syzbot


UBSAN: shift-out-of-bounds in choke_enqueue

Status: fixed on 2021/03/10 01:48
Subsystems: net
[Documentation on labels]
Fix commit: bd1248f1ddbc net: sched: prevent invalid Scell_log shift count
First crash: 1197d, last: 1105d
Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: WARNING in sysfs_warn_dup (log)
Repro: C syz .config
  

Sample crash report:
================================================================================
UBSAN: shift-out-of-bounds in ./include/net/red.h:310:18
shift exponent 234 is too large for 64-bit type 'long unsigned int'
CPU: 0 PID: 9724 Comm: kworker/0:4 Not tainted 5.10.0-rc6-next-20201207-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
 __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:395
 red_calc_qavg_from_idle_time include/net/red.h:310 [inline]
 red_calc_qavg include/net/red.h:351 [inline]
 choke_enqueue.cold+0x18/0x3dd net/sched/sch_choke.c:221
 __dev_xmit_skb net/core/dev.c:3789 [inline]
 __dev_queue_xmit+0x199e/0x2ec0 net/core/dev.c:4101
 neigh_hh_output include/net/neighbour.h:499 [inline]
 neigh_output include/net/neighbour.h:508 [inline]
 ip_finish_output2+0xf5d/0x2330 net/ipv4/ip_output.c:230
 __ip_finish_output net/ipv4/ip_output.c:308 [inline]
 __ip_finish_output+0x399/0x650 net/ipv4/ip_output.c:290
 ip_finish_output+0x35/0x200 net/ipv4/ip_output.c:318
 NF_HOOK_COND include/linux/netfilter.h:290 [inline]
 ip_output+0x196/0x310 net/ipv4/ip_output.c:432
 dst_output include/net/dst.h:441 [inline]
 ip_local_out+0xaf/0x1a0 net/ipv4/ip_output.c:126
 iptunnel_xmit+0x5a3/0x9c0 net/ipv4/ip_tunnel_core.c:82
 geneve_xmit_skb drivers/net/geneve.c:971 [inline]
 geneve_xmit+0xfe0/0x3230 drivers/net/geneve.c:1071
 __netdev_start_xmit include/linux/netdevice.h:4775 [inline]
 netdev_start_xmit include/linux/netdevice.h:4789 [inline]
 xmit_one net/core/dev.c:3556 [inline]
 dev_hard_start_xmit+0x1eb/0x960 net/core/dev.c:3572
 __dev_queue_xmit+0x21de/0x2ec0 net/core/dev.c:4133
 neigh_resolve_output net/core/neighbour.c:1491 [inline]
 neigh_resolve_output+0x4d8/0x7e0 net/core/neighbour.c:1471
 neigh_output include/net/neighbour.h:510 [inline]
 ip6_finish_output2+0x68c/0x1710 net/ipv6/ip6_output.c:117
 __ip6_finish_output net/ipv6/ip6_output.c:143 [inline]
 __ip6_finish_output+0x4be/0xb80 net/ipv6/ip6_output.c:128
 ip6_finish_output+0x35/0x200 net/ipv6/ip6_output.c:153
 NF_HOOK_COND include/linux/netfilter.h:290 [inline]
 ip6_output+0x1db/0x520 net/ipv6/ip6_output.c:176
 dst_output include/net/dst.h:441 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 ndisc_send_skb+0xacc/0x1850 net/ipv6/ndisc.c:508
 ndisc_send_rs+0x12e/0x710 net/ipv6/ndisc.c:702
 addrconf_dad_completed+0x2fe/0xc60 net/ipv6/addrconf.c:4192
 addrconf_dad_work+0x797/0x1280 net/ipv6/addrconf.c:4102
 process_one_work+0x98d/0x1630 kernel/workqueue.c:2275
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
================================================================================

Crashes (3853):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/12/08 05:53 linux-next 15ac8fdb7440 51a9082e .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2021/03/10 00:38 upstream 144c79ef3353 26967e35 .config console log report info ci-upstream-kasan-gce-root UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/09 05:22 upstream 144c79ef3353 09fbf400 .config console log report info ci-upstream-kasan-gce-root UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/09 01:47 upstream 144c79ef3353 09fbf400 .config console log report info ci-upstream-kasan-gce UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/08 21:41 upstream 144c79ef3353 09fbf400 .config console log report info ci-upstream-kasan-gce-root UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/08 01:08 upstream 3bb48a850627 75506d9c .config console log report info ci-upstream-kasan-gce-root UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/07 22:38 upstream a38fd8748464 75506d9c .config console log report info ci-upstream-kasan-gce-root UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/07 20:28 upstream a38fd8748464 75506d9c .config console log report info ci-upstream-kasan-gce-root UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/07 19:10 upstream a38fd8748464 75506d9c .config console log report info ci-upstream-kasan-gce-root UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/07 16:23 upstream a38fd8748464 75506d9c .config console log report info ci-upstream-kasan-gce-root UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/07 14:54 upstream a38fd8748464 75506d9c .config console log report info ci-upstream-kasan-gce-root UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/07 11:59 upstream a38fd8748464 75506d9c .config console log report info ci-upstream-kasan-gce UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/06 23:03 upstream a38fd8748464 e4b4d570 .config console log report info ci-upstream-kasan-gce-smack-root UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/06 22:00 upstream a38fd8748464 e4b4d570 .config console log report info ci-upstream-kasan-gce-root UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/06 18:18 upstream a38fd8748464 e4b4d570 .config console log report info ci-upstream-kasan-gce-smack-root UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/06 15:49 upstream a38fd8748464 e4b4d570 .config console log report info ci-upstream-kasan-gce-smack-root UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/06 13:23 upstream a38fd8748464 e4b4d570 .config console log report info ci-upstream-kasan-gce-root UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/06 12:03 upstream a38fd8748464 e4b4d570 .config console log report info ci-upstream-kasan-gce-root UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/06 08:44 upstream 280d542f6ffa 56722561 .config console log report info ci-upstream-kasan-gce-root UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/06 05:40 upstream 280d542f6ffa 56722561 .config console log report info ci-upstream-kasan-gce UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/06 02:16 upstream 280d542f6ffa 56722561 .config console log report info ci-upstream-kasan-gce-smack-root UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/06 01:14 upstream 280d542f6ffa 56722561 .config console log report info ci-upstream-kasan-gce-root UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/05 17:28 upstream 280d542f6ffa 9d751681 .config console log report info ci-upstream-kasan-gce-selinux-root UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/01 13:21 upstream fe07bfda2fb9 4c37c133 .config console log report info ci-qemu-upstream UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/10 01:47 upstream 144c79ef3353 26967e35 .config console log report info ci-upstream-kasan-gce-386 UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/08 06:46 upstream 144c79ef3353 09fbf400 .config console log report info ci-upstream-kasan-gce-386 UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/05 23:11 upstream 280d542f6ffa e4b4d570 .config console log report info ci-qemu-upstream-386 UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/05 18:33 upstream 280d542f6ffa 9d751681 .config console log report info ci-upstream-kasan-gce-386 UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/09 19:48 net-old 4416e98594dc 26967e35 .config console log report info ci-upstream-net-this-kasan-gce UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/09 19:11 net-old 4416e98594dc 26967e35 .config console log report info ci-upstream-net-this-kasan-gce UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/09 02:54 net-old 29d98f54a4fe 09fbf400 .config console log report info ci-upstream-net-this-kasan-gce UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/09 00:57 net-old 29d98f54a4fe 09fbf400 .config console log report info ci-upstream-net-this-kasan-gce UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/08 09:45 net-old 9270bbe258c8 09fbf400 .config console log report info ci-upstream-net-this-kasan-gce UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/08 04:26 net-old 9270bbe258c8 09fbf400 .config console log report info ci-upstream-net-this-kasan-gce UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/08 02:38 net-old 9270bbe258c8 09fbf400 .config console log report info ci-upstream-net-this-kasan-gce UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/07 04:57 net-old 9270bbe258c8 e4b4d570 .config console log report info ci-upstream-net-this-kasan-gce UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/06 00:41 net-old ad5d07f4a9cd 56722561 .config console log report info ci-upstream-net-this-kasan-gce UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/09 22:54 net-next-old d310ec03a34e 26967e35 .config console log report info ci-upstream-net-kasan-gce UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/09 21:15 net-next-old d310ec03a34e 26967e35 .config console log report info ci-upstream-net-kasan-gce UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/09 16:15 net-next-old d310ec03a34e 09fbf400 .config console log report info ci-upstream-net-kasan-gce UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/09 15:01 net-next-old d310ec03a34e 09fbf400 .config console log report info ci-upstream-net-kasan-gce UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/08 23:48 net-next-old d310ec03a34e 09fbf400 .config console log report info ci-upstream-net-kasan-gce UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/08 19:43 net-next-old d310ec03a34e 09fbf400 .config console log report info ci-upstream-net-kasan-gce UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/08 16:29 net-next-old d310ec03a34e 09fbf400 .config console log report info ci-upstream-net-kasan-gce UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/08 02:54 net-next-old d310ec03a34e 09fbf400 .config console log report info ci-upstream-net-kasan-gce UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/07 18:09 net-next-old d310ec03a34e 75506d9c .config console log report info ci-upstream-net-kasan-gce UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/07 13:09 net-next-old d310ec03a34e 75506d9c .config console log report info ci-upstream-net-kasan-gce UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/07 07:05 net-next-old d310ec03a34e e4b4d570 .config console log report info ci-upstream-net-kasan-gce UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/07 01:07 net-next-old d310ec03a34e e4b4d570 .config console log report info ci-upstream-net-kasan-gce UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/06 20:51 net-next-old d310ec03a34e e4b4d570 .config console log report info ci-upstream-net-kasan-gce UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/06 18:20 net-next-old d310ec03a34e e4b4d570 .config console log report info ci-upstream-net-kasan-gce UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/06 10:53 net-next-old d310ec03a34e e4b4d570 .config console log report info ci-upstream-net-kasan-gce UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/05 22:02 net-next-old d310ec03a34e 56722561 .config console log report info ci-upstream-net-kasan-gce UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/05 20:27 net-next-old d310ec03a34e 56722561 .config console log report info ci-upstream-net-kasan-gce UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/05 15:24 net-next-old d310ec03a34e 9d751681 .config console log report info ci-upstream-net-kasan-gce UBSAN: shift-out-of-bounds in choke_enqueue
2021/03/09 11:06 linux-next 3aa6f5082286 09fbf400 .config console log report info ci-upstream-linux-next-kasan-gce-root UBSAN: shift-out-of-bounds in choke_enqueue
2021/01/17 13:11 upstream 0da0a8a0a0e1 813be542 .config console log report info ci-upstream-kasan-gce-root
2020/12/07 12:52 linux-next 15ac8fdb7440 1190297f .config console log report info ci-upstream-linux-next-kasan-gce-root
* Struck through repros no longer work on HEAD.