================================================================================ UBSAN: shift-out-of-bounds in net/sched/sch_api.c:580:10 shift exponent 95 is too large for 32-bit type 'int' CPU: 0 PID: 18085 Comm: syz-executor.3 Not tainted 5.15.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 ubsan_epilogue+0xb/0x5a lib/ubsan.c:151 __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:330 __qdisc_calculate_pkt_len.cold+0x1b/0xcf net/sched/sch_api.c:580 qdisc_calculate_pkt_len include/net/sch_generic.h:841 [inline] __dev_xmit_skb net/core/dev.c:3788 [inline] __dev_queue_xmit+0x115c/0x36e0 net/core/dev.c:4172 neigh_resolve_output net/core/neighbour.c:1492 [inline] neigh_resolve_output+0x50e/0x820 net/core/neighbour.c:1472 neigh_output include/net/neighbour.h:510 [inline] ip_finish_output2+0x813/0x2140 net/ipv4/ip_output.c:221 __ip_finish_output net/ipv4/ip_output.c:299 [inline] __ip_finish_output+0x396/0x640 net/ipv4/ip_output.c:281 ip_finish_output+0x32/0x200 net/ipv4/ip_output.c:309 NF_HOOK_COND include/linux/netfilter.h:296 [inline] ip_output+0x196/0x310 net/ipv4/ip_output.c:423 dst_output include/net/dst.h:450 [inline] ip_local_out+0xaf/0x1a0 net/ipv4/ip_output.c:126 igmpv3_send_cr net/ipv4/igmp.c:719 [inline] igmp_ifc_timer_expire+0x75b/0xf80 net/ipv4/igmp.c:808 call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1421 expire_timers kernel/time/timer.c:1466 [inline] __run_timers.part.0+0x675/0xa20 kernel/time/timer.c:1734 __run_timers kernel/time/timer.c:1715 [inline] run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1747 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558 invoke_softirq kernel/softirq.c:432 [inline] __irq_exit_rcu+0x123/0x180 kernel/softirq.c:636 irq_exit_rcu+0x5/0x20 kernel/softirq.c:648 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638 RIP: 0010:lock_acquire+0x1ef/0x510 kernel/locking/lockdep.c:5593 Code: 93 a6 7e 83 f8 01 0f 85 b4 02 00 00 9c 58 f6 c4 02 0f 85 9f 02 00 00 48 83 7c 24 08 00 74 01 fb 48 b8 00 00 00 00 00 fc ff df <48> 01 c3 48 c7 03 00 00 00 00 48 c7 43 08 00 00 00 00 48 8b 84 24 RSP: 0018:ffffc9000458f020 EFLAGS: 00000206 RAX: dffffc0000000000 RBX: 1ffff920008b1e06 RCX: ffffffff815b145f RDX: 1ffff110068acbee RSI: 0000000000000001 RDI: 0000000000000000 RBP: 0000000000000001 R08: 0000000000000000 R09: ffffffff8fcfe937 R10: fffffbfff1f9fd26 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: ffff888089876438 R15: 0000000000000000 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:154 spin_lock include/linux/spinlock.h:363 [inline] follow_page_pte+0x193/0xc60 mm/gup.c:491 follow_pmd_mask mm/gup.c:706 [inline] follow_pud_mask mm/gup.c:751 [inline] follow_p4d_mask mm/gup.c:777 [inline] follow_page_mask+0xb9e/0x1520 mm/gup.c:836 __get_user_pages+0x439/0xf80 mm/gup.c:1156 __get_user_pages_locked mm/gup.c:1343 [inline] get_user_pages_unlocked+0x1b3/0x760 mm/gup.c:2067 __gup_longterm_unlocked mm/gup.c:2646 [inline] internal_get_user_pages_fast+0x1550/0x25a0 mm/gup.c:2734 get_user_pages_fast+0x66/0xa0 mm/gup.c:2826 iov_iter_get_pages+0x163/0xe30 lib/iov_iter.c:1488 __bio_iov_iter_get_pages block/bio.c:1103 [inline] bio_iov_iter_get_pages block/bio.c:1214 [inline] bio_iov_iter_get_pages+0x1f8/0x1900 block/bio.c:1200 iomap_dio_bio_iter+0x975/0x1270 fs/iomap/direct-io.c:317 iomap_dio_iter fs/iomap/direct-io.c:421 [inline] __iomap_dio_rw+0x863/0x1980 fs/iomap/direct-io.c:569 iomap_dio_rw+0x30/0x90 fs/iomap/direct-io.c:649 ext4_dio_read_iter fs/ext4/file.c:77 [inline] ext4_file_read_iter+0x419/0x5d0 fs/ext4/file.c:128 call_read_iter include/linux/fs.h:2157 [inline] do_iter_readv_writev+0x56d/0x750 fs/read_write.c:727 do_iter_read+0x2f8/0x760 fs/read_write.c:790 vfs_readv+0xe5/0x150 fs/read_write.c:910 do_preadv fs/read_write.c:1002 [inline] __do_sys_preadv fs/read_write.c:1052 [inline] __se_sys_preadv fs/read_write.c:1047 [inline] __x64_sys_preadv+0x231/0x310 fs/read_write.c:1047 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7fb6f8892709 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fb6f5de8188 EFLAGS: 00000246 ORIG_RAX: 0000000000000127 RAX: ffffffffffffffda RBX: 00007fb6f8997020 RCX: 00007fb6f8892709 RDX: 0000000000000003 RSI: 0000000020000040 RDI: 0000000000000004 RBP: 00007fb6f88eccb4 R08: 0000000000000000 R09: 0000000000000000 R10: 000000000003f200 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffc8fe1269f R14: 00007fb6f5de8300 R15: 0000000000022000 ================================================================================ ---------------- Code disassembly (best guess): 0: 93 xchg %eax,%ebx 1: a6 cmpsb %es:(%rdi),%ds:(%rsi) 2: 7e 83 jle 0xffffff87 4: f8 clc 5: 01 0f add %ecx,(%rdi) 7: 85 b4 02 00 00 9c 58 test %esi,0x589c0000(%rdx,%rax,1) e: f6 c4 02 test $0x2,%ah 11: 0f 85 9f 02 00 00 jne 0x2b6 17: 48 83 7c 24 08 00 cmpq $0x0,0x8(%rsp) 1d: 74 01 je 0x20 1f: fb sti 20: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax 27: fc ff df * 2a: 48 01 c3 add %rax,%rbx <-- trapping instruction 2d: 48 c7 03 00 00 00 00 movq $0x0,(%rbx) 34: 48 c7 43 08 00 00 00 movq $0x0,0x8(%rbx) 3b: 00 3c: 48 rex.W 3d: 8b .byte 0x8b 3e: 84 .byte 0x84 3f: 24 .byte 0x24