bisecting fixing commit since 14b58326976de6ef3998eefec1dd7f8b38b97a75
building syzkaller on ff51e5229e0ee846d2fd687cb0dbca13de758c66
testing commit 14b58326976de6ef3998eefec1dd7f8b38b97a75 with gcc (GCC) 8.1.0
kernel signature: 2ec8a2fb61beded6f2c27c61838fa9be52712b4521b63967378770cd9839dcb8
run #0: crashed: KASAN: use-after-free Read in sco_chan_del
run #1: crashed: KASAN: use-after-free Read in sco_chan_del
run #2: crashed: KASAN: use-after-free Read in sco_chan_del
run #3: crashed: KASAN: use-after-free Read in sco_chan_del
run #4: crashed: KASAN: use-after-free Read in sco_chan_del
run #5: crashed: KASAN: use-after-free Read in sco_chan_del
run #6: crashed: KASAN: use-after-free Read in sco_chan_del
run #7: crashed: KASAN: use-after-free Read in sco_chan_del
run #8: crashed: WARNING: ODEBUG bug in bt_link_release
run #9: crashed: WARNING: ODEBUG bug in bt_link_release
testing current HEAD 1752938529c614a8ed4432ecce6ebc95d3b87207
testing commit 1752938529c614a8ed4432ecce6ebc95d3b87207 with gcc (GCC) 8.1.0
kernel signature: 902eb643af2adceccfaa6e86aa3d8cb4de21705c05c4a43f33d3dcad64ecd97e
all runs: OK
# git bisect start 1752938529c614a8ed4432ecce6ebc95d3b87207 14b58326976de6ef3998eefec1dd7f8b38b97a75
Bisecting: 837 revisions left to test after this (roughly 10 steps)
[a4c597c385c474e07c672afa8b4406f10b595539] media: s5p-mfc: Fix a reference count leak
testing commit a4c597c385c474e07c672afa8b4406f10b595539 with gcc (GCC) 8.1.0
kernel signature: b62122e61609ba9c3b057fb8a28ff07297d705811d3e4c5b7e425cb123f45503
run #0: crashed: WARNING: ODEBUG bug in bt_link_release
run #1: crashed: KASAN: use-after-free Read in sco_chan_del
run #2: crashed: WARNING: ODEBUG bug in bt_link_release
run #3: crashed: WARNING: ODEBUG bug in bt_link_release
run #4: crashed: KASAN: use-after-free Read in sco_chan_del
run #5: crashed: KASAN: use-after-free Read in sco_chan_del
run #6: crashed: WARNING: ODEBUG bug in bt_link_release
run #7: crashed: KASAN: use-after-free Read in sco_chan_del
run #8: crashed: WARNING: ODEBUG bug in bt_link_release
run #9: crashed: WARNING: ODEBUG bug in bt_link_release
# git bisect good a4c597c385c474e07c672afa8b4406f10b595539
Bisecting: 418 revisions left to test after this (roughly 9 steps)
[db01cad9efe3c3838a6b3a3f68affd295c4b92d6] powerpc/64s: flush L1D on kernel entry
testing commit db01cad9efe3c3838a6b3a3f68affd295c4b92d6 with gcc (GCC) 8.1.0
kernel signature: 1ca0e96680e1f63f1ded058a0d1df03f9664db85248c1bd77ace3a4f7d385927
run #0: crashed: WARNING: ODEBUG bug in bt_link_release
run #1: crashed: WARNING: ODEBUG bug in bt_link_release
run #2: crashed: WARNING: ODEBUG bug in bt_link_release
run #3: crashed: WARNING: ODEBUG bug in bt_link_release
run #4: crashed: WARNING: ODEBUG bug in bt_link_release
run #5: crashed: KASAN: use-after-free Read in sco_chan_del
run #6: crashed: KASAN: use-after-free Read in sco_chan_del
run #7: crashed: WARNING: ODEBUG bug in bt_link_release
run #8: crashed: WARNING: ODEBUG bug in bt_link_release
run #9: crashed: KASAN: use-after-free Read in sco_chan_del
# git bisect good db01cad9efe3c3838a6b3a3f68affd295c4b92d6
Bisecting: 209 revisions left to test after this (roughly 8 steps)
[2fe986f75f52768280b364f272d0362739025cd4] USB: sisusbvga: Make console support depend on BROKEN
testing commit 2fe986f75f52768280b364f272d0362739025cd4 with gcc (GCC) 8.1.0
kernel signature: 5906623b144852a1ec1cde1875695509ca1b94085a80639de9a42777609e4449
run #0: crashed: WARNING: ODEBUG bug in bt_link_release
run #1: crashed: KASAN: use-after-free Read in sco_chan_del
run #2: crashed: WARNING: ODEBUG bug in bt_link_release
run #3: crashed: WARNING: ODEBUG bug in bt_link_release
run #4: crashed: WARNING: ODEBUG bug in bt_link_release
run #5: crashed: WARNING: ODEBUG bug in bt_link_release
run #6: crashed: WARNING: ODEBUG bug in bt_link_release
run #7: crashed: KASAN: use-after-free Read in sco_chan_del
run #8: crashed: KASAN: use-after-free Read in sco_chan_del
run #9: crashed: KASAN: use-after-free Read in sco_chan_del
# git bisect good 2fe986f75f52768280b364f272d0362739025cd4
Bisecting: 104 revisions left to test after this (roughly 7 steps)
[290a79f8afdd6ded217f3d5981c3c10143c4d551] clocksource/drivers/arm_arch_timer: Correct fault programming of CNTKCTL_EL1.EVNTI
testing commit 290a79f8afdd6ded217f3d5981c3c10143c4d551 with gcc (GCC) 8.1.0
kernel signature: 8f027b651a97f4a4043c7cacbc98fb4d3e038954b2cda3a2c6e03c92e1d2c51a
all runs: OK
# git bisect bad 290a79f8afdd6ded217f3d5981c3c10143c4d551
Bisecting: 52 revisions left to test after this (roughly 6 steps)
[70a7d4e41de6433535040034064703e68ef8bfbb] spi: tegra20-sflash: fix reference leak in tegra_sflash_resume
testing commit 70a7d4e41de6433535040034064703e68ef8bfbb with gcc (GCC) 8.1.0
kernel signature: e73f2a74c97b706a477d8ed49eb48bcb69bd8558003b090cb39bdcd3895f4da8
all runs: OK
# git bisect bad 70a7d4e41de6433535040034064703e68ef8bfbb
Bisecting: 25 revisions left to test after this (roughly 5 steps)
[81ad6b09b27f34d668174fe19715bbc00c4eda82] ARM: dts: exynos: fix USB 3.0 pins supply being turned off on Odroid XU
testing commit 81ad6b09b27f34d668174fe19715bbc00c4eda82 with gcc (GCC) 8.1.0
kernel signature: 3647b2c2d34fc61c2ea4dc9004db38e76eb0bc33d71b2d4818194a87339b00ba
run #0: crashed: WARNING: ODEBUG bug in bt_link_release
run #1: crashed: KASAN: use-after-free Read in sco_chan_del
run #2: crashed: KASAN: use-after-free Read in sco_chan_del
run #3: crashed: WARNING: ODEBUG bug in bt_link_release
run #4: crashed: WARNING: ODEBUG bug in bt_link_release
run #5: crashed: KASAN: use-after-free Read in sco_chan_del
run #6: crashed: KASAN: use-after-free Read in sco_chan_del
run #7: crashed: KASAN: use-after-free Read in sco_chan_del
run #8: crashed: KASAN: use-after-free Read in sco_chan_del
run #9: crashed: WARNING: ODEBUG bug in bt_link_release
# git bisect good 81ad6b09b27f34d668174fe19715bbc00c4eda82
Bisecting: 12 revisions left to test after this (roughly 4 steps)
[1100b71de7e5ebe01a73b7a162666568839b10fa] RDMA/rxe: Compute PSN windows correctly
testing commit 1100b71de7e5ebe01a73b7a162666568839b10fa with gcc (GCC) 8.1.0
kernel signature: d4821ed0af4b8811f1f214c73e5cc57877c2b1c2e0d997b6f5b4a31144b1d204
run #0: crashed: WARNING: ODEBUG bug in bt_link_release
run #1: crashed: KASAN: use-after-free Read in sco_chan_del
run #2: crashed: KASAN: use-after-free Read in sco_chan_del
run #3: crashed: KASAN: use-after-free Read in sco_chan_del
run #4: crashed: KASAN: use-after-free Read in sco_chan_del
run #5: crashed: WARNING: ODEBUG bug in bt_link_release
run #6: crashed: KASAN: use-after-free Read in sco_chan_del
run #7: crashed: WARNING: ODEBUG bug in bt_link_release
run #8: crashed: WARNING: ODEBUG bug in bt_link_release
run #9: crashed: KASAN: use-after-free Read in sco_chan_del
# git bisect good 1100b71de7e5ebe01a73b7a162666568839b10fa
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[2e1efddfd9c40c022d7055b83ada90dadf93f9de] spi: img-spfi: fix reference leak in img_spfi_resume
testing commit 2e1efddfd9c40c022d7055b83ada90dadf93f9de with gcc (GCC) 8.1.0
kernel signature: 4b957c4731f943d8037b4c2da7b78f4b75f05a4044a32b4fc5aef3c2b3ebc283
run #0: crashed: WARNING: ODEBUG bug in bt_link_release
run #1: crashed: KASAN: use-after-free Read in sco_chan_del
run #2: crashed: KASAN: use-after-free Read in sco_chan_del
run #3: crashed: WARNING: ODEBUG bug in bt_link_release
run #4: crashed: WARNING: ODEBUG bug in bt_link_release
run #5: crashed: WARNING: ODEBUG bug in bt_link_release
run #6: crashed: KASAN: use-after-free Read in sco_chan_del
run #7: crashed: WARNING: ODEBUG bug in bt_link_release
run #8: crashed: WARNING: ODEBUG bug in bt_link_release
run #9: crashed: WARNING: ODEBUG bug in bt_link_release
# git bisect good 2e1efddfd9c40c022d7055b83ada90dadf93f9de
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[9054435396d7e99e6ddece2c8481afc5e0f418dd] arm64: dts: exynos: Correct psci compatible used on Exynos7
testing commit 9054435396d7e99e6ddece2c8481afc5e0f418dd with gcc (GCC) 8.1.0
kernel signature: 469184bef58d92a21994926e7c350e1b0c5df400ba70633e60ad67f4157ddcec
run #0: crashed: WARNING: ODEBUG bug in bt_link_release
run #1: crashed: KASAN: use-after-free Read in sco_chan_del
run #2: crashed: WARNING: ODEBUG bug in bt_link_release
run #3: crashed: KASAN: use-after-free Read in sco_chan_del
run #4: crashed: KASAN: use-after-free Read in sco_chan_del
run #5: crashed: WARNING: ODEBUG bug in bt_link_release
run #6: crashed: KASAN: use-after-free Read in sco_chan_del
run #7: crashed: KASAN: use-after-free Read in sco_chan_del
run #8: crashed: WARNING: ODEBUG bug in bt_link_release
run #9: crashed: KASAN: use-after-free Read in sco_chan_del
# git bisect good 9054435396d7e99e6ddece2c8481afc5e0f418dd
Bisecting: 1 revision left to test after this (roughly 1 step)
[1d0d30e1e5e6b846e919418111e9f2a959201179] spi: spi-ti-qspi: fix reference leak in ti_qspi_setup
testing commit 1d0d30e1e5e6b846e919418111e9f2a959201179 with gcc (GCC) 8.1.0
kernel signature: e73f2a74c97b706a477d8ed49eb48bcb69bd8558003b090cb39bdcd3895f4da8
all runs: OK
# git bisect bad 1d0d30e1e5e6b846e919418111e9f2a959201179
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[4113f6f73f6e8d215609bde8c0c14ca9f8a476c5] Bluetooth: Fix null pointer dereference in hci_event_packet()
testing commit 4113f6f73f6e8d215609bde8c0c14ca9f8a476c5 with gcc (GCC) 8.1.0
kernel signature: e73f2a74c97b706a477d8ed49eb48bcb69bd8558003b090cb39bdcd3895f4da8
all runs: OK
# git bisect bad 4113f6f73f6e8d215609bde8c0c14ca9f8a476c5
4113f6f73f6e8d215609bde8c0c14ca9f8a476c5 is the first bad commit
commit 4113f6f73f6e8d215609bde8c0c14ca9f8a476c5
Author: Anmol Karn
Date:   Wed Sep 30 19:48:13 2020 +0530

    Bluetooth: Fix null pointer dereference in hci_event_packet()

    [ Upstream commit 6dfccd13db2ff2b709ef60a50163925d477549aa ]

    AMP_MGR is getting dereferenced in hci_phy_link_complete_evt(), when called
    from hci_event_packet() and there is a possibility, that hcon->amp_mgr may
    not be found when accessing after initialization of hcon.

    - net/bluetooth/hci_event.c:4945

    The bug seems to get triggered in this line:

    bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;

    Fix it by adding a NULL check for the hcon->amp_mgr before checking the ev-status.

    Fixes: d5e911928bd8 ("Bluetooth: AMP: Process Physical Link Complete evt")
    Reported-and-tested-by: syzbot+0bef568258653cff272f@syzkaller.appspotmail.com
    Link: https://syzkaller.appspot.com/bug?extid=0bef568258653cff272f
    Signed-off-by: Anmol Karn
    Signed-off-by: Marcel Holtmann
    Signed-off-by: Sasha Levin

 net/bluetooth/hci_event.c | 5 +++++
 1 file changed, 5 insertions(+)

culprit signature: e73f2a74c97b706a477d8ed49eb48bcb69bd8558003b090cb39bdcd3895f4da8
parent signature: 469184bef58d92a21994926e7c350e1b0c5df400ba70633e60ad67f4157ddcec
revisions tested: 13, total time: 3h18m16.151228374s (build: 1h52m1.87378894s, test: 1h24m53.240177599s)
first good commit: 4113f6f73f6e8d215609bde8c0c14ca9f8a476c5 Bluetooth: Fix null pointer dereference in hci_event_packet()
recipients (to): ["anmol.karan123@gmail.com" "marcel@holtmann.org" "sashal@kernel.org" "syzbot+0bef568258653cff272f@syzkaller.appspotmail.com"]
recipients (cc): []