x_tables: duplicate underflow at hook 1
================================================================================
UBSAN: Undefined behaviour in ./include/net/red.h:272:18
shift exponent 103 is too large for 64-bit type 'long unsigned int'
CPU: 1 PID: 13846 Comm: syz-executor.2 Not tainted 4.19.148-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x22c/0x33e lib/dump_stack.c:118
 ubsan_epilogue+0xe/0x3a lib/ubsan.c:161
 __ubsan_handle_shift_out_of_bounds.cold+0x1c4/0x250 lib/ubsan.c:422
 red_calc_qavg_from_idle_time include/net/red.h:272 [inline]
 red_adaptative_algo include/net/red.h:404 [inline]
 red_adaptative_timer+0x7ed/0x870 net/sched/sch_red.c:266
 call_timer_fn+0x177/0x760 kernel/time/timer.c:1338
 expire_timers+0x243/0x500 kernel/time/timer.c:1375
 __run_timers kernel/time/timer.c:1703 [inline]
 run_timer_softirq+0x259/0x730 kernel/time/timer.c:1716
 __do_softirq+0x27d/0xad2 kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:372 [inline]
 irq_exit+0x22d/0x270 kernel/softirq.c:412
 exiting_irq arch/x86/include/asm/apic.h:544 [inline]
 smp_apic_timer_interrupt+0x15f/0x5d0 arch/x86/kernel/apic/apic.c:1094
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:894
RIP: 0010:_vm_normal_page+0x15d/0x520 mm/memory.c:895
Code: b8 00 00 00 00 00 fc ff df 48 c7 44 05 00 00 00 00 00 48 8b 44 24 68 65 48 2b 04 25 28 00 00 00 0f 85 5d 03 00 00 48 83 c4 70 <48> 89 d8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 e8 c0 53 d4 ff 48 89 d8
RSP: 0018:ffff888048137728 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000000 RBX: ffffea0002746680 RCX: ffffffff819d6f8c
RDX: 0000000000000000 RSI: ffffffff819d6ee2 RDI: 0000000000000006
RBP: 1ffff11009026ed9 R08: 0000000000000000 R09: 000000000021ffff
R10: 0000000000000006 R11: 0000000000000001 R12: 800000009d19a007
R13: ffff888096656460 R14: 00007f769ef84000 R15: ffff8880481376e8
 zap_pte_range mm/memory.c:1311 [inline]
 zap_pmd_range mm/memory.c:1440 [inline]
 zap_pud_range mm/memory.c:1469 [inline]
 zap_p4d_range mm/memory.c:1490 [inline]
 unmap_page_range+0xfba/0x2ec0 mm/memory.c:1511
 unmap_single_vma+0x198/0x300 mm/memory.c:1556
 unmap_vmas+0xa9/0x180 mm/memory.c:1586
 exit_mmap+0x2b9/0x530 mm/mmap.c:3091
 __mmput kernel/fork.c:1015 [inline]
 mmput+0x14e/0x4a0 kernel/fork.c:1036
 exit_mm kernel/exit.c:546 [inline]
 do_exit+0xb12/0x2d80 kernel/exit.c:874
 do_group_exit+0x125/0x320 kernel/exit.c:990
 get_signal+0x3f3/0x2270 kernel/signal.c:2588
 do_signal+0x8f/0x1690 arch/x86/kernel/signal.c:821
 exit_to_usermode_loop+0x204/0x2c0 arch/x86/entry/common.c:163
 prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
 do_syscall_64+0x57c/0x670 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45dd99
Code: Bad RIP value.
RSP: 002b:00007f769e34ccf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 000000000118bf28 RCX: 000000000045dd99
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000118bf28
RBP: 000000000118bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bf2c
R13: 00007ffc0694ddff R14: 00007f769e34d9c0 R15: 000000000118bf2c
================================================================================
netlink: 43614 bytes leftover after parsing attributes in process `syz-executor.0'.
netlink: 88 bytes leftover after parsing attributes in process `syz-executor.0'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.4'.
sock: process `syz-executor.5' is using obsolete setsockopt SO_BSDCOMPAT
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
netlink: 40027 bytes leftover after parsing attributes in process `syz-executor.2'.
device lo entered promiscuous mode
device tunl0 entered promiscuous mode
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
device gre0 entered promiscuous mode
IPVS: ftp: loaded support on port[0] = 21
device gretap0 entered promiscuous mode
device erspan0 entered promiscuous mode
device ip_vti0 entered promiscuous mode
device ip6_vti0 entered promiscuous mode
device sit0 entered promiscuous mode
device ip6tnl0 entered promiscuous mode
device ip6gre0 entered promiscuous mode
device ip6gretap0 entered promiscuous mode
device bridge0 entered promiscuous mode
device vcan0 entered promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
device bond0 entered promiscuous mode
device bond_slave_0 entered promiscuous mode
device bond_slave_1 entered promiscuous mode
device team0 entered promiscuous mode
device team_slave_0 entered promiscuous mode
device team_slave_1 entered promiscuous mode
device dummy0 entered promiscuous mode
device nlmon0 entered promiscuous mode
device caif0 entered promiscuous mode
A link change request failed with some changes committed already. Interface caif0 may have been left with an inconsistent configuration, please check.
netlink: 40067 bytes leftover after parsing attributes in process `syz-executor.4'.
netlink: 40027 bytes leftover after parsing attributes in process `syz-executor.2'.
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
A link change request failed with some changes committed already. Interface caif0 may have been left with an inconsistent configuration, please check.
netlink: 40067 bytes leftover after parsing attributes in process `syz-executor.4'.
netlink: 43435 bytes leftover after parsing attributes in process `syz-executor.0'.
IPVS: ftp: loaded support on port[0] = 21
netlink: 40067 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 16863 bytes leftover after parsing attributes in process `syz-executor.0'.
IPVS: ftp: loaded support on port[0] = 21
netlink: 40027 bytes leftover after parsing attributes in process `syz-executor.2'.
Cannot find del_set index 0 as target
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
A link change request failed with some changes committed already. Interface caif0 may have been left with an inconsistent configuration, please check.
xt_CT: netfilter: NOTRACK target is deprecated, use CT instead or upgrade iptables
IPVS: ftp: loaded support on port[0] = 21
netlink: 40027 bytes leftover after parsing attributes in process `syz-executor.2'.
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
A link change request failed with some changes committed already. Interface caif0 may have been left with an inconsistent configuration, please check.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pid=14429 comm=syz-executor.0
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=1 sclass=netlink_route_socket pid=14429 comm=syz-executor.0
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pid=14439 comm=syz-executor.5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pid=14444 comm=syz-executor.5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pid=14477 comm=syz-executor.5