ci2 starts bisection 2025-09-30 15:20:36.707780308 +0000 UTC m=+114.212257100
bisecting fixing commit since 1154f779f3f3d196ace7d5084498f5d7f418ba64
building syzkaller on bf27483f963359281b2d9b6d6efd36289f82e282
ensuring issue is reproducible on original commit 1154f779f3f3d196ace7d5084498f5d7f418ba64
testing commit 1154f779f3f3d196ace7d5084498f5d7f418ba64 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6215e9d9df81d19322c4ef6a5f271293c6d69e659353d37f13bd6a546dd8aa91
all runs: crashed: KASAN: slab-out-of-bounds Read in mon_bin_event
representative crash: KASAN: slab-out-of-bounds Read in mon_bin_event, types: [KASAN-READ]
check whether we can drop unnecessary instrumentation
disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed
testing commit 1154f779f3f3d196ace7d5084498f5d7f418ba64 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 68788092342c9692d03af3dacdbb8ce048b5c5ae7b1bf42e1b20b0865b447fb1
all runs: crashed: KASAN: slab-out-of-bounds Read in mon_bin_event
representative crash: KASAN: slab-out-of-bounds Read in mon_bin_event, types: [KASAN-READ]
the bug reproduces without the instrumentation
disabling configs for [bug_or_warning locking atomic_sleep hang memleak ubsan], they are not needed
kconfig minimization: base=4788 full=6025 leaves diff=247
split chunks (needed=false): <247>
split chunk #0 of len 247 into 5 parts
testing without sub-chunk 1/5
disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed
testing commit 1154f779f3f3d196ace7d5084498f5d7f418ba64 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 1bbd4d44d54d8dbf3a8f28a73d790e5f6f49a44b68bd55a3b730709ad6d91594
run #0: crashed: KASAN: slab-out-of-bounds Read in mon_bin_event
run #1: crashed: KASAN: slab-out-of-bounds Read in mon_bin_event
run #2: crashed: KASAN: slab-out-of-bounds Read in mon_bin_event
run #3: crashed: KASAN: slab-out-of-bounds Read in mon_bin_event
run #4: crashed: KFENCE: out-of-bounds read in mon_bin_event
run #5: crashed: KASAN: slab-out-of-bounds Read in mon_bin_event
run #6: crashed: KASAN: slab-out-of-bounds Read in mon_bin_event
run #7: crashed: KASAN: slab-out-of-bounds Read in mon_bin_event
run #8: crashed: KASAN: slab-out-of-bounds Read in mon_bin_event
run #9: crashed: KASAN: slab-out-of-bounds Read in mon_bin_event
representative crash: KASAN: slab-out-of-bounds Read in mon_bin_event, types: [KASAN-READ]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [ubsan bug_or_warning locking atomic_sleep hang memleak], they are not needed
testing commit 1154f779f3f3d196ace7d5084498f5d7f418ba64 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9c1f5ce64dbd5f18e83a3cf813a092c1ea0a85f1b5baca5c0b9d124d3aa40a39
all runs: crashed: KASAN: slab-out-of-bounds Read in mon_bin_event
representative crash: KASAN: slab-out-of-bounds Read in mon_bin_event, types: [KASAN-READ]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed
testing commit 1154f779f3f3d196ace7d5084498f5d7f418ba64 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: eda1bf11d41917bb60947c2b8120de0c7c7ac41de8dca4851a7d7ed9e153e683
all runs: crashed: KASAN: slab-out-of-bounds Read in mon_bin_event
representative crash: KASAN: slab-out-of-bounds Read in mon_bin_event, types: [KASAN-READ]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed
testing commit 1154f779f3f3d196ace7d5084498f5d7f418ba64 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4b24f163eadd375cd4082f3e9e5079fb414e1e9dac6cef2a6fccb407422c6660
all runs: OK
false negative chance: 0.000
testing without sub-chunk 5/5
disabling configs for [memleak ubsan bug_or_warning locking atomic_sleep hang], they are not needed
testing commit 1154f779f3f3d196ace7d5084498f5d7f418ba64 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
failed building 1154f779f3f3d196ace7d5084498f5d7f418ba64: net/socket.c:1128: undefined reference to `wext_handle_ioctl'
net/socket.c:3397: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:346: undefined reference to `wext_proc_exit'
net/core/net-procfs.c:330: undefined reference to `wext_proc_init'
minimized to 97 configs; suspects: [HID_ZEROPLUS SND SOUND USB_CONFIGFS USB_CONFIGFS_EEM USB_CONFIGFS_F_ACC USB_CONFIGFS_F_AUDIO_SRC USB_CONFIGFS_F_FS USB_CONFIGFS_F_HID USB_CONFIGFS_F_LB_SS USB_CONFIGFS_F_MIDI USB_CONFIGFS_F_PRINTER USB_CONFIGFS_F_UAC1 USB_CONFIGFS_F_UAC1_LEGACY USB_CONFIGFS_F_UAC2 USB_CONFIGFS_F_UVC USB_CONFIGFS_MASS_STORAGE USB_CONFIGFS_NCM USB_CONFIGFS_OBEX USB_CONFIGFS_RNDIS USB_CONFIGFS_SERIAL USB_CONFIGFS_UEVENT USB_EHCI_ROOT_HUB_TT USB_EHSET_TEST_FIXTURE USB_F_ACC USB_F_ACM USB_F_AUDIO_SRC USB_F_ECM USB_F_EEM USB_F_FS USB_F_HID USB_F_MASS_STORAGE USB_F_MIDI USB_F_NCM USB_F_OBEX USB_F_PRINTER USB_F_RNDIS USB_F_SERIAL USB_F_SS_LB USB_F_SUBSET USB_F_UAC1 USB_F_UAC1_LEGACY USB_F_UAC2 USB_F_UVC USB_GADGET_DEBUG_FILES USB_GADGET_DEBUG_FS USB_IPHETH USB_ISP1760 USB_ISP1760_HCD USB_ISP1760_HOST_ROLE USB_LIBCOMPOSITE USB_LINK_LAYER_TEST USB_MON USB_NET_CDC_MBIM USB_NET_CDC_SUBSET USB_NET_CDC_SUBSET_ENABLE USB_NET_DM9601 USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL USB_SERIAL_FTDI_SIO USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM USB_XHCI_PCI_RENESAS WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_ZYDAS ZEROPLUS_FF]
disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed
testing current HEAD 0a91f603159ed277ddc143367a5851ffde3d0f5a
testing commit 0a91f603159ed277ddc143367a5851ffde3d0f5a gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 1490705dd4a5b6e5c78ffc8a60a8b0f8a1511a10be3021f4f53fb94750d62362
all runs: OK
false negative chance: 0.000
# git bisect start 0a91f603159ed277ddc143367a5851ffde3d0f5a 1154f779f3f3d196ace7d5084498f5d7f418ba64
Bisecting: 325 revisions left to test after this (roughly 8 steps)
[6f6958846ed7a8fd81a3bd64e75555a1d2b54e45] ipmi: Use dev_warn_ratelimited() for incorrect message warnings
determine whether the revision contains the guilty commit
checking the merge base d5eca7ebcf6f64c4aebf9684c365c130a3a069b3
no existing result, test the revision
testing commit d5eca7ebcf6f64c4aebf9684c365c130a3a069b3 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9eb4f4e7fd3c3345b8bfa0b1719b7eb9b15b4a19a152d40eec6818e212ca6c08
all runs: crashed: KASAN: slab-out-of-bounds Read in mon_bin_event
representative crash: KASAN: slab-out-of-bounds Read in mon_bin_event, types: [KASAN-READ]
testing commit 6f6958846ed7a8fd81a3bd64e75555a1d2b54e45 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d0a6bb4217d218a5dc42d099aadacaead7b5dcf185c5edcf676e3db5d7d2a6bc
all runs: OK
false negative chance: 0.000
# git bisect bad 6f6958846ed7a8fd81a3bd64e75555a1d2b54e45
Bisecting: 162 revisions left to test after this (roughly 7 steps)
[bbdac60ed1a7edf2c822fcfbef3bfa5e7c646e5c] PCI: pnv_php: Work around switches with broken presence detection
determine whether the revision contains the guilty commit
revision d5eca7ebcf6f64c4aebf9684c365c130a3a069b3 crashed and is reachable
testing commit bbdac60ed1a7edf2c822fcfbef3bfa5e7c646e5c gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7981d42ec97d2a16e36edd4e8806857467b8005b1be870ce1b36f48540b01c09
all runs: OK
false negative chance: 0.000
# git bisect bad bbdac60ed1a7edf2c822fcfbef3bfa5e7c646e5c
Bisecting: 80 revisions left to test after this (roughly 6 steps)
[5a837d4d1fc64af35c0360a4aad46c28114591ba] ARM: dts: vfxxx: Correctly use two tuples for timer address
determine whether the revision contains the guilty commit
revision d5eca7ebcf6f64c4aebf9684c365c130a3a069b3 crashed and is reachable
testing commit 5a837d4d1fc64af35c0360a4aad46c28114591ba gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 29a6eff5cc7278a89e75a34f959dc14f93165b97d7f67f677f47fb08e14ee3a2
all runs: OK
false negative chance: 0.000
# git bisect bad 5a837d4d1fc64af35c0360a4aad46c28114591ba
Bisecting: 40 revisions left to test after this (roughly 5 steps)
[375f468915ee2af7a34ae81851c76163b25fe0cf] Bluetooth: SMP: If an unallowed command is received consider it a failure
determine whether the revision contains the guilty commit
revision d5eca7ebcf6f64c4aebf9684c365c130a3a069b3 crashed and is reachable
testing commit 375f468915ee2af7a34ae81851c76163b25fe0cf gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9d8a76b6a69956987303bb05f06bd893ff852c4c55b2402dc91f6ec70d3630fb
all runs: OK
false negative chance: 0.000
# git bisect bad 375f468915ee2af7a34ae81851c76163b25fe0cf
Bisecting: 19 revisions left to test after this (roughly 4 steps)
[bb4ec4c12030d68d46af56fcc1e6e8885905c42e] mmc: sdhci-pci: Quirk for broken command queuing on Intel GLK-based Positivo models
determine whether the revision contains the guilty commit
revision d5eca7ebcf6f64c4aebf9684c365c130a3a069b3 crashed and is reachable
testing commit bb4ec4c12030d68d46af56fcc1e6e8885905c42e gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 82beebb7447454aa6a1281dfa0ac5ec1d332bbb44028bc0e099cab00bb658198
all runs: OK
false negative chance: 0.000
# git bisect bad bb4ec4c12030d68d46af56fcc1e6e8885905c42e
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[9f2892f7233a8f1320fe671d0f95f122191bfbcd] HID: core: ensure the allocated report buffer can contain the reserved report ID
determine whether the revision contains the guilty commit
revision d5eca7ebcf6f64c4aebf9684c365c130a3a069b3 crashed and is reachable
testing commit 9f2892f7233a8f1320fe671d0f95f122191bfbcd gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7621ab29442284e3c4ff32aa71192dc8b0edd60f56227e47c1ea2d2ccb4d35ff
all runs: crashed: KASAN: slab-out-of-bounds Read in mon_bin_event
representative crash: KASAN: slab-out-of-bounds Read in mon_bin_event, types: [KASAN-READ]
# git bisect good 9f2892f7233a8f1320fe671d0f95f122191bfbcd
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[fee68f6a655b26f3112f65980737a914fe4c18a1] af_packet: fix soft lockup issue caused by tpacket_snd()
determine whether the revision contains the guilty commit
revision d5eca7ebcf6f64c4aebf9684c365c130a3a069b3 crashed and is reachable
testing commit fee68f6a655b26f3112f65980737a914fe4c18a1 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a25971035cb33d233d8bc68d95554da3c0f947d874a857a85587a31aac62866b
all runs: OK
false negative chance: 0.000
# git bisect bad fee68f6a655b26f3112f65980737a914fe4c18a1
Bisecting: 2 revisions left to test after this (roughly 1 step)
[40e25aa7e4e0f2440c73a683ee448e41c7c344ed] HID: core: do not bypass hid_hw_raw_request
determine whether the revision contains the guilty commit
revision d5eca7ebcf6f64c4aebf9684c365c130a3a069b3 crashed and is reachable
testing commit 40e25aa7e4e0f2440c73a683ee448e41c7c344ed gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e685e94d82196214c51cafb5e5dfc7a1335f48c2036da3d690a6a5247e18e62b
all runs: OK
false negative chance: 0.000
# git bisect bad 40e25aa7e4e0f2440c73a683ee448e41c7c344ed
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[293812d1a97d02be3720b46ccb9dcd8d46644489] HID: core: ensure __hid_request reserves the report ID as the first byte
determine whether the revision contains the guilty commit
revision d5eca7ebcf6f64c4aebf9684c365c130a3a069b3 crashed and is reachable
testing commit 293812d1a97d02be3720b46ccb9dcd8d46644489 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 1d5f9bdbaaabe550cb64c6747f5d6d4e01fc07dbb6b55f349a0ad2986e220b4e
all runs: OK
false negative chance: 0.000
# git bisect bad 293812d1a97d02be3720b46ccb9dcd8d46644489
293812d1a97d02be3720b46ccb9dcd8d46644489 is the first bad commit
commit 293812d1a97d02be3720b46ccb9dcd8d46644489
Author: Benjamin Tissoires
Date:   Thu Jul 10 16:01:34 2025 +0200

    HID: core: ensure __hid_request reserves the report ID as the first byte

    commit 0d0777ccaa2d46609d05b66ba0096802a2746193 upstream.

    The low level transport driver expects the first byte to be the report ID,
    even when the report ID is not used (in which case they just shift the
    buffer).

    However, __hid_request() was not offsetting the buffer it used by one in
    this case, meaning that the raw_request() callback emitted by the transport
    driver would be stripped of the first byte.

    Note: this changes the API for uhid devices when a request is made through
    hid_hw_request. However, several considerations make me think this is fine:
    - every request to a HID device made through hid_hw_request() would see
      that change, but every request made through hid_hw_raw_request() already
      has the new behaviour. So that means that the users are already facing
      situations where they might have or not the first byte being the null
      report ID when it is 0. We are making things more straightforward in the
      end.
    - uhid is mainly used for BLE devices
    - uhid is also used for testing, but I don't see that change a big issue
    - for BLE devices, we can check which kernel module is calling
      hid_hw_request()
    - and in those modules, we can check which are using a Bluetooth device
    - and then we can check if the command is used with a report ID or not.
    - surprise: none of the kernel modules are using a report ID 0
    - and finally, bluez, in its function set_report()[0], does the same shift
      if the report ID is 0 and the given buffer has a size > 0.

    [0] https://git.kernel.org/pub/scm/bluetooth/bluez.git/tree/profiles/input/hog-lib.c#n879

    Reported-by: Alan Stern
    Closes: https://lore.kernel.org/linux-input/c75433e0-9b47-4072-bbe8-b1d14ea97b13@rowland.harvard.edu/
    Reported-by: syzbot+8258d5439c49d4c35f43@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=8258d5439c49d4c35f43
    Tested-by: syzbot+8258d5439c49d4c35f43@syzkaller.appspotmail.com
    Fixes: 4fa5a7f76cc7 ("HID: core: implement generic .request()")
    Cc: stable@vger.kernel.org
    Link: https://patch.msgid.link/20250710-report-size-null-v2-2-ccf922b7c4e5@kernel.org
    Signed-off-by: Benjamin Tissoires
    Signed-off-by: Greg Kroah-Hartman

 drivers/hid/hid-core.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

accumulated error probability: 0.00
culprit signature: 1d5f9bdbaaabe550cb64c6747f5d6d4e01fc07dbb6b55f349a0ad2986e220b4e
parent signature: 7621ab29442284e3c4ff32aa71192dc8b0edd60f56227e47c1ea2d2ccb4d35ff
revisions tested: 17, total time: 4h58m49.83192253s (build: 52m41.120083084s, test: 2h47m51.553697686s)
first good commit: 293812d1a97d02be3720b46ccb9dcd8d46644489 HID: core: ensure __hid_request reserves the report ID as the first byte
recipients (to): ["bentiss@kernel.org" "gregkh@linuxfoundation.org" "syzbot+8258d5439c49d4c35f43@syzkaller.appspotmail.com"]
recipients (cc): []