audit: type=1804 audit(1601739115.372:14): pid=8139 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=open_writers comm="syz-executor.4" name="/root/syzkaller-testdir644684926/syzkaller.9MFvNp/5/file0/bus" dev="ramfs" ino=29479 res=1
L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details.
================================================================================
UBSAN: Undefined behaviour in net/netfilter/ipset/ip_set_hash_gen.h:125:6
shift exponent 32 is too large for 32-bit type 'unsigned int'
CPU: 0 PID: 8141 Comm: syz-executor.0 Not tainted 4.19.149-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x22c/0x33e lib/dump_stack.c:118
 ubsan_epilogue+0xe/0x3a lib/ubsan.c:161
 __ubsan_handle_shift_out_of_bounds.cold+0x1c4/0x250 lib/ubsan.c:422
 htable_bits net/netfilter/ipset/ip_set_hash_gen.h:125 [inline]
 hash_ipmark_create.cold+0x19/0x27 net/netfilter/ipset/ip_set_hash_gen.h:1290
 ip_set_create+0x70e/0x1380 net/netfilter/ipset/ip_set_core.c:940
 nfnetlink_rcv_msg+0xeff/0x1210 net/netfilter/nfnetlink.c:233
 netlink_rcv_skb+0x160/0x440 net/netlink/af_netlink.c:2455
 nfnetlink_rcv+0x1b2/0x41b net/netfilter/nfnetlink.c:565
 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
 netlink_unicast+0x4d5/0x690 net/netlink/af_netlink.c:1344
 netlink_sendmsg+0x717/0xcc0 net/netlink/af_netlink.c:1909
 sock_sendmsg_nosec net/socket.c:622 [inline]
 sock_sendmsg+0xc7/0x130 net/socket.c:632
 ___sys_sendmsg+0x7bb/0x8f0 net/socket.c:2115
 __sys_sendmsg net/socket.c:2153 [inline]
 __do_sys_sendmsg net/socket.c:2162 [inline]
 __se_sys_sendmsg net/socket.c:2160 [inline]
 __x64_sys_sendmsg+0x132/0x220 net/socket.c:2160
 do_syscall_64+0xf9/0x670 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45dea9
Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fa324c17c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000029b40 RCX: 000000000045dea9
RDX: 0000000000000000 RSI: 0000000020000200 RDI: 0000000000000003
RBP: 000000000118bf60 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bf2c
R13: 00007ffffcb4be2f R14: 00007fa324c189c0 R15: 000000000118bf2c
================================================================================
audit: type=1800 audit(1601739116.752:15): pid=8173 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="syz-executor.4" name="bus" dev="sda1" ino=15799 res=0
audit: type=1800 audit(1601739116.782:16): pid=8173 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="syz-executor.4" name="bus" dev="sda1" ino=15799 res=0
audit: type=1800 audit(1601739116.902:17): pid=8180 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="syz-executor.4" name="bus" dev="sda1" ino=15810 res=0
audit: type=1800 audit(1601739116.912:18): pid=8180 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="syz-executor.4" name="bus" dev="sda1" ino=15810 res=0
syz-executor.4 (8194) used greatest stack depth: 23872 bytes left
audit: type=1800 audit(1601739117.132:19): pid=8194 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="syz-executor.4" name="bus" dev="sda1" ino=15799 res=0
audit: type=1800 audit(1601739117.162:20): pid=8194 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="syz-executor.4" name="bus" dev="sda1" ino=15799 res=0
netlink: 92 bytes leftover after parsing attributes in process `syz-executor.4'.
netlink: 92 bytes leftover after parsing attributes in process `syz-executor.4'.
audit: type=1800 audit(1601739119.762:21): pid=8303 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="syz-executor.4" name="bus" dev="sda1" ino=15799 res=0
audit: type=1800 audit(1601739119.802:22): pid=8303 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="syz-executor.4" name="bus" dev="sda1" ino=15799 res=0
syz-executor.5 (8299) used greatest stack depth: 23344 bytes left
audit: type=1800 audit(1601739120.542:23): pid=8348 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="syz-executor.4" name="bus" dev="sda1" ino=15810 res=0
audit: type=1800 audit(1601739120.562:24): pid=8348 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="syz-executor.4" name="bus" dev="sda1" ino=15810 res=0
device team0 entered promiscuous mode
device team_slave_0 entered promiscuous mode
device team_slave_1 entered promiscuous mode
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'.
netlink: 36 bytes leftover after parsing attributes in process `syz-executor.3'.
netlink: 36 bytes leftover after parsing attributes in process `syz-executor.3'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'.
netlink: 36 bytes leftover after parsing attributes in process `syz-executor.3'.
netlink: 36 bytes leftover after parsing attributes in process `syz-executor.3'.
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
================================================================================
UBSAN: Undefined behaviour in ./include/net/red.h:272:18
shift exponent 113 is too large for 64-bit type 'long unsigned int'
CPU: 1 PID: 8560 Comm: syz-executor.0 Not tainted 4.19.149-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x22c/0x33e lib/dump_stack.c:118
 ubsan_epilogue+0xe/0x3a lib/ubsan.c:161
 __ubsan_handle_shift_out_of_bounds.cold+0x1c4/0x250 lib/ubsan.c:422
 red_calc_qavg_from_idle_time include/net/red.h:272 [inline]
 red_calc_qavg include/net/red.h:313 [inline]
 choke_enqueue+0x2a7e/0x2cc0 net/sched/sch_choke.c:231
 __dev_xmit_skb net/core/dev.c:3494 [inline]
 __dev_queue_xmit+0x14e1/0x2ec0 net/core/dev.c:3807
 neigh_hh_output include/net/neighbour.h:491 [inline]
 neigh_output include/net/neighbour.h:499 [inline]
 ip_finish_output2+0xc04/0x1640 net/ipv4/ip_output.c:230
 ip_finish_output+0x88e/0xd80 net/ipv4/ip_output.c:318
 NF_HOOK_COND include/linux/netfilter.h:278 [inline]
 ip_output+0x203/0x650 net/ipv4/ip_output.c:406
 dst_output include/net/dst.h:455 [inline]
 ip_local_out+0xaf/0x170 net/ipv4/ip_output.c:125
 iptunnel_xmit+0x63e/0xa30 net/ipv4/ip_tunnel_core.c:91
 geneve_xmit_skb drivers/net/geneve.c:865 [inline]
 geneve_xmit+0xf46/0x2ac0 drivers/net/geneve.c:938
 __netdev_start_xmit include/linux/netdevice.h:4333 [inline]
 netdev_start_xmit include/linux/netdevice.h:4347 [inline]
 xmit_one net/core/dev.c:3256 [inline]
 dev_hard_start_xmit+0x1a8/0x960 net/core/dev.c:3272
 __dev_queue_xmit+0x276a/0x2ec0 net/core/dev.c:3838
 neigh_hh_output include/net/neighbour.h:491 [inline]
 neigh_output include/net/neighbour.h:499 [inline]
 ip6_finish_output2+0xe78/0x2370 net/ipv6/ip6_output.c:120
 ip6_finish_output+0x610/0xcc0 net/ipv6/ip6_output.c:154
 NF_HOOK_COND include/linux/netfilter.h:278 [inline]
 ip6_output+0x205/0x7c0 net/ipv6/ip6_output.c:171
 dst_output include/net/dst.h:455 [inline]
 NF_HOOK include/linux/netfilter.h:289 [inline]
 ndisc_send_skb+0xa6b/0x1860 net/ipv6/ndisc.c:491
 ndisc_send_rs+0x131/0x6a0 net/ipv6/ndisc.c:685
 addrconf_rs_timer+0x2d9/0x640 net/ipv6/addrconf.c:3834
 call_timer_fn+0x177/0x760 kernel/time/timer.c:1338
 expire_timers+0x243/0x500 kernel/time/timer.c:1375
 __run_timers kernel/time/timer.c:1703 [inline]
 run_timer_softirq+0x259/0x730 kernel/time/timer.c:1716
 __do_softirq+0x27d/0xad2 kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:372 [inline]
 irq_exit+0x22d/0x270 kernel/softirq.c:412
 exiting_irq arch/x86/include/asm/apic.h:544 [inline]
 smp_apic_timer_interrupt+0x15f/0x5d0 arch/x86/kernel/apic/apic.c:1094
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:894
 </IRQ>
RIP: 0010:__vmcs_readl arch/x86/kvm/vmx.c:2305 [inline]
RIP: 0010:vmcs_read32 arch/x86/kvm/vmx.c:2323 [inline]
RIP: 0010:vmx_read_guest_seg_ar+0x15f/0x2f0 arch/x86/kvm/vmx.c:2541
Code: 38 d0 7c 08 84 d2 0f 85 47 01 00 00 48 89 e8 48 c1 e0 04 44 8b a0 4c 26 04 88 0f 1f 44 00 00 e8 17 aa 55 00 4c 89 e2 0f 78 d0 <eb> 05 e8 7a 2f ef ff 41 89 c4 e8 02 aa 55 00 48 8d 44 6d 00 48 8d
RSP: 0018:ffff88804b6c7470 EFLAGS: 00000202 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000093 RBX: ffff888041ee0100 RCX: ffffc90005b34000
RDX: 0000000000004818 RSI: ffffffff811c2849 RDI: ffffffff8804266c
RBP: 0000000000000002 R08: ffff888041ee3a08 R09: 0000000000000000
R10: 0000000000000005 R11: 0000000000000001 R12: 0000000000004818
R13: 0000000000000000 R14: 0000000000100000 R15: ffff888041ee3a08
 vmx_get_cpl+0x57/0x90 arch/x86/kvm/vmx.c:5448
 kvm_fetch_guest_virt+0x5b/0x1a0 arch/x86/kvm/x86.c:5022
 __do_insn_fetch_bytes+0x2ec/0x690 arch/x86/kvm/emulate.c:896
 x86_decode_insn+0x19d2/0x5290 arch/x86/kvm/emulate.c:5119
 x86_emulate_instruction+0x94e/0x1dd0 arch/x86/kvm/x86.c:6349
 kvm_emulate_instruction arch/x86/kvm/x86.c:6464 [inline]
 handle_ud+0xc8/0x2b0 arch/x86/kvm/x86.c:5161