| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <69ae835b-89b2-44bf-b51c-c365d89dbb45@kernel.dk> Date: Mon, 12 May 2025 08:19:47 -0600 From: Jens Axboe <axboe@...nel.dk> To: Pavel Begunkov <asml.silence@...il.com>, syzbot <syzbot+6456a99dfdc2e78c4feb@...kaller.appspotmail.com>, io-uring@...r.kernel.org, linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com Subject: Re: [syzbot] [io-uring?] BUG: unable to handle kernel NULL pointer dereference in io_buffer_select On 5/12/25 8:19 AM, Pavel Begunkov wrote: > On 5/12/25 14:56, Jens Axboe wrote: >> On 5/11/25 6:22 AM, Pavel Begunkov wrote: >>> On 5/11/25 01:19, syzbot wrote: > ...>> this line: >>> >>> tail = smp_load_acquire(&br->tail); >>> >>> The offset of the tail field is 0xe so bl->buf_ring should be 0. That's >>> while it has IOBL_BUF_RING flag set. Same goes for the other report. Also, >>> since it's off io_buffer_select(), which looks up the list every time we >>> can exclude the req having a dangling pointer. >> >> It's funky for sure, the other one is regular classic provided buffers. >> Interestingly, both reports are for arm32... > > The other is ring pbuf as well True yes, both are pbuf. I can't hit any of this on arm64 or x86-64, fwiw. Which is why I thought the arm32 connection might be interesting. Not that the arch should matter at all here, but... -- Jens Axboe
Powered by blists - more mailing lists