ci2 starts bisection 2024-04-19 20:24:53.134757888 +0000 UTC m=+133016.623696487
bisecting fixing commit since 30bca9e2785b3c7cce113308b16b40132293ca34
building syzkaller on 4f9530a3b62297342999c9097c77dde726522618
ensuring issue is reproducible on original commit 30bca9e2785b3c7cce113308b16b40132293ca34
testing commit 30bca9e2785b3c7cce113308b16b40132293ca34 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 38bf48f1da8b0bc39c7601d58be857dd267e15d3f074e5dfcb2eea891d377ea2
all runs: crashed: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh
representative crash: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh, types: [UBSAN]
check whether we can drop unnecessary instrumentation
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK BUG KASAN], they are not needed
testing commit 30bca9e2785b3c7cce113308b16b40132293ca34 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4f36752a283c5be9b66ba20e1309a3ce6041e6a686bb4963d7f63bf088010ee1
all runs: crashed: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh
representative crash: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh, types: [UBSAN]
the bug reproduces without the instrumentation
disabling configs for [BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
kconfig minimization: base=5179 full=6490 leaves diff=254
split chunks (needed=false): <254>
split chunk #0 of len 254 into 5 parts
testing without sub-chunk 1/5
disabling configs for [HANG LEAK BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 30bca9e2785b3c7cce113308b16b40132293ca34 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3011ce583530e6ba7113c0844f96abea8f50ad75638b88a80674c3b12883bd08
all runs: crashed: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh
representative crash: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh, types: [UBSAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [LEAK BUG KASAN LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit 30bca9e2785b3c7cce113308b16b40132293ca34 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ebc4302518ac0645f0f49e96726c84680dcdc01fd6c2ad715d2f877d7f68da62
all runs: crashed: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh
representative crash: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh, types: [UBSAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK BUG], they are not needed
testing commit 30bca9e2785b3c7cce113308b16b40132293ca34 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f9b469b2510c58b5ecf3a9763eb22b609a02b8302b496f649b2878e8fc6b9813
all runs: crashed: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh
representative crash: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh, types: [UBSAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK BUG], they are not needed
testing commit 30bca9e2785b3c7cce113308b16b40132293ca34 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ad34a93686c650b946a9f527d9bd1f2def4a8142154d088f1071a1e9eadf2492
all runs: crashed: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh
representative crash: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh, types: [UBSAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit 30bca9e2785b3c7cce113308b16b40132293ca34 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
failed building 30bca9e2785b3c7cce113308b16b40132293ca34:
net/socket.c:1242: undefined reference to `wext_handle_ioctl'
net/socket.c:3437: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:329: undefined reference to `wext_proc_init'
net/core/net-procfs.c:345: undefined reference to `wext_proc_exit'
minimized to 50 configs; suspects: [HID_ZEROPLUS USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM V4L2_ASYNC V4L2_FWNODE VIDEO_CAMERA_SENSOR WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_PURELIFI WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_SILABS WLAN_VENDOR_ZYDAS X86_X32_ABI ZEROPLUS_FF]
disabling configs for [ATOMIC_SLEEP HANG LEAK BUG KASAN LOCKDEP], they are not needed
testing current HEAD dcb09569bbff14d203a6b2ffa40da7b724665e31
testing commit dcb09569bbff14d203a6b2ffa40da7b724665e31 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 10c899f5ce49b1b1c84078c38cbf832793dc13df610e7685b0864b5b25673f71
all runs: OK
false negative chance: 0.000
# git bisect start dcb09569bbff14d203a6b2ffa40da7b724665e31 30bca9e2785b3c7cce113308b16b40132293ca34
Bisecting: 1537 revisions left to test after this (roughly 11 steps)
[bfe5a5e2f9e96e17c05c296f70b09088ab2fe991] io_uring: fix mutex_unlock with unreferenced ctx
determine whether the revision contains the guilty commit
checking the merge base 082280fe94a09462c727fb6e7b0c982efb36dede
no existing result, test the revision
testing commit 082280fe94a09462c727fb6e7b0c982efb36dede gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: bfdf489920138b629d8388583e914587288f1496b507eaf135e1c7567a0ea20f
all runs: crashed: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh
representative crash: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh, types: [UBSAN]
testing commit bfe5a5e2f9e96e17c05c296f70b09088ab2fe991 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 30859f85c3837f4860db68754eaa09e2ab3faf9e0a91ffbd70109be665be76f7
all runs: crashed: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh
representative crash: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh, types: [UBSAN]
# git bisect good bfe5a5e2f9e96e17c05c296f70b09088ab2fe991
Bisecting: 768 revisions left to test after this (roughly 10 steps)
[9435bbc8d9ead08181d6862416c292c55237b392] scsi: fnic: Return error if vmalloc() failed
determine whether the revision contains the guilty commit
revision 082280fe94a09462c727fb6e7b0c982efb36dede crashed and is reachable
testing commit 9435bbc8d9ead08181d6862416c292c55237b392 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: dde8963a9bc77a93fce3ac5bd781e3c62dc8d6a1617040429fa68181565b553f
all runs: OK
false negative chance: 0.000
# git bisect bad 9435bbc8d9ead08181d6862416c292c55237b392
Bisecting: 384 revisions left to test after this (roughly 9 steps)
[04b8e04f8f89f255ae3fec250b149e3ffd724a7c] ksmbd: avoid duplicate opinfo_put() call on error of smb21_lease_break_ack()
determine whether the revision contains the guilty commit
revision bfe5a5e2f9e96e17c05c296f70b09088ab2fe991 crashed and is reachable
testing commit 04b8e04f8f89f255ae3fec250b149e3ffd724a7c gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e78b2061daa71dc842a0ffbe35ec0268b4b0fdf396ce09a92a26a5308042a031
all runs: crashed: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh
representative crash: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh, types: [UBSAN]
# git bisect good 04b8e04f8f89f255ae3fec250b149e3ffd724a7c
Bisecting: 192 revisions left to test after this (roughly 8 steps)
[0c880e1e38ea90a32ed6d261dc952128cfe7561f] wifi: avoid offset calculation on NULL pointer
determine whether the revision contains the guilty commit
revision 082280fe94a09462c727fb6e7b0c982efb36dede crashed and is reachable
testing commit 0c880e1e38ea90a32ed6d261dc952128cfe7561f gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e52517399b4b4d4b0bf517478887051021e0daef223a8283f029e621b513707a
all runs: OK
false negative chance: 0.000
# git bisect bad 0c880e1e38ea90a32ed6d261dc952128cfe7561f
Bisecting: 95 revisions left to test after this (roughly 7 steps)
[2489502fb1f5e5cf86824dadb45a9bac02fbd3aa] ipv4, ipv6: Use splice_eof() to flush
determine whether the revision contains the guilty commit
revision 082280fe94a09462c727fb6e7b0c982efb36dede crashed and is reachable
testing commit 2489502fb1f5e5cf86824dadb45a9bac02fbd3aa gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: dc2ca32a95f6608c3caffb3db8ac07eaa6338eeef9c7e1a48a03c0e08074105c
all runs: crashed: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh
representative crash: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh, types: [UBSAN]
# git bisect good 2489502fb1f5e5cf86824dadb45a9bac02fbd3aa
Bisecting: 47 revisions left to test after this (roughly 6 steps)
[aeeb4e4e49f8118d00cf803581555a2a2905759c] genirq/affinity: Don't pass irq_affinity_desc array to irq_build_affinity_masks
determine whether the revision contains the guilty commit
revision 2489502fb1f5e5cf86824dadb45a9bac02fbd3aa crashed and is reachable
testing commit aeeb4e4e49f8118d00cf803581555a2a2905759c gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 15e4ec1fe533d5a467a2adf209b3ef2f02ddfbee56e13c328c108a286350f44c
all runs: OK
false negative chance: 0.000
# git bisect bad aeeb4e4e49f8118d00cf803581555a2a2905759c
Bisecting: 23 revisions left to test after this (roughly 5 steps)
[84a8d913fb532793122f45b59b73224b63c3307e] f2fs: clean up i_compress_flag and i_compress_level usage
determine whether the revision contains the guilty commit
revision bfe5a5e2f9e96e17c05c296f70b09088ab2fe991 crashed and is reachable
testing commit 84a8d913fb532793122f45b59b73224b63c3307e gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3755cf21413a78e0e6e1a5d7d0ce044a27262ae064dd9fafc5421b3f60b17dbf
all runs: OK
false negative chance: 0.000
# git bisect bad 84a8d913fb532793122f45b59b73224b63c3307e
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[eb4f2e17886ad8d830044916ee614abf88c56349] fbdev: imsttfb: fix double free in probe()
determine whether the revision contains the guilty commit
revision 04b8e04f8f89f255ae3fec250b149e3ffd724a7c crashed and is reachable
testing commit eb4f2e17886ad8d830044916ee614abf88c56349 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 862fbdd1ea0dfce4f57873eb2778b8805da695dc10cbc8d794186d8d7fcc646b
all runs: crashed: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh
representative crash: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh, types: [UBSAN]
# git bisect good eb4f2e17886ad8d830044916ee614abf88c56349
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[b08acd5c4602365e6443226a65c9ed2809cd85b0] bpf: handle ldimm64 properly in check_cfg()
determine whether the revision contains the guilty commit
revision 2489502fb1f5e5cf86824dadb45a9bac02fbd3aa crashed and is reachable
testing commit b08acd5c4602365e6443226a65c9ed2809cd85b0 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ced418682a318d9bff4924f7efef1f17dea2fb0bfbd8f3eb1038cb0aa0eed03e
all runs: crashed: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh
representative crash: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh, types: [UBSAN]
# git bisect good b08acd5c4602365e6443226a65c9ed2809cd85b0
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[31051f722db23335cfbfc04911ea5eed762e872e] net/mlx5: Increase size of irq name buffer
determine whether the revision contains the guilty commit
revision eb4f2e17886ad8d830044916ee614abf88c56349 crashed and is reachable
testing commit 31051f722db23335cfbfc04911ea5eed762e872e gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: afd8eef4c2e48e2c7ea5be20a232277f24fd06e5a329cb3a4325e0e5359f7349
all runs: OK
false negative chance: 0.000
# git bisect bad 31051f722db23335cfbfc04911ea5eed762e872e
Bisecting: 0 revisions left to test after this (roughly 1 step)
[b5c8e0ff76d10f6bf70a7237678f27c20cf59bc9] blk-mq: make sure active queue usage is held for bio_integrity_prep()
determine whether the revision contains the guilty commit
revision 082280fe94a09462c727fb6e7b0c982efb36dede crashed and is reachable
testing commit b5c8e0ff76d10f6bf70a7237678f27c20cf59bc9 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e26133ca8b95be28ae17394c8b780bff65f5d5ed5ba174fc5b9b95ef8dd84122
all runs: OK
false negative chance: 0.000
# git bisect bad b5c8e0ff76d10f6bf70a7237678f27c20cf59bc9
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[803fb6109fcfa939d78907ad34161a720b37848d] bpf: fix precision backtracking instruction iteration
determine whether the revision contains the guilty commit
revision b08acd5c4602365e6443226a65c9ed2809cd85b0 crashed and is reachable
testing commit 803fb6109fcfa939d78907ad34161a720b37848d gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6becbf348b45a25f31919da9f0f576fbb73e1581b3e65fd05e54a2b82e4a5a70
all runs: OK
false negative chance: 0.000
# git bisect bad 803fb6109fcfa939d78907ad34161a720b37848d
803fb6109fcfa939d78907ad34161a720b37848d is the first bad commit
commit 803fb6109fcfa939d78907ad34161a720b37848d
Author: Andrii Nakryiko
Date: Thu Nov 9 16:26:37 2023 -0800

bpf: fix precision backtracking instruction iteration

[ Upstream commit 4bb7ea946a370707315ab774432963ce47291946 ]

Fix an edge case in __mark_chain_precision() which prematurely stops backtracking instructions in a state if it happens that state's first and last instruction indexes are the same. This situations doesn't necessarily mean that there were no instructions simulated in a state, but rather that we starting from the instruction, jumped around a bit, and then ended up at the same instruction before checkpointing or marking precision.

To distinguish between these two possible situations, we need to consult jump history. If it's empty or contain a single record "bridging" parent state and first instruction of processed state, then we indeed backtracked all instructions in this state. But if history is not empty, we are definitely not done yet.

Move this logic inside get_prev_insn_idx() to contain it more nicely. Use -ENOENT return code to denote "we are out of instructions" situation.

This bug was exposed by verifier_loop1.c's bounded_recursion subtest, once the next fix in this patch set is applied.

Acked-by: Eduard Zingerman
Fixes: b5dc0163d8fd ("bpf: precise scalar_value tracking")
Signed-off-by: Andrii Nakryiko
Link: https://lore.kernel.org/r/20231110002638.4168352-3-andrii@kernel.org
Signed-off-by: Alexei Starovoitov
Signed-off-by: Sasha Levin

kernel/bpf/verifier.c | 21 +++++++++++++++++++--
1 file changed, 19 insertions(+), 2 deletions(-)

accumulated error probability: 0.00
culprit signature: 6becbf348b45a25f31919da9f0f576fbb73e1581b3e65fd05e54a2b82e4a5a70
parent signature: ced418682a318d9bff4924f7efef1f17dea2fb0bfbd8f3eb1038cb0aa0eed03e
revisions tested: 20, total time: 3h47m33.944435059s (build: 1h33m6.108421608s, test: 2h5m18.142501755s)
first good commit: 803fb6109fcfa939d78907ad34161a720b37848d bpf: fix precision backtracking instruction iteration
recipients (to): ["andrii@kernel.org" "ast@kernel.org" "eddyz87@gmail.com" "sashal@kernel.org"]
recipients (cc): []