syzkaller login: [ 254.112262][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 264.413561][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 264.453801][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 292.983768][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
Warning: Permanently added '[localhost]:9946' (ECDSA) to the list of known hosts.
1970/01/01 00:05:49 fuzzer started
1970/01/01 00:06:02 dialing manager at localhost:41109
[ 367.407751][ T2044] cgroup: Unknown subsys name 'net'
[ 368.474770][ T2044] cgroup: Unknown subsys name 'rlimit'
1970/01/01 00:06:08 syscalls: 2918
1970/01/01 00:06:08 code coverage: enabled
1970/01/01 00:06:08 comparison tracing: enabled
1970/01/01 00:06:08 extra coverage: ioctl(KCOV_DISABLE) failed: invalid argument
1970/01/01 00:06:08 delay kcov mmap: mmap returned an invalid pointer
1970/01/01 00:06:08 setuid sandbox: enabled
1970/01/01 00:06:08 namespace sandbox: enabled
1970/01/01 00:06:08 Android sandbox: /sys/fs/selinux/policy does not exist
1970/01/01 00:06:08 fault injection: enabled
1970/01/01 00:06:08 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
1970/01/01 00:06:08 net packet injection: enabled
1970/01/01 00:06:08 net device setup: enabled
1970/01/01 00:06:08 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
1970/01/01 00:06:08 devlink PCI setup: PCI device 0000:00:10.0 is not available
1970/01/01 00:06:08 NIC VF setup: PCI device 0000:00:11.0 is not available
1970/01/01 00:06:08 USB emulation: enabled
1970/01/01 00:06:08 hci packet injection: /dev/vhci does not exist
1970/01/01 00:06:08 wifi device emulation: /sys/class/mac80211_hwsim/ does not exist
1970/01/01 00:06:08 802.15.4 emulation: /sys/bus/platform/devices/mac802154_hwsim does not exist
1970/01/01 00:06:08 fetching corpus: 0, signal 0/2000 (executing program)
1970/01/01 00:06:13 fetching corpus: 50, signal 34311/37486 (executing program)
1970/01/01 00:06:18 fetching corpus: 99, signal 50677/54834 (executing program)
1970/01/01 00:06:22 fetching corpus: 149, signal 60208/65277 (executing program)
1970/01/01 00:06:24 fetching corpus: 199, signal 66277/72211 (executing program)
1970/01/01 00:06:26 fetching corpus: 249, signal 72950/79612 (executing program)
1970/01/01 00:06:29 fetching corpus: 299, signal 78137/85539 (executing program)
1970/01/01 00:06:32 fetching corpus: 348, signal 82478/90494 (executing program)
1970/01/01 00:06:35 fetching corpus: 397, signal 85766/94376 (executing program)
1970/01/01 00:06:38 fetching corpus: 445, signal 90250/99282 (executing program)
1970/01/01 00:06:41 fetching corpus: 495, signal 93445/102962 (executing program)
1970/01/01 00:06:44 fetching corpus: 545, signal 96520/106422 (executing program)
1970/01/01 00:06:48 fetching corpus: 595, signal 99023/109411 (executing program)
1970/01/01 00:06:52 fetching corpus: 645, signal 101884/112594 (executing program)
1970/01/01 00:06:55 fetching corpus: 695, signal 104618/115640 (executing program)
1970/01/01 00:06:58 fetching corpus: 744, signal 106530/117928 (executing program)
1970/01/01 00:07:02 fetching corpus: 794, signal 108481/120149 (executing program)
1970/01/01 00:07:04 fetching corpus: 844, signal 110311/122234 (executing program)
1970/01/01 00:07:07 fetching corpus: 894, signal 112251/124394 (executing program)
1970/01/01 00:07:09 fetching corpus: 943, signal 114196/126522 (executing program)
1970/01/01 00:07:12 fetching corpus: 993, signal 116327/128758 (executing program)
1970/01/01 00:07:14 fetching corpus: 1042, signal 118526/130963 (executing program)
1970/01/01 00:07:17 fetching corpus: 1091, signal 120556/132981 (executing program)
1970/01/01 00:07:20 fetching corpus: 1141, signal 121949/134503 (executing program)
1970/01/01 00:07:22 fetching corpus: 1191, signal 123745/136267 (executing program)
1970/01/01 00:07:24 fetching corpus: 1241, signal 125294/137821 (executing program)
1970/01/01 00:07:28 fetching corpus: 1290, signal 127526/139796 (executing program)
1970/01/01 00:07:30 fetching corpus: 1340, signal 128986/141218 (executing program)
1970/01/01 00:07:32 fetching corpus: 1389, signal 130916/142924 (executing program)
1970/01/01 00:07:35 fetching corpus: 1439, signal 132830/144521 (executing program)
1970/01/01 00:07:37 fetching corpus: 1489, signal 134401/145914 (executing program)
1970/01/01 00:07:41 fetching corpus: 1539, signal 135947/147231 (executing program)
1970/01/01 00:07:43 fetching corpus: 1589, signal 138061/148758 (executing program)
1970/01/01 00:07:48 fetching corpus: 1639, signal 139428/149871 (executing program)
1970/01/01 00:07:51 fetching corpus: 1688, signal 140558/150858 (executing program)
1970/01/01 00:07:55 fetching corpus: 1738, signal 141988/151986 (executing program)
1970/01/01 00:07:58 fetching corpus: 1788, signal 143174/152909 (executing program)
1970/01/01 00:08:01 fetching corpus: 1838, signal 144376/153814 (executing program)
1970/01/01 00:08:04 fetching corpus: 1887, signal 145693/154748 (executing program)
1970/01/01 00:08:07 fetching corpus: 1937, signal 146570/155399 (executing program)
1970/01/01 00:08:09 fetching corpus: 1985, signal 148050/156400 (executing program)
1970/01/01 00:08:12 fetching corpus: 2035, signal 149417/157271 (executing program)
1970/01/01 00:08:15 fetching corpus: 2084, signal 151207/158276 (executing program)
1970/01/01 00:08:18 fetching corpus: 2134, signal 152372/158963 (executing program)
1970/01/01 00:08:21 fetching corpus: 2184, signal 153356/159542 (executing program)
1970/01/01 00:08:24 fetching corpus: 2233, signal 154607/160197 (executing program)
1970/01/01 00:08:26 fetching corpus: 2283, signal 155721/160782 (executing program)
1970/01/01 00:08:29 fetching corpus: 2333, signal 157097/161448 (executing program)
1970/01/01 00:08:32 fetching corpus: 2383, signal 159458/162481 (executing program)
1970/01/01 00:08:35 fetching corpus: 2433, signal 160199/162840 (executing program)
1970/01/01 00:08:38 fetching corpus: 2482, signal 161095/163224 (executing program)
1970/01/01 00:08:41 fetching corpus: 2531, signal 162038/163607 (executing program)
1970/01/01 00:08:42 fetching corpus: 2549, signal 162255/163715 (executing program)
1970/01/01 00:08:42 fetching corpus: 2549, signal 162255/163747 (executing program)
1970/01/01 00:08:42 fetching corpus: 2549, signal 162255/163769 (executing program)
1970/01/01 00:08:42 fetching corpus: 2549, signal 162255/163798 (executing program)
1970/01/01 00:08:43 fetching corpus: 2549, signal 162255/163824 (executing program)
1970/01/01 00:08:43 fetching corpus: 2549, signal 162255/163858 (executing program)
1970/01/01 00:08:43 fetching corpus: 2549, signal 162255/163891 (executing program)
1970/01/01 00:08:43 fetching corpus: 2549, signal 162255/163920 (executing program)
1970/01/01 00:08:43 fetching corpus: 2550, signal 162256/163948 (executing program)
1970/01/01 00:08:43 fetching corpus: 2550, signal 162256/163980 (executing program)
1970/01/01 00:08:43 fetching corpus: 2550, signal 162256/163999 (executing program)
1970/01/01 00:08:44 fetching corpus: 2550, signal 162256/164016 (executing program)
1970/01/01 00:08:44 fetching corpus: 2550, signal 162256/164043 (executing program)
1970/01/01 00:08:44 fetching corpus: 2550, signal 162256/164070 (executing program)
1970/01/01 00:08:44 fetching corpus: 2550, signal 162256/164099 (executing program)
1970/01/01 00:08:44 fetching corpus: 2550, signal 162256/164127 (executing program)
1970/01/01 00:08:44 fetching corpus: 2550, signal 162256/164149 (executing program)
1970/01/01 00:08:45 fetching corpus: 2550, signal 162256/164181 (executing program)
1970/01/01 00:08:45 fetching corpus: 2550, signal 162256/164213 (executing program)
1970/01/01 00:08:45 fetching corpus: 2550, signal 162256/164248 (executing program)
1970/01/01 00:08:45 fetching corpus: 2550, signal 162256/164268 (executing program)
1970/01/01 00:08:45 fetching corpus: 2551, signal 162261/164303 (executing program)
1970/01/01 00:08:45 fetching corpus: 2551, signal 162261/164342 (executing program)
1970/01/01 00:08:45 fetching corpus: 2551, signal 162261/164371 (executing program)
1970/01/01 00:08:45 fetching corpus: 2551, signal 162261/164411 (executing program)
1970/01/01 00:08:46 fetching corpus: 2551, signal 162261/164443 (executing program)
1970/01/01 00:08:46 fetching corpus: 2551, signal 162261/164470 (executing program)
1970/01/01 00:08:46 fetching corpus: 2551, signal 162261/164494 (executing program)
1970/01/01 00:08:46 fetching corpus: 2551, signal 162261/164517 (executing program)
1970/01/01 00:08:46 fetching corpus: 2551, signal 162261/164550 (executing program)
1970/01/01 00:08:46 fetching corpus: 2551, signal 162261/164555 (executing program)
1970/01/01 00:08:46 fetching corpus: 2551, signal 162261/164555 (executing program)
1970/01/01 00:10:29 starting 2 fuzzer processes
00:10:30 executing program 0:
r0 = syz_io_uring_setup(0x884, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f00000a0000)=nil, &(0x7f0000ffd000/0x3000)=nil, &(0x7f0000000100)=<r1=>0x0, &(0x7f0000000140)=<r2=>0x0)
syz_io_uring_submit(r1, r2, &(0x7f0000000200)=@IORING_OP_FSYNC={0x3, 0x0, 0x0, @fd_index, 0x0, 0x0, 0x0, 0xa9baf2bd630d208d}, 0x0)
io_uring_enter(r0, 0x6a1b, 0x0, 0x0, 0x0, 0x0)
00:10:30 executing program 1:
r0 = memfd_create(&(0x7f0000000200)='\x00\x03\x00\xef\xff\x01\x00\x93\x91\x85\b\x82!\xe5\xff\xff\xff\xff\xff\xff\x01\x00\x00\x00\x00\x00\x00\x00f\'>\xa4\x8b\x1d\xe8\a}<\xb1&li\xfd\x8ayP\x90\xf46\x80J\x8a\x99!4\xd5\xbc\x00S\x00vu', 0x4)
ftruncate(r0, 0x1000000)
lseek(r0, 0x0, 0x3)
[ 656.055820][ T2055] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 656.567956][ T2055] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 656.687495][ T2056] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 657.337313][ T2056] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 667.963833][ T2055] device hsr_slave_0 entered promiscuous mode
[ 668.022923][ T2055] device hsr_slave_1 entered promiscuous mode
[ 670.595458][ T2056] device hsr_slave_0 entered promiscuous mode
[ 670.638565][ T2056] device hsr_slave_1 entered promiscuous mode
[ 670.665183][ T2056] debugfs: Directory 'hsr0' with parent 'hsr' already present!
[ 670.679412][ T2056] Cannot create hsr debugfs directory
[ 676.516086][ T2055] netdevsim netdevsim1 netdevsim0: renamed from eth0
[ 677.144973][ T2055] netdevsim netdevsim1 netdevsim1: renamed from eth1
[ 677.468427][ T2055] netdevsim netdevsim1 netdevsim2: renamed from eth2
[ 677.745496][ T2055] netdevsim netdevsim1 netdevsim3: renamed from eth3
[ 678.566933][ T2056] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 678.936593][ T2056] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 679.106851][ T2056] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 679.473653][ T2056] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 689.177665][ T2055] 8021q: adding VLAN 0 to HW filter on device bond0
[ 690.098301][ T2665] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 690.201873][ T2665] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 690.766327][ T2056] 8021q: adding VLAN 0 to HW filter on device bond0
[ 691.281091][ T2491] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 691.504639][ T2491] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 697.787320][ T2197] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 697.815004][ T2197] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 697.844983][ T2197] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 697.876007][ T2197] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 697.916731][ T2197] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 697.934400][ T2197] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 698.276638][ T2197] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 698.318569][ T2197] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 698.348888][ T2197] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 698.584393][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 698.742256][ T2665] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 699.578977][ T2665] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 699.668050][ T2665] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 699.694837][ T2665] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 699.965379][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 699.998990][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 700.145253][ T2665] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 700.185341][ T2665] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 700.425591][ T25] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 700.465850][ T25] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 700.605182][ T2055] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 706.398522][ T2197] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 706.405590][ T2197] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 706.694185][ T2491] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 706.697317][ T2491] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 718.832004][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 718.888189][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 719.789477][ T25] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 719.862868][ T25] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 724.966736][ T830] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 725.017349][ T830] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 725.127587][ T830] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 725.151983][ T830] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 725.289084][ T2056] device veth0_vlan entered promiscuous mode
[ 725.685915][ T2056] device veth1_vlan entered promiscuous mode
[ 726.607419][ T25] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 726.642148][ T25] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 726.776479][ T2197] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 726.789402][ T2197] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 726.819335][ T2055] device veth0_vlan entered promiscuous mode
[ 727.416440][ T830] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 727.454291][ T830] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 727.675481][ T2055] device veth1_vlan entered promiscuous mode
[ 727.835308][ T2056] device veth0_macvtap entered promiscuous mode
[ 728.167359][ T2056] device veth1_macvtap entered promiscuous mode
[ 728.446610][ T2491] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 728.487675][ T2491] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 729.509472][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 729.557912][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 730.081974][ T2056] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 730.131663][ T2056] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 730.133432][ T2056] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 730.182467][ T2056] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 730.291489][ C0] ==================================================================
[ 730.295153][ C0] BUG: KASAN: slab-out-of-bounds in walk_stackframe+0x11c/0x260
[ 730.296500][ C0] Read of size 8 at addr ffffaf8012aa7b70 by task syz-executor.0/2056
[ 730.298166][ C0]
[ 730.300362][ C0] CPU: 0 PID: 2056 Comm: syz-executor.0 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 730.301993][ C0] Hardware name: riscv-virtio,qemu (DT)
[ 730.303115][ C0] Call Trace:
[ 730.303999][ C0] [] dump_backtrace+0x2e/0x3c
[ 730.305228][ C0] [] show_stack+0x34/0x40
[ 730.306337][ C0] [] dump_stack_lvl+0xe4/0x150
[ 730.307544][ C0] [] print_address_description.constprop.0+0x2a/0x330
[ 730.308945][ C0] [] kasan_report+0x184/0x1e0
[ 730.310512][ C0] [] __asan_load8+0x6e/0x96
[ 730.311647][ C0] [] walk_stackframe+0x11c/0x260
[ 730.313988][ C0] [] arch_stack_walk+0x2c/0x3c
[ 730.315844][ C0] [] stack_trace_save+0xa6/0xd8
[ 730.317750][ C0] [] save_stack+0x112/0x16c
[ 730.319496][ C0] [] __set_page_owner+0x48/0x136
[ 730.320954][ C0] [] post_alloc_hook+0xd0/0x10a
[ 730.321945][ C0] [] get_page_from_freelist+0x8da/0x12d8
[ 730.323111][ C0]
[ 730.323737][ C0] Allocated by task 313160032:
[ 730.324427][ C0] (stack is not available)
[ 730.325037][ C0]
[ 730.325593][ C0] Freed by task 12:
[ 730.326304][ C0] stack_trace_save+0xa6/0xd8
[ 730.327176][ C0] kasan_save_stack+0x2c/0x58
[ 730.328140][ C0] kasan_set_track+0x1a/0x26
[ 730.329071][ C0] kasan_set_free_info+0x1e/0x3a
[ 730.330299][ C0] ____kasan_slab_free+0x15e/0x180
[ 730.331826][ C0] __kasan_slab_free+0x10/0x18
[ 730.333292][ C0] slab_free_freelist_hook+0x8e/0x1cc
[ 730.334527][ C0] kfree+0xe0/0x3e4
[ 730.335562][ C0] skb_release_data+0x3c2/0x3c4
[ 730.336641][ C0] consume_skb+0x96/0x136
[ 730.337669][ C0] nsim_dev_trap_report_work+0x524/0x5e4
[ 730.338872][ C0] process_one_work+0x654/0xffe
[ 730.340308][ C0] worker_thread+0x360/0x8fa
[ 730.341361][ C0] kthread+0x19e/0x1fa
[ 730.342461][ C0] ret_from_exception+0x0/0x10
[ 730.343644][ C0]
[ 730.344334][ C0] Last potentially related work creation:
[ 730.345296][ C0] ------------[ cut here ]------------
[ 730.346237][ C0] slab index 684096 out of bounds (325) for stack id 12aa7040
[ 730.350716][ C0] WARNING: CPU: 0 PID: 2056 at lib/stackdepot.c:304 stack_depot_print+0x66/0x70
[ 730.353089][ C0] Modules linked in:
[ 730.354328][ C0] CPU: 0 PID: 2056 Comm: syz-executor.0 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 730.355890][ C0] Hardware name: riscv-virtio,qemu (DT)
[ 730.356839][ C0] epc : stack_depot_print+0x66/0x70
[ 730.358113][ C0] ra : stack_depot_print+0x66/0x70
[ 730.359359][ C0] epc : ffffffff80c00b8a ra : ffffffff80c00b8a sp : ffffaf8012aa7a30
[ 730.361040][ C0] gp : ffffffff85863ac0 tp : ffffaf800a37e100 t0 : ffffffff86bcb657
[ 730.362444][ C0] t1 : fffff5ef0b53910c t2 : 0000000000000000 s0 : ffffaf8012aa7a40
[ 730.363654][ C0] s1 : ffffaf807ab88d00 a0 : 000000000000003b a1 : 00000000000f0000
[ 730.364585][ C0] a2 : 0000000000000504 a3 : ffffffff8012252a a4 : dd5ed1d0fe625300
[ 730.365626][ C0] a5 : dd5ed1d0fe625300 a6 : 0000000000f00000 a7 : ffffaf805a9c8863
[ 730.366605][ C0] s2 : ffffaf8012aa7b70 s3 : ffffaf8007202140 s4 : ffffaf8012aa6000
[ 730.367565][ C0] s5 : ffffaf8012aa7000 s6 : 0000000000003fff s7 : ffffaf8012aa7b10
[ 730.368469][ C0] s8 : ffffaf805a9de970 s9 : ffffffffffffc000 s10: ffffaf8012aa7be0
[ 730.369497][ C0] s11: 0000000000000008 t3 : fffffffff3f3f300 t4 : fffff5ef0b53910c
[ 730.371014][ C0] t5 : fffff5ef0b53910d t6 : ffffaf8012aa7538
[ 730.372505][ C0] status: 0000000000000100 badaddr: 0000000000000000 cause: 0000000000000003
[ 730.373701][ C0] [] print_address_description.constprop.0+0x2fc/0x330
[ 730.375050][ C0] [] kasan_report+0x184/0x1e0
[ 730.376216][ C0] [] __asan_load8+0x6e/0x96
[ 730.377128][ C0] [] walk_stackframe+0x11c/0x260
[ 730.378466][ C0] [] arch_stack_walk+0x2c/0x3c
[ 730.379818][ C0] [] stack_trace_save+0xa6/0xd8
[ 730.381127][ C0] [] save_stack+0x112/0x16c
[ 730.382324][ C0] [] __set_page_owner+0x48/0x136
[ 730.383618][ C0] [] post_alloc_hook+0xd0/0x10a
[ 730.384890][ C0] [] get_page_from_freelist+0x8da/0x12d8
[ 730.386257][ C0] irq event stamp: 177755
[ 730.387119][ C0] hardirqs last enabled at (177754): [] get_page_from_freelist+0xfc8/0x12d8
[ 730.388434][ C0] hardirqs last disabled at (177755): [] _raw_spin_lock_irqsave+0x60/0x62
[ 730.390363][ C0] softirqs last enabled at (177652): [] ip6_route_add+0x7e/0x148
[ 730.391987][ C0] softirqs last disabled at (177655): [] __irq_exit_rcu+0x142/0x1f8
[ 730.393610][ C0] ---[ end trace 0000000000000000 ]---
[ 730.395112][ C0]
[ 730.395830][ C0] Second to last potentially related work creation:
[ 730.396818][ C0] ------------[ cut here ]------------
[ 730.397491][ C0] slab index 2076544 out of bounds (325) for stack id ffffaf80
[ 730.399910][ C0] WARNING: CPU: 0 PID: 2056 at lib/stackdepot.c:304 stack_depot_print+0x66/0x70
[ 730.401210][ C0] Modules linked in:
[ 730.402161][ C0] CPU: 0 PID: 2056 Comm: syz-executor.0 Tainted: G W 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 730.403503][ C0] Hardware name: riscv-virtio,qemu (DT)
[ 730.404261][ C0] epc : stack_depot_print+0x66/0x70
[ 730.405159][ C0] ra : stack_depot_print+0x66/0x70
[ 730.406214][ C0] epc : ffffffff80c00b8a ra : ffffffff80c00b8a sp : ffffaf8012aa7a30
[ 730.407186][ C0] gp : ffffffff85863ac0 tp : ffffaf800a37e100 t0 : ffffffff86bcb657
[ 730.408214][ C0] t1 : fffff5ef0b53910c t2 : 0000000000000000 s0 : ffffaf8012aa7a40
[ 730.409206][ C0] s1 : ffffaf807ab88d00 a0 : 000000000000003c a1 : 00000000000f0000
[ 730.410870][ C0] a2 : 0000000000000504 a3 : ffffffff8012252a a4 : dd5ed1d0fe625300
[ 730.412411][ C0] a5 : dd5ed1d0fe625300 a6 : 0000000000f00000 a7 : ffffaf805a9c8863
[ 730.413423][ C0] s2 : ffffaf8012aa7b70 s3 : ffffaf8007202140 s4 : ffffaf8012aa6000
[ 730.414385][ C0] s5 : ffffaf8012aa7000 s6 : 0000000000003fff s7 : ffffaf8012aa7b10
[ 730.415304][ C0] s8 : ffffaf805a9de970 s9 : ffffffffffffc000 s10: ffffaf8012aa7be0
[ 730.416272][ C0] s11: 0000000000000008 t3 : fffffffff3f3f300 t4 : fffff5ef0b53910c
[ 730.417167][ C0] t5 : fffff5ef0b53910d t6 : ffffaf8012aa7538
[ 730.418017][ C0] status: 0000000000000100 badaddr: 0000000000000000 cause: 0000000000000003
[ 730.419017][ C0] [] print_address_description.constprop.0+0x2ae/0x330
[ 730.420995][ C0] [] kasan_report+0x184/0x1e0
[ 730.422319][ C0] [] __asan_load8+0x6e/0x96
[ 730.423508][ C0] [] walk_stackframe+0x11c/0x260
[ 730.424769][ C0] [] arch_stack_walk+0x2c/0x3c
[ 730.426041][ C0] [] stack_trace_save+0xa6/0xd8
[ 730.427337][ C0] [] save_stack+0x112/0x16c
[ 730.428596][ C0] [] __set_page_owner+0x48/0x136
[ 730.430195][ C0] [] post_alloc_hook+0xd0/0x10a
[ 730.431476][ C0] [] get_page_from_freelist+0x8da/0x12d8
[ 730.432812][ C0] irq event stamp: 177755
[ 730.433674][ C0] hardirqs last enabled at (177754): [] get_page_from_freelist+0xfc8/0x12d8
[ 730.435282][ C0] hardirqs last disabled at (177755): [] _raw_spin_lock_irqsave+0x60/0x62
[ 730.436907][ C0] softirqs last enabled at (177652): [] ip6_route_add+0x7e/0x148
[ 730.438546][ C0] softirqs last disabled at (177655): [] __irq_exit_rcu+0x142/0x1f8
[ 730.440469][ C0] ---[ end trace 0000000000000000 ]---
[ 730.441774][ C0]
[ 730.442512][ C0] The buggy address belongs to the object at ffffaf8012aa6000
[ 730.442512][ C0]  which belongs to the cache kmalloc-4k of size 4096
[ 730.444302][ C0] The buggy address is located 2928 bytes to the right of
[ 730.444302][ C0]  4096-byte region [ffffaf8012aa6000, ffffaf8012aa7000)
[ 730.446304][ C0] The buggy address belongs to the page:
[ 730.447833][ C0] page:ffffaf807ab88d00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x92ca0
[ 730.449795][ C0] head:ffffaf807ab88d00 order:3 compound_mapcount:0 compound_pincount:0
[ 730.451928][ C0] flags: 0x9000010200(slab|head|section=18|node=0|zone=0)
[ 730.454111][ C0] raw: 0000009000010200 0000000000000000 0000000000000122 ffffaf8007202140
[ 730.455214][ C0] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
[ 730.456178][ C0] raw: 00000000000007ff
[ 730.456881][ C0] page dumped because: kasan: bad access detected
[ 730.457937][ C0] page_owner tracks the page as allocated
[ 730.458718][ C0] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 12, ts 718715168200, free_ts 717566017700
[ 730.461753][ C0] __set_page_owner+0x48/0x136
[ 730.463018][ C0] post_alloc_hook+0xd0/0x10a
[ 730.463947][ C0] get_page_from_freelist+0x8da/0x12d8
[ 730.464826][ C0] __alloc_pages+0x150/0x3b6
[ 730.465667][ C0] alloc_pages+0x132/0x2a6
[ 730.466512][ C0] alloc_slab_page.constprop.0+0xc2/0xfa
[ 730.467454][ C0] new_slab+0x76/0x2cc
[ 730.468235][ C0] ___slab_alloc+0x56e/0x918
[ 730.469058][ C0] __slab_alloc.constprop.0+0x50/0x8c
[ 730.470554][ C0] __kmalloc_node_track_caller+0x26c/0x362
[ 730.472168][ C0] __alloc_skb+0xee/0x2e4
[ 730.473296][ C0] nsim_dev_trap_report_work+0x1c2/0x5e4
[ 730.474480][ C0] process_one_work+0x654/0xffe
[ 730.475342][ C0] worker_thread+0x360/0x8fa
[ 730.476120][ C0] kthread+0x19e/0x1fa
[ 730.476940][ C0] ret_from_exception+0x0/0x10
[ 730.477878][ C0] page last free stack trace:
[ 730.478556][ C0] __reset_page_owner+0x4a/0xea
[ 730.479391][ C0] free_pcp_prepare+0x29c/0x45e
[ 730.480521][ C0] free_unref_page+0x6a/0x31e
[ 730.481708][ C0] __free_pages+0xe2/0x112
[ 730.482588][ C0] __free_slab+0x122/0x27c
[ 730.483381][ C0] discard_slab+0x4c/0x7a
[ 730.484153][ C0] __unfreeze_partials+0x16a/0x18e
[ 730.484994][ C0] put_cpu_partial+0xf6/0x162
[ 730.485803][ C0] __slab_free+0x166/0x29c
[ 730.486565][ C0] ___cache_free+0x17c/0x354
[ 730.487373][ C0] qlist_free_all+0x7c/0x132
[ 730.488140][ C0] kasan_quarantine_reduce+0x14c/0x1c8
[ 730.488994][ C0] __kasan_slab_alloc+0x5c/0x98
[ 730.490205][ C0] __kmalloc+0x156/0x318
[ 730.491321][ C0] tomoyo_realpath_from_path+0x9c/0x3f4
[ 730.492263][ C0] tomoyo_path_perm+0x1fc/0x3a8
[ 730.493234][ C0]
[ 730.493778][ C0] Memory state around the buggy address:
[ 730.494769][ C0]  ffffaf8012aa7a00: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 730.495744][ C0]  ffffaf8012aa7a80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 730.496684][ C0] >ffffaf8012aa7b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 730.497572][ C0]                                                              ^
[ 730.498597][ C0]  ffffaf8012aa7b80: fc fc fc fc fc fc fc fc f1 f1 f1 f1 00 00 00 f3
[ 730.499489][ C0]  ffffaf8012aa7c00: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
[ 730.500896][ C0] ==================================================================
[ 730.502211][ C0] Disabling lock debugging due to kernel taint
[ 730.505939][ T2056] Kernel panic - not syncing: corrupted stack end detected inside scheduler
[ 730.507374][ T2056] CPU: 0 PID: 2056 Comm: syz-executor.0 Tainted: G B W 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 730.508359][ T2056] Hardware name: riscv-virtio,qemu (DT)
[ 730.509053][ T2056] Call Trace:
[ 730.509545][ T2056] [] dump_backtrace+0x2e/0x3c
[ 730.511186][ T2056] [] show_stack+0x34/0x40
[ 730.512182][ T2056] [] dump_stack_lvl+0xe4/0x150
[ 730.513326][ T2056] [] dump_stack+0x1c/0x24
[ 730.514475][ T2056] [] panic+0x24a/0x634
[ 730.515376][ T2056] [] schedule+0x0/0x14c
[ 730.516373][ T2056] [] preempt_schedule_irq+0x4a/0x13e
[ 730.517471][ T2056] [] resume_kernel+0x16/0x18
[ 730.518748][ T2056] SMP: stopping secondary CPUs
[ 730.521202][ T2056] Rebooting in 86400 seconds..

VM DIAGNOSIS:
17:12:18 Registers:
info registers vcpu 0
 pc       ffffffff80c2b612
 mhartid  0000000000000000
 mstatus  00000000000000a0
 mip      00000000000000a0
 mie      000000000000022a
 mideleg  0000000000000222
 medeleg  000000000000b109
 mtvec    0000000080000540
 stvec    ffffffff800055d4
 mepc     ffffffff80475ab2
 sepc     ffffffff802009d2
 mcause   8000000000000007
 scause   8000000000000001
 mtval    0000000000000000
 stval    0000000000000000
 x0/zero  0000000000000000 x1/ra    ffffffff8011c7fa x2/sp    ffffaf8012aa7580 x3/gp    ffffffff85863ac0
 x4/tp    ffffaf800a37e100 x5/t0    ffffaf8012aa7623 x6/t1    fffff5ef02554ec4 x7/t2    0000000000000000
 x8/s0    ffffaf8012aa75b0 x9/s1    ffffffff86bcb640 x10/a0   ffffffff86bcb640 x11/a1   000000000000000a
 x12/a2   0000000000000000 x13/a3   ffffffff8011c7ec x14/a4   ffffaf800a37e100 x15/a5   0000000000000000
 x16/a6   ffffaf8012aa7627 x17/a7   ffffaf8012aa7625 x18/s2   ffffffff86bcb641 x19/s3   ffffffff86bcb640
 x20/s4   000000000000000a x21/s5   0000000000000017 x22/s6   0000000000000000 x23/s7   0000000000000400
 x24/s8   ffffaf8012aa7610 x25/s9   0000000000000000 x26/s10  00000000000003e7 x27/s11  ffffaf8012aa7860
 x28/t3   0000000000000043 x29/t4   fffff5ef02554ec4 x30/t5   fffff5ef02554ec5 x31/t6   ffffaf8012aa7626
 f0/ft0   0000000000000000 f1/ft1   0000000000000000 f2/ft2   0000000000000000 f3/ft3   0000000000000000
 f4/ft4   0000000000000000 f5/ft5   0000000000000000 f6/ft6   0000000000000000 f7/ft7   0000000000000000
 f8/fs0   0000000000000000 f9/fs1   0000000000000000 f10/fa0  0000000000000000 f11/fa1  0000000000000000
 f12/fa2  0000000000000000 f13/fa3  0000000000000000 f14/fa4  0000000000000000 f15/fa5  0000000000000000
 f16/fa6  0000000000000000 f17/fa7  0000000000000000 f18/fs2  0000000000000000 f19/fs3  0000000000000000
 f20/fs4  0000000000000000 f21/fs5  0000000000000000 f22/fs6  0000000000000000 f23/fs7  0000000000000000
 f24/fs8  0000000000000000 f25/fs9  0000000000000000 f26/fs10 0000000000000000 f27/fs11 0000000000000000
 f28/ft8  0000000000000000 f29/ft9  0000000000000000 f30/ft10 0000000000000000 f31/ft11 0000000000000000
info registers vcpu 1
 pc       ffffffff804759c8
 mhartid  0000000000000001
 mstatus  00000000000000a2
 mip      0000000000000080
 mie      00000000000002aa
 mideleg  0000000000000222
 medeleg  000000000000b109
 mtvec    0000000080000540
 stvec    ffffffff800055d4
 mepc     ffffffff8000f97e
 sepc     00007fffb28f1264
 mcause   0000000000000009
 scause   0000000000000008
 mtval    0000000000000000
 stval    0000000000000000
 x0/zero  0000000000000000 x1/ra    ffffffff80119b52 x2/sp    ffffaf800bf877d0 x3/gp    ffffffff85863ac0
 x4/tp    ffffaf8009a80000 x5/t0    00000000000001f8 x6/t1    dd5ed1d0fe625300 x7/t2    ffffffffffffffff
 x8/s0    ffffaf800bf877e0 x9/s1    ffffaf800f441898 x10/a0   ffffaf800f441898 x11/a1   0000000000000003
 x12/a2   1ffff5f001e88313 x13/a3   ffffffff80119b52 x14/a4   0000000000000000 x15/a5   ffffaf800f441898
 x16/a6   0000000000f00000 x17/a7   ffffffff826e6226 x18/s2   0000000000000001 x19/s3   ffffaf8009a80000
 x20/s4   ffffaf800f4418a8 x21/s5   ffffaf800f4418a0 x22/s6   ffffaf800bf87960 x23/s7   ffffaf800bf87b00
 x24/s8   0000000000000000 x25/s9   0000000000004000 x26/s10  0000000000000040 x27/s11  0000000000000001
 x28/t3   fffffffff3f3f300 x29/t4   ffffffff80112282 x30/t5   1ffff5f0017f0eb4 x31/t6   0000000002617ba0
 f0/ft0   0000000000000000 f1/ft1   0000000000000000 f2/ft2   0000000000000000 f3/ft3   0000000000000000
 f4/ft4   0000000000000000 f5/ft5   0000000000000000 f6/ft6   0000000000000000 f7/ft7   0000000000000000
 f8/fs0   0000000000000000 f9/fs1   0000000000000000 f10/fa0  0000000000000000 f11/fa1  0000000000000000
 f12/fa2  0000000000000000 f13/fa3  0000000000000000 f14/fa4  0000000000000000 f15/fa5  0000000000000000
 f16/fa6  0000000000000000 f17/fa7  0000000000000000 f18/fs2  0000000000000000 f19/fs3  0000000000000000
 f20/fs4  0000000000000000 f21/fs5  0000000000000000 f22/fs6  0000000000000000 f23/fs7  0000000000000000
 f24/fs8  0000000000000000 f25/fs9  0000000000000000 f26/fs10 0000000000000000 f27/fs11 0000000000000000
 f28/ft8  0000000000000000 f29/ft9  0000000000000000 f30/ft10 0000000000000000 f31/ft11 0000000000000000
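The report above can be triaged mechanically. The script below is an added example, not part of syzkaller or the kernel: it pulls the fields a triager reads first out of a generic-KASAN console report (bug class, faulting function, access kind/size/address, task, kernel build, owning slab cache, the shadow byte that covers the faulting address, and whether the report escalated into a panic) and builds the title syzbot would give the crash. It assumes the console prefix format and KASAN report layout seen in this log; SAMPLE is an excerpt of the report above with those prefixes kept, and SHADOW_LEGEND holds the generic-KASAN shadow constants from mm/kasan/kasan.h.

```python
"""Added triage helper for a generic-KASAN console report (not syzkaller or
kernel code). SAMPLE is an excerpt of the report on this page, prefixes kept."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Generic KASAN shadow values (mm/kasan/kasan.h): one shadow byte per 8-byte granule.
SHADOW_LEGEND = {0x00: "addressable", 0xF1: "stack left redzone", 0xF2: "stack mid redzone",
                 0xF3: "stack right redzone", 0xF9: "global redzone", 0xFB: "freed",
                 0xFC: "kmalloc redzone", 0xFE: "page redzone", 0xFF: "free page"}
PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*[CT]\d+\]\s*")                       # "[  730.29][   C0] "
FRAME = re.compile(r"^(?:\[[^\]]*\]\s*)?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")     # "[] fn+0x1/0x2"
SHADOW = re.compile(r"^>?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?)+)$")                 # "ffff...: fc fc"

SAMPLE = """\
[  730.295153][    C0] BUG: KASAN: slab-out-of-bounds in walk_stackframe+0x11c/0x260
[  730.296500][    C0] Read of size 8 at addr ffffaf8012aa7b70 by task syz-executor.0/2056
[  730.300362][    C0] CPU: 0 PID: 2056 Comm: syz-executor.0 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[  730.301993][    C0] Hardware name: riscv-virtio,qemu (DT)
[  730.303115][    C0] Call Trace:
[  730.303999][    C0] [] dump_backtrace+0x2e/0x3c
[  730.305228][    C0] [] show_stack+0x34/0x40
[  730.306337][    C0] [] dump_stack_lvl+0xe4/0x150
[  730.307544][    C0] [] print_address_description.constprop.0+0x2a/0x330
[  730.308945][    C0] [] kasan_report+0x184/0x1e0
[  730.310512][    C0] [] __asan_load8+0x6e/0x96
[  730.311647][    C0] [] walk_stackframe+0x11c/0x260
[  730.313988][    C0] [] arch_stack_walk+0x2c/0x3c
[  730.315844][    C0] [] stack_trace_save+0xa6/0xd8
[  730.317750][    C0] [] save_stack+0x112/0x16c
[  730.319496][    C0] [] __set_page_owner+0x48/0x136
[  730.320954][    C0] [] post_alloc_hook+0xd0/0x10a
[  730.321945][    C0] [] get_page_from_freelist+0x8da/0x12d8
[  730.323111][    C0]
[  730.442512][    C0] The buggy address belongs to the object at ffffaf8012aa6000
[  730.442512][    C0]  which belongs to the cache kmalloc-4k of size 4096
[  730.444302][    C0] The buggy address is located 2928 bytes to the right of
[  730.444302][    C0]  4096-byte region [ffffaf8012aa6000, ffffaf8012aa7000)
[  730.493778][    C0] Memory state around the buggy address:
[  730.495744][    C0]  ffffaf8012aa7a80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[  730.496684][    C0] >ffffaf8012aa7b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  730.497572][    C0]                                                              ^
[  730.498597][    C0]  ffffaf8012aa7b80: fc fc fc fc fc fc fc fc f1 f1 f1 f1 00 00 00 f3
[  730.505939][ T2056] Kernel panic - not syncing: corrupted stack end detected inside scheduler
"""

@dataclass
class KasanTriage:
    bug: str
    func: str
    access: str
    size: int
    addr: int
    task: str
    pid: int
    kernel: str = ""
    hardware: str = ""
    cache: str = ""
    offset_note: str = ""
    panic: str = ""
    shadow_byte: Optional[int] = None
    shadow_meaning: str = ""
    call_trace: List[str] = field(default_factory=list)

def triage(log: str) -> KasanTriage:
    lines = [PREFIX.sub("", ln).rstrip() for ln in log.splitlines()]
    text = "\n".join(lines)
    hdr = re.search(r"BUG: KASAN: ([\w-]+) in ([\w.]+)\+0x", text)
    acc = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", text)
    if not (hdr and acc):
        raise ValueError("not a generic KASAN report")
    t = KasanTriage(*hdr.groups(), acc[1], int(acc[2]), int(acc[3], 16), acc[4], int(acc[5]))
    if m := re.search(r"(?:Not tainted|Tainted: [\w ]*?) (\d+\.\d+\.\S+) #\d+", text):
        t.kernel = m[1]
    if m := re.search(r"Hardware name: (.+)", text):
        t.hardware = m[1]
    if m := re.search(r"belongs to the cache (\S+) of size \d+", text):
        t.cache = m[1]
    if m := re.search(r"is located (\d+) bytes to the (left|right) of", text):
        t.offset_note = f"{m[1]} bytes to the {m[2]} of the {t.cache or 'reported'} object"
    if m := re.search(r"Kernel panic - not syncing: (.+)", text):
        t.panic = m[1]
    # Frames follow "Call Trace:" until the first line that is not a frame.
    if "Call Trace:" in lines:
        for ln in lines[lines.index("Call Trace:") + 1:]:
            f = FRAME.match(ln.strip())
            if not f:
                break
            t.call_trace.append(f[1])
    # Each shadow row covers 16 granules of 8 bytes; pick the byte covering addr
    # from the address arithmetic rather than trusting the caret line.
    for ln in lines:
        s = SHADOW.match(ln.strip())
        if s and 0 <= t.addr - int(s[1], 16) < 16 * 8:
            row = [int(b, 16) for b in s[2].split()]
            t.shadow_byte = row[(t.addr - int(s[1], 16)) // 8]
            t.shadow_meaning = SHADOW_LEGEND.get(t.shadow_byte, f"unknown 0x{t.shadow_byte:02x}")
    return t

def syzbot_title(t: KasanTriage) -> str:
    """Title in the form syzbot uses for KASAN crashes."""
    return f"KASAN: {t.bug} {t.access} in {t.func}"
```

On this log the faulting address resolves to an fc shadow byte (kmalloc redzone) 2928 bytes past the end of the kmalloc-4k object KASAN attributes it to, so the unwinder's 8-byte read lands in slab redzone rather than in any live object; the stack-depot warnings and the "corrupted stack end" panic that follow are consistent with the stack walk having gone off the end of the task stack.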