bisecting fixing commit since d13937116f1e82bf508a6325111b322c30c85eb9
building syzkaller on b4f792e401f416ff9fc75716d2500971ba63d1db
testing commit d13937116f1e82bf508a6325111b322c30c85eb9 with gcc (GCC) 8.1.0
all runs: crashed: general protection fault in qca_setup
testing current HEAD d45331b00ddb179e291766617259261c112db872
testing commit d45331b00ddb179e291766617259261c112db872 with gcc (GCC) 8.1.0
all runs: OK
# git bisect start d45331b00ddb179e291766617259261c112db872 d13937116f1e82bf508a6325111b322c30c85eb9
Bisecting: 21639 revisions left to test after this (roughly 15 steps)
[a2d635decbfa9c1e4ae15cb05b68b2559f7f827c] Merge tag 'drm-next-2019-05-09' of git://anongit.freedesktop.org/drm/drm
testing commit a2d635decbfa9c1e4ae15cb05b68b2559f7f827c with gcc (GCC) 8.1.0
run #0: crashed: INFO: task hung in hci_unregister_dev
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good a2d635decbfa9c1e4ae15cb05b68b2559f7f827c
Bisecting: 11357 revisions left to test after this (roughly 13 steps)
[8f6ccf6159aed1f04c6d179f61f6fb2691261e84] Merge tag 'clone3-v5.3' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux
testing commit 8f6ccf6159aed1f04c6d179f61f6fb2691261e84 with gcc (GCC) 8.1.0
run #0: crashed: INFO: task hung in hci_unregister_dev
run #1: crashed: INFO: task hung in hci_unregister_dev
run #2: crashed: INFO: task hung in hci_unregister_dev
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 8f6ccf6159aed1f04c6d179f61f6fb2691261e84
Bisecting: 6154 revisions left to test after this (roughly 13 steps)
[168869492e7009b6861b615f1d030c99bc805e83] docs: kbuild: fix build with pdf and fix some minor issues
testing commit 168869492e7009b6861b615f1d030c99bc805e83 with gcc (GCC) 8.1.0
run #0: crashed: INFO: task hung in hci_unregister_dev
run #1: crashed: INFO: task hung in hci_unregister_dev
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 168869492e7009b6861b615f1d030c99bc805e83
Bisecting: 3067 revisions left to test after this (roughly 12 steps)
[d0411ec8ca6b98061023873e334323ef102100cc] Merge tag 'pm-5.3-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
testing commit d0411ec8ca6b98061023873e334323ef102100cc with gcc (GCC) 8.1.0
run #0: crashed: INFO: task hung in hci_unregister_dev
run #1: crashed: INFO: task hung in hci_unregister_dev
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good d0411ec8ca6b98061023873e334323ef102100cc
Bisecting: 1516 revisions left to test after this (roughly 11 steps)
[abdfd52a295fb5731ab07b5c9013e2e39f4d1cbe] Merge tag 'armsoc-defconfig' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
testing commit abdfd52a295fb5731ab07b5c9013e2e39f4d1cbe with gcc (GCC) 8.1.0
run #0: crashed: INFO: task hung in hci_unregister_dev
run #1: crashed: INFO: task hung in hci_unregister_dev
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good abdfd52a295fb5731ab07b5c9013e2e39f4d1cbe
Bisecting: 758 revisions left to test after this (roughly 10 steps)
[b59b1baab789eacdde809135542e3d4f256f6878] cgroup: kselftest: relax fs_spec checks
testing commit b59b1baab789eacdde809135542e3d4f256f6878 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad b59b1baab789eacdde809135542e3d4f256f6878
Bisecting: 374 revisions left to test after this (roughly 9 steps)
[04412819652fe30f900d11e96c67b4adfdf17f6b] Merge tag 'for-linus-20190726' of git://git.kernel.dk/linux-block
testing commit 04412819652fe30f900d11e96c67b4adfdf17f6b with gcc (GCC) 8.1.0
run #0: crashed: INFO: task hung in hci_unregister_dev
run #1: crashed: INFO: task hung in hci_unregister_dev
run #2: crashed: INFO: task hung in hci_unregister_dev
run #3: crashed: INFO: task hung in hci_unregister_dev
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 04412819652fe30f900d11e96c67b4adfdf17f6b
Bisecting: 186 revisions left to test after this (roughly 8 steps)
[750991f9af5b4019fd0232c23a4815682ff91021] Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit 750991f9af5b4019fd0232c23a4815682ff91021 with gcc (GCC) 8.1.0
run #0: crashed: INFO: task hung in hci_unregister_dev
run #1: crashed: INFO: task hung in hci_unregister_dev
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 750991f9af5b4019fd0232c23a4815682ff91021
Bisecting: 89 revisions left to test after this (roughly 7 steps)
[32a024b9a9f3b40f84bc55a6dd35eaa770ea26a4] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma
testing commit 32a024b9a9f3b40f84bc55a6dd35eaa770ea26a4 with gcc (GCC) 8.1.0
run #0: crashed: INFO: task hung in hci_unregister_dev
run #1: crashed: INFO: task hung in hci_unregister_dev
run #2: crashed: INFO: task hung in hci_unregister_dev
run #3: crashed: INFO: task hung in hci_unregister_dev
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 32a024b9a9f3b40f84bc55a6dd35eaa770ea26a4
Bisecting: 47 revisions left to test after this (roughly 6 steps)
[234172f6bbf8e26fa8407c4bbbf2a36da30d7913] Merge tag 'arm-swiotlb-5.3' of git://git.infradead.org/users/hch/dma-mapping
testing commit 234172f6bbf8e26fa8407c4bbbf2a36da30d7913 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 234172f6bbf8e26fa8407c4bbbf2a36da30d7913
Bisecting: 19 revisions left to test after this (roughly 4 steps)
[d2eee9fca172d0d010ef3060cdc971e0b079b87f] Merge tag 'trace-v5.3-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace
testing commit d2eee9fca172d0d010ef3060cdc971e0b079b87f with gcc (GCC) 8.1.0
run #0: crashed: INFO: task hung in hci_unregister_dev
run #1: crashed: INFO: task hung in hci_unregister_dev
run #2: crashed: INFO: task hung in hci_unregister_dev
run #3: crashed: INFO: task hung in hci_unregister_dev
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good d2eee9fca172d0d010ef3060cdc971e0b079b87f
Bisecting: 10 revisions left to test after this (roughly 3 steps)
[28f5ab1e12ba702389c41bc95d02733673020d85] Merge tag 'gpio-v5.3-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio
testing commit 28f5ab1e12ba702389c41bc95d02733673020d85 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 28f5ab1e12ba702389c41bc95d02733673020d85
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[5c6207539aea8b22490f9569db5aa72ddfd0d486] Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
testing commit 5c6207539aea8b22490f9569db5aa72ddfd0d486 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 5c6207539aea8b22490f9569db5aa72ddfd0d486
Bisecting: 1 revision left to test after this (roughly 1 step)
[b36a1552d7319bbfd5cf7f08726c23c5c66d4f73] Bluetooth: hci_uart: check for missing tty operations
testing commit b36a1552d7319bbfd5cf7f08726c23c5c66d4f73 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad b36a1552d7319bbfd5cf7f08726c23c5c66d4f73
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[1b7e816fc80e668f0ccc8542cec20b9259abace1] mm: slub: Fix slab walking for init_on_free
testing commit 1b7e816fc80e668f0ccc8542cec20b9259abace1 with gcc (GCC) 8.1.0
run #0: crashed: INFO: task hung in hci_unregister_dev
run #1: crashed: INFO: task hung in hci_unregister_dev
run #2: crashed: INFO: task hung in hci_unregister_dev
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 1b7e816fc80e668f0ccc8542cec20b9259abace1
b36a1552d7319bbfd5cf7f08726c23c5c66d4f73 is the first bad commit
commit b36a1552d7319bbfd5cf7f08726c23c5c66d4f73
Author: Vladis Dronov
Date: Tue Jul 30 11:33:45 2019 +0200

    Bluetooth: hci_uart: check for missing tty operations

    Certain ttys operations (pty_unix98_ops) lack tiocmget() and tiocmset()
    functions which are called by the certain HCI UART protocols (hci_ath,
    hci_bcm, hci_intel, hci_mrvl, hci_qca) via hci_uart_set_flow_control()
    or directly. This leads to an execution at NULL and can be triggered by
    an unprivileged user. Fix this by adding a helper function and a check
    for the missing tty operations in the protocols code.

    This fixes CVE-2019-10207. The Fixes: lines list commits where calls to
    tiocm[gs]et() or hci_uart_set_flow_control() were added to the HCI UART
    protocols.

    Link: https://syzkaller.appspot.com/bug?id=1b42faa2848963564a5b1b7f8c837ea7b55ffa50
    Reported-by: syzbot+79337b501d6aa974d0f6@syzkaller.appspotmail.com
    Cc: stable@vger.kernel.org # v2.6.36+
    Fixes: b3190df62861 ("Bluetooth: Support for Atheros AR300x serial chip")
    Fixes: 118612fb9165 ("Bluetooth: hci_bcm: Add suspend/resume PM functions")
    Fixes: ff2895592f0f ("Bluetooth: hci_intel: Add Intel baudrate configuration support")
    Fixes: 162f812f23ba ("Bluetooth: hci_uart: Add Marvell support")
    Fixes: fa9ad876b8e0 ("Bluetooth: hci_qca: Add support for Qualcomm Bluetooth chip wcn3990")
    Signed-off-by: Vladis Dronov
    Signed-off-by: Marcel Holtmann
    Reviewed-by: Yu-Chen, Cho
    Tested-by: Yu-Chen, Cho
    Signed-off-by: Linus Torvalds

:040000 040000 43c2860eaa74658a1a8d0e277ef637276374a22e 14bc9210d4cc8fdaf78e5f957a07d521daf877ce M drivers
revisions tested: 17, total time: 4h36m19.056773495s (build: 1h40m13.581538326s, test: 2h50m40.042150112s)
first good commit: b36a1552d7319bbfd5cf7f08726c23c5c66d4f73 Bluetooth: hci_uart: check for missing tty operations
cc: ["johan.hedberg@gmail.com" "linux-bluetooth@vger.kernel.org" "linux-kernel@vger.kernel.org" "marcel@holtmann.org" "torvalds@linux-foundation.org" "vdronov@redhat.com"]