syzbot

 sign-in | mailing list | source | docs
🐞 Open [1533]
Subsystems
🐞 Fixed [6448]
🐞 Invalid [16334]
Missing Backports [199]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
💬 Send us feedback

UBSAN: shift-out-of-bounds in sctp_transport_update_rto

Status: upstream: reported on 2025/07/21 19:06
Subsystems: sctp
[Documentation on labels]
Reported-by: syzbot+2e455dd90ca648e48cea@syzkaller.appspotmail.com
First crash: 4d10h, last: 4d10h
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [sctp?] UBSAN: shift-out-of-bounds in sctp_transport_update_rto 0 (1) 2025/07/21 19:06

Sample crash report:
------------[ cut here ]------------
UBSAN: shift-out-of-bounds in net/sctp/transport.c:509:41
shift exponent 237 is too large for 32-bit type 'unsigned int'
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.16.0-rc6-syzkaller-00121-g6832a9317eee #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120
 ubsan_epilogue lib/ubsan.c:233 [inline]
 __ubsan_handle_shift_out_of_bounds+0x27f/0x420 lib/ubsan.c:494
 sctp_transport_update_rto.cold+0x1c/0x34b net/sctp/transport.c:509
 sctp_check_transmitted+0x11c4/0x1c30 net/sctp/outqueue.c:1502
 sctp_outq_sack+0x4ef/0x1b20 net/sctp/outqueue.c:1338
 sctp_cmd_process_sack net/sctp/sm_sideeffect.c:840 [inline]
 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1372 [inline]
 sctp_side_effects net/sctp/sm_sideeffect.c:1204 [inline]
 sctp_do_sm+0x36df/0x5c80 net/sctp/sm_sideeffect.c:1175
 sctp_assoc_bh_rcv+0x392/0x6f0 net/sctp/associola.c:1034
 sctp_inq_push+0x1db/0x270 net/sctp/inqueue.c:88
 sctp_rcv+0x14d8/0x3c60 net/sctp/input.c:243
 ip_protocol_deliver_rcu+0x447/0x4c0 net/ipv4/ip_input.c:205
 ip_local_deliver_finish+0x316/0x570 net/ipv4/ip_input.c:233
 NF_HOOK include/linux/netfilter.h:317 [inline]
 NF_HOOK include/linux/netfilter.h:311 [inline]
 ip_local_deliver+0x18e/0x1f0 net/ipv4/ip_input.c:254
 dst_input include/net/dst.h:469 [inline]
 ip_rcv_finish net/ipv4/ip_input.c:448 [inline]
 NF_HOOK include/linux/netfilter.h:317 [inline]
 NF_HOOK include/linux/netfilter.h:311 [inline]
 ip_rcv+0x2c3/0x5d0 net/ipv4/ip_input.c:568
 __netif_receive_skb_one_core+0x197/0x1e0 net/core/dev.c:5977
 __netif_receive_skb+0x1d/0x160 net/core/dev.c:6090
 process_backlog+0x442/0x15e0 net/core/dev.c:6442
 __napi_poll.constprop.0+0xb7/0x550 net/core/dev.c:7414
 napi_poll net/core/dev.c:7478 [inline]
 net_rx_action+0xa9f/0xfe0 net/core/dev.c:7605
 handle_softirqs+0x219/0x8e0 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu+0x109/0x170 kernel/softirq.c:680
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
 sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1050
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:pv_native_safe_halt+0xf/0x20 arch/x86/kernel/paravirt.c:82
Code: 0b 6f 02 c3 cc cc cc cc 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d d3 77 25 00 fb f4 <e9> 8c fb 02 00 66 2e 0f 1f 84 00 00 00 00 00 66 90 90 90 90 90 90
RSP: 0018:ffffffff8e207e08 EFLAGS: 000002c6
RAX: 0000000000448811 RBX: 0000000000000000 RCX: ffffffff8b849c69
RDX: 0000000000000000 RSI: ffffffff8de2d10c RDI: ffffffff8c157960
RBP: fffffbfff1c52ef0 R08: 0000000000000001 R09: ffffed1017086645
R10: ffff8880b843322b R11: 0000000000000001 R12: 0000000000000000
R13: ffffffff8e297780 R14: ffffffff90a9a650 R15: 0000000000000000
 arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline]
 default_idle+0x13/0x20 arch/x86/kernel/process.c:749
 default_idle_call+0x6d/0xb0 kernel/sched/idle.c:117
 cpuidle_idle_call kernel/sched/idle.c:185 [inline]
 do_idle+0x391/0x510 kernel/sched/idle.c:325
 cpu_startup_entry+0x4f/0x60 kernel/sched/idle.c:423
 rest_init+0x16b/0x2b0 init/main.c:745
 start_kernel+0x3ee/0x4d0 init/main.c:1102
 x86_64_start_reservations+0x18/0x30 arch/x86/kernel/head64.c:307
 x86_64_start_kernel+0x130/0x190 arch/x86/kernel/head64.c:288
 common_startup_64+0x13e/0x148
 </TASK>
---[ end trace ]---
----------------
Code disassembly (best guess):
   0:	0b 6f 02             	or     0x2(%rdi),%ebp
   3:	c3                   	ret
   4:	cc                   	int3
   5:	cc                   	int3
   6:	cc                   	int3
   7:	cc                   	int3
   8:	0f 1f 00             	nopl   (%rax)
   b:	90                   	nop
   c:	90                   	nop
   d:	90                   	nop
   e:	90                   	nop
   f:	90                   	nop
  10:	90                   	nop
  11:	90                   	nop
  12:	90                   	nop
  13:	90                   	nop
  14:	90                   	nop
  15:	90                   	nop
  16:	90                   	nop
  17:	90                   	nop
  18:	90                   	nop
  19:	90                   	nop
  1a:	90                   	nop
  1b:	f3 0f 1e fa          	endbr64
  1f:	66 90                	xchg   %ax,%ax
  21:	0f 00 2d d3 77 25 00 	verw   0x2577d3(%rip)        # 0x2577fb
  28:	fb                   	sti
  29:	f4                   	hlt
* 2a:	e9 8c fb 02 00       	jmp    0x2fbbb <-- trapping instruction
  2f:	66 2e 0f 1f 84 00 00 	cs nopw 0x0(%rax,%rax,1)
  36:	00 00 00
  39:	66 90                	xchg   %ax,%ax
  3b:	90                   	nop
  3c:	90                   	nop
  3d:	90                   	nop
  3e:	90                   	nop
  3f:	90                   	nop

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/07/18 07:27 upstream 6832a9317eee 88248e14 .config console log report info [disk image] [vmlinux] [kernel image] ci-qemu-gce-upstream-auto UBSAN: shift-out-of-bounds in sctp_transport_update_rto
* Struck through repros no longer work on HEAD.