From: Niklas Cassel <cassel@kernel.org>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: Damien Le Moal <dlemoal@kernel.org>,
	syzbot <syzbot+1f77b8ca15336fff21ff@syzkaller.appspotmail.com>,
	linux-ide@vger.kernel.org, linux-kernel@vger.kernel.org,
	syzkaller-bugs@googlegroups.com,
	syzkaller <syzkaller@googlegroups.com>
Subject: Re: [syzbot] [ide?] UBSAN: shift-out-of-bounds in ata_qc_issue
Date: Fri, 20 Feb 2026 10:27:43 +0100	[thread overview]
Message-ID: <aZgo7wa9_eOv7No6@ryzen> (raw)
In-Reply-To: <CACT4Y+bASk262w_axUwpYdS=sNgnaXfhDEJ0S3JFCBVdwJidOA@mail.gmail.com>

Hello Dmitry,

On Fri, Feb 20, 2026 at 10:17:05AM +0100, Dmitry Vyukov wrote:
> Some info I can infer from these 4 crashes.
> 
> There is some kind of race, or very rare timing is likely to be
> involved. Only 4 crashes is not much. Usually the fuzzer triggers them
> more often.
> 
> The crash happens in kworker, this makes it impossible to infer when
> test programs may be involved.
> 
> In all 4 cases there is a preceding USB disconnect message:
> [  644.391966][ T5992] usb 11-1: USB disconnect, device number 24
> It may be related. These devices can be connected via USB, right?
> 
> Unfortunately, I cannot infer much more.
> These USB device numbers may theoretically allow one to infer the test
> program, but I think it's currently not possible.
> 
> It may be possible to replay these logs for longer to see if they
> trigger the crash.

It seems that my suspicion that the bug occurs after a block layer timeout
was correct.

Damien managed to reproduce the bug and has sent a fix:
https://lore.kernel.org/linux-ide/20260220050053.390135-1-dlemoal@kernel.org/T/#t

Many thanks to syzbot for finding this bug that we failed to find
during review.


Kind regards,
Niklas
