================================================================================ UBSAN: shift-out-of-bounds in ./include/net/sch_generic.h:1193:7 shift exponent 129 is too large for 32-bit type 'int' CPU: 0 PID: 8888 Comm: syz-executor.5 Not tainted 5.10.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x107/0x163 lib/dump_stack.c:120 ubsan_epilogue+0xb/0x5a lib/ubsan.c:148 __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:395 qdisc_l2t include/net/sch_generic.h:1193 [inline] cbq_update net/sched/sch_cbq.c:562 [inline] cbq_dequeue.cold+0x186/0x18b net/sched/sch_cbq.c:809 dequeue_skb net/sched/sch_generic.c:263 [inline] qdisc_restart net/sched/sch_generic.c:366 [inline] __qdisc_run+0x1ab/0x1610 net/sched/sch_generic.c:384 __dev_xmit_skb net/core/dev.c:3813 [inline] __dev_queue_xmit+0x1abb/0x2ec0 net/core/dev.c:4119 neigh_hh_output include/net/neighbour.h:499 [inline] neigh_output include/net/neighbour.h:508 [inline] ip_finish_output2+0xf5d/0x2330 net/ipv4/ip_output.c:230 __ip_finish_output net/ipv4/ip_output.c:308 [inline] __ip_finish_output+0x399/0x650 net/ipv4/ip_output.c:290 ip_finish_output+0x35/0x200 net/ipv4/ip_output.c:318 NF_HOOK_COND include/linux/netfilter.h:290 [inline] ip_output+0x196/0x310 net/ipv4/ip_output.c:432 dst_output include/net/dst.h:441 [inline] ip_local_out+0xaf/0x1a0 net/ipv4/ip_output.c:126 iptunnel_xmit+0x5a3/0x9c0 net/ipv4/ip_tunnel_core.c:82 geneve_xmit_skb drivers/net/geneve.c:959 [inline] geneve_xmit+0xfe0/0x3230 drivers/net/geneve.c:1059 __netdev_start_xmit include/linux/netdevice.h:4776 [inline] netdev_start_xmit include/linux/netdevice.h:4790 [inline] xmit_one net/core/dev.c:3574 [inline] dev_hard_start_xmit+0x1eb/0x960 net/core/dev.c:3590 __dev_queue_xmit+0x21de/0x2ec0 net/core/dev.c:4151 neigh_hh_output include/net/neighbour.h:499 [inline] neigh_output include/net/neighbour.h:508 [inline] ip6_finish_output2+0x8cc/0x1710 net/ipv6/ip6_output.c:117 __ip6_finish_output net/ipv6/ip6_output.c:143 [inline] __ip6_finish_output+0x4be/0xb80 net/ipv6/ip6_output.c:128 ip6_finish_output+0x35/0x200 net/ipv6/ip6_output.c:153 NF_HOOK_COND include/linux/netfilter.h:290 [inline] ip6_output+0x1db/0x520 net/ipv6/ip6_output.c:176 dst_output include/net/dst.h:441 [inline] NF_HOOK include/linux/netfilter.h:301 [inline] ndisc_send_skb+0xacc/0x1850 net/ipv6/ndisc.c:508 ndisc_send_rs+0x12e/0x710 net/ipv6/ndisc.c:702 addrconf_rs_timer+0x3f2/0x820 net/ipv6/addrconf.c:3874 call_timer_fn+0x1a5/0x710 kernel/time/timer.c:1417 expire_timers kernel/time/timer.c:1462 [inline] __run_timers.part.0+0x692/0xa80 kernel/time/timer.c:1731 __run_timers kernel/time/timer.c:1712 [inline] run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1744 __do_softirq+0x2bc/0xa77 kernel/softirq.c:343 asm_call_irq_on_stack+0xf/0x20 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline] run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline] do_softirq_own_stack+0xaa/0xd0 arch/x86/kernel/irq_64.c:77 invoke_softirq kernel/softirq.c:226 [inline] __irq_exit_rcu+0x17f/0x200 kernel/softirq.c:420 irq_exit_rcu+0x5/0x20 kernel/softirq.c:432 sysvec_apic_timer_interrupt+0x4d/0x100 arch/x86/kernel/apic/apic.c:1096 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:628 RIP: 0010:unwind_next_frame+0x27/0x2460 arch/x86/kernel/unwind_orc.c:418 Code: 0f 1f 00 48 b8 00 00 00 00 00 fc ff df 41 57 49 89 ff 41 56 41 55 41 54 55 53 48 81 ec b0 00 00 00 48 c7 44 24 50 b3 8a b5 41 <48> 8d 5c 24 50 48 c7 44 24 58 39 5d f0 8a 48 c1 eb 03 48 c7 44 24 RSP: 0018:ffffc90001b0f3f8 EFLAGS: 00000282 RAX: dffffc0000000000 RBX: ffffffff8161a190 RCX: 0000000000000000 RDX: 1ffff92000361ec8 RSI: ffffffff87462282 RDI: ffffc90001b0f4e0 RBP: ffffc90001b0f568 R08: ffffffff8e72c498 R09: 0000000000000001 R10: fffff52000361ea7 R11: 0000000000000001 R12: ffffc90001b0f598 R13: 0000000000000000 R14: ffff888065a98000 R15: ffffc90001b0f4e0 arch_stack_walk+0x7d/0xe0 arch/x86/kernel/stacktrace.c:25 stack_trace_save+0x8c/0xc0 kernel/stacktrace.c:121 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:401 [inline] ____kasan_kmalloc.constprop.0+0x82/0xa0 mm/kasan/common.c:429 kasan_slab_alloc include/linux/kasan.h:205 [inline] slab_post_alloc_hook mm/slab.h:512 [inline] slab_alloc_node mm/slub.c:2892 [inline] kmem_cache_alloc_node_trace+0x16d/0x2c0 mm/slub.c:2942 kmalloc_node include/linux/slab.h:570 [inline] kzalloc_node include/linux/slab.h:693 [inline] __get_vm_area_node+0xd3/0x380 mm/vmalloc.c:2089 __vmalloc_node_range mm/vmalloc.c:2569 [inline] __vmalloc_node mm/vmalloc.c:2617 [inline] vzalloc+0xf2/0x1a0 mm/vmalloc.c:2670 alloc_counters net/ipv4/netfilter/ip_tables.c:800 [inline] compat_copy_entries_to_user net/ipv4/netfilter/ip_tables.c:1553 [inline] compat_get_entries+0x360/0x750 net/ipv4/netfilter/ip_tables.c:1596 do_ipt_get_ctl+0x4d2/0x9d0 net/ipv4/netfilter/ip_tables.c:1657 nf_getsockopt+0x72/0xd0 net/netfilter/nf_sockopt.c:116 ip_getsockopt net/ipv4/ip_sockglue.c:1777 [inline] ip_getsockopt+0x164/0x1c0 net/ipv4/ip_sockglue.c:1756 tcp_getsockopt+0x86/0xd0 net/ipv4/tcp.c:4141 __sys_getsockopt+0x219/0x4c0 net/socket.c:2156 __do_compat_sys_socketcall+0x513/0x660 net/compat.c:495 do_syscall_32_irqs_on arch/x86/entry/common.c:78 [inline] __do_fast_syscall_32+0x56/0x80 arch/x86/entry/common.c:137 do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:160 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c RIP: 0023:0xf7f22549 Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 RSP: 002b:00000000090bf6c0 EFLAGS: 00000202 ORIG_RAX: 0000000000000066 RAX: ffffffffffffffda RBX: 000000000000000f RCX: 00000000090bf6dc RDX: 00000000090bf788 RSI: 00000000090bf788 RDI: 00000000090bfdac RBP: 0000000008160be0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 ================================================================================