Re: [syzbot] [ide?] UBSAN: shift-out-of-bounds in ata_qc_issue

Next message: Thomas Wei&#xDF;schuh: "Fwd: [PATCH v4 07/17] kbuild: generate module BTF based on vmlinux.unstripped"
Previous message: Konrad Dybcio: "Re: [PATCH v1] arm64: dts: qcom: qcm6490-idp: Fix WCD9370 reset GPIO polarity"
In reply to: Dmitry Vyukov: "Re: [syzbot] [ide?] UBSAN: shift-out-of-bounds in ata_qc_issue"
Next in thread: Niklas Cassel: "Re: [syzbot] [ide?] UBSAN: shift-out-of-bounds in ata_qc_issue"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Niklas Cassel

Date: Fri Feb 20 2026 - 04:29:05 EST

Hello Dmitry,

On Fri, Feb 20, 2026 at 10:17:05AM +0100, Dmitry Vyukov wrote:
> Some info I can infer from these 4 crashes.
>
> There is some kind of race, or very rare timing is likely to be
> involved. Only 4 crashes is not much. Usually the fuzzer triggers them
> more often.
>
> The crash happens in kworker, this makes it impossible to infer when
> test programs may be involved.
>
> In all 4 cases there is a preceding USB disconnect message:
> [ 644.391966][ T5992] usb 11-1: USB disconnect, device number 24
> It may be related. These devices can be connected via USB, right?
>
> Unfortunately, I cannot infer much more.
> These USB device numbers may theoretically allow to infer the test
> program, but I think it's currently not possible.
>
> It may be possible to reply these logs for longer to see if they
> trigger the crash.

It seems that my suspicion that the bug occurs after a block layer timeout,
was correct.

Damien managed to reproduce the bug and have sent a fix:
https://lore.kernel.org/linux-ide/20260220050053.390135-1-dlemoal@xxxxxxxxxx/T/#t

A lot of thanks to syzbot for finding this bug that we failed to find
during review.

Kind regards,
Niklas