syzkaller login: [ 266.646004][ T1860] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 275.588901][ T1860] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 275.640615][ T1860] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 275.705424][ T1860] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
Warning: Permanently added '[localhost]:32946' (ECDSA) to the list of known hosts.
1970/01/01 00:05:35 fuzzer started
1970/01/01 00:05:51 dialing manager at localhost:44711
[ 359.306607][ T2033] cgroup: Unknown subsys name 'net'
[ 360.400392][ T2033] cgroup: Unknown subsys name 'rlimit'
1970/01/01 00:06:00 syscalls: 2918
1970/01/01 00:06:00 code coverage: enabled
1970/01/01 00:06:00 comparison tracing: ioctl(KCOV_DISABLE) failed: invalid argument
1970/01/01 00:06:00 extra coverage: enabled
1970/01/01 00:06:00 delay kcov mmap: mmap returned an invalid pointer
1970/01/01 00:06:00 setuid sandbox: enabled
1970/01/01 00:06:00 namespace sandbox: enabled
1970/01/01 00:06:00 Android sandbox: /sys/fs/selinux/policy does not exist
1970/01/01 00:06:00 fault injection: enabled
1970/01/01 00:06:00 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
1970/01/01 00:06:00 net packet injection: enabled
1970/01/01 00:06:00 net device setup: enabled
1970/01/01 00:06:00 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
1970/01/01 00:06:00 devlink PCI setup: PCI device 0000:00:10.0 is not available
1970/01/01 00:06:00 NIC VF setup: PCI device 0000:00:11.0 is not available
1970/01/01 00:06:00 USB emulation: enabled
1970/01/01 00:06:00 hci packet injection: /dev/vhci does not exist
1970/01/01 00:06:00 wifi device emulation: /sys/class/mac80211_hwsim/ does not exist
1970/01/01 00:06:00 802.15.4 emulation: /sys/bus/platform/devices/mac802154_hwsim does not exist
1970/01/01 00:06:00 fetching corpus: 0, signal 0/2000 (executing program)
1970/01/01 00:06:05 fetching corpus: 50, signal 35199/38542 (executing program)
1970/01/01 00:06:08 fetching corpus: 99, signal 45024/49774 (executing program)
1970/01/01 00:06:12 fetching corpus: 148, signal 52568/58672 (executing program)
1970/01/01 00:06:15 fetching corpus: 198, signal 57328/64740 (executing program)
1970/01/01 00:06:18 fetching corpus: 246, signal 64509/72942 (executing program)
1970/01/01 00:06:21 fetching corpus: 296, signal 70447/79880 (executing program)
1970/01/01 00:06:23 fetching corpus: 346, signal 74234/84713 (executing program)
1970/01/01 00:06:26 fetching corpus: 396, signal 78357/89792 (executing program)
1970/01/01 00:06:28 fetching corpus: 446, signal 82615/94908 (executing program)
1970/01/01 00:06:31 fetching corpus: 496, signal 86474/99598 (executing program)
1970/01/01 00:06:34 fetching corpus: 546, signal 89510/103523 (executing program)
1970/01/01 00:06:38 fetching corpus: 595, signal 93001/107773 (executing program)
1970/01/01 00:06:40 fetching corpus: 645, signal 95227/110876 (executing program)
1970/01/01 00:06:43 fetching corpus: 695, signal 99117/115357 (executing program)
1970/01/01 00:06:46 fetching corpus: 745, signal 102324/119183 (executing program)
1970/01/01 00:06:48 fetching corpus: 792, signal 104031/121651 (executing program)
1970/01/01 00:06:51 fetching corpus: 842, signal 106425/124638 (executing program)
1970/01/01 00:06:55 fetching corpus: 892, signal 108069/126980 (executing program)
1970/01/01 00:06:57 fetching corpus: 942, signal 109943/129489 (executing program)
1970/01/01 00:07:00 fetching corpus: 992, signal 111655/131887 (executing program)
1970/01/01 00:07:03 fetching corpus: 1042, signal 113577/134387 (executing program)
1970/01/01 00:07:05 fetching corpus: 1091, signal 115591/136920 (executing program)
1970/01/01 00:07:07 fetching corpus: 1138, signal 117059/138979 (executing program)
1970/01/01 00:07:11 fetching corpus: 1188, signal 118721/141163 (executing program)
1970/01/01 00:07:14 fetching corpus: 1238, signal 120283/143230 (executing program)
1970/01/01 00:07:17 fetching corpus: 1288, signal 122449/145722 (executing program)
1970/01/01 00:07:20 fetching corpus: 1338, signal 124162/147849 (executing program)
1970/01/01 00:07:23 fetching corpus: 1387, signal 126068/150030 (executing program)
1970/01/01 00:07:27 fetching corpus: 1436, signal 127808/152174 (executing program)
1970/01/01 00:07:29 fetching corpus: 1484, signal 128639/153604 (executing program)
1970/01/01 00:07:32 fetching corpus: 1534, signal 130513/155718 (executing program)
1970/01/01 00:07:34 fetching corpus: 1584, signal 131861/157402 (executing program)
1970/01/01 00:07:37 fetching corpus: 1634, signal 133562/159313 (executing program)
1970/01/01 00:07:39 fetching corpus: 1684, signal 135988/161704 (executing program)
1970/01/01 00:07:42 fetching corpus: 1733, signal 137914/163722 (executing program)
1970/01/01 00:07:44 fetching corpus: 1783, signal 138820/165019 (executing program)
1970/01/01 00:07:47 fetching corpus: 1833, signal 140303/166698 (executing program)
1970/01/01 00:07:53 fetching corpus: 1882, signal 141843/168395 (executing program)
1970/01/01 00:07:55 fetching corpus: 1932, signal 142913/169730 (executing program)
1970/01/01 00:07:58 fetching corpus: 1982, signal 144733/171468 (executing program)
1970/01/01 00:08:02 fetching corpus: 2032, signal 146764/173290 (executing program)
1970/01/01 00:08:04 fetching corpus: 2081, signal 148236/174807 (executing program)
1970/01/01 00:08:08 fetching corpus: 2131, signal 149636/176267 (executing program)
1970/01/01 00:08:09 fetching corpus: 2181, signal 151576/177991 (executing program)
1970/01/01 00:08:12 fetching corpus: 2231, signal 152970/179410 (executing program)
1970/01/01 00:08:15 fetching corpus: 2281, signal 153950/180524 (executing program)
1970/01/01 00:08:17 fetching corpus: 2331, signal 154930/181597 (executing program)
1970/01/01 00:08:20 fetching corpus: 2380, signal 155931/182692 (executing program)
1970/01/01 00:08:23 fetching corpus: 2429, signal 157150/183902 (executing program)
1970/01/01 00:08:25 fetching corpus: 2479, signal 158423/185101 (executing program)
1970/01/01 00:08:28 fetching corpus: 2528, signal 159402/186151 (executing program)
1970/01/01 00:08:30 fetching corpus: 2578, signal 160289/187124 (executing program)
1970/01/01 00:08:33 fetching corpus: 2628, signal 161274/188103 (executing program)
1970/01/01 00:08:35 fetching corpus: 2678, signal 162045/188996 (executing program)
1970/01/01 00:08:38 fetching corpus: 2728, signal 163091/190014 (executing program)
1970/01/01 00:08:40 fetching corpus: 2777, signal 163818/190826 (executing program)
1970/01/01 00:08:43 fetching corpus: 2827, signal 165001/191852 (executing program)
1970/01/01 00:08:45 fetching corpus: 2877, signal 165778/192672 (executing program)
1970/01/01 00:08:47 fetching corpus: 2926, signal 166517/193479 (executing program)
1970/01/01 00:08:50 fetching corpus: 2975, signal 167085/194198 (executing program)
1970/01/01 00:08:53 fetching corpus: 3025, signal 167650/194873 (executing program)
1970/01/01 00:08:54 fetching corpus: 3074, signal 168247/195586 (executing program)
1970/01/01 00:08:57 fetching corpus: 3124, signal 169116/196371 (executing program)
1970/01/01 00:09:00 fetching corpus: 3174, signal 169814/197057 (executing program)
1970/01/01 00:09:02 fetching corpus: 3224, signal 170481/197729 (executing program)
1970/01/01 00:09:05 fetching corpus: 3274, signal 171281/198462 (executing program)
1970/01/01 00:09:08 fetching corpus: 3324, signal 171978/199130 (executing program)
1970/01/01 00:09:10 fetching corpus: 3372, signal 172625/199773 (executing program)
1970/01/01 00:09:12 fetching corpus: 3422, signal 173225/200377 (executing program)
1970/01/01 00:09:16 fetching corpus: 3472, signal 173950/201060 (executing program)
1970/01/01 00:09:18 fetching corpus: 3522, signal 174751/201736 (executing program)
1970/01/01 00:09:20 fetching corpus: 3572, signal 175689/202449 (executing program)
1970/01/01 00:09:23 fetching corpus: 3621, signal 176472/203047 (executing program)
1970/01/01 00:09:26 fetching corpus: 3670, signal 177163/203591 (executing program)
1970/01/01 00:09:28 fetching corpus: 3719, signal 177894/204161 (executing program)
1970/01/01 00:09:30 fetching corpus: 3769, signal 178575/204663 (executing program)
1970/01/01 00:09:34 fetching corpus: 3818, signal 179144/205149 (executing program)
1970/01/01 00:09:36 fetching corpus: 3867, signal 179795/205676 (executing program)
1970/01/01 00:09:38 fetching corpus: 3917, signal 180551/206158 (executing program)
1970/01/01 00:09:40 fetching corpus: 3966, signal 181357/206645 (executing program)
1970/01/01 00:09:43 fetching corpus: 4016, signal 181971/207102 (executing program)
1970/01/01 00:09:46 fetching corpus: 4066, signal 182864/207612 (executing program)
1970/01/01 00:09:48 fetching corpus: 4116, signal 185174/208423 (executing program)
1970/01/01 00:09:50 fetching corpus: 4166, signal 185980/208867 (executing program)
1970/01/01 00:09:54 fetching corpus: 4216, signal 186569/209254 (executing program)
1970/01/01 00:09:56 fetching corpus: 4266, signal 187266/209669 (executing program)
1970/01/01 00:09:58 fetching corpus: 4316, signal 187966/210011 (executing program)
1970/01/01 00:10:00 fetching corpus: 4366, signal 188956/210439 (executing program)
1970/01/01 00:10:04 fetching corpus: 4415, signal 189561/210779 (executing program)
1970/01/01 00:10:09 fetching corpus: 4465, signal 190418/211131 (executing program)
1970/01/01 00:10:12 fetching corpus: 4515, signal 191017/211430 (executing program)
1970/01/01 00:10:14 fetching corpus: 4564, signal 191598/211723 (executing program)
1970/01/01 00:10:18 fetching corpus: 4614, signal 192094/212000 (executing program)
1970/01/01 00:10:20 fetching corpus: 4663, signal 192616/212273 (executing program)
1970/01/01 00:10:22 fetching corpus: 4713, signal 193259/212559 (executing program)
1970/01/01 00:10:24 fetching corpus: 4762, signal 193744/212818 (executing program)
1970/01/01 00:10:27 fetching corpus: 4812, signal 194316/213064 (executing program)
1970/01/01 00:10:31 fetching corpus: 4861, signal 194975/213343 (executing program)
1970/01/01 00:10:34 fetching corpus: 4910, signal 195469/213607 (executing program)
1970/01/01 00:10:36 fetching corpus: 4960, signal 196072/213812 (executing program)
1970/01/01 00:10:40 fetching corpus: 5010, signal 196584/214039 (executing program)
1970/01/01 00:10:44 fetching corpus: 5060, signal 197194/214231 (executing program)
1970/01/01 00:10:47 fetching corpus: 5108, signal 197830/214430 (executing program)
1970/01/01 00:10:49 fetching corpus: 5158, signal 198303/214624 (executing program)
1970/01/01 00:10:51 fetching corpus: 5208, signal 198893/214790 (executing program)
1970/01/01 00:10:53 fetching corpus: 5257, signal 199602/214985 (executing program)
1970/01/01 00:10:55 fetching corpus: 5307, signal 200209/215062 (executing program)
1970/01/01 00:10:59 fetching corpus: 5357, signal 200940/215062 (executing program)
1970/01/01 00:11:01 fetching corpus: 5407, signal 201582/215063 (executing program)
1970/01/01 00:11:04 fetching corpus: 5457, signal 202818/215063 (executing program)
1970/01/01 00:11:06 fetching corpus: 5507, signal 203401/215063 (executing program)
1970/01/01 00:11:08 fetching corpus: 5556, signal 203810/215063 (executing program)
1970/01/01 00:11:12 fetching corpus: 5606, signal 204424/215063 (executing program)
1970/01/01 00:11:15 fetching corpus: 5655, signal 205027/215083 (executing program)
1970/01/01 00:11:18 fetching corpus: 5705, signal 205482/215083 (executing program)
1970/01/01 00:11:19 fetching corpus: 5755, signal 205964/215083 (executing program)
1970/01/01 00:11:22 fetching corpus: 5805, signal 206455/215104 (executing program)
1970/01/01 00:11:24 fetching corpus: 5854, signal 206784/215104 (executing program)
1970/01/01 00:11:27 fetching corpus: 5904, signal 207416/215104 (executing program)
1970/01/01 00:11:29 fetching corpus: 5954, signal 207868/215104 (executing program)
1970/01/01 00:11:32 fetching corpus: 6004, signal 208325/215134 (executing program)
1970/01/01 00:11:35 fetching corpus: 6054, signal 209010/215134 (executing program)
1970/01/01 00:11:37 fetching corpus: 6104, signal 209408/215134 (executing program)
1970/01/01 00:11:40 fetching corpus: 6154, signal 209958/215137 (executing program)
1970/01/01 00:11:42 fetching corpus: 6204, signal 210395/215151 (executing program)
1970/01/01 00:11:45 fetching corpus: 6254, signal 210866/215151 (executing program)
1970/01/01 00:11:47 fetching corpus: 6304, signal 211324/215153 (executing program)
1970/01/01 00:11:49 fetching corpus: 6354, signal 211805/215156 (executing program)
1970/01/01 00:11:51 fetching corpus: 6404, signal 212286/215156 (executing program)
1970/01/01 00:11:54 fetching corpus: 6453, signal 212820/215156 (executing program)
1970/01/01 00:11:55 fetching corpus: 6465, signal 212909/215156 (executing program)
1970/01/01 00:11:55 fetching corpus: 6465, signal 212909/215168 (executing program)
1970/01/01 00:11:55 fetching corpus: 6465, signal 212909/215168 (executing program)
1970/01/01 00:13:52 starting 2 fuzzer processes
00:13:52 executing program 0:
r0 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r0, &(0x7f0000000b80)={0x0, 0x0, &(0x7f0000000040)={&(0x7f00000001c0)={{0x14}, [@NFT_MSG_DELCHAIN={0x14}, @NFT_MSG_NEWFLOWTABLE={0x6c, 0x16, 0xa, 0x801, 0x0, 0x0, {0xa}, [@NFTA_FLOWTABLE_NAME={0x9, 0x2, 'syz1\x00'}, @NFTA_FLOWTABLE_TABLE={0x9, 0x1, 'syz1\x00'}, @NFTA_FLOWTABLE_HOOK={0x40, 0x3, 0x0, 0x1, [@NFTA_FLOWTABLE_HOOK_NUM={0x8}, @NFTA_FLOWTABLE_HOOK_DEVS={0x2c, 0x3, 0x0, 0x1, [{0x14, 0x1, 'veth1_vlan\x00'}, {0x14, 0x1, 'veth0_macvtap\x00'}]}, @NFTA_FLOWTABLE_HOOK_PRIORITY={0x8}]}]}], {0x14}}, 0xa8}}, 0x0)
00:13:52 executing program 1:
r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$BLKROGET(r0, 0x1268, &(0x7f0000000100))
[ 865.473453][ T2038] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 865.635153][ T2038] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 868.048032][ T2039] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 868.167303][ T2039] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 882.397782][ T2038] device hsr_slave_0 entered promiscuous mode
[ 882.485607][ T2038] device hsr_slave_1 entered promiscuous mode
[ 885.237331][ T2039] device hsr_slave_0 entered promiscuous mode
[ 885.327075][ T2039] device hsr_slave_1 entered promiscuous mode
[ 885.350726][ T2039] debugfs: Directory 'hsr0' with parent 'hsr' already present!
[ 885.358453][ T2039] Cannot create hsr debugfs directory
[ 893.433325][ T2038] netdevsim netdevsim1 netdevsim0: renamed from eth0
[ 893.656682][ T2038] netdevsim netdevsim1 netdevsim1: renamed from eth1
[ 894.019010][ T2038] netdevsim netdevsim1 netdevsim2: renamed from eth2
[ 894.310707][ T2038] netdevsim netdevsim1 netdevsim3: renamed from eth3
[ 895.377310][ T2039] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 895.595889][ T2039] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 895.720015][ T2039] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 895.828489][ T2039] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 905.906040][ C0] ==================================================================
[ 905.909547][ C0] BUG: KASAN: slab-out-of-bounds in walk_stackframe+0x11c/0x260
[ 905.910881][ C0] Read of size 8 at addr ffffaf80081bbe50 by task syz-executor.1/2038
[ 905.913087][ C0]
[ 905.914463][ C0] CPU: 0 PID: 2038 Comm: syz-executor.1 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 905.915941][ C0] Hardware name: riscv-virtio,qemu (DT)
[ 905.917153][ C0] Call Trace:
[ 905.918140][ C0] [] dump_backtrace+0x2e/0x3c
[ 905.919464][ C0] [] show_stack+0x34/0x40
[ 905.920741][ C0] [] dump_stack_lvl+0xe4/0x150
[ 905.922877][ C0] [] print_address_description.constprop.0+0x2a/0x330
[ 905.924582][ C0] [] kasan_report+0x184/0x1e0
[ 905.926027][ C0] [] __asan_load8+0x6e/0x96
[ 905.927316][ C0] [] walk_stackframe+0x11c/0x260
[ 905.928613][ C0] [] arch_stack_walk+0x2c/0x3c
[ 905.929954][ C0] [] stack_trace_save+0xa6/0xd8
[ 905.931460][ C0] [] kasan_save_stack+0x2c/0x58
[ 905.933312][ C0]
[ 905.934058][ C0] Allocated by task 0:
[ 905.934794][ C0] (stack is not available)
[ 905.935564][ C0]
[ 905.936211][ C0] Last potentially related work creation:
[ 905.937189][ C0] ------------[ cut here ]------------
[ 905.938125][ C0] slab index 870592 out of bounds (319) for stack id 0f0d48c0
[ 905.942437][ C0] WARNING: CPU: 0 PID: 2038 at lib/stackdepot.c:304 stack_depot_print+0x66/0x70
[ 905.944075][ C0] Modules linked in:
[ 905.945074][ C0] CPU: 0 PID: 2038 Comm: syz-executor.1 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 905.946359][ C0] Hardware name: riscv-virtio,qemu (DT)
[ 905.947268][ C0] epc : stack_depot_print+0x66/0x70
[ 905.948518][ C0]  ra : stack_depot_print+0x66/0x70
[ 905.949803][ C0] epc : ffffffff80c00b8a ra : ffffffff80c00b8a sp : ffffaf80081bbd10
[ 905.951073][ C0]  gp : ffffffff85863ac0 tp : ffffaf800f0d48c0 t0 : ffffffff86bcb657
[ 905.952944][ C0]  t1 : fffff5ef0b53910c t2 : 0000000000000000 s0 : ffffaf80081bbd20
[ 905.954194][ C0]  s1 : ffffaf807a890c98 a0 : 000000000000003b a1 : 00000000000f0000
[ 905.955417][ C0]  a2 : 0000000000000506 a3 : ffffffff8012252a a4 : b531743c48f2fc00
[ 905.956609][ C0]  a5 : b531743c48f2fc00 a6 : 0000000000f00000 a7 : ffffaf805a9c8863
[ 905.957882][ C0]  s2 : ffffaf80081bbe50 s3 : ffffaf80072ed280 s4 : ffffaf80081bbd98
[ 905.959156][ C0]  s5 : ffffaf80081bbe40 s6 : 0000000000003fff s7 : ffffaf80081bbdf0
[ 905.960427][ C0]  s8 : 0000000000400000 s9 : ffffffffffffc000 s10: ffffaf80081bbec0
[ 905.962188][ C0]  s11: 0000000000000008 t3 : fffffffff3f3f300 t4 : fffff5ef0b53910c
[ 905.963813][ C0]  t5 : fffff5ef0b53910d t6 : ffffaf80081bb818
[ 905.964740][ C0] status: 0000000000000100 badaddr: 0000000000000000 cause: 0000000000000003
[ 905.965947][ C0] [] print_address_description.constprop.0+0x2fc/0x330
[ 905.967431][ C0] [] kasan_report+0x184/0x1e0
[ 905.968651][ C0] [] __asan_load8+0x6e/0x96
[ 905.969686][ C0] [] walk_stackframe+0x11c/0x260
[ 905.970821][ C0] [] arch_stack_walk+0x2c/0x3c
[ 905.972526][ C0] [] stack_trace_save+0xa6/0xd8
[ 905.973879][ C0] [] kasan_save_stack+0x2c/0x58
[ 905.975356][ C0] irq event stamp: 129283
[ 905.976202][ C0] hardirqs last  enabled at (129282): [] _raw_spin_unlock_irqrestore+0x68/0x98
[ 905.977805][ C0] hardirqs last disabled at (129283): [] _raw_spin_lock_irqsave+0x60/0x62
[ 905.979432][ C0] softirqs last  enabled at (129174): [] __do_softirq+0x618/0x8fc
[ 905.980970][ C0] softirqs last disabled at (129179): [] __irq_exit_rcu+0x142/0x1f8
[ 905.983274][ C0] ---[ end trace 0000000000000000 ]---
[ 905.984639][ C0]
[ 905.985288][ C0] Second to last potentially related work creation:
[ 905.986116][ C0] ------------[ cut here ]------------
[ 905.986925][ C0] slab index 2076544 out of bounds (319) for stack id ffffaf80
[ 905.990440][ C0] WARNING: CPU: 0 PID: 2038 at lib/stackdepot.c:304 stack_depot_print+0x66/0x70
[ 905.992541][ C0] Modules linked in:
[ 905.993775][ C0] CPU: 0 PID: 2038 Comm: syz-executor.1 Tainted: G W 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 905.995474][ C0] Hardware name: riscv-virtio,qemu (DT)
[ 905.996404][ C0] epc : stack_depot_print+0x66/0x70
[ 905.997657][ C0]  ra : stack_depot_print+0x66/0x70
[ 905.998813][ C0] epc : ffffffff80c00b8a ra : ffffffff80c00b8a sp : ffffaf80081bbd10
[ 905.999780][ C0]  gp : ffffffff85863ac0 tp : ffffaf800f0d48c0 t0 : ffffffff86bcb657
[ 906.000778][ C0]  t1 : fffff5ef0b53910c t2 : 0000000000000000 s0 : ffffaf80081bbd20
[ 906.002493][ C0]  s1 : ffffaf807a890c98 a0 : 000000000000003c a1 : 00000000000f0000
[ 906.004043][ C0]  a2 : 0000000000000506 a3 : ffffffff8012252a a4 : b531743c48f2fc00
[ 906.005348][ C0]  a5 : b531743c48f2fc00 a6 : 0000000000f00000 a7 : ffffaf805a9c8863
[ 906.006551][ C0]  s2 : ffffaf80081bbe50 s3 : ffffaf80072ed280 s4 : ffffaf80081bbd98
[ 906.007747][ C0]  s5 : ffffaf80081bbe40 s6 : 0000000000003fff s7 : ffffaf80081bbdf0
[ 906.009231][ C0]  s8 : 0000000000400000 s9 : ffffffffffffc000 s10: ffffaf80081bbec0
[ 906.012045][ C0]  s11: 0000000000000008 t3 : fffffffff3f3f300 t4 : fffff5ef0b53910c
[ 906.013833][ C0]  t5 : fffff5ef0b53910d t6 : ffffaf80081bb818
[ 906.014876][ C0] status: 0000000000000100 badaddr: 0000000000000000 cause: 0000000000000003
[ 906.015919][ C0] [] print_address_description.constprop.0+0x2ae/0x330
[ 906.018711][ C0] [] kasan_report+0x184/0x1e0
[ 906.019923][ C0] [] __asan_load8+0x6e/0x96
[ 906.021057][ C0] [] walk_stackframe+0x11c/0x260
[ 906.022620][ C0] [] arch_stack_walk+0x2c/0x3c
[ 906.023750][ C0] [] stack_trace_save+0xa6/0xd8
[ 906.024904][ C0] [] kasan_save_stack+0x2c/0x58
[ 906.026132][ C0] irq event stamp: 129283
[ 906.026881][ C0] hardirqs last  enabled at (129282): [] _raw_spin_unlock_irqrestore+0x68/0x98
[ 906.028268][ C0] hardirqs last disabled at (129283): [] _raw_spin_lock_irqsave+0x60/0x62
[ 906.029601][ C0] softirqs last  enabled at (129174): [] __do_softirq+0x618/0x8fc
[ 906.030872][ C0] softirqs last disabled at (129179): [] __irq_exit_rcu+0x142/0x1f8
[ 906.032826][ C0] ---[ end trace 0000000000000000 ]---
[ 906.033763][ C0]
[ 906.034380][ C0] The buggy address belongs to the object at ffffaf80081bbd98
[ 906.034380][ C0]  which belongs to the cache kernfs_node_cache of size 168
[ 906.035912][ C0] The buggy address is located 16 bytes to the right of
[ 906.035912][ C0]  168-byte region [ffffaf80081bbd98, ffffaf80081bbe40)
[ 906.037634][ C0] The buggy address belongs to the page:
[ 906.039039][ C0] page:ffffaf807a890c98 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x883bb
[ 906.040714][ C0] flags: 0x8800000200(slab|section=17|node=0|zone=0)
[ 906.043615][ C0] raw: 0000008800000200 0000000000000000 0000000000000122 ffffaf80072ed280
[ 906.045028][ C0] raw: 0000000000000000 0000000000110011 00000001ffffffff 0000000000000000
[ 906.046291][ C0] raw: 00000000000007ff
[ 906.047190][ C0] page dumped because: kasan: bad access detected
[ 906.048487][ C0] page_owner tracks the page as allocated
[ 906.049570][ C0] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 2038, ts 848416074500, free_ts 842715655000
[ 906.052885][ C0]  __set_page_owner+0x48/0x136
[ 906.054204][ C0]  post_alloc_hook+0xd0/0x10a
[ 906.055357][ C0]  get_page_from_freelist+0x8da/0x12d8
[ 906.056518][ C0]  __alloc_pages+0x150/0x3b6
[ 906.057676][ C0]  alloc_pages+0x132/0x2a6
[ 906.058701][ C0]  alloc_slab_page.constprop.0+0xc2/0xfa
[ 906.059780][ C0]  new_slab+0x76/0x2cc
[ 906.060703][ C0]  ___slab_alloc+0x56e/0x918
[ 906.062029][ C0]  __slab_alloc.constprop.0+0x50/0x8c
[ 906.063121][ C0]  kmem_cache_alloc+0x39c/0x3de
[ 906.064109][ C0]  __kernfs_new_node+0xfc/0x5f2
[ 906.065152][ C0]  kernfs_new_node+0x66/0xbe
[ 906.066062][ C0]  __kernfs_create_file+0x4e/0x1e8
[ 906.067103][ C0]  sysfs_add_file_mode_ns+0x138/0x254
[ 906.068283][ C0]  internal_create_group+0x274/0x722
[ 906.069482][ C0]  internal_create_groups.part.0+0x64/0xe8
[ 906.070788][ C0] page last free stack trace:
[ 906.071968][ C0]  __reset_page_owner+0x4a/0xea
[ 906.073231][ C0]  free_pcp_prepare+0x29c/0x45e
[ 906.074339][ C0]  free_unref_page+0x6a/0x31e
[ 906.075448][ C0]  __free_pages+0xe2/0x112
[ 906.076507][ C0]  free_pages.part.0+0xe0/0xf6
[ 906.077683][ C0]  free_pages+0xe/0x18
[ 906.078712][ C0]  free_pgd_range+0x8b0/0xc54
[ 906.079642][ C0]  free_pgtables+0x1bc/0x1c8
[ 906.080601][ C0]  exit_mmap+0x168/0x412
[ 906.081895][ C0]  mmput+0xee/0x2c2
[ 906.083232][ C0]  do_exit+0x6f2/0x18fc
[ 906.084159][ C0]  do_group_exit+0x90/0x17e
[ 906.085100][ C0]  __wake_up_parent+0x0/0x4a
[ 906.086045][ C0]  ret_from_syscall+0x0/0x2
[ 906.087203][ C0]
[ 906.087906][ C0] Memory state around the buggy address:
[ 906.089241][ C0]  ffffaf80081bbd00: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 906.090536][ C0]  ffffaf80081bbd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 906.092478][ C0] >ffffaf80081bbe00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 906.094371][ C0]                                                  ^
[ 906.095601][ C0]  ffffaf80081bbe80: 00 00 00 00 f1 f1 f1 f1 00 00 00 f3 f3 f3 f3 f3
[ 906.096781][ C0]  ffffaf80081bbf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 906.098028][ C0] ==================================================================
[ 906.099219][ C0] Disabling lock debugging due to kernel taint
[ 906.103065][ T2038] Kernel panic - not syncing: corrupted stack end detected inside scheduler
[ 906.104146][ T2038] CPU: 0 PID: 2038 Comm: syz-executor.1 Tainted: G B W 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 906.105310][ T2038] Hardware name: riscv-virtio,qemu (DT)
[ 906.105941][ T2038] Call Trace:
[ 906.106440][ T2038] [] dump_backtrace+0x2e/0x3c
[ 906.107392][ T2038] [] show_stack+0x34/0x40
[ 906.108276][ T2038] [] dump_stack_lvl+0xe4/0x150
[ 906.109293][ T2038] [] dump_stack+0x1c/0x24
[ 906.110303][ T2038] [] panic+0x24a/0x634
[ 906.111668][ T2038] [] schedule+0x0/0x14c
[ 906.112698][ T2038] [] preempt_schedule_notrace+0x9c/0x19a
[ 906.113889][ T2038] [] trace_lock_acquire+0xd6/0x1fc
[ 906.115000][ T2038] [] lock_acquire+0x28/0x6a
[ 906.116040][ T2038] [] in6_dev_get+0x4c/0x2f4
[ 906.117071][ T2038] [] fib6_nh_init+0x49a/0x10c0
[ 906.118134][ T2038] [] ip6_route_info_create+0xb70/0xf78
[ 906.119242][ T2038] [] addrconf_f6i_alloc+0x242/0x3d8
[ 906.120323][ T2038] [] ipv6_add_addr+0x28e/0x12f2
[ 906.121578][ T2038] [] addrconf_add_linklocal+0x152/0x312
[ 906.122591][ T2038] [] addrconf_addr_gen+0x2c8/0x2d2
[ 906.123488][ T2038] [] addrconf_dev_config+0x208/0x3a0
[ 906.124481][ T2038] [] addrconf_notify+0xaa4/0x1360
[ 906.125490][ T2038] [] notifier_call_chain+0xb8/0x188
[ 906.126516][ T2038] [] raw_notifier_call_chain+0x2a/0x38
[ 906.127551][ T2038] [] call_netdevice_notifiers_info+0x9e/0x10c
[ 906.128591][ T2038] [] __dev_notify_flags+0x108/0x1fa
[ 906.129652][ T2038] [] dev_change_flags+0x9c/0xba
[ 906.130729][ T2038] [] do_setlink+0x5d6/0x21c4
[ 906.132248][ T2038] [] __rtnl_newlink+0x99e/0xfa0
[ 906.133413][ T2038] [] rtnl_newlink+0x60/0x8c
[ 906.134498][ T2038] [] rtnetlink_rcv_msg+0x338/0x9a0
[ 906.135679][ T2038] [] netlink_rcv_skb+0xf8/0x2be
[ 906.136717][ T2038] [] rtnetlink_rcv+0x26/0x30
[ 906.137867][ T2038] [] netlink_unicast+0x40e/0x5fe
[ 906.138985][ T2038] [] netlink_sendmsg+0x4e0/0x994
[ 906.140147][ T2038] [] sock_sendmsg+0xa0/0xc4
[ 906.141905][ T2038] [] __sys_sendto+0x1f2/0x2e0
[ 906.142961][ T2038] [] sys_sendto+0x3e/0x52
[ 906.143852][ T2038] [] ret_from_syscall+0x0/0x2
[ 906.145049][ T2038] SMP: stopping secondary CPUs
[ 906.147134][ T2038] Rebooting in 86400 seconds..
VM DIAGNOSIS:
01:49:58 Registers:
info registers vcpu 0
 pc       ffffffff80475986
 mhartid  0000000000000000
 mstatus  00000000000000a0
 mip      00000000000000a0
 mie      000000000000022a
 mideleg  0000000000000222
 medeleg  000000000000b109
 mtvec    0000000080000540
 stvec    ffffffff800055d4
 mepc     ffffffff802009d2
 sepc     ffffffff80396ce2
 mcause   8000000000000007
 scause   8000000000000005
 mtval    0000000000000000
 stval    0000000000000000
 x0/zero  0000000000000000
 x1/ra    ffffffff80dc3394
 x2/sp    ffffaf80081bb820
 x3/gp    ffffffff85863ac0
 x4/tp    ffffaf800f0d48c0
 x5/t0    ffffffff86bcb657
 x6/t1    b531743c48f2fc00
 x7/t2    0000000000000000
 x8/s0    ffffaf80081bb850
 x9/s1    ffffffff86e58900
 x10/a0   ffffaf800f0d48e0
 x11/a1   ffff8f800066c000
 x12/a2   1ffffffff0dcb129
 x13/a3   ffffffff80dc337e
 x14/a4   0000000000000000
 x15/a5   ffffffff86e58948
 x16/a6   ffffffff86e589f1
 x17/a7   ffffffff80dcc9fe
 x18/s2   ffffaf800f0d48c0
 x19/s3   0000000000000030
 x20/s4   ffffffff86e58900
 x21/s5   ffffffff80dc333e
 x22/s6   0000000000000000
 x23/s7   ffffffff86bcb69b
 x24/s8   0000000000000010
 x25/s9   ffffffff86e58958
 x26/s10  0000000000000010
 x27/s11  0000000000000000
 x28/t3   fffffffff3f3f300
 x29/t4   ffffffff80112282
 x30/t5   1ffff5f0010376b4
 x31/t6   ffffffff86bcb657
 f0/ft0   0000000000000000
 f1/ft1   0000000000000000
 f2/ft2   0000000000000000
 f3/ft3   0000000000000000
 f4/ft4   0000000000000000
 f5/ft5   0000000000000000
 f6/ft6   0000000000000000
 f7/ft7   0000000000000000
 f8/fs0   0000000000000000
 f9/fs1   0000000000000000
 f10/fa0  0000000000000000
 f11/fa1  0000000000000000
 f12/fa2  0000000000000000
 f13/fa3  0000000000000000
 f14/fa4  0000000000000000
 f15/fa5  0000000000000000
 f16/fa6  0000000000000000
 f17/fa7  0000000000000000
 f18/fs2  0000000000000000
 f19/fs3  0000000000000000
 f20/fs4  0000000000000000
 f21/fs5  0000000000000000
 f22/fs6  0000000000000000
 f23/fs7  0000000000000000
 f24/fs8  0000000000000000
 f25/fs9  0000000000000000
 f26/fs10 0000000000000000
 f27/fs11 0000000000000000
 f28/ft8  0000000000000000
 f29/ft9  0000000000000000
 f30/ft10 0000000000000000
 f31/ft11 0000000000000000
info registers vcpu 1
 pc       ffffffff8010b22c
 mhartid  0000000000000001
 mstatus  00000000000001a0
 mip      00000000000000a0
 mie      000000000000020a
 mideleg  0000000000000222
 medeleg  000000000000b109
 mtvec    0000000080000540
 stvec    ffffffff800055d4
 mepc     ffffffff80119b52
 sepc     ffffffff80119b52
 mcause   8000000000000007
 scause   8000000000000005
 mtval    0000000000000000
 stval    0000000000000000
 x0/zero  0000000000000000
 x1/ra    ffffffff831a18d8
 x2/sp    ffffaf800c73b110
 x3/gp    ffffffff85863ac0
 x4/tp    ffffaf800e1c48c0
 x5/t0    0000000000046000
 x6/t1    b531743c48f2fc00
 x7/t2    ffffffffffffffff
 x8/s0    ffffaf800c73b120
 x9/s1    0000000000001000
 x10/a0   0000000000000120
 x11/a1   ffffffffffffffff
 x12/a2   1ffff5f001c38919
 x13/a3   ffffffff80146d84
 x14/a4   0000000000010201
 x15/a5   0000000000000000
 x16/a6   0000000000f00000
 x17/a7   ffffffff800dddaa
 x18/s2   ffffaf8007336c00
 x19/s3   ffffffff84b73ec0
 x20/s4   1ffff5f0018e7648
 x21/s5   ffffffff8343c840
 x22/s6   ffffffffffffffff
 x23/s7   ffffffff86c1a628
 x24/s8   ffffffff86c1a620
 x25/s9   ffffaf800e1c48c0
 x26/s10  ffffaf805a9f4c98
 x27/s11  ffffffff8465b2d0
 x28/t3   fffffffff3f3f300
 x29/t4   ffffffff80112282
 x30/t5   1ffff5f0018e75d8
 x31/t6   00000000006735bf
 f0/ft0   0000000000000000
 f1/ft1   0000000000000000
 f2/ft2   0000000000000000
 f3/ft3   0000000000000000
 f4/ft4   0000000000000000
 f5/ft5   0000000000000000
 f6/ft6   0000000000000000
 f7/ft7   0000000000000000
 f8/fs0   0000000000000000
 f9/fs1   0000000000000000
 f10/fa0  0000000000000000
 f11/fa1  0000000000000000
 f12/fa2  0000000000000000
 f13/fa3  0000000000000000
 f14/fa4  0000000000000000
 f15/fa5  0000000000000000
 f16/fa6  0000000000000000
 f17/fa7  0000000000000000
 f18/fs2  0000000000000000
 f19/fs3  0000000000000000
 f20/fs4  0000000000000000
 f21/fs5  0000000000000000
 f22/fs6  0000000000000000
 f23/fs7  0000000000000000
 f24/fs8  0000000000000000
 f25/fs9  0000000000000000
 f26/fs10 0000000000000000
 f27/fs11 0000000000000000
 f28/ft8  0000000000000000
 f29/ft9  0000000000000000
 f30/ft10 0000000000000000
 f31/ft11 0000000000000000
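A small triage script for the KASAN report in the log above, added here as an example; it is not part of the syzkaller log, of syzkaller, or of the kernel. It pulls the report's key lines out of printk-prefixed console text (the excerpt embedded below is copied from the report, with the printk prefix padding restored), recomputes the out-of-bounds distance from the access address and the object region, decodes the shadow byte covering the access, and cross-checks that the report's own arithmetic agrees with its shadow dump. The shadow-byte meanings are the generic-KASAN encodings from mm/kasan/kasan.h in 5.x kernels (0xfc slab redzone, 0xf1/0xf3 stack left/right redzone, and so on); the function and variable names are the example's own.

```python
# Triage helper for a generic-KASAN slab-out-of-bounds report (added example,
# not kernel or syzkaller code).
import re

# Shadow-byte encodings of generic KASAN (mm/kasan/kasan.h, 5.x kernels).
# 0x00 = whole 8-byte granule addressable, 1..7 = that many leading bytes
# addressable, everything else is a poison value.
SHADOW_NAMES = {
    0xFF: "freed page",
    0xFE: "kmalloc_large redzone",
    0xFC: "slab object redzone",
    0xFB: "freed slab object",
    0xFA: "freed slab object (free track set)",
    0xF8: "vmalloc invalid",
    0xF1: "stack left redzone",
    0xF2: "stack mid redzone",
    0xF3: "stack right redzone",
    0xF4: "stack partial redzone",
}
KASAN_GRANULE = 8

# Excerpt of the report in the log above (printk prefixes kept, as a real
# console log has them), used as the sample input.
REPORT = """\
[  905.909547][    C0] BUG: KASAN: slab-out-of-bounds in walk_stackframe+0x11c/0x260
[  905.910881][    C0] Read of size 8 at addr ffffaf80081bbe50 by task syz-executor.1/2038
[  906.034380][    C0] The buggy address belongs to the object at ffffaf80081bbd98
[  906.034380][    C0]  which belongs to the cache kernfs_node_cache of size 168
[  906.035912][    C0] The buggy address is located 16 bytes to the right of
[  906.035912][    C0]  168-byte region [ffffaf80081bbd98, ffffaf80081bbe40)
[  906.089241][    C0]  ffffaf80081bbd00: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[  906.090536][    C0]  ffffaf80081bbd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  906.092478][    C0] >ffffaf80081bbe00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[  906.095601][    C0]  ffffaf80081bbe80: 00 00 00 00 f1 f1 f1 f1 00 00 00 f3 f3 f3 f3 f3
"""

PREFIX_RE = re.compile(r"^\[\s*\d+\.\d+\]\[\s*[CT]\d+\]\s?")
BUG_RE = re.compile(r"BUG: KASAN: (\S+) in (\S+)")
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)")
CACHE_RE = re.compile(r"belongs to the cache (\S+) of size (\d+)")
REGION_RE = re.compile(r"(\d+)-byte region \[([0-9a-f]+), ([0-9a-f]+)\)")
SHADOW_RE = re.compile(r"^>?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$")


def parse_report(text):
    """Extract bug type, access, object/cache facts and shadow rows from the text."""
    info = {"shadow": {}}
    for raw in text.splitlines():
        line = PREFIX_RE.sub("", raw).strip()
        if m := BUG_RE.search(line):
            info["bug"], info["func"] = m.group(1), m.group(2)
        elif m := ACCESS_RE.search(line):
            info["op"], info["size"] = m.group(1), int(m.group(2))
            info["addr"], info["task"] = int(m.group(3), 16), m.group(4)
        elif m := CACHE_RE.search(line):
            info["cache"], info["obj_size"] = m.group(1), int(m.group(2))
        elif m := REGION_RE.search(line):
            info["region"] = (int(m.group(2), 16), int(m.group(3), 16))
        elif m := SHADOW_RE.match(line):
            info["shadow"][int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return info


def oob_offset(info):
    """Distance of the access from the object region, phrased as KASAN does."""
    lo, hi = info["region"]
    addr = info["addr"]
    if addr < lo:
        return lo - addr, "left"
    if addr >= hi:
        return addr - hi, "right"
    return 0, "inside"


def shadow_for(info, addr):
    """Shadow byte covering addr (from the dumped rows) and what it means."""
    for start, row in info["shadow"].items():
        if start <= addr < start + len(row) * KASAN_GRANULE:
            val = row[(addr - start) // KASAN_GRANULE]
            if val == 0:
                return val, "addressable"
            if 0 < val < KASAN_GRANULE:
                return val, f"partially addressable ({val} bytes)"
            return val, SHADOW_NAMES.get(val, f"unknown poison 0x{val:02x}")
    return None, "not covered by the dumped shadow rows"


def triage(text=REPORT):
    """Parse the report and cross-check its arithmetic against the shadow dump."""
    info = parse_report(text)
    lo, hi = info["region"]
    info["offset"], info["side"] = oob_offset(info)
    info["shadow_val"], info["shadow_name"] = shadow_for(info, info["addr"])
    # Region length must equal the cache's object size, and an access the report
    # calls out-of-bounds must land on a poisoned granule (and vice versa).
    info["region_len_ok"] = (hi - lo) == info["obj_size"]
    info["consistent"] = (info["side"] != "inside") == (info["shadow_val"] not in (None, 0))
    return info


if __name__ == "__main__":
    print(triage())
```

On this report the numbers agree with the text: the region [ffffaf80081bbd98, ffffaf80081bbe40) is exactly 168 bytes, and ffffaf80081bbe50 is 16 bytes (two granules) past the object end, in the 0xfc slab redzone that the `>` row shows. What the arithmetic cannot explain is why KASAN's own stack walker (walk_stackframe called from kasan_save_stack) was reading there in the first place; the two stack-depot warnings and the "corrupted stack end detected inside scheduler" panic that follow are the parts of the log to pursue next.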