syzkaller login: [ 275.376564][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 275.471303][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 275.510603][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 286.126814][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
Warning: Permanently added '[localhost]:21345' (ECDSA) to the list of known hosts.
1970/01/01 00:05:24 fuzzer started
1970/01/01 00:05:41 dialing manager at localhost:38981
[ 351.662206][ T2031] cgroup: Unknown subsys name 'net'
[ 352.833431][ T2031] cgroup: Unknown subsys name 'rlimit'
1970/01/01 00:05:52 syscalls: 2818
1970/01/01 00:05:52 code coverage: enabled
1970/01/01 00:05:52 comparison tracing: ioctl(KCOV_DISABLE) failed: invalid argument
1970/01/01 00:05:52 extra coverage: ioctl(KCOV_REMOTE_ENABLE) failed: device or resource busy
1970/01/01 00:05:52 delay kcov mmap: mmap returned an invalid pointer
1970/01/01 00:05:52 setuid sandbox: enabled
1970/01/01 00:05:52 namespace sandbox: enabled
1970/01/01 00:05:52 Android sandbox: /sys/fs/selinux/policy does not exist
1970/01/01 00:05:52 fault injection: enabled
1970/01/01 00:05:52 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
1970/01/01 00:05:52 net packet injection: enabled
1970/01/01 00:05:52 net device setup: enabled
1970/01/01 00:05:52 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
1970/01/01 00:05:52 devlink PCI setup: PCI device 0000:00:10.0 is not available
1970/01/01 00:05:52 USB emulation: enabled
1970/01/01 00:05:52 hci packet injection: /dev/vhci does not exist
1970/01/01 00:05:52 wifi device emulation: /sys/class/mac80211_hwsim/ does not exist
1970/01/01 00:05:52 802.15.4 emulation: /sys/bus/platform/devices/mac802154_hwsim does not exist
1970/01/01 00:05:53 fetching corpus: 0, signal 0/2000 (executing program)
1970/01/01 00:06:00 fetching corpus: 50, signal 32317/35533 (executing program)
1970/01/01 00:06:03 fetching corpus: 99, signal 46283/50577 (executing program)
1970/01/01 00:06:07 fetching corpus: 147, signal 55696/60962 (executing program)
1970/01/01 00:06:11 fetching corpus: 197, signal 65786/71727 (executing program)
1970/01/01 00:06:14 fetching corpus: 247, signal 69606/76467 (executing program)
1970/01/01 00:06:18 fetching corpus: 296, signal 74119/81740 (executing program)
1970/01/01 00:06:21 fetching corpus: 346, signal 77504/85862 (executing program)
1970/01/01 00:06:24 fetching corpus: 395, signal 81423/90384 (executing program)
1970/01/01 00:06:29 fetching corpus: 445, signal 86458/95769 (executing program)
1970/01/01 00:06:32 fetching corpus: 495, signal 90097/99822 (executing program)
1970/01/01 00:06:33 fetching corpus: 545, signal 92523/102786 (executing program)
1970/01/01 00:06:36 fetching corpus: 595, signal 94892/105649 (executing program)
1970/01/01 00:06:40 fetching corpus: 644, signal 98890/109721 (executing program)
1970/01/01 00:06:43 fetching corpus: 694, signal 102711/113600 (executing program)
1970/01/01 00:06:45 fetching corpus: 743, signal 105377/116502 (executing program)
1970/01/01 00:06:50 fetching corpus: 793, signal 107251/118696 (executing program)
1970/01/01 00:06:53 fetching corpus: 842, signal 109980/121497 (executing program)
1970/01/01 00:06:55 fetching corpus: 892, signal 112189/123785 (executing program)
1970/01/01 00:06:58 fetching corpus: 941, signal 115294/126681 (executing program)
1970/01/01 00:07:01 fetching corpus: 990, signal 117684/129016 (executing program)
1970/01/01 00:07:04 fetching corpus: 1040, signal 119874/131152 (executing program)
1970/01/01 00:07:06 fetching corpus: 1090, signal 122172/133319 (executing program)
1970/01/01 00:07:09 fetching corpus: 1140, signal 123774/134930 (executing program)
1970/01/01 00:07:12 fetching corpus: 1189, signal 125087/136333 (executing program)
1970/01/01 00:07:15 fetching corpus: 1238, signal 126610/137809 (executing program)
1970/01/01 00:07:18 fetching corpus: 1287, signal 128210/139341 (executing program)
1970/01/01 00:07:21 fetching corpus: 1337, signal 129907/140878 (executing program)
1970/01/01 00:07:23 fetching corpus: 1387, signal 131816/142525 (executing program)
1970/01/01 00:07:25 fetching corpus: 1436, signal 133042/143631 (executing program)
1970/01/01 00:07:28 fetching corpus: 1486, signal 134858/145079 (executing program)
1970/01/01 00:07:31 fetching corpus: 1536, signal 136845/146619 (executing program)
1970/01/01 00:07:33 fetching corpus: 1585, signal 137788/147475 (executing program)
1970/01/01 00:07:35 fetching corpus: 1635, signal 138818/148379 (executing program)
1970/01/01 00:07:37 fetching corpus: 1685, signal 139815/149217 (executing program)
1970/01/01 00:07:40 fetching corpus: 1735, signal 141079/150186 (executing program)
1970/01/01 00:07:43 fetching corpus: 1784, signal 142483/151190 (executing program)
1970/01/01 00:07:46 fetching corpus: 1833, signal 143738/152126 (executing program)
1970/01/01 00:07:49 fetching corpus: 1883, signal 144759/152865 (executing program)
1970/01/01 00:07:51 fetching corpus: 1933, signal 145904/153626 (executing program)
1970/01/01 00:07:55 fetching corpus: 1983, signal 147296/154510 (executing program)
1970/01/01 00:08:00 fetching corpus: 2032, signal 148154/155104 (executing program)
1970/01/01 00:08:03 fetching corpus: 2082, signal 149209/155755 (executing program)
1970/01/01 00:08:07 fetching corpus: 2130, signal 150123/156310 (executing program)
1970/01/01 00:08:10 fetching corpus: 2179, signal 150919/156821 (executing program)
1970/01/01 00:08:12 fetching corpus: 2229, signal 152043/157481 (executing program)
1970/01/01 00:08:16 fetching corpus: 2279, signal 153472/158194 (executing program)
1970/01/01 00:08:18 fetching corpus: 2329, signal 154391/158663 (executing program)
1970/01/01 00:08:21 fetching corpus: 2379, signal 155708/159268 (executing program)
1970/01/01 00:08:24 fetching corpus: 2429, signal 157125/159885 (executing program)
1970/01/01 00:08:27 fetching corpus: 2478, signal 157945/160258 (executing program)
1970/01/01 00:08:29 fetching corpus: 2526, signal 159174/160806 (executing program)
1970/01/01 00:08:31 fetching corpus: 2576, signal 160016/161138 (executing program)
1970/01/01 00:08:32 fetching corpus: 2587, signal 160142/161211 (executing program)
1970/01/01 00:08:32 fetching corpus: 2587, signal 160147/161236 (executing program)
1970/01/01 00:08:32 fetching corpus: 2587, signal 160147/161265 (executing program)
1970/01/01 00:08:33 fetching corpus: 2587, signal 160147/161282 (executing program)
1970/01/01 00:08:33 fetching corpus: 2587, signal 160147/161305 (executing program)
1970/01/01 00:08:33 fetching corpus: 2587, signal 160147/161322 (executing program)
1970/01/01 00:08:33 fetching corpus: 2587, signal 160177/161363 (executing program)
1970/01/01 00:08:33 fetching corpus: 2587, signal 160177/161383 (executing program)
1970/01/01 00:08:33 fetching corpus: 2587, signal 160177/161396 (executing program)
1970/01/01 00:08:33 fetching corpus: 2587, signal 160177/161415 (executing program)
1970/01/01 00:08:34 fetching corpus: 2587, signal 160177/161443 (executing program)
1970/01/01 00:08:34 fetching corpus: 2587, signal 160177/161462 (executing program)
1970/01/01 00:08:34 fetching corpus: 2587, signal 160177/161478 (executing program)
1970/01/01 00:08:34 fetching corpus: 2587, signal 160177/161497 (executing program)
1970/01/01 00:08:34 fetching corpus: 2587, signal 160177/161514 (executing program)
1970/01/01 00:08:34 fetching corpus: 2587, signal 160177/161540 (executing program)
1970/01/01 00:08:35 fetching corpus: 2587, signal 160177/161564 (executing program)
1970/01/01 00:08:35 fetching corpus: 2587, signal 160177/161586 (executing program)
1970/01/01 00:08:35 fetching corpus: 2587, signal 160177/161608 (executing program)
1970/01/01 00:08:35 fetching corpus: 2587, signal 160177/161626 (executing program)
1970/01/01 00:08:35 fetching corpus: 2587, signal 160177/161661 (executing program)
1970/01/01 00:08:35 fetching corpus: 2587, signal 160177/161677 (executing program)
1970/01/01 00:08:36 fetching corpus: 2587, signal 160177/161691 (executing program)
1970/01/01 00:08:36 fetching corpus: 2587, signal 160177/161708 (executing program)
1970/01/01 00:08:36 fetching corpus: 2587, signal 160177/161724 (executing program)
1970/01/01 00:08:36 fetching corpus: 2587, signal 160177/161752 (executing program)
1970/01/01 00:08:36 fetching corpus: 2587, signal 160177/161773 (executing program)
1970/01/01 00:08:37 fetching corpus: 2587, signal 160177/161797 (executing program)
1970/01/01 00:08:37 fetching corpus: 2587, signal 160177/161797 (executing program)
1970/01/01 00:10:29 starting 2 fuzzer processes
00:10:29 executing program 0:
r0 = openat(0xffffffffffffff9c, &(0x7f0000000080)='./file0\x00', 0xc0, 0x0)
ioctl$FS_IOC_ENABLE_VERITY(r0, 0x40806685, &(0x7f0000000100)={0x1, 0x1, 0x1000, 0x0, 0x0, 0x0, 0x0, 0x0})
ioctl$FS_IOC_READ_VERITY_METADATA(r0, 0xc0286687, &(0x7f0000000000)={0x3, 0x0, 0x0, 0x0})

00:10:30 executing program 1:
seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000040)={0x1, &(0x7f0000000000)=[{0x6, 0x0, 0x0, 0x7fff0000}]})
mknodat$null(0xffffffffffffff9c, &(0x7f0000000080)='./file0\x00', 0x0, 0x103)
open_tree(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x0)

[ 660.893624][ T2039] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 661.775394][ T2039] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 662.387081][ T2038] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 663.174182][ T2038] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 674.239526][ T2039] device hsr_slave_0 entered promiscuous mode
[ 674.274825][ T2039] device hsr_slave_1 entered promiscuous mode
[ 676.264332][ T2038] device hsr_slave_0 entered promiscuous mode
[ 676.337232][ T2038] device hsr_slave_1 entered promiscuous mode
[ 676.366643][ T2038] debugfs: Directory 'hsr0' with parent 'hsr' already present!
[ 676.372986][ T2038] Cannot create hsr debugfs directory
[ 683.691103][ T2039] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 683.984836][ T2039] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 684.174361][ T2039] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 684.573558][ T2039] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 685.942717][ T2038] netdevsim netdevsim1 netdevsim0: renamed from eth0
[ 686.224231][ T2038] netdevsim netdevsim1 netdevsim1: renamed from eth1
[ 686.366376][ T2038] netdevsim netdevsim1 netdevsim2: renamed from eth2
[ 686.541681][ T2038] netdevsim netdevsim1 netdevsim3: renamed from eth3
[ 694.269320][ C0] ==================================================================
[ 694.272954][ C0] BUG: KASAN: stack-out-of-bounds in walk_stackframe+0x11c/0x260
[ 694.274352][ C0] Read of size 8 at addr ffffaf801443be10 by task syz-executor.1/2038
[ 694.275648][ C0]
[ 694.278194][ C0] CPU: 0 PID: 2038 Comm: syz-executor.1 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 694.280913][ C0] Hardware name: riscv-virtio,qemu (DT)
[ 694.282020][ C0] Call Trace:
[ 694.282882][ C0] [] dump_backtrace+0x2e/0x3c
[ 694.284117][ C0] [] show_stack+0x34/0x40
[ 694.285228][ C0] [] dump_stack_lvl+0xe4/0x150
[ 694.286588][ C0] [] print_address_description.constprop.0+0x2a/0x330
[ 694.288585][ C0] [] kasan_report+0x184/0x1e0
[ 694.290295][ C0] [] __asan_load8+0x6e/0x96
[ 694.291523][ C0] [] walk_stackframe+0x11c/0x260
[ 694.292704][ C0] [] arch_stack_walk+0x2c/0x3c
[ 694.293886][ C0] [] stack_trace_save+0xa6/0xd8
[ 694.295092][ C0] [] kasan_save_stack+0x2c/0x58
[ 694.296583][ C0]
[ 694.297291][ C0] The buggy address belongs to the page:
[ 694.299125][ C0] page:ffffaf807abfc098 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9463b
[ 694.300651][ C0] flags: 0x9000000000(section=18|node=0|zone=0)
[ 694.303242][ C0] raw: 0000009000000000 0000000000000000 ffffaf807abfc0a0 0000000000000000
[ 694.304478][ C0] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 694.305555][ C0] raw: 00000000000007ff
[ 694.306480][ C0] page dumped because: kasan: bad access detected
[ 694.307832][ C0] page_owner tracks the page as allocated
[ 694.309570][ C0] page last allocated via order 2, migratetype Unmovable, gfp_mask 0x400dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO), pid 2036, ts 635432696300, free_ts 506284181100
[ 694.312205][ C0] __set_page_owner+0x48/0x136
[ 694.313646][ C0] post_alloc_hook+0xd0/0x10a
[ 694.314864][ C0] get_page_from_freelist+0x8da/0x12d8
[ 694.316099][ C0] __alloc_pages+0x150/0x3b6
[ 694.317116][ C0] copy_process+0x482/0x3c34
[ 694.318531][ C0] kernel_clone+0xee/0x920
[ 694.319950][ C0] __do_sys_clone+0xf2/0x12e
[ 694.321381][ C0] sys_clone+0x32/0x44
[ 694.322385][ C0] ret_from_syscall+0x0/0x2
[ 694.323494][ C0] page last free stack trace:
[ 694.324264][ C0] __reset_page_owner+0x4a/0xea
[ 694.325344][ C0] free_pcp_prepare+0x29c/0x45e
[ 694.326386][ C0] free_unref_page+0x6a/0x31e
[ 694.327430][ C0] __free_pages+0xe2/0x112
[ 694.328694][ C0] __free_slab+0x122/0x27c
[ 694.329814][ C0] discard_slab+0x4c/0x7a
[ 694.330810][ C0] __slab_free+0x20a/0x29c
[ 694.331816][ C0] ___cache_free+0x17c/0x354
[ 694.332831][ C0] qlist_free_all+0x7c/0x132
[ 694.333796][ C0] kasan_quarantine_reduce+0x14c/0x1c8
[ 694.334842][ C0] __kasan_slab_alloc+0x5c/0x98
[ 694.335992][ C0] kmem_cache_alloc_node+0x368/0x41c
[ 694.337078][ C0] __alloc_skb+0x234/0x2e4
[ 694.338457][ C0] tcp_stream_alloc_skb+0x70/0x4c0
[ 694.339933][ C0] tcp_sendmsg_locked+0x880/0x1d9e
[ 694.340971][ C0] tcp_sendmsg+0x32/0x4e
[ 694.342133][ C0]
[ 694.342771][ C0] Memory state around the buggy address:
[ 694.343994][ C0] ffffaf801443bd00: 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2
[ 694.345120][ C0] ffffaf801443bd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 694.346328][ C0] >ffffaf801443be00: f3 f3 f3 f3 00 00 00 00 f1 f1 f1 f1 00 00 00 f3
[ 694.347392][ C0] ^
[ 694.348759][ C0] ffffaf801443be80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
[ 694.350542][ C0] ffffaf801443bf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 694.351718][ C0] ==================================================================
[ 694.352785][ C0] Disabling lock debugging due to kernel taint
[ 694.356490][ T2038] Kernel panic - not syncing: corrupted stack end detected inside scheduler
[ 694.358004][ T2038] CPU: 0 PID: 2038 Comm: syz-executor.1 Tainted: G B 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 694.359428][ T2038] Hardware name: riscv-virtio,qemu (DT)
[ 694.360254][ T2038] Call Trace:
[ 694.360823][ T2038] [] dump_backtrace+0x2e/0x3c
[ 694.361852][ T2038] [] show_stack+0x34/0x40
[ 694.362848][ T2038] [] dump_stack_lvl+0xe4/0x150
[ 694.364517][ T2038] [] dump_stack+0x1c/0x24
[ 694.365681][ T2038] [] panic+0x24a/0x634
[ 694.366619][ T2038] [] schedule+0x0/0x14c
[ 694.367733][ T2038] [] preempt_schedule_irq+0x4a/0x13e
[ 694.368845][ T2038] [] resume_kernel+0x16/0x18
[ 694.370081][ T2038] SMP: stopping secondary CPUs
[ 694.372232][ T2038] Rebooting in 86400 seconds..
VM DIAGNOSIS: 14:29:56 Registers: