Hi, This bug was found in Linux Kernel v4.18-rc2 $ cat report10 ================================================================================ UBSAN: Undefined behaviour in drivers/scsi/sr_ioctl.c:428:9 signed integer overflow: 810238276 * 177 cannot be represented in type 'int' CPU: 0 PID: 3712 Comm: syz-executor1 Not tainted 4.18.0-rc1 #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.10.2-0-g5f4c7b1-prebuilt.qemu-project.org 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x122/0x1c8 lib/dump_stack.c:113 ubsan_epilogue+0x12/0x86 lib/ubsan.c:159 handle_overflow+0x1c2/0x21f lib/ubsan.c:190 __ubsan_handle_mul_overflow+0x2a/0x38 lib/ubsan.c:214 sr_select_speed+0x184/0x1b0 drivers/scsi/sr_ioctl.c:428 cdrom_ioctl_select_speed drivers/cdrom/cdrom.c:2432 [inline] cdrom_ioctl+0x517/0x340e drivers/cdrom/cdrom.c:3344 sr_block_ioctl+0x10e/0x1b0 drivers/scsi/sr.c:576 __blkdev_driver_ioctl block/ioctl.c:303 [inline] blkdev_ioctl+0xb03/0x1fc0 block/ioctl.c:601 block_ioctl+0xf5/0x160 fs/block_dev.c:1880 vfs_ioctl fs/ioctl.c:46 [inline] do_vfs_ioctl+0x1e8/0x1340 fs/ioctl.c:686 ksys_ioctl+0x9c/0xb0 fs/ioctl.c:701 __do_sys_ioctl fs/ioctl.c:708 [inline] __se_sys_ioctl fs/ioctl.c:706 [inline] __x64_sys_ioctl+0x81/0xd0 fs/ioctl.c:706 do_syscall_64+0xb8/0x3a0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x455a09 Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f26b265ac68 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f26b265b6d4 RCX: 0000000000455a09 RDX: 00000000304b4144 RSI: 0000000000005322 RDI: 0000000000000013 RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 00000000000001dc R14: 00000000006f7d40 R15: 0000000000000000 ================================================================================ netlink: 36 bytes leftover after parsing attributes in process `syz-executor1'. netlink: 36 bytes leftover after parsing attributes in process `syz-executor1'. SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=3864 comm=syz-executor0 sr 1:0:0:0: [sr0] unaligned transfer sr 1:0:0:0: [sr0] unaligned transfer sg_write: data in/out 17982/46 bytes for SCSI command 0x0-- guessing data in; program syz-executor0 not setting count and/or reply_len properly sg_write: data in/out 17982/46 bytes for SCSI command 0x0-- guessing data in; program syz-executor0 not setting count and/or reply_len properly ================================================================================ UBSAN: Undefined behaviour in net/sunrpc/xprt.c:568:22 shift exponent 536870976 is too large for 64-bit type 'long unsigned int' CPU: 0 PID: 4174 Comm: syz-executor1 Not tainted 4.18.0-rc1 #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.10.2-0-g5f4c7b1-prebuilt.qemu-project.org 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x122/0x1c8 lib/dump_stack.c:113 ubsan_epilogue+0x12/0x86 lib/ubsan.c:159 __ubsan_handle_shift_out_of_bounds+0x29a/0x2ff lib/ubsan.c:425 xprt_reset_majortimeo+0x323/0x440 net/sunrpc/xprt.c:568 xprt_request_init+0x4d2/0x730 net/sunrpc/xprt.c:1330 call_reserveresult+0x9d/0x240 net/sunrpc/clnt.c:1549 __rpc_execute+0x23a/0xc20 net/sunrpc/sched.c:784 rpc_execute+0xf5/0x250 net/sunrpc/sched.c:852 rpc_run_task+0x4a1/0x9f0 net/sunrpc/clnt.c:1053 rpc_call_sync+0xcf/0x1a0 net/sunrpc/clnt.c:1082 rpc_ping+0xde/0x140 net/sunrpc/clnt.c:2514 rpc_create_xprt+0x1e8/0x590 net/sunrpc/clnt.c:479 rpc_create+0x3a9/0x600 net/sunrpc/clnt.c:587 nfs_create_rpc_client+0x3a1/0x4d0 fs/nfs/client.c:523 nfs_init_client+0x7b/0x100 fs/nfs/client.c:634 nfs_get_client+0xa74/0x1440 fs/nfs/client.c:425 nfs_init_server+0x236/0xdf0 fs/nfs/client.c:670 nfs_create_server+0x9a/0x750 fs/nfs/client.c:953 nfs_try_mount+0x270/0xaf0 fs/nfs/super.c:1884 nfs_fs_mount+0x151f/0x30e0 fs/nfs/super.c:2695 mount_fs+0xaf/0x330 fs/super.c:1277 vfs_kern_mount+0xfc/0x4d0 fs/namespace.c:1037 do_new_mount fs/namespace.c:2518 [inline] do_mount+0x46f/0x2fa0 fs/namespace.c:2848 ksys_mount+0xb0/0x120 fs/namespace.c:3064 __do_sys_mount fs/namespace.c:3078 [inline] __se_sys_mount fs/namespace.c:3075 [inline] __x64_sys_mount+0xcc/0x170 fs/namespace.c:3075 do_syscall_64+0xb8/0x3a0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x455a09 Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f26b265ac68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 00007f26b265b6d4 RCX: 0000000000455a09 RDX: 00000000200001c0 RSI: 0000000020000100 RDI: 0000000020000200 RBP: 000000000072bea0 R08: 0000000020000180 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 00000000000004d1 R14: 00000000006fc438 R15: 0000000000000000 ================================================================================ capability: warning: `syz-executor1' uses deprecated v2 capabilities in a way that may be insecure This bug can be repro, if you need this, please tell me. Thanks, Icytxw