================================================================================
UBSAN: Undefined behaviour in ./include/net/red.h:272:18
shift exponent 75 is too large for 64-bit type 'long unsigned int'
CPU: 1 PID: 19240 Comm: syz-executor.2 Not tainted 4.19.150-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x22c/0x33e lib/dump_stack.c:118
 ubsan_epilogue+0xe/0x3a lib/ubsan.c:161
 __ubsan_handle_shift_out_of_bounds.cold+0x1c4/0x250 lib/ubsan.c:422
 red_calc_qavg_from_idle_time include/net/red.h:272 [inline]
 red_calc_qavg include/net/red.h:313 [inline]
 choke_enqueue+0x2a7e/0x2cc0 net/sched/sch_choke.c:231
 __dev_xmit_skb net/core/dev.c:3494 [inline]
 __dev_queue_xmit+0x14e1/0x2ec0 net/core/dev.c:3807
 neigh_hh_output include/net/neighbour.h:491 [inline]
 neigh_output include/net/neighbour.h:499 [inline]
 ip_finish_output2+0xc04/0x1640 net/ipv4/ip_output.c:230
 ip_finish_output+0x88e/0xd80 net/ipv4/ip_output.c:318
 NF_HOOK_COND include/linux/netfilter.h:278 [inline]
 ip_output+0x203/0x650 net/ipv4/ip_output.c:406
 dst_output include/net/dst.h:455 [inline]
 ip_local_out+0xaf/0x170 net/ipv4/ip_output.c:125
 __ip_queue_xmit+0x8a0/0x1bd0 net/ipv4/ip_output.c:506
 __tcp_transmit_skb+0x1c72/0x36c0 net/ipv4/tcp_output.c:1148
 tcp_transmit_skb net/ipv4/tcp_output.c:1164 [inline]
 tcp_write_xmit+0x839/0x5050 net/ipv4/tcp_output.c:2389
 __tcp_push_pending_frames+0xae/0x280 net/ipv4/tcp_output.c:2568
 tcp_push+0x4b7/0x6b0 net/ipv4/tcp.c:743
 do_tcp_sendpages+0x147a/0x1970 net/ipv4/tcp.c:1078
 tcp_sendpage_locked net/ipv4/tcp.c:1104 [inline]
 tcp_sendpage_locked net/ipv4/tcp.c:1096 [inline]
 tcp_sendpage+0x80/0xd0 net/ipv4/tcp.c:1114
 inet_sendpage+0x1a4/0x700 net/ipv4/af_inet.c:815
 kernel_sendpage net/socket.c:3378 [inline]
 sock_sendpage+0xdf/0x140 net/socket.c:847
 pipe_to_sendpage+0x268/0x330 fs/splice.c:452
 splice_from_pipe_feed fs/splice.c:503 [inline]
 __splice_from_pipe+0x3af/0x820 fs/splice.c:627
 splice_from_pipe fs/splice.c:662 [inline]
 generic_splice_sendpage+0xd4/0x140 fs/splice.c:833
 do_splice_from fs/splice.c:852 [inline]
 direct_splice_actor+0x115/0x160 fs/splice.c:1025
 splice_direct_to_actor+0x33f/0x8d0 fs/splice.c:980
 do_splice_direct+0x1a7/0x270 fs/splice.c:1068
 do_sendfile+0x550/0xc30 fs/read_write.c:1447
 __do_sys_sendfile64 fs/read_write.c:1508 [inline]
 __se_sys_sendfile64+0x147/0x160 fs/read_write.c:1494
 do_syscall_64+0xf9/0x670 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45de59
Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f5dd3dbcc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 0000000000027ec0 RCX: 000000000045de59
XFS (loop0): Invalid superblock magic number
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000005
RBP: 000000000118bf68 R08: 0000000000000000 R09: 0000000000000000
R10: 000000010000edbe R11: 0000000000000246 R12: 000000000118bf2c
R13: 00007ffc0d2473af R14: 00007f5dd3dbd9c0 R15: 000000000118bf2c
================================================================================
f2fs_msg: 30 callbacks suppressed
F2FS-fs (loop4): Magic Mismatch, valid(0xf2f52010) - read(0x0)
F2FS-fs (loop4): Can't find valid F2FS filesystem in 1th superblock
F2FS-fs (loop4): Magic Mismatch, valid(0xf2f52010) - read(0x0)
F2FS-fs (loop4): Can't find valid F2FS filesystem in 2th superblock
F2FS-fs (loop4): Magic Mismatch, valid(0xf2f52010) - read(0x0)
F2FS-fs (loop4): Can't find valid F2FS filesystem in 1th superblock
F2FS-fs (loop4): Magic Mismatch, valid(0xf2f52010) - read(0x0)
F2FS-fs (loop4): Can't find valid F2FS filesystem in 2th superblock
F2FS-fs (loop4): Magic Mismatch, valid(0xf2f52010) - read(0x0)
F2FS-fs (loop4): Can't find valid F2FS filesystem in 1th superblock
audit: type=1804 audit(1602805663.942:25): pid=19341 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=open_writers comm="syz-executor.0" name="/root/syzkaller-testdir494596523/syzkaller.tDwlDk/684/cgroup.controllers" dev="sda1" ino=16615 res=1
nvme_fabrics: missing parameter 'transport=%s'
nvme_fabrics: missing parameter 'nqn=%s'
nvme_fabrics: missing parameter 'transport=%s'
nvme_fabrics: missing parameter 'nqn=%s'
nvme_fabrics: missing parameter 'transport=%s'
nvme_fabrics: missing parameter 'nqn=%s'
nvme_fabrics: missing parameter 'transport=%s'
nvme_fabrics: missing parameter 'nqn=%s'
nvme_fabrics: missing parameter 'transport=%s'
nvme_fabrics: missing parameter 'nqn=%s'
nvme_fabrics: missing parameter 'transport=%s'
nvme_fabrics: missing parameter 'nqn=%s'
nvme_fabrics: missing parameter 'transport=%s'
nvme_fabrics: missing parameter 'nqn=%s'
nvme_fabrics: missing parameter 'transport=%s'
nvme_fabrics: missing parameter 'nqn=%s'
nvme_fabrics: missing parameter 'transport=%s'
nvme_fabrics: missing parameter 'nqn=%s'
nvme_fabrics: missing parameter 'transport=%s'
nvme_fabrics: missing parameter 'nqn=%s'
f2fs_msg: 166 callbacks suppressed
F2FS-fs (loop4): Magic Mismatch, valid(0xf2f52010) - read(0x0)
F2FS-fs (loop4): Can't find valid F2FS filesystem in 1th superblock
F2FS-fs (loop4): Invalid Fs Meta Ino: node(1) meta(0) root(7)
F2FS-fs (loop4): Can't find valid F2FS filesystem in 2th superblock
F2FS-fs (loop4): Magic Mismatch, valid(0xf2f52010) - read(0x0)
F2FS-fs (loop4): Can't find valid F2FS filesystem in 1th superblock
F2FS-fs (loop4): Invalid Fs Meta Ino: node(1) meta(0) root(7)
F2FS-fs (loop4): Can't find valid F2FS filesystem in 2th superblock
F2FS-fs (loop4): Magic Mismatch, valid(0xf2f52010) - read(0x0)
F2FS-fs (loop4): Can't find valid F2FS filesystem in 1th superblock
overlayfs: bad mount option "redirect_dir=./"
audit: type=1800 audit(1602805670.092:26): pid=19992 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed comm="syz-executor.1" name="memory.events" dev="sda1" ino=16225 res=0
overlayfs: bad mount option "redirect_dir=./"
overlayfs: upperdir is in-use as upperdir/workdir of another mount, mount with '-o index=off' to override exclusive upperdir protection.
overlayfs: failed to resolve './file0': -2
overlayfs: bad mount option "redirect_dir=./"
overlayfs: failed to resolve './file0': -2
overlayfs: bad mount option "redirect_dir=./"
overlayfs: bad mount option "redirect_dir=./"
overlayfs: bad mount option "redirect_dir=./"
IPv6: addrconf: prefix option has invalid lifetime
netlink: 'syz-executor.4': attribute type 1 has an invalid length.
overlayfs: bad mount option "redirect_dir=./"
bond1: Enslaving veth3 as a backup interface with a down link
bond1 (unregistering): Releasing backup interface veth3
bond1 (unregistering): Released all slaves
netlink: 'syz-executor.4': attribute type 1 has an invalid length.
bond1: Enslaving veth5 as a backup interface with a down link