syzkaller login: [  495.006813][ T1858] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[  495.042836][ T1858] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[  495.121365][ T1858] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[  514.731434][ T1858] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
Warning: Permanently added '[localhost]:52015' (ECDSA) to the list of known hosts.
1970/01/01 00:09:12 fuzzer started
1970/01/01 00:09:27 dialing manager at localhost:38517
[  573.845408][ T2037] cgroup: Unknown subsys name 'net'
[  574.775293][ T2037] cgroup: Unknown subsys name 'rlimit'
1970/01/01 00:09:34 syscalls: 2853
1970/01/01 00:09:34 code coverage: enabled
1970/01/01 00:09:34 comparison tracing: enabled
1970/01/01 00:09:34 extra coverage: enabled
1970/01/01 00:09:34 delay kcov mmap: mmap returned an invalid pointer
1970/01/01 00:09:34 setuid sandbox: enabled
1970/01/01 00:09:34 namespace sandbox: enabled
1970/01/01 00:09:34 Android sandbox: /sys/fs/selinux/policy does not exist
1970/01/01 00:09:34 fault injection: enabled
1970/01/01 00:09:34 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
1970/01/01 00:09:34 net packet injection: enabled
1970/01/01 00:09:34 net device setup: enabled
1970/01/01 00:09:34 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
1970/01/01 00:09:34 devlink PCI setup: PCI device 0000:00:10.0 is not available
1970/01/01 00:09:34 USB emulation: enabled
1970/01/01 00:09:34 hci packet injection: /dev/vhci does not exist
1970/01/01 00:09:34 wifi device emulation: /sys/class/mac80211_hwsim/ does not exist
1970/01/01 00:09:34 802.15.4 emulation: /sys/bus/platform/devices/mac802154_hwsim does not exist
1970/01/01 00:09:40 fetching corpus: 50, signal 31538/33379 (executing program)
[  581.455830][    C0] ==================================================================
[  581.456946][    C0] BUG: KASAN: use-after-free in __bfs+0x154/0x394
[  581.457947][    C0] Read of size 8 at addr ffffaf800f70ff70 by task sshd/2027
[  581.458982][    C0] 
[  581.460087][    C0] CPU: 0 PID: 2027 Comm: sshd Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[  581.461917][    C0] Hardware name: riscv-virtio,qemu (DT)
[  581.462824][    C0] Call Trace:
[  581.463766][    C0] [<ffffffff8000a228>] dump_backtrace+0x2e/0x3c
[  581.464859][    C0] [<ffffffff831668cc>] show_stack+0x34/0x40
[  581.465799][    C0] [<ffffffff831756ba>] dump_stack_lvl+0xe4/0x150
[  581.466739][    C0] [<ffffffff8047479e>] print_address_description.constprop.0+0x2a/0x330
[  581.467888][    C0] [<ffffffff80474d4c>] kasan_report+0x184/0x1e0
[  581.473605][    C0] [<ffffffff80475b20>] __asan_load8+0x6e/0x96
[  581.474777][    C0] [<ffffffff8010dd9a>] __bfs+0x154/0x394
[  581.475679][    C0] [<ffffffff8010e52a>] check_path.constprop.0+0x24/0x46
[  581.476864][    C0] [<ffffffff8010f95c>] check_noncircular+0x11a/0x1fe
[  581.478035][    C0] 
[  581.478542][    C0] The buggy address belongs to the page:
[  581.479634][    C0] page:ffffaf807aaa0c38 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8f90f
[  581.481113][    C0] flags: 0x8800000000(section=17|node=0|zone=0)
[  581.483153][    C0] raw: 0000008800000000 0000000000000100 0000000000000122 0000000000000000
[  581.484300][    C0] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[  581.485195][    C0] raw: 00000000000007ff
[  581.485940][    C0] page dumped because: kasan: bad access detected
[  581.486868][    C0] page_owner tracks the page as freed
[  581.487536][    C0] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x500cc2(GFP_HIGHUSER|__GFP_ACCOUNT), pid 1990, ts 524452591700, free_ts 524633002300
[  581.489392][    C0]  __set_page_owner+0x48/0x136
[  581.490316][    C0]  post_alloc_hook+0xd0/0x10a
[  581.491147][    C0]  get_page_from_freelist+0x8da/0x12d8
[  581.491973][    C0]  __alloc_pages+0x150/0x3b6
[  581.492793][    C0]  alloc_pages+0x132/0x2a6
[  581.493691][    C0]  pipe_write+0xbd2/0x10d6
[  581.494696][    C0]  new_sync_write+0x296/0x3aa
[  581.495564][    C0]  vfs_write+0x2de/0x334
[  581.496429][    C0]  ksys_write+0x1c4/0x224
[  581.497247][    C0]  sys_write+0x28/0x36
[  581.498367][    C0]  ret_from_syscall+0x0/0x2
[  581.500000][    C0] page last free stack trace:
[  581.500612][    C0]  __reset_page_owner+0x4a/0xea
[  581.501516][    C0]  free_pcp_prepare+0x29c/0x45e
[  581.502348][    C0]  free_unref_page+0x6a/0x31e
[  581.503125][    C0]  __put_page+0xf2/0x100
[  581.503974][    C0]  anon_pipe_buf_release+0x154/0x19a
[  581.504891][    C0]  pipe_read+0x3f2/0xa4c
[  581.505675][    C0]  new_sync_read+0x3ae/0x3d8
[  581.506536][    C0]  vfs_read+0x2ce/0x324
[  581.507334][    C0]  ksys_read+0x1c4/0x224
[  581.508215][    C0]  sys_read+0x28/0x36
[  581.508982][    C0]  ret_from_syscall+0x0/0x2
[  581.509937][    C0] 
[  581.510437][    C0] Memory state around the buggy address:
[  581.511493][    C0]  ffffaf800f70fe00: ff ff ff ff f1 f1 f1 f1 00 f3 f3 f3 ff ff ff ff
[  581.512476][    C0]  ffffaf800f70fe80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[  581.513478][    C0] >ffffaf800f70ff00: 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 ff ff ff ff
[  581.514403][    C0]                                                              ^
[  581.515348][    C0]  ffffaf800f70ff80: 00 00 00 f3 f3 f3 f3 f3 ff ff ff ff ff ff ff ff
[  581.516240][    C0]  ffffaf800f710000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  581.517129][    C0] ==================================================================
[  581.517964][    C0] Disabling lock debugging due to kernel taint
[  581.555237][ T2027] Kernel panic - not syncing: corrupted stack end detected inside scheduler
[  581.556501][ T2027] CPU: 0 PID: 2027 Comm: sshd Tainted: G    B             5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[  581.557625][ T2027] Hardware name: riscv-virtio,qemu (DT)
[  581.558242][ T2027] Call Trace:
[  581.558775][ T2027] [<ffffffff8000a228>] dump_backtrace+0x2e/0x3c
[  581.559854][ T2027] [<ffffffff831668cc>] show_stack+0x34/0x40
[  581.560758][ T2027] [<ffffffff831756ba>] dump_stack_lvl+0xe4/0x150
[  581.561715][ T2027] [<ffffffff83175742>] dump_stack+0x1c/0x24
[  581.562601][ T2027] [<ffffffff83166fa8>] panic+0x24a/0x634
[  581.563370][ T2027] [<ffffffff831a688a>] schedule+0x0/0x14c
[  581.564295][ T2027] [<ffffffff831a6b00>] preempt_schedule_common+0x4e/0xde
[  581.565256][ T2027] [<ffffffff831a6bc4>] preempt_schedule+0x34/0x36
[  581.566209][ T2027] [<ffffffff831afd78>] _raw_spin_unlock_irqrestore+0x8c/0x98
[  581.567137][ T2027] [<ffffffff80b090c2>] __debug_object_init+0x284/0x7b8
[  581.568028][ T2027] [<ffffffff80b09632>] debug_object_init_on_stack+0x1a/0x22
[  581.569419][ T2027] [<ffffffff831af106>] schedule_hrtimeout_range_clock+0xe0/0x2de
[  581.570639][ T2027] [<ffffffff831af32c>] schedule_hrtimeout_range+0x28/0x36
[  581.571617][ T2027] [<ffffffff804f928a>] poll_schedule_timeout.constprop.0+0x84/0xde
[  581.572705][ T2027] [<ffffffff804fa506>] do_select+0xd50/0xeb4
[  581.573700][ T2027] [<ffffffff804fb57c>] core_sys_select+0x364/0x8c8
[  581.574766][ T2027] [<ffffffff804fbed6>] sys_pselect6+0x258/0x29a
[  581.575717][ T2027] [<ffffffff80005716>] ret_from_syscall+0x0/0x2
[  581.576898][ T2027] SMP: stopping secondary CPUs
[  581.583143][ T2027] Rebooting in 86400 seconds..

VM DIAGNOSIS:
12:10:59  Registers:
info registers vcpu 0
 pc       ffffffff8233751e
 mhartid  0000000000000000
 mstatus  00000000000000a0
 mip      00000000000000a0
 mie      000000000000022a
 mideleg  0000000000000222
 medeleg  000000000000b109
 mtvec    0000000080000540
 stvec    ffffffff800055d4
 mepc     ffffffff80475986
 sepc     ffffffff80014c9c
 mcause   8000000000000007
 scause   8000000000000005
 mtval  0000000000000000
 stval  0000000000000000
 x0/zero 0000000000000000 x1/ra ffffffff8233751a x2/sp ffffaf800f70f8b0 x3/gp ffffffff85863ac0
 x4/tp ffffaf800cfc8000 x5/t0 ffffffff86bcb657 x6/t1 ffffaf800f70fba0 x7/t2 0000000000000000
 x8/s0 ffffaf800f70f8c0 x9/s1 ffffffff84b8e270 x10/a0 000000016042f171 x11/a1 00000000000f0000
 x12/a2 0000000000000506 x13/a3 ffffffff8233751a x14/a4 ffffaf800cfc8000 x15/a5 0000000000000000
 x16/a6 0000000000f00000 x17/a7 fffffffff2000000 x18/s2 ffffaf800cfc8000 x19/s3 0000000000000004
 x20/s4 ffffaf800f70fc48 x21/s5 ffffffff84b8e240 x22/s6 ffffffff838d2e60 x23/s7 ffffffff84b8e270
 x24/s8 0000000000000000 x25/s9 1ffff5f001ee1f2c x26/s10 ffffffff85889780 x27/s11 ffffaf800cfc8000
 x28/t3 1ffff5f001ee1f74 x29/t4 fffffffef0b180cc x30/t5 fffffffef0b180ce x31/t6 ffffffff858c066c
 f0/ft0 0000000000000000 f1/ft1 0000000000000000 f2/ft2 0000000000000000 f3/ft3 0000000000000000
 f4/ft4 0000000000000000 f5/ft5 0000000000000000 f6/ft6 0000000000000000 f7/ft7 0000000000000000
 f8/fs0 0000000000000000 f9/fs1 0000000000000000 f10/fa0 0000000000000000 f11/fa1 0000000000000000
 f12/fa2 0000000000000000 f13/fa3 0000000000000000 f14/fa4 0000000000000000 f15/fa5 0000000000000000
 f16/fa6 0000000000000000 f17/fa7 0000000000000000 f18/fs2 0000000000000000 f19/fs3 0000000000000000
 f20/fs4 0000000000000000 f21/fs5 0000000000000000 f22/fs6 0000000000000000 f23/fs7 0000000000000000
 f24/fs8 0000000000000000 f25/fs9 0000000000000000 f26/fs10 0000000000000000 f27/fs11 0000000000000000
 f28/ft8 0000000000000000 f29/ft9 0000000000000000 f30/ft10 0000000000000000 f31/ft11 0000000000000000
info registers vcpu 1
 pc       ffffffff800058f0
 mhartid  0000000000000001
 mstatus  00000000000000a0
 mip      0000000000000000
 mie      00000000000002aa
 mideleg  0000000000000222
 medeleg  000000000000b109
 mtvec    0000000080000540
 stvec    ffffffff800055d4
 mepc     ffffffff8000f97e
 sepc     ffffffff800058f4
 mcause   0000000000000009
 scause   8000000000000001
 mtval  0000000000000000
 stval  0000000000000000
 x0/zero 0000000000000000 x1/ra ffffffff800058ec x2/sp ffffaf800742bf40 x3/gp ffffffff85863ac0
 x4/tp ffffaf8007410000 x5/t0 ffffaf800c9db280 x6/t1 fffff5ef0b53eb62 x7/t2 0000000000000001
 x8/s0 ffffaf800742bf50 x9/s1 ffffaf8007410000 x10/a0 0000000000000001 x11/a1 00000000000f0000
 x12/a2 0000000000000002 x13/a3 ffffffff800058ec x14/a4 ffffaf8007411000 x15/a5 0000000000000000
 x16/a6 0000000000f00000 x17/a7 ffffaf805a9f5b13 x18/s2 0000000000000001 x19/s3 0000000000000002
 x20/s4 0000000000000007 x21/s5 ffffffff8588b420 x22/s6 ffffaf8007410000 x23/s7 fffffffffffffffd
 x24/s8 00000000800130f0 x25/s9 0000000000000000 x26/s10 0000000000000000 x27/s11 0000000000000000
 x28/t3 fffffffff3f3f300 x29/t4 fffff5ef0b53eb62 x30/t5 fffff5ef0b53eb63 x31/t6 0000000000000002
 f0/ft0 0000000000000000 f1/ft1 0000000000000000 f2/ft2 414fffffe0000000 f3/ft3 43e0000000000000
 f4/ft4 3ffe000000000000 f5/ft5 0000000000000000 f6/ft6 0000000000000000 f7/ft7 0000000000000000
 f8/fs0 0000000000000000 f9/fs1 0000000000000000 f10/fa0 0000000000000000 f11/fa1 0000000000000000
 f12/fa2 0000000000000000 f13/fa3 0000000000000000 f14/fa4 0000000000000000 f15/fa5 0000000000000000
 f16/fa6 0000000000000000 f17/fa7 0000000000000000 f18/fs2 0000000000000000 f19/fs3 0000000000000000
 f20/fs4 0000000000000000 f21/fs5 0000000000000000 f22/fs6 0000000000000000 f23/fs7 0000000000000000
 f24/fs8 0000000000000000 f25/fs9 0000000000000000 f26/fs10 0000000000000000 f27/fs11 0000000000000000
 f28/ft8 0000000000000000 f29/ft9 0000000000000000 f30/ft10 0000000000000000 f31/ft11 0000000000000000