================================================================================
UBSAN: shift-out-of-bounds in ./include/net/red.h:312:18
shift exponent 109 is too large for 64-bit type 'long unsigned int'
CPU: 0 PID: 18584 Comm: syz-executor.0 Not tainted 5.12.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x141/0x1d7 lib/dump_stack.c:120
 ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
 __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:327
 red_calc_qavg_from_idle_time include/net/red.h:312 [inline]
 red_calc_qavg include/net/red.h:353 [inline]
 red_enqueue.cold+0x64/0x452 net/sched/sch_red.c:77
 __dev_xmit_skb net/core/dev.c:3837 [inline]
 __dev_queue_xmit+0x1943/0x2e00 net/core/dev.c:4150
 neigh_resolve_output net/core/neighbour.c:1491 [inline]
 neigh_resolve_output+0x50e/0x820 net/core/neighbour.c:1471
 neigh_output include/net/neighbour.h:510 [inline]
 ip_finish_output2+0x83d/0x21f0 net/ipv4/ip_output.c:230
 __ip_finish_output net/ipv4/ip_output.c:308 [inline]
 __ip_finish_output+0x396/0x640 net/ipv4/ip_output.c:290
 ip_finish_output+0x35/0x200 net/ipv4/ip_output.c:318
 NF_HOOK_COND include/linux/netfilter.h:290 [inline]
 ip_output+0x196/0x310 net/ipv4/ip_output.c:432
 dst_output include/net/dst.h:448 [inline]
 ip_local_out+0xaf/0x1a0 net/ipv4/ip_output.c:126
 igmpv3_send_cr net/ipv4/igmp.c:719 [inline]
 igmp_ifc_timer_expire+0x7a7/0xf30 net/ipv4/igmp.c:807
 call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1431
 expire_timers kernel/time/timer.c:1476 [inline]
 __run_timers.part.0+0x67c/0xa50 kernel/time/timer.c:1745
 __run_timers kernel/time/timer.c:1726 [inline]
 run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1758
 __do_softirq+0x29b/0x9f6 kernel/softirq.c:345
 invoke_softirq kernel/softirq.c:221 [inline]
 __irq_exit_rcu kernel/softirq.c:422 [inline]
 irq_exit_rcu+0x134/0x200 kernel/softirq.c:434
 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1100
 </IRQ>
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:632
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:161 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x38/0x70 kernel/locking/spinlock.c:191
Code: 74 24 10 e8 3a d0 51 f8 48 89 ef e8 62 86 52 f8 81 e3 00 02 00 00 75 25 9c 58 f6 c4 02 75 2d 48 85 db 74 01 fb bf 01 00 00 00 <e8> 03 80 46 f8 65 8b 05 5c 5d fa 76 85 c0 74 0a 5b 5d c3 e8 30 fb
RSP: 0018:ffffc90001e4f838 EFLAGS: 00000206
RAX: 0000000000000002 RBX: 0000000000000200 RCX: 1ffffffff1f5a4ea
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001
RBP: ffffffff90096490 R08: 0000000000000001 R09: ffffffff8fac5887
R10: 0000000000000001 R11: 000000000000003f R12: 1ffffffff2012c91
R13: 0000000000000000 R14: dead000000000100 R15: dffffc0000000000
 __debug_check_no_obj_freed lib/debugobjects.c:997 [inline]
 debug_check_no_obj_freed+0x20c/0x420 lib/debugobjects.c:1018
 slab_free_hook mm/slub.c:1554 [inline]
 slab_free_freelist_hook+0x147/0x210 mm/slub.c:1600
 slab_free mm/slub.c:3161 [inline]
 kmem_cache_free+0x8a/0x740 mm/slub.c:3177
 anon_vma_chain_free mm/rmap.c:141 [inline]
 unlink_anon_vmas+0x16e/0x860 mm/rmap.c:414
 free_pgtables+0x1ab/0x2f0 mm/memory.c:427
 exit_mmap+0x2b7/0x590 mm/mmap.c:3219
 __mmput+0x122/0x470 kernel/fork.c:1082
 mmput+0x58/0x60 kernel/fork.c:1103
 exit_mm kernel/exit.c:501 [inline]
 do_exit+0xb0a/0x2a60 kernel/exit.c:812
 do_group_exit+0x125/0x310 kernel/exit.c:922
 get_signal+0x42c/0x2100 kernel/signal.c:2773
 arch_do_signal_or_restart+0x2a8/0x1eb0 arch/x86/kernel/signal.c:811
 handle_signal_work kernel/entry/common.c:147 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
 exit_to_user_mode_prepare+0x148/0x250 kernel/entry/common.c:208
 __syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline]
 syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:301
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x465f69
Code: Unable to access opcode bytes at RIP 0x465f3f.
RSP: 002b:00007fb02301d218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: 0000000000000001 RBX: 000000000056c010 RCX: 0000000000465f69
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 000000000056c014
RBP: 000000000056c008 R08: 000000000000000e R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056c014
R13: 00007ffc47c39d5f R14: 00007fb02301d300 R15: 0000000000022000
================================================================================