* Re: [syzbot] [usb?] UBSAN: array-index-out-of-bounds in usbhid_parse
[not found] <20231223195641.29000-1-tintinm2017@gmail.com>
@ 2023-12-23 20:29 ` syzbot
0 siblings, 0 replies; 11+ messages in thread
From: syzbot @ 2023-12-23 20:29 UTC (permalink / raw)
To: jikos, linux-kernel, syzkaller-bugs, tintinm2017
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
UBSAN: array-index-out-of-bounds in usbhid_parse
usb 1-1: string descriptor 0 read error: -22
usb 1-1: New USB device found, idVendor=080e, idProduct=4eb9, bcdDevice=d7.f6
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
================================================================================
UBSAN: array-index-out-of-bounds in drivers/hid/usbhid/hid-core.c:1026:18
index 1 is out of range for type 'hid_class_descriptor [1]'
CPU: 0 PID: 5070 Comm: kworker/0:5 Not tainted 6.7.0-rc6-syzkaller-00248-g5254c0cbc92d-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x125/0x1b0 lib/dump_stack.c:106
ubsan_epilogue lib/ubsan.c:217 [inline]
__ubsan_handle_out_of_bounds+0x111/0x150 lib/ubsan.c:348
usbhid_parse+0x99d/0xa10 drivers/hid/usbhid/hid-core.c:1026
hid_add_device+0x189/0xa60 drivers/hid/hid-core.c:2790
usbhid_probe+0xd0a/0x1360 drivers/hid/usbhid/hid-core.c:1431
usb_probe_interface+0x307/0x930 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x234/0xc90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x4b0 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:830
__device_attach_driver+0x1d4/0x300 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1d0 drivers/base/bus.c:457
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17c/0x1c0 drivers/base/bus.c:532
device_add+0x117e/0x1aa0 drivers/base/core.c:3625
usb_set_configuration+0x10cb/0x1c40 drivers/usb/core/message.c:2207
usb_generic_driver_probe+0xca/0x130 drivers/usb/core/generic.c:238
usb_probe_device+0xda/0x2c0 drivers/usb/core/driver.c:293
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x234/0xc90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x4b0 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:830
__device_attach_driver+0x1d4/0x300 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1d0 drivers/base/bus.c:457
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17c/0x1c0 drivers/base/bus.c:532
device_add+0x117e/0x1aa0 drivers/base/core.c:3625
usb_new_device+0xd80/0x19f0 drivers/usb/core/hub.c:2576
hub_port_connect drivers/usb/core/hub.c:5440 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5580 [inline]
port_event drivers/usb/core/hub.c:5740 [inline]
hub_event+0x2dac/0x4e10 drivers/usb/core/hub.c:5822
process_one_work+0x884/0x15c0 kernel/workqueue.c:2627
process_scheduled_works kernel/workqueue.c:2700 [inline]
worker_thread+0x8b9/0x1290 kernel/workqueue.c:2781
kthread+0x33c/0x440 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
</TASK>
================================================================================
Tested on:
commit: 5254c0cb Merge tag 'block-6.7-2023-12-22' of git://git..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=14446681e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=7c68d9298a873f9e
dashboard link: https://syzkaller.appspot.com/bug?extid=c52569baf0c843f35495
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=13af6e26e80000
[parent not found: <20231121191815.201459-1-tintinm2017@gmail.com>]
* Re: [syzbot] [usb?] UBSAN: array-index-out-of-bounds in usbhid_parse
[not found] <20231121191815.201459-1-tintinm2017@gmail.com>
@ 2023-11-21 20:27 ` syzbot
0 siblings, 0 replies; 11+ messages in thread
From: syzbot @ 2023-11-21 20:27 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs, tintinm2017
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
UBSAN: array-index-out-of-bounds in usbhid_parse
usb 1-1: string descriptor 0 read error: -22
usb 1-1: New USB device found, idVendor=080e, idProduct=4eb9, bcdDevice=d7.f6
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
================================================================================
UBSAN: array-index-out-of-bounds in drivers/hid/usbhid/hid-core.c:1026:18
index 1 is out of range for type 'hid_class_descriptor [1]'
CPU: 1 PID: 23 Comm: kworker/1:0 Not tainted 6.7.0-rc2-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x125/0x1b0 lib/dump_stack.c:106
ubsan_epilogue lib/ubsan.c:217 [inline]
__ubsan_handle_out_of_bounds+0x111/0x150 lib/ubsan.c:348
usbhid_parse+0x99d/0xa10 drivers/hid/usbhid/hid-core.c:1026
hid_add_device+0x189/0xa60 drivers/hid/hid-core.c:2783
usbhid_probe+0xd0a/0x1360 drivers/hid/usbhid/hid-core.c:1431
usb_probe_interface+0x307/0x930 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x234/0xc90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x4b0 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:830
__device_attach_driver+0x1d4/0x300 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1d0 drivers/base/bus.c:457
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17c/0x1c0 drivers/base/bus.c:532
device_add+0x117e/0x1aa0 drivers/base/core.c:3625
usb_set_configuration+0x10cb/0x1c40 drivers/usb/core/message.c:2207
usb_generic_driver_probe+0xca/0x130 drivers/usb/core/generic.c:238
usb_probe_device+0xda/0x2c0 drivers/usb/core/driver.c:293
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x234/0xc90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x4b0 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:830
__device_attach_driver+0x1d4/0x300 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1d0 drivers/base/bus.c:457
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17c/0x1c0 drivers/base/bus.c:532
device_add+0x117e/0x1aa0 drivers/base/core.c:3625
usb_new_device+0xd80/0x19f0 drivers/usb/core/hub.c:2599
hub_port_connect drivers/usb/core/hub.c:5463 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5603 [inline]
port_event drivers/usb/core/hub.c:5763 [inline]
hub_event+0x2dac/0x4e10 drivers/usb/core/hub.c:5845
process_one_work+0x884/0x15c0 kernel/workqueue.c:2630
process_scheduled_works kernel/workqueue.c:2703 [inline]
worker_thread+0x8b9/0x1290 kernel/workqueue.c:2784
kthread+0x33c/0x440 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
</TASK>
================================================================================
Tested on:
commit: 98b1cc82 Linux 6.7-rc2
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=17127f58e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=7445bf05fbfd240c
dashboard link: https://syzkaller.appspot.com/bug?extid=c52569baf0c843f35495
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=112520af680000
[parent not found: <CAJjsb4qSx1FGaj6N0HXJp7cJEo1BQWyYgxTcXVcFNbc5bRZKxA@mail.gmail.com>]
* Re: [syzbot] [usb?] UBSAN: array-index-out-of-bounds in usbhid_parse
[not found] <CAJjsb4qSx1FGaj6N0HXJp7cJEo1BQWyYgxTcXVcFNbc5bRZKxA@mail.gmail.com>
@ 2023-11-17 14:39 ` syzbot
0 siblings, 0 replies; 11+ messages in thread
From: syzbot @ 2023-11-17 14:39 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs, tintinm2017
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
UBSAN: array-index-out-of-bounds in usbhid_parse
usb 1-1: string descriptor 0 read error: -22
usb 1-1: New USB device found, idVendor=080e, idProduct=4eb9, bcdDevice=d7.f6
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
================================================================================
UBSAN: array-index-out-of-bounds in drivers/hid/usbhid/hid-core.c:1024:18
index 1 is out of range for type 'hid_class_descriptor [1]'
CPU: 0 PID: 778 Comm: kworker/0:2 Not tainted 6.7.0-rc1-syzkaller-00125-g7475e51b8796 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x125/0x1b0 lib/dump_stack.c:106
ubsan_epilogue lib/ubsan.c:217 [inline]
__ubsan_handle_out_of_bounds+0x111/0x150 lib/ubsan.c:348
usbhid_parse+0x94a/0xa20 drivers/hid/usbhid/hid-core.c:1024
hid_add_device+0x189/0xa60 drivers/hid/hid-core.c:2783
usbhid_probe+0xd0a/0x1360 drivers/hid/usbhid/hid-core.c:1429
usb_probe_interface+0x307/0x930 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x234/0xc90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x4b0 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:830
__device_attach_driver+0x1d4/0x300 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1d0 drivers/base/bus.c:457
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17c/0x1c0 drivers/base/bus.c:532
device_add+0x117e/0x1aa0 drivers/base/core.c:3625
usb_set_configuration+0x10cb/0x1c40 drivers/usb/core/message.c:2207
usb_generic_driver_probe+0xca/0x130 drivers/usb/core/generic.c:238
usb_probe_device+0xda/0x2c0 drivers/usb/core/driver.c:293
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x234/0xc90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x4b0 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:830
__device_attach_driver+0x1d4/0x300 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1d0 drivers/base/bus.c:457
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17c/0x1c0 drivers/base/bus.c:532
device_add+0x117e/0x1aa0 drivers/base/core.c:3625
usb_new_device+0xd80/0x19f0 drivers/usb/core/hub.c:2599
hub_port_connect drivers/usb/core/hub.c:5463 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5603 [inline]
port_event drivers/usb/core/hub.c:5763 [inline]
hub_event+0x2dac/0x4e10 drivers/usb/core/hub.c:5845
process_one_work+0x884/0x15c0 kernel/workqueue.c:2630
process_scheduled_works kernel/workqueue.c:2703 [inline]
worker_thread+0x8b9/0x1290 kernel/workqueue.c:2784
kthread+0x33c/0x440 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
</TASK>
================================================================================
Tested on:
commit: 7475e51b Merge tag 'net-6.7-rc2' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=158e7800e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=54e2bd738b08eef2
dashboard link: https://syzkaller.appspot.com/bug?extid=c52569baf0c843f35495
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Note: no patches were applied.
[parent not found: <20231017104539.1939-1-hdanton@sina.com>]
* Re: [syzbot] [usb?] UBSAN: array-index-out-of-bounds in usbhid_parse
[not found] <20231017104539.1939-1-hdanton@sina.com>
@ 2023-10-17 11:17 ` syzbot
0 siblings, 0 replies; 11+ messages in thread
From: syzbot @ 2023-10-17 11:17 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+c52569baf0c843f35495@syzkaller.appspotmail.com
Tested on:
commit: 213f8915 Merge tag 'probes-fixes-v6.6-rc6' of git://gi..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=11583ee5680000
kernel config: https://syzkaller.appspot.com/x/.config?x=3c2b0838e2a16cba
dashboard link: https://syzkaller.appspot.com/bug?extid=c52569baf0c843f35495
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=17da2e19680000
Note: testing is done by a robot and is best-effort only.
* [syzbot] [usb?] UBSAN: array-index-out-of-bounds in usbhid_parse
@ 2023-10-16 17:01 syzbot
2024-05-23 14:17 ` Nikita Zhandarovich
` (2 more replies)
0 siblings, 3 replies; 11+ messages in thread
From: syzbot @ 2023-10-16 17:01 UTC (permalink / raw)
To: benjamin.tissoires, jikos, linux-input, linux-kernel, linux-usb,
syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: ad7f1baed071 Merge tag 'acpi-6.6-rc6' of git://git.kernel...
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1056d5c5680000
kernel config: https://syzkaller.appspot.com/x/.config?x=32d0b9b42ceb8b10
dashboard link: https://syzkaller.appspot.com/bug?extid=c52569baf0c843f35495
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1081f1e5680000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16c7bc4d680000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/e3074ad3ff92/disk-ad7f1bae.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/94b298a1e285/vmlinux-ad7f1bae.xz
kernel image: https://storage.googleapis.com/syzbot-assets/1ad5cd9c2a48/bzImage-ad7f1bae.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c52569baf0c843f35495@syzkaller.appspotmail.com
usb 1-1: string descriptor 0 read error: -22
usb 1-1: New USB device found, idVendor=080e, idProduct=4eb9, bcdDevice=d7.f6
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
================================================================================
UBSAN: array-index-out-of-bounds in drivers/hid/usbhid/hid-core.c:1024:18
index 1 is out of range for type 'hid_class_descriptor [1]'
CPU: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.6.0-rc5-syzkaller-00227-gad7f1baed071 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x125/0x1b0 lib/dump_stack.c:106
ubsan_epilogue lib/ubsan.c:217 [inline]
__ubsan_handle_out_of_bounds+0x111/0x150 lib/ubsan.c:348
usbhid_parse+0x94a/0xa20 drivers/hid/usbhid/hid-core.c:1024
hid_add_device+0x189/0xa60 drivers/hid/hid-core.c:2783
usbhid_probe+0xd0a/0x1360 drivers/hid/usbhid/hid-core.c:1429
usb_probe_interface+0x307/0x930 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x234/0xc90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x4b0 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:830
__device_attach_driver+0x1d4/0x300 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1d0 drivers/base/bus.c:457
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17c/0x1c0 drivers/base/bus.c:532
device_add+0x117e/0x1aa0 drivers/base/core.c:3624
usb_set_configuration+0x10cb/0x1c40 drivers/usb/core/message.c:2207
usb_generic_driver_probe+0xca/0x130 drivers/usb/core/generic.c:238
usb_probe_device+0xda/0x2c0 drivers/usb/core/driver.c:293
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x234/0xc90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x4b0 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:830
__device_attach_driver+0x1d4/0x300 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1d0 drivers/base/bus.c:457
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17c/0x1c0 drivers/base/bus.c:532
device_add+0x117e/0x1aa0 drivers/base/core.c:3624
usb_new_device+0xd80/0x1960 drivers/usb/core/hub.c:2589
hub_port_connect drivers/usb/core/hub.c:5440 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5580 [inline]
port_event drivers/usb/core/hub.c:5740 [inline]
hub_event+0x2daf/0x4e00 drivers/usb/core/hub.c:5822
process_one_work+0x884/0x15c0 kernel/workqueue.c:2630
process_scheduled_works kernel/workqueue.c:2703 [inline]
worker_thread+0x8b9/0x1290 kernel/workqueue.c:2784
kthread+0x33c/0x440 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
</TASK>
================================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 11+ messages in thread* Re: [syzbot] [usb?] UBSAN: array-index-out-of-bounds in usbhid_parse 2023-10-16 17:01 syzbot @ 2024-05-23 14:17 ` Nikita Zhandarovich 2024-05-24 1:56 ` syzbot 2025-01-30 10:20 ` Nikita Zhandarovich 2025-01-31 7:13 ` Nikita Zhandarovich 2 siblings, 1 reply; 11+ messages in thread From: Nikita Zhandarovich @ 2024-05-23 14:17 UTC (permalink / raw) To: syzbot+c52569baf0c843f35495 Cc: Nikita Zhandarovich, syzkaller-bugs, linux-kernel #syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master --- drivers/hid/usbhid/hid-core.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c index a90ed2ceae84..f38a4bd3a20e 100644 --- a/drivers/hid/usbhid/hid-core.c +++ b/drivers/hid/usbhid/hid-core.c @@ -1020,6 +1020,9 @@ static int usbhid_parse(struct hid_device *hid) num_descriptors = min_t(int, hdesc->bNumDescriptors, (hdesc->bLength - offset) / sizeof(struct hid_class_descriptor)); + if (num_descriptors > ARRAY_SIZE(hdesc->desc)) + num_descriptors = ARRAY_SIZE(hdesc->desc); + for (n = 0; n < num_descriptors; n++) if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT) rsize = le16_to_cpu(hdesc->desc[n].wDescriptorLength); ^ permalink raw reply related [flat|nested] 11+ messages in thread
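Review bot: the clamp `if (num_descriptors > ARRAY_SIZE(hdesc->desc)) num_descriptors = ARRAY_SIZE(hdesc->desc);` stops the loop from indexing past the fixed `desc[1]` and so silences the UBSAN report, but it also discards every class descriptor a device lists after the first one: a device whose HID_DT_REPORT entry is at index 1 or later now never has its `wDescriptorLength` read, so the loop's purpose (find the report descriptor among `bNumDescriptors` entries) is not preserved. That is a data-structure limitation in `include/linux/hid.h` being hidden rather than removed, and at minimum deserves a comment saying why the clamp exists. As a smaller point, the comparison mixes the signed `int` from `min_t(int, ...)` with the unsigned `ARRAY_SIZE()` result; `num_descriptors = min_t(int, num_descriptors, ARRAY_SIZE(hdesc->desc));` would follow the idiom of the line just above and avoid the signed/unsigned comparison.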
* Re: [syzbot] [usb?] UBSAN: array-index-out-of-bounds in usbhid_parse
2024-05-23 14:17 ` Nikita Zhandarovich
@ 2024-05-24 1:56 ` syzbot
0 siblings, 0 replies; 11+ messages in thread
From: syzbot @ 2024-05-24 1:56 UTC (permalink / raw)
To: linux-kernel, n.zhandarovich, syzkaller-bugs
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+c52569baf0c843f35495@syzkaller.appspotmail.com
Tested on:
commit: b4d88a60 Merge tag 'block-6.10-20240523' of git://git...
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=117100d8980000
kernel config: https://syzkaller.appspot.com/x/.config?x=34e05c35ec964e75
dashboard link: https://syzkaller.appspot.com/bug?extid=c52569baf0c843f35495
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1293b80c980000
Note: testing is done by a robot and is best-effort only.
* Re: [syzbot] [usb?] UBSAN: array-index-out-of-bounds in usbhid_parse 2023-10-16 17:01 syzbot 2024-05-23 14:17 ` Nikita Zhandarovich @ 2025-01-30 10:20 ` Nikita Zhandarovich 2025-01-30 14:14 ` syzbot 2025-01-31 7:13 ` Nikita Zhandarovich 2 siblings, 1 reply; 11+ messages in thread From: Nikita Zhandarovich @ 2025-01-30 10:20 UTC (permalink / raw) To: syzbot; +Cc: Nikita Zhandarovich, syzkaller-bugs, linux-kernel Test to see that changes made to hid_descriptor are fine. #syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master --- drivers/hid/usbhid/hid-core.c | 2 +- drivers/usb/gadget/function/f_fs.c | 3 ++- drivers/usb/gadget/function/f_hid.c | 22 ++++++++++++++-------- include/linux/hid.h | 2 +- 4 files changed, 18 insertions(+), 11 deletions(-) diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c index a6eb6fe6130d..eb4807785d6d 100644 --- a/drivers/hid/usbhid/hid-core.c +++ b/drivers/hid/usbhid/hid-core.c @@ -1010,7 +1010,7 @@ static int usbhid_parse(struct hid_device *hid) return -ENODEV; } - if (hdesc->bLength < sizeof(struct hid_descriptor)) { + if (hdesc->bLength < struct_size(hdesc, desc, hdesc->bNumDescriptors)) { dbg_hid("hid descriptor is too short\n"); return -EINVAL; } diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c index 2dea9e42a0f8..a4b6d7cbf56d 100644 --- a/drivers/usb/gadget/function/f_fs.c +++ b/drivers/usb/gadget/function/f_fs.c @@ -2550,7 +2550,8 @@ static int __must_check ffs_do_single_desc(char *data, unsigned len, case USB_TYPE_CLASS | 0x01: if (*current_class == USB_INTERFACE_CLASS_HID) { pr_vdebug("hid descriptor\n"); - if (length != sizeof(struct hid_descriptor)) + if (length < sizeof(struct hid_descriptor) + + sizeof(struct hid_class_descriptor)) goto inv_length; break; } else if (*current_class == USB_INTERFACE_CLASS_CCID) { diff --git a/drivers/usb/gadget/function/f_hid.c b/drivers/usb/gadget/function/f_hid.c index 740311c4fa24..ec8c2e2d6812 100644 
--- a/drivers/usb/gadget/function/f_hid.c +++ b/drivers/usb/gadget/function/f_hid.c @@ -139,13 +139,17 @@ static struct usb_interface_descriptor hidg_interface_desc = { }; static struct hid_descriptor hidg_desc = { - .bLength = sizeof hidg_desc, + .bLength = struct_size(&hidg_desc, desc, 1), .bDescriptorType = HID_DT_HID, .bcdHID = cpu_to_le16(0x0101), .bCountryCode = 0x00, .bNumDescriptors = 0x1, - /*.desc[0].bDescriptorType = DYNAMIC */ - /*.desc[0].wDescriptorLenght = DYNAMIC */ + .desc = { + { + .bDescriptorType = 0, /* DYNAMIC */ + .wDescriptorLength = 0, /* DYNAMIC */ + } + } }; /* Super-Speed Support */ @@ -936,16 +940,18 @@ static int hidg_setup(struct usb_function *f, switch (value >> 8) { case HID_DT_HID: { - struct hid_descriptor hidg_desc_copy = hidg_desc; + DEFINE_FLEX(struct hid_descriptor, hidg_desc_copy, + desc, bNumDescriptors, 1); + *hidg_desc_copy = hidg_desc; VDBG(cdev, "USB_REQ_GET_DESCRIPTOR: HID\n"); - hidg_desc_copy.desc[0].bDescriptorType = HID_DT_REPORT; - hidg_desc_copy.desc[0].wDescriptorLength = + hidg_desc_copy->desc[0].bDescriptorType = HID_DT_REPORT; + hidg_desc_copy->desc[0].wDescriptorLength = cpu_to_le16(hidg->report_desc_length); length = min_t(unsigned short, length, - hidg_desc_copy.bLength); - memcpy(req->buf, &hidg_desc_copy, length); + hidg_desc_copy->bLength); + memcpy(req->buf, hidg_desc_copy, length); goto respond; break; } diff --git a/include/linux/hid.h b/include/linux/hid.h index cdc0dc13c87f..85a58ae2c4a0 100644 --- a/include/linux/hid.h +++ b/include/linux/hid.h @@ -739,7 +739,7 @@ struct hid_descriptor { __u8 bCountryCode; __u8 bNumDescriptors; - struct hid_class_descriptor desc[1]; + struct hid_class_descriptor desc[] __counted_by(bNumDescriptors); } __attribute__ ((packed)); #define HID_DEVICE(b, g, ven, prod) \ ^ permalink raw reply related [flat|nested] 11+ messages in thread
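Review bot: the hid-core.c hunk changes behaviour for devices whose `bLength` covers fewer entries than `bNumDescriptors` claims. Before, `if (hdesc->bLength < sizeof(struct hid_descriptor))` only demanded the one-entry minimum and the `min_t(int, hdesc->bNumDescriptors, (hdesc->bLength - offset) / sizeof(struct hid_class_descriptor))` clamp further down (visible as context in the May patch) parsed however many entries actually fit; with `if (hdesc->bLength < struct_size(hdesc, desc, hdesc->bNumDescriptors))` such a device now gets -EINVAL and fails to probe. Either keep the old minimum and rely on the clamp, or state the intentional tightening in the changelog so a regression report on an odd real device can be matched to it. `bNumDescriptors` is device-supplied and unvalidated at this point, which is safe inside `struct_size()` for a `__u8` count, but a short comment to that effect would save the next reader the check.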
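Review bot: the f_fs.c hunk turns an exact-length check into a lower bound. Replacing `length != sizeof(struct hid_descriptor)` is necessary because `sizeof(struct hid_descriptor)` no longer includes any `desc[]` entry once the array is flexible, and `sizeof(struct hid_descriptor) + sizeof(struct hid_class_descriptor)` restores the old one-entry size, but switching `!=` to `<` additionally accepts any longer descriptor without anyone checking that its length matches its `bNumDescriptors`. If accepting multi-entry HID descriptors from the function-fs user is the intent, say so in the commit message; otherwise derive the expected length from the descriptor's own `bNumDescriptors` and keep the `!=`.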
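Review bot: in the first f_hid.c hunk, `.desc = { { .bDescriptorType = 0, /* DYNAMIC */ .wDescriptorLength = 0, /* DYNAMIC */ } }` initialises a flexible array member in a static initialiser, which is a GCC extension allowed only for objects with static storage duration; `hidg_desc` qualifies, but since syzbot's earlier run on this thread built with clang 15 it is worth confirming the initialiser compiles warning-free there too. `.bLength = struct_size(&hidg_desc, desc, 1)` is fine as a constant expression for a literal count. The hunk also quietly fixes the old `wDescriptorLenght` typo in the comment; mentioning that in the changelog avoids a reviewer wondering whether a field name changed.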
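Review bot: in the `hidg_setup()` hunk, `*hidg_desc_copy = hidg_desc;` is a struct assignment, and a flexible array member is not part of the struct's size, so only the fixed header is copied and `desc[0]` of the copy stays as `DEFINE_FLEX(struct hid_descriptor, hidg_desc_copy, desc, bNumDescriptors, 1)` left it. The two explicit `hidg_desc_copy->desc[0].bDescriptorType` / `.wDescriptorLength` assignments that follow make the result correct, but a one-line comment saying the assignment deliberately copies the header only would stop someone later "simplifying" those two lines away. `memcpy(req->buf, hidg_desc_copy, length)` bounded by `hidg_desc_copy->bLength` matches the one-entry size the on-stack copy was declared with. The `break;` after `goto respond;` is unreachable and pre-existing; fine to drop while these lines are being touched.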
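Review bot: the hid.h hunk, `struct hid_class_descriptor desc[] __counted_by(bNumDescriptors);` in place of `desc[1]`, shrinks `sizeof(struct hid_descriptor)` from 9 to 6 bytes (the packed header is `bLength`, `bDescriptorType`, `bcdHID`, `bCountryCode`, `bNumDescriptors`), so every remaining `sizeof(struct hid_descriptor)` in the tree now means "header only". This series adjusts the one in f_fs.c and the `hidg_desc` initialiser; any other user needs the same audit before this lands, and the commit message should say the audit was done. Also, for descriptors read from a USB device `bNumDescriptors` is whatever the device sent, so the `__counted_by` bound is the device's own claim rather than a validated one; the guard that actually matters for wire data is the `bLength` check in `usbhid_parse()`, and it would help to say in the changelog that the annotation is for the kernel-side (gadget) users rather than a validation of untrusted input.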
* Re: [syzbot] [usb?] UBSAN: array-index-out-of-bounds in usbhid_parse
2025-01-30 10:20 ` Nikita Zhandarovich
@ 2025-01-30 14:14 ` syzbot
0 siblings, 0 replies; 11+ messages in thread
From: syzbot @ 2025-01-30 14:14 UTC (permalink / raw)
To: linux-kernel, n.zhandarovich, syzkaller-bugs
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
[ 61.124748][ T29] audit: type=1400 audit(1738246367.103:107): avc: denied { mounton } for pid=5824 comm="syz-executor" path="/root/syzkaller.PSkP8X/syz-tmp" dev="sda1" ino=1933 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1
[ 61.149125][ T29] audit: type=1400 audit(1738246367.103:108): avc: denied { mount } for pid=5824 comm="syz-executor" name="/" dev="tmpfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=1
[ 61.172056][ T29] audit: type=1400 audit(1738246367.103:109): avc: denied { mounton } for pid=5824 comm="syz-executor" path="/root/syzkaller.PSkP8X/syz-tmp/newroot/dev" dev="tmpfs" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmpfs_t tclass=dir permissive=1
[ 61.199012][ T29] audit: type=1400 audit(1738246367.103:110): avc: denied { mount } for pid=5824 comm="syz-executor" name="/" dev="proc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1
[ 61.220940][ T29] audit: type=1400 audit(1738246367.113:111): avc: denied { mounton } for pid=5824 comm="syz-executor" path="/root/syzkaller.PSkP8X/syz-tmp/newroot/sys/kernel/debug" dev="debugfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=dir permissive=1
[ 61.226696][ T5824] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality.
[ 61.248122][ T29] audit: type=1400 audit(1738246367.113:112): avc: denied { mounton } for pid=5824 comm="syz-executor" path="/root/syzkaller.PSkP8X/syz-tmp/newroot/proc/sys/fs/binfmt_misc" dev="proc" ino=4910 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:sysctl_fs_t tclass=dir permissive=1
[ 61.407846][ T5829] ==================================================================
[ 61.415938][ T5829] BUG: KASAN: slab-use-after-free in binder_add_device+0xa4/0xb0
[ 61.423696][ T5829] Write of size 8 at addr ffff888033ad8c08 by task syz-executor/5829
[ 61.431852][ T5829]
[ 61.434171][ T5829] CPU: 1 UID: 0 PID: 5829 Comm: syz-executor Not tainted 6.13.0-syzkaller-09485-g72deda0abee6-dirty #0
[ 61.434185][ T5829] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[ 61.434196][ T5829] Call Trace:
[ 61.434201][ T5829] <TASK>
[ 61.434206][ T5829] dump_stack_lvl+0x116/0x1f0
[ 61.434227][ T5829] print_report+0xc3/0x620
[ 61.434239][ T5829] ? __virt_addr_valid+0x5e/0x590
[ 61.434250][ T5829] ? __phys_addr+0xc6/0x150
[ 61.434261][ T5829] kasan_report+0xd9/0x110
[ 61.434271][ T5829] ? binder_add_device+0xa4/0xb0
[ 61.434284][ T5829] ? binder_add_device+0xa4/0xb0
[ 61.434296][ T5829] binder_add_device+0xa4/0xb0
[ 61.434308][ T5829] binderfs_binder_device_create.isra.0+0x95f/0xb70
[ 61.434325][ T5829] binderfs_fill_super+0x8d6/0x1360
[ 61.434341][ T5829] ? __pfx_binderfs_fill_super+0x10/0x10
[ 61.434360][ T5829] ? shrinker_register+0x1a8/0x260
[ 61.434375][ T5829] ? sget_fc+0x808/0xc20
[ 61.434390][ T5829] ? __pfx_set_anon_super_fc+0x10/0x10
[ 61.434405][ T5829] ? __pfx_binderfs_fill_super+0x10/0x10
[ 61.434418][ T5829] get_tree_nodev+0xda/0x190
[ 61.434433][ T5829] vfs_get_tree+0x8b/0x340
[ 61.434446][ T5829] path_mount+0x14e6/0x1f10
[ 61.434458][ T5829] ? kmem_cache_free+0x2e2/0x4d0
[ 61.434468][ T5829] ? __pfx_path_mount+0x10/0x10
[ 61.434479][ T5829] ? putname+0x13c/0x180
[ 61.434491][ T5829] __x64_sys_mount+0x28f/0x310
[ 61.434502][ T5829] ? __pfx___x64_sys_mount+0x10/0x10
[ 61.434514][ T5829] do_syscall_64+0xcd/0x250
[ 61.434528][ T5829] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 61.434543][ T5829] RIP: 0033:0x7f92ed5816ba
[ 61.434553][ T5829] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 61.434566][ T5829] RSP: 002b:00007f92ed86ff68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 61.434577][ T5829] RAX: ffffffffffffffda RBX: 00007f92ed5f3d49 RCX: 00007f92ed5816ba
[ 61.434584][ T5829] RDX: 00007f92ed5ff2fa RSI: 00007f92ed5f3d49 RDI: 00007f92ed5ff2fa
[ 61.434591][ T5829] RBP: 00007f92ed5f3f58 R08: 0000000000000000 R09: 0000000000000100
[ 61.434597][ T5829] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f92ed5de068
[ 61.434603][ T5829] R13: 00007f92ed5de048 R14: 0000000000000009 R15: 0000000000000000
[ 61.434612][ T5829] </TASK>
[ 61.434616][ T5829]
[ 61.662253][ T5829] Allocated by task 5824:
[ 61.666566][ T5829] kasan_save_stack+0x33/0x60
[ 61.671232][ T5829] kasan_save_track+0x14/0x30
[ 61.675901][ T5829] __kasan_kmalloc+0xaa/0xb0
[ 61.680489][ T5829] binderfs_binder_device_create.isra.0+0x17a/0xb70
[ 61.687072][ T5829] binderfs_fill_super+0x8d6/0x1360
[ 61.692351][ T5829] get_tree_nodev+0xda/0x190
[ 61.697019][ T5829] vfs_get_tree+0x8b/0x340
[ 61.701427][ T5829] path_mount+0x14e6/0x1f10
[ 61.705952][ T5829] __x64_sys_mount+0x28f/0x310
[ 61.710702][ T5829] do_syscall_64+0xcd/0x250
[ 61.715192][ T5829] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 61.721074][ T5829]
[ 61.723377][ T5829] Freed by task 5824:
[ 61.727338][ T5829] kasan_save_stack+0x33/0x60
[ 61.732087][ T5829] kasan_save_track+0x14/0x30
[ 61.736952][ T5829] kasan_save_free_info+0x3b/0x60
[ 61.741970][ T5829] __kasan_slab_free+0x51/0x70
[ 61.746718][ T5829] kfree+0x2c4/0x4d0
[ 61.750815][ T5829] binderfs_evict_inode+0x1e0/0x250
[ 61.756001][ T5829] evict+0x409/0x960
[ 61.759886][ T5829] iput+0x52a/0x890
[ 61.763678][ T5829] dentry_unlink_inode+0x29c/0x480
[ 61.768789][ T5829] __dentry_kill+0x1d0/0x600
[ 61.773365][ T5829] shrink_dentry_list+0x140/0x5d0
[ 61.778385][ T5829] shrink_dcache_parent+0xe2/0x530
[ 61.783483][ T5829] shrink_dcache_for_umount+0xa1/0x3e0
[ 61.788936][ T5829] generic_shutdown_super+0x6c/0x390
[ 61.794210][ T5829] kill_litter_super+0x70/0xa0
[ 61.798990][ T5829] binderfs_kill_super+0x3b/0xa0
[ 61.804029][ T5829] deactivate_locked_super+0xbe/0x1a0
[ 61.809396][ T5829] deactivate_super+0xde/0x100
[ 61.814448][ T5829] cleanup_mnt+0x222/0x450
[ 61.818866][ T5829] task_work_run+0x14e/0x250
[ 61.823450][ T5829] do_exit+0xad8/0x2d70
[ 61.827590][ T5829] do_group_exit+0xd3/0x2a0
[ 61.832085][ T5829] get_signal+0x24ed/0x26c0
[ 61.836576][ T5829] arch_do_signal_or_restart+0x90/0x7e0
[ 61.842192][ T5829] syscall_exit_to_user_mode+0x150/0x2a0
[ 61.847808][ T5829] do_syscall_64+0xda/0x250
[ 61.852298][ T5829] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 61.858209][ T5829]
[ 61.860544][ T5829] The buggy address belongs to the object at ffff888033ad8c00
[ 61.860544][ T5829] which belongs to the cache kmalloc-512 of size 512
[ 61.874601][ T5829] The buggy address is located 8 bytes inside of
[ 61.874601][ T5829] freed 512-byte region [ffff888033ad8c00, ffff888033ad8e00)
[ 61.888229][ T5829]
[ 61.890535][ T5829] The buggy address belongs to the physical page:
[ 61.896943][ T5829] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x33ad8
[ 61.905689][ T5829] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 61.914167][ T5829] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[ 61.921715][ T5829] page_type: f5(slab)
[ 61.925679][ T5829] raw: 00fff00000000040 ffff88801b041c80 dead000000000100 dead000000000122
[ 61.934259][ T5829] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[ 61.942830][ T5829] head: 00fff00000000040 ffff88801b041c80 dead000000000100 dead000000000122
[ 61.951499][ T5829] head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[ 61.960156][ T5829] head: 00fff00000000002 ffffea0000ceb601 ffffffffffffffff 0000000000000000
[ 61.968812][ T5829] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 61.977484][ T5829] page dumped because: kasan: bad access detected
[ 61.983891][ T5829] page_owner tracks the page as allocated
[ 61.989672][ T5829] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5204, tgid 5204 (udevd), ts 20443550863, free_ts 19532985486
[ 62.010416][ T5829] post_alloc_hook+0x181/0x1b0
[ 62.015177][ T5829] get_page_from_freelist+0xfce/0x2f80
[ 62.020624][ T5829] __alloc_frozen_pages_noprof+0x221/0x2470
[ 62.026501][ T5829] alloc_pages_mpol+0x1fc/0x540
[ 62.031336][ T5829] new_slab+0x23d/0x330
[ 62.035480][ T5829] ___slab_alloc+0xc5d/0x1720
[ 62.040177][ T5829] __slab_alloc.constprop.0+0x56/0xb0
[ 62.045542][ T5829] __kmalloc_cache_noprof+0xfa/0x410
[ 62.050830][ T5829] kernfs_fop_open+0x28b/0xdb0
[ 62.055588][ T5829] do_dentry_open+0x735/0x1c40
[ 62.060366][ T5829] vfs_open+0x82/0x3f0
[ 62.064419][ T5829] path_openat+0x1e88/0x2d80
[ 62.068988][ T5829] do_filp_open+0x20c/0x470
[ 62.073484][ T5829] do_sys_openat2+0x17a/0x1e0
[ 62.078160][ T5829] __x64_sys_openat+0x175/0x210
[ 62.082997][ T5829] do_syscall_64+0xcd/0x250
[ 62.087498][ T5829] page last free pid 5205 tgid 5205 stack trace:
[ 62.093813][ T5829] free_frozen_pages+0x6db/0xfb0
[ 62.098734][ T5829] rcu_core+0x79d/0x14d0
[ 62.102960][ T5829] handle_softirqs+0x213/0x8f0
[ 62.107713][ T5829] __irq_exit_rcu+0x109/0x170
[ 62.112387][ T5829] irq_exit_rcu+0x9/0x30
[ 62.116624][ T5829] sysvec_apic_timer_interrupt+0xa4/0xc0
[ 62.122243][ T5829] asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 62.128212][ T5829]
[ 62.130521][ T5829] Memory state around the buggy address:
[ 62.136131][ T5829] ffff888033ad8b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 62.144174][ T5829] ffff888033ad8b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 62.152216][ T5829] >ffff888033ad8c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.160266][ T5829] ^
[ 62.164578][ T5829] ffff888033ad8c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.172621][ T5829] ffff888033ad8d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.180658][ T5829] ==================================================================
[ 62.199606][ T5829] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 62.206872][ T5829] CPU: 1 UID: 0 PID: 5829 Comm: syz-executor Not tainted 6.13.0-syzkaller-09485-g72deda0abee6-dirty #0
[ 62.217884][ T5829] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[ 62.227922][ T5829] Call Trace:
[ 62.231187][ T5829] <TASK>
[ 62.234103][ T5829] dump_stack_lvl+0x3d/0x1f0
[ 62.238731][ T5829] panic+0x71d/0x800
[ 62.242615][ T5829] ? __pfx_panic+0x10/0x10
[ 62.247018][ T5829] ? irqentry_exit+0x3b/0x90
[ 62.251593][ T5829] ? lockdep_hardirqs_on+0x7c/0x110
[ 62.256789][ T5829] ? preempt_schedule_thunk+0x1a/0x30
[ 62.262169][ T5829] ? preempt_schedule_common+0x44/0xc0
[ 62.267619][ T5829] ? check_panic_on_warn+0x1f/0xb0
[ 62.272717][ T5829] check_panic_on_warn+0xab/0xb0
[ 62.277728][ T5829] end_report+0x117/0x180
[ 62.282070][ T5829] kasan_report+0xe9/0x110
[ 62.286521][ T5829] ? binder_add_device+0xa4/0xb0
[ 62.291449][ T5829] ? binder_add_device+0xa4/0xb0
[ 62.296389][ T5829] binder_add_device+0xa4/0xb0
[ 62.301141][ T5829] binderfs_binder_device_create.isra.0+0x95f/0xb70
[ 62.307722][ T5829] binderfs_fill_super+0x8d6/0x1360
[ 62.313001][ T5829] ? __pfx_binderfs_fill_super+0x10/0x10
[ 62.318631][ T5829] ? shrinker_register+0x1a8/0x260
[ 62.323733][ T5829] ? sget_fc+0x808/0xc20
[ 62.327964][ T5829] ?
__pfx_set_anon_super_fc+0x10/0x10 [ 62.333409][ T5829] ? __pfx_binderfs_fill_super+0x10/0x10 [ 62.339029][ T5829] get_tree_nodev+0xda/0x190 [ 62.343610][ T5829] vfs_get_tree+0x8b/0x340 [ 62.348123][ T5829] path_mount+0x14e6/0x1f10 [ 62.352612][ T5829] ? kmem_cache_free+0x2e2/0x4d0 [ 62.357536][ T5829] ? __pfx_path_mount+0x10/0x10 [ 62.362372][ T5829] ? putname+0x13c/0x180 [ 62.366603][ T5829] __x64_sys_mount+0x28f/0x310 [ 62.371360][ T5829] ? __pfx___x64_sys_mount+0x10/0x10 [ 62.376630][ T5829] do_syscall_64+0xcd/0x250 [ 62.381121][ T5829] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 62.387019][ T5829] RIP: 0033:0x7f92ed5816ba [ 62.391443][ T5829] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 62.411242][ T5829] RSP: 002b:00007f92ed86ff68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 [ 62.419651][ T5829] RAX: ffffffffffffffda RBX: 00007f92ed5f3d49 RCX: 00007f92ed5816ba [ 62.427605][ T5829] RDX: 00007f92ed5ff2fa RSI: 00007f92ed5f3d49 RDI: 00007f92ed5ff2fa [ 62.435561][ T5829] RBP: 00007f92ed5f3f58 R08: 0000000000000000 R09: 0000000000000100 [ 62.443515][ T5829] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f92ed5de068 [ 62.451492][ T5829] R13: 00007f92ed5de048 R14: 0000000000000009 R15: 0000000000000000 [ 62.459483][ T5829] </TASK> [ 62.462725][ T5829] Kernel Offset: disabled [ 62.467031][ T5829] Rebooting in 86400 seconds.. 
syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.22.7'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build3526199464=/tmp/go-build -gno-record-gcc-switches'

git status (err=<nil>)
HEAD detached at b50eb251af
nothing to commit, working tree clean

tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
go fmt ./sys/... >/dev/null
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=b50eb251af3b122fb1b2c574dde0c3d16f6a8cfd -X 'github.com/google/syzkaller/prog.gitRevisionDate=20241203-163055'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
 -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
 -DHOSTGOOS_linux=1 -DGIT_REVISION=\"b50eb251af3b122fb1b2c574dde0c3d16f6a8cfd\"
/usr/bin/ld: /tmp/ccVS4jTw.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking

Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=10b9a324580000

Tested on:

commit:         72deda0a Merge tag 'soundwire-6.14-rc1' of git://git.k..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
kernel config:  https://syzkaller.appspot.com/x/.config?x=d1d4677fc8e45064
dashboard link: https://syzkaller.appspot.com/bug?extid=c52569baf0c843f35495
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=10fa0b64580000
* Re: [syzbot] [usb?] UBSAN: array-index-out-of-bounds in usbhid_parse
From: Nikita Zhandarovich @ 2025-01-31 7:13 UTC
To: syzbot; +Cc: Nikita Zhandarovich, syzkaller-bugs, linux-kernel

Test if upstream is broken.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
* Re: [syzbot] [usb?] UBSAN: array-index-out-of-bounds in usbhid_parse
From: syzbot @ 2025-01-31 7:39 UTC
To: linux-kernel, n.zhandarovich, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=dir permissive=1
[   63.252248][   T29] audit: type=1400 audit(1738309108.737:112): avc:  denied  { mounton } for  pid=5825 comm="syz-executor" path="/root/syzkaller.4uglaD/syz-tmp/newroot/proc/sys/fs/binfmt_misc" dev="proc" ino=4883 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:sysctl_fs_t tclass=dir permissive=1
[   63.279716][   T29] audit: type=1400 audit(1738309108.737:113): avc:  denied  { unmount } for  pid=5825 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1
[   63.299322][   T29] audit: type=1400 audit(1738309108.757:114): avc:  denied  { mounton } for  pid=5825 comm="syz-executor" path="/dev/binderfs" dev="devtmpfs" ino=2723 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:device_t tclass=dir permissive=1
[   63.322245][   T29] audit: type=1400 audit(1738309108.757:115): avc:  denied  { mount } for  pid=5825 comm="syz-executor" name="/" dev="binder" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=filesystem permissive=1
[   63.345302][   T29] audit: type=1400 audit(1738309108.757:116): avc:  denied  { mounton } for  pid=5825 comm="syz-executor" path="/sys/fs/fuse/connections" dev="fusectl" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fusefs_t tclass=dir permissive=1
[   63.349349][ T5825] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality.
[ 63.601832][ T5830] ================================================================== [ 63.609917][ T5830] BUG: KASAN: slab-use-after-free in binder_add_device+0xa4/0xb0 [ 63.617631][ T5830] Write of size 8 at addr ffff888033fc6c08 by task syz-executor/5830 [ 63.625684][ T5830] [ 63.628098][ T5830] CPU: 0 UID: 0 PID: 5830 Comm: syz-executor Not tainted 6.13.0-syzkaller-09760-g69e858e0b8b2 #0 [ 63.628112][ T5830] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 [ 63.628121][ T5830] Call Trace: [ 63.628126][ T5830] <TASK> [ 63.628134][ T5830] dump_stack_lvl+0x116/0x1f0 [ 63.628154][ T5830] print_report+0xc3/0x620 [ 63.628166][ T5830] ? __virt_addr_valid+0x5e/0x590 [ 63.628178][ T5830] ? __phys_addr+0xc6/0x150 [ 63.628188][ T5830] kasan_report+0xd9/0x110 [ 63.628198][ T5830] ? binder_add_device+0xa4/0xb0 [ 63.628212][ T5830] ? binder_add_device+0xa4/0xb0 [ 63.628226][ T5830] binder_add_device+0xa4/0xb0 [ 63.628238][ T5830] binderfs_binder_device_create.isra.0+0x95f/0xb70 [ 63.628255][ T5830] binderfs_fill_super+0x8d6/0x1360 [ 63.628271][ T5830] ? __pfx_binderfs_fill_super+0x10/0x10 [ 63.628290][ T5830] ? shrinker_register+0x1a8/0x260 [ 63.628305][ T5830] ? sget_fc+0x808/0xc20 [ 63.628320][ T5830] ? __pfx_set_anon_super_fc+0x10/0x10 [ 63.628335][ T5830] ? __pfx_binderfs_fill_super+0x10/0x10 [ 63.628349][ T5830] get_tree_nodev+0xda/0x190 [ 63.628364][ T5830] vfs_get_tree+0x8b/0x340 [ 63.628377][ T5830] path_mount+0x14e6/0x1f10 [ 63.628389][ T5830] ? kmem_cache_free+0x2e2/0x4d0 [ 63.628399][ T5830] ? __pfx_path_mount+0x10/0x10 [ 63.628410][ T5830] ? putname+0x13c/0x180 [ 63.628423][ T5830] __x64_sys_mount+0x28f/0x310 [ 63.628434][ T5830] ? 
__pfx___x64_sys_mount+0x10/0x10 [ 63.628446][ T5830] do_syscall_64+0xcd/0x250 [ 63.628461][ T5830] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 63.628476][ T5830] RIP: 0033:0x7f5c0fd816ba [ 63.628486][ T5830] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 63.628499][ T5830] RSP: 002b:00007ffc2db5bbc8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 [ 63.628510][ T5830] RAX: ffffffffffffffda RBX: 00007f5c0fdf3d49 RCX: 00007f5c0fd816ba [ 63.628517][ T5830] RDX: 00007f5c0fdff2fa RSI: 00007f5c0fdf3d49 RDI: 00007f5c0fdff2fa [ 63.628524][ T5830] RBP: 00007f5c0fdf3f58 R08: 0000000000000000 R09: 00000000000001ff [ 63.628531][ T5830] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5c0fdde068 [ 63.628537][ T5830] R13: 00007f5c0fdde048 R14: 0000000000000009 R15: 0000000000000000 [ 63.628546][ T5830] </TASK> [ 63.628550][ T5830] [ 63.855639][ T5830] Allocated by task 5825: [ 63.859939][ T5830] kasan_save_stack+0x33/0x60 [ 63.864593][ T5830] kasan_save_track+0x14/0x30 [ 63.869241][ T5830] __kasan_kmalloc+0xaa/0xb0 [ 63.873802][ T5830] binderfs_binder_device_create.isra.0+0x17a/0xb70 [ 63.880372][ T5830] binderfs_fill_super+0x8d6/0x1360 [ 63.885551][ T5830] get_tree_nodev+0xda/0x190 [ 63.890132][ T5830] vfs_get_tree+0x8b/0x340 [ 63.894529][ T5830] path_mount+0x14e6/0x1f10 [ 63.899013][ T5830] __x64_sys_mount+0x28f/0x310 [ 63.903753][ T5830] do_syscall_64+0xcd/0x250 [ 63.908236][ T5830] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 63.914106][ T5830] [ 63.916406][ T5830] Freed by task 5825: [ 63.920358][ T5830] kasan_save_stack+0x33/0x60 [ 63.925013][ T5830] kasan_save_track+0x14/0x30 [ 63.929663][ T5830] kasan_save_free_info+0x3b/0x60 [ 63.934667][ T5830] __kasan_slab_free+0x51/0x70 [ 63.939409][ T5830] kfree+0x2c4/0x4d0 [ 63.943291][ T5830] binderfs_evict_inode+0x1e0/0x250 [ 63.948494][ T5830] evict+0x409/0x960 [ 63.952454][ 
T5830] iput+0x52a/0x890 [ 63.956240][ T5830] dentry_unlink_inode+0x29c/0x480 [ 63.961341][ T5830] __dentry_kill+0x1d0/0x600 [ 63.965923][ T5830] shrink_dentry_list+0x140/0x5d0 [ 63.970955][ T5830] shrink_dcache_parent+0xe2/0x530 [ 63.976049][ T5830] shrink_dcache_for_umount+0xa1/0x3e0 [ 63.981488][ T5830] generic_shutdown_super+0x6c/0x390 [ 63.986757][ T5830] kill_litter_super+0x70/0xa0 [ 63.991514][ T5830] binderfs_kill_super+0x3b/0xa0 [ 63.996437][ T5830] deactivate_locked_super+0xbe/0x1a0 [ 64.001818][ T5830] deactivate_super+0xde/0x100 [ 64.006607][ T5830] cleanup_mnt+0x222/0x450 [ 64.011006][ T5830] task_work_run+0x14e/0x250 [ 64.015574][ T5830] do_exit+0xad8/0x2d70 [ 64.019705][ T5830] do_group_exit+0xd3/0x2a0 [ 64.024189][ T5830] get_signal+0x24ed/0x26c0 [ 64.028671][ T5830] arch_do_signal_or_restart+0x90/0x7e0 [ 64.034189][ T5830] syscall_exit_to_user_mode+0x150/0x2a0 [ 64.039798][ T5830] do_syscall_64+0xda/0x250 [ 64.044368][ T5830] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 64.050240][ T5830] [ 64.052537][ T5830] The buggy address belongs to the object at ffff888033fc6c00 [ 64.052537][ T5830] which belongs to the cache kmalloc-512 of size 512 [ 64.066582][ T5830] The buggy address is located 8 bytes inside of [ 64.066582][ T5830] freed 512-byte region [ffff888033fc6c00, ffff888033fc6e00) [ 64.080181][ T5830] [ 64.082483][ T5830] The buggy address belongs to the physical page: [ 64.088873][ T5830] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x33fc4 [ 64.097612][ T5830] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 64.106608][ T5830] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) [ 64.114131][ T5830] page_type: f5(slab) [ 64.118088][ T5830] raw: 00fff00000000040 ffff88801b041c80 ffffea0000d64600 dead000000000002 [ 64.126660][ T5830] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 [ 64.135218][ T5830] head: 00fff00000000040 ffff88801b041c80 ffffea0000d64600 
dead000000000002 [ 64.143878][ T5830] head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 [ 64.152610][ T5830] head: 00fff00000000002 ffffea0000cff101 ffffffffffffffff 0000000000000000 [ 64.161253][ T5830] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000 [ 64.169911][ T5830] page dumped because: kasan: bad access detected [ 64.176303][ T5830] page_owner tracks the page as allocated [ 64.182001][ T5830] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5204, tgid 5204 (udevd), ts 19812150758, free_ts 19804332293 [ 64.202759][ T5830] post_alloc_hook+0x181/0x1b0 [ 64.207510][ T5830] get_page_from_freelist+0xfce/0x2f80 [ 64.212945][ T5830] __alloc_frozen_pages_noprof+0x221/0x2470 [ 64.218837][ T5830] alloc_pages_mpol+0x1fc/0x540 [ 64.223678][ T5830] new_slab+0x23d/0x330 [ 64.227813][ T5830] ___slab_alloc+0xc5d/0x1720 [ 64.232469][ T5830] __slab_alloc.constprop.0+0x56/0xb0 [ 64.237817][ T5830] __kmalloc_cache_noprof+0xfa/0x410 [ 64.243092][ T5830] kernfs_fop_open+0x28b/0xdb0 [ 64.247841][ T5830] do_dentry_open+0x735/0x1c40 [ 64.252589][ T5830] vfs_open+0x82/0x3f0 [ 64.256632][ T5830] path_openat+0x1e88/0x2d80 [ 64.261192][ T5830] do_filp_open+0x20c/0x470 [ 64.265666][ T5830] do_sys_openat2+0x17a/0x1e0 [ 64.270318][ T5830] __x64_sys_openat+0x175/0x210 [ 64.275142][ T5830] do_syscall_64+0xcd/0x250 [ 64.279635][ T5830] page last free pid 5198 tgid 5198 stack trace: [ 64.285933][ T5830] free_frozen_pages+0x6db/0xfb0 [ 64.290843][ T5830] qlist_free_all+0x4e/0x120 [ 64.295415][ T5830] kasan_quarantine_reduce+0x195/0x1e0 [ 64.300872][ T5830] __kasan_slab_alloc+0x69/0x90 [ 64.305697][ T5830] __kmalloc_node_noprof+0x1d0/0x510 [ 64.310962][ T5830] __kvmalloc_node_noprof+0xad/0x1a0 [ 64.316225][ T5830] seq_read_iter+0x82a/0x12b0 [ 64.320886][ T5830] kernfs_fop_read_iter+0x414/0x580 [ 64.326074][ T5830] vfs_read+0x886/0xbf0 [ 
64.330216][ T5830] ksys_read+0x12b/0x250 [ 64.334453][ T5830] do_syscall_64+0xcd/0x250 [ 64.338943][ T5830] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 64.344831][ T5830] [ 64.347142][ T5830] Memory state around the buggy address: [ 64.352755][ T5830] ffff888033fc6b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 64.360791][ T5830] ffff888033fc6b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 64.368826][ T5830] >ffff888033fc6c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 64.376859][ T5830] ^ [ 64.381176][ T5830] ffff888033fc6c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 64.389211][ T5830] ffff888033fc6d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 64.397245][ T5830] ================================================================== [ 64.407234][ T5830] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 64.414448][ T5830] CPU: 0 UID: 0 PID: 5830 Comm: syz-executor Not tainted 6.13.0-syzkaller-09760-g69e858e0b8b2 #0 [ 64.424947][ T5830] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 [ 64.434979][ T5830] Call Trace: [ 64.438234][ T5830] <TASK> [ 64.441141][ T5830] dump_stack_lvl+0x3d/0x1f0 [ 64.445803][ T5830] panic+0x71d/0x800 [ 64.449679][ T5830] ? __pfx_panic+0x10/0x10 [ 64.454073][ T5830] ? irqentry_exit+0x3b/0x90 [ 64.458641][ T5830] ? lockdep_hardirqs_on+0x7c/0x110 [ 64.463817][ T5830] ? preempt_schedule_thunk+0x1a/0x30 [ 64.469166][ T5830] ? preempt_schedule_common+0x44/0xc0 [ 64.474602][ T5830] ? check_panic_on_warn+0x1f/0xb0 [ 64.479709][ T5830] check_panic_on_warn+0xab/0xb0 [ 64.484639][ T5830] end_report+0x117/0x180 [ 64.488943][ T5830] kasan_report+0xe9/0x110 [ 64.493336][ T5830] ? binder_add_device+0xa4/0xb0 [ 64.498264][ T5830] ? binder_add_device+0xa4/0xb0 [ 64.503177][ T5830] binder_add_device+0xa4/0xb0 [ 64.507917][ T5830] binderfs_binder_device_create.isra.0+0x95f/0xb70 [ 64.514492][ T5830] binderfs_fill_super+0x8d6/0x1360 [ 64.519674][ T5830] ? 
__pfx_binderfs_fill_super+0x10/0x10 [ 64.525314][ T5830] ? shrinker_register+0x1a8/0x260 [ 64.530418][ T5830] ? sget_fc+0x808/0xc20 [ 64.534643][ T5830] ? __pfx_set_anon_super_fc+0x10/0x10 [ 64.540095][ T5830] ? __pfx_binderfs_fill_super+0x10/0x10 [ 64.545718][ T5830] get_tree_nodev+0xda/0x190 [ 64.550288][ T5830] vfs_get_tree+0x8b/0x340 [ 64.554683][ T5830] path_mount+0x14e6/0x1f10 [ 64.559166][ T5830] ? kmem_cache_free+0x2e2/0x4d0 [ 64.564081][ T5830] ? __pfx_path_mount+0x10/0x10 [ 64.568905][ T5830] ? putname+0x13c/0x180 [ 64.573125][ T5830] __x64_sys_mount+0x28f/0x310 [ 64.577872][ T5830] ? __pfx___x64_sys_mount+0x10/0x10 [ 64.583142][ T5830] do_syscall_64+0xcd/0x250 [ 64.587624][ T5830] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 64.593497][ T5830] RIP: 0033:0x7f5c0fd816ba [ 64.597888][ T5830] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 64.617482][ T5830] RSP: 002b:00007ffc2db5bbc8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 [ 64.625976][ T5830] RAX: ffffffffffffffda RBX: 00007f5c0fdf3d49 RCX: 00007f5c0fd816ba [ 64.633954][ T5830] RDX: 00007f5c0fdff2fa RSI: 00007f5c0fdf3d49 RDI: 00007f5c0fdff2fa [ 64.641918][ T5830] RBP: 00007f5c0fdf3f58 R08: 0000000000000000 R09: 00000000000001ff [ 64.649864][ T5830] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5c0fdde068 [ 64.657812][ T5830] R13: 00007f5c0fdde048 R14: 0000000000000009 R15: 0000000000000000 [ 64.665767][ T5830] </TASK> [ 64.668899][ T5830] Kernel Offset: disabled [ 64.673206][ T5830] Rebooting in 86400 seconds.. 
syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.22.7'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build2275386146=/tmp/go-build -gno-record-gcc-switches'

git status (err=<nil>)
HEAD detached at b50eb251af
nothing to commit, working tree clean

tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
go fmt ./sys/... >/dev/null
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=b50eb251af3b122fb1b2c574dde0c3d16f6a8cfd -X 'github.com/google/syzkaller/prog.gitRevisionDate=20241203-163055'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
 -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
 -DHOSTGOOS_linux=1 -DGIT_REVISION=\"b50eb251af3b122fb1b2c574dde0c3d16f6a8cfd\"
/usr/bin/ld: /tmp/ccVVKqYN.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking

Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=14b5e5f8580000

Tested on:

commit:         69e858e0 Merge tag 'uml-for-linus-6.14-rc1' of git://g..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
kernel config:  https://syzkaller.appspot.com/x/.config?x=d1d4677fc8e45064
dashboard link: https://syzkaller.appspot.com/bug?extid=c52569baf0c843f35495
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.
Thread overview: 11+ messages
[not found] <20231223195641.29000-1-tintinm2017@gmail.com>
2023-12-23 20:29 ` [syzbot] [usb?] UBSAN: array-index-out-of-bounds in usbhid_parse syzbot
[not found] <20231121191815.201459-1-tintinm2017@gmail.com>
2023-11-21 20:27 ` syzbot
[not found] <CAJjsb4qSx1FGaj6N0HXJp7cJEo1BQWyYgxTcXVcFNbc5bRZKxA@mail.gmail.com>
2023-11-17 14:39 ` syzbot
[not found] <20231017104539.1939-1-hdanton@sina.com>
2023-10-17 11:17 ` syzbot
2023-10-16 17:01 syzbot
2024-05-23 14:17 ` Nikita Zhandarovich
2024-05-24 1:56 ` syzbot
2025-01-30 10:20 ` Nikita Zhandarovich
2025-01-30 14:14 ` syzbot
2025-01-31 7:13 ` Nikita Zhandarovich
2025-01-31 7:39 ` syzbot