ci starts bisection 2024-03-12 01:07:08.888358398 +0000 UTC m=+228345.185547538 bisecting cause commit starting from c8a5c731fd1223090af57da33838c671a7fc6a78 building syzkaller on 6ee49f2e61b06b3d64c676dd2232a5ac362902a6 ensuring issue is reproducible on original commit c8a5c731fd1223090af57da33838c671a7fc6a78 testing commit c8a5c731fd1223090af57da33838c671a7fc6a78 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 0433ffaa9be9324c5ef789bff149a2a201431334f62ac503a47002f2e278be1a all runs: crashed: UBSAN: shift-out-of-bounds in taprio_change representative crash: UBSAN: shift-out-of-bounds in taprio_change, types: [UBSAN] check whether we can drop unnecessary instrumentation disabling configs for [BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed testing commit c8a5c731fd1223090af57da33838c671a7fc6a78 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 219fca455c2aa025ea164431d1c7f5c54b9abb832ba41502783f0b7a929f3ab2 all runs: crashed: UBSAN: shift-out-of-bounds in taprio_change representative crash: UBSAN: shift-out-of-bounds in taprio_change, types: [UBSAN] the bug reproduces without the instrumentation disabling configs for [ATOMIC_SLEEP HANG LEAK BUG KASAN LOCKDEP], they are not needed kconfig minimization: base=3937 full=7963 leaves diff=2020 split chunks (needed=false): <2020> split chunk #0 of len 2020 into 5 parts testing without sub-chunk 1/5 disabling configs for [BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed testing commit c8a5c731fd1223090af57da33838c671a7fc6a78 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: f726cb2e597ea6633d48cd3668bee9c75c8c5c3d5a3af049a3a30c66ed1629f9 all runs: crashed: UBSAN: shift-out-of-bounds in taprio_change representative crash: UBSAN: shift-out-of-bounds in taprio_change, types: [UBSAN] the chunk can be dropped testing without sub-chunk 2/5 disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK BUG KASAN], they are not needed testing commit c8a5c731fd1223090af57da33838c671a7fc6a78 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: b0011fd69f84774c33102227a69f15e10ff25f5094f18d1a84edf1b614b2dde3 all runs: crashed: UBSAN: shift-out-of-bounds in taprio_change representative crash: UBSAN: shift-out-of-bounds in taprio_change, types: [UBSAN] the chunk can be dropped testing without sub-chunk 3/5 disabling configs for [BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed testing commit c8a5c731fd1223090af57da33838c671a7fc6a78 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 079ad2641451ed07204034f67094c87f5e33eb81cc280587a730bdb6976fcef3 all runs: OK false negative chance: 0.000 testing without sub-chunk 4/5 disabling configs for [BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed testing commit c8a5c731fd1223090af57da33838c671a7fc6a78 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 42371d25878bf7b98bd26a2ed8f3213b4ff7b32e789daafffc8c42c8208b8b4d all runs: crashed: UBSAN: shift-out-of-bounds in taprio_change representative crash: UBSAN: shift-out-of-bounds in taprio_change, types: [UBSAN] the chunk can be dropped testing without sub-chunk 5/5 disabling configs for [BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed testing commit c8a5c731fd1223090af57da33838c671a7fc6a78 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: dc92fb635c019419c88e8a2d71a695ae9e3c44f839faddc8eeca8f7887a8c47b all runs: crashed: UBSAN: shift-out-of-bounds in taprio_change representative crash: UBSAN: shift-out-of-bounds in taprio_change, types: [UBSAN] the chunk can be dropped minimized to 404 configs; suspects: [AX25 BRIDGE BRIDGE_NETFILTER CAN CFG80211 CHECKPOINT_RESTORE DVB_CORE FB_CORE HAMRADIO HSR INFINIBAND INFINIBAND_ADDR_TRANS INFINIBAND_USER_ACCESS INPUT_JOYSTICK INPUT_MOUSE IP6_NF_RAW IPV6_MULTIPLE_TABLES IP_NF_RAW IP_SET IP_VS IP_VS_LC IP_VS_MH IP_VS_NFCT IP_VS_NQ IP_VS_OVF IP_VS_PE_SIP IP_VS_PROTO_AH IP_VS_PROTO_AH_ESP IP_VS_PROTO_ESP IP_VS_PROTO_SCTP IP_VS_PROTO_UDP IP_VS_RR IP_VS_SED IP_VS_SH IP_VS_TWOS IP_VS_WLC IP_VS_WRR IRQ_BYPASS_MANAGER IRQ_POLL IR_IGORPLUGUSB IR_IGUANA IR_IMON IR_MCEUSB IR_REDRAT3 IR_STREAMZAP IR_TTUSBIR ISDN ISDN_CAPI_MIDDLEWARE JFFS2_CMODE_PRIORITY JFFS2_COMPRESSION_OPTIONS JFFS2_FS JFFS2_FS_POSIX_ACL JFFS2_FS_SECURITY JFFS2_FS_WRITEBUFFER JFFS2_FS_XATTR JFFS2_LZO JFFS2_RTIME JFFS2_RUBIN JFFS2_SUMMARY JFFS2_ZLIB JFS_DEBUG JFS_FS JFS_POSIX_ACL JFS_SECURITY JOYSTICK_IFORCE JOYSTICK_IFORCE_USB JOYSTICK_XPAD JOYSTICK_XPAD_FF JOYSTICK_XPAD_LEDS KARMA_PARTITION KCOV KCOV_ENABLE_COMPARISONS KCOV_INSTRUMENT_ALL KEYS_REQUEST_CACHE KEY_DH_OPERATIONS KEY_NOTIFICATIONS KSM KVM KVM_AMD KVM_ASYNC_PF KVM_COMMON KVM_COMPAT KVM_GENERIC_DIRTYLOG_READ_PROTECT KVM_GENERIC_HARDWARE_ENABLING KVM_GENERIC_MEMORY_ATTRIBUTES KVM_GENERIC_MMU_NOTIFIER KVM_GENERIC_PRIVATE_MEM KVM_HYPERV KVM_MMIO KVM_PRIVATE_MEM KVM_PROVE_MMU KVM_SW_PROTECTED_VM KVM_VFIO KVM_XEN KVM_XFER_TO_GUEST_WORK L2TP L2TP_ETH L2TP_IP L2TP_V3 LAPB LAPBETHER LDM_PARTITION LEDS_TRIGGER_AUDIO LEGACY_PTYS LIBCRC32C LIBNVDIMM LINEAR_RANGES LLC LLC2 LOGIG940_FF LOGIRUMBLEPAD2_FF LOGO LOGO_LINUX_MONO LOGO_LINUX_VGA16 LPC_ICH LRU_GEN LRU_GEN_ENABLED LRU_GEN_WALKS_MMU LWTUNNEL LWTUNNEL_BPF LZ4HC_COMPRESS LZ4_COMPRESS MAC80211 MAC80211_HAS_RC MAC80211_HWSIM MAC80211_MESH MAC80211_RC_DEFAULT_MINSTREL MAC80211_RC_MINSTREL MACSEC MACVLAN MACVTAP MAC_PARTITION MAPPING_DIRTY_HELPERS MD_RAID0 MD_RAID1 MD_RAID10 MD_RAID456 MEDIA_ANALOG_TV_SUPPORT MEDIA_ATTACH MEDIA_CONTROLLER MEDIA_CONTROLLER_DVB MEDIA_DIGITAL_TV_SUPPORT MEDIA_RADIO_SUPPORT MEDIA_SDR_SUPPORT MEDIA_SUPPORT MEDIA_SUPPORT_FILTER MEDIA_TUNER MEDIA_TUNER_MSI001 MEMORY_BALLOON MEMORY_HOTPLUG MEMORY_HOTPLUG_DEFAULT_ONLINE MEMORY_ISOLATION MEMREGION MEMSTICK MEMSTICK_REALTEK_USB MEM_SOFT_DIRTY MFD_CORE MFD_SYSCON MHI_BUS MHI_WWAN_CTRL MHP_MEMMAP_ON_MEMORY MICROCHIP_PHY MINIX_FS MINIX_SUBPARTITION MISC_RTSX MISC_RTSX_USB MISDN MISDN_DSP MISDN_HFCUSB MISDN_L1OIP MKISS MLX4_CORE MLX4_INFINIBAND MMC MMC_REALTEK_USB MMC_USHC MMC_VUB300 MMU_NOTIFIER MODULE_SRCVERSION_ALL MODVERSIONS MOST MOUSE_APPLETOUCH MOUSE_BCM5974 MOUSE_PS2 MOUSE_PS2_ALPS MOUSE_PS2_BYD MOUSE_PS2_CYPRESS MOUSE_PS2_FOCALTECH MOUSE_PS2_LIFEBOOK MOUSE_PS2_LOGIPS2PP MOUSE_PS2_SMBUS MOUSE_PS2_SYNAPTICS MOUSE_PS2_SYNAPTICS_SMBUS MOUSE_PS2_TRACKPOINT MOUSE_SYNAPTICS_USB MPLS MPLS_IPTUNNEL MPLS_ROUTING MPTCP MPTCP_IPV6 MRP MTD MTD_BLKDEVS MTD_BLOCK MTD_BLOCK2MTD MTD_CFI_I1 MTD_CFI_I2 MTD_MAP_BANK_WIDTH_1 MTD_MAP_BANK_WIDTH_2 MTD_MAP_BANK_WIDTH_4 MTD_MTDRAM MTD_PHRAM MTD_SLRAM MUSB_PIO_ONLY ND_BTT ND_CLAIM ND_PFN NETDEVSIM NETFILTER_ADVANCED NETFILTER_BPF_LINK NETFILTER_FAMILY_ARP NETFILTER_FAMILY_BRIDGE NETFILTER_NETLINK_ACCT NETFILTER_NETLINK_GLUE_CT NETFILTER_NETLINK_OSF NETFILTER_NETLINK_QUEUE NETFILTER_SYNPROXY NETFILTER_XTABLES_COMPAT NETFILTER_XT_CONNMARK NETFILTER_XT_MATCH_BPF NETFILTER_XT_MATCH_CGROUP NETFILTER_XT_MATCH_CLUSTER NETFILTER_XT_MATCH_COMMENT NETFILTER_XT_MATCH_CONNBYTES NETFILTER_XT_MATCH_CONNLABEL NETFILTER_XT_MATCH_CONNLIMIT NETFILTER_XT_MATCH_CONNMARK NETFILTER_XT_MATCH_CPU NETFILTER_XT_MATCH_DCCP NETFILTER_XT_MATCH_DEVGROUP NETFILTER_XT_MATCH_DSCP NETFILTER_XT_MATCH_ECN NETFILTER_XT_MATCH_ESP NETFILTER_XT_MATCH_HASHLIMIT NETFILTER_XT_MATCH_HELPER NETFILTER_XT_MATCH_HL NETFILTER_XT_MATCH_IPCOMP NETFILTER_XT_MATCH_IPRANGE NETFILTER_XT_MATCH_IPVS NETFILTER_XT_MATCH_L2TP NETFILTER_XT_MATCH_LENGTH NETFILTER_XT_MATCH_LIMIT NETFILTER_XT_MATCH_MAC NETFILTER_XT_MATCH_MARK NETFILTER_XT_MATCH_MULTIPORT NETFILTER_XT_MATCH_NFACCT NETFILTER_XT_MATCH_OSF NETFILTER_XT_MATCH_OWNER NETFILTER_XT_MATCH_PHYSDEV NETFILTER_XT_MATCH_PKTTYPE NETFILTER_XT_MATCH_QUOTA NETFILTER_XT_MATCH_RATEEST NETFILTER_XT_MATCH_REALM NETFILTER_XT_MATCH_RECENT NETFILTER_XT_MATCH_SCTP NETFILTER_XT_MATCH_SOCKET NETFILTER_XT_MATCH_STATISTIC NETFILTER_XT_MATCH_STRING NETFILTER_XT_MATCH_TCPMSS NETFILTER_XT_MATCH_TIME NETFILTER_XT_MATCH_U32 NETFILTER_XT_SET NETFILTER_XT_TARGET_AUDIT NETFILTER_XT_TARGET_CHECKSUM NETFILTER_XT_TARGET_CLASSIFY NETFILTER_XT_TARGET_CONNMARK NETFILTER_XT_TARGET_CT NETFILTER_XT_TARGET_DSCP NETFILTER_XT_TARGET_HL NETFILTER_XT_TARGET_HMARK NETFILTER_XT_TARGET_IDLETIMER NETFILTER_XT_TARGET_LED NETFILTER_XT_TARGET_MARK NETFILTER_XT_TARGET_NETMAP NETFILTER_XT_TARGET_NFQUEUE NETFILTER_XT_TARGET_NOTRACK NETFILTER_XT_TARGET_RATEEST NETFILTER_XT_TARGET_REDIRECT NETFILTER_XT_TARGET_TCPOPTSTRIP NETFILTER_XT_TARGET_TEE NETFILTER_XT_TARGET_TPROXY NETFILTER_XT_TARGET_TRACE NETLABEL NETLINK_DIAG NETROM NET_9P_RDMA NET_ACT_BPF NET_ACT_CONNMARK NET_ACT_CSUM NET_ACT_CT NET_ACT_CTINFO NET_ACT_GATE NET_ACT_IFE NET_ACT_IPT NET_ACT_MPLS NET_ACT_NAT NET_ACT_PEDIT NET_ACT_POLICE NET_ACT_SAMPLE NET_ACT_SIMP NET_ACT_SKBEDIT NET_ACT_SKBMOD NET_ACT_TUNNEL_KEY NET_ACT_VLAN NET_CLS_BASIC NET_CLS_BPF NET_CLS_FLOW NET_CLS_FLOWER NET_CLS_FW NET_CLS_MATCHALL NET_CLS_ROUTE4 NET_DEVLINK NET_DROP_MONITOR NET_DSA NET_DSA_TAG_BRCM NET_DSA_TAG_BRCM_COMMON NET_DSA_TAG_BRCM_PREPEND NET_DSA_TAG_MTK NET_DSA_TAG_QCA NET_DSA_TAG_RTL4_A NET_EMATCH_CANID NET_EMATCH_CMP NET_EMATCH_IPSET NET_EMATCH_IPT NET_EMATCH_META NET_EMATCH_NBYTE NET_EMATCH_TEXT NET_EMATCH_U32 NET_FC NET_FOU NET_FOU_IP_TUNNELS NET_IFE NET_IFE_SKBMARK NET_IFE_SKBPRIO NET_IFE_SKBTCINDEX NET_IPGRE NET_IPGRE_BROADCAST NET_IPGRE_DEMUX NET_IPIP NET_IPVTI NET_KEY NET_KEY_MIGRATE NET_L3_MASTER_DEV NET_MPLS_GSO NET_NCSI NET_NSH NET_REDIRECT NET_SCH_CAKE NET_SCH_CBS NET_SCH_CHOKE NET_SCH_CODEL NET_SCH_DRR NET_SCH_ETF NET_SCH_ETS NET_SCH_FQ NET_SCH_FQ_CODEL NET_SCH_FQ_PIE NET_SCH_GRED NET_SCH_HFSC NET_SCH_HHF NET_SCH_HTB NET_SCH_INGRESS NET_SCH_MQPRIO NET_SCH_MQPRIO_LIB NET_SCH_MULTIQ NET_SCH_NETEM NET_SCH_PIE NET_SCH_PLUG NET_SCH_PRIO NET_SCH_QFQ NET_SCH_RED NET_SCH_SFB NET_SCH_SFQ NET_SCH_SKBPRIO NET_SCH_TAPRIO NET_SCH_TBF NET_SCH_TEQL NET_SOCK_MSG NET_SWITCHDEV NET_TC_SKB_EXT NET_TEAM NET_TEAM_MODE_ACTIVEBACKUP NET_TEAM_MODE_BROADCAST NET_TEAM_MODE_LOADBALANCE NET_TEAM_MODE_RANDOM NET_TEAM_MODE_ROUNDROBIN NET_UDP_TUNNEL NET_VRF NFC NFC_DIGITAL NFC_FDP NFC_HCI NFC_MRVL NFC_MRVL_USB NFC_NCI NFC_NCI_UART NFC_PN533 NFC_PN533_USB NFC_PORT100 NFC_SHDLC NFC_SIM NFC_VIRTUAL_NCI NFSD NFSD_BLOCKLAYOUT NFSD_FLEXFILELAYOUT NFSD_PNFS NFSD_SCSILAYOUT NFSD_V3_ACL NFSD_V4 NFSD_V4_2_INTER_SSC NFSD_V4_SECURITY_LABEL NFS_FSCACHE NFS_V4_1 NFS_V4_2 NFS_V4_2_READ_PLUS NFS_V4_2_SSC_HELPER NFS_V4_SECURITY_LABEL NFT_BRIDGE_META NFT_BRIDGE_REJECT NFT_COMPAT NFT_CONNLIMIT NFT_CT NFT_DUP_IPV4 NFT_DUP_IPV6 NFT_DUP_NETDEV NFT_FIB NFT_FIB_INET NFT_FIB_IPV4 NFT_FIB_IPV6 NFT_FIB_NETDEV NFT_FLOW_OFFLOAD NFT_HASH NFT_LIMIT NFT_LOG NFT_MASQ NFT_NAT NFT_NUMGEN NFT_OSF NFT_QUEUE NFT_QUOTA NFT_REDIR NFT_REJECT NFT_REJECT_INET NFT_REJECT_IPV4 NFT_REJECT_IPV6 NFT_REJECT_NETDEV NFT_SOCKET NFT_SYNPROXY NFT_TPROXY NFT_TUNNEL NFT_XFRM NF_CONNTRACK_AMANDA NF_CONNTRACK_BRIDGE NF_CONNTRACK_BROADCAST NF_CONNTRACK_EVENTS NF_CONNTRACK_H323 NF_CONNTRACK_LABELS NF_CONNTRACK_MARK NF_CONNTRACK_NETBIOS_NS NF_CONNTRACK_OVS NF_CONNTRACK_PPTP NF_CONNTRACK_SANE NF_CONNTRACK_TFTP NF_CONNTRACK_TIMEOUT NF_CONNTRACK_TIMESTAMP NF_CONNTRACK_ZONES NF_CT_NETLINK_HELPER NF_CT_NETLINK_TIMEOUT NF_CT_PROTO_DCCP NF_CT_PROTO_GRE NF_CT_PROTO_SCTP NF_CT_PROTO_UDPLITE NF_DUP_IPV4 NF_DUP_IPV6 NF_DUP_NETDEV NF_FLOW_TABLE NF_FLOW_TABLE_INET NF_NAT_AMANDA NF_NAT_H323 NF_NAT_OVS NF_TABLES NF_TABLES_BRIDGE NF_TABLES_INET NF_TABLES_IPV4 NF_TABLES_IPV6 NF_TABLES_NETDEV PARTITION_ADVANCED PSAMPLE RC_CORE RC_DEVICES RFKILL SPI USB_GADGET USB_MUSB_HDRC VIDEO_DEV WAN WATCH_QUEUE WIRELESS WLAN WWAN X25 X86_X32_ABI] disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK BUG], they are not needed picked [v6.7 v6.6 v6.5 v6.3 v6.1 v5.19 v5.17 v5.15 v5.12 v5.9 v5.6 v5.3 v5.0 v4.19] out of 30 release tags testing release v6.7 testing commit 0dd3ee31125508cd67f7e7172247f05b7fd1753a gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 45e807f64fc18acf5488d7f2400e1ff8e301b190978a72b29382630e5ad6eefc all runs: crashed: UBSAN: shift-out-of-bounds in taprio_change representative crash: UBSAN: shift-out-of-bounds in taprio_change, types: [UBSAN] testing release v6.6 testing commit ffc253263a1375a65fa6c9f62a893e9767fbebfa gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 8e46b829f8d2224206671095e58bb861fc0f8bf49e3faa2ce997a69de5885978 all runs: crashed: UBSAN: shift-out-of-bounds in taprio_change representative crash: UBSAN: shift-out-of-bounds in taprio_change, types: [UBSAN] testing release v6.5 testing commit 2dde18cd1d8fac735875f2e4987f11817cc0bc2c gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 60160ba7b21b5ea04b225353f756e809462b74faa6a3a7287230679263c9a915 all runs: crashed: UBSAN: shift-out-of-bounds in taprio_change representative crash: UBSAN: shift-out-of-bounds in taprio_change, types: [UBSAN] testing release v6.3 testing commit 457391b0380335d5e9a5babdec90ac53928b23b4 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 4f5b1dfe7da93b8e18c14df7c8a2e658bf5a4279b92131647a9476374f259ef0 all runs: crashed: UBSAN: shift-out-of-bounds in taprio_change representative crash: UBSAN: shift-out-of-bounds in taprio_change, types: [UBSAN] testing release v6.1 testing commit 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 8fdfb3b50ae213e6aa3c9c30b1fe97496399093b512fbd77036bbf8c5ad1c8e5 all runs: crashed: UBSAN: shift-out-of-bounds in taprio_change representative crash: UBSAN: shift-out-of-bounds in taprio_change, types: [UBSAN] testing release v5.19 testing commit 3d7cb6b04c3f3115719235cc6866b10326de34cd gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: de11eb417dca7dc2de2e2a42589018764c80f663d409457fea80562bb9350723 all runs: OK false negative chance: 0.000 # git bisect start 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 3d7cb6b04c3f3115719235cc6866b10326de34cd Bisecting: 15849 revisions left to test after this (roughly 14 steps) [26f6a2aefd3167a06ac0e9de1fb09b8900878eea] Merge patch series "can: gs_usb: hardware timestamp support" testing commit 26f6a2aefd3167a06ac0e9de1fb09b8900878eea gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 5463b34563dd30d8a952006c36361660c00ef467598f1b4b320255354166f078 all runs: OK false negative chance: 0.000 # git bisect good 26f6a2aefd3167a06ac0e9de1fb09b8900878eea Bisecting: 7888 revisions left to test after this (roughly 13 steps) [e08466a7c00733a501d3c5328d29ec974478d717] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma testing commit e08466a7c00733a501d3c5328d29ec974478d717 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 45b480ab9e02c9e24efd1a46280b301d7b62adfd8e8320cc03ff76c67e4cac1e all runs: crashed: UBSAN: shift-out-of-bounds in taprio_change representative crash: UBSAN: shift-out-of-bounds in taprio_change, types: [UBSAN] # git bisect bad e08466a7c00733a501d3c5328d29ec974478d717 Bisecting: 3980 revisions left to test after this (roughly 12 steps) [a47e60729d9624e931f988709ab76e043e2ee8b9] Merge tag 'backlight-next-6.1' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/backlight testing commit a47e60729d9624e931f988709ab76e043e2ee8b9 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 67cad58e36ff6a235dcacf46384be66458899645ea0bcd10368718a1c03b6f5e all runs: crashed: UBSAN: shift-out-of-bounds in taprio_change representative crash: UBSAN: shift-out-of-bounds in taprio_change, types: [UBSAN] # git bisect bad a47e60729d9624e931f988709ab76e043e2ee8b9 Bisecting: 1990 revisions left to test after this (roughly 11 steps) [c645c11a2dba116bad3ee43e08e330db8f03ede6] Merge tag 'audit-pr-20221003' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit testing commit c645c11a2dba116bad3ee43e08e330db8f03ede6 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: d88fbc233bb250fdf6ed77d519ee08126e73a95c38e9428fad5f9f4de39ff903 all runs: OK false negative chance: 0.000 # git bisect good c645c11a2dba116bad3ee43e08e330db8f03ede6 Bisecting: 898 revisions left to test after this (roughly 10 steps) [915b96c52763e2988e6368b538b487a7138b8fa4] Merge tag 'wireless-next-2022-09-30' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next testing commit 915b96c52763e2988e6368b538b487a7138b8fa4 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 64a29546f45c9517874389f47170c19c11873e2f940c58480eccc3d721bb8280 all runs: crashed: UBSAN: shift-out-of-bounds in taprio_change representative crash: UBSAN: shift-out-of-bounds in taprio_change, types: [UBSAN] # git bisect bad 915b96c52763e2988e6368b538b487a7138b8fa4 Bisecting: 545 revisions left to test after this (roughly 9 steps) [b25a575c9cd08a08fbe8a9569abd81d362cbfb85] net: dsa: mv88e6xxx: remove unnecessary dev_set_drvdata() testing commit b25a575c9cd08a08fbe8a9569abd81d362cbfb85 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 6c599c78b174c0f9b0e5269eac4d36d9e682b429d1fd127830b50edae55e758c all runs: OK false negative chance: 0.000 # git bisect good b25a575c9cd08a08fbe8a9569abd81d362cbfb85 Bisecting: 272 revisions left to test after this (roughly 8 steps) [308ce1426509c18b4203dcaa38b9da858312a765] tsnep: Add EtherType RX flow classification support testing commit 308ce1426509c18b4203dcaa38b9da858312a765 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 248c8d363be6f36334fcadbee71834fd870c64c8998c244b6e6a537d51bfb088 all runs: crashed: UBSAN: shift-out-of-bounds in taprio_change representative crash: UBSAN: shift-out-of-bounds in taprio_change, types: [UBSAN] # git bisect bad 308ce1426509c18b4203dcaa38b9da858312a765 Bisecting: 136 revisions left to test after this (roughly 7 steps) [62e56ef57c04c0cacb33433d7984a4d71b690b3f] net: tls: Add ARIA-GCM algorithm testing commit 62e56ef57c04c0cacb33433d7984a4d71b690b3f gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 9d89b1ffff60a91886647c922a0d7f930aecabda6d1f4be0fd98dc40172c4dc0 all runs: OK false negative chance: 0.000 # git bisect good 62e56ef57c04c0cacb33433d7984a4d71b690b3f Bisecting: 68 revisions left to test after this (roughly 6 steps) [044d447a801f2d0c03e153ef41835aebf66ca2d6] net: dsa: felix: use DEFINE_RES_MEM_NAMED for resources testing commit 044d447a801f2d0c03e153ef41835aebf66ca2d6 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: c5d0da914308b95f5cf1eaa34cef99a5397b1ba5603306a7bdd8ef668ca8120f all runs: OK false negative chance: 0.000 # git bisect good 044d447a801f2d0c03e153ef41835aebf66ca2d6 Bisecting: 34 revisions left to test after this (roughly 5 steps) [258e655c00734d2e4b5fd8ee2827f76cd0fe39c4] net/mlx5e: Make dma_info array dynamic in struct mlx5e_mpw_info testing commit 258e655c00734d2e4b5fd8ee2827f76cd0fe39c4 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 03755b02a9c53b9717763bf65f2620472886665d136400c84a0245af11865f8a all runs: OK false negative chance: 0.000 # git bisect good 258e655c00734d2e4b5fd8ee2827f76cd0fe39c4 Bisecting: 17 revisions left to test after this (roughly 4 steps) [aac4daa8941ea6566563ac001e9e5d4e54a674e2] net/sched: query offload capabilities through ndo_setup_tc() testing commit aac4daa8941ea6566563ac001e9e5d4e54a674e2 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 0e426896b79330b3b9b60724079f9d50e23b9833153783a4f664e651339842fd all runs: OK false negative chance: 0.000 # git bisect good aac4daa8941ea6566563ac001e9e5d4e54a674e2 Bisecting: 8 revisions left to test after this (roughly 3 steps) [b5155ddd22bc2427465a97c494bbe6289152e80a] net: phy: Convert to use sysfs_emit() APIs testing commit b5155ddd22bc2427465a97c494bbe6289152e80a gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: eebfb06f21daf09f3daac2835a8f345240531cc75b0d4c0c804d4d1064f07ab0 all runs: crashed: UBSAN: shift-out-of-bounds in taprio_change representative crash: UBSAN: shift-out-of-bounds in taprio_change, types: [UBSAN] # git bisect bad b5155ddd22bc2427465a97c494bbe6289152e80a Bisecting: 4 revisions left to test after this (roughly 2 steps) [a745c697830b74e4787b0c849f763941928aa06d] net: dsa: hellcreek: Offload per-tc max SDU from tc-taprio testing commit a745c697830b74e4787b0c849f763941928aa06d gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: dd2f0d1ab56791569672fbd1edb5a324aef57f0d8f71bd1d57472e61c8619d83 all runs: crashed: UBSAN: shift-out-of-bounds in taprio_change representative crash: UBSAN: shift-out-of-bounds in taprio_change, types: [UBSAN] # git bisect bad a745c697830b74e4787b0c849f763941928aa06d Bisecting: 1 revision left to test after this (roughly 1 step) [1712be05a8a7713d2f564d01cf0bbf25d4310cb2] net: dsa: felix: offload per-tc max SDU from tc-taprio testing commit 1712be05a8a7713d2f564d01cf0bbf25d4310cb2 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: d89d7a757d40ec57f2b7f978dac50f71baf39189c18ff3982be4a2ceb794502b all runs: crashed: UBSAN: shift-out-of-bounds in taprio_change representative crash: UBSAN: shift-out-of-bounds in taprio_change, types: [UBSAN] # git bisect bad 1712be05a8a7713d2f564d01cf0bbf25d4310cb2 Bisecting: 0 revisions left to test after this (roughly 0 steps) [a54fc09e4cba3004443aa05979f8c678196c8226] net/sched: taprio: allow user input of per-tc max SDU testing commit a54fc09e4cba3004443aa05979f8c678196c8226 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 39a9fcd6099365639a9175b3f890136bd03fcd377458abd943d24914746a17a8 all runs: crashed: UBSAN: shift-out-of-bounds in taprio_change representative crash: UBSAN: shift-out-of-bounds in taprio_change, types: [UBSAN] # git bisect bad a54fc09e4cba3004443aa05979f8c678196c8226 a54fc09e4cba3004443aa05979f8c678196c8226 is the first bad commit commit a54fc09e4cba3004443aa05979f8c678196c8226 Author: Vladimir Oltean Date: Wed Sep 28 12:51:58 2022 +0300 net/sched: taprio: allow user input of per-tc max SDU IEEE 802.1Q clause 12.29.1.1 "The queueMaxSDUTable structure and data types" and 8.6.8.4 "Enhancements for scheduled traffic" talk about the existence of a per traffic class limitation of maximum frame sizes, with a fallback on the port-based MTU. As far as I am able to understand, the 802.1Q Service Data Unit (SDU) represents the MAC Service Data Unit (MSDU, i.e. L2 payload), excluding any number of prepended VLAN headers which may be otherwise present in the MSDU. Therefore, the queueMaxSDU is directly comparable to the device MTU (1500 means L2 payload sizes are accepted, or frame sizes of 1518 octets, or 1522 plus one VLAN header). Drivers which offload this are directly responsible of translating into other units of measurement. To keep the fast path checks optimized, we keep 2 arrays in the qdisc, one for max_sdu translated into frame length (so that it's comparable to skb->len), and another for offloading and for dumping back to the user. Signed-off-by: Vladimir Oltean Signed-off-by: Jakub Kicinski include/net/pkt_sched.h | 5 ++ include/uapi/linux/pkt_sched.h | 11 +++ net/sched/sch_taprio.c | 152 ++++++++++++++++++++++++++++++++++++++++- 3 files changed, 167 insertions(+), 1 deletion(-) accumulated error probability: 0.00 culprit signature: 39a9fcd6099365639a9175b3f890136bd03fcd377458abd943d24914746a17a8 parent signature: 0e426896b79330b3b9b60724079f9d50e23b9833153783a4f664e651339842fd revisions tested: 28, total time: 5h21m4.837667944s (build: 2h45m57.623149424s, test: 2h20m24.469805102s) first bad commit: a54fc09e4cba3004443aa05979f8c678196c8226 net/sched: taprio: allow user input of per-tc max SDU recipients (to): ["davem@davemloft.net" "edumazet@google.com" "jhs@mojatatu.com" "jiri@resnulli.us" "kuba@kernel.org" "kuba@kernel.org" "netdev@vger.kernel.org" "pabeni@redhat.com" "vinicius.gomes@intel.com" "vladimir.oltean@nxp.com" "xiyou.wangcong@gmail.com"] recipients (cc): ["linux-kernel@vger.kernel.org"] crash: UBSAN: shift-out-of-bounds in taprio_change ================================================================================ UBSAN: shift-out-of-bounds in net/sched/sch_taprio.c:1430:18 shift exponent -2147418108 is negative CPU: 0 PID: 2822 Comm: syz-executor.0 Not tainted 6.0.0-rc7-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xf4/0x17e lib/dump_stack.c:106 ubsan_epilogue lib/ubsan.c:151 [inline] __ubsan_handle_shift_out_of_bounds+0x358/0x3a0 lib/ubsan.c:322 taprio_parse_tc_entry net/sched/sch_taprio.c:1430 [inline] taprio_parse_tc_entries net/sched/sch_taprio.c:1469 [inline] taprio_change+0x556/0x2230 net/sched/sch_taprio.c:1564 qdisc_create+0x42f/0x820 net/sched/sch_api.c:1271 tc_modify_qdisc+0x540/0xcc0 rtnetlink_rcv_msg+0x681/0x750 net/core/rtnetlink.c:6091 netlink_rcv_skb+0x112/0x1e0 net/netlink/af_netlink.c:2540 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] netlink_unicast+0x473/0x540 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x583/0x670 net/netlink/af_netlink.c:1921 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg net/socket.c:734 [inline] ____sys_sendmsg+0x405/0x420 net/socket.c:2482 ___sys_sendmsg+0x2f0/0x330 net/socket.c:2536 __sys_sendmsg net/socket.c:2565 [inline] __do_sys_sendmsg net/socket.c:2574 [inline] __se_sys_sendmsg+0x142/0x1c0 net/socket.c:2572 do_syscall_64+0x46/0xc0 entry_SYSCALL_64_after_hwframe+0x64/0xce RIP: 0033:0x7fa4e0419da9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fa4dff9b0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007fa4e0547f80 RCX: 00007fa4e0419da9 RDX: 0000000000000000 RSI: 00000000200007c0 RDI: 0000000000000004 RBP: 00007fa4e046647a R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000006 R14: 00007fa4e0547f80 R15: 00007ffd912fc468 ================================================================================