ci2 starts bisection 2023-12-22 06:33:06.835077042 +0000 UTC m=+83552.983574108
bisecting cause commit starting from 30bca9e2785b3c7cce113308b16b40132293ca34
building syzkaller on 4f9530a3b62297342999c9097c77dde726522618
ensuring issue is reproducible on original commit 30bca9e2785b3c7cce113308b16b40132293ca34
testing commit 30bca9e2785b3c7cce113308b16b40132293ca34 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: db5ec12875ce94ab9e59584da0e339d9ca14277ba047a18c07f41801707ef83e
all runs: crashed: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh
representative crash: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh, types: [UBSAN]
check whether we can drop unnecessary instrumentation
disabling configs for [ATOMIC_SLEEP HANG LEAK BUG KASAN LOCKDEP], they are not needed
testing commit 30bca9e2785b3c7cce113308b16b40132293ca34 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4a9bad7360cc4f4b1277d82d1fa4f8b642f9c3c4642ec870335129974e31ca47
all runs: crashed: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh
representative crash: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh, types: [UBSAN]
the bug reproduces without the instrumentation
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK BUG], they are not needed
kconfig minimization: base=5179 full=6490 leaves diff=254
split chunks (needed=false): <254>
split chunk #0 of len 254 into 5 parts
testing without sub-chunk 1/5
disabling configs for [HANG LEAK BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 30bca9e2785b3c7cce113308b16b40132293ca34 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d420868bc0c80774e31e2275a293629586a4cf8f0583b69797c04c7c400e3c05
all runs: crashed: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh
representative crash: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh, types: [UBSAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK BUG KASAN], they are not needed
testing commit 30bca9e2785b3c7cce113308b16b40132293ca34 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 41d11211c655ca8a6708f4d718832ed1dc96f94f62c5a0adf293383bf4c6c4d3
all runs: crashed: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh
representative crash: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh, types: [UBSAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [ATOMIC_SLEEP HANG LEAK BUG KASAN LOCKDEP], they are not needed
testing commit 30bca9e2785b3c7cce113308b16b40132293ca34 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3ed8a0456d726490b85b2c9f1cec834e2d47c93b4c8b1e39748815f488c5ffbc
all runs: crashed: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh
representative crash: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh, types: [UBSAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK BUG], they are not needed
testing commit 30bca9e2785b3c7cce113308b16b40132293ca34 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2ca543dc53ad76ba327c58e03fdcb5e17aa953df7b68ce861af80ae8347309b8
all runs: crashed: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh
representative crash: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh, types: [UBSAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit 30bca9e2785b3c7cce113308b16b40132293ca34 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
failed building 30bca9e2785b3c7cce113308b16b40132293ca34: net/socket.c:1242: undefined reference to `wext_handle_ioctl'
net/socket.c:3437: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:329: undefined reference to `wext_proc_init'
net/core/net-procfs.c:345: undefined reference to `wext_proc_exit'
minimized to 50 configs; suspects: [HID_ZEROPLUS USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM V4L2_ASYNC V4L2_FWNODE VIDEO_CAMERA_SENSOR WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_PURELIFI WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_SILABS WLAN_VENDOR_ZYDAS X86_X32_ABI ZEROPLUS_FF]
disabling configs for [LEAK BUG KASAN LOCKDEP ATOMIC_SLEEP HANG], they are not needed
picked [v6.1.57 v6.1.56 v6.1.29 v6.1 v6.0 v5.19 v5.17 v5.15 v5.13 v5.11 v5.9 v5.6 v5.3 v5.0 v4.19] out of 81 release tags
testing release v6.1.57
testing commit 082280fe94a09462c727fb6e7b0c982efb36dede gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c705fe881007fa28ce1f1c42f5c1604714394a24d9619c07c4015e9ac61bf572
all runs: crashed: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh
representative crash: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh, types: [UBSAN]
testing release v6.1.56
testing commit ecda77b46871007ab0e6c671fe9df5795dd8154a gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 754c05543f66a92d72ab87246ca78d8c1c6c99d2668dc7903bc730763261a20a
all runs: crashed: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh
representative crash: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh, types: [UBSAN]
testing release v6.1.29
testing commit fa74641fb6b93a19ccb50579886ecc98320230f9 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9e0a21ca0d80ac612dadd65bfd280d41bd9ee7f93101050c2af3174f0adbc995
all runs: OK
false negative chance: 0.000
# git bisect start ecda77b46871007ab0e6c671fe9df5795dd8154a fa74641fb6b93a19ccb50579886ecc98320230f9
Bisecting: 2159 revisions left to test after this (roughly 11 steps)
[ec3e856075c54a04df13c6c862dc0bff9722917a] netfilter: nf_tables: skip bound chain in netns release path
testing commit ec3e856075c54a04df13c6c862dc0bff9722917a gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8f661af069f46cff2bfd00118d469dcdc801c2699a63fae5df5bee6f49840d60
all runs: OK
false negative chance: 0.000
# git bisect good ec3e856075c54a04df13c6c862dc0bff9722917a
Bisecting: 1079 revisions left to test after this (roughly 10 steps)
[7da6250d29675335a4cd5f0fbacb23cb54420ea0] thermal/of: Fix potential uninitialized value access
testing commit 7da6250d29675335a4cd5f0fbacb23cb54420ea0 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: cac988d687b734432a7e0c87d3abc4de58b30d39814d61a6548c67cbf6bf7d6b
run #0: crashed: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh
run #1: crashed: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh
run #2: crashed: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh
run #3: crashed: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh
run #4: crashed: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh
run #5: crashed: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh
run #6: crashed: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh
run #7: crashed: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh
run #8: crashed: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh
run #9: infra problem: failed to delete instance: googleapi: Error 503: The service is currently unavailable., backendError
representative crash: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh, types: [UBSAN]
# git bisect bad 7da6250d29675335a4cd5f0fbacb23cb54420ea0
Bisecting: 539 revisions left to test after this (roughly 9 steps)
[59bad9190ac7adbeafa8b90eaa99eba0aa8ebc54] net: hns3: add wait until mac link down
testing commit 59bad9190ac7adbeafa8b90eaa99eba0aa8ebc54 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b57d460785980ad352120d08de8b6a072591c9677aeccdb2471410710f8ade69
all runs: crashed: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh
representative crash: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh, types: [UBSAN]
# git bisect bad 59bad9190ac7adbeafa8b90eaa99eba0aa8ebc54
Bisecting: 269 revisions left to test after this (roughly 8 steps)
[6a90583dbd9b794071b8b54d8c36f40a459d1051] mips/cpu: Switch to arch_cpu_finalize_init()
testing commit 6a90583dbd9b794071b8b54d8c36f40a459d1051 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: da17fba662b6d40556d503acae059d29cc4034da61c037c10826b181c7a082ff
all runs: crashed: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh
representative crash: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh, types: [UBSAN]
# git bisect bad 6a90583dbd9b794071b8b54d8c36f40a459d1051
Bisecting: 134 revisions left to test after this (roughly 7 steps)
[17e67a071b60c881c5826f6fbb262ef61873eb0e] octeontx2-af: Fix hash extraction enable configuration
testing commit 17e67a071b60c881c5826f6fbb262ef61873eb0e gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3776272b13afaf7f9bd7993678b644d27007d14132039c632489b6afe5eba580
all runs: crashed: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh
representative crash: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh, types: [UBSAN]
# git bisect bad 17e67a071b60c881c5826f6fbb262ef61873eb0e
Bisecting: 67 revisions left to test after this (roughly 6 steps)
[13b9c5f6059fbf7d3222849986b37e4c1e77a479] PCI/ASPM: Avoid link retraining race
testing commit 13b9c5f6059fbf7d3222849986b37e4c1e77a479 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2b80045679ad6c2575d2506068bb018e370c1eced3efbf5500c949a63c8ef599
all runs: crashed: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh
representative crash: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh, types: [UBSAN]
# git bisect bad 13b9c5f6059fbf7d3222849986b37e4c1e77a479
Bisecting: 33 revisions left to test after this (roughly 5 steps)
[00f68f5c1be12828a6f0b1e0f1017e1399b23a73] drm/dp_mst: Clear MSG_RDY flag before sending new message
testing commit 00f68f5c1be12828a6f0b1e0f1017e1399b23a73 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e356bd6bd3071c01885d8bd7b5d2dd01d2d44c592939385e90dbdacd8c7b7f55
all runs: crashed: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh
representative crash: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh, types: [UBSAN]
# git bisect bad 00f68f5c1be12828a6f0b1e0f1017e1399b23a73
Bisecting: 16 revisions left to test after this (roughly 4 steps)
[f311c7680014726ad16d779e3e2b5885033331d9] tcp: annotate data-races around fastopenq.max_qlen
testing commit f311c7680014726ad16d779e3e2b5885033331d9 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f42f110a5dbd313e5a63dcc61a64cfa8f91ac18515ea4c7ad96d3f6913c65737
all runs: OK
false negative chance: 0.000
# git bisect good f311c7680014726ad16d779e3e2b5885033331d9
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[dd33fbe4af2c7cd05c5f75798ca48a172302f5c6] scripts/kallsyms: update the usage in the comment block
testing commit dd33fbe4af2c7cd05c5f75798ca48a172302f5c6 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d89ed9fda245f4397fe6a87f258c0bc3a22da44cd9e04f5b63476a08bd1b980b
all runs: OK
false negative chance: 0.000
# git bisect good dd33fbe4af2c7cd05c5f75798ca48a172302f5c6
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[a7c1eb9cb86f764a022f7fa3e2b01a773cf73ca4] selftests/bpf: make test_align selftest more robust
testing commit a7c1eb9cb86f764a022f7fa3e2b01a773cf73ca4 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7dd7790dce4c8bad3745027717d76a1a87b9f9acb74f5c0c41731ca6c9545345
all runs: crashed: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh
representative crash: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh, types: [UBSAN]
# git bisect bad a7c1eb9cb86f764a022f7fa3e2b01a773cf73ca4
Bisecting: 1 revision left to test after this (roughly 1 step)
[8b57a37d0ee77013eaab53e3853825b2ee11d851] bpf: stop setting precise in current state
testing commit 8b57a37d0ee77013eaab53e3853825b2ee11d851 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b11e2661117957efdaa516f75f2c860f69a9943b120a78243552e7827a774ee4
all runs: crashed: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh
representative crash: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh, types: [UBSAN]
# git bisect bad 8b57a37d0ee77013eaab53e3853825b2ee11d851
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[56675ddcb011fbc2b68cd898a8d98bda742b3d55] bpf: allow precision tracking for programs with subprogs
testing commit 56675ddcb011fbc2b68cd898a8d98bda742b3d55 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ff9529d066f0427b2c4fdc691261933079778ac76836fecb20073ed15a338c33
all runs: OK
false negative chance: 0.000
# git bisect good 56675ddcb011fbc2b68cd898a8d98bda742b3d55
8b57a37d0ee77013eaab53e3853825b2ee11d851 is the first bad commit
commit 8b57a37d0ee77013eaab53e3853825b2ee11d851
Author: Andrii Nakryiko
Date:   Mon Jul 24 15:42:19 2023 +0300

    bpf: stop setting precise in current state

    [ Upstream commit f63181b6ae79fd3b034cde641db774268c2c3acf ]

    Setting reg->precise to true in current state is not necessary from
    correctness standpoint, but it does pessimise the whole precision (or
    rather "imprecision", because that's what we want to keep as much as
    possible) tracking. Why is somewhat subtle and my best attempt to explain
    this is recorded in an extensive comment for __mark_chain_precise()
    function. Some more careful thinking and code reading is probably required
    still to grok this completely, unfortunately. Whiteboarding and a bunch of
    extra handwaving in person would be even more helpful, but is deemed
    impractical in Git commit.

    Next patch pushes this imprecision property even further, building on top of
    the insights described in this patch.

    End results are pretty nice, we get reduction in number of total instructions
    and states verified due to a better states reuse, as some of the states are now
    more generic and permissive due to less unnecessary precise=true requirements.

    SELFTESTS RESULTS
    =================

    $ ./veristat -C -e file,prog,insns,states ~/subprog-precise-results.csv ~/imprecise-early-results.csv | grep -v '+0'
    File                                     Program                 Total insns (A)  Total insns (B)  Total insns (DIFF)  Total states (A)  Total states (B)  Total states (DIFF)
    ---------------------------------------  ----------------------  ---------------  ---------------  ------------------  ----------------  ----------------  -------------------
    bpf_iter_ksym.bpf.linked1.o              dump_ksym                           347              285       -62 (-17.87%)                20                19          -1 (-5.00%)
    pyperf600_bpf_loop.bpf.linked1.o         on_event                           3678             3736        +58 (+1.58%)               276               285          +9 (+3.26%)
    setget_sockopt.bpf.linked1.o             skops_sockopt                      4038             3947        -91 (-2.25%)               347               343          -4 (-1.15%)
    test_l4lb.bpf.linked1.o                  balancer_ingress                   4559             2611     -1948 (-42.73%)               118               105        -13 (-11.02%)
    test_l4lb_noinline.bpf.linked1.o         balancer_ingress                   6279             6268        -11 (-0.18%)               237               236          -1 (-0.42%)
    test_misc_tcp_hdr_options.bpf.linked1.o  misc_estab                         1307             1303         -4 (-0.31%)               100                99          -1 (-1.00%)
    test_sk_lookup.bpf.linked1.o             ctx_narrow_access                   456              447         -9 (-1.97%)                39                38          -1 (-2.56%)
    test_sysctl_loop1.bpf.linked1.o          sysctl_tcp_mem                     1389             1384         -5 (-0.36%)                26                25          -1 (-3.85%)
    test_tc_dtime.bpf.linked1.o              egress_fwdns_prio101                518              485        -33 (-6.37%)                51                46          -5 (-9.80%)
    test_tc_dtime.bpf.linked1.o              egress_host                         519              468        -51 (-9.83%)                50                44         -6 (-12.00%)
    test_tc_dtime.bpf.linked1.o              ingress_fwdns_prio101               842             1000      +158 (+18.76%)                73                88        +15 (+20.55%)
    xdp_synproxy_kern.bpf.linked1.o          syncookie_tc                     405757           373173     -32584 (-8.03%)             25735             22882      -2853 (-11.09%)
    xdp_synproxy_kern.bpf.linked1.o          syncookie_xdp                    479055           371590   -107465 (-22.43%)             29145             22207      -6938 (-23.81%)
    ---------------------------------------  ----------------------  ---------------  ---------------  ------------------  ----------------  ----------------  -------------------

    Slight regression in test_tc_dtime.bpf.linked1.o/ingress_fwdns_prio101 is left
    for a follow up, there might be some more precision-related bugs in existing
    BPF verifier logic.

    CILIUM RESULTS
    ==============

    $ ./veristat -C -e file,prog,insns,states ~/subprog-precise-results-cilium.csv ~/imprecise-early-results-cilium.csv | grep -v '+0'
    File           Program                         Total insns (A)  Total insns (B)  Total insns (DIFF)  Total states (A)  Total states (B)  Total states (DIFF)
    -------------  ------------------------------  ---------------  ---------------  ------------------  ----------------  ----------------  -------------------
    bpf_host.o     cil_from_host                               762              556      -206 (-27.03%)                43                37         -6 (-13.95%)
    bpf_host.o     tail_handle_nat_fwd_ipv4                  23541            23426       -115 (-0.49%)              1538              1537          -1 (-0.07%)
    bpf_host.o     tail_nodeport_nat_egress_ipv4             33592            33566        -26 (-0.08%)              2163              2161          -2 (-0.09%)
    bpf_lxc.o      tail_handle_nat_fwd_ipv4                  23541            23426       -115 (-0.49%)              1538              1537          -1 (-0.07%)
    bpf_overlay.o  tail_nodeport_nat_egress_ipv4             33581            33543        -38 (-0.11%)              2160              2157          -3 (-0.14%)
    bpf_xdp.o      tail_handle_nat_fwd_ipv4                  21659            20920       -739 (-3.41%)              1440              1376         -64 (-4.44%)
    bpf_xdp.o      tail_handle_nat_fwd_ipv6                  17084            17039        -45 (-0.26%)               907               905          -2 (-0.22%)
    bpf_xdp.o      tail_lb_ipv4                              73442            73430        -12 (-0.02%)              4370              4369          -1 (-0.02%)
    bpf_xdp.o      tail_lb_ipv6                             152114           151895       -219 (-0.14%)              6493              6479         -14 (-0.22%)
    bpf_xdp.o      tail_nodeport_nat_egress_ipv4             17377            17200       -177 (-1.02%)              1125              1111         -14 (-1.24%)
    bpf_xdp.o      tail_nodeport_nat_ingress_ipv6             6405             6397         -8 (-0.12%)               309               308          -1 (-0.32%)
    bpf_xdp.o      tail_rev_nodeport_lb4                      7126             6934       -192 (-2.69%)               414               402         -12 (-2.90%)
    bpf_xdp.o      tail_rev_nodeport_lb6                     18059            17905       -154 (-0.85%)              1105              1096          -9 (-0.81%)
    -------------  ------------------------------  ---------------  ---------------  ------------------  ----------------  ----------------  -------------------

    Signed-off-by: Andrii Nakryiko
    Link: https://lore.kernel.org/r/20221104163649.121784-5-andrii@kernel.org
    Signed-off-by: Alexei Starovoitov
    Signed-off-by: Eduard Zingerman
    Signed-off-by: Greg Kroah-Hartman

 kernel/bpf/verifier.c | 103 ++++++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 91 insertions(+), 12 deletions(-)

accumulated error probability: 0.00
culprit signature: b11e2661117957efdaa516f75f2c860f69a9943b120a78243552e7827a774ee4
parent signature: ff9529d066f0427b2c4fdc691261933079778ac76836fecb20073ed15a338c33
revisions tested: 21, total time: 2h47m30.479833066s (build: 1h0m19.452462293s, test: 1h39m43.36295857s)
first bad commit: 8b57a37d0ee77013eaab53e3853825b2ee11d851 bpf: stop setting precise in current state
recipients (to): ["andrii@kernel.org" "ast@kernel.org" "eddyz87@gmail.com" "gregkh@linuxfoundation.org"]
recipients (cc): []
crash: UBSAN: shift-out-of-bounds in scalar32_min_max_arsh
================================================================================
UBSAN: shift-out-of-bounds in kernel/bpf/verifier.c:9172:63
shift exponent 1073741824 is too large for 32-bit type 's32' (aka 'int')
CPU: 0 PID: 437 Comm: syz-executor.0 Not tainted 6.1.41-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x68/0x91 lib/dump_stack.c:106
 dump_stack+0x10/0x19 lib/dump_stack.c:113
 ubsan_epilogue lib/ubsan.c:151 [inline]
 __ubsan_handle_shift_out_of_bounds+0x261/0x290 lib/ubsan.c:321
 scalar32_min_max_arsh+0xfb/0x120 kernel/bpf/verifier.c:9172
 adjust_scalar_min_max_vals kernel/bpf/verifier.c:9360 [inline]
 adjust_reg_min_max_vals+0x1317/0x15d0 kernel/bpf/verifier.c:9461
 check_alu_op kernel/bpf/verifier.c:9632 [inline]
 do_check kernel/bpf/verifier.c:12478 [inline]
 do_check_common+0x1a89/0x2860 kernel/bpf/verifier.c:14892
 do_check_main kernel/bpf/verifier.c:14955 [inline]
 bpf_check+0x11e0/0x49d0 kernel/bpf/verifier.c:15529
 bpf_prog_load+0x5f7/0x6f0 kernel/bpf/syscall.c:2603
 __sys_bpf+0x24f/0x490 kernel/bpf/syscall.c:4968
 __do_sys_bpf kernel/bpf/syscall.c:5072 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5070 [inline]
 __x64_sys_bpf+0x17/0x20 kernel/bpf/syscall.c:5070
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f7a5c47cce9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f7a5d28f0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f7a5c59bf80 RCX: 00007f7a5c47cce9
RDX: 0000000000000048 RSI: 00000000200054c0 RDI: 0000000000000005
RBP: 00007f7a5c4c947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f7a5c59bf80 R15: 00007ffd01cbaae8
================================================================================
================================================================================
UBSAN: shift-out-of-bounds in kernel/bpf/verifier.c:9173:63
shift exponent 1073741824 is too large for 32-bit type 's32' (aka 'int')
CPU: 1 PID: 437 Comm: syz-executor.0 Not tainted 6.1.41-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x68/0x91 lib/dump_stack.c:106
 dump_stack+0x10/0x19 lib/dump_stack.c:113
 ubsan_epilogue lib/ubsan.c:151 [inline]
 __ubsan_handle_shift_out_of_bounds+0x261/0x290 lib/ubsan.c:321
 scalar32_min_max_arsh+0x11b/0x120 kernel/bpf/verifier.c:9173
 adjust_scalar_min_max_vals kernel/bpf/verifier.c:9360 [inline]
 adjust_reg_min_max_vals+0x1317/0x15d0 kernel/bpf/verifier.c:9461
 check_alu_op kernel/bpf/verifier.c:9632 [inline]
 do_check kernel/bpf/verifier.c:12478 [inline]
 do_check_common+0x1a89/0x2860 kernel/bpf/verifier.c:14892
 do_check_main kernel/bpf/verifier.c:14955 [inline]
 bpf_check+0x11e0/0x49d0 kernel/bpf/verifier.c:15529
 bpf_prog_load+0x5f7/0x6f0 kernel/bpf/syscall.c:2603
 __sys_bpf+0x24f/0x490 kernel/bpf/syscall.c:4968
 __do_sys_bpf kernel/bpf/syscall.c:5072 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5070 [inline]
 __x64_sys_bpf+0x17/0x20 kernel/bpf/syscall.c:5070
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f7a5c47cce9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f7a5d28f0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f7a5c59bf80 RCX: 00007f7a5c47cce9
RDX: 0000000000000048 RSI: 00000000200054c0 RDI: 0000000000000005
RBP: 00007f7a5c4c947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f7a5c59bf80 R15: 00007ffd01cbaae8
================================================================================