syzkaller login: [ 245.873663][ T1858] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 245.953461][ T1858] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 246.036160][ T1858] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 263.912075][ T1858] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
Warning: Permanently added '[localhost]:11953' (ECDSA) to the list of known hosts.
1970/01/01 00:04:58 fuzzer started
1970/01/01 00:05:09 dialing manager at localhost:42663
[ 315.967060][ T2031] cgroup: Unknown subsys name 'net'
[ 316.855225][ T2031] cgroup: Unknown subsys name 'rlimit'
1970/01/01 00:05:16 syscalls: 2870
1970/01/01 00:05:16 code coverage: enabled
1970/01/01 00:05:16 comparison tracing: enabled
1970/01/01 00:05:16 extra coverage: enabled
1970/01/01 00:05:16 delay kcov mmap: mmap returned an invalid pointer
1970/01/01 00:05:16 setuid sandbox: enabled
1970/01/01 00:05:16 namespace sandbox: enabled
1970/01/01 00:05:16 Android sandbox: /sys/fs/selinux/policy does not exist
1970/01/01 00:05:16 fault injection: enabled
1970/01/01 00:05:16 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
1970/01/01 00:05:16 net packet injection: enabled
1970/01/01 00:05:16 net device setup: enabled
1970/01/01 00:05:16 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
1970/01/01 00:05:16 devlink PCI setup: PCI device 0000:00:10.0 is not available
1970/01/01 00:05:16 NIC VF setup: PCI device 0000:00:11.0 is not available
1970/01/01 00:05:16 USB emulation: enabled
1970/01/01 00:05:16 hci packet injection: /dev/vhci does not exist
1970/01/01 00:05:16 wifi device emulation: /sys/class/mac80211_hwsim/ does not exist
1970/01/01 00:05:16 802.15.4 emulation: /sys/bus/platform/devices/mac802154_hwsim does not exist
1970/01/01 00:05:17 fetching corpus: 0, signal 0/2000 (executing program)
1970/01/01 00:05:21 fetching corpus: 49, signal 34479/37655 (executing program)
1970/01/01 00:05:26 fetching corpus: 98, signal 49861/54083 (executing program)
1970/01/01 00:05:29 fetching corpus: 146, signal 57614/62797 (executing program)
1970/01/01 00:05:32 fetching corpus: 196, signal 62187/68397 (executing program)
1970/01/01 00:05:35 fetching corpus: 246, signal 66842/73974 (executing program)
1970/01/01 00:05:38 fetching corpus: 295, signal 70501/78519 (executing program)
1970/01/01 00:05:41 fetching corpus: 345, signal 74496/83351 (executing program)
1970/01/01 00:05:44 fetching corpus: 395, signal 79146/88621 (executing program)
[ 345.324718][ C0] ==================================================================
[ 345.325947][ C0] BUG: KASAN: slab-out-of-bounds in __bfs+0x154/0x394
[ 345.327029][ C0] Read of size 8 at addr ffffaf800e193ff0 by task sshd/2021
[ 345.328042][ C0]
[ 345.329022][ C0] CPU: 0 PID: 2021 Comm: sshd Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 345.330814][ C0] Hardware name: riscv-virtio,qemu (DT)
[ 345.331819][ C0] Call Trace:
[ 345.332588][ C0] [] dump_backtrace+0x2e/0x3c
[ 345.333649][ C0] [] show_stack+0x34/0x40
[ 345.334712][ C0] [] dump_stack_lvl+0xe4/0x150
[ 345.335841][ C0] [] print_address_description.constprop.0+0x2a/0x330
[ 345.337135][ C0] [] kasan_report+0x184/0x1e0
[ 345.338298][ C0] [] __asan_load8+0x6e/0x96
[ 345.339358][ C0] [] __bfs+0x154/0x394
[ 345.340339][ C0] [] check_path.constprop.0+0x24/0x46
[ 345.341411][ C0] [] check_noncircular+0x11a/0x1fe
[ 345.342668][ C0]
[ 345.343310][ C0] Allocated by task 1839:
[ 345.344084][ C0] stack_trace_save+0xa6/0xd8
[ 345.345038][ C0] kasan_save_stack+0x2c/0x58
[ 345.345981][ C0] __kasan_kmalloc+0x80/0xb2
[ 345.346907][ C0] __kmalloc+0x190/0x318
[ 345.347814][ C0] load_elf_phdrs+0x100/0x1e8
[ 345.348713][ C0] load_elf_binary+0xbe2/0x2716
[ 345.349616][ C0] bprm_execve+0x5bc/0x1140
[ 345.350504][ C0] do_execveat_common+0x298/0x312
[ 345.351415][ C0] sys_execve+0x32/0x40
[ 345.352296][ C0] ret_from_syscall+0x0/0x2
[ 345.353199][ C0]
[ 345.353717][ C0] Last potentially related work creation:
[ 345.354457][ C0] ------------[ cut here ]------------
[ 345.355133][ C0] slab index 4095 out of bounds (256) for stack id 00000fff
[ 345.359275][ C0] WARNING: CPU: 0 PID: 2021 at lib/stackdepot.c:304 stack_depot_print+0x66/0x70
[ 345.360704][ C0] Modules linked in:
[ 345.361596][ C0] CPU: 0 PID: 2021 Comm: sshd Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 345.362777][ C0] Hardware name: riscv-virtio,qemu (DT)
[ 345.363559][ C0] epc : stack_depot_print+0x66/0x70
[ 345.364552][ C0] ra : stack_depot_print+0x66/0x70
[ 345.365563][ C0] epc : ffffffff80c00b8a ra : ffffffff80c00b8a sp : ffffaf800e193d80
[ 345.366589][ C0] gp : ffffffff85863ac0 tp : ffffaf8009df9840 t0 : ffffffff86bcb657
[ 345.367620][ C0] t1 : fffff5ef0b53910c t2 : 0000000000000000 s0 : ffffaf800e193d90
[ 345.368585][ C0] s1 : ffffaf807aa40080 a0 : 0000000000000039 a1 : 00000000000f0000
[ 345.369529][ C0] a2 : 0000000000000506 a3 : ffffffff8012252a a4 : 2915ea31eee56300
[ 345.370539][ C0] a5 : 2915ea31eee56300 a6 : 0000000000f00000 a7 : ffffaf805a9c8863
[ 345.371534][ C0] s2 : ffffaf800e193ff0 s3 : ffffaf8007201c80 s4 : ffffaf800e193c00
[ 345.372506][ C0] s5 : ffffaf800e193e00 s6 : ffffffff8588bb20 s7 : ffffffff85e09180
[ 345.373496][ C0] s8 : ffffaf800e193f00 s9 : ffffaf8009dfa3e8 s10: ffffffff85899680
[ 345.374507][ C0] s11: ffffaf8009df9840 t3 : ffffffff801163b2 t4 : fffff5ef0b53910c
[ 345.375490][ C0] t5 : fffff5ef0b53910d t6 : ffffaf800e193878
[ 345.376327][ C0] status: 0000000000000100 badaddr: 0000000000000000 cause: 0000000000000003
[ 345.377459][ C0] [] print_address_description.constprop.0+0x2fc/0x330
[ 345.378820][ C0] [] kasan_report+0x184/0x1e0
[ 345.380083][ C0] [] __asan_load8+0x6e/0x96
[ 345.381072][ C0] [] __bfs+0x154/0x394
[ 345.382061][ C0] [] check_path.constprop.0+0x24/0x46
[ 345.383142][ C0] [] check_noncircular+0x11a/0x1fe
[ 345.384314][ C0] irq event stamp: 135089
[ 345.384971][ C0] hardirqs last enabled at (135088): [] get_page_from_freelist+0xfc8/0x12d8
[ 345.386358][ C0] hardirqs last disabled at (135089): [] get_page_from_freelist+0xfbe/0x12d8
[ 345.387789][ C0] softirqs last enabled at (134096): [] release_sock+0xf6/0x122
[ 345.389077][ C0] softirqs last disabled at (134137): [] __irq_exit_rcu+0x142/0x1f8
[ 345.390386][ C0] ---[ end trace 0000000000000000 ]---
[ 345.391567][ C0]
[ 345.392073][ C0] The buggy address belongs to the object at ffffaf800e193c00
[ 345.392073][ C0] which belongs to the cache kmalloc-512 of size 512
[ 345.393471][ C0] The buggy address is located 496 bytes to the right of
[ 345.393471][ C0] 512-byte region [ffffaf800e193c00, ffffaf800e193e00)
[ 345.394849][ C0] The buggy address belongs to the page:
[ 345.395990][ C0] page:ffffaf807aa40080 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffffaf800e190000 pfn:0x8e390
[ 345.397546][ C0] head:ffffaf807aa40080 order:2 compound_mapcount:0 compound_pincount:0
[ 345.398686][ C0] flags: 0x8800010200(slab|head|section=17|node=0|zone=0)
[ 345.401242][ C0] raw: 0000008800010200 ffffaf807a9d6908 ffffaf807a9cbaa8 ffffaf8007201c80
[ 345.403446][ C0] raw: ffffaf800e190000 000000000010000a 00000001ffffffff 0000000000000000
[ 345.404548][ C0] raw: 00000000000007ff
[ 345.405329][ C0] page dumped because: kasan: bad access detected
[ 345.406334][ C0] page_owner tracks the page as allocated
[ 345.407081][ C0] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, ts 50188607100, free_ts 50162170300
[ 345.408968][ C0] __set_page_owner+0x48/0x136
[ 345.409909][ C0] post_alloc_hook+0xd0/0x10a
[ 345.410771][ C0] get_page_from_freelist+0x8da/0x12d8
[ 345.411725][ C0] __alloc_pages+0x150/0x3b6
[ 345.412622][ C0] alloc_page_interleave+0x2a/0x1cc
[ 345.413593][ C0] alloc_pages+0x210/0x2a6
[ 345.414509][ C0] alloc_slab_page.constprop.0+0xc2/0xfa
[ 345.415483][ C0] new_slab+0x25a/0x2cc
[ 345.416348][ C0] ___slab_alloc+0x56e/0x918
[ 345.417259][ C0] __slab_alloc.constprop.0+0x50/0x8c
[ 345.418252][ C0] kmem_cache_alloc_trace+0x2a2/0x2e0
[ 345.419227][ C0] find_valid_gpt.constprop.0+0x1aa/0x15f4
[ 345.420237][ C0] efi_partition+0x100/0x70a
[ 345.421113][ C0] bdev_disk_changed+0x352/0xb34
[ 345.422017][ C0] blkdev_get_whole+0x168/0x17a
[ 345.422853][ C0] blkdev_get_by_dev.part.0+0x346/0x636
[ 345.423845][ C0] page last free stack trace:
[ 345.424497][ C0] __reset_page_owner+0x4a/0xea
[ 345.425405][ C0] free_pcp_prepare+0x29c/0x45e
[ 345.426290][ C0] free_unref_page+0x6a/0x31e
[ 345.427217][ C0] __free_pages+0xe2/0x112
[ 345.428144][ C0] free_pages.part.0+0xe0/0xf6
[ 345.429032][ C0] free_pages+0xe/0x18
[ 345.429835][ C0] __stack_depot_save+0x1b4/0x4b2
[ 345.430528][ C0] kasan_save_stack+0x40/0x58
[ 345.431196][ C0] __kasan_slab_alloc+0x8e/0x98
[ 345.431874][ C0] kmem_cache_alloc+0x144/0x3de
[ 345.432522][ C0] alloc_inode+0xf4/0x134
[ 345.433097][ C0] new_inode+0x28/0x140
[ 345.433665][ C0] debugfs_get_inode+0x20/0xb0
[ 345.434298][ C0] debugfs_create_dir+0xc0/0x302
[ 345.434940][ C0] blk_mq_debugfs_register_rqos+0x132/0x1c8
[ 345.435698][ C0] wbt_init+0x224/0x354
[ 345.436435][ C0]
[ 345.436830][ C0] Memory state around the buggy address:
[ 345.437639][ C0] ffffaf800e193e80: fc fc fc fc f1 f1 f1 f1 00 f3 f3 f3 fc fc fc fc
[ 345.438407][ C0] ffffaf800e193f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 345.439107][ C0] >ffffaf800e193f80: 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 fc fc fc fc
[ 345.439838][ C0] ^
[ 345.440580][ C0] ffffaf800e194000: 00 00 00 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
[ 345.441304][ C0] ffffaf800e194080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 345.442028][ C0] ==================================================================
[ 345.442702][ C0] Disabling lock debugging due to kernel taint
[ 345.453042][ T2021] Kernel panic - not syncing: corrupted stack end detected inside scheduler
[ 345.454087][ T2021] CPU: 0 PID: 2021 Comm: sshd Tainted: G B W 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 345.455040][ T2021] Hardware name: riscv-virtio,qemu (DT)
[ 345.455621][ T2021] Call Trace:
[ 345.456025][ T2021] [] dump_backtrace+0x2e/0x3c
[ 345.456742][ T2021] [] show_stack+0x34/0x40
[ 345.457375][ T2021] [] dump_stack_lvl+0xe4/0x150
[ 345.458105][ T2021] [] dump_stack+0x1c/0x24
[ 345.458863][ T2021] [] panic+0x24a/0x634
[ 345.459557][ T2021] [] schedule+0x0/0x14c
[ 345.460304][ T2021] [] preempt_schedule_common+0x4e/0xde
[ 345.462279][ T2021] [] preempt_schedule+0x34/0x36
[ 345.463533][ T2021] [] _raw_spin_unlock_irqrestore+0x8c/0x98
[ 345.464456][ T2021] [] hrtimer_start_range_ns+0x336/0x6dc
[ 345.465176][ T2021] [] schedule_hrtimeout_range_clock+0x180/0x2de
[ 345.465909][ T2021] [] schedule_hrtimeout_range+0x28/0x36
[ 345.466577][ T2021] [] poll_schedule_timeout.constprop.0+0x84/0xde
[ 345.467395][ T2021] [] do_select+0xd50/0xeb4
[ 345.468043][ T2021] [] core_sys_select+0x364/0x8c8
[ 345.468716][ T2021] [] sys_pselect6+0x258/0x29a
[ 345.469402][ T2021] [] ret_from_syscall+0x0/0x2
[ 345.470295][ T2021] SMP: stopping secondary CPUs
[ 345.472734][ T2021] Rebooting in 86400 seconds..
VM DIAGNOSIS: 02:16:24 Registers: info registers vcpu 0 / vcpu 1 (raw register dump omitted)