bisecting fixing commit since 420f51f4ab6bce6e580390729fadb89c31123636
building syzkaller on a4718693a3d9fcabb02299b2ec07c19d8208c539
testing commit 420f51f4ab6bce6e580390729fadb89c31123636 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in vhci_hub_control
run #1: crashed: KASAN: use-after-free Read in vhci_hub_control
run #2: crashed: KASAN: slab-out-of-bounds Read in vhci_hub_control
run #3: crashed: KASAN: use-after-free Read in vhci_hub_control
run #4: crashed: KASAN: use-after-free Read in vhci_hub_control
run #5: crashed: KASAN: use-after-free Read in vhci_hub_control
run #6: crashed: KASAN: slab-out-of-bounds Read in vhci_hub_control
run #7: crashed: KASAN: use-after-free Read in vhci_hub_control
run #8: OK
run #9: OK
testing current HEAD 33920f1ec5bf47c5c0a1d2113989bdd9dfb3fae9
testing commit 33920f1ec5bf47c5c0a1d2113989bdd9dfb3fae9 with gcc (GCC) 8.1.0
all runs: OK
# git bisect start 33920f1ec5bf47c5c0a1d2113989bdd9dfb3fae9 420f51f4ab6bce6e580390729fadb89c31123636
Bisecting: 37225 revisions left to test after this (roughly 15 steps)
[f1ebe04f5ba2f49fd672f12cdef46acda73cd9cf] ACPI: implement acpi_handle_debug in terms of _dynamic_func_call
testing commit f1ebe04f5ba2f49fd672f12cdef46acda73cd9cf with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad f1ebe04f5ba2f49fd672f12cdef46acda73cd9cf
Bisecting: 18558 revisions left to test after this (roughly 14 steps)
[e69fbf31ca2cf6d6a2afedd0f8b30dcd10e76049] Merge tag 'wireless-drivers-next-for-davem-2018-12-20' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next
testing commit e69fbf31ca2cf6d6a2afedd0f8b30dcd10e76049 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad e69fbf31ca2cf6d6a2afedd0f8b30dcd10e76049
Bisecting: 9291 revisions left to test after this (roughly 13 steps)
[685f7e4f161425b137056abe35ba8ef7b669d83d] Merge tag 'powerpc-4.20-1' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux
testing commit 685f7e4f161425b137056abe35ba8ef7b669d83d with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 685f7e4f161425b137056abe35ba8ef7b669d83d
Bisecting: 5170 revisions left to test after this (roughly 12 steps)
[3f80e08f40cdb308589a49077c87632fa4508b21] tcp: add tcp_reset_xmit_timer() helper
testing commit 3f80e08f40cdb308589a49077c87632fa4508b21 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 3f80e08f40cdb308589a49077c87632fa4508b21
Bisecting: 2001 revisions left to test after this (roughly 11 steps)
[d793fb46822ff7408a1767313ef6b12e811baa55] Merge tag 'wireless-drivers-next-for-davem-2018-10-02' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next
testing commit d793fb46822ff7408a1767313ef6b12e811baa55 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in vhci_hub_control
run #1: crashed: KASAN: use-after-free Read in vhci_hub_control
run #2: crashed: KASAN: slab-out-of-bounds Read in vhci_hub_control
run #3: crashed: KASAN: use-after-free Read in vhci_hub_control
run #4: crashed: KASAN: use-after-free Read in vhci_hub_control
run #5: crashed: KASAN: slab-out-of-bounds Read in vhci_hub_control
run #6: crashed: KASAN: use-after-free Read in vhci_hub_control
run #7: crashed: KASAN: use-after-free Read in vhci_hub_control
run #8: OK
run #9: OK
# git bisect good d793fb46822ff7408a1767313ef6b12e811baa55
Bisecting: 1000 revisions left to test after this (roughly 10 steps)
[7579d84be12c4645672deeac5bb0eace7dbd6cb5] isdn/hisax: amd7930_fn: Remove unnecessary parentheses
testing commit 7579d84be12c4645672deeac5bb0eace7dbd6cb5 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: slab-out-of-bounds Read in vhci_hub_control
run #1: crashed: KASAN: use-after-free Read in vhci_hub_control
run #2: crashed: KASAN: slab-out-of-bounds Read in vhci_hub_control
run #3: crashed: KASAN: use-after-free Read in vhci_hub_control
run #4: crashed: KASAN: slab-out-of-bounds Read in vhci_hub_control
run #5: crashed: KASAN: use-after-free Read in vhci_hub_control
run #6: crashed: KASAN: slab-out-of-bounds Read in vhci_hub_control
run #7: crashed: KASAN: slab-out-of-bounds Read in vhci_hub_control
run #8: crashed: KASAN: use-after-free Read in vhci_hub_control
run #9: crashed: KASAN: slab-out-of-bounds Read in vhci_hub_control
# git bisect good 7579d84be12c4645672deeac5bb0eace7dbd6cb5
Bisecting: 500 revisions left to test after this (roughly 9 steps)
[e85679511e48168b0f066b6ae585556b5e0d8f5b] Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next
testing commit e85679511e48168b0f066b6ae585556b5e0d8f5b with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in vhci_hub_control
run #1: crashed: KASAN: use-after-free Read in vhci_hub_control
run #2: crashed: KASAN: use-after-free Read in vhci_hub_control
run #3: crashed: KASAN: slab-out-of-bounds Read in vhci_hub_control
run #4: crashed: KASAN: use-after-free Read in vhci_hub_control
run #5: crashed: KASAN: use-after-free Read in vhci_hub_control
run #6: crashed: KASAN: use-after-free Read in vhci_hub_control
run #7: crashed: KASAN: slab-out-of-bounds Read in vhci_hub_control
run #8: crashed: KASAN: use-after-free Read in vhci_hub_control
run #9: crashed: KASAN: use-after-free Read in vhci_hub_control
# git bisect good e85679511e48168b0f066b6ae585556b5e0d8f5b
Bisecting: 217 revisions left to test after this (roughly 8 steps)
[2e2d6f0342be7f73a34526077fa96f42f0e8c661] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
testing commit 2e2d6f0342be7f73a34526077fa96f42f0e8c661 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: slab-out-of-bounds Read in vhci_hub_control
run #1: crashed: KASAN: use-after-free Read in vhci_hub_control
run #2: crashed: KASAN: use-after-free Read in vhci_hub_control
run #3: crashed: KASAN: slab-out-of-bounds Read in vhci_hub_control
run #4: crashed: KASAN: use-after-free Read in vhci_hub_control
run #5: crashed: KASAN: use-after-free Read in vhci_hub_control
run #6: crashed: KASAN: slab-out-of-bounds Read in vhci_hub_control
run #7: crashed: KASAN: use-after-free Read in vhci_hub_control
run #8: OK
run #9: OK
# git bisect good 2e2d6f0342be7f73a34526077fa96f42f0e8c661
Bisecting: 122 revisions left to test after this (roughly 7 steps)
[92303c86b7e9b7d3895ccafb441a0354143e2a18] Merge branch 'net-simplify-getting-driver_data'
testing commit 92303c86b7e9b7d3895ccafb441a0354143e2a18 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 92303c86b7e9b7d3895ccafb441a0354143e2a18
Bisecting: 43 revisions left to test after this (roughly 6 steps)
[b0d04fb56b3173626a15406d69f3026ca313057f] Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit b0d04fb56b3173626a15406d69f3026ca313057f with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad b0d04fb56b3173626a15406d69f3026ca313057f
Bisecting: 26 revisions left to test after this (roughly 5 steps)
[270b77a0f30e7bc61a9081b86d74dbb62fa6a69d] Merge tag 'drm-fixes-2018-10-20-1' of git://anongit.freedesktop.org/drm/drm
testing commit 270b77a0f30e7bc61a9081b86d74dbb62fa6a69d with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 270b77a0f30e7bc61a9081b86d74dbb62fa6a69d
Bisecting: 9 revisions left to test after this (roughly 4 steps)
[c7b70a641df26002e8f26e2b8122fcb6a1d815a1] Merge tag 'usb-4.19-final' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
testing commit c7b70a641df26002e8f26e2b8122fcb6a1d815a1 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad c7b70a641df26002e8f26e2b8122fcb6a1d815a1
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[c02588a352defaf985fc1816eb6232663159e1b8] usb: xhci: pci: Enable Intel USB role mux on Apollo Lake platforms
testing commit c02588a352defaf985fc1816eb6232663159e1b8 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad c02588a352defaf985fc1816eb6232663159e1b8
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[9397940ed812b942c520e0c25ed4b2c64d57e8b9] cdc-acm: fix race between reset and control messaging
testing commit 9397940ed812b942c520e0c25ed4b2c64d57e8b9 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 9397940ed812b942c520e0c25ed4b2c64d57e8b9
Bisecting: 0 revisions left to test after this (roughly 1 step)
[81f7567c51ad97668d1c3a48e8ecc482e64d4161] usb: usbip: Fix BUG: KASAN: slab-out-of-bounds in vhci_hub_control()
testing commit 81f7567c51ad97668d1c3a48e8ecc482e64d4161 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 81f7567c51ad97668d1c3a48e8ecc482e64d4161
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[4b0aaacee51eb6592a03fdefd5ce97558518e291] selftests: usbip: add wait after attach and before checking port status
testing commit 4b0aaacee51eb6592a03fdefd5ce97558518e291 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in vhci_hub_control
run #1: crashed: KASAN: slab-out-of-bounds Read in vhci_hub_control
run #2: crashed: KASAN: use-after-free Read in vhci_hub_control
run #3: crashed: KASAN: slab-out-of-bounds Read in vhci_hub_control
run #4: crashed: KASAN: use-after-free Read in vhci_hub_control
run #5: crashed: KASAN: use-after-free Read in vhci_hub_control
run #6: crashed: KASAN: slab-out-of-bounds Read in vhci_hub_control
run #7: crashed: KASAN: use-after-free Read in vhci_hub_control
run #8: OK
run #9: OK
# git bisect good 4b0aaacee51eb6592a03fdefd5ce97558518e291
81f7567c51ad97668d1c3a48e8ecc482e64d4161 is the first bad commit
commit 81f7567c51ad97668d1c3a48e8ecc482e64d4161
Author: Shuah Khan (Samsung OSG)
Date: Fri Oct 5 16:17:44 2018 -0600

    usb: usbip: Fix BUG: KASAN: slab-out-of-bounds in vhci_hub_control()

    vhci_hub_control() accesses port_status array with out of bounds port value. Fix it to reference port_status[] only with a valid rhport value when invalid_rhport flag is true.

    The invalid_rhport flag is set early on after detecting in port value is within the bounds or not.

    The following is used reproduce the problem and verify the fix:

    C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14ed8ab6400000

    Reported-by: syzbot+bccc1fe10b70fadc78d0@syzkaller.appspotmail.com
    Cc: stable
    Signed-off-by: Shuah Khan (Samsung OSG)
    Signed-off-by: Greg Kroah-Hartman

:040000 040000 5188649916d5ca9094d1a3e353da8da64c2e76c2 1cfea8a20142772b367e5c0440681a7c14474e8f M drivers
revisions tested: 18, total time: 4h39m33.276252702s (build: 1h21m19.121372779s, test: 3h11m52.569068745s)
first good commit: 81f7567c51ad97668d1c3a48e8ecc482e64d4161 usb: usbip: Fix BUG: KASAN: slab-out-of-bounds in vhci_hub_control()
cc: ["gregkh@linuxfoundation.org" "linux-kernel@vger.kernel.org" "linux-usb@vger.kernel.org" "shuah@kernel.org" "valentina.manea.m@gmail.com"]