syzbot

 sign-in | mailing list | source | docs
🐞 Open [1465]
Subsystems
🐞 Fixed [6731]
🐞 Invalid [17298]
Missing Backports [220]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
💬 Send us feedback

KASAN: null-ptr-deref Read in io_sqe_buffer_register

Status: upstream: reported C repro on 2025/09/04 15:36
Subsystems: io-uring
[Documentation on labels]
Reported-by: syzbot+1ab243d3eebb2aabf4a4@syzkaller.appspotmail.com
Fix commit: fixup: mm/gup: remove record_subpages()
Patched on: [ci-upstream-linux-next-kasan-gce-root ci-upstream-rust-kasan-gce], missing on: [ci-qemu-gce-upstream-auto ci-qemu-native-arm64-kvm ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-qemu2-riscv64 ci-snapshot-upstream-root ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-arm64 ci-upstream-gce-leak ci-upstream-kasan-badwrites-root ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce-386-root ci-upstream-kmsan-gce-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci2-upstream-fs ci2-upstream-kcsan-gce ci2-upstream-usb]
First crash: 70d, last: 66d
Cause bisection: introduced by (bisect log) :
commit da6b34293ff8dbb78f8b9278c9a492925bbf1f87
Author: David Hildenbrand <david@redhat.com>
Date: Mon Sep 1 15:03:40 2025 +0000

  mm/gup: remove record_subpages()

Crash: KASAN: null-ptr-deref Read in io_sqe_buffer_register (log)
Repro: C syz .config
  
Duplicate bugs (5)
duplicates (5):
Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
general protection fault in io_check_coalesce_buffer io-uring 2 C 27 67d 70d 0/29 closed as dup on 2025/09/04 23:18
general protection fault in xxh64_update crypto 2 C error 11 66d 66d 0/29 closed as dup on 2025/09/08 18:47
KASAN: wild-memory-access Read in crypto_nhpoly1305_update_helper crypto 17 C done 13 68d 65d 0/29 closed as dup on 2025/09/10 06:35
KASAN: wild-memory-access Read in __sha512_update crypto 17 C 15 66d 66d 0/29 closed as dup on 2025/09/08 18:46
general protection fault in unpin_user_page_range_dirty_lock mm 2 C 4 67d 69d 0/29 closed as dup on 2025/09/05 13:27
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [io-uring?] KASAN: null-ptr-deref Read in io_sqe_buffer_register 6 (10) 2025/09/08 04:30
Similar bugs (1)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream general protection fault in io_sqe_buffer_register io-uring 2 C done 55 375d 377d 28/29 fixed on 2024/12/16 10:37
Last patch testing requests (2)
Created Duration User Patch Repo Result
2025/09/05 10:04 24m david@redhat.com https://github.com/davidhildenbrand/linux.git nth_page OK log
2025/09/05 07:43 34m david@redhat.com patch linux-next error

Sample crash report:
==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:68 [inline]
BUG: KASAN: null-ptr-deref in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: null-ptr-deref in PageCompound include/linux/page-flags.h:331 [inline]
BUG: KASAN: null-ptr-deref in io_buffer_account_pin io_uring/rsrc.c:668 [inline]
BUG: KASAN: null-ptr-deref in io_sqe_buffer_register+0x369/0x20a0 io_uring/rsrc.c:817
Read of size 8 at addr 0000000000000000 by task syz.0.17/6093

CPU: 0 UID: 0 PID: 6093 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:200
 instrument_atomic_read include/linux/instrumented.h:68 [inline]
 _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
 PageCompound include/linux/page-flags.h:331 [inline]
 io_buffer_account_pin io_uring/rsrc.c:668 [inline]
 io_sqe_buffer_register+0x369/0x20a0 io_uring/rsrc.c:817
 io_sqe_buffers_register+0x3b9/0x8e0 io_uring/rsrc.c:913
 __io_uring_register io_uring/register.c:657 [inline]
 __do_sys_io_uring_register io_uring/register.c:926 [inline]
 __se_sys_io_uring_register+0xb85/0x11b0 io_uring/register.c:903
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f71d0b8ebe9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc64956de8 EFLAGS: 00000246 ORIG_RAX: 00000000000001ab
RAX: ffffffffffffffda RBX: 00007f71d0dc5fa0 RCX: 00007f71d0b8ebe9
RDX: 00002000000002c0 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007f71d0c11e19 R08: 0000000000000000 R09: 0000000000000000
R10: 100000000000011a R11: 0000000000000246 R12: 0000000000000000
R13: 00007f71d0dc5fa0 R14: 00007f71d0dc5fa0 R15: 0000000000000004
 </TASK>
==================================================================

Crashes (54):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/09/04 17:24 linux-next 4ac65880ebca d291dd2d .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
2025/09/04 16:31 linux-next 4ac65880ebca d291dd2d .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
2025/09/04 15:22 linux-next 4ac65880ebca d291dd2d .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
2025/09/08 08:53 linux-next be5d4872e528 d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
2025/09/08 05:29 linux-next be5d4872e528 d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
2025/09/08 00:58 linux-next be5d4872e528 d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
2025/09/07 22:50 linux-next be5d4872e528 d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
2025/09/07 21:32 linux-next be5d4872e528 d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
2025/09/07 18:22 linux-next be5d4872e528 d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
2025/09/07 16:43 linux-next be5d4872e528 d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
2025/09/07 16:37 linux-next be5d4872e528 d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
2025/09/07 12:28 linux-next be5d4872e528 d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
2025/09/07 06:29 linux-next be5d4872e528 d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
2025/09/07 04:42 linux-next be5d4872e528 d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
2025/09/07 04:10 linux-next be5d4872e528 d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
2025/09/07 02:38 linux-next be5d4872e528 d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
2025/09/07 02:19 linux-next be5d4872e528 d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
2025/09/07 01:15 linux-next be5d4872e528 d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
2025/09/06 21:31 linux-next be5d4872e528 d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
2025/09/06 21:31 linux-next be5d4872e528 d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
2025/09/06 21:27 linux-next be5d4872e528 d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
2025/09/06 21:27 linux-next be5d4872e528 d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
2025/09/06 21:17 linux-next be5d4872e528 d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
2025/09/06 21:17 linux-next be5d4872e528 d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
2025/09/06 21:14 linux-next be5d4872e528 d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
2025/09/06 21:14 linux-next be5d4872e528 d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
2025/09/06 20:42 linux-next be5d4872e528 d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
2025/09/06 20:42 linux-next be5d4872e528 d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
2025/09/06 14:57 linux-next be5d4872e528 d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
2025/09/06 14:57 linux-next be5d4872e528 d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
2025/09/06 13:55 linux-next be5d4872e528 d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
2025/09/06 13:54 linux-next be5d4872e528 d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
2025/09/06 13:54 linux-next be5d4872e528 d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
2025/09/06 10:52 linux-next be5d4872e528 d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
2025/09/06 10:51 linux-next be5d4872e528 d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
2025/09/06 10:49 linux-next be5d4872e528 d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
2025/09/06 10:49 linux-next be5d4872e528 d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
2025/09/06 02:52 linux-next be5d4872e528 d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
2025/09/05 18:54 linux-next be5d4872e528 d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
2025/09/05 11:34 linux-next be5d4872e528 d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
2025/09/04 14:39 linux-next 4ac65880ebca d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
2025/09/04 14:39 linux-next 4ac65880ebca d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
2025/09/04 12:00 linux-next 4ac65880ebca d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
2025/09/04 11:51 linux-next 4ac65880ebca d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
2025/09/04 11:37 linux-next 4ac65880ebca d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
2025/09/04 09:45 linux-next 4ac65880ebca d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
2025/09/04 09:45 linux-next 4ac65880ebca d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in io_sqe_buffer_register
* Struck through repros no longer work on HEAD.