ubi0: attaching mtd0
ubi0: scanning is finished
================================================================================
UBSAN: Undefined behaviour in net/netfilter/ipset/ip_set_hash_gen.h:125:6
shift exponent 32 is too large for 32-bit type 'unsigned int'
CPU: 1 PID: 30080 Comm: syz-executor.1 Not tainted 4.19.149-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x22c/0x33e lib/dump_stack.c:118
 ubsan_epilogue+0xe/0x3a lib/ubsan.c:161
 __ubsan_handle_shift_out_of_bounds.cold+0x1c4/0x250 lib/ubsan.c:422
 htable_bits net/netfilter/ipset/ip_set_hash_gen.h:125 [inline]
 hash_ipmark_create.cold+0x19/0x27 net/netfilter/ipset/ip_set_hash_gen.h:1290
 ip_set_create+0x70e/0x1380 net/netfilter/ipset/ip_set_core.c:940
 nfnetlink_rcv_msg+0xeff/0x1210 net/netfilter/nfnetlink.c:233
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.5'.
 netlink_rcv_skb+0x160/0x440 net/netlink/af_netlink.c:2455
 nfnetlink_rcv+0x1b2/0x41b net/netfilter/nfnetlink.c:565
 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
 netlink_unicast+0x4d5/0x690 net/netlink/af_netlink.c:1344
 netlink_sendmsg+0x717/0xcc0 net/netlink/af_netlink.c:1909
 sock_sendmsg_nosec net/socket.c:622 [inline]
 sock_sendmsg+0xc7/0x130 net/socket.c:632
 sock_no_sendpage+0xf5/0x140 net/core/sock.c:2668
 kernel_sendpage net/socket.c:3378 [inline]
 sock_sendpage+0xdf/0x140 net/socket.c:847
 pipe_to_sendpage+0x268/0x330 fs/splice.c:452
 splice_from_pipe_feed fs/splice.c:503 [inline]
 __splice_from_pipe+0x3af/0x820 fs/splice.c:627
 splice_from_pipe fs/splice.c:662 [inline]
 generic_splice_sendpage+0xd4/0x140 fs/splice.c:833
 do_splice_from fs/splice.c:852 [inline]
 do_splice fs/splice.c:1154 [inline]
 __do_sys_splice fs/splice.c:1428 [inline]
 __se_sys_splice+0xf31/0x15f0 fs/splice.c:1408
 do_syscall_64+0xf9/0x670 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45de29
Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fd5ea138c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 00000000000350c0 RCX: 000000000045de29
RDX: 0000000000000004 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 000000000118bf78 R08: 0000000100000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bf2c
R13: 00007fff7eb2154f R14: 00007fd5ea1399c0 R15: 000000000118bf2c
================================================================================
ubi0: attached mtd0 (name "mtdram test device", size 0 MiB)
ubi0: PEB size: 4096 bytes (4 KiB), LEB size: 3968 bytes
ubi0: min./max. I/O unit sizes: 1/64, sub-page size 1
ubi0: VID header offset: 64 (aligned 64), data offset: 128
ubi0: good PEBs: 32, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 0, internal volumes: 1, max. volumes count: 23
ubi0: max/mean erase counter: 1/1, WL threshold: 4096, image sequence number: 2231913724
ubi0: available PEBs: 28, total reserved PEBs: 4, PEBs reserved for bad PEB handling: 0
ubi0: background thread "ubi_bgt0d" started, PID 30082
ubi0: detaching mtd0
ubi0: mtd0 is detached
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.5'.
ubi0: attaching mtd0
ubi0: scanning is finished
print_req_error: I/O error, dev loop6, sector 0
Buffer I/O error on dev loop6, logical block 0, lost async page write
print_req_error: I/O error, dev loop6, sector 8
Buffer I/O error on dev loop6, logical block 1, lost async page write
print_req_error: I/O error, dev loop6, sector 16
ubi0: attached mtd0 (name "mtdram test device", size 0 MiB)
Buffer I/O error on dev loop6, logical block 2, lost async page write
print_req_error: I/O error, dev loop6, sector 24
Buffer I/O error on dev loop6, logical block 3, lost async page write
print_req_error: I/O error, dev loop6, sector 32
Buffer I/O error on dev loop6, logical block 4, lost async page write
print_req_error: I/O error, dev loop6, sector 40
Buffer I/O error on dev loop6, logical block 5, lost async page write
print_req_error: I/O error, dev loop6, sector 48
Buffer I/O error on dev loop6, logical block 6, lost async page write
print_req_error: I/O error, dev loop6, sector 56
Buffer I/O error on dev loop6, logical block 7, lost async page write
print_req_error: I/O error, dev loop6, sector 64
Buffer I/O error on dev loop6, logical block 8, lost async page write
print_req_error: I/O error, dev loop6, sector 72
ubi0: PEB size: 4096 bytes (4 KiB), LEB size: 3968 bytes
Buffer I/O error on dev loop6, logical block 9, lost async page write
ubi0: min./max. I/O unit sizes: 1/64, sub-page size 1
ubi0: VID header offset: 64 (aligned 64), data offset: 128
ubi0: good PEBs: 32, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 0, internal volumes: 1, max. volumes count: 23
ubi0: max/mean erase counter: 1/1, WL threshold: 4096, image sequence number: 2231913724
ubi0: available PEBs: 28, total reserved PEBs: 4, PEBs reserved for bad PEB handling: 0
ubi0: background thread "ubi_bgt0d" started, PID 30142
ubi0: detaching mtd0
ubi0: mtd0 is detached
ntfs: (device loop1): is_boot_sector_ntfs(): Invalid end of sector marker.
ubi0: attaching mtd0
ubi0: scanning is finished
ntfs: (device loop1): ntfs_read_block(): Failed to read from inode 0x1, attribute type 0x80, vcn 0x0, offset 0x0 because its location on disk could not be determined even after retrying (error code -5).
ntfs: (device loop1): ntfs_read_block(): Failed to read from inode 0x1, attribute type 0x80, vcn 0x1, offset 0x0 because its location on disk could not be determined even after retrying (error code -5).
ntfs: (device loop1): check_mft_mirror(): Failed to read $MFTMirr.
ntfs: (device loop1): load_system_files(): $MFTMirr does not match $MFT. Mounting read-only. Run ntfsfix and/or chkdsk.
ubi0: attached mtd0 (name "mtdram test device", size 0 MiB)
ubi0: PEB size: 4096 bytes (4 KiB), LEB size: 3968 bytes
ubi0: min./max. I/O unit sizes: 1/64, sub-page size 1
ntfs: (device loop1): load_and_init_upcase(): Failed to load $UpCase from the volume. Using default.
ubi0: VID header offset: 64 (aligned 64), data offset: 128
ubi0: good PEBs: 32, bad PEBs: 0, corrupted PEBs: 0
ntfs: (device loop1): map_mft_record_page(): Mft record 0x3 is corrupt. Run chkdsk.
ubi0: user volume: 0, internal volumes: 1, max. volumes count: 23
ntfs: (device loop1): map_mft_record(): Failed with error code 5.
ubi0: max/mean erase counter: 1/1, WL threshold: 4096, image sequence number: 2231913724
ubi0: available PEBs: 28, total reserved PEBs: 4, PEBs reserved for bad PEB handling: 0
ntfs: (device loop1): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x3 as bad. Run chkdsk.
ubi0: detaching mtd0
ntfs: (device loop1): load_system_files(): Failed to load $Volume.
ntfs: (device loop1): ntfs_fill_super(): Failed to load system files.
ubi0: mtd0 is detached
ubi0: attaching mtd0
ubi0: scanning is finished
FAT-fs (loop5): Invalid FSINFO signature: 0x00000000, 0x00000000 (sector = 1)
ubi0: attached mtd0 (name "mtdram test device", size 0 MiB)
ubi0: PEB size: 4096 bytes (4 KiB), LEB size: 3968 bytes
ubi0: min./max. I/O unit sizes: 1/64, sub-page size 1
ubi0: VID header offset: 64 (aligned 64), data offset: 128
ubi0: good PEBs: 32, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 0, internal volumes: 1, max. volumes count: 23
ubi0: max/mean erase counter: 1/1, WL threshold: 4096, image sequence number: 2231913724
ubi0: available PEBs: 28, total reserved PEBs: 4, PEBs reserved for bad PEB handling: 0
ubi0: background thread "ubi_bgt0d" started, PID 30234
ubi0: detaching mtd0
ubi0: mtd0 is detached
EXT4-fs (loop4): Project quota feature not enabled. Cannot enable project quota enforcement.
ubi0: attaching mtd0
IPVS: set_ctl: invalid protocol: 10128 255.255.255.255:45962
ubi0: scanning is finished
EXT4-fs (loop4): Project quota feature not enabled. Cannot enable project quota enforcement.
IPVS: set_ctl: invalid protocol: 10128 255.255.255.255:45962
audit: type=1804 audit(1602005396.717:102): pid=30288 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=open_writers comm="syz-executor.2" name="/root/syzkaller-testdir419406358/syzkaller.if676L/173/file0/bus" dev="sda1" ino=16557 res=1
Enabling of bearer rejected, failed to enable media
ubi0: attached mtd0 (name "mtdram test device", size 0 MiB)
ubi0: PEB size: 4096 bytes (4 KiB), LEB size: 3968 bytes
ubi0: min./max. I/O unit sizes: 1/64, sub-page size 1
ubi0: VID header offset: 64 (aligned 64), data offset: 128
ubi0: good PEBs: 32, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 0, internal volumes: 1, max. volumes count: 23
ubi0: max/mean erase counter: 1/1, WL threshold: 4096, image sequence number: 2231913724
syz-executor.0 (30316): /proc/30313/oom_adj is deprecated, please use /proc/30313/oom_score_adj instead.
ubi0: available PEBs: 28, total reserved PEBs: 4, PEBs reserved for bad PEB handling: 0
ubi0: background thread "ubi_bgt0d" started, PID 30304
audit: type=1804 audit(1602005397.647:103): pid=30298 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=open_writers comm="syz-executor.2" name="/root/syzkaller-testdir419406358/syzkaller.if676L/173/file0/file0/bus" dev="sda1" ino=16536 res=1
ubi: mtd0 is already attached to ubi0
ubi: mtd0 is already attached to ubi0
audit: type=1804 audit(1602005398.057:104): pid=30347 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=open_writers comm="syz-executor.2" name="/root/syzkaller-testdir419406358/syzkaller.if676L/174/file0/bus" dev="sda1" ino=16557 res=1
ubi: mtd0 is already attached to ubi0
audit: type=1804 audit(1602005398.287:105): pid=30352 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=open_writers comm="syz-executor.5" name="/root/syzkaller-testdir172125907/syzkaller.Jp4Dpr/719/file0/bus" dev="sda1" ino=16604 res=1
ubi: mtd0 is already attached to ubi0
ubi: mtd0 is already attached to ubi0
mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
IPVS: ftp: loaded support on port[0] = 21
BFS-fs: bfs_fill_super(): No BFS filesystem on loop5 (magic=00000000)
BFS-fs: bfs_fill_super(): No BFS filesystem on loop5 (magic=00000000)
kauditd_printk_skb: 20 callbacks suppressed
audit: type=1326 audit(1602005400.077:126): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=30479 comm="syz-executor.4" exe="/root/syz-executor.4" sig=0 arch=c000003e syscall=228 compat=0 ip=0x460c8a code=0x50000
audit: type=1326 audit(1602005400.077:127): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=30479 comm="syz-executor.4" exe="/root/syz-executor.4" sig=0 arch=c000003e syscall=228 compat=0 ip=0x460c8a code=0x50000
audit: type=1326 audit(1602005400.077:128): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=30479 comm="syz-executor.4" exe="/root/syz-executor.4" sig=0 arch=c000003e syscall=35 compat=0 ip=0x45c2f1 code=0x50000
audit: type=1326 audit(1602005400.077:129): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=30479 comm="syz-executor.4" exe="/root/syz-executor.4" sig=0 arch=c000003e syscall=228 compat=0 ip=0x460c8a code=0x50000
audit: type=1326 audit(1602005400.077:130): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=30479 comm="syz-executor.4" exe="/root/syz-executor.4" sig=0 arch=c000003e syscall=35 compat=0 ip=0x45c2f1 code=0x50000
xt_CHECKSUM: CHECKSUM should be avoided. If really needed, restrict with "-p udp" and only use in OUTPUT
audit: type=1326 audit(1602005400.077:131): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=30479 comm="syz-executor.4" exe="/root/syz-executor.4" sig=0 arch=c000003e syscall=228 compat=0 ip=0x460c8a code=0x50000
IPVS: ftp: loaded support on port[0] = 21
audit: type=1326 audit(1602005400.077:132): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=30479 comm="syz-executor.4" exe="/root/syz-executor.4" sig=0 arch=c000003e syscall=35 compat=0 ip=0x45c2f1 code=0x50000
EXT4-fs (loop5): mounted filesystem without journal. Opts: ,errors=continue
audit: type=1326 audit(1602005400.077:133): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=30479 comm="syz-executor.4" exe="/root/syz-executor.4" sig=0 arch=c000003e syscall=228 compat=0 ip=0x460c8a code=0x50000
audit: type=1326 audit(1602005400.077:134): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=30479 comm="syz-executor.4" exe="/root/syz-executor.4" sig=0 arch=c000003e syscall=35 compat=0 ip=0x45c2f1 code=0x50000
audit: type=1326 audit(1602005400.077:135): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=30479 comm="syz-executor.4" exe="/root/syz-executor.4" sig=0 arch=c000003e syscall=228 compat=0 ip=0x460c8a code=0x50000