bisecting fixing commit since c076c79e03c6094e578df5d210fde808b3ad32e6
building syzkaller on 4ca1c0ea446d2c09b1fb49a85ae645e3754f1058
testing commit c076c79e03c6094e578df5d210fde808b3ad32e6 with gcc (GCC) 8.1.0
kernel signature: 9344c69121b3d4fb4541af73f33a62d5add7fbe36e8b847bebe7351fa660016d
run #0: crashed: WARNING: ODEBUG bug in bt_link_release
run #1: crashed: WARNING: ODEBUG bug in bt_link_release
run #2: crashed: WARNING: ODEBUG bug in bt_link_release
run #3: crashed: WARNING: ODEBUG bug in bt_link_release
run #4: crashed: KASAN: use-after-free Write in sco_chan_del
run #5: crashed: WARNING: ODEBUG bug in bt_link_release
run #6: crashed: WARNING: ODEBUG bug in bt_link_release
run #7: crashed: WARNING: ODEBUG bug in bt_link_release
run #8: crashed: WARNING: ODEBUG bug in corrupted
run #9: crashed: WARNING: ODEBUG bug in bt_link_release
testing current HEAD 3207316b3beec7e38e5dbe2f463df0cec71e0b97
testing commit 3207316b3beec7e38e5dbe2f463df0cec71e0b97 with gcc (GCC) 8.1.0
kernel signature: fee5c09f21691e4573e2e5130cd2a91b4bde16301a2a0494868ddc972b6a3e79
all runs: OK
# git bisect start 3207316b3beec7e38e5dbe2f463df0cec71e0b97 c076c79e03c6094e578df5d210fde808b3ad32e6
Bisecting: 1173 revisions left to test after this (roughly 10 steps)
[d7b164f4d6021ed1b3eea043bc9e21b6cdbdbbf8] crypto: mediatek - Fix wrong return value in mtk_desc_ring_alloc()
testing commit d7b164f4d6021ed1b3eea043bc9e21b6cdbdbbf8 with gcc (GCC) 8.1.0
kernel signature: 734b394e4d534e6c109b0df20c0d275cd027cbfdff3709f6116bcdda76f27b39
run #0: crashed: KASAN: use-after-free Write in sco_chan_del
run #1: crashed: WARNING: ODEBUG bug in corrupted
run #2: crashed: KASAN: use-after-free Write in sco_chan_del
run #3: crashed: WARNING: ODEBUG bug in bt_link_release
run #4: crashed: WARNING: ODEBUG bug in bt_link_release
run #5: crashed: WARNING: ODEBUG bug in corrupted
run #6: crashed: WARNING: ODEBUG bug in bt_link_release
run #7: crashed: WARNING: ODEBUG bug in bt_link_release
run #8: crashed: KASAN: use-after-free Write in sco_chan_del
run #9: crashed: KASAN: use-after-free Write in sco_chan_del
# git bisect good d7b164f4d6021ed1b3eea043bc9e21b6cdbdbbf8
Bisecting: 586 revisions left to test after this (roughly 9 steps)
[9a6cea8220c608f6d59763fab06ff196185cc3ff] Revert "kernel/reboot.c: convert simple_strtoul to kstrtoint"
testing commit 9a6cea8220c608f6d59763fab06ff196185cc3ff with gcc (GCC) 8.1.0
kernel signature: e08010e7d2d9ed96a6f99503e17c70b7aafdb526d07d1866b6db5984b682cea7
run #0: crashed: WARNING: ODEBUG bug in bt_link_release
run #1: crashed: KASAN: use-after-free Write in sco_chan_del
run #2: crashed: WARNING: ODEBUG bug in corrupted
run #3: crashed: WARNING: ODEBUG bug in bt_link_release
run #4: crashed: WARNING: ODEBUG bug in corrupted
run #5: crashed: WARNING: ODEBUG bug in bt_link_release
run #6: crashed: WARNING: ODEBUG bug in bt_link_release
run #7: crashed: WARNING: ODEBUG bug in bt_link_release
run #8: crashed: WARNING: ODEBUG bug in bt_link_release
run #9: crashed: WARNING: ODEBUG bug in bt_link_release
# git bisect good 9a6cea8220c608f6d59763fab06ff196185cc3ff
Bisecting: 293 revisions left to test after this (roughly 8 steps)
[96fd4981791602ba6f4cbe23c4bd9386408940c1] arm64: lse: Fix LSE atomics with LLVM
testing commit 96fd4981791602ba6f4cbe23c4bd9386408940c1 with gcc (GCC) 8.1.0
kernel signature: aaa4b49ca366ae613d7e8126dc3f5d4970af6b5b988abcde56fa080dbbecea0b
run #0: crashed: WARNING: ODEBUG bug in bt_link_release
run #1: crashed: KASAN: use-after-free Write in sco_chan_del
run #2: crashed: WARNING: ODEBUG bug in bt_link_release
run #3: crashed: KASAN: use-after-free Write in sco_chan_del
run #4: crashed: KASAN: use-after-free Write in sco_chan_del
run #5: crashed: KASAN: use-after-free Write in sco_chan_del
run #6: crashed: WARNING: ODEBUG bug in bt_link_release
run #7: crashed: WARNING: ODEBUG bug in bt_link_release
run #8: crashed: KASAN: use-after-free Write in sco_chan_del
run #9: crashed: KASAN: use-after-free Write in sco_chan_del
# git bisect good 96fd4981791602ba6f4cbe23c4bd9386408940c1
Bisecting: 146 revisions left to test after this (roughly 7 steps)
[f9b158b58f213d76f5c0b25b3885b63136b74511] ASoC: jz4740-i2s: add missed checks for clk_get()
testing commit f9b158b58f213d76f5c0b25b3885b63136b74511 with gcc (GCC) 8.1.0
kernel signature: 6943cf976b0abd689f177b7dfadbb2738823b2d5ee5ae1a61a5cf76a737fd51a
all runs: OK
# git bisect bad f9b158b58f213d76f5c0b25b3885b63136b74511
Bisecting: 73 revisions left to test after this (roughly 6 steps)
[b7d60a1b3020550849bb2ac498b7247b2237559b] spi: spi-ti-qspi: fix reference leak in ti_qspi_setup
testing commit b7d60a1b3020550849bb2ac498b7247b2237559b with gcc (GCC) 8.1.0
kernel signature: 29e1a4fa6733b13ffa02b90296b43ade473dd12e7162eddacb07fc5216cef5af
all runs: OK
# git bisect bad b7d60a1b3020550849bb2ac498b7247b2237559b
Bisecting: 36 revisions left to test after this (roughly 5 steps)
[c9f589923f03a15402ea1e691e76897be65bb564] coresight: tmc-etr: Check if page is valid before dma_map_page()
testing commit c9f589923f03a15402ea1e691e76897be65bb564 with gcc (GCC) 8.1.0
kernel signature: b568ef14963ab2a5eb5a153f94c400e50a57248144e64bda46c385c982c0d4b7
all runs: crashed: KASAN: use-after-free Write in sco_chan_del
# git bisect good c9f589923f03a15402ea1e691e76897be65bb564
Bisecting: 18 revisions left to test after this (roughly 4 steps)
[620974102ad8ed5641f805dfec7e75765c3d2df9] ARM: dts: aspeed: s2600wf: Fix VGA memory region location
testing commit 620974102ad8ed5641f805dfec7e75765c3d2df9 with gcc (GCC) 8.1.0
kernel signature: a4cc2e21467f1076bca859d1d29207be4a940c6d3025bdfac91a4295524f40b0
all runs: crashed: KASAN: use-after-free Write in sco_chan_del
# git bisect good 620974102ad8ed5641f805dfec7e75765c3d2df9
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[413de08ca4d81e78e50299293f4db4079615bbab] crypto: inside-secure - Fix sizeof() mismatch
testing commit 413de08ca4d81e78e50299293f4db4079615bbab with gcc (GCC) 8.1.0
kernel signature: c7ff09067b201cfa8db88847e3b022d36d7960c57d63d3de16ec52d8aab7dc2d
all runs: crashed: KASAN: use-after-free Write in sco_chan_del
# git bisect good 413de08ca4d81e78e50299293f4db4079615bbab
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[87294e61dafc7be280188581191722eac8b87932] selinux: fix inode_doinit_with_dentry() LABEL_INVALID error handling
testing commit 87294e61dafc7be280188581191722eac8b87932 with gcc (GCC) 8.1.0
kernel signature: 8e524af56ec3aef98530aa320818aa7f800fdb761d619f43446f606642fea033
run #0: crashed: KASAN: use-after-free Write in sco_chan_del
run #1: crashed: KASAN: use-after-free Write in sco_chan_del
run #2: crashed: WARNING: ODEBUG bug in bt_link_release
run #3: crashed: KASAN: use-after-free Write in sco_chan_del
run #4: crashed: KASAN: use-after-free Write in sco_chan_del
run #5: crashed: KASAN: use-after-free Write in sco_chan_del
run #6: crashed: KASAN: use-after-free Write in sco_chan_del
run #7: crashed: KASAN: use-after-free Write in sco_chan_del
run #8: crashed: KASAN: use-after-free Write in sco_chan_del
run #9: crashed: KASAN: use-after-free Write in sco_chan_del
# git bisect good 87294e61dafc7be280188581191722eac8b87932
Bisecting: 2 revisions left to test after this (roughly 1 step)
[4da6c1af4d3115b19092f0fd1267163ce91dc796] arm64: dts: exynos: Correct psci compatible used on Exynos7
testing commit 4da6c1af4d3115b19092f0fd1267163ce91dc796 with gcc (GCC) 8.1.0
kernel signature: 8e524af56ec3aef98530aa320818aa7f800fdb761d619f43446f606642fea033
all runs: crashed: KASAN: use-after-free Write in sco_chan_del
# git bisect good 4da6c1af4d3115b19092f0fd1267163ce91dc796
Bisecting: 0 revisions left to test after this (roughly 1 step)
[a15989ce987c3b112d5ec4fdabb755dbdc1d923b] Bluetooth: hci_h5: fix memory leak in h5_close
testing commit a15989ce987c3b112d5ec4fdabb755dbdc1d923b with gcc (GCC) 8.1.0
kernel signature: 29e1a4fa6733b13ffa02b90296b43ade473dd12e7162eddacb07fc5216cef5af
all runs: OK
# git bisect bad a15989ce987c3b112d5ec4fdabb755dbdc1d923b
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[abae100355c011d14c75cabbf9eb773c231187ee] Bluetooth: Fix null pointer dereference in hci_event_packet()
testing commit abae100355c011d14c75cabbf9eb773c231187ee with gcc (GCC) 8.1.0
kernel signature: 7ac2924d2a4a009c7a807892839e5cf089108ffc188af50167669d98a47b7b88
all runs: OK
# git bisect bad abae100355c011d14c75cabbf9eb773c231187ee
abae100355c011d14c75cabbf9eb773c231187ee is the first bad commit
commit abae100355c011d14c75cabbf9eb773c231187ee
Author: Anmol Karn
Date:   Wed Sep 30 19:48:13 2020 +0530

    Bluetooth: Fix null pointer dereference in hci_event_packet()

    [ Upstream commit 6dfccd13db2ff2b709ef60a50163925d477549aa ]

    AMP_MGR is getting dereferenced in hci_phy_link_complete_evt(), when called
    from hci_event_packet() and there is a possibility, that hcon->amp_mgr may
    not be found when accessing after initialization of hcon.

    - net/bluetooth/hci_event.c:4945

    The bug seems to get triggered in this line:

    bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;

    Fix it by adding a NULL check for the hcon->amp_mgr before checking the ev-status.

    Fixes: d5e911928bd8 ("Bluetooth: AMP: Process Physical Link Complete evt")
    Reported-and-tested-by: syzbot+0bef568258653cff272f@syzkaller.appspotmail.com
    Link: https://syzkaller.appspot.com/bug?extid=0bef568258653cff272f
    Signed-off-by: Anmol Karn
    Signed-off-by: Marcel Holtmann
    Signed-off-by: Sasha Levin

 net/bluetooth/hci_event.c | 5 +++++
 1 file changed, 5 insertions(+)

culprit signature: 7ac2924d2a4a009c7a807892839e5cf089108ffc188af50167669d98a47b7b88
parent signature: 8e524af56ec3aef98530aa320818aa7f800fdb761d619f43446f606642fea033
revisions tested: 14, total time: 3h24m1.96143411s (build: 2h3m9.479435904s, test: 1h19m34.942520405s)
first good commit: abae100355c011d14c75cabbf9eb773c231187ee Bluetooth: Fix null pointer dereference in hci_event_packet()
recipients (to): ["anmol.karan123@gmail.com" "marcel@holtmann.org" "sashal@kernel.org" "syzbot+0bef568258653cff272f@syzkaller.appspotmail.com"]
recipients (cc): []