bisecting fixing commit since e5a54aa2d312e75fe4bc66c7b84400b02266e946
building syzkaller on 8df85ed9883abc2a200858f44f22c11c602d218a
testing commit e5a54aa2d312e75fe4bc66c7b84400b02266e946 with gcc (GCC) 8.1.0
kernel signature: 9068654344a2349766c03b7ec49b627f96bc3950c0616930c17b9cf42c3167d7
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_event_packet
testing current HEAD cbfa1702aaf69b2311ea1b35e04f113c48368c67
testing commit cbfa1702aaf69b2311ea1b35e04f113c48368c67 with gcc (GCC) 8.1.0
kernel signature: 6dbea39768577555a5ea6a8c9dfb7beddd53be9e33e1a6ccb1af872c1d6721dd
all runs: OK
# git bisect start cbfa1702aaf69b2311ea1b35e04f113c48368c67 e5a54aa2d312e75fe4bc66c7b84400b02266e946
Bisecting: 259 revisions left to test after this (roughly 8 steps)
[c3bb307dc629225a9730bff0bb9b73b0cd726361] tracing/hwlat: Honor the tracing_cpumask
testing commit c3bb307dc629225a9730bff0bb9b73b0cd726361 with gcc (GCC) 8.1.0
kernel signature: 7e7343d203a1f9d9cb9e6a0735e3fd687c783ba7b26b678a8a447124b3f82605
all runs: OK
# git bisect bad c3bb307dc629225a9730bff0bb9b73b0cd726361
Bisecting: 129 revisions left to test after this (roughly 7 steps)
[ce5a8ad3ad9ecab4544f8352d5a7953321a6ec7e] ARM: at91: pm: add missing put_device() call in at91_pm_sram_init()
testing commit ce5a8ad3ad9ecab4544f8352d5a7953321a6ec7e with gcc (GCC) 8.1.0
kernel signature: cfa8ecd785727e9a9e8223019e4692c2feff2aa0e443136399e93a3bb7df7ff6
all runs: OK
# git bisect bad ce5a8ad3ad9ecab4544f8352d5a7953321a6ec7e
Bisecting: 64 revisions left to test after this (roughly 6 steps)
[2d6a7108ed74e0c857f78809d74511f52dbf9c85] Revert "scsi: libsas: direct call probe and destruct"
testing commit 2d6a7108ed74e0c857f78809d74511f52dbf9c85 with gcc (GCC) 8.1.0
kernel signature: e23d44bd1bc9b60f37d9e88bc772da2111c65d293e865694fa856cee0fd92f9f
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_event_packet
# git bisect good 2d6a7108ed74e0c857f78809d74511f52dbf9c85
Bisecting: 32 revisions left to test after this (roughly 5 steps)
[df1a89577ebbb6165f3f1d9e1da84fda80dd7e01] cfg80211: check vendor command doit pointer before use
testing commit df1a89577ebbb6165f3f1d9e1da84fda80dd7e01 with gcc (GCC) 8.1.0
kernel signature: 843dca7755468f37f07325029271233ba3f2d744c90e74dc6d478c8c96cb1d5d
all runs: OK
# git bisect bad df1a89577ebbb6165f3f1d9e1da84fda80dd7e01
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[d91299b8382b129156708708d69876e753b9ade6] Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()
testing commit d91299b8382b129156708708d69876e753b9ade6 with gcc (GCC) 8.1.0
kernel signature: f8299d4e35309b8f6b8847c06843d88566a60d5d37cd2ab73acdc9ce3a3c21ec
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_event_packet
# git bisect good d91299b8382b129156708708d69876e753b9ade6
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[1452c5ffe79f34ded327310a84a67d653a00e68e] leds: da903x: fix use-after-free on unbind
testing commit 1452c5ffe79f34ded327310a84a67d653a00e68e with gcc (GCC) 8.1.0
kernel signature: 2e1f60de4dd99c84da26e33f220b1afb09e11394628a557f8e1965495db54e63
all runs: OK
# git bisect bad 1452c5ffe79f34ded327310a84a67d653a00e68e
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[f40f289b96bf856e1613f17bf9426140e8b89393] binder: Prevent context manager from incrementing ref 0
testing commit f40f289b96bf856e1613f17bf9426140e8b89393 with gcc (GCC) 8.1.0
kernel signature: cfc355a2a9d7ff2a05acbf28009ebb1b4d01e28f70cdf62a25e20542ebac72f0
all runs: OK
# git bisect bad f40f289b96bf856e1613f17bf9426140e8b89393
Bisecting: 1 revision left to test after this (roughly 1 step)
[68bb9eddbf5da767131079325b2097341ab05dca] Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_with_rssi_evt()
testing commit 68bb9eddbf5da767131079325b2097341ab05dca with gcc (GCC) 8.1.0
kernel signature: 0eec8fbcb1af253a31011bf6f2831242e12e8a3dbffe6067cbb9cb08e6af8849
all runs: OK
# git bisect bad 68bb9eddbf5da767131079325b2097341ab05dca
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[8b0861f956f65f063662f9553a4dcad574a95b37] Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_evt()
testing commit 8b0861f956f65f063662f9553a4dcad574a95b37 with gcc (GCC) 8.1.0
kernel signature: d07075fdd3aa47916ff37c9eec49ff8450f88259a0896525ce4788670746794d
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_event_packet
# git bisect good 8b0861f956f65f063662f9553a4dcad574a95b37
68bb9eddbf5da767131079325b2097341ab05dca is the first bad commit
commit 68bb9eddbf5da767131079325b2097341ab05dca
Author: Peilin Ye
Date:   Fri Jul 10 17:45:26 2020 -0400

    Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_with_rssi_evt()

    commit 629b49c848ee71244203934347bd7730b0ddee8d upstream.

    Check `num_rsp` before using it as for-loop counter. Add `unlock` label.

    Cc: stable@vger.kernel.org
    Signed-off-by: Peilin Ye
    Signed-off-by: Marcel Holtmann
    Signed-off-by: Greg Kroah-Hartman

 net/bluetooth/hci_event.c | 7 +++++++
 1 file changed, 7 insertions(+)

culprit signature: 0eec8fbcb1af253a31011bf6f2831242e12e8a3dbffe6067cbb9cb08e6af8849
parent signature: d07075fdd3aa47916ff37c9eec49ff8450f88259a0896525ce4788670746794d
revisions tested: 11, total time: 2h48m47.144657856s (build: 1h26m56.17169553s, test: 1h20m49.541020709s)
first good commit: 68bb9eddbf5da767131079325b2097341ab05dca Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_with_rssi_evt()
recipients (to): ["gregkh@linuxfoundation.org" "marcel@holtmann.org" "yepeilin.cs@gmail.com"]
recipients (cc): []
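The bug class the bisection lands on is a count field in an attacker-controlled HCI event (num_rsp) being trusted as a loop bound without checking that the skb actually carries that many entries. The following is an added, self-contained C model of that check; it is not the kernel's hci_event.c code and does not reproduce the culprit commit. The entry layout (6-byte BD_ADDR, page-scan repetition mode, reserved byte, 3-byte class of device, 2-byte clock offset, 1-byte RSSI: 14 bytes per response) follows the HCI "Inquiry Result with RSSI" event as I understand the spec and should be treated as an assumption; the function and type names, and both sample packets, are constructed for this example.

```c
/* Constructed model of parsing an HCI "Inquiry Result with RSSI" event.
 * Not the kernel's code: names, layout and sample packets are assumptions
 * made for this example. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BDADDR_LEN    6
#define RSP_ENTRY_LEN 14   /* assumed size of one response entry on the wire */

/* Parsed form of one response (hypothetical struct name). */
struct inquiry_rssi_info {
    uint8_t  bdaddr[BDADDR_LEN];
    uint8_t  pscan_rep_mode;
    uint8_t  reserved;
    uint8_t  dev_class[3];
    uint16_t clock_offset;   /* little-endian on the wire */
    int8_t   rssi;
};

/* The vulnerable pattern, expressed without performing the overrun:
 * how many bytes would a loop bounded only by num_rsp read?  Comparing
 * this with the real packet length shows the out-of-bounds read a
 * malformed event would trigger. */
static size_t bytes_claimed_by_num_rsp(const uint8_t *pkt, size_t len)
{
    if (len < 1)
        return 0;
    return 1 + (size_t)pkt[0] * RSP_ENTRY_LEN;
}

/* Hardened parser: validate num_rsp against the bytes actually present
 * before it is ever used as a loop counter.  Returns the number of
 * entries parsed, or -1 if the event is malformed or does not fit.
 * The division form avoids any overflow in num_rsp * RSP_ENTRY_LEN. */
static int parse_inquiry_result_with_rssi(const uint8_t *pkt, size_t len,
                                          struct inquiry_rssi_info *out,
                                          size_t max_out)
{
    if (len < 1)
        return -1;
    uint8_t num_rsp = pkt[0];
    if (num_rsp == 0)
        return -1;
    if ((len - 1) / RSP_ENTRY_LEN < num_rsp)   /* fewer entries than claimed */
        return -1;
    if (num_rsp > max_out)                      /* caller's buffer too small */
        return -1;

    const uint8_t *p = pkt + 1;
    for (size_t i = 0; i < num_rsp; i++, p += RSP_ENTRY_LEN) {
        memcpy(out[i].bdaddr, p, BDADDR_LEN);
        out[i].pscan_rep_mode = p[6];
        out[i].reserved       = p[7];
        memcpy(out[i].dev_class, p + 8, 3);
        out[i].clock_offset   = (uint16_t)(p[11] | (p[12] << 8));
        out[i].rssi           = (int8_t)p[13];
    }
    return (int)num_rsp;
}

/* Constructed sample events (not captured traffic). */
static const uint8_t good_pkt[] = {
    2,                                                   /* num_rsp */
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x01, 0x00,      /* bdaddr, pscan, rsvd */
    0x04, 0x01, 0x20, 0x34, 0x12, 0xc4,                  /* class, clk 0x1234, rssi -60 */
    0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x02, 0x00,
    0x0c, 0x02, 0x5a, 0x00, 0x80, 0xba,                  /* class, clk 0x8000, rssi -70 */
};
/* Claims 255 responses but carries only three bytes of payload. */
static const uint8_t bad_pkt[] = { 0xff, 0x11, 0x22, 0x33 };

int main(void)
{
    struct inquiry_rssi_info out[4];
    int n = parse_inquiry_result_with_rssi(good_pkt, sizeof good_pkt, out, 4);
    printf("good packet: %d entries, first rssi %d\n", n, out[0].rssi);

    n = parse_inquiry_result_with_rssi(bad_pkt, sizeof bad_pkt, out, 4);
    printf("bad packet: parse result %d; an unchecked loop would read %zu of %zu bytes\n",
           n, bytes_claimed_by_num_rsp(bad_pkt, sizeof bad_pkt), sizeof bad_pkt);
    return 0;
}
```

The length check goes before the loop and before any lock is taken, so a rejected event leaves no state half-updated; the kernel fix described in the log also adds an unlock label for the same reason.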