audit: type=1400 audit(1602822515.275:9): avc: denied { sys_admin } for pid=8146 comm="syz-executor.4" capability=21 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=cap_userns permissive=1
================================================================================
UBSAN: Undefined behaviour in net/netfilter/ipset/ip_set_hash_gen.h:125:6
shift exponent 32 is too large for 32-bit type 'unsigned int'
CPU: 0 PID: 8158 Comm: syz-executor.5 Not tainted 4.19.150-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x22c/0x33e lib/dump_stack.c:118
ubsan_epilogue+0xe/0x3a lib/ubsan.c:161
__ubsan_handle_shift_out_of_bounds.cold+0x1c4/0x250 lib/ubsan.c:422
htable_bits net/netfilter/ipset/ip_set_hash_gen.h:125 [inline]
hash_ipport_create.cold+0x1a/0x2d net/netfilter/ipset/ip_set_hash_gen.h:1290
ip_set_create+0x70e/0x1380 net/netfilter/ipset/ip_set_core.c:940
nfnetlink_rcv_msg+0xeff/0x1210 net/netfilter/nfnetlink.c:233
netlink_rcv_skb+0x160/0x440 net/netlink/af_netlink.c:2455
nfnetlink_rcv+0x1b2/0x41b net/netfilter/nfnetlink.c:565
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x4d5/0x690 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x717/0xcc0 net/netlink/af_netlink.c:1909
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xc7/0x130 net/socket.c:632
___sys_sendmsg+0x7bb/0x8f0 net/socket.c:2115
__sys_sendmsg net/socket.c:2153 [inline]
__do_sys_sendmsg net/socket.c:2162 [inline]
__se_sys_sendmsg net/socket.c:2160 [inline]
__x64_sys_sendmsg+0x132/0x220 net/socket.c:2160
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'.
do_syscall_64+0xf9/0x670 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45de59
Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f1b80d08c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000029b40 RCX: 000000000045de59
RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000003
RBP: 000000000118bf60 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bf2c
R13: 00007ffcd6c6c50f R14: 00007f1b80d099c0 R15: 000000000118bf2c
================================================================================
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
EXT4-fs: Warning: mounting with data=journal disables delayed allocation and O_DIRECT support!
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 8308 Comm: syz-executor.5 Not tainted 4.19.150-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x22c/0x33e lib/dump_stack.c:118
handle_userfault+0xc44/0x1aa0 fs/userfaultfd.c:442
do_huge_pmd_anonymous_page+0x86e/0x1d70 mm/huge_memory.c:717
create_huge_pmd mm/memory.c:4025 [inline]
__handle_mm_fault+0x2905/0x4370 mm/memory.c:4229
handle_mm_fault+0x489/0xb90 mm/memory.c:4295
__do_page_fault+0x6d8/0xe00 arch/x86/mm/fault.c:1412
page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1205
RIP: 0010:copy_user_enhanced_fast_string+0xe/0x20 arch/x86/lib/copy_user_64.S:181
Code: 89 d1 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 31 c0 0f 1f 00 c3 0f 1f 80 00 00 00 00 0f 1f 00 83 fa 40 0f 82 70 ff ff ff 89 d1 a4 31 c0 0f 1f 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 83
EXT4-fs (loop2): encrypted files will use data=ordered instead of data journaling mode
RSP: 0018:ffff8880502df998 EFLAGS: 00010206
RAX: ffffed10092d6800 RBX: 0000000000001000 RCX: 0000000000001000
RDX: 0000000000001000 RSI: 0000000020349000 RDI: ffff8880496b3000
RBP: 0000000020349000 R08: 0000000000000001 R09: ffffed10092d67ff
R10: ffff8880496b3fff R11: 0000000000000000 R12: 000000002034a000
R13: ffff8880496b3000 R14: 00007ffffffff000 R15: 0000000000000000
copy_user_generic arch/x86/include/asm/uaccess_64.h:37 [inline]
raw_copy_from_user arch/x86/include/asm/uaccess_64.h:71 [inline]
_copy_from_user+0xfc/0x130 lib/usercopy.c:13
copy_from_user include/linux/uaccess.h:147 [inline]
__mcopy_atomic mm/userfaultfd.c:569 [inline]
mcopy_atomic+0x1758/0x2740 mm/userfaultfd.c:608
userfaultfd_copy fs/userfaultfd.c:1734 [inline]
userfaultfd_ioctl+0x4b4/0x39c0 fs/userfaultfd.c:1884
IPVS: Error joining to the multicast group
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:501 [inline]
do_vfs_ioctl+0xcdb/0x12e0 fs/ioctl.c:688
EXT4-fs (loop2): Couldn't mount because of
unsupported optional features (fe0000)
ksys_ioctl+0x9b/0xc0 fs/ioctl.c:705
__do_sys_ioctl fs/ioctl.c:712 [inline]
__se_sys_ioctl fs/ioctl.c:710 [inline]
__x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:710
do_syscall_64+0xf9/0x670 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45de59
Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f1b80d08c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
IPVS: Error joining to the multicast group
RAX: ffffffffffffffda RBX: 000000000001a800 RCX: 000000000045de59
RDX: 0000000020000000 RSI: 00000000c028aa03 RDI: 0000000000000003
RBP: 000000000118bf60 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bf2c
R13: 00007ffcd6c6c50f R14: 00007f1b80d099c0 R15: 000000000118bf2c
------------[ cut here ]------------
wlan1: Failed check-sdata-in-driver check, flags: 0x4
WARNING: CPU: 0 PID: 8365 at net/mac80211/driver-ops.h:17 check_sdata_in_driver net/mac80211/driver-ops.h:17 [inline]
WARNING: CPU: 0 PID: 8365 at net/mac80211/driver-ops.h:17 drv_bss_info_changed net/mac80211/driver-ops.h:173 [inline]
WARNING: CPU: 0 PID: 8365 at net/mac80211/driver-ops.h:17 ieee80211_bss_info_change_notify+0x886/0x980 net/mac80211/main.c:204