nla_parse: 1 callbacks suppressed netlink: 24 bytes leftover after parsing attributes in process `syz-executor.4'. ================================================================================ UBSAN: Undefined behaviour in net/sched/cls_tcindex.c:238:29 shift exponent 28560 is too large for 32-bit type 'int' CPU: 1 PID: 14185 Comm: syz-executor.4 Not tainted 4.19.148-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x22c/0x33e lib/dump_stack.c:118 ubsan_epilogue+0xe/0x3a lib/ubsan.c:161 __ubsan_handle_shift_out_of_bounds.cold+0x1c4/0x250 lib/ubsan.c:422 valid_perfect_hash net/sched/cls_tcindex.c:238 [inline] tcindex_set_parms.cold+0x170/0x22f net/sched/cls_tcindex.c:398 tcindex_change+0x220/0x2f3 net/sched/cls_tcindex.c:518 tc_new_tfilter+0xb38/0x1570 net/sched/cls_api.c:1320 rtnetlink_rcv_msg+0x498/0xc10 net/core/rtnetlink.c:4778 netlink_rcv_skb+0x160/0x440 net/netlink/af_netlink.c:2455 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x4d5/0x690 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x717/0xcc0 net/netlink/af_netlink.c:1909 sock_sendmsg_nosec net/socket.c:622 [inline] sock_sendmsg+0xc7/0x130 net/socket.c:632 ___sys_sendmsg+0x3b3/0x8f0 net/socket.c:2115 __sys_sendmmsg+0x195/0x470 net/socket.c:2210 __do_sys_sendmmsg net/socket.c:2239 [inline] __se_sys_sendmmsg net/socket.c:2236 [inline] __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2236 do_syscall_64+0xf9/0x670 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x45dd99 Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fe5315a6c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 RAX: ffffffffffffffda RBX: 0000000000027f40 RCX: 000000000045dd99 RDX: 010efe10675dec16 RSI: 0000000020000200 RDI: 0000000000000005 RBP: 000000000118c010 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bfd4 R13: 00007ffce8cb73ef R14: 00007fe5315a79c0 R15: 000000000118bfd4 ================================================================================ netlink: 'syz-executor.5': attribute type 5 has an invalid length. device team_slave_0 entered promiscuous mode device team_slave_1 entered promiscuous mode device macsec1 entered promiscuous mode device team0 entered promiscuous mode device team0 left promiscuous mode device team_slave_0 left promiscuous mode device team_slave_1 left promiscuous mode netlink: 24 bytes leftover after parsing attributes in process `syz-executor.4'. netlink: 12 bytes leftover after parsing attributes in process `syz-executor.2'. syz-executor.4 (14265) used greatest stack depth: 22896 bytes left bridge0: port 3(bond1) entered blocking state bridge0: port 3(bond1) entered disabled state device bond1 entered promiscuous mode netlink: 12 bytes leftover after parsing attributes in process `syz-executor.2'. netlink: 4 bytes leftover after parsing attributes in process `syz-executor.2'. bridge1: port 1(syz_tun) entered blocking state bridge1: port 1(syz_tun) entered disabled state SELinux: unrecognized netlink message: protocol=0 nlmsg_type=106 sclass=netlink_route_socket pid=14364 comm=syz-executor.3 device syz_tun entered promiscuous mode bridge1: port 1(syz_tun) entered blocking state bridge1: port 1(syz_tun) entered forwarding state device syz_tun left promiscuous mode bridge1: port 1(syz_tun) entered disabled state ptrace attach of "/root/syz-executor.2"[14428] was attempted by "/root/syz-executor.2"[14429] EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue kauditd_printk_skb: 6 callbacks suppressed audit: type=1804 audit(1601441600.576:54): pid=14469 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=open_writers comm="syz-executor.1" name="bus" dev="sda1" ino=16714 res=1 audit: type=1804 audit(1601441600.626:55): pid=14469 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=open_writers comm="syz-executor.1" name="bus" dev="sda1" ino=16714 res=1 ptrace attach of "/root/syz-executor.5"[14485] was attempted by "/root/syz-executor.5"[14486] ********************************************************** ** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE ** ** ** ** trace_printk() being used. Allocating extra memory. ** ** ** ** This means that this is a DEBUG kernel and it is ** audit: type=1804 audit(1601441602.266:56): pid=14559 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=open_writers comm="syz-executor.4" name="/root/syzkaller-testdir561964354/syzkaller.qUDaBI/1302/bus" dev="sda1" ino=16727 res=1 ** unsafe for production use. ** ** ** ** If you see this message and you are not debugging ** audit: type=1804 audit(1601441602.366:57): pid=14563 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=ToMToU comm="syz-executor.4" name="/root/syzkaller-testdir561964354/syzkaller.qUDaBI/1302/bus" dev="sda1" ino=16727 res=1 ** the kernel, report this immediately to your vendor! ** ** ** ** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE ** ********************************************************** audit: type=1804 audit(1601441602.636:58): pid=14554 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=open_writers comm="syz-executor.4" name="/root/syzkaller-testdir561964354/syzkaller.qUDaBI/1302/bus" dev="sda1" ino=16727 res=1 audit: type=1804 audit(1601441602.646:59): pid=14554 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=ToMToU comm="syz-executor.4" name="/root/syzkaller-testdir561964354/syzkaller.qUDaBI/1302/bus" dev="sda1" ino=16727 res=1 xt_CT: netfilter: NOTRACK target is deprecated, use CT instead or upgrade iptables audit: type=1400 audit(1601441603.616:60): avc: denied { create } for pid=14613 comm="syz-executor.3" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dccp_socket permissive=1 rtc_cmos 00:00: Alarms can be up to one day in the future rtc_cmos 00:00: Alarms can be up to one day in the future rtc_cmos 00:00: Alarms can be up to one day in the future rtc_cmos 00:00: Alarms can be up to one day in the future rtc_cmos 00:00: Alarms can be up to one day in the future rtc rtc0: __rtc_set_alarm: err=-22 rtc_cmos 00:00: Alarms can be up to one day in the future audit: type=1800 audit(1601441604.636:61): pid=14657 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="syz-executor.1" name="bus" dev="sda1" ino=16433 res=0 audit: type=1800 audit(1601441604.716:62): pid=14662 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="syz-executor.1" name="bus" dev="sda1" ino=16433 res=0 rtc_cmos 00:00: Alarms can be up to one day in the future rtc_cmos 00:00: Alarms can be up to one day in the future rtc_cmos 00:00: Alarms can be up to one day in the future rtc_cmos 00:00: Alarms can be up to one day in the future audit: type=1400 audit(1601441605.176:63): avc: denied { sys_admin } for pid=14689 comm="syz-executor.3" capability=21 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=cap_userns permissive=1 rtc rtc0: __rtc_set_alarm: err=-22