bisecting cause commit starting from 08897940f458ee55416cf80ab13d2d8b9f20038e building syzkaller on 912f5df7fadf1d0214995def5446208d0f26c54b testing commit 08897940f458ee55416cf80ab13d2d8b9f20038e compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: fd300ebe31c20b007125b1a6672dd8c6e7dd129341b264cecf535d34f1083f52 all runs: crashed: KASAN: null-ptr-deref Read in ida_free testing release v5.18 testing commit 4b0986a3613c92f4ec1bdc7f60ec66fea135991f compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 7d491c096dcb17e6821b803c83c94c38b6aea0addd6ddbcac7b6924cf4da0365 all runs: OK # git bisect start 08897940f458ee55416cf80ab13d2d8b9f20038e 4b0986a3613c92f4ec1bdc7f60ec66fea135991f Bisecting: 10081 revisions left to test after this (roughly 13 steps) [6f664045c8688c40ad0591abd6ab89db9ecd7945] Merge tag 'mm-nonmm-stable-2022-05-26' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm testing commit 6f664045c8688c40ad0591abd6ab89db9ecd7945 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 25de1638027ef7688f3ede8338df131e1a8b1bb9edcce6b4fc6ad2998c853e09 all runs: OK # git bisect good 6f664045c8688c40ad0591abd6ab89db9ecd7945 Bisecting: 5062 revisions left to test after this (roughly 12 steps) [d289f4cb0f7f16b1821364e6c13808e37bf3b527] Merge branch 'for-next' of https://git.kernel.org/pub/scm/linux/kernel/git/krzk/linux-mem-ctrl.git testing commit d289f4cb0f7f16b1821364e6c13808e37bf3b527 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 66f92f091f8671331ad11cda94ec05ebf7c9d5602c0c100198d5791a4e3753c2 all runs: crashed: KASAN: null-ptr-deref Read in ida_free # git bisect bad d289f4cb0f7f16b1821364e6c13808e37bf3b527 Bisecting: 2679 revisions left to test after this (roughly 11 steps) [04d93b2b8bc7a68ec45a6a156f34a611ede5aa60] Merge tag 'spdx-5.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/spdx testing commit 04d93b2b8bc7a68ec45a6a156f34a611ede5aa60 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 58b2aa774434b600c857ba95f609add9b42790af451687c0dd24b8abd2292424 run #0: boot failed: INFO: task hung in add_early_randomness run #1: boot failed: INFO: task hung in add_early_randomness run #2: boot failed: INFO: task hung in add_early_randomness run #3: boot failed: INFO: task hung in add_early_randomness run #4: boot failed: INFO: task hung in add_early_randomness run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good 04d93b2b8bc7a68ec45a6a156f34a611ede5aa60 Bisecting: 1338 revisions left to test after this (roughly 10 steps) [23df9ba64bb9e26cfee6b34f5c3ece49a8a61ee1] Merge tag 'for-5.19/parisc-2' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux testing commit 23df9ba64bb9e26cfee6b34f5c3ece49a8a61ee1 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: be9620305210afb7d4b734905c1d5e531ba3e5cd6336d2db33376942002ce443 run #0: boot failed: INFO: task hung in add_early_randomness run #1: boot failed: INFO: task hung in add_early_randomness run #2: boot failed: INFO: task hung in add_early_randomness run #3: boot failed: INFO: task hung in add_early_randomness run #4: boot failed: INFO: task hung in add_early_randomness run #5: boot failed: INFO: task hung in add_early_randomness run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good 23df9ba64bb9e26cfee6b34f5c3ece49a8a61ee1 Bisecting: 667 revisions left to test after this (roughly 9 steps) [f0ec9c65a8d67e50a16745e62a336355ddf5d03e] Merge tag 'char-misc-5.19-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc testing commit f0ec9c65a8d67e50a16745e62a336355ddf5d03e compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 3c47d32f70ed20371f02b6e463cb7121433d0e59cc1ccdc4b2a362d6378c570c all runs: OK # git bisect good f0ec9c65a8d67e50a16745e62a336355ddf5d03e Bisecting: 333 revisions left to test after this (roughly 8 steps) [cebe93493430c43bf260d9e58aaff6bedd9e687d] Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git testing commit cebe93493430c43bf260d9e58aaff6bedd9e687d compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 625299e5c1970572fcc825c9fb45736ed9bb978c7fbe5131928c869fd6159d78 all runs: OK # git bisect good cebe93493430c43bf260d9e58aaff6bedd9e687d Bisecting: 171 revisions left to test after this (roughly 7 steps) [6e4100b09af5d669e282ba14d4bf90cd6cd55c6d] Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git testing commit 6e4100b09af5d669e282ba14d4bf90cd6cd55c6d compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: e5ddf559bedfb6d51544f61181ffbe7b9c0f4b309fdb005fca2d29cad4611792 run #0: crashed: KASAN: null-ptr-deref Read in ida_free run #1: crashed: KASAN: null-ptr-deref Read in ida_free run #2: crashed: KASAN: null-ptr-deref Read in ida_free run #3: crashed: KASAN: null-ptr-deref Read in ida_free run #4: crashed: KASAN: null-ptr-deref Read in ida_free run #5: crashed: KASAN: null-ptr-deref Read in ida_free run #6: crashed: KASAN: null-ptr-deref Read in ida_free run #7: crashed: KASAN: null-ptr-deref Read in ida_free run #8: crashed: KASAN: null-ptr-deref Read in ida_free run #9: boot failed: can't ssh into the instance # git bisect bad 6e4100b09af5d669e282ba14d4bf90cd6cd55c6d Bisecting: 88 revisions left to test after this (roughly 6 steps) [a256adcd628c9dbea45272dbbe8567e1f99d7f6d] Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/phy/linux-phy.git testing commit a256adcd628c9dbea45272dbbe8567e1f99d7f6d compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 76775ca2ebcb284195556d4a7de67de5a9c8cfda380b460b2e9aca3c6cfff88e all runs: crashed: KASAN: null-ptr-deref Read in ida_free # git bisect bad a256adcd628c9dbea45272dbbe8567e1f99d7f6d Bisecting: 36 revisions left to test after this (roughly 5 steps) [81d74ddae83fbd85c9006835f36c362114127a7a] ASoC: wm_adsp: Fix event for preloader testing commit 81d74ddae83fbd85c9006835f36c362114127a7a compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: b2538ba505d404bff007a1791147c94b7b3ec6f77093b355f0c01a486c8c3aee run #0: boot failed: INFO: task hung in add_early_randomness run #1: boot failed: INFO: task hung in add_early_randomness run #2: boot failed: INFO: task hung in add_early_randomness run #3: boot failed: INFO: task hung in add_early_randomness run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good 81d74ddae83fbd85c9006835f36c362114127a7a Bisecting: 18 revisions left to test after this (roughly 4 steps) [82c4178fc9695444e1781feb9dd8af08fc841adc] Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator.git testing commit 82c4178fc9695444e1781feb9dd8af08fc841adc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 77bed03111bc9b61834bd01827e0502f2155ab4198d7806a18bc811ca4b4926c all runs: OK # git bisect good 82c4178fc9695444e1781feb9dd8af08fc841adc Bisecting: 12 revisions left to test after this (roughly 3 steps) [9ef165406308515dcf2e3f6e97b39a1c56d86db5] usb: typec: wcove: Drop wrong dependency to INTEL_SOC_PMIC testing commit 9ef165406308515dcf2e3f6e97b39a1c56d86db5 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 05559029e060a8817e3d72b6ef82341c3f60c10cd9bfc0c3135b7d746439733b all runs: crashed: KASAN: null-ptr-deref Read in ida_free # git bisect bad 9ef165406308515dcf2e3f6e97b39a1c56d86db5 Bisecting: 2 revisions left to test after this (roughly 2 steps) [0f074c1c95ea496dc91279b6c4b9845a337517fa] dt-bindings: usb: ohci: Increase the number of PHYs testing commit 0f074c1c95ea496dc91279b6c4b9845a337517fa compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: ca523ead6fea37700d5a858f158770fb9147b76c6bcc66e8f561aaee6bda8415 all runs: crashed: KASAN: null-ptr-deref Read in ida_free # git bisect bad 0f074c1c95ea496dc91279b6c4b9845a337517fa Bisecting: 0 revisions left to test after this (roughly 1 step) [f2d8c2606825317b77db1f9ba0fc26ef26160b30] usb: gadget: Fix non-unique driver names in raw-gadget driver testing commit f2d8c2606825317b77db1f9ba0fc26ef26160b30 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 8a16979bf4d8b835fa14f28fdde49408bba6cb4150e0adc153426eaca5548713 all runs: crashed: KASAN: null-ptr-deref Read in ida_free # git bisect bad f2d8c2606825317b77db1f9ba0fc26ef26160b30 Bisecting: 0 revisions left to test after this (roughly 0 steps) [dbab764ed5e987306480f827775876b99b81429e] MAINTAINERS: add include/dt-bindings/usb to USB SUBSYSTEM testing commit dbab764ed5e987306480f827775876b99b81429e compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 5aba0919ae327b33deb0c352f1c5ac50a47878d1a902ee8237fab9803a0a8863 all runs: OK # git bisect good dbab764ed5e987306480f827775876b99b81429e f2d8c2606825317b77db1f9ba0fc26ef26160b30 is the first bad commit commit f2d8c2606825317b77db1f9ba0fc26ef26160b30 Author: Alan Stern Date: Mon Jun 13 10:17:03 2022 -0400 usb: gadget: Fix non-unique driver names in raw-gadget driver In a report for a separate bug (which has already been fixed by commit 5f0b5f4d50fa "usb: gadget: fix race when gadget driver register via ioctl") in the raw-gadget driver, the syzbot console log included error messages caused by attempted registration of a new driver with the same name as an existing driver: > kobject_add_internal failed for raw-gadget with -EEXIST, don't try to register things with the same name in the same directory. > UDC core: USB Raw Gadget: driver registration failed: -17 > misc raw-gadget: fail, usb_gadget_register_driver returned -17 These errors arise because raw_gadget.c registers a separate UDC driver for each of the UDC instances it creates, but these drivers all have the same name: "raw-gadget". Until recently this wasn't a problem, but when the "gadget" bus was added and UDC drivers were registered on this bus, it became possible for name conflicts to cause the registrations to fail. The reason is simply that the bus code in the driver core uses the driver name as a sysfs directory name (e.g., /sys/bus/gadget/drivers/raw-gadget/), and you can't create two directories with the same pathname. To fix this problem, the driver names used by raw-gadget are made distinct by appending a unique ID number: "raw-gadget.N", with a different value of N for each driver instance. And to avoid the proliferation of error handling code in the raw_ioctl_init() routine, the error return paths are refactored into the common pattern (goto statements leading to cleanup code at the end of the routine). Link: https://lore.kernel.org/all/0000000000008c664105dffae2eb@google.com/ Fixes: fc274c1e9973 "USB: gadget: Add a new bus for gadgets" CC: Andrey Konovalov CC: Reported-and-tested-by: syzbot+02b16343704b3af1667e@syzkaller.appspotmail.com Reviewed-by: Andrey Konovalov Acked-by: Hillf Danton Signed-off-by: Alan Stern Link: https://lore.kernel.org/r/YqdG32w+3h8c1s7z@rowland.harvard.edu Signed-off-by: Greg Kroah-Hartman drivers/usb/gadget/legacy/raw_gadget.c | 62 +++++++++++++++++++++++++--------- 1 file changed, 46 insertions(+), 16 deletions(-) culprit signature: 8a16979bf4d8b835fa14f28fdde49408bba6cb4150e0adc153426eaca5548713 parent signature: 5aba0919ae327b33deb0c352f1c5ac50a47878d1a902ee8237fab9803a0a8863 revisions tested: 16, total time: 3h58m29.807668452s (build: 1h49m6.625562054s, test: 2h7m40.747966672s) first bad commit: f2d8c2606825317b77db1f9ba0fc26ef26160b30 usb: gadget: Fix non-unique driver names in raw-gadget driver recipients (to): ["andreyknvl@gmail.com" "gregkh@linuxfoundation.org" "hdanton@sina.com" "stern@rowland.harvard.edu" "syzbot+02b16343704b3af1667e@syzkaller.appspotmail.com"] recipients (cc): [] crash: KASAN: null-ptr-deref Read in ida_free ================================================================== BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:71 [inline] BUG: KASAN: null-ptr-deref in test_bit include/asm-generic/bitops/instrumented-non-atomic.h:134 [inline] BUG: KASAN: null-ptr-deref in ida_free+0x135/0x210 lib/idr.c:510 Read of size 8 at addr 0000000000000000 by task syz-executor.0/4101 CPU: 0 PID: 4101 Comm: syz-executor.0 Not tainted 5.19.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106 print_report mm/kasan/report.c:432 [inline] kasan_report.cold+0x61/0x1c6 mm/kasan/report.c:491 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189 instrument_atomic_read include/linux/instrumented.h:71 [inline] test_bit include/asm-generic/bitops/instrumented-non-atomic.h:134 [inline] ida_free+0x135/0x210 lib/idr.c:510 dev_free+0xd3/0x680 drivers/usb/gadget/legacy/raw_gadget.c:212 kref_put include/linux/kref.h:65 [inline] raw_release+0x165/0x1e0 drivers/usb/gadget/legacy/raw_gadget.c:424 __fput+0x1f5/0x8c0 fs/file_table.c:317 task_work_run+0xc0/0x160 kernel/task_work.c:177 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] exit_to_user_mode_loop kernel/entry/common.c:169 [inline] exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:201 __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline] syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:294 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x46/0xb0 RIP: 0033:0x7f1b3a43bd4b Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44 RSP: 002b:00007ffc96461180 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00007f1b3a43bd4b RDX: ffffffffffffffb8 RSI: ffffffffffffffff RDI: 0000000000000004 RBP: 00007f1b3a59d960 R08: 0000000000000000 R09: 00007f1b3a5a0910 R10: 00007ffc96461280 R11: 0000000000000293 R12: 00000000000125c4 R13: 00007ffc96461280 R14: 00007f1b3a59bf60 R15: 0000000000000bea ==================================================================