syzbot


UBSAN: shift-out-of-bounds in red_enqueue

Status: fixed on 2021/03/10 01:48
Subsystems: net
[Documentation on labels]
Fix commit: bd1248f1ddbc net: sched: prevent invalid Scell_log shift count
First crash: 1284d, last: 1192d
Cause bisection: introduced by (bisect log) [merge commit]:
commit a45ff5994c9cde41af627c46abb9f32beae68943
Author: Paolo Bonzini <pbonzini@redhat.com>
Date: Thu Jul 11 13:14:16 2019 +0000

  Merge tag 'kvm-arm-for-5.3' of git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm into HEAD

Crash: general protection fault in batadv_iv_ogm_queue_add (log)
Repro: C syz .config
  

Sample crash report:
================================================================================
UBSAN: shift-out-of-bounds in ./include/net/red.h:312:18
shift exponent 65 is too large for 64-bit type 'long unsigned int'
CPU: 0 PID: 7 Comm: kworker/0:1 Not tainted 5.11.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
 __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:395
 red_calc_qavg_from_idle_time include/net/red.h:312 [inline]
 red_calc_qavg include/net/red.h:353 [inline]
 red_enqueue.cold+0x64/0x452 net/sched/sch_red.c:77
 __dev_xmit_skb net/core/dev.c:3807 [inline]
 __dev_queue_xmit+0x1913/0x2dd0 net/core/dev.c:4119
 neigh_hh_output include/net/neighbour.h:499 [inline]
 neigh_output include/net/neighbour.h:508 [inline]
 ip_finish_output2+0xeb6/0x21b0 net/ipv4/ip_output.c:230
 __ip_finish_output net/ipv4/ip_output.c:308 [inline]
 __ip_finish_output+0x396/0x640 net/ipv4/ip_output.c:290
 ip_finish_output+0x35/0x200 net/ipv4/ip_output.c:318
 NF_HOOK_COND include/linux/netfilter.h:290 [inline]
 ip_output+0x196/0x310 net/ipv4/ip_output.c:432
 dst_output include/net/dst.h:441 [inline]
 ip_local_out+0xaf/0x1a0 net/ipv4/ip_output.c:126
 iptunnel_xmit+0x5a3/0x9c0 net/ipv4/ip_tunnel_core.c:82
 geneve_xmit_skb drivers/net/geneve.c:959 [inline]
 geneve_xmit+0xde1/0x2f60 drivers/net/geneve.c:1059
 __netdev_start_xmit include/linux/netdevice.h:4776 [inline]
 netdev_start_xmit include/linux/netdevice.h:4790 [inline]
 xmit_one net/core/dev.c:3574 [inline]
 dev_hard_start_xmit+0x1eb/0x920 net/core/dev.c:3590
 __dev_queue_xmit+0x21db/0x2dd0 net/core/dev.c:4151
 neigh_resolve_output net/core/neighbour.c:1491 [inline]
 neigh_resolve_output+0x4d8/0x7e0 net/core/neighbour.c:1471
 neigh_output include/net/neighbour.h:510 [inline]
 ip6_finish_output2+0x6b8/0x16c0 net/ipv6/ip6_output.c:117
 __ip6_finish_output net/ipv6/ip6_output.c:182 [inline]
 __ip6_finish_output+0x4c1/0xe10 net/ipv6/ip6_output.c:161
 ip6_finish_output+0x35/0x200 net/ipv6/ip6_output.c:192
 NF_HOOK_COND include/linux/netfilter.h:290 [inline]
 ip6_output+0x1db/0x520 net/ipv6/ip6_output.c:215
 dst_output include/net/dst.h:441 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 ndisc_send_skb+0xa90/0x1750 net/ipv6/ndisc.c:508
 ndisc_send_ns+0x3a9/0x850 net/ipv6/ndisc.c:650
 addrconf_dad_work+0xc1c/0x1280 net/ipv6/addrconf.c:4117
 process_one_work+0x98d/0x15f0 kernel/workqueue.c:2275
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
================================================================================

Crashes (4906):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2021/01/28 10:27 upstream 76c057c84d28 eefc07f2 .config console log report syz C ci-upstream-kasan-gce UBSAN: shift-out-of-bounds in red_enqueue
2021/01/21 01:58 upstream 75439bc439e0 d4f4eca5 .config console log report syz C ci-upstream-kasan-gce UBSAN: shift-out-of-bounds in red_enqueue
2021/01/18 07:28 upstream a1339d6355ac fd103621 .config console log report syz C ci-upstream-kasan-gce UBSAN: shift-out-of-bounds in red_enqueue
2021/02/10 04:13 net-old 49c2547b82c6 2bd9619f .config console log report syz C ci-upstream-net-this-kasan-gce UBSAN: shift-out-of-bounds in red_enqueue
2021/02/02 06:38 net-old 5e9eff5dfa46 e6b95f32 .config console log report syz C ci-upstream-net-this-kasan-gce UBSAN: shift-out-of-bounds in red_enqueue
2021/01/25 13:22 net-old 344db93ae3ee 52e37319 .config console log report syz C ci-upstream-net-this-kasan-gce UBSAN: shift-out-of-bounds in red_enqueue
2021/02/10 05:11 net-next-old fc1a8db3d560 2bd9619f .config console log report syz C ci-upstream-net-kasan-gce UBSAN: shift-out-of-bounds in red_enqueue
2021/02/06 21:40 net-next-old c90597bdebb5 0655e081 .config console log report syz C ci-upstream-net-kasan-gce UBSAN: shift-out-of-bounds in red_enqueue
2021/02/02 05:05 net-next-old 1a2b60f6f165 e6b95f32 .config console log report syz C ci-upstream-net-kasan-gce UBSAN: shift-out-of-bounds in red_enqueue
2021/01/25 12:18 net-next-old a61e4b60761f 52e37319 .config console log report syz C ci-upstream-net-kasan-gce UBSAN: shift-out-of-bounds in red_enqueue
2020/12/17 08:46 upstream 5e60366d56c6 04201c06 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2021/01/10 20:33 net-old f97844f9c518 2c1f2513 .config console log report syz C ci-upstream-net-this-kasan-gce
2021/01/10 20:02 net-next-old 73b7a6047971 2c1f2513 .config console log report syz C ci-upstream-net-kasan-gce
2020/12/11 02:49 linux-next 14240d4c5b25 f900b48c .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2020/12/08 07:58 linux-next 15ac8fdb7440 51a9082e .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2021/03/10 00:24 upstream 144c79ef3353 26967e35 .config console log report info ci-upstream-kasan-gce-root UBSAN: shift-out-of-bounds in red_enqueue
2021/03/09 16:57 upstream 280d542f6ffa 26967e35 .config console log report info ci-qemu-upstream UBSAN: shift-out-of-bounds in red_enqueue
2021/03/09 08:25 upstream 144c79ef3353 09fbf400 .config console log report info ci-upstream-kasan-gce-root UBSAN: shift-out-of-bounds in red_enqueue
2021/03/09 05:17 upstream 144c79ef3353 09fbf400 .config console log report info ci-upstream-kasan-gce-root UBSAN: shift-out-of-bounds in red_enqueue
2021/03/09 04:09 upstream 144c79ef3353 09fbf400 .config console log report info ci-upstream-kasan-gce-selinux-root UBSAN: shift-out-of-bounds in red_enqueue
2021/03/09 00:32 upstream 144c79ef3353 09fbf400 .config console log report info ci-upstream-kasan-gce-root UBSAN: shift-out-of-bounds in red_enqueue
2021/03/08 23:11 upstream 144c79ef3353 09fbf400 .config console log report info ci-upstream-kasan-gce-root UBSAN: shift-out-of-bounds in red_enqueue
2021/03/08 21:50 upstream 144c79ef3353 09fbf400 .config console log report info ci-upstream-kasan-gce-root UBSAN: shift-out-of-bounds in red_enqueue
2021/03/08 20:05 upstream 144c79ef3353 09fbf400 .config console log report info ci-upstream-kasan-gce-selinux-root UBSAN: shift-out-of-bounds in red_enqueue
2021/03/08 17:22 upstream 144c79ef3353 09fbf400 .config console log report info ci-upstream-kasan-gce UBSAN: shift-out-of-bounds in red_enqueue
2021/03/08 11:21 upstream 144c79ef3353 09fbf400 .config console log report info ci-upstream-kasan-gce UBSAN: shift-out-of-bounds in red_enqueue
2021/03/08 07:26 upstream 144c79ef3353 09fbf400 .config console log report info ci-upstream-kasan-gce UBSAN: shift-out-of-bounds in red_enqueue
2021/03/08 06:35 upstream 3bb48a850627 09fbf400 .config console log report info ci-upstream-kasan-gce-root UBSAN: shift-out-of-bounds in red_enqueue
2021/03/08 05:31 upstream 3bb48a850627 09fbf400 .config console log report info ci-upstream-kasan-gce-root UBSAN: shift-out-of-bounds in red_enqueue
2021/03/08 01:18 upstream 280d542f6ffa 09fbf400 .config console log report info ci-qemu-upstream UBSAN: shift-out-of-bounds in red_enqueue
2021/03/07 19:17 upstream a38fd8748464 75506d9c .config console log report info ci-upstream-kasan-gce-root UBSAN: shift-out-of-bounds in red_enqueue
2021/03/07 17:17 upstream a38fd8748464 75506d9c .config console log report info ci-upstream-kasan-gce UBSAN: shift-out-of-bounds in red_enqueue
2021/03/07 14:28 upstream a38fd8748464 75506d9c .config console log report info ci-upstream-kasan-gce-root UBSAN: shift-out-of-bounds in red_enqueue
2021/03/07 12:01 upstream a38fd8748464 75506d9c .config console log report info ci-upstream-kasan-gce-root UBSAN: shift-out-of-bounds in red_enqueue
2021/03/07 10:51 upstream 280d542f6ffa c599ed12 .config console log report info ci-qemu-upstream UBSAN: shift-out-of-bounds in red_enqueue
2021/03/07 07:24 upstream a38fd8748464 e4b4d570 .config console log report info ci-upstream-kasan-gce-smack-root UBSAN: shift-out-of-bounds in red_enqueue
2021/03/06 21:27 upstream a38fd8748464 e4b4d570 .config console log report info ci-upstream-kasan-gce-root UBSAN: shift-out-of-bounds in red_enqueue
2021/03/06 18:49 upstream a38fd8748464 e4b4d570 .config console log report info ci-upstream-kasan-gce UBSAN: shift-out-of-bounds in red_enqueue
2021/03/09 22:09 upstream 280d542f6ffa 26967e35 .config console log report info ci-qemu-upstream-386 UBSAN: shift-out-of-bounds in red_enqueue
2021/03/09 12:34 upstream 144c79ef3353 09fbf400 .config console log report info ci-upstream-kasan-gce-386 UBSAN: shift-out-of-bounds in red_enqueue
2021/03/09 01:36 upstream 144c79ef3353 09fbf400 .config console log report info ci-upstream-kasan-gce-386 UBSAN: shift-out-of-bounds in red_enqueue
2021/03/08 16:15 upstream 144c79ef3353 09fbf400 .config console log report info ci-upstream-kasan-gce-386 UBSAN: shift-out-of-bounds in red_enqueue
2021/03/08 12:25 upstream 144c79ef3353 09fbf400 .config console log report info ci-upstream-kasan-gce-386 UBSAN: shift-out-of-bounds in red_enqueue
2021/03/08 04:04 upstream 144c79ef3353 09fbf400 .config console log report info ci-upstream-kasan-gce-386 UBSAN: shift-out-of-bounds in red_enqueue
2021/03/07 22:44 upstream a38fd8748464 75506d9c .config console log report info ci-upstream-kasan-gce-386 UBSAN: shift-out-of-bounds in red_enqueue
2021/03/07 22:13 upstream a38fd8748464 75506d9c .config console log report info ci-upstream-kasan-gce-386 UBSAN: shift-out-of-bounds in red_enqueue
2021/03/07 20:43 upstream 280d542f6ffa 09fbf400 .config console log report info ci-qemu-upstream-386 UBSAN: shift-out-of-bounds in red_enqueue
2021/03/07 16:05 upstream a38fd8748464 75506d9c .config console log report info ci-upstream-kasan-gce-386 UBSAN: shift-out-of-bounds in red_enqueue
2021/03/06 19:50 upstream a38fd8748464 e4b4d570 .config console log report info ci-upstream-kasan-gce-386 UBSAN: shift-out-of-bounds in red_enqueue
2021/03/09 22:54 net-old 4416e98594dc 26967e35 .config console log report info ci-upstream-net-this-kasan-gce UBSAN: shift-out-of-bounds in red_enqueue
2021/03/09 19:49 net-old 4416e98594dc 26967e35 .config console log report info ci-upstream-net-this-kasan-gce UBSAN: shift-out-of-bounds in red_enqueue
2021/03/09 15:46 net-old 4416e98594dc 09fbf400 .config console log report info ci-upstream-net-this-kasan-gce UBSAN: shift-out-of-bounds in red_enqueue
2021/03/09 14:40 net-old 4416e98594dc 09fbf400 .config console log report info ci-upstream-net-this-kasan-gce UBSAN: shift-out-of-bounds in red_enqueue
2021/03/09 03:04 net-old 29d98f54a4fe 09fbf400 .config console log report info ci-upstream-net-this-kasan-gce UBSAN: shift-out-of-bounds in red_enqueue
2021/03/08 10:05 net-old 9270bbe258c8 09fbf400 .config console log report info ci-upstream-net-this-kasan-gce UBSAN: shift-out-of-bounds in red_enqueue
2021/03/08 09:03 net-old 9270bbe258c8 09fbf400 .config console log report info ci-upstream-net-this-kasan-gce UBSAN: shift-out-of-bounds in red_enqueue
2021/03/08 02:57 net-old 9270bbe258c8 09fbf400 .config console log report info ci-upstream-net-this-kasan-gce UBSAN: shift-out-of-bounds in red_enqueue
2021/03/08 00:05 net-old 9270bbe258c8 75506d9c .config console log report info ci-upstream-net-this-kasan-gce UBSAN: shift-out-of-bounds in red_enqueue
2021/03/07 04:29 net-old 9270bbe258c8 e4b4d570 .config console log report info ci-upstream-net-this-kasan-gce UBSAN: shift-out-of-bounds in red_enqueue
2021/03/09 21:06 net-next-old d310ec03a34e 26967e35 .config console log report info ci-upstream-net-kasan-gce UBSAN: shift-out-of-bounds in red_enqueue
2021/03/09 12:19 net-next-old d310ec03a34e 09fbf400 .config console log report info ci-upstream-net-kasan-gce UBSAN: shift-out-of-bounds in red_enqueue
2021/03/09 06:58 net-next-old d310ec03a34e 09fbf400 .config console log report info ci-upstream-net-kasan-gce UBSAN: shift-out-of-bounds in red_enqueue
2021/03/08 18:50 net-next-old d310ec03a34e 09fbf400 .config console log report info ci-upstream-net-kasan-gce UBSAN: shift-out-of-bounds in red_enqueue
2021/03/07 13:02 net-next-old d310ec03a34e 75506d9c .config console log report info ci-upstream-net-kasan-gce UBSAN: shift-out-of-bounds in red_enqueue
2021/03/07 02:06 net-next-old d310ec03a34e e4b4d570 .config console log report info ci-upstream-net-kasan-gce UBSAN: shift-out-of-bounds in red_enqueue
2021/03/08 14:33 linux-next 4641b32307b3 09fbf400 .config console log report info ci-upstream-linux-next-kasan-gce-root UBSAN: shift-out-of-bounds in red_enqueue
2021/03/06 22:52 linux-next 4641b32307b3 e4b4d570 .config console log report info ci-upstream-linux-next-kasan-gce-root UBSAN: shift-out-of-bounds in red_enqueue
2021/01/17 13:45 upstream 0da0a8a0a0e1 813be542 .config console log report info ci-upstream-kasan-gce
2020/12/07 12:37 linux-next 15ac8fdb7440 1190297f .config console log report info ci-upstream-linux-next-kasan-gce-root
* Struck through repros no longer work on HEAD.