bisecting fixing commit since 7f2c5eb458b8855655a19c44cd0043f7f83c595f
building syzkaller on 96dd36234d97bbf6b403f3a7f03cfc0296422879
testing commit 7f2c5eb458b8855655a19c44cd0043f7f83c595f with gcc (GCC) 8.1.0
kernel signature: fb8eef6c3f2a7c42a113cced8c8d8368df77e936696b15463e50e2f9e3b4d54c
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_event_packet
testing current HEAD 2f166cdcf8a92fcf85524f2b5526cb28e16f0a60
testing commit 2f166cdcf8a92fcf85524f2b5526cb28e16f0a60 with gcc (GCC) 8.1.0
kernel signature: c1827e8ceeaf4b0df6f43f7e368a2a0191e358af346a8d0ad71fbb0ce49bbd74
all runs: OK
# git bisect start 2f166cdcf8a92fcf85524f2b5526cb28e16f0a60 7f2c5eb458b8855655a19c44cd0043f7f83c595f
Bisecting: 212 revisions left to test after this (roughly 8 steps)
[ff114bcd7635211d051c6031fac800fd45424ece] ALSA: usb-audio: work around streaming quirk for MacroSilicon MS2109
testing commit ff114bcd7635211d051c6031fac800fd45424ece with gcc (GCC) 8.1.0
kernel signature: 860ee05551f75d51fe71463e46376e809eebdc6633cf39e71f3983fc59de1ab2
all runs: OK
# git bisect bad ff114bcd7635211d051c6031fac800fd45424ece
Bisecting: 106 revisions left to test after this (roughly 7 steps)
[59b5331268406b08016e6b58d89bae30042d844e] arm64: dts: rockchip: fix rk3399-puma gmac reset gpio
testing commit 59b5331268406b08016e6b58d89bae30042d844e with gcc (GCC) 8.1.0
kernel signature: 4924d9fefa3da8404929b7dc4be50eb6a34d12926867736aa9abc6207c12a87d
all runs: OK
# git bisect bad 59b5331268406b08016e6b58d89bae30042d844e
Bisecting: 52 revisions left to test after this (roughly 6 steps)
[8dacd74f7987c1e744e988cb12fd18ab1aa2d6e0] random32: remove net_rand_state from the latent entropy gcc plugin
testing commit 8dacd74f7987c1e744e988cb12fd18ab1aa2d6e0 with gcc (GCC) 8.1.0
kernel signature: 029948f15cb61ddd93240841f59f4514b2835a674daa2bd3d70c85ad911648ad
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_event_packet
# git bisect good 8dacd74f7987c1e744e988cb12fd18ab1aa2d6e0
Bisecting: 26 revisions left to test after this (roughly 5 steps)
[fb49251695b1e735860b5fd953d691f6cf817873] i2c: slave: improve sanity check when registering
testing commit fb49251695b1e735860b5fd953d691f6cf817873 with gcc (GCC) 8.1.0
kernel signature: 250cc212f3b11809c1018a45621924ccf5da0170095b9143b77c60a413d73c6c
all runs: OK
# git bisect bad fb49251695b1e735860b5fd953d691f6cf817873
Bisecting: 12 revisions left to test after this (roughly 4 steps)
[8b0861f956f65f063662f9553a4dcad574a95b37] Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_evt()
testing commit 8b0861f956f65f063662f9553a4dcad574a95b37 with gcc (GCC) 8.1.0
kernel signature: a54c52b5464445994628cab2128392e23f085b66bad3d6087ff6a8477623d40c
all runs: OK
# git bisect bad 8b0861f956f65f063662f9553a4dcad574a95b37
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[ec2cbe4b8abf949a16574ba81d8255e52980186c] net/mlx5e: Don't support phys switch id if not in switchdev mode
testing commit ec2cbe4b8abf949a16574ba81d8255e52980186c with gcc (GCC) 8.1.0
kernel signature: 07e45c20dc19b8a8cb194583746bb425431f5ae47cb5956033389f5c380b635b
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_event_packet
# git bisect good ec2cbe4b8abf949a16574ba81d8255e52980186c
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[c5021d4fa888ad248b4168947eb1e569de75fdb1] usb: xhci: Fix ASMedia ASM1142 DMA addressing
testing commit c5021d4fa888ad248b4168947eb1e569de75fdb1 with gcc (GCC) 8.1.0
kernel signature: c1e2fe3dec4049e747f6d1e1cf28b8dcdc1e2f84fe137604f2fbe3c50e6af9e4
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_event_packet
# git bisect good c5021d4fa888ad248b4168947eb1e569de75fdb1
Bisecting: 1 revision left to test after this (roughly 1 step)
[79c70607e5403d31d267e31a1a34e5334318326d] staging: android: ashmem: Fix lockdep warning for write operation
testing commit 79c70607e5403d31d267e31a1a34e5334318326d with gcc (GCC) 8.1.0
kernel signature: 4d91d4f5cd8a64f43402d347882c06195d2c3b09182bf082a9b34a676179c929
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_event_packet
# git bisect good 79c70607e5403d31d267e31a1a34e5334318326d
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[d91299b8382b129156708708d69876e753b9ade6] Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()
testing commit d91299b8382b129156708708d69876e753b9ade6 with gcc (GCC) 8.1.0
kernel signature: 3240158b233910a14748a5d6545b1fc09c0d16a872f33bc92e73fa7ee45d5fd5
all runs: OK
# git bisect bad d91299b8382b129156708708d69876e753b9ade6
d91299b8382b129156708708d69876e753b9ade6 is the first bad commit
commit d91299b8382b129156708708d69876e753b9ade6
Author: Peilin Ye
Date:   Fri Jul 10 12:09:15 2020 -0400

    Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()

    commit 51c19bf3d5cfaa66571e4b88ba2a6f6295311101 upstream.

    Check upon `num_rsp` is insufficient. A malformed event packet with a
    large `num_rsp` number makes hci_extended_inquiry_result_evt() go out
    of bounds. Fix it.

    This patch fixes the following syzbot bug:

        https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2

    Reported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com
    Cc: stable@vger.kernel.org
    Signed-off-by: Peilin Ye
    Acked-by: Greg Kroah-Hartman
    Signed-off-by: Marcel Holtmann
    Signed-off-by: Greg Kroah-Hartman

 net/bluetooth/hci_event.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

culprit signature: 3240158b233910a14748a5d6545b1fc09c0d16a872f33bc92e73fa7ee45d5fd5
parent signature: 4d91d4f5cd8a64f43402d347882c06195d2c3b09182bf082a9b34a676179c929
revisions tested: 11, total time: 3h14m45.106765286s (build: 1h58m23.030208522s, test: 1h14m7.210668159s)
first good commit: d91299b8382b129156708708d69876e753b9ade6 Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()
recipients (to): ["gregkh@linuxfoundation.org" "marcel@holtmann.org" "yepeilin.cs@gmail.com"]
recipients (cc): []