Hi, We found a bug in Linux 6.10. It is probably a null pointer dereference bug. The bug report and syzkaller reproducer are as follows: Bug report: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] CPU: 0 PID: 45 Comm: kworker/u4:3 Not tainted 6.10.0 #13 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: writeback wb_workfn (flush-8:0) RIP: 0010:update_io_ticks+0x94/0x2c0 block/blk-core.c:992 Code: f3 f3 f3 48 89 54 24 18 4a 89 04 32 e8 75 77 59 fd 48 c1 eb 03 48 89 5c 24 08 eb 03 4c 8b 2b 49 8d 5d 28 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 6d 82 bc fd 4c 8b 3b 48 8b 44 24 RSP: 0018:ffffc9000090e620 EFLAGS: 00010206 RAX: 0000000000000005 RBX: 0000000000000028 RCX: ffff888015330000 RDX: 0000000000000000 RSI: 0000000100000845 RDI: 0000000000000000 RBP: ffffc9000090e6d8 R08: ffffffff843a8b4a R09: 1ffffffff1e48be5 R10: dffffc0000000000 R11: fffffbfff1e48be6 R12: 0000000100000845 R13: 0000000000000000 R14: dffffc0000000000 R15: ffff88801d4f2058 FS: 0000000000000000(0000) GS:ffff888063a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffd0a027408 CR3: 00000000232cc000 CR4: 0000000000350ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> blk_account_io_start+0x189/0x2d0 block/blk-mq.c:1022 blk_mq_bio_to_request block/blk-mq.c:2559 [inline] blk_mq_submit_bio+0x1043/0x1f40 block/blk-mq.c:2996 __submit_bio+0x1bc/0x550 block/blk-core.c:627 __submit_bio_noacct_mq block/blk-core.c:708 [inline] submit_bio_noacct_nocheck+0x3ed/0xc20 block/blk-core.c:737 ext4_io_submit+0xd4/0x130 fs/ext4/page-io.c:377 ext4_do_writepages+0x293b/0x38e0 fs/ext4/inode.c:2699 ext4_writepages+0x20c/0x3b0 fs/ext4/inode.c:2768 do_writepages+0x36f/0x880 mm/page-writeback.c:2656 __writeback_single_inode+0xe2/0x660 fs/fs-writeback.c:1651 writeback_sb_inodes+0x8ee/0x1140 fs/fs-writeback.c:1947 __writeback_inodes_wb+0x11b/0x260 fs/fs-writeback.c:2018 wb_writeback+0x3e7/0x750 fs/fs-writeback.c:2129 wb_check_old_data_flush fs/fs-writeback.c:2233 [inline] wb_do_writeback fs/fs-writeback.c:2286 [inline] wb_workfn+0xa29/0xf00 fs/fs-writeback.c:2314 process_one_work kernel/workqueue.c:3248 [inline] process_scheduled_works+0x977/0x1410 kernel/workqueue.c:3329 worker_thread+0xaa0/0x1020 kernel/workqueue.c:3409 kthread+0x2eb/0x380 kernel/kthread.c:389 ret_from_fork+0x49/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:update_io_ticks+0x94/0x2c0 block/blk-core.c:992 Code: f3 f3 f3 48 89 54 24 18 4a 89 04 32 e8 75 77 59 fd 48 c1 eb 03 48 89 5c 24 08 eb 03 4c 8b 2b 49 8d 5d 28 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 6d 82 bc fd 4c 8b 3b 48 8b 44 24 RSP: 0018:ffffc9000090e620 EFLAGS: 00010206 RAX: 0000000000000005 RBX: 0000000000000028 RCX: ffff888015330000 RDX: 0000000000000000 RSI: 0000000100000845 RDI: 0000000000000000 RBP: ffffc9000090e6d8 R08: ffffffff843a8b4a R09: 1ffffffff1e48be5 R10: dffffc0000000000 R11: fffffbfff1e48be6 R12: 0000000100000845 R13: 0000000000000000 R14: dffffc0000000000 R15: ffff88801d4f2058 FS: 0000000000000000(0000) GS:ffff888063a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffd0a027408 CR3: 00000000232cc000 CR4: 0000000000350ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 ---------------- Code disassembly (best guess): 0: f3 f3 f3 48 89 54 24 repz repz xrelease mov %rdx,0x18(%rsp) 7: 18 8: 4a 89 04 32 mov %rax,(%rdx,%r14,1) c: e8 75 77 59 fd call 0xfd597786 11: 48 c1 eb 03 shr $0x3,%rbx 15: 48 89 5c 24 08 mov %rbx,0x8(%rsp) 1a: eb 03 jmp 0x1f 1c: 4c 8b 2b mov (%rbx),%r13 1f: 49 8d 5d 28 lea 0x28(%r13),%rbx 23: 48 89 d8 mov %rbx,%rax 26: 48 c1 e8 03 shr $0x3,%rax * 2a: 42 80 3c 30 00 cmpb $0x0,(%rax,%r14,1) <-- trapping instruction 2f: 74 08 je 0x39 31: 48 89 df mov %rbx,%rdi 34: e8 6d 82 bc fd call 0xfdbc82a6 39: 4c 8b 3b mov (%rbx),%r15 3c: 48 rex.W 3d: 8b .byte 0x8b 3e: 44 rex.R 3f: 24 .byte 0x24 Syzkaller reproducer: # {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} write$syz_spec_18446744072532934322_80(0xffffffffffffffff, &(0x7f0000000000)="2b952480c7ca55097d1707935ba64b20f3026c03d658026b81bf264340512b3cb4e01afda2de754299ea7a113343ab7b9bda2fc0a2e2cdbfecbca0233a0772b12ebde5d98a1203cb871672dff7e4c86ec1dccef0a76312fbe8d45dc2bd0f8fc2ebeb2a6be6a300916c5281da2c1ef64d66267091b82429976c019da3645557ed1d439c5a637f6bf58c53bc414539dd87c69098d671402586b631f9ac5c2fe9cedc281a6f005b5c4d1dd5ed9be400", 0xb4) r0 = syz_open_dev$sg(&(0x7f00000000c0), 0x0, 0x181040) ioctl$syz_spec_1724254976_2866(r0, 0x1, &(0x7f0000000080)={0x0, 0x2, [0x85, 0x8, 0x15, 0xd]}) -- Yours sincerely, Xingyu