* [syzbot] [block?] general protection fault in bio_add_page
@ 2026-03-20 22:44 syzbot
2026-03-21 8:36 ` Forwarded: [PATCH] ext4: fix NULL page dereference in ext4_bio_write_folio() with large folios syzbot
` (3 more replies)
0 siblings, 4 replies; 9+ messages in thread
From: syzbot @ 2026-03-20 22:44 UTC (permalink / raw)
To: axboe, linux-block, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 8e42d2514a7e Add linux-next specific files for 20260318
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=139b34ba580000
kernel config: https://syzkaller.appspot.com/x/.config?x=1da705b17f2649a3
dashboard link: https://syzkaller.appspot.com/bug?extid=ed8bc247f231c1a48e21
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=108d7352580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/64c940773401/disk-8e42d251.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/aa7a94376665/vmlinux-8e42d251.xz
kernel image: https://storage.googleapis.com/syzbot-assets/5a7ab603c859/bzImage-8e42d251.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ed8bc247f231c1a48e21@syzkaller.appspotmail.com
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 UID: 0 PID: 35 Comm: kworker/u8:2 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Workqueue: writeback wb_workfn (flush-8:0)
RIP: 0010:bvec_set_page include/linux/bvec.h:44 [inline]
RIP: 0010:__bio_add_page block/bio.c:992 [inline]
RIP: 0010:bio_add_page+0x462/0x6e0 block/bio.c:1048
Code: fd 48 8b 1b 48 8b 44 24 30 42 0f b6 04 30 84 c0 0f 85 c3 01 00 00 48 8b 14 24 0f b7 02 c1 e0 04 48 01 c3 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 0c 48 89 df e8 5f da a3 fd 48 8b 14 24 48 8b 44
RSP: 0000:ffffc90000ab6b80 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88801eac3d00
RDX: ffff88802cd6ea78 RSI: 00000000ffffefff RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffea0001b06147 R09: 1ffffd4000360c28
R10: dffffc0000000000 R11: fffff94000360c29 R12: 1ffff110059add4f
R13: 0000000000001000 R14: dffffc0000000000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff888124de1000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f9bc55ed6b8 CR3: 00000000769ea000 CR4: 00000000003526f0
Call Trace:
<TASK>
bio_add_folio+0x64/0x90 block/bio.c:1084
io_submit_add_bh fs/ext4/page-io.c:465 [inline]
ext4_bio_write_folio+0x1446/0x1ea0 fs/ext4/page-io.c:603
mpage_map_and_submit_buffers fs/ext4/inode.c:2326 [inline]
mpage_map_and_submit_extent fs/ext4/inode.c:2516 [inline]
ext4_do_writepages+0x207e/0x46e0 fs/ext4/inode.c:2928
ext4_writepages+0x241/0x3b0 fs/ext4/inode.c:3022
do_writepages+0x32e/0x550 mm/page-writeback.c:2554
__writeback_single_inode+0x133/0x11a0 fs/fs-writeback.c:1750
writeback_sb_inodes+0x992/0x1a20 fs/fs-writeback.c:2042
__writeback_inodes_wb+0x111/0x240 fs/fs-writeback.c:2118
wb_writeback+0x46a/0xb70 fs/fs-writeback.c:2229
wb_check_start_all fs/fs-writeback.c:2355 [inline]
wb_do_writeback fs/fs-writeback.c:2381 [inline]
wb_workfn+0x95b/0xf50 fs/fs-writeback.c:2414
process_one_work+0x9ab/0x1780 kernel/workqueue.c:3288
process_scheduled_works kernel/workqueue.c:3379 [inline]
worker_thread+0xba8/0x11e0 kernel/workqueue.c:3465
kthread+0x388/0x470 kernel/kthread.c:436
ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:bvec_set_page include/linux/bvec.h:44 [inline]
RIP: 0010:__bio_add_page block/bio.c:992 [inline]
RIP: 0010:bio_add_page+0x462/0x6e0 block/bio.c:1048
Code: fd 48 8b 1b 48 8b 44 24 30 42 0f b6 04 30 84 c0 0f 85 c3 01 00 00 48 8b 14 24 0f b7 02 c1 e0 04 48 01 c3 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 0c 48 89 df e8 5f da a3 fd 48 8b 14 24 48 8b 44
RSP: 0000:ffffc90000ab6b80 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88801eac3d00
RDX: ffff88802cd6ea78 RSI: 00000000ffffefff RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffea0001b06147 R09: 1ffffd4000360c28
R10: dffffc0000000000 R11: fffff94000360c29 R12: 1ffff110059add4f
R13: 0000000000001000 R14: dffffc0000000000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff888124ee1000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005577be56a168 CR3: 000000002552e000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
0: fd std
1: 48 8b 1b mov (%rbx),%rbx
4: 48 8b 44 24 30 mov 0x30(%rsp),%rax
9: 42 0f b6 04 30 movzbl (%rax,%r14,1),%eax
e: 84 c0 test %al,%al
10: 0f 85 c3 01 00 00 jne 0x1d9
16: 48 8b 14 24 mov (%rsp),%rdx
1a: 0f b7 02 movzwl (%rdx),%eax
1d: c1 e0 04 shl $0x4,%eax
20: 48 01 c3 add %rax,%rbx
23: 48 89 d8 mov %rbx,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 30 00 cmpb $0x0,(%rax,%r14,1) <-- trapping instruction
2f: 74 0c je 0x3d
31: 48 89 df mov %rbx,%rdi
34: e8 5f da a3 fd call 0xfda3da98
39: 48 8b 14 24 mov (%rsp),%rdx
3d: 48 rex.W
3e: 8b .byte 0x8b
3f: 44 rex.R
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 9+ messages in thread
* Forwarded: [PATCH] ext4: fix NULL page dereference in ext4_bio_write_folio() with large folios
2026-03-20 22:44 [syzbot] [block?] general protection fault in bio_add_page syzbot
@ 2026-03-21 8:36 ` syzbot
2026-03-21 12:15 ` Forwarded: [PATCH] ext4: fix general protection fault in bio_add_page for encrypted " syzbot
` (2 subsequent siblings)
3 siblings, 0 replies; 9+ messages in thread
From: syzbot @ 2026-03-21 8:36 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] ext4: fix NULL page dereference in ext4_bio_write_folio() with large folios
Author: kartikey406@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
When blocksize < PAGE_SIZE, a folio can span multiple pages with
multiple buffer heads. ext4_bio_write_folio() encrypted the entire
folio once with offset=0 via fscrypt_encrypt_pagecache_blocks(),
which always returns a single bounce page covering only the first
page of the folio.
When the write loop iterated over buffer heads beyond the first page,
bio_add_folio() calculated nr = bh_offset(bh) / PAGE_SIZE which was
non-zero for bh's on subsequent pages. folio_page(io_folio, nr) then
went out of bounds on the single page bounce folio, returning a NULL
or garbage page pointer, causing a NULL pointer dereference in
bvec_set_page().
Fix this by moving the encryption inside the write loop and encrypting
per buffer head using the correct offset within the folio via
offset_in_folio(folio, bh->b_data). Each buffer head now gets its own
bounce page at index 0, so folio_page(io_folio, 0) is always valid.
The existing retry logic for -ENOMEM is preserved.
Reported-by: syzbot+ed8bc247f231c1a48e21@syzkaller.appspotmail.com
Signed-off-by: Deepanshu kartikey <Kartikey406@gmail.com>
---
fs/ext4/page-io.c | 87 +++++++++++++++++++++++------------------------
1 file changed, 43 insertions(+), 44 deletions(-)
diff --git a/fs/ext4/page-io.c b/fs/ext4/page-io.c
index a8c95eee91b7..d7114171cd52 100644
--- a/fs/ext4/page-io.c
+++ b/fs/ext4/page-io.c
@@ -537,56 +537,55 @@ int ext4_bio_write_folio(struct ext4_io_submit *io, struct folio *folio,
* (e.g. holes) to be unnecessarily encrypted, but this is rare and
* can't happen in the common case of blocksize == PAGE_SIZE.
*/
- if (fscrypt_inode_uses_fs_layer_crypto(inode)) {
- gfp_t gfp_flags = GFP_NOFS;
- unsigned int enc_bytes = round_up(len, i_blocksize(inode));
- struct page *bounce_page;
-
- /*
- * Since bounce page allocation uses a mempool, we can only use
- * a waiting mask (i.e. request guaranteed allocation) on the
- * first page of the bio. Otherwise it can deadlock.
- */
- if (io->io_bio)
- gfp_flags = GFP_NOWAIT;
- retry_encrypt:
- bounce_page = fscrypt_encrypt_pagecache_blocks(folio,
- enc_bytes, 0, gfp_flags);
- if (IS_ERR(bounce_page)) {
- ret = PTR_ERR(bounce_page);
- if (ret == -ENOMEM &&
- (io->io_bio || wbc->sync_mode == WB_SYNC_ALL)) {
- gfp_t new_gfp_flags = GFP_NOFS;
- if (io->io_bio)
- ext4_io_submit(io);
- else
- new_gfp_flags |= __GFP_NOFAIL;
- memalloc_retry_wait(gfp_flags);
- gfp_flags = new_gfp_flags;
- goto retry_encrypt;
- }
-
- printk_ratelimited(KERN_ERR "%s: ret = %d\n", __func__, ret);
- folio_redirty_for_writepage(wbc, folio);
- do {
- if (buffer_async_write(bh)) {
- clear_buffer_async_write(bh);
- set_buffer_dirty(bh);
- }
- bh = bh->b_this_page;
- } while (bh != head);
-
- return ret;
- }
- io_folio = page_folio(bounce_page);
- }
-
__folio_start_writeback(folio, keep_towrite);
/* Now submit buffers to write */
do {
if (!buffer_async_write(bh))
continue;
+ if (fscrypt_inode_uses_fs_layer_crypto(inode)) {
+ gfp_t gfp_flags = GFP_NOFS;
+ struct page *bounce_page;
+ /*
+ * Since bounce page allocation uses a mempool, we can
+ * only use a waiting mask (i.e. request guaranteed
+ * allocation) on the first page of the bio.
+ * Otherwise it can deadlock.
+ */
+ if (io->io_bio)
+ gfp_flags = GFP_NOWAIT;
+ retry_encrypt:
+ bounce_page = fscrypt_encrypt_pagecache_blocks(folio,
+ bh->b_size,
+ offset_in_folio(folio, bh->b_data),
+ gfp_flags);
+ if (IS_ERR(bounce_page)) {
+ ret = PTR_ERR(bounce_page);
+ if (ret == -ENOMEM &&
+ (io->io_bio || wbc->sync_mode == WB_SYNC_ALL)) {
+ gfp_t new_gfp_flags = GFP_NOFS;
+ if (io->io_bio)
+ ext4_io_submit(io);
+ else
+ new_gfp_flags |= __GFP_NOFAIL;
+ memalloc_retry_wait(gfp_flags);
+ gfp_flags = new_gfp_flags;
+ goto retry_encrypt;
+ }
+ printk_ratelimited(KERN_ERR "%s: ret = %d\n",
+ __func__, ret);
+ folio_redirty_for_writepage(wbc, folio);
+ do {
+ if (buffer_async_write(bh)) {
+ clear_buffer_async_write(bh);
+ set_buffer_dirty(bh);
+ }
+ bh = bh->b_this_page;
+ } while (bh != head);
+ return ret;
+ }
+ io_folio = page_folio(bounce_page);
+ }
io_submit_add_bh(io, inode, folio, io_folio, bh);
} while ((bh = bh->b_this_page) != head);
--
2.43.0
^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [syzbot] [block?] general protection fault in bio_add_page
[not found] <20260321083622.1124160-1-kartikey406@gmail.com>
@ 2026-03-21 10:42 ` syzbot
0 siblings, 0 replies; 9+ messages in thread
From: syzbot @ 2026-03-21 10:42 UTC (permalink / raw)
To: kartikey406, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
SYZFAIL: failed to recv rpc
SYZFAIL: failed to recv rpc
fd=3 want=4 recv=0 n=-1 (errno 104: Connection reset by peer)
Tested on:
commit: a0c83177 Merge tag 'drm-fixes-2026-03-21' of https://g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16ae01d6580000
kernel config: https://syzkaller.appspot.com/x/.config?x=a583012a914ba435
dashboard link: https://syzkaller.appspot.com/bug?extid=ed8bc247f231c1a48e21
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=151d4cba580000
^ permalink raw reply [flat|nested] 9+ messages in thread
* Forwarded: [PATCH] ext4: fix general protection fault in bio_add_page for encrypted large folios
2026-03-20 22:44 [syzbot] [block?] general protection fault in bio_add_page syzbot
2026-03-21 8:36 ` Forwarded: [PATCH] ext4: fix NULL page dereference in ext4_bio_write_folio() with large folios syzbot
@ 2026-03-21 12:15 ` syzbot
2026-03-22 2:14 ` Forwarded: [PATCH] ext4: fix null-ptr-deref in bio_add_folio syzbot
2026-03-22 4:41 ` Forwarded: [PATCH] blktrace: reject buf_size smaller than struct blk_io_trace syzbot
3 siblings, 0 replies; 9+ messages in thread
From: syzbot @ 2026-03-21 12:15 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] ext4: fix general protection fault in bio_add_page for encrypted large folios
Author: kartikey406@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
When writing back an encrypted file, ext4_bio_write_folio() encrypts the
folio into a single-page bounce buffer and passes it as io_folio to
io_submit_add_bh(). The offset passed to bio_add_folio() was always
bh_offset(bh), which is relative to the original folio.
For a large folio this offset can exceed PAGE_SIZE. bio_add_folio() calls
folio_page(io_folio, off >> PAGE_SHIFT) which computes &folio->page + N.
For a single-page bounce folio with N >= 1 this is out-of-bounds, causing
a general protection fault caught by KASAN:
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:bvec_set_page include/linux/bvec.h:44 [inline]
RIP: 0010:bio_add_page+0x462/0x6e0 block/bio.c:1048
Fix this by computing io_off at the call site. For the non-encrypted path
io_folio == folio so bh_offset(bh) is used unchanged. For the encrypted
path the bounce page is always a single PAGE_SIZE page, so the offset is
taken modulo PAGE_SIZE to map it correctly into the bounce page.
Using hardcoded 0 would be wrong for sub-page block sizes (e.g. 1024-byte
blocks) where multiple buffer heads exist within one page at offsets
0, 1024, 2048, 3072 etc. bh_offset(bh) % PAGE_SIZE handles all block
sizes correctly.
Reported-by: syzbot+ed8bc247f231c1a48e21@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=ed8bc247f231c1a48e21
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
---
fs/ext4/page-io.c | 18 +++++++++++++++---
1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/fs/ext4/page-io.c b/fs/ext4/page-io.c
index a8c95eee91b7..006b2f5173de 100644
--- a/fs/ext4/page-io.c
+++ b/fs/ext4/page-io.c
@@ -438,7 +438,8 @@ static void io_submit_add_bh(struct ext4_io_submit *io,
struct inode *inode,
struct folio *folio,
struct folio *io_folio,
- struct buffer_head *bh)
+ struct buffer_head *bh,
+ size_t io_off)
{
if (io->io_bio && (bh->b_blocknr != io->io_next_block ||
!fscrypt_mergeable_bio_bh(io->io_bio, bh))) {
@@ -449,7 +450,7 @@ static void io_submit_add_bh(struct ext4_io_submit *io,
io_submit_init_bio(io, bh);
io->io_bio->bi_write_hint = inode->i_write_hint;
}
- if (!bio_add_folio(io->io_bio, io_folio, bh->b_size, bh_offset(bh)))
+ if (!bio_add_folio(io->io_bio, io_folio, bh->b_size, io_off))
goto submit_and_retry;
wbc_account_cgroup_owner(io->io_wbc, folio, bh->b_size);
io->io_next_block++;
@@ -585,9 +586,20 @@ int ext4_bio_write_folio(struct ext4_io_submit *io, struct folio *folio,
/* Now submit buffers to write */
do {
+ size_t io_off;
+
if (!buffer_async_write(bh))
continue;
- io_submit_add_bh(io, inode, folio, io_folio, bh);
+ /*
+ * When io_folio is a single-page bounce buffer (fscrypt),
+ * normalise to PAGE_SIZE to handle all block sizes correctly.
+ * Using 0 would break sub-page block sizes (e.g. 1024-byte
+ * blocks) where multiple bh offsets exist within one page
+ */
+ io_off = (io_folio == folio)
+ ? bh_offset(bh)
+ : bh_offset(bh) % PAGE_SIZE;
+ io_submit_add_bh(io, inode, folio, io_folio, bh, io_off);
} while ((bh = bh->b_this_page) != head);
return 0;
--
2.43.0
^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [syzbot] [block?] general protection fault in bio_add_page
[not found] <20260321121459.1128687-1-kartikey406@gmail.com>
@ 2026-03-21 12:42 ` syzbot
0 siblings, 0 replies; 9+ messages in thread
From: syzbot @ 2026-03-21 12:42 UTC (permalink / raw)
To: kartikey406, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
SYZFAIL: failed to recv rpc
SYZFAIL: failed to recv rpc
fd=3 want=4 recv=0 n=-1 (errno 104: Connection reset by peer)
Tested on:
commit: a0c83177 Merge tag 'drm-fixes-2026-03-21' of https://g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13e40b52580000
kernel config: https://syzkaller.appspot.com/x/.config?x=a583012a914ba435
dashboard link: https://syzkaller.appspot.com/bug?extid=ed8bc247f231c1a48e21
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=11019e02580000
^ permalink raw reply [flat|nested] 9+ messages in thread
* Forwarded: [PATCH] ext4: fix null-ptr-deref in bio_add_folio
2026-03-20 22:44 [syzbot] [block?] general protection fault in bio_add_page syzbot
2026-03-21 8:36 ` Forwarded: [PATCH] ext4: fix NULL page dereference in ext4_bio_write_folio() with large folios syzbot
2026-03-21 12:15 ` Forwarded: [PATCH] ext4: fix general protection fault in bio_add_page for encrypted " syzbot
@ 2026-03-22 2:14 ` syzbot
2026-03-22 4:41 ` Forwarded: [PATCH] blktrace: reject buf_size smaller than struct blk_io_trace syzbot
3 siblings, 0 replies; 9+ messages in thread
From: syzbot @ 2026-03-22 2:14 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] ext4: fix null-ptr-deref in bio_add_folio
Author: kartikey406@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
bio_alloc() is called with BIO_MAX_VECS=256 which exceeds
BIO_INLINE_VECS=4, so the bvec array is allocated separately.
Under GFP_NOIO memory pressure this allocation can fail and
bio_alloc() returns NULL.
io_submit_init_bio() does not check for NULL, so NULL gets
stored in io->io_bio and causes a null-ptr-deref when
bio_add_folio() tries to use it.
Fix by adding __GFP_DIRECT_RECLAIM to guarantee the allocation
always succeeds, as documented in bio_alloc_bioset().
Reported-by: syzbot+ed8bc247f231c1a48e21@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=ed8bc247f231c1a48e21
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
---
fs/ext4/page-io.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/fs/ext4/page-io.c b/fs/ext4/page-io.c
index a8c95eee91b7..aea28e5a5665 100644
--- a/fs/ext4/page-io.c
+++ b/fs/ext4/page-io.c
@@ -423,8 +423,14 @@ static void io_submit_init_bio(struct ext4_io_submit *io,
/*
* bio_alloc will _always_ be able to allocate a bio if
* __GFP_DIRECT_RECLAIM is set, see comments for bio_alloc_bioset().
- */
- bio = bio_alloc(bh->b_bdev, BIO_MAX_VECS, REQ_OP_WRITE, GFP_NOIO);
+ * We must use __GFP_DIRECT_RECLAIM to guarantee the bvec array
+ * allocation succeeds - BIO_MAX_VECS exceeds BIO_INLINE_VECS so
+ * bio_alloc_bioset() allocates the bvec array separately, which
+ * can fail under GFP_NOIO memory pressure, leaving bi_io_vec NULL
+ * and causing a null-ptr-deref in bio_add_folio().
+ */
+ bio = bio_alloc(bh->b_bdev, BIO_MAX_VECS, REQ_OP_WRITE,
+ GFP_NOIO | __GFP_DIRECT_RECLAIM);
fscrypt_set_bio_crypt_ctx_bh(bio, bh, GFP_NOIO);
bio->bi_iter.bi_sector = bh->b_blocknr * (bh->b_size >> 9);
bio->bi_end_io = ext4_end_bio;
--
2.43.0
^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [syzbot] [block?] general protection fault in bio_add_page
[not found] <20260322021410.1133285-1-kartikey406@gmail.com>
@ 2026-03-22 2:54 ` syzbot
0 siblings, 0 replies; 9+ messages in thread
From: syzbot @ 2026-03-22 2:54 UTC (permalink / raw)
To: kartikey406, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in blk_trace_ioctl
INFO: task syz.3.20:6446 blocked for more than 143 seconds.
Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.3.20 state:D stack:28296 pid:6446 tgid:6441 ppid:6252 task_flags:0x400040 flags:0x00080002
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5298 [inline]
__schedule+0x15dd/0x52d0 kernel/sched/core.c:6911
__schedule_loop kernel/sched/core.c:6993 [inline]
schedule+0x164/0x360 kernel/sched/core.c:7008
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7065
__mutex_lock_common kernel/locking/mutex.c:692 [inline]
__mutex_lock+0x7fe/0x1300 kernel/locking/mutex.c:776
blk_debugfs_lock_nomemsave block/blk.h:740 [inline]
blk_trace_remove kernel/trace/blktrace.c:561 [inline]
blk_trace_ioctl+0x39a/0x920 kernel/trace/blktrace.c:952
blkdev_common_ioctl+0x13a7/0x3250 block/ioctl.c:724
blkdev_ioctl+0x528/0x740 block/ioctl.c:798
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5c85f9c799
RSP: 002b:00007f5c86de0028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f5c86216090 RCX: 00007f5c85f9c799
RDX: 0000000000000000 RSI: 0000000000001276 RDI: 0000000000000006
RBP: 00007f5c86032c99 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f5c86216128 R14: 00007f5c86216090 R15: 00007ffe89800468
</TASK>
INFO: task syz.2.19:6447 blocked for more than 144 seconds.
Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.2.19 state:D stack:28488 pid:6447 tgid:6444 ppid:6250 task_flags:0x400040 flags:0x00080002
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5298 [inline]
__schedule+0x15dd/0x52d0 kernel/sched/core.c:6911
__schedule_loop kernel/sched/core.c:6993 [inline]
schedule+0x164/0x360 kernel/sched/core.c:7008
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7065
__mutex_lock_common kernel/locking/mutex.c:692 [inline]
__mutex_lock+0x7fe/0x1300 kernel/locking/mutex.c:776
blk_debugfs_lock_nomemsave block/blk.h:740 [inline]
blk_trace_remove kernel/trace/blktrace.c:561 [inline]
blk_trace_ioctl+0x39a/0x920 kernel/trace/blktrace.c:952
blkdev_common_ioctl+0x13a7/0x3250 block/ioctl.c:724
blkdev_ioctl+0x528/0x740 block/ioctl.c:798
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fbe8d19c799
RSP: 002b:00007fbe8dfea028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fbe8d416090 RCX: 00007fbe8d19c799
RDX: 0000000000000000 RSI: 0000000000001276 RDI: 0000000000000006
RBP: 00007fbe8d232c99 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fbe8d416128 R14: 00007fbe8d416090 R15: 00007ffe5115dce8
</TASK>
INFO: task syz.1.18:6455 blocked for more than 144 seconds.
Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.1.18 state:D stack:27264 pid:6455 tgid:6454 ppid:6251 task_flags:0x480040 flags:0x00080002
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5298 [inline]
__schedule+0x15dd/0x52d0 kernel/sched/core.c:6911
__schedule_loop kernel/sched/core.c:6993 [inline]
schedule+0x164/0x360 kernel/sched/core.c:7008
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7065
__mutex_lock_common kernel/locking/mutex.c:692 [inline]
__mutex_lock+0x7fe/0x1300 kernel/locking/mutex.c:776
blk_debugfs_lock_nomemsave block/blk.h:740 [inline]
blk_debugfs_lock block/blk.h:752 [inline]
blk_trace_setup+0x2d3/0x520 kernel/trace/blktrace.c:788
blk_trace_ioctl+0x37f/0x920 kernel/trace/blktrace.c:937
blkdev_ioctl+0x4c1/0x740 block/ioctl.c:793
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc3e1f9c799
RSP: 002b:00007fc3e2e8f028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fc3e2215fa0 RCX: 00007fc3e1f9c799
RDX: 00002000000001c0 RSI: 00000000c0481273 RDI: 0000000000000006
RBP: 00007fc3e2032c99 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fc3e2216038 R14: 00007fc3e2215fa0 R15: 00007ffc215e64d8
</TASK>
INFO: task syz.1.18:6457 blocked for more than 145 seconds.
Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.1.18 state:D stack:28568 pid:6457 tgid:6454 ppid:6251 task_flags:0x400040 flags:0x00080002
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5298 [inline]
__schedule+0x15dd/0x52d0 kernel/sched/core.c:6911
__schedule_loop kernel/sched/core.c:6993 [inline]
schedule+0x164/0x360 kernel/sched/core.c:7008
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7065
__mutex_lock_common kernel/locking/mutex.c:692 [inline]
__mutex_lock+0x7fe/0x1300 kernel/locking/mutex.c:776
blk_debugfs_lock_nomemsave block/blk.h:740 [inline]
blk_trace_remove kernel/trace/blktrace.c:561 [inline]
blk_trace_ioctl+0x39a/0x920 kernel/trace/blktrace.c:952
blkdev_common_ioctl+0x13a7/0x3250 block/ioctl.c:724
blkdev_ioctl+0x528/0x740 block/ioctl.c:798
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc3e1f9c799
RSP: 002b:00007fc3e2e6e028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fc3e2216090 RCX: 00007fc3e1f9c799
RDX: 0000000000000000 RSI: 0000000000001276 RDI: 0000000000000006
RBP: 00007fc3e2032c99 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fc3e2216128 R14: 00007fc3e2216090 R15: 00007ffc215e64d8
</TASK>
Showing all locks held in the system:
1 lock held by khungtaskd/30:
#0: ffffffff8e95e520 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
#0: ffffffff8e95e520 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:850 [inline]
#0: ffffffff8e95e520 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x2e/0x180 kernel/locking/lockdep.c:6775
3 locks held by kswapd0/85:
2 locks held by getty/5582:
#0: ffff8880328980a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
#1: ffffc9000332b2f0 (&ldata->atomic_read_lock){+.+.}-{4:4}, at: n_tty_read+0x45c/0x13c0 drivers/tty/n_tty.c:2211
1 lock held by syz.3.20/6446:
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock_nomemsave block/blk.h:740 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_remove kernel/trace/blktrace.c:561 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_ioctl+0x39a/0x920 kernel/trace/blktrace.c:952
2 locks held by syz.2.19/6445:
1 lock held by syz.2.19/6447:
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock_nomemsave block/blk.h:740 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_remove kernel/trace/blktrace.c:561 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_ioctl+0x39a/0x920 kernel/trace/blktrace.c:952
1 lock held by syz.1.18/6455:
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock_nomemsave block/blk.h:740 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock block/blk.h:752 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_setup+0x2d3/0x520 kernel/trace/blktrace.c:788
1 lock held by syz.1.18/6457:
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock_nomemsave block/blk.h:740 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_remove kernel/trace/blktrace.c:561 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_ioctl+0x39a/0x920 kernel/trace/blktrace.c:952
1 lock held by syz.4.21/6605:
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock_nomemsave block/blk.h:740 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock block/blk.h:752 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_setup+0x2d3/0x520 kernel/trace/blktrace.c:788
1 lock held by syz.4.21/6607:
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock_nomemsave block/blk.h:740 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_remove kernel/trace/blktrace.c:561 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_ioctl+0x39a/0x920 kernel/trace/blktrace.c:952
1 lock held by syz.5.22/6631:
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock_nomemsave block/blk.h:740 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock block/blk.h:752 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_setup+0x2d3/0x520 kernel/trace/blktrace.c:788
1 lock held by syz.5.22/6632:
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock_nomemsave block/blk.h:740 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_remove kernel/trace/blktrace.c:561 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_ioctl+0x39a/0x920 kernel/trace/blktrace.c:952
1 lock held by syz.7.24/6635:
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock_nomemsave block/blk.h:740 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock block/blk.h:752 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_setup+0x2d3/0x520 kernel/trace/blktrace.c:788
1 lock held by syz.7.24/6636:
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock_nomemsave block/blk.h:740 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_remove kernel/trace/blktrace.c:561 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_ioctl+0x39a/0x920 kernel/trace/blktrace.c:952
1 lock held by syz.6.23/6638:
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock_nomemsave block/blk.h:740 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock block/blk.h:752 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_setup+0x2d3/0x520 kernel/trace/blktrace.c:788
1 lock held by syz.6.23/6640:
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock_nomemsave block/blk.h:740 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_remove kernel/trace/blktrace.c:561 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_ioctl+0x39a/0x920 kernel/trace/blktrace.c:952
1 lock held by syz.8.25/6797:
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock_nomemsave block/blk.h:740 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock block/blk.h:752 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_setup+0x2d3/0x520 kernel/trace/blktrace.c:788
1 lock held by syz.8.25/6798:
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock_nomemsave block/blk.h:740 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_remove kernel/trace/blktrace.c:561 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_ioctl+0x39a/0x920 kernel/trace/blktrace.c:952
1 lock held by syz.0.27/6871:
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock_nomemsave block/blk.h:740 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock block/blk.h:752 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_setup+0x2d3/0x520 kernel/trace/blktrace.c:788
1 lock held by syz.0.27/6873:
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock_nomemsave block/blk.h:740 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_remove kernel/trace/blktrace.c:561 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_ioctl+0x39a/0x920 kernel/trace/blktrace.c:952
1 lock held by syz.1.28/6886:
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock_nomemsave block/blk.h:740 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock block/blk.h:752 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_setup+0x2d3/0x520 kernel/trace/blktrace.c:788
1 lock held by syz.1.28/6887:
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock_nomemsave block/blk.h:740 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_remove kernel/trace/blktrace.c:561 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_ioctl+0x39a/0x920 kernel/trace/blktrace.c:952
1 lock held by syz.9.26/6894:
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock_nomemsave block/blk.h:740 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock block/blk.h:752 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_setup+0x2d3/0x520 kernel/trace/blktrace.c:788
1 lock held by syz.9.26/6895:
#0: ffff888026703888
(&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock_nomemsave block/blk.h:740 [inline]
(&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_remove kernel/trace/blktrace.c:561 [inline]
(&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_ioctl+0x39a/0x920 kernel/trace/blktrace.c:952
1 lock held by syz.2.29/6961:
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock_nomemsave block/blk.h:740 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock block/blk.h:752 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_setup+0x2d3/0x520 kernel/trace/blktrace.c:788
1 lock held by syz.2.29/6963:
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock_nomemsave block/blk.h:740 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_remove kernel/trace/blktrace.c:561 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_ioctl+0x39a/0x920 kernel/trace/blktrace.c:952
1 lock held by syz.3.30/7027:
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock_nomemsave block/blk.h:740 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock block/blk.h:752 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_setup+0x2d3/0x520 kernel/trace/blktrace.c:788
1 lock held by syz.3.30/7028:
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock_nomemsave block/blk.h:740 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_remove kernel/trace/blktrace.c:561 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_ioctl+0x39a/0x920 kernel/trace/blktrace.c:952
1 lock held by syz.5.32/7049:
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock_nomemsave block/blk.h:740 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock block/blk.h:752 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_setup+0x2d3/0x520 kernel/trace/blktrace.c:788
1 lock held by syz.5.32/7050:
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock_nomemsave block/blk.h:740 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_remove kernel/trace/blktrace.c:561 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_ioctl+0x39a/0x920 kernel/trace/blktrace.c:952
1 lock held by syz.4.31/7053:
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock_nomemsave block/blk.h:740 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock block/blk.h:752 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_setup+0x2d3/0x520 kernel/trace/blktrace.c:788
1 lock held by syz.4.31/7054:
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock_nomemsave block/blk.h:740 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_remove kernel/trace/blktrace.c:561 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_ioctl+0x39a/0x920 kernel/trace/blktrace.c:952
1 lock held by syz.6.33/7074:
#0: ffff888026703888
(&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock_nomemsave block/blk.h:740 [inline]
(&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock block/blk.h:752 [inline]
(&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_setup+0x2d3/0x520 kernel/trace/blktrace.c:788
1 lock held by syz.6.33/7075:
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock_nomemsave block/blk.h:740 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_remove kernel/trace/blktrace.c:561 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_ioctl+0x39a/0x920 kernel/trace/blktrace.c:952
1 lock held by syz.7.34/7110:
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock_nomemsave block/blk.h:740 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock block/blk.h:752 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_setup+0x2d3/0x520 kernel/trace/blktrace.c:788
1 lock held by syz.7.34/7117:
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock_nomemsave block/blk.h:740 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_remove kernel/trace/blktrace.c:561 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_ioctl+0x39a/0x920 kernel/trace/blktrace.c:952
1 lock held by syz.8.35/7177:
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock_nomemsave block/blk.h:740 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock block/blk.h:752 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_setup+0x2d3/0x520 kernel/trace/blktrace.c:788
1 lock held by syz.8.35/7179:
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock_nomemsave block/blk.h:740 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_remove kernel/trace/blktrace.c:561 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_ioctl+0x39a/0x920 kernel/trace/blktrace.c:952
1 lock held by syz.0.36/7184:
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock_nomemsave block/blk.h:740 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock block/blk.h:752 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_setup+0x2d3/0x520 kernel/trace/blktrace.c:788
1 lock held by syz.0.36/7185:
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock_nomemsave block/blk.h:740 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_remove kernel/trace/blktrace.c:561 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_ioctl+0x39a/0x920 kernel/trace/blktrace.c:952
1 lock held by syz.9.37/7194:
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock_nomemsave block/blk.h:740 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock block/blk.h:752 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_setup+0x2d3/0x520 kernel/trace/blktrace.c:788
1 lock held by syz.9.37/7195:
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_debugfs_lock_nomemsave block/blk.h:740 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_remove kernel/trace/blktrace.c:561 [inline]
#0: ffff888026703888 (&q->debugfs_mutex){+.+.}-{4:4}, at: blk_trace_ioctl+0x39a/0x920 kernel/trace/blktrace.c:952
7 locks held by syz-executor/7198:
=============================================
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 30 Comm: khungtaskd Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
nmi_cpu_backtrace+0x274/0x2d0 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x17a/0x300 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:161 [inline]
__sys_info lib/sys_info.c:157 [inline]
sys_info+0x135/0x170 lib/sys_info.c:165
check_hung_uninterruptible_tasks kernel/hung_task.c:346 [inline]
watchdog+0xfd9/0x1030 kernel/hung_task.c:515
kthread+0x388/0x470 kernel/kthread.c:436
ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 7198 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
RIP: 0010:unwind_next_frame+0x1abd/0x23c0 arch/x86/kernel/unwind_orc.c:695
Code: a3 c9 8b e8 95 3b 2b 00 48 c7 c7 20 e5 95 8e 4c 89 fe e8 06 22 2b 00 e8 51 d1 34 00 89 d8 48 81 c4 98 00 00 00 5b 41 5c 41 5d <41> 5e 41 5f 5d c3 cc cc cc cc cc 4c 8b 7c 24 50 eb 89 c6 05 01 b8
RSP: 0018:ffffc90000a08608 EFLAGS: 00000296
RAX: 0000000090c2b501 RBX: ffffc90000a086e0 RCX: 0000000000000101
RDX: 0000000000000006 RSI: ffffffff8e28800c RDI: ffff88801e343d00
RBP: dffffc0000000000 R08: ffffc90003817008 R09: 0000000000000000
R10: ffffc90000a08678 R11: fffff520001410d1 R12: ffff88801e343d00
R13: 00000000000002c0 R14: ffffc90000a08628 R15: ffffffff8176ce95
FS: 00005555570c1500(0000) GS:ffff888125305000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8cc6b47e20 CR3: 00000001aba1c000 CR4: 00000000003526f0
Call Trace:
<IRQ>
arch_stack_walk+0x11b/0x150 arch/x86/kernel/stacktrace.c:25
stack_trace_save+0xa9/0x100 kernel/stacktrace.c:122
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
unpoison_slab_object mm/kasan/common.c:340 [inline]
__kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366
kasan_slab_alloc include/linux/kasan.h:253 [inline]
slab_post_alloc_hook mm/slub.c:4538 [inline]
slab_alloc_node mm/slub.c:4866 [inline]
kmem_cache_alloc_node_noprof+0x384/0x690 mm/slub.c:4918
kmalloc_reserve net/core/skbuff.c:613 [inline]
__alloc_skb+0x27d/0x7d0 net/core/skbuff.c:713
__netdev_alloc_skb+0xc1/0x810 net/core/skbuff.c:775
netdev_alloc_skb include/linux/skbuff.h:3485 [inline]
dev_alloc_skb include/linux/skbuff.h:3498 [inline]
__ieee80211_beacon_get+0xc06/0x1880 net/mac80211/tx.c:5658
ieee80211_beacon_get_tim+0xbd/0x2c0 net/mac80211/tx.c:5780
ieee80211_beacon_get include/net/mac80211.h:5720 [inline]
mac80211_hwsim_beacon_tx+0x3c5/0x870 drivers/net/wireless/virtual/mac80211_hwsim.c:2361
__iterate_interfaces+0x2ab/0x590 net/mac80211/util.c:760
ieee80211_iterate_active_interfaces_atomic+0xdb/0x180 net/mac80211/util.c:796
mac80211_hwsim_beacon+0xbb/0x180 drivers/net/wireless/virtual/mac80211_hwsim.c:2395
__run_hrtimer kernel/time/hrtimer.c:1785 [inline]
__hrtimer_run_queues+0x53a/0xcc0 kernel/time/hrtimer.c:1849
hrtimer_run_softirq+0x182/0x5a0 kernel/time/hrtimer.c:1866
handle_softirqs+0x22a/0x870 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
invoke_softirq kernel/softirq.c:496 [inline]
__irq_exit_rcu+0x5f/0x150 kernel/softirq.c:723
irq_exit_rcu+0x9/0x30 kernel/softirq.c:739
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1056
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:console_flush_one_record arch/x86/include/asm/irqflags.h:-1 [inline]
RIP: 0010:console_flush_all+0x801/0xb20 kernel/printk/printk.c:3343
Code: ff ff e8 a2 f0 20 00 90 0f 0b 90 e9 85 fc ff ff e8 94 f0 20 00 e8 1f d2 14 0a 48 85 db 74 c0 e8 85 f0 20 00 fb 48 8b 5c 24 08 <48> 8b 44 24 20 42 80 3c 20 00 4c 8b 74 24 18 74 08 4c 89 f7 e8 96
RSP: 0018:ffffc90003816c80 EFLAGS: 00000293
RAX: ffffffff81a5007b RBX: ffffc90003816de0 RCX: ffff88801e343d00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90003816d90 R08: ffffffff9033aeb7 R09: 1ffffffff20675d6
R10: dffffc0000000000 R11: fffffbfff20675d7 R12: dffffc0000000000
R13: 0000000000000001 R14: 0000000000000000 R15: ffffffff8f229520
__console_flush_and_unlock kernel/printk/printk.c:3373 [inline]
console_unlock+0xd1/0x1c0 kernel/printk/printk.c:3413
vprintk_emit+0x485/0x560 kernel/printk/printk.c:2479
_printk+0xdd/0x130 kernel/printk/printk.c:2504
hsr_dev_finalize+0x906/0xaa0 net/hsr/hsr_device.c:812
hsr_newlink+0x7ea/0x970 net/hsr/hsr_netlink.c:128
rtnl_newlink_create+0x329/0xb70 net/core/rtnetlink.c:3840
__rtnl_newlink net/core/rtnetlink.c:3957 [inline]
rtnl_newlink+0x1666/0x1be0 net/core/rtnetlink.c:4072
rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958
netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg net/socket.c:742 [inline]
__sys_sendto+0x672/0x710 net/socket.c:2206
__do_sys_sendto net/socket.c:2213 [inline]
__se_sys_sendto net/socket.c:2209 [inline]
__x64_sys_sendto+0xde/0x100 net/socket.c:2209
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f8cc5d5cfce
Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
RSP: 002b:00007ffe0b9193b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00005555570c1500 RCX: 00007f8cc5d5cfce
RDX: 0000000000000058 RSI: 00007f8cc6b44670 RDI: 0000000000000003
RBP: 0000000000000001 R08: 00007ffe0b919434 R09: 000000000000000c
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003
R13: 0000000000000000 R14: 00007f8cc6b44670 R15: 0000000000000000
</TASK>
Tested on:
commit: 113ae7b4 Merge tag 'hwmon-for-v7.0-rc5' of git://git.k..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=140bccba580000
kernel config: https://syzkaller.appspot.com/x/.config?x=a583012a914ba435
dashboard link: https://syzkaller.appspot.com/bug?extid=ed8bc247f231c1a48e21
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=107281d6580000
^ permalink raw reply [flat|nested] 9+ messages in thread
* Forwarded: [PATCH] blktrace: reject buf_size smaller than struct blk_io_trace
2026-03-20 22:44 [syzbot] [block?] general protection fault in bio_add_page syzbot
` (2 preceding siblings ...)
2026-03-22 2:14 ` Forwarded: [PATCH] ext4: fix null-ptr-deref in bio_add_folio syzbot
@ 2026-03-22 4:41 ` syzbot
3 siblings, 0 replies; 9+ messages in thread
From: syzbot @ 2026-03-22 4:41 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] blktrace: reject buf_size smaller than struct blk_io_trace
Author: kartikey406@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
blk_trace_setup() accepts any non-zero buf_size from userspace
and passes it directly to relay_open(). If buf_size is smaller
than sizeof(struct blk_io_trace) = 40 bytes, relay_switch_subbuf()
always hits the toobig path and returns 0, causing memory pressure
that leads to bio_alloc() failing under GFP_NOIO and a
null-ptr-deref in bio_add_folio().
Reject buf_size values too small to hold a single trace event.
Reported-by: syzbot+ed8bc247f231c1a48e21@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=ed8bc247f231c1a48e21
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
---
kernel/trace/blktrace.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
index 8cd2520b4c99..6cc7d83ed1c2 100644
--- a/kernel/trace/blktrace.c
+++ b/kernel/trace/blktrace.c
@@ -773,7 +773,7 @@ int blk_trace_setup(struct request_queue *q, char *name, dev_t dev,
if (ret)
return -EFAULT;
- if (!buts.buf_size || !buts.buf_nr)
+ if (buts.buf_size < sizeof(struct blk_io_trace) || !buts.buf_nr)
return -EINVAL;
buts2 = (struct blk_user_trace_setup2) {
--
2.43.0
^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [syzbot] [block?] general protection fault in bio_add_page
[not found] <20260322044138.1136657-1-kartikey406@gmail.com>
@ 2026-03-22 5:02 ` syzbot
0 siblings, 0 replies; 9+ messages in thread
From: syzbot @ 2026-03-22 5:02 UTC (permalink / raw)
To: kartikey406, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
SYZFAIL: failed to recv rpc
SYZFAIL: failed to recv rpc
fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor)
Tested on:
commit: 113ae7b4 Merge tag 'hwmon-for-v7.0-rc5' of git://git.k..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=174fccba580000
kernel config: https://syzkaller.appspot.com/x/.config?x=a583012a914ba435
dashboard link: https://syzkaller.appspot.com/bug?extid=ed8bc247f231c1a48e21
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=1677ccba580000
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2026-03-22 5:02 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-20 22:44 [syzbot] [block?] general protection fault in bio_add_page syzbot
2026-03-21 8:36 ` Forwarded: [PATCH] ext4: fix NULL page dereference in ext4_bio_write_folio() with large folios syzbot
2026-03-21 12:15 ` Forwarded: [PATCH] ext4: fix general protection fault in bio_add_page for encrypted " syzbot
2026-03-22 2:14 ` Forwarded: [PATCH] ext4: fix null-ptr-deref in bio_add_folio syzbot
2026-03-22 4:41 ` Forwarded: [PATCH] blktrace: reject buf_size smaller than struct blk_io_trace syzbot
[not found] <20260321083622.1124160-1-kartikey406@gmail.com>
2026-03-21 10:42 ` [syzbot] [block?] general protection fault in bio_add_page syzbot
[not found] <20260321121459.1128687-1-kartikey406@gmail.com>
2026-03-21 12:42 ` syzbot
[not found] <20260322021410.1133285-1-kartikey406@gmail.com>
2026-03-22 2:54 ` syzbot
[not found] <20260322044138.1136657-1-kartikey406@gmail.com>
2026-03-22 5:02 ` syzbot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox