ci2 starts bisection 2025-07-25 08:21:55.797316631 +0000 UTC m=+33933.502777687
bisecting fixing commit since 05ef4ccb57746f921003b9340fc2f0532c177f41
building syzkaller on 3222d10cbe77bbedb5a7c455e5bcb6b7081a63b7
ensuring issue is reproducible on original commit 05ef4ccb57746f921003b9340fc2f0532c177f41
testing commit 05ef4ccb57746f921003b9340fc2f0532c177f41 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5e0de3766555c0a9066c98845122a9ae3b5b74807e8db3bcc1b9793f499a319b
all runs: crashed: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals
representative crash: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals, types: [UBSAN]
check whether we can drop unnecessary instrumentation
disabling configs for [locking atomic_sleep hang memleak bug_or_warning kasan], they are not needed
testing commit 05ef4ccb57746f921003b9340fc2f0532c177f41 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0453187aa890a6981531bd9fcecbf4742533fd90a3787d864c83df20c38ccdcb
all runs: crashed: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals
representative crash: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals, types: [UBSAN]
the bug reproduces without the instrumentation
disabling configs for [bug_or_warning kasan locking atomic_sleep hang memleak], they are not needed
kconfig minimization: base=4921 full=6161 leaves diff=243
split chunks (needed=false): <243>
split chunk #0 of len 243 into 5 parts
testing without sub-chunk 1/5
disabling configs for [bug_or_warning kasan locking atomic_sleep hang memleak], they are not needed
testing commit 05ef4ccb57746f921003b9340fc2f0532c177f41 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 90fdb0b41e57d4b179c1863827f06a6e709db9da1e327c04c5b7a4ae851b3454
all runs: crashed: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals
representative crash: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals, types: [UBSAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [atomic_sleep hang memleak bug_or_warning kasan locking], they are not needed
testing commit 05ef4ccb57746f921003b9340fc2f0532c177f41 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9485c5251786d074aeca0ac10b62b9ba322d89967cb149eada938729f3c9d296
all runs: crashed: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals
representative crash: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals, types: [UBSAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [memleak bug_or_warning kasan locking atomic_sleep hang], they are not needed
testing commit 05ef4ccb57746f921003b9340fc2f0532c177f41 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 45c5408b3b9e7aaeadbe7dc307a4e9ac136d1c7a89fd3fba9443b5d3d4c2e6bb
all runs: crashed: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals
representative crash: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals, types: [UBSAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [locking atomic_sleep hang memleak bug_or_warning kasan], they are not needed
testing commit 05ef4ccb57746f921003b9340fc2f0532c177f41 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 796904841bc14d3271326a8898dd8cc865c4d133f4b38c7b18763f12c40fc85b
all runs: crashed: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals
representative crash: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals, types: [UBSAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [kasan locking atomic_sleep hang memleak bug_or_warning], they are not needed
testing commit 05ef4ccb57746f921003b9340fc2f0532c177f41 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
failed building 05ef4ccb57746f921003b9340fc2f0532c177f41:
net/socket.c:1189: undefined reference to `wext_handle_ioctl'
net/socket.c:3383: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:343: undefined reference to `wext_proc_exit'
net/core/net-procfs.c:327: undefined reference to `wext_proc_init'
minimized to 47 configs; suspects: [HID_ZEROPLUS USB_NET_DM9601 USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL USB_SERIAL_FTDI_SIO USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_ZYDAS X86_X32 ZEROPLUS_FF]
disabling configs for [kasan locking atomic_sleep hang memleak bug_or_warning], they are not needed
testing current HEAD a71626bd56a5492d6fb4b63184db87006490a810
testing commit a71626bd56a5492d6fb4b63184db87006490a810 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b79ae630cdb615f43a710209f8c6002823c9a4cf75dc9f0d357aabc3ac7f00ea
all runs: OK
false negative chance: 0.000
# git bisect start a71626bd56a5492d6fb4b63184db87006490a810 05ef4ccb57746f921003b9340fc2f0532c177f41
Bisecting: 5319 revisions left to test after this (roughly 12 steps)
[131ee27d0c5c70a33fd514f2cc0fb5ef81040d9c] dmaengine: dw: Add memory bus width verification
determine whether the revision contains the guilty commit
checking the merge base 2a910f4af54d11deaefdc445f895724371645a97
no existing result, test the revision
testing commit 2a910f4af54d11deaefdc445f895724371645a97 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e92f7327d87efca88a5565b8116fa5f1d7613cd54ef89301e093acfd713b2316
all runs: crashed: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals
representative crash: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals, types: [UBSAN]
testing commit 131ee27d0c5c70a33fd514f2cc0fb5ef81040d9c gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 99654666b8f4cd8f74964e43d0bce572dbebfd3b4c8127cbf3f5730d01ea0453
all runs: crashed: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals
representative crash: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals, types: [UBSAN]
# git bisect good 131ee27d0c5c70a33fd514f2cc0fb5ef81040d9c
Bisecting: 2661 revisions left to test after this (roughly 11 steps)
[ef305447885e2884837104d529c82a0c54c4041c] arp: switch to dev_getbyhwaddr() in arp_req_set_public()
determine whether the revision contains the guilty commit
revision 2a910f4af54d11deaefdc445f895724371645a97 crashed and is reachable
testing commit ef305447885e2884837104d529c82a0c54c4041c gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 71d53759ad5e201aa8ec725fd3acbfc43430a5892482449c9014e9ba394f2d4a
all runs: crashed: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals
representative crash: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals, types: [UBSAN]
# git bisect good ef305447885e2884837104d529c82a0c54c4041c
Bisecting: 1330 revisions left to test after this (roughly 10 steps)
[694456462ed63a06adbb0b7f2396a2eb5cc153c0] net: mdio: C22 is now optional, EOPNOTSUPP if not provided
determine whether the revision contains the guilty commit
revision 2a910f4af54d11deaefdc445f895724371645a97 crashed and is reachable
testing commit 694456462ed63a06adbb0b7f2396a2eb5cc153c0 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: dc37f57505882abd21fca06efa5b7a50bde1ffc58ceafff14082a6239bbafe43
all runs: crashed: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals
representative crash: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals, types: [UBSAN]
# git bisect good 694456462ed63a06adbb0b7f2396a2eb5cc153c0
Bisecting: 672 revisions left to test after this (roughly 9 steps)
[c56338685e9061ffb018ad3cd19997b1ee426b30] Merge 1e5cc8d5b121 ("drm/amd/display: increase MAX_SURFACES to the value supported by hw") into android13-5.15-lts
determine whether the revision contains the guilty commit
revision 05ef4ccb57746f921003b9340fc2f0532c177f41 crashed and is reachable
testing commit c56338685e9061ffb018ad3cd19997b1ee426b30 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 29ae4781a4c38cf48c38a7af68da4ffae58cb223b7b75a741ed21523ef1cade4
all runs: crashed: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals
representative crash: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals, types: [UBSAN]
# git bisect good c56338685e9061ffb018ad3cd19997b1ee426b30
Bisecting: 336 revisions left to test after this (roughly 8 steps)
[34d3e10ab905f06445f8dbd8a3d9697095e71bae] drm/amd/display: Add null pointer check for get_first_active_display()
determine whether the revision contains the guilty commit
revision 2a910f4af54d11deaefdc445f895724371645a97 crashed and is reachable
testing commit 34d3e10ab905f06445f8dbd8a3d9697095e71bae gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d8540c769d338409ddbaf76cd375f524835dd5e89ebe9b3e49f3377c31077ca8
all runs: crashed: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals
representative crash: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals, types: [UBSAN]
# git bisect good 34d3e10ab905f06445f8dbd8a3d9697095e71bae
Bisecting: 165 revisions left to test after this (roughly 7 steps)
[25a456b541bbd2d159a29c5978b6ed288999429c] Merge tag 'android13-5.15.185_r00' into android13-5.15
determine whether the revision contains the guilty commit
revision 2a910f4af54d11deaefdc445f895724371645a97 crashed and is reachable
testing commit 25a456b541bbd2d159a29c5978b6ed288999429c gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4871d29619a760416c5a3748779c6cbf91bded6fe20722e54142e5a5a5b3e403
all runs: crashed: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals
representative crash: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals, types: [UBSAN]
# git bisect good 25a456b541bbd2d159a29c5978b6ed288999429c
Bisecting: 82 revisions left to test after this (roughly 6 steps)
[36a439049b34cca0b3661276049b84a1f76cc21a] vsock: Fix transport_* TOCTOU
determine whether the revision contains the guilty commit
revision 2a910f4af54d11deaefdc445f895724371645a97 crashed and is reachable
testing commit 36a439049b34cca0b3661276049b84a1f76cc21a gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d288eb64a9c0125fcb48a9738cd4106d97af95b51f71e9183b87e5ff5b056e50
all runs: crashed: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals
representative crash: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals, types: [UBSAN]
# git bisect good 36a439049b34cca0b3661276049b84a1f76cc21a
Bisecting: 41 revisions left to test after this (roughly 5 steps)
[3435a2048972c84e0253174e152c139bf306a492] usb: dwc3: Abort suspend on soft disconnect failure
determine whether the revision contains the guilty commit
revision 34d3e10ab905f06445f8dbd8a3d9697095e71bae crashed and is reachable
testing commit 3435a2048972c84e0253174e152c139bf306a492 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0d64db2e99c36fc68dd04381ab5596133508f22c35b32f4e541beb951a924f36
all runs: OK
false negative chance: 0.000
# git bisect bad 3435a2048972c84e0253174e152c139bf306a492
Bisecting: 20 revisions left to test after this (roughly 4 steps)
[e3154a48fd0bf558ab882422d3a60a01b066d714] x86/mce: Make sure CMCI banks are cleared during shutdown on Intel
determine whether the revision contains the guilty commit
revision 36a439049b34cca0b3661276049b84a1f76cc21a crashed and is reachable
testing commit e3154a48fd0bf558ab882422d3a60a01b066d714 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e39cdb483c4299fc2b919fa4eb95bbc5339e16b702ee21079bbd6fdd725e2b3e
all runs: OK
false negative chance: 0.000
# git bisect bad e3154a48fd0bf558ab882422d3a60a01b066d714
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[d30910170f7efe1d04e0646e2775dadf29b4f181] ice: safer stats processing
determine whether the revision contains the guilty commit
revision 2a910f4af54d11deaefdc445f895724371645a97 crashed and is reachable
testing commit d30910170f7efe1d04e0646e2775dadf29b4f181 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: abdc24a22f8fc02870bf6f0ec1b98293bb31b8cc284537dff0de01b49ff967b4
all runs: crashed: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals
representative crash: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals, types: [UBSAN]
# git bisect good d30910170f7efe1d04e0646e2775dadf29b4f181
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[65ad600b9bde68d2d28709943ab00b51ca8f0a1d] bpf, sockmap: Fix skb refcnt race after locking changes
determine whether the revision contains the guilty commit
revision 2a910f4af54d11deaefdc445f895724371645a97 crashed and is reachable
testing commit 65ad600b9bde68d2d28709943ab00b51ca8f0a1d gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 93aa177b5841e119626762fd756b36dcfd5faea993fd8a3fb5abc6ad77d76bde
all runs: OK
false negative chance: 0.000
# git bisect bad 65ad600b9bde68d2d28709943ab00b51ca8f0a1d
Bisecting: 2 revisions left to test after this (roughly 1 step)
[e37e3b6cc8dcc5a4f47a46eee39f3890abac16ea] bpf: fix precision backtracking instruction iteration
determine whether the revision contains the guilty commit
revision 36a439049b34cca0b3661276049b84a1f76cc21a crashed and is reachable
testing commit e37e3b6cc8dcc5a4f47a46eee39f3890abac16ea gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 54327ef4443d1faddbeb29fa1cee70bd3ca318b596218a3fbb2a6f00abc2c549
all runs: OK
false negative chance: 0.000
# git bisect bad e37e3b6cc8dcc5a4f47a46eee39f3890abac16ea
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[f5e72b7824d08c206ce106d30cb37c4642900ccc] rxrpc: Fix oops due to non-existence of prealloc backlog struct
determine whether the revision contains the guilty commit
revision d30910170f7efe1d04e0646e2775dadf29b4f181 crashed and is reachable
testing commit f5e72b7824d08c206ce106d30cb37c4642900ccc gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 530fb2a4a1fb36ac4d16a587603d1622a2de55d7dd15c20bde07b8c84d1353a1
all runs: crashed: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals
representative crash: UBSAN: shift-out-of-bounds in adjust_reg_min_max_vals, types: [UBSAN]
# git bisect good f5e72b7824d08c206ce106d30cb37c4642900ccc
e37e3b6cc8dcc5a4f47a46eee39f3890abac16ea is the first bad commit
commit e37e3b6cc8dcc5a4f47a46eee39f3890abac16ea
Author: Andrii Nakryiko
Date: Thu Nov 9 16:26:37 2023 -0800

    bpf: fix precision backtracking instruction iteration

    commit 4bb7ea946a370707315ab774432963ce47291946 upstream.

    Fix an edge case in __mark_chain_precision() which prematurely stops backtracking instructions in a state if it happens that state's first and last instruction indexes are the same. This situations doesn't necessarily mean that there were no instructions simulated in a state, but rather that we starting from the instruction, jumped around a bit, and then ended up at the same instruction before checkpointing or marking precision.

    To distinguish between these two possible situations, we need to consult jump history. If it's empty or contain a single record "bridging" parent state and first instruction of processed state, then we indeed backtracked all instructions in this state. But if history is not empty, we are definitely not done yet.

    Move this logic inside get_prev_insn_idx() to contain it more nicely. Use -ENOENT return code to denote "we are out of instructions" situation.

    This bug was exposed by verifier_loop1.c's bounded_recursion subtest, once the next fix in this patch set is applied.

    Acked-by: Eduard Zingerman
    Fixes: b5dc0163d8fd ("bpf: precise scalar_value tracking")
    Signed-off-by: Andrii Nakryiko
    Link: https://lore.kernel.org/r/20231110002638.4168352-3-andrii@kernel.org
    Signed-off-by: Alexei Starovoitov
    Signed-off-by: Aaron Lu
    Reported-by: Wei Wei
    Closes: https://lore.kernel.org/all/20250605070921.GA3795@bytedance/
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Greg Kroah-Hartman

 kernel/bpf/verifier.c | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)
accumulated error probability: 0.00
culprit signature: 54327ef4443d1faddbeb29fa1cee70bd3ca318b596218a3fbb2a6f00abc2c549
parent signature: 530fb2a4a1fb36ac4d16a587603d1622a2de55d7dd15c20bde07b8c84d1353a1
revisions tested: 21, total time: 8h9m57.483455924s (build: 5h29m11.350271186s, test: 2h32m49.339925764s)
first good commit: e37e3b6cc8dcc5a4f47a46eee39f3890abac16ea bpf: fix precision backtracking instruction iteration
recipients (to): ["andrii@kernel.org" "ast@kernel.org" "eddyz87@gmail.com" "gregkh@linuxfoundation.org" "ziqianlu@bytedance.com"]
recipients (cc): []