[v5.15] UBSAN: shift-out-of-bounds in pcl812_attach

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit: 2f693b607545 Linux 5.15.187
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1259c68c580000
kernel config: https://syzkaller.appspot.com/x/.config?x=c91c2d91ea1a4388
dashboard link: https://syzkaller.appspot.com/bug?extid=e67c0a8e5a5ef147312c
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/7769e50dbae7/disk-2f693b60.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ca8639ca4ec3/vmlinux-2f693b60.xz
kernel image: https://storage.googleapis.com/syzbot-assets/34e626fbb90f/bzImage-2f693b60.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e67c0a...@syzkaller.appspotmail.com

================================================================================
UBSAN: shift-out-of-bounds in drivers/comedi/drivers/pcl812.c:1154:10
shift exponent 1073741829 is too large for 32-bit type 'int'
CPU: 0 PID: 4698 Comm: syz.0.80 Not tainted 5.15.187-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
<TASK>
dump_stack_lvl+0x168/0x230 lib/dump_stack.c:106
ubsan_epilogue+0xa/0x30 lib/ubsan.c:151
__ubsan_handle_shift_out_of_bounds+0x37c/0x400 lib/ubsan.c:321
pcl812_attach+0x1bc5/0x2330 drivers/comedi/drivers/pcl812.c:1154
comedi_device_attach+0x515/0x650 drivers/comedi/drivers.c:996
do_devconfig_ioctl drivers/comedi/comedi_fops.c:851 [inline]
comedi_unlocked_ioctl+0x5ec/0xe90 drivers/comedi/comedi_fops.c:2131
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl+0xfa/0x170 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f079b393929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f07991fb038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f079b5bafa0 RCX: 00007f079b393929
RDX: 0000200000000280 RSI: 0000000040946400 RDI: 0000000000000004
RBP: 00007f079b415b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f079b5bafa0 R15: 00007ffe0bc9fb08
</TASK>
================================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

[syzbot]

syzbot has found a reproducer for the following issue on:

HEAD commit: 2f693b607545 Linux 5.15.187
git tree: linux-5.15.y

console output: https://syzkaller.appspot.com/x/log.txt?x=14fc7a8c580000

kernel config: https://syzkaller.appspot.com/x/.config?x=c91c2d91ea1a4388
dashboard link: https://syzkaller.appspot.com/bug?extid=e67c0a8e5a5ef147312c
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7

syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12fc7a8c580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1292d68c580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/7769e50dbae7/disk-2f693b60.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ca8639ca4ec3/vmlinux-2f693b60.xz
kernel image: https://storage.googleapis.com/syzbot-assets/34e626fbb90f/bzImage-2f693b60.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e67c0a...@syzkaller.appspotmail.com

================================================================================
UBSAN: shift-out-of-bounds in drivers/comedi/drivers/pcl812.c:1154:10
shift exponent 1073741829 is too large for 32-bit type 'int'

CPU: 0 PID: 4319 Comm: syz.0.16 Not tainted 5.15.187-syzkaller #0

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
<TASK>
dump_stack_lvl+0x168/0x230 lib/dump_stack.c:106
ubsan_epilogue+0xa/0x30 lib/ubsan.c:151
__ubsan_handle_shift_out_of_bounds+0x37c/0x400 lib/ubsan.c:321
pcl812_attach+0x1bc5/0x2330 drivers/comedi/drivers/pcl812.c:1154
comedi_device_attach+0x515/0x650 drivers/comedi/drivers.c:996
do_devconfig_ioctl drivers/comedi/comedi_fops.c:851 [inline]
comedi_unlocked_ioctl+0x5ec/0xe90 drivers/comedi/comedi_fops.c:2131
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl+0xfa/0x170 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0

RIP: 0033:0x7fc3f2059929

Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48

RSP: 002b:00007ffcd15fd508 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fc3f2280fa0 RCX: 00007fc3f2059929
RDX: 0000200000000280 RSI: 0000000040946400 RDI: 0000000000000003
RBP: 00007fc3f20dbb39 R08: 0000000000000000 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000

R13: 00007fc3f2280fa0 R14: 00007fc3f2280fa0 R15: 0000000000000003
</TASK>
================================================================================


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit: dfc486ec9cce Linux 6.1.144
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=101b9d82580000
kernel config: https://syzkaller.appspot.com/x/.config?x=af043eb58258a24b
dashboard link: https://syzkaller.appspot.com/bug?extid=0ee699f37418ddfc18c1

compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/33f04d64fdc1/disk-dfc486ec.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ae15f823ab9f/vmlinux-dfc486ec.xz
kernel image: https://storage.googleapis.com/syzbot-assets/c42843bce2bf/bzImage-dfc486ec.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:

Reported-by: syzbot+0ee699...@syzkaller.appspotmail.com

================================================================================
UBSAN: shift-out-of-bounds in drivers/comedi/drivers/pcl812.c:1152:10
shift exponent 8388613 is too large for 32-bit type 'int'
CPU: 1 PID: 4588 Comm: syz.3.57 Not tainted 6.1.144-syzkaller #0

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
<TASK>

dump_stack_lvl+0x168/0x22e lib/dump_stack.c:106

ubsan_epilogue+0xa/0x30 lib/ubsan.c:151
__ubsan_handle_shift_out_of_bounds+0x37c/0x400 lib/ubsan.c:321

pcl812_attach+0x1bc9/0x2340 drivers/comedi/drivers/pcl812.c:1152
comedi_device_attach+0x515/0x650 drivers/comedi/drivers.c:995

do_devconfig_ioctl drivers/comedi/comedi_fops.c:851 [inline]
comedi_unlocked_ioctl+0x5ec/0xe90 drivers/comedi/comedi_fops.c:2131
vfs_ioctl fs/ioctl.c:51 [inline]

__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl+0xfa/0x170 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7fa3e598e929

Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48

RSP: 002b:00007fa3e68a4038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fa3e5bb6080 RCX: 00007fa3e598e929
RDX: 0000200000000280 RSI: 0000000040946400 RDI: 0000000000000007
RBP: 00007fa3e5a10b39 R08: 0000000000000000 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000

R13: 0000000000000001 R14: 00007fa3e5bb6080 R15: 00007ffd5c959298

[syzbot]

syzbot has found a reproducer for the following issue on:

HEAD commit: dfc486ec9cce Linux 6.1.144
git tree: linux-6.1.y

console output: https://syzkaller.appspot.com/x/log.txt?x=15cf9d82580000

kernel config: https://syzkaller.appspot.com/x/.config?x=af043eb58258a24b
dashboard link: https://syzkaller.appspot.com/bug?extid=0ee699f37418ddfc18c1
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7

syz repro: https://syzkaller.appspot.com/x/repro.syz?x=140d50f0580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1393018c580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/33f04d64fdc1/disk-dfc486ec.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ae15f823ab9f/vmlinux-dfc486ec.xz
kernel image: https://storage.googleapis.com/syzbot-assets/c42843bce2bf/bzImage-dfc486ec.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+0ee699...@syzkaller.appspotmail.com

================================================================================
UBSAN: shift-out-of-bounds in drivers/comedi/drivers/pcl812.c:1152:10
shift exponent 8388613 is too large for 32-bit type 'int'

CPU: 1 PID: 4425 Comm: syz.0.16 Not tainted 6.1.144-syzkaller #0

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
<TASK>
dump_stack_lvl+0x168/0x22e lib/dump_stack.c:106
ubsan_epilogue+0xa/0x30 lib/ubsan.c:151
__ubsan_handle_shift_out_of_bounds+0x37c/0x400 lib/ubsan.c:321
pcl812_attach+0x1bc9/0x2340 drivers/comedi/drivers/pcl812.c:1152
comedi_device_attach+0x515/0x650 drivers/comedi/drivers.c:995
do_devconfig_ioctl drivers/comedi/comedi_fops.c:851 [inline]
comedi_unlocked_ioctl+0x5ec/0xe90 drivers/comedi/comedi_fops.c:2131
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl+0xfa/0x170 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2

RIP: 0033:0x7ff39518e929

Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48

RSP: 002b:00007ffd3a0c1ed8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ff3953b5fa0 RCX: 00007ff39518e929
RDX: 0000200000000280 RSI: 0000000040946400 RDI: 0000000000000003
RBP: 00007ff395210b39 R08: 0000000000000000 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000

R13: 00007ff3953b5fa0 R14: 00007ff3953b5fa0 R15: 0000000000000003

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit: 59a2de10b81a Linux 6.6.97
git tree: linux-6.6.y
console output: https://syzkaller.appspot.com/x/log.txt?x=156d07d4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=ac0b29aca872266f
dashboard link: https://syzkaller.appspot.com/bug?extid=e2e9d5c0e8973a1e9950

compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/32864b54a55c/disk-59a2de10.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b0bbe4ada642/vmlinux-59a2de10.xz
kernel image: https://storage.googleapis.com/syzbot-assets/9e3fe91e14c2/bzImage-59a2de10.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:

Reported-by: syzbot+e2e9d5...@syzkaller.appspotmail.com

================================================================================
UBSAN: shift-out-of-bounds in drivers/comedi/drivers/pcl812.c:1152:10
shift exponent 8388613 is too large for 32-bit type 'int'

CPU: 1 PID: 8867 Comm: syz.2.643 Not tainted 6.6.97-syzkaller #0

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
<TASK>

dump_stack_lvl+0x16c/0x230 lib/dump_stack.c:106
ubsan_epilogue+0xa/0x30 lib/ubsan.c:217
__ubsan_handle_shift_out_of_bounds+0x380/0x400 lib/ubsan.c:387
pcl812_attach+0x1cd1/0x2440 drivers/comedi/drivers/pcl812.c:1152
comedi_device_attach+0x519/0x660 drivers/comedi/drivers.c:995
do_devconfig_ioctl drivers/comedi/comedi_fops.c:855 [inline]
comedi_unlocked_ioctl+0x68d/0xf00 drivers/comedi/comedi_fops.c:2136
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl+0xfd/0x170 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7ff6aab8e929

Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48

RSP: 002b:00007ff6aa9de038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ff6aadb6080 RCX: 00007ff6aab8e929
RDX: 0000200000000280 RSI: 0000000040946400 RDI: 0000000000000007
RBP: 00007ff6aac10b39 R08: 0000000000000000 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000

R13: 0000000000000001 R14: 00007ff6aadb6080 R15: 00007ffe763696d8

[syzbot]

syzbot has found a reproducer for the following issue on:

HEAD commit: 59a2de10b81a Linux 6.6.97
git tree: linux-6.6.y

console output: https://syzkaller.appspot.com/x/log.txt?x=110e5d82580000

kernel config: https://syzkaller.appspot.com/x/.config?x=ac0b29aca872266f
dashboard link: https://syzkaller.appspot.com/bug?extid=e2e9d5c0e8973a1e9950
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7

syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1698818c580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=150e5d82580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/32864b54a55c/disk-59a2de10.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b0bbe4ada642/vmlinux-59a2de10.xz
kernel image: https://storage.googleapis.com/syzbot-assets/9e3fe91e14c2/bzImage-59a2de10.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e2e9d5...@syzkaller.appspotmail.com

================================================================================
UBSAN: shift-out-of-bounds in drivers/comedi/drivers/pcl812.c:1152:10
shift exponent 8388613 is too large for 32-bit type 'int'

CPU: 1 PID: 5941 Comm: syz.0.16 Not tainted 6.6.97-syzkaller #0

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
<TASK>
dump_stack_lvl+0x16c/0x230 lib/dump_stack.c:106
ubsan_epilogue+0xa/0x30 lib/ubsan.c:217
__ubsan_handle_shift_out_of_bounds+0x380/0x400 lib/ubsan.c:387
pcl812_attach+0x1cd1/0x2440 drivers/comedi/drivers/pcl812.c:1152
comedi_device_attach+0x519/0x660 drivers/comedi/drivers.c:995
do_devconfig_ioctl drivers/comedi/comedi_fops.c:855 [inline]
comedi_unlocked_ioctl+0x68d/0xf00 drivers/comedi/comedi_fops.c:2136
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl+0xfd/0x170 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2

RIP: 0033:0x7f825b98e929

Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48

RSP: 002b:00007ffe47733548 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f825bbb5fa0 RCX: 00007f825b98e929
RDX: 0000200000000280 RSI: 0000000040946400 RDI: 0000000000000003
RBP: 00007f825ba10b39 R08: 0000000000000000 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000

R13: 00007f825bbb5fa0 R14: 00007f825bbb5fa0 R15: 0000000000000003

[syzbot]

syzbot suspects this issue was fixed by commit:

commit 5bfa301e1e59a9b1a7b62a800b54852337c97416
Author: Ian Abbott <abb...@mev.co.uk>
Date: Mon Jul 7 13:34:29 2025 +0000

comedi: pcl812: Fix bit shift out of bounds

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=14dadc42580000
start commit: dfc486ec9cce Linux 6.1.144
git tree: linux-6.1.y

kernel config: https://syzkaller.appspot.com/x/.config?x=af043eb58258a24b
dashboard link: https://syzkaller.appspot.com/bug?extid=0ee699f37418ddfc18c1

syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12c2ce8c580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=150750f0580000

If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: comedi: pcl812: Fix bit shift out of bounds

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

[syzbot]

Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.

[syzbot]