[syzbot] [netfs?] BUG: unable to handle kernel NULL pointer dereference in netfs_unbuffered_write


syzbot

Mar 6, 2026, 1:36:21 AM (yesterday) Mar 6
to dhow...@redhat.com, linux-...@vger.kernel.org, linux-...@vger.kernel.org, ne...@lists.linux.dev, p...@manguebit.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: c107785c7e8d Merge tag 'modules-7.0-rc3.fixes' of git://gi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15db7b5a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=976ba5a93c4add9e
dashboard link: https://syzkaller.appspot.com/bug?extid=7227db0fbac9f348dba0
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1628ab5a580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16a5414a580000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-c107785c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/3a4a4abcd973/vmlinux-c107785c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/f60667f16840/bzImage-c107785c.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7227db...@syzkaller.appspotmail.com

netfs: Couldn't get user pages (rc=-14)
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 31867067 P4D 31867067 PUD 0
Oops: Oops: 0010 [#1] SMP KASAN NOPTI
CPU: 3 UID: 0 PID: 6079 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffffc90003b7fb90 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff88803bd3a5b0 RCX: ffffffff82c49d0a
RDX: ffff88802b9ca4c0 RSI: ffffffff82c49b9c RDI: ffff88803bd3a500
RBP: 0000000000140000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffff88803bd3a598
R13: dffffc0000000000 R14: ffff88803bd3a500 R15: ffff888023066580
FS: 00007f9e9a09f6c0(0000) GS:ffff8880d6644000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000002c65b000 CR4: 0000000000352ef0
Call Trace:
<TASK>
netfs_unbuffered_write+0xae5/0x2080 fs/netfs/direct_write.c:189
netfs_unbuffered_write_iter_locked+0x801/0xab0 fs/netfs/direct_write.c:287
netfs_unbuffered_write_iter+0x40c/0x710 fs/netfs/direct_write.c:377
v9fs_file_write_iter+0xbf/0x100 fs/9p/vfs_file.c:409
new_sync_write fs/read_write.c:595 [inline]
vfs_write+0x6ac/0x1070 fs/read_write.c:688
ksys_write+0x12a/0x250 fs/read_write.c:740
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f9e9919c799
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f9e9a09f028 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f9e99415fa0 RCX: 00007f9e9919c799
RDX: 000000000208e24b RSI: 0000200000000000 RDI: 0000000000000003
RBP: 00007f9e99232bd9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f9e99416038 R14: 00007f9e99415fa0 R15: 00007fff05034208
</TASK>
Modules linked in:
CR2: 0000000000000000
---[ end trace 0000000000000000 ]---
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffffc90003b7fb90 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff88803bd3a5b0 RCX: ffffffff82c49d0a
RDX: ffff88802b9ca4c0 RSI: ffffffff82c49b9c RDI: ffff88803bd3a500
RBP: 0000000000140000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffff88803bd3a598
R13: dffffc0000000000 R14: ffff88803bd3a500 R15: ffff888023066580
FS: 00007f9e9a09f6c0(0000) GS:ffff8880d6644000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000002c65b000 CR4: 0000000000352ef0


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

Mar 6, 2026, 7:12:46 PM (23 hours ago) Mar 6
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: [PATCH] netfs: Fix NULL pointer dereference in netfs_unbuffered_write() on retry
Author: karti...@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


When a write subrequest is marked NETFS_SREQ_NEED_RETRY, the retry path
in netfs_unbuffered_write() unconditionally calls stream->prepare_write()
without checking if it is NULL.

Filesystems such as 9P do not set the prepare_write operation, so
stream->prepare_write remains NULL. When get_user_pages() fails with
-EFAULT and the subrequest is flagged for retry, this results in a NULL
pointer dereference at fs/netfs/direct_write.c:189.

Fix this by mirroring the pattern already used in write_retry.c: if
stream->prepare_write is NULL, skip renegotiation and directly reissue
the subrequest via netfs_reissue_write(), which handles iterator reset,
IN_PROGRESS flag, stats update and reissue internally.

Reported-by: syzbot+7227db...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7227db0fbac9f348dba0
Signed-off-by: Deepanshu Kartikey <Karti...@gmail.com>
---
fs/netfs/direct_write.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/fs/netfs/direct_write.c b/fs/netfs/direct_write.c
index dd1451bf7543..d7295a64f0a9 100644
--- a/fs/netfs/direct_write.c
+++ b/fs/netfs/direct_write.c
@@ -186,10 +186,17 @@ static int netfs_unbuffered_write(struct netfs_io_request *wreq)
stream->sreq_max_segs = INT_MAX;

netfs_get_subrequest(subreq, netfs_sreq_trace_get_resubmit);
- stream->prepare_write(subreq);

- __set_bit(NETFS_SREQ_IN_PROGRESS, &subreq->flags);
- netfs_stat(&netfs_n_wh_retry_write_subreq);
+ if (stream->prepare_write) {
+ stream->prepare_write(subreq);
+ __set_bit(NETFS_SREQ_IN_PROGRESS, &subreq->flags);
+ netfs_stat(&netfs_n_wh_retry_write_subreq);
+ } else {
+ struct iov_iter source;
+ netfs_reset_iter(subreq);
+ source = subreq->io_iter;
+ netfs_reissue_write(stream, subreq, &source);
+ }
}

netfs_unbuffered_write_done(wreq);
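Review bot: in the else branch, the explicit netfs_reset_iter(subreq) before netfs_reissue_write(stream, subreq, &source) does not match the commit message, which says netfs_reissue_write() "handles iterator reset, IN_PROGRESS flag, stats update and reissue internally"; either the reset is redundant and should go, or the message should be reworded so the two agree. Kernel style also wants a blank line between the `struct iov_iter source;` declaration and the statements that follow it. The two paths now diverge after the NULL check: the prepare_write branch only sets NETFS_SREQ_IN_PROGRESS and bumps netfs_n_wh_retry_write_subreq, while the other reissues the subrequest immediately, so a one-line comment on why that asymmetry is correct would help the next reader. Finally, the patch carries no Fixes: tag; the retry path being fixed should be named so the fix can be picked for stable.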
--
2.43.0
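The failure mode the patch above describes, an optional per-stream hook called on the retry path without a NULL check, and the shape of the fix, as an added C example that is not code from the patch, the kernel or the syzbot report. It is a user-space model: the stream, subrequest, backend and hook names (wstream, wsubreq, backend_issue, chunking_prepare_write, run_scenario) are this example's own, the backend's first failure with -EFAULT is constructed to mimic the report's get_user_pages() failure, and the unguarded path returns -1 instead of actually calling through NULL, which in the kernel is the instruction-fetch fault at RIP 0x0 shown in the report.

```c
/* Added example, not code from the netfs patch or the kernel: a model of an
 * unbuffered-write retry path whose per-stream prepare_write() hook is
 * optional, contrasting the unguarded call (the pre-fix shape) with the
 * guarded one (the shape of the fix). All identifiers are this example's own. */
#include <stdbool.h>
#include <stddef.h>

#define EFAULT 14
#define SREQ_NEED_RETRY (1u << 0)

struct wsubreq {
	unsigned int flags;
	size_t len;		/* bytes covered by this subrequest */
	int error;
	int issue_count;	/* times the backend has been asked to write it */
};

struct wstream {
	/* Optional renegotiation hook; a backend may leave it NULL, as the
	 * patch description says 9P does for prepare_write. */
	void (*prepare_write)(struct wsubreq *sr);
	unsigned long retry_stat;
};

/* Simulated backend (constructed for this example): the first issue fails
 * the way the report's get_user_pages() failure does (-EFAULT, subrequest
 * flagged for retry); any later issue completes. */
static void backend_issue(struct wsubreq *sr)
{
	sr->issue_count++;
	if (sr->issue_count == 1) {
		sr->error = -EFAULT;
		sr->flags |= SREQ_NEED_RETRY;
	} else {
		sr->error = 0;
	}
}

/* Rewind the subrequest and hand it back to the backend, the job that
 * netfs_reset_iter() + netfs_reissue_write() do in the patch. */
static void reissue_write(struct wstream *st, struct wsubreq *sr)
{
	sr->error = 0;
	sr->flags &= ~SREQ_NEED_RETRY;
	st->retry_stat++;
	backend_issue(sr);
}

/* The retry path. With guarded == false it has the pre-fix shape: the hook
 * is called with no NULL check. A call through NULL cannot be executed
 * safely in user space, so that case returns -1 where the kernel takes the
 * "RIP: 0010:0x0" fault. Otherwise returns the subrequest's final error. */
static int retry_subreq(struct wstream *st, struct wsubreq *sr, bool guarded)
{
	if (!(sr->flags & SREQ_NEED_RETRY))
		return sr->error;

	if (guarded && !st->prepare_write) {
		/* The fix: no hook, so skip renegotiation and reissue directly. */
		reissue_write(st, sr);
		return sr->error;
	}
	if (!st->prepare_write)
		return -1;		/* unguarded path: NULL function pointer call */
	st->prepare_write(sr);		/* renegotiate, then reissue */
	reissue_write(st, sr);
	return sr->error;
}

/* A hook that renegotiates the subrequest down to a smaller chunk. */
static void chunking_prepare_write(struct wsubreq *sr)
{
	if (sr->len > 4096)
		sr->len = 4096;
}

/* Issue one 16 KiB write and run the retry path once. Returns the final
 * error (-1 if the unguarded path hit a NULL hook); *issues, if non-NULL,
 * receives how many times the backend saw the subrequest. */
static int run_scenario(bool with_hook, bool guarded, int *issues)
{
	struct wstream st = { .prepare_write = with_hook ? chunking_prepare_write : NULL };
	struct wsubreq sr = { .len = 16384 };
	int rc;

	backend_issue(&sr);		/* first attempt: -EFAULT, NEED_RETRY set */
	rc = retry_subreq(&st, &sr, guarded);
	if (issues)
		*issues = sr.issue_count;
	return rc;
}

/* Backend issue count for a scenario, for callers that only want that. */
static int issues_in_scenario(bool with_hook, bool guarded)
{
	int n = 0;

	run_scenario(with_hook, guarded, &n);
	return n;
}
```

With guarded == true and no hook, retry_subreq() takes the fix's else branch and reissues without renegotiation, so a 9P-like stream completes on the second issue; with guarded == false the same stream never reaches the backend a second time, which is the point at which the real kernel faults.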

syzbot

Mar 6, 2026, 7:40:04 PM (23 hours ago) Mar 6
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

lost connection to test machine



[ 52.755134][ T40] audit: type=1400 audit(1772843937.457:60): avc: denied { rlimitinh } for pid=5908 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 52.762936][ T40] audit: type=1400 audit(1772843937.457:61): avc: denied { siginh } for pid=5908 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
Warning: Permanently added '[localhost]:9893' (ED25519) to the list of known hosts.
[ 59.078731][ T40] audit: type=1400 audit(1772843943.797:62): avc: denied { execute } for pid=5928 comm="sh" name="syz-execprog" dev="sda1" ino=2020 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1
[ 59.085870][ T40] audit: type=1400 audit(1772843943.797:63): avc: denied { execute_no_trans } for pid=5928 comm="sh" path="/syz-execprog" dev="sda1" ino=2020 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1
qemu-system-x86_64: ahci: PRDT length for NCQ command (0x0) is smaller than the requested size (0x99000)
[ 59.742863][ T1116] ata1.00: Read log 0x10 page 0x00 failed, Emask 0x1
[ 59.745980][ T1116] ata1: failed to read log page 10h (errno=-5)
[ 59.748698][ T1116] ata1.00: exception Emask 0x1 SAct 0x40000001 SErr 0x0 action 0x0
[ 59.752402][ T1116] ata1.00: irq_stat 0x41000000
[ 59.754519][ T1116] ata1.00: failed command: WRITE FPDMA QUEUED
[ 59.757324][ T1116] ata1.00: cmd 61/58:00:d6:6d:04/06:00:00:00:00/40 tag 0 ncq dma 831488 out
[ 59.757324][ T1116] res 50/00:00:00:00:00/00:00:00:00:00/00 Emask 0x1 (device error)
[ 59.764851][ T1116] ata1.00: status: { DRDY }
[ 59.766900][ T1116] ata1.00: failed command: WRITE FPDMA QUEUED
[ 59.769743][ T1116] ata1.00: cmd 61/c8:f0:0e:69:04/04:00:00:00:00/40 tag 30 ncq dma 626688 out
[ 59.769743][ T1116] res 50/00:00:00:00:00/00:00:00:00:00/00 Emask 0x1 (device error)
[ 59.777328][ T1116] ata1.00: status: { DRDY }
[ 59.780442][ T1116] ata1.00: configured for UDMA/100
[ 59.783246][ T1116] ata1: EH complete
qemu-system-x86_64: ahci: PRDT length for NCQ command (0x0) is smaller than the requested size (0x400000)
qemu-system-x86_64: ahci: PRDT length for NCQ command (0x0) is smaller than the requested size (0x400000)
[ 60.002677][ T1116] ata1.00: Read log 0x10 page 0x00 failed, Emask 0x1
[ 60.005615][ T1116] ata1: failed to read log page 10h (errno=-5)
[ 60.008370][ T1116] ata1.00: NCQ disabled due to excessive errors
[ 60.011117][ T1116] ata1.00: exception Emask 0x1 SAct 0x89000000 SErr 0x0 action 0x0
[ 60.014746][ T1116] ata1.00: irq_stat 0x41000000
[ 60.016900][ T1116] ata1.00: failed command: WRITE FPDMA QUEUED
[ 60.019566][ T1116] ata1.00: cmd 61/00:c0:f6:06:05/20:00:00:00:00/40 tag 24 ncq dma 4194304 ou
[ 60.019566][ T1116] res 50/04:00:00:00:00/00:00:00:00:00/00 Emask 0x1 (device error)
[ 60.027211][ T1116] ata1.00: status: { DRDY }
[ 60.029244][ T1116] ata1.00: error: { ABRT }
[ 60.031278][ T1116] ata1.00: failed command: WRITE FPDMA QUEUED
[ 60.034084][ T1116] ata1.00: cmd 61/00:d8:36:61:05/20:00:00:00:00/40 tag 27 ncq dma 4194304 ou
[ 60.034084][ T1116] res 50/04:00:00:00:00/00:00:00:00:00/00 Emask 0x1 (device error)
[ 60.041564][ T1116] ata1.00: status: { DRDY }
[ 60.043728][ T1116] ata1.00: error: { ABRT }
[ 60.045740][ T1116] ata1.00: failed command: WRITE FPDMA QUEUED
[ 60.048454][ T1116] ata1.00: cmd 61/38:f8:36:81:05/0d:00:00:00:00/40 tag 31 ncq dma 1732608 ou
[ 60.048454][ T1116] res 50/04:00:00:00:00/00:00:00:00:00/00 Emask 0x1 (device error)
[ 60.056127][ T1116] ata1.00: status: { DRDY }
[ 60.058176][ T1116] ata1.00: error: { ABRT }
[ 60.061129][ T1116] ata1.00: configured for UDMA/100
[ 60.064028][ T1116] ata1: EH complete
qemu-system-x86_64: hw/ide/core.c:934: ide_dma_cb: Assertion `prep_size >= 0 && prep_size <= n * 512' failed.
Connection to localhost closed by remote host.


syzkaller build log:
go env (err=<nil>)
AR='ar'
CC='gcc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='g++'
GCCGO='gccgo'
GO111MODULE='auto'
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build1140076034=/tmp/go-build -gno-record-gcc-switches'
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMOD='/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOMODCACHE='/syzkaller/jobs/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/syzkaller/.config/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.24.4'
GOWORK=''
PKG_CONFIG='pkg-config'

git status (err=<nil>)
HEAD detached at d20b04c80a0
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=d20b04c80a01e68026299511a6ba77cc67a198f5 -X github.com/google/syzkaller/prog.gitRevisionDate=20260305-101922" ./sys/syz-sysgen | grep -q false || go install -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=d20b04c80a01e68026299511a6ba77cc67a198f5 -X github.com/google/syzkaller/prog.gitRevisionDate=20260305-101922" ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=d20b04c80a01e68026299511a6ba77cc67a198f5 -X github.com/google/syzkaller/prog.gitRevisionDate=20260305-101922" -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"d20b04c80a01e68026299511a6ba77cc67a198f5\"
/usr/bin/ld: /tmp/ccLEWSPc.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x386): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
./tools/check-syzos.sh 2>/dev/null



Tested on:

commit: 325a118c Merge tag 'pci-v7.0-fixes-3' of git://git.ker..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=976ba5a93c4add9e
dashboard link: https://syzkaller.appspot.com/bug?extid=7227db0fbac9f348dba0
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=1223d552580000

syzbot

Mar 6, 2026, 7:41:12 PM (23 hours ago) Mar 6
to linux-...@vger.kernel.org, syzkall...@googlegroups.com

syzbot

Mar 6, 2026, 7:55:05 PM (23 hours ago) Mar 6
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

lost connection to test machine



[ 53.006729][ T40] audit: type=1400 audit(1772844781.220:61): avc: denied { siginh } for pid=5916 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
Warning: Permanently added '[localhost]:6261' (ED25519) to the list of known hosts.
[ 59.362394][ T40] audit: type=1400 audit(1772844787.600:62): avc: denied { execute } for pid=5934 comm="sh" name="syz-execprog" dev="sda1" ino=2020 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1
[ 59.370350][ T40] audit: type=1400 audit(1772844787.600:63): avc: denied { execute_no_trans } for pid=5934 comm="sh" path="/syz-execprog" dev="sda1" ino=2020 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1
qemu-system-x86_64: ahci: PRDT length for NCQ command (0x0) is smaller than the requested size (0x276000)
[ 60.287164][ T1115] ata1.00: Read log 0x10 page 0x00 failed, Emask 0x1
[ 60.290289][ T1115] ata1: failed to read log page 10h (errno=-5)
[ 60.293027][ T1115] ata1.00: exception Emask 0x1 SAct 0x18000000 SErr 0x0 action 0x0
[ 60.296801][ T1115] ata1.00: irq_stat 0x41000000
[ 60.298945][ T1115] ata1.00: failed command: WRITE FPDMA QUEUED
[ 60.301653][ T1115] ata1.00: cmd 61/b0:d8:86:ad:04/13:00:00:00:00/40 tag 27 ncq dma 2580480 ou
[ 60.301653][ T1115] res 50/00:00:00:00:00/00:00:00:00:00/00 Emask 0x1 (device error)
[ 60.309312][ T1115] ata1.00: status: { DRDY }
[ 60.311350][ T1115] ata1.00: failed command: WRITE FPDMA QUEUED
[ 60.314078][ T1115] ata1.00: cmd 61/a8:e0:36:c1:04/06:00:00:00:00/40 tag 28 ncq dma 872448 out
[ 60.314078][ T1115] res 50/00:00:00:00:00/00:00:00:00:00/00 Emask 0x1 (device error)
[ 60.321656][ T1115] ata1.00: status: { DRDY }
[ 60.325837][ T1115] ata1.00: configured for UDMA/100
[ 60.328869][ T1115] ata1: EH complete
qemu-system-x86_64: ahci: PRDT length for NCQ command (0x0) is smaller than the requested size (0x306000)
2026/03/07 00:53:09 parsed 1 programs
[ 60.882101][ T40] audit: type=1400 audit(1772844789.120:64): avc: denied { node_bind } for pid=5934 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1
[ 63.061673][ T40] audit: type=1400 audit(1772844791.300:65): avc: denied { mounton } for pid=5944 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2023 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 63.072219][ T40] audit: type=1400 audit(1772844791.310:66): avc: denied { mount } for pid=5944 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 63.074421][ T5944] cgroup: Unknown subsys name 'net'
[ 63.086127][ T40] audit: type=1400 audit(1772844791.330:67): avc: denied { unmount } for pid=5944 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 63.204323][ T5944] cgroup: Unknown subsys name 'cpuset'
[ 63.211220][ T5944] cgroup: Unknown subsys name 'rlimit'
[ 63.354811][ T40] audit: type=1400 audit(1772844791.590:68): avc: denied { setattr } for pid=5944 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=849 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 63.362722][ T40] audit: type=1400 audit(1772844791.590:69): avc: denied { create } for pid=5944 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 63.371542][ T40] audit: type=1400 audit(1772844791.590:70): avc: denied { write } for pid=5944 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 63.379823][ T40] audit: type=1400 audit(1772844791.590:71): avc: denied { read } for pid=5944 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 76.290044][ T1418] ieee802154 phy0 wpan0: encryption failed: -22
[ 76.292902][ T1418] ieee802154 phy1 wpan1: encryption failed: -22
[ 86.527671][ T71] cfg80211: failed to load regulatory.db
[ 90.406172][ T1115] ata1.00: exception Emask 0x0 SAct 0x8000000 SErr 0x0 action 0x6 frozen
[ 90.408914][ T1115] ata1.00: failed command: WRITE FPDMA QUEUED
[ 90.410920][ T1115] ata1.00: cmd 61/30:d8:06:29:05/18:00:00:00:00/40 tag 27 ncq dma 3170304 ou
[ 90.410920][ T1115] res 40/00:00:00:00:00/00:00:00:00:00/00 Emask 0x4 (timeout)
[ 90.417891][ T1115] ata1.00: status: { DRDY }
[ 90.419868][ T1115] ata1: hard resetting link
[ 90.740475][ T1115] ata1: SATA link up 1.5 Gbps (SStatus 113 SControl 300)
[ 90.744117][ T1115] ata1.00: configured for UDMA/100
[ 90.746150][ T1115] ata1: EH complete
[ 90.797641][ T5947] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped).
[ 90.802207][ T40] kauditd_printk_skb: 6 callbacks suppressed
[ 90.802221][ T40] audit: type=1400 audit(1772844819.040:78): avc: denied { relabelto } for pid=5947 comm="mkswap" name="swap-file" dev="sda1" ino=2026 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
qemu-system-x86_64: ahci: PRDT length for NCQ command (0x0) is smaller than the requested size (0xa6000)
[ 90.886300][ T40] audit: type=1400 audit(1772844819.120:79): avc: denied { write } for pid=5947 comm="mkswap" path="/swap-file" dev="sda1" ino=2026 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[ 90.937311][ T1115] ata1.00: Read log 0x10 page 0x00 failed, Emask 0x1
[ 90.940273][ T1115] ata1: failed to read log page 10h (errno=-5)
[ 90.943034][ T1115] ata1.00: exception Emask 0x1 SAct 0x4000 SErr 0x0 action 0x0
[ 90.946430][ T1115] ata1.00: irq_stat 0x41000008
[ 90.948570][ T1115] ata1.00: failed command: WRITE FPDMA QUEUED
[ 90.951219][ T1115] ata1.00: cmd 61/30:70:46:90:05/05:00:00:00:00/40 tag 14 ncq dma 679936 out
[ 90.951219][ T1115] res 50/04:00:00:00:00/00:00:00:00:00/00 Emask 0x1 (device error)
[ 90.958887][ T1115] ata1.00: status: { DRDY }
[ 90.960867][ T1115] ata1.00: error: { ABRT }
[ 90.963944][ T1115] ata1.00: configured for UDMA/100
[ 90.966577][ T1115] ata1: EH complete
qemu-system-x86_64: ahci: PRDT length for NCQ command (0x0) is smaller than the requested size (0x400000)
[ 91.007150][ T1115] ata1.00: Read log 0x10 page 0x00 failed, Emask 0x1
[ 91.010097][ T1115] ata1: failed to read log page 10h (errno=-5)
[ 91.012787][ T1115] ata1.00: NCQ disabled due to excessive errors
[ 91.015506][ T1115] ata1.00: exception Emask 0x1 SAct 0x600000 SErr 0x0 action 0x0
[ 91.019092][ T1115] ata1.00: irq_stat 0x41000000
[ 91.020807][ T1115] ata1.00: failed command: WRITE FPDMA QUEUED
[ 91.022931][ T1115] ata1.00: cmd 61/00:a8:76:95:05/20:00:00:00:00/40 tag 21 ncq dma 4194304 ou
[ 91.022931][ T1115] res 50/04:00:00:00:00/00:00:00:00:00/00 Emask 0x1 (device error)
[ 91.029236][ T1115] ata1.00: status: { DRDY }
[ 91.030908][ T1115] ata1.00: error: { ABRT }
[ 91.032434][ T1115] ata1.00: failed command: WRITE FPDMA QUEUED
[ 91.034457][ T1115] ata1.00: cmd 61/30:b0:46:90:05/05:00:00:00:00/40 tag 22 ncq dma 679936 out
[ 91.034457][ T1115] res 50/04:01:00:00:00/00:00:00:00:00/00 Emask 0x1 (device error)
[ 91.041746][ T1115] ata1.00: status: { DRDY }
[ 91.043252][ T1115] ata1.00: error: { ABRT }
[ 91.045632][ T1115] ata1.00: configured for UDMA/100
[ 91.048480][ T1115] ata1: EH complete
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build1814019681=/tmp/go-build -gno-record-gcc-switches'
/usr/bin/ld: /tmp/ccZswRL1.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x386): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
./tools/check-syzos.sh 2>/dev/null



Tested on:

commit: 325a118c Merge tag 'pci-v7.0-fixes-3' of git://git.ker..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=976ba5a93c4add9e
dashboard link: https://syzkaller.appspot.com/bug?extid=7227db0fbac9f348dba0
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=16cbfb5a580000

syzbot

Mar 6, 2026, 8:06:43 PM (23 hours ago) Mar 6
to linux-...@vger.kernel.org, syzkall...@googlegroups.com

syzbot

Mar 6, 2026, 8:21:05 PM (22 hours ago) Mar 6
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

lost connection to test machine



qemu-system-x86_64: ahci: PRDT length for NCQ command (0x0) is smaller than the requested size (0xec000)
qemu-system-x86_64: ahci: PRDT length for NCQ command (0x0) is smaller than the requested size (0x372000)
qemu-system-x86_64: ahci: PRDT length for NCQ command (0x0) is smaller than the requested size (0x2b4000)
Warning: Permanently added '[localhost]:9553' (ED25519) to the list of known hosts.
[ 60.013321][ T40] audit: type=1400 audit(1772846336.792:62): avc: denied { execute } for pid=5928 comm="sh" name="syz-execprog" dev="sda1" ino=2020 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1
[ 60.020535][ T40] audit: type=1400 audit(1772846336.802:63): avc: denied { execute_no_trans } for pid=5928 comm="sh" path="/syz-execprog" dev="sda1" ino=2020 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1
2026/03/07 01:18:58 parsed 1 programs
[ 61.787218][ T40] audit: type=1400 audit(1772846338.562:64): avc: denied { node_bind } for pid=5928 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1
[ 64.314024][ T40] audit: type=1400 audit(1772846341.092:65): avc: denied { mounton } for pid=5937 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2023 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 64.325364][ T40] audit: type=1400 audit(1772846341.102:66): avc: denied { mount } for pid=5937 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 64.327352][ T5937] cgroup: Unknown subsys name 'net'
[ 64.338664][ T40] audit: type=1400 audit(1772846341.112:67): avc: denied { unmount } for pid=5937 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 64.492218][ T5937] cgroup: Unknown subsys name 'cpuset'
[ 64.497527][ T5937] cgroup: Unknown subsys name 'rlimit'
[ 64.697609][ T40] audit: type=1400 audit(1772846341.472:68): avc: denied { setattr } for pid=5937 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=849 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 64.709106][ T40] audit: type=1400 audit(1772846341.482:69): avc: denied { create } for pid=5937 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 64.717475][ T40] audit: type=1400 audit(1772846341.482:70): avc: denied { write } for pid=5937 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 64.726303][ T40] audit: type=1400 audit(1772846341.482:71): avc: denied { read } for pid=5937 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 76.424366][ T1416] ieee802154 phy0 wpan0: encryption failed: -22
[ 76.427236][ T1416] ieee802154 phy1 wpan1: encryption failed: -22
[ 86.668293][ T29] cfg80211: failed to load regulatory.db
[ 118.059383][ T1113] ata1.00: NCQ disabled due to excessive errors
[ 118.062114][ T1113] ata1.00: exception Emask 0x0 SAct 0x40000120 SErr 0x0 action 0x6 frozen
[ 118.065797][ T1113] ata1.00: failed command: WRITE FPDMA QUEUED
[ 118.068375][ T1113] ata1.00: cmd 61/90:28:36:21:05/1b:00:00:00:00/40 tag 5 ncq dma 3612672 ou
[ 118.068375][ T1113] res 40/00:00:00:00:00/00:00:00:00:00/00 Emask 0x4 (timeout)
[ 118.075829][ T1113] ata1.00: status: { DRDY }
[ 118.077372][ T1113] ata1.00: failed command: WRITE FPDMA QUEUED
[ 118.079529][ T1113] ata1.00: cmd 61/a0:40:36:61:05/15:00:00:00:00/40 tag 8 ncq dma 2834432 ou
[ 118.079529][ T1113] res 40/00:00:00:00:00/00:00:00:00:00/00 Emask 0x4 (timeout)
[ 118.084906][ T1113] ata1.00: status: { DRDY }
[ 118.086422][ T1113] ata1.00: failed command: WRITE FPDMA QUEUED
[ 118.088377][ T1113] ata1.00: cmd 61/60:f0:76:4a:04/07:00:00:00:00/40 tag 30 ncq dma 966656 out
[ 118.088377][ T1113] res 40/00:00:00:00:00/00:00:00:00:00/00 Emask 0x4 (timeout)
[ 118.093826][ T1113] ata1.00: status: { DRDY }
[ 118.095370][ T1113] ata1: hard resetting link
[ 118.414125][ T1113] ata1: SATA link up 1.5 Gbps (SStatus 113 SControl 300)
[ 118.417532][ T1113] ata1.00: configured for UDMA/100
[ 118.419565][ T1113] ata1: EH complete
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build632602998=/tmp/go-build -gno-record-gcc-switches'
/usr/bin/ld: /tmp/ccWzPJKl.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x386): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
./tools/check-syzos.sh 2>/dev/null



Tested on:

commit: 325a118c Merge tag 'pci-v7.0-fixes-3' of git://git.ker..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=976ba5a93c4add9e
dashboard link: https://syzkaller.appspot.com/bug?extid=7227db0fbac9f348dba0
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=12486b5a580000

syzbot

Mar 6, 2026, 10:58:29 PM (20 hours ago) Mar 6
to linux-...@vger.kernel.org, syzkall...@googlegroups.com

syzbot

Mar 6, 2026, 11:19:05 PM (19 hours ago) Mar 6
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+7227db...@syzkaller.appspotmail.com
Tested-by: syzbot+7227db...@syzkaller.appspotmail.com

Tested on:

commit: 325a118c Merge tag 'pci-v7.0-fixes-3' of git://git.ker..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12be9552580000
kernel config: https://syzkaller.appspot.com/x/.config?x=976ba5a93c4add9e
dashboard link: https://syzkaller.appspot.com/bug?extid=7227db0fbac9f348dba0
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=179cd8d6580000

Note: testing is done by a robot and is best-effort only.

David Howells

2:27 AM (16 hours ago) 2:27 AM
to syzbot, dhow...@redhat.com, Deepanshu Kartikey, linux-...@vger.kernel.org, linux-...@vger.kernel.org, ne...@lists.linux.dev, p...@manguebit.org, syzkall...@googlegroups.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git c107785c7e8d

commit eb8299de8f603a6d7acf50e534c87ac1adeb3060
Author: Deepanshu Kartikey <karti...@gmail.com>
Date: Sat Mar 7 10:09:47 2026 +0530

netfs: Fix NULL pointer dereference in netfs_unbuffered_write() on retry

When a write subrequest is marked NETFS_SREQ_NEED_RETRY, the retry path
in netfs_unbuffered_write() unconditionally calls stream->prepare_write()
without checking if it is NULL.

Filesystems such as 9P do not set the prepare_write operation, so
stream->prepare_write remains NULL. When get_user_pages() fails with
-EFAULT and the subrequest is flagged for retry, this results in a NULL
pointer dereference at fs/netfs/direct_write.c:189.

Fix this by mirroring the pattern already used in write_retry.c: if
stream->prepare_write is NULL, skip renegotiation and directly reissue
the subrequest via netfs_reissue_write(), which handles iterator reset,
IN_PROGRESS flag, stats update and reissue internally.

Fixes: a0b4c7a49137 ("netfs: Fix unbuffered/DIO writes to dispatch subrequests in strict sequence")
diff --git a/fs/netfs/direct_write.c b/fs/netfs/direct_write.c
index dd1451bf7543..4d9760e36c11 100644
--- a/fs/netfs/direct_write.c
+++ b/fs/netfs/direct_write.c
@@ -186,10 +186,18 @@ static int netfs_unbuffered_write(struct netfs_io_request *wreq)

syzbot

3:00 AM (16 hours ago) 3:00 AM
to dhow...@redhat.com, karti...@gmail.com, linux-...@vger.kernel.org, linux-...@vger.kernel.org, ne...@lists.linux.dev, p...@manguebit.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+7227db...@syzkaller.appspotmail.com
Tested-by: syzbot+7227db...@syzkaller.appspotmail.com

Tested on:

commit: c107785c Merge tag 'modules-7.0-rc3.fixes' of git://gi..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=11d4db5a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=976ba5a93c4add9e
dashboard link: https://syzkaller.appspot.com/bug?extid=7227db0fbac9f348dba0
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=1464db5a580000