bisecting cause commit starting from b85051e755b0e9d6dd8f17ef1da083851b83287d building syzkaller on 1f30020f856c65ba64fd0e7a663b1fb39c27c990 testing commit b85051e755b0e9d6dd8f17ef1da083851b83287d with gcc (GCC) 8.1.0 kernel signature: 644f00416136a5611d500deb71f96b80610978c6d028e937e7a110afde93abeb all runs: crashed: WARNING in media_create_pad_link testing release v5.6 testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0 kernel signature: 2aac37242af53d584d48ceee9894be60b5dbc64e6c0f8eeaef47abde7ac406c6 run #0: OK run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: boot failed: can't ssh into the instance # git bisect start b85051e755b0e9d6dd8f17ef1da083851b83287d 7111951b8d4973bda27ff663f2cf18b663d15b48 Bisecting: 7218 revisions left to test after this (roughly 13 steps) [f365ab31efacb70bed1e821f7435626e0b2528a6] Merge tag 'drm-next-2020-04-01' of git://anongit.freedesktop.org/drm/drm testing commit f365ab31efacb70bed1e821f7435626e0b2528a6 with gcc (GCC) 8.1.0 kernel signature: be158143ac2f2a95b0ad9823cbfda2a6dce2b563538578e8def2ad10db5473ef all runs: crashed: WARNING in media_create_pad_link # git bisect bad f365ab31efacb70bed1e821f7435626e0b2528a6 Bisecting: 4110 revisions left to test after this (roughly 12 steps) [56a451b780676bc1cdac011735fe2869fa2e9abf] Merge tag 'ntb-5.7' of git://github.com/jonmason/ntb testing commit 56a451b780676bc1cdac011735fe2869fa2e9abf with gcc (GCC) 8.1.0 kernel signature: 3014e4f64cbe1fd03d92e762e64394add279c388838d5a32e6f4fe6de08f591c all runs: crashed: WARNING in media_create_pad_link # git bisect bad 56a451b780676bc1cdac011735fe2869fa2e9abf Bisecting: 1643 revisions left to test after this (roughly 11 steps) [49835c15a55225e9b3ff9cc9317135b334ea2d49] Merge tag 'pm-5.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm testing commit 49835c15a55225e9b3ff9cc9317135b334ea2d49 with gcc (GCC) 8.1.0 kernel signature: 12447c5c40293666a42777e15b20c50512ec3384562bb320dcfe1f3fbe27ac6a all runs: crashed: WARNING in media_create_pad_link # git bisect bad 49835c15a55225e9b3ff9cc9317135b334ea2d49 Bisecting: 934 revisions left to test after this (roughly 10 steps) [063d1942247668eb0bb800aef5afbbef337344be] Merge tag 'media/v5.7-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media testing commit 063d1942247668eb0bb800aef5afbbef337344be with gcc (GCC) 8.1.0 kernel signature: 045abc17a413db7d3f57ea9340df509f6c5311b679cc3666acfb3ab6648a60e1 all runs: OK # git bisect good 063d1942247668eb0bb800aef5afbbef337344be Bisecting: 516 revisions left to test after this (roughly 9 steps) [e681bb287f40e7a9dbcb04cef80fd87a2511ab86] staging: vt6656: Use DIV_ROUND_UP macro instead of specific code testing commit e681bb287f40e7a9dbcb04cef80fd87a2511ab86 with gcc (GCC) 8.1.0 kernel signature: 7f2e2ed5f7e5a437b2b6b7a59fdcff2fca1b263668fc7eb408f5326b05aab18f all runs: OK # git bisect good e681bb287f40e7a9dbcb04cef80fd87a2511ab86 Bisecting: 266 revisions left to test after this (roughly 8 steps) [db34c5ffee649e2c4c870d1031a996398a187cf5] Merge tag 'usb-5.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb testing commit db34c5ffee649e2c4c870d1031a996398a187cf5 with gcc (GCC) 8.1.0 kernel signature: 1aedf262af2d3338687db3467577d903220a90344877ecc37228cf84d501310b all runs: crashed: WARNING in media_create_pad_link # git bisect bad db34c5ffee649e2c4c870d1031a996398a187cf5 Bisecting: 121 revisions left to test after this (roughly 7 steps) [a8ab3e76297ea85d92f4ee0833bd469816a13ccf] Merge tag 'usb-for-v5.7' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb into usb-next testing commit a8ab3e76297ea85d92f4ee0833bd469816a13ccf with gcc (GCC) 8.1.0 kernel signature: f984f569d2baf31c0cc51933ce81433ff761a6082bb752ee0b2e070b6230955a all runs: crashed: KASAN: use-after-free Read in __media_entity_remove_links # git bisect bad a8ab3e76297ea85d92f4ee0833bd469816a13ccf Bisecting: 63 revisions left to test after this (roughly 6 steps) [d1c6a769cdf466053ae211789f2b0671c8a72331] usb: typec: mux: Allow the mux handles to be requested with fwnode testing commit d1c6a769cdf466053ae211789f2b0671c8a72331 with gcc (GCC) 8.1.0 kernel signature: 1aaffe4f175159f6e0111426b5ecc5c50b6a391fb49594b01e3cee81d7eb5648 all runs: OK # git bisect good d1c6a769cdf466053ae211789f2b0671c8a72331 Bisecting: 31 revisions left to test after this (roughly 5 steps) [eeead847487f726fa177d0f4060c4f0816ad9cd9] usb: gadget: amd5536udc: fix spelling mistake "reserverd" -> "reserved" testing commit eeead847487f726fa177d0f4060c4f0816ad9cd9 with gcc (GCC) 8.1.0 kernel signature: 7a800a7f9a574b83417f0a42ba93e0736ec0c9af7e162a12eed99e779600620c all runs: crashed: KASAN: use-after-free Read in __media_entity_remove_links # git bisect bad eeead847487f726fa177d0f4060c4f0816ad9cd9 Bisecting: 15 revisions left to test after this (roughly 4 steps) [3d157c28d2289edf0439e8308e8de3a06acaaf0e] doc: dt: bindings: usb: dwc3: Update entries for disabling SS instances in park mode testing commit 3d157c28d2289edf0439e8308e8de3a06acaaf0e with gcc (GCC) 8.1.0 kernel signature: 684cf21e7566dea4e8329d8b641107c5e36c045571b00bbaf813bbf3ccda810d all runs: OK # git bisect good 3d157c28d2289edf0439e8308e8de3a06acaaf0e Bisecting: 7 revisions left to test after this (roughly 3 steps) [0227cc84c44417a29c8102e41db8ec2c11ebc6b2] usb: dwc3: core: don't do suspend for device mode if already suspended testing commit 0227cc84c44417a29c8102e41db8ec2c11ebc6b2 with gcc (GCC) 8.1.0 kernel signature: 9164ab642d2ee88c7229dc6b0f6b94268e2d950e0a4aaa82cbc63c0e25694406 all runs: OK # git bisect good 0227cc84c44417a29c8102e41db8ec2c11ebc6b2 Bisecting: 3 revisions left to test after this (roughly 2 steps) [95b18f28979e12539cc02f6ec4e2c776e8551f39] dt-bindings: usb: dwc2: add compatible property for rk3328 usb testing commit 95b18f28979e12539cc02f6ec4e2c776e8551f39 with gcc (GCC) 8.1.0 kernel signature: 2ec35f7a1232a4b3788078d355c487b3ae20d4f8f73c58f8158ea6cc3facd3cb all runs: crashed: KASAN: use-after-free Read in __media_entity_remove_links # git bisect bad 95b18f28979e12539cc02f6ec4e2c776e8551f39 Bisecting: 1 revision left to test after this (roughly 1 step) [1a0808cb9e417170ed6ab97254cf319dc3e3c310] usb: dwc2: Implement set_selfpowered() testing commit 1a0808cb9e417170ed6ab97254cf319dc3e3c310 with gcc (GCC) 8.1.0 kernel signature: 23b281c8ba825c5f7eee9f1456e0bc078a9d212ba957829172464817053d1c35 all runs: OK # git bisect good 1a0808cb9e417170ed6ab97254cf319dc3e3c310 Bisecting: 0 revisions left to test after this (roughly 0 steps) [f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10] usb: gadget: add raw-gadget interface testing commit f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10 with gcc (GCC) 8.1.0 kernel signature: 59ba5a92b0c2a2cf1299fa575f08fb04d1c3a17fba969331a8c1aba3737a27dc all runs: crashed: KASAN: use-after-free Read in __media_entity_remove_links # git bisect bad f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10 f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10 is the first bad commit commit f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10 Author: Andrey Konovalov Date: Mon Feb 24 17:13:03 2020 +0100 usb: gadget: add raw-gadget interface USB Raw Gadget is a kernel module that provides a userspace interface for the USB Gadget subsystem. Essentially it allows to emulate USB devices from userspace. Enabled with CONFIG_USB_RAW_GADGET. Raw Gadget is currently a strictly debugging feature and shouldn't be used in production. Raw Gadget is similar to GadgetFS, but provides a more low-level and direct access to the USB Gadget layer for the userspace. The key differences are: 1. Every USB request is passed to the userspace to get a response, while GadgetFS responds to some USB requests internally based on the provided descriptors. However note, that the UDC driver might respond to some requests on its own and never forward them to the Gadget layer. 2. GadgetFS performs some sanity checks on the provided USB descriptors, while Raw Gadget allows you to provide arbitrary data as responses to USB requests. 3. Raw Gadget provides a way to select a UDC device/driver to bind to, while GadgetFS currently binds to the first available UDC. 4. Raw Gadget uses predictable endpoint names (handles) across different UDCs (as long as UDCs have enough endpoints of each required transfer type). 5. Raw Gadget has ioctl-based interface instead of a filesystem-based one. Reviewed-by: Greg Kroah-Hartman Signed-off-by: Andrey Konovalov Signed-off-by: Felipe Balbi Documentation/usb/index.rst | 1 + Documentation/usb/raw-gadget.rst | 61 ++ drivers/usb/gadget/legacy/Kconfig | 11 + drivers/usb/gadget/legacy/Makefile | 1 + drivers/usb/gadget/legacy/raw_gadget.c | 1078 ++++++++++++++++++++++++++++++++ include/uapi/linux/usb/raw_gadget.h | 167 +++++ 6 files changed, 1319 insertions(+) create mode 100644 Documentation/usb/raw-gadget.rst create mode 100644 drivers/usb/gadget/legacy/raw_gadget.c create mode 100644 include/uapi/linux/usb/raw_gadget.h culprit signature: 59ba5a92b0c2a2cf1299fa575f08fb04d1c3a17fba969331a8c1aba3737a27dc parent signature: 23b281c8ba825c5f7eee9f1456e0bc078a9d212ba957829172464817053d1c35 revisions tested: 16, total time: 3h37m27.173009031s (build: 1h51m47.603938387s, test: 1h44m11.715442753s) first bad commit: f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10 usb: gadget: add raw-gadget interface cc: ["andreyknvl@google.com" "balbi@kernel.org" "gregkh@linuxfoundation.org"] crash: KASAN: use-after-free Read in __media_entity_remove_links usb 4-1: USB disconnect, device number 2 ================================================================== BUG: KASAN: use-after-free in __media_entity_remove_links+0x120/0x150 drivers/media/mc/mc-entity.c:779 Read of size 8 at addr ffff888097ac1820 by task kworker/0:28/2859 CPU: 0 PID: 2859 Comm: kworker/0:28 Not tainted 5.6.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: usb_hub_wq hub_event Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x128/0x182 lib/dump_stack.c:118 print_address_description.constprop.8.cold.10+0x9/0x317 mm/kasan/report.c:374 __kasan_report.cold.11+0x1c/0x34 mm/kasan/report.c:506 kasan_report+0xe/0x20 mm/kasan/common.c:641 __media_entity_remove_links+0x120/0x150 drivers/media/mc/mc-entity.c:779 __media_device_unregister_entity+0x161/0x2a0 drivers/media/mc/mc-device.c:596 media_device_unregister_entity+0x3e/0x60 drivers/media/mc/mc-device.c:688 v4l2_device_unregister_subdev+0x211/0x330 drivers/media/v4l2-core/v4l2-device.c:283 v4l2_device_unregister+0xf5/0x1c0 drivers/media/v4l2-core/v4l2-device.c:100 uvc_unregister_video+0xe7/0x1b0 drivers/media/usb/uvc/uvc_driver.c:1957 uvc_disconnect+0x98/0x100 drivers/media/usb/uvc/uvc_driver.c:2270 usb_unbind_interface+0x15c/0x870 drivers/usb/core/driver.c:423 __device_release_driver drivers/base/dd.c:1137 [inline] device_release_driver_internal+0x1d2/0x470 drivers/base/dd.c:1168 bus_remove_device+0x293/0x460 drivers/base/bus.c:533 device_del+0x421/0xc00 drivers/base/core.c:2677 usb_disable_device+0x1ae/0x580 drivers/usb/core/message.c:1237 usb_disconnect+0x227/0x850 drivers/usb/core/hub.c:2211 hub_port_connect drivers/usb/core/hub.c:5046 [inline] hub_port_connect_change drivers/usb/core/hub.c:5335 [inline] port_event drivers/usb/core/hub.c:5481 [inline] hub_event+0x1048/0x2d60 drivers/usb/core/hub.c:5563 process_one_work+0x903/0x15c0 kernel/workqueue.c:2264 worker_thread+0x82/0xb50 kernel/workqueue.c:2410 kthread+0x31d/0x3e0 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Allocated by task 3103: save_stack+0x19/0x80 mm/kasan/common.c:72 set_track mm/kasan/common.c:80 [inline] __kasan_kmalloc.constprop.17+0xc1/0xd0 mm/kasan/common.c:515 kmem_cache_alloc_trace+0x156/0x780 mm/slab.c:3551 kmalloc include/linux/slab.h:555 [inline] kzalloc include/linux/slab.h:669 [inline] media_add_link+0x43/0x150 drivers/media/mc/mc-entity.c:592 media_create_pad_link+0x1b6/0x590 drivers/media/mc/mc-entity.c:684 uvc_mc_create_links drivers/media/usb/uvc/uvc_entity.c:50 [inline] uvc_mc_register_entities+0x3fc/0x706 drivers/media/usb/uvc/uvc_entity.c:114 uvc_register_chains drivers/media/usb/uvc/uvc_driver.c:2103 [inline] uvc_probe.cold.19+0x186a/0x292c drivers/media/usb/uvc/uvc_driver.c:2229 usb_probe_interface+0x268/0x6c0 drivers/usb/core/driver.c:361 really_probe+0x1f9/0x5e0 drivers/base/dd.c:551 driver_probe_device+0xc9/0x1b0 drivers/base/dd.c:724 bus_for_each_drv+0x117/0x1a0 drivers/base/bus.c:431 __device_attach+0x1be/0x2c0 drivers/base/dd.c:897 bus_probe_device+0x19e/0x250 drivers/base/bus.c:491 device_add+0x10d0/0x1900 drivers/base/core.c:2500 usb_set_configuration+0xc02/0x1560 drivers/usb/core/message.c:2023 generic_probe+0x61/0x8a drivers/usb/core/generic.c:210 really_probe+0x1f9/0x5e0 drivers/base/dd.c:551 driver_probe_device+0xc9/0x1b0 drivers/base/dd.c:724 bus_for_each_drv+0x117/0x1a0 drivers/base/bus.c:431 __device_attach+0x1be/0x2c0 drivers/base/dd.c:897 bus_probe_device+0x19e/0x250 drivers/base/bus.c:491 device_add+0x10d0/0x1900 drivers/base/core.c:2500 usb_new_device.cold.66+0x679/0xe85 drivers/usb/core/hub.c:2548 hub_port_connect drivers/usb/core/hub.c:5195 [inline] hub_port_connect_change drivers/usb/core/hub.c:5335 [inline] port_event drivers/usb/core/hub.c:5481 [inline] hub_event+0x15fe/0x2d60 drivers/usb/core/hub.c:5563 process_one_work+0x903/0x15c0 kernel/workqueue.c:2264 worker_thread+0x82/0xb50 kernel/workqueue.c:2410 kthread+0x31d/0x3e0 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Freed by task 2859: save_stack+0x19/0x80 mm/kasan/common.c:72 set_track mm/kasan/common.c:80 [inline] kasan_set_free_info mm/kasan/common.c:337 [inline] __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:476 __cache_free mm/slab.c:3426 [inline] kfree+0x107/0x2b0 mm/slab.c:3757 __media_entity_remove_link+0x22a/0x5e0 drivers/media/mc/mc-entity.c:622 __media_entity_remove_links+0x75/0x150 drivers/media/mc/mc-entity.c:780 __media_device_unregister_entity+0x161/0x2a0 drivers/media/mc/mc-device.c:596 media_device_unregister_entity+0x3e/0x60 drivers/media/mc/mc-device.c:688 v4l2_device_unregister_subdev+0x211/0x330 drivers/media/v4l2-core/v4l2-device.c:283 v4l2_device_unregister+0xf5/0x1c0 drivers/media/v4l2-core/v4l2-device.c:100 uvc_unregister_video+0xe7/0x1b0 drivers/media/usb/uvc/uvc_driver.c:1957 uvc_disconnect+0x98/0x100 drivers/media/usb/uvc/uvc_driver.c:2270 usb_unbind_interface+0x15c/0x870 drivers/usb/core/driver.c:423 __device_release_driver drivers/base/dd.c:1137 [inline] device_release_driver_internal+0x1d2/0x470 drivers/base/dd.c:1168 bus_remove_device+0x293/0x460 drivers/base/bus.c:533 device_del+0x421/0xc00 drivers/base/core.c:2677 usb_disable_device+0x1ae/0x580 drivers/usb/core/message.c:1237 usb_disconnect+0x227/0x850 drivers/usb/core/hub.c:2211 hub_port_connect drivers/usb/core/hub.c:5046 [inline] hub_port_connect_change drivers/usb/core/hub.c:5335 [inline] port_event drivers/usb/core/hub.c:5481 [inline] hub_event+0x1048/0x2d60 drivers/usb/core/hub.c:5563 process_one_work+0x903/0x15c0 kernel/workqueue.c:2264 worker_thread+0x82/0xb50 kernel/workqueue.c:2410 kthread+0x31d/0x3e0 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 The buggy address belongs to the object at ffff888097ac1800 which belongs to the cache kmalloc-96 of size 96 The buggy address is located 32 bytes inside of 96-byte region [ffff888097ac1800, ffff888097ac1860) The buggy address belongs to the page: page:ffffea00025eb040 refcount:1 mapcount:0 mapping:ffff8880aa400540 index:0x0 flags: 0xfffe0000000200(slab) raw: 00fffe0000000200 ffffea00024b0288 ffffea00023a8e48 ffff8880aa400540 raw: 0000000000000000 ffff888097ac1000 0000000100000020 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888097ac1700: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc ffff888097ac1780: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc >ffff888097ac1800: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ^ ffff888097ac1880: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff888097ac1900: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc ==================================================================