bisecting cause commit starting from 3644e2d2dda78e21edd8f5415b6d7ab03f5f54f3 building syzkaller on 04201c0669446145fd9c347c5538da0ca13ff29b testing commit 3644e2d2dda78e21edd8f5415b6d7ab03f5f54f3 with gcc (GCC) 8.1.0 kernel signature: 10da5c53c599d95cd7628c790fcdd56ce0d30f4b538ea5b74954495320dd0d37 all runs: crashed: UBSAN: shift-out-of-bounds in est_timer testing release v5.10 testing commit 2c85ebc57b3e1817b6ce1a6b703928e113a90442 with gcc (GCC) 8.1.0 kernel signature: 5890dbd4a724521c4141fab48a93c323b869b8fc76772a8d8f5dfdfb7cda23ff all runs: crashed: UBSAN: shift-out-of-bounds in est_timer testing release v5.9 testing commit bbf5c979011a099af5dc76498918ed7df445635b with gcc (GCC) 8.1.0 kernel signature: 009873c63d63503b9b24b1156022994368ad09e1de19ba741c1ffd56810f8eae all runs: crashed: UBSAN: shift-out-of-bounds in est_timer testing release v5.8 testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.1.0 kernel signature: e340a27f3e034420c52b8d9ee1bafc52040ac244d77348dbb5cfe95ddb362496 all runs: crashed: UBSAN: shift-out-of-bounds in est_timer testing release v5.7 testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 with gcc (GCC) 8.1.0 kernel signature: e1992b07555db0d1114efe7c2eb66de1cb5e1a10856de4661b21d4f748a3d240 all runs: crashed: UBSAN: shift-out-of-bounds in est_timer testing release v5.6 testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0 kernel signature: cefe7ee13cc830a1cd8cae4749437488fa8e49bd6bd6eec3ebff54502b330b8b all runs: crashed: UBSAN: undefined-behaviour in est_timer testing release v5.5 testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 with gcc (GCC) 8.1.0 kernel signature: dccf49ca5c9e1b9de402f8f2421bf4239df2d89a13622c72d99c09dce9e3002c all runs: crashed: UBSAN: undefined-behaviour in est_timer testing release v5.4 testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0 kernel signature: 446571ac676ddbed19db2579c5acf6a11ebd121ecbdb14eb2ba0512fc483634f all runs: crashed: UBSAN: undefined-behaviour in est_timer testing release v5.3 testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0 kernel signature: ce9367509403d2095107fbb279b5255973f0209cd82e00985c7d85645d08a7cc all runs: crashed: UBSAN: undefined-behaviour in est_timer testing release v5.2 testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0 kernel signature: 78b3cf7f7e7909ee1ca028c184aca224f2171991c626678f98134f3ab77c1473 all runs: OK # git bisect start 4d856f72c10ecb060868ed10ff1b1453943fc6c8 0ecfebd2b52404ae0c54a878c872bb93363ada36 Bisecting: 7848 revisions left to test after this (roughly 13 steps) [43c95d3694cc448fdf50bd53b7ff3a5bb4655883] Merge tag 'pinctrl-v5.3-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl testing commit 43c95d3694cc448fdf50bd53b7ff3a5bb4655883 with gcc (GCC) 8.1.0 kernel signature: dc2113fde0362fba17bbeb6b0d328742514c299c1e2de1bde81636d4f59d8656 all runs: OK # git bisect good 43c95d3694cc448fdf50bd53b7ff3a5bb4655883 Bisecting: 3922 revisions left to test after this (roughly 12 steps) [0e2a5b5bd9a6aaec85df347dd71432a1d2d10763] Merge branch 'parisc-5.3-2' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux testing commit 0e2a5b5bd9a6aaec85df347dd71432a1d2d10763 with gcc (GCC) 8.1.0 kernel signature: bba458972295750470cf717e39ec7689dbfa3e06e7c3a5b7311a9d561d35a680 all runs: OK # git bisect good 0e2a5b5bd9a6aaec85df347dd71432a1d2d10763 Bisecting: 1961 revisions left to test after this (roughly 11 steps) [12a6d2940b5f02b4b9f71ce098e3bb02bc24a9ea] perf record: Fix module size on s390 testing commit 12a6d2940b5f02b4b9f71ce098e3bb02bc24a9ea with gcc (GCC) 8.1.0 kernel signature: 9eee2e54fdb24591d881c98f095e2df0b6547bab8a7c307ad4a2d6b0c9361ef5 all runs: OK # git bisect good 12a6d2940b5f02b4b9f71ce098e3bb02bc24a9ea Bisecting: 984 revisions left to test after this (roughly 10 steps) [85d8d3b172eb37b23dcdbe9fa7a85e343642bfea] Merge tag 'hyperv-fixes-signed' of git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux testing commit 85d8d3b172eb37b23dcdbe9fa7a85e343642bfea with gcc (GCC) 8.1.0 kernel signature: 3278600b5b6316c60559b32cb9612f352464e1e0003152393b496236f5b07ccb all runs: OK # git bisect good 85d8d3b172eb37b23dcdbe9fa7a85e343642bfea Bisecting: 496 revisions left to test after this (roughly 9 steps) [6525771f58cbc6ab97b5cff9069865cde8283346] Merge tag 'arc-5.3-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc testing commit 6525771f58cbc6ab97b5cff9069865cde8283346 with gcc (GCC) 8.1.0 kernel signature: 45810f94449895abe08450edd09435fe5bcd84a7bc699abad88ab987456aae72 all runs: OK # git bisect good 6525771f58cbc6ab97b5cff9069865cde8283346 Bisecting: 251 revisions left to test after this (roughly 8 steps) [345464fb760d1b772e891538b498e111c588b692] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net testing commit 345464fb760d1b772e891538b498e111c588b692 with gcc (GCC) 8.1.0 kernel signature: 3530e343ac4c2440ae763281935b9c90ca0e1cdbdb284ddd551044c124704e3e all runs: OK # git bisect good 345464fb760d1b772e891538b498e111c588b692 Bisecting: 126 revisions left to test after this (roughly 7 steps) [840ce8f8073edb3ff3d2c2c7a6ef211f4176961c] Merge tag 'pinctrl-v5.3-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl testing commit 840ce8f8073edb3ff3d2c2c7a6ef211f4176961c with gcc (GCC) 8.1.0 kernel signature: cb4b5ea3b15a1aa7a593440bef5aa7c1171d27412c3c24d47958ce961c2bd2dd all runs: OK # git bisect good 840ce8f8073edb3ff3d2c2c7a6ef211f4176961c Bisecting: 63 revisions left to test after this (roughly 6 steps) [c3dc1fa72249e4472b90ecef4dbafe25f0f07889] net: hns3: fix spelling mistake "undeflow" -> "underflow" testing commit c3dc1fa72249e4472b90ecef4dbafe25f0f07889 with gcc (GCC) 8.1.0 kernel signature: aeb65d55fca54efefd764ac3f3d46d9a181c58c368762408767e0394ac642b22 all runs: OK # git bisect good c3dc1fa72249e4472b90ecef4dbafe25f0f07889 Bisecting: 30 revisions left to test after this (roughly 5 steps) [1c4c5e2528af0c803fb1171632074f4070229a75] Merge tag 'mmc-v5.3-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc testing commit 1c4c5e2528af0c803fb1171632074f4070229a75 with gcc (GCC) 8.1.0 kernel signature: 7c8b7c2e4b54818017d82a78b79fe7c5e5c8ae5ab8b88657e194a42d7e115b2d all runs: OK # git bisect good 1c4c5e2528af0c803fb1171632074f4070229a75 Bisecting: 14 revisions left to test after this (roughly 4 steps) [ae3b06ed55b1554e9a91bf959c6b0b5e212e7f4d] Merge branch 'sctp_do_bind-leak' testing commit ae3b06ed55b1554e9a91bf959c6b0b5e212e7f4d with gcc (GCC) 8.1.0 kernel signature: 651c5db6ccd8444c5cd5048d7e131f8606e998aa94992bc1ac739f1ab8c8c5b6 run #0: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor818468544" "root@10.128.10.63:./syz-executor818468544"]: exit status 1 Connection timed out during banner exchange lost connection run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good ae3b06ed55b1554e9a91bf959c6b0b5e212e7f4d Bisecting: 8 revisions left to test after this (roughly 3 steps) [a9c20bb0206ae9384bd470a6832dd8913730add9] Merge tag 'kvm-s390-master-5.3-1' of git://git.kernel.org/pub/scm/linux/kernel/git/kvms390/linux into kvm-master testing commit a9c20bb0206ae9384bd470a6832dd8913730add9 with gcc (GCC) 8.1.0 kernel signature: 332ec28fcf7002744b7f023e275bdd607bafdd98ad24af3405f20090dfcfdf30 all runs: OK # git bisect good a9c20bb0206ae9384bd470a6832dd8913730add9 Bisecting: 4 revisions left to test after this (roughly 2 steps) [b03c036e6f96340dd311817c7b964dad183c4141] Merge tag 'riscv/for-v5.3' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux testing commit b03c036e6f96340dd311817c7b964dad183c4141 with gcc (GCC) 8.1.0 kernel signature: 7efee81167a107fcf45b29d258ca689367d18a5f9adcb37585ce998bd248b1e2 all runs: OK # git bisect good b03c036e6f96340dd311817c7b964dad183c4141 Bisecting: 2 revisions left to test after this (roughly 1 step) [1f9c632cde0c3d781463a88ce430a8dd4a7c1a0e] Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost testing commit 1f9c632cde0c3d781463a88ce430a8dd4a7c1a0e with gcc (GCC) 8.1.0 kernel signature: 7b52b66daa4c6ad92178433e9e175d27956271055090769d110e53ac016eed3d run #0: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor835044671" "root@10.128.0.126:./syz-executor835044671"]: exit status 1 Connection timed out during banner exchange lost connection run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good 1f9c632cde0c3d781463a88ce430a8dd4a7c1a0e Bisecting: 0 revisions left to test after this (roughly 1 step) [72dbcf72156641fde4d8ea401e977341bfd35a05] Revert "ext4: make __ext4_get_inode_loc plug" testing commit 72dbcf72156641fde4d8ea401e977341bfd35a05 with gcc (GCC) 8.1.0 kernel signature: ac122c5872bb6146357f1abbd71cc5df5ff58d095e6c698d211579c44cc9ba58 all runs: OK # git bisect good 72dbcf72156641fde4d8ea401e977341bfd35a05 4d856f72c10ecb060868ed10ff1b1453943fc6c8 is the first bad commit commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 Author: Linus Torvalds Date: Sun Sep 15 14:19:32 2019 -0700 Linux 5.3 Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) culprit signature: ce9367509403d2095107fbb279b5255973f0209cd82e00985c7d85645d08a7cc parent signature: ac122c5872bb6146357f1abbd71cc5df5ff58d095e6c698d211579c44cc9ba58 revisions tested: 24, total time: 5h16m57.898159749s (build: 2h8m47.783508056s, test: 3h5m27.416988043s) first bad commit: 4d856f72c10ecb060868ed10ff1b1453943fc6c8 Linux 5.3 recipients (to): ["linux-kbuild@vger.kernel.org" "michal.lkml@markovi.net" "torvalds@linux-foundation.org" "yamada.masahiro@socionext.com"] recipients (cc): ["linux-kernel@vger.kernel.org"] crash: UBSAN: undefined-behaviour in est_timer ================================================================================ UBSAN: Undefined behaviour in net/core/gen_estimator.c:83:38 shift exponent -1 is negative CPU: 0 PID: 10355 Comm: syz-executor.2 Not tainted 5.3.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x86/0xca lib/dump_stack.c:113 ubsan_epilogue+0xd/0x3a lib/ubsan.c:158 __ubsan_handle_shift_out_of_bounds.cold.14+0x21/0x68 lib/ubsan.c:404 est_timer.cold.0+0x158/0x206 net/core/gen_estimator.c:83 call_timer_fn+0x169/0x5b0 kernel/time/timer.c:1322 expire_timers+0x2b9/0x420 kernel/time/timer.c:1366 __run_timers kernel/time/timer.c:1685 [inline] run_timer_softirq+0x219/0x630 kernel/time/timer.c:1698 __do_softirq+0x251/0xa63 kernel/softirq.c:292 invoke_softirq kernel/softirq.c:373 [inline] irq_exit+0x170/0x1a0 kernel/softirq.c:413 exiting_irq arch/x86/include/asm/apic.h:537 [inline] smp_apic_timer_interrupt+0x1d5/0x6a0 arch/x86/kernel/apic/apic.c:1137 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830 RIP: 0010:__read_once_size include/linux/compiler.h:199 [inline] RIP: 0010:__close_fd+0x22/0x1b0 fs/file.c:627 Code: ff eb c8 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 4c 8d b7 c0 00 00 00 41 55 41 89 f5 41 54 53 48 89 fb 4c 89 f7 e8 1e 0a 83 06 <48> 8d 7b 50 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 RSP: 0018:ffff88807d21feb8 EFLAGS: 00000296 ORIG_RAX: ffffffffffffff13 RAX: ffffffff81ae1342 RBX: ffff88809bc08000 RCX: ffffffff8151e353 RDX: 1ffff1101378101a RSI: 0000000000000004 RDI: ffff88807d21fe20 RBP: ffff88807d21fee0 R08: 0000000000000004 R09: ffffed100fa43fc4 R10: ffffed100fa43fc4 R11: 0000000000000003 R12: ffff88807d21ff58 R13: 000000000000001b R14: ffff88809bc080c0 R15: 0000000000000000 __do_sys_close fs/open.c:1185 [inline] __se_sys_close+0x3f/0x80 fs/open.c:1183 __x64_sys_close+0x2c/0x40 fs/open.c:1183 do_syscall_64+0x96/0x450 arch/x86/entry/common.c:296 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x417aa1 Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 a4 1a 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01 RSP: 002b:00007ffcadcc3670 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 000000000000001c RCX: 0000000000417aa1 RDX: fffffffffffffff7 RSI: 0000000000000081 RDI: 000000000000001b RBP: 0000000000000000 R08: 00000000011a08d0 R09: 0000000000000000 R10: 00007ffcadcc3590 R11: 0000000000000293 R12: 0000000000000001 R13: 00007ffcadcc36b0 R14: 00007ffcadcc36c0 R15: 0000000000000001 ================================================================================ ================================================================================ UBSAN: Undefined behaviour in net/core/gen_estimator.c:86:46 shift exponent -1 is negative CPU: 0 PID: 10355 Comm: syz-executor.2 Not tainted 5.3.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x86/0xca lib/dump_stack.c:113 ubsan_epilogue+0xd/0x3a lib/ubsan.c:158 __ubsan_handle_shift_out_of_bounds.cold.14+0x21/0x68 lib/ubsan.c:404 est_timer.cold.0+0x72/0x206 net/core/gen_estimator.c:86 call_timer_fn+0x169/0x5b0 kernel/time/timer.c:1322 expire_timers+0x2b9/0x420 kernel/time/timer.c:1366 __run_timers kernel/time/timer.c:1685 [inline] run_timer_softirq+0x219/0x630 kernel/time/timer.c:1698 __do_softirq+0x251/0xa63 kernel/softirq.c:292 invoke_softirq kernel/softirq.c:373 [inline] irq_exit+0x170/0x1a0 kernel/softirq.c:413 exiting_irq arch/x86/include/asm/apic.h:537 [inline] smp_apic_timer_interrupt+0x1d5/0x6a0 arch/x86/kernel/apic/apic.c:1137 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830 RIP: 0010:__read_once_size include/linux/compiler.h:199 [inline] RIP: 0010:__close_fd+0x22/0x1b0 fs/file.c:627 Code: ff eb c8 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 4c 8d b7 c0 00 00 00 41 55 41 89 f5 41 54 53 48 89 fb 4c 89 f7 e8 1e 0a 83 06 <48> 8d 7b 50 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 RSP: 0018:ffff88807d21feb8 EFLAGS: 00000296 ORIG_RAX: ffffffffffffff13 RAX: ffffffff81ae1342 RBX: ffff88809bc08000 RCX: ffffffff8151e353 RDX: 1ffff1101378101a RSI: 0000000000000004 RDI: ffff88807d21fe20 RBP: ffff88807d21fee0 R08: 0000000000000004 R09: ffffed100fa43fc4 R10: ffffed100fa43fc4 R11: 0000000000000003 R12: ffff88807d21ff58 R13: 000000000000001b R14: ffff88809bc080c0 R15: 0000000000000000 __do_sys_close fs/open.c:1185 [inline] __se_sys_close+0x3f/0x80 fs/open.c:1183 __x64_sys_close+0x2c/0x40 fs/open.c:1183 do_syscall_64+0x96/0x450 arch/x86/entry/common.c:296 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x417aa1 Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 a4 1a 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01 RSP: 002b:00007ffcadcc3670 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 000000000000001c RCX: 0000000000417aa1 RDX: fffffffffffffff7 RSI: 0000000000000081 RDI: 000000000000001b RBP: 0000000000000000 R08: 00000000011a08d0 R09: 0000000000000000 R10: 00007ffcadcc3590 R11: 0000000000000293 R12: 0000000000000001 R13: 00007ffcadcc36b0 R14: 00007ffcadcc36c0 R15: 0000000000000001 ================================================================================