bisecting cause commit starting from 5e60366d56c630e32befce7ef05c569e04391ca3
building syzkaller on 04201c0669446145fd9c347c5538da0ca13ff29b
testing commit 5e60366d56c630e32befce7ef05c569e04391ca3 with gcc (GCC) 8.1.0
kernel signature: 01825cbba90804af60ff77ae0ded5055a816f397fe535df94df4bfbd1e90d5f6
run #0: crashed: UBSAN: shift-out-of-bounds in red_adaptative_timer
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
reproducer seems to be flaky
testing release v5.10
testing commit 2c85ebc57b3e1817b6ce1a6b703928e113a90442 with gcc (GCC) 8.1.0
kernel signature: f5760b2c445d15f5ece92b856df5a49be8c93d3d22f6cda3cb5ed85afe8f4ee1
run #0: crashed: UBSAN: shift-out-of-bounds in red_adaptative_timer
run #1: crashed: UBSAN: shift-out-of-bounds in red_adaptative_timer
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
testing release v5.9
testing commit bbf5c979011a099af5dc76498918ed7df445635b with gcc (GCC) 8.1.0
kernel signature: 48a44b356059ba46606be11d05f4af2fd4977ae6064a111f191a24ab366037c1
all runs: OK
# git bisect start 2c85ebc57b3e1817b6ce1a6b703928e113a90442 bbf5c979011a099af5dc76498918ed7df445635b
Bisecting: 9594 revisions left to test after this (roughly 13 steps)
[4d0e9df5e43dba52d38b251e3b909df8fa1110be] lib, uaccess: add failure injection to usercopy functions

testing commit 4d0e9df5e43dba52d38b251e3b909df8fa1110be with gcc (GCC) 8.1.0
kernel signature: b93fd7fbbd40c632c0a34af0a126ffc0172e292a2253217913f3ddae9e4277dc
run #0: crashed: UBSAN: shift-out-of-bounds in red_adaptative_timer
run #1: crashed: UBSAN: shift-out-of-bounds in red_adaptative_timer
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 4d0e9df5e43dba52d38b251e3b909df8fa1110be
Bisecting: 3935 revisions left to test after this (roughly 12 steps)
[f888bdf9823c85fe945c4eb3ba353f749dec3856] Merge tag 'devicetree-for-5.10' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux

testing commit f888bdf9823c85fe945c4eb3ba353f749dec3856 with gcc (GCC) 8.1.0
kernel signature: 00ffdb21441b24802b89470ec784a6219ddce0f401730691ac4d38ef91d3608f
run #0: crashed: UBSAN: shift-out-of-bounds in red_adaptative_timer
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad f888bdf9823c85fe945c4eb3ba353f749dec3856
Bisecting: 1997 revisions left to test after this (roughly 11 steps)
[57218d7f2e87069f73c7a841b6ed6c1cc7acf616] Merge tag 'regmap-v5.10' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap

testing commit 57218d7f2e87069f73c7a841b6ed6c1cc7acf616 with gcc (GCC) 8.1.0
kernel signature: 75f244c0fccaacc196e4ad78f55c69cdea2bb56d126f5c422b9908fa98cc30e6
run #0: crashed: UBSAN: shift-out-of-bounds in red_adaptative_timer
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 57218d7f2e87069f73c7a841b6ed6c1cc7acf616
Bisecting: 873 revisions left to test after this (roughly 10 steps)
[39a5101f989e8d2be557136704d53990f9b402c8] Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6

testing commit 39a5101f989e8d2be557136704d53990f9b402c8 with gcc (GCC) 8.1.0
kernel signature: 97f318694eafb50562205e3a971238f58102e1e6c5e32d71cf7dd0a1fc47dd5b
run #0: crashed: UBSAN: shift-out-of-bounds in red_adaptative_timer
run #1: crashed: UBSAN: shift-out-of-bounds in red_adaptative_timer
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 39a5101f989e8d2be557136704d53990f9b402c8
Bisecting: 521 revisions left to test after this (roughly 9 steps)
[ed016af52ee3035b4799ebd7d53f9ae59d5782c4] Merge tag 'locking-core-2020-10-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

testing commit ed016af52ee3035b4799ebd7d53f9ae59d5782c4 with gcc (GCC) 8.1.0
kernel signature: 98a2bbdb85e305c0f2c07366d4be469c1e0890e89feacce5220711f8a0df535f
run #0: crashed: UBSAN: shift-out-of-bounds in red_adaptative_timer
run #1: crashed: UBSAN: shift-out-of-bounds in red_adaptative_timer
run #2: crashed: UBSAN: shift-out-of-bounds in red_adaptative_timer
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad ed016af52ee3035b4799ebd7d53f9ae59d5782c4
Bisecting: 274 revisions left to test after this (roughly 8 steps)
[f94ab231136c53ee26b1ddda76b29218018834ff] Merge tag 'x86_cleanups_for_v5.10' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

testing commit f94ab231136c53ee26b1ddda76b29218018834ff with gcc (GCC) 8.1.0
kernel signature: 5db9b780ceefe0e28807f5440e6f5e6ba7a956b787d020a0bb6c276d1fb69094
run #0: crashed: UBSAN: shift-out-of-bounds in red_adaptative_timer
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad f94ab231136c53ee26b1ddda76b29218018834ff
Bisecting: 124 revisions left to test after this (roughly 7 steps)
[baab853229ec1f291cec6a70ed61ce93159d0997] Merge branch 'for-next/mte' into for-next/core

testing commit baab853229ec1f291cec6a70ed61ce93159d0997 with gcc (GCC) 8.1.0
kernel signature: 2b35ce1aca4aa0b230fb866502423e05ef8cb05ea6099e974b4d902a32a861ef
all runs: OK
# git bisect good baab853229ec1f291cec6a70ed61ce93159d0997
Bisecting: 56 revisions left to test after this (roughly 6 steps)
[ca1b66922a702316734bcd5ea2100e5fb8f3caa3] Merge tag 'ras_updates_for_v5.10' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

testing commit ca1b66922a702316734bcd5ea2100e5fb8f3caa3 with gcc (GCC) 8.1.0
kernel signature: 8f5016d59ebe9feb551b15f560a9aaea1b57f58a1a29a1eeb8194ffbf1194afa
run #0: crashed: UBSAN: shift-out-of-bounds in red_adaptative_timer
run #1: crashed: UBSAN: shift-out-of-bounds in red_adaptative_timer
run #2: crashed: UBSAN: shift-out-of-bounds in red_adaptative_timer
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad ca1b66922a702316734bcd5ea2100e5fb8f3caa3
Bisecting: 36 revisions left to test after this (roughly 5 steps)
[af9db1d6632b726a2351426ab8f34374f6f38690] Merge tag 'm68k-for-v5.10-tag1' of git://git.kernel.org/pub/scm/linux/kernel/git/geert/linux-m68k

testing commit af9db1d6632b726a2351426ab8f34374f6f38690 with gcc (GCC) 8.1.0
kernel signature: d512be9c013b284e9afd0cfe6360d222df62adb41a143dab7aa9a697a1708294
run #0: crashed: UBSAN: shift-out-of-bounds in red_adaptative_timer
run #1: crashed: UBSAN: shift-out-of-bounds in red_adaptative_timer
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad af9db1d6632b726a2351426ab8f34374f6f38690
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[6734e20e39207556e17d72b5c4950d8f3a4f2de2] Merge tag 'arm64-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux

testing commit 6734e20e39207556e17d72b5c4950d8f3a4f2de2 with gcc (GCC) 8.1.0
kernel signature: d512be9c013b284e9afd0cfe6360d222df62adb41a143dab7aa9a697a1708294
run #0: crashed: UBSAN: shift-out-of-bounds in red_adaptative_timer
run #1: crashed: UBSAN: shift-out-of-bounds in red_adaptative_timer
run #2: crashed: UBSAN: shift-out-of-bounds in red_adaptative_timer
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 6734e20e39207556e17d72b5c4950d8f3a4f2de2
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[d433ab42fdc2c8a32e5df7d53833310f0ab9822c] arm64: random: Remove no longer needed prototypes

testing commit d433ab42fdc2c8a32e5df7d53833310f0ab9822c with gcc (GCC) 8.1.0
kernel signature: 58aed28f314e634740b07ddaf7ce332cdd2f7de3db71959fb46ef5aaff5b57ad
run #0: crashed: UBSAN: shift-out-of-bounds in red_adaptative_timer
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad d433ab42fdc2c8a32e5df7d53833310f0ab9822c
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[53ec81d232134f61806dfd93025320caa1aaf559] kselftest/arm64: Verify all different mmap MTE options

testing commit 53ec81d232134f61806dfd93025320caa1aaf559 with gcc (GCC) 8.1.0
kernel signature: 58aed28f314e634740b07ddaf7ce332cdd2f7de3db71959fb46ef5aaff5b57ad
run #0: crashed: UBSAN: shift-out-of-bounds in red_adaptative_timer
run #1: crashed: UBSAN: shift-out-of-bounds in red_adaptative_timer
run #2: crashed: UBSAN: shift-out-of-bounds in red_adaptative_timer
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 53ec81d232134f61806dfd93025320caa1aaf559
Bisecting: 1 revision left to test after this (roughly 1 step)
[f3b2a26ca78da2ef36cf76d5511e3c94baee96a1] kselftest/arm64: Verify mte tag inclusion via prctl

testing commit f3b2a26ca78da2ef36cf76d5511e3c94baee96a1 with gcc (GCC) 8.1.0
kernel signature: 58aed28f314e634740b07ddaf7ce332cdd2f7de3db71959fb46ef5aaff5b57ad
run #0: crashed: UBSAN: shift-out-of-bounds in red_adaptative_timer
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad f3b2a26ca78da2ef36cf76d5511e3c94baee96a1
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[e9b60476bea058d85f8029e6701d9476f7fdb92f] kselftest/arm64: Add utilities and a test to validate mte memory

testing commit e9b60476bea058d85f8029e6701d9476f7fdb92f with gcc (GCC) 8.1.0
kernel signature: 58aed28f314e634740b07ddaf7ce332cdd2f7de3db71959fb46ef5aaff5b57ad
run #0: crashed: UBSAN: shift-out-of-bounds in red_adaptative_timer
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad e9b60476bea058d85f8029e6701d9476f7fdb92f
e9b60476bea058d85f8029e6701d9476f7fdb92f is the first bad commit
commit e9b60476bea058d85f8029e6701d9476f7fdb92f
Author: Amit Daniel Kachhap <amit.kachhap@arm.com>
Date:   Fri Oct 2 17:26:25 2020 +0530

    kselftest/arm64: Add utilities and a test to validate mte memory
    
    This test checks that the memory tag is present after mte allocation and
    the memory is accessible with those tags. This testcase verifies all
    sync, async and none mte error reporting mode. The allocated mte buffers
    are verified for Allocated range (no error expected while accessing
    buffer), Underflow range, and Overflow range.
    
    Different test scenarios covered here are,
    * Verify that mte memory are accessible at byte/block level.
    * Force underflow and overflow to occur and check the data consistency.
    * Check to/from between tagged and untagged memory.
    * Check that initial allocated memory to have 0 tag.
    
    This change also creates the necessary infrastructure to add mte test
    cases. MTE kselftests can use the several utility functions provided here
    to add wide variety of mte test scenarios.
    
    GCC compiler need flag '-march=armv8.5-a+memtag' so those flags are
    verified before compilation.
    
    The mte testcases can be launched with kselftest framework as,
    
    make TARGETS=arm64 ARM64_SUBTARGETS=mte kselftest
    
    or compiled as,
    
    make -C tools/testing/selftests TARGETS=arm64 ARM64_SUBTARGETS=mte CC='compiler'
    
    Co-developed-by: Gabor Kertesz <gabor.kertesz@arm.com>
    Signed-off-by: Gabor Kertesz <gabor.kertesz@arm.com>
    Signed-off-by: Amit Daniel Kachhap <amit.kachhap@arm.com>
    Tested-by: Catalin Marinas <catalin.marinas@arm.com>
    Acked-by: Catalin Marinas <catalin.marinas@arm.com>
    Cc: Shuah Khan <shuah@kernel.org>
    Cc: Catalin Marinas <catalin.marinas@arm.com>
    Cc: Will Deacon <will@kernel.org>
    Link: https://lore.kernel.org/r/20201002115630.24683-2-amit.kachhap@arm.com
    Signed-off-by: Will Deacon <will@kernel.org>

 tools/testing/selftests/arm64/Makefile             |   2 +-
 tools/testing/selftests/arm64/mte/.gitignore       |   1 +
 tools/testing/selftests/arm64/mte/Makefile         |  29 ++
 .../selftests/arm64/mte/check_buffer_fill.c        | 475 +++++++++++++++++++++
 .../testing/selftests/arm64/mte/mte_common_util.c  | 341 +++++++++++++++
 .../testing/selftests/arm64/mte/mte_common_util.h  | 117 +++++
 tools/testing/selftests/arm64/mte/mte_def.h        |  60 +++
 tools/testing/selftests/arm64/mte/mte_helper.S     | 114 +++++
 8 files changed, 1138 insertions(+), 1 deletion(-)
 create mode 100644 tools/testing/selftests/arm64/mte/.gitignore
 create mode 100644 tools/testing/selftests/arm64/mte/Makefile
 create mode 100644 tools/testing/selftests/arm64/mte/check_buffer_fill.c
 create mode 100644 tools/testing/selftests/arm64/mte/mte_common_util.c
 create mode 100644 tools/testing/selftests/arm64/mte/mte_common_util.h
 create mode 100644 tools/testing/selftests/arm64/mte/mte_def.h
 create mode 100644 tools/testing/selftests/arm64/mte/mte_helper.S

parent commit f75aef392f869018f78cfedf3c320a6b3fcfda6b wasn't tested
testing commit f75aef392f869018f78cfedf3c320a6b3fcfda6b with gcc (GCC) 8.1.0
kernel signature: 58aed28f314e634740b07ddaf7ce332cdd2f7de3db71959fb46ef5aaff5b57ad
culprit signature: 58aed28f314e634740b07ddaf7ce332cdd2f7de3db71959fb46ef5aaff5b57ad
parent  signature: 58aed28f314e634740b07ddaf7ce332cdd2f7de3db71959fb46ef5aaff5b57ad
Reproducer flagged being flaky
revisions tested: 17, total time: 4h0m48.923286049s (build: 1h19m5.602779181s, test: 2h40m1.80358095s)
first bad commit: e9b60476bea058d85f8029e6701d9476f7fdb92f kselftest/arm64: Add utilities and a test to validate mte memory
recipients (to): ["amit.kachhap@arm.com" "catalin.marinas@arm.com" "gabor.kertesz@arm.com" "will@kernel.org"]
recipients (cc): []
crash: UBSAN: shift-out-of-bounds in red_adaptative_timer
neighbour: ndisc_cache: neighbor table overflow!
================================================================================
UBSAN: shift-out-of-bounds in ./include/net/red.h:310:18
shift exponent 71 is too large for 64-bit type 'long unsigned int'
CPU: 0 PID: 26 Comm: kworker/u4:2 Not tainted 5.9.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: phy15 ieee80211_iface_work
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x77/0xa0 lib/dump_stack.c:118
 ubsan_epilogue+0x5/0x40 lib/ubsan.c:148
 __ubsan_handle_shift_out_of_bounds.cold.13+0x14/0x98 lib/ubsan.c:395
 red_calc_qavg_from_idle_time include/net/red.h:310 [inline]
 red_adaptative_algo include/net/red.h:442 [inline]
 red_adaptative_timer+0x1eb/0x200 net/sched/sch_red.c:324
 call_timer_fn+0xa7/0x370 kernel/time/timer.c:1413
 expire_timers kernel/time/timer.c:1458 [inline]
 __run_timers kernel/time/timer.c:1755 [inline]
 run_timer_softirq+0x259/0x690 kernel/time/timer.c:1768
 __do_softirq+0xee/0x631 kernel/softirq.c:298
 asm_call_on_stack+0xf/0x20 arch/x86/entry/entry_64.S:706
 </IRQ>
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:22 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:48 [inline]
 do_softirq_own_stack+0x73/0x90 arch/x86/kernel/irq_64.c:77
 invoke_softirq kernel/softirq.c:393 [inline]
 __irq_exit_rcu kernel/softirq.c:423 [inline]
 irq_exit_rcu+0xc9/0xf0 kernel/softirq.c:435
 sysvec_apic_timer_interrupt+0x57/0xe0 arch/x86/kernel/apic/apic.c:1091
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:581
RIP: 0010:console_unlock+0x2f2/0x5c0 kernel/printk/printk.c:2534
Code: 00 e8 12 ba fe ff 48 c7 c6 74 e8 28 81 48 c7 c7 a0 f3 f3 84 e8 ff b9 fe ff e8 2a 2c 00 00 4d 85 ed 0f 85 b8 02 00 00 41 56 9d <48> 83 c4 18 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 8b 0d 08 0a cb 03
RSP: 0018:ffffc90000d3bca0 EFLAGS: 00000297
RAX: 00000000000a39eb RBX: 0000000000000001 RCX: 0000000000000006
RDX: 0000000000000000 RSI: ffffffff84ab720e RDI: ffffffff8495ea86
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
R10: ffff88813acd8000 R11: 0000000000000046 R12: 0000000000000057
R13: 0000000000000200 R14: 0000000000000297 R15: ffffffff870fce20
 vprintk_emit+0x1fd/0x300 kernel/printk/printk.c:2029
 printk+0x53/0x6a kernel/printk/printk.c:2078
 ieee80211_sta_find_ibss net/mac80211/ibss.c:1481 [inline]
 ieee80211_ibss_work.cold.28+0x194/0x2d3 net/mac80211/ibss.c:1707
 process_one_work+0x26a/0x650 kernel/workqueue.c:2269
 worker_thread+0x38/0x390 kernel/workqueue.c:2415
 kthread+0x148/0x170 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
================================================================================