syzbot

skbuff: skb_over_panic: text:ffffffff82c3fc69 len:184 put:172 head:ffff8881e1266800 data:ffff8881e1266800 tail:0xb8 end:0x80 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:109!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 2206 Comm: udevd Not tainted 5.4.210-syzkaller-00006-gc80a5b2e7f63 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
RIP: 0010:skb_panic+0x14a/0x150 net/core/skbuff.c:105
Code: f4 2e 85 48 8b 74 24 08 48 8b 54 24 10 8b 0c 24 44 8b 44 24 04 49 89 e9 31 c0 53 41 55 41 54 41 57 e8 c1 8d d0 00 48 83 c4 20 <0f> 0b 0f 1f 40 00 55 41 57 41 56 41 55 41 54 53 48 83 ec 68 4d 89
RSP: 0018:ffff8881f6f09048 EFLAGS: 00010286
RAX: 0000000000000087 RBX: ffffffff852ef500 RCX: 383a564d35436100
RDX: 0000000080000703 RSI: 0000000080000703 RDI: 0000000000000000
RBP: ffff8881e1266800 R08: ffffffff814e34d7 R09: 0000000000000003
R10: ffffed103ede117d R11: 1ffff1103ede117c R12: 00000000000000b8
R13: 0000000000000080 R14: dffffc0000000000 R15: ffff8881e1266800
FS:  00007f1447894840(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffedeb6dfb8 CR3: 00000001dc9d2000 CR4: 00000000003406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 skb_over_panic net/core/skbuff.c:114 [inline]
 skb_put+0x148/0x1f0 net/core/skbuff.c:1877
 skb_put_zero include/linux/skbuff.h:2267 [inline]
 cdc_ncm_ndp drivers/net/usb/cdc_ncm.c:1106 [inline]
 cdc_ncm_fill_tx_frame+0xcd9/0x2ce0 drivers/net/usb/cdc_ncm.c:1213
 cdc_ncm_tx_fixup+0x6c/0xb0 drivers/net/usb/cdc_ncm.c:1407
 usbnet_start_xmit+0x109/0x18a0 drivers/net/usb/usbnet.c:1363
 __netdev_start_xmit include/linux/netdevice.h:4519 [inline]
 netdev_start_xmit include/linux/netdevice.h:4533 [inline]
 xmit_one+0xfa/0x4a0 net/core/dev.c:3209
 dev_hard_start_xmit+0xac/0x1b0 net/core/dev.c:3225
 sch_direct_xmit+0x28c/0xa20 net/sched/sch_generic.c:336
 qdisc_restart net/sched/sch_generic.c:401 [inline]
 __qdisc_run+0x245/0x420 net/sched/sch_generic.c:409
 qdisc_run include/net/pkt_sched.h:122 [inline]
 __dev_xmit_skb net/core/dev.c:3401 [inline]
 __dev_queue_xmit+0xd89/0x2a20 net/core/dev.c:3755
 neigh_output include/net/neighbour.h:525 [inline]
 ip6_finish_output2+0xfb9/0x18d0 net/ipv6/ip6_output.c:144
 NF_HOOK_COND include/linux/netfilter.h:297 [inline]
 ip6_output+0x1c1/0x420 net/ipv6/ip6_output.c:242
 dst_output include/net/dst.h:444 [inline]
 NF_HOOK include/linux/netfilter.h:308 [inline]
 mld_sendpack+0x5e1/0xb00 net/ipv6/mcast.c:1679
 mld_send_cr net/ipv6/mcast.c:1975 [inline]
 mld_ifc_timer_expire+0x864/0xc50 net/ipv6/mcast.c:2474
 call_timer_fn+0x31/0x350 kernel/time/timer.c:1418
 expire_timers+0x21e/0x400 kernel/time/timer.c:1463
 __run_timers+0x5e0/0x700 kernel/time/timer.c:1787
 run_timer_softirq+0x46/0x80 kernel/time/timer.c:1800
 __do_softirq+0x23e/0x643 kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x195/0x1c0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:538 [inline]
 smp_apic_timer_interrupt+0x113/0x440 arch/x86/kernel/apic/apic.c:1150
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:831
 </IRQ>
RIP: 0010:putname+0x4b/0x150 fs/namei.c:255
Code: 89 fd 49 c1 ed 03 43 8a 44 25 00 84 c0 0f 85 ce 00 00 00 41 8b 1f bf 01 00 00 00 89 de e8 7d fe ca ff 85 db 0f 8e f3 00 00 00 <8d> 6b ff 43 8a 44 25 00 84 c0 0f 85 c5 00 00 00 41 89 2f bf 01 00
RSP: 0018:ffff8881dcbc7dc8 EFLAGS: 00000202 ORIG_RAX: ffffffffffffff13
RAX: ffffffff819a4400 RBX: 0000000000000001 RCX: 0000000000000000
RDX: ffff8881ddb00fc0 RSI: 0000000000000001 RDI: 0000000000000001
RBP: ffff8881dcbc7f10 R08: ffffffff819a44a3 R09: ffff8881dcbc7d60
R10: ffffed103b978fb0 R11: 1ffff1103b978fac R12: dffffc0000000000
R13: 1ffff1103be6b222 R14: ffff8881df359100 R15: ffff8881df359110
 do_sys_open+0x63e/0x7e0 fs/open.c:1122
 do_syscall_64+0xcb/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f14479eb697
Code: 25 00 00 41 00 3d 00 00 41 00 74 37 64 8b 04 25 18 00 00 00 85 c0 75 5b 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 85 00 00 00 48 83 c4 68 5d 41 5c c3 0f 1f
RSP: 002b:00007ffcd049b8e0 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 000055cc05e73860 RCX: 00007f14479eb697
RDX: 0000000000080000 RSI: 00007ffcd049b9f8 RDI: 00000000ffffff9c
RBP: 00007ffcd049b9f8 R08: 000055cc04d8de6a R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000080000
R13: 000055cc05e73950 R14: 00007ffcd049b9f8 R15: 0000000000000002
Modules linked in:
---[ end trace 044dc00b2e9ac07d ]---
RIP: 0010:skb_panic+0x14a/0x150 net/core/skbuff.c:105
Code: f4 2e 85 48 8b 74 24 08 48 8b 54 24 10 8b 0c 24 44 8b 44 24 04 49 89 e9 31 c0 53 41 55 41 54 41 57 e8 c1 8d d0 00 48 83 c4 20 <0f> 0b 0f 1f 40 00 55 41 57 41 56 41 55 41 54 53 48 83 ec 68 4d 89
RSP: 0018:ffff8881f6f09048 EFLAGS: 00010286
RAX: 0000000000000087 RBX: ffffffff852ef500 RCX: 383a564d35436100
RDX: 0000000080000703 RSI: 0000000080000703 RDI: 0000000000000000
RBP: ffff8881e1266800 R08: ffffffff814e34d7 R09: 0000000000000003
R10: ffffed103ede117d R11: 1ffff1103ede117c R12: 00000000000000b8
R13: 0000000000000080 R14: dffffc0000000000 R15: ffff8881e1266800
FS:  00007f1447894840(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffedeb6dfb8 CR3: 00000001dc9d2000 CR4: 00000000003406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	89 fd                	mov    %edi,%ebp
   2:	49 c1 ed 03          	shr    $0x3,%r13
   6:	43 8a 44 25 00       	mov    0x0(%r13,%r12,1),%al
   b:	84 c0                	test   %al,%al
   d:	0f 85 ce 00 00 00    	jne    0xe1
  13:	41 8b 1f             	mov    (%r15),%ebx
  16:	bf 01 00 00 00       	mov    $0x1,%edi
  1b:	89 de                	mov    %ebx,%esi
  1d:	e8 7d fe ca ff       	callq  0xffcafe9f
  22:	85 db                	test   %ebx,%ebx
  24:	0f 8e f3 00 00 00    	jle    0x11d
* 2a:	8d 6b ff             	lea    -0x1(%rbx),%ebp <-- trapping instruction
  2d:	43 8a 44 25 00       	mov    0x0(%r13,%r12,1),%al
  32:	84 c0                	test   %al,%al
  34:	0f 85 c5 00 00 00    	jne    0xff
  3a:	41 89 2f             	mov    %ebp,(%r15)
  3d:	bf                   	.byte 0xbf
  3e:	01 00                	add    %eax,(%rax)