bisecting cause commit starting from 7ae77150d94d3b535c7b85e6b3647113095e79bf building syzkaller on 81abc33188b4caf19873b9676ab1d8dc0e3511ca testing commit 7ae77150d94d3b535c7b85e6b3647113095e79bf with gcc (GCC) 8.1.0 kernel signature: 5fbf7231524d17c3cf53f6488a838ee98fac792ad0ae9d6ffd7cca22b59617bb all runs: crashed: KASAN: slab-out-of-bounds Write in snd_usb_mixer_notify_id testing release v5.7 testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 with gcc (GCC) 8.1.0 kernel signature: 61c13b9b3e20132014a926829f88a95d0c22a8621942998687e8f0b9e6c207d4 all runs: crashed: KASAN: slab-out-of-bounds Write in snd_usb_mixer_notify_id testing release v5.6 testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0 kernel signature: 8ba0f6d42f823306e7f07c08cd230655e967bb6608ff46e2168b11539b06fa2d all runs: OK # git bisect start 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 7111951b8d4973bda27ff663f2cf18b663d15b48 Bisecting: 7542 revisions left to test after this (roughly 13 steps) [50a5de895dbe5df947b3a695777db5b2c313e065] Merge tag 'for-linus-hmm' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma testing commit 50a5de895dbe5df947b3a695777db5b2c313e065 with gcc (GCC) 8.1.0 kernel signature: 1d163c71320ed4bf8f5d378fe97c4d309f2b5bee29dd7076ff8a9ddc43807e33 all runs: crashed: KASAN: slab-out-of-bounds Write in snd_usb_mixer_notify_id # git bisect bad 50a5de895dbe5df947b3a695777db5b2c313e065 Bisecting: 4204 revisions left to test after this (roughly 12 steps) [56a451b780676bc1cdac011735fe2869fa2e9abf] Merge tag 'ntb-5.7' of git://github.com/jonmason/ntb testing commit 56a451b780676bc1cdac011735fe2869fa2e9abf with gcc (GCC) 8.1.0 kernel signature: 7a18d24cb080f59ef5ad3035b104ba030844d713930fe61a0d4fe7c0a6a93639 all runs: crashed: KASAN: slab-out-of-bounds Write in snd_usb_mixer_notify_id # git bisect bad 56a451b780676bc1cdac011735fe2869fa2e9abf Bisecting: 1643 revisions left to test after this (roughly 11 steps) [49835c15a55225e9b3ff9cc9317135b334ea2d49] Merge tag 'pm-5.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm testing commit 49835c15a55225e9b3ff9cc9317135b334ea2d49 with gcc (GCC) 8.1.0 kernel signature: ee72e1670844cd05cbed0b672211c7bd7f09460f9f2974560ee55970cccc0694 all runs: crashed: KASAN: slab-out-of-bounds Write in snd_usb_mixer_notify_id # git bisect bad 49835c15a55225e9b3ff9cc9317135b334ea2d49 Bisecting: 934 revisions left to test after this (roughly 10 steps) [063d1942247668eb0bb800aef5afbbef337344be] Merge tag 'media/v5.7-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media testing commit 063d1942247668eb0bb800aef5afbbef337344be with gcc (GCC) 8.1.0 kernel signature: db5bd2a740dc1dd696ee96cc351adca86a446e08519b64e994309ecc40954ec3 all runs: OK # git bisect good 063d1942247668eb0bb800aef5afbbef337344be Bisecting: 516 revisions left to test after this (roughly 9 steps) [e681bb287f40e7a9dbcb04cef80fd87a2511ab86] staging: vt6656: Use DIV_ROUND_UP macro instead of specific code testing commit e681bb287f40e7a9dbcb04cef80fd87a2511ab86 with gcc (GCC) 8.1.0 kernel signature: 72e3b6320e158c02d133d0127d2c92c4bfc503834e466f49fab3aca2821cf030 all runs: OK # git bisect good e681bb287f40e7a9dbcb04cef80fd87a2511ab86 Bisecting: 266 revisions left to test after this (roughly 8 steps) [db34c5ffee649e2c4c870d1031a996398a187cf5] Merge tag 'usb-5.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb testing commit db34c5ffee649e2c4c870d1031a996398a187cf5 with gcc (GCC) 8.1.0 kernel signature: 7678b48b8896213d1186e6706b492e32b813d3113f4b6383909d8de032260fe9 all runs: crashed: KASAN: slab-out-of-bounds Write in snd_usb_mixer_notify_id # git bisect bad db34c5ffee649e2c4c870d1031a996398a187cf5 Bisecting: 121 revisions left to test after this (roughly 7 steps) [a8ab3e76297ea85d92f4ee0833bd469816a13ccf] Merge tag 'usb-for-v5.7' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb into usb-next testing commit a8ab3e76297ea85d92f4ee0833bd469816a13ccf with gcc (GCC) 8.1.0 kernel signature: dc5cd37de361205eacb2e945b42f4bdd143d63828407ca4a980c2d3583896838 all runs: crashed: KASAN: slab-out-of-bounds Write in snd_usb_mixer_notify_id # git bisect bad a8ab3e76297ea85d92f4ee0833bd469816a13ccf Bisecting: 63 revisions left to test after this (roughly 6 steps) [d1c6a769cdf466053ae211789f2b0671c8a72331] usb: typec: mux: Allow the mux handles to be requested with fwnode testing commit d1c6a769cdf466053ae211789f2b0671c8a72331 with gcc (GCC) 8.1.0 kernel signature: d673eaa12913d95027381e73bbd7122cf396bb59a41ad7e44337f12e38ea473f all runs: OK # git bisect good d1c6a769cdf466053ae211789f2b0671c8a72331 Bisecting: 31 revisions left to test after this (roughly 5 steps) [eeead847487f726fa177d0f4060c4f0816ad9cd9] usb: gadget: amd5536udc: fix spelling mistake "reserverd" -> "reserved" testing commit eeead847487f726fa177d0f4060c4f0816ad9cd9 with gcc (GCC) 8.1.0 kernel signature: d94515c69161fb7434c63dbeff17142633d2dd8cfd99898545ae2104f431b4d4 all runs: crashed: KASAN: slab-out-of-bounds Write in snd_usb_mixer_notify_id # git bisect bad eeead847487f726fa177d0f4060c4f0816ad9cd9 Bisecting: 15 revisions left to test after this (roughly 4 steps) [3d157c28d2289edf0439e8308e8de3a06acaaf0e] doc: dt: bindings: usb: dwc3: Update entries for disabling SS instances in park mode testing commit 3d157c28d2289edf0439e8308e8de3a06acaaf0e with gcc (GCC) 8.1.0 kernel signature: cc46e02cf4ae42b1dd911a0daeeabcb7e9b98fb6e9be47018f15de2533401eda all runs: OK # git bisect good 3d157c28d2289edf0439e8308e8de3a06acaaf0e Bisecting: 7 revisions left to test after this (roughly 3 steps) [0227cc84c44417a29c8102e41db8ec2c11ebc6b2] usb: dwc3: core: don't do suspend for device mode if already suspended testing commit 0227cc84c44417a29c8102e41db8ec2c11ebc6b2 with gcc (GCC) 8.1.0 kernel signature: 5ef1cd3ef28851a71a2f932195e6f47f09d1c9629201b7399d3a37e121bd10fd all runs: OK # git bisect good 0227cc84c44417a29c8102e41db8ec2c11ebc6b2 Bisecting: 3 revisions left to test after this (roughly 2 steps) [95b18f28979e12539cc02f6ec4e2c776e8551f39] dt-bindings: usb: dwc2: add compatible property for rk3328 usb testing commit 95b18f28979e12539cc02f6ec4e2c776e8551f39 with gcc (GCC) 8.1.0 kernel signature: a0c38c031c186b19150a8447cb2776b000df90df048d7ae453e9cd17c950f5c5 all runs: crashed: KASAN: slab-out-of-bounds Write in snd_usb_mixer_notify_id # git bisect bad 95b18f28979e12539cc02f6ec4e2c776e8551f39 Bisecting: 1 revision left to test after this (roughly 1 step) [1a0808cb9e417170ed6ab97254cf319dc3e3c310] usb: dwc2: Implement set_selfpowered() testing commit 1a0808cb9e417170ed6ab97254cf319dc3e3c310 with gcc (GCC) 8.1.0 kernel signature: 0a197df25b5d45ea875bfa305e6a0edbb7307c0815ae389d936c6fe593dba2d4 run #0: OK run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: boot failed: can't ssh into the instance # git bisect good 1a0808cb9e417170ed6ab97254cf319dc3e3c310 Bisecting: 0 revisions left to test after this (roughly 0 steps) [f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10] usb: gadget: add raw-gadget interface testing commit f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10 with gcc (GCC) 8.1.0 kernel signature: 5b26f6c72ea05ca60f17835492b7422eb91fcff0d67acd4b89382b24dfbb8f9e all runs: crashed: KASAN: slab-out-of-bounds Write in snd_usb_mixer_notify_id # git bisect bad f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10 f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10 is the first bad commit commit f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10 Author: Andrey Konovalov Date: Mon Feb 24 17:13:03 2020 +0100 usb: gadget: add raw-gadget interface USB Raw Gadget is a kernel module that provides a userspace interface for the USB Gadget subsystem. Essentially it allows to emulate USB devices from userspace. Enabled with CONFIG_USB_RAW_GADGET. Raw Gadget is currently a strictly debugging feature and shouldn't be used in production. Raw Gadget is similar to GadgetFS, but provides a more low-level and direct access to the USB Gadget layer for the userspace. The key differences are: 1. Every USB request is passed to the userspace to get a response, while GadgetFS responds to some USB requests internally based on the provided descriptors. However note, that the UDC driver might respond to some requests on its own and never forward them to the Gadget layer. 2. GadgetFS performs some sanity checks on the provided USB descriptors, while Raw Gadget allows you to provide arbitrary data as responses to USB requests. 3. Raw Gadget provides a way to select a UDC device/driver to bind to, while GadgetFS currently binds to the first available UDC. 4. Raw Gadget uses predictable endpoint names (handles) across different UDCs (as long as UDCs have enough endpoints of each required transfer type). 5. Raw Gadget has ioctl-based interface instead of a filesystem-based one. Reviewed-by: Greg Kroah-Hartman Signed-off-by: Andrey Konovalov Signed-off-by: Felipe Balbi Documentation/usb/index.rst | 1 + Documentation/usb/raw-gadget.rst | 61 ++ drivers/usb/gadget/legacy/Kconfig | 11 + drivers/usb/gadget/legacy/Makefile | 1 + drivers/usb/gadget/legacy/raw_gadget.c | 1078 ++++++++++++++++++++++++++++++++ include/uapi/linux/usb/raw_gadget.h | 167 +++++ 6 files changed, 1319 insertions(+) create mode 100644 Documentation/usb/raw-gadget.rst create mode 100644 drivers/usb/gadget/legacy/raw_gadget.c create mode 100644 include/uapi/linux/usb/raw_gadget.h culprit signature: 5b26f6c72ea05ca60f17835492b7422eb91fcff0d67acd4b89382b24dfbb8f9e parent signature: 0a197df25b5d45ea875bfa305e6a0edbb7307c0815ae389d936c6fe593dba2d4 revisions tested: 17, total time: 3h30m11.684739587s (build: 1h41m52.223698771s, test: 1h47m2.895032337s) first bad commit: f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10 usb: gadget: add raw-gadget interface cc: ["andreyknvl@google.com" "balbi@kernel.org" "gregkh@linuxfoundation.org"] crash: KASAN: slab-out-of-bounds Write in snd_usb_mixer_notify_id ================================================================== BUG: KASAN: slab-out-of-bounds in snd_usb_mixer_notify_id+0x106/0x160 sound/usb/mixer.c:3175 Write of size 4 at addr ffff8880a22297e0 by task kworker/0:8/4056 CPU: 0 PID: 4056 Comm: kworker/0:8 Not tainted 5.6.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: usb_hub_wq hub_event Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x128/0x182 lib/dump_stack.c:118 print_address_description.constprop.8.cold.10+0x9/0x317 mm/kasan/report.c:374 __kasan_report.cold.11+0x1c/0x34 mm/kasan/report.c:506 kasan_report+0xe/0x20 mm/kasan/common.c:641 snd_usb_mixer_notify_id+0x106/0x160 sound/usb/mixer.c:3175 snd_usb_mixer_interrupt+0x462/0x720 sound/usb/mixer.c:3312 __usb_hcd_giveback_urb+0x1d9/0x370 drivers/usb/core/hcd.c:1648 dummy_timer+0xfe6/0x2b10 drivers/usb/gadget/udc/dummy_hcd.c:1966 call_timer_fn+0x167/0x570 kernel/time/timer.c:1404 expire_timers kernel/time/timer.c:1449 [inline] __run_timers kernel/time/timer.c:1773 [inline] run_timer_softirq+0xc8c/0x1170 kernel/time/timer.c:1786 __do_softirq+0x26e/0x9b2 kernel/softirq.c:292 invoke_softirq kernel/softirq.c:373 [inline] irq_exit+0x191/0x1d0 kernel/softirq.c:413 exiting_irq arch/x86/include/asm/apic.h:546 [inline] smp_apic_timer_interrupt+0x1a1/0x5f0 arch/x86/kernel/apic/apic.c:1146 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829 RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:759 [inline] RIP: 0010:console_unlock+0x8bb/0xbd0 kernel/printk/printk.c:2481 Code: 40 5c b3 88 48 89 f8 48 c1 e8 03 42 80 3c 30 00 0f 85 b7 02 00 00 48 83 3d f1 0f 60 07 00 0f 84 0e 01 00 00 48 8b 7d c8 57 9d <0f> 1f 44 00 00 e9 9c f8 ff ff 49 8d 7f 08 48 89 f8 48 c1 e8 03 42 RSP: 0018:ffffc90001f373b0 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff13 RAX: 1ffffffff1166b88 RBX: 0000000000000200 RCX: 0000000000000006 RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000282 RBP: ffffc90001f37428 R08: fffffbfff165a795 R09: fffffbfff165a795 R10: fffffbfff165a794 R11: ffffffff8b2d3ca7 R12: 0000000000000000 R13: ffffffff89306f10 R14: dffffc0000000000 R15: 0000000000000000 vprintk_emit+0x19c/0x560 kernel/printk/printk.c:1996 dev_vprintk_emit+0x400/0x445 drivers/base/core.c:3616 dev_printk_emit+0x90/0xb6 drivers/base/core.c:3627 _dev_warn+0xc8/0xf6 drivers/base/core.c:3683 usb_parse_endpoint drivers/usb/core/config.c:411 [inline] usb_parse_interface drivers/usb/core/config.c:582 [inline] usb_parse_configuration drivers/usb/core/config.c:795 [inline] usb_get_configuration.cold.10+0x87f/0x1878 drivers/usb/core/config.c:944 usb_enumerate_device drivers/usb/core/hub.c:2381 [inline] usb_new_device+0x345/0x6d0 drivers/usb/core/hub.c:2517 hub_port_connect drivers/usb/core/hub.c:5195 [inline] hub_port_connect_change drivers/usb/core/hub.c:5335 [inline] port_event drivers/usb/core/hub.c:5481 [inline] hub_event+0x15fe/0x2d60 drivers/usb/core/hub.c:5563 process_one_work+0x903/0x15c0 kernel/workqueue.c:2264 worker_thread+0x82/0xb50 kernel/workqueue.c:2410 kthread+0x31d/0x3e0 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Allocated by task 4054: save_stack+0x19/0x80 mm/kasan/common.c:72 set_track mm/kasan/common.c:80 [inline] __kasan_kmalloc.constprop.17+0xc1/0xd0 mm/kasan/common.c:515 kmem_cache_alloc_trace+0x156/0x780 mm/slab.c:3551 kmalloc include/linux/slab.h:555 [inline] kzalloc include/linux/slab.h:669 [inline] add_single_ctl_with_resume+0x55/0x1b0 sound/usb/mixer_quirks.c:146 snd_mbox1_create_sync_switch sound/usb/mixer_quirks.c:718 [inline] snd_usb_mixer_apply_create_quirk+0x111f/0x1930 sound/usb/mixer_quirks.c:2234 snd_usb_create_mixer+0x743/0x18e0 sound/usb/mixer.c:3471 create_composite_quirk+0x18c/0x3b0 sound/usb/quirks.c:48 usb_audio_probe+0x492/0x1c90 sound/usb/card.c:650 usb_probe_interface+0x268/0x6c0 drivers/usb/core/driver.c:361 really_probe+0x1f9/0x5e0 drivers/base/dd.c:551 driver_probe_device+0xc9/0x1b0 drivers/base/dd.c:724 bus_for_each_drv+0x117/0x1a0 drivers/base/bus.c:431 __device_attach+0x1be/0x2c0 drivers/base/dd.c:897 bus_probe_device+0x19e/0x250 drivers/base/bus.c:491 device_add+0x10d0/0x1900 drivers/base/core.c:2500 usb_set_configuration+0xc02/0x1560 drivers/usb/core/message.c:2023 generic_probe+0x61/0x8a drivers/usb/core/generic.c:210 really_probe+0x1f9/0x5e0 drivers/base/dd.c:551 driver_probe_device+0xc9/0x1b0 drivers/base/dd.c:724 bus_for_each_drv+0x117/0x1a0 drivers/base/bus.c:431 __device_attach+0x1be/0x2c0 drivers/base/dd.c:897 bus_probe_device+0x19e/0x250 drivers/base/bus.c:491 device_add+0x10d0/0x1900 drivers/base/core.c:2500 usb_new_device.cold.66+0x679/0xe85 drivers/usb/core/hub.c:2548 hub_port_connect drivers/usb/core/hub.c:5195 [inline] hub_port_connect_change drivers/usb/core/hub.c:5335 [inline] port_event drivers/usb/core/hub.c:5481 [inline] hub_event+0x15fe/0x2d60 drivers/usb/core/hub.c:5563 process_one_work+0x903/0x15c0 kernel/workqueue.c:2264 worker_thread+0x82/0xb50 kernel/workqueue.c:2410 kthread+0x31d/0x3e0 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Freed by task 0: (stack is not available) The buggy address belongs to the object at ffff8880a2229780 which belongs to the cache kmalloc-64 of size 64 The buggy address is located 32 bytes to the right of 64-byte region [ffff8880a2229780, ffff8880a22297c0) The buggy address belongs to the page: page:ffffea0002888a40 refcount:1 mapcount:0 mapping:ffff8880aa400380 index:0x0 flags: 0xfffe0000000200(slab) raw: 00fffe0000000200 ffffea0002479e48 ffff8880aa401348 ffff8880aa400380 raw: 0000000000000000 ffff8880a2229000 0000000100000020 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880a2229680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8880a2229700: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc >ffff8880a2229780: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc ^ ffff8880a2229800: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc ffff8880a2229880: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc ==================================================================