syzkaller login: [  474.350714][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[  483.693307][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[  483.748769][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
Warning: Permanently added '[localhost]:52392' (ECDSA) to the list of known hosts.
1970/01/01 00:09:18 fuzzer started
1970/01/01 00:09:30 dialing manager at localhost:40479
[  578.205700][ T2026] cgroup: Unknown subsys name 'net'
[  579.206655][ T2026] cgroup: Unknown subsys name 'rlimit'
1970/01/01 00:09:39 syscalls: 2918
1970/01/01 00:09:39 code coverage: enabled
1970/01/01 00:09:39 comparison tracing: enabled
1970/01/01 00:09:39 extra coverage: enabled
1970/01/01 00:09:39 delay kcov mmap: mmap returned an invalid pointer
1970/01/01 00:09:39 setuid sandbox: enabled
1970/01/01 00:09:39 namespace sandbox: enabled
1970/01/01 00:09:39 Android sandbox: /sys/fs/selinux/policy does not exist
1970/01/01 00:09:39 fault injection: enabled
1970/01/01 00:09:39 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
1970/01/01 00:09:39 net packet injection: enabled
1970/01/01 00:09:39 net device setup: enabled
1970/01/01 00:09:39 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
1970/01/01 00:09:39 devlink PCI setup: PCI device 0000:00:10.0 is not available
1970/01/01 00:09:39 NIC VF setup: PCI device 0000:00:11.0 is not available
1970/01/01 00:09:39 USB emulation: enabled
1970/01/01 00:09:39 hci packet injection: /dev/vhci does not exist
1970/01/01 00:09:39 wifi device emulation: /sys/class/mac80211_hwsim/ does not exist
1970/01/01 00:09:39 802.15.4 emulation: /sys/bus/platform/devices/mac802154_hwsim does not exist
1970/01/01 00:09:39 fetching corpus: 0, signal 0/2000 (executing program)
1970/01/01 00:09:43 fetching corpus: 50, signal 26013/29549 (executing program)
1970/01/01 00:09:46 fetching corpus: 100, signal 40947/45829 (executing program)
1970/01/01 00:09:50 fetching corpus: 150, signal 53051/59072 (executing program)
1970/01/01 00:09:54 fetching corpus: 200, signal 63708/70718 (executing program)
1970/01/01 00:09:58 fetching corpus: 250, signal 69249/77350 (executing program)
1970/01/01 00:10:01 fetching corpus: 300, signal 75000/84102 (executing program)
1970/01/01 00:10:04 fetching corpus: 350, signal 78089/88269 (executing program)
1970/01/01 00:10:06 fetching corpus: 400, signal 83286/94308 (executing program)
1970/01/01 00:10:09 fetching corpus: 450, signal 87689/99464 (executing program)
1970/01/01 00:10:11 fetching corpus: 500, signal 92660/105090 (executing program)
1970/01/01 00:10:15 fetching corpus: 549, signal 95926/109095 (executing program)
1970/01/01 00:10:19 fetching corpus: 599, signal 98951/112897 (executing program)
1970/01/01 00:10:21 fetching corpus: 649, signal 101580/116306 (executing program)
1970/01/01 00:10:25 fetching corpus: 698, signal 104595/119960 (executing program)
1970/01/01 00:10:29 fetching corpus: 748, signal 107144/123204 (executing program)
1970/01/01 00:10:31 fetching corpus: 797, signal 108930/125758 (executing program)
1970/01/01 00:10:34 fetching corpus: 847, signal 111505/128905 (executing program)
1970/01/01 00:10:37 fetching corpus: 896, signal 113904/131816 (executing program)
1970/01/01 00:10:39 fetching corpus: 946, signal 116274/134658 (executing program)
1970/01/01 00:10:41 fetching corpus: 996, signal 118502/137362 (executing program)
1970/01/01 00:10:43 fetching corpus: 1046, signal 120268/139712 (executing program)
1970/01/01 00:10:45 fetching corpus: 1096, signal 122059/142000 (executing program)
1970/01/01 00:10:47 fetching corpus: 1146, signal 123284/143845 (executing program)
1970/01/01 00:10:50 fetching corpus: 1196, signal 125255/146249 (executing program)
1970/01/01 00:10:52 fetching corpus: 1246, signal 126784/148240 (executing program)
1970/01/01 00:10:54 fetching corpus: 1296, signal 128571/150384 (executing program)
1970/01/01 00:10:56 fetching corpus: 1346, signal 129507/151864 (executing program)
1970/01/01 00:11:00 fetching corpus: 1396, signal 131344/153984 (executing program)
1970/01/01 00:11:01 fetching corpus: 1446, signal 133230/156112 (executing program)
1970/01/01 00:11:04 fetching corpus: 1496, signal 134772/157955 (executing program)
1970/01/01 00:11:07 fetching corpus: 1546, signal 136686/160102 (executing program)
1970/01/01 00:11:08 fetching corpus: 1596, signal 137806/161655 (executing program)
1970/01/01 00:11:11 fetching corpus: 1646, signal 139311/163415 (executing program)
1970/01/01 00:11:13 fetching corpus: 1695, signal 140960/165217 (executing program)
1970/01/01 00:11:16 fetching corpus: 1745, signal 142207/166769 (executing program)
1970/01/01 00:11:19 fetching corpus: 1795, signal 143367/168208 (executing program)
1970/01/01 00:11:23 fetching corpus: 1845, signal 144826/169831 (executing program)
1970/01/01 00:11:26 fetching corpus: 1895, signal 146254/171403 (executing program)
1970/01/01 00:11:28 fetching corpus: 1945, signal 147376/172720 (executing program)
1970/01/01 00:11:31 fetching corpus: 1995, signal 148837/174272 (executing program)
1970/01/01 00:11:32 fetching corpus: 2045, signal 150033/175673 (executing program)
1970/01/01 00:11:35 fetching corpus: 2095, signal 151061/176897 (executing program)
1970/01/01 00:11:38 fetching corpus: 2145, signal 151972/178035 (executing program)
1970/01/01 00:11:40 fetching corpus: 2194, signal 152951/179230 (executing program)
1970/01/01 00:11:42 fetching corpus: 2244, signal 154022/180481 (executing program)
1970/01/01 00:11:45 fetching corpus: 2294, signal 154993/181635 (executing program)
1970/01/01 00:11:47 fetching corpus: 2344, signal 155698/182571 (executing program)
1970/01/01 00:11:50 fetching corpus: 2394, signal 157086/183865 (executing program)
1970/01/01 00:11:52 fetching corpus: 2444, signal 158456/185161 (executing program)
1970/01/01 00:11:55 fetching corpus: 2494, signal 160165/186640 (executing program)
1970/01/01 00:11:57 fetching corpus: 2544, signal 161145/187703 (executing program)
1970/01/01 00:12:01 fetching corpus: 2594, signal 162288/188783 (executing program)
1970/01/01 00:12:03 fetching corpus: 2644, signal 163045/189703 (executing program)
1970/01/01 00:12:05 fetching corpus: 2694, signal 164069/190674 (executing program)
1970/01/01 00:12:09 fetching corpus: 2744, signal 165017/191632 (executing program)
1970/01/01 00:12:12 fetching corpus: 2794, signal 165786/192498 (executing program)
1970/01/01 00:12:14 fetching corpus: 2844, signal 166630/193401 (executing program)
1970/01/01 00:12:17 fetching corpus: 2894, signal 167349/194169 (executing program)
1970/01/01 00:12:19 fetching corpus: 2944, signal 168181/194954 (executing program)
1970/01/01 00:12:21 fetching corpus: 2994, signal 169115/195833 (executing program)
1970/01/01 00:12:24 fetching corpus: 3043, signal 170161/196731 (executing program)
1970/01/01 00:12:26 fetching corpus: 3093, signal 171010/197508 (executing program)
1970/01/01 00:12:27 fetching corpus: 3143, signal 171984/198350 (executing program)
1970/01/01 00:12:31 fetching corpus: 3193, signal 172957/199123 (executing program)
1970/01/01 00:12:35 fetching corpus: 3243, signal 173755/199820 (executing program)
1970/01/01 00:12:37 fetching corpus: 3292, signal 174717/200559 (executing program)
1970/01/01 00:12:40 fetching corpus: 3342, signal 175802/201332 (executing program)
1970/01/01 00:12:42 fetching corpus: 3392, signal 176653/202006 (executing program)
1970/01/01 00:12:44 fetching corpus: 3442, signal 177155/202551 (executing program)
1970/01/01 00:12:48 fetching corpus: 3492, signal 178064/203229 (executing program)
1970/01/01 00:12:50 fetching corpus: 3542, signal 178931/203861 (executing program)
1970/01/01 00:12:52 fetching corpus: 3592, signal 179545/204400 (executing program)
1970/01/01 00:12:54 fetching corpus: 3642, signal 180241/204971 (executing program)
1970/01/01 00:12:57 fetching corpus: 3692, signal 180942/205519 (executing program)
1970/01/01 00:12:59 fetching corpus: 3742, signal 181596/206051 (executing program)
1970/01/01 00:13:02 fetching corpus: 3792, signal 182407/206603 (executing program)
1970/01/01 00:13:04 fetching corpus: 3842, signal 183022/207094 (executing program)
1970/01/01 00:13:07 fetching corpus: 3892, signal 183638/207550 (executing program)
1970/01/01 00:13:10 fetching corpus: 3942, signal 184424/208079 (executing program)
1970/01/01 00:13:13 fetching corpus: 3992, signal 185358/208627 (executing program)
1970/01/01 00:13:16 fetching corpus: 4040, signal 185972/209090 (executing program)
1970/01/01 00:13:17 fetching corpus: 4090, signal 186671/209534 (executing program)
1970/01/01 00:13:19 fetching corpus: 4140, signal 187361/209947 (executing program)
1970/01/01 00:13:23 fetching corpus: 4190, signal 187998/210346 (executing program)
1970/01/01 00:13:26 fetching corpus: 4240, signal 188603/210747 (executing program)
1970/01/01 00:13:28 fetching corpus: 4290, signal 189329/211135 (executing program)
1970/01/01 00:13:33 fetching corpus: 4340, signal 189974/211500 (executing program)
1970/01/01 00:13:36 fetching corpus: 4390, signal 190687/211914 (executing program)
1970/01/01 00:13:38 fetching corpus: 4440, signal 191303/212264 (executing program)
1970/01/01 00:13:41 fetching corpus: 4490, signal 191962/212593 (executing program)
1970/01/01 00:13:44 fetching corpus: 4539, signal 192613/212950 (executing program)
1970/01/01 00:13:48 fetching corpus: 4588, signal 193191/213228 (executing program)
1970/01/01 00:13:51 fetching corpus: 4638, signal 193576/213526 (executing program)
1970/01/01 00:13:54 fetching corpus: 4687, signal 194273/213819 (executing program)
1970/01/01 00:13:57 fetching corpus: 4737, signal 194692/214073 (executing program)
1970/01/01 00:13:59 fetching corpus: 4786, signal 195122/214345 (executing program)
1970/01/01 00:14:01 fetching corpus: 4836, signal 195595/214576 (executing program)
1970/01/01 00:14:06 fetching corpus: 4886, signal 196126/214799 (executing program)
1970/01/01 00:14:09 fetching corpus: 4936, signal 196706/215040 (executing program)
1970/01/01 00:14:12 fetching corpus: 4986, signal 197261/215277 (executing program)
1970/01/01 00:14:13 fetching corpus: 5036, signal 197708/215471 (executing program)
1970/01/01 00:14:16 fetching corpus: 5086, signal 198212/215652 (executing program)
1970/01/01 00:14:20 fetching corpus: 5136, signal 198681/215867 (executing program)
1970/01/01 00:14:24 fetching corpus: 5185, signal 199237/216071 (executing program)
1970/01/01 00:14:26 fetching corpus: 5235, signal 199836/216242 (executing program)
1970/01/01 00:14:29 fetching corpus: 5285, signal 200258/216411 (executing program)
1970/01/01 00:14:31 fetching corpus: 5335, signal 200949/216568 (executing program)
1970/01/01 00:14:35 fetching corpus: 5385, signal 201433/216620 (executing program)
1970/01/01 00:14:37 fetching corpus: 5433, signal 202202/216625 (executing program)
1970/01/01 00:14:40 fetching corpus: 5483, signal 202751/216625 (executing program)
1970/01/01 00:14:43 fetching corpus: 5533, signal 203288/216625 (executing program)
1970/01/01 00:14:45 fetching corpus: 5581, signal 203722/216634 (executing program)
1970/01/01 00:14:48 fetching corpus: 5631, signal 204340/216635 (executing program)
1970/01/01 00:14:52 fetching corpus: 5680, signal 204916/216635 (executing program)
1970/01/01 00:14:55 fetching corpus: 5730, signal 205470/216652 (executing program)
1970/01/01 00:14:57 fetching corpus: 5779, signal 205988/216653 (executing program)
1970/01/01 00:14:59 fetching corpus: 5829, signal 206382/216653 (executing program)
1970/01/01 00:15:01 fetching corpus: 5879, signal 207020/216653 (executing program)
1970/01/01 00:15:04 fetching corpus: 5929, signal 207751/216655 (executing program)
1970/01/01 00:15:07 fetching corpus: 5979, signal 208213/216655 (executing program)
1970/01/01 00:15:09 fetching corpus: 6029, signal 208555/216655 (executing program)
1970/01/01 00:15:12 fetching corpus: 6079, signal 209350/216655 (executing program)
1970/01/01 00:15:14 fetching corpus: 6129, signal 209895/216655 (executing program)
1970/01/01 00:15:17 fetching corpus: 6179, signal 210896/216655 (executing program)
1970/01/01 00:15:20 fetching corpus: 6229, signal 211394/216659 (executing program)
1970/01/01 00:15:22 fetching corpus: 6279, signal 211855/216659 (executing program)
1970/01/01 00:15:24 fetching corpus: 6329, signal 212381/216660 (executing program)
1970/01/01 00:15:26 fetching corpus: 6378, signal 212941/216660 (executing program)
1970/01/01 00:15:31 fetching corpus: 6428, signal 213485/216660 (executing program)
1970/01/01 00:15:35 fetching corpus: 6478, signal 213913/216660 (executing program)
1970/01/01 00:15:35 fetching corpus: 6490, signal 214536/216692 (executing program)
1970/01/01 00:15:35 fetching corpus: 6490, signal 214536/216692 (executing program)
1970/01/01 00:17:33 starting 2 fuzzer processes
00:17:34 executing program 1:
r0 = socket$inet_udp(0x2, 0x2, 0x0)
ioctl$sock_ipv4_tunnel_SIOCGETTUNNEL(r0, 0x8922, &(0x7f0000000040)={'sit0\x00', 0x0})

00:17:34 executing program 0:
mkdirat(0xffffffffffffff9c, &(0x7f00000011c0)='./file0\x00', 0x0)
mount$cgroup(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000040), 0x0, &(0x7f00000000c0)={[{@release_agent={'release_agent', 0x3d, './file0'}}, {@release_agent={'release_agent', 0x3d, './file0'}}]})

[ 1091.435557][    C0] ==================================================================
[ 1091.439328][    C0] BUG: KASAN: slab-out-of-bounds in walk_stackframe+0x11c/0x260
[ 1091.440984][    C0] Read of size 8 at addr ffffaf8008197fe0 by task syz-executor.0/2040
[ 1091.442699][    C0]
[ 1091.444832][    C0] CPU: 0 PID: 2040 Comm: syz-executor.0 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 1091.446636][    C0] Hardware name: riscv-virtio,qemu (DT)
[ 1091.447992][    C0] Call Trace:
[ 1091.449017][    C0] [] dump_backtrace+0x2e/0x3c
[ 1091.450554][    C0] [] show_stack+0x34/0x40
[ 1091.451981][    C0] [] dump_stack_lvl+0xe4/0x150
[ 1091.453452][    C0] [] print_address_description.constprop.0+0x2a/0x330
[ 1091.455546][    C0] [] kasan_report+0x184/0x1e0
[ 1091.456899][    C0] [] __asan_load8+0x6e/0x96
[ 1091.458065][    C0] [] walk_stackframe+0x11c/0x260
[ 1091.459184][    C0] [] arch_stack_walk+0x2c/0x3c
[ 1091.460525][    C0]
[ 1091.461203][    C0] Allocated by task 721:
[ 1091.461949][    C0]  (stack is not available)
[ 1091.462623][    C0]
[ 1091.463232][    C0] Last potentially related work creation:
[ 1091.464084][    C0] ------------[ cut here ]------------
[ 1091.465303][    C0] slab index 473900 out of bounds (290) for stack id 20473b2c
[ 1091.469968][    C0] WARNING: CPU: 0 PID: 2040 at lib/stackdepot.c:304 stack_depot_print+0x66/0x70
[ 1091.471638][    C0] Modules linked in:
[ 1091.472661][    C0] CPU: 0 PID: 2040 Comm: syz-executor.0 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 1091.473922][    C0] Hardware name: riscv-virtio,qemu (DT)
[ 1091.475210][    C0] epc : stack_depot_print+0x66/0x70
[ 1091.476579][    C0]  ra : stack_depot_print+0x66/0x70
[ 1091.477925][    C0] epc : ffffffff80c00b8a ra : ffffffff80c00b8a sp : ffffaf8008197ea0
[ 1091.479213][    C0]  gp : ffffffff85863ac0 tp : ffffaf800b6be100 t0 : ffffffff86bcb657
[ 1091.480505][    C0]  t1 : fffff5ef0b53910c t2 : 0000000000000000 s0 : ffffaf8008197eb0
[ 1091.481800][    C0]  s1 : ffffaf807a890080 a0 : 000000000000003b a1 : 00000000000f0000
[ 1091.483106][    C0]  a2 : 0000000000000504 a3 : ffffffff8012252a a4 : f3d788cf64c7cb00
[ 1091.484583][    C0]  a5 : f3d788cf64c7cb00 a6 : 0000000000f00000 a7 : ffffaf805a9c8863
[ 1091.486999][    C0]  s2 : ffffaf8008197fe0 s3 : ffffaf8007201dc0 s4 : ffffaf8008197800
[ 1091.488347][    C0]  s5 : ffffaf8008197c00 s6 : 0000000000003fff s7 : ffffaf8008197f80
[ 1091.489694][    C0]  s8 : 0000000000400000 s9 : ffffffffffffc000 s10: ffffaf8008198060
[ 1091.491022][    C0]  s11: 0000000000000008 t3 : fffffffff3f3f300 t4 : fffff5ef0b53910c
[ 1091.492269][    C0]  t5 : fffff5ef0b53910d t6 : ffffaf8008197998
[ 1091.493404][    C0] status: 0000000000000100 badaddr: 0000000000000000 cause: 0000000000000003
[ 1091.494850][    C0] [] print_address_description.constprop.0+0x2fc/0x330
[ 1091.496469][    C0] [] kasan_report+0x184/0x1e0
[ 1091.497971][    C0] [] __asan_load8+0x6e/0x96
[ 1091.499260][    C0] [] walk_stackframe+0x11c/0x260
[ 1091.500614][    C0] [] arch_stack_walk+0x2c/0x3c
[ 1091.502106][    C0] irq event stamp: 41095
[ 1091.503099][    C0] hardirqs last  enabled at (41094): [] _raw_spin_unlock_irqrestore+0x68/0x98
[ 1091.505576][    C0] hardirqs last disabled at (41095): [] _raw_spin_lock_irqsave+0x60/0x62
[ 1091.507141][    C0] softirqs last  enabled at (41014): [] __do_softirq+0x618/0x8fc
[ 1091.508460][    C0] softirqs last disabled at (41021): [] __irq_exit_rcu+0x142/0x1f8
[ 1091.509898][    C0] ---[ end trace 0000000000000000 ]---
[ 1091.511154][    C0]
[ 1091.511749][    C0] Second to last potentially related work creation:
[ 1091.512709][    C0]  stack_trace_save+0xa6/0xd8
[ 1091.513773][    C0]  kasan_save_stack+0x2c/0x58
[ 1091.515330][    C0]  kasan_set_track+0x1a/0x26
[ 1091.516429][    C0]  kasan_set_free_info+0x1e/0x3a
[ 1091.517371][    C0]  ____kasan_slab_free+0x15e/0x180
[ 1091.518411][    C0]  __kasan_slab_free+0x10/0x18
[ 1091.519425][    C0]  slab_free_freelist_hook+0x8e/0x1cc
[ 1091.520498][    C0]  kmem_cache_free+0xca/0x482
[ 1091.521472][    C0]  jbd2_journal_stop+0x47e/0x99c
[ 1091.522463][    C0]  __ext4_journal_stop+0x90/0x154
[ 1091.523423][    C0]  ext4_mkdir+0x618/0x6fa
[ 1091.524593][    C0]  vfs_mkdir+0x110/0x202
[ 1091.525908][    C0]  do_mkdirat+0x22e/0x262
[ 1091.527042][    C0]  sys_mkdirat+0x88/0xb2
[ 1091.528207][    C0]  ret_from_syscall+0x0/0x2
[ 1091.529474][    C0]
[ 1091.530200][    C0] The buggy address belongs to the object at ffffaf8008197800
[ 1091.530200][    C0]  which belongs to the cache kmalloc-1k of size 1024
[ 1091.531899][    C0] The buggy address is located 992 bytes to the right of
[ 1091.531899][    C0]  1024-byte region [ffffaf8008197800, ffffaf8008197c00)
[ 1091.533940][    C0] The buggy address belongs to the page:
[ 1091.536386][    C0] page:ffffaf807a890080 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffffaf8008190800 pfn:0x88390
[ 1091.538629][    C0] head:ffffaf807a890080 order:3 compound_mapcount:0 compound_pincount:0
[ 1091.540138][    C0] flags: 0x8800010200(slab|head|section=17|node=0|zone=0)
[ 1091.542969][    C0] raw: 0000008800010200 ffffaf807a9b6148 ffffaf807aa6c308 ffffaf8007201dc0
[ 1091.544550][    C0] raw: ffffaf8008190800 000000000010000a 00000001ffffffff 0000000000000000
[ 1091.546390][    C0] raw: 00000000000007ff
[ 1091.547230][    C0] page dumped because: kasan: bad access detected
[ 1091.548357][    C0] page_owner tracks the page as allocated
[ 1091.549188][    C0] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1995, ts 508327549800, free_ts 508219580500
[ 1091.551120][    C0]  __set_page_owner+0x48/0x136
[ 1091.552197][    C0]  post_alloc_hook+0xd0/0x10a
[ 1091.553193][    C0]  get_page_from_freelist+0x8da/0x12d8
[ 1091.554194][    C0]  __alloc_pages+0x150/0x3b6
[ 1091.555534][    C0]  alloc_pages+0x132/0x2a6
[ 1091.556592][    C0]  alloc_slab_page.constprop.0+0xc2/0xfa
[ 1091.557640][    C0]  new_slab+0x76/0x2cc
[ 1091.558547][    C0]  ___slab_alloc+0x56e/0x918
[ 1091.559515][    C0]  __slab_alloc.constprop.0+0x50/0x8c
[ 1091.560561][    C0]  __kmalloc_node_track_caller+0x26c/0x362
[ 1091.561627][    C0]  __alloc_skb+0xee/0x2e4
[ 1091.562606][    C0]  __napi_alloc_skb+0x72/0x214
[ 1091.563597][    C0]  page_to_skb+0x16e/0x70e
[ 1091.564999][    C0]  receive_buf+0xa20/0x3e50
[ 1091.566162][    C0]  virtnet_poll+0x39c/0x986
[ 1091.567313][    C0]  __napi_poll+0x7c/0x358
[ 1091.568538][    C0] page last free stack trace:
[ 1091.569474][    C0]  __reset_page_owner+0x4a/0xea
[ 1091.570673][    C0]  free_pcp_prepare+0x29c/0x45e
[ 1091.571872][    C0]  free_unref_page+0x6a/0x31e
[ 1091.573039][    C0]  free_compound_page+0x70/0x8a
[ 1091.574278][    C0]  __put_compound_page+0x7c/0xb0
[ 1091.575988][    C0]  __put_page+0x48/0x100
[ 1091.577106][    C0]  skb_release_data+0x2f8/0x3c4
[ 1091.578226][    C0]  __kfree_skb+0x38/0x50
[ 1091.579325][    C0]  __sk_defer_free_flush+0x52/0x68
[ 1091.580531][    C0]  tcp_v4_rcv+0x1bbc/0x1f46
[ 1091.581654][    C0]  ip_protocol_deliver_rcu+0x9c/0x8c0
[ 1091.582858][    C0]  ip_local_deliver_finish+0x12c/0x278
[ 1091.584126][    C0]  ip_local_deliver+0x160/0x464
[ 1091.585543][    C0]  ip_sublist_rcv_finish+0x64/0x1b2
[ 1091.586618][    C0]  ip_sublist_rcv+0x420/0x738
[ 1091.587627][    C0]  ip_list_rcv+0x268/0x2c0
[ 1091.588806][    C0]
[ 1091.589450][    C0] Memory state around the buggy address:
[ 1091.590627][    C0]  ffffaf8008197e80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 1091.591756][    C0]  ffffaf8008197f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1091.592862][    C0] >ffffaf8008197f80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 1091.593840][    C0]                                                        ^
[ 1091.595728][    C0]  ffffaf8008198000: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 f3
[ 1091.597076][    C0]  ffffaf8008198080: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
[ 1091.598423][    C0] ==================================================================
[ 1091.599585][    C0] Disabling lock debugging due to kernel taint
[ 1091.605848][ T2040] Kernel panic - not syncing: corrupted stack end detected inside scheduler
[ 1091.607366][ T2040] CPU: 0 PID: 2040 Comm: syz-executor.0 Tainted: G    B W         5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 1091.608847][ T2040] Hardware name: riscv-virtio,qemu (DT)
[ 1091.609576][ T2040] Call Trace:
[ 1091.610140][ T2040] [] dump_backtrace+0x2e/0x3c
[ 1091.611188][ T2040] [] show_stack+0x34/0x40
[ 1091.612223][ T2040] [] dump_stack_lvl+0xe4/0x150
[ 1091.613474][ T2040] [] dump_stack+0x1c/0x24
[ 1091.615194][ T2040] [] panic+0x24a/0x634
[ 1091.616282][ T2040] [] schedule+0x0/0x14c
[ 1091.617361][ T2040] [] preempt_schedule_irq+0x4a/0x13e
[ 1091.618569][ T2040] [] resume_kernel+0x16/0x18
[ 1091.619945][ T2040] SMP: stopping secondary CPUs
[ 1091.622281][ T2040] Rebooting in 86400 seconds..
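The KASAN report above states that the 8-byte read at ffffaf8008197fe0 lands 992 bytes past the end of a 1024-byte kmalloc-1k object, and the "Memory state" rows show which shadow byte covers that address. The script below is an added triage helper for this page (it is not syzkaller or kernel code): it parses those report lines, re-derives the out-of-bounds offset from the access address and the object region, and decodes the shadow byte for the access using the generic-KASAN shadow encoding (8 bytes of memory per shadow byte, 16 shadow bytes per printed row, 0xfc = slab object redzone, 0xf1/0xf3 = stack left/right redzone). The embedded `SAMPLE` is a constructed excerpt copied from the report above; in practice the whole console log can be fed in.

```python
"""
Triage helper for a generic-KASAN slab-out-of-bounds report.
Added example for this page; not syzkaller or kernel code.
"""
import re

GRANULE = 8               # generic KASAN: one shadow byte per 8 bytes of memory
ROW_BYTES = 16 * GRANULE  # KASAN prints 16 shadow bytes (128 bytes of memory) per row

# Shadow byte meanings for generic KASAN (mm/kasan/kasan.h, v5.17). Only the
# values that can turn up in a slab or stack report are listed.
SHADOW_MEANING = {
    0x00: "addressable",
    0xf1: "stack left redzone",
    0xf2: "stack mid redzone",
    0xf3: "stack right redzone",
    0xf4: "stack partial redzone",
    0xfb: "freed slab object",
    0xfc: "slab object redzone",
    0xfe: "kmalloc_large page redzone",
    0xff: "freed page",
}

# Constructed excerpt: the relevant lines copied from the report on this page.
SAMPLE = """\
[ 1091.439328][    C0] BUG: KASAN: slab-out-of-bounds in walk_stackframe+0x11c/0x260
[ 1091.440984][    C0] Read of size 8 at addr ffffaf8008197fe0 by task syz-executor.0/2040
[ 1091.531899][    C0] The buggy address is located 992 bytes to the right of
[ 1091.531899][    C0]  1024-byte region [ffffaf8008197800, ffffaf8008197c00)
[ 1091.589450][    C0] Memory state around the buggy address:
[ 1091.590627][    C0]  ffffaf8008197e80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 1091.591756][    C0]  ffffaf8008197f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1091.592862][    C0] >ffffaf8008197f80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 1091.595728][    C0]  ffffaf8008198000: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 f3
"""

_ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)")
_REGION = re.compile(r"(\d+)-byte region \[([0-9a-f]+), ([0-9a-f]+)\)")
_STATED = re.compile(r"located (\d+) bytes to the (left|right) of")
_ROW = re.compile(r"(?:^|\s)(>?)([0-9a-f]{16}): ((?:[0-9a-f]{2} +){15}[0-9a-f]{2})")


def describe_shadow(value):
    """Map one shadow byte to text; 1..7 means a partially addressable granule."""
    if 1 <= value <= 7:
        return f"first {value} of {GRANULE} bytes addressable"
    return SHADOW_MEANING.get(value, f"unknown shadow value 0x{value:02x}")


def parse_report(text):
    """Pull the access, the object region and the shadow rows out of a KASAN report."""
    acc = _ACCESS.search(text)
    reg = _REGION.search(text)
    if not acc or not reg:
        raise ValueError("not a KASAN slab report: access or region line missing")
    stated = _STATED.search(text)
    rows = {}
    for m in _ROW.finditer(text):
        rows[int(m.group(2), 16)] = [int(b, 16) for b in m.group(3).split()]
    return {
        "kind": acc.group(1).lower(),
        "size": int(acc.group(2)),
        "addr": int(acc.group(3), 16),
        "region": (int(reg.group(2), 16), int(reg.group(3), 16)),
        "stated": (int(stated.group(1)), stated.group(2)) if stated else None,
        "rows": rows,
    }


def oob_offset(addr, region):
    """Distance of addr from the object region, in the wording KASAN uses."""
    start, end = region
    if addr >= end:
        return addr - end, "right"
    if addr < start:
        return start - addr, "left"
    return addr - start, "inside"


def shadow_for(rows, addr):
    """Locate the shadow byte covering addr in the dumped rows (None if not dumped)."""
    row = addr & ~(ROW_BYTES - 1)
    if row not in rows:
        return None
    idx = (addr - row) // GRANULE
    value = rows[row][idx]
    return {"row": row, "index": idx, "value": value, "meaning": describe_shadow(value)}


def triage(text):
    """Summarize the report and cross-check KASAN's own offset arithmetic."""
    r = parse_report(text)
    off, side = oob_offset(r["addr"], r["region"])
    return {
        "access": f'{r["kind"]} of {r["size"]} bytes at 0x{r["addr"]:x}',
        "offset": off,
        "side": side,
        "matches_report": r["stated"] is None or r["stated"] == (off, side),
        "shadow": shadow_for(r["rows"], r["addr"]),
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE).items():
        print(f"{key}: {val}")
```

For the report above this yields offset 992 to the right (0xffffaf8008197fe0 - 0xffffaf8008197c00 = 0x3e0), agreeing with the kernel's own line, and the shadow byte at index 12 of the `>` row is 0xfc, the slab redzone immediately after the object. The same helper decodes the stack-redzone bytes (0xf1, 0xf3) in the following row, which is what a practitioner checks when, as here, the faulting reader is the stack unwinder rather than an ordinary slab user.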
VM DIAGNOSIS:
10:35:26 Registers:
info registers vcpu 0
 pc       ffffffff80124490
 mhartid  0000000000000000
 mstatus  00000000000000a0
 mip      00000000000000a0
 mie      000000000000022a
 mideleg  0000000000000222
 medeleg  000000000000b109
 mtvec    0000000080000540
 stvec    ffffffff800055d4
 mepc     ffffffff80475aca
 sepc     ffffffff82b83a96
 mcause   8000000000000007
 scause   8000000000000005
 mtval    0000000000000000
 stval    0000000000000000
 x0/zero  0000000000000000 x1/ra    ffffffff8012448c x2/sp    ffffaf8008197a10 x3/gp    ffffffff85863ac0
 x4/tp    ffffaf800b6be100 x5/t0    ffffffff86bcb657 x6/t1    fffff5ef01032f94 x7/t2    0000000000000000
 x8/s0    ffffaf8008197b90 x9/s1    ffffffff84a88a00 x10/a0   0000000000000000 x11/a1   00000000000f0000
 x12/a2   0000000000000504 x13/a3   ffffffff8012448c x14/a4   ffffaf800b6be100 x15/a5   0000000000000000
 x16/a6   0000000000f00000 x17/a7   ffffaf8008197ca2 x18/s2   0000000000000010 x19/s3   0000000000000020
 x20/s4   ffffaf8008197b20 x21/s5   ffffaf8008197c20 x22/s6   ffffaf8008197c60 x23/s7   ffffaf8008197eb8
 x24/s8   ffffaf8008197c30 x25/s9   1ffff5f001032f7c x26/s10  ffffffff85889780 x27/s11  ffffaf8008197c60
 x28/t3   1ffff5f001032fc4 x29/t4   fffff5ef01032f94 x30/t5   fffff5ef01032f95 x31/t6   ffffaf8008197ca3
 f0/ft0   0000000000000000 f1/ft1   0000000000000000 f2/ft2   0000000000000000 f3/ft3   0000000000000000
 f4/ft4   0000000000000000 f5/ft5   0000000000000000 f6/ft6   0000000000000000 f7/ft7   0000000000000000
 f8/fs0   0000000000000000 f9/fs1   0000000000000000 f10/fa0  0000000000000000 f11/fa1  0000000000000000
 f12/fa2  0000000000000000 f13/fa3  0000000000000000 f14/fa4  0000000000000000 f15/fa5  0000000000000000
 f16/fa6  0000000000000000 f17/fa7  0000000000000000 f18/fs2  0000000000000000 f19/fs3  0000000000000000
 f20/fs4  0000000000000000 f21/fs5  0000000000000000 f22/fs6  0000000000000000 f23/fs7  0000000000000000
 f24/fs8  0000000000000000 f25/fs9  0000000000000000 f26/fs10 0000000000000000 f27/fs11 0000000000000000
 f28/ft8  0000000000000000 f29/ft9  0000000000000000 f30/ft10 0000000000000000 f31/ft11 0000000000000000
info registers vcpu 1
 pc       ffffffff80475986
 mhartid  0000000000000001
 mstatus  00000000000000a2
 mip      0000000000000000
 mie      00000000000002aa
 mideleg  0000000000000222
 medeleg  000000000000b109
 mtvec    0000000080000540
 stvec    ffffffff800055d4
 mepc     ffffffff8000f97e
 sepc     ffffffff831afd22
 mcause   0000000000000009
 scause   8000000000000005
 mtval    0000000000000000
 stval    0000000000000000
 x0/zero  0000000000000000 x1/ra    ffffffff80b07954 x2/sp    ffffaf800743faf0 x3/gp    ffffffff85863ac0
 x4/tp    ffffaf8007460000 x5/t0    ffffaf80083eb638 x6/t1    f3d788cf64c7cb00 x7/t2    fffffffffffff000
 x8/s0    ffffaf800743fae0 x9/s1    0000000000000001 x10/a0   ffffaf805a9f59d8 x11/a1   ffffffffffffffff
 x12/a2   0000000000000002 x13/a3   ffffffff831a2498 x14/a4   0000000000000001 x15/a5   0000000000000000
 x16/a6   ffffffff8176b8f4 x17/a7   f3d788cf64c7cb00 x18/s2   ffffffff86c1a620 x19/s3   0000000000000000
 x20/s4   0000000000000000 x21/s5   ffffaf8007460a18 x22/s6   0000000000000a04 x23/s7   0000000000040000
 x24/s8   ffffaf8007460a70 x25/s9   0000000000000002 x26/s10  ffffaf8007460a20 x27/s11  ffffaf8007460000
 x28/t3   fffffffff3f3f300 x29/t4   ffffffff80112282 x30/t5   1ffff5f000e87f2c x31/t6   00007fff99623000
 f0/ft0   0000000000000000 f1/ft1   0000000000000000 f2/ft2   0000000000000000 f3/ft3   0000000000000000
 f4/ft4   0000000000000000 f5/ft5   0000000000000000 f6/ft6   0000000000000000 f7/ft7   0000000000000000
 f8/fs0   0000000000000000 f9/fs1   0000000000000000 f10/fa0  0000000000000000 f11/fa1  0000000000000000
 f12/fa2  0000000000000000 f13/fa3  0000000000000000 f14/fa4  0000000000000000 f15/fa5  0000000000000000
 f16/fa6  0000000000000000 f17/fa7  0000000000000000 f18/fs2  0000000000000000 f19/fs3  0000000000000000
 f20/fs4  0000000000000000 f21/fs5  0000000000000000 f22/fs6  0000000000000000 f23/fs7  0000000000000000
 f24/fs8  0000000000000000 f25/fs9  0000000000000000 f26/fs10 0000000000000000 f27/fs11 0000000000000000
 f28/ft8  0000000000000000 f29/ft9  0000000000000000 f30/ft10 0000000000000000 f31/ft11 0000000000000000