skbuff: skb_over_panic: text:ffffffff8436243e len:76 put:20 head:ffff88814f6d7400 data:ffff88814f6d7440 tail:0x8c end:0x80 dev:ip6gretap0 ------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:110! invalid opcode: 0000 [#1] PREEMPT SMP KASAN CPU: 0 PID: 10093 Comm: syz-executor.3 Not tainted 5.10.106-syzkaller-00514-g5287773dba0d #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:skb_panic+0x14f/0x160 net/core/skbuff.c:106 Code: 87 85 48 8b 75 c0 48 8b 55 b8 8b 4d d4 44 8b 45 d0 4c 8b 4d c8 b8 00 00 00 00 53 41 56 41 55 41 54 e8 fc bf 8e fd 48 83 c4 20 <0f> 0b 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 55 48 89 e5 41 RSP: 0018:ffffc90000007af8 EFLAGS: 00010282 RAX: 0000000000000089 RBX: ffff888147e4c000 RCX: 9d75bfbc4e5e0200 RDX: 0000000000000502 RSI: 0000000000000502 RDI: 0000000000000000 RBP: ffffc90000007b40 R08: ffffffff81544d28 R09: ffffed103ee0a5d8 R10: ffffed103ee0a5d8 R11: 0000000000000000 R12: ffff88814f6d7440 R13: 000000000000008c R14: 0000000000000080 R15: dffffc0000000000 FS: 00007efdbd8dc700(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b2df24000 CR3: 0000000148551000 CR4: 00000000003526b0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: skb_over_panic+0x2c/0x30 net/core/skbuff.c:115 skb_put+0x205/0x210 net/core/skbuff.c:1877 add_grhead net/ipv6/mcast.c:1711 [inline] add_grec+0xf5e/0x1370 net/ipv6/mcast.c:1838 mld_send_cr net/ipv6/mcast.c:1964 [inline] mld_ifc_timer_expire+0x781/0xc50 net/ipv6/mcast.c:2471 call_timer_fn+0x35/0x280 kernel/time/timer.c:1420 expire_timers+0x21f/0x3b0 kernel/time/timer.c:1465 __run_timers+0x548/0x680 kernel/time/timer.c:1756 run_timer_softirq+0x69/0xf0 kernel/time/timer.c:1769 __do_softirq+0x27e/0x598 kernel/softirq.c:305 asm_call_irq_on_stack+0xf/0x20 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline] run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline] do_softirq_own_stack+0x60/0x80 arch/x86/kernel/irq_64.c:77 invoke_softirq kernel/softirq.c:402 [inline] __irq_exit_rcu+0x128/0x150 kernel/softirq.c:432 irq_exit_rcu+0x9/0x10 kernel/softirq.c:444 sysvec_apic_timer_interrupt+0xbf/0xe0 arch/x86/kernel/apic/apic.c:1095 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635 RIP: 0010:__vmcs_writel arch/x86/kvm/vmx/vmx_ops.h:176 [inline] RIP: 0010:vmcs_writel arch/x86/kvm/vmx/vmx_ops.h:215 [inline] RIP: 0010:seg_setup+0x88/0x230 arch/x86/kvm/vmx/vmx.c:3605 Code: 84 35 e5 84 48 89 d8 48 c1 e8 03 42 8a 04 38 84 c0 0f 85 d3 00 00 00 0f 1f 44 00 00 8b 1b e8 7f a0 4b 00 0f 79 1d 00 ca a6 04 <2e> 0f 86 34 01 00 00 49 8d 9c 24 88 35 e5 84 48 89 d8 48 c1 e8 03 RSP: 0018:ffffc9000654f868 EFLAGS: 00000202 RAX: ffffffff81214e01 RBX: 000000000000680a RCX: 0000000000040000 RDX: ffffc90004103000 RSI: 000000000000162c RDI: 000000000000162d RBP: ffffc9000654f890 R08: ffffffff81214e51 R09: fffff52000cc73ae R10: fffff52000cc73ae R11: 0000000000000000 R12: 0000000000000020 R13: ffff88810f3b0000 R14: 0000000000000002 R15: dffffc0000000000 vmx_vcpu_reset+0x27d/0xe80 arch/x86/kvm/vmx/vmx.c:4427 kvm_vcpu_reset+0x77a/0x910 arch/x86/kvm/x86.c:10202 kvm_arch_vcpu_create+0x82b/0x9a0 arch/x86/kvm/x86.c:10058 kvm_vm_ioctl_create_vcpu arch/x86/kvm/../../../virt/kvm/kvm_main.c:3173 [inline] kvm_vm_ioctl+0xf6d/0x1fa0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3734 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl+0x115/0x190 fs/ioctl.c:739 __x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:739 do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x7efdbe766049 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007efdbd8dc168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007efdbe878f60 RCX: 00007efdbe766049 RDX: 0000000000000000 RSI: 000000000000ae41 RDI: 0000000000000004 RBP: 00007efdbe7c008d R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fffdc5f714f R14: 00007efdbd8dc300 R15: 0000000000022000 Modules linked in: ---[ end trace 4b8c3f35b62b2e3c ]--- RIP: 0010:skb_panic+0x14f/0x160 net/core/skbuff.c:106 Code: 87 85 48 8b 75 c0 48 8b 55 b8 8b 4d d4 44 8b 45 d0 4c 8b 4d c8 b8 00 00 00 00 53 41 56 41 55 41 54 e8 fc bf 8e fd 48 83 c4 20 <0f> 0b 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 55 48 89 e5 41 RSP: 0018:ffffc90000007af8 EFLAGS: 00010282 RAX: 0000000000000089 RBX: ffff888147e4c000 RCX: 9d75bfbc4e5e0200 RDX: 0000000000000502 RSI: 0000000000000502 RDI: 0000000000000000 RBP: ffffc90000007b40 R08: ffffffff81544d28 R09: ffffed103ee0a5d8 R10: ffffed103ee0a5d8 R11: 0000000000000000 R12: ffff88814f6d7440 R13: 000000000000008c R14: 0000000000000080 R15: dffffc0000000000 FS: 00007efdbd8dc700(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b2df24000 CR3: 0000000148551000 CR4: 00000000003526b0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 ---------------- Code disassembly (best guess): 0: 84 35 e5 84 48 89 test %dh,-0x76b77b1b(%rip) # 0x894884eb 6: d8 48 c1 fmuls -0x3f(%rax) 9: e8 03 42 8a 04 callq 0x48a4211 e: 38 84 c0 0f 85 d3 00 cmp %al,0xd3850f(%rax,%rax,8) 15: 00 00 add %al,(%rax) 17: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1) 1c: 8b 1b mov (%rbx),%ebx 1e: e8 7f a0 4b 00 callq 0x4ba0a2 23: 0f 79 1d 00 ca a6 04 vmwrite 0x4a6ca00(%rip),%rbx # 0x4a6ca2a * 2a: 2e 0f 86 34 01 00 00 jbe,pn 0x165 <-- trapping instruction 31: 49 8d 9c 24 88 35 e5 lea -0x7b1aca78(%r12),%rbx 38: 84 39: 48 89 d8 mov %rbx,%rax 3c: 48 c1 e8 03 shr $0x3,%rax