program: r0 = socket$nl_xfrm(0x10, 0x3, 0x6) (async) r1 = socket$nl_xfrm(0x10, 0x3, 0x6) sendmsg$nl_xfrm(r1, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f00000002c0)=@updpolicy={0xb8, 0x19, 0x1, 0x0, 0x0, {{@in=@multicast1, @in6=@local, 0x800, 0x3, 0x0, 0x0, 0xa, 0x0, 0x80, 0x6}, {0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x2}, {}, 0x20000, 0x0, 0x0, 0x0, 0x2}}, 0xb8}}, 0x10) (async, rerun: 32) r2 = openat$comedi(0xffffff9c, &(0x7f0000000040)='/dev/comedi3\x00', 0x2000, 0x0) (rerun: 32) ioctl$COMEDI_DEVCONFIG(r2, 0x40946400, &(0x7f0000000200)={'pcl726\x00', [0x4f0, 0xfffffc60, 0x2, 0x6, 0x6, 0x1ff, 0x0, 0x9, 0xd7, 0x7, 0x3, 0x8, 0xfffffffe, 0xf408, 0x3, 0xffffffff, 0xa, 0x5, 0x4, 0x8, 0x79b, 0x35, 0x9, 0xa7b1, 0x0, 0x1, 0x7, 0xf7f, 0x4d, 0x9, 0x7]}) (async) ioctl$COMEDI_SUBDINFO(r2, 0x80486402, &(0x7f0000000080)) (async, rerun: 32) mkdir(&(0x7f0000000000)='./cgroup/../file0\x00', 0x0) (rerun: 32) r3 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000), 0x200002, 0x0) r4 = openat$cgroup_ro(r3, &(0x7f00000001c0)='pids.events\x00', 0x0, 0x0) read$msr(r4, &(0x7f0000000040)=""/42, 0x2a) (async, rerun: 64) sendmsg$nl_xfrm(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000380)=ANY=[@ANYBLOB="bc0000001d0001000000000000000000e000400b1940000000000000000000bdd3503f1927c632b100000000000000000100000000000000000a00000000000def1ac1cf70681220cce53fa80ff0a10662048ea8cc3a738b0d9dd90465ca5c0d2fc9474aa95a9a133b4ae2cba9ec1488befa6c10230f68e021980101c330a2ac1d921e154e34ee40bca8638ed8056cea0a08436593dd3ac6ac3cb601c5df", @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB='\x00'/112], 0xb8}}, 0x0) (async, rerun: 64) r5 = socket$nl_xfrm(0x10, 0x3, 0x6) sendmsg$nl_xfrm(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000040)=@updpolicy={0xb8, 0x19, 0xfd3649826d894c67, 0x0, 0x0, {{@in6=@dev, @in=@multicast1, 0x0, 0x0, 0x0, 0x0, 0xa}}}, 0xb8}}, 0x0) (async, rerun: 32) sendmsg$key(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000004c0)=ANY=[@ANYBLOB="021380ee02"], 0x10}}, 0x0) (rerun: 32) r6 = openat$kvm(0xffffffffffffff9c, &(0x7f00000002c0), 0x0, 0x0) r7 = ioctl$KVM_CREATE_VM(r6, 0xae01, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r7, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x20002000, &(0x7f0000000000/0x2000)=nil}) r8 = ioctl$KVM_CREATE_VCPU(r7, 0xae41, 0x0) ioctl$KVM_SET_GSI_ROUTING(r7, 0x4008ae6a, &(0x7f0000000000)=ANY=[@ANYBLOB="040000000000000001"]) (async) ioctl$KVM_SET_SREGS(r8, 0x4138ae84, &(0x7f0000000100)={{0x7000, 0xdddd1000, 0x4, 0x0, 0x8, 0x8, 0x0, 0x2, 0x0, 0x6, 0x9, 0x10}, {0x8080000, 0x0, 0xc, 0x8, 0x0, 0x0, 0x0, 0x0, 0x7, 0x7, 0x0, 0xff}, {0x3000, 0x5000, 0xc, 0x0, 0x7, 0x4, 0x0, 0x0, 0x9, 0x0, 0x0, 0xfc}, {0x100000, 0xd000, 0x0, 0x0, 0x5, 0x0, 0xff, 0x0, 0x0, 0x0, 0x4}, {0xeeee8000, 0x3000, 0x9, 0x0, 0xff, 0x4, 0x0, 0xe, 0x0, 0x3c}, {0x0, 0x0, 0xd, 0x8, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x80}, {0x8080000, 0x0, 0xa, 0x6, 0x5, 0x0, 0x3}, {0x80a0000, 0xdddd0000, 0x0, 0x0, 0x0, 0x1, 0x0, 0xa, 0x26}, {0x80a0000}, {0xeeef0000}, 0xfdfcffdb, 0x0, 0x0, 0x28, 0xb, 0xf801, 0x0, [0x0, 0x0, 0x1]}) r9 = socket$key(0xf, 0x3, 0x2) sendmmsg(r9, &(0x7f0000000180), 0x32bc45944b084a6, 0x0) (async) r10 = socket$nl_generic(0x10, 0x3, 0x10) r11 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff) (async) ioctl$sock_SIOCGIFINDEX_80211(r10, 0x8933, &(0x7f00000000c0)={'wlan1\x00', 0x0}) sendmsg$NL80211_CMD_SET_INTERFACE(r10, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r11, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r12}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0) sendmsg$NL80211_CMD_CONNECT(r10, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, r11, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r12}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}, 0x1, 0x0, 0x0, 0x800}, 0x0) (async) syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x12}]}, @void, @void, @void, @void, @void, @void}, 0x2f) (async) nanosleep(&(0x7f0000000340)={0x0, 0x2faf080}, 0x0) (async) syz_80211_inject_frame(&(0x7f00000003c0)=@device_b, &(0x7f0000000400)=@mgmt_frame=@auth={{{}, {}, @device_b, @device_a, @from_mac, {0x0, 0x1}}, 0x0, 0x2, 0x0, @void}, 0x1e) [ 68.442110][ T5333] Bluetooth: hci0: command tx timeout [ 68.536586][ T5353] ------------[ cut here ]------------ [ 68.539161][ T5353] UBSAN: shift-out-of-bounds in drivers/comedi/drivers/pcl726.c:331:46 [ 68.577238][ T5353] shift exponent -928 is negative [ 68.579898][ T5353] CPU: 0 UID: 0 PID: 5353 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 68.579918][ T5353] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 68.579926][ T5353] Call Trace: [ 68.579933][ T5353] [ 68.579940][ T5353] dump_stack_lvl+0x189/0x250 [ 68.580037][ T5353] ? __pfx_dump_stack_lvl+0x10/0x10 [ 68.580053][ T5353] ? __pfx__printk+0x10/0x10 [ 68.580074][ T5353] ubsan_epilogue+0xa/0x40 [ 68.580092][ T5353] __ubsan_handle_shift_out_of_bounds+0x386/0x410 [ 68.580147][ T5353] ? __kmalloc_noprof+0x29b/0x4f0 [ 68.580165][ T5353] pcl726_attach+0xac4/0xd50 [ 68.580215][ T5353] ? rcu_is_watching+0x15/0xb0 [ 68.580227][ T5353] comedi_device_attach+0x51f/0x720 [ 68.580243][ T5353] comedi_unlocked_ioctl+0x5ff/0x1020 [ 68.580261][ T5353] ? rcu_is_watching+0x15/0xb0 [ 68.580271][ T5353] ? lock_release+0x4b/0x3e0 [ 68.580286][ T5353] ? tomoyo_path_number_perm+0x47a/0x5a0 [ 68.580300][ T5353] ? __pfx_comedi_unlocked_ioctl+0x10/0x10 [ 68.580322][ T5353] ? __might_fault+0xb0/0x130 [ 68.580341][ T5353] ? lock_release+0x4b/0x3e0 [ 68.580357][ T5353] ? __fget_files+0x2a/0x420 [ 68.580372][ T5353] ? __fget_files+0x3a0/0x420 [ 68.580389][ T5353] ? __fget_files+0x2a/0x420 [ 68.580403][ T5353] ? bpf_lsm_file_ioctl+0x9/0x20 [ 68.580415][ T5353] ? __pfx_comedi_unlocked_ioctl+0x10/0x10 [ 68.580431][ T5353] __se_sys_ioctl+0xfc/0x170 [ 68.580443][ T5353] do_syscall_64+0xfa/0x3b0 [ 68.580490][ T5353] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 68.580502][ T5353] ? clear_bhb_loop+0x60/0xb0 [ 68.580514][ T5353] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 68.580525][ T5353] RIP: 0033:0x7f991598ebe9 [ 68.580561][ T5353] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 68.580572][ T5353] RSP: 002b:00007f99167a6038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 68.580586][ T5353] RAX: ffffffffffffffda RBX: 00007f9915bb5fa0 RCX: 00007f991598ebe9 [ 68.580595][ T5353] RDX: 0000200000000200 RSI: 0000000040946400 RDI: 0000000000000005 [ 68.580602][ T5353] RBP: 00007f9915a11e19 R08: 0000000000000000 R09: 0000000000000000 [ 68.580610][ T5353] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 68.580617][ T5353] R13: 00007f9915bb6038 R14: 00007f9915bb5fa0 R15: 00007fffd9d0d5f8 [ 68.580630][ T5353] [ 68.686618][ T5353] ---[ end trace ]--- [ 68.688370][ T5353] Kernel panic - not syncing: UBSAN: panic_on_warn set ... [ 68.691616][ T5353] CPU: 0 UID: 0 PID: 5353 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 68.695580][ T5353] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 68.700551][ T5353] Call Trace: [ 68.702126][ T5353] [ 68.703504][ T5353] dump_stack_lvl+0x99/0x250 [ 68.705544][ T5353] ? __asan_memcpy+0x40/0x70 [ 68.707519][ T5353] ? __pfx_dump_stack_lvl+0x10/0x10 [ 68.709740][ T5353] ? __pfx__printk+0x10/0x10 [ 68.711708][ T5353] vpanic+0x281/0x750 [ 68.713490][ T5353] ? __pfx_vpanic+0x10/0x10 [ 68.715456][ T5353] panic+0xb9/0xc0 [ 68.717127][ T5353] ? __pfx_panic+0x10/0x10 [ 68.719060][ T5353] ? __pfx__printk+0x10/0x10 [ 68.721006][ T5353] check_panic_on_warn+0x89/0xb0 [ 68.723021][ T5353] __ubsan_handle_shift_out_of_bounds+0x386/0x410 [ 68.725597][ T5353] ? __kmalloc_noprof+0x29b/0x4f0 [ 68.727775][ T5353] pcl726_attach+0xac4/0xd50 [ 68.729811][ T5353] ? rcu_is_watching+0x15/0xb0 [ 68.731967][ T5353] comedi_device_attach+0x51f/0x720 [ 68.734362][ T5353] comedi_unlocked_ioctl+0x5ff/0x1020 [ 68.736731][ T5353] ? rcu_is_watching+0x15/0xb0 [ 68.738866][ T5353] ? lock_release+0x4b/0x3e0 [ 68.740901][ T5353] ? tomoyo_path_number_perm+0x47a/0x5a0 [ 68.743380][ T5353] ? __pfx_comedi_unlocked_ioctl+0x10/0x10 [ 68.745929][ T5353] ? __might_fault+0xb0/0x130 [ 68.748146][ T5353] ? lock_release+0x4b/0x3e0 [ 68.750346][ T5353] ? __fget_files+0x2a/0x420 [ 68.752410][ T5353] ? __fget_files+0x3a0/0x420 [ 68.754461][ T5353] ? __fget_files+0x2a/0x420 [ 68.756516][ T5353] ? bpf_lsm_file_ioctl+0x9/0x20 [ 68.758653][ T5353] ? __pfx_comedi_unlocked_ioctl+0x10/0x10 [ 68.761201][ T5353] __se_sys_ioctl+0xfc/0x170 [ 68.763158][ T5353] do_syscall_64+0xfa/0x3b0 [ 68.765130][ T5353] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 68.767727][ T5353] ? clear_bhb_loop+0x60/0xb0 [ 68.769789][ T5353] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 68.772385][ T5353] RIP: 0033:0x7f991598ebe9 [ 68.774334][ T5353] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 68.782798][ T5353] RSP: 002b:00007f99167a6038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 68.786854][ T5353] RAX: ffffffffffffffda RBX: 00007f9915bb5fa0 RCX: 00007f991598ebe9 [ 68.790331][ T5353] RDX: 0000200000000200 RSI: 0000000040946400 RDI: 0000000000000005 [ 68.793776][ T5353] RBP: 00007f9915a11e19 R08: 0000000000000000 R09: 0000000000000000 [ 68.797204][ T5353] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 68.800475][ T5353] R13: 00007f9915bb6038 R14: 00007f9915bb5fa0 R15: 00007fffd9d0d5f8 [ 68.803779][ T5353] [ 68.805474][ T5353] Kernel Offset: disabled [ 68.807307][ T5353] Rebooting in 86400 seconds..