bisecting fixing commit since 2c85ebc57b3e1817b6ce1a6b703928e113a90442
building syzkaller on 97183ed760478c5b970c8c549d99c8147a72e293
testing commit 2c85ebc57b3e1817b6ce1a6b703928e113a90442 with gcc (GCC) 8.1.0
kernel signature: 87f5503eff62e8578cfd6ff35b5330650e6ed19f77678e98dde8a1a8ce7131e1
run #0: crashed: WARNING in pvr2_i2c_core_done
run #1: crashed: WARNING in pvr2_i2c_core_done
run #2: crashed: WARNING in pvr2_i2c_core_done
run #3: crashed: WARNING in pvr2_i2c_core_done
run #4: crashed: WARNING in put_i2c_dev
run #5: crashed: WARNING in pvr2_i2c_core_done
run #6: crashed: WARNING in pvr2_i2c_core_done
run #7: crashed: WARNING in pvr2_i2c_core_done
run #8: crashed: WARNING in pvr2_i2c_core_done
run #9: crashed: WARNING in pvr2_i2c_core_done
testing current HEAD 65f0d2414b7079556fbbcc070b3d1c9f9587606d
testing commit 65f0d2414b7079556fbbcc070b3d1c9f9587606d with gcc (GCC) 8.1.0
kernel signature: a6722c0f90522193e72846f09233b714fa61da73f1652b4aa891321bcb001d1b
all runs: OK
# git bisect start 65f0d2414b7079556fbbcc070b3d1c9f9587606d 2c85ebc57b3e1817b6ce1a6b703928e113a90442
Bisecting: 6983 revisions left to test after this (roughly 13 steps)
[ef72cd3c5ce168829c6684ecb2cae047d3493690] ethtool: fix error paths in ethnl_set_channels()
testing commit ef72cd3c5ce168829c6684ecb2cae047d3493690 with gcc (GCC) 8.1.0
kernel signature: 1d9b77dc5dba68c88a2842a5082fe47273259ecd5e73a6e04c07829181f311ac
all runs: crashed: WARNING in pvr2_i2c_core_done
# git bisect good ef72cd3c5ce168829c6684ecb2cae047d3493690
Bisecting: 3383 revisions left to test after this (roughly 12 steps)
[9805529ec544ea7a82d891d5239a8ebd3dbb2a3e] Merge tag 'arm-soc-dt-5.11' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
testing commit 9805529ec544ea7a82d891d5239a8ebd3dbb2a3e with gcc (GCC) 8.1.0
kernel signature: e07134accee6402a94e0a446a67128a00a8cbf519db319c7c81c7e705ecc55f0
all runs: crashed: WARNING in pvr2_i2c_core_done
# git bisect good 9805529ec544ea7a82d891d5239a8ebd3dbb2a3e
Bisecting: 1755 revisions left to test after this (roughly 11 steps)
[f4a2f7866faaf89ea1595b136e01fcb336b46aab] Merge tag 'rtc-5.11' of git://git.kernel.org/pub/scm/linux/kernel/git/abelloni/linux
testing commit f4a2f7866faaf89ea1595b136e01fcb336b46aab with gcc (GCC) 8.1.0
kernel signature: 221b9a05158222d9c641da02152d07361fa45a8d7393da7fe1cd6afb50e772d6
all runs: crashed: WARNING in pvr2_i2c_core_done
# git bisect good f4a2f7866faaf89ea1595b136e01fcb336b46aab
Bisecting: 882 revisions left to test after this (roughly 10 steps)
[771e7e4161053e606592b9cd056ef7e2ea2316d5] Merge tag 'block-5.11-2020-12-23' of git://git.kernel.dk/linux-block
testing commit 771e7e4161053e606592b9cd056ef7e2ea2316d5 with gcc (GCC) 8.1.0
kernel signature: 182bbcf8ff83e6961035235296ea11d6a14d09b7fda208788a2fdb51ffff16db
all runs: crashed: WARNING in pvr2_i2c_core_done
# git bisect good 771e7e4161053e606592b9cd056ef7e2ea2316d5
Bisecting: 441 revisions left to test after this (roughly 9 steps)
[0b9902c1fcc59ba75268386c0420a554f8844168] s390/qeth: fix deadlock during recovery
testing commit 0b9902c1fcc59ba75268386c0420a554f8844168 with gcc (GCC) 8.1.0
kernel signature: ef15fe1f4ef405dcf98bb36967735e8b25297beffb522656859266aa6e5ee9f3
all runs: crashed: WARNING in pvr2_i2c_core_done
# git bisect good 0b9902c1fcc59ba75268386c0420a554f8844168
Bisecting: 226 revisions left to test after this (roughly 8 steps)
[caab314792aca89f327abc8b9f730526d3080366] Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux
testing commit caab314792aca89f327abc8b9f730526d3080366 with gcc (GCC) 8.1.0
kernel signature: 1f22cb7d9e020abe71da04df32e0e90375e5a6b6e8515dd1a33997e8673bb342
all runs: crashed: WARNING in pvr2_i2c_core_done
# git bisect good caab314792aca89f327abc8b9f730526d3080366
Bisecting: 107 revisions left to test after this (roughly 7 steps)
[d430adfea8d2c5baa186cabb130235f72fecbd5b] Merge tag 'io_uring-5.11-2021-01-10' of git://git.kernel.dk/linux-block
testing commit d430adfea8d2c5baa186cabb130235f72fecbd5b with gcc (GCC) 8.1.0
kernel signature: 1e0ba0ce160d366516bb7f7987f89294acc0fe6a2631324b217aa243911a03ae
all runs: OK
# git bisect bad d430adfea8d2c5baa186cabb130235f72fecbd5b
Bisecting: 55 revisions left to test after this (roughly 6 steps)
[e07cd2f3e7e525fa8df334d11beceb4c1bdcc74e] Merge tag 'char-misc-5.11-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
testing commit e07cd2f3e7e525fa8df334d11beceb4c1bdcc74e with gcc (GCC) 8.1.0
kernel signature: b646dc86674872d03dcfc14c2cc6f20177acc8fdcf4a899cc927ca3b393f77c4
all runs: crashed: WARNING in pvr2_i2c_core_done
# git bisect good e07cd2f3e7e525fa8df334d11beceb4c1bdcc74e
Bisecting: 28 revisions left to test after this (roughly 5 steps)
[96ebc9c871d8a28fb22aa758dd9188a4732df482] usb: uas: Add PNY USB Portable SSD to unusual_uas
testing commit 96ebc9c871d8a28fb22aa758dd9188a4732df482 with gcc (GCC) 8.1.0
kernel signature: b9e3e3f045ce7194f9c71fff4d87754fc644fbf4d473f0f9fde97682ddba5106
all runs: OK
# git bisect bad 96ebc9c871d8a28fb22aa758dd9188a4732df482
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[83a43ff80a566de8718dfc6565545a0080ec1fb5] usb: chipidea: ci_hdrc_imx: add missing put_device() call in usbmisc_get_init_data()
testing commit 83a43ff80a566de8718dfc6565545a0080ec1fb5 with gcc (GCC) 8.1.0
kernel signature: 1c0389ee8b6ede87a6ad51307767624625339bb692d46224178601ee049903de
run #0: crashed: WARNING in pvr2_i2c_core_done
run #1: crashed: WARNING in pvr2_i2c_core_done
run #2: crashed: WARNING in pvr2_i2c_core_done
run #3: crashed: WARNING in pvr2_i2c_core_done
run #4: crashed: WARNING in pvr2_i2c_core_done
run #5: crashed: WARNING in put_i2c_dev
run #6: crashed: WARNING in pvr2_i2c_core_done
run #7: crashed: WARNING in pvr2_i2c_core_done
run #8: crashed: WARNING in pvr2_i2c_core_done
run #9: crashed: WARNING in pvr2_i2c_core_done
# git bisect good 83a43ff80a566de8718dfc6565545a0080ec1fb5
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[020a1f453449294926ca548d8d5ca970926e8dfd] USB: usblp: fix DMA to stack
testing commit 020a1f453449294926ca548d8d5ca970926e8dfd with gcc (GCC) 8.1.0
kernel signature: 4c72735a31d1b297d439bc5ebfb9d6f638816233b9eafe3435f05dc6d3ee18b9
all runs: OK
# git bisect bad 020a1f453449294926ca548d8d5ca970926e8dfd
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[fca3f138105727c3a22edda32d02f91ce1bf11c9] usb: dwc3: ulpi: Replace CPU-based busyloop with Protocol-based one
testing commit fca3f138105727c3a22edda32d02f91ce1bf11c9 with gcc (GCC) 8.1.0
kernel signature: 0f2517030d048af4f43962a3246fbc7e534b6fae597a3a2164fc28ec9571bf4b
all runs: crashed: WARNING in pvr2_i2c_core_done
# git bisect good fca3f138105727c3a22edda32d02f91ce1bf11c9
Bisecting: 1 revision left to test after this (roughly 1 step)
[9389044f27081d6ec77730c36d5bf9a1288bcda2] usb: gadget: f_uac2: reset wMaxPacketSize
testing commit 9389044f27081d6ec77730c36d5bf9a1288bcda2 with gcc (GCC) 8.1.0
kernel signature: 79db6d2b51dc85fad5a43400b5710e3995971e60587c2a02c170a748bdeb45cb
all runs: crashed: WARNING in pvr2_i2c_core_done
# git bisect good 9389044f27081d6ec77730c36d5bf9a1288bcda2
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[c318840fb2a42ce25febc95c4c19357acf1ae5ca] USB: Gadget: dummy-hcd: Fix shift-out-of-bounds bug
testing commit c318840fb2a42ce25febc95c4c19357acf1ae5ca with gcc (GCC) 8.1.0
kernel signature: 5f9d68f90ff13ff0b07e4b33b2d922b7c68f71d8b4b0f6252b6c35c867cc138e
all runs: OK
# git bisect bad c318840fb2a42ce25febc95c4c19357acf1ae5ca
c318840fb2a42ce25febc95c4c19357acf1ae5ca is the first bad commit
commit c318840fb2a42ce25febc95c4c19357acf1ae5ca
Author: Alan Stern
Date: Wed Dec 30 11:20:44 2020 -0500

    USB: Gadget: dummy-hcd: Fix shift-out-of-bounds bug

    The dummy-hcd driver was written under the assumption that all the
    parameters in URBs sent to its root hub would be valid. With URBs sent
    from userspace via usbfs, that assumption can be violated.

    In particular, the driver doesn't fully check the port-feature values
    stored in the wValue entry of Clear-Port-Feature and Set-Port-Feature
    requests. Values that are too large can cause the driver to perform an
    invalid left shift of more than 32 bits. Ironically, two of those left
    shifts are unnecessary, because they implement Set-Port-Feature
    requests that hubs are not required to support, according to section
    11.24.2.13 of the USB-2.0 spec.

    This patch adds the appropriate checks for the port feature selector
    values and removes the unnecessary feature settings. It also rejects
    requests to set the TEST feature or to set or clear the INDICATOR and
    C_OVERCURRENT features, as none of these are relevant to dummy-hcd's
    root-hub emulation.

    CC:
    Reported-and-tested-by: syzbot+5925509f78293baa7331@syzkaller.appspotmail.com
    Signed-off-by: Alan Stern
    Link: https://lore.kernel.org/r/20201230162044.GA727759@rowland.harvard.edu
    Signed-off-by: Greg Kroah-Hartman

 drivers/usb/gadget/udc/dummy_hcd.c | 35 +++++++++++++++++++++++------------
 1 file changed, 23 insertions(+), 12 deletions(-)
culprit signature: 5f9d68f90ff13ff0b07e4b33b2d922b7c68f71d8b4b0f6252b6c35c867cc138e
parent signature: 79db6d2b51dc85fad5a43400b5710e3995971e60587c2a02c170a748bdeb45cb
revisions tested: 16, total time: 2h46m54.018869456s (build: 1h17m24.660014709s, test: 1h28m6.161516736s)
first good commit: c318840fb2a42ce25febc95c4c19357acf1ae5ca USB: Gadget: dummy-hcd: Fix shift-out-of-bounds bug
recipients (to): ["gregkh@linuxfoundation.org" "stern@rowland.harvard.edu" "syzbot+5925509f78293baa7331@syzkaller.appspotmail.com"]
recipients (cc): []