From: Andrew Morton <akpm@linux-foundation.org>
To: David Hildenbrand <david@redhat.com>
Cc: Jens Axboe <axboe@kernel.dk>,
syzbot <syzbot+1ab243d3eebb2aabf4a4@syzkaller.appspotmail.com>,
io-uring@vger.kernel.org, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [io-uring?] KASAN: null-ptr-deref Read in io_sqe_buffer_register
Date: Fri, 5 Sep 2025 19:01:33 -0700
Message-ID: <20250905190133.345203b8f0332490c0249f66@linux-foundation.org>
In-Reply-To: <cc7f03f8-da8b-407e-a03a-e8e5a9ec5462@redhat.com>
On Fri, 5 Sep 2025 09:42:55 +0200 David Hildenbrand <david@redhat.com> wrote:
> #syz test
>
> From bfd07c995814354f6b66c5b6a72e96a7aa9fb73b Mon Sep 17 00:00:00 2001
> From: David Hildenbrand <david@redhat.com>
> Date: Fri, 5 Sep 2025 08:38:43 +0200
> Subject: [PATCH] fixup: mm/gup: remove record_subpages()
>
> pages is not adjusted by the caller, but indexed by existing *nr.
>
> Signed-off-by: David Hildenbrand <david@redhat.com>
Cool, I resurrected "mm/gup: remove record_subpages()" and added the -fix:
From: David Hildenbrand <david@redhat.com>
Subject: fixup: mm/gup: remove record_subpages()
Date: Fri, 5 Sep 2025 08:38:43 +0200
pages is not adjusted by the caller, but indexed by existing *nr.
Link: https://lkml.kernel.org/r/cc7f03f8-da8b-407e-a03a-e8e5a9ec5462@redhat.com
Signed-off-by: David Hildenbrand <david@redhat.com>
Reported-by: syzbot+1ab243d3eebb2aabf4a4@syzkaller.appspotmail.com
Tested-by: syzbot+1ab243d3eebb2aabf4a4@syzkaller.appspotmail.com
Reported-by: Jens Axboe <axboe@kernel.dk>
Cc: David Hildenbrand <david@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---
mm/gup.c | 2 ++
1 file changed, 2 insertions(+)
--- a/mm/gup.c~mm-gup-remove-record_subpages-fix
+++ a/mm/gup.c
@@ -2966,6 +2966,7 @@ static int gup_fast_pmd_leaf(pmd_t orig,
return 0;
}
+ pages += *nr;
*nr += refs;
for (; refs; refs--)
*(pages++) = page++;
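Review bot: the order of `pages += *nr;` and `*nr += refs;` in this hunk is load-bearing and nothing in the code says so. If a later edit swaps the two lines, the base would be advanced by the old count plus `refs`, the loop would fill the wrong slots, and the `*nr` entries the caller trusts would again not all be written. Since the commit message only states that `pages` is not adjusted by the caller, a short comment above `pages += *nr;` (e.g. `/* caller keeps pages fixed; index by the entries recorded so far */`) would document the invariant where the next reader will look for it.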
@@ -3009,6 +3010,7 @@ static int gup_fast_pud_leaf(pud_t orig,
return 0;
}
+ pages += *nr;
*nr += refs;
for (; refs; refs--)
*(pages++) = page++;
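Review bot: this is the same three-line sequence (`pages += *nr;`, `*nr += refs;`, `for (; refs; refs--) *(pages++) = page++;`) that the previous hunk adds to gup_fast_pmd_leaf(), and the same ordering constraint applies here. Given that the missing offset had to be added in both leaf handlers, factoring the sequence into a small static helper taking `pages`, `nr`, `page` and `refs` would make it impossible for a further leaf path to drop the `pages += *nr` step again; whether any other leaf handler touched by the original "remove record_subpages()" change needs the same fix cannot be judged from the two insertions shown in this diff.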
_
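The invariant the fixup restores, that every leaf handler writes from `pages[*nr]` because the caller never advances `pages`, is easy to see with a small model. The following is an added example, not code from mm/gup.c or from the patch above: `struct page` is a constructed stand-in, `leaf_buggy`/`leaf_fixed` are hypothetical handlers mirroring the hunks before and after the fix, and `walk` stands in for the caller that feeds two leaf mappings (3 and 5 pages, constructed here) through the same output array.

```c
#include <stdio.h>

/* Constructed stand-in for struct page: the example only needs distinct addresses. */
struct page { unsigned long pfn; };

#define NPAGES 8
static struct page fake_pages[NPAGES];

typedef void (*leaf_fn)(struct page *page, int refs, struct page **pages, int *nr);

/*
 * Model of a leaf handler before the fix: the caller passes the same `pages`
 * base on every call and keeps the running count in *nr, but this version
 * writes from pages[0] each time, clobbering what earlier calls stored and
 * leaving the slots at the tail unwritten while *nr still counts them.
 */
static void leaf_buggy(struct page *page, int refs, struct page **pages, int *nr)
{
	*nr += refs;
	for (; refs; refs--)
		*(pages++) = page++;
}

/* Same handler with the offset applied first, as in the fixup. */
static void leaf_fixed(struct page *page, int refs, struct page **pages, int *nr)
{
	pages += *nr;		/* caller keeps pages fixed; index by entries recorded so far */
	*nr += refs;
	for (; refs; refs--)
		*(pages++) = page++;
}

/*
 * Hypothetical caller: walks two leaf mappings of 3 and 5 pages through the
 * given handler, never advancing `pages` itself. Returns the count claimed
 * in nr; fills `pages` in place.
 */
static int walk(leaf_fn leaf, struct page **pages)
{
	int nr = 0;

	leaf(&fake_pages[0], 3, pages, &nr);
	leaf(&fake_pages[3], 5, pages, &nr);
	return nr;
}

/* Number of slots below the claimed count that were never written (still NULL). */
static int count_unwritten(leaf_fn leaf)
{
	struct page *pages[NPAGES] = { 0 };
	int nr = walk(leaf, pages);
	int i, unwritten = 0;

	for (i = 0; i < nr; i++)
		if (!pages[i])
			unwritten++;
	return unwritten;
}

/* 1 if pages[i] holds the i-th mapped page for every claimed slot, else 0. */
static int all_in_order(leaf_fn leaf)
{
	struct page *pages[NPAGES] = { 0 };
	int nr = walk(leaf, pages);
	int i;

	for (i = 0; i < nr; i++)
		if (pages[i] != &fake_pages[i])
			return 0;
	return 1;
}

int buggy_unwritten(void) { return count_unwritten(leaf_buggy); }
int fixed_unwritten(void) { return count_unwritten(leaf_fixed); }
int buggy_in_order(void) { return all_in_order(leaf_buggy); }
int fixed_in_order(void) { return all_in_order(leaf_fixed); }

int main(void)
{
	printf("buggy: claims 8 entries, unwritten=%d, in order=%d\n",
	       buggy_unwritten(), buggy_in_order());
	printf("fixed: claims 8 entries, unwritten=%d, in order=%d\n",
	       fixed_unwritten(), fixed_in_order());
	return 0;
}
```

With the buggy handler the second call overwrites pages[0..4] and leaves pages[5..7] NULL even though nr reports 8, so any consumer that trusts the returned count and dereferences the tail entries reads NULL pointers; with the offset applied each call lands on its own slots and the array matches the mapping order.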
Thread overview: 10+ messages
2025-09-04 15:36 [syzbot] [io-uring?] KASAN: null-ptr-deref Read in io_sqe_buffer_register syzbot
2025-09-04 23:20 ` Jens Axboe
2025-09-05 3:25 ` Andrew Morton
2025-09-05 6:34 ` David Hildenbrand
2025-09-05 7:42 ` David Hildenbrand
2025-09-05 9:41 ` syzbot
2025-09-05 10:04 ` David Hildenbrand
2025-09-05 10:48 ` syzbot
2025-09-06 2:01 ` Andrew Morton [this message]
2025-09-08 4:30 ` syzbot