syzbot

 sign-in | mailing list | source | docs
🐞 Open [1414]
Subsystems
🐞 Fixed [5827]
🐞 Invalid [14218]
Missing Backports [92]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
💬 Send us feedback

BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers (2)

Status: fixed on 2023/12/21 03:45
Subsystems: io-uring
[Documentation on labels]
Reported-by: syzbot+2113e61b8848fa7951d8@syzkaller.appspotmail.com
Fix commit: f8024f1f36a3 io_uring/kbuf: don't allow registered buffer rings on highmem pages
First crash: 419d, last: 411d
Discussions (2)
Title Replies (including bot) Last reply
[syzbot] [io-uring?] BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers (2) 3 (5) 2023/10/03 02:02
[PATCH] io_uring/kbuf: don't allow registered buffer rings on highmem pages 1 (1) 2023/10/03 00:26
Similar bugs (3)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers io-uring 1 545d 541d 0/28 auto-obsoleted due to no activity on 2023/09/05 16:07
upstream KASAN: use-after-free Read in __io_remove_buffers io-uring C done 2 838d 834d 22/28 fixed on 2023/02/24 13:50
upstream general protection fault in __io_remove_buffers io-uring C done 3 127d 126d 27/28 fixed on 2024/08/14 03:44

Sample crash report:
8<--- cut here ---
Unable to handle kernel NULL pointer dereference at virtual address 0000000e when read
[0000000e] *pgd=80000080004003, *pmd=00000000
Internal error: Oops: 207 [#1] PREEMPT SMP ARM
Modules linked in:
CPU: 0 PID: 23321 Comm: kworker/u5:1 Not tainted 6.6.0-rc4-syzkaller #0
Hardware name: ARM-Versatile Express
Workqueue: events_unbound io_ring_exit_work
PC is at __io_remove_buffers io_uring/kbuf.c:219 [inline]
PC is at __io_remove_buffers+0x38/0x184 io_uring/kbuf.c:209
LR is at io_destroy_buffers+0x48/0x138 io_uring/kbuf.c:264
pc : [<807c970c>]    lr : [<807c9cc8>]    psr: 20000013
sp : eca7de48  ip : eca7de78  fp : eca7de74
r10: 827e4712  r9 : 89d5f800  r8 : ffffffff
r7 : 89d5fb4c  r6 : 00000001  r5 : 89d5c800  r4 : 00000000
r3 : 00000000  r2 : 00000000  r1 : 89d5c800  r0 : 89d5f800
Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
Control: 30c5387d  Table: 8aa48840  DAC: fffffffd
Register r0 information: slab kmalloc-2k start 89d5f800 pointer offset 0 size 2048
Register r1 information: slab kmalloc-2k start 89d5c800 pointer offset 0 size 2048
Register r2 information: NULL pointer
Register r3 information: NULL pointer
Register r4 information: NULL pointer
Register r5 information: slab kmalloc-2k start 89d5c800 pointer offset 0 size 2048
Register r6 information: non-paged memory
Register r7 information: slab kmalloc-2k start 89d5f800 pointer offset 844 size 2048
Register r8 information: non-paged memory
Register r9 information: slab kmalloc-2k start 89d5f800 pointer offset 0 size 2048
Register r10 information: non-slab/vmalloc memory
Register r11 information: 2-page vmalloc region starting at 0xeca7c000 allocated at kernel_clone+0xac/0x424 kernel/fork.c:2909
Register r12 information: 2-page vmalloc region starting at 0xeca7c000 allocated at kernel_clone+0xac/0x424 kernel/fork.c:2909
Process kworker/u5:1 (pid: 23321, stack limit = 0xeca7c000)
Stack: (0xeca7de48 to 0xeca7e000)
de40:                   8467c680 00000014 89d5f800 89d5f840 89d5fb4c 82604d40
de60: 89d5fbcc 827e4712 eca7de9c eca7de78 807c9cc8 807c96e0 00000000 b8805018
de80: 89d5fbbc 89d5f800 89d5f840 89d5fb4c eca7df04 eca7dea0 81827188 807c9c8c
dea0: eca7debc 89d5fbcc 0004f970 89d5f800 00000000 00000000 00000000 81825cb8
dec0: 00000000 00030003 eca7dec8 eca7dec8 89d5f800 b8805018 eca7df48 89524780
dee0: 89d5fbbc 82c21400 82c0f000 00000140 8467c680 82c21405 eca7df44 eca7df08
df00: 80265fd4 81826dec eca7df2c eca7df18 eca7df44 eca7df20 8026196c 89524780
df20: 895247ac 82c0f000 82604d40 82c0f020 8467c680 61c88647 eca7df84 eca7df48
df40: 80266520 80265e44 eca7df64 eca7df58 81848868 80278e68 eca7df84 83acbf80
df60: 8467c680 802662e0 89524780 83acb4c0 dfc0de98 00000000 eca7dfac eca7df88
df80: 8026d8e0 802662ec 83acbf80 8026d7dc 00000000 00000000 00000000 00000000
dfa0: 00000000 eca7dfb0 80200104 8026d7e8 00000000 00000000 00000000 00000000
dfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
dfe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
Backtrace: 
[<807c96d4>] (__io_remove_buffers) from [<807c9cc8>] (io_destroy_buffers+0x48/0x138 io_uring/kbuf.c:264)
 r10:827e4712 r9:89d5fbcc r8:82604d40 r7:89d5fb4c r6:89d5f840 r5:89d5f800
 r4:00000014 r3:8467c680
[<807c9c80>] (io_destroy_buffers) from [<81827188>] (io_ring_ctx_free io_uring/io_uring.c:2895 [inline])
[<807c9c80>] (io_destroy_buffers) from [<81827188>] (io_ring_exit_work+0x3a8/0x5ec io_uring/io_uring.c:3151)
 r7:89d5fb4c r6:89d5f840 r5:89d5f800 r4:89d5fbbc
[<81826de0>] (io_ring_exit_work) from [<80265fd4>] (process_one_work+0x19c/0x4a8 kernel/workqueue.c:2630)
 r10:82c21405 r9:8467c680 r8:00000140 r7:82c0f000 r6:82c21400 r5:89d5fbbc
 r4:89524780
[<80265e38>] (process_one_work) from [<80266520>] (process_scheduled_works kernel/workqueue.c:2703 [inline])
[<80265e38>] (process_one_work) from [<80266520>] (worker_thread+0x240/0x48c kernel/workqueue.c:2784)
 r10:61c88647 r9:8467c680 r8:82c0f020 r7:82604d40 r6:82c0f000 r5:895247ac
 r4:89524780
[<802662e0>] (worker_thread) from [<8026d8e0>] (kthread+0x104/0x134 kernel/kthread.c:388)
 r10:00000000 r9:dfc0de98 r8:83acb4c0 r7:89524780 r6:802662e0 r5:8467c680
 r4:83acbf80
[<8026d7dc>] (kthread) from [<80200104>] (ret_from_fork+0x14/0x30 arch/arm/kernel/entry-common.S:134)
Exception stack(0xeca7dfb0 to 0xeca7dff8)
dfa0:                                     00000000 00000000 00000000 00000000
dfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
dfe0: 00000000 00000000 00000000 00000000 00000013 00000000
 r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:8026d7dc r4:83acbf80
Code: 0a000022 e5913004 e1d120be e5d14013 (e1d380be) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	0a000022 	beq	0x90
   4:	e5913004 	ldr	r3, [r1, #4]
   8:	e1d120be 	ldrh	r2, [r1, #14]
   c:	e5d14013 	ldrb	r4, [r1, #19]
* 10:	e1d380be 	ldrh	r8, [r3, #14] <-- trapping instruction

Crashes (86):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2023/10/07 04:27 upstream af95dc6fdc25 ea12a918 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
2023/10/07 02:50 upstream af95dc6fdc25 ea12a918 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
2023/10/06 17:00 upstream b78b18fb8ee1 db17ad9f .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
2023/10/06 04:17 upstream 3006adf3be79 becbb1de .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
2023/10/06 04:17 upstream 3006adf3be79 becbb1de .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
2023/10/06 03:12 upstream 3006adf3be79 becbb1de .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
2023/10/05 10:44 upstream ba7d997a2a29 b7d7ff54 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
2023/10/05 09:11 upstream ba7d997a2a29 b7d7ff54 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
2023/10/05 08:09 upstream ba7d997a2a29 b7d7ff54 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
2023/10/04 21:33 upstream cbf3a2cb156a b7d7ff54 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
2023/10/04 19:23 upstream cbf3a2cb156a b7d7ff54 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
2023/10/04 06:33 upstream 5e62ed3b1c8a 65faba36 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
2023/10/04 04:04 upstream 5e62ed3b1c8a 65faba36 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
2023/10/03 17:36 upstream ce36c8b14987 65faba36 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
2023/10/03 16:01 upstream ce36c8b14987 65faba36 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
2023/10/03 14:48 upstream ce36c8b14987 65faba36 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
2023/10/03 13:44 upstream ce36c8b14987 65faba36 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
2023/10/03 13:06 upstream ce36c8b14987 65faba36 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
2023/10/03 10:04 upstream ce36c8b14987 65faba36 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
2023/10/02 22:03 upstream 8a749fd1a872 50b20e75 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
2023/10/02 20:57 upstream 8a749fd1a872 50b20e75 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
2023/10/02 19:36 upstream 8a749fd1a872 50b20e75 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
2023/10/02 07:06 upstream ec8c298121e3 8e26a358 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
2023/10/02 05:47 upstream ec8c298121e3 8e26a358 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
2023/10/02 05:34 upstream ec8c298121e3 8e26a358 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
2023/10/02 05:25 upstream ec8c298121e3 8e26a358 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
2023/10/02 05:12 upstream ec8c298121e3 8e26a358 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
2023/10/01 16:35 upstream e402b08634b3 8e26a358 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
2023/10/01 15:57 upstream e402b08634b3 8e26a358 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
2023/10/01 05:38 upstream 830380e3178a 8e26a358 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
2023/10/01 05:38 upstream 830380e3178a 8e26a358 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
2023/10/01 04:12 upstream 830380e3178a 8e26a358 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
2023/10/01 04:00 upstream 830380e3178a 8e26a358 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
2023/10/01 03:51 upstream 830380e3178a 8e26a358 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
2023/10/01 03:10 upstream 830380e3178a 8e26a358 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
2023/10/01 03:10 upstream 830380e3178a 8e26a358 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
2023/10/01 02:33 upstream 830380e3178a 8e26a358 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
2023/09/30 23:45 upstream 830380e3178a 8e26a358 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
2023/09/30 17:08 upstream 9f3ebbef746f 8e26a358 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
2023/09/30 17:08 upstream 9f3ebbef746f 8e26a358 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
2023/09/30 16:58 upstream 9f3ebbef746f 8e26a358 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
2023/09/30 16:57 upstream 9f3ebbef746f 8e26a358 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
2023/09/30 16:57 upstream 9f3ebbef746f 8e26a358 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
2023/09/30 16:51 upstream 9f3ebbef746f 8e26a358 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
2023/09/30 16:16 upstream 9f3ebbef746f 8e26a358 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
2023/09/30 15:57 upstream 9f3ebbef746f 8e26a358 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
2023/09/29 03:14 upstream 633b47cb009d d265efd8 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
* Struck through repros no longer work on HEAD.