bisecting fixing commit since 13af6c74b14a883366e7702c40c52ff548096e7f
building syzkaller on 96dd36234d97bbf6b403f3a7f03cfc0296422879
testing commit 13af6c74b14a883366e7702c40c52ff548096e7f with gcc (GCC) 8.1.0
kernel signature: 65b587b1ff39b8ee5622a2ade3e5562c2c3af4150dd2583d48cdbc756855e850
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_event_packet
testing current HEAD c37da90efff5f183bea6ae4c2af33571f61fe317
testing commit c37da90efff5f183bea6ae4c2af33571f61fe317 with gcc (GCC) 8.1.0
kernel signature: 6f0c70f1bbdd778bed9c0222dec1de2693ee2f053cae927fcee44900ca0b5242
all runs: OK
# git bisect start c37da90efff5f183bea6ae4c2af33571f61fe317 13af6c74b14a883366e7702c40c52ff548096e7f
Bisecting: 283 revisions left to test after this (roughly 8 steps)
[ae33b1ebbce825c85dbabfdbbea7db72f51298d5] PCI: Add device even if driver attach failed
testing commit ae33b1ebbce825c85dbabfdbbea7db72f51298d5 with gcc (GCC) 8.1.0
kernel signature: 7330b8323efeaf069b66e5305ffa6ca504e15c27f0e443847859f6e87aa46c2e
all runs: OK
# git bisect bad ae33b1ebbce825c85dbabfdbbea7db72f51298d5
Bisecting: 141 revisions left to test after this (roughly 7 steps)
[98d7ab74d3346aebc3c14e012023267af4b4edda] crypto: aesni - Fix build with LLVM_IAS=1
testing commit 98d7ab74d3346aebc3c14e012023267af4b4edda with gcc (GCC) 8.1.0
kernel signature: 96e1a4f5da55dc2dd4356bafd2f9f007259d597f89e38b5f01c2cfe6b6aed1c4
all runs: OK
# git bisect bad 98d7ab74d3346aebc3c14e012023267af4b4edda
Bisecting: 70 revisions left to test after this (roughly 6 steps)
[48f70ecd6a22f5cf2a6d2670fbc3523fe64bcae8] Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_with_rssi_evt()
testing commit 48f70ecd6a22f5cf2a6d2670fbc3523fe64bcae8 with gcc (GCC) 8.1.0
kernel signature: 4528dbc5dd3e7ddcda3cbe5b9bc6b4f296fec2baff0eb2874436372b69b3f768
all runs: OK
# git bisect bad 48f70ecd6a22f5cf2a6d2670fbc3523fe64bcae8
Bisecting: 34 revisions left to test after this (roughly 5 steps)
[37bccfa89559a70c044b5ccde3c916a91388e14a] mac80211: mesh: Free ie data when leaving mesh
testing commit 37bccfa89559a70c044b5ccde3c916a91388e14a with gcc (GCC) 8.1.0
kernel signature: 34b5ab57793b5129431e5032f25bc7ece392fb8acbd782ff58101f82f156dad1
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_event_packet
# git bisect good 37bccfa89559a70c044b5ccde3c916a91388e14a
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[dc3d380f6eb90dede26afbce0073919c74a82a17] x86/i8259: Use printk_deferred() to prevent deadlock
testing commit dc3d380f6eb90dede26afbce0073919c74a82a17 with gcc (GCC) 8.1.0
kernel signature: 6846e488b1aae5e73ff82b1a6e15bc989c6d0c0d65dc39c665df88e3a1372610
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_event_packet
# git bisect good dc3d380f6eb90dede26afbce0073919c74a82a17
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[9c4f7a8c8d4d65df054540340806cb7a7bac6e0b] USB: serial: qcserial: add EM7305 QDL product ID
testing commit 9c4f7a8c8d4d65df054540340806cb7a7bac6e0b with gcc (GCC) 8.1.0
kernel signature: 4eac074450f6048a9513e4cfcdc32d50b58543ada3b627f0bfc2889791373b30
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_event_packet
# git bisect good 9c4f7a8c8d4d65df054540340806cb7a7bac6e0b
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[21e7fc3f69daa0fd2974edcaa02590c1df81889f] Revert "ALSA: hda: call runtime_allow() for all hda controllers"
testing commit 21e7fc3f69daa0fd2974edcaa02590c1df81889f with gcc (GCC) 8.1.0
kernel signature: fc33b501977f2c0c4090c6817842863410187ee77c9b64d0dca8fc6b51d54726
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_event_packet
# git bisect good 21e7fc3f69daa0fd2974edcaa02590c1df81889f
Bisecting: 2 revisions left to test after this (roughly 1 step)
[fbe7e878fea059fb536ac55a8ec7fe72433a95dd] staging: android: ashmem: Fix lockdep warning for write operation
testing commit fbe7e878fea059fb536ac55a8ec7fe72433a95dd with gcc (GCC) 8.1.0
kernel signature: 3bd6a960432d34b3150bcb7410ed78ca032a89e2135bab065a420ccdab54b55f
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_event_packet
# git bisect good fbe7e878fea059fb536ac55a8ec7fe72433a95dd
Bisecting: 0 revisions left to test after this (roughly 1 step)
[f2d6adb023fc32816d7962c29fd06d8cd71418ee] Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_evt()
testing commit f2d6adb023fc32816d7962c29fd06d8cd71418ee with gcc (GCC) 8.1.0
kernel signature: 12f096d74505eadefbce4d30e27b3d6d8e8948f0caa0a2758965da4e86ebf27a
all runs: OK
# git bisect bad f2d6adb023fc32816d7962c29fd06d8cd71418ee
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[8c4a649c20fec015ebb326f36b47d4e39d9ff5b7] Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()
testing commit 8c4a649c20fec015ebb326f36b47d4e39d9ff5b7 with gcc (GCC) 8.1.0
kernel signature: dde8d096923bf0def8ed4489eff917b1e5e4897f1fd8d87fe788d20b92a78ec3
all runs: OK
# git bisect bad 8c4a649c20fec015ebb326f36b47d4e39d9ff5b7
8c4a649c20fec015ebb326f36b47d4e39d9ff5b7 is the first bad commit
commit 8c4a649c20fec015ebb326f36b47d4e39d9ff5b7
Author: Peilin Ye
Date:   Fri Jul 10 12:09:15 2020 -0400

    Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()

    commit 51c19bf3d5cfaa66571e4b88ba2a6f6295311101 upstream.

    Check upon `num_rsp` is insufficient. A malformed event packet with a
    large `num_rsp` number makes hci_extended_inquiry_result_evt() go out of
    bounds. Fix it.

    This patch fixes the following syzbot bug:

    https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2

    Reported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com
    Cc: stable@vger.kernel.org
    Signed-off-by: Peilin Ye
    Acked-by: Greg Kroah-Hartman
    Signed-off-by: Marcel Holtmann
    Signed-off-by: Greg Kroah-Hartman

 net/bluetooth/hci_event.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
culprit signature: dde8d096923bf0def8ed4489eff917b1e5e4897f1fd8d87fe788d20b92a78ec3
parent signature: 3bd6a960432d34b3150bcb7410ed78ca032a89e2135bab065a420ccdab54b55f
revisions tested: 12, total time: 3h28m17.458550977s (build: 2h8m26.213348865s, test: 1h17m39.795156797s)
first good commit: 8c4a649c20fec015ebb326f36b47d4e39d9ff5b7 Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()
recipients (to): ["gregkh@linuxfoundation.org" "marcel@holtmann.org" "yepeilin.cs@gmail.com"]
recipients (cc): []