From: Niklas Cassel <cassel@kernel.org>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: Damien Le Moal <dlemoal@kernel.org>,
syzbot <syzbot+1f77b8ca15336fff21ff@syzkaller.appspotmail.com>,
linux-ide@vger.kernel.org, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com,
syzkaller <syzkaller@googlegroups.com>
Subject: Re: [syzbot] [ide?] UBSAN: shift-out-of-bounds in ata_qc_issue
Date: Fri, 20 Feb 2026 10:27:43 +0100
Message-ID: <aZgo7wa9_eOv7No6@ryzen>
In-Reply-To: <CACT4Y+bASk262w_axUwpYdS=sNgnaXfhDEJ0S3JFCBVdwJidOA@mail.gmail.com>

Hello Dmitry,

On Fri, Feb 20, 2026 at 10:17:05AM +0100, Dmitry Vyukov wrote:
> Some info I can infer from these 4 crashes.
>
> There is some kind of race, or very rare timing is likely to be
> involved. Only 4 crashes is not much. Usually the fuzzer triggers them
> more often.
>
> The crash happens in kworker, this makes it impossible to infer when
> test programs may be involved.
>
> In all 4 cases there is a preceding USB disconnect message:
> [ 644.391966][ T5992] usb 11-1: USB disconnect, device number 24
> It may be related. These devices can be connected via USB, right?
>
> Unfortunately, I cannot infer much more.
> These USB device numbers may theoretically allow to infer the test
> program, but I think it's currently not possible.
>
> It may be possible to replay these logs for longer to see if they
> trigger the crash.

It seems that my suspicion that the bug occurs after a block layer timeout
was correct.

Damien managed to reproduce the bug and has sent a fix:
https://lore.kernel.org/linux-ide/20260220050053.390135-1-dlemoal@kernel.org/T/#t

A lot of thanks to syzbot for finding this bug that we failed to find
during review.

Kind regards,
Niklas