syzkaller login: [ 270.044318][ T1858] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 270.082970][ T1858] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 292.176480][ T1858] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
Warning: Permanently added '[localhost]:2846' (ECDSA) to the list of known hosts.
1970/01/01 00:05:57 fuzzer started
1970/01/01 00:06:09 dialing manager at localhost:38659
[ 374.690439][ T2031] cgroup: Unknown subsys name 'net'
[ 375.706804][ T2031] cgroup: Unknown subsys name 'rlimit'
1970/01/01 00:06:15 syscalls: 2918
1970/01/01 00:06:15 code coverage: enabled
1970/01/01 00:06:15 comparison tracing: enabled
1970/01/01 00:06:15 extra coverage: enabled
1970/01/01 00:06:15 delay kcov mmap: mmap returned an invalid pointer
1970/01/01 00:06:15 setuid sandbox: enabled
1970/01/01 00:06:15 namespace sandbox: enabled
1970/01/01 00:06:15 Android sandbox: /sys/fs/selinux/policy does not exist
1970/01/01 00:06:15 fault injection: enabled
1970/01/01 00:06:15 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
1970/01/01 00:06:15 net packet injection: enabled
1970/01/01 00:06:15 net device setup: enabled
1970/01/01 00:06:15 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
1970/01/01 00:06:15 devlink PCI setup: PCI device 0000:00:10.0 is not available
1970/01/01 00:06:15 NIC VF setup: PCI device 0000:00:11.0 is not available
1970/01/01 00:06:15 USB emulation: enabled
1970/01/01 00:06:15 hci packet injection: /dev/vhci does not exist
1970/01/01 00:06:15 wifi device emulation: /sys/class/mac80211_hwsim/ does not exist
1970/01/01 00:06:15 802.15.4 emulation: /sys/bus/platform/devices/mac802154_hwsim does not exist
1970/01/01 00:06:15 fetching corpus: 0, signal 0/2000 (executing program)
1970/01/01 00:06:20 fetching corpus: 50, signal 26737/30044 (executing program)
1970/01/01 00:06:23 fetching corpus: 100, signal 41229/45585 (executing program)
1970/01/01 00:06:27 fetching corpus: 150, signal 55455/60514 (executing program)
1970/01/01 00:06:30 fetching corpus: 199, signal 61764/67654 (executing program)
1970/01/01 00:06:33 fetching corpus: 249, signal 68170/74778 (executing program)
1970/01/01 00:06:37 fetching corpus: 299, signal 74318/81415 (executing program)
1970/01/01 00:06:40 fetching corpus: 349, signal 79888/87435 (executing program)
1970/01/01 00:06:43 fetching corpus: 398, signal 84126/92175 (executing program)
1970/01/01 00:06:46 fetching corpus: 448, signal 87300/95808 (executing program)
1970/01/01 00:06:48 fetching corpus: 498, signal 90171/99105 (executing program)
1970/01/01 00:06:53 fetching corpus: 548, signal 93815/102995 (executing program)
1970/01/01 00:06:56 fetching corpus: 598, signal 96437/105970 (executing program)
1970/01/01 00:07:00 fetching corpus: 648, signal 99710/109402 (executing program)
1970/01/01 00:07:03 fetching corpus: 697, signal 101845/111799 (executing program)
1970/01/01 00:07:05 fetching corpus: 747, signal 104119/114294 (executing program)
1970/01/01 00:07:10 fetching corpus: 797, signal 106771/116982 (executing program)
1970/01/01 00:07:13 fetching corpus: 847, signal 109609/119738 (executing program)
1970/01/01 00:07:15 fetching corpus: 897, signal 111689/121888 (executing program)
1970/01/01 00:07:19 fetching corpus: 947, signal 114860/124727 (executing program)
1970/01/01 00:07:21 fetching corpus: 997, signal 117064/126849 (executing program)
1970/01/01 00:07:24 fetching corpus: 1047, signal 119340/128927 (executing program)
1970/01/01 00:07:27 fetching corpus: 1096, signal 120783/130373 (executing program)
1970/01/01 00:07:30 fetching corpus: 1146, signal 122587/132001 (executing program)
1970/01/01 00:07:33 fetching corpus: 1195, signal 124318/133557 (executing program)
1970/01/01 00:07:35 fetching corpus: 1245, signal 126759/135537 (executing program)
1970/01/01 00:07:38 fetching corpus: 1294, signal 128934/137216 (executing program)
1970/01/01 00:07:40 fetching corpus: 1344, signal 130333/138427 (executing program)
1970/01/01 00:07:44 fetching corpus: 1394, signal 132404/140023 (executing program)
1970/01/01 00:07:48 fetching corpus: 1444, signal 134336/141452 (executing program)
1970/01/01 00:07:51 fetching corpus: 1494, signal 135600/142439 (executing program)
1970/01/01 00:07:55 fetching corpus: 1544, signal 137417/143731 (executing program)
1970/01/01 00:07:58 fetching corpus: 1594, signal 139769/145287 (executing program)
1970/01/01 00:08:00 fetching corpus: 1644, signal 141074/146165 (executing program)
1970/01/01 00:08:04 fetching corpus: 1693, signal 142390/147042 (executing program)
1970/01/01 00:08:06 fetching corpus: 1743, signal 143558/147778 (executing program)
1970/01/01 00:08:09 fetching corpus: 1793, signal 145019/148655 (executing program)
1970/01/01 00:08:12 fetching corpus: 1843, signal 146676/149632 (executing program)
1970/01/01 00:08:15 fetching corpus: 1893, signal 148085/150412 (executing program)
1970/01/01 00:08:19 fetching corpus: 1942, signal 150157/151443 (executing program)
1970/01/01 00:08:20 fetching corpus: 1952, signal 150435/151611 (executing program)
1970/01/01 00:08:20 fetching corpus: 1952, signal 150435/151639 (executing program)
1970/01/01 00:08:21 fetching corpus: 1952, signal 150435/151671 (executing program)
1970/01/01 00:08:21 fetching corpus: 1952, signal 150435/151702 (executing program)
1970/01/01 00:08:21 fetching corpus: 1952, signal 150435/151722 (executing program)
1970/01/01 00:08:21 fetching corpus: 1952, signal 150435/151760 (executing program)
1970/01/01 00:08:21 fetching corpus: 1952, signal 150435/151790 (executing program)
1970/01/01 00:08:21 fetching corpus: 1952, signal 150435/151817 (executing program)
1970/01/01 00:08:21 fetching corpus: 1952, signal 150435/151849 (executing program)
1970/01/01 00:08:22 fetching corpus: 1952, signal 150435/151878 (executing program)
1970/01/01 00:08:22 fetching corpus: 1952, signal 150435/151909 (executing program)
1970/01/01 00:08:22 fetching corpus: 1952, signal 150435/151941 (executing program)
1970/01/01 00:08:22 fetching corpus: 1952, signal 150435/151968 (executing program)
1970/01/01 00:08:22 fetching corpus: 1952, signal 150435/151996 (executing program)
1970/01/01 00:08:22 fetching corpus: 1952, signal 150435/152026 (executing program)
1970/01/01 00:08:23 fetching corpus: 1952, signal 150435/152060 (executing program)
1970/01/01 00:08:23 fetching corpus: 1952, signal 150435/152104 (executing program)
1970/01/01 00:08:23 fetching corpus: 1952, signal 150435/152145 (executing program)
1970/01/01 00:08:23 fetching corpus: 1952, signal 150435/152178 (executing program)
1970/01/01 00:08:23 fetching corpus: 1952, signal 150435/152216 (executing program)
1970/01/01 00:08:23 fetching corpus: 1952, signal 150435/152247 (executing program)
1970/01/01 00:08:23 fetching corpus: 1952, signal 150435/152269 (executing program)
1970/01/01 00:08:23 fetching corpus: 1952, signal 150435/152288 (executing program)
1970/01/01 00:08:24 fetching corpus: 1952, signal 150435/152316 (executing program)
1970/01/01 00:08:24 fetching corpus: 1952, signal 150435/152340 (executing program)
1970/01/01 00:08:24 fetching corpus: 1952, signal 150435/152365 (executing program)
1970/01/01 00:08:24 fetching corpus: 1952, signal 150435/152394 (executing program)
1970/01/01 00:08:24 fetching corpus: 1952, signal 150435/152426 (executing program)
1970/01/01 00:08:25 fetching corpus: 1952, signal 150435/152454 (executing program)
1970/01/01 00:08:25 fetching corpus: 1952, signal 150435/152485 (executing program)
1970/01/01 00:08:25 fetching corpus: 1952, signal 150435/152522 (executing program)
1970/01/01 00:08:25 fetching corpus: 1952, signal 150435/152546 (executing program)
1970/01/01 00:08:25 fetching corpus: 1952, signal 150435/152585 (executing program)
1970/01/01 00:08:26 fetching corpus: 1952, signal 150435/152616 (executing program)
1970/01/01 00:08:26 fetching corpus: 1952, signal 150435/152647 (executing program)
1970/01/01 00:08:26 fetching corpus: 1952, signal 150435/152677 (executing program)
1970/01/01 00:08:26 fetching corpus: 1952, signal 150435/152692 (executing program)
1970/01/01 00:08:26 fetching corpus: 1952, signal 150435/152692 (executing program)
1970/01/01 00:10:16 starting 2 fuzzer processes
00:10:16 executing program 0:
r0 = openat$sndtimer(0xffffffffffffff9c, &(0x7f0000000300), 0x0)
ioctl$SNDRV_TIMER_IOCTL_NEXT_DEVICE(r0, 0x40045402, 0x0)
00:10:16 executing program 1:
bpf$BPF_BTF_LOAD(0x15, &(0x7f0000000200)={0x0, 0x0, 0x0, 0x0, 0x1}, 0x20)
[ 643.722499][ T2041] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 643.828613][ T2041] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 646.604598][ T2043] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 646.805727][ T2043] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 657.382086][ T2041] device hsr_slave_0 entered promiscuous mode
[ 657.464655][ T2041] device hsr_slave_1 entered promiscuous mode
[ 659.038443][ T2043] device hsr_slave_0 entered promiscuous mode
[ 659.098514][ T2043] device hsr_slave_1 entered promiscuous mode
[ 659.140585][ T2043] debugfs: Directory 'hsr0' with parent 'hsr' already present!
[ 659.144903][ T2043] Cannot create hsr debugfs directory
[ 665.824763][ T2041] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 666.015431][ T2041] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 666.123690][ T2041] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 666.378758][ T2041] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 667.474299][ T2043] netdevsim netdevsim1 netdevsim0: renamed from eth0
[ 667.736071][ T2043] netdevsim netdevsim1 netdevsim1: renamed from eth1
[ 667.858615][ T2043] netdevsim netdevsim1 netdevsim2: renamed from eth2
[ 668.517069][ T2043] netdevsim netdevsim1 netdevsim3: renamed from eth3
[ 679.035864][ T2041] 8021q: adding VLAN 0 to HW filter on device bond0
[ 680.192046][ T2315] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 680.253958][ T2315] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 680.732618][ T2043] 8021q: adding VLAN 0 to HW filter on device bond0
[ 681.662562][ T2315] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 681.705887][ T2315] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 688.396292][ T25] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 688.457760][ T25] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 688.696819][ T2315] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 688.776933][ T2315] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 689.057160][ T2683] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 689.236183][ T83] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 689.302056][ T83] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 689.637846][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 689.690294][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 689.711576][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 690.037602][ C0] ==================================================================
[ 690.042076][ C0] BUG: KASAN: slab-out-of-bounds in walk_stackframe+0x11c/0x260
[ 690.043554][ C0] Read of size 8 at addr ffffaf800f88ff40 by task syz-executor.0/2041
[ 690.044890][ C0]
[ 690.046945][ C0] CPU: 0 PID: 2041 Comm: syz-executor.0 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 690.048600][ C0] Hardware name: riscv-virtio,qemu (DT)
[ 690.050156][ C0] Call Trace:
[ 690.051300][ C0] [] dump_backtrace+0x2e/0x3c
[ 690.052619][ C0] [] show_stack+0x34/0x40
[ 690.053812][ C0] [] dump_stack_lvl+0xe4/0x150
[ 690.055177][ C0] [] print_address_description.constprop.0+0x2a/0x330
[ 690.056734][ C0] [] kasan_report+0x184/0x1e0
[ 690.058062][ C0] [] __asan_load8+0x6e/0x96
[ 690.059533][ C0] [] walk_stackframe+0x11c/0x260
[ 690.061241][ C0] [] arch_stack_walk+0x2c/0x3c
[ 690.062586][ C0] [] stack_trace_save+0xa6/0xd8
[ 690.064125][ C0]
[ 690.064979][ C0] Allocated by task 0:
[ 690.065843][ C0] (stack is not available)
[ 690.066683][ C0]
[ 690.067371][ C0] Last potentially related work creation:
[ 690.068360][ C0] ------------[ cut here ]------------
[ 690.069310][ C0] slab index 40758 out of bounds (322) for stack id 80009f36
[ 690.074878][ C0] WARNING: CPU: 0 PID: 2041 at lib/stackdepot.c:304 stack_depot_print+0x66/0x70
[ 690.076811][ C0] Modules linked in:
[ 690.078005][ C0] CPU: 0 PID: 2041 Comm: syz-executor.0 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 690.079890][ C0] Hardware name: riscv-virtio,qemu (DT)
[ 690.081263][ C0] epc : stack_depot_print+0x66/0x70
[ 690.082529][ C0] ra : stack_depot_print+0x66/0x70
[ 690.084351][ C0] epc : ffffffff80c00b8a ra : ffffffff80c00b8a sp : ffffaf800f88fe00
[ 690.085641][ C0] gp : ffffffff85863ac0 tp : ffffaf800de61840 t0 : ffffffff86bcb657
[ 690.086975][ C0] t1 : fffff5ef0b53910c t2 : 0000000000000000 s0 : ffffaf800f88fe10
[ 690.088193][ C0] s1 : ffffaf807aaa7760 a0 : 000000000000003a a1 : 00000000000f0000
[ 690.089678][ C0] a2 : 0000000000000505 a3 : ffffffff8012252a a4 : 239ad411cd7eb300
[ 690.092850][ C0] a5 : 239ad411cd7eb300 a6 : 0000000000f00000 a7 : ffffaf805a9c8863
[ 690.094043][ C0] s2 : ffffaf800f88ff40 s3 : ffffaf8009bfa640 s4 : ffffaf800f88fa80
[ 690.095224][ C0] s5 : ffffaf800f88fe80 s6 : 0000000000003fff s7 : ffffaf800f88fee0
[ 690.096495][ C0] s8 : 0000000000400000 s9 : ffffffffffffc000 s10: ffffaf800f88ffc0
[ 690.097752][ C0] s11: 0000000000000008 t3 : fffffffff3f3f300 t4 : fffff5ef0b53910c
[ 690.098892][ C0] t5 : fffff5ef0b53910d t6 : ffffaf800f88f8f8
[ 690.099885][ C0] status: 0000000000000100 badaddr: 0000000000000000 cause: 0000000000000003
[ 690.101194][ C0] [] print_address_description.constprop.0+0x2fc/0x330
[ 690.102710][ C0] [] kasan_report+0x184/0x1e0
[ 690.103982][ C0] [] __asan_load8+0x6e/0x96
[ 690.114396][ C0] [] walk_stackframe+0x11c/0x260
[ 690.115510][ C0] [] arch_stack_walk+0x2c/0x3c
[ 690.116494][ C0] [] stack_trace_save+0xa6/0xd8
[ 690.117695][ C0] irq event stamp: 148291
[ 690.118388][ C0] hardirqs last enabled at (148290): [] _raw_spin_unlock_irqrestore+0x68/0x98
[ 690.121743][ C0] hardirqs last disabled at (148291): [] _raw_spin_lock_irqsave+0x60/0x62
[ 690.123837][ C0] softirqs last enabled at (148142): [] fib_create_info+0x1da2/0x2d8e
[ 690.125603][ C0] softirqs last disabled at (148159): [] __irq_exit_rcu+0x142/0x1f8
[ 690.127438][ C0] ---[ end trace 0000000000000000 ]---
[ 690.128980][ C0]
[ 690.129935][ C0] Second to last potentially related work creation:
[ 690.131547][ C0] ------------[ cut here ]------------
[ 690.132575][ C0] slab index 2097151 out of bounds (322) for stack id ffffffff
[ 690.136324][ C0] WARNING: CPU: 0 PID: 2041 at lib/stackdepot.c:304 stack_depot_print+0x66/0x70
[ 690.138314][ C0] Modules linked in:
[ 690.139815][ C0] CPU: 0 PID: 2041 Comm: syz-executor.0 Tainted: G W 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 690.142550][ C0] Hardware name: riscv-virtio,qemu (DT)
[ 690.143632][ C0] epc : stack_depot_print+0x66/0x70
[ 690.144897][ C0] ra : stack_depot_print+0x66/0x70
[ 690.146187][ C0] epc : ffffffff80c00b8a ra : ffffffff80c00b8a sp : ffffaf800f88fe00
[ 690.147448][ C0] gp : ffffffff85863ac0 tp : ffffaf800de61840 t0 : ffffffff86bcb657
[ 690.148737][ C0] t1 : fffff5ef0b53910c t2 : 0000000000000000 s0 : ffffaf800f88fe10
[ 690.150852][ C0] s1 : ffffaf807aaa7760 a0 : 000000000000003c a1 : 00000000000f0000
[ 690.152572][ C0] a2 : 0000000000000505 a3 : ffffffff8012252a a4 : 239ad411cd7eb300
[ 690.153815][ C0] a5 : 239ad411cd7eb300 a6 : 0000000000f00000 a7 : ffffaf805a9c8863
[ 690.155053][ C0] s2 : ffffaf800f88ff40 s3 : ffffaf8009bfa640 s4 : ffffaf800f88fa80
[ 690.156347][ C0] s5 : ffffaf800f88fe80 s6 : 0000000000003fff s7 : ffffaf800f88fee0
[ 690.157660][ C0] s8 : 0000000000400000 s9 : ffffffffffffc000 s10: ffffaf800f88ffc0
[ 690.158961][ C0] s11: 0000000000000008 t3 : fffffffff3f3f300 t4 : fffff5ef0b53910c
[ 690.160512][ C0] t5 : fffff5ef0b53910d t6 : ffffaf800f88f8f8
[ 690.161731][ C0] status: 0000000000000100 badaddr: 0000000000000000 cause: 0000000000000003
[ 690.163035][ C0] [] print_address_description.constprop.0+0x2ae/0x330
[ 690.164699][ C0] [] kasan_report+0x184/0x1e0
[ 690.166098][ C0] [] __asan_load8+0x6e/0x96
[ 690.167338][ C0] [] walk_stackframe+0x11c/0x260
[ 690.168726][ C0] [] arch_stack_walk+0x2c/0x3c
[ 690.170707][ C0] [] stack_trace_save+0xa6/0xd8
[ 690.172152][ C0] irq event stamp: 148291
[ 690.173093][ C0] hardirqs last enabled at (148290): [] _raw_spin_unlock_irqrestore+0x68/0x98
[ 690.174732][ C0] hardirqs last disabled at (148291): [] _raw_spin_lock_irqsave+0x60/0x62
[ 690.176435][ C0] softirqs last enabled at (148142): [] fib_create_info+0x1da2/0x2d8e
[ 690.178048][ C0] softirqs last disabled at (148159): [] __irq_exit_rcu+0x142/0x1f8
[ 690.180602][ C0] ---[ end trace 0000000000000000 ]---
[ 690.182297][ C0]
[ 690.183026][ C0] The buggy address belongs to the object at ffffaf800f88fa80
[ 690.183026][ C0] which belongs to the cache biovec-64 of size 1024
[ 690.184872][ C0] The buggy address is located 192 bytes to the right of
[ 690.184872][ C0] 1024-byte region [ffffaf800f88fa80, ffffaf800f88fe80)
[ 690.186712][ C0] The buggy address belongs to the page:
[ 690.188181][ C0] page:ffffaf807aaa7760 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffffaf800f88c480 pfn:0x8fa8c
[ 690.191346][ C0] head:ffffaf807aaa7760 order:2 compound_mapcount:0 compound_pincount:0
[ 690.193865][ C0] flags: 0x8800010200(slab|head|section=17|node=0|zone=0)
[ 690.197043][ C0] raw: 0000008800010200 0000000000000000 0000000000000122 ffffaf8009bfa640
[ 690.198678][ C0] raw: ffffaf800f88c480 00000000800e000c 00000001ffffffff 0000000000000000
[ 690.200832][ C0] raw: 00000000000007ff
[ 690.202389][ C0] page dumped because: kasan: bad access detected
[ 690.203755][ C0] page_owner tracks the page as allocated
[ 690.204802][ C0] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd2800(GFP_NOWAIT|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1966, ts 248814328300, free_ts 248372762400
[ 690.207335][ C0] __set_page_owner+0x48/0x136
[ 690.208709][ C0] post_alloc_hook+0xd0/0x10a
[ 690.210342][ C0] get_page_from_freelist+0x8da/0x12d8
[ 690.211624][ C0] __alloc_pages+0x150/0x3b6
[ 690.212844][ C0] alloc_pages+0x132/0x2a6
[ 690.214028][ C0] alloc_slab_page.constprop.0+0xc2/0xfa
[ 690.215323][ C0] new_slab+0x76/0x2cc
[ 690.216444][ C0] ___slab_alloc+0x56e/0x918
[ 690.217691][ C0] __slab_alloc.constprop.0+0x50/0x8c
[ 690.218918][ C0] kmem_cache_alloc+0x39c/0x3de
[ 690.220698][ C0] bvec_alloc+0x12a/0x17a
[ 690.221878][ C0] bio_alloc_bioset+0x264/0x316
[ 690.223011][ C0] ext4_mpage_readpages+0xcae/0x125a
[ 690.224322][ C0] ext4_readahead+0xac/0xae
[ 690.225515][ C0] read_pages+0x19a/0x7ee
[ 690.226594][ C0] page_cache_ra_unbounded+0x396/0x450
[ 690.227962][ C0] page last free stack trace:
[ 690.229471][ C0] __reset_page_owner+0x4a/0xea
[ 690.231418][ C0] free_pcp_prepare+0x29c/0x45e
[ 690.232612][ C0] free_unref_page+0x6a/0x31e
[ 690.233784][ C0] __free_pages+0xe2/0x112
[ 690.234920][ C0] put_task_stack+0x1d0/0x2b0
[ 690.236622][ C0] finish_task_switch.isra.0+0x3ce/0x420
[ 690.238969][ C0] __schedule+0x58e/0x118e
[ 690.240946][ C0] schedule_idle+0x22/0x42
[ 690.242452][ C0] do_idle+0xca/0x144
[ 690.244342][ C0] cpu_startup_entry+0x1a/0x1c
[ 690.245541][ C0] rest_init+0x236/0x3f2
[ 690.247167][ C0] arch_call_rest_init+0x18/0x20
[ 690.248367][ C0] start_kernel+0x66a/0x698
[ 690.250219][ C0]
[ 690.251201][ C0] Memory state around the buggy address:
[ 690.253822][ C0] ffffaf800f88fe00: 00 00 00 00 00 00 00 00 fc fc fc fc 00 00 00 00
[ 690.255358][ C0] ffffaf800f88fe80: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[ 690.256692][ C0] >ffffaf800f88ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 690.258102][ C0] ^
[ 690.259442][ C0] ffffaf800f88ff80: fc fc fc fc f1 f1 f1 f1 00 00 00 f3 f3 f3 f3 f3
[ 690.262128][ C0] ffffaf800f890000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 690.264105][ C0] ==================================================================
[ 690.266133][ C0] Disabling lock debugging due to kernel taint
[ 690.272841][ T2041] Kernel panic - not syncing: corrupted stack end detected inside scheduler
[ 690.274865][ T2041] CPU: 0 PID: 2041 Comm: syz-executor.0 Tainted: G B W 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 690.276367][ T2041] Hardware name: riscv-virtio,qemu (DT)
[ 690.277179][ T2041] Call Trace:
[ 690.277797][ T2041] [] dump_backtrace+0x2e/0x3c
[ 690.279028][ T2041] [] show_stack+0x34/0x40
[ 690.280740][ T2041] [] dump_stack_lvl+0xe4/0x150
[ 690.281927][ T2041] [] dump_stack+0x1c/0x24
[ 690.283080][ T2041] [] panic+0x24a/0x634
[ 690.284091][ T2041] [] schedule+0x0/0x14c
[ 690.285238][ T2041] [] preempt_schedule_common+0x4e/0xde
[ 690.286437][ T2041] [] preempt_schedule+0x34/0x36
[ 690.287605][ T2041] [] _raw_spin_unlock_irqrestore+0x8c/0x98
[ 690.288795][ T2041] [] debug_check_no_obj_freed+0x14c/0x24a
[ 690.290688][ T2041] [] slab_free_freelist_hook+0xe4/0x1cc
[ 690.291852][ T2041] [] kfree+0xe0/0x3e4
[ 690.292909][ T2041] [] pskb_expand_head+0x1d8/0x842
[ 690.294181][ T2041] [] netlink_trim+0x15a/0x16c
[ 690.295419][ T2041] [] netlink_broadcast+0x4c/0xab6
[ 690.296539][ T2041] [] nlmsg_notify+0x78/0x22e
[ 690.297680][ T2041] [] rtnl_notify+0x80/0x98
[ 690.298710][ T2041] [] rtmsg_fib+0x204/0x2be
[ 690.300228][ T2041] [] fib_table_insert+0x52a/0xebe
[ 690.301570][ T2041] [] fib_magic+0x3f4/0x438
[ 690.302933][ T2041] [] fib_add_ifaddr+0x2be/0x2e2
[ 690.304043][ T2041] [] fib_netdev_event+0x362/0x4b0
[ 690.305195][ T2041] [] notifier_call_chain+0xb8/0x188
[ 690.306421][ T2041] [] raw_notifier_call_chain+0x2a/0x38
[ 690.307630][ T2041] [] call_netdevice_notifiers_info+0x9e/0x10c
[ 690.308738][ T2041] [] __dev_notify_flags+0x108/0x1fa
[ 690.310754][ T2041] [] dev_change_flags+0x9c/0xba
[ 690.311922][ T2041] [] do_setlink+0x5d6/0x21c4
[ 690.312571][ T2041] [] __rtnl_newlink+0x99e/0xfa0
[ 690.314331][ T2041] [] rtnl_newlink+0x60/0x8c
[ 690.315507][ T2041] [] rtnetlink_rcv_msg+0x338/0x9a0
[ 690.316723][ T2041] [] netlink_rcv_skb+0xf8/0x2be
[ 690.317822][ T2041] [] rtnetlink_rcv+0x26/0x30
[ 690.318967][ T2041] [] netlink_unicast+0x40e/0x5fe
[ 690.320681][ T2041] [] netlink_sendmsg+0x4e0/0x994
[ 690.321760][ T2041] [] sock_sendmsg+0xa0/0xc4
[ 690.322948][ T2041] [] __sys_sendto+0x1f2/0x2e0
[ 690.324064][ T2041] [] sys_sendto+0x3e/0x52
[ 690.325154][ T2041] [] ret_from_syscall+0x0/0x2
[ 690.326518][ T2041] SMP: stopping secondary CPUs
[ 690.329422][ T2041] Rebooting in 86400 seconds..
VM DIAGNOSIS: 17:04:01 Registers: