syzkaller login: [ 304.276562][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 304.354496][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 304.463626][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 304.509497][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 304.538982][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
Warning: Permanently added '[localhost]:47104' (ECDSA) to the list of known hosts.
1970/01/01 00:06:15 fuzzer started
1970/01/01 00:06:26 dialing manager at localhost:40001
[ 391.832555][ T2026] cgroup: Unknown subsys name 'net'
[ 393.285622][ T2026] cgroup: Unknown subsys name 'rlimit'
1970/01/01 00:06:33 syscalls: 2918
1970/01/01 00:06:33 code coverage: enabled
1970/01/01 00:06:33 comparison tracing: enabled
1970/01/01 00:06:33 extra coverage: enabled
1970/01/01 00:06:33 delay kcov mmap: mmap returned an invalid pointer
1970/01/01 00:06:33 setuid sandbox: enabled
1970/01/01 00:06:33 namespace sandbox: enabled
1970/01/01 00:06:33 Android sandbox: /sys/fs/selinux/policy does not exist
1970/01/01 00:06:33 fault injection: enabled
1970/01/01 00:06:33 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
1970/01/01 00:06:33 net packet injection: enabled
1970/01/01 00:06:33 net device setup: enabled
1970/01/01 00:06:33 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
1970/01/01 00:06:33 devlink PCI setup: PCI device 0000:00:10.0 is not available
1970/01/01 00:06:33 NIC VF setup: PCI device 0000:00:11.0 is not available
1970/01/01 00:06:33 USB emulation: enabled
1970/01/01 00:06:33 hci packet injection: /dev/vhci does not exist
1970/01/01 00:06:33 wifi device emulation: /sys/class/mac80211_hwsim/ does not exist
1970/01/01 00:06:33 802.15.4 emulation: /sys/bus/platform/devices/mac802154_hwsim does not exist
1970/01/01 00:06:39 fetching corpus: 50, signal 29453/31260 (executing program)
[ 400.760131][ C0] ==================================================================
[ 400.764145][ C0] BUG: KASAN: use-after-free in __bfs+0x154/0x394
[ 400.768013][ C0] Read of size 8 at addr ffffaf800d3b7ff0 by task dhcpcd/1859
[ 400.770235][ C0]
[ 400.772300][ C0] CPU: 0 PID: 1859 Comm: dhcpcd Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 400.773870][ C0] Hardware name: riscv-virtio,qemu (DT)
[ 400.774957][ C0] Call Trace:
[ 400.775786][ C0] [] dump_backtrace+0x2e/0x3c
[ 400.777399][ C0] [] show_stack+0x34/0x40
[ 400.779030][ C0] [] dump_stack_lvl+0xe4/0x150
[ 400.780874][ C0] [] print_address_description.constprop.0+0x2a/0x330
[ 400.782766][ C0] [] kasan_report+0x184/0x1e0
[ 400.783978][ C0] [] __asan_load8+0x6e/0x96
[ 400.785209][ C0] [] __bfs+0x154/0x394
[ 400.786410][ C0] [] check_path.constprop.0+0x24/0x46
[ 400.787688][ C0] [] check_noncircular+0x11a/0x1fe
[ 400.789120][ C0]
[ 400.789789][ C0] The buggy address belongs to the page:
[ 400.791307][ C0] page:ffffaf807aa01b78 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8d5b7
[ 400.793052][ C0] flags: 0x8800000000(section=17|node=0|zone=0)
[ 400.795472][ C0] raw: 0000008800000000 ffffaf807aae5dd8 ffffaf807aa74e40 0000000000000000
[ 400.796782][ C0] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 400.797889][ C0] raw: 00000000000007ff
[ 400.798724][ C0] page dumped because: kasan: bad access detected
[ 400.799851][ C0] page_owner tracks the page as freed
[ 400.800744][ C0] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x500cc2(GFP_HIGHUSER|__GFP_ACCOUNT), pid 2013, ts 353624773200, free_ts 353699784200
[ 400.803228][ C0]  __set_page_owner+0x48/0x136
[ 400.804342][ C0]  post_alloc_hook+0xd0/0x10a
[ 400.805282][ C0]  get_page_from_freelist+0x8da/0x12d8
[ 400.806349][ C0]  __alloc_pages+0x150/0x3b6
[ 400.807320][ C0]  alloc_pages+0x132/0x2a6
[ 400.808349][ C0]  pipe_write+0xbd2/0x10d6
[ 400.809357][ C0]  new_sync_write+0x296/0x3aa
[ 400.810425][ C0]  vfs_write+0x2de/0x334
[ 400.811406][ C0]  ksys_write+0x1c4/0x224
[ 400.812913][ C0]  sys_write+0x28/0x36
[ 400.813933][ C0]  ret_from_syscall+0x0/0x2
[ 400.815023][ C0] page last free stack trace:
[ 400.815747][ C0]  __reset_page_owner+0x4a/0xea
[ 400.816745][ C0]  free_pcp_prepare+0x29c/0x45e
[ 400.817745][ C0]  free_unref_page+0x6a/0x31e
[ 400.818744][ C0]  __put_page+0xf2/0x100
[ 400.819643][ C0]  anon_pipe_buf_release+0x154/0x19a
[ 400.820764][ C0]  pipe_read+0x3f2/0xa4c
[ 400.822148][ C0]  new_sync_read+0x3ae/0x3d8
[ 400.823244][ C0]  vfs_read+0x2ce/0x324
[ 400.824178][ C0]  ksys_read+0x1c4/0x224
[ 400.825128][ C0]  sys_read+0x28/0x36
[ 400.826072][ C0]  ret_from_syscall+0x0/0x2
[ 400.827262][ C0]
[ 400.827839][ C0] Memory state around the buggy address:
[ 400.829017][ C0]  ffffaf800d3b7e80: ff ff ff ff f1 f1 f1 f1 00 f3 f3 f3 ff ff ff ff
[ 400.830134][ C0]  ffffaf800d3b7f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 400.833122][ C0] >ffffaf800d3b7f80: 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 ff ff ff ff
[ 400.834253][ C0]                                                              ^
[ 400.835391][ C0]  ffffaf800d3b8000: 00 00 00 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
[ 400.836439][ C0]  ffffaf800d3b8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 400.837589][ C0] ==================================================================
[ 400.838642][ C0] Disabling lock debugging due to kernel taint
[ 400.885849][ T1859] Kernel panic - not syncing: corrupted stack end detected inside scheduler
[ 400.887662][ T1859] CPU: 0 PID: 1859 Comm: dhcpcd Tainted: G B 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 400.889069][ T1859] Hardware name: riscv-virtio,qemu (DT)
[ 400.889817][ T1859] Call Trace:
[ 400.890448][ T1859] [] dump_backtrace+0x2e/0x3c
[ 400.892427][ T1859] [] show_stack+0x34/0x40
[ 400.893648][ T1859] [] dump_stack_lvl+0xe4/0x150
[ 400.894864][ T1859] [] dump_stack+0x1c/0x24
[ 400.896107][ T1859] [] panic+0x24a/0x634
[ 400.897226][ T1859] [] schedule+0x0/0x14c
[ 400.898995][ T1859] [] preempt_schedule_irq+0x4a/0x13e
[ 400.900878][ T1859] [] resume_kernel+0x16/0x18
[ 400.902322][ T1859] SMP: stopping secondary CPUs
[ 400.904590][ T1859] Rebooting in 86400 seconds..

VM DIAGNOSIS:
20:15:41 Registers:
info registers vcpu 0
 pc       ffffffff80119b52
 mhartid  0000000000000000
 mstatus  00000000000000a2
 mip      0000000000000000
 mie      00000000000002aa
 mideleg  0000000000000222
 medeleg  000000000000b109
 mtvec    0000000080000540
 stvec    ffffffff800055d4
 mepc     ffffffff8000f97e
 sepc     ffffffff80475986
 mcause   0000000000000009
 scause   8000000000000005
 mtval    0000000000000000
 stval    0000000000000000
 x0/zero  0000000000000000 x1/ra    ffffffff80119b52 x2/sp    ffffaf800e4077e0 x3/gp    ffffffff85863ac0
 x4/tp    ffffaf800f351840 x5/t0    00000000000001f8 x6/t1    ce83ce65226d1d00 x7/t2    ffffffffffffffff
 x8/s0    ffffaf800e407820 x9/s1    ffffaf8007480c98 x10/a0   ffffaf8007480c98 x11/a1   0000000000000003
 x12/a2   1ffff5f000e90193 x13/a3   ffffffff80119b52 x14/a4   fffff5ef00e90193 x15/a5   ffffaf8007480c98
 x16/a6   0000000000f00000 x17/a7   ffffffff826e6226 x18/s2   0000000000000001 x19/s3   ffffaf800f351840
 x20/s4   ffffaf8007480ca8 x21/s5   ffffaf8007480ca0 x22/s6   ffffaf800e407960 x23/s7   ffffaf800e407b00
 x24/s8   0000000000000000 x25/s9   0000000000004000 x26/s10  0000000000000040 x27/s11  0000000000000001
 x28/t3   fffffffff3f3f300 x29/t4   ffffffff80112282 x30/t5   1ffff5f001c80eb4 x31/t6   000000000366774c
 f0/ft0   0000000000000000 f1/ft1   0000000000000000 f2/ft2   0000000000000000 f3/ft3   0000000000000000
 f4/ft4   0000000000000000 f5/ft5   0000000000000000 f6/ft6   0000000000000000 f7/ft7   0000000000000000
 f8/fs0   0000000000000000 f9/fs1   0000000000000000 f10/fa0  0000000000000000 f11/fa1  0000000000000000
 f12/fa2  0000000000000000 f13/fa3  0000000000000000 f14/fa4  0000000000000000 f15/fa5  0000000000000000
 f16/fa6  0000000000000000 f17/fa7  0000000000000000 f18/fs2  0000000000000000 f19/fs3  0000000000000000
 f20/fs4  0000000000000000 f21/fs5  0000000000000000 f22/fs6  0000000000000000 f23/fs7  0000000000000000
 f24/fs8  0000000000000000 f25/fs9  0000000000000000 f26/fs10 0000000000000000 f27/fs11 0000000000000000
 f28/ft8  0000000000000000 f29/ft9  0000000000000000 f30/ft10 0000000000000000 f31/ft11 0000000000000000
info registers vcpu 1
 pc       ffffffff801229fc
 mhartid  0000000000000001
 mstatus  00000000000000a0
 mip      00000000000000a0
 mie      000000000000022a
 mideleg  0000000000000222
 medeleg  000000000000b109
 mtvec    0000000080000540
 stvec    ffffffff800055d4
 mepc     ffffffff80200f3e
 sepc     ffffffff80115bbc
 mcause   8000000000000007
 scause   8000000000000009
 mtval    0000000000000000
 stval    0000000000000000
 x0/zero  0000000000000000 x1/ra    ffffffff801229f8 x2/sp    ffffaf800d3b7980 x3/gp    ffffffff85863ac0
 x4/tp    ffffaf800bbe1840 x5/t0    ffffffff86bd8e60 x6/t1    fffff5ef01a76f38 x7/t2    0000000000000000
 x8/s0    ffffaf800d3b7a50 x9/s1    ffffaf800d3b7b40 x10/a0   0000000000000000 x11/a1   00000000000f0000
 x12/a2   0000000000000505 x13/a3   ffffffff801229f8 x14/a4   ffffaf800bbe1840 x15/a5   0000000000000000
 x16/a6   0000000000f00000 x17/a7   ffffaf800d3b79c7 x18/s2   0000000000000020 x19/s3   ffffaf800d3b7b48
 x20/s4   ffffffff85889780 x21/s5   1ffff5f001a76f34 x22/s6   ffffffff84b3cd18 x23/s7   00000000ffffe2c5
 x24/s8   00000000ffffe2c5 x25/s9   1ffff5f001a76f58 x26/s10  ffffffff85889780 x27/s11  ffffaf800d3b7b40
 x28/t3   1ffff5f001a76fa0 x29/t4   fffff5ef01a76f38 x30/t5   fffff5ef01a76f39 x31/t6   ffffffff86bd8e63
 f0/ft0   0000000000000000 f1/ft1   0000000000000000 f2/ft2   0000000000000000 f3/ft3   0000000000000000
 f4/ft4   0000000000000000 f5/ft5   0000000000000000 f6/ft6   0000000000000000 f7/ft7   0000000000000000
 f8/fs0   0000000000000000 f9/fs1   0000000000000000 f10/fa0  0000000000000000 f11/fa1  0000000000000000
 f12/fa2  0000000000000000 f13/fa3  0000000000000000 f14/fa4  ffffffff447a0000 f15/fa5  40501b0200000000
 f16/fa6  0000000000000000 f17/fa7  0000000000000000 f18/fs2  0000000000000000 f19/fs3  0000000000000000
 f20/fs4  0000000000000000 f21/fs5  0000000000000000 f22/fs6  0000000000000000 f23/fs7  0000000000000000
 f24/fs8  0000000000000000 f25/fs9  0000000000000000 f26/fs10 0000000000000000 f27/fs11 0000000000000000
 f28/ft8  0000000000000000 f29/ft9  0000000000000000 f30/ft10 0000000000000000 f31/ft11 0000000000000000