The function iter_file_splice_write() calls pipe_buf_release() which has a nullptr dereference in ops->release. Add check for buf->ops not null before calling pipe_buf_release(). Signed-off-by: Daniel Yang <danielyangkang@xxxxxxxxx> Reported-by: syzbot+d2125fcb6aa8c4276fd2@xxxxxxxxxxxxxxxxxxxxxxxxx Closes: https://syzkaller.appspot.com/bug?extid=d2125fcb6aa8c4276fd2 Fixes: 2df86547b23d ("netfs: Cut over to using new writeback code") --- fs/splice.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/splice.c b/fs/splice.c index 06232d7e5..b8c503e47 100644 --- a/fs/splice.c +++ b/fs/splice.c @@ -756,7 +756,8 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out, if (ret >= buf->len) { ret -= buf->len; buf->len = 0; - pipe_buf_release(pipe, buf); + if (buf->ops) + pipe_buf_release(pipe, buf); tail++; pipe->tail = tail; if (pipe->files) -- 2.39.2
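Review bot: the `if (buf->ops)` guard added before `pipe_buf_release(pipe, buf)` in this hunk papers over an invariant violation rather than fixing it. `pipe_buf_release()` itself clears `buf->ops` to NULL before calling `ops->release()`, so a buffer between `pipe->tail` and `pipe->head` with a NULL `ops` has either already been released or was never fully populated; skipping the release here leaves that buffer (and any page it still references) unaccounted for, and the Fixes: tag points at netfs writeback code that this change to fs/splice.c does not touch. Suggest finding why that code leaves such a buffer in the pipe, and if a defensive check is kept in the meantime, make the condition visible rather than silent, e.g. `if (WARN_ON_ONCE(!buf->ops))` with a comment explaining the state, so the bug is reported instead of masked. The commit message should also say that the NULL dereference is of `buf->ops` inside `pipe_buf_release()`, not of `ops->release`.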