public inbox for linux-kernel@vger.kernel.org
* [syzbot] [netfs?] BUG: unable to handle kernel NULL pointer dereference in netfs_unbuffered_write
@ 2026-03-06  6:36 syzbot
  2026-03-07  0:12 ` Forwarded: [PATCH] netfs: Fix NULL pointer dereference in netfs_unbuffered_write() on retry syzbot
                   ` (4 more replies)
  0 siblings, 5 replies; 11+ messages in thread
From: syzbot @ 2026-03-06  6:36 UTC (permalink / raw)
  To: dhowells, linux-fsdevel, linux-kernel, netfs, pc, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    c107785c7e8d Merge tag 'modules-7.0-rc3.fixes' of git://gi..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15db7b5a580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=976ba5a93c4add9e
dashboard link: https://syzkaller.appspot.com/bug?extid=7227db0fbac9f348dba0
compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1628ab5a580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16a5414a580000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-c107785c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/3a4a4abcd973/vmlinux-c107785c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/f60667f16840/bzImage-c107785c.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7227db0fbac9f348dba0@syzkaller.appspotmail.com

netfs: Couldn't get user pages (rc=-14)
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 31867067 P4D 31867067 PUD 0 
Oops: Oops: 0010 [#1] SMP KASAN NOPTI
CPU: 3 UID: 0 PID: 6079 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffffc90003b7fb90 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff88803bd3a5b0 RCX: ffffffff82c49d0a
RDX: ffff88802b9ca4c0 RSI: ffffffff82c49b9c RDI: ffff88803bd3a500
RBP: 0000000000140000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffff88803bd3a598
R13: dffffc0000000000 R14: ffff88803bd3a500 R15: ffff888023066580
FS:  00007f9e9a09f6c0(0000) GS:ffff8880d6644000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000002c65b000 CR4: 0000000000352ef0
Call Trace:
 <TASK>
 netfs_unbuffered_write+0xae5/0x2080 fs/netfs/direct_write.c:189
 netfs_unbuffered_write_iter_locked+0x801/0xab0 fs/netfs/direct_write.c:287
 netfs_unbuffered_write_iter+0x40c/0x710 fs/netfs/direct_write.c:377
 v9fs_file_write_iter+0xbf/0x100 fs/9p/vfs_file.c:409
 new_sync_write fs/read_write.c:595 [inline]
 vfs_write+0x6ac/0x1070 fs/read_write.c:688
 ksys_write+0x12a/0x250 fs/read_write.c:740
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f9e9919c799
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f9e9a09f028 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f9e99415fa0 RCX: 00007f9e9919c799
RDX: 000000000208e24b RSI: 0000200000000000 RDI: 0000000000000003
RBP: 00007f9e99232bd9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f9e99416038 R14: 00007f9e99415fa0 R15: 00007fff05034208
 </TASK>
Modules linked in:
CR2: 0000000000000000
---[ end trace 0000000000000000 ]---
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffffc90003b7fb90 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff88803bd3a5b0 RCX: ffffffff82c49d0a
RDX: ffff88802b9ca4c0 RSI: ffffffff82c49b9c RDI: ffff88803bd3a500
RBP: 0000000000140000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffff88803bd3a598
R13: dffffc0000000000 R14: ffff88803bd3a500 R15: ffff888023066580
FS:  00007f9e9a09f6c0(0000) GS:ffff8880d6644000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000002c65b000 CR4: 0000000000352ef0


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup


* Forwarded: [PATCH] netfs: Fix NULL pointer dereference in netfs_unbuffered_write() on retry
  2026-03-06  6:36 [syzbot] [netfs?] BUG: unable to handle kernel NULL pointer dereference in netfs_unbuffered_write syzbot
@ 2026-03-07  0:12 ` syzbot
  2026-03-07  0:41 ` syzbot
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 11+ messages in thread
From: syzbot @ 2026-03-07  0:12 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] netfs: Fix NULL pointer dereference in netfs_unbuffered_write() on retry
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


When a write subrequest is marked NETFS_SREQ_NEED_RETRY, the retry path
in netfs_unbuffered_write() unconditionally calls stream->prepare_write()
without checking if it is NULL.

Filesystems such as 9P do not set the prepare_write operation, so
stream->prepare_write remains NULL. When get_user_pages() fails with
-EFAULT and the subrequest is flagged for retry, this results in a NULL
pointer dereference at fs/netfs/direct_write.c:189.

Fix this by mirroring the pattern already used in write_retry.c: if
stream->prepare_write is NULL, skip renegotiation and directly reissue
the subrequest via netfs_reissue_write(), which handles iterator reset,
IN_PROGRESS flag, stats update and reissue internally.

Reported-by: syzbot+7227db0fbac9f348dba0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7227db0fbac9f348dba0
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
---
 fs/netfs/direct_write.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/fs/netfs/direct_write.c b/fs/netfs/direct_write.c
index dd1451bf7543..d7295a64f0a9 100644
--- a/fs/netfs/direct_write.c
+++ b/fs/netfs/direct_write.c
@@ -186,10 +186,17 @@ static int netfs_unbuffered_write(struct netfs_io_request *wreq)
 		stream->sreq_max_segs	= INT_MAX;
 
 		netfs_get_subrequest(subreq, netfs_sreq_trace_get_resubmit);
-		stream->prepare_write(subreq);
 
-		__set_bit(NETFS_SREQ_IN_PROGRESS, &subreq->flags);
-		netfs_stat(&netfs_n_wh_retry_write_subreq);
+		if (stream->prepare_write) {
+			stream->prepare_write(subreq);
+			__set_bit(NETFS_SREQ_IN_PROGRESS, &subreq->flags);
+			netfs_stat(&netfs_n_wh_retry_write_subreq);
+		} else {
+			struct iov_iter source;
+			netfs_reset_iter(subreq);
+			source = subreq->io_iter;
+			netfs_reissue_write(stream, subreq, &source);
+		}
 	}
 
 	netfs_unbuffered_write_done(wreq);
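Review bot: the reference taken just above by `netfs_get_subrequest(subreq, netfs_sreq_trace_get_resubmit)` is still acquired on the new `else` path, but that path submits the subrequest immediately via `netfs_reissue_write(stream, subreq, &source)` while the `if` path only prepares and flags it; please confirm the reissue completion drops that reference, otherwise every 9P retry leaks a subrequest. The `else` path also calls `netfs_reset_iter(subreq)` before copying `subreq->io_iter` into `source`, yet the commit message states that `netfs_reissue_write()` "handles iterator reset" itself; either the explicit reset is redundant or the description is inaccurate, and the two should be made to agree. Style nit: kernel style wants a blank line after the `struct iov_iter source;` declaration.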
-- 
2.43.0



* Re: [syzbot] [netfs?] BUG: unable to handle kernel NULL pointer dereference in netfs_unbuffered_write
       [not found] <20260307001235.30412-1-kartikey406@gmail.com>
@ 2026-03-07  0:40 ` syzbot
  0 siblings, 0 replies; 11+ messages in thread
From: syzbot @ 2026-03-07  0:40 UTC (permalink / raw)
  To: kartikey406, linux-kernel, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

lost connection to test machine



[   52.755134][   T40] audit: type=1400 audit(1772843937.457:60): avc:  denied  { rlimitinh } for  pid=5908 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[   52.762936][   T40] audit: type=1400 audit(1772843937.457:61): avc:  denied  { siginh } for  pid=5908 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
Warning: Permanently added '[localhost]:9893' (ED25519) to the list of known hosts.
[   59.078731][   T40] audit: type=1400 audit(1772843943.797:62): avc:  denied  { execute } for  pid=5928 comm="sh" name="syz-execprog" dev="sda1" ino=2020 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1
[   59.085870][   T40] audit: type=1400 audit(1772843943.797:63): avc:  denied  { execute_no_trans } for  pid=5928 comm="sh" path="/syz-execprog" dev="sda1" ino=2020 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1
qemu-system-x86_64: ahci: PRDT length for NCQ command (0x0) is smaller than the requested size (0x99000)
[   59.742863][ T1116] ata1.00: Read log 0x10 page 0x00 failed, Emask 0x1
[   59.745980][ T1116] ata1: failed to read log page 10h (errno=-5)
[   59.748698][ T1116] ata1.00: exception Emask 0x1 SAct 0x40000001 SErr 0x0 action 0x0
[   59.752402][ T1116] ata1.00: irq_stat 0x41000000
[   59.754519][ T1116] ata1.00: failed command: WRITE FPDMA QUEUED
[   59.757324][ T1116] ata1.00: cmd 61/58:00:d6:6d:04/06:00:00:00:00/40 tag 0 ncq dma 831488 out
[   59.757324][ T1116]          res 50/00:00:00:00:00/00:00:00:00:00/00 Emask 0x1 (device error)
[   59.764851][ T1116] ata1.00: status: { DRDY }
[   59.766900][ T1116] ata1.00: failed command: WRITE FPDMA QUEUED
[   59.769743][ T1116] ata1.00: cmd 61/c8:f0:0e:69:04/04:00:00:00:00/40 tag 30 ncq dma 626688 out
[   59.769743][ T1116]          res 50/00:00:00:00:00/00:00:00:00:00/00 Emask 0x1 (device error)
[   59.777328][ T1116] ata1.00: status: { DRDY }
[   59.780442][ T1116] ata1.00: configured for UDMA/100
[   59.783246][ T1116] ata1: EH complete
qemu-system-x86_64: ahci: PRDT length for NCQ command (0x0) is smaller than the requested size (0x400000)
qemu-system-x86_64: ahci: PRDT length for NCQ command (0x0) is smaller than the requested size (0x400000)
[   60.002677][ T1116] ata1.00: Read log 0x10 page 0x00 failed, Emask 0x1
[   60.005615][ T1116] ata1: failed to read log page 10h (errno=-5)
[   60.008370][ T1116] ata1.00: NCQ disabled due to excessive errors
[   60.011117][ T1116] ata1.00: exception Emask 0x1 SAct 0x89000000 SErr 0x0 action 0x0
[   60.014746][ T1116] ata1.00: irq_stat 0x41000000
[   60.016900][ T1116] ata1.00: failed command: WRITE FPDMA QUEUED
[   60.019566][ T1116] ata1.00: cmd 61/00:c0:f6:06:05/20:00:00:00:00/40 tag 24 ncq dma 4194304 ou
[   60.019566][ T1116]          res 50/04:00:00:00:00/00:00:00:00:00/00 Emask 0x1 (device error)
[   60.027211][ T1116] ata1.00: status: { DRDY }
[   60.029244][ T1116] ata1.00: error: { ABRT }
[   60.031278][ T1116] ata1.00: failed command: WRITE FPDMA QUEUED
[   60.034084][ T1116] ata1.00: cmd 61/00:d8:36:61:05/20:00:00:00:00/40 tag 27 ncq dma 4194304 ou
[   60.034084][ T1116]          res 50/04:00:00:00:00/00:00:00:00:00/00 Emask 0x1 (device error)
[   60.041564][ T1116] ata1.00: status: { DRDY }
[   60.043728][ T1116] ata1.00: error: { ABRT }
[   60.045740][ T1116] ata1.00: failed command: WRITE FPDMA QUEUED
[   60.048454][ T1116] ata1.00: cmd 61/38:f8:36:81:05/0d:00:00:00:00/40 tag 31 ncq dma 1732608 ou
[   60.048454][ T1116]          res 50/04:00:00:00:00/00:00:00:00:00/00 Emask 0x1 (device error)
[   60.056127][ T1116] ata1.00: status: { DRDY }
[   60.058176][ T1116] ata1.00: error: { ABRT }
[   60.061129][ T1116] ata1.00: configured for UDMA/100
[   60.064028][ T1116] ata1: EH complete
qemu-system-x86_64: hw/ide/core.c:934: ide_dma_cb: Assertion `prep_size >= 0 && prep_size <= n * 512' failed.
Connection to localhost closed by remote host.


syzkaller build log:



Tested on:

commit:         325a118c Merge tag 'pci-v7.0-fixes-3' of git://git.ker..
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=976ba5a93c4add9e
dashboard link: https://syzkaller.appspot.com/bug?extid=7227db0fbac9f348dba0
compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1223d552580000



* Forwarded: [PATCH] netfs: Fix NULL pointer dereference in netfs_unbuffered_write() on retry
  2026-03-06  6:36 [syzbot] [netfs?] BUG: unable to handle kernel NULL pointer dereference in netfs_unbuffered_write syzbot
  2026-03-07  0:12 ` Forwarded: [PATCH] netfs: Fix NULL pointer dereference in netfs_unbuffered_write() on retry syzbot
@ 2026-03-07  0:41 ` syzbot
  2026-03-07  1:06 ` syzbot
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 11+ messages in thread
From: syzbot @ 2026-03-07  0:41 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] netfs: Fix NULL pointer dereference in netfs_unbuffered_write() on retry
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


When a write subrequest is marked NETFS_SREQ_NEED_RETRY, the retry path
in netfs_unbuffered_write() unconditionally calls stream->prepare_write()
without checking if it is NULL.

Filesystems such as 9P do not set the prepare_write operation, so
stream->prepare_write remains NULL. When get_user_pages() fails with
-EFAULT and the subrequest is flagged for retry, this results in a NULL
pointer dereference at fs/netfs/direct_write.c:189.

Fix this by mirroring the pattern already used in write_retry.c: if
stream->prepare_write is NULL, skip renegotiation and directly reissue
the subrequest via netfs_reissue_write(), which handles iterator reset,
IN_PROGRESS flag, stats update and reissue internally.

Reported-by: syzbot+7227db0fbac9f348dba0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7227db0fbac9f348dba0
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
---
 fs/netfs/direct_write.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/fs/netfs/direct_write.c b/fs/netfs/direct_write.c
index dd1451bf7543..d7295a64f0a9 100644
--- a/fs/netfs/direct_write.c
+++ b/fs/netfs/direct_write.c
@@ -186,10 +186,17 @@ static int netfs_unbuffered_write(struct netfs_io_request *wreq)
 		stream->sreq_max_segs	= INT_MAX;
 
 		netfs_get_subrequest(subreq, netfs_sreq_trace_get_resubmit);
-		stream->prepare_write(subreq);
 
-		__set_bit(NETFS_SREQ_IN_PROGRESS, &subreq->flags);
-		netfs_stat(&netfs_n_wh_retry_write_subreq);
+		if (stream->prepare_write) {
+			stream->prepare_write(subreq);
+			__set_bit(NETFS_SREQ_IN_PROGRESS, &subreq->flags);
+			netfs_stat(&netfs_n_wh_retry_write_subreq);
+		} else {
+			struct iov_iter source;
+			netfs_reset_iter(subreq);
+			source = subreq->io_iter;
+			netfs_reissue_write(stream, subreq, &source);
+		}
 	}
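Review bot: the NULL guard stops the oops, but the hunk retries the subrequest in the `else` path even though, per the report's "netfs: Couldn't get user pages (rc=-14)" line and the commit message, the retry was triggered by get_user_pages() failing with -EFAULT on the caller's own buffer; reissuing the same iterator unchanged will hit the same fault, so it is worth stating in the description (or checking in the loop) whether a NEED_RETRY subrequest with an unpinnable user buffer should be failed through to the writer rather than resubmitted. Also note that `__set_bit(NETFS_SREQ_IN_PROGRESS, ...)` and `netfs_stat(&netfs_n_wh_retry_write_subreq)` are now only reached in the `if` branch; the commit message asserts `netfs_reissue_write()` performs both, so a one-line comment in the `else` branch saying so would save the next reader a trip into write_retry.c.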
 
 	netfs_unbuffered_write_done(wreq);
-- 
2.43.0
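As an added illustration of the bug described in the commit message of the forwarded patch (the same message appears in each forwarded copy), this is a constructed userland model, not kernel code and not the patch author's code: a stream whose optional prepare_write op is left NULL, as 9P leaves it, must be reissued rather than called through. The struct layouts, flag bits, halve_prepare_write and the sample lengths are assumptions made for the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Flag bits, named after the netfs subrequest flags in the patch (assumed values). */
#define NETFS_SREQ_IN_PROGRESS (1u << 0)
#define NETFS_SREQ_NEED_RETRY  (1u << 1)

struct netfs_io_subrequest {
	unsigned int flags;
	size_t len;        /* bytes the subrequest covers */
	size_t iter_pos;   /* consumed offset of the modelled io_iter */
	int prepared;      /* times prepare_write() ran on it */
	int reissued;      /* times it was handed back for submission as-is */
};

struct netfs_io_stream {
	/* Optional op: a filesystem that cannot renegotiate (9P in the report)
	 * leaves this NULL, which is what the unguarded retry path called. */
	void (*prepare_write)(struct netfs_io_subrequest *subreq);
	int retry_stat;    /* stands in for netfs_n_wh_retry_write_subreq */
};

/* Stand-in for netfs_reissue_write(): reset the iterator, mark the
 * subrequest in progress, bump the retry stat and resubmit unchanged. */
static void netfs_reissue_write(struct netfs_io_stream *stream,
				struct netfs_io_subrequest *subreq)
{
	subreq->iter_pos = 0;
	subreq->flags |= NETFS_SREQ_IN_PROGRESS;
	stream->retry_stat++;
	subreq->reissued++;
}

/* Retry path as the patch shapes it: prepare_write is dereferenced only
 * when the stream provides it; otherwise the subrequest is reissued as-is.
 * Returns false when the subrequest did not need a retry at all. */
static bool netfs_retry_write_subreq(struct netfs_io_stream *stream,
				     struct netfs_io_subrequest *subreq)
{
	if (!(subreq->flags & NETFS_SREQ_NEED_RETRY))
		return false;
	subreq->flags &= ~NETFS_SREQ_NEED_RETRY;

	if (stream->prepare_write) {
		stream->prepare_write(subreq);
		subreq->flags |= NETFS_SREQ_IN_PROGRESS;
		stream->retry_stat++;
	} else {
		netfs_reissue_write(stream, subreq);
	}
	return true;
}

/* A filesystem that does renegotiate: halve the subrequest before retry. */
static void halve_prepare_write(struct netfs_io_subrequest *subreq)
{
	subreq->len /= 2;
	subreq->iter_pos = 0;
	subreq->prepared++;
}

/* One subrequest flagged NEED_RETRY, as a failed get_user_pages() leaves it
 * in the report; length and iterator offset are constructed sample values. */
static struct netfs_io_subrequest run_retry(struct netfs_io_stream *stream)
{
	struct netfs_io_subrequest subreq = {
		.flags = NETFS_SREQ_NEED_RETRY, .len = 0x140000, .iter_pos = 0x1000,
	};

	netfs_retry_write_subreq(stream, &subreq);
	return subreq;
}

/* 9P-like stream: no prepare_write, so the subrequest must be reissued. */
static struct netfs_io_subrequest retry_without_prepare_write(void)
{
	struct netfs_io_stream stream = { .prepare_write = NULL };

	return run_retry(&stream);
}

/* Stream that renegotiates: the op runs and no fallback reissue happens. */
static struct netfs_io_subrequest retry_with_prepare_write(void)
{
	struct netfs_io_stream stream = { .prepare_write = halve_prepare_write };

	return run_retry(&stream);
}

int main(void)
{
	struct netfs_io_subrequest a = retry_without_prepare_write();
	struct netfs_io_subrequest b = retry_with_prepare_write();

	printf("no prepare_write:   reissued=%d prepared=%d len=%#zx in_progress=%d\n",
	       a.reissued, a.prepared, a.len, !!(a.flags & NETFS_SREQ_IN_PROGRESS));
	printf("with prepare_write: reissued=%d prepared=%d len=%#zx in_progress=%d\n",
	       b.reissued, b.prepared, b.len, !!(b.flags & NETFS_SREQ_IN_PROGRESS));
	return 0;
}
```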



* Re: [syzbot] [netfs?] BUG: unable to handle kernel NULL pointer dereference in netfs_unbuffered_write
       [not found] <20260307004103.33153-1-kartikey406@gmail.com>
@ 2026-03-07  0:55 ` syzbot
  0 siblings, 0 replies; 11+ messages in thread
From: syzbot @ 2026-03-07  0:55 UTC (permalink / raw)
  To: kartikey406, linux-kernel, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

lost connection to test machine



[   53.006729][   T40] audit: type=1400 audit(1772844781.220:61): avc:  denied  { siginh } for  pid=5916 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
Warning: Permanently added '[localhost]:6261' (ED25519) to the list of known hosts.
[   59.362394][   T40] audit: type=1400 audit(1772844787.600:62): avc:  denied  { execute } for  pid=5934 comm="sh" name="syz-execprog" dev="sda1" ino=2020 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1
[   59.370350][   T40] audit: type=1400 audit(1772844787.600:63): avc:  denied  { execute_no_trans } for  pid=5934 comm="sh" path="/syz-execprog" dev="sda1" ino=2020 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1
qemu-system-x86_64: ahci: PRDT length for NCQ command (0x0) is smaller than the requested size (0x276000)
[   60.287164][ T1115] ata1.00: Read log 0x10 page 0x00 failed, Emask 0x1
[   60.290289][ T1115] ata1: failed to read log page 10h (errno=-5)
[   60.293027][ T1115] ata1.00: exception Emask 0x1 SAct 0x18000000 SErr 0x0 action 0x0
[   60.296801][ T1115] ata1.00: irq_stat 0x41000000
[   60.298945][ T1115] ata1.00: failed command: WRITE FPDMA QUEUED
[   60.301653][ T1115] ata1.00: cmd 61/b0:d8:86:ad:04/13:00:00:00:00/40 tag 27 ncq dma 2580480 ou
[   60.301653][ T1115]          res 50/00:00:00:00:00/00:00:00:00:00/00 Emask 0x1 (device error)
[   60.309312][ T1115] ata1.00: status: { DRDY }
[   60.311350][ T1115] ata1.00: failed command: WRITE FPDMA QUEUED
[   60.314078][ T1115] ata1.00: cmd 61/a8:e0:36:c1:04/06:00:00:00:00/40 tag 28 ncq dma 872448 out
[   60.314078][ T1115]          res 50/00:00:00:00:00/00:00:00:00:00/00 Emask 0x1 (device error)
[   60.321656][ T1115] ata1.00: status: { DRDY }
[   60.325837][ T1115] ata1.00: configured for UDMA/100
[   60.328869][ T1115] ata1: EH complete
qemu-system-x86_64: ahci: PRDT length for NCQ command (0x0) is smaller than the requested size (0x306000)
2026/03/07 00:53:09 parsed 1 programs
[   60.882101][   T40] audit: type=1400 audit(1772844789.120:64): avc:  denied  { node_bind } for  pid=5934 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1
[   63.061673][   T40] audit: type=1400 audit(1772844791.300:65): avc:  denied  { mounton } for  pid=5944 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2023 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[   63.072219][   T40] audit: type=1400 audit(1772844791.310:66): avc:  denied  { mount } for  pid=5944 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[   63.074421][ T5944] cgroup: Unknown subsys name 'net'
[   63.086127][   T40] audit: type=1400 audit(1772844791.330:67): avc:  denied  { unmount } for  pid=5944 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[   63.204323][ T5944] cgroup: Unknown subsys name 'cpuset'
[   63.211220][ T5944] cgroup: Unknown subsys name 'rlimit'
[   63.354811][   T40] audit: type=1400 audit(1772844791.590:68): avc:  denied  { setattr } for  pid=5944 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=849 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[   63.362722][   T40] audit: type=1400 audit(1772844791.590:69): avc:  denied  { create } for  pid=5944 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[   63.371542][   T40] audit: type=1400 audit(1772844791.590:70): avc:  denied  { write } for  pid=5944 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[   63.379823][   T40] audit: type=1400 audit(1772844791.590:71): avc:  denied  { read } for  pid=5944 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[   76.290044][ T1418] ieee802154 phy0 wpan0: encryption failed: -22
[   76.292902][ T1418] ieee802154 phy1 wpan1: encryption failed: -22
[   86.527671][   T71] cfg80211: failed to load regulatory.db
[   90.406172][ T1115] ata1.00: exception Emask 0x0 SAct 0x8000000 SErr 0x0 action 0x6 frozen
[   90.408914][ T1115] ata1.00: failed command: WRITE FPDMA QUEUED
[   90.410920][ T1115] ata1.00: cmd 61/30:d8:06:29:05/18:00:00:00:00/40 tag 27 ncq dma 3170304 ou
[   90.410920][ T1115]          res 40/00:00:00:00:00/00:00:00:00:00/00 Emask 0x4 (timeout)
[   90.417891][ T1115] ata1.00: status: { DRDY }
[   90.419868][ T1115] ata1: hard resetting link
[   90.740475][ T1115] ata1: SATA link up 1.5 Gbps (SStatus 113 SControl 300)
[   90.744117][ T1115] ata1.00: configured for UDMA/100
[   90.746150][ T1115] ata1: EH complete
[   90.797641][ T5947] SELinux:  Context root:object_r:swapfile_t is not valid (left unmapped).
[   90.802207][   T40] kauditd_printk_skb: 6 callbacks suppressed
[   90.802221][   T40] audit: type=1400 audit(1772844819.040:78): avc:  denied  { relabelto } for  pid=5947 comm="mkswap" name="swap-file" dev="sda1" ino=2026 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
qemu-system-x86_64: ahci: PRDT length for NCQ command (0x0) is smaller than the requested size (0xa6000)
[   90.886300][   T40] audit: type=1400 audit(1772844819.120:79): avc:  denied  { write } for  pid=5947 comm="mkswap" path="/swap-file" dev="sda1" ino=2026 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[   90.937311][ T1115] ata1.00: Read log 0x10 page 0x00 failed, Emask 0x1
[   90.940273][ T1115] ata1: failed to read log page 10h (errno=-5)
[   90.943034][ T1115] ata1.00: exception Emask 0x1 SAct 0x4000 SErr 0x0 action 0x0
[   90.946430][ T1115] ata1.00: irq_stat 0x41000008
[   90.948570][ T1115] ata1.00: failed command: WRITE FPDMA QUEUED
[   90.951219][ T1115] ata1.00: cmd 61/30:70:46:90:05/05:00:00:00:00/40 tag 14 ncq dma 679936 out
[   90.951219][ T1115]          res 50/04:00:00:00:00/00:00:00:00:00/00 Emask 0x1 (device error)
[   90.958887][ T1115] ata1.00: status: { DRDY }
[   90.960867][ T1115] ata1.00: error: { ABRT }
[   90.963944][ T1115] ata1.00: configured for UDMA/100
[   90.966577][ T1115] ata1: EH complete
qemu-system-x86_64: ahci: PRDT length for NCQ command (0x0) is smaller than the requested size (0x400000)
[   91.007150][ T1115] ata1.00: Read log 0x10 page 0x00 failed, Emask 0x1
[   91.010097][ T1115] ata1: failed to read log page 10h (errno=-5)
[   91.012787][ T1115] ata1.00: NCQ disabled due to excessive errors
[   91.015506][ T1115] ata1.00: exception Emask 0x1 SAct 0x600000 SErr 0x0 action 0x0
[   91.019092][ T1115] ata1.00: irq_stat 0x41000000
[   91.020807][ T1115] ata1.00: failed command: WRITE FPDMA QUEUED
[   91.022931][ T1115] ata1.00: cmd 61/00:a8:76:95:05/20:00:00:00:00/40 tag 21 ncq dma 4194304 ou
[   91.022931][ T1115]          res 50/04:00:00:00:00/00:00:00:00:00/00 Emask 0x1 (device error)
[   91.029236][ T1115] ata1.00: status: { DRDY }
[   91.030908][ T1115] ata1.00: error: { ABRT }
[   91.032434][ T1115] ata1.00: failed command: WRITE FPDMA QUEUED
[   91.034457][ T1115] ata1.00: cmd 61/30:b0:46:90:05/05:00:00:00:00/40 tag 22 ncq dma 679936 out
[   91.034457][ T1115]          res 50/04:01:00:00:00/00:00:00:00:00/00 Emask 0x1 (device error)
[   91.041746][ T1115] ata1.00: status: { DRDY }
[   91.043252][ T1115] ata1.00: error: { ABRT }
[   91.045632][ T1115] ata1.00: configured for UDMA/100
[   91.048480][ T1115] ata1: EH complete
qemu-system-x86_64: hw/ide/core.c:934: ide_dma_cb: Assertion `prep_size >= 0 && prep_size <= n * 512' failed.
Connection to localhost closed by remote host.


syzkaller build log:



Tested on:

commit:         325a118c Merge tag 'pci-v7.0-fixes-3' of git://git.ker..
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=976ba5a93c4add9e
dashboard link: https://syzkaller.appspot.com/bug?extid=7227db0fbac9f348dba0
compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch:          https://syzkaller.appspot.com/x/patch.diff?x=16cbfb5a580000



* Forwarded: [PATCH] netfs: Fix NULL pointer dereference in netfs_unbuffered_write() on retry
  2026-03-06  6:36 [syzbot] [netfs?] BUG: unable to handle kernel NULL pointer dereference in netfs_unbuffered_write syzbot
  2026-03-07  0:12 ` Forwarded: [PATCH] netfs: Fix NULL pointer dereference in netfs_unbuffered_write() on retry syzbot
  2026-03-07  0:41 ` syzbot
@ 2026-03-07  1:06 ` syzbot
  2026-03-07  3:58 ` syzbot
  2026-03-07  7:27 ` [syzbot] [netfs?] BUG: unable to handle kernel NULL pointer dereference in netfs_unbuffered_write David Howells
  4 siblings, 0 replies; 11+ messages in thread
From: syzbot @ 2026-03-07  1:06 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] netfs: Fix NULL pointer dereference in netfs_unbuffered_write() on retry
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


When a write subrequest is marked NETFS_SREQ_NEED_RETRY, the retry path
in netfs_unbuffered_write() unconditionally calls stream->prepare_write()
without checking if it is NULL.

Filesystems such as 9P do not set the prepare_write operation, so
stream->prepare_write remains NULL. When get_user_pages() fails with
-EFAULT and the subrequest is flagged for retry, this results in a NULL
pointer dereference at fs/netfs/direct_write.c:189.

Fix this by mirroring the pattern already used in write_retry.c: if
stream->prepare_write is NULL, skip renegotiation and directly reissue
the subrequest via netfs_reissue_write(), which handles iterator reset,
IN_PROGRESS flag, stats update and reissue internally.

Reported-by: syzbot+7227db0fbac9f348dba0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7227db0fbac9f348dba0
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
---
 fs/netfs/direct_write.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/fs/netfs/direct_write.c b/fs/netfs/direct_write.c
index dd1451bf7543..d7295a64f0a9 100644
--- a/fs/netfs/direct_write.c
+++ b/fs/netfs/direct_write.c
@@ -186,10 +186,17 @@ static int netfs_unbuffered_write(struct netfs_io_request *wreq)
 		stream->sreq_max_segs	= INT_MAX;
 
 		netfs_get_subrequest(subreq, netfs_sreq_trace_get_resubmit);
-		stream->prepare_write(subreq);
 
-		__set_bit(NETFS_SREQ_IN_PROGRESS, &subreq->flags);
-		netfs_stat(&netfs_n_wh_retry_write_subreq);
+		if (stream->prepare_write) {
+			stream->prepare_write(subreq);
+			__set_bit(NETFS_SREQ_IN_PROGRESS, &subreq->flags);
+			netfs_stat(&netfs_n_wh_retry_write_subreq);
+		} else {
+			struct iov_iter source;
+			netfs_reset_iter(subreq);
+			source = subreq->io_iter;
+			netfs_reissue_write(stream, subreq, &source);
+		}
 	}
 
 	netfs_unbuffered_write_done(wreq);
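Review bot: the else branch calls netfs_reset_iter(subreq) before netfs_reissue_write(), yet the commit message says netfs_reissue_write() "handles iterator reset" internally; either the explicit reset is redundant and can be dropped, or the description should say why the iterator must be reset before `source = subreq->io_iter;` takes its copy. Also, `struct iov_iter source;` needs a blank line after it per kernel coding style (checkpatch will warn), and a short comment at `} else {` noting that prepare_write is optional and that the reissue helper sets NETFS_SREQ_IN_PROGRESS and bumps the stat itself would make the asymmetry with the if branch look deliberate.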
-- 
2.43.0



* Re: [syzbot] [netfs?] BUG: unable to handle kernel NULL pointer dereference in netfs_unbuffered_write
       [not found] <20260307010633.41662-1-kartikey406@gmail.com>
@ 2026-03-07  1:21 ` syzbot
  0 siblings, 0 replies; 11+ messages in thread
From: syzbot @ 2026-03-07  1:21 UTC (permalink / raw)
  To: kartikey406, linux-kernel, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

lost connection to test machine



qemu-system-x86_64: ahci: PRDT length for NCQ command (0x0) is smaller than the requested size (0xec000)
qemu-system-x86_64: ahci: PRDT length for NCQ command (0x0) is smaller than the requested size (0x372000)
qemu-system-x86_64: ahci: PRDT length for NCQ command (0x0) is smaller than the requested size (0x2b4000)
Warning: Permanently added '[localhost]:9553' (ED25519) to the list of known hosts.
[   60.013321][   T40] audit: type=1400 audit(1772846336.792:62): avc:  denied  { execute } for  pid=5928 comm="sh" name="syz-execprog" dev="sda1" ino=2020 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1
[   60.020535][   T40] audit: type=1400 audit(1772846336.802:63): avc:  denied  { execute_no_trans } for  pid=5928 comm="sh" path="/syz-execprog" dev="sda1" ino=2020 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1
2026/03/07 01:18:58 parsed 1 programs
[   61.787218][   T40] audit: type=1400 audit(1772846338.562:64): avc:  denied  { node_bind } for  pid=5928 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1
[   64.314024][   T40] audit: type=1400 audit(1772846341.092:65): avc:  denied  { mounton } for  pid=5937 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2023 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[   64.325364][   T40] audit: type=1400 audit(1772846341.102:66): avc:  denied  { mount } for  pid=5937 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[   64.327352][ T5937] cgroup: Unknown subsys name 'net'
[   64.338664][   T40] audit: type=1400 audit(1772846341.112:67): avc:  denied  { unmount } for  pid=5937 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[   64.492218][ T5937] cgroup: Unknown subsys name 'cpuset'
[   64.497527][ T5937] cgroup: Unknown subsys name 'rlimit'
[   64.697609][   T40] audit: type=1400 audit(1772846341.472:68): avc:  denied  { setattr } for  pid=5937 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=849 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[   64.709106][   T40] audit: type=1400 audit(1772846341.482:69): avc:  denied  { create } for  pid=5937 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[   64.717475][   T40] audit: type=1400 audit(1772846341.482:70): avc:  denied  { write } for  pid=5937 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[   64.726303][   T40] audit: type=1400 audit(1772846341.482:71): avc:  denied  { read } for  pid=5937 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[   76.424366][ T1416] ieee802154 phy0 wpan0: encryption failed: -22
[   76.427236][ T1416] ieee802154 phy1 wpan1: encryption failed: -22
[   86.668293][   T29] cfg80211: failed to load regulatory.db
[  118.059383][ T1113] ata1.00: NCQ disabled due to excessive errors
[  118.062114][ T1113] ata1.00: exception Emask 0x0 SAct 0x40000120 SErr 0x0 action 0x6 frozen
[  118.065797][ T1113] ata1.00: failed command: WRITE FPDMA QUEUED
[  118.068375][ T1113] ata1.00: cmd 61/90:28:36:21:05/1b:00:00:00:00/40 tag 5 ncq dma 3612672 ou
[  118.068375][ T1113]          res 40/00:00:00:00:00/00:00:00:00:00/00 Emask 0x4 (timeout)
[  118.075829][ T1113] ata1.00: status: { DRDY }
[  118.077372][ T1113] ata1.00: failed command: WRITE FPDMA QUEUED
[  118.079529][ T1113] ata1.00: cmd 61/a0:40:36:61:05/15:00:00:00:00/40 tag 8 ncq dma 2834432 ou
[  118.079529][ T1113]          res 40/00:00:00:00:00/00:00:00:00:00/00 Emask 0x4 (timeout)
[  118.084906][ T1113] ata1.00: status: { DRDY }
[  118.086422][ T1113] ata1.00: failed command: WRITE FPDMA QUEUED
[  118.088377][ T1113] ata1.00: cmd 61/60:f0:76:4a:04/07:00:00:00:00/40 tag 30 ncq dma 966656 out
[  118.088377][ T1113]          res 40/00:00:00:00:00/00:00:00:00:00/00 Emask 0x4 (timeout)
[  118.093826][ T1113] ata1.00: status: { DRDY }
[  118.095370][ T1113] ata1: hard resetting link
[  118.414125][ T1113] ata1: SATA link up 1.5 Gbps (SStatus 113 SControl 300)
[  118.417532][ T1113] ata1.00: configured for UDMA/100
[  118.419565][ T1113] ata1: EH complete
qemu-system-x86_64: hw/ide/core.c:934: ide_dma_cb: Assertion `prep_size >= 0 && prep_size <= n * 512' failed.
Connection to localhost closed by remote host.


syzkaller build log:
go env (err=<nil>)
AR='ar'
CC='gcc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='g++'
GCCGO='gccgo'
GO111MODULE='auto'
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build632602998=/tmp/go-build -gno-record-gcc-switches'
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMOD='/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOMODCACHE='/syzkaller/jobs/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/syzkaller/.config/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.24.4'
GOWORK=''
PKG_CONFIG='pkg-config'

git status (err=<nil>)
HEAD detached at d20b04c80a0
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=d20b04c80a01e68026299511a6ba77cc67a198f5 -X github.com/google/syzkaller/prog.gitRevisionDate=20260305-101922"  ./sys/syz-sysgen | grep -q false || go install -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=d20b04c80a01e68026299511a6ba77cc67a198f5 -X github.com/google/syzkaller/prog.gitRevisionDate=20260305-101922"  ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=d20b04c80a01e68026299511a6ba77cc67a198f5 -X github.com/google/syzkaller/prog.gitRevisionDate=20260305-101922"  -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
	-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include   -DGOOS_linux=1 -DGOARCH_amd64=1 \
	-DHOSTGOOS_linux=1 -DGIT_REVISION=\"d20b04c80a01e68026299511a6ba77cc67a198f5\"
/usr/bin/ld: /tmp/ccWzPJKl.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x386): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
./tools/check-syzos.sh 2>/dev/null



Tested on:

commit:         325a118c Merge tag 'pci-v7.0-fixes-3' of git://git.ker..
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=976ba5a93c4add9e
dashboard link: https://syzkaller.appspot.com/bug?extid=7227db0fbac9f348dba0
compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch:          https://syzkaller.appspot.com/x/patch.diff?x=12486b5a580000



* Forwarded: [PATCH] netfs: Fix NULL pointer dereference in netfs_unbuffered_write() on retry
  2026-03-06  6:36 [syzbot] [netfs?] BUG: unable to handle kernel NULL pointer dereference in netfs_unbuffered_write syzbot
                   ` (2 preceding siblings ...)
  2026-03-07  1:06 ` syzbot
@ 2026-03-07  3:58 ` syzbot
  2026-03-07  7:27 ` [syzbot] [netfs?] BUG: unable to handle kernel NULL pointer dereference in netfs_unbuffered_write David Howells
  4 siblings, 0 replies; 11+ messages in thread
From: syzbot @ 2026-03-07  3:58 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] netfs: Fix NULL pointer dereference in netfs_unbuffered_write() on retry
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


When a write subrequest is marked NETFS_SREQ_NEED_RETRY, the retry path
in netfs_unbuffered_write() unconditionally calls stream->prepare_write()
without checking if it is NULL.

Filesystems such as 9P do not set the prepare_write operation, so
stream->prepare_write remains NULL. When get_user_pages() fails with
-EFAULT and the subrequest is flagged for retry, this results in a NULL
pointer dereference at fs/netfs/direct_write.c:189.

Fix this by mirroring the pattern already used in write_retry.c: if
stream->prepare_write is NULL, skip renegotiation and directly reissue
the subrequest via netfs_reissue_write(), which handles iterator reset,
IN_PROGRESS flag, stats update and reissue internally.

Reported-by: syzbot+7227db0fbac9f348dba0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7227db0fbac9f348dba0
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
---
 fs/netfs/direct_write.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/fs/netfs/direct_write.c b/fs/netfs/direct_write.c
index dd1451bf7543..d7295a64f0a9 100644
--- a/fs/netfs/direct_write.c
+++ b/fs/netfs/direct_write.c
@@ -186,10 +186,17 @@ static int netfs_unbuffered_write(struct netfs_io_request *wreq)
 		stream->sreq_max_segs	= INT_MAX;
 
 		netfs_get_subrequest(subreq, netfs_sreq_trace_get_resubmit);
-		stream->prepare_write(subreq);
 
-		__set_bit(NETFS_SREQ_IN_PROGRESS, &subreq->flags);
-		netfs_stat(&netfs_n_wh_retry_write_subreq);
+		if (stream->prepare_write) {
+			stream->prepare_write(subreq);
+			__set_bit(NETFS_SREQ_IN_PROGRESS, &subreq->flags);
+			netfs_stat(&netfs_n_wh_retry_write_subreq);
+		} else {
+			struct iov_iter source;
+			netfs_reset_iter(subreq);
+			source = subreq->io_iter;
+			netfs_reissue_write(stream, subreq, &source);
+		}
 	}
 
 	netfs_unbuffered_write_done(wreq);
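Review bot: the reference taken by `netfs_get_subrequest(subreq, netfs_sreq_trace_get_resubmit);` stays above the new if/else, so it is now taken on both paths, while only the original prepare_write path existed before this change; the hunk does not show where the reissue path releases it, so it is worth confirming that netfs_reissue_write()'s completion path balances that get, otherwise the fallback would leak a subrequest reference on every retry. Separately, the missing blank line after the `struct iov_iter source;` declaration is a style issue checkpatch reports.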
-- 
2.43.0



* Re: [syzbot] [netfs?] BUG: unable to handle kernel NULL pointer dereference in netfs_unbuffered_write
       [not found] <20260307035819.274540-1-kartikey406@gmail.com>
@ 2026-03-07  4:19 ` syzbot
  0 siblings, 0 replies; 11+ messages in thread
From: syzbot @ 2026-03-07  4:19 UTC (permalink / raw)
  To: kartikey406, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+7227db0fbac9f348dba0@syzkaller.appspotmail.com
Tested-by: syzbot+7227db0fbac9f348dba0@syzkaller.appspotmail.com

Tested on:

commit:         325a118c Merge tag 'pci-v7.0-fixes-3' of git://git.ker..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12be9552580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=976ba5a93c4add9e
dashboard link: https://syzkaller.appspot.com/bug?extid=7227db0fbac9f348dba0
compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch:          https://syzkaller.appspot.com/x/patch.diff?x=179cd8d6580000

Note: testing is done by a robot and is best-effort only.


* Re: [syzbot] [netfs?] BUG: unable to handle kernel NULL pointer dereference in netfs_unbuffered_write
  2026-03-06  6:36 [syzbot] [netfs?] BUG: unable to handle kernel NULL pointer dereference in netfs_unbuffered_write syzbot
                   ` (3 preceding siblings ...)
  2026-03-07  3:58 ` syzbot
@ 2026-03-07  7:27 ` David Howells
  2026-03-07  8:00   ` syzbot
  4 siblings, 1 reply; 11+ messages in thread
From: David Howells @ 2026-03-07  7:27 UTC (permalink / raw)
  To: syzbot
  Cc: dhowells, Deepanshu Kartikey, linux-fsdevel, linux-kernel, netfs,
	pc, syzkaller-bugs

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git c107785c7e8d

commit eb8299de8f603a6d7acf50e534c87ac1adeb3060
Author: Deepanshu Kartikey <kartikey406@gmail.com>
Date:   Sat Mar 7 10:09:47 2026 +0530

    netfs: Fix NULL pointer dereference in netfs_unbuffered_write() on retry
    
    When a write subrequest is marked NETFS_SREQ_NEED_RETRY, the retry path
    in netfs_unbuffered_write() unconditionally calls stream->prepare_write()
    without checking if it is NULL.
    
    Filesystems such as 9P do not set the prepare_write operation, so
    stream->prepare_write remains NULL. When get_user_pages() fails with
    -EFAULT and the subrequest is flagged for retry, this results in a NULL
    pointer dereference at fs/netfs/direct_write.c:189.
    
    Fix this by mirroring the pattern already used in write_retry.c: if
    stream->prepare_write is NULL, skip renegotiation and directly reissue
    the subrequest via netfs_reissue_write(), which handles iterator reset,
    IN_PROGRESS flag, stats update and reissue internally.
    
    Fixes: a0b4c7a49137 ("netfs: Fix unbuffered/DIO writes to dispatch subrequests in strict sequence")
    Reported-by: syzbot+7227db0fbac9f348dba0@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=7227db0fbac9f348dba0
    Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>

diff --git a/fs/netfs/direct_write.c b/fs/netfs/direct_write.c
index dd1451bf7543..4d9760e36c11 100644
--- a/fs/netfs/direct_write.c
+++ b/fs/netfs/direct_write.c
@@ -186,10 +186,18 @@ static int netfs_unbuffered_write(struct netfs_io_request *wreq)
 		stream->sreq_max_segs	= INT_MAX;
 
 		netfs_get_subrequest(subreq, netfs_sreq_trace_get_resubmit);
-		stream->prepare_write(subreq);
 
-		__set_bit(NETFS_SREQ_IN_PROGRESS, &subreq->flags);
-		netfs_stat(&netfs_n_wh_retry_write_subreq);
+		if (stream->prepare_write) {
+			stream->prepare_write(subreq);
+			__set_bit(NETFS_SREQ_IN_PROGRESS, &subreq->flags);
+			netfs_stat(&netfs_n_wh_retry_write_subreq);
+		} else {
+			struct iov_iter source;
+
+			netfs_reset_iter(subreq);
+			source = subreq->io_iter;
+			netfs_reissue_write(stream, subreq, &source);
+		}
 	}
 
 	netfs_unbuffered_write_done(wreq);
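Review bot: the two branches now account retries differently: the if branch increments netfs_n_wh_retry_write_subreq explicitly, while the else branch relies on whatever netfs_reissue_write() counts internally, so a retry on a filesystem without prepare_write may not show up under the same counter. If that is intended, a one-line comment at `} else {` saying that netfs_reissue_write() handles the IN_PROGRESS flag and stats itself would stop the next reader from treating the omission as a bug; if not, the stat should be bumped before the else's call as well. The blank line after the declaration is correctly present in this version.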



* Re: [syzbot] [netfs?] BUG: unable to handle kernel NULL pointer dereference in netfs_unbuffered_write
  2026-03-07  7:27 ` [syzbot] [netfs?] BUG: unable to handle kernel NULL pointer dereference in netfs_unbuffered_write David Howells
@ 2026-03-07  8:00   ` syzbot
  0 siblings, 0 replies; 11+ messages in thread
From: syzbot @ 2026-03-07  8:00 UTC (permalink / raw)
  To: dhowells, kartikey406, linux-fsdevel, linux-kernel, netfs, pc,
	syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+7227db0fbac9f348dba0@syzkaller.appspotmail.com
Tested-by: syzbot+7227db0fbac9f348dba0@syzkaller.appspotmail.com

Tested on:

commit:         c107785c Merge tag 'modules-7.0-rc3.fixes' of git://gi..
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=11d4db5a580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=976ba5a93c4add9e
dashboard link: https://syzkaller.appspot.com/bug?extid=7227db0fbac9f348dba0
compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1464db5a580000

Note: testing is done by a robot and is best-effort only.

