ci starts bisection 2023-12-17 16:42:41.727352656 +0000 UTC m=+333291.077039233
bisecting cause commit starting from b1dfc0f76231bbf395c59d20a2070684620d5d0f
building syzkaller on 3222d10cbe77bbedb5a7c455e5bcb6b7081a63b7
ensuring issue is reproducible on original commit b1dfc0f76231bbf395c59d20a2070684620d5d0f
testing commit b1dfc0f76231bbf395c59d20a2070684620d5d0f gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5f8a779a8940a556325a42467c4bd4f3afc52246c6eb1ea748deb732dcd50ec3
all runs: crashed: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals
representative crash: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals, types: [UBSAN]
check whether we can drop unnecessary instrumentation
disabling configs for [LEAK BUG KASAN LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit b1dfc0f76231bbf395c59d20a2070684620d5d0f gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 872e36e52275a256918464326b51f105000ea66ea76e7ceebfd085e2adfb4185
all runs: crashed: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals
representative crash: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals, types: [UBSAN]
the bug reproduces without the instrumentation
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK BUG], they are not needed
kconfig minimization: base=3923 full=7659 leaves diff=2005
split chunks (needed=false): <2005>
split chunk #0 of len 2005 into 5 parts
testing without sub-chunk 1/5
disabling configs for [HANG LEAK BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit b1dfc0f76231bbf395c59d20a2070684620d5d0f gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3c58327010f61431943f6121fda1caf4fdbbfe3f56dd74c3ee89330cdd58d217
all runs: crashed: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals
representative crash: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals, types: [UBSAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit b1dfc0f76231bbf395c59d20a2070684620d5d0f gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d34431522d920531c7fdff65cd5bae47ff2f241d6d16711bc8217c899d3e2e48
all runs: crashed: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals
representative crash: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals, types: [UBSAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK BUG], they are not needed
testing commit b1dfc0f76231bbf395c59d20a2070684620d5d0f gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 270561cbfff0c8cbb2f37a8815f4dee0815f0ff344cb3a0717b973d265ab4adb
all runs: crashed: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals
representative crash: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals, types: [UBSAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [LEAK BUG KASAN LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit b1dfc0f76231bbf395c59d20a2070684620d5d0f gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f6da5a035b3906426b8c06f8ba965490ce86b6cdf565d5035f4f3696e60f4dbb
all runs: crashed: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals
representative crash: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals, types: [UBSAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [LEAK BUG KASAN LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit b1dfc0f76231bbf395c59d20a2070684620d5d0f gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 66de459fdfe867c93036c381256b209924ca40228136ed9e85a7d9d9fda36e15
all runs: OK
false negative chance: 0.000
minimized
to 401 configs
disabling configs for [HANG LEAK BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
picked [v6.6 v6.5 v6.4 v6.2 v6.0 v5.18 v5.16 v5.14 v5.11 v5.8 v5.5 v5.2 v4.20 v4.19] out of 29 release tags
testing release v6.6
testing commit ffc253263a1375a65fa6c9f62a893e9767fbebfa gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature:
9b99f8b52c3a5a34f68a06c18b6a7bd39dfc3a25a15e48f63dda7619bc8791e0
all runs: crashed: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals
representative crash: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals, types: [UBSAN]
testing release v6.5
testing commit 2dde18cd1d8fac735875f2e4987f11817cc0bc2c gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 1f0b9af692db7ea326c3a312283836117e5a5c8b90b0f0cb451f35b686b84d04
all runs: crashed: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals
representative crash: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals, types: [UBSAN]
testing release v6.4
testing commit 6995e2de6891c724bfeb2db33d7b87775f913ad1 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3ac113503beef9adf57792e2ee512765523c7214c8240ff40b106bfe9e5cf760
all runs: crashed: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals
representative crash: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals, types: [UBSAN]
testing release v6.2
testing commit c9c3395d5e3dcc6daee66c6908354d47bf98cb0c gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 44ab7922964e30388532b0e855c078c6d4e3b540ffcc42690366894d4706b2bc
all runs: crashed: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals
representative crash: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals, types: [UBSAN]
testing release v6.0
testing commit 4fe89d07dcc2804c8b562f6c7896a45643d34b2f gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f8e1dcd9397370b8a050ea3c85c46c038fbdfdd83f3c6ff8e353c1b6c6be3f22
all runs: OK
false negative chance: 0.000
# git bisect start c9c3395d5e3dcc6daee66c6908354d47bf98cb0c 4fe89d07dcc2804c8b562f6c7896a45643d34b2f
Bisecting: 16118 revisions left to test after this (roughly 14 steps)
[fe8f5b2f7bec504021b395d24f7efca415d21e2b] Merge tag 'amd-drm-fixes-6.2-2022-12-21' of https://gitlab.freedesktop.org/agd5f/linux into drm-next
testing commit fe8f5b2f7bec504021b395d24f7efca415d21e2b gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 40d89e309bb58a45abadba17a74208e948fa8e845bbe21f949b0caa619cc2fc5
all runs: OK
false negative chance: 0.000
# git bisect good fe8f5b2f7bec504021b395d24f7efca415d21e2b
Bisecting: 7173 revisions left to test after this (roughly 13 steps)
[7e68dd7d07a28faa2e6574dd6b9dbd90cdeaae91] Merge tag 'net-next-6.2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
testing commit 7e68dd7d07a28faa2e6574dd6b9dbd90cdeaae91 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 893680faf238120b6eba71dadd78e8f8bbbf89753b64055af6184515d4b08dd4
all runs: crashed: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals
representative crash: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals, types: [UBSAN]
# git bisect bad 7e68dd7d07a28faa2e6574dd6b9dbd90cdeaae91
Bisecting: 4534 revisions left to test after this (roughly 12 steps)
[8715c6d3100fc7c6edddf29af4a399a1c12d028c] Merge tag 'for-6.2/dm-changes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm
testing commit 8715c6d3100fc7c6edddf29af4a399a1c12d028c gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c898b91692eddd43b2cc4832449b25f5f3553f31e603acb0c639babd4538bd9d
all runs: OK
false negative chance: 0.000
# git bisect good 8715c6d3100fc7c6edddf29af4a399a1c12d028c
Bisecting: 2279 revisions left to test after this (roughly 11 steps)
[3ef3ace4e2ecf4aa4c8ddff1d35683671a09b05e] Merge tag 'x86_cpu_for_v6.2' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit 3ef3ace4e2ecf4aa4c8ddff1d35683671a09b05e gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: cf8c98a492d5953c78432fa9b1aee644799bc1cdf76a493ddac852fe41d41d6a
all runs: OK
false negative chance: 0.000
# git bisect good 3ef3ace4e2ecf4aa4c8ddff1d35683671a09b05e
Bisecting: 1139 revisions left to test after this (roughly 10 steps)
[6830604ec0c73ff8ecafb48046db7332210e58fd] dt-bindings: describe the support of "clock-frequency" in mdio
testing commit 6830604ec0c73ff8ecafb48046db7332210e58fd gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c67567f1ce4117e714258bf5344a7c952a56ae70093a8d3973db3f242b4e5933
all runs: crashed: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals
representative crash: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals, types: [UBSAN]
# git bisect bad 6830604ec0c73ff8ecafb48046db7332210e58fd
Bisecting: 569 revisions left to test after this (roughly 9 steps)
[0884aaf37afaac69dd31cb501b67635569483bb3] Merge branch 'bridge-add-mac-authentication-bypass-mab-support'
testing commit 0884aaf37afaac69dd31cb501b67635569483bb3 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ed1cafa85f1ce5cd464a29370dc7a4147eb24063836520da7c1d10cf99dc9685
all runs: OK
false negative chance: 0.000
# git bisect good 0884aaf37afaac69dd31cb501b67635569483bb3
Bisecting: 278 revisions left to test after this (roughly 8 steps)
[f4c4ca70dedc1bce8e7b1648e652aa9be1d3fcd7] Merge tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next
testing commit f4c4ca70dedc1bce8e7b1648e652aa9be1d3fcd7 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 588915799820eab58fa09731cc0087ee1dc2c38f2bd8503995288775cc492eb7
all runs: crashed: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals
representative crash: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals, types: [UBSAN]
# git bisect bad f4c4ca70dedc1bce8e7b1648e652aa9be1d3fcd7
Bisecting: 142 revisions left to test after this (roughly 7 steps)
[3ca6c3b43c72a5fd0399d9ee1c7e5af978895ff1] Merge tag 'rxrpc-next-20221108' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs
testing commit 3ca6c3b43c72a5fd0399d9ee1c7e5af978895ff1 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b2bc5c92af7830029edf337e064887f62d435b3aca7c8ff31de5a64be8e2964b
all runs: OK
false negative chance: 0.000
# git bisect good 3ca6c3b43c72a5fd0399d9ee1c7e5af978895ff1
Bisecting: 71 revisions left to test after this (roughly 6 steps)
[6c646de3f9e967f5f6992ee3613e003b57ef09fc] Merge branch 'lan966x-xdp'
testing commit 6c646de3f9e967f5f6992ee3613e003b57ef09fc gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b547af39c36d85ab79dd75e96b69023f9c5a05b6ac6a255fba630f821e3f3a1c
all runs: OK
false negative chance: 0.000
# git bisect good 6c646de3f9e967f5f6992ee3613e003b57ef09fc
Bisecting: 35 revisions left to test after this (roughly 5 steps)
[c302378bc157f6a73b6cae4ca67f5f6aa931dcec] libbpf: Hashmap interface update to allow both long and void* keys/values
testing commit c302378bc157f6a73b6cae4ca67f5f6aa931dcec gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 54152b5ecf492dbb536216188c622333b9ead45bfd9c5fa4005bae53128c2584
all runs: crashed: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals
representative crash: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals, types: [UBSAN]
# git bisect bad c302378bc157f6a73b6cae4ca67f5f6aa931dcec
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[af085f55329ca72c8c6f78a11f352ef7a7a4d1d7] Merge branch 'veristat: replay, filtering, sorting'
testing commit af085f55329ca72c8c6f78a11f352ef7a7a4d1d7 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4b5951bba01262d06615180f6498bb97175dbda4f816fea8ee67b08a6596e638
all runs: OK
false negative chance: 0.000
# git bisect good af085f55329ca72c8c6f78a11f352ef7a7a4d1d7
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[07d90c72efbef9767042b1b110420b9a41b6b978] Merge branch 'BPF verifier precision tracking improvements'
testing commit 07d90c72efbef9767042b1b110420b9a41b6b978 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ae05fae03eebca97ca6b3212cd9607d3f988fb77d707cefedd8c7606c9c7a421
all runs: crashed: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals
representative crash: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals, types: [UBSAN]
# git bisect bad 07d90c72efbef9767042b1b110420b9a41b6b978
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[529409ea92d590659be487ba0839710329bd8074] bpf: propagate precision across all frames, not just the last one
testing commit 529409ea92d590659be487ba0839710329bd8074 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 34552449ee7fd19cd3c367299f9bacec19d46c906a7c9e2d8e9dff999d1cfdba
all runs: OK
false negative chance: 0.000
# git bisect good 529409ea92d590659be487ba0839710329bd8074
Bisecting: 2 revisions left to test after this (roughly 1 step)
[f63181b6ae79fd3b034cde641db774268c2c3acf] bpf: stop setting precise in current state
testing commit f63181b6ae79fd3b034cde641db774268c2c3acf gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f50aa0f15598affcd4f02eaa46b940b0ffa1105669d1e62f473ca51e1cd16b45
all runs: crashed: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals
representative crash: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals, types: [UBSAN]
# git bisect bad f63181b6ae79fd3b034cde641db774268c2c3acf
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[be2ef8161572ec1973124ebc50f56dafc2925e07] bpf: allow precision tracking for programs with subprogs
testing commit be2ef8161572ec1973124ebc50f56dafc2925e07 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature:
e33da3f5ca87ce223c01c6e682f6a7d7a0bbd3a9873640c435ded5b28ee80f1e
all runs: OK
false negative chance: 0.000
# git bisect good be2ef8161572ec1973124ebc50f56dafc2925e07
f63181b6ae79fd3b034cde641db774268c2c3acf is the first bad commit
commit f63181b6ae79fd3b034cde641db774268c2c3acf
Author: Andrii Nakryiko
Date:   Fri Nov 4 09:36:47 2022 -0700

    bpf: stop setting precise in current state

    Setting reg->precise to true in current state is not necessary from correctness standpoint, but it does pessimise the whole precision (or rather "imprecision", because that's what we want to keep as much as possible) tracking. Why is somewhat subtle and my best attempt to explain this is recorded in an extensive comment for __mark_chain_precise() function. Some more careful thinking and code reading is probably required still to grok this completely, unfortunately. Whiteboarding and a bunch of extra handwaiving in person would be even more helpful, but is deemed impractical in Git commit.

    Next patch pushes this imprecision property even further, building on top of the insights described in this patch.

    End results are pretty nice, we get reduction in number of total instructions and states verified due to a better states reuse, as some of the states are now more generic and permissive due to less unnecessary precise=true requirements.

    SELFTESTS RESULTS
    =================

    $ ./veristat -C -e file,prog,insns,states ~/subprog-precise-results.csv ~/imprecise-early-results.csv | grep -v '+0'
    File                                     Program                 Total insns (A)  Total insns (B)  Total insns (DIFF)  Total states (A)  Total states (B)  Total states (DIFF)
    ---------------------------------------  ----------------------  ---------------  ---------------  ------------------  ----------------  ----------------  -------------------
    bpf_iter_ksym.bpf.linked1.o              dump_ksym                           347              285       -62 (-17.87%)                20                19          -1 (-5.00%)
    pyperf600_bpf_loop.bpf.linked1.o         on_event                           3678             3736        +58 (+1.58%)               276               285          +9 (+3.26%)
    setget_sockopt.bpf.linked1.o             skops_sockopt                      4038             3947        -91 (-2.25%)               347               343          -4 (-1.15%)
    test_l4lb.bpf.linked1.o                  balancer_ingress                   4559             2611     -1948 (-42.73%)               118               105        -13 (-11.02%)
    test_l4lb_noinline.bpf.linked1.o         balancer_ingress                   6279             6268        -11 (-0.18%)               237               236          -1 (-0.42%)
    test_misc_tcp_hdr_options.bpf.linked1.o  misc_estab                         1307             1303         -4 (-0.31%)               100                99          -1 (-1.00%)
    test_sk_lookup.bpf.linked1.o             ctx_narrow_access                   456              447         -9 (-1.97%)                39                38          -1 (-2.56%)
    test_sysctl_loop1.bpf.linked1.o          sysctl_tcp_mem                     1389             1384         -5 (-0.36%)                26                25          -1 (-3.85%)
    test_tc_dtime.bpf.linked1.o              egress_fwdns_prio101                518              485        -33 (-6.37%)                51                46          -5 (-9.80%)
    test_tc_dtime.bpf.linked1.o              egress_host                         519              468        -51 (-9.83%)                50                44         -6 (-12.00%)
    test_tc_dtime.bpf.linked1.o              ingress_fwdns_prio101               842             1000      +158 (+18.76%)                73                88        +15 (+20.55%)
    xdp_synproxy_kern.bpf.linked1.o          syncookie_tc                     405757           373173     -32584 (-8.03%)             25735             22882      -2853 (-11.09%)
    xdp_synproxy_kern.bpf.linked1.o          syncookie_xdp                    479055           371590   -107465 (-22.43%)             29145             22207      -6938 (-23.81%)
    ---------------------------------------  ----------------------  ---------------  ---------------  ------------------  ----------------  ----------------  -------------------

    Slight regression in test_tc_dtime.bpf.linked1.o/ingress_fwdns_prio101 is left for a follow up, there might be some more precision-related bugs in existing BPF verifier logic.

    CILIUM RESULTS
    ==============

    $ ./veristat -C -e file,prog,insns,states ~/subprog-precise-results-cilium.csv ~/imprecise-early-results-cilium.csv | grep -v '+0'
    File           Program                         Total insns (A)  Total insns (B)  Total insns (DIFF)  Total states (A)  Total states (B)  Total states (DIFF)
    -------------  ------------------------------  ---------------  ---------------  ------------------  ----------------  ----------------  -------------------
    bpf_host.o     cil_from_host                               762              556      -206 (-27.03%)                43                37         -6 (-13.95%)
    bpf_host.o     tail_handle_nat_fwd_ipv4                  23541            23426       -115 (-0.49%)              1538              1537          -1 (-0.07%)
    bpf_host.o     tail_nodeport_nat_egress_ipv4             33592            33566        -26 (-0.08%)              2163              2161          -2 (-0.09%)
    bpf_lxc.o      tail_handle_nat_fwd_ipv4                  23541            23426       -115 (-0.49%)              1538              1537          -1 (-0.07%)
    bpf_overlay.o  tail_nodeport_nat_egress_ipv4             33581            33543        -38 (-0.11%)              2160              2157          -3 (-0.14%)
    bpf_xdp.o      tail_handle_nat_fwd_ipv4                  21659            20920       -739 (-3.41%)              1440              1376         -64 (-4.44%)
    bpf_xdp.o      tail_handle_nat_fwd_ipv6                  17084            17039        -45 (-0.26%)               907               905          -2 (-0.22%)
    bpf_xdp.o      tail_lb_ipv4                              73442            73430        -12 (-0.02%)              4370              4369          -1 (-0.02%)
    bpf_xdp.o      tail_lb_ipv6                             152114           151895       -219 (-0.14%)              6493              6479         -14 (-0.22%)
    bpf_xdp.o      tail_nodeport_nat_egress_ipv4             17377            17200       -177 (-1.02%)              1125              1111         -14 (-1.24%)
    bpf_xdp.o      tail_nodeport_nat_ingress_ipv6             6405             6397         -8 (-0.12%)               309               308          -1 (-0.32%)
    bpf_xdp.o      tail_rev_nodeport_lb4                      7126             6934       -192 (-2.69%)               414               402         -12 (-2.90%)
    bpf_xdp.o      tail_rev_nodeport_lb6                     18059            17905       -154 (-0.85%)              1105              1096          -9 (-0.81%)
    -------------  ------------------------------  ---------------  ---------------  ------------------  ----------------  ----------------  -------------------

    Signed-off-by: Andrii Nakryiko
    Link: https://lore.kernel.org/r/20221104163649.121784-5-andrii@kernel.org
    Signed-off-by: Alexei Starovoitov

 kernel/bpf/verifier.c | 103 ++++++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 91 insertions(+), 12 deletions(-)

accumulated error probability: 0.00
culprit signature: f50aa0f15598affcd4f02eaa46b940b0ffa1105669d1e62f473ca51e1cd16b45
parent signature: e33da3f5ca87ce223c01c6e682f6a7d7a0bbd3a9873640c435ded5b28ee80f1e
revisions tested: 27, total time: 7h31m3.517663198s (build: 3h45m25.871586693s, test: 3h29m16.641505314s)
first bad commit: f63181b6ae79fd3b034cde641db774268c2c3acf bpf: stop setting precise in current state
recipients (to): ["andrii@kernel.org" "ast@kernel.org" "ast@kernel.org" "bpf@vger.kernel.org" "daniel@iogearbox.net"]
recipients (cc): ["andrii@kernel.org" "davem@davemloft.net" "haoluo@google.com" "hawk@kernel.org" "john.fastabend@gmail.com" "jolsa@kernel.org" "kpsingh@kernel.org" "kuba@kernel.org" "linux-kernel@vger.kernel.org" "martin.lau@linux.dev" "netdev@vger.kernel.org" "sdf@google.com" "song@kernel.org" "yhs@fb.com"]
crash: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals
================================================================================
UBSAN: shift-out-of-bounds in kernel/bpf/verifier.c:9038:63
shift exponent 1073741824 is too large for 32-bit type 'int'
CPU: 0 PID: 2035 Comm: syz-executor.0 Not tainted 6.1.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x44/0x60 lib/dump_stack.c:106
 ubsan_epilogue+0x5/0x36 lib/ubsan.c:151
 __ubsan_handle_shift_out_of_bounds.cold+0x6a/0x108 lib/ubsan.c:322
 scalar32_min_max_arsh kernel/bpf/verifier.c:9038 [inline]
 adjust_scalar_min_max_vals kernel/bpf/verifier.c:9226 [inline]
 adjust_reg_min_max_vals.cold+0x105/0x124 kernel/bpf/verifier.c:9327
 do_check kernel/bpf/verifier.c:12342 [inline]
 do_check_common+0x103f/0x3e80 kernel/bpf/verifier.c:14750
 do_check_main kernel/bpf/verifier.c:14813 [inline]
 bpf_check+0x2179/0x3230 kernel/bpf/verifier.c:15383
 bpf_prog_load+0x573/0xbf0 kernel/bpf/syscall.c:2571
 __sys_bpf+0xa9f/0x2a30 kernel/bpf/syscall.c:4931
 __do_sys_bpf kernel/bpf/syscall.c:5035 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5033 [inline]
 __x64_sys_bpf+0x19/0x20 kernel/bpf/syscall.c:5033
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x64/0xce
RIP: 0033:0x7f308b950ba9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f308b4d30c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f308ba6ff80 RCX: 00007f308b950ba9
RDX: 0000000000000048 RSI: 00000000200054c0 RDI: 0000000000000005
RBP: 00007f308b99c47a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f308ba6ff80 R15: 00007fffaf633dc8
================================================================================