bisecting cause commit starting from 2646738520338211e74394857e36df7c455a8a91
building syzkaller on 6738e0b30b938a389bceee9f445a27db50399e95
testing commit 2646738520338211e74394857e36df7c455a8a91 with gcc (GCC) 8.1.0
kernel signature: bd92557bce3d4da256f2c342392831c56318ba8e
run #0: crashed: KASAN: null-ptr-deref Write in video_usercopy
run #1: crashed: KASAN: null-ptr-deref Write in video_usercopy
run #2: crashed: KASAN: null-ptr-deref Write in video_usercopy
run #3: crashed: KASAN: null-ptr-deref Write in video_usercopy
run #4: crashed: KASAN: null-ptr-deref Write in video_usercopy
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in video_usercopy
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in video_usercopy
run #7: crashed: KASAN: null-ptr-deref Write in video_usercopy
run #8: crashed: KASAN: null-ptr-deref Write in video_usercopy
run #9: crashed: KASAN: null-ptr-deref Write in video_usercopy
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0
kernel signature: 6450617695d83bbc4ad27aa48a8f44b80c4030f5
all runs: OK
# git bisect start 2646738520338211e74394857e36df7c455a8a91 219d54332a09e8d8741c1e1982f5eae56099de85
Bisecting: 10692 revisions left to test after this (roughly 13 steps)
[937d6eefc716a9071f0e3bada19200de1bb9d048] Merge tag 'docs-5.5a' of git://git.lwn.net/linux
testing commit 937d6eefc716a9071f0e3bada19200de1bb9d048 with gcc (GCC) 8.1.0
kernel signature: 55690b9f5265cd3e05db67927a93cb9c3f50bd0a
all runs: OK
# git bisect good 937d6eefc716a9071f0e3bada19200de1bb9d048
Bisecting: 5345 revisions left to test after this (roughly 12 steps)
[7f289d91dac2503fb4ccfb0130169071c8ee612a] Merge remote-tracking branch 'fsverity/fsverity'
testing commit 7f289d91dac2503fb4ccfb0130169071c8ee612a with gcc (GCC) 8.1.0
kernel signature: c99316fbb8662a857fe552c236da05bc15654683
all runs: OK
# git bisect good 7f289d91dac2503fb4ccfb0130169071c8ee612a
Bisecting: 2418 revisions left to test after this (roughly 11 steps)
[92809edb7f696247363b508bf5a95ea6e0122123] Merge remote-tracking branch 'drm/drm-next'
testing commit 92809edb7f696247363b508bf5a95ea6e0122123 with gcc (GCC) 8.1.0
kernel signature: c6ac28e9ec9ca33b1ccb557dee441e12d4d489b5
run #0: crashed: KASAN: null-ptr-deref Write in video_usercopy
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in video_usercopy
run #2: crashed: KASAN: null-ptr-deref Write in video_usercopy
run #3: crashed: KASAN: null-ptr-deref Write in video_usercopy
run #4: crashed: KASAN: null-ptr-deref Write in video_usercopy
run #5: crashed: KASAN: null-ptr-deref Write in video_usercopy
run #6: crashed: KASAN: null-ptr-deref Write in video_usercopy
run #7: crashed: KASAN: null-ptr-deref Write in video_usercopy
run #8: crashed: KASAN: null-ptr-deref Write in video_usercopy
run #9: crashed: KASAN: null-ptr-deref Write in video_usercopy
# git bisect bad 92809edb7f696247363b508bf5a95ea6e0122123
Bisecting: 1460 revisions left to test after this (roughly 11 steps)
[e741fa867dda5db35c9e1cbbb6a5908a9caf545e] Merge remote-tracking branch 'net-next/master'
testing commit e741fa867dda5db35c9e1cbbb6a5908a9caf545e with gcc (GCC) 8.1.0
kernel signature: c0fc5c6635961f376d7bb0e402810b9e98bf6b33
run #0: crashed: KASAN: null-ptr-deref Write in video_usercopy
run #1: crashed: KASAN: null-ptr-deref Write in video_usercopy
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in video_usercopy
run #3: crashed: KASAN: null-ptr-deref Write in video_usercopy
run #4: crashed: KASAN: null-ptr-deref Write in video_usercopy
run #5: crashed: KASAN: null-ptr-deref Write in video_usercopy
run #6: crashed: KASAN: null-ptr-deref Write in video_usercopy
run #7: crashed: KASAN: null-ptr-deref Write in video_usercopy
run #8: crashed: KASAN: null-ptr-deref Write in video_usercopy
run #9: crashed: KASAN: null-ptr-deref Write in video_usercopy
# git bisect bad e741fa867dda5db35c9e1cbbb6a5908a9caf545e
Bisecting: 732 revisions left to test after this (roughly 10 steps)
[6517798dd3432a0002109809bf74e4fcf9bb0c7d] enetc: Make MDIO accessors more generic and export to include/linux/fsl
testing commit 6517798dd3432a0002109809bf74e4fcf9bb0c7d with gcc (GCC) 8.1.0
kernel signature: 7e74b4a99bc35e3660f50ad452a660d3d075afc0
all runs: OK
# git bisect good 6517798dd3432a0002109809bf74e4fcf9bb0c7d
Bisecting: 337 revisions left to test after this (roughly 9 steps)
[b0a4e4729f73e698598ba286d35a749315bcc7ec] Merge remote-tracking branch 'hid/for-next'
testing commit b0a4e4729f73e698598ba286d35a749315bcc7ec with gcc (GCC) 8.1.0
kernel signature: 436d8dfce3768ff825955ce1a6df78866d3a7708
all runs: OK
# git bisect good b0a4e4729f73e698598ba286d35a749315bcc7ec
Bisecting: 148 revisions left to test after this (roughly 7 steps)
[159b7bdb6fa305ab65298e73a86257cfe21f7f4d] Merge remote-tracking branch 'v4l-dvb/master'
testing commit 159b7bdb6fa305ab65298e73a86257cfe21f7f4d with gcc (GCC) 8.1.0
kernel signature: 6a2a89826afb5fcfdcf711f47aef5d386d9e868f
run #0: crashed: KASAN: null-ptr-deref Write in video_usercopy
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in video_usercopy
run #2: crashed: KASAN: null-ptr-deref Write in video_usercopy
run #3: crashed: KASAN: null-ptr-deref Write in video_usercopy
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in video_usercopy
run #5: crashed: KASAN: null-ptr-deref Write in video_usercopy
run #6: crashed: KASAN: null-ptr-deref Write in video_usercopy
run #7: crashed: KASAN: null-ptr-deref Write in video_usercopy
run #8: crashed: KASAN: null-ptr-deref Write in video_usercopy
run #9: crashed: KASAN: null-ptr-deref Write in video_usercopy
# git bisect bad 159b7bdb6fa305ab65298e73a86257cfe21f7f4d
Bisecting: 94 revisions left to test after this (roughly 7 steps)
[906870770431cbeb64e73da2111a4636d227f1e0] media: pulse8-cec: queue received messages in an array
testing commit 906870770431cbeb64e73da2111a4636d227f1e0 with gcc (GCC) 8.1.0
kernel signature: 2362aff1aa9e0fd503a773f5e75c7a6648f50397
all runs: OK
# git bisect good 906870770431cbeb64e73da2111a4636d227f1e0
Bisecting: 41 revisions left to test after this (roughly 6 steps)
[aabe85397bfca0eac5d7b020dc249ec1bccbf36e] Merge remote-tracking branch 'jc_docs/docs-next'
testing commit aabe85397bfca0eac5d7b020dc249ec1bccbf36e with gcc (GCC) 8.1.0
kernel signature: 0ef4f8a169c02f2ee474f37758537cb95a0df4d0
all runs: OK
# git bisect good aabe85397bfca0eac5d7b020dc249ec1bccbf36e
Bisecting: 20 revisions left to test after this (roughly 4 steps)
[8b9aac1a990b2fa590026b46b4e4ec45ebe8dfea] media: dvb_dummy_fe: Add blank line after declaration
testing commit 8b9aac1a990b2fa590026b46b4e4ec45ebe8dfea with gcc (GCC) 8.1.0
kernel signature: 630f8dd0acdd72229c8d0dc4303285f3c49e1b74
run #0: crashed: KASAN: null-ptr-deref Write in video_usercopy
run #1: crashed: KASAN: null-ptr-deref Write in video_usercopy
run #2: crashed: KASAN: null-ptr-deref Write in video_usercopy
run #3: crashed: KASAN: null-ptr-deref Write in video_usercopy
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in video_usercopy
run #5: crashed: KASAN: null-ptr-deref Write in video_usercopy
run #6: crashed: KASAN: null-ptr-deref Write in video_usercopy
run #7: crashed: KASAN: null-ptr-deref Write in video_usercopy
run #8: crashed: KASAN: null-ptr-deref Write in video_usercopy
run #9: crashed: KASAN: null-ptr-deref Write in video_usercopy
# git bisect bad 8b9aac1a990b2fa590026b46b4e4ec45ebe8dfea
Bisecting: 10 revisions left to test after this (roughly 3 steps)
[c8ef1a6076bfb986052ff8fd8f5eb3b3a3f1048e] media: v4l2-core: split out data copy from video_usercopy
testing commit c8ef1a6076bfb986052ff8fd8f5eb3b3a3f1048e with gcc (GCC) 8.1.0
kernel signature: 28bf1fb5d7bb706af3a3199313f255f54d3aaf1e
run #0: crashed: KASAN: null-ptr-deref Write in video_usercopy
run #1: crashed: KASAN: null-ptr-deref Write in video_usercopy
run #2: crashed: KASAN: null-ptr-deref Write in video_usercopy
run #3: crashed: KASAN: null-ptr-deref Write in video_usercopy
run #4: crashed: KASAN: null-ptr-deref Write in video_usercopy
run #5: crashed: KASAN: null-ptr-deref Write in video_usercopy
run #6: crashed: KASAN: null-ptr-deref Write in video_usercopy
run #7: crashed: KASAN: null-ptr-deref Write in video_usercopy
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in video_usercopy
run #9: crashed: KASAN: null-ptr-deref Write in video_usercopy
# git bisect bad c8ef1a6076bfb986052ff8fd8f5eb3b3a3f1048e
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[095c21d31b7bd04d91d81a4a8c703a9d25c3658a] media: v4l2-ioctl.c: allow multiplanar for touch
testing commit 095c21d31b7bd04d91d81a4a8c703a9d25c3658a with gcc (GCC) 8.1.0
kernel signature: 1cd76d2147ae22d447dc7d62feb708a4c058160b
all runs: OK
# git bisect good 095c21d31b7bd04d91d81a4a8c703a9d25c3658a
Bisecting: 2 revisions left to test after this (roughly 1 step)
[71e37d2e4b3b9b5ab143ee52f9ebb43e01068594] media: documentation: fix video_event description
testing commit 71e37d2e4b3b9b5ab143ee52f9ebb43e01068594 with gcc (GCC) 8.1.0
kernel signature: 44bc21b39a512a2b4a0b343618504e9844b7dba1
all runs: OK
# git bisect good 71e37d2e4b3b9b5ab143ee52f9ebb43e01068594
Bisecting: 0 revisions left to test after this (roughly 1 step)
[4a873f3fa5d6ca52e446d306dd7194dd86a09422] media: v4l2-core: compat: ignore native command codes
testing commit 4a873f3fa5d6ca52e446d306dd7194dd86a09422 with gcc (GCC) 8.1.0
kernel signature: 4472ebbbbaf4f3612796ab66dbde504c2069aaba
all runs: OK
# git bisect good 4a873f3fa5d6ca52e446d306dd7194dd86a09422
c8ef1a6076bfb986052ff8fd8f5eb3b3a3f1048e is the first bad commit
commit c8ef1a6076bfb986052ff8fd8f5eb3b3a3f1048e
Author: Arnd Bergmann
Date:   Mon Dec 16 15:15:02 2019 +0100

    media: v4l2-core: split out data copy from video_usercopy

    The copy-in/out portions of video_usercopy() are about to get more
    complex, so turn them into separate functions as a cleanup first.

    Signed-off-by: Arnd Bergmann
    Signed-off-by: Hans Verkuil
    Signed-off-by: Mauro Carvalho Chehab

 drivers/media/v4l2-core/v4l2-ioctl.c | 108 ++++++++++++++++++++++-------------
 1 file changed, 69 insertions(+), 39 deletions(-)

culprit signature: 28bf1fb5d7bb706af3a3199313f255f54d3aaf1e
parent signature: 4472ebbbbaf4f3612796ab66dbde504c2069aaba
revisions tested: 16, total time: 3h46m26.840012725s (build: 1h40m54.994291834s, test: 2h3m51.903412569s)
first bad commit: c8ef1a6076bfb986052ff8fd8f5eb3b3a3f1048e media: v4l2-core: split out data copy from video_usercopy
cc: ["arnd@arndb.de" "hverkuil-cisco@xs4all.nl" "mchehab+huawei@kernel.org"]
crash: KASAN: null-ptr-deref Write in video_usercopy
==================================================================
BUG: KASAN: null-ptr-deref in memset include/linux/string.h:365 [inline]
BUG: KASAN: null-ptr-deref in video_get_user drivers/media/v4l2-core/v4l2-ioctl.c:3038 [inline]
BUG: KASAN: null-ptr-deref in video_usercopy+0x30f/0xd80 drivers/media/v4l2-core/v4l2-ioctl.c:3117
Write of size 512 at addr 0000000000000000 by task syz-executor.0/8037

CPU: 1 PID: 8037 Comm: syz-executor.0 Not tainted 5.5.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x12d/0x187 lib/dump_stack.c:118
 __kasan_report.cold.11+0x5/0x3a mm/kasan/report.c:510
 kasan_report+0x12/0x20 mm/kasan/common.c:639
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x153/0x1d0 mm/kasan/generic.c:192
 memset+0x23/0x40 mm/kasan/common.c:108
 memset include/linux/string.h:365 [inline]
 video_get_user drivers/media/v4l2-core/v4l2-ioctl.c:3038 [inline]
 video_usercopy+0x30f/0xd80 drivers/media/v4l2-core/v4l2-ioctl.c:3117
 video_ioctl2+0x10/0x12 drivers/media/v4l2-core/v4l2-ioctl.c:3181
 v4l2_ioctl+0x191/0x210 drivers/media/v4l2-core/v4l2-dev.c:360
 vfs_ioctl fs/ioctl.c:47 [inline]
 file_ioctl fs/ioctl.c:545 [inline]
 do_vfs_ioctl+0x196/0x1190 fs/ioctl.c:732
 ksys_ioctl+0x62/0x90 fs/ioctl.c:749
 __do_sys_ioctl fs/ioctl.c:756 [inline]
 __se_sys_ioctl fs/ioctl.c:754 [inline]
 __x64_sys_ioctl+0x6e/0xb0 fs/ioctl.c:754
 do_syscall_64+0xca/0x5f0 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45af49
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f76a7a27c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045af49
RDX: 0000000000000000 RSI: 0000001002008914 RDI: 0000000000000003
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f76a7a286d4
R13: 00000000004c2837 R14: 00000000004d8b30 R15: 00000000ffffffff
==================================================================