Hi,

We found a bug in Linux 6.10 using syzkaller. It is possibly a null pointer dereference bug.

The reproducer is https://gist.github.com/freexxxyyy/6f85bd6f69381fa00d04745376261c75

The bug report is:

Syzkaller hit 'general protection fault in blk_mq_put_tag' bug.

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 8453 Comm: kworker/0:5 Not tainted 6.10.0 #13
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: events_freezable_pwr_efficient disk_events_workfn
RIP: 0010:blk_mq_tag_is_reserved block/blk-mq.h:214 [inline]
RIP: 0010:blk_mq_put_tag+0x2b/0x130 block/blk-mq-tag.c:228
Code: 41 57 41 56 41 54 53 41 89 d7 49 89 f6 48 89 fb 49 bc 00 00 00 00 00 fc ff df e8 70 de 54 fd 48 8d 6b 04 48 89 e8 48 c1 e8 03 <42> 8a 04 20 84 c0 0f 85 9a 00 00 00 8b 6d 00 89 ef 44 89 fe e8 ec
RSP: 0018:ffffc9000b0cf6b0 EFLAGS: 00010247
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff888018601e00
RDX: 0000000000000000 RSI: ffffe8ffffc0e9c0 RDI: 0000000000000000
RBP: 0000000000000004 R08: ffffffff843a3f0b R09: 1ffff11003a14613
R10: dffffc0000000000 R11: ffffffff8133c740 R12: dffffc0000000000
R13: ffff88801d195000 R14: ffffe8ffffc0e9c0 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff888063a00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555587d9e7a8 CR3: 000000000d932000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __blk_mq_free_request+0x311/0x440 block/blk-mq.c:720
 scsi_execute_cmd+0xf07/0x1090 drivers/scsi/scsi_lib.c:351
 sr_get_events drivers/scsi/sr.c:177 [inline]
 sr_check_events+0x220/0xd30 drivers/scsi/sr.c:218
 cdrom_update_events drivers/cdrom/cdrom.c:1468 [inline]
 cdrom_check_events+0x66/0x100 drivers/cdrom/cdrom.c:1478
 disk_check_events+0x10f/0x5e0 block/disk-events.c:193
 process_one_work kernel/workqueue.c:3248 [inline]
 process_scheduled_works+0x977/0x1410 kernel/workqueue.c:3329
 worker_thread+0xaa0/0x1020 kernel/workqueue.c:3409
 kthread+0x2eb/0x380 kernel/kthread.c:389
 ret_from_fork+0x49/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:blk_mq_tag_is_reserved block/blk-mq.h:214 [inline]
RIP: 0010:blk_mq_put_tag+0x2b/0x130 block/blk-mq-tag.c:228
Code: 41 57 41 56 41 54 53 41 89 d7 49 89 f6 48 89 fb 49 bc 00 00 00 00 00 fc ff df e8 70 de 54 fd 48 8d 6b 04 48 89 e8 48 c1 e8 03 <42> 8a 04 20 84 c0 0f 85 9a 00 00 00 8b 6d 00 89 ef 44 89 fe e8 ec
RSP: 0018:ffffc9000b0cf6b0 EFLAGS: 00010247
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff888018601e00
RDX: 0000000000000000 RSI: ffffe8ffffc0e9c0 RDI: 0000000000000000
RBP: 0000000000000004 R08: ffffffff843a3f0b R09: 1ffff11003a14613
R10: dffffc0000000000 R11: ffffffff8133c740 R12: dffffc0000000000
R13: ffff88801d195000 R14: ffffe8ffffc0e9c0 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff888063a00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd730046078 CR3: 000000001921e000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:   41 57                   push   %r15
   2:   41 56                   push   %r14
   4:   41 54                   push   %r12
   6:   53                      push   %rbx
   7:   41 89 d7                mov    %edx,%r15d
   a:   49 89 f6                mov    %rsi,%r14
   d:   48 89 fb                mov    %rdi,%rbx
  10:   49 bc 00 00 00 00 00    movabs $0xdffffc0000000000,%r12
  17:   fc ff df
  1a:   e8 70 de 54 fd          call   0xfd54de8f
  1f:   48 8d 6b 04             lea    0x4(%rbx),%rbp
  23:   48 89 e8                mov    %rbp,%rax
  26:   48 c1 e8 03             shr    $0x3,%rax
* 2a:   42 8a 04 20             mov    (%rax,%r12,1),%al <-- trapping instruction
  2e:   84 c0                   test   %al,%al
  30:   0f 85 9a 00 00 00       jne    0xd0
  36:   8b 6d 00                mov    0x0(%rbp),%ebp
  39:   89 ef                   mov    %ebp,%edi
  3b:   44 89 fe                mov    %r15d,%esi
  3e:   e8                      .byte 0xe8
  3f:   ec                      in     (%dx),%al

--
Yours sincerely,
Xingyu