================================================================================
UBSAN: Undefined behaviour in ./include/net/red.h:272:18
shift exponent 75 is too large for 64-bit type 'long unsigned int'
CPU: 0 PID: 10282 Comm: syz-executor.4 Not tainted 4.19.152-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x22c/0x33e lib/dump_stack.c:118
 ubsan_epilogue+0xe/0x3a lib/ubsan.c:161
 __ubsan_handle_shift_out_of_bounds.cold+0x1c4/0x250 lib/ubsan.c:422
 red_calc_qavg_from_idle_time include/net/red.h:272 [inline]
 red_calc_qavg include/net/red.h:313 [inline]
 choke_enqueue+0x2a7e/0x2cc0 net/sched/sch_choke.c:231
 __dev_xmit_skb net/core/dev.c:3494 [inline]
 __dev_queue_xmit+0x14e1/0x2ec0 net/core/dev.c:3807
 neigh_hh_output include/net/neighbour.h:491 [inline]
 neigh_output include/net/neighbour.h:499 [inline]
 ip_finish_output2+0xc04/0x1640 net/ipv4/ip_output.c:230
 ip_finish_output+0x88e/0xd80 net/ipv4/ip_output.c:318
 NF_HOOK_COND include/linux/netfilter.h:278 [inline]
 ip_output+0x203/0x650 net/ipv4/ip_output.c:406
 dst_output include/net/dst.h:455 [inline]
 ip_local_out+0xaf/0x170 net/ipv4/ip_output.c:125
 __ip_queue_xmit+0x8a0/0x1bd0 net/ipv4/ip_output.c:506
 __tcp_transmit_skb+0x1c72/0x36c0 net/ipv4/tcp_output.c:1148
 tcp_transmit_skb net/ipv4/tcp_output.c:1164 [inline]
 tcp_xmit_probe_skb+0x2e8/0x390 net/ipv4/tcp_output.c:3679
 tcp_write_wakeup+0x1bd/0x610 net/ipv4/tcp_output.c:3732
 tcp_send_probe0+0x46/0x413 net/ipv4/tcp_output.c:3747
 tcp_probe_timer net/ipv4/tcp_timer.c:385 [inline]
 tcp_write_timer_handler+0x8b8/0xb50 net/ipv4/tcp_timer.c:602
 tcp_write_timer+0x103/0x1b0 net/ipv4/tcp_timer.c:618
 call_timer_fn+0x177/0x760 kernel/time/timer.c:1338
 expire_timers+0x243/0x500 kernel/time/timer.c:1375
 __run_timers kernel/time/timer.c:1703 [inline]
 run_timer_softirq+0x259/0x730 kernel/time/timer.c:1716
 __do_softirq+0x27d/0xad2 kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:372 [inline]
 irq_exit+0x22d/0x270 kernel/softirq.c:412
 exiting_irq arch/x86/include/asm/apic.h:544 [inline]
 smp_apic_timer_interrupt+0x15f/0x5d0 arch/x86/kernel/apic/apic.c:1094
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:894
RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x50 kernel/kcov.c:97
Code: 48 c7 c7 20 04 0f 88 4c 89 25 0c eb bc 0b 41 bc f4 ff ff ff e8 c0 7b e9 ff 48 c7 05 f6 ea bc 0b 00 00 00 00 e9 39 ec ff ff 90 <48> 8b 34 24 65 48 8b 04 25 40 ee 01 00 65 8b 15 ec 1a 90 7e 81 e2
RSP: 0018:ffff88804e55ed88 EFLAGS: 00000202 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000002 RBX: ffff888047ed6430 RCX: ffffffff81914e6e
RDX: 0000000000000001 RSI: ffff88804cd42640 RDI: 0000000000000001
RBP: ffffea000121bfc0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000002 R12: 0000000000000001
R13: ffff88821585e8c0 R14: ffffea000121bfc8 R15: ffffea00010c8bc8
 __read_once_size include/linux/compiler.h:193 [inline]
 unlocked_inode_to_wb_begin include/linux/backing-dev.h:371 [inline]
 clear_page_dirty_for_io+0x3a5/0xff0 mm/page-writeback.c:2697
 mpage_submit_page+0x80/0x260 fs/ext4/inode.c:2207
 mpage_process_page_bufs+0x577/0x6f0 fs/ext4/inode.c:2337
 mpage_prepare_extent_to_map+0x9f0/0xff0 fs/ext4/inode.c:2699
 ext4_writepages+0x115d/0x3a90 fs/ext4/inode.c:2827
 do_writepages+0xe5/0x290 mm/page-writeback.c:2344
 __filemap_fdatawrite_range+0x27d/0x350 mm/filemap.c:446
 file_write_and_wait_range+0x93/0x100 mm/filemap.c:776
 __generic_file_fsync+0x74/0x1f0 fs/libfs.c:983
 ext4_sync_file+0xa7e/0x1380 fs/ext4/fsync.c:118
 vfs_fsync_range+0x13a/0x220 fs/sync.c:197
 generic_write_sync include/linux/fs.h:2751 [inline]
 ext4_file_write_iter+0x786/0xfb0 fs/ext4/file.c:283
 call_write_iter include/linux/fs.h:1821 [inline]
 do_iter_readv_writev+0x668/0x7a0 fs/read_write.c:681
 do_iter_write+0x182/0x5d0 fs/read_write.c:960
 vfs_iter_write+0x70/0xa0 fs/read_write.c:973
 iter_file_splice_write+0x62a/0xbd0 fs/splice.c:750
 do_splice_from fs/splice.c:852 [inline]
 direct_splice_actor+0x115/0x160 fs/splice.c:1025
 splice_direct_to_actor+0x33f/0x8d0 fs/splice.c:980
 do_splice_direct+0x1a7/0x270 fs/splice.c:1068
 do_sendfile+0x550/0xc30 fs/read_write.c:1447
 __do_sys_sendfile64 fs/read_write.c:1508 [inline]
 __se_sys_sendfile64+0x147/0x160 fs/read_write.c:1494
 do_syscall_64+0xf9/0x670 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45de59
Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f813a2acc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 0000000000027ec0 RCX: 000000000045de59
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 0000000000000008
RBP: 000000000118bf68 R08: 0000000000000000 R09: 0000000000000000
R10: 000000000001c500 R11: 0000000000000246 R12: 000000000118bf2c
R13: 00007ffff393f7cf R14: 00007f813a2ad9c0 R15: 000000000118bf2c
================================================================================
audit: type=1804 audit(1602963201.831:43): pid=10295 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=open_writers comm="syz-executor.4" name="/root/syzkaller-testdir890968322/syzkaller.iroKNx/49/file1/file0" dev="sda1" ino=15950 res=1
netlink: 'syz-executor.0': attribute type 5 has an invalid length.
netlink: 12 bytes leftover after parsing attributes in process `syz-executor.0'.
audit: type=1804 audit(1602963202.371:44): pid=10337 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=open_writers comm="syz-executor.4" name="/root/syzkaller-testdir890968322/syzkaller.iroKNx/50/file1/file0" dev="loop4" ino=3 res=1
netlink: 40 bytes leftover after parsing attributes in process `syz-executor.3'.
syz-executor.3 (10336) used greatest stack depth: 22744 bytes left
netlink: 40 bytes leftover after parsing attributes in process `syz-executor.3'.
syz-executor.3 (10361) used greatest stack depth: 22696 bytes left
netlink: 12 bytes leftover after parsing attributes in process `syz-executor.0'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.0'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'.
xt_CT: No such timeout policy "syz1"
netlink: 12 bytes leftover after parsing attributes in process `syz-executor.0'.
squashfs: SQUASHFS error: Can't find a SQUASHFS superblock on loop5
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.0'.
ceph: device name is missing path (no : separator in 01777777777777777777777g>@D-/üi%rLw5)
ceph: device name is missing path (no : separator in 01777777777777777777777g>@D-/üi%rLw5)
xt_CT: You must specify a L4 protocol and not use inversions on it
EXT4-fs (loop1): Unrecognized mount option "" or missing value
FAT-fs (loop0): Invalid FSINFO signature: 0x00000000, 0x00000000 (sector = 1)
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.5'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.5'.
FAT-fs (loop0): Invalid FSINFO signature: 0x00000000, 0x00000000 (sector = 1)
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.5'.
FAT-fs (loop0): Invalid FSINFO signature: 0x00000000, 0x00000000 (sector = 1)
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.5'.
FAT-fs (loop0): Invalid FSINFO signature: 0x00000000, 0x00000000 (sector = 1)
audit: type=1804 audit(1602963210.351:45): pid=10590 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=open_writers comm="syz-executor.1" name="/root/syzkaller-testdir622670311/syzkaller.F45SB8/55/cgroup.controllers" dev="sda1" ino=16004 res=1
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.5'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.5'.