bisecting cause commit starting from 82ad862115c25dcd6d3b1e25f99d24408ddf6851
building syzkaller on 426631ddb41a12ad156d0254fea375a9dfa607fc
testing commit 82ad862115c25dcd6d3b1e25f99d24408ddf6851 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in llcp_sock_getname
run #2: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #3: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #4: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in llcp_sock_getname
run #6: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #7: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #8: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #9: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
testing release v5.3
testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0
all runs: OK
# git bisect start 82ad862115c25dcd6d3b1e25f99d24408ddf6851 v5.3
Bisecting: 6232 revisions left to test after this (roughly 13 steps)
[81160dda9a7aad13c04e78bb2cfd3c4630e3afab] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
testing commit 81160dda9a7aad13c04e78bb2cfd3c4630e3afab with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 81160dda9a7aad13c04e78bb2cfd3c4630e3afab
Bisecting: 3055 revisions left to test after this (roughly 12 steps)
[45824fc0da6e46cc5d563105e1eaaf3098a686f9] Merge tag 'powerpc-5.4-1' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux
testing commit 45824fc0da6e46cc5d563105e1eaaf3098a686f9 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 45824fc0da6e46cc5d563105e1eaaf3098a686f9
Bisecting: 1527 revisions left to test after this (roughly 11 steps)
[4b526de50e39b38cd828396267379183c7c21354] KVM: x86: Check kvm_rebooting in kvm_spurious_fault()
testing commit 4b526de50e39b38cd828396267379183c7c21354 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 4b526de50e39b38cd828396267379183c7c21354
Bisecting: 757 revisions left to test after this (roughly 10 steps)
[d0e00bc5ada53bda296ce8bfffc2f2be9eb22632] Merge branch 'for-5.4' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux
testing commit d0e00bc5ada53bda296ce8bfffc2f2be9eb22632 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good d0e00bc5ada53bda296ce8bfffc2f2be9eb22632
Bisecting: 378 revisions left to test after this (roughly 9 steps)
[8353da9fa69722b54cba82b2ec740afd3d438748] hso: fix NULL-deref on tty open
testing commit 8353da9fa69722b54cba82b2ec740afd3d438748 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 8353da9fa69722b54cba82b2ec740afd3d438748
Bisecting: 192 revisions left to test after this (roughly 8 steps)
[50dfd03d9579cde9150679e90f8f244c626b7a09] Merge tag 'for-linus-5.4-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip
testing commit 50dfd03d9579cde9150679e90f8f244c626b7a09 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 50dfd03d9579cde9150679e90f8f244c626b7a09
Bisecting: 89 revisions left to test after this (roughly 7 steps)
[9819a30c11ea439e5e3c81f5539c4d42d6c76314] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit 9819a30c11ea439e5e3c81f5539c4d42d6c76314 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #1: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #2: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #3: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in llcp_sock_getname
run #5: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #6: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #7: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #8: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in llcp_sock_getname
# git bisect bad 9819a30c11ea439e5e3c81f5539c4d42d6c76314
Bisecting: 55 revisions left to test after this (roughly 6 steps)
[4ea655343ce4180fe9b2c7ec8cb8ef9884a47901] Merge tag 'mips_fixes_5.4_1' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux
testing commit 4ea655343ce4180fe9b2c7ec8cb8ef9884a47901 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 4ea655343ce4180fe9b2c7ec8cb8ef9884a47901
Bisecting: 27 revisions left to test after this (roughly 5 steps)
[a54cdeeb04fc719e4c7f19d6e28dba7ea86cee5b] r8152: Set macpassthru in reset_resume callback
testing commit a54cdeeb04fc719e4c7f19d6e28dba7ea86cee5b with gcc (GCC) 8.1.0
all runs: OK
# git bisect good a54cdeeb04fc719e4c7f19d6e28dba7ea86cee5b
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[d0dea733f60efe94257d08ae6eba81d0b511d0a9] KVM: s390: mark __insn32_query() as __always_inline
testing commit d0dea733f60efe94257d08ae6eba81d0b511d0a9 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good d0dea733f60efe94257d08ae6eba81d0b511d0a9
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[06d5f3441b2e80eeb6deb0885aefa00589e463c1] net: phy: at803x: use operating parameters from PHY-specific status
testing commit 06d5f3441b2e80eeb6deb0885aefa00589e463c1 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 06d5f3441b2e80eeb6deb0885aefa00589e463c1
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[a0c2dc1fe63e2869b74c1c7f6a81d1745c8a695d] nfc: fix memory leak in llcp_sock_bind()
testing commit a0c2dc1fe63e2869b74c1c7f6a81d1745c8a695d with gcc (GCC) 8.1.0
run #0: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #1: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #2: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #3: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #4: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in llcp_sock_getname
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in llcp_sock_getname
run #7: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #8: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #9: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
# git bisect bad a0c2dc1fe63e2869b74c1c7f6a81d1745c8a695d
Bisecting: 0 revisions left to test after this (roughly 1 step)
[474f0813a3002cb299bb73a5a93aa1f537a80ca8] sch_dsmark: fix potential NULL deref in dsmark_init()
testing commit 474f0813a3002cb299bb73a5a93aa1f537a80ca8 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 474f0813a3002cb299bb73a5a93aa1f537a80ca8
a0c2dc1fe63e2869b74c1c7f6a81d1745c8a695d is the first bad commit
commit a0c2dc1fe63e2869b74c1c7f6a81d1745c8a695d
Author: Eric Dumazet
Date:   Fri Oct 4 11:08:34 2019 -0700

    nfc: fix memory leak in llcp_sock_bind()

    sysbot reported a memory leak after a bind() has failed.

    While we are at it, abort the operation if kmemdup() has failed.

    BUG: memory leak
    unreferenced object 0xffff888105d83ec0 (size 32):
      comm "syz-executor067", pid 7207, jiffies 4294956228 (age 19.430s)
      hex dump (first 32 bytes):
        00 69 6c 65 20 72 65 61 64 00 6e 65 74 3a 5b 34  .ile read.net:[4
        30 32 36 35 33 33 30 39 37 5d 00 00 00 00 00 00  026533097]......
      backtrace:
        [<0000000036bac473>] kmemleak_alloc_recursive /./include/linux/kmemleak.h:43 [inline]
        [<0000000036bac473>] slab_post_alloc_hook /mm/slab.h:522 [inline]
        [<0000000036bac473>] slab_alloc /mm/slab.c:3319 [inline]
        [<0000000036bac473>] __do_kmalloc /mm/slab.c:3653 [inline]
        [<0000000036bac473>] __kmalloc_track_caller+0x169/0x2d0 /mm/slab.c:3670
        [<000000000cd39d07>] kmemdup+0x27/0x60 /mm/util.c:120
        [<000000008e57e5fc>] kmemdup /./include/linux/string.h:432 [inline]
        [<000000008e57e5fc>] llcp_sock_bind+0x1b3/0x230 /net/nfc/llcp_sock.c:107
        [<000000009cb0b5d3>] __sys_bind+0x11c/0x140 /net/socket.c:1647
        [<00000000492c3bbc>] __do_sys_bind /net/socket.c:1658 [inline]
        [<00000000492c3bbc>] __se_sys_bind /net/socket.c:1656 [inline]
        [<00000000492c3bbc>] __x64_sys_bind+0x1e/0x30 /net/socket.c:1656
        [<0000000008704b2a>] do_syscall_64+0x76/0x1a0 /arch/x86/entry/common.c:296
        [<000000009f4c57a4>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

    Fixes: 30cc4587659e ("NFC: Move LLCP code to the NFC top level diirectory")
    Signed-off-by: Eric Dumazet
    Reported-by: syzbot
    Signed-off-by: David S. Miller

:040000 040000 37f55ef613d111ba3b2a300e9844a40d35e559f4 97c71de92907744ef3f3d2c2bd486a3a3957bc7f M	net

revisions tested: 15, total time: 3h56m7.539491563s (build: 1h27m52.549799516s, test: 2h23m20.432611704s)
first bad commit: a0c2dc1fe63e2869b74c1c7f6a81d1745c8a695d nfc: fix memory leak in llcp_sock_bind()
cc: ["allison@lohutok.net" "davem@davemloft.net" "edumazet@google.com" "kgraul@linux.ibm.com" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org" "opensource@jilayne.com" "pakki001@umn.edu" "tglx@linutronix.de"]
crash: KASAN: null-ptr-deref Read in llcp_sock_getname
==================================================================
BUG: KASAN: null-ptr-deref in memcpy include/linux/string.h:359 [inline]
BUG: KASAN: null-ptr-deref in llcp_sock_getname+0x341/0x440 net/nfc/llcp_sock.c:519
Read of size 63 at addr 0000000000000000 by task syz-executor.5/7865

CPU: 1 PID: 7865 Comm: syz-executor.5 Not tainted 5.3.0+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x113/0x167 lib/dump_stack.c:113
 __kasan_report.cold.11+0x5/0x3a mm/kasan/report.c:510
 kasan_report+0x12/0x20 mm/kasan/common.c:634
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x153/0x1d0 mm/kasan/generic.c:192
 memcpy+0x23/0x50 mm/kasan/common.c:122
 memcpy include/linux/string.h:359 [inline]
 llcp_sock_getname+0x341/0x440 net/nfc/llcp_sock.c:519
 sock_getsockopt+0xb8f/0x1952 net/core/sock.c:1392
 __sys_getsockopt+0x254/0x2e0 net/socket.c:2125
 __do_sys_getsockopt net/socket.c:2144 [inline]
 __se_sys_getsockopt net/socket.c:2141 [inline]
 __x64_sys_getsockopt+0xb9/0x150 net/socket.c:2141
 do_syscall_64+0xca/0x5d0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x459a59
Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f69ebe70c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000459a59
RDX: 000000000000001c RSI: 0000000000000001 RDI: 0000000000000004
RBP: 000000000075bf20 R08: 0000000020000140 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f69ebe716d4
R13: 00000000004c0da3 R14: 00000000004d41a0 R15: 00000000ffffffff
==================================================================