syzkaller login: [ 257.370270][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 265.799702][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 265.823484][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 284.699516][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
Warning: Permanently added '[localhost]:48622' (ECDSA) to the list of known hosts.
1970/01/01 00:05:23 fuzzer started
1970/01/01 00:05:39 dialing manager at localhost:37149
[ 347.023011][ T2032] cgroup: Unknown subsys name 'net'
[ 348.329215][ T2032] cgroup: Unknown subsys name 'rlimit'
1970/01/01 00:05:48 syscalls: 2870
1970/01/01 00:05:48 code coverage: enabled
1970/01/01 00:05:48 comparison tracing: enabled
1970/01/01 00:05:48 extra coverage: enabled
1970/01/01 00:05:48 delay kcov mmap: mmap returned an invalid pointer
1970/01/01 00:05:48 setuid sandbox: enabled
1970/01/01 00:05:48 namespace sandbox: enabled
1970/01/01 00:05:48 Android sandbox: /sys/fs/selinux/policy does not exist
1970/01/01 00:05:48 fault injection: enabled
1970/01/01 00:05:48 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
1970/01/01 00:05:48 net packet injection: enabled
1970/01/01 00:05:48 net device setup: enabled
1970/01/01 00:05:48 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
1970/01/01 00:05:48 devlink PCI setup: PCI device 0000:00:10.0 is not available
1970/01/01 00:05:48 USB emulation: enabled
1970/01/01 00:05:48 hci packet injection: /dev/vhci does not exist
1970/01/01 00:05:48 wifi device emulation: /sys/class/mac80211_hwsim/ does not exist
1970/01/01 00:05:48 802.15.4 emulation: /sys/bus/platform/devices/mac802154_hwsim does not exist
1970/01/01 00:05:48 fetching corpus: 0, signal 0/2000 (executing program)
1970/01/01 00:05:55 fetching corpus: 50, signal 28567/30898 (executing program)
1970/01/01 00:05:58 fetching corpus: 98, signal 42134/44379 (executing program)
1970/01/01 00:06:03 fetching corpus: 148, signal 54912/56413 (executing program)
1970/01/01 00:06:06 fetching corpus: 198, signal 60033/61162 (executing program)
1970/01/01 00:06:13 fetching corpus: 248, signal 64712/65270 (executing program)
1970/01/01 00:06:13 fetching corpus: 250, signal 64749/65400 (executing program)
1970/01/01 00:06:13 fetching corpus: 250, signal 64749/65513 (executing program)
1970/01/01 00:06:13 fetching corpus: 250, signal 64749/65613 (executing program)
1970/01/01 00:06:14 fetching corpus: 250, signal 64749/65714 (executing program)
1970/01/01 00:06:14 fetching corpus: 250, signal 64749/65807 (executing program)
1970/01/01 00:06:14 fetching corpus: 250, signal 64749/65902 (executing program)
1970/01/01 00:06:14 fetching corpus: 250, signal 64749/65976 (executing program)
1970/01/01 00:06:14 fetching corpus: 250, signal 64749/66092 (executing program)
1970/01/01 00:06:14 fetching corpus: 250, signal 64749/66186 (executing program)
1970/01/01 00:06:14 fetching corpus: 250, signal 64749/66273 (executing program)
1970/01/01 00:06:15 fetching corpus: 250, signal 64749/66359 (executing program)
1970/01/01 00:06:15 fetching corpus: 250, signal 64749/66465 (executing program)
1970/01/01 00:06:15 fetching corpus: 250, signal 64749/66558 (executing program)
1970/01/01 00:06:15 fetching corpus: 250, signal 64749/66658 (executing program)
1970/01/01 00:06:15 fetching corpus: 250, signal 64749/66755 (executing program)
1970/01/01 00:06:15 fetching corpus: 250, signal 64749/66850 (executing program)
1970/01/01 00:06:15 fetching corpus: 250, signal 64749/66946 (executing program)
1970/01/01 00:06:16 fetching corpus: 250, signal 64749/67060 (executing program)
1970/01/01 00:06:16 fetching corpus: 250, signal 64749/67168 (executing program)
1970/01/01 00:06:16 fetching corpus: 250, signal 64749/67272 (executing program)
1970/01/01 00:06:16 fetching corpus: 250, signal 64749/67368 (executing program)
1970/01/01 00:06:16 fetching corpus: 250, signal 64749/67475 (executing program)
1970/01/01 00:06:16 fetching corpus: 250, signal 64749/67572 (executing program)
1970/01/01 00:06:16 fetching corpus: 250, signal 64749/67658 (executing program)
1970/01/01 00:06:16 fetching corpus: 250, signal 64749/67756 (executing program)
1970/01/01 00:06:17 fetching corpus: 250, signal 64838/67864 (executing program)
1970/01/01 00:06:17 fetching corpus: 250, signal 64838/67960 (executing program)
1970/01/01 00:06:17 fetching corpus: 250, signal 64838/68052 (executing program)
1970/01/01 00:06:17 fetching corpus: 250, signal 64838/68053 (executing program)
1970/01/01 00:06:17 fetching corpus: 250, signal 64838/68053 (executing program)
1970/01/01 00:08:05 starting 2 fuzzer processes
00:08:05 executing program 0:
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./file1\x00', 0x0)
r0 = openat(0xffffffffffffff9c, &(0x7f0000000100)='./file1\x00', 0x0, 0x0)
getdents64(r0, 0x0, 0x0)
r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000580), 0x0, 0x0)
ioctl$TCXONC(r1, 0x540f, 0xea007)
syz_io_uring_setup(0x0, 0x0, &(0x7f00000a0000)=nil, &(0x7f0000ffd000/0x3000)=nil, 0x0, 0x0)
symlinkat(&(0x7f00000005c0)='./file1\x00', r0, &(0x7f0000000180)='./file1\x00')
getdents64(r0, &(0x7f0000000000)=""/69, 0x45)
00:08:05 executing program 1:
r0 = socket$inet_sctp(0x2, 0x1, 0x84)
ioctl$sock_ifreq(r0, 0x8992, &(0x7f00000000c0)={'veth1_to_team\x00', @ifru_names='veth0_to_batadv\x00'})
[ 506.516183][ T19] ==================================================================
[ 506.518967][ T19] BUG: KASAN: use-after-free in smpboot_thread_fn+0x6a/0x6cc
[ 506.520446][ T19] Write of size 8 at addr ffffaf8048f6ebb3 by task ksoftirqd/1/19
[ 506.522154][ T19]
[ 506.524140][ T19] CPU: 1 PID: 19 Comm: ksoftirqd/1 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 506.525771][ T19] Hardware name: riscv-virtio,qemu (DT)
[ 506.527554][ T19] Call Trace:
[ 506.528919][ T19] [] dump_backtrace+0x2e/0x3c
[ 506.530164][ T19] [] show_stack+0x34/0x40
[ 506.531303][ T19] [] dump_stack_lvl+0xe4/0x150
[ 506.532612][ T19] [] print_address_description.constprop.0+0x2a/0x330
[ 506.534076][ T19] [] kasan_report+0x184/0x1e0
[ 506.535340][ T19] [] __asan_store8+0x6e/0x96
[ 506.537342][ T19] [] smpboot_thread_fn+0x6a/0x6cc
[ 506.539102][ T19] [] kthread+0x19e/0x1fa
[ 506.540614][ T19]
[ 506.541292][ T19] The buggy address belongs to the page:
[ 506.542671][ T19] page:ffffaf807bace6f0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xc916e
[ 506.544271][ T19] flags: 0xc800000000(section=25|node=0|zone=0)
[ 506.546726][ T19] raw: 000000c800000000 ffffaf807bace6f8 ffffaf807bace6f8 0000000000000000
[ 506.548097][ T19] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 506.549225][ T19] raw: 00000000000007ff
[ 506.550087][ T19] page dumped because: kasan: bad access detected
[ 506.551227][ T19] page_owner info is not present (never set?)
[ 506.552217][ T19]
[ 506.552868][ T19] Memory state around the buggy address:
[ 506.554133][ T19] ffffaf8048f6ea80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 506.555278][ T19] ffffaf8048f6eb00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 506.557150][ T19] >ffffaf8048f6eb80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 506.558962][ T19] ^
[ 506.559951][ T19] ffffaf8048f6ec00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 506.561056][ T19] ffffaf8048f6ec80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 506.562201][ T19] ==================================================================
[ 506.563351][ T19] Disabling lock debugging due to kernel taint
[ 506.617843][ T19] Unable to handle kernel paging request at virtual address ffffaf7f8b935c90
[ 506.619968][ T19] Oops [#1]
[ 506.620736][ T19] Modules linked in:
[ 506.621710][ T19] CPU: 1 PID: 19 Comm: ksoftirqd/1 Tainted: G B 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 506.622892][ T19] Hardware name: riscv-virtio,qemu (DT)
[ 506.623603][ T19] epc : smpboot_thread_fn+0x6e/0x6cc
[ 506.624642][ T19] ra : smpboot_thread_fn+0x6a/0x6cc
[ 506.625583][ T19] epc : ffffffff800b1f24 ra : ffffffff800b1f20 sp : ffffaf800743be10
[ 506.627404][ T19] gp : ffffffff85863ac0 tp : ffffaf8007416100 t0 : 0000000000046000
[ 506.628425][ T19] t1 : fffff5ef012f2bc7 t2 : 0000000000000008 s0 : ffffaf800743be90
[ 506.629314][ T19] s1 : ffffaf80072eb3a0 a0 : 0000000000000001 a1 : 0000000000000007
[ 506.630227][ T19] a2 : 1ffff5f000e82c20 a3 : ffffffff831a6b2e a4 : 0000000000000000
[ 506.631129][ T19] a5 : ffffaf7f8b935730 a6 : 0000000000f00000 a7 : ffffaf8009795e3f
[ 506.632073][ T19] s2 : ffffffff80110fdc s3 : ffffffff8451f630 s4 : 0000000041b58ab3
[ 506.633038][ T19] s5 : 0000000000000001 s6 : ffffaf80072eb3a4 s7 : ffffffff800b1f0a
[ 506.633936][ T19] s8 : ffffaf8007416100 s9 : ffffffff801110e4 s10: ffffaf800743bf40
[ 506.634894][ T19] s11: ffffffff84a5aa90 t3 : 00007fffff513940 t4 : fffff5ef012f2bc7
[ 506.635862][ T19] t5 : fffff5ef012f2bc8 t6 : 2d32303030000000
[ 506.637443][ T19] status: 0000000000000120 badaddr: ffffaf7f8b935c90 cause: 000000000000000f
[ 506.638600][ T19] [] kthread+0x19e/0x1fa
[ 506.666988][ T19] ---[ end trace 0000000000000000 ]---
[ 506.668446][ T19] Kernel panic - not syncing: Fatal exception
[ 506.669431][ T19] SMP: stopping secondary CPUs
[ 506.670846][ T19] Rebooting in 86400 seconds..
VM DIAGNOSIS:
20:25:19 Registers:
info registers vcpu 0
pc ffffffff80396b42
mhartid 0000000000000000
mstatus 00000000000000a0
mip 0000000000000000
mie 00000000000002aa
mideleg 0000000000000222
medeleg 000000000000b109
mtvec 0000000080000540
stvec ffffffff800055d4
mepc ffffffff8000f97e
sepc ffffffff831afd22
mcause 0000000000000009
scause 8000000000000005
mtval 0000000000000000
stval 0000000000000000
x0/zero 0000000000000000
x1/ra ffffffff831a2618
x2/sp ffffaf801dbc36e0
x3/gp ffffffff85863ac0
x4/tp ffffaf800f941840
x5/t0 ffffaf800b8963a0
x6/t1 7d7bea8c9a351000
x7/t2 00000000216af401
x8/s0 ffffaf801dbc3670
x9/s1 ffffaf800f942840
x10/a0 0000000000000001
x11/a1 0000000000000003
x12/a2 1ffffffff0b132d0
x13/a3 0000000000040000
x14/a4 0000000000000000
x15/a5 ffffaf800f941860
x16/a6 0000000000f00000
x17/a7 ffffffff803d7000
x18/s2 ffffffff8343c848
x19/s3 ffffaf800f941840
x20/s4 ffffffff85891700
x21/s5 ffffffff85892a80
x22/s6 ffffaf800bab1268
x23/s7 0000000000000000
x24/s8 0000000000000260
x25/s9 ffffffff85863560
x26/s10 ffffaf800bab1280
x27/s11 ffffffff803d706e
x28/t3 fffffffff3f3f300
x29/t4 fffff5ef0175624b
x30/t5 fffff5ef0175624c
x31/t6 0000000000000004
f0/ft0 0000000000000000
f1/ft1 0000000000000000
f2/ft2 0000000000000000
f3/ft3 0000000000000000
f4/ft4 0000000000000000
f5/ft5 0000000000000000
f6/ft6 0000000000000000
f7/ft7 0000000000000000
f8/fs0 0000000000000000
f9/fs1 0000000000000000
f10/fa0 0000000000000000
f11/fa1 0000000000000000
f12/fa2 0000000000000000
f13/fa3 0000000000000000
f14/fa4 0000000000000000
f15/fa5 0000000000000000
f16/fa6 0000000000000000
f17/fa7 0000000000000000
f18/fs2 0000000000000000
f19/fs3 0000000000000000
f20/fs4 0000000000000000
f21/fs5 0000000000000000
f22/fs6 0000000000000000
f23/fs7 0000000000000000
f24/fs8 0000000000000000
f25/fs9 0000000000000000
f26/fs10 0000000000000000
f27/fs11 0000000000000000
f28/ft8 0000000000000000
f29/ft9 0000000000000000
f30/ft10 0000000000000000
f31/ft11 0000000000000000
info registers vcpu 1
pc ffffffff80dc337e
mhartid 0000000000000001
mstatus 00000000000000a0
mip 00000000000000a0
mie 000000000000022a
mideleg 0000000000000222
medeleg 000000000000b109
mtvec 0000000080000540
stvec ffffffff800055d4
mepc ffffffff8000a4a4
sepc ffffffff800bdb3e
mcause 8000000000000007
scause 8000000000000001
mtval 0000000000000000
stval 0000000000000000
x0/zero 0000000000000000
x1/ra ffffffff80dc337e
x2/sp ffffaf800743b850
x3/gp ffffffff85863ac0
x4/tp ffffaf8007416100
x5/t0 ffffffff86bcb657
x6/t1 7d7bea8c9a351000
x7/t2 0000000000000000
x8/s0 ffffaf800743b880
x9/s1 ffffffff86e58900
x10/a0 ffffffff86e58948
x11/a1 ffff8f800066c000
x12/a2 1ffffffff0dcb129
x13/a3 ffffffff80dc337e
x14/a4 0000000000000000
x15/a5 ffffffff86e58948
x16/a6 ffffffff86e589f1
x17/a7 ffffffff80dcc9fe
x18/s2 ffff8f800066c000
x19/s3 0000000000000032
x20/s4 ffffffff86e58900
x21/s5 ffffffff80dc333e
x22/s6 0000000000000000
x23/s7 ffffffff86bcb658
x24/s8 0000000000000010
x25/s9 ffffffff86e58958
x26/s10 0000000000000010
x27/s11 0000000000000000
x28/t3 fffffffff3f3f300
x29/t4 ffffffff80112282
x30/t5 1ffff5f000e876b8
x31/t6 ffffffff86bcb657
f0/ft0 0000000000000000
f1/ft1 0000000000000000
f2/ft2 0000000000000000
f3/ft3 0000000000000000
f4/ft4 0000000000000000
f5/ft5 0000000000000000
f6/ft6 0000000000000000
f7/ft7 0000000000000000
f8/fs0 0000000000000000
f9/fs1 0000000000000000
f10/fa0 0000000000000000
f11/fa1 0000000000000000
f12/fa2 0000000000000000
f13/fa3 0000000000000000
f14/fa4 0000000000000000
f15/fa5 0000000000000000
f16/fa6 0000000000000000
f17/fa7 0000000000000000
f18/fs2 0000000000000000
f19/fs3 0000000000000000
f20/fs4 0000000000000000
f21/fs5 0000000000000000
f22/fs6 0000000000000000
f23/fs7 0000000000000000
f24/fs8 0000000000000000
f25/fs9 0000000000000000
f26/fs10 0000000000000000
f27/fs11 0000000000000000
f28/ft8 0000000000000000
f29/ft9 0000000000000000
f30/ft10 0000000000000000
f31/ft11 0000000000000000