------------[ cut here ]------------
sk->sk_forward_alloc
WARNING: net/ipv4/af_inet.c:162 at inet_sock_destruct+0x62d/0x740 net/ipv4/af_inet.c:162, CPU#0: syz.4.2323/15177
Modules linked in:
CPU: 0 UID: 0 PID: 15177 Comm: syz.4.2323 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
RIP: 0010:inet_sock_destruct+0x62d/0x740 net/ipv4/af_inet.c:162
Code: 0f 0b 90 e9 58 fe ff ff e8 30 69 9f f7 90 0f 0b 90 e9 8b fe ff ff e8 22 69 9f f7 90 0f 0b 90 e9 b1 fe ff ff e8 14 69 9f f7 90 <0f> 0b 90 e9 d7 fe ff ff 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 95 fc
RSP: 0018:ffffc90000007d48 EFLAGS: 00010246
RAX: ffffffff8a2637ec RBX: dffffc0000000000 RCX: ffff888034cc3d00
RDX: 0000000000000100 RSI: 0000000000000090 RDI: 0000000000000000
RBP: 0000000000000090 R08: ffff88807ccc93a7 R09: 1ffff1100f999274
R10: dffffc0000000000 R11: ffffed100f999275 R12: ffff88807ccc9100
R13: dffffc0000000000 R14: ffff88807ccc938c R15: ffffffff8fca5540
FS: 000055556af7d500(0000) GS:ffff888125461000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000000040 CR3: 0000000050e9c000 CR4: 00000000003526f0
Call Trace:
__sk_destruct+0x85/0x880 net/core/sock.c:2350
rcu_do_batch kernel/rcu/tree.c:2617 [inline]
rcu_core+0x7cd/0x1070 kernel/rcu/tree.c:2869
handle_softirqs+0x22a/0x870 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
invoke_softirq kernel/softirq.c:496 [inline]
__irq_exit_rcu+0x5f/0x150 kernel/softirq.c:723
irq_exit_rcu+0x9/0x30 kernel/softirq.c:739
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1056
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:unmapped_area_topdown+0x18b/0x5b0 mm/vma.c:3009
Code: ff e8 f9 a5 0f 00 4d 03 2f 4c 89 ef 4c 89 f6 e8 1b 66 a5 ff 4d 39 f5 73 0a e8 b1 63 a5 ff e9 9d 00 00 00 49 89 df 4c 8d 73 10 <4c> 89 f0 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 f7 e8 bf a5 0f 00
RSP: 0018:ffffc90005fcf920 EFLAGS: 00000246
RAX: ffffffff82203d45 RBX: ffffc90005fcfb40 RCX: ffff888034cc3d00
RDX: 0000000000000000 RSI: 0000000000021000 RDI: 0000000000021000
RBP: ffffc90005fcfa78 R08: ffffc90005fcf9f7 R09: 0000000000000000
R10: ffffc90005fcf9a8 R11: fffff52000bf9f3f R12: dffffc0000000000
R13: 0000000000021000 R14: ffffc90005fcfb50 R15: ffffc90005fcfb40
vm_unmapped_area+0x69/0x260 mm/mmap.c:669
arch_get_unmapped_area_topdown+0x923/0xb60 arch/x86/kernel/sys_x86_64.c:227
mm_get_unmapped_area_vmflags mm/mmap.c:806 [inline]
__get_unmapped_area+0x2a7/0x450 mm/mmap.c:851
do_mmap+0x4aa/0x10c0 mm/mmap.c:407
vm_mmap_pgoff+0x2c9/0x4f0 mm/util.c:581
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f724219c502
Code: 4f 01 00 0f 1f 44 00 00 41 f7 c1 ff 0f 00 00 75 27 55 89 cd 53 48 89 fb 48 85 ff 74 3b 41 89 ea 48 89 df b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 6e 5b 5d c3 0f 1f 00 48 c7 c0 e8 ff ff ff 64
RSP: 002b:00007ffda52a8aa8 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f724219c502
RDX: 0000000000000000 RSI: 0000000000021000 RDI: 0000000000000000
RBP: 0000000000020022 R08: 00000000ffffffff R09: 0000000000000000
R10: 0000000000020022 R11: 0000000000000246 R12: 00007ffda52a8c10
R13: ffffffffffffffc0 R14: 0000000000001000 R15: 0000000000000000
----------------
Code disassembly (best guess):
0: ff ljmp (bad)
1: e8 f9 a5 0f 00 call 0xfa5ff
6: 4d 03 2f add (%r15),%r13
9: 4c 89 ef mov %r13,%rdi
c: 4c 89 f6 mov %r14,%rsi
f: e8 1b 66 a5 ff call 0xffa5662f
14: 4d 39 f5 cmp %r14,%r13
17: 73 0a jae 0x23
19: e8 b1 63 a5 ff call 0xffa563cf
1e: e9 9d 00 00 00 jmp 0xc0
23: 49 89 df mov %rbx,%r15
26: 4c 8d 73 10 lea 0x10(%rbx),%r14
* 2a: 4c 89 f0 mov %r14,%rax <-- trapping instruction
2d: 48 c1 e8 03 shr $0x3,%rax
31: 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1)
36: 74 08 je 0x40
38: 4c 89 f7 mov %r14,%rdi
3b: e8 bf a5 0f 00 call 0xfa5ff