bisecting fixing commit since cd796ed3345030aa1bb332fe5c793b3dddaf56e7
building syzkaller on a7f7f4a49efe0adb56a41e1cc91aeb106d428eb2
testing commit cd796ed3345030aa1bb332fe5c793b3dddaf56e7 with gcc (GCC) 8.1.0
kernel signature: 6fad324636360980d226f39f6ea80294b4e3f2574fefab5092cf1871aca9a46c
all runs: crashed: WARNING in sisusb_send_bulk_msg/usb_submit_urb
testing current HEAD e609571b5ffa3528bf85292de1ceaddac342bc1c
testing commit e609571b5ffa3528bf85292de1ceaddac342bc1c with gcc (GCC) 8.1.0
kernel signature: 98e19ec1d797d677c45ed3bbf2ec806c375803e14655c66448027065e194731e
all runs: OK
# git bisect start e609571b5ffa3528bf85292de1ceaddac342bc1c cd796ed3345030aa1bb332fe5c793b3dddaf56e7
Bisecting: 6968 revisions left to test after this (roughly 13 steps)
[3db1a3fa98808aa90f95ec3e0fa2fc7abf28f5c9] Merge tag 'staging-5.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging
testing commit 3db1a3fa98808aa90f95ec3e0fa2fc7abf28f5c9 with gcc (GCC) 8.1.0
kernel signature: bf5c86e5ab8bba3aa0a94d9231f468c032d319db677ca6e3ee048c8e772387c5
all runs: crashed: WARNING in sisusb_send_bulk_msg/usb_submit_urb
# git bisect good 3db1a3fa98808aa90f95ec3e0fa2fc7abf28f5c9
Bisecting: 3368 revisions left to test after this (roughly 12 steps)
[9805529ec544ea7a82d891d5239a8ebd3dbb2a3e] Merge tag 'arm-soc-dt-5.11' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
testing commit 9805529ec544ea7a82d891d5239a8ebd3dbb2a3e with gcc (GCC) 8.1.0
kernel signature: e07134accee6402a94e0a446a67128a00a8cbf519db319c7c81c7e705ecc55f0
all runs: crashed: WARNING in sisusb_send_bulk_msg/usb_submit_urb
# git bisect good 9805529ec544ea7a82d891d5239a8ebd3dbb2a3e
Bisecting: 1719 revisions left to test after this (roughly 11 steps)
[f4a2f7866faaf89ea1595b136e01fcb336b46aab] Merge tag 'rtc-5.11' of git://git.kernel.org/pub/scm/linux/kernel/git/abelloni/linux
testing commit f4a2f7866faaf89ea1595b136e01fcb336b46aab with gcc (GCC) 8.1.0
kernel signature: 221b9a05158222d9c641da02152d07361fa45a8d7393da7fe1cd6afb50e772d6
all runs: crashed: WARNING in sisusb_send_bulk_msg/usb_submit_urb
# git bisect good f4a2f7866faaf89ea1595b136e01fcb336b46aab
Bisecting: 867 revisions left to test after this (roughly 10 steps)
[1f13d2f7d8a407be09e841f17805b2451271d493] Merge tag 'libnvdimm-for-5.11' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm
testing commit 1f13d2f7d8a407be09e841f17805b2451271d493 with gcc (GCC) 8.1.0
kernel signature: 2c6a3bbb2e9ba1cffc32c68c4ce6e6112747b42302dfc01d0e2bc4de21af4193
all runs: crashed: WARNING in sisusb_send_bulk_msg/usb_submit_urb
# git bisect good 1f13d2f7d8a407be09e841f17805b2451271d493
Bisecting: 433 revisions left to test after this (roughly 9 steps)
[6ee49118f87cf02b36f68812bc49855b7b627a2b] MAINTAINERS: Update MCAN MMIO device driver maintainer
testing commit 6ee49118f87cf02b36f68812bc49855b7b627a2b with gcc (GCC) 8.1.0
kernel signature: 2772f0551327044c1690e4329976d8e05f01ee634eef9c538278a975d943b03b
run #0: crashed: WARNING in sisusb_send_bulk_msg/usb_submit_urb
run #1: crashed: WARNING in sisusb_send_bulk_msg/usb_submit_urb
run #2: crashed: WARNING in sisusb_send_bulk_msg/usb_submit_urb
run #3: crashed: WARNING in sisusb_send_bulk_msg/usb_submit_urb
run #4: crashed: WARNING in sisusb_send_bulk_msg/usb_submit_urb
run #5: crashed: WARNING in sisusb_send_bulk_msg/usb_submit_urb
run #6: crashed: WARNING in sisusb_send_bulk_msg/usb_submit_urb
run #7: crashed: WARNING in sisusb_send_bulk_msg/usb_submit_urb
run #8: crashed: WARNING in sisusb_send_bulk_msg/usb_submit_urb
run #9: crashed: WARNING in corrupted/usb_submit_urb
# git bisect good 6ee49118f87cf02b36f68812bc49855b7b627a2b
Bisecting: 215 revisions left to test after this (roughly 8 steps)
[fb9ca0be63b49eece304f50023e736a678cc4159] Merge tag 'acpi-5.11-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
testing commit fb9ca0be63b49eece304f50023e736a678cc4159 with gcc (GCC) 8.1.0
kernel signature: 753af450ad9dfb820e669f6c8b7f1f83a3b5ed441911b850094583eed3a43977
all runs: crashed: WARNING in sisusb_send_bulk_msg/usb_submit_urb
# git bisect good fb9ca0be63b49eece304f50023e736a678cc4159
Bisecting: 122 revisions left to test after this (roughly 7 steps)
[4ad9a28f56d70b950b1232151b2354636853727a] Merge tag 'staging-5.11-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging
testing commit 4ad9a28f56d70b950b1232151b2354636853727a with gcc (GCC) 8.1.0
kernel signature: 2aa6558ced05fa9a29de7a756cb251189a3b4958a0e5a70b9a856ef38df5555f
all runs: crashed: WARNING in sisusb_send_bulk_msg/usb_submit_urb
# git bisect good 4ad9a28f56d70b950b1232151b2354636853727a
Bisecting: 71 revisions left to test after this (roughly 6 steps)
[d430adfea8d2c5baa186cabb130235f72fecbd5b] Merge tag 'io_uring-5.11-2021-01-10' of git://git.kernel.dk/linux-block
testing commit d430adfea8d2c5baa186cabb130235f72fecbd5b with gcc (GCC) 8.1.0
kernel signature: 1e0ba0ce160d366516bb7f7987f89294acc0fe6a2631324b217aa243911a03ae
all runs: OK
# git bisect bad d430adfea8d2c5baa186cabb130235f72fecbd5b
Bisecting: 25 revisions left to test after this (roughly 5 steps)
[d7889c2020e08caab0d7e36e947f642d91015bd0] usb: gadget: select CONFIG_CRC32
testing commit d7889c2020e08caab0d7e36e947f642d91015bd0 with gcc (GCC) 8.1.0
kernel signature: 5ffedb687de9340902a9b58c77b3f01cc5ba79dfea1343deb15ac6c4c58feea2
all runs: OK
# git bisect bad d7889c2020e08caab0d7e36e947f642d91015bd0
Bisecting: 12 revisions left to test after this (roughly 4 steps)
[0a88fa221ce911c331bf700d2214c5b2f77414d3] usb: gadget: u_ether: Fix MTU size mismatch with RX packet size
testing commit 0a88fa221ce911c331bf700d2214c5b2f77414d3 with gcc (GCC) 8.1.0
kernel signature: 2bd3796a61a07073ea16be948dc68541d6752cb971059fa51e472d32b6410719
all runs: crashed: WARNING in sisusb_send_bulk_msg/usb_submit_urb
# git bisect good 0a88fa221ce911c331bf700d2214c5b2f77414d3
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[9389044f27081d6ec77730c36d5bf9a1288bcda2] usb: gadget: f_uac2: reset wMaxPacketSize
testing commit 9389044f27081d6ec77730c36d5bf9a1288bcda2 with gcc (GCC) 8.1.0
kernel signature: 79db6d2b51dc85fad5a43400b5710e3995971e60587c2a02c170a748bdeb45cb
all runs: crashed: WARNING in sisusb_send_bulk_msg/usb_submit_urb
# git bisect good 9389044f27081d6ec77730c36d5bf9a1288bcda2
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[718bf42b119de652ebcc93655a1f33a9c0d04b3c] usb: usbip: vhci_hcd: protect shift size
testing commit 718bf42b119de652ebcc93655a1f33a9c0d04b3c with gcc (GCC) 8.1.0
kernel signature: fdb0eb371c79a1f00d4c798af87945c968236ad1662307b4b4504d48b3566f4d
all runs: OK
# git bisect bad 718bf42b119de652ebcc93655a1f33a9c0d04b3c
Bisecting: 0 revisions left to test after this (roughly 1 step)
[020a1f453449294926ca548d8d5ca970926e8dfd] USB: usblp: fix DMA to stack
testing commit 020a1f453449294926ca548d8d5ca970926e8dfd with gcc (GCC) 8.1.0
kernel signature: 4c72735a31d1b297d439bc5ebfb9d6f638816233b9eafe3435f05dc6d3ee18b9
all runs: OK
# git bisect bad 020a1f453449294926ca548d8d5ca970926e8dfd
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[c318840fb2a42ce25febc95c4c19357acf1ae5ca] USB: Gadget: dummy-hcd: Fix shift-out-of-bounds bug
testing commit c318840fb2a42ce25febc95c4c19357acf1ae5ca with gcc (GCC) 8.1.0
kernel signature: 5f9d68f90ff13ff0b07e4b33b2d922b7c68f71d8b4b0f6252b6c35c867cc138e
run #0: boot failed: can't ssh into the instance
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad c318840fb2a42ce25febc95c4c19357acf1ae5ca
c318840fb2a42ce25febc95c4c19357acf1ae5ca is the first bad commit
commit c318840fb2a42ce25febc95c4c19357acf1ae5ca
Author: Alan Stern
Date: Wed Dec 30 11:20:44 2020 -0500

USB: Gadget: dummy-hcd: Fix shift-out-of-bounds bug

The dummy-hcd driver was written under the assumption that all the parameters in URBs sent to its root hub would be valid. With URBs sent from userspace via usbfs, that assumption can be violated.

In particular, the driver doesn't fully check the port-feature values stored in the wValue entry of Clear-Port-Feature and Set-Port-Feature requests. Values that are too large can cause the driver to perform an invalid left shift of more than 32 bits. Ironically, two of those left shifts are unnecessary, because they implement Set-Port-Feature requests that hubs are not required to support, according to section 11.24.2.13 of the USB-2.0 spec.

This patch adds the appropriate checks for the port feature selector values and removes the unnecessary feature settings. It also rejects requests to set the TEST feature or to set or clear the INDICATOR and C_OVERCURRENT features, as none of these are relevant to dummy-hcd's root-hub emulation.

CC:
Reported-and-tested-by: syzbot+5925509f78293baa7331@syzkaller.appspotmail.com
Signed-off-by: Alan Stern
Link: https://lore.kernel.org/r/20201230162044.GA727759@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman

drivers/usb/gadget/udc/dummy_hcd.c | 35 +++++++++++++++++++++++------------
1 file changed, 23 insertions(+), 12 deletions(-)

culprit signature: 5f9d68f90ff13ff0b07e4b33b2d922b7c68f71d8b4b0f6252b6c35c867cc138e
parent signature: 79db6d2b51dc85fad5a43400b5710e3995971e60587c2a02c170a748bdeb45cb
revisions tested: 16, total time: 2h54m32.648243403s (build: 1h14m30.41140061s, test: 1h38m37.834190393s)
first good commit: c318840fb2a42ce25febc95c4c19357acf1ae5ca USB: Gadget: dummy-hcd: Fix shift-out-of-bounds bug
recipients (to): ["gregkh@linuxfoundation.org" "stern@rowland.harvard.edu" "syzbot+5925509f78293baa7331@syzkaller.appspotmail.com"]
recipients (cc): []