From: syzbot <syzbot+004c1e0fced2b4bc3dcc@syzkaller.appspotmail.com>
To: axboe@kernel.dk, linux-block@vger.kernel.org,
	linux-kernel@vger.kernel.org,  syzkaller-bugs@googlegroups.com
Subject: [syzbot] [block?] BUG: unable to handle kernel NULL pointer dereference in __bio_release_pages
Date: Tue, 16 Jan 2024 01:57:17 -0800
Message-ID: <000000000000dbe2f2060f0d2781@google.com>

Hello,

syzbot found the following issue on:

HEAD commit:    052d534373b7 Merge tag 'exfat-for-6.8-rc1' of git://git.ke..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17957913e80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=9603f9823d535d97
dashboard link: https://syzkaller.appspot.com/bug?extid=004c1e0fced2b4bc3dcc
compiler:       aarch64-linux-gnu-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=13529733e80000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=166850dde80000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/384ffdcca292/non_bootable_disk-052d5343.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/74cc52d4cc15/vmlinux-052d5343.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a2da7e6a234c/Image-052d5343.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+004c1e0fced2b4bc3dcc@syzkaller.appspotmail.com

Unable to handle kernel paging request at virtual address dfff800000000001
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
Mem abort info:
  ESR = 0x0000000096000005
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x05: level 1 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
  CM = 0, WnR = 0, TnD = 0, TagAccess = 0
  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[dfff800000000001] address between user and kernel address ranges
Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 3139 Comm: syz-executor303 Not tainted 6.7.0-syzkaller-09928-g052d534373b7 #0
Hardware name: linux,dummy-virt (DT)
pstate: 10000005 (nzcV daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : _compound_head include/linux/page-flags.h:247 [inline]
pc : bio_first_folio include/linux/bio.h:289 [inline]
pc : __bio_release_pages+0x100/0x73c block/bio.c:1153
lr : bio_release_pages include/linux/bio.h:508 [inline]
lr : blkdev_bio_end_io+0x2a0/0x3f0 block/fops.c:157
sp : ffff800089a375e0
x29: ffff800089a375e0 x28: 1fffe0000162e879 x27: ffff00000b1743c0
x26: ffff00000b1743c8 x25: 000000000000000a x24: 1fffe000015a9e12
x23: ffff00000ad4f094 x22: ffff00000f496600 x21: 1fffe0000162e87a
x20: 0000000000000004 x19: 0000000000000000 x18: ffff00000b174432
x17: ffff00000b174438 x16: ffff00000f948008 x15: 1fffe0000162e886
x14: ffff00000b1743d4 x13: 00000000f1f1f1f1 x12: ffff6000015a9e13
x11: 1fffe000015a9e12 x10: ffff6000015a9e12 x9 : dfff800000000000
x8 : ffff00000b1743d4 x7 : 0000000041b58ab3 x6 : 1ffff00011346ed0
x5 : ffff700011346ed0 x4 : 00000000f1f1f1f1 x3 : 000000000000f1f1
x2 : 0000000000000001 x1 : dfff800000000000 x0 : 0000000000000008
Call trace:
 _compound_head include/linux/page-flags.h:247 [inline]
 bio_first_folio include/linux/bio.h:289 [inline]
 __bio_release_pages+0x100/0x73c block/bio.c:1153
 bio_release_pages include/linux/bio.h:508 [inline]
 blkdev_bio_end_io+0x2a0/0x3f0 block/fops.c:157
 bio_endio+0x4a4/0x618 block/bio.c:1608
 __blkdev_direct_IO block/fops.c:213 [inline]
 blkdev_direct_IO.part.0+0xf08/0x13c0 block/fops.c:379
 blkdev_direct_IO block/fops.c:370 [inline]
 blkdev_direct_write block/fops.c:648 [inline]
 blkdev_write_iter+0x430/0x91c block/fops.c:706
 call_write_iter include/linux/fs.h:2085 [inline]
 do_iter_readv_writev+0x194/0x298 fs/read_write.c:741
 vfs_writev+0x244/0x684 fs/read_write.c:971
 do_pwritev+0x15c/0x1e0 fs/read_write.c:1072
 __do_sys_pwritev2 fs/read_write.c:1131 [inline]
 __se_sys_pwritev2 fs/read_write.c:1122 [inline]
 __arm64_sys_pwritev2+0xac/0x120 fs/read_write.c:1122
 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
 invoke_syscall+0x6c/0x258 arch/arm64/kernel/syscall.c:51
 el0_svc_common.constprop.0+0xac/0x230 arch/arm64/kernel/syscall.c:136
 do_el0_svc+0x40/0x58 arch/arm64/kernel/syscall.c:155
 el0_svc+0x58/0x140 arch/arm64/kernel/entry-common.c:678
 el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:696
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595
Code: d2d00001 f2fbffe1 91002260 d343fc02 (38e16841) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	d2d00001 	mov	x1, #0x800000000000        	// #140737488355328
   4:	f2fbffe1 	movk	x1, #0xdfff, lsl #48
   8:	91002260 	add	x0, x19, #0x8
   c:	d343fc02 	lsr	x2, x0, #3
* 10:	38e16841 	ldrsb	w1, [x2, x1] <-- trapping instruction


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup
