================================================================================ UBSAN: Undefined behaviour in net/netfilter/ipset/ip_set_hash_gen.h:125:6 shift exponent 32 is too large for 32-bit type 'unsigned int' CPU: 0 PID: 8100 Comm: syz-executor.1 Not tainted 4.19.150-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x22c/0x33e lib/dump_stack.c:118 ubsan_epilogue+0xe/0x3a lib/ubsan.c:161 __ubsan_handle_shift_out_of_bounds.cold+0x1c4/0x250 lib/ubsan.c:422 htable_bits net/netfilter/ipset/ip_set_hash_gen.h:125 [inline] hash_netport_create.cold+0x1a/0x1f net/netfilter/ipset/ip_set_hash_gen.h:1290 ip_set_create+0x70e/0x1380 net/netfilter/ipset/ip_set_core.c:940 nfnetlink_rcv_msg+0xeff/0x1210 net/netfilter/nfnetlink.c:233 netlink_rcv_skb+0x160/0x440 net/netlink/af_netlink.c:2455 nfnetlink_rcv+0x1b2/0x41b net/netfilter/nfnetlink.c:565 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x4d5/0x690 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x717/0xcc0 net/netlink/af_netlink.c:1909 sock_sendmsg_nosec net/socket.c:622 [inline] sock_sendmsg+0xc7/0x130 net/socket.c:632 ___sys_sendmsg+0x7bb/0x8f0 net/socket.c:2115 __sys_sendmsg net/socket.c:2153 [inline] __do_sys_sendmsg net/socket.c:2162 [inline] __se_sys_sendmsg net/socket.c:2160 [inline] __x64_sys_sendmsg+0x132/0x220 net/socket.c:2160 do_syscall_64+0xf9/0x670 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x45de59 Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fbda6d72c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000029b40 RCX: 000000000045de59 RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000003 RBP: 000000000118bf60 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bf2c R13: 00007ffd84a70e0f R14: 00007fbda6d739c0 R15: 000000000118bf2c ================================================================================ netlink: 44 bytes leftover after parsing attributes in process `syz-executor.2'. netlink: 84 bytes leftover after parsing attributes in process `syz-executor.0'. netlink: 'syz-executor.0': attribute type 1 has an invalid length. audit: type=1800 audit(1602821905.021:11): pid=8200 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="syz-executor.0" name="bus" dev="sda1" ino=15788 res=0 binder: 8219:8229 ioctl 4018620d 0 returned -22 ISOFS: Unable to identify CD-ROM format. binder: 8231:8234 ioctl 4018620d 0 returned -22 raw_sendmsg: syz-executor.1 forgot to set AF_INET. Fix it! tmpfs: Bad value 'default:70 ' for mount option 'mpol' IPVS: ftp: loaded support on port[0] = 21 tmpfs: Bad value 'default:70 ' for mount option 'mpol' syz-executor.2 (8260) used greatest stack depth: 22280 bytes left IPVS: ftp: loaded support on port[0] = 21 IPVS: ftp: loaded support on port[0] = 21 netlink: 'syz-executor.5': attribute type 5 has an invalid length. netlink: 8 bytes leftover after parsing attributes in process `syz-executor.5'. device ipvlan2 entered promiscuous mode netlink: 'syz-executor.5': attribute type 5 has an invalid length. netlink: 8 bytes leftover after parsing attributes in process `syz-executor.5'. device ipvlan3 entered promiscuous mode netlink: 'syz-executor.5': attribute type 5 has an invalid length. netlink: 8 bytes leftover after parsing attributes in process `syz-executor.5'. device ipvlan4 entered promiscuous mode ceph: device name is missing path (no : separator in U+>ƒBdD#v+[dF::]ISM7 猉"J./) ceph: device name is missing path (no : separator in U+>ƒBdD#v+[dF::]ISM7 猉"J./) F2FS-fs (loop0): Magic Mismatch, valid(0xf2f52010) - read(0x0) F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock F2FS-fs (loop0): group quota file already specified F2FS-fs (loop0): Magic Mismatch, valid(0xf2f52010) - read(0x0) F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock F2FS-fs (loop0): group quota file already specified F2FS-fs (loop0): Magic Mismatch, valid(0xf2f52010) - read(0x0) F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock F2FS-fs (loop0): group quota file already specified nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead. F2FS-fs (loop0): Magic Mismatch, valid(0xf2f52010) - read(0x0) overlayfs: bad mount option "redirect_dir=./file " overlayfs: bad mount option "redirect_dir=./file " input: syz1 as /devices/virtual/input/input5 FAT-fs (loop5): Directory bread(block 2571) failed FAT-fs (loop5): Directory bread(block 2572) failed FAT-fs (loop5): Directory bread(block 2573) failed FAT-fs (loop5): Directory bread(block 2574) failed FAT-fs (loop5): Directory bread(block 2575) failed FAT-fs (loop5): Directory bread(block 2576) failed FAT-fs (loop5): Directory bread(block 2577) failed FAT-fs (loop5): Directory bread(block 2578) failed FAT-fs (loop5): Directory bread(block 2579) failed FAT-fs (loop5): Directory bread(block 2580) failed TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters. TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters. TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters. L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details. EXT4-fs (loop5): bad geometry: first data block 2835515476 is beyond end of filesystem (10) FAT-fs (loop3): Invalid FSINFO signature: 0x00000000, 0x00000000 (sector = 1) EXT4-fs (loop5): bad geometry: first data block 2835515476 is beyond end of filesystem (10) audit: type=1400 audit(1602821912.761:12): avc: denied { sys_admin } for pid=8851 comm="syz-executor.4" capability=21 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=cap_userns permissive=1 IPVS: ftp: loaded support on port[0] = 21 IPVS: ftp: loaded support on port[0] = 21 audit: type=1400 audit(1602821913.411:13): avc: denied { block_suspend } for pid=8953 comm="syz-executor.1" capability=36 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1