_uring.c:2348)
 r10:83b4ec00 r9:00000000 r8:00000000 r7:84ae0000 r6:84995000 r5:8499506c
 r4:8495d000
[<8088759c>] (io_submit_sqes) from [<80888250>] (__do_sys_io_uring_enter io_uring/io_uring.c:3408 [inline])
[<8088759c>] (io_submit_sqes) from [<80888250>] (sys_io_uring_enter+0x138/0x780 io_uring/io_uring.c:3342)
 r10:00000000 r9:83b4ec00 r8:00000000 r7:840ae0c0 r6:00003517 r5:8495d000
 r4:00000042
[<80888118>] (sys_io_uring_enter) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:67)
Exception stack(0xdf991fa8 to 0xdf991ff0)
1fa0:                   00000000 00000000 00000003 00003517 0000173d 00000042
1fc0: 00000000 00000000 0008e068 000001aa 20000080 20000280 00000000 00000000
1fe0: 7e8b7c70 7e8b7c60 00010874 0002f900
 r10:000001aa r9:83b4ec00 r8:8020029c r7:000001aa r6:0008e068 r5:00000000
 r4:00000000
Code: e1a08002 e5912000 e50b2030 e1a05001 (e1d920be) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	e1a08002 	mov	r8, r2
   4:	e5912000 	ldr	r2, [r1]
   8:	e50b2030 	str	r2, [fp, #-48]	@ 0xffffffd0
   c:	e1a05001 	mov	r5, r1
* 10:	e1d920be 	ldrh	r2, [r9, #14] <-- trapping instruction