bisecting fixing commit since 2c85ebc57b3e1817b6ce1a6b703928e113a90442
building syzkaller on 97183ed760478c5b970c8c549d99c8147a72e293
testing commit 2c85ebc57b3e1817b6ce1a6b703928e113a90442 with gcc (GCC) 8.1.0
kernel signature: 87f5503eff62e8578cfd6ff35b5330650e6ed19f77678e98dde8a1a8ce7131e1
all runs: crashed: WARNING in input_register_device
testing current HEAD e2da783614bb8930aa89753d3c3cd53d5604665d
testing commit e2da783614bb8930aa89753d3c3cd53d5604665d with gcc (GCC) 8.1.0
kernel signature: 731bc5aeff3b3053b64e4f2b06fa1aca058d62861398e55bb59e1a4826896c43
all runs: OK
# git bisect start e2da783614bb8930aa89753d3c3cd53d5604665d 2c85ebc57b3e1817b6ce1a6b703928e113a90442
Bisecting: 7140 revisions left to test after this (roughly 13 steps)
[2dda5700ef6af806e0358f63d81eb436a0d280fa] Merge tag 'regulator-v5.11' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator
testing commit 2dda5700ef6af806e0358f63d81eb436a0d280fa with gcc (GCC) 8.1.0
kernel signature: f1bb79f10581917cae464ece9549ae16eafe9fb75f32fcd001c4149445c36982
all runs: crashed: WARNING in input_register_device
# git bisect good 2dda5700ef6af806e0358f63d81eb436a0d280fa
Bisecting: 3688 revisions left to test after this (roughly 12 steps)
[9805529ec544ea7a82d891d5239a8ebd3dbb2a3e] Merge tag 'arm-soc-dt-5.11' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
testing commit 9805529ec544ea7a82d891d5239a8ebd3dbb2a3e with gcc (GCC) 8.1.0
kernel signature: e07134accee6402a94e0a446a67128a00a8cbf519db319c7c81c7e705ecc55f0
all runs: crashed: WARNING in input_register_device
# git bisect good 9805529ec544ea7a82d891d5239a8ebd3dbb2a3e
Bisecting: 1854 revisions left to test after this (roughly 11 steps)
[6a447b0e3151893f6d4a889956553c06d2e775c6] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
testing commit 6a447b0e3151893f6d4a889956553c06d2e775c6 with gcc (GCC) 8.1.0
kernel signature: 6bf006b799667a7c8ec69293d913a97aa4d4873b1e94a5b9a6df653eb2d28975
all runs: crashed: WARNING in input_register_device
# git bisect good 6a447b0e3151893f6d4a889956553c06d2e775c6
Bisecting: 927 revisions left to test after this (roughly 10 steps)
[eda809aef53426d044b519405d25d9da55319b76] Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
testing commit eda809aef53426d044b519405d25d9da55319b76 with gcc (GCC) 8.1.0
kernel signature: 87564d7621d6ee19a790b1719b0c11fe5cf9626effbfde90dc392b9f75c07f1c
all runs: crashed: WARNING in input_register_device
# git bisect good eda809aef53426d044b519405d25d9da55319b76
Bisecting: 476 revisions left to test after this (roughly 9 steps)
[0653161f0faca68b77b3f36fb4b4b9b8b07050e5] Merge tag 'arc-5.11-rc3-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc
testing commit 0653161f0faca68b77b3f36fb4b4b9b8b07050e5 with gcc (GCC) 8.1.0
kernel signature: 2e27f2b3db9442fb5ad1b8b2519d9edad8a13b62e2d84518574093152cedefa9
all runs: crashed: WARNING in input_register_device
# git bisect good 0653161f0faca68b77b3f36fb4b4b9b8b07050e5
Bisecting: 205 revisions left to test after this (roughly 8 steps)
[e8c13a6bc8ebbef7bd099ec1061633d1c9c94d5b] Merge tag 'net-5.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit e8c13a6bc8ebbef7bd099ec1061633d1c9c94d5b with gcc (GCC) 8.1.0
kernel signature: 94bbae5e5d2c581318a06fd1f11c9377b75af0f4d1fa757dbdd14a7433511b95
all runs: OK
# git bisect bad e8c13a6bc8ebbef7bd099ec1061633d1c9c94d5b
Bisecting: 136 revisions left to test after this (roughly 7 steps)
[c912fd05fab97934e4cf579654d0dc4835b4758c] Merge tag 'nfsd-5.11-1' of git://git.linux-nfs.org/projects/cel/cel-2.6
testing commit c912fd05fab97934e4cf579654d0dc4835b4758c with gcc (GCC) 8.1.0
kernel signature: e3c8b29b665379f94daaec80743b132396e42f1e84afff42083a12c75b650ed9
all runs: OK
# git bisect bad c912fd05fab97934e4cf579654d0dc4835b4758c
Bisecting: 62 revisions left to test after this (roughly 6 steps)
[28318f53503090fcd8fd27c49445396ea2ace44b] Merge tag 'usb-5.11-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
testing commit 28318f53503090fcd8fd27c49445396ea2ace44b with gcc (GCC) 8.1.0
kernel signature: 6660b94b4f32bda52d60a272d0634e39977849b62792b14719a22ee3ca2dbc9a
all runs: OK
# git bisect bad 28318f53503090fcd8fd27c49445396ea2ace44b
Bisecting: 35 revisions left to test after this (roughly 5 steps)
[6c75c2bad36cfb43b144e6a0a76a69993c72097f] usb: typec: Send uevent for num_altmodes update
testing commit 6c75c2bad36cfb43b144e6a0a76a69993c72097f with gcc (GCC) 8.1.0
kernel signature: 9512fa1326fd49b6049119c1b1d5660cb8e95c958aa9be753cc72e42c3a5f06b
all runs: OK
# git bisect bad 6c75c2bad36cfb43b144e6a0a76a69993c72097f
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[e5f4ca3fce90a37b23a77bfcc86800d484a80514] usb: dwc3: ulpi: Fix USB2.0 HS/FS/LS PHY suspend regression
testing commit e5f4ca3fce90a37b23a77bfcc86800d484a80514 with gcc (GCC) 8.1.0
kernel signature: 234396d14b9ad3b16ba2c99af0c2eedfb3ed849c53820fa08e9b13bd86bb6d66
all runs: crashed: WARNING in input_register_device
# git bisect good e5f4ca3fce90a37b23a77bfcc86800d484a80514
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[6cd0fe91387917be48e91385a572a69dfac2f3f7] usb: gadget: configfs: Preserve function ordering after bind failure
testing commit 6cd0fe91387917be48e91385a572a69dfac2f3f7 with gcc (GCC) 8.1.0
kernel signature: 147c8bdc90ce9443f42a1a79d9c38fcd32bcaa3dee38a2eee17e37c712390c09
all runs: OK
# git bisect bad 6cd0fe91387917be48e91385a572a69dfac2f3f7
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[718bf42b119de652ebcc93655a1f33a9c0d04b3c] usb: usbip: vhci_hcd: protect shift size
testing commit 718bf42b119de652ebcc93655a1f33a9c0d04b3c with gcc (GCC) 8.1.0
kernel signature: fdb0eb371c79a1f00d4c798af87945c968236ad1662307b4b4504d48b3566f4d
all runs: OK
# git bisect bad 718bf42b119de652ebcc93655a1f33a9c0d04b3c
Bisecting: 1 revision left to test after this (roughly 1 step)
[c318840fb2a42ce25febc95c4c19357acf1ae5ca] USB: Gadget: dummy-hcd: Fix shift-out-of-bounds bug
testing commit c318840fb2a42ce25febc95c4c19357acf1ae5ca with gcc (GCC) 8.1.0
kernel signature: 5f9d68f90ff13ff0b07e4b33b2d922b7c68f71d8b4b0f6252b6c35c867cc138e
all runs: OK
# git bisect bad c318840fb2a42ce25febc95c4c19357acf1ae5ca
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[9389044f27081d6ec77730c36d5bf9a1288bcda2] usb: gadget: f_uac2: reset wMaxPacketSize
testing commit 9389044f27081d6ec77730c36d5bf9a1288bcda2 with gcc (GCC) 8.1.0
kernel signature: 79db6d2b51dc85fad5a43400b5710e3995971e60587c2a02c170a748bdeb45cb
all runs: crashed: WARNING in input_register_device
# git bisect good 9389044f27081d6ec77730c36d5bf9a1288bcda2
c318840fb2a42ce25febc95c4c19357acf1ae5ca is the first bad commit
commit c318840fb2a42ce25febc95c4c19357acf1ae5ca
Author: Alan Stern
Date: Wed Dec 30 11:20:44 2020 -0500

    USB: Gadget: dummy-hcd: Fix shift-out-of-bounds bug

    The dummy-hcd driver was written under the assumption that all the parameters in URBs sent to its root hub would be valid. With URBs sent from userspace via usbfs, that assumption can be violated.

    In particular, the driver doesn't fully check the port-feature values stored in the wValue entry of Clear-Port-Feature and Set-Port-Feature requests. Values that are too large can cause the driver to perform an invalid left shift of more than 32 bits. Ironically, two of those left shifts are unnecessary, because they implement Set-Port-Feature requests that hubs are not required to support, according to section 11.24.2.13 of the USB-2.0 spec.

    This patch adds the appropriate checks for the port feature selector values and removes the unnecessary feature settings. It also rejects requests to set the TEST feature or to set or clear the INDICATOR and C_OVERCURRENT features, as none of these are relevant to dummy-hcd's root-hub emulation.

    CC:
    Reported-and-tested-by: syzbot+5925509f78293baa7331@syzkaller.appspotmail.com
    Signed-off-by: Alan Stern
    Link: https://lore.kernel.org/r/20201230162044.GA727759@rowland.harvard.edu
    Signed-off-by: Greg Kroah-Hartman

 drivers/usb/gadget/udc/dummy_hcd.c | 35 +++++++++++++++++++++++------------
 1 file changed, 23 insertions(+), 12 deletions(-)
culprit signature: 5f9d68f90ff13ff0b07e4b33b2d922b7c68f71d8b4b0f6252b6c35c867cc138e
parent signature: 79db6d2b51dc85fad5a43400b5710e3995971e60587c2a02c170a748bdeb45cb
revisions tested: 16, total time: 3h8m20.745634533s (build: 1h16m27.465770063s, test: 1h50m28.43368138s)
first good commit: c318840fb2a42ce25febc95c4c19357acf1ae5ca USB: Gadget: dummy-hcd: Fix shift-out-of-bounds bug
recipients (to): ["gregkh@linuxfoundation.org" "stern@rowland.harvard.edu" "syzbot+5925509f78293baa7331@syzkaller.appspotmail.com"]
recipients (cc): []