bisecting fixing commit since 4d552acf337038028f7e2f63a927afb7adf65fc1
building syzkaller on 505ab413c77ce8c6bd4658ea5e68ea2534d47b39
testing commit 4d552acf337038028f7e2f63a927afb7adf65fc1 with gcc (GCC) 8.1.0
kernel signature: d901ea75d3628c3645d64e2b8aa321faaf7635db
all runs: crashed: WARNING in tty_set_termios
testing current HEAD 174651bdf802a2139065e8e31ce950e2f3fc4a94
testing commit 174651bdf802a2139065e8e31ce950e2f3fc4a94 with gcc (GCC) 8.1.0
kernel signature: a9fcac3b623e9f3314b648f88f74c4bd479987d2
all runs: OK
# git bisect start 174651bdf802a2139065e8e31ce950e2f3fc4a94 4d552acf337038028f7e2f63a927afb7adf65fc1
Bisecting: 2752 revisions left to test after this (roughly 12 steps)
[ce7d4fe4e52bf60bff9e70e977f3ead097a8854b] Input: usbtouchscreen - initialize PM mutex before using it
testing commit ce7d4fe4e52bf60bff9e70e977f3ead097a8854b with gcc (GCC) 8.1.0
kernel signature: 88d0e1611a1a8ab08ccee3554e78f5000a4d8e7b
all runs: OK
# git bisect bad ce7d4fe4e52bf60bff9e70e977f3ead097a8854b
Bisecting: 1376 revisions left to test after this (roughly 11 steps)
[8a652fd142c38d03f6e83a054cff40f2e6878beb] Btrfs: incremental send, fix file corruption when no-holes feature is enabled
testing commit 8a652fd142c38d03f6e83a054cff40f2e6878beb with gcc (GCC) 8.1.0
kernel signature: 3d94c5440f3efbc0216dac60f894ee016542f5fe
all runs: crashed: WARNING in tty_set_termios
# git bisect good 8a652fd142c38d03f6e83a054cff40f2e6878beb
Bisecting: 688 revisions left to test after this (roughly 10 steps)
[bd9604022eb36742cca4feb02e7d3d50a49f0993] x86/tls: Fix possible spectre-v1 in do_get_thread_area()
testing commit bd9604022eb36742cca4feb02e7d3d50a49f0993 with gcc (GCC) 8.1.0
kernel signature: 56aa55c61ffc006fd96892561598b03e83b58e1a
all runs: crashed: WARNING in tty_set_termios
# git bisect good bd9604022eb36742cca4feb02e7d3d50a49f0993
Bisecting: 344 revisions left to test after this (roughly 9 steps)
[03e6a668ea1f3dd03d579a94388eb861c1c7f5d2] net: mvmdio: allow up to four clocks to be specified for orion-mdio
testing commit 03e6a668ea1f3dd03d579a94388eb861c1c7f5d2 with gcc (GCC) 8.1.0
kernel signature: 3c08e80ed7dc74db521dc59e5c138eabd6336799
all runs: crashed: WARNING in tty_set_termios
# git bisect good 03e6a668ea1f3dd03d579a94388eb861c1c7f5d2
Bisecting: 172 revisions left to test after this (roughly 8 steps)
[01eea1cbba9d8309851f63356fa2f20a790af98f] NFS: Fix dentry revalidation on NFSv4 lookup
testing commit 01eea1cbba9d8309851f63356fa2f20a790af98f with gcc (GCC) 8.1.0
kernel signature: f311539a5910a6fdc172b1d874c9d2c97eb13724
all runs: crashed: WARNING in tty_set_termios
# git bisect good 01eea1cbba9d8309851f63356fa2f20a790af98f
Bisecting: 86 revisions left to test after this (roughly 7 steps)
[001f93d95d6c2432e397c48a68e80adfbfaba2a3] cgroup: kselftest: relax fs_spec checks
testing commit 001f93d95d6c2432e397c48a68e80adfbfaba2a3 with gcc (GCC) 8.1.0
kernel signature: 769fc76cc19c453ee253f8a58d652fffb900a9a4
all runs: OK
# git bisect bad 001f93d95d6c2432e397c48a68e80adfbfaba2a3
Bisecting: 42 revisions left to test after this (roughly 6 steps)
[85d854b421130b3f9a6bee50be9f159e578e6b6d] clk: tegra210: fix PLLU and PLLU_OUT1
testing commit 85d854b421130b3f9a6bee50be9f159e578e6b6d with gcc (GCC) 8.1.0
kernel signature: d399452dae18e2262f148db8def4db2dd1a5df60
all runs: OK
# git bisect bad 85d854b421130b3f9a6bee50be9f159e578e6b6d
Bisecting: 21 revisions left to test after this (roughly 5 steps)
[48046e092ad557a01d7daf53205624944793b19d] sched/fair: Don't free p->numa_faults with concurrent readers
testing commit 48046e092ad557a01d7daf53205624944793b19d with gcc (GCC) 8.1.0
kernel signature: 5536f932638cf16e32162bc365dbb02393e94fd2
all runs: OK
# git bisect bad 48046e092ad557a01d7daf53205624944793b19d
Bisecting: 10 revisions left to test after this (roughly 3 steps)
[8b44cc225e6024174508164931cab9f01c79dca2] media: cpia2_usb: first wake up, then free in disconnect
testing commit 8b44cc225e6024174508164931cab9f01c79dca2 with gcc (GCC) 8.1.0
kernel signature: 68673706552ac0212308ece4b1f50d82a52d1ec7
all runs: crashed: WARNING in tty_set_termios
# git bisect good 8b44cc225e6024174508164931cab9f01c79dca2
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[3a0c22cbc5d0b570a2cc9a7cffa1ac715fe564b7] iommu/iova: Fix compilation error with !CONFIG_IOMMU_IOVA
testing commit 3a0c22cbc5d0b570a2cc9a7cffa1ac715fe564b7 with gcc (GCC) 8.1.0
kernel signature: 5813c70663cd5f8d5e41359a2d2ff996e8608d83
all runs: crashed: WARNING in tty_set_termios
# git bisect good 3a0c22cbc5d0b570a2cc9a7cffa1ac715fe564b7
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[3af3b843aee41ed22343b011a4cf3812a80d2f38] vhost_net: fix possible infinite loop
testing commit 3af3b843aee41ed22343b011a4cf3812a80d2f38 with gcc (GCC) 8.1.0
kernel signature: 305db807de2f37d53331276eaaec650f3663de9f
all runs: OK
# git bisect bad 3af3b843aee41ed22343b011a4cf3812a80d2f38
Bisecting: 0 revisions left to test after this (roughly 1 step)
[ad5fc8953d61b99f445db447ac1eadc99a00d47e] vhost: introduce vhost_exceeds_weight()
testing commit ad5fc8953d61b99f445db447ac1eadc99a00d47e with gcc (GCC) 8.1.0
kernel signature: a08549491687fd2f0e5f08aa8b32b8feb48b487d
all runs: OK
# git bisect bad ad5fc8953d61b99f445db447ac1eadc99a00d47e
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[56966212e23f82ced10831f7cca02f7339147428] Bluetooth: hci_uart: check for missing tty operations
testing commit 56966212e23f82ced10831f7cca02f7339147428 with gcc (GCC) 8.1.0
kernel signature: f6e2052706b90f41230bd448d6dda3bd346be061
all runs: OK
# git bisect bad 56966212e23f82ced10831f7cca02f7339147428
56966212e23f82ced10831f7cca02f7339147428 is the first bad commit
commit 56966212e23f82ced10831f7cca02f7339147428
Author: Vladis Dronov
Date:   Tue Jul 30 11:33:45 2019 +0200

    Bluetooth: hci_uart: check for missing tty operations

    commit b36a1552d7319bbfd5cf7f08726c23c5c66d4f73 upstream.

    Certain ttys operations (pty_unix98_ops) lack tiocmget() and tiocmset()
    functions which are called by the certain HCI UART protocols (hci_ath,
    hci_bcm, hci_intel, hci_mrvl, hci_qca) via hci_uart_set_flow_control()
    or directly. This leads to an execution at NULL and can be triggered by
    an unprivileged user. Fix this by adding a helper function and a check
    for the missing tty operations in the protocols code.

    This fixes CVE-2019-10207. The Fixes: lines list commits where calls to
    tiocm[gs]et() or hci_uart_set_flow_control() were added to the HCI UART
    protocols.

    Link: https://syzkaller.appspot.com/bug?id=1b42faa2848963564a5b1b7f8c837ea7b55ffa50
    Reported-by: syzbot+79337b501d6aa974d0f6@syzkaller.appspotmail.com
    Cc: stable@vger.kernel.org # v2.6.36+
    Fixes: b3190df62861 ("Bluetooth: Support for Atheros AR300x serial chip")
    Fixes: 118612fb9165 ("Bluetooth: hci_bcm: Add suspend/resume PM functions")
    Fixes: ff2895592f0f ("Bluetooth: hci_intel: Add Intel baudrate configuration support")
    Fixes: 162f812f23ba ("Bluetooth: hci_uart: Add Marvell support")
    Fixes: fa9ad876b8e0 ("Bluetooth: hci_qca: Add support for Qualcomm Bluetooth chip wcn3990")
    Signed-off-by: Vladis Dronov
    Signed-off-by: Marcel Holtmann
    Reviewed-by: Yu-Chen, Cho
    Tested-by: Yu-Chen, Cho
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

 drivers/bluetooth/hci_ath.c   |  3 +++
 drivers/bluetooth/hci_bcm.c   |  3 +++
 drivers/bluetooth/hci_intel.c |  3 +++
 drivers/bluetooth/hci_ldisc.c | 13 +++++++++++++
 drivers/bluetooth/hci_mrvl.c  |  3 +++
 drivers/bluetooth/hci_qca.c   |  3 +++
 drivers/bluetooth/hci_uart.h  |  1 +
 7 files changed, 29 insertions(+)

kernel signature: f6e2052706b90f41230bd448d6dda3bd346be061
previous signature: 5813c70663cd5f8d5e41359a2d2ff996e8608d83
revisions tested: 15, total time: 3h53m46.860735267s (build: 2h6m10.161612297s, test: 1h43m0.957971818s)
first good commit: 56966212e23f82ced10831f7cca02f7339147428 Bluetooth: hci_uart: check for missing tty operations
cc: ["acho@suse.com" "gregkh@linuxfoundation.org" "marcel@holtmann.org" "torvalds@linux-foundation.org" "vdronov@redhat.com"]