Date: Mon, 2 Oct 2023 18:12:47 -0600
From: Jens Axboe
To: syzbot, asml.silence@gmail.com, io-uring@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [io-uring?] BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers (2)
References: <000000000000af635c0606bcb889@google.com> <7567c27a-b5d0-41fc-a7e5-d65ed168b39c@kernel.dk>
In-Reply-To: <7567c27a-b5d0-41fc-a7e5-d65ed168b39c@kernel.dk>

On 10/2/23 10:43 AM, Jens Axboe wrote:
> On 10/2/23 8:38 AM, syzbot wrote:
>> Hello,
>>
>> syzbot found the following issue on:
>>
>> HEAD commit:    ec8c298121e3 Merge tag 'x86-urgent-2023-10-01' of git://gi..
>> git tree:       upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=16ef0ed6680000
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=3be743fa9361d5b0
>> dashboard link: https://syzkaller.appspot.com/bug?extid=2113e61b8848fa7951d8
>> compiler:       arm-linux-gnueabi-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
>> userspace arch: arm
>
> I tried the syz repro in the console output, but can't trigger it. It
> also makes very little sense to me... For when there is a reproducer,
> the below would perhaps shed some light on it. We have bl->is_mapped ==
> 1, yet bl->buf_ring is NULL. Probably some artifact of 32-bit arm?

I think this is 32-bit and highmem... The page being mapped into the
kernel is a highmem page, and this won't really fly with having a
permanent ->buf_ring address which we get from page_address().

-- 
Jens Axboe
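
Added illustration, not part of the message above and not kernel code: a userspace C model of the state the thread describes, where a ring pinned from a highmem page ends up with is_mapped == 1 and a NULL buf_ring because page_address() has no permanent address to return. All model_* names and the reject_highmem check are assumptions made for this example.

```c
/* Userspace model, not kernel code: every name here is a hypothetical
 * stand-in for the structures mentioned in the thread. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

struct model_page {
    bool highmem;      /* no permanent kernel mapping on 32-bit */
    void *lowmem_addr; /* linear-map address, valid for lowmem only */
};

struct model_buffer_list {
    void *buf_ring;
    int is_mapped;
};

/* Models page_address(): an unmapped highmem page has no kernel address. */
static void *model_page_address(const struct model_page *p)
{
    return p->highmem ? NULL : p->lowmem_addr;
}

/* Pin a user-provided ring. With reject_highmem false this mirrors the state
 * described in the thread: is_mapped is set while buf_ring may be NULL. */
static int model_pin_ring(struct model_buffer_list *bl,
                          const struct model_page *pages, size_t n,
                          bool reject_highmem)
{
    if (n == 0)
        return -EINVAL;
    for (size_t i = 0; reject_highmem && i < n; i++)
        if (pages[i].highmem)
            return -EINVAL; /* assumed mitigation: refuse such pages */
    bl->buf_ring = model_page_address(&pages[0]);
    bl->is_mapped = 1;
    return 0;
}

/* Invariant a teardown path relies on: mapped implies a usable pointer. */
static bool model_ring_consistent(const struct model_buffer_list *bl)
{
    return !bl->is_mapped || bl->buf_ring != NULL;
}
```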