syzkaller login: [ 285.411461][ T1858] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'. [ 295.904130][ T1858] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'. [ 295.974016][ T1858] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'. [ 328.202308][ T1858] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'. Warning: Permanently added '[localhost]:7712' (ECDSA) to the list of known hosts. 1970/01/01 00:05:58 fuzzer started 1970/01/01 00:06:13 dialing manager at localhost:46737 [ 380.754893][ T2037] cgroup: Unknown subsys name 'net' [ 382.126734][ T2037] cgroup: Unknown subsys name 'rlimit' 1970/01/01 00:06:21 syscalls: 2827 1970/01/01 00:06:21 code coverage: enabled 1970/01/01 00:06:21 comparison tracing: enabled 1970/01/01 00:06:21 extra coverage: enabled 1970/01/01 00:06:21 delay kcov mmap: mmap returned an invalid pointer 1970/01/01 00:06:21 setuid sandbox: enabled 1970/01/01 00:06:21 namespace sandbox: enabled 1970/01/01 00:06:21 Android sandbox: /sys/fs/selinux/policy does not exist 1970/01/01 00:06:21 fault injection: enabled 1970/01/01 00:06:21 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled 1970/01/01 00:06:21 net packet injection: enabled 1970/01/01 00:06:21 net device setup: enabled 1970/01/01 00:06:21 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist 1970/01/01 00:06:21 devlink PCI setup: PCI device 0000:00:10.0 is not available 1970/01/01 00:06:21 USB emulation: enabled 1970/01/01 00:06:21 hci packet injection: /dev/vhci does not exist 1970/01/01 00:06:21 wifi device emulation: /sys/class/mac80211_hwsim/ does not exist 1970/01/01 00:06:21 802.15.4 emulation: /sys/bus/platform/devices/mac802154_hwsim does not exist 1970/01/01 00:06:22 fetching corpus: 0, signal 0/2000 (executing program) 1970/01/01 00:06:29 fetching corpus: 43, signal 37224/37454 (executing program) 1970/01/01 00:06:29 fetching corpus: 44, signal 37429/37751 (executing program) 1970/01/01 00:06:29 fetching corpus: 45, signal 37458/37898 (executing program) 1970/01/01 00:06:29 fetching corpus: 45, signal 37458/38009 (executing program) 1970/01/01 00:06:30 fetching corpus: 45, signal 37458/38121 (executing program) 1970/01/01 00:06:30 fetching corpus: 45, signal 37458/38236 (executing program) 1970/01/01 00:06:30 fetching corpus: 45, signal 37458/38331 (executing program) 1970/01/01 00:06:30 fetching corpus: 45, signal 37458/38456 (executing program) 1970/01/01 00:06:30 fetching corpus: 45, signal 37458/38568 (executing program) 1970/01/01 00:06:30 fetching corpus: 45, signal 37458/38697 (executing program) 1970/01/01 00:06:31 fetching corpus: 45, signal 37458/38812 (executing program) 1970/01/01 00:06:31 fetching corpus: 45, signal 37458/38921 (executing program) 1970/01/01 00:06:31 fetching corpus: 45, signal 37458/39042 (executing program) 1970/01/01 00:06:31 fetching corpus: 45, signal 37458/39156 (executing program) 1970/01/01 00:06:31 fetching corpus: 45, signal 37458/39282 (executing program) 1970/01/01 00:06:31 fetching corpus: 45, signal 37458/39415 (executing program) 1970/01/01 00:06:32 fetching corpus: 45, signal 37458/39551 (executing program) 1970/01/01 00:06:32 fetching corpus: 45, signal 37458/39685 (executing program) 1970/01/01 00:06:32 fetching corpus: 45, signal 37458/39792 (executing program) 1970/01/01 00:06:32 fetching corpus: 45, signal 37458/39792 (executing program) 1970/01/01 00:08:52 starting 2 fuzzer processes 00:08:52 executing program 0: r0 = inotify_init1(0x0) inotify_add_watch(r0, &(0x7f0000000080)='.\x00', 0x22000894) openat(0xffffffffffffff9c, &(0x7f0000000080)='./file1\x00', 0x42, 0x0) setxattr$trusted_overlay_upper(&(0x7f0000000000)='./file1\x00', &(0x7f0000000040), 0x0, 0x0, 0x0) 00:08:52 executing program 1: r0 = syz_mount_image$ext4(&(0x7f0000000000)='ext4\x00', &(0x7f0000000100)='./file0\x00', 0x100000, 0x9, &(0x7f0000000200)=[{&(0x7f0000010000)="200000000002000019000000500100000f000000000000000100000005000000000004000040000020000000dbf4655fdbf4655f0100ffff53ef010001000000dbf4655f000000000000000001000000000000000b0000008000000018000000c20500002b02", 0x66, 0x400}, {&(0x7f0000010100)="000000000000000000000000244b8e9b57f04b59aa229cc218853f95010040", 0x1f, 0x4e0}, {&(0x7f0000010200)="010000000000050040", 0x9, 0x560}, {&(0x7f0000010300)="020000000300000004", 0x9, 0x800}, {&(0x7f0000011500)="ed41000000080000dbf4655fdbf4655fdbf4655f00000000000004004000000000000800050000000af301000400000000000000000000000100000010", 0x3d, 0x2080}, {&(0x7f0000000300)="ed41000000080000dbf4655fdbf4655fdbf4655f00000000000002004000000000000800030000000af30100040000000000000000000000010000005000000000000000000000000000000000000000000000000000000000000000000000000000000005142ad1000000000000000000000000000000000000000000000000ed8100001a040000dbf4655fdbf4655fdbf4655f00000000000001004000000000000800010000000af301000400000000000000000000000100000060000000000000000000000000000000000000000000000000000000000000000000000000000000a7ea2103000000000000000000000000000000000000000000000000ffa1000026000000dbf4655fdbf4655fdbf4655f00000000000001000000000000000000010000002f746d702f73797a2d696d61676567656e3638353036393038362f66696c65302f66696c653000000000000000000000000000000000000000000000e28cd836000000000000000000000000000000000000000000000000ed8100000a000000dbf4655fdbf4655fdbf4655f00000000000001008000000000000800010000000af30100040000000000000000000000010000007000000000000000000000000000000000000000000000000000000000000000000000000000000037875b3480", 0x1e9, 0x2580}, {&(0x7f0000011b00)="020000000c0001022e000000020000000c0002022e2e00000b00000014000a026c6f73742b666f756e6400000c0000001000050266696c65300000000f0000001000050166696c6531", 0x49, 0x8000}, {&(0x7f0000012400)="504d4d00504d4dff", 0x8, 0x20000}, {&(0x7f0000012c00)="000002ea0100000001000000270f240c0000000000000000000000000000000006", 0x21, 0x40000}], 0x0, &(0x7f0000012f00)) syz_open_procfs(0xffffffffffffffff, &(0x7f0000000080)='net/if_inet6\x00') ioctl$sock_inet_udp_SIOCINQ(0xffffffffffffffff, 0x541b, &(0x7f0000003000)) unlinkat(r0, &(0x7f00000000c0)='./file1\x00', 0x0) [ 562.643922][ T2048] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 562.742480][ T2048] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 565.002707][ T2050] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 565.234658][ T2050] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 575.644673][ T2048] device hsr_slave_0 entered promiscuous mode [ 575.726884][ T2048] device hsr_slave_1 entered promiscuous mode [ 577.473291][ T2050] device hsr_slave_0 entered promiscuous mode [ 577.525273][ T2050] device hsr_slave_1 entered promiscuous mode [ 577.544702][ T2050] debugfs: Directory 'hsr0' with parent 'hsr' already present! [ 577.554137][ T2050] Cannot create hsr debugfs directory [ 586.173547][ T2048] netdevsim netdevsim1 netdevsim0: renamed from eth0 [ 586.331094][ T2048] netdevsim netdevsim1 netdevsim1: renamed from eth1 [ 586.443102][ T2048] netdevsim netdevsim1 netdevsim2: renamed from eth2 [ 586.973993][ T2048] netdevsim netdevsim1 netdevsim3: renamed from eth3 [ 588.646586][ T2050] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 588.881142][ T2050] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 589.025004][ T2050] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 589.218723][ T2050] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 596.818044][ C0] ================================================================== [ 596.823982][ C0] BUG: KASAN: use-after-free in walk_stackframe+0x11c/0x260 [ 596.825812][ C0] Read of size 8 at addr ffffaf801140fff0 by task syz-executor.1/2048 [ 596.828377][ C0] [ 596.830455][ C0] CPU: 0 PID: 2048 Comm: syz-executor.1 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0 [ 596.832428][ C0] Hardware name: riscv-virtio,qemu (DT) [ 596.833922][ C0] Call Trace: [ 596.835192][ C0] [] dump_backtrace+0x2e/0x3c [ 596.836802][ C0] [] show_stack+0x34/0x40 [ 596.839043][ C0] [] dump_stack_lvl+0xe4/0x150 [ 596.840631][ C0] [] print_address_description.constprop.0+0x2a/0x330 [ 596.842313][ C0] [] kasan_report+0x184/0x1e0 [ 596.843792][ C0] [] __asan_load8+0x6e/0x96 [ 596.845279][ C0] [] walk_stackframe+0x11c/0x260 [ 596.846824][ C0] [] arch_stack_walk+0x2c/0x3c [ 596.849222][ C0] [] stack_trace_save+0xa6/0xd8 [ 596.851018][ C0] [ 596.851856][ C0] The buggy address belongs to the page: [ 596.853459][ C0] page:ffffaf807ab23438 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9160f [ 596.855710][ C0] flags: 0x9000000000(section=18|node=0|zone=0) [ 596.859533][ C0] raw: 0000009000000000 0000000000000000 ffffaf807ab23440 0000000000000000 [ 596.861101][ C0] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 [ 596.862410][ C0] raw: 00000000000007ff [ 596.863419][ C0] page dumped because: kasan: bad access detected [ 596.864752][ C0] page_owner tracks the page as freed [ 596.865808][ C0] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 2126, ts 558989914600, free_ts 596743921500 [ 596.871131][ C0] __set_page_owner+0x48/0x136 [ 596.872527][ C0] post_alloc_hook+0xd0/0x10a [ 596.873810][ C0] get_page_from_freelist+0x8da/0x12d8 [ 596.875153][ C0] __alloc_pages+0x150/0x3b6 [ 596.876464][ C0] alloc_pages+0x132/0x2a6 [ 596.878501][ C0] alloc_slab_page.constprop.0+0xc2/0xfa [ 596.879850][ C0] new_slab+0x25a/0x2cc [ 596.881071][ C0] ___slab_alloc+0x56e/0x918 [ 596.882448][ C0] __slab_alloc.constprop.0+0x50/0x8c [ 596.883794][ C0] kmem_cache_alloc_node+0x1f2/0x41c [ 596.885187][ C0] copy_process+0x203e/0x3c34 [ 596.886576][ C0] kernel_clone+0xee/0x920 [ 596.888431][ C0] kernel_thread+0xf8/0x130 [ 596.889721][ C0] call_usermodehelper_exec_work+0xc8/0x122 [ 596.891132][ C0] process_one_work+0x654/0xffe [ 596.892390][ C0] worker_thread+0x360/0x8fa [ 596.893691][ C0] page last free stack trace: [ 596.894660][ C0] __reset_page_owner+0x4a/0xea [ 596.895974][ C0] free_pcp_prepare+0x29c/0x45e [ 596.897352][ C0] free_unref_page+0x6a/0x31e [ 596.899105][ C0] __free_pages+0xe2/0x112 [ 596.900369][ C0] __free_slab+0x122/0x27c [ 596.901601][ C0] discard_slab+0x4c/0x7a [ 596.902621][ C0] __unfreeze_partials+0x16a/0x18e [ 596.903879][ C0] put_cpu_partial+0xf6/0x162 [ 596.905188][ C0] __slab_free+0x166/0x29c [ 596.906439][ C0] ___cache_free+0x17c/0x354 [ 596.908224][ C0] qlist_free_all+0x7c/0x132 [ 596.909881][ C0] kasan_quarantine_reduce+0x14c/0x1c8 [ 596.911132][ C0] __kasan_slab_alloc+0x5c/0x98 [ 596.912461][ C0] kmem_cache_alloc_node+0x368/0x41c [ 596.913795][ C0] __alloc_skb+0x234/0x2e4 [ 596.915099][ C0] netlink_sendmsg+0x7d4/0x994 [ 596.916543][ C0] [ 596.917772][ C0] Memory state around the buggy address: [ 596.920207][ C0] ffffaf801140fe80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 596.921697][ C0] ffffaf801140ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 596.923168][ C0] >ffffaf801140ff80: 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff [ 596.924477][ C0] ^ [ 596.925830][ C0] ffffaf8011410000: 00 00 00 00 f1 f1 f1 f1 00 00 00 f3 f3 f3 f3 f3 [ 596.927245][ C0] ffffaf8011410080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 596.929734][ C0] ================================================================== [ 596.931077][ C0] Disabling lock debugging due to kernel taint [ 596.965836][ T2048] Kernel panic - not syncing: corrupted stack end detected inside scheduler [ 596.967831][ T2048] CPU: 0 PID: 2048 Comm: syz-executor.1 Tainted: G B 5.17.0-rc1-syzkaller-00002-g0966d385830d #0 [ 596.969457][ T2048] Hardware name: riscv-virtio,qemu (DT) [ 596.970277][ T2048] Call Trace: [ 596.971030][ T2048] [] dump_backtrace+0x2e/0x3c [ 596.971706][ T2048] [] show_stack+0x34/0x40 [ 596.973760][ T2048] [] dump_stack_lvl+0xe4/0x150 [ 596.974884][ T2048] [] dump_stack+0x1c/0x24 [ 596.976043][ T2048] [] panic+0x24a/0x634 [ 596.977158][ T2048] [] schedule+0x0/0x14c [ 596.978327][ T2048] [] preempt_schedule_common+0x4e/0xde [ 596.979557][ T2048] [] preempt_schedule+0x34/0x36 [ 596.980731][ T2048] [] __slab_alloc.constprop.0+0x8a/0x8c [ 596.981996][ T2048] [] kmem_cache_alloc_trace+0x2a2/0x2e0 [ 596.983242][ T2048] [] ref_tracker_alloc+0x10c/0x33e [ 596.984555][ T2048] [] fib_check_nh+0x1dc/0x47e [ 596.985649][ T2048] [] fib_create_info+0x1748/0x2d8e [ 596.986785][ T2048] [] fib_table_insert+0x1a0/0xebe [ 596.988621][ T2048] [] fib_magic+0x3f4/0x438 [ 596.989907][ T2048] [] fib_add_ifaddr+0x2be/0x2e2 [ 596.990996][ T2048] [] fib_netdev_event+0x362/0x4b0 [ 596.992109][ T2048] [] notifier_call_chain+0xb8/0x188 [ 596.993297][ T2048] [] raw_notifier_call_chain+0x2a/0x38 [ 596.994526][ T2048] [] call_netdevice_notifiers_info+0x9e/0x10c [ 596.995780][ T2048] [] __dev_notify_flags+0x108/0x1fa [ 596.997067][ T2048] [] dev_change_flags+0x9c/0xba [ 596.998447][ T2048] [] do_setlink+0x5d6/0x21c4 [ 596.999544][ T2048] [] __rtnl_newlink+0x99e/0xfa0 [ 597.000641][ T2048] [] rtnl_newlink+0x60/0x8c [ 597.001827][ T2048] [] rtnetlink_rcv_msg+0x338/0x9a0 [ 597.003035][ T2048] [] netlink_rcv_skb+0xf8/0x2be [ 597.004081][ T2048] [] rtnetlink_rcv+0x26/0x30 [ 597.005194][ T2048] [] netlink_unicast+0x40e/0x5fe [ 597.006266][ T2048] [] netlink_sendmsg+0x4e0/0x994 [ 597.007917][ T2048] [] sock_sendmsg+0xa0/0xc4 [ 597.009020][ T2048] [] __sys_sendto+0x1f2/0x2e0 [ 597.010019][ T2048] [] sys_sendto+0x3e/0x52 [ 597.011064][ T2048] [] ret_from_syscall+0x0/0x2 [ 597.012497][ T2048] SMP: stopping secondary CPUs [ 597.014840][ T2048] Rebooting in 86400 seconds.. VM DIAGNOSIS: 13:11:27 Registers: info registers vcpu 0 pc ffffffff801165d6 mhartid 0000000000000000 mstatus 00000000000000a0 mip 00000000000000a0 mie 000000000000022a mideleg 0000000000000222 medeleg 000000000000b109 mtvec 0000000080000540 stvec ffffffff800055d4 mepc ffffffff80475ac2 sepc ffffffff80200a06 mcause 8000000000000007 scause 8000000000000005 mtval 0000000000000000 stval 0000000000000000 x0/zero 0000000000000000 x1/ra ffffffff801165c2 x2/sp ffffaf801140f980 x3/gp ffffffff85863ac0 x4/tp ffffaf800b689840 x5/t0 ffffffff86bcb657 x6/t1 7293084b1ab64500 x7/t2 0000000000000000 x8/s0 ffffaf801140fae0 x9/s1 ffffffff8343c840 x10/a0 ffffaf805a9c8840 x11/a1 0000000000000003 x12/a2 1ffff5f00b539108 x13/a3 ffffffff801165c2 x14/a4 0000000000000000 x15/a5 0000000000000020 x16/a6 0000000000f00000 x17/a7 ffffffff8011efb0 x18/s2 ffffffff86c1a620 x19/s3 ffffaf805a9c8840 x20/s4 0000000000000000 x21/s5 ffffffff84a88898 x22/s6 0000000000000000 x23/s7 ffffaf800b689840 x24/s8 ffffffff8011efb0 x25/s9 ffffffff85889780 x26/s10 1ffff5f002281f38 x27/s11 0000000000000000 x28/t3 fffffffff3f3f300 x29/t4 ffffffff80112282 x30/t5 1ffff5f002281f14 x31/t6 ffffffff86bcb657 f0/ft0 0000000000000000 f1/ft1 0000000000000000 f2/ft2 0000000000000000 f3/ft3 0000000000000000 f4/ft4 0000000000000000 f5/ft5 0000000000000000 f6/ft6 0000000000000000 f7/ft7 0000000000000000 f8/fs0 0000000000000000 f9/fs1 0000000000000000 f10/fa0 0000000000000000 f11/fa1 0000000000000000 f12/fa2 0000000000000000 f13/fa3 0000000000000000 f14/fa4 0000000000000000 f15/fa5 0000000000000000 f16/fa6 0000000000000000 f17/fa7 0000000000000000 f18/fs2 0000000000000000 f19/fs3 0000000000000000 f20/fs4 0000000000000000 f21/fs5 0000000000000000 f22/fs6 0000000000000000 f23/fs7 0000000000000000 f24/fs8 0000000000000000 f25/fs9 0000000000000000 f26/fs10 0000000000000000 f27/fs11 0000000000000000 f28/ft8 0000000000000000 f29/ft9 0000000000000000 f30/ft10 0000000000000000 f31/ft11 0000000000000000 info registers vcpu 1 pc ffffffff8010b250 mhartid 0000000000000001 mstatus 00000000000001a0 mip 00000000000000a0 mie 000000000000020a mideleg 0000000000000222 medeleg 000000000000b109 mtvec 0000000080000540 stvec ffffffff800055d4 mepc ffffffff80119b52 sepc ffffffff80119b52 mcause 8000000000000007 scause 8000000000000005 mtval 0000000000000000 stval 0000000000000000 x0/zero 0000000000000000 x1/ra ffffffff831a197a x2/sp ffffaf800ef93070 x3/gp ffffffff85863ac0 x4/tp ffffaf800bc7c8c0 x5/t0 0000000000046000 x6/t1 7293084b1ab64500 x7/t2 ffffffffffffffff x8/s0 ffffaf800ef93080 x9/s1 ffffaf800bc7d308 x10/a0 0000000000000120 x11/a1 00000000000f0000 x12/a2 0000000000010201 x13/a3 0000000000000000 x14/a4 0000000000000001 x15/a5 ffffaf805a9e4840 x16/a6 0000000000f00000 x17/a7 ffffffff8018e490 x18/s2 0000000000000000 x19/s3 ffffffff84b787b0 x20/s4 ffffaf800bc7d8c0 x21/s5 ffffffff8343c840 x22/s6 ffffffffffffffff x23/s7 0000000000000120 x24/s8 ffffffff86c1a620 x25/s9 0000000000000002 x26/s10 ffffffff858296b8 x27/s11 ffffaf800ef93280 x28/t3 fffffffff3f3f300 x29/t4 ffffffff80112282 x30/t5 1ffff5f001df2610 x31/t6 0000000002857bde f0/ft0 0000000000000000 f1/ft1 0000000000000000 f2/ft2 0000000000000000 f3/ft3 0000000000000000 f4/ft4 0000000000000000 f5/ft5 0000000000000000 f6/ft6 0000000000000000 f7/ft7 0000000000000000 f8/fs0 0000000000000000 f9/fs1 0000000000000000 f10/fa0 0000000000000000 f11/fa1 0000000000000000 f12/fa2 0000000000000000 f13/fa3 0000000000000000 f14/fa4 0000000000000000 f15/fa5 0000000000000000 f16/fa6 0000000000000000 f17/fa7 0000000000000000 f18/fs2 0000000000000000 f19/fs3 0000000000000000 f20/fs4 0000000000000000 f21/fs5 0000000000000000 f22/fs6 0000000000000000 f23/fs7 0000000000000000 f24/fs8 0000000000000000 f25/fs9 0000000000000000 f26/fs10 0000000000000000 f27/fs11 0000000000000000 f28/ft8 0000000000000000 f29/ft9 0000000000000000 f30/ft10 0000000000000000 f31/ft11 0000000000000000