syzkaller login: [  514.212681][ T1858] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[  514.304627][ T1858] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[  526.373730][ T1858] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
Warning: Permanently added '[localhost]:6214' (ECDSA) to the list of known hosts.
1970/01/01 00:09:31 fuzzer started
1970/01/01 00:09:46 dialing manager at localhost:39253
[  593.334983][ T2026] cgroup: Unknown subsys name 'net'
[  594.529316][ T2026] cgroup: Unknown subsys name 'rlimit'
1970/01/01 00:09:54 syscalls: 2827
1970/01/01 00:09:54 code coverage: enabled
1970/01/01 00:09:54 comparison tracing: ioctl(KCOV_DISABLE) failed: invalid argument
1970/01/01 00:09:54 extra coverage: ioctl(KCOV_REMOTE_ENABLE) failed: device or resource busy
1970/01/01 00:09:54 delay kcov mmap: mmap returned an invalid pointer
1970/01/01 00:09:54 setuid sandbox: enabled
1970/01/01 00:09:54 namespace sandbox: enabled
1970/01/01 00:09:54 Android sandbox: /sys/fs/selinux/policy does not exist
1970/01/01 00:09:54 fault injection: enabled
1970/01/01 00:09:54 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
1970/01/01 00:09:54 net packet injection: enabled
1970/01/01 00:09:54 net device setup: enabled
1970/01/01 00:09:54 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
1970/01/01 00:09:54 devlink PCI setup: PCI device 0000:00:10.0 is not available
1970/01/01 00:09:54 USB emulation: enabled
1970/01/01 00:09:54 hci packet injection: /dev/vhci does not exist
1970/01/01 00:09:54 wifi device emulation: /sys/class/mac80211_hwsim/ does not exist
1970/01/01 00:09:54 802.15.4 emulation: /sys/bus/platform/devices/mac802154_hwsim does not exist
1970/01/01 00:09:54 fetching corpus: 0, signal 0/2000 (executing program)
1970/01/01 00:10:01 fetching corpus: 50, signal 31759/35262 (executing program)
1970/01/01 00:10:04 fetching corpus: 100, signal 44042/49020 (executing program)
1970/01/01 00:10:10 fetching corpus: 150, signal 53262/59640 (executing program)
1970/01/01 00:10:14 fetching corpus: 200, signal 60121/67801 (executing program)
1970/01/01 00:10:17 fetching corpus: 250, signal 66614/75512 (executing program)
1970/01/01 00:10:21 fetching corpus: 300, signal 75875/85748 (executing program)
1970/01/01 00:10:25 fetching corpus: 350, signal 80336/91339 (executing program)
1970/01/01 00:10:29 fetching corpus: 400, signal 88573/100335 (executing program)
1970/01/01 00:10:32 fetching corpus: 450, signal 92450/105216 (executing program)
1970/01/01 00:10:37 fetching corpus: 500, signal 95418/109193 (executing program)
1970/01/01 00:10:39 fetching corpus: 549, signal 97831/112611 (executing program)
1970/01/01 00:10:45 fetching corpus: 598, signal 101414/117134 (executing program)
1970/01/01 00:10:48 fetching corpus: 648, signal 105089/121623 (executing program)
1970/01/01 00:10:55 fetching corpus: 697, signal 108117/125472 (executing program)
1970/01/01 00:10:59 fetching corpus: 747, signal 110142/128412 (executing program)
1970/01/01 00:11:03 fetching corpus: 797, signal 112602/131627 (executing program)
1970/01/01 00:11:05 fetching corpus: 847, signal 116008/135665 (executing program)
1970/01/01 00:11:08 fetching corpus: 897, signal 119496/139778 (executing program)
1970/01/01 00:11:11 fetching corpus: 947, signal 122877/143667 (executing program)
1970/01/01 00:11:14 fetching corpus: 996, signal 125307/146754 (executing program)
1970/01/01 00:11:16 fetching corpus: 1046, signal 128614/150536 (executing program)
1970/01/01 00:11:20 fetching corpus: 1096, signal 130406/153011 (executing program)
1970/01/01 00:11:22 fetching corpus: 1146, signal 132850/156010 (executing program)
1970/01/01 00:11:25 fetching corpus: 1196, signal 134133/158028 (executing program)
1970/01/01 00:11:28 fetching corpus: 1244, signal 135499/160050 (executing program)
1970/01/01 00:11:31 fetching corpus: 1294, signal 138296/163150 (executing program)
1970/01/01 00:11:33 fetching corpus: 1344, signal 139964/165354 (executing program)
1970/01/01 00:11:35 fetching corpus: 1394, signal 142147/167965 (executing program)
1970/01/01 00:11:39 fetching corpus: 1444, signal 144154/170380 (executing program)
1970/01/01 00:11:43 fetching corpus: 1493, signal 145400/172193 (executing program)
1970/01/01 00:11:46 fetching corpus: 1543, signal 146821/174077 (executing program)
1970/01/01 00:11:50 fetching corpus: 1592, signal 152384/179076 (executing program)
1970/01/01 00:11:53 fetching corpus: 1642, signal 153813/180937 (executing program)
1970/01/01 00:11:56 fetching corpus: 1692, signal 155030/182618 (executing program)
1970/01/01 00:11:59 fetching corpus: 1742, signal 156563/184552 (executing program)
1970/01/01 00:12:01 fetching corpus: 1792, signal 159538/187505 (executing program)
1970/01/01 00:12:04 fetching corpus: 1842, signal 160837/189193 (executing program)
1970/01/01 00:12:06 fetching corpus: 1891, signal 163376/191719 (executing program)
1970/01/01 00:12:09 fetching corpus: 1940, signal 164342/193111 (executing program)
1970/01/01 00:12:12 fetching corpus: 1990, signal 165293/194499 (executing program)
1970/01/01 00:12:16 fetching corpus: 2040, signal 167123/196443 (executing program)
1970/01/01 00:12:18 fetching corpus: 2090, signal 167915/197683 (executing program)
1970/01/01 00:12:21 fetching corpus: 2139, signal 171521/200721 (executing program)
1970/01/01 00:12:24 fetching corpus: 2188, signal 172889/202271 (executing program)
1970/01/01 00:12:27 fetching corpus: 2238, signal 174224/203805 (executing program)
1970/01/01 00:12:30 fetching corpus: 2287, signal 176983/206234 (executing program)
1970/01/01 00:12:33 fetching corpus: 2337, signal 179016/208147 (executing program)
1970/01/01 00:12:36 fetching corpus: 2387, signal 180371/209591 (executing program)
1970/01/01 00:12:40 fetching corpus: 2437, signal 182178/211243 (executing program)
1970/01/01 00:12:42 fetching corpus: 2487, signal 183174/212422 (executing program)
1970/01/01 00:12:48 fetching corpus: 2537, signal 184179/213598 (executing program)
1970/01/01 00:12:50 fetching corpus: 2585, signal 185104/214728 (executing program)
1970/01/01 00:12:53 fetching corpus: 2635, signal 186634/216163 (executing program)
1970/01/01 00:12:57 fetching corpus: 2685, signal 187803/217437 (executing program)
1970/01/01 00:13:00 fetching corpus: 2733, signal 188396/218348 (executing program)
1970/01/01 00:13:03 fetching corpus: 2783, signal 189521/219499 (executing program)
1970/01/01 00:13:05 fetching corpus: 2833, signal 191133/220920 (executing program)
1970/01/01 00:13:08 fetching corpus: 2883, signal 191932/221907 (executing program)
1970/01/01 00:13:10 fetching corpus: 2933, signal 192921/222943 (executing program)
1970/01/01 00:13:13 fetching corpus: 2983, signal 194882/224461 (executing program)
1970/01/01 00:13:16 fetching corpus: 3033, signal 195508/225255 (executing program)
1970/01/01 00:13:20 fetching corpus: 3083, signal 196826/226405 (executing program)
1970/01/01 00:13:23 fetching corpus: 3133, signal 198086/227490 (executing program)
1970/01/01 00:13:26 fetching corpus: 3183, signal 199129/228489 (executing program)
1970/01/01 00:13:29 fetching corpus: 3233, signal 199915/229358 (executing program)
1970/01/01 00:13:33 fetching corpus: 3283, signal 201021/230357 (executing program)
1970/01/01 00:13:36 fetching corpus: 3333, signal 202555/231528 (executing program)
1970/01/01 00:13:39 fetching corpus: 3383, signal 203315/232301 (executing program)
1970/01/01 00:13:43 fetching corpus: 3433, signal 204635/233320 (executing program)
1970/01/01 00:13:45 fetching corpus: 3481, signal 205373/234091 (executing program)
1970/01/01 00:13:48 fetching corpus: 3531, signal 206651/235080 (executing program)
1970/01/01 00:13:50 fetching corpus: 3581, signal 207168/235698 (executing program)
1970/01/01 00:13:53 fetching corpus: 3631, signal 207816/236302 (executing program)
1970/01/01 00:13:57 fetching corpus: 3681, signal 208638/237022 (executing program)
1970/01/01 00:14:00 fetching corpus: 3731, signal 209988/237964 (executing program)
1970/01/01 00:14:03 fetching corpus: 3781, signal 210751/238688 (executing program)
1970/01/01 00:14:07 fetching corpus: 3830, signal 211435/239309 (executing program)
1970/01/01 00:14:09 fetching corpus: 3880, signal 212576/240106 (executing program)
1970/01/01 00:14:14 fetching corpus: 3930, signal 213549/240834 (executing program)
1970/01/01 00:14:18 fetching corpus: 3979, signal 214057/241345 (executing program)
1970/01/01 00:14:21 fetching corpus: 4029, signal 214768/241948 (executing program)
1970/01/01 00:14:24 fetching corpus: 4078, signal 215546/242597 (executing program)
1970/01/01 00:14:26 fetching corpus: 4128, signal 216059/243097 (executing program)
1970/01/01 00:14:28 fetching corpus: 4178, signal 216647/243624 (executing program)
1970/01/01 00:14:31 fetching corpus: 4228, signal 217167/244076 (executing program)
1970/01/01 00:14:35 fetching corpus: 4278, signal 217704/244559 (executing program)
1970/01/01 00:14:38 fetching corpus: 4328, signal 218398/245119 (executing program)
1970/01/01 00:14:41 fetching corpus: 4378, signal 219457/245792 (executing program)
1970/01/01 00:14:45 fetching corpus: 4427, signal 220093/246266 (executing program)
1970/01/01 00:14:47 fetching corpus: 4477, signal 220635/246721 (executing program)
1970/01/01 00:14:50 fetching corpus: 4527, signal 221467/247284 (executing program)
1970/01/01 00:14:52 fetching corpus: 4577, signal 223193/248009 (executing program)
1970/01/01 00:14:55 fetching corpus: 4627, signal 223884/248464 (executing program)
1970/01/01 00:14:57 fetching corpus: 4677, signal 224552/248902 (executing program)
1970/01/01 00:15:00 fetching corpus: 4727, signal 225282/249336 (executing program)
1970/01/01 00:15:03 fetching corpus: 4776, signal 225981/249759 (executing program)
1970/01/01 00:15:07 fetching corpus: 4826, signal 226614/250145 (executing program)
1970/01/01 00:15:09 fetching corpus: 4876, signal 227117/250508 (executing program)
1970/01/01 00:15:11 fetching corpus: 4926, signal 227601/250828 (executing program)
1970/01/01 00:15:14 fetching corpus: 4976, signal 228682/251314 (executing program)
1970/01/01 00:15:17 fetching corpus: 5026, signal 229290/251662 (executing program)
1970/01/01 00:15:20 fetching corpus: 5075, signal 231156/252281 (executing program)
1970/01/01 00:15:23 fetching corpus: 5125, signal 231521/252540 (executing program)
1970/01/01 00:15:25 fetching corpus: 5175, signal 232195/252865 (executing program)
1970/01/01 00:15:28 fetching corpus: 5224, signal 232873/253204 (executing program)
1970/01/01 00:15:31 fetching corpus: 5274, signal 233575/253518 (executing program)
1970/01/01 00:15:35 fetching corpus: 5323, signal 234159/253818 (executing program)
1970/01/01 00:15:37 fetching corpus: 5373, signal 234576/254091 (executing program)
1970/01/01 00:15:39 fetching corpus: 5423, signal 235386/254409 (executing program)
1970/01/01 00:15:42 fetching corpus: 5473, signal 235931/254666 (executing program)
1970/01/01 00:15:46 fetching corpus: 5522, signal 236876/254947 (executing program)
1970/01/01 00:15:49 fetching corpus: 5572, signal 237526/255184 (executing program)
1970/01/01 00:15:52 fetching corpus: 5622, signal 238153/255412 (executing program)
1970/01/01 00:15:54 fetching corpus: 5672, signal 238814/255619 (executing program)
1970/01/01 00:15:56 fetching corpus: 5722, signal 239893/255866 (executing program)
1970/01/01 00:15:59 fetching corpus: 5772, signal 240579/256072 (executing program)
1970/01/01 00:16:01 fetching corpus: 5822, signal 241298/256260 (executing program)
1970/01/01 00:16:05 fetching corpus: 5872, signal 241790/256423 (executing program)
1970/01/01 00:16:08 fetching corpus: 5922, signal 242425/256610 (executing program)
1970/01/01 00:16:11 fetching corpus: 5972, signal 243252/256765 (executing program)
1970/01/01 00:16:14 fetching corpus: 6022, signal 244034/256920 (executing program)
1970/01/01 00:16:20 fetching corpus: 6072, signal 244544/257043 (executing program)
1970/01/01 00:16:24 fetching corpus: 6121, signal 244910/257162 (executing program)
1970/01/01 00:16:27 fetching corpus: 6171, signal 245899/257277 (executing program)
1970/01/01 00:16:29 fetching corpus: 6221, signal 247973/257430 (executing program)
1970/01/01 00:16:34 fetching corpus: 6271, signal 248615/257520 (executing program)
1970/01/01 00:16:36 fetching corpus: 6321, signal 249007/257592 (executing program)
1970/01/01 00:16:38 fetching corpus: 6371, signal 249687/257662 (executing program)
1970/01/01 00:16:41 fetching corpus: 6421, signal 250184/257662 (executing program)
1970/01/01 00:16:43 fetching corpus: 6469, signal 250878/257664 (executing program)
1970/01/01 00:16:46 fetching corpus: 6519, signal 251480/257664 (executing program)
1970/01/01 00:16:49 fetching corpus: 6569, signal 252019/257664 (executing program)
1970/01/01 00:16:51 fetching corpus: 6619, signal 252527/257664 (executing program)
1970/01/01 00:16:54 fetching corpus: 6669, signal 253199/257697 (executing program)
1970/01/01 00:16:56 fetching corpus: 6702, signal 253498/257697 (executing program)
1970/01/01 00:16:56 fetching corpus: 6702, signal 253507/257697 (executing program)
1970/01/01 00:16:57 fetching corpus: 6702, signal 253507/257697 (executing program)
1970/01/01 00:19:10 starting 2 fuzzer processes
00:19:10 executing program 0:
r0 = openat(0xffffffffffffff9c, &(0x7f0000000100)='./file1\x00', 0x42, 0x0)
close(r0)
close(0xffffffffffffffff)
socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp_SCTP_PR_SUPPORTED(r0, 0x84, 0x83, &(0x7f0000000240)={0x0, 0xfffffffc}, 0x8)
00:19:10 executing program 1:
r0 = syz_open_dev$sndpcmp(&(0x7f0000002100), 0x0, 0x0)
ioctl$SNDRV_PCM_IOCTL_STATUS64(r0, 0xc06c4124, &(0x7f0000000280))
[ 1186.848648][ T2045] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 1187.464823][ T2045] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 1187.567992][ T2047] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 1188.404528][ T2047] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 1201.875770][ T2045] device hsr_slave_0 entered promiscuous mode
[ 1201.919498][ T2045] device hsr_slave_1 entered promiscuous mode
[ 1203.957857][ T2047] device hsr_slave_0 entered promiscuous mode
[ 1203.998875][ T2047] device hsr_slave_1 entered promiscuous mode
[ 1204.042870][ T2047] debugfs: Directory 'hsr0' with parent 'hsr' already present!
[ 1204.047889][ T2047] Cannot create hsr debugfs directory
[ 1212.714363][ T2045] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 1212.914782][ T2045] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 1213.187599][ T2045] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 1213.934831][ T2045] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 1215.042324][ T2047] netdevsim netdevsim1 netdevsim0: renamed from eth0
[ 1215.475845][ T2047] netdevsim netdevsim1 netdevsim1: renamed from eth1
[ 1215.866377][ T2047] netdevsim netdevsim1 netdevsim2: renamed from eth2
[ 1216.012546][ T2047] netdevsim netdevsim1 netdevsim3: renamed from eth3
[ 1228.026525][ T2045] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1228.883684][ T2645] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 1229.048071][ T2645] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 1230.895648][ T2047] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1231.578663][  T829] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 1231.649622][  T829] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 1237.363773][ T2220] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 1237.458542][ T2220] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 1237.816347][  T829] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 1237.877955][  T829] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 1238.258887][ T2103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 1238.667554][ T2655] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 1239.366630][   T83] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 1239.476981][   T83] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 1240.192727][ T2045] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 1240.276109][ T2045] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 1240.513190][   T83] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 1240.629746][   T83] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 1241.264616][ T2655] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 1241.293885][ T2655] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 1242.594098][   T83] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 1242.665328][   T83] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 1242.725863][   T83] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 1242.763589][   T83] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 1242.767889][   T83] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 1242.816565][   T83] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 1243.448275][ T2103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 1243.512100][ T2103] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 1243.969269][ T2103] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 1244.026019][ T2103] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 1244.337467][ T2047] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 1245.669419][ T2645] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 1245.676577][ T2645] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 1275.928755][ T2645] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 1276.007849][ T2645] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 1281.556640][ T2103] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 1281.635262][ T2103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 1292.533040][ T2045] device veth0_vlan entered promiscuous mode
[ 1292.811232][ T2655] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 1292.906728][ T2655] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 1293.169814][   T83] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 1293.243347][   T83] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 1293.749231][ T2045] device veth1_vlan entered promiscuous mode
[ 1295.755824][  T829] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 1295.817732][  T829] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 1296.155477][ T2045] device veth0_macvtap entered promiscuous mode
[ 1296.321605][    C0] ==================================================================
[ 1296.325804][    C0] BUG: KASAN: use-after-free in walk_stackframe+0x11c/0x260
[ 1296.327419][    C0] Read of size 8 at addr ffffaf800e803f80 by task syz-executor.0/2045
[ 1296.329249][    C0] 
[ 1296.331479][    C0] CPU: 0 PID: 2045 Comm: syz-executor.0 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 1296.333063][    C0] Hardware name: riscv-virtio,qemu (DT)
[ 1296.334066][    C0] Call Trace:
[ 1296.334942][    C0] [] dump_backtrace+0x2e/0x3c
[ 1296.336200][    C0] [] show_stack+0x34/0x40
[ 1296.337306][    C0] [] dump_stack_lvl+0xe4/0x150
[ 1296.338420][    C0] [] print_address_description.constprop.0+0x2a/0x330
[ 1296.339855][    C0] [] kasan_report+0x184/0x1e0
[ 1296.341212][    C0] [] __asan_load8+0x6e/0x96
[ 1296.342381][    C0] [] walk_stackframe+0x11c/0x260
[ 1296.343391][    C0] [] arch_stack_walk+0x2c/0x3c
[ 1296.344423][    C0] [] stack_trace_save+0xa6/0xd8
[ 1296.345818][    C0] 
[ 1296.346459][    C0] Allocated by task 1102416563:
[ 1296.347223][    C0]  (stack is not available)
[ 1296.347946][    C0] 
[ 1296.348538][    C0] Last potentially related work creation:
[ 1296.349351][    C0] ------------[ cut here ]------------
[ 1296.350232][    C0] slab index 1189544 out of bounds (324) for stack id 845226a8
[ 1296.353884][    C0] WARNING: CPU: 0 PID: 2045 at lib/stackdepot.c:304 stack_depot_print+0x66/0x70
[ 1296.355459][    C0] Modules linked in:
[ 1296.356710][    C0] CPU: 0 PID: 2045 Comm: syz-executor.0 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 1296.358236][    C0] Hardware name: riscv-virtio,qemu (DT)
[ 1296.359658][    C0] epc : stack_depot_print+0x66/0x70
[ 1296.361041][    C0]  ra : stack_depot_print+0x66/0x70
[ 1296.362201][    C0] epc : ffffffff80c00b8a ra : ffffffff80c00b8a sp : ffffaf800e803e40
[ 1296.363115][    C0]  gp : ffffffff85863ac0 tp : ffffaf800e60b080 t0 : ffffffff86bcb657
[ 1296.364098][    C0]  t1 : fffff5ef0b53910c t2 : 0000000000000000 s0 : ffffaf800e803e50
[ 1296.365139][    C0]  s1 : ffffaf807aa5d0d8 a0 : 000000000000003c a1 : 00000000000f0000
[ 1296.366092][    C0]  a2 : 0000000000000505 a3 : ffffffff8012252a a4 : 7420ee1098bdee00
[ 1296.367039][    C0]  a5 : 7420ee1098bdee00 a6 : 0000000000f00000 a7 : ffffaf805a9c8863
[ 1296.368023][    C0]  s2 : ffffaf800e803f80 s3 : ffffaf8007201780 s4 : ffffaf800e803f80
[ 1296.368957][    C0]  s5 : ffffaf800e803fe0 s6 : 0000000000003fff s7 : ffffaf800e803f20
[ 1296.370009][    C0]  s8 : 0000000000400000 s9 : ffffffffffffc000 s10: ffffaf800e804000
[ 1296.371498][    C0]  s11: 0000000000000008 t3 : fffffffff3f3f300 t4 : fffff5ef0b53910c
[ 1296.373038][    C0]  t5 : fffff5ef0b53910d t6 : ffffaf800e803938
[ 1296.373871][    C0] status: 0000000000000100 badaddr: 0000000000000000 cause: 0000000000000003
[ 1296.374983][    C0] [] print_address_description.constprop.0+0x2fc/0x330
[ 1296.376227][    C0] [] kasan_report+0x184/0x1e0
[ 1296.377203][    C0] [] __asan_load8+0x6e/0x96
[ 1296.378084][    C0] [] walk_stackframe+0x11c/0x260
[ 1296.379123][    C0] [] arch_stack_walk+0x2c/0x3c
[ 1296.380351][    C0] [] stack_trace_save+0xa6/0xd8
[ 1296.381783][    C0] irq event stamp: 192877
[ 1296.382518][    C0] hardirqs last enabled at (192876): [] _raw_spin_unlock_irqrestore+0x68/0x98
[ 1296.383776][    C0] hardirqs last disabled at (192877): [] _raw_spin_lock_irqsave+0x60/0x62
[ 1296.384986][    C0] softirqs last enabled at (192776): [] fib_create_info+0x1da2/0x2d8e
[ 1296.386463][    C0] softirqs last disabled at (192787): [] __irq_exit_rcu+0x142/0x1f8
[ 1296.387941][    C0] ---[ end trace 0000000000000000 ]---
[ 1296.389521][    C0] 
[ 1296.390510][    C0] Second to last potentially related work creation:
[ 1296.391873][    C0] ------------[ cut here ]------------
[ 1296.392798][    C0] slab index 2097151 out of bounds (324) for stack id ffffffff
[ 1296.396682][    C0] WARNING: CPU: 0 PID: 2045 at lib/stackdepot.c:304 stack_depot_print+0x66/0x70
[ 1296.398275][    C0] Modules linked in:
[ 1296.399406][    C0] CPU: 0 PID: 2045 Comm: syz-executor.0 Tainted: G        W         5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 1296.402380][    C0] Hardware name: riscv-virtio,qemu (DT)
[ 1296.403839][    C0] epc : stack_depot_print+0x66/0x70
[ 1296.405112][    C0]  ra : stack_depot_print+0x66/0x70
[ 1296.406232][    C0] epc : ffffffff80c00b8a ra : ffffffff80c00b8a sp : ffffaf800e803e40
[ 1296.407331][    C0]  gp : ffffffff85863ac0 tp : ffffaf800e60b080 t0 : ffffffff86bcb657
[ 1296.408460][    C0]  t1 : fffff5ef0b53910c t2 : 0000000000000000 s0 : ffffaf800e803e50
[ 1296.409590][    C0]  s1 : ffffaf807aa5d0d8 a0 : 000000000000003c a1 : 00000000000f0000
[ 1296.411842][    C0]  a2 : 0000000000000505 a3 : ffffffff8012252a a4 : 7420ee1098bdee00
[ 1296.413888][    C0]  a5 : 7420ee1098bdee00 a6 : 0000000000f00000 a7 : ffffaf805a9c8863
[ 1296.415001][    C0]  s2 : ffffaf800e803f80 s3 : ffffaf8007201780 s4 : ffffaf800e803f80
[ 1296.416120][    C0]  s5 : ffffaf800e803fe0 s6 : 0000000000003fff s7 : ffffaf800e803f20
[ 1296.417196][    C0]  s8 : 0000000000400000 s9 : ffffffffffffc000 s10: ffffaf800e804000
[ 1296.418280][    C0]  s11: 0000000000000008 t3 : fffffffff3f3f300 t4 : fffff5ef0b53910c
[ 1296.419367][    C0]  t5 : fffff5ef0b53910d t6 : ffffaf800e803938
[ 1296.421272][    C0] status: 0000000000000100 badaddr: 0000000000000000 cause: 0000000000000003
[ 1296.423237][    C0] [] print_address_description.constprop.0+0x2ae/0x330
[ 1296.424846][    C0] [] kasan_report+0x184/0x1e0
[ 1296.426105][    C0] [] __asan_load8+0x6e/0x96
[ 1296.427191][    C0] [] walk_stackframe+0x11c/0x260
[ 1296.428403][    C0] [] arch_stack_walk+0x2c/0x3c
[ 1296.429580][    C0] [] stack_trace_save+0xa6/0xd8
[ 1296.431471][    C0] irq event stamp: 192877
[ 1296.432710][    C0] hardirqs last enabled at (192876): [] _raw_spin_unlock_irqrestore+0x68/0x98
[ 1296.434246][    C0] hardirqs last disabled at (192877): [] _raw_spin_lock_irqsave+0x60/0x62
[ 1296.435654][    C0] softirqs last enabled at (192776): [] fib_create_info+0x1da2/0x2d8e
[ 1296.437063][    C0] softirqs last disabled at (192787): [] __irq_exit_rcu+0x142/0x1f8
[ 1296.438502][    C0] ---[ end trace 0000000000000000 ]---
[ 1296.439410][    C0] 
[ 1296.440383][    C0] The buggy address belongs to the object at ffffaf800e803f80
[ 1296.440383][    C0]  which belongs to the cache kmalloc-96 of size 96
[ 1296.443076][    C0] The buggy address is located 0 bytes inside of
[ 1296.443076][    C0]  96-byte region [ffffaf800e803f80, ffffaf800e803fe0)
[ 1296.444645][    C0] The buggy address belongs to the page:
[ 1296.445978][    C0] page:ffffaf807aa5d0d8 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffffaf800e803380 pfn:0x8ea03
[ 1296.447586][    C0] flags: 0x8800000200(slab|section=17|node=0|zone=0)
[ 1296.450192][    C0] raw: 0000008800000200 ffffaf807abfc2e0 ffffaf807aa87f68 ffffaf8007201780
[ 1296.452683][    C0] raw: ffffaf800e803380 0000000000200007 00000001ffffffff 0000000000000000
[ 1296.453808][    C0] raw: 00000000000007ff
[ 1296.454666][    C0] page dumped because: kasan: bad access detected
[ 1296.455820][    C0] page_owner tracks the page as allocated
[ 1296.456699][    C0] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY), pid 83, ts 1233308599000, free_ts 1233047872500
[ 1296.458647][    C0]  __set_page_owner+0x48/0x136
[ 1296.459802][    C0]  post_alloc_hook+0xd0/0x10a
[ 1296.461353][    C0]  get_page_from_freelist+0x8da/0x12d8
[ 1296.462540][    C0]  __alloc_pages+0x150/0x3b6
[ 1296.463536][    C0]  alloc_pages+0x132/0x2a6
[ 1296.464591][    C0]  alloc_slab_page.constprop.0+0xc2/0xfa
[ 1296.465716][    C0]  new_slab+0x76/0x2cc
[ 1296.466671][    C0]  ___slab_alloc+0x56e/0x918
[ 1296.467688][    C0]  __slab_alloc.constprop.0+0x50/0x8c
[ 1296.468802][    C0]  kmem_cache_alloc_trace+0x2a2/0x2e0
[ 1296.469987][    C0]  dst_cow_metrics_generic+0x4a/0x1c2
[ 1296.471551][    C0]  icmp6_dst_alloc+0x216/0x2c2
[ 1296.472660][    C0]  ndisc_send_skb+0xe7a/0x117a
[ 1296.473660][    C0]  ndisc_send_ns+0x252/0x49c
[ 1296.474642][    C0]  addrconf_dad_work+0x8d0/0xc94
[ 1296.475635][    C0]  process_one_work+0x654/0xffe
[ 1296.476746][    C0] page last free stack trace:
[ 1296.477477][    C0]  __reset_page_owner+0x4a/0xea
[ 1296.478484][    C0]  free_pcp_prepare+0x29c/0x45e
[ 1296.479474][    C0]  free_unref_page+0x6a/0x31e
[ 1296.480882][    C0]  __free_pages+0xe2/0x112
[ 1296.482116][    C0]  free_pages.part.0+0xe0/0xf6
[ 1296.483132][    C0]  free_pages+0xe/0x18
[ 1296.484094][    C0]  free_pgd_range+0x8b0/0xc54
[ 1296.485039][    C0]  free_pgtables+0x1bc/0x1c8
[ 1296.486044][    C0]  exit_mmap+0x168/0x412
[ 1296.487051][    C0]  mmput+0xee/0x2c2
[ 1296.488011][    C0]  do_exit+0x6f2/0x18fc
[ 1296.488910][    C0]  do_group_exit+0x90/0x17e
[ 1296.489981][    C0]  __wake_up_parent+0x0/0x4a
[ 1296.491619][    C0]  ret_from_syscall+0x0/0x2
[ 1296.492880][    C0] 
[ 1296.493511][    C0] Memory state around the buggy address:
[ 1296.494754][    C0]  ffffaf800e803e80: fb fb fb fb 00 00 00 00 00 00 00 00 fc fc fc fc
[ 1296.495934][    C0]  ffffaf800e803f00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 1296.497043][    C0] >ffffaf800e803f80: fb fb fb fb fb fb fb fb fb fb fb fb f1 f1 f1 f1
[ 1296.498091][    C0]                    ^
[ 1296.498988][    C0]  ffffaf800e804000: 00 00 00 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
[ 1296.500379][    C0]  ffffaf800e804080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1296.502409][    C0] ==================================================================
[ 1296.503526][    C0] Disabling lock debugging due to kernel taint
[ 1296.506789][ T2045] Kernel panic - not syncing: corrupted stack end detected inside scheduler
[ 1296.507884][ T2045] CPU: 0 PID: 2045 Comm: syz-executor.0 Tainted: G    B   W         5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 1296.509011][ T2045] Hardware name: riscv-virtio,qemu (DT)
[ 1296.509617][ T2045] Call Trace:
[ 1296.510687][ T2045] [] dump_backtrace+0x2e/0x3c
[ 1296.511748][ T2045] [] show_stack+0x34/0x40
[ 1296.512664][ T2045] [] dump_stack_lvl+0xe4/0x150
[ 1296.513699][ T2045] [] dump_stack+0x1c/0x24
[ 1296.514702][ T2045] [] panic+0x24a/0x634
[ 1296.515577][ T2045] [] schedule+0x0/0x14c
[ 1296.516581][ T2045] [] preempt_schedule_common+0x4e/0xde
[ 1296.517702][ T2045] [] preempt_schedule+0x34/0x36
[ 1296.518737][ T2045] [] _raw_spin_unlock_irqrestore+0x8c/0x98
[ 1296.519969][ T2045] [] debug_check_no_obj_freed+0x14c/0x24a
[ 1296.522234][ T2045] [] slab_free_freelist_hook+0xe4/0x1cc
[ 1296.523385][ T2045] [] kfree+0xe0/0x3e4
[ 1296.524428][ T2045] [] skb_release_data+0x3c2/0x3c4
[ 1296.525422][ T2045] [] consume_skb+0x96/0x136
[ 1296.526354][ T2045] [] netlink_broadcast+0x280/0xab6
[ 1296.527327][ T2045] [] nlmsg_notify+0x78/0x22e
[ 1296.528279][ T2045] [] rtnl_notify+0x80/0x98
[ 1296.529228][ T2045] [] rtmsg_fib+0x204/0x2be
[ 1296.530788][ T2045] [] fib_table_insert+0x52a/0xebe
[ 1296.531869][ T2045] [] fib_magic+0x3f4/0x438
[ 1296.532881][ T2045] [] fib_add_ifaddr+0x2be/0x2e2
[ 1296.533836][ T2045] [] fib_netdev_event+0x362/0x4b0
[ 1296.534793][ T2045] [] notifier_call_chain+0xb8/0x188
[ 1296.535846][ T2045] [] raw_notifier_call_chain+0x2a/0x38
[ 1296.536882][ T2045] [] call_netdevice_notifiers_info+0x9e/0x10c
[ 1296.537919][ T2045] [] __dev_notify_flags+0x108/0x1fa
[ 1296.538958][ T2045] [] dev_change_flags+0x9c/0xba
[ 1296.540428][ T2045] [] do_setlink+0x5d6/0x21c4
[ 1296.541496][ T2045] [] __rtnl_newlink+0x99e/0xfa0
[ 1296.542534][ T2045] [] rtnl_newlink+0x60/0x8c
[ 1296.543515][ T2045] [] rtnetlink_rcv_msg+0x338/0x9a0
[ 1296.544565][ T2045] [] netlink_rcv_skb+0xf8/0x2be
[ 1296.545512][ T2045] [] rtnetlink_rcv+0x26/0x30
[ 1296.546468][ T2045] [] netlink_unicast+0x40e/0x5fe
[ 1296.547412][ T2045] [] netlink_sendmsg+0x4e0/0x994
[ 1296.548383][ T2045] [] sock_sendmsg+0xa0/0xc4
[ 1296.549369][ T2045] [] __sys_sendto+0x1f2/0x2e0
[ 1296.551138][ T2045] [] sys_sendto+0x3e/0x52
[ 1296.552184][ T2045] [] ret_from_syscall+0x0/0x2
[ 1296.553398][ T2045] SMP: stopping secondary CPUs
[ 1296.555420][ T2045] Rebooting in 86400 seconds..

VM DIAGNOSIS:
05:29:22 Registers:
info registers vcpu 0
 pc       ffffffff8013fa14
 mhartid  0000000000000000
 mstatus  00000000000000a0
 mip      0000000000000000
 mie      00000000000002aa
 mideleg  0000000000000222
 medeleg  000000000000b109
 mtvec    0000000080000540
 stvec    ffffffff800055d4
 mepc     ffffffff80010124
 sepc     ffffffff8010b26a
 mcause   0000000000000009
 scause   8000000000000005
 mtval    0000000000000000
 stval    0000000000000000
 x0/zero  0000000000000000 x1/ra    ffffffff8011289a x2/sp    ffffaf800b0df8d0 x3/gp    ffffffff85863ac0
 x4/tp    ffffaf800b691840 x5/t0    0000000000000310 x6/t1    7420ee1098bdee00 x7/t2    0000000000d873c0
 x8/s0    ffffaf800b0dfc00 x9/s1    0000000000000000 x10/a0   0000000000000020 x11/a1   ffffffff84b73e60
 x12/a2   0000000000000002 x13/a3   ffffffff8010ce7e x14/a4   0000000000000003 x15/a5   0000000000000000
 x16/a6   0000000000f00000 x17/a7   ffffffff8176b8f4 x18/s2   0000000000000003 x19/s3   ffffaf800b691840
 x20/s4   ffffaf800b692840 x21/s5   ffffffff8343c840 x22/s6   0000000000000000 x23/s7   ffffaf800b691840
 x24/s8   ffffaf800b6922b0 x25/s9   ffffffff8176b8f4 x26/s10  ffffffffa311f512 x27/s11  0000000000000002
 x28/t3   fffffffff3f3f300 x29/t4   ffffffff80112282 x30/t5   1ffff5f00161bf2c x31/t6   0000000000082cc8
 f0/ft0   0000000000000000 f1/ft1   0000000000000000 f2/ft2   0000000000000000 f3/ft3   0000000000000000
 f4/ft4   0000000000000000 f5/ft5   0000000000000000 f6/ft6   0000000000000000 f7/ft7   0000000000000000
 f8/fs0   0000000000000000 f9/fs1   0000000000000000 f10/fa0  0000000000000000 f11/fa1  0000000000000000
 f12/fa2  0000000000000000 f13/fa3  0000000000000000 f14/fa4  0000000000000000 f15/fa5  0000000000000000
 f16/fa6  0000000000000000 f17/fa7  0000000000000000 f18/fs2  0000000000000000 f19/fs3  0000000000000000
 f20/fs4  0000000000000000 f21/fs5  0000000000000000 f22/fs6  0000000000000000 f23/fs7  0000000000000000
 f24/fs8  0000000000000000 f25/fs9  0000000000000000 f26/fs10 0000000000000000 f27/fs11 0000000000000000
 f28/ft8  0000000000000000 f29/ft9  0000000000000000 f30/ft10 0000000000000000 f31/ft11 0000000000000000
info registers vcpu 1
 pc       ffffffff80dc337e
 mhartid  0000000000000001
 mstatus  00000000000000a0
 mip      00000000000000a0
 mie      000000000000022a
 mideleg  0000000000000222
 medeleg  000000000000b109
 mtvec    0000000080000540
 stvec    ffffffff800055d4
 mepc     ffffffff80200f3e
 sepc     ffffffff831afd22
 mcause   8000000000000003
 scause   8000000000000001
 mtval    0000000000000000
 stval    0000000000000000
 x0/zero  0000000000000000 x1/ra    ffffffff80dc337e x2/sp    ffffaf800e803950 x3/gp    ffffffff85863ac0
 x4/tp    ffffaf800e60b080 x5/t0    ffffffff86bcb657 x6/t1    7420ee1098bdee00 x7/t2    0000000000000000
 x8/s0    ffffaf800e803980 x9/s1    ffffffff86e58900 x10/a0   ffffffff86e58948 x11/a1   ffff8f800066c000
 x12/a2   1ffffffff0dcb129 x13/a3   ffffffff80dc337e x14/a4   0000000000000000 x15/a5   ffffffff86e58948
 x16/a6   ffffffff86e589f1 x17/a7   ffffffff80dcc9fe x18/s2   ffff8f800066c000 x19/s3   000000000000005d
 x20/s4   ffffffff86e58900 x21/s5   ffffffff80dc333e x22/s6   0000000000000000 x23/s7   ffffffff86bcb658
 x24/s8   0000000000000010 x25/s9   ffffffff86e58958 x26/s10  0000000000000010 x27/s11  0000000000000000
 x28/t3   fffffffff3f3f300 x29/t4   ffffffff80112282 x30/t5   1ffff5f001d006d8 x31/t6   ffffffff86bcb657
 f0/ft0   0000000000000000 f1/ft1   0000000000000000 f2/ft2   0000000000000000 f3/ft3   0000000000000000
 f4/ft4   0000000000000000 f5/ft5   0000000000000000 f6/ft6   0000000000000000 f7/ft7   0000000000000000
 f8/fs0   0000000000000000 f9/fs1   0000000000000000 f10/fa0  0000000000000000 f11/fa1  0000000000000000
 f12/fa2  0000000000000000 f13/fa3  0000000000000000 f14/fa4  0000000000000000 f15/fa5  0000000000000000
 f16/fa6  0000000000000000 f17/fa7  0000000000000000 f18/fs2  0000000000000000 f19/fs3  0000000000000000
 f20/fs4  0000000000000000 f21/fs5  0000000000000000 f22/fs6  0000000000000000 f23/fs7  0000000000000000
 f24/fs8  0000000000000000 f25/fs9  0000000000000000 f26/fs10 0000000000000000 f27/fs11 0000000000000000
 f28/ft8  0000000000000000 f29/ft9  0000000000000000 f30/ft10 0000000000000000 f31/ft11 0000000000000000