ci2 starts bisection 2025-10-05 03:34:27.306828369 +0000 UTC m=+228948.947884387 bisecting fixing commit since 3594f306da129190de25938b823f353ef7f9e322 building syzkaller on f8f2b4da0e6eaaf0aeed6f6d613d86d599aafcd3 ensuring issue is reproducible on original commit 3594f306da129190de25938b823f353ef7f9e322 testing commit 3594f306da129190de25938b823f353ef7f9e322 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: bd928bbfb672e6aca776a1d6f7e60423d72e78f53085ac801a0bfe1a652b3207 all runs: crashed: UBSAN: shift-out-of-bounds in pcl726_attach representative crash: UBSAN: shift-out-of-bounds in pcl726_attach, types: [UBSAN] check whether we can drop unnecessary instrumentation disabling configs for [bug_or_warning kasan locking atomic_sleep hang memleak], they are not needed testing commit 3594f306da129190de25938b823f353ef7f9e322 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 45a43d0f32cd2b9624ea6479b422d6110a69f46675eb8b7257f01d5de75286e3 all runs: crashed: UBSAN: shift-out-of-bounds in pcl726_attach representative crash: UBSAN: shift-out-of-bounds in pcl726_attach, types: [UBSAN] the bug reproduces without the instrumentation disabling configs for [hang memleak bug_or_warning kasan locking atomic_sleep], they are not needed kconfig minimization: base=3829 full=7619 leaves diff=2129 split chunks (needed=false): <2129> split chunk #0 of len 2129 into 5 parts testing without sub-chunk 1/5 disabling configs for [bug_or_warning kasan locking atomic_sleep hang memleak], they are not needed testing commit 3594f306da129190de25938b823f353ef7f9e322 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 7a8395990b52ce7fc3b4d64e4cbb0176fb30f9d525c9b3d92e18323bf6ad6e2b all runs: OK false negative chance: 0.000 testing without sub-chunk 2/5 disabling configs for [bug_or_warning kasan locking atomic_sleep hang memleak], they are not needed testing commit 3594f306da129190de25938b823f353ef7f9e322 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: a82f8c94600163bc7638a045c495e483f3e75efdbb387ad63886ee7426217de1 all runs: crashed: UBSAN: shift-out-of-bounds in pcl726_attach representative crash: UBSAN: shift-out-of-bounds in pcl726_attach, types: [UBSAN] the chunk can be dropped testing without sub-chunk 3/5 disabling configs for [memleak bug_or_warning kasan locking atomic_sleep hang], they are not needed testing commit 3594f306da129190de25938b823f353ef7f9e322 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 78d963b69c102aad8646d28b673e990227e0fe970f3426a2c3fce4389d0f37cc all runs: crashed: UBSAN: shift-out-of-bounds in pcl726_attach representative crash: UBSAN: shift-out-of-bounds in pcl726_attach, types: [UBSAN] the chunk can be dropped testing without sub-chunk 4/5 disabling configs for [bug_or_warning kasan locking atomic_sleep hang memleak], they are not needed testing commit 3594f306da129190de25938b823f353ef7f9e322 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 8dc774e22fe5831487f7f684971ecab7377d43515335b401896e41f8d4da745e all runs: crashed: UBSAN: shift-out-of-bounds in pcl726_attach representative crash: UBSAN: shift-out-of-bounds in pcl726_attach, types: [UBSAN] the chunk can be dropped testing without sub-chunk 5/5 disabling configs for [bug_or_warning kasan locking atomic_sleep hang memleak], they are not needed testing commit 3594f306da129190de25938b823f353ef7f9e322 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 5c8b0ec582f8e87a17fe172d20764d14af2ad63127e4e584bd6665b58cb44586 all runs: crashed: UBSAN: shift-out-of-bounds in pcl726_attach representative crash: UBSAN: shift-out-of-bounds in pcl726_attach, types: [UBSAN] the chunk can be dropped minimized to 426 configs; suspects: [6LOWPAN 6LOWPAN_GHC_EXT_HDR_DEST 6LOWPAN_GHC_EXT_HDR_FRAG 6LOWPAN_GHC_EXT_HDR_HOP 6LOWPAN_GHC_EXT_HDR_ROUTE 6LOWPAN_GHC_ICMPV6 6LOWPAN_GHC_UDP 6LOWPAN_NHC 6LOWPAN_NHC_DEST 6LOWPAN_NHC_FRAGMENT 6LOWPAN_NHC_HOP 6LOWPAN_NHC_IPV6 6LOWPAN_NHC_MOBILITY 6LOWPAN_NHC_ROUTING 6LOWPAN_NHC_UDP 6PACK 842_COMPRESS 842_DECOMPRESS 9P_FSCACHE 9P_FS_POSIX_ACL 9P_FS_SECURITY ACORN_PARTITION ACORN_PARTITION_ADFS ACORN_PARTITION_CUMANA ACORN_PARTITION_EESOX ACORN_PARTITION_ICS ACORN_PARTITION_POWERTEC ACORN_PARTITION_RISCIX ACPI_NFIT ACPI_PLATFORM_PROFILE ADFS_FS AFFS_FS AFS_FS AFS_FSCACHE AF_KCM AF_RXRPC AF_RXRPC_IPV6 AIX_PARTITION AMD_SFH_HID AMIGA_PARTITION ANDROID_BINDERFS ANDROID_BINDER_IPC ANON_VMA_NAME APERTURE_HELPERS APPLE_MFI_FASTCHARGE AR5523 ARCH_ENABLE_THP_MIGRATION ASM_MODVERSIONS ASUS_TF103C_DOCK ASYNC_CORE ASYNC_MEMCPY ASYNC_PQ ASYNC_RAID6_RECOV ASYNC_TX_DMA ASYNC_XOR ATARI_PARTITION ATA_GENERIC ATA_OVER_ETH ATH10K ATH10K_CE ATH10K_PCI ATH10K_USB ATH11K ATH6KL ATH6KL_USB ATH9K ATH9K_AHB ATH9K_BTCOEX_SUPPORT ATH9K_CHANNEL_CONTEXT ATH9K_COMMON ATH9K_COMMON_DEBUG ATH9K_COMMON_SPECTRAL ATH9K_DEBUGFS ATH9K_DYNACK ATH9K_HTC ATH9K_HTC_DEBUGFS ATH9K_HW ATH9K_PCI ATH9K_PCOEM ATH9K_RFKILL ATH_COMMON ATM ATM_BR2684 ATM_CLIP ATM_DRIVERS ATM_LANE ATM_MPOA ATM_TCP AUXILIARY_BUS AX25 AX25_DAMA_SLAVE AX88796B_PHY BAREUDP BATMAN_ADV BATMAN_ADV_BATMAN_V BATMAN_ADV_BLA BATMAN_ADV_DAT BATMAN_ADV_MCAST BATMAN_ADV_NC BCACHE BCMA BCMA_HOST_PCI_POSSIBLE BEFS_FS BFQ_CGROUP_DEBUG BFQ_GROUP_IOSCHED BFS_FS BIG_KEYS BLK_CGROUP_RWSTAT BLK_DEBUG_FS_ZONED BLK_DEV_BSGLIB BLK_DEV_INTEGRITY BLK_DEV_INTEGRITY_T10 BLK_DEV_NBD BLK_DEV_NULL_BLK BLK_DEV_NULL_BLK_FAULT_INJECTION BLK_DEV_NVME BLK_DEV_PMEM BLK_DEV_RAM BLK_DEV_RNBD BLK_DEV_RNBD_CLIENT BLK_DEV_THROTTLING BLK_ICQ BLK_INLINE_ENCRYPTION BLK_INLINE_ENCRYPTION_FALLBACK BLK_MQ_RDMA BLK_WBT BLK_WBT_MQ BONDING BOOT_VESA_SUPPORT BPF_EVENTS BPF_JIT BPF_JIT_ALWAYS_ON BPF_JIT_DEFAULT_ON BPF_LSM BPF_PRELOAD BPF_PRELOAD_UMD BPF_SYSCALL BPQETHER BRIDGE BRIDGE_CFM BRIDGE_EBT_802_3 BRIDGE_EBT_AMONG BRIDGE_EBT_ARP BRIDGE_EBT_ARPREPLY BRIDGE_EBT_BROUTE BRIDGE_EBT_DNAT BRIDGE_EBT_IP BRIDGE_EBT_IP6 BRIDGE_EBT_LIMIT BRIDGE_EBT_LOG BRIDGE_EBT_MARK BRIDGE_EBT_MARK_T BRIDGE_EBT_NFLOG BRIDGE_EBT_PKTTYPE BRIDGE_EBT_REDIRECT BRIDGE_EBT_SNAT BRIDGE_EBT_STP BRIDGE_EBT_T_FILTER BRIDGE_EBT_T_NAT BRIDGE_EBT_VLAN BRIDGE_IGMP_SNOOPING BRIDGE_MRP BRIDGE_NF_EBTABLES BRIDGE_VLAN_FILTERING BSD_DISKLABEL BSD_PROCESS_ACCT_V3 BT BTRFS_ASSERT BTRFS_FS BTRFS_FS_POSIX_ACL BTRFS_FS_REF_VERIFY BTT BT_6LOWPAN BT_ATH3K BT_BCM BT_BNEP BT_BNEP_MC_FILTER BT_BNEP_PROTO_FILTER BT_BREDR BT_CMTP BT_HCIBCM203X BT_HCIBFUSB BT_HCIBPA10X BT_HCIBTUSB BT_HCIBTUSB_AUTOSUSPEND BT_HCIBTUSB_BCM BT_HCIBTUSB_MTK BT_HCIBTUSB_RTL BT_HCIUART BT_HCIUART_3WIRE BT_HCIUART_AG6XX BT_HCIUART_BCSP BT_HCIUART_H4 BT_HCIUART_LL BT_HCIUART_MRVL BT_HCIUART_QCA BT_HCIUART_SERDEV BT_HCIVHCI BT_HIDP BT_HS BT_INTEL BT_LE BT_LEDS BT_MSFTEXT BT_MTK BT_QCA BT_RFCOMM BT_RFCOMM_TTY BT_RTL CACHEFILES CAIF CAIF_DEBUG CAIF_DRIVERS CAIF_NETDEV CAIF_TTY CAIF_USB CAIF_VIRTIO CAN CAN_8DEV_USB CAN_BCM CAN_CALC_BITTIMING CAN_DEV CAN_EMS_USB CAN_ESD_USB CAN_ETAS_ES58X CAN_GS_USB CAN_GW CAN_IFI_CANFD CAN_ISOTP CAN_J1939 CAN_KVASER_USB CAN_MCBA_USB CAN_NETLINK CAN_PEAK_USB CAN_RAW CAN_SLCAN CAN_UCAN CAN_VCAN CAN_VXCAN CAPI_TRACE CARL9170 CARL9170_HWRNG CARL9170_LEDS CARL9170_WPC CEC_CORE CEPH_FS CEPH_FSCACHE CEPH_FS_POSIX_ACL CEPH_LIB CEPH_LIB_USE_DNS_RESOLVER CFG80211 CFG80211_CRDA_SUPPORT CFG80211_DEBUGFS CFG80211_DEFAULT_PS CFG80211_REQUIRE_SIGNED_REGDB CFG80211_USE_KERNEL_REGDB_KEYS CFG80211_WEXT CFS_BANDWIDTH CHARGER_ISP1704 CHR_DEV_ST CIFS CIFS_ALLOW_INSECURE_LEGACY CIFS_DEBUG CIFS_DFS_UPCALL CIFS_FSCACHE CIFS_POSIX CIFS_SMB_DIRECT CIFS_SWN_UPCALL CIFS_UPCALL CIFS_XATTR CLS_U32_MARK CLS_U32_PERF CMA CMA_SIZE_SEL_MBYTES CMDLINE_PARTITION COMEDI COMEDI_8254 COMEDI_8255 COMEDI_8255_PCI COMEDI_8255_SA COMEDI_ADL_PCI9118 COMEDI_ADQ12B COMEDI_AIO_AIO12_8 COMEDI_AIO_IIRO_16 COMEDI_AMPLC_DIO200 COMEDI_AMPLC_DIO200_ISA COMEDI_AMPLC_PC236 COMEDI_AMPLC_PC236_ISA COMEDI_AMPLC_PC263_ISA COMEDI_BOND COMEDI_C6XDIGIO COMEDI_DAC02 COMEDI_DAS08 COMEDI_DAS08_ISA COMEDI_DAS16M1 COMEDI_DAS1800 COMEDI_DAS6402 COMEDI_DAS800 COMEDI_DMM32AT COMEDI_DT2801 COMEDI_DT2811 COMEDI_DT2814 COMEDI_DT2815 COMEDI_DT2817 COMEDI_DT282X COMEDI_DT9812 COMEDI_FL512 COMEDI_ISADMA COMEDI_ISA_DRIVERS COMEDI_KCOMEDILIB COMEDI_MISC_DRIVERS COMEDI_MPC624 COMEDI_MULTIQ3 COMEDI_NI_ATMIO16D COMEDI_NI_AT_A2150 COMEDI_NI_AT_AO COMEDI_NI_DAQ_700_CS COMEDI_NI_LABPC COMEDI_NI_LABPC_CS COMEDI_NI_LABPC_ISA COMEDI_NI_LABPC_ISADMA COMEDI_NI_LABPC_PCI COMEDI_NI_USB6501 COMEDI_PARPORT COMEDI_PCI_DRIVERS COMEDI_PCL711 COMEDI_PCL724 COMEDI_PCL726 COMEDI_PCL730 COMEDI_PCL812 COMEDI_PCL816 COMEDI_PCL818 COMEDI_PCM3724 COMEDI_PCMAD COMEDI_PCMCIA_DRIVERS COMEDI_PCMDA12 COMEDI_PCMMIO COMEDI_PCMUIO COMEDI_RTI800 COMEDI_RTI802 COMEDI_S526 COMEDI_TEST COMEDI_USBDUX COMEDI_USBDUXFAST COMEDI_USBDUXSIGMA COMEDI_USB_DRIVERS COMEDI_VMK80XX COMPAT_NETLINK_MESSAGES COUNTER CRAMFS CRAMFS_BLOCKDEV CRAMFS_MTD CRC4 CRC64 CRC64_ROCKSOFT CRC7 CRC8 CRC_ITU_T CRC_T10DIF CRYPTO_ADIANTUM CRYPTO_AEGIS128 CRYPTO_AEGIS128_AESNI_SSE2 CRYPTO_AES_NI_INTEL CRYPTO_AES_TI CRYPTO_ANSI_CPRNG CRYPTO_ANUBIS CRYPTO_ARC4 CRYPTO_ARCH_HAVE_LIB_BLAKE2S CRYPTO_ARCH_HAVE_LIB_CHACHA CRYPTO_ARCH_HAVE_LIB_CURVE25519 CRYPTO_ARCH_HAVE_LIB_POLY1305 CRYPTO_ARIA CRYPTO_ARIA_AESNI_AVX_X86_64 CRYPTO_BLAKE2B CRYPTO_BLAKE2S_X86 CRYPTO_BLOWFISH CRYPTO_BLOWFISH_COMMON CRYPTO_BLOWFISH_X86_64 CRYPTO_CAMELLIA CRYPTO_CAMELLIA_AESNI_AVX2_X86_64 CRYPTO_CAMELLIA_AESNI_AVX_X86_64 CRYPTO_CAMELLIA_X86_64 CRYPTO_CAST5 CRYPTO_CAST5_AVX_X86_64 CRYPTO_CAST6 CRYPTO_CAST6_AVX_X86_64 CRYPTO_CAST_COMMON CRYPTO_CHACHA20 CRYPTO_CHACHA20POLY1305 CRYPTO_CHACHA20_X86_64 CRYPTO_CRC32 CRYPTO_CRC32C_INTEL CRYPTO_CRC32_PCLMUL CRYPTO_CRC64_ROCKSOFT CRYPTO_CRCT10DIF CRYPTO_CRCT10DIF_PCLMUL CRYPTO_CRYPTD CRYPTO_CTS CRYPTO_CURVE25519 CRYPTO_CURVE25519_X86 CRYPTO_DEFLATE CRYPTO_DES CRYPTO_DES3_EDE_X86_64 CRYPTO_DEV_CCP CRYPTO_DEV_CCP_DD CRYPTO_DEV_PADLOCK CRYPTO_DEV_PADLOCK_AES CRYPTO_DEV_PADLOCK_SHA CRYPTO_DEV_QAT CRYPTO_DEV_QAT_C3XXX CRYPTO_DEV_QAT_C3XXXVF CRYPTO_DEV_QAT_C62X CRYPTO_DEV_QAT_C62XVF CRYPTO_DEV_QAT_DH895xCC CRYPTO_DEV_QAT_DH895xCCVF CRYPTO_DEV_VIRTIO CRYPTO_DH CRYPTO_DRBG_CTR CRYPTO_DRBG_HASH CRYPTO_ECB CRYPTO_ECC CRYPTO_ECDH CRYPTO_ECRDSA CRYPTO_ENGINE CRYPTO_ESSIV CRYPTO_FCRYPT CRYPTO_GHASH_CLMUL_NI_INTEL CRYPTO_HCTR2 CRYPTO_KDF800108_CTR CRYPTO_KEYWRAP CRYPTO_KHAZAD CRYPTO_KPP CRYPTO_LIB_ARC4 CRYPTO_LIB_CHACHA CRYPTO_LIB_CHACHA20POLY1305 CRYPTO_LIB_CHACHA_GENERIC CRYPTO_LIB_CURVE25519 CRYPTO_LIB_CURVE25519_GENERIC CRYPTO_LIB_DES CRYPTO_LIB_POLY1305 CRYPTO_LIB_POLY1305_GENERIC CRYPTO_LRW CRYPTO_MICHAEL_MIC CRYPTO_NHPOLY1305 CRYPTO_NHPOLY1305_AVX2 CRYPTO_NHPOLY1305_SSE2 CRYPTO_PCBC CRYPTO_PCRYPT CRYPTO_POLY1305 CRYPTO_POLY1305_X86_64 CRYPTO_POLYVAL CRYPTO_POLYVAL_CLMUL_NI CRYPTO_RMD160 CRYPTO_SEED CRYPTO_SERPENT CRYPTO_SERPENT_AVX2_X86_64 CRYPTO_SERPENT_AVX_X86_64 CRYPTO_SERPENT_SSE2_X86_64 CRYPTO_SHA1_SSSE3 CRYPTO_SHA256_SSSE3 CRYPTO_SHA3 CRYPTO_SHA512_SSSE3 CRYPTO_SIMD CRYPTO_SM2 CRYPTO_SM3 CRYPTO_SM3_AVX_X86_64 CRYPTO_SM4 CRYPTO_SM4_AESNI_AVX2_X86_64 CRYPTO_SM4_AESNI_AVX_X86_64 CRYPTO_SM4_GENERIC CRYPTO_STREEBOG CRYPTO_TEA CRYPTO_TWOFISH CRYPTO_TWOFISH_AVX_X86_64 CRYPTO_TWOFISH_COMMON CRYPTO_TWOFISH_X86_64 CRYPTO_TWOFISH_X86_64_3WAY CRYPTO_USER CRYPTO_USER_API CRYPTO_USER_API_AEAD CRYPTO_USER_API_ENABLE_OBSOLETE CRYPTO_USER_API_HASH CRYPTO_USER_API_RNG CRYPTO_USER_API_SKCIPHER CRYPTO_VMAC CRYPTO_WP512 CRYPTO_XCBC CRYPTO_XCTR CRYPTO_XTS CRYPTO_XXHASH CUSE CYPRESS_FIRMWARE DAMON DAMON_DBGFS DAMON_PADDR DAMON_RECLAIM DAMON_VADDR DCA DCB DEFAULT_PFIFO_FAST DEVICE_MIGRATION DMA_CMA FSCACHE FUSE_FS GPIOLIB HAMRADIO INFINIBAND INFINIBAND_ADDR_TRANS INFINIBAND_RTRS_CLIENT IOSCHED_BFQ ISDN ISDN_CAPI LIBNVDIMM MAC80211 MAC80211_LEDS MEDIA_SUPPORT MTD NET_CLS_U32 NET_SCH_DEFAULT PARTITION_ADVANCED PCCARD PCMCIA RFKILL SERIAL_DEV_BUS TLS TLS_DEVICE USB_GADGET USB_PHY VLAN_8021Q WANT_COMPAT_NETLINK_MESSAGES WEXT_CORE WIRELESS WIRELESS_EXT WLAN WLAN_VENDOR_ATH] disabling configs for [memleak bug_or_warning kasan locking atomic_sleep hang], they are not needed testing current HEAD 882efbdd9d34ebaf03da2dd0246f07f251b0aed2 testing commit 882efbdd9d34ebaf03da2dd0246f07f251b0aed2 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 1986efeeb119112954960ab551506686c780e82496b46a56d50307ee15feefa3 all runs: OK false negative chance: 0.000 # git bisect start 882efbdd9d34ebaf03da2dd0246f07f251b0aed2 3594f306da129190de25938b823f353ef7f9e322 Bisecting: 555 revisions left to test after this (roughly 9 steps) [945994f5977352646f1ace300de70055957ef6bb] pwm: mediatek: Fix duty and period setting determine whether the revision contains the guilty commit revision 3594f306da129190de25938b823f353ef7f9e322 crashed and is reachable testing commit 945994f5977352646f1ace300de70055957ef6bb gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 1b7d2db8462ea5753bae709378352560b2d8d9a26a5e6cf960a1481fe7f64033 all runs: crashed: UBSAN: shift-out-of-bounds in pcl726_attach representative crash: UBSAN: shift-out-of-bounds in pcl726_attach, types: [UBSAN] # git bisect good 945994f5977352646f1ace300de70055957ef6bb Bisecting: 277 revisions left to test after this (roughly 8 steps) [eceb44e1f94bd641b2a4e8c09b64c797c4eabc15] mm: move page table sync declarations to linux/pgtable.h determine whether the revision contains the guilty commit revision 945994f5977352646f1ace300de70055957ef6bb crashed and is reachable testing commit eceb44e1f94bd641b2a4e8c09b64c797c4eabc15 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 0f82edff2ab22cb72a6151ca26f9241fdcb8409c7fed85f6cc50b31786d3e2c8 all runs: OK false negative chance: 0.000 # git bisect bad eceb44e1f94bd641b2a4e8c09b64c797c4eabc15 Bisecting: 138 revisions left to test after this (roughly 7 steps) [434b22dea528b7cdbc5971813ad9f0996ee436a3] mm/memory-failure: fix infinite UCE for VM_PFNMAP pfn determine whether the revision contains the guilty commit revision 3594f306da129190de25938b823f353ef7f9e322 crashed and is reachable testing commit 434b22dea528b7cdbc5971813ad9f0996ee436a3 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 8c96478e6078c0dfac92ba28139a56d724fceb274b8f11ae167c1793ee136f1c all runs: OK false negative chance: 0.000 # git bisect bad 434b22dea528b7cdbc5971813ad9f0996ee436a3 Bisecting: 69 revisions left to test after this (roughly 6 steps) [f9fda2a88bd924704c8e3e807d6285022e55177b] usb: musb: omap2430: fix device leak at unbind determine whether the revision contains the guilty commit revision 945994f5977352646f1ace300de70055957ef6bb crashed and is reachable testing commit f9fda2a88bd924704c8e3e807d6285022e55177b gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: f8b4cc13ae8d7edb91608c8d07ed0fbba74315d785b3e4488d2e19e940dd7815 all runs: crashed: UBSAN: shift-out-of-bounds in pcl726_attach representative crash: UBSAN: shift-out-of-bounds in pcl726_attach, types: [UBSAN] # git bisect good f9fda2a88bd924704c8e3e807d6285022e55177b Bisecting: 34 revisions left to test after this (roughly 5 steps) [524e90e58a267dad11e23351d9e4b1f941490976] smb: server: split ksmbd_rdma_stop_listening() out of ksmbd_rdma_destroy() determine whether the revision contains the guilty commit revision 945994f5977352646f1ace300de70055957ef6bb crashed and is reachable testing commit 524e90e58a267dad11e23351d9e4b1f941490976 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 85198eabd8d4a82136ec5a4e7ea4763f49352c0e55406401970e0127a6abe356 all runs: crashed: UBSAN: shift-out-of-bounds in pcl726_attach representative crash: UBSAN: shift-out-of-bounds in pcl726_attach, types: [UBSAN] # git bisect good 524e90e58a267dad11e23351d9e4b1f941490976 Bisecting: 17 revisions left to test after this (roughly 4 steps) [b5e5b6c5f8facf85ad4c8280215a2c9fb6bda6b7] usb: dwc3: Ignore late xferNotReady event to prevent halt timeout determine whether the revision contains the guilty commit revision f9fda2a88bd924704c8e3e807d6285022e55177b crashed and is reachable testing commit b5e5b6c5f8facf85ad4c8280215a2c9fb6bda6b7 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: f132d125fcf70997f272e22cc15783a1c3c33588d0a8b5400bd41016f832fa53 all runs: OK false negative chance: 0.000 # git bisect bad b5e5b6c5f8facf85ad4c8280215a2c9fb6bda6b7 Bisecting: 8 revisions left to test after this (roughly 3 steps) [7065d0c685caea366ba2fb309b7ee0596687bdc4] usb: quirks: Add DELAY_INIT quick for another SanDisk 3.2Gen1 Flash Drive determine whether the revision contains the guilty commit revision 945994f5977352646f1ace300de70055957ef6bb crashed and is reachable testing commit 7065d0c685caea366ba2fb309b7ee0596687bdc4 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 69973efeb88db7bff4bdf7a498531ae3863b9b9dad80c614a734bdc9514b5861 all runs: crashed: UBSAN: shift-out-of-bounds in pcl726_attach representative crash: UBSAN: shift-out-of-bounds in pcl726_attach, types: [UBSAN] # git bisect good 7065d0c685caea366ba2fb309b7ee0596687bdc4 Bisecting: 4 revisions left to test after this (roughly 2 steps) [d7277e69a70bf832ebc5be9036ae62895b319d18] usb: core: hcd: fix accessing unmapped memory in SINGLE_STEP_SET_FEATURE test determine whether the revision contains the guilty commit revision 3594f306da129190de25938b823f353ef7f9e322 crashed and is reachable testing commit d7277e69a70bf832ebc5be9036ae62895b319d18 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 8e2543771050c1389951bbc4cf92300a2c1021ebe8fa8d8c8d9db0350f85085f all runs: OK false negative chance: 0.000 # git bisect bad d7277e69a70bf832ebc5be9036ae62895b319d18 Bisecting: 1 revision left to test after this (roughly 1 step) [5a33d07c94ba91306093e823112a7aa9727549f6] comedi: pcl726: Prevent invalid irq number determine whether the revision contains the guilty commit revision 945994f5977352646f1ace300de70055957ef6bb crashed and is reachable testing commit 5a33d07c94ba91306093e823112a7aa9727549f6 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 8907d04d0d57c8c197f6169f3ed3107a56556886972bde6271b4c37be253e249 all runs: OK false negative chance: 0.000 # git bisect bad 5a33d07c94ba91306093e823112a7aa9727549f6 Bisecting: 0 revisions left to test after this (roughly 0 steps) [ae8bc1f07bcb31b8636420e03d1f9c3df6219a2b] comedi: Make insn_rw_emulate_bits() do insn->n samples determine whether the revision contains the guilty commit revision 7065d0c685caea366ba2fb309b7ee0596687bdc4 crashed and is reachable testing commit ae8bc1f07bcb31b8636420e03d1f9c3df6219a2b gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: c164ec4a6f784dd26f52e9585b3fea283a9aed833cd9796234bd6d0d5b427b1e all runs: crashed: UBSAN: shift-out-of-bounds in pcl726_attach representative crash: UBSAN: shift-out-of-bounds in pcl726_attach, types: [UBSAN] # git bisect good ae8bc1f07bcb31b8636420e03d1f9c3df6219a2b 5a33d07c94ba91306093e823112a7aa9727549f6 is the first bad commit commit 5a33d07c94ba91306093e823112a7aa9727549f6 Author: Edward Adam Davis Date: Mon Jul 7 20:39:58 2025 +0800 comedi: pcl726: Prevent invalid irq number commit 96cb948408b3adb69df7e451ba7da9d21f814d00 upstream. The reproducer passed in an irq number(0x80008000) that was too large, which triggered the oob. Added an interrupt number check to prevent users from passing in an irq number that was too large. If `it->options[1]` is 31, then `1 << it->options[1]` is still invalid because it shifts a 1-bit into the sign bit (which is UB in C). Possible solutions include reducing the upper bound on the `it->options[1]` value to 30 or lower, or using `1U << it->options[1]`. The old code would just not attempt to request the IRQ if the `options[1]` value were invalid. And it would still configure the device without interrupts even if the call to `request_irq` returned an error. So it would be better to combine this test with the test below. Fixes: fff46207245c ("staging: comedi: pcl726: enable the interrupt support code") Cc: stable # 5.13+ Reported-by: syzbot+5cd373521edd68bebcb3@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=5cd373521edd68bebcb3 Tested-by: syzbot+5cd373521edd68bebcb3@syzkaller.appspotmail.com Signed-off-by: Edward Adam Davis Reviewed-by: Ian Abbott Link: https://lore.kernel.org/r/tencent_3C66983CC1369E962436264A50759176BF09@qq.com Signed-off-by: Greg Kroah-Hartman drivers/comedi/drivers/pcl726.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) accumulated error probability: 0.00 culprit signature: 8907d04d0d57c8c197f6169f3ed3107a56556886972bde6271b4c37be253e249 parent signature: c164ec4a6f784dd26f52e9585b3fea283a9aed833cd9796234bd6d0d5b427b1e revisions tested: 18, total time: 4h36m27.734062297s (build: 1h56m32.41667184s, test: 1h59m26.47335558s) first good commit: 5a33d07c94ba91306093e823112a7aa9727549f6 comedi: pcl726: Prevent invalid irq number recipients (to): ["abbotti@mev.co.uk" "eadavis@qq.com" "gregkh@linuxfoundation.org" "syzbot+5cd373521edd68bebcb3@syzkaller.appspotmail.com"] recipients (cc): []