bisecting fixing commit since a844dc4c544291470aa69edbe2434b040794e269
building syzkaller on 1508f45368a309a3b1196a342b3d64ce7be4cc43
testing commit a844dc4c544291470aa69edbe2434b040794e269 with gcc (GCC) 8.4.1 20210217
kernel signature: 3be9988f9e761ea82c1706b67f156e20e3027ebea8782e74b7f1897fb4b8418e
all runs: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
testing current HEAD 7d7d1c0ab3eb7c8d8f63a126535018007823b207
testing commit 7d7d1c0ab3eb7c8d8f63a126535018007823b207 with gcc (GCC) 8.4.1 20210217
kernel signature: d88593c34bbdde4a86a88b745d5f4457ab5334695a8e089ccd4bb181c4c8a165
all runs: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
revisions tested: 2, total time: 28m50.588931813s (build: 22m6.214752644s, test: 6m9.003398797s)
the crash still happens on HEAD
commit msg: Linux 4.14.232
crash: KASAN: null-ptr-deref Read in llcp_sock_getname

IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
==================================================================
BUG: KASAN: null-ptr-deref in memcpy include/linux/string.h:376 [inline]
BUG: KASAN: null-ptr-deref in llcp_sock_getname+0x378/0x480 net/nfc/llcp_sock.c:534
IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
Read of size 43 at addr           (null) by task syz-executor.1/6595

CPU: 0 PID: 6595 Comm: syz-executor.1 Not tainted 4.14.232-syzkaller #0
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xf7/0x137 lib/dump_stack.c:58
 kasan_report_error mm/kasan/report.c:349 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold.8+0x6d/0x2d3 mm/kasan/report.c:393
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
 memcpy+0x23/0x50 mm/kasan/kasan.c:302
 memcpy include/linux/string.h:376 [inline]
 llcp_sock_getname+0x378/0x480 net/nfc/llcp_sock.c:534
 SYSC_getpeername+0x122/0x250 net/socket.c:1715
 SyS_getpeername+0x9/0x10 net/socket.c:1699
 do_syscall_64+0x1c7/0x5b0 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x462079
RSP: 002b:00007f68c64f71a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000034
RAX: ffffffffffffffda RBX: 000000000052bf00 RCX: 0000000000462079
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000004ee838 R14: 00000000004ad1ad R15: 00007f68c64f76bc
==================================================================
BUG: unable to handle kernel 
IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
NULL pointer dereference at           (null)
IP: memcpy_erms+0x6/0x10 arch/x86/lib/memcpy_64.S:54
PGD 1cf30e067 P4D 1cf30e067 PUD 1cf30f067 PMD 0 
Oops: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 6595 Comm: syz-executor.1 Tainted: G    B 4.14.232-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8881cf2a8340 task.stack: ffff8881e1580000
RIP: 0010:memcpy_erms+0x6/0x10 arch/x86/lib/memcpy_64.S:54
RSP: 0018:ffff8881e1587cb8 EFLAGS: 00010246
RAX: ffff8881e1587e22 RBX: 000000000000002b RCX: 000000000000002b
RDX: 000000000000002b RSI: 0000000000000000 RDI: ffff8881e1587e22
RBP: ffff8881e1587cd8 R08: ffffed103c2b0fca R09: ffffed103c2b0fc4
R10: ffffed103c2b0fc9 R11: ffff8881e1587e4c R12: ffff8881e1587e22
R13: 0000000000000000 R14: ffff8881cf2b7850 R15: 0000000000000000
FS:  00007f68c64f7700(0000) GS:ffff8881f6600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000001cf305004 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 memcpy include/linux/string.h:376 [inline]
 llcp_sock_getname+0x378/0x480 net/nfc/llcp_sock.c:534
 SYSC_getpeername+0x122/0x250 net/socket.c:1715
 SyS_getpeername+0x9/0x10 net/socket.c:1699
 do_syscall_64+0x1c7/0x5b0 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x462079
RSP: 002b:00007f68c64f71a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000034
RAX: ffffffffffffffda RBX: 000000000052bf00 RCX: 0000000000462079
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000004ee838 R14: 00000000004ad1ad R15: 00007f68c64f76bc
Code: 90 90 90 90 90 eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
RIP: memcpy_erms+0x6/0x10 arch/x86/lib/memcpy_64.S:54 RSP: ffff8881e1587cb8
CR2: 0000000000000000
IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
---[ end trace 47257d087f935349 ]---
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready