Re: [syzbot] [ide?] UBSAN: shift-out-of-bounds in ata_qc_issue
From: Damien Le Moal
Date: Wed Feb 18 2026 - 20:38:46 EST
On 2/18/26 6:45 PM, Niklas Cassel wrote:
> On Tue, Feb 17, 2026 at 12:55:35PM -0800, syzbot wrote:
>> Hello,
>>
>> syzbot found the following issue on:
>>
>> HEAD commit: ca4ee40bf13d Partly revert "drm/hyperv: Remove reference t..
>> git tree: upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=13c6c722580000
>> kernel config: https://syzkaller.appspot.com/x/.config?x=a771bfd268751cd6
>> dashboard link: https://syzkaller.appspot.com/bug?extid=1f77b8ca15336fff21ff
>> compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
>>
>> Unfortunately, I don't have any reproducer for this issue yet.
>>
>> Downloadable assets:
>> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-ca4ee40b.raw.xz
>> vmlinux: https://storage.googleapis.com/syzbot-assets/c714adf37ddd/vmlinux-ca4ee40b.xz
>> kernel image: https://storage.googleapis.com/syzbot-assets/4d56cd9f6175/bzImage-ca4ee40b.xz
>>
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: syzbot+1f77b8ca15336fff21ff@xxxxxxxxxxxxxxxxxxxxxxxxx
>>
>> ------------[ cut here ]------------
>> UBSAN: shift-out-of-bounds in drivers/ata/libata-core.c:5166:24
>> shift exponent 4210818301 is too large for 64-bit type 'long long unsigned int'
>
> 4210818301 is 0xfafbfcfd
>
> 0xfafbfcfd is ATA_TAG_POISON.
>
> ATA_TAG_POISON is set by ata_qc_free(), so it appears that
> ata_scsi_deferred_qc_work() is trying to issue a QC that has
> already been freed.

I checked the code but I fail to see any path that can lead to this happening.
I did more tests using a qemu q35 machine as used by syzbot, and everything looks
fine. So not sure what is happening here. I will dig further.
--
Damien Le Moal
Western Digital Research
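
Added example, not code from the thread or from libata: a small user-space C model of the tag lifecycle Niklas describes (free poisons the tag, issue shifts by the tag). The three constants match their values in include/linux/libata.h (ATA_MAX_QUEUE 32, ATA_TAG_INTERNAL == ATA_MAX_QUEUE, ATA_TAG_POISON 0xfafbfcfd); the port/qc structs, the helper names and the validity check in the model's qc_issue() are this example's own simplification, not the kernel's implementation nor a proposed fix, and the model does not reproduce the exact expression at libata-core.c:5166. It shows why a UBSAN exponent of 4210818301 identifies a freed qc and how checking the tag before the shift turns that into a detectable error instead of undefined behaviour.

```c
/*
 * Example model of libata tag poisoning (not kernel code).
 * Constants mirror include/linux/libata.h; everything else is a simplified
 * stand-in for the kernel's struct ata_port / struct ata_queued_cmd.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ATA_MAX_QUEUE    32U             /* tags 0..31 are command slots */
#define ATA_TAG_INTERNAL ATA_MAX_QUEUE   /* tag of libata's internal command */
#define ATA_TAG_POISON   0xfafbfcfdU     /* written into a freed qc's tag */

struct ata_qc_model {                    /* hypothetical stand-in for ata_queued_cmd */
	unsigned int tag;
	int issued;
};

struct ata_port_model {                  /* hypothetical stand-in for ata_port */
	uint64_t qc_active;                  /* one bit per in-flight tag */
	struct ata_qc_model qcmd[ATA_MAX_QUEUE + 1];
};

/* Same rule as the kernel's ata_tag_valid(): real slot or the internal tag. */
static bool ata_tag_valid(unsigned int tag)
{
	return tag < ATA_MAX_QUEUE || tag == ATA_TAG_INTERNAL;
}

/* Decode a UBSAN "shift exponent N is too large" value: is N the poison? */
static bool shift_exponent_is_tag_poison(unsigned long long exponent)
{
	return exponent == ATA_TAG_POISON;
}

static void port_init(struct ata_port_model *ap)
{
	memset(ap, 0, sizeof(*ap));
	for (unsigned int i = 0; i <= ATA_MAX_QUEUE; i++)
		ap->qcmd[i].tag = ATA_TAG_POISON;   /* nothing allocated yet */
}

/* Allocate the qc for a tag; NULL for a tag outside the valid range. */
static struct ata_qc_model *qc_new(struct ata_port_model *ap, unsigned int tag)
{
	if (!ata_tag_valid(tag))
		return NULL;
	ap->qcmd[tag].tag = tag;
	ap->qcmd[tag].issued = 0;
	return &ap->qcmd[tag];
}

/* Freeing clears the active bit and poisons the tag, as described above. */
static void qc_free(struct ata_port_model *ap, struct ata_qc_model *qc)
{
	unsigned int tag = qc->tag;

	if (ata_tag_valid(tag))
		ap->qc_active &= ~(1ULL << tag);
	qc->tag = ATA_TAG_POISON;
}

/*
 * Issue path. "1ULL << tag" is the kind of shift UBSAN flagged; with a
 * poisoned tag the exponent is 0xfafbfcfd and the shift is undefined.
 * Checking the tag first makes a use of a freed qc a reportable error.
 * Returns 0 on success, -1 if the qc was already freed (or never valid).
 */
static int qc_issue(struct ata_port_model *ap, struct ata_qc_model *qc)
{
	if (!ata_tag_valid(qc->tag))
		return -1;                       /* tag == ATA_TAG_POISON here */
	ap->qc_active |= 1ULL << qc->tag;
	qc->issued = 1;
	return 0;
}

int main(void)
{
	struct ata_port_model ap;
	struct ata_qc_model *qc;

	port_init(&ap);
	qc = qc_new(&ap, 5);
	printf("issue live qc : %d\n", qc_issue(&ap, qc));
	qc_free(&ap, qc);
	printf("issue freed qc: %d (tag 0x%x)\n", qc_issue(&ap, qc), qc->tag);
	printf("exponent 4210818301 is ATA_TAG_POISON: %d\n",
	       shift_exponent_is_tag_poison(4210818301ULL));
	return 0;
}
```

Run stand-alone it issues a live qc, frees it, and shows the second issue being refused with the tag reading 0xfafbfcfd; the decode helper is the one-line check you would apply to any future UBSAN shift report from this code.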