UBSAN: undefined-behaviour in hash_ipport_create


syzbot

Sep 16, 2020, 9:37:22 PM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: a87f9628 Linux 4.19.145
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=133e5b11900000
kernel config: https://syzkaller.appspot.com/x/.config?x=9688ecb5b728ce13
dashboard link: https://syzkaller.appspot.com/bug?extid=79d91cf8b60b378e38f5
compiler: gcc (GCC) 10.1.0-syz 20200507

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+79d91c...@syzkaller.appspotmail.com

================================================================================
UBSAN: Undefined behaviour in net/netfilter/ipset/ip_set_hash_gen.h:125:6
shift exponent 32 is too large for 32-bit type 'unsigned int'
CPU: 0 PID: 9778 Comm: syz-executor.3 Not tainted 4.19.145-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x22c/0x33e lib/dump_stack.c:118
ubsan_epilogue+0xe/0x3a lib/ubsan.c:161
__ubsan_handle_shift_out_of_bounds.cold+0x1c4/0x250 lib/ubsan.c:422
htable_bits net/netfilter/ipset/ip_set_hash_gen.h:125 [inline]
hash_ipport_create.cold+0x1a/0x2d net/netfilter/ipset/ip_set_hash_gen.h:1290
ip_set_create+0x70e/0x1380 net/netfilter/ipset/ip_set_core.c:940
nfnetlink_rcv_msg+0xeff/0x1210 net/netfilter/nfnetlink.c:233
netlink_rcv_skb+0x160/0x440 net/netlink/af_netlink.c:2455
nfnetlink_rcv+0x1b2/0x41b net/netfilter/nfnetlink.c:565
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x4d5/0x690 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x717/0xcc0 net/netlink/af_netlink.c:1909
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xc7/0x130 net/socket.c:632
sock_no_sendpage+0xf5/0x140 net/core/sock.c:2668
kernel_sendpage net/socket.c:3378 [inline]
sock_sendpage+0xdf/0x140 net/socket.c:847
pipe_to_sendpage+0x268/0x330 fs/splice.c:452
splice_from_pipe_feed fs/splice.c:503 [inline]
__splice_from_pipe+0x3af/0x820 fs/splice.c:627
splice_from_pipe fs/splice.c:662 [inline]
generic_splice_sendpage+0xd4/0x140 fs/splice.c:833
do_splice_from fs/splice.c:852 [inline]
do_splice fs/splice.c:1154 [inline]
__do_sys_splice fs/splice.c:1428 [inline]
__se_sys_splice+0xf31/0x15f0 fs/splice.c:1408
do_syscall_64+0xf9/0x670 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45d5f9
Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fa0dc224c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 0000000000033a00 RCX: 000000000045d5f9
RDX: 0000000000000004 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 000000000118cf98 R08: 0000000100000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118cf4c
R13: 00007ffe619a578f R14: 00007fa0dc2259c0 R15: 000000000118cf4c
================================================================================

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Sep 20, 2020, 1:19:15 PM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 015e94d0 Linux 4.19.146
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=10bdd51d900000
kernel config: https://syzkaller.appspot.com/x/.config?x=243dd74ad58a8a57
dashboard link: https://syzkaller.appspot.com/bug?extid=79d91cf8b60b378e38f5
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11838ad5900000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11d8ca9b900000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+79d91c...@syzkaller.appspotmail.com

audit: type=1400 audit(1600622204.993:8): avc: denied { execmem } for pid=6474 comm="syz-executor599" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
================================================================================
UBSAN: Undefined behaviour in net/netfilter/ipset/ip_set_hash_gen.h:125:6
shift exponent 32 is too large for 32-bit type 'unsigned int'
CPU: 0 PID: 6474 Comm: syz-executor599 Not tainted 4.19.146-syzkaller #0
RIP: 0033:0x4404d9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffcb33f3cb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 0000000
