syzkaller login: [ 280.352061][ T1858] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 280.413461][ T1858] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 309.033368][ T1858] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
Warning: Permanently added '[localhost]:63706' (ECDSA) to the list of known hosts.
1970/01/01 00:06:19 fuzzer started
1970/01/01 00:06:33 dialing manager at localhost:40215
[ 399.646819][ T2037] cgroup: Unknown subsys name 'net'
[ 400.745327][ T2037] cgroup: Unknown subsys name 'rlimit'
1970/01/01 00:06:40 syscalls: 2918
1970/01/01 00:06:40 code coverage: enabled
1970/01/01 00:06:40 comparison tracing: enabled
1970/01/01 00:06:40 extra coverage: enabled
1970/01/01 00:06:40 delay kcov mmap: mmap returned an invalid pointer
1970/01/01 00:06:40 setuid sandbox: enabled
1970/01/01 00:06:40 namespace sandbox: enabled
1970/01/01 00:06:40 Android sandbox: /sys/fs/selinux/policy does not exist
1970/01/01 00:06:40 fault injection: enabled
1970/01/01 00:06:40 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
1970/01/01 00:06:40 net packet injection: enabled
1970/01/01 00:06:40 net device setup: enabled
1970/01/01 00:06:40 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
1970/01/01 00:06:40 devlink PCI setup: PCI device 0000:00:10.0 is not available
1970/01/01 00:06:40 NIC VF setup: PCI device 0000:00:11.0 is not available
1970/01/01 00:06:40 USB emulation: enabled
1970/01/01 00:06:40 hci packet injection: /dev/vhci does not exist
1970/01/01 00:06:40 wifi device emulation: /sys/class/mac80211_hwsim/ does not exist
1970/01/01 00:06:40 802.15.4 emulation: /sys/bus/platform/devices/mac802154_hwsim does not exist
1970/01/01 00:06:40 fetching corpus: 0, signal 0/2000 (executing program)
1970/01/01 00:06:46 fetching corpus: 50, signal 34053/36825 (executing program)
1970/01/01 00:06:49 fetching corpus: 99, signal 46740/50260 (executing program)
1970/01/01 00:06:54 fetching corpus: 149, signal 56245/60321 (executing program)
1970/01/01 00:06:56 fetching corpus: 198, signal 62156/66732 (executing program)
1970/01/01 00:06:59 fetching corpus: 248, signal 66623/71642 (executing program)
1970/01/01 00:07:02 fetching corpus: 297, signal 74063/79015 (executing program)
1970/01/01 00:07:04 fetching corpus: 347, signal 77721/82803 (executing program)
1970/01/01 00:07:08 fetching corpus: 397, signal 84826/89533 (executing program)
1970/01/01 00:07:12 fetching corpus: 445, signal 88278/92909 (executing program)
1970/01/01 00:07:15 fetching corpus: 495, signal 94074/98022 (executing program)
1970/01/01 00:07:18 fetching corpus: 542, signal 98561/101949 (executing program)
1970/01/01 00:07:21 fetching corpus: 592, signal 101695/104658 (executing program)
1970/01/01 00:07:25 fetching corpus: 642, signal 104297/106855 (executing program)
1970/01/01 00:07:30 fetching corpus: 690, signal 106701/108821 (executing program)
1970/01/01 00:07:35 fetching corpus: 739, signal 109937/111359 (executing program)
1970/01/01 00:07:38 fetching corpus: 786, signal 112432/113221 (executing program)
1970/01/01 00:07:40 fetching corpus: 804, signal 113964/114333 (executing program)
1970/01/01 00:07:40 fetching corpus: 805, signal 113996/114383 (executing program)
1970/01/01 00:07:40 fetching corpus: 805, signal 113996/114404 (executing program)
1970/01/01 00:07:40 fetching corpus: 805, signal 113996/114422 (executing program)
1970/01/01 00:07:41 fetching corpus: 805, signal 113996/114445 (executing program)
1970/01/01 00:07:41 fetching corpus: 805, signal 113996/114475 (executing program)
1970/01/01 00:07:41 fetching corpus: 805, signal 113996/114496 (executing program)
1970/01/01 00:07:41 fetching corpus: 805, signal 113996/114523 (executing program)
1970/01/01 00:07:41 fetching corpus: 805, signal 113996/114551 (executing program)
1970/01/01 00:07:41 fetching corpus: 805, signal 113996/114574 (executing program)
1970/01/01 00:07:41 fetching corpus: 805, signal 113996/114594 (executing program)
1970/01/01 00:07:41 fetching corpus: 805, signal 113996/114617 (executing program)
1970/01/01 00:07:42 fetching corpus: 805, signal 113996/114637 (executing program)
1970/01/01 00:07:42 fetching corpus: 805, signal 113996/114661 (executing program)
1970/01/01 00:07:42 fetching corpus: 805, signal 113996/114685 (executing program)
1970/01/01 00:07:42 fetching corpus: 805, signal 113996/114709 (executing program)
1970/01/01 00:07:42 fetching corpus: 805, signal 113998/114741 (executing program)
1970/01/01 00:07:42 fetching corpus: 805, signal 113998/114766 (executing program)
1970/01/01 00:07:43 fetching corpus: 805, signal 113998/114790 (executing program)
1970/01/01 00:07:43 fetching corpus: 805, signal 113998/114812 (executing program)
1970/01/01 00:07:43 fetching corpus: 805, signal 113998/114831 (executing program)
1970/01/01 00:07:43 fetching corpus: 805, signal 113998/114853 (executing program)
1970/01/01 00:07:43 fetching corpus: 805, signal 113998/114874 (executing program)
1970/01/01 00:07:43 fetching corpus: 805, signal 113998/114889 (executing program)
1970/01/01 00:07:43 fetching corpus: 805, signal 113998/114908 (executing program)
1970/01/01 00:07:43 fetching corpus: 805, signal 113998/114931 (executing program)
1970/01/01 00:07:44 fetching corpus: 805, signal 113998/114954 (executing program)
1970/01/01 00:07:44 fetching corpus: 805, signal 113998/114971 (executing program)
1970/01/01 00:07:44 fetching corpus: 805, signal 113998/114988 (executing program)
1970/01/01 00:07:44 fetching corpus: 806, signal 114006/115011 (executing program)
1970/01/01 00:07:44 fetching corpus: 806, signal 114006/115029 (executing program)
1970/01/01 00:07:45 fetching corpus: 806, signal 114006/115045 (executing program)
1970/01/01 00:07:45 fetching corpus: 806, signal 114006/115078 (executing program)
1970/01/01 00:07:45 fetching corpus: 807, signal 114009/115101 (executing program)
1970/01/01 00:07:45 fetching corpus: 807, signal 114009/115121 (executing program)
1970/01/01 00:07:45 fetching corpus: 807, signal 114009/115142 (executing program)
1970/01/01 00:07:45 fetching corpus: 807, signal 114009/115158 (executing program)
1970/01/01 00:07:45 fetching corpus: 807, signal 114009/115181 (executing program)
1970/01/01 00:07:46 fetching corpus: 807, signal 114009/115202 (executing program)
1970/01/01 00:07:46 fetching corpus: 807, signal 114009/115215 (executing program)
1970/01/01 00:07:46 fetching corpus: 807, signal 114013/115229 (executing program)
1970/01/01 00:07:46 fetching corpus: 807, signal 114033/115229 (executing program)
1970/01/01 00:07:46 fetching corpus: 807, signal 114033/115229 (executing program)
1970/01/01 00:09:44 starting 2 fuzzer processes
00:09:44 executing program 0:
mkdirat(0xffffffffffffff9c, &(0x7f0000002040)='./file0\x00', 0x0)
r0 = openat$fuse(0xffffffffffffff9c, &(0x7f0000002080), 0x2, 0x0)
mount$fuse(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000002100), 0x0, &(0x7f0000000180)={{'fd', 0x3d, r0}, 0x2c, {'rootmode', 0x3d, 0x8000}})
00:09:44 executing program 1:
syz_clone3(&(0x7f00000001c0)={0x0, 0x0, 0x0, 0x0, {0x10000}, 0x0, 0x0, 0x0, 0x0}, 0x58)
[ 615.710392][ T2051] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 615.840207][ T2051] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 618.866460][ T2052] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 618.990612][ T2052] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 629.989612][ T2051] device hsr_slave_0 entered promiscuous mode
[ 630.040237][ T2051] device hsr_slave_1 entered promiscuous mode
[ 632.608227][ T2052] device hsr_slave_0 entered promiscuous mode
[ 632.667053][ T2052] device hsr_slave_1 entered promiscuous mode
[ 632.703556][ T2052] debugfs: Directory 'hsr0' with parent 'hsr' already present!
[ 632.712165][ T2052] Cannot create hsr debugfs directory
[ 638.919700][ T2051] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 639.121734][ T2051] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 639.278593][ T2051] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 639.419500][ T2051] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 641.242049][ T2052] netdevsim netdevsim1 netdevsim0: renamed from eth0
[ 641.422727][ T2052] netdevsim netdevsim1 netdevsim1: renamed from eth1
[ 641.569507][ T2052] netdevsim netdevsim1 netdevsim2: renamed from eth2
[ 641.743031][ T2052] netdevsim netdevsim1 netdevsim3: renamed from eth3
[ 648.684840][ C0] ==================================================================
[ 648.688482][ C0] BUG: KASAN: stack-out-of-bounds in walk_stackframe+0x11c/0x260
[ 648.689973][ C0] Read of size 8 at addr ffffaf8010643e10 by task syz-executor.0/2051
[ 648.691605][ C0]
[ 648.693706][ C0] CPU: 0 PID: 2051 Comm: syz-executor.0 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 648.696179][ C0] Hardware name: riscv-virtio,qemu (DT)
[ 648.697669][ C0] Call Trace:
[ 648.698680][ C0] [] dump_backtrace+0x2e/0x3c
[ 648.700120][ C0] [] show_stack+0x34/0x40
[ 648.701384][ C0] [] dump_stack_lvl+0xe4/0x150
[ 648.702831][ C0] [] print_address_description.constprop.0+0x2a/0x330
[ 648.705025][ C0] [] kasan_report+0x184/0x1e0
[ 648.706869][ C0] [] __asan_load8+0x6e/0x96
[ 648.708333][ C0] [] walk_stackframe+0x11c/0x260
[ 648.709676][ C0] [] arch_stack_walk+0x2c/0x3c
[ 648.710986][ C0] [] stack_trace_save+0xa6/0xd8
[ 648.712259][ C0] [] save_stack+0x112/0x16c
[ 648.713814][ C0]
[ 648.714700][ C0] The buggy address belongs to the page:
[ 648.716685][ C0] page:ffffaf807aae52d8 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x90843
[ 648.718385][ C0] flags: 0x9000000000(section=18|node=0|zone=0)
[ 648.720845][ C0] raw: 0000009000000000 0000000000000000 ffffaf807aae52e0 0000000000000000
[ 648.722295][ C0] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 648.723523][ C0] raw: 00000000000007ff
[ 648.724726][ C0] page dumped because: kasan: bad access detected
[ 648.726496][ C0] page_owner tracks the page as allocated
[ 648.727581][ C0] page last allocated via order 2, migratetype Unmovable, gfp_mask 0x400dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO), pid 2030, ts 586249138200, free_ts 457387938200
[ 648.729920][ C0] __set_page_owner+0x48/0x136
[ 648.731178][ C0] post_alloc_hook+0xd0/0x10a
[ 648.732315][ C0] get_page_from_freelist+0x8da/0x12d8
[ 648.733492][ C0] __alloc_pages+0x150/0x3b6
[ 648.734853][ C0] copy_process+0x482/0x3c34
[ 648.736097][ C0] kernel_clone+0xee/0x920
[ 648.737239][ C0] __do_sys_clone+0xf2/0x12e
[ 648.738338][ C0] sys_clone+0x32/0x44
[ 648.739434][ C0] ret_from_syscall+0x0/0x2
[ 648.740652][ C0] page last free stack trace:
[ 648.741506][ C0] __reset_page_owner+0x4a/0xea
[ 648.742589][ C0] free_pcp_prepare+0x29c/0x45e
[ 648.743803][ C0] free_unref_page+0x6a/0x31e
[ 648.745311][ C0] free_compound_page+0x70/0x8a
[ 648.746562][ C0] __put_compound_page+0x7c/0xb0
[ 648.747691][ C0] __put_page+0x48/0x100
[ 648.748761][ C0] skb_release_data+0x2f8/0x3c4
[ 648.749863][ C0] kfree_skb_reason+0x11a/0x40a
[ 648.751025][ C0] skb_release_data+0x33a/0x3c4
[ 648.752134][ C0] __kfree_skb+0x38/0x50
[ 648.753205][ C0] tcp_recvmsg+0x1f2/0x414
[ 648.754731][ C0] inet_recvmsg+0x10a/0x4ba
[ 648.756340][ C0] sock_read_iter+0x26c/0x2ba
[ 648.757556][ C0] new_sync_read+0x3ae/0x3d8
[ 648.758740][ C0] vfs_read+0x2ce/0x324
[ 648.759889][ C0] ksys_read+0x1c4/0x224
[ 648.761235][ C0]
[ 648.761941][ C0] Memory state around the buggy address:
[ 648.763285][ C0] ffffaf8010643d00: 00 00 00 f3 00 00 00 00 00 00 00 00 00 00 00 00
[ 648.765200][ C0] ffffaf8010643d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 648.766964][ C0] >ffffaf8010643e00: f1 f1 f1 f1 00 00 f2 f2 00 00 f3 f3 f1 f1 f1 f1
[ 648.768167][ C0] ^
[ 648.769229][ C0] ffffaf8010643e80: 00 00 00 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
[ 648.770457][ C0] ffffaf8010643f00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
[ 648.771679][ C0] ==================================================================
[ 648.772837][ C0] Disabling lock debugging due to kernel taint
[ 648.776069][ C0] Unable to handle kernel paging request at virtual address ffffffff8016f2dc
[ 648.778206][ C0] Oops [#1]
[ 648.778875][ C0] Modules linked in:
[ 648.779890][ C0] CPU: 0 PID: 2051 Comm: syz-executor.0 Tainted: G B 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 648.781306][ C0] Hardware name: riscv-virtio,qemu (DT)
[ 648.782119][ C0] epc : rb_insert_color+0xfc/0x246
[ 648.783102][ C0] ra : rb_insert_color+0xfc/0x246
[ 648.784490][ C0] epc : ffffffff80c263b8 ra : ffffffff80c263b8 sp : ffffaf8010643830
[ 648.785682][ C0] gp : ffffffff85863ac0 tp : ffffaf8007401840 t0 : 0000000000046000
[ 648.786725][ C0] t1 : fffffffef0b187a1 t2 : 0000000000000000 s0 : ffffaf8010643870
[ 648.787731][ C0] s1 : ffffaf805a9cbd18 a0 : 0000000000000000 a1 : 0000000000000003
[ 648.788839][ C0] a2 : fffffffef002de5c a3 : ffffffff80c263b8 a4 : 0000000000000000
[ 648.789912][ C0] a5 : ffffffff8016f2dc a6 : 0000000000f00000 a7 : ffffffff858c3d0b
[ 648.790925][ C0] s2 : ffffaf805a9d7500 s3 : ffffaf805a9cbd18 s4 : ffffffff8016f2d4
[ 648.791935][ C0] s5 : ffffaf805a9cb4d0 s6 : ffffaf805a9cbd20 s7 : ffffaf805a9cb4d0
[ 648.793029][ C0] s8 : ffffaf805a9cb490 s9 : ffffaf805a9cbd50 s10: ffffaf805a9cb400
[ 648.794484][ C0] s11: 0000000000010504 t3 : 0000000061736944 t4 : fffffffef0b187a1
[ 648.796085][ C0] t5 : fffffffef0b187a2 t6 : ffffaf80106437d8
[ 648.796973][ C0] status: 0000000000000100 badaddr: ffffffff8016f2dc cause: 000000000000000f
[ 648.798127][ C0] [] timerqueue_add+0x144/0x1d0
[ 648.799267][ C0] [] __hrtimer_run_queues+0x8b4/0xa16
[ 648.800388][ C0] [] hrtimer_interrupt+0x1d4/0x3ea
[ 648.801460][ C0] [] riscv_timer_interrupt+0x5c/0x6a
[ 648.802556][ C0] [] handle_percpu_devid_irq+0x17e/0x2ae
[ 648.803780][ C0] [] generic_handle_domain_irq+0x7c/0x9c
[ 648.804949][ C0] [] riscv_intc_irq+0x7e/0xc8
[ 648.806041][ C0] [] generic_handle_arch_irq+0x36/0x54
[ 648.807342][ C0] [] ret_from_exception+0x0/0x10
[ 648.808440][ C0] [] _raw_spin_unlock_irqrestore+0x68/0x98
[ 648.810109][ C0] ---[ end trace 0000000000000000 ]---
[ 648.811444][ C0] Kernel panic - not syncing: Fatal exception in interrupt
[ 648.812521][ C0] SMP: stopping secondary CPUs
[ 648.814352][ C0] Rebooting in 86400 seconds..
VM DIAGNOSIS: 03:06:33 Registers: