X-Mailing-List: linux-kernel@vger.kernel.org
Date: Sat, 21 Mar 2026 19:14:18 -0700
In-Reply-To: <69bdcdcd.050a0220.3bf4de.0030.GAE@google.com>
Message-ID: <69bf507a.050a0220.3bf4de.006d.GAE@google.com>
Subject: Forwarded: [PATCH] ext4: fix null-ptr-deref in bio_add_folio
From: syzbot
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Content-Type: text/plain; charset="UTF-8"

For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] ext4: fix null-ptr-deref in bio_add_folio
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

bio_alloc() is called with BIO_MAX_VECS=256 which exceeds BIO_INLINE_VECS=4, so the bvec array is allocated separately. Under GFP_NOIO memory pressure this allocation can fail and bio_alloc() returns NULL. io_submit_init_bio() does not check for NULL, so NULL gets stored in io->io_bio and causes a null-ptr-deref when bio_add_folio() tries to use it.

Fix by adding __GFP_DIRECT_RECLAIM to guarantee the allocation always succeeds, as documented in bio_alloc_bioset().

Reported-by: syzbot+ed8bc247f231c1a48e21@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=ed8bc247f231c1a48e21
Signed-off-by: Deepanshu Kartikey
---
 fs/ext4/page-io.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/fs/ext4/page-io.c b/fs/ext4/page-io.c
index a8c95eee91b7..aea28e5a5665 100644
--- a/fs/ext4/page-io.c
+++ b/fs/ext4/page-io.c
@@ -423,8 +423,14 @@ static void io_submit_init_bio(struct ext4_io_submit *io, /* * bio_alloc will _always_ be able to allocate a bio if * __GFP_DIRECT_RECLAIM is set, see comments for bio_alloc_bioset(). - */ - bio = bio_alloc(bh->b_bdev, BIO_MAX_VECS, REQ_OP_WRITE, GFP_NOIO); + * We must use __GFP_DIRECT_RECLAIM to guarantee the bvec array + * allocation succeeds - BIO_MAX_VECS exceeds BIO_INLINE_VECS so + * bio_alloc_bioset() allocates the bvec array separately, which + * can fail under GFP_NOIO memory pressure, leaving bi_io_vec NULL + * and causing a null-ptr-deref in bio_add_folio(). + */ + bio = bio_alloc(bh->b_bdev, BIO_MAX_VECS, REQ_OP_WRITE, + GFP_NOIO | __GFP_DIRECT_RECLAIM); fscrypt_set_bio_crypt_ctx_bh(bio, bh, GFP_NOIO); bio->bi_iter.bi_sector = bh->b_blocknr * (bh->b_size >> 9); bio->bi_end_io = ext4_end_bio; -- 2.43.0
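Review bot: The new call `bio = bio_alloc(bh->b_bdev, BIO_MAX_VECS, REQ_OP_WRITE, GFP_NOIO | __GFP_DIRECT_RECLAIM);` is a no-op, because GFP_NOIO is defined as __GFP_RECLAIM, which already contains both __GFP_DIRECT_RECLAIM and __GFP_KSWAPD_RECLAIM, so the resulting mask is identical to the plain GFP_NOIO the removed line passed. The retained comment "bio_alloc will _always_ be able to allocate a bio if __GFP_DIRECT_RECLAIM is set" therefore already applied to the old call, and the added comment contradicts itself by claiming the bvec allocation "can fail under GFP_NOIO memory pressure" while also saying __GFP_DIRECT_RECLAIM makes it always succeed. Since the NULL stored in io->io_bio cannot come from this allocation failing with that mask, the root cause of the syzbot report needs to be re-examined before this is merged; if a NULL return really can reach bio_add_folio(), the fix is an explicit check on bio_alloc()'s return value with an error path, not a flag that is already set. Please also drop the duplicated explanation and keep the comment to the one-line statement that was already there.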