bisecting fixing commit since 205a42ce2861f2d0dea8eb5090d05262e1cfa049
building syzkaller on 8df85ed9883abc2a200858f44f22c11c602d218a
testing commit 205a42ce2861f2d0dea8eb5090d05262e1cfa049 with gcc (GCC) 8.1.0
kernel signature: ef407eef1be6e961660d1c8c1c2347065da0395bc8be963b78242c7ec27491f7
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_event_packet
testing current HEAD c37da90efff5f183bea6ae4c2af33571f61fe317
testing commit c37da90efff5f183bea6ae4c2af33571f61fe317 with gcc (GCC) 8.1.0
kernel signature: 3195fc53a40b664e7c9594f1f1b6543eaad5651c0dab553052a3370c9438c097
all runs: OK
# git bisect start c37da90efff5f183bea6ae4c2af33571f61fe317 205a42ce2861f2d0dea8eb5090d05262e1cfa049
Bisecting: 292 revisions left to test after this (roughly 8 steps)
[8e22f6848fc80c34ce7e7bf2bdbd5c8fb54e2fe4] irqdomain/treewide: Free firmware node after domain removal
testing commit 8e22f6848fc80c34ce7e7bf2bdbd5c8fb54e2fe4 with gcc (GCC) 8.1.0
kernel signature: 04d3c30f23efe003f94a3964dd290b6b0bec045be84c028c51177ca835e5909b
all runs: OK
# git bisect bad 8e22f6848fc80c34ce7e7bf2bdbd5c8fb54e2fe4
Bisecting: 145 revisions left to test after this (roughly 7 steps)
[473a0cdc8529ee271758b770c477418f0fe430c8] platform/x86: intel-vbtn: Fix return value check in check_acpi_dev()
testing commit 473a0cdc8529ee271758b770c477418f0fe430c8 with gcc (GCC) 8.1.0
kernel signature: 96a7ff64d763fa909df889cc226f0e5cf40658a3703aa434bc8d7ef33550062f
all runs: OK
# git bisect bad 473a0cdc8529ee271758b770c477418f0fe430c8
Bisecting: 72 revisions left to test after this (roughly 6 steps)
[546271c2c8d3a4f2d5fd07d43faf49d0b4423dde] ARM: percpu.h: fix build error
testing commit 546271c2c8d3a4f2d5fd07d43faf49d0b4423dde with gcc (GCC) 8.1.0
kernel signature: df21e0a838658cfd53788c6f6491d3b3e1021dcebb56946add6f6ed2d0b23bdb
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_event_packet
# git bisect good 546271c2c8d3a4f2d5fd07d43faf49d0b4423dde
Bisecting: 36 revisions left to test after this (roughly 5 steps)
[fabe9d6cc1663deafba59499829e0c4c28971345] xattr: break delegations in {set,remove}xattr
testing commit fabe9d6cc1663deafba59499829e0c4c28971345 with gcc (GCC) 8.1.0
kernel signature: 36d2e0e258ac29065262a6f5c7134dafe2f5853117a217fe3d109638437ba4ef
all runs: OK
# git bisect bad fabe9d6cc1663deafba59499829e0c4c28971345
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[61219546f3036d2b4a1898be7a38da22e97a3b62] vgacon: Fix for missing check in scrollback handling
testing commit 61219546f3036d2b4a1898be7a38da22e97a3b62 with gcc (GCC) 8.1.0
kernel signature: 8660b5e0f350255087a9bb4b93cfc84bfb1909c3e3f538e6982d4b37126125e0
all runs: OK
# git bisect bad 61219546f3036d2b4a1898be7a38da22e97a3b62
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[8efb2159c956a28b892fd4c169729b2959c25483] usb: xhci: Fix ASMedia ASM1142 DMA addressing
testing commit 8efb2159c956a28b892fd4c169729b2959c25483 with gcc (GCC) 8.1.0
kernel signature: ff5368f1c1a68776044813ec6c65025069134e95bd53fbf0f7c7b3f2e73155b8
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_event_packet
# git bisect good 8efb2159c956a28b892fd4c169729b2959c25483
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[8c4a649c20fec015ebb326f36b47d4e39d9ff5b7] Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()
testing commit 8c4a649c20fec015ebb326f36b47d4e39d9ff5b7 with gcc (GCC) 8.1.0
kernel signature: 88feabc7c97aa1c1a1c80e44f7141c9fd924dcc7808e35494cf322947f86b1e1
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_event_packet
# git bisect good 8c4a649c20fec015ebb326f36b47d4e39d9ff5b7
Bisecting: 2 revisions left to test after this (roughly 1 step)
[48f70ecd6a22f5cf2a6d2670fbc3523fe64bcae8] Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_with_rssi_evt()
testing commit 48f70ecd6a22f5cf2a6d2670fbc3523fe64bcae8 with gcc (GCC) 8.1.0
kernel signature: 56a88375d95bffcc1d9bf722b84ddd2e0e8b55ef606fb0a0b3b18afbd1f7972a
all runs: OK
# git bisect bad 48f70ecd6a22f5cf2a6d2670fbc3523fe64bcae8
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[f2d6adb023fc32816d7962c29fd06d8cd71418ee] Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_evt()
testing commit f2d6adb023fc32816d7962c29fd06d8cd71418ee with gcc (GCC) 8.1.0
kernel signature: dda07526a1be0f42489c55e6b3c0dd4e27b5848b4d80b5d47c08ea0194c01f32
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_event_packet
# git bisect good f2d6adb023fc32816d7962c29fd06d8cd71418ee
48f70ecd6a22f5cf2a6d2670fbc3523fe64bcae8 is the first bad commit
commit 48f70ecd6a22f5cf2a6d2670fbc3523fe64bcae8
Author: Peilin Ye
Date:   Fri Jul 10 17:45:26 2020 -0400

    Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_with_rssi_evt()

    commit 629b49c848ee71244203934347bd7730b0ddee8d upstream.

    Check `num_rsp` before using it as for-loop counter. Add `unlock` label.

    Cc: stable@vger.kernel.org
    Signed-off-by: Peilin Ye
    Signed-off-by: Marcel Holtmann
    Signed-off-by: Greg Kroah-Hartman

 net/bluetooth/hci_event.c | 7 +++++++
 1 file changed, 7 insertions(+)

culprit signature: 56a88375d95bffcc1d9bf722b84ddd2e0e8b55ef606fb0a0b3b18afbd1f7972a
parent signature: dda07526a1be0f42489c55e6b3c0dd4e27b5848b4d80b5d47c08ea0194c01f32
revisions tested: 11, total time: 3h16m36.675707538s (build: 1h59m40.015141785s, test: 1h14m43.886661999s)
first good commit: 48f70ecd6a22f5cf2a6d2670fbc3523fe64bcae8 Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_with_rssi_evt()
recipients (to): ["gregkh@linuxfoundation.org" "marcel@holtmann.org" "yepeilin.cs@gmail.com"]
recipients (cc): []