do_el0_svc_compat+0x40/0x70 arch/arm64/kernel/syscall.c:174 el0_svc_compat+0x24/0x3c arch/arm64/kernel/entry-common.c:494 el0_sync_compat_handler+0x90/0x140 arch/arm64/kernel/entry-common.c:503 el0_sync_compat+0x174/0x180 arch/arm64/kernel/entry.S:708 ================================================================== BUG: KASAN: null-ptr-deref in io_commit_cqring+0x274/0x6fc fs/io_uring.c:1318 Write of size 4 at addr 00000000000000c0 by task syz-executor.1/16755 CPU: 0 PID: 16755 Comm: syz-executor.1 Not tainted 5.12.0-rc5-syzkaller-00030-gd19cc4bfbff1 #0 Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace+0x0/0x3e0 arch/arm64/include/asm/pointer_auth.h:76 show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:191 __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x120/0x1a8 lib/dump_stack.c:120 __kasan_report mm/kasan/report.c:403 [inline] kasan_report+0x128/0x200 mm/kasan/report.c:416 check_region_inline mm/kasan/generic.c:170 [inline] kasan_check_range+0xfc/0x1a4 mm/kasan/generic.c:186 __kasan_check_write+0x34/0x60 mm/kasan/shadow.c:37 io_commit_cqring+0x274/0x6fc fs/io_uring.c:1318 io_kill_timeouts+0x1d0/0x244 fs/io_uring.c:8606 io_ring_ctx_wait_and_kill+0x1a0/0x380 fs/io_uring.c:8629 io_uring_create fs/io_uring.c:9572 [inline] io_uring_setup+0xc90/0x235c fs/io_uring.c:9599 __do_sys_io_uring_setup fs/io_uring.c:9605 [inline] __se_sys_io_uring_setup fs/io_uring.c:9602 [inline] __arm64_sys_io_uring_setup+0x50/0x70 fs/io_uring.c:9602 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline] invoke_syscall arch/arm64/kernel/syscall.c:49 [inline] el0_svc_common.constprop.0+0xf0/0x2c0 arch/arm64/kernel/syscall.c:129 do_el0_svc_compat+0x40/0x70 arch/arm64/kernel/syscall.c:174 el0_svc_compat+0x24/0x3c arch/arm64/kernel/entry-common.c:494 el0_sync_compat_handler+0x90/0x140 arch/arm64/kernel/entry-common.c:503 el0_sync_compat+0x174/0x180 arch/arm64/kernel/entry.S:708 ================================================================== Unable to handle kernel NULL pointer dereference at virtual address 00000000000000c0 Mem abort info: ESR = 0x96000047 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 Data abort info: ISV = 0, ISS = 0x00000047 CM = 0, WnR = 1 user pgtable: 4k pages, 48-bit VAs, pgdp=00000000508c5000 [00000000000000c0] pgd=0000000050ea5003, p4d=0000000050ea5003, pud=0000000049abf003, pmd=000000006e0d5003, pte=0000000000000000 Internal error: Oops: 96000047 [#1] PREEMPT SMP Modules linked in: CPU: 0 PID: 16755 Comm: syz-executor.1 Tainted: G B 5.12.0-rc5-syzkaller-00030-gd19cc4bfbff1 #0 Hardware name: linux,dummy-virt (DT) pstate: 10000085 (nzcV daIf -PAN -UAO -TCO BTYPE=--) pc : io_commit_cqring+0x278/0x6fc fs/io_uring.c:1318 lr : io_commit_cqring+0x274/0x6fc fs/io_uring.c:1318 sp : ffff00000aea7a80 x29: ffff00000aea7a80 x28: 0000000000000000 x27: ffff00001bb9a400 x26: 1fffe000037734c0 x25: ffff00001bb9a078 x24: ffff00001bb9a088 x23: 0000000000000000 x22: ffff8000145441c0 x21: 1fffe00003773411 x20: ffff00001bb9a000 x19: 0000000000000000 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000002 x15: ffff800016459e60 x14: 0000000000000000 x13: 0000000000000000 x12: ffff700002c34c09 x11: 1ffff00002c34c08 x10: ffff700002c34c08 x9 : dfff800000000000 x8 : ffff8000161a6040 x7 : 0000000000000001 x6 : 00008ffffd3cb3f8 x5 : ffff8000161a6040 x4 : 1fffe00001c169d9 x3 : dfff800000000000 x2 : 1fffe00001c169d9 x1 : ffff00000e0b4ec0 x0 : 00000000000000c0 Call trace: io_commit_cqring+0x278/0x6fc fs/io_uring.c:1318 io_kill_timeouts+0x1d0/0x244 fs/io_uring.c:8606 io_ring_ctx_wait_and_kill+0x1a0/0x380 fs/io_uring.c:8629 io_uring_create fs/io_uring.c:9572 [inline] io_uring_setup+0xc90/0x235c fs/io_uring.c:9599 __do_sys_io_uring_setup fs/io_uring.c:9605 [inline] __se_sys_io_uring_setup fs/io_uring.c:9602 [inline] __arm64_sys_io_uring_setup+0x50/0x70 fs/io_uring.c:9602 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline] invoke_syscall arch/arm64/kernel/syscall.c:49 [inline] el0_svc_common.constprop.0+0xf0/0x2c0 arch/arm64/kernel/syscall.c:129 do_el0_svc_compat+0x40/0x70 arch/arm64/kernel/syscall.c:174 el0_svc_compat+0x24/0x3c arch/arm64/kernel/entry-common.c:494 el0_sync_compat_handler+0x90/0x140 arch/arm64/kernel/entry-common.c:503 el0_sync_compat+0x174/0x180 arch/arm64/kernel/entry.S:708 Code: 52800081 91030260 97f8ea3f 91030260 (889ffc17) ---[ end trace cf94d610370e775b ]---