bisecting cause commit starting from dbb5afad100a828c97e012c6106566d99f041db6 building syzkaller on ed7d41c582d6f194ff35353d8bfdf7681dc0718e testing commit dbb5afad100a828c97e012c6106566d99f041db6 with gcc (GCC) 10.2.1 20210217 kernel signature: fb9f0da2ebbc2c7fcbc36753b88d794ee9af2ab407c0c86e98829652464468e2 run #0: crashed: BUG: corrupted list in usb_hcd_link_urb_to_ep run #1: crashed: WARNING in cm109_input_open/usb_submit_urb run #2: crashed: WARNING in cm109_input_open/usb_submit_urb run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK reproducer seems to be flaky testing release v5.12 testing commit 9f4ad9e425a1d3b6a34617b8ea226d56a119a717 with gcc (GCC) 10.2.1 20210217 kernel signature: 57524b8e5faf3884e6362a3ad6e2e4f755adc3965c55def8283883a0466c6dcd run #0: crashed: WARNING in cm109_input_open/usb_submit_urb run #1: OK run #2: OK run #3: crashed: BUG: corrupted list in usb_hcd_link_urb_to_ep run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK testing release v5.11 testing commit f40ddce88593482919761f74910f42f4b84c004b with gcc (GCC) 10.2.1 20210217 kernel signature: 159488a0c5a4b311f87fff258019dcffec62dae5bbc49c48e1d0329045725b45 run #0: crashed: BUG: corrupted list in usb_hcd_link_urb_to_ep run #1: crashed: BUG: corrupted list in usb_hcd_link_urb_to_ep run #2: crashed: BUG: corrupted list in usb_hcd_link_urb_to_ep run #3: OK run #4: OK run #5: OK run #6: crashed: WARNING in cm109_input_open/usb_submit_urb run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK testing release v5.10 testing commit 2c85ebc57b3e1817b6ce1a6b703928e113a90442 with gcc (GCC) 10.2.1 20210217 kernel signature: ce2c82a0b040823c2e613484ec3dbce0cc1bae41b61de2df6b539b3f8c63c9ad run #0: crashed: BUG: corrupted list in usb_hcd_link_urb_to_ep run #1: crashed: WARNING in cm109_input_open/usb_submit_urb run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK testing release v5.9 testing commit bbf5c979011a099af5dc76498918ed7df445635b with gcc (GCC) 10.2.1 20210217 kernel signature: 51fc4290c1b10776531a588127382eb0aa33ffa54dfff8280327c300a1d3d8f7 all runs: crashed: WARNING in cm109_submit_buzz_toggle/usb_submit_urb testing release v5.8 testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.4.1 20210217 kernel signature: f66601bd351a7861769f93ada572658b51d29287ef2e24a1b67eecf6300b480b all runs: crashed: WARNING in cm109_submit_buzz_toggle/usb_submit_urb testing release v5.7 testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 with gcc (GCC) 8.4.1 20210217 kernel signature: 5af3fe3745f724d4b8fd23c5742be4f50d012a82ffce7b32b7add3e94d5d72ee all runs: crashed: WARNING in cm109_submit_buzz_toggle/usb_submit_urb testing release v5.6 testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.4.1 20210217 kernel signature: 50655865de9cdc527083d08316d437bad09c32a06068c65e3fbf49d30d465e49 all runs: OK # git bisect start 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 7111951b8d4973bda27ff663f2cf18b663d15b48 Bisecting: 7542 revisions left to test after this (roughly 13 steps) [50a5de895dbe5df947b3a695777db5b2c313e065] Merge tag 'for-linus-hmm' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma testing commit 50a5de895dbe5df947b3a695777db5b2c313e065 with gcc (GCC) 8.4.1 20210217 kernel signature: 821ac304a3c8317c4ddd0db528cd9f5122b88e14ea48f23a9bce945fe51d977b all runs: crashed: WARNING in cm109_submit_buzz_toggle/usb_submit_urb # git bisect bad 50a5de895dbe5df947b3a695777db5b2c313e065 Bisecting: 4204 revisions left to test after this (roughly 12 steps) [56a451b780676bc1cdac011735fe2869fa2e9abf] Merge tag 'ntb-5.7' of git://github.com/jonmason/ntb testing commit 56a451b780676bc1cdac011735fe2869fa2e9abf with gcc (GCC) 8.4.1 20210217 kernel signature: 887274964afffcf64729666051774a7453efd9355e6f848498bd4c94b5ac7184 all runs: crashed: WARNING in cm109_submit_buzz_toggle/usb_submit_urb # git bisect bad 56a451b780676bc1cdac011735fe2869fa2e9abf Bisecting: 1643 revisions left to test after this (roughly 11 steps) [49835c15a55225e9b3ff9cc9317135b334ea2d49] Merge tag 'pm-5.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm testing commit 49835c15a55225e9b3ff9cc9317135b334ea2d49 with gcc (GCC) 8.4.1 20210217 kernel signature: 461bcdda93e4ca4d53a35e91bfbe559b6b959aca6478eb0bebfa35f75c336c1e run #0: crashed: WARNING in cm109_submit_buzz_toggle/usb_submit_urb run #1: crashed: WARNING in cm109_submit_buzz_toggle/usb_submit_urb run #2: crashed: WARNING in cm109_submit_buzz_toggle/usb_submit_urb run #3: crashed: WARNING in cm109_submit_buzz_toggle/usb_submit_urb run #4: crashed: WARNING in cm109_submit_buzz_toggle/usb_submit_urb run #5: crashed: WARNING in cm109_submit_buzz_toggle/usb_submit_urb run #6: crashed: WARNING in cm109_submit_buzz_toggle/usb_submit_urb run #7: crashed: WARNING in cm109_submit_buzz_toggle/usb_submit_urb run #8: crashed: WARNING in cm109_submit_buzz_toggle/usb_submit_urb run #9: crashed: WARNING in cm109_submit_buzz_toggle/usb_submit_urb run #10: crashed: WARNING in cm109_submit_buzz_toggle/usb_submit_urb run #11: crashed: WARNING in cm109_submit_buzz_toggle/usb_submit_urb run #12: crashed: WARNING in cm109_submit_buzz_toggle/usb_submit_urb run #13: crashed: WARNING in cm109_submit_buzz_toggle/usb_submit_urb run #14: crashed: WARNING in cm109_submit_buzz_toggle/usb_submit_urb run #15: crashed: WARNING in cm109_submit_buzz_toggle/usb_submit_urb run #16: crashed: WARNING in cm109_submit_buzz_toggle/usb_submit_urb run #17: crashed: WARNING in cm109_submit_buzz_toggle/usb_submit_urb run #18: crashed: WARNING in cm109_submit_buzz_toggle/usb_submit_urb run #19: boot failed: can't ssh into the instance # git bisect bad 49835c15a55225e9b3ff9cc9317135b334ea2d49 Bisecting: 934 revisions left to test after this (roughly 10 steps) [063d1942247668eb0bb800aef5afbbef337344be] Merge tag 'media/v5.7-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media testing commit 063d1942247668eb0bb800aef5afbbef337344be with gcc (GCC) 8.4.1 20210217 kernel signature: 03149ea7e07759c37dea6477acc7c52c71222a8a51f18bfe87762545b4556acf all runs: OK # git bisect good 063d1942247668eb0bb800aef5afbbef337344be Bisecting: 516 revisions left to test after this (roughly 9 steps) [e681bb287f40e7a9dbcb04cef80fd87a2511ab86] staging: vt6656: Use DIV_ROUND_UP macro instead of specific code testing commit e681bb287f40e7a9dbcb04cef80fd87a2511ab86 with gcc (GCC) 8.4.1 20210217 kernel signature: 782d0f89de88bc978cfca18b01adfa2242ee741dcbc07abbed8733994fd7e540 all runs: OK # git bisect good e681bb287f40e7a9dbcb04cef80fd87a2511ab86 Bisecting: 266 revisions left to test after this (roughly 8 steps) [db34c5ffee649e2c4c870d1031a996398a187cf5] Merge tag 'usb-5.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb testing commit db34c5ffee649e2c4c870d1031a996398a187cf5 with gcc (GCC) 8.4.1 20210217 kernel signature: b6a17e0e92e36241239d740e3c124a8bed65b621119ec163133ee9540e935f96 all runs: crashed: WARNING in cm109_submit_buzz_toggle/usb_submit_urb # git bisect bad db34c5ffee649e2c4c870d1031a996398a187cf5 Bisecting: 121 revisions left to test after this (roughly 7 steps) [a8ab3e76297ea85d92f4ee0833bd469816a13ccf] Merge tag 'usb-for-v5.7' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb into usb-next testing commit a8ab3e76297ea85d92f4ee0833bd469816a13ccf with gcc (GCC) 8.4.1 20210217 kernel signature: 20ca6dea6a06542cc2ebdec03fa04f240bfefba81df73d07559efa6ddb61fd71 all runs: crashed: WARNING in cm109_submit_buzz_toggle/usb_submit_urb # git bisect bad a8ab3e76297ea85d92f4ee0833bd469816a13ccf Bisecting: 63 revisions left to test after this (roughly 6 steps) [d1c6a769cdf466053ae211789f2b0671c8a72331] usb: typec: mux: Allow the mux handles to be requested with fwnode testing commit d1c6a769cdf466053ae211789f2b0671c8a72331 with gcc (GCC) 8.4.1 20210217 kernel signature: 7bd84cdb0b32f280a75c9aab99795272834f8afb3bbda751e42acb95eca73b2c all runs: OK # git bisect good d1c6a769cdf466053ae211789f2b0671c8a72331 Bisecting: 31 revisions left to test after this (roughly 5 steps) [eeead847487f726fa177d0f4060c4f0816ad9cd9] usb: gadget: amd5536udc: fix spelling mistake "reserverd" -> "reserved" testing commit eeead847487f726fa177d0f4060c4f0816ad9cd9 with gcc (GCC) 8.4.1 20210217 kernel signature: 0d863f91e8de2146ea5e5e5787591d62b16ac2b6275b59aa88ffdab349acebd7 all runs: crashed: WARNING in cm109_submit_buzz_toggle/usb_submit_urb # git bisect bad eeead847487f726fa177d0f4060c4f0816ad9cd9 Bisecting: 15 revisions left to test after this (roughly 4 steps) [3d157c28d2289edf0439e8308e8de3a06acaaf0e] doc: dt: bindings: usb: dwc3: Update entries for disabling SS instances in park mode testing commit 3d157c28d2289edf0439e8308e8de3a06acaaf0e with gcc (GCC) 8.4.1 20210217 kernel signature: 8911702f1f959f1659c76e7125fc977b3ad2632be9be36f215c6924093e5e15a all runs: OK # git bisect good 3d157c28d2289edf0439e8308e8de3a06acaaf0e Bisecting: 7 revisions left to test after this (roughly 3 steps) [0227cc84c44417a29c8102e41db8ec2c11ebc6b2] usb: dwc3: core: don't do suspend for device mode if already suspended testing commit 0227cc84c44417a29c8102e41db8ec2c11ebc6b2 with gcc (GCC) 8.4.1 20210217 kernel signature: 7041a5661e7f44972655fb4fe990339c3a731ca4818f686e6b0dcea4cca624cd all runs: OK # git bisect good 0227cc84c44417a29c8102e41db8ec2c11ebc6b2 Bisecting: 3 revisions left to test after this (roughly 2 steps) [95b18f28979e12539cc02f6ec4e2c776e8551f39] dt-bindings: usb: dwc2: add compatible property for rk3328 usb testing commit 95b18f28979e12539cc02f6ec4e2c776e8551f39 with gcc (GCC) 8.4.1 20210217 kernel signature: 7a74dcd5f2d4bbff9429358bd7fe7121ab947693167097b8a9589d50307de67e all runs: crashed: WARNING in cm109_submit_buzz_toggle/usb_submit_urb # git bisect bad 95b18f28979e12539cc02f6ec4e2c776e8551f39 Bisecting: 1 revision left to test after this (roughly 1 step) [1a0808cb9e417170ed6ab97254cf319dc3e3c310] usb: dwc2: Implement set_selfpowered() testing commit 1a0808cb9e417170ed6ab97254cf319dc3e3c310 with gcc (GCC) 8.4.1 20210217 kernel signature: 7041a5661e7f44972655fb4fe990339c3a731ca4818f686e6b0dcea4cca624cd all runs: OK # git bisect good 1a0808cb9e417170ed6ab97254cf319dc3e3c310 Bisecting: 0 revisions left to test after this (roughly 0 steps) [f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10] usb: gadget: add raw-gadget interface testing commit f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10 with gcc (GCC) 8.4.1 20210217 kernel signature: 7a74dcd5f2d4bbff9429358bd7fe7121ab947693167097b8a9589d50307de67e all runs: crashed: WARNING in cm109_submit_buzz_toggle/usb_submit_urb # git bisect bad f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10 f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10 is the first bad commit commit f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10 Author: Andrey Konovalov Date: Mon Feb 24 17:13:03 2020 +0100 usb: gadget: add raw-gadget interface USB Raw Gadget is a kernel module that provides a userspace interface for the USB Gadget subsystem. Essentially it allows to emulate USB devices from userspace. Enabled with CONFIG_USB_RAW_GADGET. Raw Gadget is currently a strictly debugging feature and shouldn't be used in production. Raw Gadget is similar to GadgetFS, but provides a more low-level and direct access to the USB Gadget layer for the userspace. The key differences are: 1. Every USB request is passed to the userspace to get a response, while GadgetFS responds to some USB requests internally based on the provided descriptors. However note, that the UDC driver might respond to some requests on its own and never forward them to the Gadget layer. 2. GadgetFS performs some sanity checks on the provided USB descriptors, while Raw Gadget allows you to provide arbitrary data as responses to USB requests. 3. Raw Gadget provides a way to select a UDC device/driver to bind to, while GadgetFS currently binds to the first available UDC. 4. Raw Gadget uses predictable endpoint names (handles) across different UDCs (as long as UDCs have enough endpoints of each required transfer type). 5. Raw Gadget has ioctl-based interface instead of a filesystem-based one. Reviewed-by: Greg Kroah-Hartman Signed-off-by: Andrey Konovalov Signed-off-by: Felipe Balbi Documentation/usb/index.rst | 1 + Documentation/usb/raw-gadget.rst | 61 ++ drivers/usb/gadget/legacy/Kconfig | 11 + drivers/usb/gadget/legacy/Makefile | 1 + drivers/usb/gadget/legacy/raw_gadget.c | 1078 ++++++++++++++++++++++++++++++++ include/uapi/linux/usb/raw_gadget.h | 167 +++++ 6 files changed, 1319 insertions(+) create mode 100644 Documentation/usb/raw-gadget.rst create mode 100644 drivers/usb/gadget/legacy/raw_gadget.c create mode 100644 include/uapi/linux/usb/raw_gadget.h culprit signature: 7a74dcd5f2d4bbff9429358bd7fe7121ab947693167097b8a9589d50307de67e parent signature: 7041a5661e7f44972655fb4fe990339c3a731ca4818f686e6b0dcea4cca624cd Reproducer flagged being flaky revisions tested: 22, total time: 5h12m10.085888173s (build: 2h36m4.1188114s, test: 2h33m9.553618065s) first bad commit: f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10 usb: gadget: add raw-gadget interface recipients (to): ["andreyknvl@google.com" "balbi@kernel.org" "gregkh@linuxfoundation.org"] recipients (cc): [] crash: WARNING in cm109_submit_buzz_toggle/usb_submit_urb ------------[ cut here ]------------ URB 00000000b08439bf submitted while active WARNING: CPU: 1 PID: 10741 at drivers/usb/core/urb.c:363 usb_submit_urb+0xde1/0x11a0 drivers/usb/core/urb.c:363 Kernel panic - not syncing: panic_on_warn set ... CPU: 1 PID: 10741 Comm: syz-executor.2 Not tainted 5.6.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x96/0xe0 lib/dump_stack.c:118 panic+0x2a1/0x52a kernel/panic.c:221 __warn.cold.10+0x25/0x2f kernel/panic.c:582 report_bug+0x1aa/0x260 lib/bug.c:195 fixup_bug arch/x86/kernel/traps.c:174 [inline] fixup_bug arch/x86/kernel/traps.c:169 [inline] do_error_trap+0x12d/0x1e0 arch/x86/kernel/traps.c:267 do_invalid_op+0x31/0x40 arch/x86/kernel/traps.c:286 invalid_op+0x2d/0x40 arch/x86/entry/entry_64.S:1027 RIP: 0010:usb_submit_urb+0xde1/0x11a0 drivers/usb/core/urb.c:363 Code: 00 00 83 e3 01 b8 f0 ff ff ff 0f 85 1e f7 ff ff 4c 89 e6 48 c7 c7 40 91 f4 88 89 44 24 04 c6 05 30 9d 86 07 01 e8 bb 63 70 fc <0f> 0b 8b 44 24 04 e9 f9 f6 ff ff c7 44 24 08 01 00 00 00 e9 77 f7 RSP: 0018:ffffc90009b2f6f8 EFLAGS: 00010086 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000003 RSI: 0000000000000007 RDI: ffffffff8e4db220 RBP: ffff888234c24c18 R08: ffffed10173e43e9 R09: ffffed10173e43e9 R10: ffffed10173e43e8 R11: ffff8880b9f21f43 R12: ffff8880b2fb0100 R13: 0000000000000046 R14: ffff8880a19df1d8 R15: ffff8880a19df210 cm109_submit_buzz_toggle+0xbd/0x140 drivers/input/misc/cm109.c:351 cm109_toggle_buzzer_async+0x7f/0xa0 drivers/input/misc/cm109.c:487 cm109_input_ev+0x113/0x150 drivers/input/misc/cm109.c:621 input_handle_event+0x993/0x1270 drivers/input/input.c:375 input_inject_event+0x229/0x242 drivers/input/input.c:470 kd_sound_helper+0xe9/0x200 drivers/tty/vt/keyboard.c:237 input_handler_for_each_handle+0xd4/0x1b0 drivers/input/input.c:2355 kd_mksound+0x7e/0xf0 drivers/tty/vt/keyboard.c:261 do_con_trol+0x3f9/0x5960 drivers/tty/vt/vt.c:2116 do_con_write.part.15+0xa3b/0x1aa0 drivers/tty/vt/vt.c:2808 do_con_write drivers/tty/vt/vt.c:2576 [inline] con_write+0x1a/0x80 drivers/tty/vt/vt.c:3144 process_output_block drivers/tty/n_tty.c:595 [inline] n_tty_write+0x463/0xe80 drivers/tty/n_tty.c:2333 do_tty_write drivers/tty/tty_io.c:962 [inline] tty_write+0x3c8/0x8b0 drivers/tty/tty_io.c:1046 vfs_write+0x185/0x490 fs/read_write.c:558 ksys_write+0xe6/0x1c0 fs/read_write.c:611 do_syscall_64+0x98/0x560 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4665d9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f8c0c886188 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 00000000004665d9 RDX: 0000000000001006 RSI: 0000000020001440 RDI: 0000000000000005 RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf60 R13: 00007fffa2026b9f R14: 00007f8c0c886300 R15: 0000000000022000 Kernel Offset: disabled Rebooting in 86400 seconds..