ci starts bisection 2022-12-29 12:22:13.01906705 +0000 UTC m=+157283.561772634
bisecting fixing commit since 42e66b1cc3a070671001f8a1e933a80818a192bf
building syzkaller on a805568e4d02790fde7024112cf476d48c43c06b
ensuring issue is reproducible on original commit 42e66b1cc3a070671001f8a1e933a80818a192bf

testing commit 42e66b1cc3a070671001f8a1e933a80818a192bf gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: ef11d586b38ac9ebe5a41f2bf93fcd4943fc57ff675b1079f8f88eea2732f49a
all runs: crashed: UBSAN: shift-out-of-bounds in snto32

testing current HEAD 1b929c02afd37871d5afb9d498426f83432e71c2
testing commit 1b929c02afd37871d5afb9d498426f83432e71c2 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: c422076b7eaf3742f28afcb65d8277c7c392283bdd58ad28ef0e726ae724ec1a
all runs: OK

# git bisect start 1b929c02afd37871d5afb9d498426f83432e71c2 42e66b1cc3a070671001f8a1e933a80818a192bf
Bisecting: 15518 revisions left to test after this (roughly 14 steps)
[1f63d1a106e98db5cd378b21a471f7ddd710d1b5] Merge tag 'char-misc-6.1-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
testing commit 1f63d1a106e98db5cd378b21a471f7ddd710d1b5 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 39b335e233531575ea09f5f54122231af46e626c3616a5ff5ce4d87abef817be
all runs: crashed: UBSAN: shift-out-of-bounds in snto32

# git bisect good 1f63d1a106e98db5cd378b21a471f7ddd710d1b5
Bisecting: 7764 revisions left to test after this (roughly 13 steps)
[86a0b4255e84563739d137ad374af6c7215bb3ff] Merge tag 'input-for-v6.2-rc0' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
testing commit 86a0b4255e84563739d137ad374af6c7215bb3ff gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 9d58a9d5935a3ba7caa9052563f81a5bc2e4248a2ec146922f526fba840761aa
all runs: OK

# git bisect bad 86a0b4255e84563739d137ad374af6c7215bb3ff
Bisecting: 3905 revisions left to test after this (roughly 12 steps)
[97971df811b8854882c0f6c6631e23ab8cdcc44f] Merge tag 'dlm-6.2' of git://git.kernel.org/pub/scm/linux/kernel/git/teigland/linux-dlm
testing commit 97971df811b8854882c0f6c6631e23ab8cdcc44f gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 7c1964e7d5cf8f91c0d2731efe385638b763c3cb681321f8060e6f77142d52b0
all runs: OK

# git bisect bad 97971df811b8854882c0f6c6631e23ab8cdcc44f
Bisecting: 2289 revisions left to test after this (roughly 11 steps)
[8e17b16a2c13406c56a4d292df3ca083f8729666] Merge tag 'soc-drivers-6.2' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
testing commit 8e17b16a2c13406c56a4d292df3ca083f8729666 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: ff774593755d4999ffad109f8ce7c89f7591397686b9f94d8a6c6defbfc27f76
all runs: OK

# git bisect bad 8e17b16a2c13406c56a4d292df3ca083f8729666
Bisecting: 778 revisions left to test after this (roughly 10 steps)
[1506fba28b53fd159c7028c4809a4a3143a38eb7] KEYS: trusted: tee: Make registered shm dependency explicit
testing commit 1506fba28b53fd159c7028c4809a4a3143a38eb7 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: ae915509a305bfc1ea3102c537efe71ec80a1096f5086b476630c2bd9856a6a0
all runs: crashed: UBSAN: shift-out-of-bounds in snto32

# git bisect good 1506fba28b53fd159c7028c4809a4a3143a38eb7
Bisecting: 389 revisions left to test after this (roughly 9 steps)
[164f59000c19fa1ee5d09327a8055ec9f9b9905a] Merge tag 'microblaze-v6.2' of git://git.monstr.eu/linux-2.6-microblaze
testing commit 164f59000c19fa1ee5d09327a8055ec9f9b9905a gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 178d7b91c8840d25b8b97b9916783ad6ee9fa3b7607dd0e296f5a34a1243a0d2
all runs: OK

# git bisect bad 164f59000c19fa1ee5d09327a8055ec9f9b9905a
Bisecting: 188 revisions left to test after this (roughly 8 steps)
[1fab45ab6e823f9d7e5bc9520b2aa6564d6d58a7] Merge tag 'rcu.2022.12.02a' of git://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu
testing commit 1fab45ab6e823f9d7e5bc9520b2aa6564d6d58a7 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 67de1977bbc61d580ce81a959e01c5c7b644ee5017fd840acb80e437e35dd6c2
all runs: OK

# git bisect bad 1fab45ab6e823f9d7e5bc9520b2aa6564d6d58a7
Bisecting: 113 revisions left to test after this (roughly 7 steps)
[f8bac7f9fdb0017b32157957ffffd490f95faa07] net: dsa: sja1105: avoid out of bounds access in sja1105_init_l2_policing()
testing commit f8bac7f9fdb0017b32157957ffffd490f95faa07 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 4fa176bfbdd61bca50bd4284c95f37944022b4056ea47aaa4067a8869d9b7b9d
all runs: crashed: UBSAN: shift-out-of-bounds in snto32

# git bisect good f8bac7f9fdb0017b32157957ffffd490f95faa07
Bisecting: 53 revisions left to test after this (roughly 6 steps)
[4cee37b3a4e68c42b867c87a6218e11bc571ba66] Merge tag 'mm-hotfixes-stable-2022-12-10-1' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
testing commit 4cee37b3a4e68c42b867c87a6218e11bc571ba66 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 3d69aa2c1ccd7a6a6b2438c6759b37ebe9386003ac9e460cfb083bbbbb8f7b0e
all runs: OK

# git bisect bad 4cee37b3a4e68c42b867c87a6218e11bc571ba66
Bisecting: 29 revisions left to test after this (roughly 5 steps)
[af145500afa53fce55c9ee98e405fd0d65f018d0] Merge tag 'io_uring-6.1-2022-12-08' of git://git.kernel.dk/linux
testing commit af145500afa53fce55c9ee98e405fd0d65f018d0 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: eb008d16c456ca3d3b4dbb47f0f0bf8ac387d07f19e911c8c4687f7fd3c28a57
all runs: OK

# git bisect bad af145500afa53fce55c9ee98e405fd0d65f018d0
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[7f043b7662b6a9cfa981c02199ac939ed1c11372] Merge tag 'loongarch-fixes-6.1-3' of git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson
testing commit 7f043b7662b6a9cfa981c02199ac939ed1c11372 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 2c333ad1bc519cd48e35b5dd0468437032948104604195049267486dd755e220
all runs: crashed: UBSAN: shift-out-of-bounds in snto32

# git bisect good 7f043b7662b6a9cfa981c02199ac939ed1c11372
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[40f2432b53a01b6d5e3a9057f1d5c406930e1360] Revert "HID: logitech-hidpp: Remove special-casing of Bluetooth devices"
testing commit 40f2432b53a01b6d5e3a9057f1d5c406930e1360 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 1cba121aeeb7fbe451c519a6b84c2208766743251e52cce3f8ae3181d0029337
all runs: OK

# git bisect bad 40f2432b53a01b6d5e3a9057f1d5c406930e1360
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[2afac81dd16544d825f309fd992d2af6304353df] HID: fix I2C_HID not selected when I2C_HID_OF_ELAN is
testing commit 2afac81dd16544d825f309fd992d2af6304353df gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: c76b095182a40e0cd68087bcb5503c4a78d6af80c4b98dc6573a2988b4c51e7e
all runs: crashed: UBSAN: shift-out-of-bounds in snto32

# git bisect good 2afac81dd16544d825f309fd992d2af6304353df
Bisecting: 1 revision left to test after this (roughly 1 step)
[ec61b41918587be530398b0d1c9a0d16619397e5] HID: core: fix shift-out-of-bounds in hid_report_raw_event
testing commit ec61b41918587be530398b0d1c9a0d16619397e5 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 19ae84f2999eeca8347eea29edadea3e47b45591d75913e2852b1b326a545265
all runs: OK

# git bisect bad ec61b41918587be530398b0d1c9a0d16619397e5
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[3405a4beaaa852f3ed2a5eb3b5149932d5c3779b] HID: uclogic: Add HID_QUIRK_HIDINPUT_FORCE quirk
testing commit 3405a4beaaa852f3ed2a5eb3b5149932d5c3779b gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: a88a70df5b06f5fc407e8842179bd6196272accc756108562e68ca5174ca588d
all runs: crashed: UBSAN: shift-out-of-bounds in snto32

# git bisect good 3405a4beaaa852f3ed2a5eb3b5149932d5c3779b
ec61b41918587be530398b0d1c9a0d16619397e5 is the first bad commit
commit ec61b41918587be530398b0d1c9a0d16619397e5
Author: ZhangPeng
Date: Wed Nov 16 07:14:28 2022 +0000

    HID: core: fix shift-out-of-bounds in hid_report_raw_event

    Syzbot reported shift-out-of-bounds in hid_report_raw_event.

    microsoft 0003:045E:07DA.0001: hid_field_extract() called with n (128) > 32! (swapper/0)
    ======================================================================
    UBSAN: shift-out-of-bounds in drivers/hid/hid-core.c:1323:20
    shift exponent 127 is too large for 32-bit type 'int'
    CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.1.0-rc4-syzkaller-00159-g4bbf3422df78 #0
    Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
    Call Trace:
     __dump_stack lib/dump_stack.c:88 [inline]
     dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
     ubsan_epilogue lib/ubsan.c:151 [inline]
     __ubsan_handle_shift_out_of_bounds+0x3a6/0x420 lib/ubsan.c:322
     snto32 drivers/hid/hid-core.c:1323 [inline]
     hid_input_fetch_field drivers/hid/hid-core.c:1572 [inline]
     hid_process_report drivers/hid/hid-core.c:1665 [inline]
     hid_report_raw_event+0xd56/0x18b0 drivers/hid/hid-core.c:1998
     hid_input_report+0x408/0x4f0 drivers/hid/hid-core.c:2066
     hid_irq_in+0x459/0x690 drivers/hid/usbhid/hid-core.c:284
     __usb_hcd_giveback_urb+0x369/0x530 drivers/usb/core/hcd.c:1671
     dummy_timer+0x86b/0x3110 drivers/usb/gadget/udc/dummy_hcd.c:1988
     call_timer_fn+0xf5/0x210 kernel/time/timer.c:1474
     expire_timers kernel/time/timer.c:1519 [inline]
     __run_timers+0x76a/0x980 kernel/time/timer.c:1790
     run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1803
     __do_softirq+0x277/0x75b kernel/softirq.c:571
     __irq_exit_rcu+0xec/0x170 kernel/softirq.c:650
     irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
     sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1107
    ======================================================================

    If the size of the integer (unsigned n) is bigger than 32 in snto32(),
    shift exponent will be too large for 32-bit type 'int', resulting in a
    shift-out-of-bounds bug.
    Fix this by adding a check on the size of the integer (unsigned n) in
    snto32(). To add support for n greater than 32 bits, set n to 32, if n
    is greater than 32.

    Reported-by: syzbot+8b1641d2f14732407e23@syzkaller.appspotmail.com
    Fixes: dde5845a529f ("[PATCH] Generic HID layer - code split")
    Signed-off-by: ZhangPeng
    Signed-off-by: Jiri Kosina

 drivers/hid/hid-core.c | 3 +++
 1 file changed, 3 insertions(+)

culprit signature: 19ae84f2999eeca8347eea29edadea3e47b45591d75913e2852b1b326a545265
parent signature: a88a70df5b06f5fc407e8842179bd6196272accc756108562e68ca5174ca588d
revisions tested: 17, total time: 4h1m31.639817158s (build: 2h8m41.190988073s, test: 1h48m53.470178013s)
first good commit: ec61b41918587be530398b0d1c9a0d16619397e5 HID: core: fix shift-out-of-bounds in hid_report_raw_event
recipients (to): ["benjamin.tissoires@redhat.com" "jikos@kernel.org" "jkosina@suse.cz" "linux-input@vger.kernel.org" "zhangpeng362@huawei.com"]
recipients (cc): ["linux-kernel@vger.kernel.org"]