bisecting cause commit starting from 051143e1602d90ea71887d92363edd539d411de5
building syzkaller on 9682898d6f14dd27f95c419d059fd867bb91b22b
testing commit 051143e1602d90ea71887d92363edd539d411de5 with gcc (GCC) 8.1.0
kernel signature: bd8ec28f59e8d9d8f341281da754cb7117be43f08e338539ea4d5d656ed881ab
all runs: crashed: KASAN: slab-out-of-bounds Read in dlfb_usb_probe
testing release v5.6
testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0
kernel signature: e52f49ac1a9ea24aec69923596badd422cb30ff4a6293e4758dc4c7ff24438c5
all runs: OK
# git bisect start 051143e1602d90ea71887d92363edd539d411de5 7111951b8d4973bda27ff663f2cf18b663d15b48
Bisecting: 7236 revisions left to test after this (roughly 13 steps)
[f365ab31efacb70bed1e821f7435626e0b2528a6] Merge tag 'drm-next-2020-04-01' of git://anongit.freedesktop.org/drm/drm
testing commit f365ab31efacb70bed1e821f7435626e0b2528a6 with gcc (GCC) 8.1.0
kernel signature: 18b4ad17f53fc7e0d7e70faf0ebd54019db67d7004bb0d1dedef5b604d16abda
all runs: crashed: KASAN: slab-out-of-bounds Read in dlfb_usb_probe
# git bisect bad f365ab31efacb70bed1e821f7435626e0b2528a6
Bisecting: 4110 revisions left to test after this (roughly 12 steps)
[56a451b780676bc1cdac011735fe2869fa2e9abf] Merge tag 'ntb-5.7' of git://github.com/jonmason/ntb
testing commit 56a451b780676bc1cdac011735fe2869fa2e9abf with gcc (GCC) 8.1.0
kernel signature: d0e2f00f19b8b5e9d4076710b93e09a56dd5d3052eff336821f96d88d0b0e13e
all runs: crashed: KASAN: slab-out-of-bounds Read in dlfb_usb_probe
# git bisect bad 56a451b780676bc1cdac011735fe2869fa2e9abf
Bisecting: 1643 revisions left to test after this (roughly 11 steps)
[49835c15a55225e9b3ff9cc9317135b334ea2d49] Merge tag 'pm-5.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
testing commit 49835c15a55225e9b3ff9cc9317135b334ea2d49 with gcc (GCC) 8.1.0
kernel signature: a004999616e5d3df0292fa091c912eb6ec7dc59a691cbc8059787e79cefe8ed3
run #0: crashed: KASAN: slab-out-of-bounds Read in dlfb_usb_probe
run #1: crashed: KASAN: slab-out-of-bounds Read in dlfb_usb_probe
run #2: crashed: KASAN: slab-out-of-bounds Read in dlfb_usb_probe
run #3: crashed: KASAN: slab-out-of-bounds Read in dlfb_usb_probe
run #4: crashed: KASAN: slab-out-of-bounds Read in dlfb_usb_probe
run #5: crashed: KASAN: slab-out-of-bounds Read in dlfb_usb_probe
run #6: crashed: KASAN: slab-out-of-bounds Read in dlfb_usb_probe
run #7: crashed: KASAN: slab-out-of-bounds Read in dlfb_usb_probe
run #8: crashed: KASAN: slab-out-of-bounds Read in dlfb_usb_probe
run #9: boot failed: can't ssh into the instance
# git bisect bad 49835c15a55225e9b3ff9cc9317135b334ea2d49
Bisecting: 934 revisions left to test after this (roughly 10 steps)
[063d1942247668eb0bb800aef5afbbef337344be] Merge tag 'media/v5.7-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media
testing commit 063d1942247668eb0bb800aef5afbbef337344be with gcc (GCC) 8.1.0
kernel signature: e2dded454b33893908369cf061d7f07ef46ad92a41d794e8908b410952d4b4dc
run #0: OK
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: boot failed: can't ssh into the instance
# git bisect good 063d1942247668eb0bb800aef5afbbef337344be
Bisecting: 516 revisions left to test after this (roughly 9 steps)
[e681bb287f40e7a9dbcb04cef80fd87a2511ab86] staging: vt6656: Use DIV_ROUND_UP macro instead of specific code
testing commit e681bb287f40e7a9dbcb04cef80fd87a2511ab86 with gcc (GCC) 8.1.0
kernel signature: 1dfd8598f212b97d12bc79219e6f70a53c9976e48fdfb56d6843cc8d12977274
all runs: OK
# git bisect good e681bb287f40e7a9dbcb04cef80fd87a2511ab86
Bisecting: 266 revisions left to test after this (roughly 8 steps)
[db34c5ffee649e2c4c870d1031a996398a187cf5] Merge tag 'usb-5.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
testing commit db34c5ffee649e2c4c870d1031a996398a187cf5 with gcc (GCC) 8.1.0
kernel signature: 031ceda88541d98a192163de5a9d0d24abf9bf80f6ea11520df29daa3d3f7e89
all runs: crashed: KASAN: slab-out-of-bounds Read in dlfb_usb_probe
# git bisect bad db34c5ffee649e2c4c870d1031a996398a187cf5
Bisecting: 121 revisions left to test after this (roughly 7 steps)
[a8ab3e76297ea85d92f4ee0833bd469816a13ccf] Merge tag 'usb-for-v5.7' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb into usb-next
testing commit a8ab3e76297ea85d92f4ee0833bd469816a13ccf with gcc (GCC) 8.1.0
kernel signature: 2abe44357698bf692b424acfe78ca5ffdabce952d94a83893ba3b6e776af24f7
all runs: crashed: KASAN: slab-out-of-bounds Read in dlfb_usb_probe
# git bisect bad a8ab3e76297ea85d92f4ee0833bd469816a13ccf
Bisecting: 63 revisions left to test after this (roughly 6 steps)
[d1c6a769cdf466053ae211789f2b0671c8a72331] usb: typec: mux: Allow the mux handles to be requested with fwnode
testing commit d1c6a769cdf466053ae211789f2b0671c8a72331 with gcc (GCC) 8.1.0
kernel signature: aa71011d0724820e3212fd232a5fc1a00cf0fb68d443d423be2356e1d6226105
all runs: OK
# git bisect good d1c6a769cdf466053ae211789f2b0671c8a72331
Bisecting: 31 revisions left to test after this (roughly 5 steps)
[eeead847487f726fa177d0f4060c4f0816ad9cd9] usb: gadget: amd5536udc: fix spelling mistake "reserverd" -> "reserved"
testing commit eeead847487f726fa177d0f4060c4f0816ad9cd9 with gcc (GCC) 8.1.0
kernel signature: ce944332610127d4ee0bb5e8f70589abe4d123dacba5ae5aee97f73f31cbc181
all runs: crashed: KASAN: slab-out-of-bounds Read in dlfb_usb_probe
# git bisect bad eeead847487f726fa177d0f4060c4f0816ad9cd9
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[3d157c28d2289edf0439e8308e8de3a06acaaf0e] doc: dt: bindings: usb: dwc3: Update entries for disabling SS instances in park mode
testing commit 3d157c28d2289edf0439e8308e8de3a06acaaf0e with gcc (GCC) 8.1.0
kernel signature: 91efc12e83fc09c9ee2f76074689bd956dd5daaf5eaf965829364de825ef5cfc
all runs: OK
# git bisect good 3d157c28d2289edf0439e8308e8de3a06acaaf0e
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[0227cc84c44417a29c8102e41db8ec2c11ebc6b2] usb: dwc3: core: don't do suspend for device mode if already suspended
testing commit 0227cc84c44417a29c8102e41db8ec2c11ebc6b2 with gcc (GCC) 8.1.0
kernel signature: 05b7a72ac2e25dca08921a654976e7e452102548d1b7c9f1be8213a97498b4e3
all runs: OK
# git bisect good 0227cc84c44417a29c8102e41db8ec2c11ebc6b2
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[95b18f28979e12539cc02f6ec4e2c776e8551f39] dt-bindings: usb: dwc2: add compatible property for rk3328 usb
testing commit 95b18f28979e12539cc02f6ec4e2c776e8551f39 with gcc (GCC) 8.1.0
kernel signature: 42b9f8d09d2932142e75992e7a94ba7e88203b7faa1a2b45920f5f6df3823a70
run #0: crashed: KASAN: slab-out-of-bounds Read in dlfb_usb_probe
run #1: crashed: KASAN: slab-out-of-bounds Read in dlfb_usb_probe
run #2: crashed: KASAN: slab-out-of-bounds Read in dlfb_usb_probe
run #3: crashed: KASAN: slab-out-of-bounds Read in dlfb_usb_probe
run #4: crashed: KASAN: slab-out-of-bounds Read in dlfb_usb_probe
run #5: crashed: KASAN: slab-out-of-bounds Read in dlfb_usb_probe
run #6: crashed: KASAN: slab-out-of-bounds Read in dlfb_usb_probe
run #7: crashed: KASAN: slab-out-of-bounds Read in dlfb_usb_probe
run #8: crashed: KASAN: slab-out-of-bounds Read in dlfb_usb_probe
run #9: boot failed: can't ssh into the instance
# git bisect bad 95b18f28979e12539cc02f6ec4e2c776e8551f39
Bisecting: 1 revision left to test after this (roughly 1 step)
[1a0808cb9e417170ed6ab97254cf319dc3e3c310] usb: dwc2: Implement set_selfpowered()
testing commit 1a0808cb9e417170ed6ab97254cf319dc3e3c310 with gcc (GCC) 8.1.0
kernel signature: 3deda9a3f327295810eab9d1acdc8fabf0d81c6131f9f3b61991f48a2e08e19a
all runs: OK
# git bisect good 1a0808cb9e417170ed6ab97254cf319dc3e3c310
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10] usb: gadget: add raw-gadget interface
testing commit f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10 with gcc (GCC) 8.1.0
kernel signature: 7f53bd9f0f2908276fda64c853ee1aadbd54fd6ce26d90763b3fe911b8fc4d65
all runs: crashed: KASAN: slab-out-of-bounds Read in dlfb_usb_probe
# git bisect bad f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10
f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10 is the first bad commit
commit f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10
Author: Andrey Konovalov
Date:   Mon Feb 24 17:13:03 2020 +0100

    usb: gadget: add raw-gadget interface

    USB Raw Gadget is a kernel module that provides a userspace interface for
    the USB Gadget subsystem. Essentially, it allows emulating USB devices
    from userspace. Enabled with CONFIG_USB_RAW_GADGET. Raw Gadget is
    currently a strictly debugging feature and shouldn't be used in
    production.

    Raw Gadget is similar to GadgetFS, but provides lower-level and more
    direct access to the USB Gadget layer for userspace. The key differences
    are:

    1. Every USB request is passed to the userspace to get a response, while
       GadgetFS responds to some USB requests internally based on the
       provided descriptors. Note, however, that the UDC driver might respond
       to some requests on its own and never forward them to the Gadget
       layer.

    2. GadgetFS performs some sanity checks on the provided USB descriptors,
       while Raw Gadget allows you to provide arbitrary data as responses to
       USB requests.

    3. Raw Gadget provides a way to select a UDC device/driver to bind to,
       while GadgetFS currently binds to the first available UDC.

    4. Raw Gadget uses predictable endpoint names (handles) across different
       UDCs (as long as UDCs have enough endpoints of each required transfer
       type).

    5. Raw Gadget has an ioctl-based interface instead of a filesystem-based
       one.

    Reviewed-by: Greg Kroah-Hartman
    Signed-off-by: Andrey Konovalov
    Signed-off-by: Felipe Balbi

 Documentation/usb/index.rst            |    1 +
 Documentation/usb/raw-gadget.rst       |   61 ++
 drivers/usb/gadget/legacy/Kconfig      |   11 +
 drivers/usb/gadget/legacy/Makefile     |    1 +
 drivers/usb/gadget/legacy/raw_gadget.c | 1078 ++++++++++++++++++++++++++++++++
 include/uapi/linux/usb/raw_gadget.h    |  167 +++++
 6 files changed, 1319 insertions(+)
 create mode 100644 Documentation/usb/raw-gadget.rst
 create mode 100644 drivers/usb/gadget/legacy/raw_gadget.c
 create mode 100644 include/uapi/linux/usb/raw_gadget.h

culprit signature: 7f53bd9f0f2908276fda64c853ee1aadbd54fd6ce26d90763b3fe911b8fc4d65
parent signature: 3deda9a3f327295810eab9d1acdc8fabf0d81c6131f9f3b61991f48a2e08e19a
revisions tested: 16, total time: 3h47m11.591121949s (build: 1h48m43.011640264s, test: 1h57m12.972696782s)
first bad commit: f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10 usb: gadget: add raw-gadget interface
cc: ["andreyknvl@google.com" "balbi@kernel.org" "gregkh@linuxfoundation.org"]
crash: KASAN: slab-out-of-bounds Read in dlfb_usb_probe
==================================================================
BUG: KASAN: slab-out-of-bounds in hex_string+0x389/0x500 lib/vsprintf.c:1137
Read of size 1 at addr ffff88809dae549b by task kworker/0:38/2803

CPU: 0 PID: 2803 Comm: kworker/0:38 Not tainted 5.6.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x128/0x182 lib/dump_stack.c:118
 print_address_description.constprop.8.cold.10+0x9/0x317 mm/kasan/report.c:374
 __kasan_report.cold.11+0x1c/0x34 mm/kasan/report.c:506
 kasan_report+0xe/0x20 mm/kasan/common.c:641
 hex_string+0x389/0x500 lib/vsprintf.c:1137
 pointer+0x145/0x510 lib/vsprintf.c:2193
 vsnprintf+0x3f7/0x1190 lib/vsprintf.c:2578
 va_format.isra.10+0xf7/0x160 lib/vsprintf.c:1652
 pointer+0x224/0x510 lib/vsprintf.c:2221
 vsnprintf+0x3f7/0x1190 lib/vsprintf.c:2578
 vscnprintf+0x9/0x30 lib/vsprintf.c:2677
 vprintk_store+0x34/0x360 kernel/printk/printk.c:1917
 vprintk_emit+0xfc/0x560 kernel/printk/printk.c:1978
 dev_vprintk_emit+0x400/0x445 drivers/base/core.c:3616
 dev_printk_emit+0x90/0xb6 drivers/base/core.c:3627
 _dev_info+0xc8/0xf6 drivers/base/core.c:3685
 dlfb_parse_vendor_descriptor drivers/video/fbdev/udlfb.c:1589 [inline]
 dlfb_usb_probe.cold.23+0xea7/0x1a0a drivers/video/fbdev/udlfb.c:1672
 usb_probe_interface+0x268/0x6c0 drivers/usb/core/driver.c:361
 really_probe+0x1f9/0x5e0 drivers/base/dd.c:551
 driver_probe_device+0xc9/0x1b0 drivers/base/dd.c:724
 bus_for_each_drv+0x117/0x1a0 drivers/base/bus.c:431
 __device_attach+0x1be/0x2c0 drivers/base/dd.c:897
 bus_probe_device+0x19e/0x250 drivers/base/bus.c:491
 device_add+0x10d0/0x1900 drivers/base/core.c:2500
 usb_set_configuration+0xc02/0x1560 drivers/usb/core/message.c:2023
 generic_probe+0x61/0x8a drivers/usb/core/generic.c:210
 really_probe+0x1f9/0x5e0 drivers/base/dd.c:551
 driver_probe_device+0xc9/0x1b0 drivers/base/dd.c:724
 bus_for_each_drv+0x117/0x1a0 drivers/base/bus.c:431
 __device_attach+0x1be/0x2c0 drivers/base/dd.c:897
 bus_probe_device+0x19e/0x250 drivers/base/bus.c:491
 device_add+0x10d0/0x1900 drivers/base/core.c:2500
 usb_new_device.cold.66+0x679/0xe85 drivers/usb/core/hub.c:2548
 hub_port_connect drivers/usb/core/hub.c:5195 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5335 [inline]
 port_event drivers/usb/core/hub.c:5481 [inline]
 hub_event+0x15fe/0x2d60 drivers/usb/core/hub.c:5563
 process_one_work+0x903/0x15c0 kernel/workqueue.c:2264
 worker_thread+0x82/0xb50 kernel/workqueue.c:2410
 kthread+0x31d/0x3e0 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 2803:
 save_stack+0x19/0x80 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 __kasan_kmalloc.constprop.17+0xc1/0xd0 mm/kasan/common.c:515
 __do_kmalloc mm/slab.c:3656 [inline]
 __kmalloc+0x164/0x7b0 mm/slab.c:3665
 kmalloc include/linux/slab.h:560 [inline]
 usb_get_configuration+0x2a9/0x3880 drivers/usb/core/config.c:919
 usb_enumerate_device drivers/usb/core/hub.c:2381 [inline]
 usb_new_device+0x345/0x6d0 drivers/usb/core/hub.c:2517
 hub_port_connect drivers/usb/core/hub.c:5195 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5335 [inline]
 port_event drivers/usb/core/hub.c:5481 [inline]
 hub_event+0x15fe/0x2d60 drivers/usb/core/hub.c:5563
 process_one_work+0x903/0x15c0 kernel/workqueue.c:2264
 worker_thread+0x82/0xb50 kernel/workqueue.c:2410
 kthread+0x31d/0x3e0 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Freed by task 0:
 save_stack+0x19/0x80 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 kasan_set_free_info mm/kasan/common.c:337 [inline]
 __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:476
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x107/0x2b0 mm/slab.c:3757
 security_cred_free+0xa2/0x100 security/security.c:1580
 put_cred_rcu+0xe6/0x430 kernel/cred.c:114
 rcu_do_batch kernel/rcu/tree.c:2186 [inline]
 rcu_core+0x584/0x1290 kernel/rcu/tree.c:2410
 __do_softirq+0x26e/0x9b2 kernel/softirq.c:292

The buggy address belongs to the object at ffff88809dae5480
 which belongs to the cache kmalloc-32 of size 32
The buggy address is located 27 bytes inside of
 32-byte region [ffff88809dae5480, ffff88809dae54a0)
The buggy address belongs to the page:
page:ffffea000276b940 refcount:1 mapcount:0 mapping:ffff8880aa4001c0 index:0xffff88809dae5fc1
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea0002a5c8c8 ffffea00027404c8 ffff8880aa4001c0
raw: ffff88809dae5fc1 ffff88809dae5000 000000010000003b 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809dae5380: fb fb fb fb fc fc fc fc 00 00 00 04 fc fc fc fc
 ffff88809dae5400: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
>ffff88809dae5480: 00 00 00 03 fc fc fc fc fb fb fb fb fc fc fc fc
                            ^
 ffff88809dae5500: fb fb fb fb fc fc fc fc 05 fc fc fc fc fc fc fc
 ffff88809dae5580: 05 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
==================================================================