------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in kernel/bpf/core.c:2380:29
index 16 is out of range for type ' *[16]'
CPU: 1 UID: 0 PID: 6092 Comm: syz.0.954 Not tainted 6.12.0-syzkaller-07749-g28eb75e178d3 #0
Hardware name: linux,dummy-virt (DT)
Call trace:
 show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:484 (C)
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xdc/0xf4 lib/dump_stack.c:120
 dump_stack+0x1c/0x28 lib/dump_stack.c:129
 ubsan_epilogue lib/ubsan.c:231 [inline]
 __ubsan_handle_out_of_bounds+0xb0/0xe8 lib/ubsan.c:429
 bpf_prog_select_func kernel/bpf/core.c:2380 [inline]
 bpf_prog_select_runtime+0x54c/0x578 kernel/bpf/core.c:2411
 bpf_prog_load+0xe34/0x1c60 kernel/bpf/syscall.c:2950
 __sys_bpf+0x1140/0x306c kernel/bpf/syscall.c:5759
 __do_sys_bpf kernel/bpf/syscall.c:5866 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5864 [inline]
 __arm64_sys_bpf+0x70/0xa4 kernel/bpf/syscall.c:5864
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x6c/0x258 arch/arm64/kernel/syscall.c:49
 el0_svc_common.constprop.0+0xac/0x230 arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x40/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x50/0x180 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x10c/0x138 arch/arm64/kernel/entry-common.c:762
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
---[ end trace ]---
==================================================================
BUG: KASAN: global-out-of-bounds in bpf_prog_select_func kernel/bpf/core.c:2380 [inline]
BUG: KASAN: global-out-of-bounds in bpf_prog_select_runtime+0x554/0x578 kernel/bpf/core.c:2411
Read of size 8 at addr ffff80008536eec0 by task syz.0.954/6092

CPU: 1 UID: 0 PID: 6092 Comm: syz.0.954 Not tainted 6.12.0-syzkaller-07749-g28eb75e178d3 #0
Hardware name: linux,dummy-virt (DT)
Call trace:
 show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:484 (C)
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xa4/0xf4 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xf4/0x5a4 mm/kasan/report.c:488
 kasan_report+0xc8/0x108 mm/kasan/report.c:601
 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381
 bpf_prog_select_func kernel/bpf/core.c:2380 [inline]
 bpf_prog_select_runtime+0x554/0x578 kernel/bpf/core.c:2411
 bpf_prog_load+0xe34/0x1c60 kernel/bpf/syscall.c:2950
 __sys_bpf+0x1140/0x306c kernel/bpf/syscall.c:5759
 __do_sys_bpf kernel/bpf/syscall.c:5866 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5864 [inline]
 __arm64_sys_bpf+0x70/0xa4 kernel/bpf/syscall.c:5864
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x6c/0x258 arch/arm64/kernel/syscall.c:49
 el0_svc_common.constprop.0+0xac/0x230 arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x40/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x50/0x180 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x10c/0x138 arch/arm64/kernel/entry-common.c:762
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

The buggy address belongs to the variable:
 interpreters+0x80/0xee0

The buggy address belongs to the virtual mapping at
 [ffff8000852a0000, ffff800086a10000) created by:
 declare_kernel_vmas arch/arm64/mm/mmu.c:771 [inline]
 paging_init+0x384/0x564 arch/arm64/mm/mmu.c:815

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4556e
flags: 0x1ffc00000002000(reserved|node=0|zone=0|lastcpupid=0x7ff)
raw: 01ffc00000002000 fffffdffc0155b88 fffffdffc0155b88 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff80008536ed80: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
 ffff80008536ee00: 00 00 00 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
>ffff80008536ee80: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 03 f9
                                           ^
 ffff80008536ef00: f9 f9 f9 f9 00 00 00 00 00 00 06 f9 f9 f9 f9 f9
 ffff80008536ef80: 00 00 02 f9 f9 f9 f9 f9 00 00 07 f9 f9 f9 f9 f9
==================================================================