The call stack io_sqe_buffer_register -> io_buffer_account_pin -> headpage_already_acct results in a null ptr dereference in the for loop. There is no guarantee that ctx->buf_table.nodes[i] is an allocated node so add a check if null before dereferencing. Signed-off-by: Daniel Yang <danielyangkang@xxxxxxxxx> Reported-by: syzbot+05c0f12a4d43d656817e@xxxxxxxxxxxxxxxxxxxxxxxxx Closes: https://syzkaller.appspot.com/bug?extid=05c0f12a4d43d656817e Fixes: 661768085e99 ("io_uring/rsrc: get rid of the empty node and dummy_ubuf") --- io_uring/rsrc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/io_uring/rsrc.c b/io_uring/rsrc.c index af60d9f59..e2edb752a 100644 --- a/io_uring/rsrc.c +++ b/io_uring/rsrc.c @@ -581,6 +581,8 @@ static bool headpage_already_acct(struct io_ring_ctx *ctx, struct page **pages, /* check previously registered pages */ for (i = 0; i < ctx->buf_table.nr; i++) { struct io_rsrc_node *node = ctx->buf_table.nodes[i]; + if (!node) + continue; struct io_mapped_ubuf *imu = node->buf; for (j = 0; j < imu->nr_bvecs; j++) { -- 2.39.2
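Review bot: the new `if (!node) continue;` is placed between two declarations in the loop body (`struct io_rsrc_node *node = ctx->buf_table.nodes[i];` and `struct io_mapped_ubuf *imu = node->buf;`), so `imu` ends up declared after a statement, which kernel style avoids. Either declare `imu` at the top of the block alongside `node` and assign it after the check (`struct io_mapped_ubuf *imu;` ... `imu = node->buf;`), or keep the two declarations together and perform the NULL test on `node` before the `imu` initialisation. The check itself is consistent with the commit message and the Fixes tag: once the empty placeholder node was removed by 661768085e99, `ctx->buf_table.nodes[i]` can legitimately be NULL for a slot that has never been registered, and skipping such slots in the accounting loop is the right fix.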