================================================================================
UBSAN: Undefined behaviour in net/netfilter/ipset/ip_set_hash_gen.h:125:6
shift exponent 32 is too large for 32-bit type 'unsigned int'
CPU: 0 PID: 11395 Comm: syz-executor.2 Not tainted 4.19.148-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x22c/0x33e lib/dump_stack.c:118
 ubsan_epilogue+0xe/0x3a lib/ubsan.c:161
 __ubsan_handle_shift_out_of_bounds.cold+0x1c4/0x250 lib/ubsan.c:422
 htable_bits net/netfilter/ipset/ip_set_hash_gen.h:125 [inline]
 hash_ipportnet_create.cold+0x1a/0x1f net/netfilter/ipset/ip_set_hash_gen.h:1290
 ip_set_create+0x70e/0x1380 net/netfilter/ipset/ip_set_core.c:940
 nfnetlink_rcv_msg+0xeff/0x1210 net/netfilter/nfnetlink.c:233
 netlink_rcv_skb+0x160/0x440 net/netlink/af_netlink.c:2455
 nfnetlink_rcv+0x1b2/0x41b net/netfilter/nfnetlink.c:565
 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
 netlink_unicast+0x4d5/0x690 net/netlink/af_netlink.c:1344
 netlink_sendmsg+0x717/0xcc0 net/netlink/af_netlink.c:1909
 sock_sendmsg_nosec net/socket.c:622 [inline]
 sock_sendmsg+0xc7/0x130 net/socket.c:632
 ___sys_sendmsg+0x7bb/0x8f0 net/socket.c:2115
 __sys_sendmsg net/socket.c:2153 [inline]
 __do_sys_sendmsg net/socket.c:2162 [inline]
 __se_sys_sendmsg net/socket.c:2160 [inline]
 __x64_sys_sendmsg+0x132/0x220 net/socket.c:2160
 do_syscall_64+0xf9/0x670 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45e179
Code: 3d b2 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 0b b2 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f7f4517fc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000029b40 RCX: 000000000045e179
RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000003
RBP: 000000000118cf80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118cf4c
R13: 00007fffe46ecaff R14: 00007f7f451809c0 R15: 000000000118cf4c
================================================================================
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
FAT-fs (loop4): Invalid FSINFO signature: 0x00000000, 0x00000000 (sector = 1)
IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
**********************************************************
**   NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE   **
**                                                      **
** trace_printk() being used. Allocating extra memory.  **
**                                                      **
** This means that this is a DEBUG kernel and it is     **
** unsafe for production use.                           **
**                                                      **
** If you see this message and you are not debugging    **
IPVS: ftp: loaded support on port[0] = 21
** the kernel, report this immediately to your vendor!  **
**                                                      **
**   NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE   **
**********************************************************
IPVS: ftp: loaded support on port[0] = 21
device vlan2 entered promiscuous mode
device gretap0 entered promiscuous mode
device gretap0 left promiscuous mode
device vlan2 entered promiscuous mode
device gretap0 entered promiscuous mode
device gretap0 left promiscuous mode
nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
================================================================================
UBSAN: Undefined behaviour in ./include/net/red.h:272:18
shift exponent 115 is too large for 64-bit type 'long unsigned int'
CPU: 0 PID: 11655 Comm: syz-executor.4 Not tainted 4.19.148-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x22c/0x33e lib/dump_stack.c:118
 ubsan_epilogue+0xe/0x3a lib/ubsan.c:161
 __ubsan_handle_shift_out_of_bounds.cold+0x1c4/0x250 lib/ubsan.c:422
 red_calc_qavg_from_idle_time include/net/red.h:272 [inline]
 red_calc_qavg include/net/red.h:313 [inline]
 red_enqueue+0x2064/0x2200 net/sched/sch_red.c:68
 __dev_xmit_skb net/core/dev.c:3494 [inline]
 __dev_queue_xmit+0x14e1/0x2ec0 net/core/dev.c:3807
 neigh_hh_output include/net/neighbour.h:491 [inline]
 neigh_output include/net/neighbour.h:499 [inline]
 ip6_finish_output2+0xe78/0x2370 net/ipv6/ip6_output.c:120
 ip6_finish_output+0x610/0xcc0 net/ipv6/ip6_output.c:154
 NF_HOOK_COND include/linux/netfilter.h:278 [inline]
 ip6_output+0x205/0x7c0 net/ipv6/ip6_output.c:171
 dst_output include/net/dst.h:455 [inline]
 NF_HOOK include/linux/netfilter.h:289 [inline]
 ip6_xmit+0xe46/0x2110 net/ipv6/ip6_output.c:275
 sctp_v6_xmit+0x38e/0x720 net/sctp/ipv6.c:229
 sctp_packet_transmit+0x1c3c/0x3210 net/sctp/output.c:641
 sctp_packet_singleton net/sctp/outqueue.c:791 [inline]
 sctp_outq_flush_ctrl.constprop.0+0x6d3/0xc50 net/sctp/outqueue.c:922
 sctp_outq_flush net/sctp/outqueue.c:1204 [inline]
 sctp_outq_uncork+0x10b/0x200 net/sctp/outqueue.c:776
 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1815 [inline]
 sctp_side_effects net/sctp/sm_sideeffect.c:1199 [inline]
 sctp_do_sm+0x520/0x4fd0 net/sctp/sm_sideeffect.c:1170
 sctp_primitive_ASSOCIATE+0x98/0xc0 net/sctp/primitive.c:88
 sctp_sendmsg_to_asoc+0x7b5/0x1ef0 net/sctp/socket.c:1945
 sctp_sendmsg+0xeb8/0x1530 net/sctp/socket.c:2135
 inet_sendmsg+0x174/0x640 net/ipv4/af_inet.c:798
 sock_sendmsg_nosec net/socket.c:622 [inline]
 sock_sendmsg+0xc7/0x130 net/socket.c:632
 __sys_sendto+0x21a/0x320 net/socket.c:1787
 __do_sys_sendto net/socket.c:1799 [inline]
 __se_sys_sendto net/socket.c:1795 [inline]
 __x64_sys_sendto+0xdd/0x1b0 net/socket.c:1795
 do_syscall_64+0xf9/0x670 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45e179
Code: 3d b2 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 0b b2 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f7b77c40c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 000000000002d6c0 RCX: 000000000045e179
RDX: 0000000000034000 RSI: 0000000020847fff RDI: 0000000000000006
RBP: 000000000118cf98 R08: 000000002005ffe4 R09: 000000000000001c
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118cf4c
R13: 00007ffe0347662f R14: 00007f7b77c419c0 R15: 000000000118cf4c
================================================================================
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 76 bytes leftover after parsing attributes in process `syz-executor.0'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.0'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.0'.
EXT4-fs (loop1): mounted filesystem without journal. Opts: norecovery,,errors=continue
audit: type=1804 audit(1601329958.723:37): pid=11864 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=open_writers comm="syz-executor.2" name="/root/syzkaller-testdir903041281/syzkaller.taswr9/196/bus" dev="sda1" ino=16139 res=1
audit: type=1800 audit(1601329958.773:38): pid=11864 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="syz-executor.2" name="bus" dev="sda1" ino=16139 res=0
audit: type=1804 audit(1601329958.773:39): pid=11864 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=open_writers comm="syz-executor.2" name="/root/syzkaller-testdir903041281/syzkaller.taswr9/196/bus" dev="sda1" ino=16139 res=1
audit: type=1804 audit(1601329958.963:40): pid=11874 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=open_writers comm="syz-executor.2" name="/root/syzkaller-testdir903041281/syzkaller.taswr9/196/bus" dev="sda1" ino=16139 res=1
audit: type=1800 audit(1601329958.963:41): pid=11874 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="syz-executor.2" name="bus" dev="sda1" ino=16139 res=0
audit: type=1804 audit(1601329958.963:42): pid=11879 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=open_writers comm="syz-executor.2" name="/root/syzkaller-testdir903041281/syzkaller.taswr9/196/bus" dev="sda1" ino=16139 res=1
audit: type=1804 audit(1601329958.963:43): pid=11864 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=ToMToU comm="syz-executor.2" name="/root/syzkaller-testdir903041281/syzkaller.taswr9/196/bus" dev="sda1" ino=16139 res=1
netlink: 'syz-executor.2': attribute type 5 has an invalid length.
device ipvlan2 entered promiscuous mode
netlink: 'syz-executor.2': attribute type 5 has an invalid length.
device ipvlan2 entered promiscuous mode
bridge0: port 2(bridge_slave_1) entered disabled state
bridge0: port 1(bridge_slave_0) entered disabled state
device bridge0 entered promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
device lo entered promiscuous mode
device tunl0 entered promiscuous mode
device gre0 entered promiscuous mode
device gretap0 entered promiscuous mode
device erspan0 entered promiscuous mode
device ip_vti0 entered promiscuous mode
device ip6_vti0 entered promiscuous mode
device sit0 entered promiscuous mode
device ip6tnl0 entered promiscuous mode
device ip6gre0 entered promiscuous mode
device syz_tun entered promiscuous mode
device ip6gretap0 entered promiscuous mode
device bridge0 entered promiscuous mode
device vcan0 entered promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
device bond0 entered promiscuous mode
device bond_slave_0 entered promiscuous mode
device bond_slave_1 entered promiscuous mode
device team0 entered promiscuous mode
device team_slave_0 entered promiscuous mode
device team_slave_1 entered promiscuous mode
device dummy0 entered promiscuous mode
device nlmon0 entered promiscuous mode
device caif0 entered promiscuous mode
A link change request failed with some changes committed already. Interface caif0 may have been left with an inconsistent configuration, please check.
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready