syzkaller login: [ 298.696271][ T1860] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 306.485104][ T1860] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 306.536408][ T1860] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 348.721966][ T1860] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
Warning: Permanently added '[localhost]:2450' (ECDSA) to the list of known hosts.
1970/01/01 00:06:18 fuzzer started
1970/01/01 00:06:32 dialing manager at localhost:35921
[ 399.115835][ T2045] cgroup: Unknown subsys name 'net'
[ 400.203202][ T2045] cgroup: Unknown subsys name 'rlimit'
1970/01/01 00:06:39 syscalls: 2818
1970/01/01 00:06:39 code coverage: enabled
1970/01/01 00:06:39 comparison tracing: enabled
1970/01/01 00:06:39 extra coverage: enabled
1970/01/01 00:06:39 delay kcov mmap: mmap returned an invalid pointer
1970/01/01 00:06:39 setuid sandbox: enabled
1970/01/01 00:06:39 namespace sandbox: enabled
1970/01/01 00:06:39 Android sandbox: /sys/fs/selinux/policy does not exist
1970/01/01 00:06:39 fault injection: enabled
1970/01/01 00:06:39 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
1970/01/01 00:06:39 net packet injection: enabled
1970/01/01 00:06:39 net device setup: enabled
1970/01/01 00:06:39 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
1970/01/01 00:06:39 devlink PCI setup: PCI device 0000:00:10.0 is not available
1970/01/01 00:06:39 USB emulation: enabled
1970/01/01 00:06:39 hci packet injection: /dev/vhci does not exist
1970/01/01 00:06:39 wifi device emulation: /sys/class/mac80211_hwsim/ does not exist
1970/01/01 00:06:39 802.15.4 emulation: /sys/bus/platform/devices/mac802154_hwsim does not exist
1970/01/01 00:17:27 starting 2 fuzzer processes
00:17:27 executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r0, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000100)=@newlink={0x3c, 0x10, 0x401, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x1c, 0x12, 0x0, 0x1, @geneve={{0xb}, {0xc, 0x2, 0x0, 0x1, [@IFLA_GENEVE_TTL={0x5}]}}}]}, 0x3c}}, 0x0)
00:17:27 executing program 1:
r0 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$inet_IP_XFRM_POLICY(r0, 0x0, 0x11, &(0x7f0000000080)={{{@in6=@remote, @in6=@rand_addr=' \x01\x00', 0x0, 0x0, 0x0, 0x0, 0x2}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@loopback, 0x0, 0x2b}, 0x0, @in=@empty, 0x0, 0x0, 0x0, 0x8}}, 0xe8)
socket$key(0xf, 0x3, 0x2)
socket$key(0xf, 0x3, 0x2)
sendmmsg$inet(r0, &(0x7f00000003c0)=[{{&(0x7f0000000800)={0x2, 0x4c20, @dev}, 0x10, 0x0}}], 0x1, 0x0)
[ 1075.775308][ T2065] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 1076.032146][ T2067] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 1076.147944][ T2065] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 1076.272815][ T2067] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 1088.425573][ T2067] device hsr_slave_0 entered promiscuous mode
[ 1088.481589][ T2067] device hsr_slave_1 entered promiscuous mode
[ 1090.072059][ T2065] device hsr_slave_0 entered promiscuous mode
[ 1090.122866][ T2065] device hsr_slave_1 entered promiscuous mode
[ 1090.169392][ T2065] debugfs: Directory 'hsr0' with parent 'hsr' already present!
[ 1090.173634][ T2065] Cannot create hsr debugfs directory
[ 1093.977611][ C0] ==================================================================
[ 1093.981073][ C0] BUG: KASAN: use-after-free in walk_stackframe+0x11c/0x260
[ 1093.982590][ C0] Read of size 8 at addr ffffaf800c3cbd50 by task syz-executor.1/2067
[ 1093.984182][ C0]
[ 1093.985858][ C0] CPU: 0 PID: 2067 Comm: syz-executor.1 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 1093.987499][ C0] Hardware name: riscv-virtio,qemu (DT)
[ 1093.989139][ C0] Call Trace:
[ 1093.990409][ C0] [] dump_backtrace+0x2e/0x3c
[ 1093.992106][ C0] [] show_stack+0x34/0x40
[ 1093.993333][ C0] [] dump_stack_lvl+0xe4/0x150
[ 1093.994583][ C0] [] print_address_description.constprop.0+0x2a/0x330
[ 1093.996010][ C0] [] kasan_report+0x184/0x1e0
[ 1093.997273][ C0] [] __asan_load8+0x6e/0x96
[ 1093.998978][ C0] [] walk_stackframe+0x11c/0x260
[ 1094.000833][ C0] [] arch_stack_walk+0x2c/0x3c
[ 1094.002126][ C0] [] stack_trace_save+0xa6/0xd8
[ 1094.003393][ C0] [] save_stack+0x112/0x16c
[ 1094.004533][ C0] [] __set_page_owner+0x48/0x136
[ 1094.006162][ C0]
[ 1094.006945][ C0] Allocated by task 1102416563:
[ 1094.007891][ C0] (stack is not available)
[ 1094.009041][ C0]
[ 1094.009962][ C0] Last potentially related work creation:
[ 1094.010940][ C0] ------------[ cut here ]------------
[ 1094.011839][ C0] slab index 1177136 out of bounds (302) for stack id 8451f630
[ 1094.016324][ C0] WARNING: CPU: 0 PID: 2067 at lib/stackdepot.c:304 stack_depot_print+0x66/0x70
[ 1094.018121][ C0] Modules linked in:
[ 1094.019504][ C0] CPU: 0 PID: 2067 Comm: syz-executor.1 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 1094.020954][ C0] Hardware name: riscv-virtio,qemu (DT)
[ 1094.021964][ C0] epc : stack_depot_print+0x66/0x70
[ 1094.023180][ C0] ra : stack_depot_print+0x66/0x70
[ 1094.024408][ C0] epc : ffffffff80c00b8a ra : ffffffff80c00b8a sp : ffffaf800c3cbc10
[ 1094.025568][ C0] gp : ffffffff85863ac0 tp : ffffaf800edcc8c0 t0 : ffffffff86bcb657
[ 1094.026711][ C0] t1 : fffff5ef0b53910c t2 : 0000000000000000 s0 : ffffaf800c3cbc20
[ 1094.027872][ C0] s1 : ffffaf807a9ba040 a0 : 000000000000003c a1 : 00000000000f0000
[ 1094.029542][ C0] a2 : 0000000000000504 a3 : ffffffff8012252a a4 : 105af40625e7d600
[ 1094.031391][ C0] a5 : 105af40625e7d600 a6 : 0000000000f00000 a7 : ffffaf805a9c8863
[ 1094.032578][ C0] s2 : ffffaf800c3cbd50 s3 : ffffaf8007201c80 s4 : ffffaf800c3cbc00
[ 1094.033685][ C0] s5 : ffffaf800c3cbe00 s6 : 0000000000003fff s7 : ffffaf800c3cbcf0
[ 1094.034817][ C0] s8 : ffffaf805a9de970 s9 : ffffffffffffc000 s10: ffffaf800c3cbdc0
[ 1094.035961][ C0] s11: 0000000000000008 t3 : fffffffff3f3f300 t4 : fffff5ef0b53910c
[ 1094.037173][ C0] t5 : fffff5ef0b53910d t6 : ffffaf800c3cb718
[ 1094.038533][ C0] status: 0000000000000100 badaddr: 0000000000000000 cause: 0000000000000003
[ 1094.040599][ C0] [] print_address_description.constprop.0+0x2fc/0x330
[ 1094.042191][ C0] [] kasan_report+0x184/0x1e0
[ 1094.043497][ C0] [] __asan_load8+0x6e/0x96
[ 1094.044586][ C0] [] walk_stackframe+0x11c/0x260
[ 1094.045845][ C0] [] arch_stack_walk+0x2c/0x3c
[ 1094.047069][ C0] [] stack_trace_save+0xa6/0xd8
[ 1094.048779][ C0] [] save_stack+0x112/0x16c
[ 1094.050460][ C0] [] __set_page_owner+0x48/0x136
[ 1094.051875][ C0] irq event stamp: 76273
[ 1094.052729][ C0] hardirqs last enabled at (76272): [] get_page_from_freelist+0xfc8/0x12d8
[ 1094.054252][ C0] hardirqs last disabled at (76273): [] _raw_spin_lock_irqsave+0x60/0x62
[ 1094.055789][ C0] softirqs last enabled at (76098): [] __do_softirq+0x618/0x8fc
[ 1094.057266][ C0] softirqs last disabled at (76105): [] __irq_exit_rcu+0x142/0x1f8
[ 1094.059432][ C0] ---[ end trace 0000000000000000 ]---
[ 1094.061359][ C0]
[ 1094.062067][ C0] Second to last potentially related work creation:
[ 1094.062954][ C0] ------------[ cut here ]------------
[ 1094.063793][ C0] slab index 2097151 out of bounds (302) for stack id ffffffff
[ 1094.067611][ C0] WARNING: CPU: 0 PID: 2067 at lib/stackdepot.c:304 stack_depot_print+0x66/0x70
[ 1094.069886][ C0] Modules linked in:
[ 1094.071095][ C0] CPU: 0 PID: 2067 Comm: syz-executor.1 Tainted: G W 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 1094.072640][ C0] Hardware name: riscv-virtio,qemu (DT)
[ 1094.073493][ C0] epc : stack_depot_print+0x66/0x70
[ 1094.074681][ C0] ra : stack_depot_print+0x66/0x70
[ 1094.075920][ C0] epc : ffffffff80c00b8a ra : ffffffff80c00b8a sp : ffffaf800c3cbc10
[ 1094.077027][ C0] gp : ffffffff85863ac0 tp : ffffaf800edcc8c0 t0 : ffffffff86bcb657
[ 1094.078380][ C0] t1 : fffff5ef0b53910c t2 : 0000000000000000 s0 : ffffaf800c3cbc20
[ 1094.080019][ C0] s1 : ffffaf807a9ba040 a0 : 000000000000003c a1 : 00000000000f0000
[ 1094.081121][ C0] a2 : 0000000000000504 a3 : ffffffff8012252a a4 : 105af40625e7d600
[ 1094.082237][ C0] a5 : 105af40625e7d600 a6 : 0000000000f00000 a7 : ffffaf805a9c8863
[ 1094.083370][ C0] s2 : ffffaf800c3cbd50 s3 : ffffaf8007201c80 s4 : ffffaf800c3cbc00
[ 1094.084465][ C0] s5 : ffffaf800c3cbe00 s6 : 0000000000003fff s7 : ffffaf800c3cbcf0
[ 1094.085538][ C0] s8 : ffffaf805a9de970 s9 : ffffffffffffc000 s10: ffffaf800c3cbdc0
[ 1094.086612][ C0] s11: 0000000000000008 t3 : fffffffff3f3f300 t4 : fffff5ef0b53910c
[ 1094.087711][ C0] t5 : fffff5ef0b53910d t6 : ffffaf800c3cb718
[ 1094.089169][ C0] status: 0000000000000100 badaddr: 0000000000000000 cause: 0000000000000003
[ 1094.091003][ C0] [] print_address_description.constprop.0+0x2ae/0x330
[ 1094.092572][ C0] [] kasan_report+0x184/0x1e0
[ 1094.093840][ C0] [] __asan_load8+0x6e/0x96
[ 1094.094987][ C0] [] walk_stackframe+0x11c/0x260
[ 1094.096261][ C0] [] arch_stack_walk+0x2c/0x3c
[ 1094.097476][ C0] [] stack_trace_save+0xa6/0xd8
[ 1094.099195][ C0] [] save_stack+0x112/0x16c
[ 1094.100805][ C0] [] __set_page_owner+0x48/0x136
[ 1094.102030][ C0] irq event stamp: 76273
[ 1094.102840][ C0] hardirqs last enabled at (76272): [] get_page_from_freelist+0xfc8/0x12d8
[ 1094.104398][ C0] hardirqs last disabled at (76273): [] _raw_spin_lock_irqsave+0x60/0x62
[ 1094.105992][ C0] softirqs last enabled at (76098): [] __do_softirq+0x618/0x8fc
[ 1094.107450][ C0] softirqs last disabled at (76105): [] __irq_exit_rcu+0x142/0x1f8
[ 1094.109544][ C0] ---[ end trace 0000000000000000 ]---
[ 1094.110960][ C0]
[ 1094.111708][ C0] The buggy address belongs to the object at ffffaf800c3cbc00
[ 1094.111708][ C0]  which belongs to the cache kmalloc-512 of size 512
[ 1094.113387][ C0] The buggy address is located 336 bytes inside of
[ 1094.113387][ C0]  512-byte region [ffffaf800c3cbc00, ffffaf800c3cbe00)
[ 1094.114910][ C0] The buggy address belongs to the page:
[ 1094.116227][ C0] page:ffffaf807a9ba040 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8c5c8
[ 1094.117853][ C0] head:ffffaf807a9ba040 order:2 compound_mapcount:0 compound_pincount:0
[ 1094.119859][ C0] flags: 0x8800010200(slab|head|section=17|node=0|zone=0)
[ 1094.122725][ C0] raw: 0000008800010200 0000000000000100 0000000000000122 ffffaf8007201c80
[ 1094.124081][ C0] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 1094.125396][ C0] raw: 00000000000007ff
[ 1094.126283][ C0] page dumped because: kasan: bad access detected
[ 1094.127504][ C0] page_owner tracks the page as allocated
[ 1094.129198][ C0] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 446, ts 43790979300, free_ts 43764360100
[ 1094.133085][ C0]  __set_page_owner+0x48/0x136
[ 1094.134250][ C0]  post_alloc_hook+0xd0/0x10a
[ 1094.135293][ C0]  get_page_from_freelist+0x8da/0x12d8
[ 1094.136441][ C0]  __alloc_pages+0x150/0x3b6
[ 1094.137453][ C0]  alloc_pages+0x132/0x2a6
[ 1094.138678][ C0]  alloc_slab_page.constprop.0+0xc2/0xfa
[ 1094.140172][ C0]  new_slab+0x25a/0x2cc
[ 1094.141312][ C0]  ___slab_alloc+0x56e/0x918
[ 1094.142424][ C0]  __slab_alloc.constprop.0+0x50/0x8c
[ 1094.143559][ C0]  kmem_cache_alloc_trace+0x2a2/0x2e0
[ 1094.144890][ C0]  alloc_bprm+0x48/0x4b6
[ 1094.145900][ C0]  kernel_execve+0x54/0x288
[ 1094.146944][ C0]  call_usermodehelper_exec_async+0x1c0/0x2dc
[ 1094.148561][ C0]  ret_from_exception+0x0/0x10
[ 1094.150059][ C0] page last free stack trace:
[ 1094.150912][ C0]  __reset_page_owner+0x4a/0xea
[ 1094.152076][ C0]  free_pcp_prepare+0x29c/0x45e
[ 1094.153098][ C0]  free_unref_page+0x6a/0x31e
[ 1094.154146][ C0]  __free_pages+0xe2/0x112
[ 1094.155183][ C0]  put_task_stack+0x1d0/0x2b0
[ 1094.156292][ C0]  finish_task_switch.isra.0+0x3ce/0x420
[ 1094.157470][ C0]  __schedule+0x58e/0x118e
[ 1094.158936][ C0]  preempt_schedule_common+0x4e/0xde
[ 1094.160496][ C0]  try_to_wake_up+0x47a/0x748
[ 1094.161728][ C0]  wake_up_process+0x10/0x18
[ 1094.162776][ C0]  devtmpfs_submit_req+0x98/0xce
[ 1094.163885][ C0]  devtmpfs_create_node+0x152/0x1ba
[ 1094.164986][ C0]  device_add+0x11fc/0x129e
[ 1094.166090][ C0]  device_register+0x20/0x2a
[ 1094.167129][ C0]  tty_register_device_attr+0x27a/0x4bc
[ 1094.168586][ C0]  tty_register_driver+0x2ca/0x4b2
[ 1094.170312][ C0]
[ 1094.171118][ C0] Memory state around the buggy address:
[ 1094.172516][ C0]  ffffaf800c3cbc00: 00 00 00 00 00 00 00 00 fb fb fb fb 00 00 00 00
[ 1094.173842][ C0]  ffffaf800c3cbc80: 00 00 00 00 fb fb fb fb fb fb fb fb fb fb fb fb
[ 1094.175121][ C0] >ffffaf800c3cbd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1094.176279][ C0]                                                  ^
[ 1094.177386][ C0]  ffffaf800c3cbd80: fb fb fb fb f1 f1 f1 f1 00 00 00 f3 f3 f3 f3 f3
[ 1094.179041][ C0]  ffffaf800c3cbe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1094.180677][ C0] ==================================================================
[ 1094.182625][ C0] Disabling lock debugging due to kernel taint
[ 1094.210012][ T2067] Kernel panic - not syncing: corrupted stack end detected inside scheduler
[ 1094.211324][ T2067] CPU: 0 PID: 2067 Comm: syz-executor.1 Tainted: G B W 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 1094.212726][ T2067] Hardware name: riscv-virtio,qemu (DT)
[ 1094.213484][ T2067] Call Trace:
[ 1094.214021][ T2067] [] dump_backtrace+0x2e/0x3c
[ 1094.215084][ T2067] [] show_stack+0x34/0x40
[ 1094.216061][ T2067] [] dump_stack_lvl+0xe4/0x150
[ 1094.217177][ T2067] [] dump_stack+0x1c/0x24
[ 1094.218598][ T2067] [] panic+0x24a/0x634
[ 1094.219858][ T2067] [] schedule+0x0/0x14c
[ 1094.220943][ T2067] [] preempt_schedule_irq+0x4a/0x13e
[ 1094.222125][ T2067] [] resume_kernel+0x16/0x18
[ 1094.223498][ T2067] SMP: stopping secondary CPUs
[ 1094.225714][ T2067] Rebooting in 86400 seconds..
VM DIAGNOSIS: 07:48:31 Registers: