* [syzbot] [netfs?] kernel BUG in netfs_limit_iter
From: syzbot @ 2026-03-06 6:36 UTC
To: dhowells, linux-fsdevel, linux-kernel, netfs, pc, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    c107785c7e8d Merge tag 'modules-7.0-rc3.fixes' of git://gi..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13d408ba580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=976ba5a93c4add9e
dashboard link: https://syzkaller.appspot.com/bug?extid=9c058f0d63475adc97fd
compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16421552580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=166a97e6580000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-c107785c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/3a4a4abcd973/vmlinux-c107785c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/f60667f16840/bzImage-c107785c.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9c058f0d63475adc97fd@syzkaller.appspotmail.com

------------[ cut here ]------------
kernel BUG at fs/netfs/iterator.c:248!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 3 UID: 0 PID: 6437 Comm: syz.9.39 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:netfs_limit_iter+0x100d/0x1100 fs/netfs/iterator.c:248
Code: ff e9 a4 f4 ff ff 48 89 de 48 c7 c7 a0 db ab 8e e8 e8 3f 74 fe e9 59 f6 ff ff e8 9e e8 b1 ff e9 6f f6 ff ff e8 74 6b 45 ff 90 <0f> 0b e8 fc e7 b1 ff e9 cd f9 ff ff 4c 89 f6 48 c7 c7 20 dc ab 8e
RSP: 0018:ffffc900040e6d18 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff82c3391b
RDX: ffff8880298a0000 RSI: ffffffff82c3484c RDI: ffff8880298a0000
RBP: 0000000000000003 R08: 0000000000000001 R09: 0000000000000005
R10: 0000000000000003 R11: 0000000000000012 R12: 000000007fffffff
R13: 1ffff9200081cda9 R14: ffff88801c7f3960 R15: ffff888022886580
FS:  000055556085f500(0000) GS:ffff8880d6644000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000c008fdc000 CR3: 000000002f279000 CR4: 0000000000352ef0
Call Trace:
 <TASK>
 netfs_unbuffered_write+0x25d/0x2080 fs/netfs/direct_write.c:128
 netfs_unbuffered_write_iter_locked+0x801/0xab0 fs/netfs/direct_write.c:287
 netfs_unbuffered_write_iter+0x40c/0x710 fs/netfs/direct_write.c:377
 v9fs_file_write_iter+0xbf/0x100 fs/9p/vfs_file.c:409
 __kernel_write_iter+0x2ac/0x920 fs/read_write.c:621
 __kernel_write+0xf6/0x140 fs/read_write.c:641
 __dump_emit fs/coredump.c:1221 [inline]
 dump_emit+0x21f/0x330 fs/coredump.c:1259
 elf_core_dump+0x2127/0x3d10 fs/binfmt_elf.c:2062
 coredump_write fs/coredump.c:1050 [inline]
 do_coredump fs/coredump.c:1127 [inline]
 vfs_coredump+0x27bc/0x5570 fs/coredump.c:1201
 get_signal+0x1f2a/0x21e0 kernel/signal.c:3019
 arch_do_signal_or_restart+0x91/0x7a0 arch/x86/kernel/signal.c:337
 __exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:98 [inline]
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
 irqentry_exit_to_user_mode_prepare include/linux/irq-entry-common.h:270 [inline]
 irqentry_exit_to_user_mode include/linux/irq-entry-common.h:339 [inline]
 irqentry_exit+0x1f8/0x670 kernel/entry/common.c:219
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
RIP: 0033:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 002b:0000200000000088 EFLAGS: 00010217
RAX: 0000000000000000 RBX: 00007f5120e15fa0 RCX: 00007f5120b9c799
RDX: 0000000000000000 RSI: 0000200000000080 RDI: 0000000000008000
RBP: 00007f5120c32bd9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000
R13: 00007f5120e15fac R14: 00007f5120e15fa0 R15: 00007f5120e15fa0
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:netfs_limit_iter+0x100d/0x1100 fs/netfs/iterator.c:248
Code: ff e9 a4 f4 ff ff 48 89 de 48 c7 c7 a0 db ab 8e e8 e8 3f 74 fe e9 59 f6 ff ff e8 9e e8 b1 ff e9 6f f6 ff ff e8 74 6b 45 ff 90 <0f> 0b e8 fc e7 b1 ff e9 cd f9 ff ff 4c 89 f6 48 c7 c7 20 dc ab 8e
RSP: 0018:ffffc900040e6d18 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff82c3391b
RDX: ffff8880298a0000 RSI: ffffffff82c3484c RDI: ffff8880298a0000
RBP: 0000000000000003 R08: 0000000000000001 R09: 0000000000000005
R10: 0000000000000003 R11: 0000000000000012 R12: 000000007fffffff
R13: 1ffff9200081cda9 R14: ffff88801c7f3960 R15: ffff888022886580
FS:  000055556085f500(0000) GS:ffff8880d6644000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000c008fdc000 CR3: 000000002f279000 CR4: 0000000000352ef0


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup
* Re: [syzbot] [netfs?] kernel BUG in netfs_limit_iter
From: David Howells @ 2026-03-07 7:26 UTC
To: syzbot
Cc: dhowells, Deepanshu Kartikey, linux-fsdevel, linux-kernel, netfs, pc, syzkaller-bugs

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git c107785c7e8d

commit eb8299de8f603a6d7acf50e534c87ac1adeb3060
Author: Deepanshu Kartikey <kartikey406@gmail.com>
Date:   Sat Mar 7 10:09:47 2026 +0530

    netfs: Fix NULL pointer dereference in netfs_unbuffered_write() on retry

    When a write subrequest is marked NETFS_SREQ_NEED_RETRY, the retry path in
    netfs_unbuffered_write() unconditionally calls stream->prepare_write()
    without checking if it is NULL. Filesystems such as 9P do not set the
    prepare_write operation, so stream->prepare_write remains NULL. When
    get_user_pages() fails with -EFAULT and the subrequest is flagged for
    retry, this results in a NULL pointer dereference at
    fs/netfs/direct_write.c:189.

    Fix this by mirroring the pattern already used in write_retry.c: if
    stream->prepare_write is NULL, skip renegotiation and directly reissue
    the subrequest via netfs_reissue_write(), which handles iterator reset,
    IN_PROGRESS flag, stats update and reissue internally.

    Fixes: a0b4c7a49137 ("netfs: Fix unbuffered/DIO writes to dispatch subrequests in strict sequence")
    Reported-by: syzbot+7227db0fbac9f348dba0@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=7227db0fbac9f348dba0
    Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>

diff --git a/fs/netfs/direct_write.c b/fs/netfs/direct_write.c
index dd1451bf7543..4d9760e36c11 100644
--- a/fs/netfs/direct_write.c
+++ b/fs/netfs/direct_write.c
@@ -186,10 +186,18 @@ static int netfs_unbuffered_write(struct netfs_io_request *wreq) stream->sreq_max_segs = INT_MAX; netfs_get_subrequest(subreq, netfs_sreq_trace_get_resubmit); - stream->prepare_write(subreq); - __set_bit(NETFS_SREQ_IN_PROGRESS, &subreq->flags); - netfs_stat(&netfs_n_wh_retry_write_subreq); + if (stream->prepare_write) { + stream->prepare_write(subreq); + __set_bit(NETFS_SREQ_IN_PROGRESS, &subreq->flags); + netfs_stat(&netfs_n_wh_retry_write_subreq); + } else { + struct iov_iter source; + + netfs_reset_iter(subreq); + source = subreq->io_iter; + netfs_reissue_write(stream, subreq, &source); + } } netfs_unbuffered_write_done(wreq); ^ permalink raw reply related [flat|nested] 5+ messages in thread
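Review bot: The NULL-check on stream->prepare_write in the NEED_RETRY block at direct_write.c:186 does not reach the crash in this report: the trace shows the BUG at fs/netfs/iterator.c:248 entered from netfs_unbuffered_write at direct_write.c:128, well before the retry block this hunk touches, and the commit's Reported-by/Closes tags name a different syzbot id (7227db0fbac9f348dba0). It belongs in its own submission against that id rather than a #syz test against extid 9c058f0d63475adc97fd. Within the hunk itself the else branch matches the described write_retry.c pattern (netfs_reset_iter(), copy of subreq->io_iter into the local source, netfs_reissue_write()); the only thing a reader has to take on trust from the commit message is that netfs_reissue_write() sets NETFS_SREQ_IN_PROGRESS and bumps the retry stat, since the if branch does both explicitly and the else branch does neither, so a one-line comment there saying that would help.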
* Re: [syzbot] [netfs?] kernel BUG in netfs_limit_iter
From: syzbot @ 2026-03-07 7:40 UTC
To: dhowells, kartikey406, linux-fsdevel, linux-kernel, netfs, pc, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in netfs_limit_iter

------------[ cut here ]------------
kernel BUG at fs/netfs/iterator.c:248!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 1 UID: 0 PID: 6595 Comm: syz.0.28 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:netfs_limit_iter+0x100d/0x1100 fs/netfs/iterator.c:248
Code: ff e9 a4 f4 ff ff 48 89 de 48 c7 c7 a0 db ab 8e e8 d8 3d 74 fe e9 59 f6 ff ff e8 8e e6 b1 ff e9 6f f6 ff ff e8 64 69 45 ff 90 <0f> 0b e8 ec e5 b1 ff e9 cd f9 ff ff 4c 89 f6 48 c7 c7 20 dc ab 8e
RSP: 0018:ffffc90003c16c70 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff82c33b2b
RDX: ffff88802b2aa4c0 RSI: ffffffff82c34a5c RDI: ffff88802b2aa4c0
RBP: 0000000000000003 R08: 0000000000000001 R09: 0000000000000005
R10: 0000000000000003 R11: 0000000000000012 R12: 000000007fffffff
R13: 1ffff92000782d94 R14: ffff88802222ef60 R15: ffff8880224b2580
FS:  00007ffbb60b56c0(0000) GS:ffff8880d6444000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffea0531a80 CR3: 000000002ff66000 CR4: 0000000000352ef0
Call Trace:
 <TASK>
 netfs_unbuffered_write+0x2bb/0x2290 fs/netfs/direct_write.c:128
 netfs_unbuffered_write_iter_locked+0x801/0xab0 fs/netfs/direct_write.c:295
 netfs_unbuffered_write_iter+0x40c/0x710 fs/netfs/direct_write.c:385
 v9fs_file_write_iter+0xbf/0x100 fs/9p/vfs_file.c:409
 __kernel_write_iter+0x2ac/0x920 fs/read_write.c:621
 __kernel_write+0xf6/0x140 fs/read_write.c:641
 __dump_emit fs/coredump.c:1221 [inline]
 dump_emit+0x21f/0x330 fs/coredump.c:1259
 elf_core_dump+0x2127/0x3d10 fs/binfmt_elf.c:2062
 coredump_write fs/coredump.c:1050 [inline]
 do_coredump fs/coredump.c:1127 [inline]
 vfs_coredump+0x27bc/0x5570 fs/coredump.c:1201
 get_signal+0x1f2a/0x21e0 kernel/signal.c:3019
 arch_do_signal_or_restart+0x91/0x7a0 arch/x86/kernel/signal.c:337
 __exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:98 [inline]
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
 irqentry_exit_to_user_mode_prepare include/linux/irq-entry-common.h:270 [inline]
 irqentry_exit_to_user_mode include/linux/irq-entry-common.h:339 [inline]
 irqentry_exit+0x1f8/0x670 kernel/entry/common.c:219
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
RIP: 0033:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 002b:0000200000000088 EFLAGS: 00010217
RAX: 0000000000000000 RBX: 00007ffbb5415fa0 RCX: 00007ffbb519c799
RDX: 0000000000000000 RSI: 0000200000000080 RDI: 0000000000008000
RBP: 00007ffbb5232bd9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000
R13: 00007ffbb5416038 R14: 00007ffbb5415fa0 R15: 00007ffea05320b8
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:netfs_limit_iter+0x100d/0x1100 fs/netfs/iterator.c:248
Code: ff e9 a4 f4 ff ff 48 89 de 48 c7 c7 a0 db ab 8e e8 d8 3d 74 fe e9 59 f6 ff ff e8 8e e6 b1 ff e9 6f f6 ff ff e8 64 69 45 ff 90 <0f> 0b e8 ec e5 b1 ff e9 cd f9 ff ff 4c 89 f6 48 c7 c7 20 dc ab 8e
RSP: 0018:ffffc90003c16c70 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff82c33b2b
RDX: ffff88802b2aa4c0 RSI: ffffffff82c34a5c RDI: ffff88802b2aa4c0
RBP: 0000000000000003 R08: 0000000000000001 R09: 0000000000000005
R10: 0000000000000003 R11: 0000000000000012 R12: 000000007fffffff
R13: 1ffff92000782d94 R14: ffff88802222ef60 R15: ffff8880224b2580
FS:  00007ffbb60b56c0(0000) GS:ffff8880d6644000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffea0530cd0 CR3: 000000002ff66000 CR4: 0000000000352ef0


Tested on:

commit:         c107785c Merge tag 'modules-7.0-rc3.fixes' of git://gi..
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=103ad8d6580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=976ba5a93c4add9e
dashboard link: https://syzkaller.appspot.com/bug?extid=9c058f0d63475adc97fd
compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch:          https://syzkaller.appspot.com/x/patch.diff?x=131ad8d6580000
* Re: [syzbot] [netfs?] kernel BUG in netfs_limit_iter
From: David Howells @ 2026-03-07 13:51 UTC
To: syzbot
Cc: dhowells, Deepanshu Kartikey, linux-fsdevel, linux-kernel, netfs, pc, syzkaller-bugs

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git c107785c7e8d

commit c4449647436e654c150cf5fdb70a64a9d02283a1
Author: Deepanshu Kartikey <kartikey406@gmail.com>
Date:   Sat Mar 7 14:30:41 2026 +0530

    netfs: Fix kernel BUG in netfs_limit_iter() for ITER_KVEC iterators

    When a process crashes and the kernel writes a core dump to a 9P
    filesystem, __kernel_write() creates an ITER_KVEC iterator. This iterator
    reaches netfs_limit_iter() via netfs_unbuffered_write(), which only
    handles ITER_FOLIOQ, ITER_BVEC and ITER_XARRAY iterator types, hitting
    the BUG() for any other type.

    Fix this by adding netfs_limit_kvec() following the same pattern as
    netfs_limit_bvec(), since both kvec and bvec are simple segment arrays
    with pointer and length fields. Dispatch it from netfs_limit_iter() when
    the iterator type is ITER_KVEC.

    Fixes: cae932d3aee5 ("netfs: Add func to calculate pagecount/size-limited span of an iterator")
    Reported-by: syzbot+9c058f0d63475adc97fd@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=9c058f0d63475adc97fd
    Tested-by: syzbot+9c058f0d63475adc97fd@syzkaller.appspotmail.com
    Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
    Signed-off-by: David Howells <dhowells@redhat.com>

diff --git a/fs/netfs/iterator.c b/fs/netfs/iterator.c
index 72a435e5fc6d..154a14bb2d7f 100644
--- a/fs/netfs/iterator.c
+++ b/fs/netfs/iterator.c
@@ -142,6 +142,47 @@ static size_t netfs_limit_bvec(const struct iov_iter *iter, size_t start_offset, return min(span, max_size); } +/* + * Select the span of a kvec iterator we're going to use. Limit it by both + * maximum size and maximum number of segments. Returns the size of the span + * in bytes. + */ +static size_t netfs_limit_kvec(const struct iov_iter *iter, size_t start_offset, + size_t max_size, size_t max_segs) +{ + const struct kvec *kvecs = iter->kvec; + unsigned int nkv = iter->nr_segs, ix = 0, nsegs = 0; + size_t len, span = 0, n = iter->count; + size_t skip = iter->iov_offset + start_offset; + + if (WARN_ON(!iov_iter_is_kvec(iter)) || + WARN_ON(start_offset > n) || + n == 0) + return 0; + + while (n && ix < nkv && skip) { + len = kvecs[ix].iov_len; + if (skip < len) + break; + skip -= len; + n -= len; + ix++; + } + + while (n && ix < nkv) { + len = min3(n, kvecs[ix].iov_len - skip, max_size); + span += len; + nsegs++; + ix++; + if (span >= max_size || nsegs >= max_segs) + break; + skip = 0; + n -= len; + } + + return min(span, max_size); +} + /* * Select the span of an xarray iterator we're going to use. Limit it by both * maximum size and maximum number of segments. It is assumed that segments @@ -245,6 +286,8 @@ size_t netfs_limit_iter(const struct iov_iter *iter, size_t start_offset, return netfs_limit_bvec(iter, start_offset, max_size, max_segs); if (iov_iter_is_xarray(iter)) return netfs_limit_xarray(iter, start_offset, max_size, max_segs); + if (iov_iter_is_kvec(iter)) + return netfs_limit_kvec(iter, start_offset, max_size, max_segs); BUG(); } EXPORT_SYMBOL(netfs_limit_iter); ^ permalink raw reply related [flat|nested] 5+ messages in thread
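Review bot: In the new netfs_limit_kvec() the skip loop does `n -= len;` with the full `kvecs[ix].iov_len`, but `n = iter->count` already excludes the bytes covered by iov_offset, so when iov_offset is non-zero and start_offset carries skip past the end of the current segment, n ends up short by iov_offset and the returned span is smaller than the bytes actually left. Callers that pass start_offset 0 never see it, because skip then stays inside the current segment and the loop breaks on its first iteration, and the same arithmetic is in the netfs_limit_bvec() this copies, so it is a follow-up for both rather than a blocker; the simplest correction is to subtract `len - iter->iov_offset` for ix == 0 and `len` for the later segments. A comment on the `kvecs[ix].iov_len - skip` line noting that the skip loop guarantees skip < iov_len there would also save the next reader a minute.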
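Review bot: The added `if (iov_iter_is_kvec(iter))` dispatch closes the reported path, but the trailing `BUG();` still fires for ITER_UBUF, ITER_IOVEC and ITER_DISCARD iterators, and this report shows the function is reachable from a core dump written through 9p, so any further unhandled type is a whole-machine crash where a failed write would do. Consider replacing the BUG() with WARN_ON_ONCE() and `return 0;`, matching how the per-type helpers already handle their own WARN_ON() failures, provided netfs_unbuffered_write() and the other callers treat a zero-length span as an error rather than looping on it.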
* Re: [syzbot] [netfs?] kernel BUG in netfs_limit_iter
From: syzbot @ 2026-03-07 14:12 UTC
To: dhowells, kartikey406, linux-fsdevel, linux-kernel, netfs, pc, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+9c058f0d63475adc97fd@syzkaller.appspotmail.com
Tested-by: syzbot+9c058f0d63475adc97fd@syzkaller.appspotmail.com

Tested on:

commit:         c107785c Merge tag 'modules-7.0-rc3.fixes' of git://gi..
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1756db5a580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=976ba5a93c4add9e
dashboard link: https://syzkaller.appspot.com/bug?extid=9c058f0d63475adc97fd
compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch:          https://syzkaller.appspot.com/x/patch.diff?x=15916b5a580000

Note: testing is done by a robot and is best-effort only.
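To exercise the span arithmetic of the netfs_limit_kvec() helper from the second test patch on concrete inputs, here is an added userspace model (example code written for this page, not the kernel's or the patch author's; struct kvec_iter, min_sz and span_of are stand-ins made up here, and the four-segment array is constructed). It walks a fresh iterator and one that iov_iter_advance() has already moved 4000 bytes into segment 0; in the second case, with a start_offset that crosses the segment boundary, the span comes out shorter than count minus start_offset, because the skip loop subtracts a whole iov_len from a count that already excludes iov_offset, the same arithmetic netfs_limit_bvec() uses.

```c
#include <stddef.h>
/* Userspace stand-ins for struct kvec and the ITER_KVEC fields of struct
 * iov_iter (constructed for this model, not the kernel's definitions). */
struct kvec { void *iov_base; size_t iov_len; };
struct kvec_iter {
	const struct kvec *kvec;
	unsigned int nr_segs;
	size_t iov_offset;	/* bytes of kvec[0] already consumed */
	size_t count;		/* bytes remaining, i.e. excluding iov_offset */
};
static size_t min_sz(size_t a, size_t b) { return a < b ? a : b; }

/* Same span-limiting algorithm as the patch's netfs_limit_kvec(); its
 * WARN_ON()s become plain checks here. */
size_t limit_kvec(const struct kvec_iter *iter, size_t start_offset,
		  size_t max_size, size_t max_segs)
{
	const struct kvec *kvecs = iter->kvec;
	unsigned int nkv = iter->nr_segs, ix = 0, nsegs = 0;
	size_t len, span = 0, n = iter->count;
	size_t skip = iter->iov_offset + start_offset;
	if (start_offset > n || n == 0)
		return 0;
	while (n && ix < nkv && skip) {	/* skip segments before start_offset */
		len = kvecs[ix].iov_len;
		if (skip < len)
			break;
		skip -= len;
		n -= len;	/* whole iov_len, although n excludes iov_offset */
		ix++;
	}
	while (n && ix < nkv) {		/* accumulate until a budget is spent */
		len = min_sz(min_sz(n, kvecs[ix].iov_len - skip), max_size);
		span += len;
		nsegs++;
		ix++;
		if (span >= max_size || nsegs >= max_segs)
			break;
		skip = 0;
		n -= len;
	}
	return min_sz(span, max_size);
}
/* Constructed four-segment kvec array, 13824 bytes in total; never read. */
static const struct kvec sample[4] = {
	{ NULL, 4096 }, { NULL, 1024 }, { NULL, 8192 }, { NULL, 512 }
};
/* Span over `sample` for an iterator that iov_iter_advance() has already moved
 * `advanced` (< 4096) bytes into segment 0: iov_offset grows, count shrinks. */
size_t span_of(size_t advanced, size_t start_offset, size_t max_size, size_t max_segs)
{
	struct kvec_iter it = { sample, 4, advanced, 13824 - advanced };
	return limit_kvec(&it, start_offset, max_size, max_segs);
}
```

With the fresh iterator the span is bounded by the byte budget, the segment budget or the data left, whichever comes first; with the advanced iterator and start_offset 100 the model returns 5728 bytes although 9724 remain.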