bisecting fixing commit since 14260788bbb9c94b0e36abc17294266b69dd46e4
building syzkaller on 3a75be00f50996031dd301d44b009d56db3485f0
testing commit 14260788bbb9c94b0e36abc17294266b69dd46e4 with gcc (GCC) 8.4.1 20210217
kernel signature: e513f6ed4ba1f8bd61d299d1108169781856d9a459844e90e8a661f00ad7bb3a
run #0: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #1: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #2: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #3: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in corrupted
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in corrupted
run #6: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #7: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in corrupted
run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in corrupted
run #10: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #11: crashed: BUG: unable to handle kernel NULL pointer dereference in corrupted
run #12: crashed: BUG: unable to handle kernel NULL pointer dereference in corrupted
run #13: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #14: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #15: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #16: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #17: crashed: KASAN: null-ptr-deref in llcp_sock_getname
run #18: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #19: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
testing current HEAD eb575cd5d7f60241d016fdd13a9e86d962093c9b
testing commit eb575cd5d7f60241d016fdd13a9e86d962093c9b with gcc (GCC) 8.4.1 20210217
kernel signature: 771387db0b28220a7c874315eaf2ea97f4bff2c5a46c016cb5d2fe0c471b6bd6
all runs: OK
# git bisect start eb575cd5d7f60241d016fdd13a9e86d962093c9b 14260788bbb9c94b0e36abc17294266b69dd46e4
Bisecting: 5021 revisions left to test after this (roughly 12 steps)
[5d2195b7b6c12f69557aec631cafcabc87b98691] serial: amba-pl011: Make sure we initialize the port.lock spinlock
testing commit 5d2195b7b6c12f69557aec631cafcabc87b98691 with gcc (GCC) 8.4.1 20210217
kernel signature: 684d116947f7cc5d75f9d85a34b3b14e4c579829551edc97517d0e60d9ba16d7
run #0: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #1: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in corrupted
run #3: crashed: KASAN: null-ptr-deref in llcp_sock_getname
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in corrupted
run #5: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #6: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in corrupted
run #8: crashed: KASAN: null-ptr-deref in llcp_sock_getname
run #9: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
# git bisect good 5d2195b7b6c12f69557aec631cafcabc87b98691
Bisecting: 2510 revisions left to test after this (roughly 11 steps)
[8f1f52f659b9e0b13bd2202fa7a558adc3b3994e] regulator: pfuze100: limit pfuze-support-disable-sw to pfuze{100,200}
testing commit 8f1f52f659b9e0b13bd2202fa7a558adc3b3994e with gcc (GCC) 8.4.1 20210217
kernel signature: bdc742179e55e854309a5ec75e104f32f18c3b383065375df9ec719bd206067f
run #0: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #1: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #2: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in corrupted
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in corrupted
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in corrupted
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in corrupted
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in corrupted
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in corrupted
run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in corrupted
# git bisect good 8f1f52f659b9e0b13bd2202fa7a558adc3b3994e
Bisecting: 1255 revisions left to test after this (roughly 10 steps)
[77e54793da0f17b6acad19471dc6f1f938a5e7f1] PCI: Add a REBAR size quirk for Sapphire RX 5600 XT Pulse
testing commit 77e54793da0f17b6acad19471dc6f1f938a5e7f1 with gcc (GCC) 8.4.1 20210217
kernel signature: c28e53a4b9ddf7edee578098153488884cbb7f29d5d9c8739cb9302e32901c4b
run #0: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #1: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #2: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #3: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #4: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in corrupted
run #6: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #7: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #8: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in corrupted
# git bisect good 77e54793da0f17b6acad19471dc6f1f938a5e7f1
Bisecting: 627 revisions left to test after this (roughly 9 steps)
[9ffa7967f9379a0a1b924e9ffeda709d72237da7] NFSv4: Don't discard segments marked for return in _pnfs_return_layout()
testing commit 9ffa7967f9379a0a1b924e9ffeda709d72237da7 with gcc (GCC) 8.4.1 20210217
kernel signature: 4875850ed9f61f81c2bcb0f3aaebc3c45c1faf50a7bfb3f7f59bbad57a434bdc
run #0: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in corrupted
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in corrupted
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in corrupted
run #4: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #5: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #6: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in corrupted
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in corrupted
run #9: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
# git bisect good 9ffa7967f9379a0a1b924e9ffeda709d72237da7
Bisecting: 313 revisions left to test after this (roughly 8 steps)
[d82da045a5da9f889a6cee316cabeb2be29cb199] ACPI / hotplug / PCI: Fix reference count leak in enable_slot()
testing commit d82da045a5da9f889a6cee316cabeb2be29cb199 with gcc (GCC) 8.4.1 20210217
kernel signature: c0b33e7197b329f0eaf45d84624bfae59894e18852ebc28aff896dc97d01b498
all runs: basic kernel testing failed: unregister_netdevice: waiting for DEV to become free
# git bisect skip d82da045a5da9f889a6cee316cabeb2be29cb199
Bisecting: 313 revisions left to test after this (roughly 8 steps)
[8c4dce3dc8a5673453bc481461228713a07969e4] usb: dwc2: Fix gadget DMA unmap direction
testing commit 8c4dce3dc8a5673453bc481461228713a07969e4 with gcc (GCC) 8.4.1 20210217
kernel signature: 32b9a1b55e57c4dfd4aee5f55bc47822ba12e25c9cb40b265e7db17607569c63
all runs: basic kernel testing failed: unregister_netdevice: waiting for DEV to become free
# git bisect skip 8c4dce3dc8a5673453bc481461228713a07969e4
Bisecting: 313 revisions left to test after this (roughly 8 steps)
[0f6e6872a7d819da81d2f92dd513ca7eae55369e] ASoC: cs35l33: fix an error code in probe()
testing commit 0f6e6872a7d819da81d2f92dd513ca7eae55369e with gcc (GCC) 8.4.1 20210217
kernel signature: 6328988583b73bfc27005feb026e015c7bcaf2f2ec41203a7347279969394958
run #0: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #1: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in corrupted
run #3: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #4: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #5: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #6: crashed: KASAN: null-ptr-deref in llcp_sock_getname
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in corrupted
run #8: crashed: KASAN: null-ptr-deref in llcp_sock_getname
run #9: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
# git bisect good 0f6e6872a7d819da81d2f92dd513ca7eae55369e
Bisecting: 68 revisions left to test after this (roughly 6 steps)
[ed6a024f4888df6fa2b8a3e92dea5f6a63649b84] xen-pciback: redo VF placement in the virtual topology
testing commit ed6a024f4888df6fa2b8a3e92dea5f6a63649b84 with gcc (GCC) 8.4.1 20210217
kernel signature: 4dce5b31b7097f8df7e7d3be0737b719cfd979e0b7f2e2992d03750676dff8b7
all runs: OK
# git bisect bad ed6a024f4888df6fa2b8a3e92dea5f6a63649b84
Bisecting: 33 revisions left to test after this (roughly 5 steps)
[3be863c11cab725add9fef4237ed4e232c3fc3bb] net: caif: fix memory leak in caif_device_notify
testing commit 3be863c11cab725add9fef4237ed4e232c3fc3bb with gcc (GCC) 8.4.1 20210217
kernel signature: 430728c22ba45b80891143f9a49a3c0ddc5af0913e6544bc3f3e580bdc2e0f1c
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in corrupted
run #1: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #2: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #3: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #4: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #5: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #6: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #7: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #8: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #9: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
# git bisect good 3be863c11cab725add9fef4237ed4e232c3fc3bb
Bisecting: 16 revisions left to test after this (roughly 4 steps)
[ac0985c8a2d8f829e7f6dfcdd543f32dd29747b7] bpf: test make sure to run unpriv test cases in test_verifier
testing commit ac0985c8a2d8f829e7f6dfcdd543f32dd29747b7 with gcc (GCC) 8.4.1 20210217
kernel signature: f332adc2addb8fb2e40f93d6320a31f0fe823ad1e85a82b588b79b8904ce794c
all runs: OK
# git bisect bad ac0985c8a2d8f829e7f6dfcdd543f32dd29747b7
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[93e4ac2a9979a9a4ecc158409ed9c3044dc0ae1f] nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect
testing commit 93e4ac2a9979a9a4ecc158409ed9c3044dc0ae1f with gcc (GCC) 8.4.1 20210217
kernel signature: a4ec2d6411fba315cace4482e66ad78e2d4ac31f4462702ec5fda243d3f230e2
all runs: OK
# git bisect bad 93e4ac2a9979a9a4ecc158409ed9c3044dc0ae1f
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[1294a5d725e8d19d661c8065959128da0ab7ef52] ALSA: hda: Fix for mute key LED for HP Pavilion 15-CK0xx
testing commit 1294a5d725e8d19d661c8065959128da0ab7ef52 with gcc (GCC) 8.4.1 20210217
kernel signature: 314c2392500f3c9cdbd01f3733f227e24e601cebed22f84844d1c9d595201452
run #0: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #1: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #2: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in corrupted
run #4: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #5: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #6: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #7: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in corrupted
run #9: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
# git bisect good 1294a5d725e8d19d661c8065959128da0ab7ef52
Bisecting: 2 revisions left to test after this (roughly 1 step)
[2132a28807cf8eda722f96628b3ab7709a236bb8] usb: dwc2: Fix build in periphal-only mode
testing commit 2132a28807cf8eda722f96628b3ab7709a236bb8 with gcc (GCC) 8.4.1 20210217
kernel signature: 4a244cdd4b36a58dc14e23dcf3993a653ab43d9dd1581c4a8c4f4804a87e3185
all runs: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
# git bisect good 2132a28807cf8eda722f96628b3ab7709a236bb8
Bisecting: 0 revisions left to test after this (roughly 1 step)
[cec4e857ffaa8c447f51cd8ab4e72350077b6770] ocfs2: fix data corruption by fallocate
testing commit cec4e857ffaa8c447f51cd8ab4e72350077b6770 with gcc (GCC) 8.4.1 20210217
kernel signature: 7c05405970c780a6629eeff85a8c64f711ce623c00f0ea7730fcf0e3dc007df6
run #0: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #1: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #2: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in corrupted
run #4: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in corrupted
run #6: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #7: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #8: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #9: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
# git bisect good cec4e857ffaa8c447f51cd8ab4e72350077b6770
93e4ac2a9979a9a4ecc158409ed9c3044dc0ae1f is the first bad commit
commit 93e4ac2a9979a9a4ecc158409ed9c3044dc0ae1f
Author: Krzysztof Kozlowski
Date:   Mon May 31 09:21:38 2021 +0200

    nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect

    commit 4ac06a1e013cf5fdd963317ffd3b968560f33bba upstream.

    It's possible to trigger NULL pointer dereference by local unprivileged
    user, when calling getsockname() after failed bind() (e.g. the bind
    fails because LLCP_SAP_MAX used as SAP):

        BUG: kernel NULL pointer dereference, address: 0000000000000000
        CPU: 1 PID: 426 Comm: llcp_sock_getna Not tainted 5.13.0-rc2-next-20210521+ #9
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1 04/01/2014
        Call Trace:
         llcp_sock_getname+0xb1/0xe0
         __sys_getpeername+0x95/0xc0
         ? lockdep_hardirqs_on_prepare+0xd5/0x180
         ? syscall_enter_from_user_mode+0x1c/0x40
         __x64_sys_getpeername+0x11/0x20
         do_syscall_64+0x36/0x70
         entry_SYSCALL_64_after_hwframe+0x44/0xae

    This can be reproduced with Syzkaller C repro (bind followed by
    getpeername):
    https://syzkaller.appspot.com/x/repro.c?x=14def446e00000

    Cc:
    Fixes: d646960f7986 ("NFC: Initial LLCP support")
    Reported-by: syzbot+80fb126e7f7d8b1a5914@syzkaller.appspotmail.com
    Reported-by: butt3rflyh4ck
    Signed-off-by: Krzysztof Kozlowski
    Link: https://lore.kernel.org/r/20210531072138.5219-1-krzysztof.kozlowski@canonical.com
    Signed-off-by: Jakub Kicinski
    Signed-off-by: Greg Kroah-Hartman

 net/nfc/llcp_sock.c | 2 ++
 1 file changed, 2 insertions(+)

culprit signature: a4ec2d6411fba315cace4482e66ad78e2d4ac31f4462702ec5fda243d3f230e2
parent signature: 7c05405970c780a6629eeff85a8c64f711ce623c00f0ea7730fcf0e3dc007df6
revisions tested: 16, total time: 3h27m43.843518857s (build: 2h9m55.895040875s, test: 1h16m18.523394224s)
first good commit: 93e4ac2a9979a9a4ecc158409ed9c3044dc0ae1f nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect
recipients (to): ["gregkh@linuxfoundation.org" "krzysztof.kozlowski@canonical.com" "kuba@kernel.org"]
recipients (cc): []