bisecting cause commit starting from d89091a4930ee0d80bee3e259a98513f3a2543ec building syzkaller on 53430d97195bc8dc0221eaa2ea913237d82e199d testing commit d89091a4930ee0d80bee3e259a98513f3a2543ec with gcc (GCC) 8.1.0 kernel signature: f77d0a1a710d4c5ebeeb532f0ddd2495b679bfa4 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in cfg80211_wext_siwfrag testing release v5.4 testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0 kernel signature: 7cf37c6559ad63cb459090cbbed29ff29699d6c6 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in cfg80211_wext_siwfrag testing release v5.3 testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0 kernel signature: bf1260f564cf87e5f1c0dea5f80e61b456f041ce all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in cfg80211_wext_siwfrag testing release v5.2 testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0 kernel signature: 1aa22288708992ef6dbf4b1da5a218b6c62112a0 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in cfg80211_wext_siwfrag testing release v5.1 testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0 kernel signature: f24f68fd310bc8b77d8103127c414222acf2e64e all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in cfg80211_wext_siwfrag testing release v5.0 testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0 kernel signature: 60a142a30da0dfa8988170dac28820fc71b5dae0 run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in ioctl_standard_call run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in ioctl_standard_call run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in ioctl_standard_call run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in ioctl_standard_call run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in ioctl_standard_call run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in ioctl_standard_call run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in corrupted run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in ioctl_standard_call run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in ioctl_standard_call run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in ioctl_standard_call testing release v4.20 testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0 kernel signature: fda585765028adb0450d51cad86200a5e077944e all runs: OK # git bisect start 1c163f4c7b3f621efff9b28a47abb36f7378d783 8fe28cb58bcb235034b64cbbb7550a8a43fd88be Bisecting: 7011 revisions left to test after this (roughly 13 steps) [af7ddd8a627c62a835524b3f5b471edbbbcce025] Merge tag 'dma-mapping-4.21' of git://git.infradead.org/users/hch/dma-mapping testing commit af7ddd8a627c62a835524b3f5b471edbbbcce025 with gcc (GCC) 8.1.0 kernel signature: 0098ef31e21b1c067592dcf9a987ad85a3441cda all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in ioctl_standard_call # git bisect bad af7ddd8a627c62a835524b3f5b471edbbbcce025 Bisecting: 3448 revisions left to test after this (roughly 12 steps) [792bf4d871dea8b69be2aaabdd320d7c6ed15985] Merge branch 'core-rcu-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip testing commit 792bf4d871dea8b69be2aaabdd320d7c6ed15985 with gcc (GCC) 8.1.0 kernel signature: abaeb339d7b26ce71689ecdc4f5c5018b25f2643 all runs: OK # git bisect good 792bf4d871dea8b69be2aaabdd320d7c6ed15985 Bisecting: 1729 revisions left to test after this (roughly 11 steps) [aa9d6e0f33aea8a1879e7e53fe0e436943f9ce0c] linux/netlink.h: drop unnecessary extern prefix testing commit aa9d6e0f33aea8a1879e7e53fe0e436943f9ce0c with gcc (GCC) 8.1.0 kernel signature: 3c4198f3ae0b46a08c78f07170fe74e0769ff68e run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in ioctl_standard_call run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in ioctl_standard_call run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in ioctl_standard_call run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in ioctl_standard_call run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in ioctl_standard_call run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in ioctl_standard_call run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in ioctl_standard_call run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in ioctl_standard_call run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in ioctl_standard_call run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in corrupted # git bisect bad aa9d6e0f33aea8a1879e7e53fe0e436943f9ce0c Bisecting: 858 revisions left to test after this (roughly 10 steps) [2a95471c3397734ba6869ca3fa084490fb35b40b] Merge branch 'prog_test_run-improvement' testing commit 2a95471c3397734ba6869ca3fa084490fb35b40b with gcc (GCC) 8.1.0 kernel signature: f310cff0d7d62cbd2c03a63e14d85c807b962223 all runs: OK # git bisect good 2a95471c3397734ba6869ca3fa084490fb35b40b Bisecting: 412 revisions left to test after this (roughly 9 steps) [addb0679839a1f74da6ec742137558be244dd0e9] Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next testing commit addb0679839a1f74da6ec742137558be244dd0e9 with gcc (GCC) 8.1.0 kernel signature: 0bbd06d8304467af3b7f20f2b7237bdeedf87643 all runs: OK # git bisect good addb0679839a1f74da6ec742137558be244dd0e9 Bisecting: 206 revisions left to test after this (roughly 8 steps) [2429f13870d3d2abbe200807d0462272e16ec830] net: fec: remove workaround to restart phylib state machine on MDIO timeout testing commit 2429f13870d3d2abbe200807d0462272e16ec830 with gcc (GCC) 8.1.0 kernel signature: f9294c1b02206a716ed7c0fdb604b00fb5eb7e8b all runs: OK # git bisect good 2429f13870d3d2abbe200807d0462272e16ec830 Bisecting: 103 revisions left to test after this (roughly 7 steps) [56d1ac3260dadfc66c81ef2689bd1a09b05731a2] drivers: net: netdevsim: use skb_sec_path helper testing commit 56d1ac3260dadfc66c81ef2689bd1a09b05731a2 with gcc (GCC) 8.1.0 kernel signature: 515d6c774f149a9cf8eb837ffe23678127210327 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in ioctl_standard_call # git bisect bad 56d1ac3260dadfc66c81ef2689bd1a09b05731a2 Bisecting: 58 revisions left to test after this (roughly 6 steps) [d359bbce0601c6a19203a4b813a7e3910fcba282] mac80211: Properly access radiotap vendor data testing commit d359bbce0601c6a19203a4b813a7e3910fcba282 with gcc (GCC) 8.1.0 kernel signature: 69d7e23b792b2f94bcc013a80c7e087c900987f3 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in ioctl_standard_call # git bisect bad d359bbce0601c6a19203a4b813a7e3910fcba282 Bisecting: 21 revisions left to test after this (roughly 5 steps) [c8d10cbda12f14c312dcf7c5a1748625f2c308c1] mac80211: rewrite Kconfig text for mesh testing commit c8d10cbda12f14c312dcf7c5a1748625f2c308c1 with gcc (GCC) 8.1.0 kernel signature: dfd500cceb40f1d121407ee8791900bbf8d1ca8e all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in ioctl_standard_call # git bisect bad c8d10cbda12f14c312dcf7c5a1748625f2c308c1 Bisecting: 10 revisions left to test after this (roughly 4 steps) [2f98abb17dd57b9c3ebdf6741ae2726ed360d902] mac80211_hwsim: move HWSIM_ATTR_RADIO_NAME parsing last testing commit 2f98abb17dd57b9c3ebdf6741ae2726ed360d902 with gcc (GCC) 8.1.0 kernel signature: d5dffd36a9ecb88666d3ac4e84c46b12d9fa8a2b all runs: OK # git bisect good 2f98abb17dd57b9c3ebdf6741ae2726ed360d902 Bisecting: 5 revisions left to test after this (roughly 3 steps) [dbdaee7aa6e61f56aac61b71a7807e76f92cc895] {nl,mac}80211: report gate connectivity in station info testing commit dbdaee7aa6e61f56aac61b71a7807e76f92cc895 with gcc (GCC) 8.1.0 kernel signature: 3e15c9dbad0874c2c2933348ed107e50c989cfa0 all runs: boot failed: WARNING in wiphy_register # git bisect skip dbdaee7aa6e61f56aac61b71a7807e76f92cc895 Bisecting: 4 revisions left to test after this (roughly 3 steps) [01d66fbd5b18ac9f01a6a2ae1278189d19208ad5] {nl,mac}80211: add dot11MeshConnectedToMeshGate to meshconf testing commit 01d66fbd5b18ac9f01a6a2ae1278189d19208ad5 with gcc (GCC) 8.1.0 kernel signature: 32af7a3149c0f172254503774973a8752b9f011f all runs: boot failed: WARNING in wiphy_register # git bisect skip 01d66fbd5b18ac9f01a6a2ae1278189d19208ad5 Bisecting: 4 revisions left to test after this (roughly 3 steps) [e9da68ddea6030b214dfe420564d48bb579f58fc] mac80211: allow hardware scan to fall back to software testing commit e9da68ddea6030b214dfe420564d48bb579f58fc with gcc (GCC) 8.1.0 kernel signature: 25454f890438ed5d0f876f6a3dec08c981fa9e0f all runs: boot failed: WARNING in wiphy_register # git bisect skip e9da68ddea6030b214dfe420564d48bb579f58fc Bisecting: 4 revisions left to test after this (roughly 3 steps) [4a6ecd35f95b0e29b3470ca16772a1cc89607c97] mac80211: mesh: advertise gates in mesh formation testing commit 4a6ecd35f95b0e29b3470ca16772a1cc89607c97 with gcc (GCC) 8.1.0 kernel signature: d61d736ed2c5be50f950d0d727fd779c5848eb25 all runs: boot failed: WARNING in wiphy_register # git bisect skip 4a6ecd35f95b0e29b3470ca16772a1cc89607c97 Bisecting: 4 revisions left to test after this (roughly 3 steps) [cc1068eb6ad21a6cf54aa5f9ae25bf50fd5c9d4b] uapi/nl80211: fix spelling errors testing commit cc1068eb6ad21a6cf54aa5f9ae25bf50fd5c9d4b with gcc (GCC) 8.1.0 kernel signature: b8a2e7194082cd247d640f4766bc2ed3a3788021 all runs: OK # git bisect good cc1068eb6ad21a6cf54aa5f9ae25bf50fd5c9d4b Bisecting: 0 revisions left to test after this (roughly 0 steps) [c7cdba31ed8b87526db978976392802d3f93110c] mac80211-next: rtnetlink wifi simulation device testing commit c7cdba31ed8b87526db978976392802d3f93110c with gcc (GCC) 8.1.0 kernel signature: e6eee1bf81b5cb9ca48f444518c4cd6b433e71bc all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in ioctl_standard_call # git bisect bad c7cdba31ed8b87526db978976392802d3f93110c c7cdba31ed8b87526db978976392802d3f93110c is the first bad commit commit c7cdba31ed8b87526db978976392802d3f93110c Author: Cody Schuffelen Date: Tue Nov 20 19:14:49 2018 -0800 mac80211-next: rtnetlink wifi simulation device This device takes over an existing network device and produces a new one that appears like a wireless connection, returning enough canned responses to nl80211 to satisfy a standard connection manager. If necessary, it can also be set up one step removed from an existing network device, such as through a vlan/80211Q or macvlan connection to not disrupt the existing network interface. To use it to wrap a bare ethernet connection: ip link add link eth0 name wlan0 type virt_wifi You may have to rename or otherwise hide the eth0 from your connection manager, as the original network link will become unusuable and only the wireless wrapper will be functional. This can also be combined with vlan or macvlan links on top of eth0 to share the network between distinct links, but that requires support outside the machine for accepting vlan-tagged packets or packets from multiple MAC addresses. This is being used for Google's Remote Android Virtual Device project, which runs Android devices in virtual machines. The standard network interfaces provided inside the virtual machines are all ethernet. However, Android is not interested in ethernet devices and would rather connect to a wireless interface. This patch allows the virtual machine guest to treat one of its network connections as wireless rather than ethernet, satisfying Android's network connection requirements. We believe this is a generally useful driver for simulating wireless network connections in other environments where a wireless connection is desired by some userspace process but is not available. This is distinct from other testing efforts such as mac80211_hwsim by being a cfg80211 device instead of mac80211 device, allowing straight pass-through on the data plane instead of forcing packaging of ethernet data into mac80211 frames. Signed-off-by: A. Cody Schuffelen Acked-by: Alistair Strachan Acked-by: Greg Hartman Acked-by: Tristan Muntsinger [make it a tristate] Signed-off-by: Johannes Berg drivers/net/wireless/Kconfig | 7 + drivers/net/wireless/Makefile | 2 + drivers/net/wireless/virt_wifi.c | 632 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 641 insertions(+) create mode 100644 drivers/net/wireless/virt_wifi.c culprit signature: e6eee1bf81b5cb9ca48f444518c4cd6b433e71bc parent signature: b8a2e7194082cd247d640f4766bc2ed3a3788021 revisions tested: 23, total time: 4h50m21.584178442s (build: 2h10m36.607136548s, test: 2h38m16.567555201s) first bad commit: c7cdba31ed8b87526db978976392802d3f93110c mac80211-next: rtnetlink wifi simulation device cc: ["astrachan@google.com" "ghartman@google.com" "johannes.berg@intel.com" "muntsinger@google.com" "schuffelen@google.com"] crash: BUG: unable to handle kernel NULL pointer dereference in ioctl_standard_call IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 PGD a7c9e067 P4D a7c9e067 PUD a7c9f067 PMD 0 Oops: 0010 [#1] PREEMPT SMP KASAN CPU: 1 PID: 7225 Comm: syz-executor.2 Not tainted 4.20.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010: (null) Code: Bad RIP value. RSP: 0018:ffff88009fec7a10 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: ffff8800a0668ac0 RCX: 0000000000000000 RDX: 1ffffffff0f26ed8 RSI: 0000000000000004 RDI: ffff8800a0668ac0 RBP: ffff88009fec7a50 R08: ffffed0015d65bc0 R09: ffffed0015d65bbf R10: ffffed0015d65bbf R11: ffff8800aeb2ddfb R12: ffffffff87937540 R13: ffff8800953e4280 R14: ffffffff87d2c2e0 R15: ffff88008d6200c0 FS: 00007fc8dca3d700(0000) GS:ffff8800aeb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffffffffd6 CR3: 000000008e7cd000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ioctl_standard_call+0x8a/0x150 net/wireless/wext-core.c:1015 wireless_process_ioctl.constprop.14+0x181/0x270 net/wireless/wext-core.c:953 wext_ioctl_dispatch net/wireless/wext-core.c:986 [inline] wext_handle_ioctl+0xe9/0x170 net/wireless/wext-core.c:1047 sock_ioctl+0x299/0x510 net/socket.c:1015 vfs_ioctl fs/ioctl.c:46 [inline] file_ioctl fs/ioctl.c:509 [inline] do_vfs_ioctl+0x196/0x10c0 fs/ioctl.c:696 ksys_ioctl+0x62/0x90 fs/ioctl.c:713 __do_sys_ioctl fs/ioctl.c:720 [inline] __se_sys_ioctl fs/ioctl.c:718 [inline] __x64_sys_ioctl+0x6e/0xb0 fs/ioctl.c:718 do_syscall_64+0xd0/0x4d0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x45af49 Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fc8dca3cc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045af49 RDX: 0000000020000040 RSI: 0800000000008b24 RDI: 0000000000000003 RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc8dca3d6d4 R13: 00000000004c281a R14: 00000000004d88d0 R15: 00000000ffffffff Modules linked in: CR2: 0000000000000000 ---[ end trace ec977defca4915e9 ]--- RIP: 0010: (null) Code: Bad RIP value. RSP: 0018:ffff88009fec7a10 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: ffff8800a0668ac0 RCX: 0000000000000000 RDX: 1ffffffff0f26ed8 RSI: 0000000000000004 RDI: ffff8800a0668ac0 RBP: ffff88009fec7a50 R08: ffffed0015d65bc0 R09: ffffed0015d65bbf R10: ffffed0015d65bbf R11: ffff8800aeb2ddfb R12: ffffffff87937540 R13: ffff8800953e4280 R14: ffffffff87d2c2e0 R15: ffff88008d6200c0 FS: 00007fc8dca3d700(0000) GS:ffff8800aeb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffffffffd6 CR3: 000000008e7cd000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400