bisecting fixing commit since 13d2ce42de8cb98ff952f8de6307f896203854c2
building syzkaller on 04201c0669446145fd9c347c5538da0ca13ff29b
testing commit 13d2ce42de8cb98ff952f8de6307f896203854c2 with gcc (GCC) 8.4.1 20210217
kernel signature: 07f582718c477455fc00998f1b17e4139d5804d830d3bfa02f3d8d252e930989
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in amp_read_loc_assoc_final_data
testing current HEAD 2034d6f0838e465dd8f120c4e946d8444b4bb5df
testing commit 2034d6f0838e465dd8f120c4e946d8444b4bb5df with gcc (GCC) 8.4.1 20210217
kernel signature: 552fc7b9f84f1d450b53590d69a068511300ee78ee36acb6f7b3a080ae8ad201
all runs: OK
# git bisect start 2034d6f0838e465dd8f120c4e946d8444b4bb5df 13d2ce42de8cb98ff952f8de6307f896203854c2
Bisecting: 709 revisions left to test after this (roughly 10 steps)
[52b4c58bac0e03732961d6d1c29c21a1eb7364e5] objtool: Don't fail on missing symbol table
testing commit 52b4c58bac0e03732961d6d1c29c21a1eb7364e5 with gcc (GCC) 8.4.1 20210217
kernel signature: 6b76daf5bf3441be19ddbad3fad58e5bfbc2c6968936573afd756dc258978568
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in amp_read_loc_assoc_final_data
# git bisect good 52b4c58bac0e03732961d6d1c29c21a1eb7364e5
Bisecting: 354 revisions left to test after this (roughly 9 steps)
[51442dbcbe115c4ce2ad83fafa05345a57202d03] dm era: Use correct value size in equality function of writeset tree
testing commit 51442dbcbe115c4ce2ad83fafa05345a57202d03 with gcc (GCC) 8.4.1 20210217
kernel signature: 70ace1b9788fe9c8be0e9cc34997b59025dd9168911d10b689b82e45eac34a1a
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in amp_read_loc_assoc_final_data
# git bisect good 51442dbcbe115c4ce2ad83fafa05345a57202d03
Bisecting: 177 revisions left to test after this (roughly 8 steps)
[cbee45861fe8046c021faaab3f137cb629e649f9] Goodix Fingerprint device is not a modem
testing commit cbee45861fe8046c021faaab3f137cb629e649f9 with gcc (GCC) 8.4.1 20210217
kernel signature: 436ec1eee57a3a0b88bd53c0b36bb15a15bacd9c1a7eca27693d5030f8e3c9af
all runs: OK
# git bisect bad cbee45861fe8046c021faaab3f137cb629e649f9
Bisecting: 88 revisions left to test after this (roughly 7 steps)
[6a9a45616bd97030841dc62a92e0e6f443d483d5] net: dsa: add GRO support via gro_cells
testing commit 6a9a45616bd97030841dc62a92e0e6f443d483d5 with gcc (GCC) 8.4.1 20210217
kernel signature: db2d5146b86769f63b8f150dae331c140e5c19bf630883bf8d1fed4fdfecc088
all runs: OK
# git bisect bad 6a9a45616bd97030841dc62a92e0e6f443d483d5
Bisecting: 43 revisions left to test after this (roughly 6 steps)
[946a7377b27dfc60a16ee358e0af842704fbe826] staging: most: sound: add sanity check for function argument
testing commit 946a7377b27dfc60a16ee358e0af842704fbe826 with gcc (GCC) 8.4.1 20210217
kernel signature: acbe26ced5c2f8bdcf21348968f5548c2f7a4d118fc5f359768751a1d6865eab
all runs: OK
# git bisect bad 946a7377b27dfc60a16ee358e0af842704fbe826
Bisecting: 21 revisions left to test after this (roughly 5 steps)
[5ef8dff99f434480e02cbe383ce2bb47057fc71b] arm64: Use correct ll/sc atomic constraints
testing commit 5ef8dff99f434480e02cbe383ce2bb47057fc71b with gcc (GCC) 8.4.1 20210217
kernel signature: ff683c773af7c424018fefafb08423548a09eefe5e217578c5d6c0a7219d9bca
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in amp_read_loc_assoc_final_data
# git bisect good 5ef8dff99f434480e02cbe383ce2bb47057fc71b
Bisecting: 10 revisions left to test after this (roughly 4 steps)
[995d733edbefb8dba7dd85c649abaab171673c74] rsi: Fix TX EAPOL packet handling against iwlwifi AP
testing commit 995d733edbefb8dba7dd85c649abaab171673c74 with gcc (GCC) 8.4.1 20210217
kernel signature: b89944f8f9d138e9d3c9f34da81c28b4d393b297df03de1c17c60932e579f98a
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in amp_read_loc_assoc_final_data
# git bisect good 995d733edbefb8dba7dd85c649abaab171673c74
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[656499e69c1ced43724bb377f6ca7ffb9d913959] wlcore: Fix command execute failure 19 for wl12xx
testing commit 656499e69c1ced43724bb377f6ca7ffb9d913959 with gcc (GCC) 8.4.1 20210217
kernel signature: 4486a35b03742e0f77e75722cea51cd83bd4b9935c58540e385c75d063d14957
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in amp_read_loc_assoc_final_data
# git bisect good 656499e69c1ced43724bb377f6ca7ffb9d913959
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[e0ea994b77a32763138b33ac784ab91cfb91eefd] ath10k: fix wmi mgmt tx queue full due to race condition
testing commit e0ea994b77a32763138b33ac784ab91cfb91eefd with gcc (GCC) 8.4.1 20210217
kernel signature: bd0844e4cca2af1f0c2b735b48f696d2162a6d4bcf227fd7af355085b54352ae
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in amp_read_loc_assoc_final_data
# git bisect good e0ea994b77a32763138b33ac784ab91cfb91eefd
Bisecting: 0 revisions left to test after this (roughly 1 step)
[99c2c8b009c42cbffd2bc5291ea8e1f27c3a9559] Bluetooth: Fix null pointer dereference in amp_read_loc_assoc_final_data
testing commit 99c2c8b009c42cbffd2bc5291ea8e1f27c3a9559 with gcc (GCC) 8.4.1 20210217
kernel signature: acbe26ced5c2f8bdcf21348968f5548c2f7a4d118fc5f359768751a1d6865eab
all runs: OK
# git bisect bad 99c2c8b009c42cbffd2bc5291ea8e1f27c3a9559
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[e4ebd7072e755003d0174ac550dac20bb8740308] x86/build: Treat R_386_PLT32 relocation as R_386_PC32
testing commit e4ebd7072e755003d0174ac550dac20bb8740308 with gcc (GCC) 8.4.1 20210217
kernel signature: bd0844e4cca2af1f0c2b735b48f696d2162a6d4bcf227fd7af355085b54352ae
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in amp_read_loc_assoc_final_data
# git bisect good e4ebd7072e755003d0174ac550dac20bb8740308
99c2c8b009c42cbffd2bc5291ea8e1f27c3a9559 is the first bad commit
commit 99c2c8b009c42cbffd2bc5291ea8e1f27c3a9559
Author: Gopal Tiwari
Date:   Tue Feb 2 15:12:30 2021 +0530

    Bluetooth: Fix null pointer dereference in amp_read_loc_assoc_final_data

    [ Upstream commit e8bd76ede155fd54d8c41d045dda43cd3174d506 ]

    kernel panic trace looks like:

    #5 [ffffb9e08698fc80] do_page_fault at ffffffffb666e0d7
    #6 [ffffb9e08698fcb0] page_fault at ffffffffb70010fe
       [exception RIP: amp_read_loc_assoc_final_data+63]
       RIP: ffffffffc06ab54f  RSP: ffffb9e08698fd68  RFLAGS: 00010246
       RAX: 0000000000000000  RBX: ffff8c8845a5a000  RCX: 0000000000000004
       RDX: 0000000000000000  RSI: ffff8c8b9153d000  RDI: ffff8c8845a5a000
       RBP: ffffb9e08698fe40   R8: 00000000000330e0   R9: ffffffffc0675c94
       R10: ffffb9e08698fe58  R11: 0000000000000001  R12: ffff8c8b9cbf6200
       R13: 0000000000000000  R14: 0000000000000000  R15: ffff8c8b2026da0b
       ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
    #7 [ffffb9e08698fda8] hci_event_packet at ffffffffc0676904 [bluetooth]
    #8 [ffffb9e08698fe50] hci_rx_work at ffffffffc06629ac [bluetooth]
    #9 [ffffb9e08698fe98] process_one_work at ffffffffb66f95e7

    hcon->amp_mgr seems NULL triggered kernel panic in following line inside
    function amp_read_loc_assoc_final_data

    set_bit(READ_LOC_AMP_ASSOC_FINAL, &mgr->state);

    Fixed by checking NULL for mgr.

    Signed-off-by: Gopal Tiwari
    Signed-off-by: Marcel Holtmann
    Signed-off-by: Sasha Levin

 net/bluetooth/amp.c | 3 +++
 1 file changed, 3 insertions(+)

culprit signature: acbe26ced5c2f8bdcf21348968f5548c2f7a4d118fc5f359768751a1d6865eab
parent signature: bd0844e4cca2af1f0c2b735b48f696d2162a6d4bcf227fd7af355085b54352ae
revisions tested: 13, total time: 2h59m0.755311636s (build: 1h50m15.75263389s, test: 1h7m32.108861702s)
first good commit: 99c2c8b009c42cbffd2bc5291ea8e1f27c3a9559 Bluetooth: Fix null pointer dereference in amp_read_loc_assoc_final_data
recipients (to): ["gtiwari@redhat.com" "marcel@holtmann.org" "sashal@kernel.org"]
recipients (cc): []