Re: [syzbot] [ide?] UBSAN: shift-out-of-bounds in ata_qc_issue
From: Niklas Cassel
Date: Wed Feb 18 2026 - 04:46:23 EST
On Tue, Feb 17, 2026 at 12:55:35PM -0800, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: ca4ee40bf13d Partly revert "drm/hyperv: Remove reference t..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13c6c722580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=a771bfd268751cd6
> dashboard link: https://syzkaller.appspot.com/bug?extid=1f77b8ca15336fff21ff
> compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> Downloadable assets:
> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-ca4ee40b.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/c714adf37ddd/vmlinux-ca4ee40b.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/4d56cd9f6175/bzImage-ca4ee40b.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+1f77b8ca15336fff21ff@xxxxxxxxxxxxxxxxxxxxxxxxx
>
> ------------[ cut here ]------------
> UBSAN: shift-out-of-bounds in drivers/ata/libata-core.c:5166:24
> shift exponent 4210818301 is too large for 64-bit type 'long long unsigned int'

4210818301 is 0xfafbfcfd
0xfafbfcfd is ATA_TAG_POISON.
ATA_TAG_POISON is set by ata_qc_free(), so it appears that
ata_scsi_deferred_qc_work() is trying to issue a QC that has
already been freed.

Kind regards,
Niklas
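The diagnosis above rests on a tag-poisoning pattern: freeing a queued command overwrites its tag with a sentinel, so a later use of the freed command shows up as an absurd shift exponent rather than silently corrupting the port's active mask. The following is an added, stand-alone C model of that pattern, not libata code and not code from the reporter or from Niklas: the poison value 0xfafbfcfd is the one the report prints, while the queue depth of 32, the struct layout and the function names (qc_new, qc_free, qc_issue, replay_free_then_issue) are assumptions made for the model. It replays the sequence described in the reply (issue, free, issue again) and shows the check that turns the use-after-free into an error instead of an out-of-bounds shift.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* The poison value is the one UBSAN printed as the shift exponent
 * (4210818301 == 0xfafbfcfd). The queue depth is an assumption of this
 * model, chosen so that a 64-bit active mask has room for every tag. */
#define TAG_POISON   0xfafbfcfdu
#define MAX_QUEUE    32u

struct qc {
    unsigned int tag;   /* queue slot, or TAG_POISON once the command is freed */
    bool in_use;
};

struct port {
    uint64_t qc_active;          /* one bit per outstanding tag */
    struct qc qcs[MAX_QUEUE];
};

/* Hand out the command for a given tag (model of a queue slot allocator). */
struct qc *qc_new(struct port *ap, unsigned int tag)
{
    if (tag >= MAX_QUEUE)
        return NULL;
    struct qc *qc = &ap->qcs[tag];
    qc->tag = tag;
    qc->in_use = true;
    return qc;
}

/* Free the command and poison its tag so that any later use is detectable. */
void qc_free(struct port *ap, struct qc *qc)
{
    if (qc->tag < MAX_QUEUE)
        ap->qc_active &= ~(1ULL << qc->tag);
    qc->in_use = false;
    qc->tag = TAG_POISON;
}

/* Issue the command. The shift on the last line is the kind of operation
 * UBSAN flagged: with a poisoned tag the exponent would be 0xfafbfcfd,
 * which is undefined for a 64-bit type. The guards reject the freed
 * command before that shift can happen. */
int qc_issue(struct port *ap, struct qc *qc)
{
    if (qc->tag == TAG_POISON)
        return -1;   /* command was already freed: refuse to issue it */
    if (qc->tag >= MAX_QUEUE)
        return -2;   /* corrupt tag */
    if (ap->qc_active & (1ULL << qc->tag))
        return -3;   /* tag is already outstanding */
    ap->qc_active |= 1ULL << qc->tag;
    return 0;
}

/* Active mask after a normal issue of one tag; 0 if the issue was refused. */
uint64_t active_mask_after_issue(unsigned int tag)
{
    struct port ap = {0};
    struct qc *qc = qc_new(&ap, tag);
    if (!qc || qc_issue(&ap, qc) != 0)
        return 0;
    return ap.qc_active;
}

/* Replay the sequence the report describes: issue, free, issue again
 * through a pointer that still refers to the freed command. */
int replay_free_then_issue(void)
{
    struct port ap = {0};
    struct qc *qc = qc_new(&ap, 5);
    if (!qc || qc_issue(&ap, qc) != 0)
        return -100;
    qc_free(&ap, qc);
    /* qc still points at the slot, but its tag is now TAG_POISON */
    return qc_issue(&ap, qc);
}

int main(void)
{
    printf("issue after free -> %d\n", replay_free_then_issue());
    printf("active mask after issuing tag 5 -> 0x%llx\n",
           (unsigned long long)active_mask_after_issue(5));
    return 0;
}
```

The point of the model is the ordering: the poison check comes before the shift, so a stale command is refused with a clear error. In a real driver the refusal would also want to be logged (and, under debugging builds, warned on), because a poisoned tag at issue time means a caller is holding a reference to a command that has already been returned to the pool, which is the use-after-free the reply points at.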