================================================================================ UBSAN: Undefined behaviour in net/netfilter/ipset/ip_set_hash_gen.h:125:6 shift exponent 32 is too large for 32-bit type 'unsigned int' CPU: 0 PID: 8822 Comm: syz-executor.0 Not tainted 4.19.148-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x22c/0x33e lib/dump_stack.c:118 ubsan_epilogue+0xe/0x3a lib/ubsan.c:161 __ubsan_handle_shift_out_of_bounds.cold+0x1c4/0x250 lib/ubsan.c:422 htable_bits net/netfilter/ipset/ip_set_hash_gen.h:125 [inline] hash_netnet_create.cold+0x1a/0x22 net/netfilter/ipset/ip_set_hash_gen.h:1290 ip_set_create+0x70e/0x1380 net/netfilter/ipset/ip_set_core.c:940 nfnetlink_rcv_msg+0xeff/0x1210 net/netfilter/nfnetlink.c:233 netlink_rcv_skb+0x160/0x440 net/netlink/af_netlink.c:2455 nfnetlink_rcv+0x1b2/0x41b net/netfilter/nfnetlink.c:565 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x4d5/0x690 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x717/0xcc0 net/netlink/af_netlink.c:1909 sock_sendmsg_nosec net/socket.c:622 [inline] sock_sendmsg+0xc7/0x130 net/socket.c:632 ___sys_sendmsg+0x7bb/0x8f0 net/socket.c:2115 __sys_sendmsg net/socket.c:2153 [inline] __do_sys_sendmsg net/socket.c:2162 [inline] __se_sys_sendmsg net/socket.c:2160 [inline] __x64_sys_sendmsg+0x132/0x220 net/socket.c:2160 do_syscall_64+0xf9/0x670 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x45e179 Code: 3d b2 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 0b b2 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fba8146ac78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000029b40 RCX: 000000000045e179 RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000003 RBP: 000000000118cf80 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118cf4c R13: 00007ffc21bb4b9f R14: 00007fba8146b9c0 R15: 000000000118cf4c ================================================================================ SELinux: unrecognized netlink message: protocol=0 nlmsg_type=105 sclass=netlink_route_socket pid=8823 comm=syz-executor.4 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=105 sclass=netlink_route_socket pid=8823 comm=syz-executor.4 L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details. A link change request failed with some changes committed already. Interface syz_tun may have been left with an inconsistent configuration, please check. netlink: 24 bytes leftover after parsing attributes in process `syz-executor.4'. nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead. audit: type=1800 audit(1601223625.706:17): pid=8992 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="syz-executor.4" name="file0" dev="sda1" ino=15821 res=0 audit: type=1800 audit(1601223625.726:18): pid=8992 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="syz-executor.4" name="file0" dev="sda1" ino=15821 res=0 Dev loop0: unable to read RDB block 3 loop0: unable to read partition table loop0: partition table beyond EOD, truncated loop_reread_partitions: partition scan of loop0 () failed (rc=-5) audit: type=1400 audit(1601223625.976:19): avc: denied { sys_admin } for pid=9018 comm="syz-executor.5" capability=21 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=cap_userns permissive=1 IPVS: ftp: loaded support on port[0] = 21 Dev loop0: unable to read RDB block 3 loop0: unable to read partition table loop0: partition table beyond EOD, truncated loop_reread_partitions: partition scan of loop0 () failed (rc=-5) FAT-fs (loop1): bogus number of reserved sectors FAT-fs (loop1): Can't find a valid FAT filesystem FAT-fs (loop1): bogus number of reserved sectors FAT-fs (loop1): Can't find a valid FAT filesystem IPVS: ftp: loaded support on port[0] = 21 FAT-fs (loop1): bogus number of reserved sectors FAT-fs (loop1): Can't find a valid FAT filesystem netlink: 'syz-executor.0': attribute type 5 has an invalid length. device gretap0 entered promiscuous mode device gretap0 left promiscuous mode FAT-fs (loop1): bogus number of reserved sectors FAT-fs (loop1): Can't find a valid FAT filesystem audit: type=1804 audit(1601223627.726:20): pid=9292 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=open_writers comm="syz-executor.3" name="/root/syzkaller-testdir911857662/syzkaller.bMbFdm/53/bus" dev="sda1" ino=15848 res=1 audit: type=1804 audit(1601223627.756:21): pid=9292 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=open_writers comm="syz-executor.3" name="/root/syzkaller-testdir911857662/syzkaller.bMbFdm/53/bus" dev="sda1" ino=15848 res=1 nla_parse: 1 callbacks suppressed netlink: 24 bytes leftover after parsing attributes in process `syz-executor.4'. netlink: 24 bytes leftover after parsing attributes in process `syz-executor.4'. netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'. netlink: 'syz-executor.4': attribute type 5 has an invalid length. device gretap0 entered promiscuous mode device gretap0 left promiscuous mode netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'. netlink: 'syz-executor.4': attribute type 5 has an invalid length. device gretap0 entered promiscuous mode device gretap0 left promiscuous mode netlink: 24 bytes leftover after parsing attributes in process `syz-executor.2'. TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters. netlink: 24 bytes leftover after parsing attributes in process `syz-executor.2'. audit: type=1326 audit(1601223630.626:22): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=9770 comm="syz-executor.5" exe="/root/syz-executor.5" sig=31 arch=c000003e syscall=228 compat=0 ip=0x460fba code=0x0 audit: type=1400 audit(1601223630.836:23): avc: denied { set_context_mgr } for pid=9802 comm="syz-executor.0" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=binder permissive=1 binder: 9802:9803 ioctl c0306201 20000180 returned -22 audit: type=1326 audit(1601223631.416:24): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=9770 comm="syz-executor.5" exe="/root/syz-executor.5" sig=31 arch=c000003e syscall=228 compat=0 ip=0x460fba code=0x0 netlink: 60 bytes leftover after parsing attributes in process `syz-executor.4'. print_req_error: I/O error, dev loop5, sector 18446744069414584384 netlink: 12 bytes leftover after parsing attributes in process `syz-executor.4'. isofs_fill_super: bread failed, dev=loop5, iso_blknum=1073741840, block=-2147483616 print_req_error: I/O error, dev loop5, sector 18446744069414584384 isofs_fill_super: bread failed, dev=loop5, iso_blknum=1073741840, block=-2147483616 netlink: 8 bytes leftover after parsing attributes in process `syz-executor.3'. IPv6: addrconf: prefix option has invalid lifetime BTRFS: device fsid 1a04a925-3b50-48a8-a78e-465f3f987efb devid 1 transid 5 /dev/loop1 IPv6: addrconf: prefix option has invalid lifetime BTRFS info (device loop1): setting nodatasum BTRFS info (device loop1): disk space caching is enabled IPv6: NLM_F_CREATE should be specified when creating new route BTRFS info (device loop1): has skinny extents attempt to access beyond end of device loop1: rw=4096, want=2064, limit=267 BTRFS error (device loop1): failed to read chunk root BTRFS error (device loop1): open_ctree failed overlayfs: fs on './file0' does not support file handles, falling back to index=off,nfs_export=off. BTRFS info (device loop1): setting nodatasum BTRFS info (device loop1): disk space caching is enabled BTRFS info (device loop1): has skinny extents BTRFS error (device loop1): open_ctree failed overlayfs: filesystem on './bus' not supported as upperdir netlink: 292 bytes leftover after parsing attributes in process `syz-executor.1'.