syzkaller login: [ 295.368467][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 295.468622][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 295.540935][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 295.666665][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 316.505768][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
Warning: Permanently added '[localhost]:37615' (ECDSA) to the list of known hosts.
1970/01/01 00:06:03 fuzzer started
1970/01/01 00:06:18 dialing manager at localhost:45653
[ 386.097931][ T2032] cgroup: Unknown subsys name 'net'
[ 387.478350][ T2032] cgroup: Unknown subsys name 'rlimit'
1970/01/01 00:06:27 syscalls: 2817
1970/01/01 00:06:27 code coverage: enabled
1970/01/01 00:06:27 comparison tracing: enabled
1970/01/01 00:06:27 extra coverage: enabled
1970/01/01 00:06:27 delay kcov mmap: mmap returned an invalid pointer
1970/01/01 00:06:27 setuid sandbox: enabled
1970/01/01 00:06:27 namespace sandbox: enabled
1970/01/01 00:06:27 Android sandbox: /sys/fs/selinux/policy does not exist
1970/01/01 00:06:27 fault injection: enabled
1970/01/01 00:06:27 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
1970/01/01 00:06:27 net packet injection: enabled
1970/01/01 00:06:27 net device setup: enabled
1970/01/01 00:06:27 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
1970/01/01 00:06:27 devlink PCI setup: PCI device 0000:00:10.0 is not available
1970/01/01 00:06:27 USB emulation: enabled
1970/01/01 00:06:27 hci packet injection: /dev/vhci does not exist
1970/01/01 00:06:27 wifi device emulation: /sys/class/mac80211_hwsim/ does not exist
1970/01/01 00:06:27 802.15.4 emulation: /sys/bus/platform/devices/mac802154_hwsim does not exist
1970/01/01 00:06:27 fetching corpus: 0, signal 0/2000 (executing program)
1970/01/01 00:06:35 fetching corpus: 50, signal 33423/36127 (executing program)
1970/01/01 00:06:38 fetching corpus: 98, signal 45941/49200 (executing program)
1970/01/01 00:06:44 fetching corpus: 147, signal 55035/58649 (executing program)
1970/01/01 00:06:48 fetching corpus: 194, signal 62813/66560 (executing program)
1970/01/01 00:06:51 fetching corpus: 243, signal 68918/72729 (executing program)
1970/01/01 00:06:54 fetching corpus: 291, signal 73291/77110 (executing program)
1970/01/01 00:06:56 fetching corpus: 341, signal 77239/80956 (executing program)
1970/01/01 00:07:00 fetching corpus: 388, signal 81035/84547 (executing program)
1970/01/01 00:07:03 fetching corpus: 436, signal 83948/87246 (executing program)
1970/01/01 00:07:07 fetching corpus: 485, signal 88621/91231 (executing program)
1970/01/01 00:07:09 fetching corpus: 535, signal 91088/93324 (executing program)
1970/01/01 00:07:12 fetching corpus: 583, signal 93987/95624 (executing program)
1970/01/01 00:07:15 fetching corpus: 632, signal 96867/97813 (executing program)
1970/01/01 00:07:16 fetching corpus: 664, signal 97851/98567 (executing program)
1970/01/01 00:07:16 fetching corpus: 664, signal 97851/98625 (executing program)
1970/01/01 00:07:17 fetching corpus: 664, signal 97851/98682 (executing program)
1970/01/01 00:07:17 fetching corpus: 665, signal 97878/98752 (executing program)
1970/01/01 00:07:17 fetching corpus: 665, signal 97878/98807 (executing program)
1970/01/01 00:07:17 fetching corpus: 665, signal 97878/98859 (executing program)
1970/01/01 00:07:17 fetching corpus: 665, signal 97878/98908 (executing program)
1970/01/01 00:07:18 fetching corpus: 665, signal 97878/98957 (executing program)
1970/01/01 00:07:18 fetching corpus: 665, signal 97920/99052 (executing program)
1970/01/01 00:07:18 fetching corpus: 665, signal 97920/99099 (executing program)
1970/01/01 00:07:18 fetching corpus: 665, signal 97920/99145 (executing program)
1970/01/01 00:07:18 fetching corpus: 665, signal 97920/99192 (executing program)
1970/01/01 00:07:19 fetching corpus: 665, signal 97920/99239 (executing program)
1970/01/01 00:07:19 fetching corpus: 665, signal 97920/99299 (executing program)
1970/01/01 00:07:19 fetching corpus: 665, signal 97920/99353 (executing program)
1970/01/01 00:07:19 fetching corpus: 665, signal 97920/99412 (executing program)
1970/01/01 00:07:19 fetching corpus: 665, signal 97920/99461 (executing program)
1970/01/01 00:07:19 fetching corpus: 665, signal 97920/99495 (executing program)
1970/01/01 00:07:19 fetching corpus: 665, signal 97920/99542 (executing program)
1970/01/01 00:07:20 fetching corpus: 665, signal 97920/99595 (executing program)
1970/01/01 00:07:20 fetching corpus: 665, signal 97920/99640 (executing program)
1970/01/01 00:07:20 fetching corpus: 665, signal 97920/99675 (executing program)
1970/01/01 00:07:20 fetching corpus: 665, signal 97920/99726 (executing program)
1970/01/01 00:07:20 fetching corpus: 665, signal 97920/99771 (executing program)
1970/01/01 00:07:21 fetching corpus: 665, signal 97920/99830 (executing program)
1970/01/01 00:07:21 fetching corpus: 666, signal 97954/99887 (executing program)
1970/01/01 00:07:21 fetching corpus: 666, signal 97954/99925 (executing program)
1970/01/01 00:07:21 fetching corpus: 666, signal 97954/99971 (executing program)
1970/01/01 00:07:21 fetching corpus: 666, signal 97954/100018 (executing program)
1970/01/01 00:07:22 fetching corpus: 666, signal 97958/100069 (executing program)
1970/01/01 00:07:22 fetching corpus: 666, signal 97958/100114 (executing program)
1970/01/01 00:07:22 fetching corpus: 666, signal 97958/100156 (executing program)
1970/01/01 00:07:22 fetching corpus: 666, signal 97958/100213 (executing program)
1970/01/01 00:07:22 fetching corpus: 666, signal 97958/100272 (executing program)
1970/01/01 00:07:22 fetching corpus: 666, signal 97958/100332 (executing program)
1970/01/01 00:07:22 fetching corpus: 666, signal 97958/100383 (executing program)
1970/01/01 00:07:22 fetching corpus: 666, signal 97958/100387 (executing program)
1970/01/01 00:07:22 fetching corpus: 666, signal 97958/100387 (executing program)
1970/01/01 00:09:31 starting 2 fuzzer processes
00:09:31 executing program 0:
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff})
recvmsg$unix(r1, &(0x7f0000002400)={0x0, 0x0, 0x0}, 0x2)
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff})
sendmsg$unix(r0, &(0x7f0000000200)={0x0, 0x0, 0x0, 0x0, &(0x7f00000001c0)=[@rights={{0x14, 0x1, 0x1, [r2]}}], 0x18}, 0x0)
00:09:31 executing program 1:
setuid(0xee00)
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$l2tp(&(0x7f0000000040), 0xffffffffffffffff)
sendmsg$L2TP_CMD_SESSION_CREATE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000080)={0x14, r1, 0x1, 0x0, 0x0, {0x6}}, 0x14}}, 0x0)
[ 606.628352][ T2047] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 607.430228][ T2047] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 607.548362][ T2048] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 608.250447][ T2048] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 623.581346][ T2048] device hsr_slave_0 entered promiscuous mode
[ 623.642354][ T2048] device hsr_slave_1 entered promiscuous mode
[ 625.772159][ T2047] device hsr_slave_0 entered promiscuous mode
[ 625.832786][ T2047] device hsr_slave_1 entered promiscuous mode
[ 625.878348][ T2047] debugfs: Directory 'hsr0' with parent 'hsr' already present!
[ 625.883018][ T2047] Cannot create hsr debugfs directory
[ 634.137646][ T2048] netdevsim netdevsim1 netdevsim0: renamed from eth0
[ 634.320348][ T2048] netdevsim netdevsim1 netdevsim1: renamed from eth1
[ 634.441022][ T2048] netdevsim netdevsim1 netdevsim2: renamed from eth2
[ 634.702432][ T2048] netdevsim netdevsim1 netdevsim3: renamed from eth3
[ 635.779181][ T2047] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 636.090485][ T2047] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 636.290695][ T2047] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 636.430559][ T2047] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 644.888049][ C0] ==================================================================
[ 644.892466][ C0] BUG: KASAN: use-after-free in walk_stackframe+0x11c/0x260
[ 644.895117][ C0] Read of size 8 at addr ffffaf80100c3b90 by task syz-executor.1/2048
[ 644.898221][ C0]
[ 644.900045][ C0] CPU: 0 PID: 2048 Comm: syz-executor.1 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 644.902181][ C0] Hardware name: riscv-virtio,qemu (DT)
[ 644.903689][ C0] Call Trace:
[ 644.905350][ C0] [] dump_backtrace+0x2e/0x3c
[ 644.906874][ C0] [] show_stack+0x34/0x40
[ 644.908308][ C0] [] dump_stack_lvl+0xe4/0x150
[ 644.909814][ C0] [] print_address_description.constprop.0+0x2a/0x330
[ 644.911607][ C0] [] kasan_report+0x184/0x1e0
[ 644.913159][ C0] [] __asan_load8+0x6e/0x96
[ 644.915223][ C0] [] walk_stackframe+0x11c/0x260
[ 644.916737][ C0] [] arch_stack_walk+0x2c/0x3c
[ 644.918269][ C0] [] stack_trace_save+0xa6/0xd8
[ 644.919813][ C0] [] save_stack+0x112/0x16c
[ 644.921331][ C0] [] __set_page_owner+0x48/0x136
[ 644.922926][ C0] [] post_alloc_hook+0xd0/0x10a
[ 644.926287][ C0] [] get_page_from_freelist+0x8da/0x12d8
[ 644.928362][ C0]
[ 644.929327][ C0] The buggy address belongs to the page:
[ 644.930976][ C0] page:ffffaf807aacc6d8 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x902c3
[ 644.932921][ C0] flags: 0x9000000000(section=18|node=0|zone=0)
[ 644.937113][ C0] raw: 0000009000000000 ffffaf807aa74f60 ffffaf807a99da10 0000000000000000
[ 644.940617][ C0] raw: 0000000000000000 00000000000f0000 00000000ffffffff 0000000000000000
[ 644.942083][ C0] raw: 00000000000007ff
[ 644.943117][ C0] page dumped because: kasan: bad access detected
[ 644.946172][ C0] page_owner tracks the page as freed
[ 644.947274][ C0] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 2200, ts 595256362300, free_ts 641318955900
[ 644.950028][ C0] __set_page_owner+0x48/0x136
[ 644.951414][ C0] post_alloc_hook+0xd0/0x10a
[ 644.952736][ C0] get_page_from_freelist+0x8da/0x12d8
[ 644.954492][ C0] __alloc_pages+0x150/0x3b6
[ 644.956348][ C0] alloc_pages+0x132/0x2a6
[ 644.957673][ C0] alloc_slab_page.constprop.0+0xc2/0xfa
[ 644.959078][ C0] new_slab+0x76/0x2cc
[ 644.960334][ C0] ___slab_alloc+0x56e/0x918
[ 644.961636][ C0] __slab_alloc.constprop.0+0x50/0x8c
[ 644.963064][ C0] kmem_cache_alloc+0x39c/0x3de
[ 644.964402][ C0] vm_area_alloc+0x2e/0xaa
[ 644.965814][ C0] mmap_region+0x62e/0xa88
[ 644.966754][ C0] do_mmap+0x784/0x8d2
[ 644.967713][ C0] vm_mmap_pgoff+0x1a2/0x24e
[ 644.968667][ C0] ksys_mmap_pgoff+0x78/0x2ea
[ 644.969630][ C0] sys_mmap+0x9e/0xc4
[ 644.970602][ C0] page last free stack trace:
[ 644.971451][ C0] __reset_page_owner+0x4a/0xea
[ 644.972326][ C0] free_pcp_prepare+0x29c/0x45e
[ 644.973160][ C0] free_unref_page+0x6a/0x31e
[ 644.974973][ C0] __free_pages+0xe2/0x112
[ 644.975820][ C0] __free_slab+0x122/0x27c
[ 644.976654][ C0] discard_slab+0x4c/0x7a
[ 644.977548][ C0] __unfreeze_partials+0x16a/0x18e
[ 644.978419][ C0] put_cpu_partial+0xf6/0x162
[ 644.979273][ C0] __slab_free+0x166/0x29c
[ 644.980148][ C0] ___cache_free+0x17c/0x354
[ 644.981863][ C0] qlist_free_all+0x7c/0x132
[ 644.982714][ C0] kasan_quarantine_reduce+0x14c/0x1c8
[ 644.984291][ C0] __kasan_slab_alloc+0x5c/0x98
[ 644.985556][ C0] kmem_cache_alloc+0x338/0x3de
[ 644.986596][ C0] vm_area_dup+0xa4/0x224
[ 644.987542][ C0] __split_vma+0x7c/0x2fa
[ 644.988599][ C0]
[ 644.989281][ C0] Memory state around the buggy address:
[ 644.990464][ C0]  ffffaf80100c3a80: ff ff ff ff 00 00 00 00 00 00 00 00 ff ff ff ff
[ 644.991651][ C0]  ffffaf80100c3b00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 644.992749][ C0] >ffffaf80100c3b80: ff ff ff ff ff ff ff ff ff ff ff ff f1 f1 f1 f1
[ 644.994362][ C0]                          ^
[ 644.995486][ C0]  ffffaf80100c3c00: 00 00 00 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
[ 644.996696][ C0]  ffffaf80100c3c80: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
[ 644.997822][ C0] ==================================================================
[ 644.998875][ C0] Disabling lock debugging due to kernel taint
[ 645.013126][ T2048] Kernel panic - not syncing: corrupted stack end detected inside scheduler
[ 645.014522][ T2048] CPU: 0 PID: 2048 Comm: syz-executor.1 Tainted: G    B 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 645.015495][ T2048] Hardware name: riscv-virtio,qemu (DT)
[ 645.016017][ T2048] Call Trace:
[ 645.016434][ T2048] [] dump_backtrace+0x2e/0x3c
[ 645.017299][ T2048] [] show_stack+0x34/0x40
[ 645.018046][ T2048] [] dump_stack_lvl+0xe4/0x150
[ 645.018869][ T2048] [] dump_stack+0x1c/0x24
[ 645.019667][ T2048] [] panic+0x24a/0x634
[ 645.020349][ T2048] [] schedule+0x0/0x14c
[ 645.021414][ T2048] [] preempt_schedule_common+0x4e/0xde
[ 645.022646][ T2048] [] preempt_schedule+0x34/0x36
[ 645.024335][ T2048] [] _raw_spin_unlock_irqrestore+0x8c/0x98
[ 645.025750][ T2048] [] pcpu_alloc+0x7ca/0x1278
[ 645.026990][ T2048] [] __alloc_percpu_gfp+0x28/0x36
[ 645.028160][ T2048] [] fib_nh_common_init+0xa8/0x22e
[ 645.029002][ T2048] [] fib_nh_init+0x6e/0x1fc
[ 645.030032][ T2048] [] fib_create_info+0x1dc4/0x2d8e
[ 645.030973][ T2048] [] fib_table_insert+0x1a0/0xebe
[ 645.032173][ T2048] [] fib_magic+0x3f4/0x438
[ 645.033309][ T2048] [] fib_add_ifaddr+0xd2/0x2e2
[ 645.034444][ T2048] [] fib_netdev_event+0x362/0x4b0
[ 645.035515][ T2048] [] notifier_call_chain+0xb8/0x188
[ 645.036651][ T2048] [] raw_notifier_call_chain+0x2a/0x38
[ 645.037823][ T2048] [] call_netdevice_notifiers_info+0x9e/0x10c
[ 645.039049][ T2048] [] __dev_notify_flags+0x108/0x1fa
[ 645.040252][ T2048] [] dev_change_flags+0x9c/0xba
[ 645.041365][ T2048] [] do_setlink+0x5d6/0x21c4
[ 645.042191][ T2048] [] __rtnl_newlink+0x99e/0xfa0
[ 645.043004][ T2048] [] rtnl_newlink+0x60/0x8c
[ 645.044087][ T2048] [] rtnetlink_rcv_msg+0x338/0x9a0
[ 645.044978][ T2048] [] netlink_rcv_skb+0xf8/0x2be
[ 645.045809][ T2048] [] rtnetlink_rcv+0x26/0x30
[ 645.046561][ T2048] [] netlink_unicast+0x40e/0x5fe
[ 645.047391][ T2048] [] netlink_sendmsg+0x4e0/0x994
[ 645.048170][ T2048] [] sock_sendmsg+0xa0/0xc4
[ 645.049011][ T2048] [] __sys_sendto+0x1f2/0x2e0
[ 645.049844][ T2048] [] sys_sendto+0x3e/0x52
[ 645.050711][ T2048] [] ret_from_syscall+0x0/0x2
[ 645.052188][ T2048] SMP: stopping secondary CPUs
[ 645.054728][ T2048] Rebooting in 86400 seconds..
VM DIAGNOSIS: 08:26:14 Registers: