==================================================================
BUG: KASAN: global-out-of-bounds in llc_find_offset net/llc/llc_conn.c:682 [inline]
BUG: KASAN: global-out-of-bounds in llc_qualify_conn_ev net/llc/llc_conn.c:400 [inline]
BUG: KASAN: global-out-of-bounds in llc_conn_service net/llc/llc_conn.c:365 [inline]
BUG: KASAN: global-out-of-bounds in llc_conn_state_process+0x7bc/0xcfc net/llc/llc_conn.c:71
Read of size 4 at addr ffffffff86eacb18 by task syz-executor.1/4069

CPU: 0 PID: 4069 Comm: syz-executor.1 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:113
[] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:119
[] __dump_stack lib/dump_stack.c:88 [inline]
[] dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:106
[] print_address_description.constprop.0+0x2a/0x330 mm/kasan/report.c:255
[] __kasan_report mm/kasan/report.c:442 [inline]
[] kasan_report+0x184/0x1e0 mm/kasan/report.c:459
[] check_region_inline mm/kasan/generic.c:183 [inline]
[] __asan_load4+0x6e/0x96 mm/kasan/generic.c:255
[] llc_find_offset net/llc/llc_conn.c:682 [inline]
[] llc_qualify_conn_ev net/llc/llc_conn.c:400 [inline]
[] llc_conn_service net/llc/llc_conn.c:365 [inline]
[] llc_conn_state_process+0x7bc/0xcfc net/llc/llc_conn.c:71
[] llc_process_tmr_ev net/llc/llc_c_ac.c:1445 [inline]
[] llc_conn_tmr_common_cb+0x1b2/0x51e net/llc/llc_c_ac.c:1331
[] llc_conn_ack_tmr_cb+0x1e/0x28 net/llc/llc_c_ac.c:1354
[] call_timer_fn+0x164/0x698 kernel/time/timer.c:1421
[] expire_timers kernel/time/timer.c:1466 [inline]
[] __run_timers.part.0+0x484/0x4e6 kernel/time/timer.c:1734
[] __run_timers kernel/time/timer.c:1715 [inline]
[] run_timer_softirq+0x86/0x100 kernel/time/timer.c:1747
[] __do_softirq+0x274/0x8fc kernel/softirq.c:558
[] do_softirq_own_stack include/asm-generic/softirq_stack.h:10 [inline]
[] invoke_softirq kernel/softirq.c:439 [inline]
[] __irq_exit_rcu+0x142/0x1f8 kernel/softirq.c:637
[] irq_exit+0x10/0x7a kernel/softirq.c:661
[] generic_handle_arch_irq+0x48/0x54 kernel/irq/handle.c:240
[] ret_from_exception+0x0/0x10
[] raw_spin_rq_unlock_irq kernel/sched/sched.h:1330 [inline]
[] finish_lock_switch kernel/sched/core.c:4746 [inline]
[] finish_task_switch.isra.0+0x152/0x420 kernel/sched/core.c:4864

The buggy address belongs to the variable:
 __key.0+0x38/0x40

Memory state around the buggy address:
 ffffffff86eaca00: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 00 f9 f9
 ffffffff86eaca80: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 00 f9 f9
>ffffffff86eacb00: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
                            ^
 ffffffff86eacb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffff86eacc00: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
==================================================================
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
Oops [#1]
Modules linked in:
CPU: 0 PID: 4069 Comm: syz-executor.1 Tainted: G B 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
Hardware name: riscv-virtio,qemu (DT)
epc : llc_qualify_conn_ev net/llc/llc_conn.c:401 [inline]
epc : llc_conn_service net/llc/llc_conn.c:365 [inline]
epc : llc_conn_state_process+0x190/0xcfc net/llc/llc_conn.c:71
 ra : llc_qualify_conn_ev net/llc/llc_conn.c:401 [inline]
 ra : llc_conn_service net/llc/llc_conn.c:365 [inline]
 ra : llc_conn_state_process+0x190/0xcfc net/llc/llc_conn.c:71
epc : ffffffff82831ae8 ra : ffffffff82831ae8 sp : ffffaf80222d6de0
 gp : ffffffff85863ac0 tp : ffffaf800f989840 t0 : ffffffff86bcb657
 t1 : fffff5ef0b53910c t2 : 0000000000000000 s0 : ffffaf80222d6e60
 s1 : ffffffff86eac9cc a0 : 0000000000000000 a1 : 0000000000000008
 a2 : 0000000000000000 a3 : ffffffff82831ae8 a4 : ffffffff85892ec8
 a5 : 0000000000000001 a6 : 0000000000f00000 a7 : ffffaf805a9c8863
 s2 : ffffffffffffffff s3 : ffffaf80115873c0 s4 : ffffaf80115873e8
 s5 : 0000000000000000 s6 : ffffaf8022128000 s7 : ffffaf8022128000
 s8 : ffffaf80115873ee s9 : ffffaf80115873ed s10: ffffaf8022128518
 s11: 0000000000000000 t3 : 0000000061736944 t4 : fffff5ef0b53910c
 t5 : fffff5ef0b53910d t6 : ffffaf80222d6818
status: 0000000000000120 badaddr: 0000000000000000 cause: 000000000000000d
[] llc_process_tmr_ev net/llc/llc_c_ac.c:1445 [inline]
[] llc_conn_tmr_common_cb+0x1b2/0x51e net/llc/llc_c_ac.c:1331
[] llc_conn_ack_tmr_cb+0x1e/0x28 net/llc/llc_c_ac.c:1354
[] call_timer_fn+0x164/0x698 kernel/time/timer.c:1421
[] expire_timers kernel/time/timer.c:1466 [inline]
[] __run_timers.part.0+0x484/0x4e6 kernel/time/timer.c:1734
[] __run_timers kernel/time/timer.c:1715 [inline]
[] run_timer_softirq+0x86/0x100 kernel/time/timer.c:1747
[] __do_softirq+0x274/0x8fc kernel/softirq.c:558
[] do_softirq_own_stack include/asm-generic/softirq_stack.h:10 [inline]
[] invoke_softirq kernel/softirq.c:439 [inline]
[] __irq_exit_rcu+0x142/0x1f8 kernel/softirq.c:637
[] irq_exit+0x10/0x7a kernel/softirq.c:661
[] generic_handle_arch_irq+0x48/0x54 kernel/irq/handle.c:240
[] ret_from_exception+0x0/0x10
[] raw_spin_rq_unlock_irq kernel/sched/sched.h:1330 [inline]
[] finish_lock_switch kernel/sched/core.c:4746 [inline]
[] finish_task_switch.isra.0+0x152/0x420 kernel/sched/core.c:4864
---[ end trace 0000000000000000 ]---