Extracting prog: 5m44.462533686s
Minimizing prog: 1h28m9.701946751s
Simplifying prog options: 0s
Extracting C: 1m19.730961533s
Simplifying C: 7m24.180135712s


extracting reproducer from 12 programs
first checking the prog from the crash report
single: executing 1 programs separately with timeout 45s
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prlimit64-sched_setscheduler-prctl$PR_SCHED_CORE-openat$sequencer-syz_open_dev$sndmidi-writev-socket$inet6_sctp-syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-ioctl$sock_SIOCETHTOOL-syz_io_uring_submit-openat$uinput-io_uring_enter
detailed listing:
executing program 0:
prlimit64(0x0, 0xe, 0x0, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x101000, 0x0)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
writev(r0, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2)
r1 = socket$inet6_sctp(0xa, 0x5, 0x84)
r2 = syz_io_uring_setup(0x497, &(0x7f0000000180)={0x0, 0x4885, 0x100, 0x4, 0x1d}, &(0x7f0000000340)=<r3=>0x0, &(0x7f0000000600)=<r4=>0x0)
io_uring_register$IORING_REGISTER_PBUF_RING(r2, 0x16, &(0x7f0000000040)={&(0x7f0000001000)={[{0x0, 0x0, 0x3, 0xf4}]}, 0x1, 0x1}, 0x1)
syz_memcpy_off$IO_URING_METADATA_GENERIC(r3, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4)
ioctl$sock_SIOCETHTOOL(0xffffffffffffffff, 0x89f1, 0x0)
syz_io_uring_submit(r3, r4, &(0x7f00000002c0)=@IORING_OP_RECV=@use_registered_buffer={0x1b, 0x20, 0x10, r1, 0x0, 0x0, 0x0, 0x242, 0x1, {0x1}})
openat$uinput(0xffffffffffffff9c, 0x0, 0x802, 0x0)
io_uring_enter(r2, 0x3516, 0x0, 0x0, 0x0, 0x0)

program did not crash
single: failed to extract reproducer
bisect: bisecting 12 programs with base timeout 45s
testing program (duration=48s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 2, 4, 13, 8, 2, 3, 5, 3, 4, 12, 14]
detailed listing:
executing program 0:
r0 = socket(0x400000000010, 0x3, 0x0)
r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000140)={0x1, 0xe, &(0x7f0000000900)=ANY=[@ANYBLOB="b7020000f7ffffffbfa70000000000002402000020fe29817a0af0fff8ffffff69a4f0ff00000000b70600000018d1fe2d6405000000000075040000000000400704000000000000b7040000100000206a0700fe000000008500000005000000b70000000a00000095000000000000000000c2c62f6004ad13aa957e2af5e49a53c2868f0399d909a63796c113a80c19aab9d607000000b6c9483be3f0d3253730e714c46cc4f79fd2b316da4f0de8163f6242fa7323f1740637c48468766af540439fce41f144631ac262dcae18c3d1a1fbe96dc86035b44174f7c0620254ab6d285e6b343185089a0f119e31975e551558050800000000000000125d67857f290870093f38153608561a2128a79cce912d1f05de330800a9f5422bee8ca49166f6a587f2f593775afcd071efc5a972f757521b7b38ec273c2ad3e406f8c124f7dc1c4553229a69df4b2780e6da4420d71489fe383e0b5ce08b750502f2b8add8d2dddde19ac050537e973782b4053150580035fb2c579e1b2100000033d1ee8cab6d236f05b1f7b9f78fd5abfe033eb79f7a0b498366f5edfe311258016fbf47d9c85bf5325bf61419372be377022433e20900a262b20bb8b36de7b0e6c5ebfc5baec1ebe58d4af587d33e2935ad68da6e0fea5c21301f5d002b51a5b60fc741cb2c5d4cd5e896774f9293a6435558795043404ac6eafc8310fbcacca7f971b260fd06d4590ded8429fcd1c9a8dbbdedb32675388df363c0bc536e00448208b72405ebf27ddb402e5a2d675aaad92e183cef1eadc1661140fb567b55c72907a1aca75277a5f0022b1e957ba737f10f1161c5ae6e2cc64072ff3b4e76084922242e63d4b7806e30f786cff147e4bc819060678319a0e5534f5a0db52526c30000000000000000000000a63705b1a60525620acca06d57c055059df7651768310c9085c5f86be6ab819506961ad51f18b35fdc3fd4d0a0dbbdcd494ef168931f27748787bee95d739fef7ee67dd21c34647de82707e41d7db6d981a4fcf0bbd3d38ebb7a2489e28c6b28c0f70092ffb016b7766399555f3e6b538c2c862d17e53eaeb2036f9f0ab6e95e71bda4b5bbf53344264ad93bac1207b31d6e9c78181c7fe204c0b7582d1c762857f2a2e0c60f4a4855591a4f70f94df9629e470701103c40c8f6d3a3068091d62b58999e0a046f9509cb8ddc2a9ad4e0f1f85e5f076218b4b931acdff0c34fc5bdbad17ec481f1c9b17727c14e053e315d0d8d03c24ddaba65c5ce5b1aa04d1f767e25662b155d49460ec720d54044ac2856c11407835f341e2614bcae270000000001000000df7f736aab5d713240b2f40ec7be8251eba969686b2670ddc1a84df6ab12ab3e0cf8747837062233935704ebbd943ef0c5fef29513c7c1d6d2611796dccb45bdfd9e6533ad3574be5b9ea70e0c3b41a32067c03f5f8ed147cd0655c90d656f66eaed18a3c284c4f19417b5d91431759356db5d45ea40c9866957105b6252b0c028c672049ce163126f143f5758faf2a43f4c4f45a69b4e9113f85ae531085c11c75edbdee5af454757cdaff396c15ab9b210c202ffaea96d1bac60c6d6c56a4babc659858789bd479334e13e1c7876f95429431e61400815788c1397b260600d78e7513c58d9ac9474d392cc06f789753e1e7ebf5f1b55e2a64b9150c6580bf48e7bff763034801cccf403108d127b959ffc425a563ea2b90fbe779fd7d2ebfe94"], &(0x7f0000000280)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x48)
r2 = socket$kcm(0x11, 0x2, 0x300)
setsockopt$sock_attach_bpf(r2, 0x1, 0x32, &(0x7f0000000000)=r1, 0x4)
sendmsg$nl_route_sched(r0, &(0x7f00000012c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000001300)=@newqdisc={0x24, 0x24, 0x4ee4e6a52ff56541, 0x70bd2a, 0xffffffff, {0x0, 0x0, 0x0, 0x0, {0x0, 0x10}, {0xffff, 0xffff}, {0xffe0, 0xf}}}, 0x24}}, 0x0)
executing program 0:
r0 = socket(0xa, 0x3, 0x3a)
setsockopt$inet6_mtu(r0, 0x29, 0x17, 0x0, 0x0)
executing program 0:
r0 = bpf$PROG_LOAD(0x5, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={0x0, r0}, 0x18)
r1 = add_key$keyring(&(0x7f0000000100), &(0x7f0000000180)={'syz', 0x2}, 0x0, 0x0, 0xffffffffffffffff)
keyctl$KEYCTL_RESTRICT_KEYRING(0x1d, r1, &(0x7f0000000200)='asymmetric\x00', &(0x7f00000002c0)=@chain)
executing program 0:
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000200)={0x18, 0x4, &(0x7f00000002c0)=ANY=[], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x41100, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x88}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000240)=0x7)
r0 = getpid()
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x7)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000000)=0x6)
syz_io_uring_setup(0x110, &(0x7f0000000380)={0x0, 0x5885, 0x1f, 0xfffffffd, 0x216}, &(0x7f0000000340), &(0x7f0000000280))
executing program 0:
epoll_create1(0x0)
openat$ttyS3(0xffffffffffffff9c, &(0x7f0000001840), 0x80002, 0x0)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600722, 0x19)
socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
sendmmsg$unix(r1, &(0x7f00000bd000), 0x318, 0x0)
recvmmsg(r0, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
munlockall()
madvise(&(0x7f00001a1000/0x4000)=nil, 0x4000, 0x8)
executing program 1:
r0 = socket$l2tp6(0xa, 0x2, 0x73)
sendto$l2tp6(r0, 0x0, 0x0, 0x4890, &(0x7f0000000040)={0xa, 0x0, 0xfffffffd, @local, 0x2, 0x4}, 0x20)
executing program 1:
socket$nl_generic(0x10, 0x3, 0x10)
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_IPV6_FLOWLABEL_MGR(r0, 0x29, 0x1b, &(0x7f0000000380)={@ipv4={'\x00', '\xff\xff', @remote}, 0x8, 0x0, 0x2, 0x0, 0x0, 0xfffe}, 0x20)
executing program 1:
r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='freezer.self_freezing\x00', 0x275a, 0x0)
write$binfmt_script(r0, &(0x7f0000000040), 0x55af)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x10012, r0, 0x0)
r1 = socket$xdp(0x2c, 0x3, 0x0)
getsockopt$XDP_MMAP_OFFSETS(r1, 0x11b, 0x8, 0x0, &(0x7f0000000440))
executing program 1:
r0 = syz_open_procfs(0x0, &(0x7f0000000080)='net/ip_vs_stats_percpu\x00')
read$FUSE(r0, &(0x7f0000004140)={0x2020}, 0x2020)
lseek(r0, 0xfffffffffffffffd, 0x1)
executing program 1:
r0 = socket$inet6(0xa, 0x8000000000080001, 0x0)
setsockopt$inet6_MCAST_JOIN_GROUP(r0, 0x29, 0x2a, &(0x7f0000fca000)={0x100000001, {{0xa, 0x0, 0x0, @mcast1}}}, 0x88)
setsockopt$inet6_MCAST_JOIN_GROUP(r0, 0x29, 0x2a, &(0x7f0000000000)={0x1, {{0xa, 0x0, 0x0, @mcast2}}}, 0x88)
setsockopt$inet6_MCAST_MSFILTER(r0, 0x29, 0x30, &(0x7f0000000540)={0x1, {{0xa, 0x4204, 0xffffffff, @mcast1, 0xd57a}}}, 0x8c)
executing program 1:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000480)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
connect$unix(r0, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r1, &(0x7f00000bd000), 0x318, 0x0)
recvmmsg(r0, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
fsopen(0x0, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
sendmsg(r1, &(0x7f0000000180)={0x0, 0x0, 0x0}, 0x0)
sched_setattr(0x0, &(0x7f0000000100)={0x38, 0x5, 0x0, 0x0, 0x0, 0xb49, 0x9, 0x8, 0x0, 0x3}, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x0)
unshare(0x26020480)
unshare(0x22020400)
fchmodat(0xffffffffffffff9c, &(0x7f0000000300)='./file0\x00', 0x1ff)
executing program 0:
prlimit64(0x0, 0xe, 0x0, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x101000, 0x0)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
writev(r0, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2)
r1 = socket$inet6_sctp(0xa, 0x5, 0x84)
r2 = syz_io_uring_setup(0x497, &(0x7f0000000180)={0x0, 0x4885, 0x100, 0x4, 0x1d}, &(0x7f0000000340)=<r3=>0x0, &(0x7f0000000600)=<r4=>0x0)
io_uring_register$IORING_REGISTER_PBUF_RING(r2, 0x16, &(0x7f0000000040)={&(0x7f0000001000)={[{0x0, 0x0, 0x3, 0xf4}]}, 0x1, 0x1}, 0x1)
syz_memcpy_off$IO_URING_METADATA_GENERIC(r3, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4)
ioctl$sock_SIOCETHTOOL(0xffffffffffffffff, 0x89f1, 0x0)
syz_io_uring_submit(r3, r4, &(0x7f00000002c0)=@IORING_OP_RECV=@use_registered_buffer={0x1b, 0x20, 0x10, r1, 0x0, 0x0, 0x0, 0x242, 0x1, {0x1}})
openat$uinput(0xffffffffffffff9c, 0x0, 0x802, 0x0)
io_uring_enter(r2, 0x3516, 0x0, 0x0, 0x0, 0x0)

program did not crash
replaying the whole log did not cause a kernel crash
single: executing 1 programs separately with timeout 5m0s
testing program (duration=5m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prlimit64-sched_setscheduler-prctl$PR_SCHED_CORE-openat$sequencer-syz_open_dev$sndmidi-writev-socket$inet6_sctp-syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-ioctl$sock_SIOCETHTOOL-syz_io_uring_submit-openat$uinput-io_uring_enter
detailed listing:
executing program 0:
prlimit64(0x0, 0xe, 0x0, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x101000, 0x0)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
writev(r0, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2)
r1 = socket$inet6_sctp(0xa, 0x5, 0x84)
r2 = syz_io_uring_setup(0x497, &(0x7f0000000180)={0x0, 0x4885, 0x100, 0x4, 0x1d}, &(0x7f0000000340)=<r3=>0x0, &(0x7f0000000600)=<r4=>0x0)
io_uring_register$IORING_REGISTER_PBUF_RING(r2, 0x16, &(0x7f0000000040)={&(0x7f0000001000)={[{0x0, 0x0, 0x3, 0xf4}]}, 0x1, 0x1}, 0x1)
syz_memcpy_off$IO_URING_METADATA_GENERIC(r3, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4)
ioctl$sock_SIOCETHTOOL(0xffffffffffffffff, 0x89f1, 0x0)
syz_io_uring_submit(r3, r4, &(0x7f00000002c0)=@IORING_OP_RECV=@use_registered_buffer={0x1b, 0x20, 0x10, r1, 0x0, 0x0, 0x0, 0x242, 0x1, {0x1}})
openat$uinput(0xffffffffffffff9c, 0x0, 0x802, 0x0)
io_uring_enter(r2, 0x3516, 0x0, 0x0, 0x0, 0x0)

program crashed: BUG: unable to handle kernel NULL pointer dereference in io_ring_buffers_peek
single: successfully extracted reproducer
found reproducer with 14 syscalls
minimizing guilty program
testing program (duration=5m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prlimit64-sched_setscheduler-prctl$PR_SCHED_CORE-openat$sequencer-syz_open_dev$sndmidi-writev-socket$inet6_sctp-syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-ioctl$sock_SIOCETHTOOL-syz_io_uring_submit-openat$uinput
detailed listing:
executing program 0:
prlimit64(0x0, 0xe, 0x0, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x101000, 0x0)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
writev(r0, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2)
r1 = socket$inet6_sctp(0xa, 0x5, 0x84)
r2 = syz_io_uring_setup(0x497, &(0x7f0000000180)={0x0, 0x4885, 0x100, 0x4, 0x1d}, &(0x7f0000000340)=<r3=>0x0, &(0x7f0000000600)=<r4=>0x0)
io_uring_register$IORING_REGISTER_PBUF_RING(r2, 0x16, &(0x7f0000000040)={&(0x7f0000001000)={[{0x0, 0x0, 0x3, 0xf4}]}, 0x1, 0x1}, 0x1)
syz_memcpy_off$IO_URING_METADATA_GENERIC(r3, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4)
ioctl$sock_SIOCETHTOOL(0xffffffffffffffff, 0x89f1, 0x0)
syz_io_uring_submit(r3, r4, &(0x7f00000002c0)=@IORING_OP_RECV=@use_registered_buffer={0x1b, 0x20, 0x10, r1, 0x0, 0x0, 0x0, 0x242, 0x1, {0x1}})
openat$uinput(0xffffffffffffff9c, 0x0, 0x802, 0x0)

program did not crash
testing program (duration=5m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prlimit64-sched_setscheduler-prctl$PR_SCHED_CORE-openat$sequencer-syz_open_dev$sndmidi-writev-socket$inet6_sctp-syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-ioctl$sock_SIOCETHTOOL-syz_io_uring_submit-io_uring_enter
detailed listing:
executing program 0:
prlimit64(0x0, 0xe, 0x0, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x101000, 0x0)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
writev(r0, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2)
r1 = socket$inet6_sctp(0xa, 0x5, 0x84)
r2 = syz_io_uring_setup(0x497, &(0x7f0000000180)={0x0, 0x4885, 0x100, 0x4, 0x1d}, &(0x7f0000000340)=<r3=>0x0, &(0x7f0000000600)=<r4=>0x0)
io_uring_register$IORING_REGISTER_PBUF_RING(r2, 0x16, &(0x7f0000000040)={&(0x7f0000001000)={[{0x0, 0x0, 0x3, 0xf4}]}, 0x1, 0x1}, 0x1)
syz_memcpy_off$IO_URING_METADATA_GENERIC(r3, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4)
ioctl$sock_SIOCETHTOOL(0xffffffffffffffff, 0x89f1, 0x0)
syz_io_uring_submit(r3, r4, &(0x7f00000002c0)=@IORING_OP_RECV=@use_registered_buffer={0x1b, 0x20, 0x10, r1, 0x0, 0x0, 0x0, 0x242, 0x1, {0x1}})
io_uring_enter(r2, 0x3516, 0x0, 0x0, 0x0, 0x0)

program crashed: BUG: unable to handle kernel NULL pointer dereference in io_ring_buffers_peek
testing program (duration=5m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prlimit64-sched_setscheduler-prctl$PR_SCHED_CORE-openat$sequencer-syz_open_dev$sndmidi-writev-socket$inet6_sctp-syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-ioctl$sock_SIOCETHTOOL-io_uring_enter
detailed listing:
executing program 0:
prlimit64(0x0, 0xe, 0x0, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x101000, 0x0)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
writev(r0, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2)
socket$inet6_sctp(0xa, 0x5, 0x84)
r1 = syz_io_uring_setup(0x497, &(0x7f0000000180)={0x0, 0x4885, 0x100, 0x4, 0x1d}, &(0x7f0000000340)=<r2=>0x0, &(0x7f0000000600))
io_uring_register$IORING_REGISTER_PBUF_RING(r1, 0x16, &(0x7f0000000040)={&(0x7f0000001000)={[{0x0, 0x0, 0x3, 0xf4}]}, 0x1, 0x1}, 0x1)
syz_memcpy_off$IO_URING_METADATA_GENERIC(r2, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4)
ioctl$sock_SIOCETHTOOL(0xffffffffffffffff, 0x89f1, 0x0)
io_uring_enter(r1, 0x3516, 0x0, 0x0, 0x0, 0x0)

program did not crash
testing program (duration=5m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prlimit64-sched_setscheduler-prctl$PR_SCHED_CORE-openat$sequencer-syz_open_dev$sndmidi-writev-socket$inet6_sctp-syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-syz_io_uring_submit-io_uring_enter
detailed listing:
executing program 0:
prlimit64(0x0, 0xe, 0x0, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x101000, 0x0)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
writev(r0, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2)
r1 = socket$inet6_sctp(0xa, 0x5, 0x84)
r2 = syz_io_uring_setup(0x497, &(0x7f0000000180)={0x0, 0x4885, 0x100, 0x4, 0x1d}, &(0x7f0000000340)=<r3=>0x0, &(0x7f0000000600)=<r4=>0x0)
io_uring_register$IORING_REGISTER_PBUF_RING(r2, 0x16, &(0x7f0000000040)={&(0x7f0000001000)={[{0x0, 0x0, 0x3, 0xf4}]}, 0x1, 0x1}, 0x1)
syz_memcpy_off$IO_URING_METADATA_GENERIC(r3, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4)
syz_io_uring_submit(r3, r4, &(0x7f00000002c0)=@IORING_OP_RECV=@use_registered_buffer={0x1b, 0x20, 0x10, r1, 0x0, 0x0, 0x0, 0x242, 0x1, {0x1}})
io_uring_enter(r2, 0x3516, 0x0, 0x0, 0x0, 0x0)

program crashed: BUG: unable to handle kernel NULL pointer dereference in io_ring_buffers_peek
testing program (duration=5m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prlimit64-sched_setscheduler-prctl$PR_SCHED_CORE-openat$sequencer-syz_open_dev$sndmidi-writev-socket$inet6_sctp-syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_io_uring_submit-io_uring_enter
detailed listing:
executing program 0:
prlimit64(0x0, 0xe, 0x0, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x101000, 0x0)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
writev(r0, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2)
r1 = socket$inet6_sctp(0xa, 0x5, 0x84)
r2 = syz_io_uring_setup(0x497, &(0x7f0000000180)={0x0, 0x4885, 0x100, 0x4, 0x1d}, &(0x7f0000000340)=<r3=>0x0, &(0x7f0000000600)=<r4=>0x0)
io_uring_register$IORING_REGISTER_PBUF_RING(r2, 0x16, &(0x7f0000000040)={&(0x7f0000001000)={[{0x0, 0x0, 0x3, 0xf4}]}, 0x1, 0x1}, 0x1)
syz_io_uring_submit(r3, r4, &(0x7f00000002c0)=@IORING_OP_RECV=@use_registered_buffer={0x1b, 0x20, 0x10, r1, 0x0, 0x0, 0x0, 0x242, 0x1, {0x1}})
io_uring_enter(r2, 0x3516, 0x0, 0x0, 0x0, 0x0)

program did not crash
testing program (duration=5m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prlimit64-sched_setscheduler-prctl$PR_SCHED_CORE-openat$sequencer-syz_open_dev$sndmidi-writev-socket$inet6_sctp-syz_io_uring_setup-syz_memcpy_off$IO_URING_METADATA_GENERIC-syz_io_uring_submit-io_uring_enter
detailed listing:
executing program 0:
prlimit64(0x0, 0xe, 0x0, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x101000, 0x0)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
writev(r0, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2)
r1 = socket$inet6_sctp(0xa, 0x5, 0x84)
r2 = syz_io_uring_setup(0x497, &(0x7f0000000180)={0x0, 0x4885, 0x100, 0x4, 0x1d}, &(0x7f0000000340)=<r3=>0x0, &(0x7f0000000600)=<r4=>0x0)
syz_memcpy_off$IO_URING_METADATA_GENERIC(r3, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4)
syz_io_uring_submit(r3, r4, &(0x7f00000002c0)=@IORING_OP_RECV=@use_registered_buffer={0x1b, 0x20, 0x10, r1, 0x0, 0x0, 0x0, 0x242, 0x1, {0x1}})
io_uring_enter(r2, 0x3516, 0x0, 0x0, 0x0, 0x0)

program did not crash
testing program (duration=5m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prlimit64-sched_setscheduler-prctl$PR_SCHED_CORE-openat$sequencer-syz_open_dev$sndmidi-writev-socket$inet6_sctp-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-syz_io_uring_submit-io_uring_enter
detailed listing:
executing program 0:
prlimit64(0x0, 0xe, 0x0, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x101000, 0x0)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
writev(r0, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2)
r1 = socket$inet6_sctp(0xa, 0x5, 0x84)
io_uring_register$IORING_REGISTER_PBUF_RING(0xffffffffffffffff, 0x16, &(0x7f0000000040)={&(0x7f0000001000)={[{0x0, 0x0, 0x3, 0xf4}]}, 0x1, 0x1}, 0x1)
syz_memcpy_off$IO_URING_METADATA_GENERIC(0x0, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4)
syz_io_uring_submit(0x0, 0x0, &(0x7f00000002c0)=@IORING_OP_RECV=@use_registered_buffer={0x1b, 0x20, 0x10, r1, 0x0, 0x0, 0x0, 0x242, 0x1, {0x1}})
io_uring_enter(0xffffffffffffffff, 0x3516, 0x0, 0x0, 0x0, 0x0)

program did not crash
testing program (duration=5m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prlimit64-sched_setscheduler-prctl$PR_SCHED_CORE-openat$sequencer-syz_open_dev$sndmidi-writev-syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-syz_io_uring_submit-io_uring_enter
detailed listing:
executing program 0:
prlimit64(0x0, 0xe, 0x0, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x101000, 0x0)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
writev(r0, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2)
r1 = syz_io_uring_setup(0x497, &(0x7f0000000180)={0x0, 0x4885, 0x100, 0x4, 0x1d}, &(0x7f0000000340)=<r2=>0x0, &(0x7f0000000600)=<r3=>0x0)
io_uring_register$IORING_REGISTER_PBUF_RING(r1, 0x16, &(0x7f0000000040)={&(0x7f0000001000)={[{0x0, 0x0, 0x3, 0xf4}]}, 0x1, 0x1}, 0x1)
syz_memcpy_off$IO_URING_METADATA_GENERIC(r2, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4)
syz_io_uring_submit(r2, r3, &(0x7f00000002c0)=@IORING_OP_RECV=@use_registered_buffer={0x1b, 0x20, 0x10, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x242, 0x1, {0x1}})
io_uring_enter(r1, 0x3516, 0x0, 0x0, 0x0, 0x0)

program did not crash
testing program (duration=5m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prlimit64-sched_setscheduler-prctl$PR_SCHED_CORE-openat$sequencer-syz_open_dev$sndmidi-socket$inet6_sctp-syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-syz_io_uring_submit-io_uring_enter
detailed listing:
executing program 0:
prlimit64(0x0, 0xe, 0x0, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x101000, 0x0)
syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
r0 = socket$inet6_sctp(0xa, 0x5, 0x84)
r1 = syz_io_uring_setup(0x497, &(0x7f0000000180)={0x0, 0x4885, 0x100, 0x4, 0x1d}, &(0x7f0000000340)=<r2=>0x0, &(0x7f0000000600)=<r3=>0x0)
io_uring_register$IORING_REGISTER_PBUF_RING(r1, 0x16, &(0x7f0000000040)={&(0x7f0000001000)={[{0x0, 0x0, 0x3, 0xf4}]}, 0x1, 0x1}, 0x1)
syz_memcpy_off$IO_URING_METADATA_GENERIC(r2, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4)
syz_io_uring_submit(r2, r3, &(0x7f00000002c0)=@IORING_OP_RECV=@use_registered_buffer={0x1b, 0x20, 0x10, r0, 0x0, 0x0, 0x0, 0x242, 0x1, {0x1}})
io_uring_enter(r1, 0x3516, 0x0, 0x0, 0x0, 0x0)

program crashed: BUG: unable to handle kernel NULL pointer dereference in io_ring_buffers_peek
testing program (duration=5m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prlimit64-sched_setscheduler-prctl$PR_SCHED_CORE-openat$sequencer-socket$inet6_sctp-syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-syz_io_uring_submit-io_uring_enter
detailed listing:
executing program 0:
prlimit64(0x0, 0xe, 0x0, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x101000, 0x0)
r0 = socket$inet6_sctp(0xa, 0x5, 0x84)
r1 = syz_io_uring_setup(0x497, &(0x7f0000000180)={0x0, 0x4885, 0x100, 0x4, 0x1d}, &(0x7f0000000340)=<r2=>0x0, &(0x7f0000000600)=<r3=>0x0)
io_uring_register$IORING_REGISTER_PBUF_RING(r1, 0x16, &(0x7f0000000040)={&(0x7f0000001000)={[{0x0, 0x0, 0x3, 0xf4}]}, 0x1, 0x1}, 0x1)
syz_memcpy_off$IO_URING_METADATA_GENERIC(r2, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4)
syz_io_uring_submit(r2, r3, &(0x7f00000002c0)=@IORING_OP_RECV=@use_registered_buffer={0x1b, 0x20, 0x10, r0, 0x0, 0x0, 0x0, 0x242, 0x1, {0x1}})
io_uring_enter(r1, 0x3516, 0x0, 0x0, 0x0, 0x0)

program crashed: BUG: unable to handle kernel NULL pointer dereference in io_ring_buffers_peek
testing program (duration=5m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prlimit64-sched_setscheduler-prctl$PR_SCHED_CORE-socket$inet6_sctp-syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-syz_io_uring_submit-io_uring_enter
detailed listing:
executing program 0:
prlimit64(0x0, 0xe, 0x0, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
r0 = socket$inet6_sctp(0xa, 0x5, 0x84)
r1 = syz_io_uring_setup(0x497, &(0x7f0000000180)={0x0, 0x4885, 0x100, 0x4, 0x1d}, &(0x7f0000000340)=<r2=>0x0, &(0x7f0000000600)=<r3=>0x0)
io_uring_register$IORING_REGISTER_PBUF_RING(r1, 0x16, &(0x7f0000000040)={&(0x7f0000001000)={[{0x0, 0x0, 0x3, 0xf4}]}, 0x1, 0x1}, 0x1)
syz_memcpy_off$IO_URING_METADATA_GENERIC(r2, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4)
syz_io_uring_submit(r2, r3, &(0x7f00000002c0)=@IORING_OP_RECV=@use_registered_buffer={0x1b, 0x20, 0x10, r0, 0x0, 0x0, 0x0, 0x242, 0x1, {0x1}})
io_uring_enter(r1, 0x3516, 0x0, 0x0, 0x0, 0x0)

program crashed: BUG: unable to handle kernel NULL pointer dereference in io_ring_buffers_peek
testing program (duration=5m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prlimit64-sched_setscheduler-socket$inet6_sctp-syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-syz_io_uring_submit-io_uring_enter
detailed listing:
executing program 0:
prlimit64(0x0, 0xe, 0x0, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8)
r0 = socket$inet6_sctp(0xa, 0x5, 0x84)
r1 = syz_io_uring_setup(0x497, &(0x7f0000000180)={0x0, 0x4885, 0x100, 0x4, 0x1d}, &(0x7f0000000340)=<r2=>0x0, &(0x7f0000000600)=<r3=>0x0)
io_uring_register$IORING_REGISTER_PBUF_RING(r1, 0x16, &(0x7f0000000040)={&(0x7f0000001000)={[{0x0, 0x0, 0x3, 0xf4}]}, 0x1, 0x1}, 0x1)
syz_memcpy_off$IO_URING_METADATA_GENERIC(r2, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4)
syz_io_uring_submit(r2, r3, &(0x7f00000002c0)=@IORING_OP_RECV=@use_registered_buffer={0x1b, 0x20, 0x10, r0, 0x0, 0x0, 0x0, 0x242, 0x1, {0x1}})
io_uring_enter(r1, 0x3516, 0x0, 0x0, 0x0, 0x0)

program crashed: BUG: unable to handle kernel NULL pointer dereference in io_ring_buffers_peek
testing program (duration=5m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prlimit64-socket$inet6_sctp-syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-syz_io_uring_submit-io_uring_enter
detailed listing:
executing program 0:
prlimit64(0x0, 0xe, 0x0, 0x0)
r0 = socket$inet6_sctp(0xa, 0x5, 0x84)
r1 = syz_io_uring_setup(0x497, &(0x7f0000000180)={0x0, 0x4885, 0x100, 0x4, 0x1d}, &(0x7f0000000340)=<r2=>0x0, &(0x7f0000000600)=<r3=>0x0)
io_uring_register$IORING_REGISTER_PBUF_RING(r1, 0x16, &(0x7f0000000040)={&(0x7f0000001000)={[{0x0, 0x0, 0x3, 0xf4}]}, 0x1, 0x1}, 0x1)
syz_memcpy_off$IO_URING_METADATA_GENERIC(r2, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4)
syz_io_uring_submit(r2, r3, &(0x7f00000002c0)=@IORING_OP_RECV=@use_registered_buffer={0x1b, 0x20, 0x10, r0, 0x0, 0x0, 0x0, 0x242, 0x1, {0x1}})
io_uring_enter(r1, 0x3516, 0x0, 0x0, 0x0, 0x0)

program crashed: BUG: unable to handle kernel NULL pointer dereference in io_ring_buffers_peek
testing program (duration=5m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-syz_io_uring_submit-io_uring_enter
detailed listing:
executing program 0:
r0 = socket$inet6_sctp(0xa, 0x5, 0x84)
r1 = syz_io_uring_setup(0x497, &(0x7f0000000180)={0x0, 0x4885, 0x100, 0x4, 0x1d}, &(0x7f0000000340)=<r2=>0x0, &(0x7f0000000600)=<r3=>0x0)
io_uring_register$IORING_REGISTER_PBUF_RING(r1, 0x16, &(0x7f0000000040)={&(0x7f0000001000)={[{0x0, 0x0, 0x3, 0xf4}]}, 0x1, 0x1}, 0x1)
syz_memcpy_off$IO_URING_METADATA_GENERIC(r2, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4)
syz_io_uring_submit(r2, r3, &(0x7f00000002c0)=@IORING_OP_RECV=@use_registered_buffer={0x1b, 0x20, 0x10, r0, 0x0, 0x0, 0x0, 0x242, 0x1, {0x1}})
io_uring_enter(r1, 0x3516, 0x0, 0x0, 0x0, 0x0)

program crashed: BUG: unable to handle kernel NULL pointer dereference in io_ring_buffers_peek
testing program (duration=5m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-syz_io_uring_submit-io_uring_enter
detailed listing:
executing program 0:
r0 = socket$inet6_sctp(0xa, 0x5, 0x84)
r1 = syz_io_uring_setup(0x497, 0x0, &(0x7f0000000340)=<r2=>0x0, &(0x7f0000000600)=<r3=>0x0)
io_uring_register$IORING_REGISTER_PBUF_RING(r1, 0x16, &(0x7f0000000040)={&(0x7f0000001000)={[{0x0, 0x0, 0x3, 0xf4}]}, 0x1, 0x1}, 0x1)
syz_memcpy_off$IO_URING_METADATA_GENERIC(r2, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4)
syz_io_uring_submit(r2, r3, &(0x7f00000002c0)=@IORING_OP_RECV=@use_registered_buffer={0x1b, 0x20, 0x10, r0, 0x0, 0x0, 0x0, 0x242, 0x1, {0x1}})
io_uring_enter(r1, 0x3516, 0x0, 0x0, 0x0, 0x0)

program did not crash
testing program (duration=5m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-syz_io_uring_submit-io_uring_enter
detailed listing:
executing program 0:
r0 = socket$inet6_sctp(0xa, 0x5, 0x84)
r1 = syz_io_uring_setup(0x497, &(0x7f0000000180)={0x0, 0x4885, 0x100, 0x4, 0x1d}, 0x0, &(0x7f0000000600)=<r2=>0x0)
io_uring_register$IORING_REGISTER_PBUF_RING(r1, 0x16, &(0x7f0000000040)={&(0x7f0000001000)={[{0x0, 0x0, 0x3, 0xf4}]}, 0x1, 0x1}, 0x1)
syz_memcpy_off$IO_URING_METADATA_GENERIC(0x0, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4)
syz_io_uring_submit(0x0, r2, &(0x7f00000002c0)=@IORING_OP_RECV=@use_registered_buffer={0x1b, 0x20, 0x10, r0, 0x0, 0x0, 0x0, 0x242, 0x1, {0x1}})
io_uring_enter(r1, 0x3516, 0x0, 0x0, 0x0, 0x0)

program did not crash
testing program (duration=5m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-syz_io_uring_submit-io_uring_enter
detailed listing:
executing program 0:
r0 = socket$inet6_sctp(0xa, 0x5, 0x84)
r1 = syz_io_uring_setup(0x497, &(0x7f0000000180)={0x0, 0x4885, 0x100, 0x4, 0x1d}, &(0x7f0000000340)=<r2=>0x0, 0x0)
io_uring_register$IORING_REGISTER_PBUF_RING(r1, 0x16, &(0x7f0000000040)={&(0x7f0000001000)={[{0x0, 0x0, 0x3, 0xf4}]}, 0x1, 0x1}, 0x1)
syz_memcpy_off$IO_URING_METADATA_GENERIC(r2, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4)
syz_io_uring_submit(r2, 0x0, &(0x7f00000002c0)=@IORING_OP_RECV=@use_registered_buffer={0x1b, 0x20, 0x10, r0, 0x0, 0x0, 0x0, 0x242, 0x1, {0x1}})
io_uring_enter(r1, 0x3516, 0x0, 0x0, 0x0, 0x0)

program did not crash
testing program (duration=5m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-syz_io_uring_submit-io_uring_enter
detailed listing:
executing program 0:
r0 = socket$inet6_sctp(0xa, 0x5, 0x84)
r1 = syz_io_uring_setup(0x497, &(0x7f0000000180)={0x0, 0x4885, 0x100, 0x4, 0x1d}, &(0x7f0000000340)=<r2=>0x0, &(0x7f0000000600)=<r3=>0x0)
io_uring_register$IORING_REGISTER_PBUF_RING(r1, 0x16, 0x0, 0x1)
syz_memcpy_off$IO_URING_METADATA_GENERIC(r2, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4)
syz_io_uring_submit(r2, r3, &(0x7f00000002c0)=@IORING_OP_RECV=@use_registered_buffer={0x1b, 0x20, 0x10, r0, 0x0, 0x0, 0x0, 0x242, 0x1, {0x1}})
io_uring_enter(r1, 0x3516, 0x0, 0x0, 0x0, 0x0)

program did not crash
testing program (duration=5m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-syz_io_uring_submit-io_uring_enter
detailed listing:
executing program 0:
r0 = socket$inet6_sctp(0xa, 0x5, 0x84)
r1 = syz_io_uring_setup(0x497, &(0x7f0000000180)={0x0, 0x4885, 0x100, 0x4, 0x1d}, &(0x7f0000000340)=<r2=>0x0, &(0x7f0000000600)=<r3=>0x0)
io_uring_register$IORING_REGISTER_PBUF_RING(r1, 0x16, &(0x7f0000000040)={0x0, 0x0, 0x1}, 0x1)
syz_memcpy_off$IO_URING_METADATA_GENERIC(r2, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4)
syz_io_uring_submit(r2, r3, &(0x7f00000002c0)=@IORING_OP_RECV=@use_registered_buffer={0x1b, 0x20, 0x10, r0, 0x0, 0x0, 0x0, 0x242, 0x1, {0x1}})
io_uring_enter(r1, 0x3516, 0x0, 0x0, 0x0, 0x0)

program did not crash
testing program (duration=5m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-syz_io_uring_submit-io_uring_enter
detailed listing:
executing program 0:
r0 = socket$inet6_sctp(0xa, 0x5, 0x84)
r1 = syz_io_uring_setup(0x497, &(0x7f0000000180)={0x0, 0x4885, 0x100, 0x4, 0x1d}, &(0x7f0000000340)=<r2=>0x0, &(0x7f0000000600)=<r3=>0x0)
io_uring_register$IORING_REGISTER_PBUF_RING(r1, 0x16, &(0x7f0000000040)={&(0x7f0000001000)={[{0x0, 0x0, 0x3, 0xf4}]}, 0x1, 0x1}, 0x1)
syz_memcpy_off$IO_URING_METADATA_GENERIC(r2, 0x4, 0x0, 0x0, 0x4)
syz_io_uring_submit(r2, r3, &(0x7f00000002c0)=@IORING_OP_RECV=@use_registered_buffer={0x1b, 0x20, 0x10, r0, 0x0, 0x0, 0x0, 0x242, 0x1, {0x1}})
io_uring_enter(r1, 0x3516, 0x0, 0x0, 0x0, 0x0)

program did not crash
testing program (duration=5m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-syz_io_uring_submit-io_uring_enter
detailed listing:
executing program 0:
socket$inet6_sctp(0xa, 0x5, 0x84)
r0 = syz_io_uring_setup(0x497, &(0x7f0000000180)={0x0, 0x4885, 0x100, 0x4, 0x1d}, &(0x7f0000000340)=<r1=>0x0, &(0x7f0000000600)=<r2=>0x0)
io_uring_register$IORING_REGISTER_PBUF_RING(r0, 0x16, &(0x7f0000000040)={&(0x7f0000001000)={[{0x0, 0x0, 0x3, 0xf4}]}, 0x1, 0x1}, 0x1)
syz_memcpy_off$IO_URING_METADATA_GENERIC(r1, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4)
syz_io_uring_submit(r1, r2, 0x0)
io_uring_enter(r0, 0x3516, 0x0, 0x0, 0x0, 0x0)

program did not crash
extracting C reproducer
testing compiled C program (duration=5m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-syz_io_uring_submit-io_uring_enter
program crashed: BUG: unable to handle kernel NULL pointer dereference in io_ring_buffers_peek
simplifying C reproducer
testing compiled C program (duration=5m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-syz_io_uring_submit-io_uring_enter
program crashed: BUG: unable to handle kernel NULL pointer dereference in io_ring_buffers_peek
testing compiled C program (duration=5m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-syz_io_uring_submit-io_uring_enter
program crashed: BUG: unable to handle kernel NULL pointer dereference in io_ring_buffers_peek
testing compiled C program (duration=5m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:10 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-syz_io_uring_submit-io_uring_enter
program crashed: BUG: unable to handle kernel NULL pointer dereference in io_ring_buffers_peek
testing compiled C program (duration=5m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:10 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-syz_io_uring_submit-io_uring_enter
program crashed: BUG: unable to handle kernel NULL pointer dereference in io_ring_buffers_peek
testing compiled C program (duration=5m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:10 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-syz_io_uring_submit-io_uring_enter
program crashed: BUG: unable to handle kernel NULL pointer dereference in io_ring_buffers_peek
testing compiled C program (duration=5m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:10 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-syz_io_uring_setup-io_uring_register$IORING_REGISTER_PBUF_RING-syz_memcpy_off$IO_URING_METADATA_GENERIC-syz_io_uring_submit-io_uring_enter
program crashed: BUG: unable to handle kernel NULL pointer dereference in io_ring_buffers_peek
reproducing took 1h42m38.075641442s
repro crashed as (corrupted=false):
8<--- cut here ---
Unable to handle kernel NULL pointer dereference at virtual address 0000000e when read
[0000000e] *pgd=849b1003, *pmd=df115003
Internal error: Oops: 205 [#1] SMP ARM
Modules linked in:
CPU: 1 UID: 0 PID: 3104 Comm: syz-executor103 Not tainted 6.15.0-rc5-syzkaller #0 PREEMPT 
Hardware name: ARM-Versatile Express
PC is at io_ring_buffers_peek+0x24/0x258 io_uring/kbuf.c:227
LR is at io_buffers_peek+0x68/0x8c io_uring/kbuf.c:343
pc : [<8088956c>]    lr : [<80889cb0>]    psr: 20000013
sp : df971dc0  ip : df971e08  fp : df971e04
r10: 00000242  r9 : 00000000  r8 : 8499d580
r7 : 8498780c  r6 : 84987800  r5 : df971e44  r4 : 84990000
r3 : 00000001  r2 : 8498780c  r1 : df971e44  r0 : 84990000
Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
Control: 30c5387d  Table: 8499d100  DAC: 00000000
Register r0 information: slab io_kiocb start 84990000 pointer offset 0 size 192
Register r1 information: 2-page vmalloc region starting at 0xdf970000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2844
Register r2 information: slab kmalloc-256 start 84987800 pointer offset 12 size 256
Register r3 information: non-paged memory
Register r4 information: slab io_kiocb start 84990000 pointer offset 0 size 192
Register r5 information: 2-page vmalloc region starting at 0xdf970000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2844
Register r6 information: slab kmalloc-256 start 84987800 pointer offset 0 size 256
Register r7 information: slab kmalloc-256 start 84987800 pointer offset 12 size 256
Register r8 information: slab kmalloc-64 start 8499d580 pointer offset 0 size 64
Register r9 information: NULL pointer
Register r10 information: non-paged memory
Register r11 information: 2-page vmalloc region starting at 0xdf970000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2844
Register r12 information: 2-page vmalloc region starting at 0xdf970000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2844
Process syz-executor103 (pid: 3104, stack limit = 0xdf970000)
Stack: (0xdf971dc0 to 0xdf972000)
1dc0: 81a4be54 8030cb0c 8494e900 00000001 00010000 8498780c 00000000 84990000
1de0: df971e44 84987800 8498780c 00000000 80000001 00000242 df971e1c df971e08
1e00: 80889cb0 80889554 83752500 84990000 df971e84 df971e20 808931e0 80889c54
1e20: df971e4c df971e30 8089ec2c 8050a4c4 00010001 00000001 8057abbc 00000000
1e40: 00000000 8498780c 00000000 00000000 00010001 c805563e 80886a40 84990000
1e60: 81cf0ca0 00000000 80000001 81cf0b5c 0000001b 840ba400 df971ebc df971e88
1e80: 80886bd8 80892f38 849903c0 84990480 84990540 8494e800 8499006c 84990000
1ea0: 84920000 00000000 00000000 840ba400 df971f14 df971ec0 808877a8 80886b7c
1ec0: 8088e164 81a4bdf8 849f3db8 8499d108 00000800 00000800 81cf0b5c 00000800
1ee0: 8494e800 c805563e 847d56c0 00000000 8494e800 00003516 847d56c0 00000000
1f00: 840ba400 00000000 df971fa4 df971f18 80888250 808875a8 df971f74 8494e840
1f20: 00000000 00000000 df971fac 847d56c0 00000003 00020000 df971f5c df971f48
1f40: 80553b94 844cd800 76f96000 8281d1f0 00000a0f 76f96000 df971fb0 80234108
1f60: 00000000 0008a270 df971fac df971f78 8023478c c805563e 000000c0 00000000
1f80: 00000000 0008e068 000001aa 8020029c 840ba400 000001aa 00000000 df971fa8
1fa0: 80200060 80888124 00000000 00000000 00000004 00003516 00000000 00000000
1fc0: 00000000 00000000 0008e068 000001aa 76fb6000 00000000 0008a270 00000001
1fe0: 7eb14c70 7eb14c60 00010860 0002f8f0 40000010 00000004 00000000 00000000
Call trace: 
[<80889548>] (io_ring_buffers_peek) from [<80889cb0>] (io_buffers_peek+0x68/0x8c io_uring/kbuf.c:343)
 r10:00000242 r9:80000001 r8:00000000 r7:8498780c r6:84987800 r5:df971e44
 r4:84990000
[<80889c48>] (io_buffers_peek) from [<808931e0>] (io_recv_buf_select io_uring/net.c:1077 [inline])
[<80889c48>] (io_buffers_peek) from [<808931e0>] (io_recv+0x2b4/0x46c io_uring/net.c:1138)
 r5:84990000 r4:83752500
[<80892f2c>] (io_recv) from [<80886bd8>] (__io_issue_sqe io_uring/io_uring.c:1740 [inline])
[<80892f2c>] (io_recv) from [<80886bd8>] (io_issue_sqe+0x68/0x658 io_uring/io_uring.c:1759)
 r10:840ba400 r9:0000001b r8:81cf0b5c r7:80000001 r6:00000000 r5:81cf0ca0
 r4:84990000
[<80886b70>] (io_issue_sqe) from [<808877a8>] (io_queue_sqe io_uring/io_uring.c:1975 [inline])
[<80886b70>] (io_issue_sqe) from [<808877a8>] (io_submit_sqe io_uring/io_uring.c:2231 [inline])
[<80886b70>] (io_issue_sqe) from [<808877a8>] (io_submit_sqes+0x20c/0x938 io_uring/io_uring.c:2348)
 r10:840ba400 r9:00000000 r8:00000000 r7:84920000 r6:84990000 r5:8499006c
 r4:8494e800
[<8088759c>] (io_submit_sqes) from [<80888250>] (__do_sys_io_uring_enter io_uring/io_uring.c:3408 [inline])
[<8088759c>] (io_submit_sqes) from [<80888250>] (sys_io_uring_enter+0x138/0x780 io_uring/io_uring.c:3342)
 r10:00000000 r9:840ba400 r8:00000000 r7:847d56c0 r6:00003516 r5:8494e800
 r4:00000000
[<80888118>] (sys_io_uring_enter) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:67)
Exception stack(0xdf971fa8 to 0xdf971ff0)
1fa0:                   00000000 00000000 00000004 00003516 00000000 00000000
1fc0: 00000000 00000000 0008e068 000001aa 76fb6000 00000000 0008a270 00000001
1fe0: 7eb14c70 7eb14c60 00010860 0002f8f0
 r10:000001aa r9:840ba400 r8:8020029c r7:000001aa r6:0008e068 r5:00000000
 r4:00000000
Code: e1a08002 e5912000 e50b2030 e1a05001 (e1d920be) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	e1a08002 	mov	r8, r2
   4:	e5912000 	ldr	r2, [r1]
   8:	e50b2030 	str	r2, [fp, #-48]	@ 0xffffffd0
   c:	e1a05001 	mov	r5, r1
* 10:	e1d920be 	ldrh	r2, [r9, #14] <-- trapping instruction

final repro crashed as (corrupted=false):
8<--- cut here ---
Unable to handle kernel NULL pointer dereference at virtual address 0000000e when read
[0000000e] *pgd=849b1003, *pmd=df115003
Internal error: Oops: 205 [#1] SMP ARM
Modules linked in:
CPU: 1 UID: 0 PID: 3104 Comm: syz-executor103 Not tainted 6.15.0-rc5-syzkaller #0 PREEMPT 
Hardware name: ARM-Versatile Express
PC is at io_ring_buffers_peek+0x24/0x258 io_uring/kbuf.c:227
LR is at io_buffers_peek+0x68/0x8c io_uring/kbuf.c:343
pc : [<8088956c>]    lr : [<80889cb0>]    psr: 20000013
sp : df971dc0  ip : df971e08  fp : df971e04
r10: 00000242  r9 : 00000000  r8 : 8499d580
r7 : 8498780c  r6 : 84987800  r5 : df971e44  r4 : 84990000
r3 : 00000001  r2 : 8498780c  r1 : df971e44  r0 : 84990000
Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
Control: 30c5387d  Table: 8499d100  DAC: 00000000
Register r0 information: slab io_kiocb start 84990000 pointer offset 0 size 192
Register r1 information: 2-page vmalloc region starting at 0xdf970000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2844
Register r2 information: slab kmalloc-256 start 84987800 pointer offset 12 size 256
Register r3 information: non-paged memory
Register r4 information: slab io_kiocb start 84990000 pointer offset 0 size 192
Register r5 information: 2-page vmalloc region starting at 0xdf970000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2844
Register r6 information: slab kmalloc-256 start 84987800 pointer offset 0 size 256
Register r7 information: slab kmalloc-256 start 84987800 pointer offset 12 size 256
Register r8 information: slab kmalloc-64 start 8499d580 pointer offset 0 size 64
Register r9 information: NULL pointer
Register r10 information: non-paged memory
Register r11 information: 2-page vmalloc region starting at 0xdf970000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2844
Register r12 information: 2-page vmalloc region starting at 0xdf970000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2844
Process syz-executor103 (pid: 3104, stack limit = 0xdf970000)
Stack: (0xdf971dc0 to 0xdf972000)
1dc0: 81a4be54 8030cb0c 8494e900 00000001 00010000 8498780c 00000000 84990000
1de0: df971e44 84987800 8498780c 00000000 80000001 00000242 df971e1c df971e08
1e00: 80889cb0 80889554 83752500 84990000 df971e84 df971e20 808931e0 80889c54
1e20: df971e4c df971e30 8089ec2c 8050a4c4 00010001 00000001 8057abbc 00000000
1e40: 00000000 8498780c 00000000 00000000 00010001 c805563e 80886a40 84990000
1e60: 81cf0ca0 00000000 80000001 81cf0b5c 0000001b 840ba400 df971ebc df971e88
1e80: 80886bd8 80892f38 849903c0 84990480 84990540 8494e800 8499006c 84990000
1ea0: 84920000 00000000 00000000 840ba400 df971f14 df971ec0 808877a8 80886b7c
1ec0: 8088e164 81a4bdf8 849f3db8 8499d108 00000800 00000800 81cf0b5c 00000800
1ee0: 8494e800 c805563e 847d56c0 00000000 8494e800 00003516 847d56c0 00000000
1f00: 840ba400 00000000 df971fa4 df971f18 80888250 808875a8 df971f74 8494e840
1f20: 00000000 00000000 df971fac 847d56c0 00000003 00020000 df971f5c df971f48
1f40: 80553b94 844cd800 76f96000 8281d1f0 00000a0f 76f96000 df971fb0 80234108
1f60: 00000000 0008a270 df971fac df971f78 8023478c c805563e 000000c0 00000000
1f80: 00000000 0008e068 000001aa 8020029c 840ba400 000001aa 00000000 df971fa8
1fa0: 80200060 80888124 00000000 00000000 00000004 00003516 00000000 00000000
1fc0: 00000000 00000000 0008e068 000001aa 76fb6000 00000000 0008a270 00000001
1fe0: 7eb14c70 7eb14c60 00010860 0002f8f0 40000010 00000004 00000000 00000000
Call trace: 
[<80889548>] (io_ring_buffers_peek) from [<80889cb0>] (io_buffers_peek+0x68/0x8c io_uring/kbuf.c:343)
 r10:00000242 r9:80000001 r8:00000000 r7:8498780c r6:84987800 r5:df971e44
 r4:84990000
[<80889c48>] (io_buffers_peek) from [<808931e0>] (io_recv_buf_select io_uring/net.c:1077 [inline])
[<80889c48>] (io_buffers_peek) from [<808931e0>] (io_recv+0x2b4/0x46c io_uring/net.c:1138)
 r5:84990000 r4:83752500
[<80892f2c>] (io_recv) from [<80886bd8>] (__io_issue_sqe io_uring/io_uring.c:1740 [inline])
[<80892f2c>] (io_recv) from [<80886bd8>] (io_issue_sqe+0x68/0x658 io_uring/io_uring.c:1759)
 r10:840ba400 r9:0000001b r8:81cf0b5c r7:80000001 r6:00000000 r5:81cf0ca0
 r4:84990000
[<80886b70>] (io_issue_sqe) from [<808877a8>] (io_queue_sqe io_uring/io_uring.c:1975 [inline])
[<80886b70>] (io_issue_sqe) from [<808877a8>] (io_submit_sqe io_uring/io_uring.c:2231 [inline])
[<80886b70>] (io_issue_sqe) from [<808877a8>] (io_submit_sqes+0x20c/0x938 io_uring/io_uring.c:2348)
 r10:840ba400 r9:00000000 r8:00000000 r7:84920000 r6:84990000 r5:8499006c
 r4:8494e800
[<8088759c>] (io_submit_sqes) from [<80888250>] (__do_sys_io_uring_enter io_uring/io_uring.c:3408 [inline])
[<8088759c>] (io_submit_sqes) from [<80888250>] (sys_io_uring_enter+0x138/0x780 io_uring/io_uring.c:3342)
 r10:00000000 r9:840ba400 r8:00000000 r7:847d56c0 r6:00003516 r5:8494e800
 r4:00000000
[<80888118>] (sys_io_uring_enter) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:67)
Exception stack(0xdf971fa8 to 0xdf971ff0)
1fa0:                   00000000 00000000 00000004 00003516 00000000 00000000
1fc0: 00000000 00000000 0008e068 000001aa 76fb6000 00000000 0008a270 00000001
1fe0: 7eb14c70 7eb14c60 00010860 0002f8f0
 r10:000001aa r9:840ba400 r8:8020029c r7:000001aa r6:0008e068 r5:00000000
 r4:00000000
Code: e1a08002 e5912000 e50b2030 e1a05001 (e1d920be) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	e1a08002 	mov	r8, r2
   4:	e5912000 	ldr	r2, [r1]
   8:	e50b2030 	str	r2, [fp, #-48]	@ 0xffffffd0
   c:	e1a05001 	mov	r5, r1
* 10:	e1d920be 	ldrh	r2, [r9, #14] <-- trapping instruction