bisecting cause commit starting from a9e26cb5f2615cd638f911ea96d4fff5b4d93690
building syzkaller on 40cc414d10dabacf34877f4902279729ca3bc011
testing commit a9e26cb5f2615cd638f911ea96d4fff5b4d93690 with gcc (GCC) 8.1.0
kernel signature: 92a38665aec38e5310ae8d24322b25579e2c7c12ea0e391081ba0b39f6db0dfa
all runs: crashed: UBSAN: shift-out-of-bounds in strset_parse_request
testing release v5.9
testing commit bbf5c979011a099af5dc76498918ed7df445635b with gcc (GCC) 8.1.0
kernel signature: 0a239a63f936e094afcdc973a4a1640a49766a3338df273434ed919c9d53b108
all runs: crashed: UBSAN: shift-out-of-bounds in strset_parse_request
testing release v5.8
testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.1.0
kernel signature: 43a299fc537e8c714d4f291e0dd750ca62379f64f4e403b6386c91532496a188
all runs: crashed: UBSAN: shift-out-of-bounds in strset_parse_request
testing release v5.7
testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 with gcc (GCC) 8.1.0
kernel signature: 9d59fff760a571f9aef85675458244dad39af3409ec46744bf8b4640c1f90dc9
all runs: crashed: UBSAN: shift-out-of-bounds in strset_parse_request
testing release v5.6
testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0
kernel signature: 5a651a957f7b2d0a6c6a5e0d01901f2c562ec4a7117c85fb3ead69e0c7d7e9d0
all runs: crashed: UBSAN: undefined-behaviour in strset_parse_request
testing release v5.5
testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 with gcc (GCC) 8.1.0
kernel signature: 45db3359cea7d227a48aa67f77f64e309fe5579e273b03525727363462e79b2e
all runs: OK
# git bisect start 7111951b8d4973bda27ff663f2cf18b663d15b48 d5226fa6dbae0569ee43ecfc08bdcd6770fc4755
Bisecting: 6113 revisions left to test after this (roughly 13 steps)
[9f68e3655aae6d49d6ba05dd263f99f33c2567af] Merge tag 'drm-next-2020-01-30' of git://anongit.freedesktop.org/drm/drm
testing commit 9f68e3655aae6d49d6ba05dd263f99f33c2567af with gcc (GCC) 8.1.0
kernel signature: d2460b42d1e46a423f7b821064fa9f221f143b81f25f09a9e6cdbc6b308b348c
all runs: crashed: UBSAN: undefined-behaviour in strset_parse_request
# git bisect bad 9f68e3655aae6d49d6ba05dd263f99f33c2567af
Bisecting: 3686 revisions left to test after this (roughly 12 steps)
[fb95aae6e67c4e319a24b3eea32032d4246a5335] Merge tag 'sound-5.6-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
testing commit fb95aae6e67c4e319a24b3eea32032d4246a5335 with gcc (GCC) 8.1.0
kernel signature: 0f5f9921d72f7e6bea7acc234411ae95805564340701e56d7df08d0364012f22
all runs: crashed: UBSAN: undefined-behaviour in strset_parse_request
# git bisect bad fb95aae6e67c4e319a24b3eea32032d4246a5335
Bisecting: 2267 revisions left to test after this (roughly 11 steps)
[f76e4c167ea2212e23c15ee7e601a865e822c291] net: phy: add default ARCH_BCM_IPROC for MDIO_BCM_IPROC
testing commit f76e4c167ea2212e23c15ee7e601a865e822c291 with gcc (GCC) 8.1.0
kernel signature: c7e1495b35e43b5977a78cc697a2300f29a335a6bbd38be77187eda2dd8869df
all runs: crashed: UBSAN: undefined-behaviour in strset_parse_request
# git bisect bad f76e4c167ea2212e23c15ee7e601a865e822c291
Bisecting: 810 revisions left to test after this (roughly 10 steps)
[f41aa387a7896c193b384c5fb531cd2cb9e00128] Merge branch 'selftest-makefile-cleanup'
testing commit f41aa387a7896c193b384c5fb531cd2cb9e00128 with gcc (GCC) 8.1.0
kernel signature: d93ece11dcabfa1fec39e9b0e943e1331d88073a00375fb228688a57db1420f7
all runs: crashed: UBSAN: undefined-behaviour in strset_parse_request
# git bisect bad f41aa387a7896c193b384c5fb531cd2cb9e00128
Bisecting: 404 revisions left to test after this (roughly 9 steps)
[9f6cff995e98258b6b81cc864532f633e5b3a081] Merge branch 'Simplify-IPv6-route-offload-API'
testing commit 9f6cff995e98258b6b81cc864532f633e5b3a081 with gcc (GCC) 8.1.0
kernel signature: c2568391f0c3094c22bdd775f63c281b3dd8a3b3ac8cd285a3c316e4111dd1a1
all runs: OK
# git bisect good 9f6cff995e98258b6b81cc864532f633e5b3a081
Bisecting: 203 revisions left to test after this (roughly 8 steps)
[1a1fda57b400160c79287479dc05d8b8b3f7113d] Merge branch 'DSA-TX-tstamp'
testing commit 1a1fda57b400160c79287479dc05d8b8b3f7113d with gcc (GCC) 8.1.0
kernel signature: ad7452923e05c6b31126d0f1f5f177408ca5c2f34164e72e407c50680df8a79f
all runs: crashed: UBSAN: undefined-behaviour in strset_parse_request
# git bisect bad 1a1fda57b400160c79287479dc05d8b8b3f7113d
Bisecting: 100 revisions left to test after this (roughly 7 steps)
[0536b85239b8440735cdd910aae0eb076ebbb439] xdp: Simplify devmap cleanup
testing commit 0536b85239b8440735cdd910aae0eb076ebbb439 with gcc (GCC) 8.1.0
kernel signature: a3ad38c6b9e8388b9909f1410aa6c7e4aaf0d204e4b380dbaf0c64c8c8e1e2f0
all runs: OK
# git bisect good 0536b85239b8440735cdd910aae0eb076ebbb439
Bisecting: 60 revisions left to test after this (roughly 6 steps)
[7c8dce4b166113743adad131b5a24c4acc12f92c] bpftool: Make skeleton C code compilable with C++ compiler
testing commit 7c8dce4b166113743adad131b5a24c4acc12f92c with gcc (GCC) 8.1.0
kernel signature: 5ac61db7f64a36029a521c9c873169526e57e9408fd77704d404f977f7bc18cd
all runs: OK
# git bisect good 7c8dce4b166113743adad131b5a24c4acc12f92c
Bisecting: 30 revisions left to test after this (roughly 5 steps)
[9e41fbf3dd38327d440a8f3ba0c234519dbb5280] Merge branch 's390-qeth-next'
testing commit 9e41fbf3dd38327d440a8f3ba0c234519dbb5280 with gcc (GCC) 8.1.0
kernel signature: 37728cdc12542aebd1cb74f259af0bb7fd78a0cff223af8233491c73ee637d2c
all runs: OK
# git bisect good 9e41fbf3dd38327d440a8f3ba0c234519dbb5280
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[10b518d4e6dd5390e40f7d8de0f08753c1195a7e] ethtool: netlink bitset handling
testing commit 10b518d4e6dd5390e40f7d8de0f08753c1195a7e with gcc (GCC) 8.1.0
kernel signature: f620985ddd0906c349e4e1f727265ff0f8c9d76001d596f7a79e547cf901f866
all runs: OK
# git bisect good 10b518d4e6dd5390e40f7d8de0f08753c1195a7e
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[f625aa9be8c10f2e4dc677837e240730a25feda7] ethtool: provide link mode information with LINKMODES_GET request
testing commit f625aa9be8c10f2e4dc677837e240730a25feda7 with gcc (GCC) 8.1.0
kernel signature: 9c192b6e5568a42e321d3f948f44e04cb47089d19321c316f49bf15dd4d4a7fe
all runs: crashed: UBSAN: undefined-behaviour in strset_parse_request
# git bisect bad f625aa9be8c10f2e4dc677837e240730a25feda7
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[459e0b81b37043545d90629fdfb243444151e77d] ethtool: provide link settings with LINKINFO_GET request
testing commit 459e0b81b37043545d90629fdfb243444151e77d with gcc (GCC) 8.1.0
kernel signature: 3bcdbf5a3deb4e948caf09e37a1ce85c121406811315316a31f405bf52008bad
all runs: crashed: UBSAN: undefined-behaviour in strset_parse_request
# git bisect bad 459e0b81b37043545d90629fdfb243444151e77d
Bisecting: 1 revision left to test after this (roughly 1 step)
[728480f1244200fe294073afeb612c583a2080d2] ethtool: default handlers for GET requests
testing commit 728480f1244200fe294073afeb612c583a2080d2 with gcc (GCC) 8.1.0
kernel signature: e9b28a86df520a4d3470d9276190b7c57adec360fdc14692792c555d8984cb95
all runs: OK
# git bisect good 728480f1244200fe294073afeb612c583a2080d2
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[71921690f9745fef60a2bad425f30adf8cdc9da0] ethtool: provide string sets with STRSET_GET request
testing commit 71921690f9745fef60a2bad425f30adf8cdc9da0 with gcc (GCC) 8.1.0
kernel signature: 02dab1362fa382e6b9bd3d29359e80db81ae3d1fc39ba8c0bd1dc94ed4b6672d
all runs: crashed: UBSAN: undefined-behaviour in strset_parse_request
# git bisect bad 71921690f9745fef60a2bad425f30adf8cdc9da0
71921690f9745fef60a2bad425f30adf8cdc9da0 is the first bad commit
commit 71921690f9745fef60a2bad425f30adf8cdc9da0
Author: Michal Kubecek <mkubecek@suse.cz>
Date:   Fri Dec 27 15:55:43 2019 +0100

    ethtool: provide string sets with STRSET_GET request
    
    Requests a contents of one or more string sets, i.e. indexed arrays of
    strings; this information is provided by ETHTOOL_GSSET_INFO and
    ETHTOOL_GSTRINGS commands of ioctl interface. Unlike ioctl interface, all
    information can be retrieved with one request and mulitple string sets can
    be requested at once.
    
    There are three types of requests:
    
      - no NLM_F_DUMP, no device: get "global" stringsets
      - no NLM_F_DUMP, with device: get string sets related to the device
      - NLM_F_DUMP, no device: get device related string sets for all devices
    
    Client can request either all string sets of given type (global or device
    related) or only specific sets. With ETHTOOL_A_STRSET_COUNTS flag set, only
    set sizes (numbers of strings) are returned.
    
    Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
    Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 Documentation/networking/ethtool-netlink.rst |  75 ++++-
 include/uapi/linux/ethtool.h                 |   3 +
 include/uapi/linux/ethtool_netlink.h         |  56 ++++
 net/ethtool/Makefile                         |   2 +-
 net/ethtool/netlink.c                        |   8 +
 net/ethtool/netlink.h                        |   4 +
 net/ethtool/strset.c                         | 425 +++++++++++++++++++++++++++
 7 files changed, 570 insertions(+), 3 deletions(-)
 create mode 100644 net/ethtool/strset.c
culprit signature: 02dab1362fa382e6b9bd3d29359e80db81ae3d1fc39ba8c0bd1dc94ed4b6672d
parent  signature: e9b28a86df520a4d3470d9276190b7c57adec360fdc14692792c555d8984cb95
revisions tested: 20, total time: 3h46m36.745345327s (build: 1h56m33.375876106s, test: 1h47m50.760023381s)
first bad commit: 71921690f9745fef60a2bad425f30adf8cdc9da0 ethtool: provide string sets with STRSET_GET request
recipients (to): ["davem@davemloft.net" "f.fainelli@gmail.com" "mkubecek@suse.cz"]
recipients (cc): []
crash: UBSAN: undefined-behaviour in strset_parse_request
================================================================================
UBSAN: Undefined behaviour in net/ethtool/strset.c:164:28
shift exponent 3476603555 is too large for 32-bit type 'unsigned int'
CPU: 0 PID: 11016 Comm: syz-executor.1 Not tainted 5.5.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x96/0xe0 lib/dump_stack.c:118
 ubsan_epilogue+0x5/0x21 lib/ubsan.c:154
 __ubsan_handle_shift_out_of_bounds.cold.13+0x14/0x98 lib/ubsan.c:390
 strset_parse_request.cold.7+0x2c/0x35 net/ethtool/strset.c:164
 ethnl_default_parse+0x1c4/0x2b0 net/ethtool/netlink.c:242
 ethnl_default_start+0x203/0x520 net/ethtool/netlink.c:463
 __netlink_dump_start+0x4d0/0x8e0 net/netlink/af_netlink.c:2342
 genl_family_rcv_msg_dumpit net/netlink/genetlink.c:629 [inline]
 genl_family_rcv_msg net/netlink/genetlink.c:714 [inline]
 genl_rcv_msg+0x90e/0xf10 net/netlink/genetlink.c:734
 netlink_rcv_skb+0x119/0x340 net/netlink/af_netlink.c:2477
 genl_rcv+0x1f/0x30 net/netlink/genetlink.c:745
 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
 netlink_unicast+0x421/0x610 net/netlink/af_netlink.c:1328
 netlink_sendmsg+0x761/0xc80 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:643 [inline]
 sock_sendmsg+0xac/0xf0 net/socket.c:663
 ____sys_sendmsg+0x54e/0x760 net/socket.c:2342
 ___sys_sendmsg+0xe4/0x160 net/socket.c:2396
 __sys_sendmsg+0xce/0x170 net/socket.c:2429
 do_syscall_64+0x8e/0x4f0 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45e0f9
Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fd212a10c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045e0f9
RDX: 0000000000000000 RSI: 0000000020000fc0 RDI: 0000000000000003
RBP: 000000000119c068 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000119c034
R13: 00007ffc6924ea7f R14: 00007fd212a119c0 R15: 000000000119c034
================================================================================