bisecting cause commit starting from 7ae77150d94d3b535c7b85e6b3647113095e79bf
building syzkaller on d45a4d69d83f40579e74fb561e1583db1be0e294
testing commit 7ae77150d94d3b535c7b85e6b3647113095e79bf with gcc (GCC) 8.1.0
kernel signature: f8dc62b72e26094555d3aa22da63b7f60d632b69fc9ac99e5a46e2ffddc0e059
all runs: crashed: KASAN: null-ptr-deref Write in media_request_put
testing release v5.7
testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 with gcc (GCC) 8.1.0
kernel signature: 0ebc3c6595730d0aef8fbdf5c8442b8aa2ce42bb9570238c92e9b7d6d2baf7ee
all runs: OK
# git bisect start 7ae77150d94d3b535c7b85e6b3647113095e79bf 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162
Bisecting: 5798 revisions left to test after this (roughly 12 steps)
[2e63f6ce7ed2c4ff83ba30ad9ccad422289a6c63] Merge branch 'uaccess.comedi' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
testing commit 2e63f6ce7ed2c4ff83ba30ad9ccad422289a6c63 with gcc (GCC) 8.1.0
kernel signature: 2bd85a9cb13d718989f80abca6dc7cb70d2952e6ed23c7069a980cdf96019293
all runs: OK
# git bisect good 2e63f6ce7ed2c4ff83ba30ad9ccad422289a6c63
Bisecting: 2918 revisions left to test after this (roughly 12 steps)
[ee01c4d72adffb7d424535adf630f2955748fa8b] Merge branch 'akpm' (patches from Andrew)
testing commit ee01c4d72adffb7d424535adf630f2955748fa8b with gcc (GCC) 8.1.0
kernel signature: cba7110aaac5bde84292eace7362ae1e2e2ebb0c9fab1de737a8e99cf18aa39f
all runs: OK
# git bisect good ee01c4d72adffb7d424535adf630f2955748fa8b
Bisecting: 1490 revisions left to test after this (roughly 11 steps)
[587f17018a2c6c414e41a312b002faaef60cf423] Kconfig: add config option for asm goto w/ outputs
testing commit 587f17018a2c6c414e41a312b002faaef60cf423 with gcc (GCC) 8.1.0
kernel signature: a8c66b2e9cf1da45ff0861fda6bc7b4111ede7673b322280ae1c65489fb6fb69
all runs: crashed: KASAN: null-ptr-deref Write in media_request_put
# git bisect bad 587f17018a2c6c414e41a312b002faaef60cf423
Bisecting: 707 revisions left to test after this (roughly 10 steps)
[86c67ce20d080bdfefafd461d3068cad0a49a66b] Merge tag 'leds-5.8-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/pavel/linux-leds
testing commit 86c67ce20d080bdfefafd461d3068cad0a49a66b with gcc (GCC) 8.1.0
kernel signature: ad9acb61746e25ef7044ca60fd78b4a35aa57b3f5c9d63bf0ee3da894ada17a3
all runs: crashed: KASAN: null-ptr-deref Write in media_request_put
# git bisect bad 86c67ce20d080bdfefafd461d3068cad0a49a66b
Bisecting: 359 revisions left to test after this (roughly 9 steps)
[2c586f18919895f0acb9906dcd8a1790b19464bc] media: imx: csi: Create media links in bound notifier
testing commit 2c586f18919895f0acb9906dcd8a1790b19464bc with gcc (GCC) 8.1.0
kernel signature: be7271a0e02d23f1cca2112c2fa310f7a691c46c7862abe0f1373a45e19df096
all runs: crashed: KASAN: null-ptr-deref Write in media_request_put
# git bisect bad 2c586f18919895f0acb9906dcd8a1790b19464bc
Bisecting: 179 revisions left to test after this (roughly 8 steps)
[f2267d7ed803add8820c7a6537c12a6d8732f570] media: imx: utils: fix and simplify pixel format enumeration
testing commit f2267d7ed803add8820c7a6537c12a6d8732f570 with gcc (GCC) 8.1.0
kernel signature: 5496c5774d97112b85d370bcecb7c485f9f5a815f34c006c645202c11b18d427
all runs: crashed: KASAN: null-ptr-deref Write in media_request_put
# git bisect bad f2267d7ed803add8820c7a6537c12a6d8732f570
Bisecting: 89 revisions left to test after this (roughly 7 steps)
[34b7db6fff8d977398234cd6393c620787989e68] media: staging/intel-ipu3: Remove extra blank lines
testing commit 34b7db6fff8d977398234cd6393c620787989e68 with gcc (GCC) 8.1.0
kernel signature: 11abf9dc02a2f41c2506f7b0c337fa300bc77b7330f8ba369f2a729a0f366666
all runs: OK
# git bisect good 34b7db6fff8d977398234cd6393c620787989e68
Bisecting: 44 revisions left to test after this (roughly 6 steps)
[9393d050c860a8f03f1e04d380653d23c7911c90] Revert "media: Kconfig: move CEC-specific options to cec/Kconfig"
testing commit 9393d050c860a8f03f1e04d380653d23c7911c90 with gcc (GCC) 8.1.0
kernel signature: f6c748f47d8260cfb90a1eb2dc1e775865b935bdc708196647393b8db73bc96b
all runs: OK
# git bisect good 9393d050c860a8f03f1e04d380653d23c7911c90
Bisecting: 22 revisions left to test after this (roughly 5 steps)
[4605a6102a7bebabf3123b29daa94bea88b6a087] media: docs: cleanup bttv-devel.rst file
testing commit 4605a6102a7bebabf3123b29daa94bea88b6a087 with gcc (GCC) 8.1.0
kernel signature: 9f33413353de11864aa8a6e60babd7315e87d86f3706caf051c26eb3b06d8954
all runs: OK
# git bisect good 4605a6102a7bebabf3123b29daa94bea88b6a087
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[e36b68ed273e12a4539b54d24bcdb929d94b68ba] media: mc/Kconfig: remove staging dependency for request API
testing commit e36b68ed273e12a4539b54d24bcdb929d94b68ba with gcc (GCC) 8.1.0
kernel signature: 7eb0d90553885dff94eb0da233246db2a03ebe2e372b389aee583f02cb7e4f1e
all runs: crashed: KASAN: null-ptr-deref Write in media_request_put
# git bisect bad e36b68ed273e12a4539b54d24bcdb929d94b68ba
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[5c57ae64e8bccc693a96b4bbd9b20cc5890aeb69] media: i2c/Kconfig: use sub-menus for I2C support
testing commit 5c57ae64e8bccc693a96b4bbd9b20cc5890aeb69 with gcc (GCC) 8.1.0
kernel signature: 35819cd613aa41d1f4c8bd7d810065afacb993f12a219da5454cd6cb3d28ad64
all runs: OK
# git bisect good 5c57ae64e8bccc693a96b4bbd9b20cc5890aeb69
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[143f8adfd534baf7db9ab662c50d41f74d1c7e21] media: Documentation/media: drop/fix vivi references
testing commit 143f8adfd534baf7db9ab662c50d41f74d1c7e21 with gcc (GCC) 8.1.0
kernel signature: 0eaf1fc9c8d18b8690c0369971e45432ea749435b2e8b78a67c56ba93467f6d3
all runs: crashed: KASAN: null-ptr-deref Write in media_request_put
# git bisect bad 143f8adfd534baf7db9ab662c50d41f74d1c7e21
Bisecting: 0 revisions left to test after this (roughly 1 step)
[016baa59bf9f6c2550480b73f18100285e3a4fd2] media: Kconfig: Don't expose the Request API option
testing commit 016baa59bf9f6c2550480b73f18100285e3a4fd2 with gcc (GCC) 8.1.0
kernel signature: 7ca6a7a13749ec0c230c152331d69ef2537052c6e4e15d2570dcac25f5d58b07
all runs: crashed: KASAN: null-ptr-deref Write in media_request_put
# git bisect bad 016baa59bf9f6c2550480b73f18100285e3a4fd2
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[9cbb04551a85b6b222b0cec9c3d9d1b2a69e55ed] media: radio: don't use a menu just for wl128x driver
testing commit 9cbb04551a85b6b222b0cec9c3d9d1b2a69e55ed with gcc (GCC) 8.1.0
kernel signature: 9b7ce91fad16c94b11718533cc63e6f49b35653b046440c0aaab8dd569c2b809
all runs: OK
# git bisect good 9cbb04551a85b6b222b0cec9c3d9d1b2a69e55ed
016baa59bf9f6c2550480b73f18100285e3a4fd2 is the first bad commit
commit 016baa59bf9f6c2550480b73f18100285e3a4fd2
Author: Ezequiel Garcia <ezequiel@collabora.com>
Date:   Wed Apr 15 00:06:24 2020 +0200

    media: Kconfig: Don't expose the Request API option
    
    The Request API isn't meant to be chosen by users,
    but instead should be selected by drivers that want
    to support it.
    
    Hantro and Cedrus are already selecting the right options,
    so only the test drivers need to be fixed.
    
    Signed-off-by: Ezequiel Garcia <ezequiel@collabora.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>

 drivers/media/mc/Kconfig                   | 6 ++++--
 drivers/media/test_drivers/Kconfig         | 2 ++
 drivers/media/test_drivers/vicodec/Kconfig | 2 ++
 drivers/media/test_drivers/vivid/Kconfig   | 2 ++
 4 files changed, 10 insertions(+), 2 deletions(-)
culprit signature: 7ca6a7a13749ec0c230c152331d69ef2537052c6e4e15d2570dcac25f5d58b07
parent  signature: 9b7ce91fad16c94b11718533cc63e6f49b35653b046440c0aaab8dd569c2b809
revisions tested: 16, total time: 3h44m28.426849093s (build: 1h40m35.598608643s, test: 2h1m11.948685633s)
first bad commit: 016baa59bf9f6c2550480b73f18100285e3a4fd2 media: Kconfig: Don't expose the Request API option
cc: ["ezequiel@collabora.com" "laurent.pinchart@ideasonboard.com" "linux-kernel@vger.kernel.org" "linux-media@vger.kernel.org" "mchehab+huawei@kernel.org" "mchehab@kernel.org" "sakari.ailus@linux.intel.com"]
crash: KASAN: null-ptr-deref Write in media_request_put
==================================================================
BUG: KASAN: null-ptr-deref in atomic_fetch_sub include/asm-generic/atomic-instrumented.h:199 [inline]
BUG: KASAN: null-ptr-deref in refcount_sub_and_test include/linux/refcount.h:266 [inline]
BUG: KASAN: null-ptr-deref in refcount_dec_and_test include/linux/refcount.h:294 [inline]
BUG: KASAN: null-ptr-deref in kref_put include/linux/kref.h:64 [inline]
BUG: KASAN: null-ptr-deref in media_request_put+0x16/0x110 drivers/media/mc/mc-request.c:81
Write of size 4 at addr 0000000000000008 by task syz-executor.5/8473

CPU: 1 PID: 8473 Comm: syz-executor.5 Not tainted 5.7.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x128/0x182 lib/dump_stack.c:118
 __kasan_report.cold.11+0x5/0x4d mm/kasan/report.c:515
 kasan_report+0x32/0x50 mm/kasan/common.c:625
 check_memory_region_inline mm/kasan/generic.c:187 [inline]
 check_memory_region+0x1c1/0x1e0 mm/kasan/generic.c:193
 atomic_fetch_sub include/asm-generic/atomic-instrumented.h:199 [inline]
 refcount_sub_and_test include/linux/refcount.h:266 [inline]
 refcount_dec_and_test include/linux/refcount.h:294 [inline]
 kref_put include/linux/kref.h:64 [inline]
 media_request_put+0x16/0x110 drivers/media/mc/mc-request.c:81
 media_request_close+0x2e/0x50 drivers/media/mc/mc-request.c:89
 __fput+0x2a4/0x7a0 fs/file_table.c:280
 task_work_run+0xc2/0x160 kernel/task_work.c:123
 get_signal+0x16eb/0x1d40 kernel/signal.c:2533
 do_signal+0x81/0x2360 arch/x86/kernel/signal.c:784
 exit_to_usermode_loop+0x10f/0x2d0 arch/x86/entry/common.c:161
 prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:279 [inline]
 do_syscall_64+0x52a/0x620 arch/x86/entry/common.c:305
 entry_SYSCALL_64_after_hwframe+0x49/0xb3
RIP: 0033:0x45ca59
Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f092cbd5c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: fffffffffffffff4 RBX: 00000000004e9360 RCX: 000000000045ca59
RDX: 0000000000000000 RSI: 0000000080047c05 RDI: 0000000000000003
RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004
R13: 0000000000000404 R14: 00000000004c6c0b R15: 00007f092cbd66d4
==================================================================