------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in ./kernel/bpf/devmap.c:385:28
index 16 is out of range for type 'struct xdp_frame *[16]'
CPU: 1 UID: 0 PID: 9581 Comm: syz.3.1256 Not tainted 6.10.0-syzkaller-12084-g28bbe4ea686a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
 ubsan_epilogue lib/ubsan.c:231 [inline]
 __ubsan_handle_out_of_bounds+0x121/0x150 lib/ubsan.c:429
 bq_xmit_all+0x157/0x11d0 kernel/bpf/devmap.c:385
 __dev_flush+0x81/0x160 kernel/bpf/devmap.c:425
 xdp_do_check_flushed+0x129/0x240 net/core/filter.c:4300
 __napi_poll+0xe4/0x490 net/core/dev.c:6774
 napi_poll net/core/dev.c:6840 [inline]
 net_rx_action+0x89b/0x1240 net/core/dev.c:6962
 handle_softirqs+0x2c4/0x970 kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:649
 common_interrupt+0xaa/0xd0 arch/x86/kernel/irq.c:278
 </IRQ>
 <TASK>
 asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:693
RIP: 0010:preempt_count arch/x86/include/asm/preempt.h:26 [inline]
RIP: 0010:check_kcov_mode kernel/kcov.c:173 [inline]
RIP: 0010:write_comp_data kernel/kcov.c:236 [inline]
RIP: 0010:__sanitizer_cov_trace_switch+0x9d/0x120 kernel/kcov.c:341
Code: 00 00 4d 85 d2 0f 84 8b 00 00 00 4c 8b 4c 24 20 65 4c 8b 1c 25 00 d7 03 00 31 d2 eb 08 48 ff c2 49 39 d2 74 71 4c 8b 74 d6 10 <65> 8b 05 04 4e 70 7e a9 00 01 ff 00 74 11 a9 00 01 00 00 74 de 41
RSP: 0018:ffffc9001d476b80 EFLAGS: 00000202
RAX: 0000000000000002 RBX: 0000000000000000 RCX: 0000000000040000
RDX: 0000000000000006 RSI: ffffffff8e1a32a0 RDI: 0000000000000005
RBP: 0000000000000005 R08: 0000000000000005 R09: ffffffff81410f0e
R10: 0000000000000008 R11: ffff88807c569e00 R12: ffffffff8fedc018
R13: dffffc0000000000 R14: 0000000000000008 R15: 1ffff92003a8ed90
 unwind_next_frame+0x7be/0x2a00 arch/x86/kernel/unwind_orc.c:515
 arch_stack_walk+0x151/0x1b0 arch/x86/kernel/stacktrace.c:25
 stack_trace_save+0x118/0x1d0 kernel/stacktrace.c:122
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 unpoison_slab_object mm/kasan/common.c:312 [inline]
 __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3988 [inline]
 slab_alloc_node mm/slub.c:4037 [inline]
 kmem_cache_alloc_node_noprof+0x16b/0x320 mm/slub.c:4080
 __alloc_skb+0x1c3/0x440 net/core/skbuff.c:664
 alloc_skb include/linux/skbuff.h:1320 [inline]
 alloc_uevent_skb+0x74/0x230 lib/kobject_uevent.c:289
 uevent_net_broadcast_untagged lib/kobject_uevent.c:326 [inline]
 kobject_uevent_net_broadcast+0x2fd/0x580 lib/kobject_uevent.c:410
 kobject_uevent_env+0x57d/0x8e0 lib/kobject_uevent.c:593
 device_add+0x63b/0xbf0 drivers/base/core.c:3660
 device_create_groups_vargs drivers/base/core.c:4371 [inline]
 device_create+0x257/0x2e0 drivers/base/core.c:4410
 vcs_make_sysfs+0x32/0x80 drivers/tty/vt/vc_screen.c:795
 vc_allocate+0x639/0x710 drivers/tty/vt/vt.c:1094
 con_install+0xa0/0x7f0 drivers/tty/vt/vt.c:3518
 tty_driver_install_tty drivers/tty/tty_io.c:1310 [inline]
 tty_init_dev+0xc1/0x4c0 drivers/tty/tty_io.c:1422
 tty_open_by_driver drivers/tty/tty_io.c:2088 [inline]
 tty_open+0x9e5/0xdf0 drivers/tty/tty_io.c:2135
 chrdev_open+0x5b0/0x630 fs/char_dev.c:414
 do_dentry_open+0x970/0x1440 fs/open.c:959
 vfs_open+0x3e/0x330 fs/open.c:1089
 do_open fs/namei.c:3727 [inline]
 path_openat+0x2b3e/0x3470 fs/namei.c:3886
 do_filp_open+0x235/0x490 fs/namei.c:3913
 do_sys_openat2+0x13e/0x1d0 fs/open.c:1416
 do_sys_open fs/open.c:1431 [inline]
 __do_sys_openat fs/open.c:1447 [inline]
 __se_sys_openat fs/open.c:1442 [inline]
 __x64_sys_openat+0x247/0x2a0 fs/open.c:1442
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f8248974950
Code: 48 89 44 24 20 75 93 44 89 54 24 0c e8 79 8d 02 00 44 8b 54 24 0c 89 da 48 89 ee 41 89 c0 bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 77 38 44 89 c7 89 44 24 0c e8 cc 8d 02 00 8b 44
RSP: 002b:00007f82497f6b80 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f8248974950
RDX: 0000000000000002 RSI: 00007f82497f6c20 RDI: 00000000ffffff9c
RBP: 00007f82497f6c20 R08: 0000000000000000 R09: 00007f82497f6996
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 000000000000000b R14: 00007f8248b05f60 R15: 00007ffcd695d6f8
 </TASK>
---[ end trace ]---
----------------
Code disassembly (best guess):
   0:	00 00                	add    %al,(%rax)
   2:	4d 85 d2             	test   %r10,%r10
   5:	0f 84 8b 00 00 00    	je     0x96
   b:	4c 8b 4c 24 20       	mov    0x20(%rsp),%r9
  10:	65 4c 8b 1c 25 00 d7 	mov    %gs:0x3d700,%r11
  17:	03 00
  19:	31 d2                	xor    %edx,%edx
  1b:	eb 08                	jmp    0x25
  1d:	48 ff c2             	inc    %rdx
  20:	49 39 d2             	cmp    %rdx,%r10
  23:	74 71                	je     0x96
  25:	4c 8b 74 d6 10       	mov    0x10(%rsi,%rdx,8),%r14
* 2a:	65 8b 05 04 4e 70 7e 	mov    %gs:0x7e704e04(%rip),%eax        # 0x7e704e35 <-- trapping instruction
  31:	a9 00 01 ff 00       	test   $0xff0100,%eax
  36:	74 11                	je     0x49
  38:	a9 00 01 00 00       	test   $0x100,%eax
  3d:	74 de                	je     0x1d
  3f:	41                   	rex.B