================================================================== BUG: KASAN: null-ptr-deref in sg_alloc_append_table_from_pages+0x994/0xc4a lib/scatterlist.c:525 Read of size 8 at addr 0000000000000010 by task syz-executor.1/4347 CPU: 0 PID: 4347 Comm: syz-executor.1 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0 Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:113 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:119 [] __dump_stack lib/dump_stack.c:88 [inline] [] dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:106 [] __kasan_report mm/kasan/report.c:446 [inline] [] kasan_report+0x1de/0x1e0 mm/kasan/report.c:459 [] check_region_inline mm/kasan/generic.c:183 [inline] [] __asan_load8+0x6e/0x96 mm/kasan/generic.c:256 [] sg_alloc_append_table_from_pages+0x994/0xc4a lib/scatterlist.c:525 [] sg_alloc_table_from_pages_segment+0xc0/0x248 lib/scatterlist.c:573 [] sg_alloc_table_from_pages include/linux/scatterlist.h:348 [inline] [] get_sg_table+0x9c/0x11e drivers/dma-buf/udmabuf.c:67 [] begin_cpu_udmabuf+0xcc/0xfe drivers/dma-buf/udmabuf.c:126 [] dma_buf_begin_cpu_access+0xc0/0x13a drivers/dma-buf/dma-buf.c:1164 [] dma_buf_ioctl+0x1a8/0x25a drivers/dma-buf/dma-buf.c:363 [] vfs_ioctl fs/ioctl.c:51 [inline] [] __do_sys_ioctl fs/ioctl.c:874 [inline] [] sys_ioctl+0x75c/0x139e fs/ioctl.c:860 [] ret_from_syscall+0x0/0x2 ================================================================== Unable to handle kernel access to user memory without uaccess routines at virtual address 0000000000000010 Oops [#1] Modules linked in: CPU: 0 PID: 4347 Comm: syz-executor.1 Tainted: G B 5.17.0-rc1-syzkaller-00002-g0966d385830d #0 Hardware name: riscv-virtio,qemu (DT) epc : sg_assign_page include/linux/scatterlist.h:112 [inline] epc : sg_set_page include/linux/scatterlist.h:136 [inline] epc : sg_alloc_append_table_from_pages+0x9b6/0xc4a lib/scatterlist.c:525 ra : sg_alloc_append_table_from_pages+0x994/0xc4a lib/scatterlist.c:525 epc : ffffffff80ac60d4 ra : ffffffff80ac60b2 sp : ffffaf800b943920 gp : ffffffff85863ac0 tp : ffffaf800cfc8000 t0 : 0000000000000000 t1 : 0000000000006000 t2 : 0000000000000008 s0 : ffffaf800b943a10 s1 : 0000000000000000 a0 : 0000000000000001 a1 : 0000000000000007 a2 : 1ffff5f0019f9000 a3 : ffffffff831a6b2e a4 : 0000000000000000 a5 : 0000000000000000 a6 : 0000000000f00000 a7 : ffffaf805a9c84c7 s2 : 0000000000001000 s3 : 0000000000000002 s4 : 0000000000000001 s5 : 0000000000000000 s6 : 0000000000000010 s7 : 0000000000000000 s8 : ffffffffffffffff s9 : 0000000000000cc0 s10: 8e38e38e38e38e39 s11: fffffffffffff000 t3 : 00007fff8b4e728c t4 : fffff5ef0b539098 t5 : fffff5ef0b539099 t6 : 6f6c5f6e61000000 status: 0000000000000120 badaddr: 0000000000000010 cause: 000000000000000d [] sg_alloc_table_from_pages_segment+0xc0/0x248 lib/scatterlist.c:573 [] sg_alloc_table_from_pages include/linux/scatterlist.h:348 [inline] [] get_sg_table+0x9c/0x11e drivers/dma-buf/udmabuf.c:67 [] begin_cpu_udmabuf+0xcc/0xfe drivers/dma-buf/udmabuf.c:126 [] dma_buf_begin_cpu_access+0xc0/0x13a drivers/dma-buf/dma-buf.c:1164 [] dma_buf_ioctl+0x1a8/0x25a drivers/dma-buf/dma-buf.c:363 [] vfs_ioctl fs/ioctl.c:51 [inline] [] __do_sys_ioctl fs/ioctl.c:874 [inline] [] sys_ioctl+0x75c/0x139e fs/ioctl.c:860 [] ret_from_syscall+0x0/0x2 ---[ end trace 0000000000000000 ]---