==================================================================
BUG: KASAN: user-memory-access in sk_fullsock include/net/sock.h:2734 [inline]
BUG: KASAN: user-memory-access in sk_validate_xmit_skb include/net/sock.h:2776 [inline]
BUG: KASAN: user-memory-access in validate_xmit_skb+0x376/0x838 net/core/dev.c:3547
Read of size 1 at addr 00000000000c6012 by task syz-executor.1/2038

CPU: 0 PID: 2038 Comm: syz-executor.1 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff8000a228>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:113
[<ffffffff831668cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:119
[<ffffffff831756ba>] __dump_stack lib/dump_stack.c:88 [inline]
[<ffffffff831756ba>] dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:106
[<ffffffff80474da6>] __kasan_report mm/kasan/report.c:446 [inline]
[<ffffffff80474da6>] kasan_report+0x1de/0x1e0 mm/kasan/report.c:459
[<ffffffff804757da>] check_region_inline mm/kasan/generic.c:183 [inline]
[<ffffffff804757da>] __asan_load1+0x54/0x6c mm/kasan/generic.c:253
[<ffffffff827360dc>] sk_fullsock include/net/sock.h:2734 [inline]
[<ffffffff827360dc>] sk_validate_xmit_skb include/net/sock.h:2776 [inline]
[<ffffffff827360dc>] validate_xmit_skb+0x376/0x838 net/core/dev.c:3547
[<ffffffff82736636>] validate_xmit_skb_list+0x98/0xca net/core/dev.c:3604
[<ffffffff828492b0>] sch_direct_xmit+0x3bc/0x464 net/sched/sch_generic.c:327
[<ffffffff82738a0e>] __dev_xmit_skb net/core/dev.c:3700 [inline]
[<ffffffff82738a0e>] __dev_queue_xmit+0x137a/0x248c net/core/dev.c:4081
[<ffffffff82739b3c>] dev_queue_xmit+0x1c/0x26 net/core/dev.c:4149
[<ffffffff82af61da>] neigh_hh_output include/net/neighbour.h:525 [inline]
[<ffffffff82af61da>] neigh_output include/net/neighbour.h:539 [inline]
[<ffffffff82af61da>] ip_finish_output2+0x8ac/0x1720 net/ipv4/ip_output.c:221
[<ffffffff82af8978>] __ip_finish_output net/ipv4/ip_output.c:299 [inline]
[<ffffffff82af8978>] __ip_finish_output+0x25a/0x3ee net/ipv4/ip_output.c:281
[<ffffffff82af8b4a>] ip_finish_output+0x3e/0x176 net/ipv4/ip_output.c:309
[<ffffffff82af8e52>] NF_HOOK_COND include/linux/netfilter.h:296 [inline]
[<ffffffff82af8e52>] ip_output+0x1d0/0x2d0 net/ipv4/ip_output.c:423
[<ffffffff82afbbce>] dst_output include/net/dst.h:451 [inline]
[<ffffffff82afbbce>] ip_local_out net/ipv4/ip_output.c:126 [inline]
[<ffffffff82afbbce>] __ip_queue_xmit+0x4a0/0xeb2 net/ipv4/ip_output.c:525
[<ffffffff82afc616>] ip_queue_xmit+0x36/0x44 net/ipv4/ip_output.c:539
[<ffffffff82b4fd54>] __tcp_transmit_skb+0xce4/0x1f5e net/ipv4/tcp_output.c:1402
[<ffffffff82b53b32>] __tcp_send_ack.part.0+0x1ce/0x350 net/ipv4/tcp_output.c:3956
[<ffffffff82b5bdc0>] __tcp_send_ack net/ipv4/tcp_output.c:3962 [inline]
[<ffffffff82b5bdc0>] tcp_send_ack+0x60/0x74 net/ipv4/tcp_output.c:3962
[<ffffffff82b2d58c>] __tcp_ack_snd_check+0xc0/0x5e8 net/ipv4/tcp_input.c:5478
[<ffffffff82b44218>] tcp_rcv_established+0x1442/0x15e6 net/ipv4/tcp_input.c:5912
[<ffffffff82b6c712>] tcp_v4_do_rcv+0x4b4/0x66e net/ipv4/tcp_ipv4.c:1719
[<ffffffff82b710c2>] tcp_v4_rcv+0x1d22/0x1f46 net/ipv4/tcp_ipv4.c:2119
[<ffffffff82aeb282>] ip_protocol_deliver_rcu+0x9c/0x8c0 net/ipv4/ip_input.c:204
[<ffffffff82aebbd2>] ip_local_deliver_finish+0x12c/0x278 net/ipv4/ip_input.c:231
[<ffffffff82aec01a>] NF_HOOK include/linux/netfilter.h:307 [inline]
[<ffffffff82aec01a>] NF_HOOK include/linux/netfilter.h:301 [inline]
[<ffffffff82aec01a>] ip_local_deliver+0x2fc/0x464 net/ipv4/ip_input.c:252
[<ffffffff82ae91b6>] dst_input include/net/dst.h:461 [inline]
[<ffffffff82ae91b6>] ip_sublist_rcv_finish+0x64/0x1b2 net/ipv4/ip_input.c:551
[<ffffffff82aea91a>] ip_list_rcv_finish net/ipv4/ip_input.c:601 [inline]
[<ffffffff82aea91a>] ip_sublist_rcv+0x420/0x738 net/ipv4/ip_input.c:609
[<ffffffff82aec7a8>] ip_list_rcv+0x268/0x2c0 net/ipv4/ip_input.c:644
[<ffffffff8273e7f8>] __netif_receive_skb_list_ptype net/core/dev.c:5394 [inline]
[<ffffffff8273e7f8>] __netif_receive_skb_list_core+0x3e4/0x520 net/core/dev.c:5442
[<ffffffff8273efda>] __netif_receive_skb_list net/core/dev.c:5494 [inline]
[<ffffffff8273efda>] netif_receive_skb_list_internal+0x50c/0x816 net/core/dev.c:5585
[<ffffffff827b3858>] gro_normal_list include/net/gro.h:425 [inline]
[<ffffffff827b3858>] gro_normal_one include/net/gro.h:438 [inline]
[<ffffffff827b3858>] napi_gro_complete.constprop.0+0x400/0x438 net/core/gro.c:282
[<ffffffff827b43f0>] dev_gro_receive+0x7fe/0x1238 net/core/gro.c:507
[<ffffffff827b4fa8>] napi_gro_receive+0x17e/0x9ba net/core/gro.c:612
[<ffffffff817e9480>] receive_buf+0x7cc/0x3e50 drivers/net/virtio_net.c:1177
[<ffffffff817ecea0>] virtnet_receive drivers/net/virtio_net.c:1441 [inline]
[<ffffffff817ecea0>] virtnet_poll+0x39c/0x986 drivers/net/virtio_net.c:1550
[<ffffffff82740c14>] __napi_poll+0x7c/0x358 net/core/dev.c:6365
[<ffffffff827418a0>] napi_poll net/core/dev.c:6432 [inline]
[<ffffffff827418a0>] net_rx_action+0x5d0/0x702 net/core/dev.c:6519
[<ffffffff831b082c>] __do_softirq+0x274/0x8fc kernel/softirq.c:558
[<ffffffff80061288>] do_softirq_own_stack include/asm-generic/softirq_stack.h:10 [inline]
[<ffffffff80061288>] invoke_softirq kernel/softirq.c:439 [inline]
[<ffffffff80061288>] __irq_exit_rcu+0x142/0x1f8 kernel/softirq.c:637
[<ffffffff80061596>] irq_exit+0x10/0x7a kernel/softirq.c:661
[<ffffffff831a1a2c>] generic_handle_arch_irq+0x48/0x54 kernel/irq/handle.c:240
[<ffffffff80005724>] ret_from_exception+0x0/0x10
[<ffffffff8000a038>] walk_stackframe+0x102/0x260 arch/riscv/kernel/stacktrace.c:52
==================================================================
Unable to handle kernel paging request at virtual address 00000000000c6012
Oops [#1]
Modules linked in:
CPU: 0 PID: 2038 Comm: syz-executor.1 Tainted: G    B             5.17.0-rc1-syzkaller-00002-g0966d385830d #0
Hardware name: riscv-virtio,qemu (DT)
epc : sk_fullsock include/net/sock.h:2734 [inline]
epc : sk_validate_xmit_skb include/net/sock.h:2776 [inline]
epc : validate_xmit_skb+0x376/0x838 net/core/dev.c:3547
 ra : sk_fullsock include/net/sock.h:2734 [inline]
 ra : sk_validate_xmit_skb include/net/sock.h:2776 [inline]
 ra : validate_xmit_skb+0x376/0x838 net/core/dev.c:3547
epc : ffffffff827360dc ra : ffffffff827360dc sp : ffffaf800e5bc1e0
 gp : ffffffff85863ac0 tp : ffffaf800e649840 t0 : ffffffff86bcb657
 t1 : fffff5ef0b53910c t2 : 0000000000000000 s0 : ffffaf800e5bc250
 s1 : ffffaf800e5bb8c0 a0 : 0000000000000001 a1 : 0000000000000003
 a2 : 1ffff5f001cc9309 a3 : ffffffff831afd3a a4 : 0000000000000000
 a5 : ffffaf800e64a840 a6 : 0000000000f00000 a7 : ffffaf805a9c8863
 s2 : 00000000000c6000 s3 : 0000000000004220 s4 : ffffaf800e8cc000
 s5 : ffffaf800e5bc2d0 s6 : ffffaf800e5bb942 s7 : ffffffff85889780
 s8 : ffffaf800b9fd000 s9 : 0000000000000001 s10: ffffaf7ffff92a00
 s11: ffffaf800b9fd240 t3 : 0000000061736944 t4 : fffff5ef0b53910c
 t5 : fffff5ef0b53910d t6 : ffffaf800e5bbc18
status: 0000000000000120 badaddr: 00000000000c6012 cause: 000000000000000d
[<ffffffff82736636>] validate_xmit_skb_list+0x98/0xca net/core/dev.c:3604
[<ffffffff828492b0>] sch_direct_xmit+0x3bc/0x464 net/sched/sch_generic.c:327
[<ffffffff82738a0e>] __dev_xmit_skb net/core/dev.c:3700 [inline]
[<ffffffff82738a0e>] __dev_queue_xmit+0x137a/0x248c net/core/dev.c:4081
[<ffffffff82739b3c>] dev_queue_xmit+0x1c/0x26 net/core/dev.c:4149
[<ffffffff82af61da>] neigh_hh_output include/net/neighbour.h:525 [inline]
[<ffffffff82af61da>] neigh_output include/net/neighbour.h:539 [inline]
[<ffffffff82af61da>] ip_finish_output2+0x8ac/0x1720 net/ipv4/ip_output.c:221
[<ffffffff82af8978>] __ip_finish_output net/ipv4/ip_output.c:299 [inline]
[<ffffffff82af8978>] __ip_finish_output+0x25a/0x3ee net/ipv4/ip_output.c:281
[<ffffffff82af8b4a>] ip_finish_output+0x3e/0x176 net/ipv4/ip_output.c:309
[<ffffffff82af8e52>] NF_HOOK_COND include/linux/netfilter.h:296 [inline]
[<ffffffff82af8e52>] ip_output+0x1d0/0x2d0 net/ipv4/ip_output.c:423
[<ffffffff82afbbce>] dst_output include/net/dst.h:451 [inline]
[<ffffffff82afbbce>] ip_local_out net/ipv4/ip_output.c:126 [inline]
[<ffffffff82afbbce>] __ip_queue_xmit+0x4a0/0xeb2 net/ipv4/ip_output.c:525
[<ffffffff82afc616>] ip_queue_xmit+0x36/0x44 net/ipv4/ip_output.c:539
[<ffffffff82b4fd54>] __tcp_transmit_skb+0xce4/0x1f5e net/ipv4/tcp_output.c:1402
[<ffffffff82b53b32>] __tcp_send_ack.part.0+0x1ce/0x350 net/ipv4/tcp_output.c:3956
[<ffffffff82b5bdc0>] __tcp_send_ack net/ipv4/tcp_output.c:3962 [inline]
[<ffffffff82b5bdc0>] tcp_send_ack+0x60/0x74 net/ipv4/tcp_output.c:3962
[<ffffffff82b2d58c>] __tcp_ack_snd_check+0xc0/0x5e8 net/ipv4/tcp_input.c:5478
[<ffffffff82b44218>] tcp_rcv_established+0x1442/0x15e6 net/ipv4/tcp_input.c:5912
[<ffffffff82b6c712>] tcp_v4_do_rcv+0x4b4/0x66e net/ipv4/tcp_ipv4.c:1719
[<ffffffff82b710c2>] tcp_v4_rcv+0x1d22/0x1f46 net/ipv4/tcp_ipv4.c:2119
[<ffffffff82aeb282>] ip_protocol_deliver_rcu+0x9c/0x8c0 net/ipv4/ip_input.c:204
[<ffffffff82aebbd2>] ip_local_deliver_finish+0x12c/0x278 net/ipv4/ip_input.c:231
[<ffffffff82aec01a>] NF_HOOK include/linux/netfilter.h:307 [inline]
[<ffffffff82aec01a>] NF_HOOK include/linux/netfilter.h:301 [inline]
[<ffffffff82aec01a>] ip_local_deliver+0x2fc/0x464 net/ipv4/ip_input.c:252
[<ffffffff82ae91b6>] dst_input include/net/dst.h:461 [inline]
[<ffffffff82ae91b6>] ip_sublist_rcv_finish+0x64/0x1b2 net/ipv4/ip_input.c:551
[<ffffffff82aea91a>] ip_list_rcv_finish net/ipv4/ip_input.c:601 [inline]
[<ffffffff82aea91a>] ip_sublist_rcv+0x420/0x738 net/ipv4/ip_input.c:609
[<ffffffff82aec7a8>] ip_list_rcv+0x268/0x2c0 net/ipv4/ip_input.c:644
[<ffffffff8273e7f8>] __netif_receive_skb_list_ptype net/core/dev.c:5394 [inline]
[<ffffffff8273e7f8>] __netif_receive_skb_list_core+0x3e4/0x520 net/core/dev.c:5442
[<ffffffff8273efda>] __netif_receive_skb_list net/core/dev.c:5494 [inline]
[<ffffffff8273efda>] netif_receive_skb_list_internal+0x50c/0x816 net/core/dev.c:5585
[<ffffffff827b3858>] gro_normal_list include/net/gro.h:425 [inline]
[<ffffffff827b3858>] gro_normal_one include/net/gro.h:438 [inline]
[<ffffffff827b3858>] napi_gro_complete.constprop.0+0x400/0x438 net/core/gro.c:282
[<ffffffff827b43f0>] dev_gro_receive+0x7fe/0x1238 net/core/gro.c:507
[<ffffffff827b4fa8>] napi_gro_receive+0x17e/0x9ba net/core/gro.c:612
[<ffffffff817e9480>] receive_buf+0x7cc/0x3e50 drivers/net/virtio_net.c:1177
[<ffffffff817ecea0>] virtnet_receive drivers/net/virtio_net.c:1441 [inline]
[<ffffffff817ecea0>] virtnet_poll+0x39c/0x986 drivers/net/virtio_net.c:1550
[<ffffffff82740c14>] __napi_poll+0x7c/0x358 net/core/dev.c:6365
[<ffffffff827418a0>] napi_poll net/core/dev.c:6432 [inline]
[<ffffffff827418a0>] net_rx_action+0x5d0/0x702 net/core/dev.c:6519
[<ffffffff831b082c>] __do_softirq+0x274/0x8fc kernel/softirq.c:558
[<ffffffff80061288>] do_softirq_own_stack include/asm-generic/softirq_stack.h:10 [inline]
[<ffffffff80061288>] invoke_softirq kernel/softirq.c:439 [inline]
[<ffffffff80061288>] __irq_exit_rcu+0x142/0x1f8 kernel/softirq.c:637
[<ffffffff80061596>] irq_exit+0x10/0x7a kernel/softirq.c:661
[<ffffffff831a1a2c>] generic_handle_arch_irq+0x48/0x54 kernel/irq/handle.c:240
[<ffffffff80005724>] ret_from_exception+0x0/0x10
[<ffffffff8000a038>] walk_stackframe+0x102/0x260 arch/riscv/kernel/stacktrace.c:52
---[ end trace 0000000000000000 ]---