skbuff: skb_over_panic: text:ffffffff8302bd69 len:184 put:172 head:ffff8881180b4c00 data:ffff8881180b4c00 tail:0xb8 end:0x80 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:110!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 4850 Comm: sed Not tainted 5.10.153-syzkaller-00570-g673a7341bdab #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
RIP: 0010:skb_panic+0x14c/0x150 net/core/skbuff.c:106
Code: c7 40 39 79 85 48 8b 75 c0 48 8b 55 b8 8b 4d d4 44 8b 45 d0 4c 8b 4d c8 31 c0 53 41 56 41 55 41 54 e8 35 0b d1 00 48 83 c4 20 <0f> 0b 66 90 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 78 4c
RSP: 0018:ffffc90000006eb8 EFLAGS: 00010286
RAX: 0000000000000087 RBX: ffffffff857939c0 RCX: 776f35013eb05e00
RDX: 0000000000000704 RSI: 0000000000000704 RDI: 0000000000000000
RBP: ffffc90000006f00 R08: ffffffff8153d238 R09: fffff52000000cfd
R10: fffff52000000cfd R11: 1ffff92000000cfc R12: ffff8881180b4c00
R13: 00000000000000b8 R14: 0000000000000080 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0eac406038 CR3: 000000011eb40000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 skb_over_panic net/core/skbuff.c:115 [inline]
 skb_put+0x153/0x210 net/core/skbuff.c:1877
 skb_put_zero include/linux/skbuff.h:2309 [inline]
 cdc_ncm_ndp16 drivers/net/usb/cdc_ncm.c:1118 [inline]
 cdc_ncm_fill_tx_frame+0x1229/0x3db0 drivers/net/usb/cdc_ncm.c:1295
 cdc_ncm_tx_fixup+0xa2/0xf0 drivers/net/usb/cdc_ncm.c:1516
 usbnet_start_xmit+0x116/0x19f0 drivers/net/usb/usbnet.c:1336
 __netdev_start_xmit include/linux/netdevice.h:4839 [inline]
 netdev_start_xmit include/linux/netdevice.h:4853 [inline]
 xmit_one+0x16a/0x480 net/core/dev.c:3593
 dev_hard_start_xmit+0xad/0x1c0 net/core/dev.c:3609
 sch_direct_xmit+0x28f/0x9b0 net/sched/sch_generic.c:336
 qdisc_restart net/sched/sch_generic.c:401 [inline]
 __qdisc_run+0x245/0x3e0 net/sched/sch_generic.c:409
 qdisc_run include/net/pkt_sched.h:127 [inline]
 __dev_xmit_skb net/core/dev.c:3785 [inline]
 __dev_queue_xmit+0xe77/0x2a20 net/core/dev.c:4141
 dev_queue_xmit+0x17/0x20 net/core/dev.c:4209
 neigh_resolve_output+0x6d3/0x780 net/core/neighbour.c:1517
 neigh_output include/net/neighbour.h:524 [inline]
 ip6_finish_output2+0x108d/0x1950 net/ipv6/ip6_output.c:145
 __ip6_finish_output+0x653/0x810 net/ipv6/ip6_output.c:210
 ip6_finish_output+0x1c9/0x1e0 net/ipv6/ip6_output.c:220
 NF_HOOK_COND include/linux/netfilter.h:293 [inline]
 ip6_output+0x211/0x4c0 net/ipv6/ip6_output.c:243
 dst_output include/net/dst.h:443 [inline]
 NF_HOOK include/linux/netfilter.h:304 [inline]
 mld_sendpack+0x5d7/0xaf0 net/ipv6/mcast.c:1676
 mld_send_cr net/ipv6/mcast.c:1972 [inline]
 mld_ifc_timer_expire+0x85b/0xc50 net/ipv6/mcast.c:2471
 call_timer_fn+0x35/0x270 kernel/time/timer.c:1420
 expire_timers+0x21b/0x3a0 kernel/time/timer.c:1465
 __run_timers+0x598/0x6f0 kernel/time/timer.c:1759
 run_timer_softirq+0x69/0xf0 kernel/time/timer.c:1772
 __do_softirq+0x27e/0x596 kernel/softirq.c:305
 asm_call_irq_on_stack+0xf/0x20
 </IRQ>
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
 do_softirq_own_stack+0x60/0x80 arch/x86/kernel/irq_64.c:77
 invoke_softirq kernel/softirq.c:402 [inline]
 __irq_exit_rcu+0x128/0x150 kernel/softirq.c:432
 irq_exit_rcu+0x9/0x10 kernel/softirq.c:444
 sysvec_apic_timer_interrupt+0xbf/0xe0 arch/x86/kernel/apic/apic.c:1095
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635
RIP: 0010:check_kcov_mode kernel/kcov.c:165 [inline]
RIP: 0010:write_comp_data kernel/kcov.c:218 [inline]
RIP: 0010:__sanitizer_cov_trace_cmp8+0x31/0xa0 kernel/kcov.c:264
Code: 08 65 48 8b 14 25 80 6d 02 00 65 8b 0d 44 87 95 7e f7 c1 00 01 ff 00 74 11 f7 c1 00 01 00 00 74 76 83 ba ac 0a 00 00 00 74 6d <8b> 8a 88 0a 00 00 83 f9 03 75 62 48 8b 8a 90 0a 00 00 44 8b 8a 8c
RSP: 0018:ffffc900046d7790 EFLAGS: 00000246
RAX: 1ffff110231fcd0a RBX: 0000000000003000 RCX: 0000000080000001
RDX: ffff88811aba13c0 RSI: 000000f0f88b2000 RDI: 0000000000003000
RBP: ffffc900046d7790 R08: ffffffff819de8f5 R09: ffff888118fe6968
R10: ffffed10231fcd2f R11: 1ffff110231fcd2d R12: ffff88811e04f818
R13: dffffc0000000000 R14: 000000f0f88b2000 R15: 1ffff110231fcd0a
 vma_gap_callbacks_compute_max mm/mmap.c:453 [inline]
 vma_gap_callbacks_propagate mm/mmap.c:453 [inline]
 vma_gap_update mm/mmap.c:475 [inline]
 __vma_link_rb+0x4f5/0x5e0 mm/mmap.c:691
 __vma_link mm/mmap.c:721 [inline]
 vma_link+0xca/0x290 mm/mmap.c:735
 insert_vm_struct+0x32e/0x360 mm/mmap.c:3389
 __install_special_mapping+0x1ee/0x330 mm/mmap.c:3627
 _install_special_mapping+0x3c/0x50 mm/mmap.c:3664
 map_vdso+0x19f/0x290 arch/x86/entry/vdso/vma.c:297
 map_vdso_randomized arch/x86/entry/vdso/vma.c:366 [inline]
 arch_setup_additional_pages+0x119/0x130 arch/x86/entry/vdso/vma.c:411
 load_elf_binary+0x1f27/0x27e0 fs/binfmt_elf.c:1261
 search_binary_handler fs/exec.c:1714 [inline]
 exec_binprm+0x2a8/0xbc0 fs/exec.c:1755
 bprm_execve+0x6fc/0x9f0 fs/exec.c:1831
 do_execveat_common+0x905/0xa90 fs/exec.c:1942
 do_execve fs/exec.c:2012 [inline]
 __do_sys_execve fs/exec.c:2088 [inline]
 __se_sys_execve fs/exec.c:2083 [inline]
 __x64_sys_execve+0x92/0xb0 fs/exec.c:2083
 do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x61/0xc6
RIP: 0033:0x7f932672b337
Code: Unable to access opcode bytes at RIP 0x7f932672b30d.
RSP: 002b:00007ffea325f838 EFLAGS: 00000246 ORIG_RAX: 000000000000003b
RAX: ffffffffffffffda RBX: 000055cbb6812c80 RCX: 00007f932672b337
RDX: 000055cbb6812ca8 RSI: 000055cbb6812c80 RDI: 000055cbb6812d38
RBP: 000055cbb6812d38 R08: 000055cbb6812d3d R09: 00007f932691d000
R10: 00007f93265c1800 R11: 0000000000000246 R12: 000055cbb6812ca8
R13: 00007f93268d0ff4 R14: 000055cbb6812ca8 R15: 0000000000000000
Modules linked in:
---[ end trace 8a9e5979a69d8489 ]---
RIP: 0010:skb_panic+0x14c/0x150 net/core/skbuff.c:106
Code: c7 40 39 79 85 48 8b 75 c0 48 8b 55 b8 8b 4d d4 44 8b 45 d0 4c 8b 4d c8 31 c0 53 41 56 41 55 41 54 e8 35 0b d1 00 48 83 c4 20 <0f> 0b 66 90 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 78 4c
RSP: 0018:ffffc90000006eb8 EFLAGS: 00010286
RAX: 0000000000000087 RBX: ffffffff857939c0 RCX: 776f35013eb05e00
RDX: 0000000000000704 RSI: 0000000000000704 RDI: 0000000000000000
RBP: ffffc90000006f00 R08: ffffffff8153d238 R09: fffff52000000cfd
R10: fffff52000000cfd R11: 1ffff92000000cfc R12: ffff8881180b4c00
R13: 00000000000000b8 R14: 0000000000000080 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f932672b30d CR3: 000000011eb40000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	08 65 48             	or     %ah,0x48(%rbp)
   3:	8b 14 25 80 6d 02 00 	mov    0x26d80,%edx
   a:	65 8b 0d 44 87 95 7e 	mov    %gs:0x7e958744(%rip),%ecx        # 0x7e958755
  11:	f7 c1 00 01 ff 00    	test   $0xff0100,%ecx
  17:	74 11                	je     0x2a
  19:	f7 c1 00 01 00 00    	test   $0x100,%ecx
  1f:	74 76                	je     0x97
  21:	83 ba ac 0a 00 00 00 	cmpl   $0x0,0xaac(%rdx)
  28:	74 6d                	je     0x97
* 2a:	8b 8a 88 0a 00 00    	mov    0xa88(%rdx),%ecx <-- trapping instruction
  30:	83 f9 03             	cmp    $0x3,%ecx
  33:	75 62                	jne    0x97
  35:	48 8b 8a 90 0a 00 00 	mov    0xa90(%rdx),%rcx
  3c:	44                   	rex.R
  3d:	8b                   	.byte 0x8b
  3e:	8a                   	.byte 0x8a
  3f:	8c                   	.byte 0x8c