bisecting fixing commit since 66c56cfa64d9dbb9efa8a06c1aece77e8d57ea19
building syzkaller on c3f3344c78d6f69e1494297262c453f8ed10a844
testing commit 66c56cfa64d9dbb9efa8a06c1aece77e8d57ea19 with gcc (GCC) 8.1.0
kernel signature: f2eb2f82195edd13ab1699dc19474c4083521f44
run #0: crashed: WARNING in tty_set_termios
run #1: crashed: WARNING in tty_set_termios
run #2: crashed: WARNING in tty_set_termios
run #3: crashed: WARNING in tty_set_termios
run #4: crashed: WARNING in tty_set_termios
run #5: crashed: WARNING in tty_set_termios
run #6: crashed: WARNING in tty_set_termios
run #7: crashed: WARNING in tty_set_termios
run #8: crashed: WARNING in tty_set_termios
run #9: crashed: WARNING in corrupted
testing current HEAD e42617b825f8073569da76dc4510bfa019b1c35a
testing commit e42617b825f8073569da76dc4510bfa019b1c35a with gcc (GCC) 8.1.0
kernel signature: da4ca611a3772774ec1b898151622d04448930fa
all runs: OK
# git bisect start e42617b825f8073569da76dc4510bfa019b1c35a 66c56cfa64d9dbb9efa8a06c1aece77e8d57ea19
Bisecting: 38178 revisions left to test after this (roughly 15 steps)
[d72619706abc4aa7e540ea882dae883cee7cc3b3] Merge tag 'tty-5.3-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
testing commit d72619706abc4aa7e540ea882dae883cee7cc3b3 with gcc (GCC) 8.1.0
kernel signature: b1822aaa7d7fe99e60b7afa998e37e506d822b54
run #0: crashed: WARNING in tty_set_termios
run #1: crashed: WARNING in tty_set_termios
run #2: crashed: WARNING in tty_set_termios
run #3: crashed: WARNING in tty_set_termios
run #4: crashed: WARNING in tty_set_termios
run #5: crashed: WARNING in corrupted
run #6: crashed: WARNING in corrupted
run #7: crashed: WARNING in tty_set_termios
run #8: crashed: WARNING in tty_set_termios
run #9: crashed: WARNING in tty_set_termios
# git bisect good d72619706abc4aa7e540ea882dae883cee7cc3b3
Bisecting: 19007 revisions left to test after this (roughly 14 steps)
[574cc4539762561d96b456dbc0544d8898bd4c6e] Merge tag 'drm-next-2019-09-18' of git://anongit.freedesktop.org/drm/drm
testing commit 574cc4539762561d96b456dbc0544d8898bd4c6e with gcc (GCC) 8.1.0
kernel signature: c37841159e5a8b4ec848b514ed2064c8efdc30df
all runs: OK
# git bisect bad 574cc4539762561d96b456dbc0544d8898bd4c6e
Bisecting: 9585 revisions left to test after this (roughly 13 steps)
[e77fafe9afb53b7f4d8176c5cd5c10c43a905bc8] Merge tag 'arm64-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux
testing commit e77fafe9afb53b7f4d8176c5cd5c10c43a905bc8 with gcc (GCC) 8.1.0
kernel signature: bfd9a7e4dc98255e81f346f8c9e43059f76004f8
all runs: OK
# git bisect bad e77fafe9afb53b7f4d8176c5cd5c10c43a905bc8
Bisecting: 4792 revisions left to test after this (roughly 12 steps)
[bd98c81346468fc2f86aeeb44d4d0d6f763a62b7] objtool: Support repeated uses of the same C jump table
testing commit bd98c81346468fc2f86aeeb44d4d0d6f763a62b7 with gcc (GCC) 8.1.0
kernel signature: 84ebefd659f29df7022384955133ff081a5b98fd
all runs: crashed: WARNING in tty_set_termios
# git bisect good bd98c81346468fc2f86aeeb44d4d0d6f763a62b7
Bisecting: 2390 revisions left to test after this (roughly 11 steps)
[a507f25d1c2048c136f6834f10966510b62af987] Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux
testing commit a507f25d1c2048c136f6834f10966510b62af987 with gcc (GCC) 8.1.0
kernel signature: 8d1edb26a0340adaedc376fb85db5ec7d962077b
all runs: OK
# git bisect bad a507f25d1c2048c136f6834f10966510b62af987
Bisecting: 1491 revisions left to test after this (roughly 10 steps)
[8362fd64f07eaef7155c94fca8dee91c4f99a666] Merge tag 'armsoc-drivers' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
testing commit 8362fd64f07eaef7155c94fca8dee91c4f99a666 with gcc (GCC) 8.1.0
kernel signature: fe2d2425822b77156c2e56fbe213dad103200d52
all runs: crashed: WARNING in tty_set_termios
# git bisect good 8362fd64f07eaef7155c94fca8dee91c4f99a666
Bisecting: 733 revisions left to test after this (roughly 10 steps)
[f65420df914a85e33b2c8b1cab310858b2abb7c0] Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
testing commit f65420df914a85e33b2c8b1cab310858b2abb7c0 with gcc (GCC) 8.1.0
kernel signature: 228dfce18d4dffee0afa61f2ce625ccbe55c112d
run #0: crashed: WARNING in tty_set_termios
run #1: crashed: WARNING in tty_set_termios
run #2: crashed: WARNING in tty_set_termios
run #3: crashed: WARNING in tty_set_termios
run #4: crashed: WARNING in tty_set_termios
run #5: crashed: WARNING in corrupted
run #6: crashed: WARNING in tty_set_termios
run #7: crashed: WARNING in tty_set_termios
run #8: crashed: WARNING in tty_set_termios
run #9: crashed: WARNING in tty_set_termios
# git bisect good f65420df914a85e33b2c8b1cab310858b2abb7c0
Bisecting: 390 revisions left to test after this (roughly 9 steps)
[3ea54d9b0d655dab5b5becc7d6456082089fc166] Merge tag 'docs-5.3-1' of git://git.lwn.net/linux
testing commit 3ea54d9b0d655dab5b5becc7d6456082089fc166 with gcc (GCC) 8.1.0
kernel signature: 2c5c7ca32dc5ba68b70a4050a924ab495bd92a99
run #0: crashed: WARNING in tty_set_termios
run #1: crashed: WARNING in corrupted
run #2: crashed: WARNING in tty_set_termios
run #3: crashed: WARNING in tty_set_termios
run #4: crashed: WARNING in corrupted
run #5: crashed: WARNING in tty_set_termios
run #6: crashed: WARNING in tty_set_termios
run #7: crashed: WARNING in tty_set_termios
run #8: crashed: WARNING in tty_set_termios
run #9: crashed: WARNING in tty_set_termios
# git bisect good 3ea54d9b0d655dab5b5becc7d6456082089fc166
Bisecting: 193 revisions left to test after this (roughly 8 steps)
[04ce9318898b294001459b5d705795085a9eac64] Merge tag 'char-misc-5.3-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
testing commit 04ce9318898b294001459b5d705795085a9eac64 with gcc (GCC) 8.1.0
kernel signature: 2a442714dd43962ec939487ec694c0d7dfb7b69b
all runs: crashed: WARNING in tty_set_termios
# git bisect good 04ce9318898b294001459b5d705795085a9eac64
Bisecting: 103 revisions left to test after this (roughly 7 steps)
[42d21900b39ceebf7be1512d02d915280ba2bba5] Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux
testing commit 42d21900b39ceebf7be1512d02d915280ba2bba5 with gcc (GCC) 8.1.0
kernel signature: ce385580c95a85a76bb912603ce915745f9eff29
all runs: OK
# git bisect bad 42d21900b39ceebf7be1512d02d915280ba2bba5
Bisecting: 42 revisions left to test after this (roughly 6 steps)
[2f6f0a996218cdd9d275aac41828f54367e6fa28] Merge tag 'linux-kselftest-5.3-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest
testing commit 2f6f0a996218cdd9d275aac41828f54367e6fa28 with gcc (GCC) 8.1.0
kernel signature: f015f527c3ffbf5c9b8f933e6406f2d1703460ee
run #0: crashed: WARNING in tty_set_termios
run #1: crashed: WARNING in tty_set_termios
run #2: crashed: WARNING in tty_set_termios
run #3: crashed: WARNING in tty_set_termios
run #4: crashed: WARNING in corrupted
run #5: crashed: WARNING in tty_set_termios
run #6: crashed: WARNING in tty_set_termios
run #7: crashed: WARNING in tty_set_termios
run #8: crashed: WARNING in tty_set_termios
run #9: crashed: WARNING in tty_set_termios
# git bisect good 2f6f0a996218cdd9d275aac41828f54367e6fa28
Bisecting: 21 revisions left to test after this (roughly 5 steps)
[5c6207539aea8b22490f9569db5aa72ddfd0d486] Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
testing commit 5c6207539aea8b22490f9569db5aa72ddfd0d486 with gcc (GCC) 8.1.0
kernel signature: b02ac91f29c94b6ece8f91e9230354237bf9e25e
all runs: OK
# git bisect bad 5c6207539aea8b22490f9569db5aa72ddfd0d486
Bisecting: 10 revisions left to test after this (roughly 3 steps)
[629f8205a6cc63d2e8e30956bad958a3507d018f] Merge tag 'for-linus-20190730' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux
testing commit 629f8205a6cc63d2e8e30956bad958a3507d018f with gcc (GCC) 8.1.0
kernel signature: 428d9c4b9cbf4c8550aafa570b4d5e4edb0d93e9
run #0: crashed: WARNING in tty_set_termios
run #1: crashed: WARNING in tty_set_termios
run #2: crashed: WARNING in tty_set_termios
run #3: crashed: WARNING in tty_set_termios
run #4: crashed: WARNING in tty_set_termios
run #5: crashed: WARNING in tty_set_termios
run #6: crashed: WARNING in corrupted
run #7: crashed: WARNING in tty_set_termios
run #8: crashed: WARNING in tty_set_termios
run #9: crashed: WARNING in corrupted
# git bisect good 629f8205a6cc63d2e8e30956bad958a3507d018f
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[52fde4348ccc317e7ad091a3280f5d4ae19f91ef] Merge tag 'for-linus-5.3-2' of git://github.com/cminyard/linux-ipmi
testing commit 52fde4348ccc317e7ad091a3280f5d4ae19f91ef with gcc (GCC) 8.1.0
kernel signature: 0e780d214309d75c8db839e5a3f30a073dbccdcf
run #0: crashed: WARNING in tty_set_termios
run #1: crashed: WARNING in tty_set_termios
run #2: crashed: WARNING in tty_set_termios
run #3: crashed: WARNING in tty_set_termios
run #4: crashed: WARNING in tty_set_termios
run #5: crashed: WARNING in corrupted
run #6: crashed: WARNING in tty_set_termios
run #7: crashed: WARNING in tty_set_termios
run #8: crashed: WARNING in tty_set_termios
run #9: crashed: WARNING in tty_set_termios
# git bisect good 52fde4348ccc317e7ad091a3280f5d4ae19f91ef
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[d2eee9fca172d0d010ef3060cdc971e0b079b87f] Merge tag 'trace-v5.3-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace
testing commit d2eee9fca172d0d010ef3060cdc971e0b079b87f with gcc (GCC) 8.1.0
kernel signature: 31b5641c58431e284ce63c4ccdee70c855710478
all runs: crashed: WARNING in tty_set_termios
# git bisect good d2eee9fca172d0d010ef3060cdc971e0b079b87f
Bisecting: 1 revision left to test after this (roughly 1 step)
[b36a1552d7319bbfd5cf7f08726c23c5c66d4f73] Bluetooth: hci_uart: check for missing tty operations
testing commit b36a1552d7319bbfd5cf7f08726c23c5c66d4f73 with gcc (GCC) 8.1.0
kernel signature: 90a57e7c975644cba86db5490bb1abcbb2d94e76
all runs: OK
# git bisect bad b36a1552d7319bbfd5cf7f08726c23c5c66d4f73
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[1b7e816fc80e668f0ccc8542cec20b9259abace1] mm: slub: Fix slab walking for init_on_free
testing commit 1b7e816fc80e668f0ccc8542cec20b9259abace1 with gcc (GCC) 8.1.0
kernel signature: 05f82703499bff0ab7e2f7693ea095f57ac2bc69
run #0: crashed: WARNING in tty_set_termios
run #1: crashed: WARNING in tty_set_termios
run #2: crashed: WARNING in tty_set_termios
run #3: crashed: WARNING in tty_set_termios
run #4: crashed: WARNING in tty_set_termios
run #5: crashed: WARNING in tty_set_termios
run #6: crashed: WARNING in tty_set_termios
run #7: crashed: WARNING in corrupted
run #8: crashed: WARNING in corrupted
run #9: crashed: WARNING in tty_set_termios
# git bisect good 1b7e816fc80e668f0ccc8542cec20b9259abace1
b36a1552d7319bbfd5cf7f08726c23c5c66d4f73 is the first bad commit
commit b36a1552d7319bbfd5cf7f08726c23c5c66d4f73
Author: Vladis Dronov
Date:   Tue Jul 30 11:33:45 2019 +0200

    Bluetooth: hci_uart: check for missing tty operations

    Certain ttys operations (pty_unix98_ops) lack tiocmget() and tiocmset()
    functions which are called by the certain HCI UART protocols (hci_ath,
    hci_bcm, hci_intel, hci_mrvl, hci_qca) via hci_uart_set_flow_control()
    or directly. This leads to an execution at NULL and can be triggered by
    an unprivileged user. Fix this by adding a helper function and a check
    for the missing tty operations in the protocols code.

    This fixes CVE-2019-10207. The Fixes: lines list commits where calls to
    tiocm[gs]et() or hci_uart_set_flow_control() were added to the HCI UART
    protocols.

    Link: https://syzkaller.appspot.com/bug?id=1b42faa2848963564a5b1b7f8c837ea7b55ffa50
    Reported-by: syzbot+79337b501d6aa974d0f6@syzkaller.appspotmail.com
    Cc: stable@vger.kernel.org # v2.6.36+
    Fixes: b3190df62861 ("Bluetooth: Support for Atheros AR300x serial chip")
    Fixes: 118612fb9165 ("Bluetooth: hci_bcm: Add suspend/resume PM functions")
    Fixes: ff2895592f0f ("Bluetooth: hci_intel: Add Intel baudrate configuration support")
    Fixes: 162f812f23ba ("Bluetooth: hci_uart: Add Marvell support")
    Fixes: fa9ad876b8e0 ("Bluetooth: hci_qca: Add support for Qualcomm Bluetooth chip wcn3990")
    Signed-off-by: Vladis Dronov
    Signed-off-by: Marcel Holtmann
    Reviewed-by: Yu-Chen, Cho
    Tested-by: Yu-Chen, Cho
    Signed-off-by: Linus Torvalds

 drivers/bluetooth/hci_ath.c   |  3 +++
 drivers/bluetooth/hci_bcm.c   |  3 +++
 drivers/bluetooth/hci_intel.c |  3 +++
 drivers/bluetooth/hci_ldisc.c | 13 +++++++++++++
 drivers/bluetooth/hci_mrvl.c  |  3 +++
 drivers/bluetooth/hci_qca.c   |  3 +++
 drivers/bluetooth/hci_uart.h  |  1 +
 7 files changed, 29 insertions(+)

kernel signature: 90a57e7c975644cba86db5490bb1abcbb2d94e76
previous signature: 05f82703499bff0ab7e2f7693ea095f57ac2bc69
revisions tested: 19, total time: 3h45m35.301575313s (build: 1h54m25.122561768s, test: 1h49m5.839714117s)
first good commit: b36a1552d7319bbfd5cf7f08726c23c5c66d4f73 Bluetooth: hci_uart: check for missing tty operations
cc: ["johan.hedberg@gmail.com" "linux-bluetooth@vger.kernel.org" "linux-kernel@vger.kernel.org" "marcel@holtmann.org" "torvalds@linux-foundation.org" "vdronov@redhat.com"]
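The commit message above describes the bug shape without showing code: a protocol driver reaches into the tty driver's operations table and calls tiocmget()/tiocmset() unconditionally, but a Unix98 pty (which any unprivileged user can open) leaves both pointers NULL, so the call is a jump to address zero. The following is an added userspace model of that pattern and of the "check before call" fix; it is not the kernel's code and not the patch in the diffstat. The struct layout, the function names `hci_uart_set_flow_control_model`, `tty_has_flow_control` and `hci_proto_open_model`, and the choice of -EOPNOTSUPP as the rejection errno are all assumptions made for the example. It compiles with a plain C compiler and runs offline.

```c
/*
 * Added example: userspace model of the NULL tty-operation call behind
 * CVE-2019-10207 and of the check-before-call fix. Not kernel code; the
 * names, struct layout and errno value are assumptions of this model.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define TIOCM_RTS 0x004   /* request-to-send line, toggled here for flow control */

struct tty;

/* Subset of a tty driver's operations table. Both entries are optional:
 * a driver that has no modem-control lines simply leaves them NULL. */
struct tty_ops {
	int (*tiocmget)(struct tty *tty);
	int (*tiocmset)(struct tty *tty, unsigned int set, unsigned int clear);
};

struct tty {
	const char *name;
	const struct tty_ops *ops;
	unsigned int mctrl;   /* modem-control line state kept by the serial model */
};

static int serial_tiocmget(struct tty *tty)
{
	return (int)tty->mctrl;
}

static int serial_tiocmset(struct tty *tty, unsigned int set, unsigned int clear)
{
	tty->mctrl = (tty->mctrl | set) & ~clear;
	return 0;
}

/* A real serial driver fills in both callbacks ... */
static const struct tty_ops serial_ops = { serial_tiocmget, serial_tiocmset };
/* ... while a Unix98 pty, as the commit message states, implements neither. */
static const struct tty_ops pty_ops = { NULL, NULL };

/* Pre-fix shape: the protocol assumes the callbacks exist. Reached with a
 * pty, the first line below is a call through a NULL function pointer. */
static void hci_uart_set_flow_control_model(struct tty *tty, int enable)
{
	unsigned int status = (unsigned int)tty->ops->tiocmget(tty);

	if (enable && !(status & TIOCM_RTS))
		tty->ops->tiocmset(tty, TIOCM_RTS, 0);
	else if (!enable && (status & TIOCM_RTS))
		tty->ops->tiocmset(tty, 0, TIOCM_RTS);
}

/* Post-fix shape: one helper answers "can this tty do modem control at all?"
 * so every protocol asks the same question before touching the ops. */
static int tty_has_flow_control(const struct tty *tty)
{
	return tty->ops && tty->ops->tiocmget && tty->ops->tiocmset;
}

/* Protocol open path: refuse the attach when the tty cannot provide the
 * operations, instead of dereferencing NULL later in the flow-control path.
 * Returns 0 on success or a negative errno (errno choice is an assumption). */
static int hci_proto_open_model(struct tty *tty)
{
	if (!tty_has_flow_control(tty))
		return -EOPNOTSUPP;
	hci_uart_set_flow_control_model(tty, 1);
	return 0;
}

int main(void)
{
	/* Constructed sample ttys: a serial port and a pty slave. */
	struct tty serial = { "ttyS0", &serial_ops, 0 };
	struct tty pty = { "pts/3", &pty_ops, 0 };
	int rc;

	rc = hci_proto_open_model(&serial);
	printf("%s: rc=%d RTS=%u\n", serial.name, rc, !!(serial.mctrl & TIOCM_RTS));

	rc = hci_proto_open_model(&pty);
	printf("%s: rc=%d (%s)\n", pty.name, rc,
	       rc ? "rejected before any ops call" : "attached");
	return 0;
}
```

The check lives in one helper rather than at each call site on purpose: the commit's Fixes: lines show five protocol drivers that each grew their own calls into the ops table over several years, which is exactly how a missing-NULL-check bug spreads. Centralising the capability test means a sixth protocol gets it for free, and an audit only has to confirm that every open path calls the helper.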