IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
================================================================================
UBSAN: Undefined behaviour in ./include/net/red.h:272:18
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
shift exponent 71 is too large for 64-bit type 'long unsigned int'
CPU: 1 PID: 7861 Comm: syz-executor.0 Not tainted 4.19.148-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x22c/0x33e lib/dump_stack.c:118
 ubsan_epilogue+0xe/0x3a lib/ubsan.c:161
 __ubsan_handle_shift_out_of_bounds.cold+0x1c4/0x250 lib/ubsan.c:422
 red_calc_qavg_from_idle_time include/net/red.h:272 [inline]
 red_adaptative_algo include/net/red.h:404 [inline]
 red_adaptative_timer+0x7ed/0x870 net/sched/sch_red.c:266
 call_timer_fn+0x177/0x760 kernel/time/timer.c:1338
 expire_timers+0x243/0x500 kernel/time/timer.c:1375
 __run_timers kernel/time/timer.c:1703 [inline]
 run_timer_softirq+0x259/0x730 kernel/time/timer.c:1716
 __do_softirq+0x27d/0xad2 kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:372 [inline]
 irq_exit+0x22d/0x270 kernel/softirq.c:412
 exiting_irq arch/x86/include/asm/apic.h:544 [inline]
 smp_apic_timer_interrupt+0x15f/0x5d0 arch/x86/kernel/apic/apic.c:1094
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:894
RIP: 0010:get_page_from_freelist+0x14eb/0x4620 mm/page_alloc.c:3372
Code: 00 48 8b 44 24 58 48 c1 e8 03 42 80 3c 38 00 0f 85 09 2d 00 00 48 8b 44 24 08 48 8b 58 10 48 89 d8 48 c1 e8 03 42 80 3c 38 00 <0f> 84 82 ee ff ff 48 89 df e8 27 f2 1a 00 e9 75 ee ff ff 48 c7 c6
RSP: 0018:ffff8880482cf308 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: 1ffff11025fffa38 RBX: ffff88812fffd1c0 RCX: ffffffff8190096c
RDX: 0000000000000000 RSI: ffff88812fffb6c0 RDI: ffff88812fffb6f0
RBP: ffff88812fffbcc0 R08: 0000000000000000 R09: 000000000003a309
R10: ffff88812fffbd27 R11: 0000000000000000 R12: 0000000000002bae
R13: 0000000000000002 R14: 000000000003a309 R15: dffffc0000000000
 __alloc_pages_nodemask+0x3b1/0x2a60 mm/page_alloc.c:4398
 alloc_pages_current+0x19d/0x2c0 mm/mempolicy.c:2197
 alloc_pages include/linux/gfp.h:532 [inline]
 __get_free_pages+0x8/0x40 mm/page_alloc.c:4442
 tlb_next_batch mm/memory.c:204 [inline]
 __tlb_remove_page_size+0x2ba/0x480 mm/memory.c:306
 __tlb_remove_page include/asm-generic/tlb.h:161 [inline]
 zap_pte_range mm/memory.c:1341 [inline]
 zap_pmd_range mm/memory.c:1440 [inline]
 zap_pud_range mm/memory.c:1469 [inline]
 zap_p4d_range mm/memory.c:1490 [inline]
 unmap_page_range+0x138f/0x2ec0 mm/memory.c:1511
 unmap_single_vma+0x198/0x300 mm/memory.c:1556
 unmap_vmas+0xa9/0x180 mm/memory.c:1586
 exit_mmap+0x2b9/0x530 mm/mmap.c:3091
 __mmput kernel/fork.c:1015 [inline]
 mmput+0x14e/0x4a0 kernel/fork.c:1036
 exit_mm kernel/exit.c:546 [inline]
 do_exit+0xb12/0x2d80 kernel/exit.c:874
 do_group_exit+0x125/0x320 kernel/exit.c:990
 get_signal+0x3f3/0x2270 kernel/signal.c:2588
 do_signal+0x8f/0x1690 arch/x86/kernel/signal.c:821
 exit_to_usermode_loop+0x204/0x2c0 arch/x86/entry/common.c:163
 prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
 do_syscall_64+0x57c/0x670 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45e179
Code: Bad RIP value.
RSP: 002b:00007fefbbf33cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: 0000000000000001 RBX: 000000000118cff0 RCX: 000000000045e179
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 000000000118cff4
RBP: 000000000118cfe8 R08: 0000000000000016 R09: 0000000000000000
R10: ffffffffffffffff R11: 0000000000000246 R12: 000000000118cff4
R13: 00007ffe63f0c36f R14: 00007fefbbf349c0 R15: 000000000118cff4
================================================================================
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
batman_adv: batadv0: Interface activated: batadv_slave_0
IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
audit: type=1400 audit(1601243859.644:9): avc: denied { create } for pid=7876 comm="syz-executor.0" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dccp_socket permissive=1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
batman_adv: batadv0: Interface activated: batadv_slave_1
IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details.
wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
syz-executor.3 (8050) used greatest stack depth: 23152 bytes left
audit: type=1800 audit(1601243862.444:10): pid=8054 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed comm="syz-executor.5" name="file0" dev="sda1" ino=15765 res=0
audit: type=1800 audit(1601243862.474:11): pid=8055 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed comm="syz-executor.5" name="file0" dev="sda1" ino=15765 res=0
audit: type=1800 audit(1601243862.474:12): pid=8066 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed comm="syz-executor.5" name="file0" dev="sda1" ino=15765 res=0
audit: type=1800 audit(1601243862.474:13): pid=8067 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed comm="syz-executor.5" name="file0" dev="sda1" ino=15765 res=0
IPVS: ftp: loaded support on port[0] = 21
netlink: 32 bytes leftover after parsing attributes in process `syz-executor.5'.
netlink: 32 bytes leftover after parsing attributes in process `syz-executor.5'.
IPVS: ftp: loaded support on port[0] = 21
audit: type=1800 audit(1601243864.124:14): pid=8184 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="syz-executor.5" name="file0" dev="loop5" ino=5 res=0
overlayfs: missing 'workdir'
audit: type=1804 audit(1601243864.144:15): pid=8184 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=open_writers comm="syz-executor.5" name="/root/syzkaller-testdir880407755/syzkaller.lvZoCb/3/file1/file0" dev="loop5" ino=5 res=1
overlayfs: missing 'workdir'
audit: type=1800 audit(1601243864.174:16): pid=8184 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="syz-executor.5" name="file0" dev="loop5" ino=5 res=0
FAT-fs (loop4): Invalid FSINFO signature: 0x00000000, 0x00000000 (sector = 1)
audit: type=1800 audit(1601243864.414:17): pid=8211 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="syz-executor.3" name="file0" dev="sda1" ino=15770 res=0
9pnet: Insufficient options for proto=fd
audit: type=1804 audit(1601243864.424:18): pid=8211 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=open_writers comm="syz-executor.3" name="/root/syzkaller-testdir712201320/syzkaller.xoZLFN/5/file0" dev="sda1" ino=15770 res=1
audit: type=1804 audit(1601243864.524:19): pid=8219 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=ToMToU comm="syz-executor.3" name="/root/syzkaller-testdir712201320/syzkaller.xoZLFN/5/file0" dev="sda1" ino=15770 res=1
audit: type=1804 audit(1601243864.934:20): pid=8200 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=open_writers comm="syz-executor.5" name="/root/syzkaller-testdir880407755/syzkaller.lvZoCb/3/file1/file0" dev="loop5" ino=5 res=1
9pnet: Insufficient options for proto=fd
audit: type=1800 audit(1601243864.934:21): pid=8200 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="syz-executor.5" name="file0" dev="loop5" ino=5 res=0
audit: type=1804 audit(1601243865.214:22): pid=8219 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=open_writers comm="syz-executor.3" name="/root/syzkaller-testdir712201320/syzkaller.xoZLFN/5/file0" dev="sda1" ino=15770 res=1
9pnet: Insufficient options for proto=fd
FAT-fs (loop4): Invalid FSINFO signature: 0x00000000, 0x00000000 (sector = 1)
audit: type=1804 audit(1601243865.214:23): pid=8219 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=ToMToU comm="syz-executor.3" name="/root/syzkaller-testdir712201320/syzkaller.xoZLFN/5/file0" dev="sda1" ino=15770 res=1
hub 9-0:1.0: USB hub found
hub 9-0:1.0: 8 ports detected
9pnet: Insufficient options for proto=fd
audit: type=1800 audit(1601243865.794:24): pid=8272 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="syz-executor.5" name="file2" dev="sda1" ino=15762 res=0
9pnet: Insufficient options for proto=fd
binder: 8278:8281 ioctl c0306201 20001440 returned -14
audit: type=1800 audit(1601243865.914:25): pid=8272 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed comm="syz-executor.5" name="file0" dev="sda1" ino=15759 res=0
binder: 8278:8284 ioctl c0306201 20001440 returned -14
audit: type=1800 audit(1601243865.914:26): pid=8280 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed comm="syz-executor.5" name="file0" dev="sda1" ino=15759 res=0
9pnet: Insufficient options for proto=fd
libceph: connect [d::]:6789 error -101
libceph: mon0 [d::]:6789 connect error
ceph: No mds server is up or the cluster is laggy
libceph: connect [d::]:6789 error -101
libceph: mon0 [d::]:6789 connect error
libceph: connect [d::]:6789 error -101
9pnet: Insufficient options for proto=fd
syz-executor.5 (8310) used greatest stack depth: 22752 bytes left
libceph: mon0 [d::]:6789 connect error
9pnet: Insufficient options for proto=fd
ISOFS: Unable to identify CD-ROM format.