UBSAN: shift-out-of-bounds in sfq

UBSAN: shift-out-of-bounds in sfq_init
Status: fixed on 2021/03/10 01:48
Reported-by: syzbot+97c5bd9cc81eca63d36e@syzkaller.appspotmail.com
Fix commit: bd1248f1 net: sched: prevent invalid Scell_log shift count
First crash: 113d, last: 95d

Cause bisection: introduced by (bisect log) [release commit]:
commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date: Sun Sep 15 21:19:32 2019 +0000

Linux 5.3

Crash: UBSAN: undefined-behaviour in sfq_init (log)
Repro: C syz .config

duplicates (1):
Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
UBSAN: shift-out-of-bounds in choke_change	C	inconclusive		15	44d	102d	0/22	closed as dup on 2020/12/29 20:08

Sample crash report:

================================================================================
UBSAN: shift-out-of-bounds in ./include/net/red.h:252:22
shift exponent 72 is too large for 32-bit type 'int'
CPU: 1 PID: 8479 Comm: syz-executor063 Not tainted 5.10.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
 __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:395
 red_set_parms include/net/red.h:252 [inline]
 sfq_change net/sched/sch_sfq.c:674 [inline]
 sfq_init.cold+0x4f/0xd5 net/sched/sch_sfq.c:762
 qdisc_create+0x4ba/0x13a0 net/sched/sch_api.c:1246
 tc_modify_qdisc+0x4c8/0x1a30 net/sched/sch_api.c:1662
 rtnetlink_rcv_msg+0x498/0xb80 net/core/rtnetlink.c:5564
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494
 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330
 netlink_sendmsg+0x907/0xe40 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:672
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2345
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2399
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2432
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4404f9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fffef145e18 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004404f9
RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000004
RBP: 00000000006ca018 R08: 00000000ffffffff R09: 00000000004002c8
R10: 00000000ffffffff R11: 0000000000000246 R12: 0000000000401d00
R13: 0000000000401d90 R14: 0000000000000000 R15: 0000000000000000
================================================================================

Crashes (8):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info
ci-upstream-kasan-gce	2020/12/19 01:25	upstream	a409ed15	04201c06	.config	log	report	syz	C
ci-upstream-net-this-kasan-gce	2020/12/19 01:49	net	d64c6f96	04201c06	.config	log	report	syz	C
ci-upstream-kasan-gce	2020/12/19 01:07	upstream	a409ed15	04201c06	.config	log	report			info
ci-upstream-net-this-kasan-gce	2020/12/25 15:54	net	1f45dc22	b982b3ea	.config	log	report			info
ci-upstream-net-kasan-gce	2021/01/05 22:18	net-next	3db1a3fa	a0234d98	.config	log	report			info
ci-upstream-net-kasan-gce	2021/01/02 12:05	net-next	3db1a3fa	79264ae3	.config	log	report			info
ci-upstream-net-kasan-gce	2020/12/30 08:53	net-next	3db1a3fa	0fa352f2	.config	log	report			info
ci-upstream-net-kasan-gce	2020/12/29 01:15	net-next	3db1a3fa	8259d56c	.config	log	report			info