do_el0_svc+0xa0/0xcc arch/arm64/kernel/syscall.c:181 el0_svc+0x64/0x290 arch/arm64/kernel/entry-common.c:603 el0t_64_sync_handler+0x1a4/0x1b0 arch/arm64/kernel/entry-common.c:621 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584 ================================================================== BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:71 [inline] BUG: KASAN: null-ptr-deref in atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline] BUG: KASAN: null-ptr-deref in page_ref_count include/linux/page_ref.h:67 [inline] BUG: KASAN: null-ptr-deref in put_page_testzero include/linux/mm.h:717 [inline] BUG: KASAN: null-ptr-deref in __free_pages+0x2c/0x20c mm/page_alloc.c:5473 Read of size 4 at addr 0000000000000034 by task syz-executor.1/14553 CPU: 0 PID: 14553 Comm: syz-executor.1 Not tainted 5.17.0-rc8-syzkaller-00061-g34e047aa16c0 #0 Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace+0x21c/0x280 arch/arm64/kernel/stacktrace.c:184 show_stack+0x18/0x70 arch/arm64/kernel/stacktrace.c:191 __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x9c/0xd8 lib/dump_stack.c:106 __kasan_report mm/kasan/report.c:446 [inline] kasan_report+0x130/0x20c mm/kasan/report.c:459 check_region_inline mm/kasan/generic.c:173 [inline] kasan_check_range+0xfc/0x1a4 mm/kasan/generic.c:189 __kasan_check_read+0x34/0x60 mm/kasan/shadow.c:31 instrument_atomic_read include/linux/instrumented.h:71 [inline] atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline] page_ref_count include/linux/page_ref.h:67 [inline] put_page_testzero include/linux/mm.h:717 [inline] __free_pages+0x2c/0x20c mm/page_alloc.c:5473 watch_queue_set_size+0x348/0x46c kernel/watch_queue.c:275 pipe_ioctl+0x94/0x340 fs/pipe.c:632 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:874 [inline] __se_sys_ioctl fs/ioctl.c:860 [inline] __arm64_sys_ioctl+0x120/0x18c fs/ioctl.c:860 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] invoke_syscall+0x6c/0x260 arch/arm64/kernel/syscall.c:52 el0_svc_common.constprop.0+0xc4/0x254 arch/arm64/kernel/syscall.c:142 do_el0_svc+0xa0/0xcc arch/arm64/kernel/syscall.c:181 el0_svc+0x64/0x290 arch/arm64/kernel/entry-common.c:603 el0t_64_sync_handler+0x1a4/0x1b0 arch/arm64/kernel/entry-common.c:621 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584 ================================================================== Unable to handle kernel paging request at virtual address dfff800000000006 KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] Mem abort info: ESR = 0x96000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004 CM = 0, WnR = 0 [dfff800000000006] address between user and kernel address ranges Internal error: Oops: 96000004 [#1] PREEMPT SMP Modules linked in: CPU: 0 PID: 14553 Comm: syz-executor.1 Tainted: G B 5.17.0-rc8-syzkaller-00061-g34e047aa16c0 #0 Hardware name: linux,dummy-virt (DT) pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : atomic_read include/linux/atomic/atomic-instrumented.h:28 [inline] pc : page_ref_count include/linux/page_ref.h:67 [inline] pc : put_page_testzero include/linux/mm.h:717 [inline] pc : __free_pages+0x40/0x20c mm/page_alloc.c:5473 lr : instrument_atomic_read include/linux/instrumented.h:71 [inline] lr : atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline] lr : page_ref_count include/linux/page_ref.h:67 [inline] lr : put_page_testzero include/linux/mm.h:717 [inline] lr : __free_pages+0x2c/0x20c mm/page_alloc.c:5473 sp : ffff8000192c7c30 x29: ffff8000192c7c30 x28: ffff000013260a08 x27: 0000000000000001 x26: ffff00000fed4544 x25: 0000000000000001 x24: dfff800000000000 x23: 0000000000000000 x22: 0000000000000001 x21: 0000000000000000 x20: 0000000000000000 x19: 0000000000000034 x18: ffff00006aa28c3c x17: 0000000000000000 x16: 0000000000000000 x15: 1fffe0000d545188 x14: 0000000000000004 x13: ffff80005ce09000 x12: ffff6000020d7f23 x11: 1fffe000020d7f22 x10: ffff6000020d7f22 x9 : dfff800000000000 x8 : ffff0000106bf913 x7 : 0000000000000001 x6 : 00009ffffdf280de x5 : ffff0000106bf910 x4 : ffff6000020d7f23 x3 : ffff0000106bf910 x2 : 0000000000000006 x1 : dfff800000000000 x0 : 0000000000000007 Call trace: atomic_read include/linux/atomic/atomic-instrumented.h:28 [inline] page_ref_count include/linux/page_ref.h:67 [inline] put_page_testzero include/linux/mm.h:717 [inline] __free_pages+0x40/0x20c mm/page_alloc.c:5473 watch_queue_set_size+0x348/0x46c kernel/watch_queue.c:275 pipe_ioctl+0x94/0x340 fs/pipe.c:632 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:874 [inline] __se_sys_ioctl fs/ioctl.c:860 [inline] __arm64_sys_ioctl+0x120/0x18c fs/ioctl.c:860 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] invoke_syscall+0x6c/0x260 arch/arm64/kernel/syscall.c:52 el0_svc_common.constprop.0+0xc4/0x254 arch/arm64/kernel/syscall.c:142 do_el0_svc+0xa0/0xcc arch/arm64/kernel/syscall.c:181 el0_svc+0x64/0x290 arch/arm64/kernel/entry-common.c:603 el0t_64_sync_handler+0x1a4/0x1b0 arch/arm64/kernel/entry-common.c:621 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584 Code: d2d00001 f2fbffe1 92400a60 11000c00 (38e16841) ---[ end trace 0000000000000000 ]--- ---------------- Code disassembly (best guess): 0: d2d00001 mov x1, #0x800000000000 // #140737488355328 4: f2fbffe1 movk x1, #0xdfff, lsl #48 8: 92400a60 and x0, x19, #0x7 c: 11000c00 add w0, w0, #0x3 * 10: 38e16841 ldrsb w1, [x2, x1] <-- trapping instruction