ci2 starts bisection 2025-10-03 01:38:40.280059911 +0000 UTC m=+49201.921115909
bisecting fixing commit since 145c7fad733f13d7a8f4aa156785f40d38e966da
building syzkaller on 7117feecc9626dc60b06fb3e91c0f7632d99d30b
ensuring issue is reproducible on original commit 145c7fad733f13d7a8f4aa156785f40d38e966da
testing commit 145c7fad733f13d7a8f4aa156785f40d38e966da gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 7bdf8d082cdf4cec8084a44ece4c6305270c66f7fb442b1dc23ad923b4ce7eac
all runs: crashed: KASAN: slab-out-of-bounds Read in mon_bin_event
representative crash: KASAN: slab-out-of-bounds Read in mon_bin_event, types: [KASAN-READ]
check whether we can drop unnecessary instrumentation
disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed
testing commit 145c7fad733f13d7a8f4aa156785f40d38e966da gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 30ea1bfb7f6f06a557a5e9c764d127b8b94d032d158457f95bb386b098626b92
all runs: crashed: KASAN: slab-out-of-bounds Read in mon_bin_event
representative crash: KASAN: slab-out-of-bounds Read in mon_bin_event, types: [KASAN-READ]
the bug reproduces without the instrumentation
disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed
kconfig minimization: base=5186 full=6555 leaves diff=264
split chunks (needed=false): <264>
split chunk #0 of len 264 into 5 parts
testing without sub-chunk 1/5
disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed
testing commit 145c7fad733f13d7a8f4aa156785f40d38e966da gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: a18d4c879c5327d01b4f3bc4f67a94c5c2eb78e364ed8d9879ebdb5fb3f9c414
all runs: crashed: KASAN: slab-out-of-bounds Read in mon_bin_event
representative crash: KASAN: slab-out-of-bounds Read in mon_bin_event, types: [KASAN-READ]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed
testing commit 145c7fad733f13d7a8f4aa156785f40d38e966da gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 719d453692fc2a7d50f1848832593a7b1c35a4d4233e2a27b985777307870b0c
all runs: crashed: KASAN: slab-out-of-bounds Read in mon_bin_event
representative crash: KASAN: slab-out-of-bounds Read in mon_bin_event, types: [KASAN-READ]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [atomic_sleep hang memleak ubsan bug_or_warning locking], they are not needed
testing commit 145c7fad733f13d7a8f4aa156785f40d38e966da gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: c4691e708832ac2bd6653e86627f534707938a3efff940ef728e2a7a6a391f52
all runs: crashed: KASAN: slab-out-of-bounds Read in mon_bin_event
representative crash: KASAN: slab-out-of-bounds Read in mon_bin_event, types: [KASAN-READ]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [memleak ubsan bug_or_warning locking atomic_sleep hang], they are not needed
testing commit 145c7fad733f13d7a8f4aa156785f40d38e966da gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 08570b673f3b6295340c8a52f00407a7719bd31bca0d8c42473da6eb7921a672
all runs: OK
false negative chance: 0.000
testing without sub-chunk 5/5
disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed
testing commit 145c7fad733f13d7a8f4aa156785f40d38e966da gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
failed building 145c7fad733f13d7a8f4aa156785f40d38e966da: ld.lld: error: undefined symbol: wext_proc_init
ld.lld: error: undefined symbol: wext_proc_exit
ld.lld: error: undefined symbol: wext_handle_ioctl
ld.lld: error: undefined symbol: compat_wext_handle_ioctl
minimized to 105 configs; suspects: [COMMON_CLK HID_ZEROPLUS SND SOUND USB_ARMLINUX USB_BELKIN USB_CONFIGFS USB_CONFIGFS_ACM USB_CONFIGFS_ECM USB_CONFIGFS_ECM_SUBSET USB_CONFIGFS_EEM USB_CONFIGFS_F_ACC USB_CONFIGFS_F_AUDIO_SRC USB_CONFIGFS_F_FS USB_CONFIGFS_F_HID USB_CONFIGFS_F_LB_SS USB_CONFIGFS_F_MIDI USB_CONFIGFS_F_PRINTER USB_CONFIGFS_F_UAC1 USB_CONFIGFS_F_UAC1_LEGACY USB_CONFIGFS_F_UAC2 USB_CONFIGFS_F_UVC USB_CONFIGFS_MASS_STORAGE USB_CONFIGFS_NCM USB_CONFIGFS_OBEX USB_CONFIGFS_RNDIS USB_CONFIGFS_SERIAL USB_CONFIGFS_UEVENT USB_DWC3_OF_SIMPLE USB_EHSET_TEST_FIXTURE USB_F_ACC USB_F_ACM USB_F_AUDIO_SRC USB_F_ECM USB_F_EEM USB_F_FS USB_F_HID USB_F_MASS_STORAGE USB_F_MIDI USB_F_NCM USB_F_OBEX USB_F_PRINTER USB_F_RNDIS USB_F_SERIAL USB_F_SS_LB USB_F_SUBSET USB_F_UAC1 USB_F_UAC1_LEGACY USB_F_UAC2 USB_F_UVC USB_GADGET_DEBUG_FILES USB_GADGET_DEBUG_FS USB_IPHETH USB_ISP1760 USB_ISP1760_HCD USB_ISP1760_HOST_ROLE USB_LIBCOMPOSITE USB_LINK_LAYER_TEST USB_MON USB_NET_CDC_MBIM USB_NET_CDC_SUBSET USB_NET_CDC_SUBSET_ENABLE USB_NET_DM9601 USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM V4L2_ASYNC V4L2_FWNODE VIDEO_CAMERA_SENSOR WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_PURELIFI WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_SILABS WLAN_VENDOR_ZYDAS ZEROPLUS_FF]
disabling configs for [atomic_sleep hang memleak ubsan bug_or_warning locking], they are not needed
testing current HEAD f6787ec80e171530bdd83fa0d3b6b89ad8891e71
testing commit f6787ec80e171530bdd83fa0d3b6b89ad8891e71 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 21451311f3bba5cce50ff98ab8855b7d8a5aea680f17211343dbb77e1f034974
all runs: OK
false negative chance: 0.000
# git bisect start f6787ec80e171530bdd83fa0d3b6b89ad8891e71 145c7fad733f13d7a8f4aa156785f40d38e966da
Bisecting: 975 revisions left to test after this (roughly 10 steps)
[1ba9f9d8dbf6a2a84adfebfe444f3c0519f11304] soc/tegra: cbb: Clear ERR_FORCE register with ERR_STATUS
determine whether the revision contains the guilty commit
checking the merge base 58485ff1a74f6c5be9e7c6aafb7293e4337348e7
no existing result, test the revision
testing commit 58485ff1a74f6c5be9e7c6aafb7293e4337348e7 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: d9e5fde998d9bf3069023e808e9890bb81e023d6feb2f990fbdd485863fed56b
all runs: crashed: KASAN: slab-out-of-bounds Read in mon_bin_event
representative crash: KASAN: slab-out-of-bounds Read in mon_bin_event, types: [KASAN-READ]
testing commit 1ba9f9d8dbf6a2a84adfebfe444f3c0519f11304 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 976d0e172184f777eb86197559e982cb1f06160d4d4424ba1140f7c546bda3fb
all runs: OK
false negative chance: 0.000
# git bisect bad 1ba9f9d8dbf6a2a84adfebfe444f3c0519f11304
Bisecting: 487 revisions left to test after this (roughly 9 steps)
[058dd4a370f23a5553a9449f2db53d5bfa88d45e] calipso: Fix null-ptr-deref in calipso_req_{set,del}attr().
determine whether the revision contains the guilty commit
revision 58485ff1a74f6c5be9e7c6aafb7293e4337348e7 crashed and is reachable
testing commit 058dd4a370f23a5553a9449f2db53d5bfa88d45e gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: ac0484df5b4169c6e74fc8fe73e860f128f203bb6096a3396c62bc007a912b29
all runs: crashed: KASAN: slab-out-of-bounds Read in mon_bin_event
representative crash: KASAN: slab-out-of-bounds Read in mon_bin_event, types: [KASAN-READ]
# git bisect good 058dd4a370f23a5553a9449f2db53d5bfa88d45e
Bisecting: 243 revisions left to test after this (roughly 8 steps)
[5752d8dbb3dfd7f1a9faf0f65377e60826ea9a17] vsock: Fix transport_{g2h,h2g} TOCTOU
determine whether the revision contains the guilty commit
revision 58485ff1a74f6c5be9e7c6aafb7293e4337348e7 crashed and is reachable
testing commit 5752d8dbb3dfd7f1a9faf0f65377e60826ea9a17 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: ab9e010726aec0ce2d51c9f8f62166c0b09cf02a739a3b14c0dab7d58040fb3e
all runs: crashed: KASAN: slab-out-of-bounds Read in mon_bin_event
representative crash: KASAN: slab-out-of-bounds Read in mon_bin_event, types: [KASAN-READ]
# git bisect good 5752d8dbb3dfd7f1a9faf0f65377e60826ea9a17
Bisecting: 121 revisions left to test after this (roughly 7 steps)
[61d5fa45ed13e42af14c7e959baba9908b8ee6d4] bpf: Reject %p% format string in bprintf-like helpers
determine whether the revision contains the guilty commit
revision 58485ff1a74f6c5be9e7c6aafb7293e4337348e7 crashed and is reachable
testing commit 61d5fa45ed13e42af14c7e959baba9908b8ee6d4 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 3cf1df13a3c6fc65bc3eb1389045fc602a8c12e4a06299602f1ea6905c62bf51
all runs: OK
false negative chance: 0.000
# git bisect bad 61d5fa45ed13e42af14c7e959baba9908b8ee6d4
Bisecting: 60 revisions left to test after this (roughly 6 steps)
[bbed1761b8d9fb49f61d06a5ab66a267235ecfd1] bnxt_en: Fix DCB ETS validation
determine whether the revision contains the guilty commit
revision 58485ff1a74f6c5be9e7c6aafb7293e4337348e7 crashed and is reachable
testing commit bbed1761b8d9fb49f61d06a5ab66a267235ecfd1 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 997a81fff8bd8b401258964bb1e40026e2b030e56f2b997c6cd4a406d25edeb7
all runs: crashed: KASAN: slab-out-of-bounds Read in mon_bin_event
representative crash: KASAN: slab-out-of-bounds Read in mon_bin_event, types: [KASAN-READ]
# git bisect good bbed1761b8d9fb49f61d06a5ab66a267235ecfd1
Bisecting: 30 revisions left to test after this (roughly 5 steps)
[a95807db965d7ef9ce6c50070ab3dfb69eaabd13] HID: core: ensure __hid_request reserves the report ID as the first byte
determine whether the revision contains the guilty commit
revision bbed1761b8d9fb49f61d06a5ab66a267235ecfd1 crashed and is reachable
testing commit a95807db965d7ef9ce6c50070ab3dfb69eaabd13 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: de0c2f1e513c6d74c5a06d6497772c38605d35ac0541e8910ca98250a7573afd
all runs: OK
false negative chance: 0.000
# git bisect bad a95807db965d7ef9ce6c50070ab3dfb69eaabd13
Bisecting: 14 revisions left to test after this (roughly 4 steps)
[8c90dbc93f637c929a9d9aa51e53cb976f479f89] x86: Fix X86_FEATURE_VERW_CLEAR definition
determine whether the revision contains the guilty commit
revision 5752d8dbb3dfd7f1a9faf0f65377e60826ea9a17 crashed and is reachable
testing commit 8c90dbc93f637c929a9d9aa51e53cb976f479f89 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 7257a441c18cd0adaa928c95618de623f2dcabd51222f2399c6659e6acdbe787
all runs: crashed: KASAN: slab-out-of-bounds Read in mon_bin_event
representative crash: KASAN: slab-out-of-bounds Read in mon_bin_event, types: [KASAN-READ]
# git bisect good 8c90dbc93f637c929a9d9aa51e53cb976f479f89
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[c50cf5371a2e7bf2f201174fd25bffa203063202] USB: serial: option: add Foxconn T99W640
determine whether the revision contains the guilty commit
revision 5752d8dbb3dfd7f1a9faf0f65377e60826ea9a17 crashed and is reachable
testing commit c50cf5371a2e7bf2f201174fd25bffa203063202 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 47a041cf615c0b5040e91819c74b43d3c5bfb5fa393b1142b43bb5c543f4e772
all runs: crashed: KASAN: slab-out-of-bounds Read in mon_bin_event
representative crash: KASAN: slab-out-of-bounds Read in mon_bin_event, types: [KASAN-READ]
# git bisect good c50cf5371a2e7bf2f201174fd25bffa203063202
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[8089f38f3ed41502d41e916c47f44dae7952be17] thunderbolt: Fix bit masking in tb_dp_port_set_hops()
determine whether the revision contains the guilty commit
revision c50cf5371a2e7bf2f201174fd25bffa203063202 crashed and is reachable
testing commit 8089f38f3ed41502d41e916c47f44dae7952be17 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: b51ff5b69655fb0c14e12e659a8df08751e0a9a6eed47f3f0b341e0f552584a4
all runs: crashed: KASAN: slab-out-of-bounds Read in mon_bin_event
representative crash: KASAN: slab-out-of-bounds Read in mon_bin_event, types: [KASAN-READ]
# git bisect good 8089f38f3ed41502d41e916c47f44dae7952be17
Bisecting: 1 revision left to test after this (roughly 1 step)
[9e1deb757e4f76e3b1a9afd9e44ca391b0f22e14] pch_uart: Fix dma_sync_sg_for_device() nents value
determine whether the revision contains the guilty commit
revision 8c90dbc93f637c929a9d9aa51e53cb976f479f89 crashed and is reachable
testing commit 9e1deb757e4f76e3b1a9afd9e44ca391b0f22e14 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: fcf97165f47966c1145211a54e0457490cb9d557d51dd16d5a91fe3ab0da7e5c
all runs: crashed: KASAN: slab-out-of-bounds Read in mon_bin_event
representative crash: KASAN: slab-out-of-bounds Read in mon_bin_event, types: [KASAN-READ]
# git bisect good 9e1deb757e4f76e3b1a9afd9e44ca391b0f22e14
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[d3ed1d84a84538a39b3eb2055d6a97a936c108f2] HID: core: ensure the allocated report buffer can contain the reserved report ID
determine whether the revision contains the guilty commit
revision 9e1deb757e4f76e3b1a9afd9e44ca391b0f22e14 crashed and is reachable
testing commit d3ed1d84a84538a39b3eb2055d6a97a936c108f2 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: fdea44fd4d9824b9d560e0c2e91ca7a54e2c55b7642a05b3f65fb03ca2b8beaa
all runs: crashed: KASAN: slab-out-of-bounds Read in mon_bin_event
representative crash: KASAN: slab-out-of-bounds Read in mon_bin_event, types: [KASAN-READ]
# git bisect good d3ed1d84a84538a39b3eb2055d6a97a936c108f2
a95807db965d7ef9ce6c50070ab3dfb69eaabd13 is the first bad commit
commit a95807db965d7ef9ce6c50070ab3dfb69eaabd13
Author: Benjamin Tissoires
Date:   Thu Jul 10 16:01:34 2025 +0200

    HID: core: ensure __hid_request reserves the report ID as the first byte

    commit 0d0777ccaa2d46609d05b66ba0096802a2746193 upstream.

    The low level transport driver expects the first byte to be the report
    ID, even when the report ID is not used (in which case they just shift
    the buffer).

    However, __hid_request() was not offsetting the buffer it used by one
    in this case, meaning that the raw_request() callback emitted by the
    transport driver would be stripped of the first byte.

    Note: this changes the API for uhid devices when a request is made
    through hid_hw_request. However, several considerations make me think
    this is fine:
    - every request to a HID device made through hid_hw_request() would
      see that change, but every request made through hid_hw_raw_request()
      already has the new behaviour. So that means that the users are
      already facing situations where they might have or not the first
      byte being the null report ID when it is 0. We are making things
      more straightforward in the end.
    - uhid is mainly used for BLE devices
    - uhid is also used for testing, but I don't see that change as a big
      issue
    - for BLE devices, we can check which kernel module is calling
      hid_hw_request()
    - and in those modules, we can check which are using a Bluetooth device
    - and then we can check if the command is used with a report ID or not.
    - surprise: none of the kernel modules are using a report ID 0
    - and finally, bluez, in its function set_report()[0], does the same
      shift if the report ID is 0 and the given buffer has a size > 0.

    [0] https://git.kernel.org/pub/scm/bluetooth/bluez.git/tree/profiles/input/hog-lib.c#n879

    Reported-by: Alan Stern
    Closes: https://lore.kernel.org/linux-input/c75433e0-9b47-4072-bbe8-b1d14ea97b13@rowland.harvard.edu/
    Reported-by: syzbot+8258d5439c49d4c35f43@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=8258d5439c49d4c35f43
    Tested-by: syzbot+8258d5439c49d4c35f43@syzkaller.appspotmail.com
    Fixes: 4fa5a7f76cc7 ("HID: core: implement generic .request()")
    Cc: stable@vger.kernel.org
    Link: https://patch.msgid.link/20250710-report-size-null-v2-2-ccf922b7c4e5@kernel.org
    Signed-off-by: Benjamin Tissoires
    Signed-off-by: Greg Kroah-Hartman

 drivers/hid/hid-core.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

accumulated error probability: 0.00
culprit signature: de0c2f1e513c6d74c5a06d6497772c38605d35ac0541e8910ca98250a7573afd
parent signature: fdea44fd4d9824b9d560e0c2e91ca7a54e2c55b7642a05b3f65fb03ca2b8beaa
revisions tested: 19, total time: 4h33m36.240216259s (build: 2h15m48.023222342s, test: 2h9m28.480384896s)
first good commit: a95807db965d7ef9ce6c50070ab3dfb69eaabd13 HID: core: ensure __hid_request reserves the report ID as the first byte
recipients (to): ["bentiss@kernel.org" "gregkh@linuxfoundation.org" "syzbot+8258d5439c49d4c35f43@syzkaller.appspotmail.com"]
recipients (cc): []