bond18 (uninitialized): Released all slaves EXT4-fs (loop5): Unrecognized mount option "dioread_looldalloc" or missing value SET target dimension over the limit! ================================================================================ UBSAN: Undefined behaviour in net/sched/sch_api.c:561:7 shift exponent 129 is too large for 32-bit type 'int' CPU: 1 PID: 22859 Comm: syz-executor.4 Not tainted 4.19.150-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x22c/0x33e lib/dump_stack.c:118 ubsan_epilogue+0xe/0x3a lib/ubsan.c:161 __ubsan_handle_shift_out_of_bounds.cold+0x1c4/0x250 lib/ubsan.c:422 __qdisc_calculate_pkt_len+0x3bb/0x570 net/sched/sch_api.c:561 qdisc_calculate_pkt_len include/net/sch_generic.h:697 [inline] __dev_xmit_skb net/core/dev.c:3443 [inline] __dev_queue_xmit+0x1372/0x2ec0 net/core/dev.c:3807 neigh_hh_output include/net/neighbour.h:491 [inline] neigh_output include/net/neighbour.h:499 [inline] ip_finish_output2+0xc04/0x1640 net/ipv4/ip_output.c:230 ip_finish_output+0x88e/0xd80 net/ipv4/ip_output.c:318 NF_HOOK_COND include/linux/netfilter.h:278 [inline] ip_output+0x203/0x650 net/ipv4/ip_output.c:406 dst_output include/net/dst.h:455 [inline] ip_local_out+0xaf/0x170 net/ipv4/ip_output.c:125 iptunnel_xmit+0x63e/0xa30 net/ipv4/ip_tunnel_core.c:91 geneve_xmit_skb drivers/net/geneve.c:865 [inline] geneve_xmit+0xf46/0x2ac0 drivers/net/geneve.c:938 __netdev_start_xmit include/linux/netdevice.h:4333 [inline] netdev_start_xmit include/linux/netdevice.h:4347 [inline] xmit_one net/core/dev.c:3256 [inline] dev_hard_start_xmit+0x1a8/0x960 net/core/dev.c:3272 __dev_queue_xmit+0x276a/0x2ec0 net/core/dev.c:3838 neigh_hh_output include/net/neighbour.h:491 [inline] neigh_output include/net/neighbour.h:499 [inline] ip6_finish_output2+0xe78/0x2370 net/ipv6/ip6_output.c:120 ip6_finish_output+0x610/0xcc0 net/ipv6/ip6_output.c:154 NF_HOOK_COND include/linux/netfilter.h:278 [inline] ip6_output+0x205/0x7c0 net/ipv6/ip6_output.c:171 dst_output include/net/dst.h:455 [inline] NF_HOOK include/linux/netfilter.h:289 [inline] ndisc_send_skb+0xa6b/0x1860 net/ipv6/ndisc.c:491 ndisc_send_rs+0x131/0x6a0 net/ipv6/ndisc.c:685 addrconf_rs_timer+0x2d9/0x640 net/ipv6/addrconf.c:3834 call_timer_fn+0x177/0x760 kernel/time/timer.c:1338 expire_timers+0x243/0x500 kernel/time/timer.c:1375 __run_timers kernel/time/timer.c:1703 [inline] run_timer_softirq+0x259/0x730 kernel/time/timer.c:1716 __do_softirq+0x27d/0xad2 kernel/softirq.c:292 invoke_softirq kernel/softirq.c:372 [inline] irq_exit+0x22d/0x270 kernel/softirq.c:412 exiting_irq arch/x86/include/asm/apic.h:544 [inline] smp_apic_timer_interrupt+0x15f/0x5d0 arch/x86/kernel/apic/apic.c:1094 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:894 RIP: 0010:__fb_pad_aligned_buffer include/linux/fb.h:674 [inline] RIP: 0010:bit_putcs_aligned drivers/video/fbdev/core/bitblit.c:96 [inline] RIP: 0010:bit_putcs+0x639/0xd35 drivers/video/fbdev/core/bitblit.c:185 Code: 01 48 89 f8 48 89 fa 48 c1 e8 03 83 e2 07 42 0f b6 04 38 38 d0 7f 08 84 c0 0f 85 af 05 00 00 48 89 d8 48 89 da 44 0f b6 6d ff <48> c1 e8 03 83 e2 07 42 0f b6 04 38 38 d0 7f 08 84 c0 0f 85 7f 05 RSP: 0018:ffff888045d26e98 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13 RAX: ffff8880a529d367 RBX: ffff8880a529d367 RCX: ffffc9000e36c000 RDX: ffff8880a529d367 RSI: ffffffff83c59109 RDI: ffffffff88545e70 RBP: ffffffff88545e71 R08: 0000000000000014 R09: 0000000000000000 R10: 0000000000000005 R11: 0000000000000005 R12: 000000000000000b R13: 0000000000000000 R14: 000000000000000f R15: dffffc0000000000 fbcon_putcs+0x389/0x5d0 drivers/video/fbdev/core/fbcon.c:1269 fbcon_redraw.constprop.0+0x27a/0x4a0 drivers/video/fbdev/core/fbcon.c:1628 fbcon_scroll+0x5fb/0x3990 drivers/video/fbdev/core/fbcon.c:1754 con_scroll+0x5f8/0x720 drivers/tty/vt/vt.c:637 lf+0x262/0x2b0 drivers/tty/vt/vt.c:1491 do_con_trol+0x1df/0x5d50 drivers/tty/vt/vt.c:2159 do_con_write+0x68e/0x1f40 drivers/tty/vt/vt.c:2810 con_write+0x22/0xb0 drivers/tty/vt/vt.c:3145 do_output_char+0x5de/0x850 drivers/tty/n_tty.c:445 process_output drivers/tty/n_tty.c:512 [inline] n_tty_write+0x46e/0xff0 drivers/tty/n_tty.c:2343 do_tty_write drivers/tty/tty_io.c:960 [inline] tty_write+0x496/0x890 drivers/tty/tty_io.c:1044 __vfs_write+0xf7/0x770 fs/read_write.c:485 __kernel_write+0x109/0x370 fs/read_write.c:506 write_pipe_buf+0x153/0x1f0 fs/splice.c:798 splice_from_pipe_feed fs/splice.c:503 [inline] __splice_from_pipe+0x3af/0x820 fs/splice.c:627 splice_from_pipe fs/splice.c:662 [inline] default_file_splice_write+0xd8/0x180 fs/splice.c:810 do_splice_from fs/splice.c:852 [inline] direct_splice_actor+0x115/0x160 fs/splice.c:1025 splice_direct_to_actor+0x33f/0x8d0 fs/splice.c:980 do_splice_direct+0x1a7/0x270 fs/splice.c:1068 do_sendfile+0x550/0xc30 fs/read_write.c:1447 __do_sys_sendfile64 fs/read_write.c:1508 [inline] __se_sys_sendfile64+0x147/0x160 fs/read_write.c:1494 do_syscall_64+0xf9/0x670 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x45de59 Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f31a6c73c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028 RAX: ffffffffffffffda RBX: 0000000000027ec0 RCX: 000000000045de59 RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000000005 RBP: 000000000118bf68 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000040000006 R11: 0000000000000246 R12: 000000000118bf2c R13: 00007ffc841c1e4f R14: 00007f31a6c749c0 R15: 000000000118bf2c ================================================================================ nla_parse: 3 callbacks suppressed netlink: 12 bytes leftover after parsing attributes in process `syz-executor.1'. EXT4-fs (loop5): Unrecognized mount option "dioread_looldalloc" or missing value netlink: 12 bytes leftover after parsing attributes in process `syz-executor.1'. netlink: 12 bytes leftover after parsing attributes in process `syz-executor.1'. netlink: 12 bytes leftover after parsing attributes in process `syz-executor.1'. netlink: 12 bytes leftover after parsing attributes in process `syz-executor.1'. netlink: 12 bytes leftover after parsing attributes in process `syz-executor.1'. netlink: 8 bytes leftover after parsing attributes in process `syz-executor.4'. netlink: 4 bytes leftover after parsing attributes in process `syz-executor.4'. netlink: 12 bytes leftover after parsing attributes in process `syz-executor.1'. netlink: 8 bytes leftover after parsing attributes in process `syz-executor.4'. gfs2: can't find protocol audit: type=1804 audit(1602714377.870:56): pid=23487 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=open_writers comm="syz-executor.2" name="/root/syzkaller-testdir662372887/syzkaller.xfbxcW/979/file0/bus" dev="ramfs" ino=82802 res=1 audit: type=1804 audit(1602714377.890:57): pid=23487 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=ToMToU comm="syz-executor.2" name="/root/syzkaller-testdir662372887/syzkaller.xfbxcW/979/file0/bus" dev="ramfs" ino=82802 res=1 audit: type=1804 audit(1602714377.910:58): pid=23487 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=ToMToU comm="syz-executor.2" name="/root/syzkaller-testdir662372887/syzkaller.xfbxcW/979/file0/bus" dev="ramfs" ino=82802 res=1 bond27 (uninitialized): Released all slaves bond27 (uninitialized): Released all slaves audit: type=1804 audit(1602714378.460:59): pid=23487 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=open_writers comm="syz-executor.2" name="/root/syzkaller-testdir662372887/syzkaller.xfbxcW/979/file0/file0/bus" dev="ramfs" ino=82828 res=1 tmpfs: Bad value 'al)û' for mount option 'huge' audit: type=1804 audit(1602714378.500:60): pid=23606 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=ToMToU comm="syz-executor.2" name="/root/syzkaller-testdir662372887/syzkaller.xfbxcW/979/file0/file0/bus" dev="ramfs" ino=82828 res=1 bond27 (uninitialized): Released all slaves audit: type=1804 audit(1602714378.500:61): pid=23487 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=ToMToU comm="syz-executor.2" name="/root/syzkaller-testdir662372887/syzkaller.xfbxcW/979/file0/file0/bus" dev="ramfs" ino=82828 res=1 tmpfs: Bad value 'al)û' for mount option 'huge' audit: type=1804 audit(1602714378.760:62): pid=23621 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=open_writers comm="syz-executor.2" name="/root/syzkaller-testdir662372887/syzkaller.xfbxcW/980/file0/bus" dev="ramfs" ino=82849 res=1 nla_parse: 5 callbacks suppressed netlink: 12 bytes leftover after parsing attributes in process `syz-executor.1'. audit: type=1804 audit(1602714378.820:63): pid=23621 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=ToMToU comm="syz-executor.2" name="/root/syzkaller-testdir662372887/syzkaller.xfbxcW/980/file0/bus" dev="ramfs" ino=82849 res=1 bond27 (uninitialized): Released all slaves netlink: 'syz-executor.5': attribute type 4 has an invalid length. nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead. audit: type=1804 audit(1602714378.820:64): pid=23621 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=ToMToU comm="syz-executor.2" name="/root/syzkaller-testdir662372887/syzkaller.xfbxcW/980/file0/bus" dev="ramfs" ino=82849 res=1 IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready netlink: 'syz-executor.5': attribute type 4 has an invalid length. netlink: 12 bytes leftover after parsing attributes in process `syz-executor.1'. bond27 (uninitialized): Released all slaves netlink: 12 bytes leftover after parsing attributes in process `syz-executor.1'. bond27 (uninitialized): Released all slaves netlink: 12 bytes leftover after parsing attributes in process `syz-executor.1'. bond27 (uninitialized): Released all slaves netlink: 12 bytes leftover after parsing attributes in process `syz-executor.1'. bond27 (uninitialized): Released all slaves netlink: 12 bytes leftover after parsing attributes in process `syz-executor.1'. bond27 (uninitialized): Released all slaves netlink: 8 bytes leftover after parsing attributes in process `syz-executor.5'. SELinux: unrecognized netlink message: protocol=0 nlmsg_type=43 sclass=netlink_route_socket pid=23902 comm=syz-executor.5 netlink: 8 bytes leftover after parsing attributes in process `syz-executor.5'. SELinux: unrecognized netlink message: protocol=0 nlmsg_type=43 sclass=netlink_route_socket pid=23898 comm=syz-executor.5