[<ffffffff804daa72>] pipe_ioctl+0xae/0x1fc fs/pipe.c:631 [<ffffffff804f6ff8>] vfs_ioctl fs/ioctl.c:51 [inline] [<ffffffff804f6ff8>] __do_sys_ioctl fs/ioctl.c:874 [inline] [<ffffffff804f6ff8>] sys_ioctl+0x75c/0x139e fs/ioctl.c:860 [<ffffffff80005716>] ret_from_syscall+0x0/0x2 ================================================================== BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:71 [inline] BUG: KASAN: null-ptr-deref in atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline] BUG: KASAN: null-ptr-deref in page_ref_count include/linux/page_ref.h:67 [inline] BUG: KASAN: null-ptr-deref in put_page_testzero include/linux/mm.h:717 [inline] BUG: KASAN: null-ptr-deref in __free_pages+0x20/0x112 mm/page_alloc.c:5473 Read of size 4 at addr 0000000000000034 by task syz-executor.1/2966 CPU: 1 PID: 2966 Comm: syz-executor.1 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0 Hardware name: riscv-virtio,qemu (DT) Call Trace: [<ffffffff8000a228>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:113 [<ffffffff831668cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:119 [<ffffffff831756ba>] __dump_stack lib/dump_stack.c:88 [inline] [<ffffffff831756ba>] dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:106 [<ffffffff80474da6>] __kasan_report mm/kasan/report.c:446 [inline] [<ffffffff80474da6>] kasan_report+0x1de/0x1e0 mm/kasan/report.c:459 [<ffffffff80475ea2>] check_region_inline mm/kasan/generic.c:173 [inline] [<ffffffff80475ea2>] kasan_check_range+0x2a/0x136 mm/kasan/generic.c:189 [<ffffffff8047656e>] __kasan_check_read+0x14/0x1c mm/kasan/shadow.c:31 [<ffffffff8041465c>] instrument_atomic_read include/linux/instrumented.h:71 [inline] [<ffffffff8041465c>] atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline] [<ffffffff8041465c>] page_ref_count include/linux/page_ref.h:67 [inline] [<ffffffff8041465c>] put_page_testzero include/linux/mm.h:717 [inline] [<ffffffff8041465c>] __free_pages+0x20/0x112 mm/page_alloc.c:5473 [<ffffffff8032b56c>] watch_queue_set_size+0x32c/0x372 kernel/watch_queue.c:276 [<ffffffff804daa72>] pipe_ioctl+0xae/0x1fc fs/pipe.c:631 [<ffffffff804f6ff8>] vfs_ioctl fs/ioctl.c:51 [inline] [<ffffffff804f6ff8>] __do_sys_ioctl fs/ioctl.c:874 [inline] [<ffffffff804f6ff8>] sys_ioctl+0x75c/0x139e fs/ioctl.c:860 [<ffffffff80005716>] ret_from_syscall+0x0/0x2 ================================================================== Unable to handle kernel access to user memory without uaccess routines at virtual address 0000000000000034 Oops [#1] Modules linked in: CPU: 0 PID: 2966 Comm: syz-executor.1 Tainted: G B 5.17.0-rc1-syzkaller-00002-g0966d385830d #0 Hardware name: riscv-virtio,qemu (DT) epc : arch_atomic_read arch/riscv/include/asm/atomic.h:30 [inline] epc : atomic_read include/linux/atomic/atomic-instrumented.h:28 [inline] epc : page_ref_count include/linux/page_ref.h:67 [inline] epc : put_page_testzero include/linux/mm.h:717 [inline] epc : __free_pages+0x26/0x112 mm/page_alloc.c:5473 ra : arch_atomic_read arch/riscv/include/asm/atomic.h:30 [inline] ra : atomic_read include/linux/atomic/atomic-instrumented.h:28 [inline] ra : page_ref_count include/linux/page_ref.h:67 [inline] ra : put_page_testzero include/linux/mm.h:717 [inline] ra : __free_pages+0x26/0x112 mm/page_alloc.c:5473 epc : ffffffff80414662 ra : ffffffff80414662 sp : ffffaf800eb9bb70 gp : ffffffff85863ac0 tp : ffffaf8007520000 t0 : 0000000000000000 t1 : fffff5ef017310ca t2 : 0000000000000008 s0 : ffffaf800eb9bba0 s1 : 0000000000000000 a0 : 0000000000000000 a1 : 0000000000000004 a2 : 0000000000000000 a3 : ffffffff80414662 a4 : ffffffff85892ec8 a5 : 0000000000000001 a6 : ffffaf800b988650 a7 : ffffaf800b988653 s2 : 0000000000000034 s3 : 0000000000000000 s4 : 0000000000000001 s5 : ffffaf8010730400 s6 : 0000000000000000 s7 : ffffaf80083ccb18 s8 : 0000000000000001 s9 : ffffaf800e896e00 s10: 0000000000000cc0 s11: 0000000000000002 t3 : 0000000000000a79 t4 : fffff5ef017310ca t5 : fffff5ef017310cb t6 : 0000000000000002 status: 0000000000000120 badaddr: 0000000000000034 cause: 000000000000000d [<ffffffff8032b56c>] watch_queue_set_size+0x32c/0x372 kernel/watch_queue.c:276 [<ffffffff804daa72>] pipe_ioctl+0xae/0x1fc fs/pipe.c:631 [<ffffffff804f6ff8>] vfs_ioctl fs/ioctl.c:51 [inline] [<ffffffff804f6ff8>] __do_sys_ioctl fs/ioctl.c:874 [inline] [<ffffffff804f6ff8>] sys_ioctl+0x75c/0x139e fs/ioctl.c:860 [<ffffffff80005716>] ret_from_syscall+0x0/0x2 ---[ end trace 0000000000000000 ]---