================================================================================
UBSAN: shift-out-of-bounds in ./include/net/red.h:312:18
shift exponent 135 is too large for 64-bit type 'long unsigned int'
CPU: 1 PID: 19721 Comm: syz-executor.0 Not tainted 5.11.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x141/0x1d7 lib/dump_stack.c:120
 ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
 __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:395
 red_calc_qavg_from_idle_time include/net/red.h:312 [inline]
 red_calc_qavg include/net/red.h:353 [inline]
 choke_enqueue.cold+0x18/0x3dd net/sched/sch_choke.c:221
 __dev_xmit_skb net/core/dev.c:3837 [inline]
 __dev_queue_xmit+0x1943/0x2e00 net/core/dev.c:4150
 br_dev_queue_push_xmit+0x252/0x740 net/bridge/br_forward.c:51
 NF_HOOK include/linux/netfilter.h:301 [inline]
 NF_HOOK include/linux/netfilter.h:295 [inline]
 br_forward_finish net/bridge/br_forward.c:64 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 NF_HOOK include/linux/netfilter.h:295 [inline]
 __br_forward+0x46d/0x610 net/bridge/br_forward.c:108
 br_flood+0x3b2/0x450 net/bridge/br_forward.c:233
 br_dev_xmit+0xdf0/0x1690 net/bridge/br_device.c:95
 __netdev_start_xmit include/linux/netdevice.h:4793 [inline]
 netdev_start_xmit include/linux/netdevice.h:4807 [inline]
 xmit_one net/core/dev.c:3593 [inline]
 dev_hard_start_xmit+0x1eb/0x920 net/core/dev.c:3609
 __dev_queue_xmit+0x2121/0x2e00 net/core/dev.c:4182
 neigh_resolve_output net/core/neighbour.c:1491 [inline]
 neigh_resolve_output+0x50e/0x820 net/core/neighbour.c:1471
 neigh_output include/net/neighbour.h:510 [inline]
 ip6_finish_output2+0x6ee/0x1700 net/ipv6/ip6_output.c:117
 __ip6_finish_output net/ipv6/ip6_output.c:182 [inline]
 __ip6_finish_output+0x4c1/0xe10 net/ipv6/ip6_output.c:161
 ip6_finish_output+0x35/0x200 net/ipv6/ip6_output.c:192
 NF_HOOK_COND include/linux/netfilter.h:290 [inline]
 ip6_output+0x1e4/0x530 net/ipv6/ip6_output.c:215
 dst_output include/net/dst.h:448 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 ndisc_send_skb+0xa99/0x1750 net/ipv6/ndisc.c:508
 ndisc_send_rs+0x12e/0x700 net/ipv6/ndisc.c:702
 addrconf_rs_timer+0x3f2/0x820 net/ipv6/addrconf.c:3877
 call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1431
 expire_timers kernel/time/timer.c:1476 [inline]
 __run_timers.part.0+0x67c/0xa50 kernel/time/timer.c:1745
 __run_timers kernel/time/timer.c:1726 [inline]
 run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1758
 __do_softirq+0x29b/0x9f6 kernel/softirq.c:343
 asm_call_irq_on_stack+0xf/0x20
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
 do_softirq_own_stack+0xaa/0xd0 arch/x86/kernel/irq_64.c:77
 do_softirq.part.0+0xa7/0xe0 kernel/softirq.c:246
 do_softirq kernel/softirq.c:238 [inline]
 __local_bh_enable_ip+0x102/0x120 kernel/softirq.c:196
 spin_unlock_bh include/linux/spinlock.h:399 [inline]
 nf_conntrack_tcp_packet+0x12eb/0x5ae0 net/netfilter/nf_conntrack_proto_tcp.c:1132
 nf_conntrack_handle_packet net/netfilter/nf_conntrack_core.c:1756 [inline]
 nf_conntrack_in+0x606/0x1330 net/netfilter/nf_conntrack_core.c:1847
 nf_hook_entry_hookfn include/linux/netfilter.h:136 [inline]
 nf_hook_slow+0xc5/0x1e0 net/netfilter/core.c:589
 nf_hook+0x3a1/0x670 include/linux/netfilter.h:256
 NF_HOOK include/linux/netfilter.h:299 [inline]
 ip6_xmit+0xdf8/0x1eb0 net/ipv6/ip6_output.c:320
 inet6_csk_xmit+0x358/0x630 net/ipv6/inet6_connection_sock.c:135
 __tcp_transmit_skb+0x188c/0x38f0 net/ipv4/tcp_output.c:1405
 tcp_transmit_skb net/ipv4/tcp_output.c:1423 [inline]
 tcp_write_xmit+0xde5/0x6030 net/ipv4/tcp_output.c:2689
 __tcp_push_pending_frames+0xaa/0x390 net/ipv4/tcp_output.c:2869
 tcp_push_pending_frames include/net/tcp.h:1886 [inline]
 tcp_data_snd_check net/ipv4/tcp_input.c:5388 [inline]
 tcp_rcv_established+0x13a5/0x1eb0 net/ipv4/tcp_input.c:5798
 tcp_v6_do_rcv+0x41d/0x12b0 net/ipv6/tcp_ipv6.c:1485
 sk_backlog_rcv include/net/sock.h:1016 [inline]
 __release_sock+0x134/0x3b0 net/core/sock.c:2556
 release_sock+0x54/0x1b0 net/core/sock.c:3080
 sk_stream_wait_memory+0x608/0xed0 net/core/stream.c:145
 tcp_sendmsg_locked+0x1072/0x2e40 net/ipv4/tcp.c:1417
 tcp_sendmsg+0x2b/0x40 net/ipv4/tcp.c:1457
 inet6_sendmsg+0x99/0xe0 net/ipv6/af_inet6.c:642
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:672
 __sys_sendto+0x21c/0x320 net/socket.c:1975
 __do_sys_sendto net/socket.c:1987 [inline]
 __se_sys_sendto net/socket.c:1983 [inline]
 __x64_sys_sendto+0xdd/0x1b0 net/socket.c:1983
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x465f69
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f89dbf86188 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 0000000000465f69
RDX: 00000000fffffdef RSI: 0000000020000080 RDI: 0000000000000003
RBP: 00000000004bfa3f R08: 0000000000000000 R09: 0000000005000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf60
R13: 00007fffe3b381cf R14: 00007f89dbf86300 R15: 0000000000022000
================================================================================