bisecting cause commit starting from ddef1e8e3f6eb26034833b7255e3fa584d54a230
building syzkaller on 5ea87a6638e52a94361b26b8576a1605585815fb
testing commit ddef1e8e3f6eb26034833b7255e3fa584d54a230 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #1: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #2: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #3: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in corrupted
run #5: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #6: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #7: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #8: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #9: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
testing release v4.14.150
testing commit b98aebd298246df37b472c52a2ee1023256d02e3 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #1: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #2: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in corrupted
run #4: crashed: BUG: unable to handle kernel
run #5: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #6: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #7: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #8: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #9: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
testing release v4.14.149
testing commit e132c8d7b58d8dc2c1888f5768454550d1f3ea7b with gcc (GCC) 8.1.0
run #0: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #1: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #2: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #3: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #4: crashed: BUG: unable to handle kernel
run #5: crashed: KASAN: null-ptr-deref in llcp_sock_getname
run #6: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #7: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #8: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #9: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
testing release v4.14.148
testing commit 42327896f194f256e5a361e0069985bc8d209b42 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #1: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #2: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #3: crashed: KASAN: null-ptr-deref in llcp_sock_getname
run #4: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #5: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #6: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #7: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #8: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #9: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
testing release v4.14.147
testing commit db1892238c55c5138801f131a837ccd0056f002e with gcc (GCC) 8.1.0
all runs: OK
# git bisect start 42327896f194f256e5a361e0069985bc8d209b42 db1892238c55c5138801f131a837ccd0056f002e
Bisecting: 34 revisions left to test after this (roughly 5 steps)
[1edc3a5f82a4a3d2486ba5776d39970e85474963] ARM: 8898/1: mm: Don't treat faults reported from cache maintenance as writes
testing commit 1edc3a5f82a4a3d2486ba5776d39970e85474963 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 1edc3a5f82a4a3d2486ba5776d39970e85474963
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[78c014433cb9a8be74a99abab1d7881d047dd8cc] hso: fix NULL-deref on tty open
testing commit 78c014433cb9a8be74a99abab1d7881d047dd8cc with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 78c014433cb9a8be74a99abab1d7881d047dd8cc
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[f4e58dc5f8b5ae154853887ffda7a2380243bd64] net/rds: Fix error handling in rds_ib_add_one()
testing commit f4e58dc5f8b5ae154853887ffda7a2380243bd64 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
# git bisect bad f4e58dc5f8b5ae154853887ffda7a2380243bd64
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[1e24f532c736b3f99f3fe7c4be66414c40df5f02] net: Unpublish sk from sk_reuseport_cb before call_rcu
testing commit 1e24f532c736b3f99f3fe7c4be66414c40df5f02 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 1e24f532c736b3f99f3fe7c4be66414c40df5f02
Bisecting: 2 revisions left to test after this (roughly 1 step)
[af849a18cdc741261fe61d2d8423be0865af3334] qmi_wwan: add support for Cinterion CLS8 devices
testing commit af849a18cdc741261fe61d2d8423be0865af3334 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
# git bisect bad af849a18cdc741261fe61d2d8423be0865af3334
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[f7b1e143d1ade0881d8e5670f7d6789be7d068ad] nfc: fix memory leak in llcp_sock_bind()
testing commit f7b1e143d1ade0881d8e5670f7d6789be7d068ad with gcc (GCC) 8.1.0
run #0: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #1: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #2: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #3: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #4: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #5: crashed: BUG: unable to handle kernel
run #6: crashed: KASAN: null-ptr-deref Read in llcp_sock_getname
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in corrupted
run #8: crashed: BUG: unable to handle kernel
run #9: crashed: BUG: unable to handle kernel
# git bisect bad f7b1e143d1ade0881d8e5670f7d6789be7d068ad
f7b1e143d1ade0881d8e5670f7d6789be7d068ad is the first bad commit
commit f7b1e143d1ade0881d8e5670f7d6789be7d068ad
Author: Eric Dumazet
Date:   Fri Oct 4 11:08:34 2019 -0700

    nfc: fix memory leak in llcp_sock_bind()

    [ Upstream commit a0c2dc1fe63e2869b74c1c7f6a81d1745c8a695d ]

    syzbot reported a memory leak after a bind() has failed.

    While we are at it, abort the operation if kmemdup() has failed.

    BUG: memory leak
    unreferenced object 0xffff888105d83ec0 (size 32):
      comm "syz-executor067", pid 7207, jiffies 4294956228 (age 19.430s)
      hex dump (first 32 bytes):
        00 69 6c 65 20 72 65 61 64 00 6e 65 74 3a 5b 34  .ile read.net:[4
        30 32 36 35 33 33 30 39 37 5d 00 00 00 00 00 00  026533097]......
      backtrace:
        [<0000000036bac473>] kmemleak_alloc_recursive /./include/linux/kmemleak.h:43 [inline]
        [<0000000036bac473>] slab_post_alloc_hook /mm/slab.h:522 [inline]
        [<0000000036bac473>] slab_alloc /mm/slab.c:3319 [inline]
        [<0000000036bac473>] __do_kmalloc /mm/slab.c:3653 [inline]
        [<0000000036bac473>] __kmalloc_track_caller+0x169/0x2d0 /mm/slab.c:3670
        [<000000000cd39d07>] kmemdup+0x27/0x60 /mm/util.c:120
        [<000000008e57e5fc>] kmemdup /./include/linux/string.h:432 [inline]
        [<000000008e57e5fc>] llcp_sock_bind+0x1b3/0x230 /net/nfc/llcp_sock.c:107
        [<000000009cb0b5d3>] __sys_bind+0x11c/0x140 /net/socket.c:1647
        [<00000000492c3bbc>] __do_sys_bind /net/socket.c:1658 [inline]
        [<00000000492c3bbc>] __se_sys_bind /net/socket.c:1656 [inline]
        [<00000000492c3bbc>] __x64_sys_bind+0x1e/0x30 /net/socket.c:1656
        [<0000000008704b2a>] do_syscall_64+0x76/0x1a0 /arch/x86/entry/common.c:296
        [<000000009f4c57a4>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

    Fixes: 30cc4587659e ("NFC: Move LLCP code to the NFC top level diirectory")
    Signed-off-by: Eric Dumazet
    Reported-by: syzbot
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

 net/nfc/llcp_sock.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

revisions tested: 11, total time: 2h34m30.85131841s (build: 1h24m46.09257516s, test: 1h6m29.651479165s)
first bad commit: f7b1e143d1ade0881d8e5670f7d6789be7d068ad nfc: fix memory leak in llcp_sock_bind()
cc: ["davem@davemloft.net" "edumazet@google.com" "gregkh@linuxfoundation.org" "linux-kernel@vger.kernel.org" "linux-wireless@vger.kernel.org" "netdev@vger.kernel.org" "sameo@linux.intel.com"]
crash: BUG: unable to handle kernel
IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
8021q: adding VLAN 0 to HW filter on device batadv0
==================================================================
BUG: unable to handle kernel
BUG: KASAN: null-ptr-deref in memcpy include/linux/string.h:347 [inline]
BUG: KASAN: null-ptr-deref in llcp_sock_getname+0x378/0x480 net/nfc/llcp_sock.c:532
NULL pointer dereference at (null)
Read of size 43 at addr (null) by task syz-executor.2/6974
IP: memcpy_erms+0x6/0x10 arch/x86/lib/memcpy_64.S:54
PGD 9574c067
CPU: 0 PID: 6974 Comm: syz-executor.2 Not tainted 4.14.147+ #0
P4D 9574c067
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
PUD 9045f067
Call Trace:
PMD 0
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xed/0x13b lib/dump_stack.c:53
Oops: 0000 [#1] PREEMPT SMP KASAN
 kasan_report_error mm/kasan/report.c:349 [inline]
 kasan_report.cold.8+0x6d/0x2d3 mm/kasan/report.c:409
Modules linked in:
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
CPU: 1 PID: 6976 Comm: syz-executor.0 Not tainted 4.14.147+ #0
 memcpy+0x23/0x50 mm/kasan/kasan.c:302
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 memcpy include/linux/string.h:347 [inline]
 llcp_sock_getname+0x378/0x480 net/nfc/llcp_sock.c:532
task: ffff8880941de000 task.stack: ffff888097ba8000
 SYSC_getpeername+0x122/0x250 net/socket.c:1715
RIP: 0010:memcpy_erms+0x6/0x10 arch/x86/lib/memcpy_64.S:54
RSP: 0018:ffff888097bafcb8 EFLAGS: 00010246
RAX: ffff888097bafe22 RBX: 000000000000002b RCX: 000000000000002b
RDX: 000000000000002b RSI: 0000000000000000 RDI: ffff888097bafe22
RBP: ffff888097bafcd8 R08: ffffed1012f75fca R09: ffffed1012f75fc4
R10: ffffed1012f75fc9 R11: ffff888097bafe4c R12: ffff888097bafe22
 SyS_getpeername+0x9/0x10 net/socket.c:1699
R13: 0000000000000000 R14: ffff888095e59b50 R15: 0000000000000000
 do_syscall_64+0x1c7/0x5b0 arch/x86/entry/common.c:292
FS:  00007fc1c3bc5700(0000) GS:ffff8880aef00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
CR2: 0000000000000000 CR3: 00000000962bd000 CR4: 00000000001406e0
RIP: 0033:0x459f49
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
RSP: 002b:00007fe37738ac78 EFLAGS: 00000246
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
ORIG_RAX: 0000000000000034
Call Trace:
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459f49
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
 memcpy include/linux/string.h:347 [inline]
 llcp_sock_getname+0x378/0x480 net/nfc/llcp_sock.c:532
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
 SYSC_getpeername+0x122/0x250 net/socket.c:1715
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe37738b6d4
R13: 00000000004c0bf0 R14: 00000000004d37a8 R15: 00000000ffffffff
==================================================================