L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details. ================================================================================ UBSAN: Undefined behaviour in net/sched/cls_tcindex.c:238:29 hrtimer: interrupt took 43904 ns shift exponent 511 is too large for 32-bit type 'int' CPU: 0 PID: 8121 Comm: syz-executor.1 Not tainted 4.19.147-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x22c/0x33e lib/dump_stack.c:118 ubsan_epilogue+0xe/0x3a lib/ubsan.c:161 __ubsan_handle_shift_out_of_bounds.cold+0x1c4/0x250 lib/ubsan.c:422 valid_perfect_hash net/sched/cls_tcindex.c:238 [inline] tcindex_set_parms.cold+0x170/0x22f net/sched/cls_tcindex.c:398 tcindex_change+0x220/0x2f3 net/sched/cls_tcindex.c:518 tc_new_tfilter+0xb38/0x1570 net/sched/cls_api.c:1320 rtnetlink_rcv_msg+0x498/0xc10 net/core/rtnetlink.c:4778 netlink_rcv_skb+0x160/0x440 net/netlink/af_netlink.c:2455 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x4d5/0x690 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x717/0xcc0 net/netlink/af_netlink.c:1909 sock_sendmsg_nosec net/socket.c:622 [inline] sock_sendmsg+0xc7/0x130 net/socket.c:632 ___sys_sendmsg+0x3b3/0x8f0 net/socket.c:2115 __sys_sendmmsg+0x195/0x470 net/socket.c:2210 __do_sys_sendmmsg net/socket.c:2239 [inline] __se_sys_sendmmsg net/socket.c:2236 [inline] __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2236 do_syscall_64+0xf9/0x670 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x45e179 Code: 3d b2 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 0b b2 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f4a357b9c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 RAX: ffffffffffffffda RBX: 0000000000027ac0 RCX: 000000000045e179 RDX: 04924924924926d3 RSI: 0000000020000200 RDI: 0000000000000008 RBP: 000000000118d180 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118d144 R13: 00007fff2caf6adf R14: 00007f4a357ba9c0 R15: 000000000118d144 ================================================================================ netlink: 24 bytes leftover after parsing attributes in process `syz-executor.1'. netlink: 24 bytes leftover after parsing attributes in process `syz-executor.1'. netlink: 24 bytes leftover after parsing attributes in process `syz-executor.1'. IPVS: ftp: loaded support on port[0] = 21 netlink: 24 bytes leftover after parsing attributes in process `syz-executor.1'. netlink: 24 bytes leftover after parsing attributes in process `syz-executor.1'. REISERFS warning (device loop5): super-6502 reiserfs_getopt: unknown mount option "" netlink: 24 bytes leftover after parsing attributes in process `syz-executor.1'. ntfs: (device loop0): parse_options(): Invalid errors option argument: c REISERFS warning (device loop5): super-6502 reiserfs_getopt: unknown mount option "" ntfs: (device loop0): parse_options(): Invalid errors option argument: c Cannot find add_set index 0 as target netlink: 68 bytes leftover after parsing attributes in process `syz-executor.2'. netlink: 24 bytes leftover after parsing attributes in process `syz-executor.1'. ntfs: (device loop0): parse_options(): Invalid errors option argument: c ntfs: (device loop4): parse_options(): The errors option requires an argument. ntfs: (device loop0): parse_options(): Invalid errors option argument: c ntfs: (device loop4): parse_options(): The errors option requires an argument. ntfs: (device loop0): parse_options(): Invalid errors option argument: c Cannot find add_set index 0 as target ntfs: (device loop0): parse_options(): Invalid errors option argument: c __ntfs_error: 1 callbacks suppressed ntfs: (device loop0): parse_options(): Invalid errors option argument: c ntfs: (device loop0): parse_options(): Invalid errors option argument: c 9pnet: p9_fd_create_tcp (8624): problem connecting socket to 127.0.0.1 9pnet: p9_fd_create_tcp (8631): problem connecting socket to 127.0.0.1 gfs2: not a GFS2 filesystem nla_parse: 10 callbacks suppressed netlink: 24 bytes leftover after parsing attributes in process `syz-executor.1'. gfs2: not a GFS2 filesystem netlink: 24 bytes leftover after parsing attributes in process `syz-executor.1'. netlink: 24 bytes leftover after parsing attributes in process `syz-executor.1'. netlink: 24 bytes leftover after parsing attributes in process `syz-executor.1'. netlink: 184 bytes leftover after parsing attributes in process `syz-executor.2'. netlink: 24 bytes leftover after parsing attributes in process `syz-executor.1'. netlink: 24 bytes leftover after parsing attributes in process `syz-executor.1'. ntfs: (device loop2): ntfs_fill_super(): Unable to determine device size. ntfs: (device loop2): ntfs_fill_super(): Unable to determine device size. ntfs: (device loop0): ntfs_fill_super(): Unable to determine device size. netlink: 24 bytes leftover after parsing attributes in process `syz-executor.1'. ntfs: (device loop0): ntfs_fill_super(): Unable to determine device size. netlink: 24 bytes leftover after parsing attributes in process `syz-executor.1'. ntfs: (device loop0): ntfs_fill_super(): Unable to determine device size. netlink: 24 bytes leftover after parsing attributes in process `syz-executor.1'. ntfs: (device loop0): ntfs_fill_super(): Unable to determine device size. ntfs: (device loop0): ntfs_fill_super(): Unable to determine device size. ntfs: (device loop0): ntfs_fill_super(): Unable to determine device size. __ntfs_error: 3 callbacks suppressed ntfs: (device loop0): ntfs_fill_super(): Unable to determine device size. ntfs: (device loop0): ntfs_fill_super(): Unable to determine device size. ntfs: (device loop0): ntfs_fill_super(): Unable to determine device size. ntfs: (device loop0): parse_options(): Unrecognized mount option sho.