syzbot

==================================================================
BUG: KASAN: slab-out-of-bounds in walk_stackframe+0x11c/0x260 arch/riscv/kernel/stacktrace.c:57
Read of size 8 at addr ffffaf800cc97fd0 by task syz-executor.0/2045

CPU: 0 PID: 2045 Comm: syz-executor.0 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff8000a228>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:113
[<ffffffff831668cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:119
[<ffffffff831756ba>] __dump_stack lib/dump_stack.c:88 [inline]
[<ffffffff831756ba>] dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:106
[<ffffffff8047479e>] print_address_description.constprop.0+0x2a/0x330 mm/kasan/report.c:255
[<ffffffff80474d4c>] __kasan_report mm/kasan/report.c:442 [inline]
[<ffffffff80474d4c>] kasan_report+0x184/0x1e0 mm/kasan/report.c:459
[<ffffffff80475b20>] check_region_inline mm/kasan/generic.c:183 [inline]
[<ffffffff80475b20>] __asan_load8+0x6e/0x96 mm/kasan/generic.c:256
[<ffffffff8000a052>] walk_stackframe+0x11c/0x260 arch/riscv/kernel/stacktrace.c:57
[<ffffffff8000a4a4>] arch_stack_walk+0x2c/0x3c arch/riscv/kernel/stacktrace.c:146

Allocated by task 0:
(stack is not available)

The buggy address belongs to the object at ffffaf800cc97800
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 976 bytes to the right of
 1024-byte region [ffffaf800cc97800, ffffaf800cc97c00)
The buggy address belongs to the page:
page:ffffaf807a9e1880 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffffaf800cc96000 pfn:0x8ce90
head:ffffaf807a9e1880 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x8800010200(slab|head|section=17|node=0|zone=0)
raw: 0000008800010200 ffffaf807ab51b08 ffffaf807a9c58c8 ffffaf8007201dc0
raw: ffffaf800cc96000 000000000010000e 00000001ffffffff 0000000000000000
raw: 00000000000007ff
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1991, ts 506899338600, free_ts 506813467100
 __set_page_owner+0x48/0x136 mm/page_owner.c:183
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0xd0/0x10a mm/page_alloc.c:2427
 prep_new_page mm/page_alloc.c:2434 [inline]
 get_page_from_freelist+0x8da/0x12d8 mm/page_alloc.c:4165
 __alloc_pages+0x150/0x3b6 mm/page_alloc.c:5389
 alloc_pages+0x132/0x2a6 mm/mempolicy.c:2271
 alloc_slab_page.constprop.0+0xc2/0xfa mm/slub.c:1799
 allocate_slab mm/slub.c:1944 [inline]
 new_slab+0x76/0x2cc mm/slub.c:2004
 ___slab_alloc+0x56e/0x918 mm/slub.c:3018
 __slab_alloc.constprop.0+0x50/0x8c mm/slub.c:3105
 slab_alloc_node mm/slub.c:3196 [inline]
 __kmalloc_node_track_caller+0x26c/0x362 mm/slub.c:4957
 kmalloc_reserve net/core/skbuff.c:354 [inline]
 __alloc_skb+0xee/0x2e4 net/core/skbuff.c:426
 __napi_alloc_skb+0x72/0x214 net/core/skbuff.c:568
 napi_alloc_skb include/linux/skbuff.h:3005 [inline]
 page_to_skb+0x16e/0x70e drivers/net/virtio_net.c:437
 receive_mergeable drivers/net/virtio_net.c:1039 [inline]
 receive_buf+0xa20/0x3e50 drivers/net/virtio_net.c:1149
 virtnet_receive drivers/net/virtio_net.c:1441 [inline]
 virtnet_poll+0x39c/0x986 drivers/net/virtio_net.c:1550
 __napi_poll+0x7c/0x358 net/core/dev.c:6365
page last free stack trace:
 __reset_page_owner+0x4a/0xea mm/page_owner.c:142
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1352 [inline]
 free_pcp_prepare+0x29c/0x45e mm/page_alloc.c:1404
 free_unref_page_prepare mm/page_alloc.c:3325 [inline]
 free_unref_page+0x6a/0x31e mm/page_alloc.c:3404
 free_the_page mm/page_alloc.c:706 [inline]
 free_compound_page+0x70/0x8a mm/page_alloc.c:729
 destroy_compound_page include/linux/mm.h:889 [inline]
 __put_compound_page+0x7c/0xb0 mm/swap.c:112
 __put_page+0x48/0x100 mm/swap.c:128
 folio_put include/linux/mm.h:1199 [inline]
 put_page include/linux/mm.h:1237 [inline]
 __skb_frag_unref include/linux/skbuff.h:3178 [inline]
 skb_release_data+0x2f8/0x3c4 net/core/skbuff.c:672
 skb_release_all net/core/skbuff.c:742 [inline]
 __kfree_skb+0x38/0x50 net/core/skbuff.c:756
 __sk_defer_free_flush+0x52/0x68 net/ipv4/tcp.c:1592
 sk_defer_free_flush include/net/tcp.h:1378 [inline]
 tcp_v4_rcv+0x1bbc/0x1f46 net/ipv4/tcp_ipv4.c:2114
 ip_protocol_deliver_rcu+0x9c/0x8c0 net/ipv4/ip_input.c:204
 ip_local_deliver_finish+0x12c/0x278 net/ipv4/ip_input.c:231
 NF_HOOK include/linux/netfilter.h:307 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 ip_local_deliver+0x160/0x464 net/ipv4/ip_input.c:252
 dst_input include/net/dst.h:461 [inline]
 ip_sublist_rcv_finish+0x64/0x1b2 net/ipv4/ip_input.c:551
 ip_list_rcv_finish net/ipv4/ip_input.c:601 [inline]
 ip_sublist_rcv+0x420/0x738 net/ipv4/ip_input.c:609
 ip_list_rcv+0x268/0x2c0 net/ipv4/ip_input.c:644

Memory state around the buggy address:
 ffffaf800cc97e80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
 ffffaf800cc97f00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
>ffffaf800cc97f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                 ^
 ffffaf800cc98000: 00 00 00 00 f1 f1 f1 f1 00 00 00 f3 f3 f3 f3 f3
 ffffaf800cc98080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================