netlink: 4 bytes leftover after parsing attributes in process `syz-executor.0'.
================================================================================
UBSAN: Undefined behaviour in ./include/net/red.h:272:18
shift exponent 102 is too large for 64-bit type 'long unsigned int'
CPU: 0 PID: 12380 Comm: syz-executor.3 Not tainted 4.19.148-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x22c/0x33e lib/dump_stack.c:118
ubsan_epilogue+0xe/0x3a lib/ubsan.c:161
__ubsan_handle_shift_out_of_bounds.cold+0x1c4/0x250 lib/ubsan.c:422
red_calc_qavg_from_idle_time include/net/red.h:272 [inline]
red_adaptative_algo include/net/red.h:404 [inline]
red_adaptative_timer+0x7ed/0x870 net/sched/sch_red.c:266
call_timer_fn+0x177/0x760 kernel/time/timer.c:1338
expire_timers+0x243/0x500 kernel/time/timer.c:1375
__run_timers kernel/time/timer.c:1703 [inline]
run_timer_softirq+0x259/0x730 kernel/time/timer.c:1716
__do_softirq+0x27d/0xad2 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:372 [inline]
irq_exit+0x22d/0x270 kernel/softirq.c:412
exiting_irq arch/x86/include/asm/apic.h:544 [inline]
smp_apic_timer_interrupt+0x15f/0x5d0 arch/x86/kernel/apic/apic.c:1094
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:894
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:789 [inline]
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0xa7/0xf0 kernel/locking/spinlock.c:184
Code: 48 c7 c0 a8 89 63 89 48 ba 00 00 00 00 00 fc ff df 48 c1 e8 03 80 3c 10 00 75 4a 48 83 3d e8 ca b2 01 00 74 21 48 89 df 57 9d <0f> 1f 44 00 00 eb b2 e8 d1 aa 4f f9 eb c0 0f 0b 48 c7 c7 80 ed 70
RSP: 0018:ffff8880414afb20 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13
RAX: 1ffffffff12c7135 RBX: 0000000000000286 RCX: 1ffff110095e0d1a
RDX: dffffc0000000000 RSI: ffff88804af068b0 RDI: 0000000000000286
RBP: ffffffff8d4aeac8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: dead000000000200
R13: ffff888051360000 R14: 0000000000000000 R15: dffffc0000000000
__debug_check_no_obj_freed lib/debugobjects.c:798 [inline]
debug_check_no_obj_freed+0x201/0x482 lib/debugobjects.c:817
free_pages_prepare mm/page_alloc.c:1055 [inline]
__free_pages_ok+0x238/0xe00 mm/page_alloc.c:1278
__put_page+0xe2/0x3e0 mm/swap.c:112
put_page include/linux/mm.h:963 [inline]
__skb_frag_unref include/linux/skbuff.h:2816 [inline]
skb_release_data+0x2f3/0x930 net/core/skbuff.c:568
device bond0 entered promiscuous mode
skb_release_all net/core/skbuff.c:631 [inline]
__kfree_skb net/core/skbuff.c:645 [inline]
kfree_skb+0x11a/0x3f0 net/core/skbuff.c:663
kfree_skb_list net/core/skbuff.c:672 [inline]
skb_release_data+0x6d3/0x930 net/core/skbuff.c:571
skb_release_all net/core/skbuff.c:631 [inline]
__kfree_skb net/core/skbuff.c:645 [inline]
kfree_skb+0x11a/0x3f0 net/core/skbuff.c:663
__skb_queue_purge include/linux/skbuff.h:2637 [inline]
kcm_release+0x20c/0x740 net/kcm/kcmsock.c:1850
__sock_release+0xcd/0x2a0 net/socket.c:579
device bond_slave_0 entered promiscuous mode
sock_close+0x15/0x20 net/socket.c:1140
__fput+0x2ce/0x8a0 fs/file_table.c:278
task_work_run+0x141/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x269/0x2c0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x57c/0x670 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x417901
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 a4 1a 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
device bond_slave_1 entered promiscuous mode
RSP: 002b:00007ffde0eb9b60 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000417901
RDX: 0000000000000000 RSI: 00000000000016dd RDI: 0000000000000005
RBP: 0000000000000001 R08: 00000000ba1ad6dd R09: 00000000ba1ad6e1
R10: 00007ffde0eb9c50 R11: 0000000000000293 R12: 00000000011911e8
R13: 00000000000551ea R14: ffffffffffffffff R15: 000000000118cf4c
================================================================================
8021q: adding VLAN 0 to HW filter on device macvlan2
device bond0 left promiscuous mode
device bond_slave_0 left promiscuous mode
device bond_slave_1 left promiscuous mode
netlink: 'syz-executor.0': attribute type 1 has an invalid length.
IPv6: ADDRCONF(NETDEV_CHANGE): vlan2: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vlan2: link becomes ready
netlink: 'syz-executor.0': attribute type 1 has an invalid length.
netlink: 'syz-executor.0': attribute type 1 has an invalid length.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.1'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.1'.
audit: type=1804 audit(1601184989.707:46): pid=12660 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=open_writers comm="syz-executor.5" name="/root/syzkaller-testdir115936502/syzkaller.Ipcled/255/memory.events" dev="sda1" ino=15970 res=1
audit: type=1800 audit(1601184989.747:47): pid=12660 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="syz-executor.5" name="memory.events" dev="sda1" ino=15970 res=0
audit: type=1804 audit(1601184989.747:48): pid=12660 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=ToMToU comm="syz-executor.5" name="/root/syzkaller-testdir115936502/syzkaller.Ipcled/255/memory.events" dev="sda1" ino=15970 res=1
audit: type=1804 audit(1601184989.887:49): pid=12671 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=ToMToU comm="syz-executor.5" name="/root/syzkaller-testdir115936502/syzkaller.Ipcled/255/memory.events" dev="sda1" ino=15970 res=1
audit: type=1400 audit(1601184989.887:50): avc: denied { write } for pid=12657 comm="syz-executor.5" path="socket:[44597]" dev="sockfs" ino=44597 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dccp_socket permissive=1
audit: type=1800 audit(1601184990.477:51): pid=12698 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="syz-executor.5" name="memory.events" dev="sda1" ino=15970 res=0
audit: type=1804 audit(1601184990.477:52): pid=12698 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=ToMToU comm="syz-executor.5" name="/root/syzkaller-testdir115936502/syzkaller.Ipcled/255/memory.events" dev="sda1" ino=15970 res=1
audit: type=1804 audit(1601184990.527:53): pid=12699 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=ToMToU comm="syz-executor.5" name="/root/syzkaller-testdir115936502/syzkaller.Ipcled/255/memory.events" dev="sda1" ino=15970 res=1
IPVS: ftp: loaded support on port[0] = 21
audit: type=1804 audit(1601184991.397:54): pid=12770 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=open_writers comm="syz-executor.2" name="cgroup.controllers" dev="sda1" ino=16383 res=1
IPVS: ftp: loaded support on port[0] = 21
xt_CT: No such helper "netbios-ns"
xt_CT: No such helper "netbios-ns"
audit: type=1804 audit(1601184993.517:55): pid=12936 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=open_writers comm="syz-executor.1" name="/root/syzkaller-testdir425441745/syzkaller.WOz1fz/239/cgroup.controllers" dev="sda1" ino=16401 res=1
netlink: 'syz-executor.0': attribute type 1 has an invalid length.
netlink: 'syz-executor.0': attribute type 1 has an invalid length.
syz-executor.5 (12975) used greatest stack depth: 22224 bytes left
kauditd_printk_skb: 2 callbacks suppressed
audit: type=1804 audit(1601184994.977:58): pid=13006 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=open_writers comm="syz-executor.1" name="/root/syzkaller-testdir425441745/syzkaller.WOz1fz/241/cgroup.controllers" dev="sda1" ino=15985 res=1
netlink: 'syz-executor.0': attribute type 1 has an invalid length.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.5'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.5'.
device veth7 entered promiscuous mode
device veth5 entered promiscuous mode
hsr1: Slave A (veth7) is not up; please bring it up to get a fully working HSR network
hsr1: Slave B (veth5) is not up; please bring it up to get a fully working HSR network