bisecting fixing commit since c7ecf3e3a71c216327980f26b1e895ce9b07ad31
building syzkaller on 25a0186eba20ef6f4f657039ff02eff52a838b1c
testing commit c7ecf3e3a71c216327980f26b1e895ce9b07ad31 with gcc (GCC) 8.1.0
kernel signature: 6b8f740c8c8b69a551bbedba511fe8d0b4bb07499ef30ae7d879e928ecacfa91
all runs: crashed: KASAN: slab-out-of-bounds Read in bacpy
testing current HEAD c37da90efff5f183bea6ae4c2af33571f61fe317
testing commit c37da90efff5f183bea6ae4c2af33571f61fe317 with gcc (GCC) 8.1.0
kernel signature: a5e9957bea8a725c54bd51cbb27e7d484bcbd90351207a36a99b6bd829ce4574
all runs: OK
# git bisect start c37da90efff5f183bea6ae4c2af33571f61fe317 c7ecf3e3a71c216327980f26b1e895ce9b07ad31
Bisecting: 2443 revisions left to test after this (roughly 11 steps)
[70764334b2bcb15c67dfbd912d9a9f7076f6d0df] media: stv06xx: add missing descriptor sanity checks
testing commit 70764334b2bcb15c67dfbd912d9a9f7076f6d0df with gcc (GCC) 8.1.0
kernel signature: ea974fab83eaf4ffab99ebff6eb80b2392d960ec254461dbf8bcfef06a2c45e3
all runs: crashed: KASAN: slab-out-of-bounds Read in bacpy
# git bisect good 70764334b2bcb15c67dfbd912d9a9f7076f6d0df
Bisecting: 1221 revisions left to test after this (roughly 10 steps)
[f2ad530b4f328e42ad180cf4729fd55514f32b58] ALSA: isa/wavefront: prevent out of bounds write in ioctl
testing commit f2ad530b4f328e42ad180cf4729fd55514f32b58 with gcc (GCC) 8.1.0
kernel signature: 7d74a9ce89d3de36ba1ed3390a38ae6e81274a804b2e857a5d32f0356ad91425
all runs: crashed: KASAN: slab-out-of-bounds Read in bacpy
# git bisect good f2ad530b4f328e42ad180cf4729fd55514f32b58
Bisecting: 610 revisions left to test after this (roughly 9 steps)
[f1db23a67fb7a864be8d161f71448ce00127ef5e] usb: xhci-mtk: fix the failure of bandwidth allocation
testing commit f1db23a67fb7a864be8d161f71448ce00127ef5e with gcc (GCC) 8.1.0
kernel signature: 03a56d5a36292e1d0a1cd754ea18db544846770cf63f06f499627c0ea9827ede
all runs: crashed: KASAN: slab-out-of-bounds Read in bacpy
# git bisect good f1db23a67fb7a864be8d161f71448ce00127ef5e
Bisecting: 305 revisions left to test after this (roughly 8 steps)
[954fc7da99a9513d5e6b3ccf38f6f7c9af5a276d] fs/minix: reject too-large maximum file size
testing commit 954fc7da99a9513d5e6b3ccf38f6f7c9af5a276d with gcc (GCC) 8.1.0
kernel signature: bdcb4c32b361668636c5a059b8dd503dde705220dfe543cd93f2e1dc504e12de
all runs: OK
# git bisect bad 954fc7da99a9513d5e6b3ccf38f6f7c9af5a276d
Bisecting: 152 revisions left to test after this (roughly 7 steps)
[67b4be302ca89d49cacc37373049b421b8bcec4e] Smack: fix use-after-free in smk_write_relabel_self()
testing commit 67b4be302ca89d49cacc37373049b421b8bcec4e with gcc (GCC) 8.1.0
kernel signature: 0434ac754f8a1ba4d94dbe61cf1120ab839efb303d28350068ab464492ae75c3
all runs: OK
# git bisect bad 67b4be302ca89d49cacc37373049b421b8bcec4e
Bisecting: 75 revisions left to test after this (roughly 6 steps)
[685d55c516361cc1002fe870510ae067fecfb63c] mlxsw: core: Free EMAD transactions using kfree_rcu()
testing commit 685d55c516361cc1002fe870510ae067fecfb63c with gcc (GCC) 8.1.0
kernel signature: 2a1be1f488aa7c5981594f11b4e2a4666033bd49537d70cef790a2af8b60d046
all runs: crashed: KASAN: slab-out-of-bounds Read in bacpy
# git bisect good 685d55c516361cc1002fe870510ae067fecfb63c
Bisecting: 37 revisions left to test after this (roughly 5 steps)
[48f70ecd6a22f5cf2a6d2670fbc3523fe64bcae8] Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_with_rssi_evt()
testing commit 48f70ecd6a22f5cf2a6d2670fbc3523fe64bcae8 with gcc (GCC) 8.1.0
kernel signature: 67d2264af371d8c3738e4a369af6cb2259c3edb675071e693d82703323fa9ada
all runs: OK
# git bisect bad 48f70ecd6a22f5cf2a6d2670fbc3523fe64bcae8
Bisecting: 18 revisions left to test after this (roughly 4 steps)
[8c6c93ccb6bee8adc1a2bdcb1a75410bddf9e443] KVM: LAPIC: Prevent setting the tscdeadline timer if the lapic is hw disabled
testing commit 8c6c93ccb6bee8adc1a2bdcb1a75410bddf9e443 with gcc (GCC) 8.1.0
kernel signature: a9f152899e923941dbf06c16970d8702a3035353f1e6bb984e07fd5236e38487
all runs: crashed: KASAN: slab-out-of-bounds Read in bacpy
# git bisect good 8c6c93ccb6bee8adc1a2bdcb1a75410bddf9e443
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[961f830af0658ef5ef8a7708786d634a6115f16b] Linux 4.19.138
testing commit 961f830af0658ef5ef8a7708786d634a6115f16b with gcc (GCC) 8.1.0
kernel signature: e088b04172aa1cf2e1d3cf89894ac6912e58ab954fe2629e3ffcef73e69b6c58
all runs: crashed: KASAN: slab-out-of-bounds Read in bacpy
# git bisect good 961f830af0658ef5ef8a7708786d634a6115f16b
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[21e7fc3f69daa0fd2974edcaa02590c1df81889f] Revert "ALSA: hda: call runtime_allow() for all hda controllers"
testing commit 21e7fc3f69daa0fd2974edcaa02590c1df81889f with gcc (GCC) 8.1.0
kernel signature: 03b2c11796baf6694fec7fe397c15ee47bea5a24c2aa631d978cec7fc6454c68
all runs: crashed: KASAN: slab-out-of-bounds Read in bacpy
# git bisect good 21e7fc3f69daa0fd2974edcaa02590c1df81889f
Bisecting: 2 revisions left to test after this (roughly 1 step)
[fbe7e878fea059fb536ac55a8ec7fe72433a95dd] staging: android: ashmem: Fix lockdep warning for write operation
testing commit fbe7e878fea059fb536ac55a8ec7fe72433a95dd with gcc (GCC) 8.1.0
kernel signature: 731dbb03d7a27079b545278850cf5d96f2d2e4292270ffa51a4b129e1a4956e5
all runs: crashed: KASAN: slab-out-of-bounds Read in bacpy
# git bisect good fbe7e878fea059fb536ac55a8ec7fe72433a95dd
Bisecting: 0 revisions left to test after this (roughly 1 step)
[f2d6adb023fc32816d7962c29fd06d8cd71418ee] Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_evt()
testing commit f2d6adb023fc32816d7962c29fd06d8cd71418ee with gcc (GCC) 8.1.0
kernel signature: 942e34139aca3bc72ff2b622f83437a9c7c1b7c0abcace9e1135aec33153123b
all runs: OK
# git bisect bad f2d6adb023fc32816d7962c29fd06d8cd71418ee
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[8c4a649c20fec015ebb326f36b47d4e39d9ff5b7] Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()
testing commit 8c4a649c20fec015ebb326f36b47d4e39d9ff5b7 with gcc (GCC) 8.1.0
kernel signature: 86fbbef0b1ae2c806f7e857023ceccbc65d941768c86582d202387ce90a4b4bc
all runs: OK
# git bisect bad 8c4a649c20fec015ebb326f36b47d4e39d9ff5b7
8c4a649c20fec015ebb326f36b47d4e39d9ff5b7 is the first bad commit
commit 8c4a649c20fec015ebb326f36b47d4e39d9ff5b7
Author: Peilin Ye
Date:   Fri Jul 10 12:09:15 2020 -0400

    Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()

    commit 51c19bf3d5cfaa66571e4b88ba2a6f6295311101 upstream.

    The check on `num_rsp` is insufficient. A malformed event packet with a
    large `num_rsp` number makes hci_extended_inquiry_result_evt() go out of
    bounds. Fix it.

    This patch fixes the following syzbot bug:

    https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2

    Reported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com
    Cc: stable@vger.kernel.org
    Signed-off-by: Peilin Ye
    Acked-by: Greg Kroah-Hartman
    Signed-off-by: Marcel Holtmann
    Signed-off-by: Greg Kroah-Hartman

 net/bluetooth/hci_event.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

culprit signature: 86fbbef0b1ae2c806f7e857023ceccbc65d941768c86582d202387ce90a4b4bc
parent signature: 731dbb03d7a27079b545278850cf5d96f2d2e4292270ffa51a4b129e1a4956e5
revisions tested: 15, total time: 4h9m1.199090544s (build: 2h33m47.550301535s, test: 1h32m30.318899804s)
first good commit: 8c4a649c20fec015ebb326f36b47d4e39d9ff5b7 Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()
recipients (to): ["gregkh@linuxfoundation.org" "marcel@holtmann.org" "yepeilin.cs@gmail.com"]
recipients (cc): []