[Android 6.1] UBSAN: array-index-out-of-bounds in check_stack_range_initialized

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit: 4292d259032a FROMGIT: usb: xhci: Add error handling in xhc..
git tree: android14-6.1
console+strace: https://syzkaller.appspot.com/x/log.txt?x=152cb1be180000
kernel config: https://syzkaller.appspot.com/x/.config?x=54c503ca94c7e582
dashboard link: https://syzkaller.appspot.com/bug?extid=aafd0513053a1cbf52ef
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=107266be180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12ff3ffa180000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/653c57b7c948/disk-4292d259.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ba2eb02e62cc/vmlinux-4292d259.xz
kernel image: https://storage.googleapis.com/syzbot-assets/8abe93fef46b/bzImage-4292d259.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+aafd05...@syzkaller.appspotmail.com

================================================================================
UBSAN: array-index-out-of-bounds in kernel/bpf/verifier.c:5393:12
index -1 is out of range for type 'u8[8]' (aka 'unsigned char[8]')
CPU: 0 PID: 295 Comm: syz-executor149 Not tainted 6.1.68-syzkaller-00062-g4292d259032a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
dump_stack+0x15/0x1b lib/dump_stack.c:113
ubsan_epilogue lib/ubsan.c:151 [inline]
__ubsan_handle_out_of_bounds+0x13a/0x160 lib/ubsan.c:282
check_stack_range_initialized+0x1349/0x1770 kernel/bpf/verifier.c:5393
check_helper_mem_access+0x4c3/0xf80 kernel/bpf/verifier.c:5497
check_helper_call+0x2fcf/0x6cd0 kernel/bpf/verifier.c:7564
do_check+0x78b7/0xe040 kernel/bpf/verifier.c:12672
do_check_common+0x6ce/0xed0 kernel/bpf/verifier.c:14940
do_check_main kernel/bpf/verifier.c:15003 [inline]
bpf_check+0x673b/0x16560 kernel/bpf/verifier.c:15577
bpf_prog_load+0x1304/0x1bf0 kernel/bpf/syscall.c:2605
__sys_bpf+0x52c/0x7f0 kernel/bpf/syscall.c:4972
__do_sys_bpf kernel/bpf/syscall.c:5076 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5074 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5074
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7faf2fcf9629
Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe1bf61ca8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007ffe1bf61e78 RCX: 00007faf2fcf9629
RDX: 0000000000000090 RSI: 00000000200000c0 RDI: 0000000000000005
RBP: 00007faf2fd6c610 R08: 0000000000000000 R09: 00007ffe1bf61e78
R10: 00000000fffffff8 R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffe1bf61e68 R14: 0000000000000001 R15: 0000000000000001
</TASK>
================================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

[syzbot]

Bug presence analysis results: the bug reproduces only on Android 6.1.

syzbot has run the reproducer on other relevant kernel trees and got
the following results:

android14-6.1 (commit e623dd5ac2ac) on 2024/03/19:
UBSAN: array-index-out-of-bounds in check_stack_range_initialized
Report: https://syzkaller.appspot.com/x/report.txt?x=17cbd231180000

lts (commit 883d1a956208) on 2024/03/19:
Didn't crash.

upstream (commit b3603fcb79b1) on 2024/03/19:
Didn't crash.

More details can be found at:
https://syzkaller.appspot.com/bug?extid=aafd0513053a1cbf52ef

[syzbot]

syzbot suspects this issue was fixed by commit:

commit 3ca4271578e1cc2bcf4fceb08d794c56b9fd58b8
Author: Greg Kroah-Hartman <gre...@google.com>
Date: Thu Mar 28 12:36:28 2024 +0000

Reapply "Merge tag 'android14-6.1.75_r00' into android14-6.1"

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=12c1d354980000
start commit: 4292d259032a FROMGIT: usb: xhci: Add error handling in xhc..
git tree: android14-6.1

kernel config: https://syzkaller.appspot.com/x/.config?x=54c503ca94c7e582
dashboard link: https://syzkaller.appspot.com/bug?extid=aafd0513053a1cbf52ef

syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16ff3ffa180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10da4681180000

If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: Reapply "Merge tag 'android14-6.1.75_r00' into android14-6.1"

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

[syzbot]

Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.