syzkaller login: [ 285.583300][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 295.331464][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 295.441153][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 336.117845][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
Warning: Permanently added '[localhost]:22125' (ECDSA) to the list of known hosts.
1970/01/01 00:06:09 fuzzer started
1970/01/01 00:06:23 dialing manager at localhost:44947
[ 389.732194][ T2044] cgroup: Unknown subsys name 'net'
[ 390.820285][ T2044] cgroup: Unknown subsys name 'rlimit'
1970/01/01 00:06:30 syscalls: 2827
1970/01/01 00:06:30 code coverage: enabled
1970/01/01 00:06:30 comparison tracing: enabled
1970/01/01 00:06:30 extra coverage: enabled
1970/01/01 00:06:30 delay kcov mmap: mmap returned an invalid pointer
1970/01/01 00:06:30 setuid sandbox: enabled
1970/01/01 00:06:30 namespace sandbox: enabled
1970/01/01 00:06:30 Android sandbox: /sys/fs/selinux/policy does not exist
1970/01/01 00:06:30 fault injection: enabled
1970/01/01 00:06:30 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
1970/01/01 00:06:30 net packet injection: enabled
1970/01/01 00:06:30 net device setup: enabled
1970/01/01 00:06:30 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
1970/01/01 00:06:30 devlink PCI setup: PCI device 0000:00:10.0 is not available
1970/01/01 00:06:30 USB emulation: enabled
1970/01/01 00:06:30 hci packet injection: /dev/vhci does not exist
1970/01/01 00:06:30 wifi device emulation: /sys/class/mac80211_hwsim/ does not exist
1970/01/01 00:06:30 802.15.4 emulation: /sys/bus/platform/devices/mac802154_hwsim does not exist
1970/01/01 00:06:30 fetching corpus: 0, signal 0/2000 (executing program)
1970/01/01 00:06:37 fetching corpus: 50, signal 36097/39440 (executing program)
1970/01/01 00:06:40 fetching corpus: 100, signal 46806/51488 (executing program)
1970/01/01 00:06:45 fetching corpus: 150, signal 59363/65142 (executing program)
1970/01/01 00:06:47 fetching corpus: 199, signal 69583/76326 (executing program)
1970/01/01 00:06:50 fetching corpus: 248, signal 81922/89286 (executing program)
1970/01/01 00:06:55 fetching corpus: 297, signal 88493/96710 (executing program)
1970/01/01 00:06:59 fetching corpus: 347, signal 94768/103665 (executing program)
1970/01/01 00:07:03 fetching corpus: 397, signal 99983/109560 (executing program)
1970/01/01 00:07:07 fetching corpus: 446, signal 106581/116621 (executing program)
1970/01/01 00:07:11 fetching corpus: 496, signal 109271/119976 (executing program)
1970/01/01 00:07:15 fetching corpus: 545, signal 112078/123452 (executing program)
1970/01/01 00:07:18 fetching corpus: 595, signal 115764/127644 (executing program)
1970/01/01 00:07:21 fetching corpus: 645, signal 122046/133955 (executing program)
1970/01/01 00:07:24 fetching corpus: 695, signal 123491/136080 (executing program)
1970/01/01 00:07:28 fetching corpus: 745, signal 127383/140224 (executing program)
1970/01/01 00:07:31 fetching corpus: 795, signal 128948/142378 (executing program)
1970/01/01 00:07:34 fetching corpus: 845, signal 131311/145177 (executing program)
1970/01/01 00:07:37 fetching corpus: 895, signal 133094/147482 (executing program)
1970/01/01 00:07:40 fetching corpus: 945, signal 135450/150176 (executing program)
1970/01/01 00:07:44 fetching corpus: 994, signal 137874/152806 (executing program)
1970/01/01 00:07:47 fetching corpus: 1044, signal 141777/156581 (executing program)
1970/01/01 00:07:49 fetching corpus: 1094, signal 143179/158329 (executing program)
1970/01/01 00:07:53 fetching corpus: 1144, signal 144978/160406 (executing program)
1970/01/01 00:07:56 fetching corpus: 1194, signal 148382/163701 (executing program)
1970/01/01 00:08:00 fetching corpus: 1244, signal 151810/166959 (executing program)
1970/01/01 00:08:04 fetching corpus: 1294, signal 156287/170865 (executing program)
1970/01/01 00:08:08 fetching corpus: 1344, signal 158388/172983 (executing program)
1970/01/01 00:08:11 fetching corpus: 1394, signal 162055/176207 (executing program)
1970/01/01 00:08:13 fetching corpus: 1444, signal 163299/177520 (executing program)
1970/01/01 00:08:16 fetching corpus: 1494, signal 165486/179546 (executing program)
1970/01/01 00:08:19 fetching corpus: 1544, signal 166949/181019 (executing program)
1970/01/01 00:08:22 fetching corpus: 1594, signal 169043/182891 (executing program)
1970/01/01 00:08:25 fetching corpus: 1644, signal 170292/184142 (executing program)
1970/01/01 00:08:28 fetching corpus: 1694, signal 171898/185639 (executing program)
1970/01/01 00:08:32 fetching corpus: 1744, signal 173423/187090 (executing program)
1970/01/01 00:08:35 fetching corpus: 1794, signal 175505/188858 (executing program)
1970/01/01 00:08:38 fetching corpus: 1843, signal 177642/190601 (executing program)
1970/01/01 00:08:41 fetching corpus: 1893, signal 178577/191521 (executing program)
1970/01/01 00:08:45 fetching corpus: 1943, signal 180339/192968 (executing program)
1970/01/01 00:08:48 fetching corpus: 1993, signal 181591/194068 (executing program)
1970/01/01 00:08:50 fetching corpus: 2043, signal 184955/196419 (executing program)
1970/01/01 00:08:52 fetching corpus: 2093, signal 186077/197394 (executing program)
1970/01/01 00:08:56 fetching corpus: 2143, signal 186889/198091 (executing program)
1970/01/01 00:08:59 fetching corpus: 2193, signal 187813/198852 (executing program)
1970/01/01 00:09:02 fetching corpus: 2243, signal 189452/200032 (executing program)
1970/01/01 00:09:06 fetching corpus: 2292, signal 190156/200621 (executing program)
1970/01/01 00:09:08 fetching corpus: 2342, signal 192554/202162 (executing program)
1970/01/01 00:09:11 fetching corpus: 2392, signal 193389/202795 (executing program)
1970/01/01 00:09:13 fetching corpus: 2442, signal 194454/203573 (executing program)
1970/01/01 00:09:17 fetching corpus: 2492, signal 198093/205609 (executing program)
1970/01/01 00:09:21 fetching corpus: 2542, signal 198963/206203 (executing program)
1970/01/01 00:09:24 fetching corpus: 2592, signal 200405/207087 (executing program)
1970/01/01 00:09:27 fetching corpus: 2642, signal 201293/207683 (executing program)
1970/01/01 00:09:30 fetching corpus: 2690, signal 202107/208216 (executing program)
1970/01/01 00:09:33 fetching corpus: 2740, signal 203049/208767 (executing program)
1970/01/01 00:09:36 fetching corpus: 2790, signal 204180/209386 (executing program)
1970/01/01 00:09:39 fetching corpus: 2840, signal 205756/210194 (executing program)
1970/01/01 00:09:41 fetching corpus: 2890, signal 206529/210619 (executing program)
1970/01/01 00:09:44 fetching corpus: 2940, signal 207769/211221 (executing program)
1970/01/01 00:09:48 fetching corpus: 2990, signal 208736/211673 (executing program)
1970/01/01 00:09:50 fetching corpus: 3040, signal 209509/212030 (executing program)
1970/01/01 00:09:53 fetching corpus: 3085, signal 211248/212804 (executing program)
1970/01/01 00:09:53 fetching corpus: 3085, signal 211248/212823 (executing program)
1970/01/01 00:09:53 fetching corpus: 3085, signal 211248/212844 (executing program)
1970/01/01 00:09:53 fetching corpus: 3085, signal 211248/212871 (executing program)
1970/01/01 00:09:54 fetching corpus: 3085, signal 211250/212892 (executing program)
1970/01/01 00:09:54 fetching corpus: 3085, signal 211250/212914 (executing program)
1970/01/01 00:09:54 fetching corpus: 3085, signal 211250/212939 (executing program)
1970/01/01 00:09:55 fetching corpus: 3085, signal 211250/212962 (executing program)
1970/01/01 00:09:55 fetching corpus: 3085, signal 211250/212976 (executing program)
1970/01/01 00:09:55 fetching corpus: 3085, signal 211250/212998 (executing program)
1970/01/01 00:09:56 fetching corpus: 3085, signal 211250/213025 (executing program)
1970/01/01 00:09:56 fetching corpus: 3085, signal 211250/213048 (executing program)
1970/01/01 00:09:56 fetching corpus: 3085, signal 211250/213066 (executing program)
1970/01/01 00:09:57 fetching corpus: 3085, signal 211250/213090 (executing program)
1970/01/01 00:09:57 fetching corpus: 3085, signal 211250/213114 (executing program)
1970/01/01 00:09:57 fetching corpus: 3085, signal 211250/213138 (executing program)
1970/01/01 00:09:58 fetching corpus: 3085, signal 211250/213158 (executing program)
1970/01/01 00:09:58 fetching corpus: 3085, signal 211250/213184 (executing program)
1970/01/01 00:09:58 fetching corpus: 3085, signal 211250/213210 (executing program)
1970/01/01 00:09:59 fetching corpus: 3085, signal 211250/213231 (executing program)
1970/01/01 00:09:59 fetching corpus: 3085, signal 211250/213255 (executing program)
1970/01/01 00:09:59 fetching corpus: 3085, signal 211250/213273 (executing program)
1970/01/01 00:09:59 fetching corpus: 3085, signal 211250/213304 (executing program)
1970/01/01 00:10:00 fetching corpus: 3085, signal 211250/213329 (executing program)
1970/01/01 00:10:00 fetching corpus: 3085, signal 211250/213351 (executing program)
1970/01/01 00:10:00 fetching corpus: 3085, signal 211250/213366 (executing program)
1970/01/01 00:10:00 fetching corpus: 3085, signal 211250/213381 (executing program)
1970/01/01 00:10:01 fetching corpus: 3085, signal 211250/213406 (executing program)
1970/01/01 00:10:01 fetching corpus: 3085, signal 211250/213428 (executing program)
1970/01/01 00:10:01 fetching corpus: 3085, signal 211250/213458 (executing program)
1970/01/01 00:10:01 fetching corpus: 3085, signal 211250/213488 (executing program)
1970/01/01 00:10:02 fetching corpus: 3085, signal 211250/213510 (executing program)
1970/01/01 00:10:02 fetching corpus: 3085, signal 211250/213532 (executing program)
1970/01/01 00:10:02 fetching corpus: 3085, signal 211250/213554 (executing program)
1970/01/01 00:10:02 fetching corpus: 3085, signal 211250/213578 (executing program)
1970/01/01 00:10:02 fetching corpus: 3085, signal 211250/213598 (executing program)
1970/01/01 00:10:03 fetching corpus: 3085, signal 211250/213621 (executing program)
1970/01/01 00:10:03 fetching corpus: 3085, signal 211250/213637 (executing program)
1970/01/01 00:10:03 fetching corpus: 3085, signal 211250/213660 (executing program)
1970/01/01 00:10:03 fetching corpus: 3085, signal 211250/213686 (executing program)
1970/01/01 00:10:03 fetching corpus: 3085, signal 211250/213711 (executing program)
1970/01/01 00:10:04 fetching corpus: 3085, signal 211250/213737 (executing program)
1970/01/01 00:10:04 fetching corpus: 3085, signal 211250/213751 (executing program)
1970/01/01 00:10:04 fetching corpus: 3085, signal 211250/213772 (executing program)
1970/01/01 00:10:04 fetching corpus: 3085, signal 211250/213793 (executing program)
1970/01/01 00:10:04 fetching corpus: 3085, signal 211250/213793 (executing program)
1970/01/01 00:12:15 starting 2 fuzzer processes
00:12:15 executing program 0:
syz_io_uring_setup(0x5f02, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000ffb000/0x3000)=nil, &(0x7f0000ffd000/0x3000)=nil, 0x0, 0x0)
r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000040)='smaps\x00')
syz_io_uring_setup(0x3eaa, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000ffc000/0x3000)=nil, &(0x7f00000b0000)=nil, &(0x7f0000000100), 0x0)
readv(r0, &(0x7f0000001140)=[{&(0x7f0000000140)=""/4096, 0x1000}], 0x1)
readv(r0, &(0x7f0000003740)=[{&(0x7f00000012c0)=""/4096, 0x1000}], 0x1)

00:12:15 executing program 1:
r0 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000040), 0x280400, 0x0)
fcntl$setlease(r0, 0x400, 0x0)

[ 765.894759][ T2052] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 766.497534][ T2052] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 766.549800][ T2050] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 767.013853][ T2050] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 785.118322][ T2052] device hsr_slave_0 entered promiscuous mode
[ 785.161028][ T2052] device hsr_slave_1 entered promiscuous mode
[ 787.194453][ T2050] device hsr_slave_0 entered promiscuous mode
[ 787.222205][ T2050] device hsr_slave_1 entered promiscuous mode
[ 787.246355][ T2050] debugfs: Directory 'hsr0' with parent 'hsr' already present!
[ 787.257783][ T2050] Cannot create hsr debugfs directory
[ 800.093238][ T2052] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 800.383758][ T2052] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 800.846837][ T2052] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 801.405612][ T2052] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 803.137826][ T2050] netdevsim netdevsim1 netdevsim0: renamed from eth0
[ 803.335816][ T2050] netdevsim netdevsim1 netdevsim1: renamed from eth1
[ 803.565325][ T2050] netdevsim netdevsim1 netdevsim2: renamed from eth2
[ 804.092262][ T2050] netdevsim netdevsim1 netdevsim3: renamed from eth3
[ 824.416139][ T2052] 8021q: adding VLAN 0 to HW filter on device bond0
[ 825.557675][ T2045] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 825.731441][ T2045] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 826.238107][ T2050] 8021q: adding VLAN 0 to HW filter on device bond0
[ 827.236830][ T2104] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 827.282014][ T2104] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 835.737220][ T2467] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 835.854562][ T2467] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 836.922465][ T2104] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 837.015157][ T2104] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 837.083653][ T2104] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 837.164230][ T2104] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 837.687739][ T2467] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 837.736050][ T2467] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 837.854193][ T2045] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 837.897525][ T2045] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 838.094789][ T2657] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 838.167345][ T2657] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 838.427953][ T2045] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 838.496362][ T2045] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 838.656926][ T2052] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 838.958072][ T2045] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 839.548244][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 840.506244][ T2467] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 840.525997][ T2467] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 840.835690][ T20] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 840.892620][ T20] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 841.420194][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 841.488319][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 841.884551][ T2050] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 843.125802][ T2657] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 843.143477][ T2657] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 865.895139][ T2657] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 866.005811][ T2657] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 870.132311][ T20] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 870.175371][ T20] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 874.624112][ T20] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 874.677999][ T20] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 874.831796][ T2657] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 874.875891][ T2657] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 875.110924][ T2052] device veth0_vlan entered promiscuous mode
[ 875.551772][ T2052] device veth1_vlan entered promiscuous mode
[ 877.170221][ T20] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 877.245090][ T20] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 877.531983][ T2052] device veth0_macvtap entered promiscuous mode
[ 877.877681][ T2052] device veth1_macvtap entered promiscuous mode
[ 878.363859][ T2657] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 878.734235][ T2207] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 878.777580][ T2207] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 878.887380][ T2207] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 878.966928][ T2207] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 879.238185][ T2050] device veth0_vlan entered promiscuous mode
[ 879.668098][ T2693] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 879.716003][ T2693] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 880.077640][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 880.137120][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 880.236125][ T2050] device veth1_vlan entered promiscuous mode
[ 880.912237][ T2052] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 880.916092][ T2052] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 880.917825][ T2052] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 880.922313][ T2052] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 884.721196][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 884.777991][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 885.192271][ T2050] device veth0_macvtap entered promiscuous mode
[ 885.488211][ T2050] device veth1_macvtap entered promiscuous mode
[ 886.445277][ T2742] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 886.932344][ T82] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 886.981976][ T82] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 887.606082][ T2050] netdevsim netdevsim1 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 887.608142][ T2050] netdevsim netdevsim1 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 887.661888][ T2050] netdevsim netdevsim1 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 887.663631][ T2050] netdevsim netdevsim1 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 888.440459][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 888.511924][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
00:14:54 executing program 0:
syz_io_uring_setup(0x5f02, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000ffb000/0x3000)=nil, &(0x7f0000ffd000/0x3000)=nil, 0x0, 0x0)
r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000040)='smaps\x00')
syz_io_uring_setup(0x3eaa, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000ffc000/0x3000)=nil, &(0x7f00000b0000)=nil, &(0x7f0000000100), 0x0)
readv(r0, &(0x7f0000001140)=[{&(0x7f0000000140)=""/4096, 0x1000}], 0x1)
readv(r0, &(0x7f0000003740)=[{&(0x7f00000012c0)=""/4096, 0x1000}], 0x1)

00:14:56 executing program 1:
r0 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000040), 0x280400, 0x0)
fcntl$setlease(r0, 0x400, 0x0)

00:15:01 executing program 0:
syz_io_uring_setup(0x5f02, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000ffb000/0x3000)=nil, &(0x7f0000ffd000/0x3000)=nil, 0x0, 0x0)
r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000040)='smaps\x00')
syz_io_uring_setup(0x3eaa, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000ffc000/0x3000)=nil, &(0x7f00000b0000)=nil, &(0x7f0000000100), 0x0)
readv(r0, &(0x7f0000001140)=[{&(0x7f0000000140)=""/4096, 0x1000}], 0x1)
readv(r0, &(0x7f0000003740)=[{&(0x7f00000012c0)=""/4096, 0x1000}], 0x1)

00:15:02 executing program 1:
r0 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000040), 0x280400, 0x0)
fcntl$setlease(r0, 0x400, 0x0)

00:15:06 executing program 1:
r0 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000040), 0x280400, 0x0)
fcntl$setlease(r0, 0x400, 0x0)

00:15:06 executing program 0:
syz_io_uring_setup(0x5f02, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000ffb000/0x3000)=nil, &(0x7f0000ffd000/0x3000)=nil, 0x0, 0x0)
r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000040)='smaps\x00')
syz_io_uring_setup(0x3eaa, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000ffc000/0x3000)=nil, &(0x7f00000b0000)=nil, &(0x7f0000000100), 0x0)
readv(r0, &(0x7f0000001140)=[{&(0x7f0000000140)=""/4096, 0x1000}], 0x1)
readv(r0, &(0x7f0000003740)=[{&(0x7f00000012c0)=""/4096, 0x1000}], 0x1)

00:15:12 executing program 1:
r0 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000040), 0x280400, 0x0)
fcntl$setlease(r0, 0x400, 0x0)

00:15:19 executing program 0:
syz_io_uring_setup(0x5f02, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000ffb000/0x3000)=nil, &(0x7f0000ffd000/0x3000)=nil, 0x0, 0x0)
r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000040)='smaps\x00')
syz_io_uring_setup(0x3eaa, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000ffc000/0x3000)=nil, &(0x7f00000b0000)=nil, &(0x7f0000000100), 0x0)
readv(r0, &(0x7f0000001140)=[{&(0x7f0000000140)=""/4096, 0x1000}], 0x1)
readv(r0, &(0x7f0000003740)=[{&(0x7f00000012c0)=""/4096, 0x1000}], 0x1)

00:15:21 executing program 1:
r0 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000040), 0x280400, 0x0)
fcntl$setlease(r0, 0x400, 0x0)

00:15:26 executing program 0:
syz_io_uring_setup(0x5f02, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000ffb000/0x3000)=nil, &(0x7f0000ffd000/0x3000)=nil, 0x0, 0x0)
r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000040)='smaps\x00')
syz_io_uring_setup(0x3eaa, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000ffc000/0x3000)=nil, &(0x7f00000b0000)=nil, &(0x7f0000000100), 0x0)
readv(r0, &(0x7f0000001140)=[{&(0x7f0000000140)=""/4096, 0x1000}], 0x1)
readv(r0, &(0x7f0000003740)=[{&(0x7f00000012c0)=""/4096, 0x1000}], 0x1)

00:15:27 executing program 1:
r0 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000040), 0x280400, 0x0)
fcntl$setlease(r0, 0x400, 0x0)

00:15:30 executing program 0:
syz_io_uring_setup(0x5f02, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000ffb000/0x3000)=nil, &(0x7f0000ffd000/0x3000)=nil, 0x0, 0x0)
r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000040)='smaps\x00')
syz_io_uring_setup(0x3eaa, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000ffc000/0x3000)=nil, &(0x7f00000b0000)=nil, &(0x7f0000000100), 0x0)
readv(r0, &(0x7f0000001140)=[{&(0x7f0000000140)=""/4096, 0x1000}], 0x1)
readv(r0, &(0x7f0000003740)=[{&(0x7f00000012c0)=""/4096, 0x1000}], 0x1)

00:15:31 executing program 1:
syz_io_uring_setup(0x5f02, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000ffb000/0x3000)=nil, &(0x7f0000ffd000/0x3000)=nil, 0x0, 0x0)
r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000040)='smaps\x00')
syz_io_uring_setup(0x3eaa, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000ffc000/0x3000)=nil, &(0x7f00000b0000)=nil, &(0x7f0000000100), 0x0)
readv(r0, &(0x7f0000001140)=[{&(0x7f0000000140)=""/4096, 0x1000}], 0x1)
readv(r0, &(0x7f0000003740)=[{&(0x7f00000012c0)=""/4096, 0x1000}], 0x1)

00:15:34 executing program 1:
syz_io_uring_setup(0x5f02, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000ffb000/0x3000)=nil, &(0x7f0000ffd000/0x3000)=nil, 0x0, 0x0)
r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000040)='smaps\x00')
syz_io_uring_setup(0x3eaa, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000ffc000/0x3000)=nil, &(0x7f00000b0000)=nil, &(0x7f0000000100), 0x0)
readv(r0, &(0x7f0000001140)=[{&(0x7f0000000140)=""/4096, 0x1000}], 0x1)
readv(r0, &(0x7f0000003740)=[{&(0x7f00000012c0)=""/4096, 0x1000}], 0x1)

00:15:36 executing program 0:
syz_io_uring_setup(0x5f02, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000ffb000/0x3000)=nil, &(0x7f0000ffd000/0x3000)=nil, 0x0, 0x0)
r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000040)='smaps\x00')
syz_io_uring_setup(0x3eaa, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000ffc000/0x3000)=nil, &(0x7f00000b0000)=nil, &(0x7f0000000100), 0x0)
readv(r0, &(0x7f0000001140)=[{&(0x7f0000000140)=""/4096, 0x1000}], 0x1)
readv(r0, &(0x7f0000003740)=[{&(0x7f00000012c0)=""/4096, 0x1000}], 0x1)

00:15:39 executing program 0:
syz_io_uring_setup(0x5f02, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000ffb000/0x3000)=nil, &(0x7f0000ffd000/0x3000)=nil, 0x0, 0x0)
r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000040)='smaps\x00')
syz_io_uring_setup(0x3eaa, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000ffc000/0x3000)=nil, &(0x7f00000b0000)=nil, &(0x7f0000000100), 0x0)
readv(r0, &(0x7f0000001140)=[{&(0x7f0000000140)=""/4096, 0x1000}], 0x1)
readv(r0, &(0x7f0000003740)=[{&(0x7f00000012c0)=""/4096, 0x1000}], 0x1)

00:15:40 executing program 1:
syz_io_uring_setup(0x5f02, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000ffb000/0x3000)=nil, &(0x7f0000ffd000/0x3000)=nil, 0x0, 0x0)
r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000040)='smaps\x00')
syz_io_uring_setup(0x3eaa, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000ffc000/0x3000)=nil, &(0x7f00000b0000)=nil, &(0x7f0000000100), 0x0)
readv(r0, &(0x7f0000001140)=[{&(0x7f0000000140)=""/4096, 0x1000}], 0x1)
readv(r0, &(0x7f0000003740)=[{&(0x7f00000012c0)=""/4096, 0x1000}], 0x1)

00:15:43 executing program 0:
syz_io_uring_setup(0x5f02, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000ffb000/0x3000)=nil, &(0x7f0000ffd000/0x3000)=nil, 0x0, 0x0)
r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000040)='smaps\x00')
syz_io_uring_setup(0x3eaa, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000ffc000/0x3000)=nil, &(0x7f00000b0000)=nil, &(0x7f0000000100), 0x0)
readv(r0, &(0x7f0000001140)=[{&(0x7f0000000140)=""/4096, 0x1000}], 0x1)
readv(r0, &(0x7f0000003740)=[{&(0x7f00000012c0)=""/4096, 0x1000}], 0x1)

00:15:47 executing program 1:
syz_io_uring_setup(0x5f02, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000ffb000/0x3000)=nil, &(0x7f0000ffd000/0x3000)=nil, 0x0, 0x0)
r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000040)='smaps\x00')
syz_io_uring_setup(0x3eaa, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000ffc000/0x3000)=nil, &(0x7f00000b0000)=nil, &(0x7f0000000100), 0x0)
readv(r0, &(0x7f0000001140)=[{&(0x7f0000000140)=""/4096, 0x1000}], 0x1)
readv(r0, &(0x7f0000003740)=[{&(0x7f00000012c0)=""/4096, 0x1000}], 0x1)

00:15:52 executing program 0:
r0 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFULNL_MSG_CONFIG(r0, &(0x7f00000006c0)={0x0, 0x0, &(0x7f0000000680)={&(0x7f0000000600)=ANY=[@ANYBLOB="240000000104010400000000000000000000860008000440000000000500010001"], 0x24}}, 0x0)
r1 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFULNL_MSG_CONFIG(r1, &(0x7f00000006c0)={0x0, 0x0, &(0x7f0000000680)={&(0x7f0000000600)={0x1c, 0x1, 0x4, 0x401, 0x0, 0x0, {}, [@NFULA_CFG_CMD={0x5, 0x1, 0x1}]}, 0x1c}}, 0x0)

00:15:52 executing program 1:
syz_io_uring_setup(0x5f02, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000ffb000/0x3000)=nil, &(0x7f0000ffd000/0x3000)=nil, 0x0, 0x0)
r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000040)='smaps\x00')
syz_io_uring_setup(0x3eaa, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000ffc000/0x3000)=nil, &(0x7f00000b0000)=nil, &(0x7f0000000100), 0x0)
readv(r0, &(0x7f0000001140)=[{&(0x7f0000000140)=""/4096, 0x1000}], 0x1)
readv(r0, &(0x7f0000003740)=[{&(0x7f00000012c0)=""/4096, 0x1000}], 0x1)

00:15:56 executing program 0:
r0 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFULNL_MSG_CONFIG(r0, &(0x7f00000006c0)={0x0, 0x0, &(0x7f0000000680)={&(0x7f0000000600)=ANY=[@ANYBLOB="240000000104010400000000000000000000860008000440000000000500010001"], 0x24}}, 0x0)
r1 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFULNL_MSG_CONFIG(r1, &(0x7f00000006c0)={0x0, 0x0, &(0x7f0000000680)={&(0x7f0000000600)={0x1c, 0x1, 0x4, 0x401, 0x0, 0x0, {}, [@NFULA_CFG_CMD={0x5, 0x1, 0x1}]}, 0x1c}}, 0x0)

00:15:57 executing program 1:
syz_io_uring_setup(0x5f02, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000ffb000/0x3000)=nil, &(0x7f0000ffd000/0x3000)=nil, 0x0, 0x0)
r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000040)='smaps\x00')
syz_io_uring_setup(0x3eaa, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000ffc000/0x3000)=nil, &(0x7f00000b0000)=nil, &(0x7f0000000100), 0x0)
readv(r0, &(0x7f0000001140)=[{&(0x7f0000000140)=""/4096, 0x1000}], 0x1)
readv(r0, &(0x7f0000003740)=[{&(0x7f00000012c0)=""/4096, 0x1000}], 0x1)

00:16:00 executing program 0:
r0 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFULNL_MSG_CONFIG(r0, &(0x7f00000006c0)={0x0, 0x0, &(0x7f0000000680)={&(0x7f0000000600)=ANY=[@ANYBLOB="240000000104010400000000000000000000860008000440000000000500010001"], 0x24}}, 0x0)
r1 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFULNL_MSG_CONFIG(r1, &(0x7f00000006c0)={0x0, 0x0, &(0x7f0000000680)={&(0x7f0000000600)={0x1c, 0x1, 0x4, 0x401, 0x0, 0x0, {}, [@NFULA_CFG_CMD={0x5, 0x1, 0x1}]}, 0x1c}}, 0x0)

00:16:05 executing program 0:
r0 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFULNL_MSG_CONFIG(r0, &(0x7f00000006c0)={0x0, 0x0, &(0x7f0000000680)={&(0x7f0000000600)=ANY=[@ANYBLOB="240000000104010400000000000000000000860008000440000000000500010001"], 0x24}}, 0x0)
r1 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFULNL_MSG_CONFIG(r1, &(0x7f00000006c0)={0x0, 0x0, &(0x7f0000000680)={&(0x7f0000000600)={0x1c, 0x1, 0x4, 0x401, 0x0, 0x0, {}, [@NFULA_CFG_CMD={0x5, 0x1, 0x1}]}, 0x1c}}, 0x0)

00:16:06 executing program 1:
syz_mount_image$ext4(0x0, 0x0, 0x0, 0x1, &(0x7f0000000200)=[{0x0, 0x0, 0x400}], 0x0, 0x0)

[ 968.995722][ T2799] loop1: detected capacity change from 0 to 4
00:16:08 executing program 1:
syz_mount_image$ext4(0x0, 0x0, 0x0, 0x1, &(0x7f0000000200)=[{0x0, 0x0, 0x400}], 0x0, 0x0)

00:16:11 executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r0, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000340)=@newlink={0x48, 0x10, 0x401, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x28, 0x12, 0x0, 0x1, @veth={{0x9}, {0x18, 0x2, 0x0, 0x1, @val=@VETH_INFO_PEER={0x14}}}}]}, 0x48}}, 0x0)

[ 973.422196][ T2807] loop1: detected capacity change from 0 to 4
00:16:13 executing program 1:
syz_mount_image$ext4(0x0, 0x0, 0x0, 0x1, &(0x7f0000000200)=[{0x0, 0x0, 0x400}], 0x0, 0x0)

[ 977.640787][ T2827] loop1: detected capacity change from 0 to 4
00:16:17 executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r0, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000340)=@newlink={0x48, 0x10, 0x401, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x28, 0x12, 0x0, 0x1, @veth={{0x9}, {0x18, 0x2, 0x0, 0x1, @val=@VETH_INFO_PEER={0x14}}}}]}, 0x48}}, 0x0)

00:16:18 executing program 1:
syz_mount_image$ext4(0x0, 0x0, 0x0, 0x1, &(0x7f0000000200)=[{0x0, 0x0, 0x400}], 0x0, 0x0)

[ 982.968088][ T2847] loop1: detected capacity change from 0 to 4
00:16:22 executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r0, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000340)=@newlink={0x48, 0x10, 0x401, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x28, 0x12, 0x0, 0x1, @veth={{0x9}, {0x18, 0x2, 0x0, 0x1, @val=@VETH_INFO_PEER={0x14}}}}]}, 0x48}}, 0x0)

[ 987.410066][ C0] ==================================================================
[ 987.414931][ C0] BUG: KASAN: slab-out-of-bounds in walk_stackframe+0x11c/0x260
[ 987.416649][ C0] Read of size 8 at addr ffffaf8022213e00 by task syz-executor.0/2853
[ 987.419706][ C0]
[ 987.421458][ C0] CPU: 0 PID: 2853 Comm: syz-executor.0 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 987.423319][ C0] Hardware name: riscv-virtio,qemu (DT)
[ 987.424698][ C0] Call Trace:
[ 987.425706][ C0] [] dump_backtrace+0x2e/0x3c
[ 987.427108][ C0] [] show_stack+0x34/0x40
[ 987.428500][ C0] [] dump_stack_lvl+0xe4/0x150
[ 987.429958][ C0] [] print_address_description.constprop.0+0x2a/0x330
[ 987.431572][ C0] [] kasan_report+0x184/0x1e0
[ 987.433012][ C0] [] __asan_load8+0x6e/0x96
[ 987.434380][ C0] [] walk_stackframe+0x11c/0x260
[ 987.435701][ C0] [] arch_stack_walk+0x2c/0x3c
[ 987.437058][ C0] [] stack_trace_save+0xa6/0xd8
[ 987.438556][ C0] [] kasan_save_stack+0x2c/0x58
[ 987.440236][ C0]
[ 987.441153][ C0] Allocated by task 66822:
[ 987.442124][ C0] (stack is not available)
[ 987.442969][ C0]
[ 987.443722][ C0] The buggy address belongs to the object at ffffaf8022213dc0
[ 987.443722][ C0] which belongs to the cache pid_2 of size 240
[ 987.445530][ C0] The buggy address is located 64 bytes inside of
[ 987.445530][ C0] 240-byte region [ffffaf8022213dc0, ffffaf8022213eb0)
[ 987.447285][ C0] The buggy address belongs to the page:
[ 987.448884][ C0] page:ffffaf807afe2558 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xa2413
[ 987.450475][ C0] memcg:ffffaf800f2d9d01
[ 987.451630][ C0] flags: 0xa000000200(slab|section=20|node=0|zone=0)
[ 987.454499][ C0] raw: 000000a000000200 0000000000000000 0000000000000122 ffffaf800f2ba280
[ 987.455985][ C0] raw: 0000000000000000 00000000800c000c 00000001ffffffff ffffaf800f2d9d01
[ 987.457229][ C0] raw: 00000000000007ff
[ 987.458163][ C0] page dumped because: kasan: bad access detected
[ 987.460042][ C0] page_owner tracks the page as allocated
[ 987.461095][ C0] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 2050, ts 981006386300, free_ts 979493876700
[ 987.463349][ C0] __set_page_owner+0x48/0x136
[ 987.464652][ C0] post_alloc_hook+0xd0/0x10a
[ 987.465850][ C0] get_page_from_freelist+0x8da/0x12d8
[ 987.467075][ C0] __alloc_pages+0x150/0x3b6
[ 987.468257][ C0] alloc_pages+0x132/0x2a6
[ 987.469731][ C0] alloc_slab_page.constprop.0+0xc2/0xfa
[ 987.470988][ C0] new_slab+0x76/0x2cc
[ 987.472063][ C0] ___slab_alloc+0x56e/0x918
[ 987.473241][ C0] __slab_alloc.constprop.0+0x50/0x8c
[ 987.474415][ C0] kmem_cache_alloc+0x39c/0x3de
[ 987.475600][ C0] alloc_pid+0xac/0x8aa
[ 987.476737][ C0] copy_process+0x26ae/0x3c34
[ 987.477932][ C0] kernel_clone+0xee/0x920
[ 987.479469][ C0] __do_sys_clone+0xf2/0x12e
[ 987.480678][ C0] sys_clone+0x32/0x44
[ 987.481815][ C0] ret_from_syscall+0x0/0x2
[ 987.483026][ C0] page last free stack trace:
[ 987.483905][ C0] __reset_page_owner+0x4a/0xea
[ 987.485093][ C0] free_pcp_prepare+0x29c/0x45e
[ 987.486234][ C0] free_unref_page_list+0x148/0x7fe
[ 987.487444][ C0] release_pages+0x3f0/0xad0
[ 987.488746][ C0] free_pages_and_swap_cache+0x74/0x86
[ 987.490760][ C0] tlb_finish_mmu+0xe8/0x29a
[ 987.491969][ C0] exit_mmap+0x170/0x412
[ 987.493122][ C0] mmput+0xee/0x2c2
[ 987.494218][ C0] do_exit+0x6f2/0x18fc
[ 987.495303][ C0] do_group_exit+0x90/0x17e
[ 987.496445][ C0] get_signal+0x3b8/0x1754
[ 987.497533][ C0] do_notify_resume+0x11a/0xa56
[ 987.499210][ C0] ret_from_exception+0x0/0x10
[ 987.501137][ C0]
[ 987.501934][ C0] Memory state around the buggy address:
[ 987.503297][ C0] ffffaf8022213d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 987.504690][ C0] ffffaf8022213d80: fc fc fc fc 00 00 00 00 00 00 00 00 00 00 00 00
[ 987.505938][ C0] >ffffaf8022213e00: fc fc fc fc f1 f1 f1 f1 00 00 00 f3 f3 f3 f3 f3
[ 987.507175][ C0]                    ^
[ 987.508244][ C0] ffffaf8022213e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 987.510199][ C0] ffffaf8022213f00: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 987.511608][ C0] ==================================================================
[ 987.512857][ C0] Disabling lock debugging due to kernel taint
[ 987.517073][ T2853] Kernel panic - not syncing: corrupted stack end detected inside scheduler
[ 987.518765][ T2853] CPU: 0 PID: 2853 Comm: syz-executor.0 Tainted: G B 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 987.520442][ T2853] Hardware name: riscv-virtio,qemu (DT)
[ 987.521254][ T2853] Call Trace:
[ 987.521952][ T2853] [] dump_backtrace+0x2e/0x3c
[ 987.523161][ T2853] [] show_stack+0x34/0x40
[ 987.524265][ T2853] [] dump_stack_lvl+0xe4/0x150
[ 987.525502][ T2853] [] dump_stack+0x1c/0x24
[ 987.526715][ T2853] [] panic+0x24a/0x634
[ 987.527831][ T2853] [] schedule+0x0/0x14c
[ 987.529710][ T2853] [] preempt_schedule_irq+0x4a/0x13e
[ 987.531339][ T2853] [] resume_kernel+0x16/0x18
[ 987.532828][ T2853] SMP: stopping secondary CPUs
[ 987.535297][ T2853] Rebooting in 86400 seconds..
VM DIAGNOSIS: 20:58:48 Registers: