program:
r0 = socket$inet(0x2, 0x4000000000000001, 0x0)
setsockopt$inet_tcp_int(r0, 0x6, 0x80000000000002, &(0x7f00000000c0)=0x7a, 0x4)
socket$nl_netfilter(0x10, 0x3, 0xc)
r1 = openat$comedi(0xffffff9c, &(0x7f0000000040)='/dev/comedi3\x00', 0x2000, 0x0)
# options[1] below is 0x80000000; read as a signed 32-bit int that is -2147483648, the shift exponent UBSAN reports in aio_iiro_16_attach, so the driver appears to shift by this caller-supplied option without range-checking it first.
ioctl$COMEDI_DEVCONFIG(r1, 0x40946400, &(0x7f0000000400)={'aio_iiro_16\x00', [0xedd, 0x80000000, 0x2, 0x100000, 0x88db, 0xffffffc0, 0xfffffffd, 0xf, 0x2, 0x3, 0x7f, 0xfff, 0x344, 0x2001, 0x6, 0x200, 0x9, 0x3, 0x84, 0xe, 0x0, 0x0, 0x80, 0x7ff, 0x5, 0xffffffff, 0x800b0c4, 0x807df, 0x8, 0x1]})
ioctl$AUTOFS_DEV_IOCTL_OPENMOUNT(r0, 0xc0189374, &(0x7f0000000100)={{0x1, 0x1, 0x18, r1, {0xf40e}}, './file0\x00'})
bind$inet(r0, &(0x7f0000000000)={0x2, 0x4e23, @local}, 0x10)
sendmsg$nl_generic(r2, &(0x7f0000000240)={&(0x7f0000000140)={0x10, 0x0, 0x0, 0x10}, 0xc, &(0x7f0000000200)={&(0x7f0000000180)={0x5c, 0x41, 0x1, 0x70bd26, 0x25dfdbfc, {0x19}, [@nested={0x47, 0xf0, 0x0, 0x1, [@typed={0x8, 0xe1, 0x0, 0x0, @uid}, @generic="ca7ade5fbf3e26d9dca52ff99d83a502620a1ea79657e37ad1184d521c9d63c58873fde340d7af64813586", @nested={0x4, 0x1}, @typed={0x8, 0x37, 0x0, 0x0, @ipv4=@dev={0xac, 0x14, 0x14, 0x44}}, @nested={0x4, 0x14d}]}]}, 0x5c}, 0x1, 0x0, 0x0, 0x8000}, 0x20000001)
mprotect(&(0x7f0000000000/0x4000)=nil, 0x4000, 0x1)
bpf$MAP_CREATE(0x100000000000000, &(0x7f00000000c0)=@base={0x12, 0x8a, 0x8, 0x800002}, 0x50)
sendto$inet(r0, 0x0, 0x0, 0x200007fd, &(0x7f0000e68000)={0x2, 0x4e23, @local}, 0x10)
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./file0\x00', 0x3d)
setsockopt$sock_int(r0, 0x1, 0x2f, &(0x7f0000000600)=0x801dfc, 0x4)
ioctl$sock_SIOCSIFVLAN_GET_VLAN_REALDEV_NAME_CMD(r0, 0x8983, &(0x7f0000000040)={0x8, 'tunl0\x00', {'ip6_vti0\x00'}, 0x4})
sendto$inet(r0, &(0x7f00000012c0)="09268a927f1f6588b967481241ba7860fcfaf65ac618ded8974895abeaf4b4834ff922b3f1e0b02bd67aa03059bcecc7a95425a3a07e758044ab4ea6f7ae55d88fecf90b1a7511bf746bec66ba", 0x20c8, 0x11, 0x0, 0x27)
recvmmsg(r0, 0x0, 0x0, 0x40, 0x0)

[ 68.163087][ T5320] Bluetooth: hci0: command tx timeout
[ 68.187362][ T5341] ------------[ cut here ]------------
[ 68.194611][ T5341] UBSAN: shift-out-of-bounds in drivers/comedi/drivers/aio_iiro_16.c:180:9
[ 68.198242][ T5341] shift exponent -2147483648 is negative
[ 68.200612][ T5341] CPU: 0 UID: 0 PID: 5341 Comm: syz.0.0 Not tainted 6.16.0-rc6-syzkaller-00253-g4871b7cb27f4 #0 PREEMPT(full)
[ 68.200627][ T5341] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 68.200634][ T5341] Call Trace:
[ 68.200641][ T5341]
[ 68.200648][ T5341] dump_stack_lvl+0x189/0x250
[ 68.204290][ T5341] ? __pfx_dump_stack_lvl+0x10/0x10
[ 68.204437][ T5341] ? __pfx__printk+0x10/0x10
[ 68.204539][ T5341] ? __pfx___request_region_locked+0x10/0x10
[ 68.204643][ T5341] ubsan_epilogue+0xa/0x40
[ 68.204674][ T5341] __ubsan_handle_shift_out_of_bounds+0x386/0x410
[ 68.206477][ T5341] ? __request_region+0xc2/0xe0
[ 68.206569][ T5341] ? comedi_request_region+0x7b/0x180
[ 68.206788][ T5341] aio_iiro_16_attach+0x5e8/0x790
[ 68.206877][ T5341] comedi_device_attach+0x51d/0x670
[ 68.206960][ T5341] comedi_unlocked_ioctl+0x686/0xf40
[ 68.207013][ T5341] ? __pfx_comedi_unlocked_ioctl+0x10/0x10
[ 68.207370][ T5341] ? __lock_acquire+0xab9/0xd20
[ 68.207460][ T5341] ? __fget_files+0x2a/0x420
[ 68.207578][ T5341] ? __fget_files+0x2a/0x420
[ 68.207725][ T5341] ? __fget_files+0x3a0/0x420
[ 68.207740][ T5341] ? __fget_files+0x2a/0x420
[ 68.207788][ T5341] ? bpf_lsm_file_ioctl+0x9/0x20
[ 68.207919][ T5341] ? __pfx_comedi_unlocked_ioctl+0x10/0x10
[ 68.208224][ T5341] __se_sys_ioctl+0xf9/0x170
[ 68.208244][ T5341] do_syscall_64+0xfa/0x3b0
[ 68.208533][ T5341] ? lockdep_hardirqs_on+0x9c/0x150
[ 68.208665][ T5341] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 68.208705][ T5341] ? clear_bhb_loop+0x60/0xb0
[ 68.208874][ T5341] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 68.208886][ T5341] RIP: 0033:0x7f7281d8e9a9
[ 68.209033][ T5341] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 68.209043][ T5341] RSP: 002b:00007f7282c67038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 68.209071][ T5341] RAX: ffffffffffffffda RBX: 00007f7281fb5fa0 RCX: 00007f7281d8e9a9
[ 68.209113][ T5341] RDX: 0000200000000400 RSI: 0000000040946400 RDI: 0000000000000005
[ 68.209150][ T5341] RBP: 00007f7281e10d69 R08: 0000000000000000 R09: 0000000000000000
[ 68.209200][ T5341] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 68.209208][ T5341] R13: 0000000000000000 R14: 00007f7281fb5fa0 R15: 00007ffc24396f58
[ 68.209227][ T5341]
[ 68.341889][ T5341] ---[ end trace ]---
[ 68.346654][ T5341] Kernel panic - not syncing: UBSAN: panic_on_warn set ...
[ 68.349823][ T5341] CPU: 0 UID: 0 PID: 5341 Comm: syz.0.0 Not tainted 6.16.0-rc6-syzkaller-00253-g4871b7cb27f4 #0 PREEMPT(full)
[ 68.354809][ T5341] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 68.359599][ T5341] Call Trace:
[ 68.361164][ T5341]
[ 68.362540][ T5341] dump_stack_lvl+0x99/0x250
[ 68.364608][ T5341] ? __asan_memcpy+0x40/0x70
[ 68.366657][ T5341] ? __pfx_dump_stack_lvl+0x10/0x10
[ 68.368998][ T5341] ? __pfx__printk+0x10/0x10
[ 68.371007][ T5341] panic+0x2db/0x790
[ 68.372748][ T5341] ? __pfx_panic+0x10/0x10
[ 68.374607][ T5341] ? _printk+0xcf/0x120
[ 68.376528][ T5341] ? __pfx__printk+0x10/0x10
[ 68.378596][ T5341] check_panic_on_warn+0x89/0xb0
[ 68.380769][ T5341] __ubsan_handle_shift_out_of_bounds+0x386/0x410
[ 68.383434][ T5341] ? __request_region+0xc2/0xe0
[ 68.385366][ T5341] ? comedi_request_region+0x7b/0x180
[ 68.387564][ T5341] aio_iiro_16_attach+0x5e8/0x790
[ 68.389607][ T5341] comedi_device_attach+0x51d/0x670
[ 68.391704][ T5341] comedi_unlocked_ioctl+0x686/0xf40
[ 68.393930][ T5341] ? __pfx_comedi_unlocked_ioctl+0x10/0x10
[ 68.396381][ T5341] ? __lock_acquire+0xab9/0xd20
[ 68.398447][ T5341] ? __fget_files+0x2a/0x420
[ 68.400339][ T5341] ? __fget_files+0x2a/0x420
[ 68.402255][ T5341] ? __fget_files+0x3a0/0x420
[ 68.404233][ T5341] ? __fget_files+0x2a/0x420
[ 68.406208][ T5341] ? bpf_lsm_file_ioctl+0x9/0x20
[ 68.408390][ T5341] ? __pfx_comedi_unlocked_ioctl+0x10/0x10
[ 68.410846][ T5341] __se_sys_ioctl+0xf9/0x170
[ 68.413164][ T5341] do_syscall_64+0xfa/0x3b0
[ 68.415102][ T5341] ? lockdep_hardirqs_on+0x9c/0x150
[ 68.417251][ T5341] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 68.419705][ T5341] ? clear_bhb_loop+0x60/0xb0
[ 68.421547][ T5341] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 68.423844][ T5341] RIP: 0033:0x7f7281d8e9a9
[ 68.425536][ T5341] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 68.433413][ T5341] RSP: 002b:00007f7282c67038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 68.436993][ T5341] RAX: ffffffffffffffda RBX: 00007f7281fb5fa0 RCX: 00007f7281d8e9a9
[ 68.440473][ T5341] RDX: 0000200000000400 RSI: 0000000040946400 RDI: 0000000000000005
[ 68.443694][ T5341] RBP: 00007f7281e10d69 R08: 0000000000000000 R09: 0000000000000000
[ 68.446946][ T5341] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 68.450195][ T5341] R13: 0000000000000000 R14: 00007f7281fb5fa0 R15: 00007ffc24396f58
[ 68.453516][ T5341]
[ 68.455237][ T5341] Kernel Offset: disabled
[ 68.457209][ T5341] Rebooting in 86400 seconds..