================================================================================ UBSAN: shift-out-of-bounds in net/core/gen_estimator.c:83:38 shift exponent -2 is negative CPU: 1 PID: 3014 Comm: syz-executor.5 Not tainted 5.11.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x107/0x163 lib/dump_stack.c:120 ubsan_epilogue+0xb/0x5a lib/ubsan.c:148 __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:395 est_timer.cold+0xbb/0x12d net/core/gen_estimator.c:83 call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1417 expire_timers kernel/time/timer.c:1462 [inline] __run_timers.part.0+0x67c/0xa50 kernel/time/timer.c:1731 __run_timers kernel/time/timer.c:1712 [inline] run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1744 __do_softirq+0x2bc/0xa29 kernel/softirq.c:343 asm_call_irq_on_stack+0xf/0x20 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline] run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline] do_softirq_own_stack+0xaa/0xd0 arch/x86/kernel/irq_64.c:77 do_softirq kernel/softirq.c:246 [inline] do_softirq+0xb5/0xe0 kernel/softirq.c:233 __local_bh_enable_ip+0xf4/0x110 kernel/softirq.c:196 local_bh_enable include/linux/bottom_half.h:32 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:737 [inline] ip6_finish_output2+0x71f/0x16c0 net/ipv6/ip6_output.c:118 __ip6_finish_output net/ipv6/ip6_output.c:182 [inline] __ip6_finish_output+0x4c1/0xe10 net/ipv6/ip6_output.c:161 ip6_finish_output+0x35/0x200 net/ipv6/ip6_output.c:192 NF_HOOK_COND include/linux/netfilter.h:290 [inline] ip6_output+0x1db/0x520 net/ipv6/ip6_output.c:215 dst_output include/net/dst.h:441 [inline] NF_HOOK include/linux/netfilter.h:301 [inline] NF_HOOK include/linux/netfilter.h:295 [inline] ip6_xmit+0x127e/0x1eb0 net/ipv6/ip6_output.c:319 inet6_csk_xmit+0x358/0x630 net/ipv6/inet6_connection_sock.c:135 __tcp_transmit_skb+0x188c/0x38f0 net/ipv4/tcp_output.c:1405 tcp_transmit_skb net/ipv4/tcp_output.c:1423 [inline] tcp_write_xmit+0xde7/0x6140 net/ipv4/tcp_output.c:2689 __tcp_push_pending_frames+0xaa/0x390 net/ipv4/tcp_output.c:2869 tcp_push_pending_frames include/net/tcp.h:1867 [inline] tcp_data_snd_check net/ipv4/tcp_input.c:5393 [inline] tcp_rcv_established+0x8c9/0x1eb0 net/ipv4/tcp_input.c:5888 tcp_v6_do_rcv+0x41d/0x12b0 net/ipv6/tcp_ipv6.c:1482 sk_backlog_rcv include/net/sock.h:1016 [inline] __release_sock+0x134/0x3a0 net/core/sock.c:2542 release_sock+0x54/0x1b0 net/core/sock.c:3066 sk_stream_wait_memory+0x608/0xed0 net/core/stream.c:145 tcp_sendmsg_locked+0x1072/0x2e40 net/ipv4/tcp.c:1419 tcp_sendmsg+0x2b/0x40 net/ipv4/tcp.c:1459 inet6_sendmsg+0x99/0xe0 net/ipv6/af_inet6.c:638 sock_sendmsg_nosec net/socket.c:652 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:672 __sys_sendto+0x21c/0x320 net/socket.c:1975 __do_sys_sendto net/socket.c:1987 [inline] __se_sys_sendto net/socket.c:1983 [inline] __x64_sys_sendto+0xdd/0x1b0 net/socket.c:1983 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x45e219 Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f820603fc68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 000000000045e219 RDX: 00000000fffffdef RSI: 0000000020000080 RDI: 0000000000000003 RBP: 000000000119c128 R08: 0000000000000000 R09: 000000000e000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000119c0dc R13: 00007ffceb22f14f R14: 00007f82060409c0 R15: 000000000119c0dc ================================================================================