------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in ./kernel/bpf/devmap.c:385:33
index 16 is out of range for type 'xdp_frame *[16]'
CPU: 1 UID: 0 PID: 9573 Comm: syz.3.1374 Not tainted 6.11.0-rc1-syzkaller-00042-g6b5faec9f564 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:93 [inline]
dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:119
ubsan_epilogue lib/ubsan.c:231 [inline]
__ubsan_handle_out_of_bounds+0x110/0x150 lib/ubsan.c:429
bq_xmit_all+0xbec/0xdd0 kernel/bpf/devmap.c:385
__dev_flush+0x85/0x1e0 kernel/bpf/devmap.c:425
xdp_do_check_flushed+0x26b/0x4e0 net/core/filter.c:4307
__napi_poll.constprop.0+0xd1/0x550 net/core/dev.c:6774
napi_poll net/core/dev.c:6840 [inline]
net_rx_action+0xa92/0x1010 net/core/dev.c:6962
handle_softirqs+0x216/0x8f0 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu kernel/softirq.c:637 [inline]
irq_exit_rcu+0xbb/0x120 kernel/softirq.c:649
common_interrupt+0xb0/0xd0 arch/x86/kernel/irq.c:278
asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:693
RIP: 0010:arch_static_branch arch/x86/include/asm/jump_label.h:27 [inline]
RIP: 0010:static_key_false include/linux/jump_label.h:207 [inline]
RIP: 0010:native_write_msr arch/x86/include/asm/msr.h:162 [inline]
RIP: 0010:wrmsrl arch/x86/include/asm/msr.h:277 [inline]
RIP: 0010:native_x2apic_icr_write arch/x86/include/asm/apic.h:230 [inline]
RIP: 0010:__x2apic_send_IPI_dest+0x28/0x40 arch/x86/kernel/apic/x2apic_phys.c:113
Code: 90 90 66 0f 1f 00 89 f0 b9 30 08 00 00 09 d0 80 ce 04 83 fe 02 0f 44 c2 48 89 fa 48 c1 e2 20 89 c0 48 09 d0 48 c1 ea 20 0f 30 <66> 90 c3 cc cc cc cc 31 d2 48 89 c6 bf 30 08 00 00 e9 c2 90 78 03
RSP: 0000:ffffc900040b7a98 EFLAGS: 00000202
RAX: 00000001000008fb RBX: 0000000000000001 RCX: 0000000000000830
RDX: 0000000000000001 RSI: 00000000000000fb RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
R13: ffffc900040b7cb8 R14: 0000000000000000 R15: 0000000000000000
arch_send_call_function_single_ipi arch/x86/include/asm/smp.h:94 [inline]
send_call_function_single_ipi kernel/smp.c:118 [inline]
__smp_call_single_queue+0x174/0x1e0 kernel/smp.c:383
generic_exec_single+0xb4/0x390 kernel/smp.c:416
smp_call_function_single_async+0x68/0xd0 kernel/smp.c:696
rdmsr_safe_on_cpu+0x105/0x210 arch/x86/lib/msr-smp.c:179
msr_read+0x1a4/0x250 arch/x86/kernel/msr.c:66
vfs_read+0x1d4/0xbd0 fs/read_write.c:474
ksys_read+0x12f/0x260 fs/read_write.c:619
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ffaf9577299
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffafa3af048 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 00007ffaf9705f80 RCX: 00007ffaf9577299
RDX: 0000000000018ff8 RSI: 0000000020019680 RDI: 0000000000000006
RBP: 00007ffaf95e48e6 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007ffaf9705f80 R15: 00007ffc8020b008
---[ end trace ]---
----------------
Code disassembly (best guess):
0: 90 nop
1: 90 nop
2: 66 0f 1f 00 nopw (%rax)
6: 89 f0 mov %esi,%eax
8: b9 30 08 00 00 mov $0x830,%ecx
d: 09 d0 or %edx,%eax
f: 80 ce 04 or $0x4,%dh
12: 83 fe 02 cmp $0x2,%esi
15: 0f 44 c2 cmove %edx,%eax
18: 48 89 fa mov %rdi,%rdx
1b: 48 c1 e2 20 shl $0x20,%rdx
1f: 89 c0 mov %eax,%eax
21: 48 09 d0 or %rdx,%rax
24: 48 c1 ea 20 shr $0x20,%rdx
28: 0f 30 wrmsr
* 2a: 66 90 xchg %ax,%ax <-- trapping instruction
2c: c3 ret
2d: cc int3
2e: cc int3
2f: cc int3
30: cc int3
31: 31 d2 xor %edx,%edx
33: 48 89 c6 mov %rax,%rsi
36: bf 30 08 00 00 mov $0x830,%edi
3b: e9 c2 90 78 03 jmp 0x3789102