The s_dio_done_wq was not allocated memory, leading to the null-ptr-deref reported by syzbot in [1]. As shown in [1], we are currently in a soft interrupt context, and we cannot use sb_init_dio_done_wq() to allocate memory for wq because it requires a mutex lock. Added a check to the workqueue; if it is empty, it switches to using a synchronous method to end the dio. [1] KASAN: null-ptr-deref in range [0x00000000000001c0-0x00000000000001c7] CPU: 1 UID: 0 PID: 23 Comm: ksoftirqd/1 Not tainted syzkaller #0 PREEMPT(full) Call Trace: iomap_dio_bio_end_io+0xf4/0x1c0 fs/iomap/direct-io.c:222 blk_update_request+0x57e/0xe60 block/blk-mq.c:1006 blk_mq_end_request+0x3e/0x70 block/blk-mq.c:1168 blk_complete_reqs block/blk-mq.c:1243 [inline] blk_done_softirq+0x10a/0x160 block/blk-mq.c:1248 handle_softirqs+0x27d/0x880 kernel/softirq.c:626 run_ksoftirqd+0x9b/0x100 kernel/softirq.c:1067 smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160 Reported-by: syzbot+a2b9a4ed0d61b1efb3f5@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=a2b9a4ed0d61b1efb3f5 Signed-off-by: Edward Adam Davis --- fs/iomap/direct-io.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fs/iomap/direct-io.c b/fs/iomap/direct-io.c index d4e2e328d893..6b0ef7e0f05b 100644 --- a/fs/iomap/direct-io.c +++ b/fs/iomap/direct-io.c @@ -202,10 +202,14 @@ static void iomap_dio_done(struct iomap_dio *dio) * filesystem metadata changes or guarantee data integrity. */ INIT_WORK(&dio->aio.work, iomap_dio_complete_work); + if (!inode->i_sb->s_dio_done_wq) + goto done; + queue_work(inode->i_sb->s_dio_done_wq, &dio->aio.work); return; } +done: WRITE_ONCE(iocb->private, NULL); iomap_dio_complete_work(&dio->aio.work); } -- 2.43.0
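Review bot: The `if (!inode->i_sb->s_dio_done_wq) goto done;` fallback in iomap_dio_done() papers over the symptom rather than the cause: the comment immediately above the hunk explains that this completion is deferred to a workqueue precisely because it may need to make filesystem metadata changes or guarantee data integrity, and the reported trace shows we reach iomap_dio_bio_end_io() from blk_done_softirq() on ksoftirqd, so running iomap_dio_complete_work() synchronously there does that sleeping-capable work in softirq context instead of avoiding it. The commit message itself says the workqueue is normally allocated by sb_init_dio_done_wq() (which cannot be called here because it takes a mutex), which means a NULL s_dio_done_wq at completion time is a submission-side bug: the dio was submitted on a path that requires deferred completion without the workqueue having been set up. The more robust fix is to ensure sb_init_dio_done_wq() runs in the submission path for every dio that can take this branch, and to keep this check, if at all, as a `WARN_ON_ONCE()` with a comment stating that it should be unreachable, rather than silently changing the completion semantics. If the synchronous fallback is kept, the commit message should also say why it is safe to call iomap_dio_complete_work() from softirq context, since the surrounding comment argues the opposite.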