bisecting cause commit starting from 1fc596a56b334f4d593a2b49e5ff55af6aaa0816 building syzkaller on be531bb42381b245eed805e49fd889d1c2118c76 testing commit 1fc596a56b334f4d593a2b49e5ff55af6aaa0816 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 337e6e7983d574fb9fccf7a643b042a756e30548853ac6b9222d42dca52e04ef all runs: crashed: WARNING in carl9170_usb_send_rx_irq_urb/usb_submit_urb testing release v5.14 testing commit 7d2a07b769330c34b4deabeed939325c77a7ec2f compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: e7f82353780f7353f2b9831acf2c3b929072ab7502510d2c9ec919816098867b all runs: crashed: WARNING in carl9170_usb_send_rx_irq_urb/usb_submit_urb testing release v5.13 testing commit 62fb9874f5da54fdb243003b386128037319b219 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 3893288ffb73b25437d9014c3a302e9da56e6c80694523f6acbeb8e844d7d15a all runs: crashed: WARNING in carl9170_usb_send_rx_irq_urb/usb_submit_urb testing release v5.12 testing commit 9f4ad9e425a1d3b6a34617b8ea226d56a119a717 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: fef6bbeef0730e250dce5c4d00ca978c6faccee48182ecededef71f007012dae all runs: crashed: WARNING in carl9170_usb_send_rx_irq_urb/usb_submit_urb testing release v5.11 testing commit f40ddce88593482919761f74910f42f4b84c004b compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: e70248e93361f34dd873e40495a67fb19d7b2d6e1499d9fc363168f631887141 all runs: crashed: WARNING in carl9170_usb_send_rx_irq_urb/usb_submit_urb testing release v5.10 testing commit 2c85ebc57b3e1817b6ce1a6b703928e113a90442 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: c6eee30e83a4bfc1d174b45494b852005166c4538581c49180638cb8462d3b3a all runs: crashed: WARNING in carl9170_usb_send_rx_irq_urb/usb_submit_urb testing release v5.9 testing commit bbf5c979011a099af5dc76498918ed7df445635b compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 8abfd263d08f5a1944abf7487b0cd3fa8a13d2cbbae2833d87ee62892ed94117 run #0: crashed: WARNING in carl9170_usb_send_rx_irq_urb/usb_submit_urb run #1: crashed: WARNING in carl9170_usb_send_rx_irq_urb/usb_submit_urb run #2: crashed: WARNING in carl9170_usb_send_rx_irq_urb/usb_submit_urb run #3: crashed: WARNING in carl9170_usb_send_rx_irq_urb/usb_submit_urb run #4: crashed: WARNING in carl9170_usb_send_rx_irq_urb/usb_submit_urb run #5: crashed: WARNING in carl9170_usb_send_rx_irq_urb/usb_submit_urb run #6: crashed: WARNING in carl9170_usb_send_rx_irq_urb/usb_submit_urb run #7: crashed: WARNING in corrupted/usb_submit_urb run #8: crashed: WARNING in carl9170_usb_send_rx_irq_urb/usb_submit_urb run #9: crashed: WARNING in carl9170_usb_send_rx_irq_urb/usb_submit_urb testing release v5.8 testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c compiler: gcc (GCC) 8.4.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 261e40aa3ea66f2994281fd1f1351c40218e8d2382abca2a698e489c42cf9ad6 all runs: crashed: WARNING in carl9170_usb_send_rx_irq_urb/usb_submit_urb testing release v5.7 testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 compiler: gcc version 8.4.1 20210217 (GCC), GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: f465b659524de2aa97eb77e7ad8a4bb7936a3b1791edd7cd15bf833edd9dac3a all runs: crashed: WARNING in carl9170_usb_send_rx_irq_urb/usb_submit_urb testing release v5.6 testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 compiler: gcc version 8.4.1 20210217 (GCC) kernel signature: 0fc1f3346314f13db78f40d21279d9cf424c7ca11f4fd63953c5fc19806ea298 all runs: OK # git bisect start 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 7111951b8d4973bda27ff663f2cf18b663d15b48 Bisecting: 7542 revisions left to test after this (roughly 13 steps) [50a5de895dbe5df947b3a695777db5b2c313e065] Merge tag 'for-linus-hmm' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma testing commit 50a5de895dbe5df947b3a695777db5b2c313e065 compiler: gcc version 8.4.1 20210217 (GCC) kernel signature: e8a17d2807fa7179549af5690613f4f70578927b4dc983d6732340f6b8a63581 all runs: crashed: WARNING in carl9170_usb_send_rx_irq_urb/usb_submit_urb # git bisect bad 50a5de895dbe5df947b3a695777db5b2c313e065 Bisecting: 4204 revisions left to test after this (roughly 12 steps) [56a451b780676bc1cdac011735fe2869fa2e9abf] Merge tag 'ntb-5.7' of git://github.com/jonmason/ntb testing commit 56a451b780676bc1cdac011735fe2869fa2e9abf compiler: gcc version 8.4.1 20210217 (GCC) kernel signature: 19b0a2d4906ae8857577c08a191da4f8fd477acbc38ac566d12030872e6e391b all runs: crashed: WARNING in carl9170_usb_send_rx_irq_urb/usb_submit_urb # git bisect bad 56a451b780676bc1cdac011735fe2869fa2e9abf Bisecting: 1643 revisions left to test after this (roughly 11 steps) [49835c15a55225e9b3ff9cc9317135b334ea2d49] Merge tag 'pm-5.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm testing commit 49835c15a55225e9b3ff9cc9317135b334ea2d49 compiler: gcc version 8.4.1 20210217 (GCC) kernel signature: ffa8ccb3921f03e4bef6159211df699ef7e0cba77f141b42663fdeb5b10eeb71 all runs: crashed: WARNING in carl9170_usb_send_rx_irq_urb/usb_submit_urb # git bisect bad 49835c15a55225e9b3ff9cc9317135b334ea2d49 Bisecting: 934 revisions left to test after this (roughly 10 steps) [063d1942247668eb0bb800aef5afbbef337344be] Merge tag 'media/v5.7-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media testing commit 063d1942247668eb0bb800aef5afbbef337344be compiler: gcc version 8.4.1 20210217 (GCC) kernel signature: 10775fb4a923053ad714d405503eee7220571ab0cf63a161f6b1c7df08fcc945 all runs: OK # git bisect good 063d1942247668eb0bb800aef5afbbef337344be Bisecting: 516 revisions left to test after this (roughly 9 steps) [e681bb287f40e7a9dbcb04cef80fd87a2511ab86] staging: vt6656: Use DIV_ROUND_UP macro instead of specific code testing commit e681bb287f40e7a9dbcb04cef80fd87a2511ab86 compiler: gcc version 8.4.1 20210217 (GCC) kernel signature: ff03de9721916286e45f78d068b100a664f43b70691d1f2210c45babf95c5da0 all runs: OK # git bisect good e681bb287f40e7a9dbcb04cef80fd87a2511ab86 Bisecting: 266 revisions left to test after this (roughly 8 steps) [db34c5ffee649e2c4c870d1031a996398a187cf5] Merge tag 'usb-5.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb testing commit db34c5ffee649e2c4c870d1031a996398a187cf5 compiler: gcc version 8.4.1 20210217 (GCC) kernel signature: 8dc3e07bb443f9866889d87693143216dde2c46dd3947f238d83e5cee1070a3b all runs: crashed: WARNING in carl9170_usb_send_rx_irq_urb/usb_submit_urb # git bisect bad db34c5ffee649e2c4c870d1031a996398a187cf5 Bisecting: 121 revisions left to test after this (roughly 7 steps) [a8ab3e76297ea85d92f4ee0833bd469816a13ccf] Merge tag 'usb-for-v5.7' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb into usb-next testing commit a8ab3e76297ea85d92f4ee0833bd469816a13ccf compiler: gcc version 8.4.1 20210217 (GCC) kernel signature: 3b36a1fa06281c931acc86eff0df08c3e67ddda34ab89081aba2dc87936285ab all runs: crashed: WARNING in carl9170_usb_send_rx_irq_urb/usb_submit_urb # git bisect bad a8ab3e76297ea85d92f4ee0833bd469816a13ccf Bisecting: 63 revisions left to test after this (roughly 6 steps) [d1c6a769cdf466053ae211789f2b0671c8a72331] usb: typec: mux: Allow the mux handles to be requested with fwnode testing commit d1c6a769cdf466053ae211789f2b0671c8a72331 compiler: gcc version 8.4.1 20210217 (GCC) kernel signature: 75df459c9f4d9534b5cc3a4995d8ae607fd6eeb10535b8eca1064a9dfede4c79 all runs: OK # git bisect good d1c6a769cdf466053ae211789f2b0671c8a72331 Bisecting: 31 revisions left to test after this (roughly 5 steps) [eeead847487f726fa177d0f4060c4f0816ad9cd9] usb: gadget: amd5536udc: fix spelling mistake "reserverd" -> "reserved" testing commit eeead847487f726fa177d0f4060c4f0816ad9cd9 compiler: gcc version 8.4.1 20210217 (GCC) kernel signature: 2ad07d11d7ac954dd5d5212c1e5790b6e9723357d98cc76392e4d94cb96cbd28 all runs: crashed: WARNING in carl9170_usb_send_rx_irq_urb/usb_submit_urb # git bisect bad eeead847487f726fa177d0f4060c4f0816ad9cd9 Bisecting: 15 revisions left to test after this (roughly 4 steps) [3d157c28d2289edf0439e8308e8de3a06acaaf0e] doc: dt: bindings: usb: dwc3: Update entries for disabling SS instances in park mode testing commit 3d157c28d2289edf0439e8308e8de3a06acaaf0e compiler: gcc version 8.4.1 20210217 (GCC) kernel signature: ad5526e846bd09ade9328fb99f3976a7fc2972a2bf60cba7b2843ab9cddb66a2 all runs: OK # git bisect good 3d157c28d2289edf0439e8308e8de3a06acaaf0e Bisecting: 7 revisions left to test after this (roughly 3 steps) [0227cc84c44417a29c8102e41db8ec2c11ebc6b2] usb: dwc3: core: don't do suspend for device mode if already suspended testing commit 0227cc84c44417a29c8102e41db8ec2c11ebc6b2 compiler: gcc version 8.4.1 20210217 (GCC) kernel signature: 7a3c9319cdb32363e2d709ec6fe58924bced2d8ab8ebc75375209b067fffeccc all runs: OK # git bisect good 0227cc84c44417a29c8102e41db8ec2c11ebc6b2 Bisecting: 3 revisions left to test after this (roughly 2 steps) [95b18f28979e12539cc02f6ec4e2c776e8551f39] dt-bindings: usb: dwc2: add compatible property for rk3328 usb testing commit 95b18f28979e12539cc02f6ec4e2c776e8551f39 compiler: gcc version 8.4.1 20210217 (GCC) kernel signature: 83324d812b31a6330392826a10f3d1e479a9ca883a388ecf01595983bd7a1ac0 all runs: crashed: WARNING in carl9170_usb_send_rx_irq_urb/usb_submit_urb # git bisect bad 95b18f28979e12539cc02f6ec4e2c776e8551f39 Bisecting: 1 revision left to test after this (roughly 1 step) [1a0808cb9e417170ed6ab97254cf319dc3e3c310] usb: dwc2: Implement set_selfpowered() testing commit 1a0808cb9e417170ed6ab97254cf319dc3e3c310 compiler: gcc version 8.4.1 20210217 (GCC) kernel signature: 7a3c9319cdb32363e2d709ec6fe58924bced2d8ab8ebc75375209b067fffeccc all runs: OK # git bisect good 1a0808cb9e417170ed6ab97254cf319dc3e3c310 Bisecting: 0 revisions left to test after this (roughly 0 steps) [f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10] usb: gadget: add raw-gadget interface testing commit f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10 compiler: gcc version 8.4.1 20210217 (GCC) kernel signature: 83324d812b31a6330392826a10f3d1e479a9ca883a388ecf01595983bd7a1ac0 all runs: crashed: WARNING in carl9170_usb_send_rx_irq_urb/usb_submit_urb # git bisect bad f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10 f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10 is the first bad commit commit f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10 Author: Andrey Konovalov Date: Mon Feb 24 17:13:03 2020 +0100 usb: gadget: add raw-gadget interface USB Raw Gadget is a kernel module that provides a userspace interface for the USB Gadget subsystem. Essentially it allows to emulate USB devices from userspace. Enabled with CONFIG_USB_RAW_GADGET. Raw Gadget is currently a strictly debugging feature and shouldn't be used in production. Raw Gadget is similar to GadgetFS, but provides a more low-level and direct access to the USB Gadget layer for the userspace. The key differences are: 1. Every USB request is passed to the userspace to get a response, while GadgetFS responds to some USB requests internally based on the provided descriptors. However note, that the UDC driver might respond to some requests on its own and never forward them to the Gadget layer. 2. GadgetFS performs some sanity checks on the provided USB descriptors, while Raw Gadget allows you to provide arbitrary data as responses to USB requests. 3. Raw Gadget provides a way to select a UDC device/driver to bind to, while GadgetFS currently binds to the first available UDC. 4. Raw Gadget uses predictable endpoint names (handles) across different UDCs (as long as UDCs have enough endpoints of each required transfer type). 5. Raw Gadget has ioctl-based interface instead of a filesystem-based one. Reviewed-by: Greg Kroah-Hartman Signed-off-by: Andrey Konovalov Signed-off-by: Felipe Balbi Documentation/usb/index.rst | 1 + Documentation/usb/raw-gadget.rst | 61 ++ drivers/usb/gadget/legacy/Kconfig | 11 + drivers/usb/gadget/legacy/Makefile | 1 + drivers/usb/gadget/legacy/raw_gadget.c | 1078 ++++++++++++++++++++++++++++++++ include/uapi/linux/usb/raw_gadget.h | 167 +++++ 6 files changed, 1319 insertions(+) create mode 100644 Documentation/usb/raw-gadget.rst create mode 100644 drivers/usb/gadget/legacy/raw_gadget.c create mode 100644 include/uapi/linux/usb/raw_gadget.h culprit signature: 83324d812b31a6330392826a10f3d1e479a9ca883a388ecf01595983bd7a1ac0 parent signature: 7a3c9319cdb32363e2d709ec6fe58924bced2d8ab8ebc75375209b067fffeccc revisions tested: 24, total time: 5h5m24.893974793s (build: 2h40m27.939862989s, test: 2h22m7.930222575s) first bad commit: f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10 usb: gadget: add raw-gadget interface recipients (to): ["andreyknvl@google.com" "balbi@kernel.org" "gregkh@linuxfoundation.org"] recipients (cc): [] crash: WARNING in carl9170_usb_send_rx_irq_urb/usb_submit_urb usb 3-1: driver API: 1.9.9 2016-02-15 [1-1] usb 3-1: firmware API: 1.9.6 2012-07-07 ------------[ cut here ]------------ usb 3-1: BOGUS urb xfer, pipe 1 != type 3 WARNING: CPU: 1 PID: 3573 at drivers/usb/core/urb.c:479 usb_submit_urb+0x8c2/0x11a0 drivers/usb/core/urb.c:478 Kernel panic - not syncing: panic_on_warn set ... CPU: 1 PID: 3573 Comm: kworker/1:51 Not tainted 5.6.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: events request_firmware_work_func Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x96/0xe0 lib/dump_stack.c:118 panic+0x2a1/0x52a kernel/panic.c:221 __warn.cold.10+0x25/0x2f kernel/panic.c:582 report_bug+0x1aa/0x260 lib/bug.c:195 fixup_bug arch/x86/kernel/traps.c:174 [inline] fixup_bug arch/x86/kernel/traps.c:169 [inline] do_error_trap+0x12d/0x1e0 arch/x86/kernel/traps.c:267 do_invalid_op+0x31/0x40 arch/x86/kernel/traps.c:286 invalid_op+0x2d/0x40 arch/x86/entry/entry_64.S:1027 RIP: 0010:usb_submit_urb+0x8c2/0x11a0 drivers/usb/core/urb.c:478 Code: 02 00 00 48 89 c7 48 89 54 24 10 e8 d8 41 27 ff 48 8b 54 24 10 45 89 f0 44 89 e9 48 89 c6 48 c7 c7 40 24 f4 88 e8 aa 6e 70 fc <0f> 0b 80 fb 01 41 be 86 03 00 00 74 1b 84 db 0f 84 ac 01 00 00 83 RSP: 0018:ffffc9000187fc18 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000 RDX: 0000000000000001 RSI: ffffffff89ddafc8 RDI: ffffffff8e4da220 RBP: ffff8880a848d05c R08: ffffed10173e9c79 R09: ffffed10173e9c79 R10: ffffed10173e9c78 R11: ffff8880b9f4e3c7 R12: ffff8880a848d000 R13: 0000000000000001 R14: 0000000000000003 R15: ffff88809440a000 carl9170_usb_send_rx_irq_urb+0x269/0x340 drivers/net/wireless/ath/carl9170/usb.c:504 carl9170_usb_init_device drivers/net/wireless/ath/carl9170/usb.c:939 [inline] carl9170_usb_firmware_finish drivers/net/wireless/ath/carl9170/usb.c:999 [inline] carl9170_usb_firmware_step2+0xbf/0x170 drivers/net/wireless/ath/carl9170/usb.c:1028 request_firmware_work_func+0x121/0x23e drivers/base/firmware_loader/main.c:976 process_one_work+0x8ff/0x1690 kernel/workqueue.c:2264 worker_thread+0x82/0xb50 kernel/workqueue.c:2410 kthread+0x31d/0x3e0 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Kernel Offset: disabled Rebooting in 86400 seconds..