syzkaller login: [ 482.714800][ T1860] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 491.446408][ T1860] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 491.490243][ T1860] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 491.571226][ T1860] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
Warning: Permanently added '[localhost]:32603' (ECDSA) to the list of known hosts.
1970/01/01 00:09:11 fuzzer started
1970/01/01 00:09:24 dialing manager at localhost:42735
[ 570.162463][ T2028] cgroup: Unknown subsys name 'net'
[ 571.231680][ T2028] cgroup: Unknown subsys name 'rlimit'
1970/01/01 00:09:31 syscalls: 2918
1970/01/01 00:09:31 code coverage: enabled
1970/01/01 00:09:31 comparison tracing: enabled
1970/01/01 00:09:31 extra coverage: enabled
1970/01/01 00:09:31 delay kcov mmap: mmap returned an invalid pointer
1970/01/01 00:09:31 setuid sandbox: enabled
1970/01/01 00:09:31 namespace sandbox: enabled
1970/01/01 00:09:31 Android sandbox: /sys/fs/selinux/policy does not exist
1970/01/01 00:09:31 fault injection: enabled
1970/01/01 00:09:31 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
1970/01/01 00:09:31 net packet injection: enabled
1970/01/01 00:09:31 net device setup: enabled
1970/01/01 00:09:31 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
1970/01/01 00:09:31 devlink PCI setup: PCI device 0000:00:10.0 is not available
1970/01/01 00:09:31 NIC VF setup: PCI device 0000:00:11.0 is not available
1970/01/01 00:09:31 USB emulation: enabled
1970/01/01 00:09:31 hci packet injection: /dev/vhci does not exist
1970/01/01 00:09:31 wifi device emulation: /sys/class/mac80211_hwsim/ does not exist
1970/01/01 00:09:31 802.15.4 emulation: /sys/bus/platform/devices/mac802154_hwsim does not exist
1970/01/01 00:09:31 fetching corpus: 0, signal 0/2000 (executing program)
1970/01/01 00:09:36 fetching corpus: 50, signal 33448/36811 (executing program)
1970/01/01 00:09:39 fetching corpus: 100, signal 43899/48614 (executing program)
1970/01/01 00:09:45 fetching corpus: 150, signal 52938/58839 (executing program)
1970/01/01 00:09:51 fetching corpus: 197, signal 60589/67668 (executing program)
1970/01/01 00:09:55 fetching corpus: 247, signal 67190/75273 (executing program)
1970/01/01 00:09:59 fetching corpus: 296, signal 71962/81099 (executing program)
1970/01/01 00:10:01 fetching corpus: 345, signal 75197/85354 (executing program)
1970/01/01 00:10:05 fetching corpus: 395, signal 81132/92046 (executing program)
1970/01/01 00:10:09 fetching corpus: 444, signal 86611/98281 (executing program)
1970/01/01 00:10:12 fetching corpus: 494, signal 89812/102311 (executing program)
1970/01/01 00:10:18 fetching corpus: 544, signal 95130/108115 (executing program)
1970/01/01 00:10:20 fetching corpus: 593, signal 99019/112601 (executing program)
1970/01/01 00:10:22 fetching corpus: 643, signal 100786/115150 (executing program)
1970/01/01 00:10:25 fetching corpus: 692, signal 103136/118168 (executing program)
1970/01/01 00:10:27 fetching corpus: 742, signal 104977/120727 (executing program)
1970/01/01 00:10:32 fetching corpus: 792, signal 107428/123741 (executing program)
1970/01/01 00:10:34 fetching corpus: 842, signal 109344/126290 (executing program)
1970/01/01 00:10:36 fetching corpus: 890, signal 111667/129134 (executing program)
1970/01/01 00:10:39 fetching corpus: 940, signal 113735/131748 (executing program)
1970/01/01 00:10:41 fetching corpus: 990, signal 115387/133972 (executing program)
1970/01/01 00:10:44 fetching corpus: 1040, signal 117196/136291 (executing program)
1970/01/01 00:10:47 fetching corpus: 1090, signal 119502/138951 (executing program)
1970/01/01 00:10:50 fetching corpus: 1140, signal 120928/140871 (executing program)
1970/01/01 00:10:52 fetching corpus: 1189, signal 122689/143055 (executing program)
1970/01/01 00:10:55 fetching corpus: 1239, signal 124734/145408 (executing program)
1970/01/01 00:10:58 fetching corpus: 1289, signal 127092/147923 (executing program)
1970/01/01 00:11:00 fetching corpus: 1338, signal 128114/149421 (executing program)
1970/01/01 00:11:02 fetching corpus: 1388, signal 129694/151297 (executing program)
1970/01/01 00:11:04 fetching corpus: 1437, signal 130945/152934 (executing program)
1970/01/01 00:11:06 fetching corpus: 1485, signal 132000/154430 (executing program)
1970/01/01 00:11:08 fetching corpus: 1534, signal 133224/156011 (executing program)
1970/01/01 00:11:11 fetching corpus: 1584, signal 134397/157521 (executing program)
1970/01/01 00:11:13 fetching corpus: 1633, signal 136067/159338 (executing program)
1970/01/01 00:11:16 fetching corpus: 1683, signal 137674/161040 (executing program)
1970/01/01 00:11:18 fetching corpus: 1732, signal 138683/162367 (executing program)
1970/01/01 00:11:22 fetching corpus: 1782, signal 140750/164374 (executing program)
1970/01/01 00:11:25 fetching corpus: 1831, signal 142073/165805 (executing program)
1970/01/01 00:11:28 fetching corpus: 1881, signal 143278/167138 (executing program)
1970/01/01 00:11:32 fetching corpus: 1931, signal 144381/168453 (executing program)
1970/01/01 00:11:34 fetching corpus: 1981, signal 145490/169734 (executing program)
1970/01/01 00:11:37 fetching corpus: 2030, signal 147662/171644 (executing program)
1970/01/01 00:11:40 fetching corpus: 2080, signal 149052/173020 (executing program)
1970/01/01 00:11:42 fetching corpus: 2130, signal 150433/174375 (executing program)
1970/01/01 00:11:45 fetching corpus: 2180, signal 151661/175640 (executing program)
1970/01/01 00:11:48 fetching corpus: 2230, signal 152902/176847 (executing program)
1970/01/01 00:11:51 fetching corpus: 2280, signal 153690/177824 (executing program)
1970/01/01 00:11:54 fetching corpus: 2330, signal 154887/178963 (executing program)
1970/01/01 00:11:56 fetching corpus: 2380, signal 155592/179844 (executing program)
1970/01/01 00:11:58 fetching corpus: 2430, signal 156364/180753 (executing program)
1970/01/01 00:12:01 fetching corpus: 2480, signal 158133/182096 (executing program)
1970/01/01 00:12:03 fetching corpus: 2529, signal 159511/183226 (executing program)
1970/01/01 00:12:06 fetching corpus: 2579, signal 160367/184091 (executing program)
1970/01/01 00:12:08 fetching corpus: 2629, signal 161361/185033 (executing program)
1970/01/01 00:12:11 fetching corpus: 2678, signal 162558/186022 (executing program)
1970/01/01 00:12:14 fetching corpus: 2728, signal 163355/186811 (executing program)
1970/01/01 00:12:16 fetching corpus: 2778, signal 164615/187791 (executing program)
1970/01/01 00:12:19 fetching corpus: 2828, signal 165313/188519 (executing program)
1970/01/01 00:12:22 fetching corpus: 2877, signal 166301/189325 (executing program)
1970/01/01 00:12:25 fetching corpus: 2926, signal 167183/190086 (executing program)
1970/01/01 00:12:29 fetching corpus: 2976, signal 168243/190910 (executing program)
1970/01/01 00:12:32 fetching corpus: 3026, signal 169178/191656 (executing program)
1970/01/01 00:12:35 fetching corpus: 3076, signal 170026/192377 (executing program)
1970/01/01 00:12:37 fetching corpus: 3126, signal 171161/193195 (executing program)
1970/01/01 00:12:40 fetching corpus: 3175, signal 171861/193800 (executing program)
1970/01/01 00:12:42 fetching corpus: 3225, signal 172828/194462 (executing program)
1970/01/01 00:12:45 fetching corpus: 3275, signal 173667/195083 (executing program)
1970/01/01 00:12:47 fetching corpus: 3325, signal 174428/195661 (executing program)
1970/01/01 00:12:50 fetching corpus: 3375, signal 175148/196232 (executing program)
1970/01/01 00:12:53 fetching corpus: 3424, signal 176156/196871 (executing program)
1970/01/01 00:12:56 fetching corpus: 3474, signal 176812/197374 (executing program)
1970/01/01 00:12:59 fetching corpus: 3524, signal 177523/197873 (executing program)
1970/01/01 00:13:02 fetching corpus: 3573, signal 178941/198550 (executing program)
1970/01/01 00:13:05 fetching corpus: 3623, signal 179851/199063 (executing program)
1970/01/01 00:13:08 fetching corpus: 3673, signal 180732/199577 (executing program)
1970/01/01 00:13:11 fetching corpus: 3723, signal 181652/200085 (executing program)
1970/01/01 00:13:13 fetching corpus: 3773, signal 182408/200526 (executing program)
1970/01/01 00:13:17 fetching corpus: 3822, signal 183415/201037 (executing program)
1970/01/01 00:13:20 fetching corpus: 3872, signal 184155/201487 (executing program)
1970/01/01 00:13:23 fetching corpus: 3922, signal 184971/201879 (executing program)
1970/01/01 00:13:25 fetching corpus: 3971, signal 185566/202185 (executing program)
1970/01/01 00:13:27 fetching corpus: 4021, signal 186456/202580 (executing program)
1970/01/01 00:13:30 fetching corpus: 4071, signal 187234/202938 (executing program)
1970/01/01 00:13:34 fetching corpus: 4121, signal 188126/203316 (executing program)
1970/01/01 00:13:37 fetching corpus: 4170, signal 188920/203649 (executing program)
1970/01/01 00:13:40 fetching corpus: 4220, signal 189618/203915 (executing program)
1970/01/01 00:13:44 fetching corpus: 4270, signal 190205/204188 (executing program)
1970/01/01 00:13:46 fetching corpus: 4320, signal 190989/204467 (executing program)
1970/01/01 00:13:49 fetching corpus: 4370, signal 192294/204793 (executing program)
1970/01/01 00:13:51 fetching corpus: 4419, signal 192749/205009 (executing program)
1970/01/01 00:13:55 fetching corpus: 4469, signal 193342/205209 (executing program)
1970/01/01 00:13:59 fetching corpus: 4519, signal 194070/205439 (executing program)
1970/01/01 00:14:01 fetching corpus: 4568, signal 194589/205610 (executing program)
1970/01/01 00:14:04 fetching corpus: 4618, signal 195318/205791 (executing program)
1970/01/01 00:14:07 fetching corpus: 4668, signal 195730/205929 (executing program)
1970/01/01 00:14:10 fetching corpus: 4717, signal 196470/206091 (executing program)
1970/01/01 00:14:12 fetching corpus: 4767, signal 197009/206219 (executing program)
1970/01/01 00:14:14 fetching corpus: 4817, signal 197755/206363 (executing program)
1970/01/01 00:14:18 fetching corpus: 4867, signal 198261/206475 (executing program)
1970/01/01 00:14:21 fetching corpus: 4917, signal 198732/206569 (executing program)
1970/01/01 00:14:23 fetching corpus: 4967, signal 199371/206680 (executing program)
1970/01/01 00:14:25 fetching corpus: 5017, signal 200029/206761 (executing program)
1970/01/01 00:14:27 fetching corpus: 5067, signal 200657/206820 (executing program)
1970/01/01 00:14:30 fetching corpus: 5116, signal 201343/206856 (executing program)
1970/01/01 00:14:32 fetching corpus: 5166, signal 201787/206868 (executing program)
1970/01/01 00:14:35 fetching corpus: 5216, signal 202199/206868 (executing program)
1970/01/01 00:14:37 fetching corpus: 5266, signal 203030/206868 (executing program)
1970/01/01 00:14:39 fetching corpus: 5316, signal 203615/206868 (executing program)
1970/01/01 00:14:42 fetching corpus: 5366, signal 204172/206881 (executing program)
1970/01/01 00:14:44 fetching corpus: 5416, signal 204754/206881 (executing program)
1970/01/01 00:14:45 fetching corpus: 5424, signal 204834/206881 (executing program)
1970/01/01 00:14:45 fetching corpus: 5424, signal 204834/206881 (executing program)
1970/01/01 00:16:47 starting 2 fuzzer processes
00:16:47 executing program 0:
r0 = syz_io_uring_setup(0x884, &(0x7f0000000080), &(0x7f0000400000/0xc00000)=nil, &(0x7f0000990000/0x1000)=nil, &(0x7f0000000100)=0x0, &(0x7f0000000140)=0x0)
r3 = socket$kcm(0x29, 0x2, 0x0)
syz_io_uring_submit(r1, r2, &(0x7f0000000e40)=@IORING_OP_FILES_UPDATE={0x14, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x0)
syz_io_uring_submit(r1, r2, &(0x7f00000001c0)=@IORING_OP_READV=@pass_iovec={0x1, 0x4, 0x0, @fd=r3, 0x0, 0x0}, 0x0)
io_uring_enter(r0, 0x547c, 0x0, 0x0, 0x0, 0x0)

00:16:48 executing program 1:
r0 = openat$rdma_cm(0xffffffffffffff9c, &(0x7f0000000080), 0x2, 0x0)
write$RDMA_USER_CM_CMD_CREATE_ID(r0, &(0x7f0000001580)={0x0, 0x18, 0xfa00, {0x0, &(0x7f0000000500)={0xffffffffffffffff}, 0x111}}, 0x20)
write$RDMA_USER_CM_CMD_RESOLVE_IP(r0, &(0x7f0000001740)={0x3, 0x40, 0xfa00, {{0xa, 0x0, 0x0, @loopback}, {0xa, 0x0, 0x0, @remote}, r1}}, 0x48)
r2 = openat$rdma_cm(0xffffffffffffff9c, &(0x7f00000000c0), 0x2, 0x0)
write$RDMA_USER_CM_CMD_CREATE_ID(r2, &(0x7f0000000100)={0x0, 0x18, 0xfa00, {0x0, &(0x7f0000000040)={0xffffffffffffffff}, 0x13f}}, 0x20)
write$RDMA_USER_CM_CMD_RESOLVE_IP(r2, &(0x7f0000000140)={0x3, 0x40, 0xfa00, {{0xa, 0x0, 0x0, @empty}, {0xa, 0x0, 0x0, @dev}, r3, 0x1000000}}, 0x48)
write$RDMA_USER_CM_CMD_RESOLVE_IP(r0, &(0x7f0000000000)={0x3, 0x40, 0xfa00, {{0x2, 0x0, 0x0, @mcast2}, {0xa, 0x0, 0x0, @mcast1}, r1}}, 0x48)

[ 1036.232416][ C0] ==================================================================
[ 1036.235941][ C0] BUG: KASAN: slab-out-of-bounds in walk_stackframe+0x11c/0x260
[ 1036.237482][ C0] Read of size 8 at addr ffffaf800c7f3f90 by task syz-executor.1/2047
[ 1036.239260][ C0]
[ 1036.241259][ C0] CPU: 0 PID: 2047 Comm: syz-executor.1 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 1036.243164][ C0] Hardware name: riscv-virtio,qemu (DT)
[ 1036.245234][ C0] Call Trace:
[ 1036.246234][ C0] [] dump_backtrace+0x2e/0x3c
[ 1036.247595][ C0] [] show_stack+0x34/0x40
[ 1036.248838][ C0] [] dump_stack_lvl+0xe4/0x150
[ 1036.250160][ C0] [] print_address_description.constprop.0+0x2a/0x330
[ 1036.251719][ C0] [] kasan_report+0x184/0x1e0
[ 1036.253157][ C0] [] __asan_load8+0x6e/0x96
[ 1036.254447][ C0] [] walk_stackframe+0x11c/0x260
[ 1036.255727][ C0] [] arch_stack_walk+0x2c/0x3c
[ 1036.257044][ C0] [] stack_trace_save+0xa6/0xd8
[ 1036.258555][ C0]
[ 1036.259393][ C0] Allocated by task 1284:
[ 1036.260344][ C0] (stack is not available)
[ 1036.261265][ C0]
[ 1036.262005][ C0] Last potentially related work creation:
[ 1036.263174][ C0] ------------[ cut here ]------------
[ 1036.264503][ C0] slab index 1189162 out of bounds (290) for stack id 8012252a
[ 1036.269141][ C0] WARNING: CPU: 0 PID: 2047 at lib/stackdepot.c:304 stack_depot_print+0x66/0x70
[ 1036.271025][ C0] Modules linked in:
[ 1036.272224][ C0] CPU: 0 PID: 2047 Comm: syz-executor.1 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 1036.274676][ C0] Hardware name: riscv-virtio,qemu (DT)
[ 1036.275835][ C0] epc : stack_depot_print+0x66/0x70
[ 1036.277175][ C0] ra : stack_depot_print+0x66/0x70
[ 1036.278477][ C0] epc : ffffffff80c00b8a ra : ffffffff80c00b8a sp : ffffaf800c7f3e20
[ 1036.279736][ C0] gp : ffffffff85863ac0 tp : ffffaf80074048c0 t0 : ffffffff86bcb657
[ 1036.281118][ C0] t1 : fffff5ef0b53910c t2 : 0000000000000000 s0 : ffffaf800c7f3e30
[ 1036.282459][ C0] s1 : ffffaf807a9ccb80 a0 : 000000000000003c a1 : 00000000000f0000
[ 1036.284499][ C0] a2 : 0000000000000504 a3 : ffffffff8012252a a4 : 7ef412310a7d7600
[ 1036.285890][ C0] a5 : 7ef412310a7d7600 a6 : 0000000000f00000 a7 : ffffaf805a9c8863
[ 1036.287136][ C0] s2 : ffffaf800c7f3f90 s3 : ffffaf8007201c80 s4 : ffffaf800c7f3c00
[ 1036.288489][ C0] s5 : ffffaf800c7f3e00 s6 : 0000000000003fff s7 : ffffaf800c7f3f80
[ 1036.289744][ C0] s8 : ffffffff8000a4a4 s9 : ffffffffffffc000 s10: ffffaf800c7f3fe0
[ 1036.291007][ C0] s11: 0000000000000008 t3 : fffffffff3f3f300 t4 : fffff5ef0b53910c
[ 1036.292296][ C0] t5 : fffff5ef0b53910d t6 : ffffaf800c7f3918
[ 1036.293702][ C0] status: 0000000000000100 badaddr: 0000000000000000 cause: 0000000000000003
[ 1036.295847][ C0] [] print_address_description.constprop.0+0x2fc/0x330
[ 1036.297508][ C0] [] kasan_report+0x184/0x1e0
[ 1036.298865][ C0] [] __asan_load8+0x6e/0x96
[ 1036.300083][ C0] [] walk_stackframe+0x11c/0x260
[ 1036.301429][ C0] [] arch_stack_walk+0x2c/0x3c
[ 1036.302715][ C0] [] stack_trace_save+0xa6/0xd8
[ 1036.304816][ C0] irq event stamp: 42797
[ 1036.305731][ C0] hardirqs last enabled at (42796): [] ip_finish_output2+0x157a/0x1720
[ 1036.307498][ C0] hardirqs last disabled at (42797): [] _raw_spin_lock_irqsave+0x60/0x62
[ 1036.309191][ C0] softirqs last enabled at (42606): [] __do_softirq+0x618/0x8fc
[ 1036.310792][ C0] softirqs last disabled at (42625): [] __irq_exit_rcu+0x142/0x1f8
[ 1036.312439][ C0] ---[ end trace 0000000000000000 ]---
[ 1036.314344][ C0]
[ 1036.315118][ C0] Second to last potentially related work creation:
[ 1036.316133][ C0] ------------[ cut here ]------------
[ 1036.317057][ C0] slab index 2097151 out of bounds (290) for stack id ffffffff
[ 1036.321108][ C0] WARNING: CPU: 0 PID: 2047 at lib/stackdepot.c:304 stack_depot_print+0x66/0x70
[ 1036.323038][ C0] Modules linked in:
[ 1036.324634][ C0] CPU: 0 PID: 2047 Comm: syz-executor.1 Tainted: G W 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 1036.326252][ C0] Hardware name: riscv-virtio,qemu (DT)
[ 1036.327208][ C0] epc : stack_depot_print+0x66/0x70
[ 1036.328487][ C0] ra : stack_depot_print+0x66/0x70
[ 1036.329720][ C0] epc : ffffffff80c00b8a ra : ffffffff80c00b8a sp : ffffaf800c7f3e20
[ 1036.330935][ C0] gp : ffffffff85863ac0 tp : ffffaf80074048c0 t0 : ffffffff86bcb657
[ 1036.332205][ C0] t1 : fffff5ef0b53910c t2 : 0000000000000000 s0 : ffffaf800c7f3e30
[ 1036.334075][ C0] s1 : ffffaf807a9ccb80 a0 : 000000000000003c a1 : 00000000000f0000
[ 1036.335697][ C0] a2 : 0000000000000504 a3 : ffffffff8012252a a4 : 7ef412310a7d7600
[ 1036.336781][ C0] a5 : 7ef412310a7d7600 a6 : 0000000000f00000 a7 : ffffaf805a9c8863
[ 1036.337865][ C0] s2 : ffffaf800c7f3f90 s3 : ffffaf8007201c80 s4 : ffffaf800c7f3c00
[ 1036.338988][ C0] s5 : ffffaf800c7f3e00 s6 : 0000000000003fff s7 : ffffaf800c7f3f80
[ 1036.340024][ C0] s8 : ffffffff8000a4a4 s9 : ffffffffffffc000 s10: ffffaf800c7f3fe0
[ 1036.341027][ C0] s11: 0000000000000008 t3 : fffffffff3f3f300 t4 : fffff5ef0b53910c
[ 1036.342087][ C0] t5 : fffff5ef0b53910d t6 : ffffaf800c7f3918
[ 1036.343011][ C0] status: 0000000000000100 badaddr: 0000000000000000 cause: 0000000000000003
[ 1036.344781][ C0] [] print_address_description.constprop.0+0x2ae/0x330
[ 1036.346398][ C0] [] kasan_report+0x184/0x1e0
[ 1036.347801][ C0] [] __asan_load8+0x6e/0x96
[ 1036.349084][ C0] [] walk_stackframe+0x11c/0x260
[ 1036.350440][ C0] [] arch_stack_walk+0x2c/0x3c
[ 1036.351729][ C0] [] stack_trace_save+0xa6/0xd8
[ 1036.353199][ C0] irq event stamp: 42797
[ 1036.354414][ C0] hardirqs last enabled at (42796): [] ip_finish_output2+0x157a/0x1720
[ 1036.356065][ C0] hardirqs last disabled at (42797): [] _raw_spin_lock_irqsave+0x60/0x62
[ 1036.357618][ C0] softirqs last enabled at (42606): [] __do_softirq+0x618/0x8fc
[ 1036.359151][ C0] softirqs last disabled at (42625): [] __irq_exit_rcu+0x142/0x1f8
[ 1036.360654][ C0] ---[ end trace 0000000000000000 ]---
[ 1036.361695][ C0]
[ 1036.362370][ C0] The buggy address belongs to the object at ffffaf800c7f3c00
[ 1036.362370][ C0]  which belongs to the cache kmalloc-512 of size 512
[ 1036.364986][ C0] The buggy address is located 400 bytes to the right of
[ 1036.364986][ C0]  512-byte region [ffffaf800c7f3c00, ffffaf800c7f3e00)
[ 1036.366811][ C0] The buggy address belongs to the page:
[ 1036.368271][ C0] page:ffffaf807a9ccb80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8c9f0
[ 1036.369977][ C0] head:ffffaf807a9ccb80 order:2 compound_mapcount:0 compound_pincount:0
[ 1036.371398][ C0] flags: 0x8800010200(slab|head|section=17|node=0|zone=0)
[ 1036.374429][ C0] raw: 0000008800010200 0000000000000000 0000000000000001 ffffaf8007201c80
[ 1036.375859][ C0] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 1036.377253][ C0] raw: 00000000000007ff
[ 1036.378219][ C0] page dumped because: kasan: bad access detected
[ 1036.379521][ C0] page_owner tracks the page as allocated
[ 1036.380563][ C0] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 554, ts 39440070100, free_ts 39437635100
[ 1036.383024][ C0]  __set_page_owner+0x48/0x136
[ 1036.384840][ C0]  post_alloc_hook+0xd0/0x10a
[ 1036.386075][ C0]  get_page_from_freelist+0x8da/0x12d8
[ 1036.387343][ C0]  __alloc_pages+0x150/0x3b6
[ 1036.388547][ C0]  alloc_pages+0x132/0x2a6
[ 1036.389719][ C0]  alloc_slab_page.constprop.0+0xc2/0xfa
[ 1036.390950][ C0]  new_slab+0x25a/0x2cc
[ 1036.392045][ C0]  ___slab_alloc+0x56e/0x918
[ 1036.393358][ C0]  __slab_alloc.constprop.0+0x50/0x8c
[ 1036.394576][ C0]  kmem_cache_alloc_trace+0x2a2/0x2e0
[ 1036.395820][ C0]  alloc_bprm+0x48/0x4b6
[ 1036.396996][ C0]  kernel_execve+0x54/0x288
[ 1036.398168][ C0]  call_usermodehelper_exec_async+0x1c0/0x2dc
[ 1036.399488][ C0]  ret_from_exception+0x0/0x10
[ 1036.400823][ C0] page last free stack trace:
[ 1036.401759][ C0]  __reset_page_owner+0x4a/0xea
[ 1036.403049][ C0]  free_pcp_prepare+0x29c/0x45e
[ 1036.404516][ C0]  free_unref_page+0x6a/0x31e
[ 1036.405686][ C0]  __free_pages+0xe2/0x112
[ 1036.406807][ C0]  put_task_stack+0x1d0/0x2b0
[ 1036.408018][ C0]  finish_task_switch.isra.0+0x3ce/0x420
[ 1036.409276][ C0]  schedule_tail+0xe/0xc8
[ 1036.410407][ C0]  ret_from_kernel_thread+0x4/0x10
[ 1036.411759][ C0]
[ 1036.412528][ C0] Memory state around the buggy address:
[ 1036.414357][ C0]  ffffaf800c7f3e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1036.415763][ C0]  ffffaf800c7f3f00: fc fc fc fc 00 00 00 00 00 00 00 00 00 00 00 00
[ 1036.417056][ C0] >ffffaf800c7f3f80: fc fc fc fc 00 00 00 00 f1 f1 f1 f1 00 00 00 f3
[ 1036.418246][ C0] ^
[ 1036.419303][ C0]  ffffaf800c7f4000: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
[ 1036.420577][ C0]  ffffaf800c7f4080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1036.421844][ C0] ==================================================================
[ 1036.423042][ C0] Disabling lock debugging due to kernel taint
[ 1036.426845][ T2047] Kernel panic - not syncing: corrupted stack end detected inside scheduler
[ 1036.428038][ T2047] CPU: 0 PID: 2047 Comm: syz-executor.1 Tainted: G B W 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 1036.429251][ T2047] Hardware name: riscv-virtio,qemu (DT)
[ 1036.429861][ T2047] Call Trace:
[ 1036.430359][ T2047] [] dump_backtrace+0x2e/0x3c
[ 1036.431311][ T2047] [] show_stack+0x34/0x40
[ 1036.432173][ T2047] [] dump_stack_lvl+0xe4/0x150
[ 1036.433565][ T2047] [] dump_stack+0x1c/0x24
[ 1036.434652][ T2047] [] panic+0x24a/0x634
[ 1036.435650][ T2047] [] schedule+0x0/0x14c
[ 1036.436753][ T2047] [] preempt_schedule_irq+0x4a/0x13e
[ 1036.437937][ T2047] [] resume_kernel+0x16/0x18
[ 1036.439268][ T2047] SMP: stopping secondary CPUs
[ 1036.441460][ T2047] Rebooting in 86400 seconds..

VM DIAGNOSIS:
22:33:04 Registers:
info registers vcpu 0
pc ffffffff80c2b612
mhartid 0000000000000000
mstatus 00000000000000a0
mip 00000000000000a0
mie 000000000000022a
mideleg 0000000000000222
medeleg 000000000000b109
mtvec 0000000080000540
stvec ffffffff800055d4
mepc ffffffff80ad53d0
sepc ffffffff802009d2
mcause 8000000000000007
scause 8000000000000005
mtval 0000000000000000
stval 0000000000000000
x0/zero 0000000000000000
x1/ra ffffffff8011c7fa
x2/sp ffffaf800c7f3970
x3/gp ffffffff85863ac0
x4/tp ffffaf80074048c0
x5/t0 ffffaf800c7f3a23
x6/t1 fffff5ef018fe744
x7/t2 0000000000000000
x8/s0 ffffaf800c7f39a0
x9/s1 ffffffff86bcb640
x10/a0 ffffffff86bcb640
x11/a1 000000000000000a
x12/a2 0000000000000000
x13/a3 ffffffff8011c7ec
x14/a4 ffffaf80074048c0
x15/a5 0000000000000000
x16/a6 ffffaf800c7f3a27
x17/a7 ffffaf800c7f3a25
x18/s2 ffffffff86bcb641
x19/s3 ffffffff86bcb640
x20/s4 000000000000000a
x21/s5 0000000000000017
x22/s6 0000000000000000
x23/s7 0000000000000400
x24/s8 ffffaf800c7f3a10
x25/s9 0000000000000000
x26/s10 00000000000003e7
x27/s11 ffffaf800c7f3c60
x28/t3 0000000000000043
x29/t4 fffff5ef018fe744
x30/t5 fffff5ef018fe745
x31/t6 ffffaf800c7f3a26
f0/ft0 0000000000000000
f1/ft1 0000000000000000
f2/ft2 0000000000000000
f3/ft3 0000000000000000
f4/ft4 0000000000000000
f5/ft5 0000000000000000
f6/ft6 0000000000000000
f7/ft7 0000000000000000
f8/fs0 0000000000000000
f9/fs1 0000000000000000
f10/fa0 0000000000000000
f11/fa1 0000000000000000
f12/fa2 0000000000000000
f13/fa3 0000000000000000
f14/fa4 0000000000000000
f15/fa5 0000000000000000
f16/fa6 0000000000000000
f17/fa7 0000000000000000
f18/fs2 0000000000000000
f19/fs3 0000000000000000
f20/fs4 0000000000000000
f21/fs5 0000000000000000
f22/fs6 0000000000000000
f23/fs7 0000000000000000
f24/fs8 0000000000000000
f25/fs9 0000000000000000
f26/fs10 0000000000000000
f27/fs11 0000000000000000
f28/ft8 0000000000000000
f29/ft9 0000000000000000
f30/ft10 0000000000000000
f31/ft11 0000000000000000
info registers vcpu 1
pc ffffffff8010ce7e
mhartid 0000000000000001
mstatus 00000000000001a2
mip 0000000000000000
mie 00000000000002aa
mideleg 0000000000000222
medeleg 000000000000b109
mtvec 0000000080000540
stvec ffffffff800055d4
mepc ffffffff8000f97e
sepc ffffffff801165e0
mcause 0000000000000009
scause 8000000000000005
mtval 0000000000000000
stval 0000000000000000
x0/zero 0000000000000000
x1/ra ffffffff8011271e
x2/sp ffffaf800b0ff8d0
x3/gp ffffffff85863ac0
x4/tp ffffaf800b66e100
x5/t0 0000000000046000
x6/t1 7ef412310a7d7600
x7/t2 ffffffffffffffff
x8/s0 ffffaf800b0ffbe0
x9/s1 ffffffff850d46c0
x10/a0 ffffaf800b66e120
x11/a1 0000000000000007
x12/a2 0000000000000002
x13/a3 ffffffff80115c08
x14/a4 0000000000000003
x15/a5 ffffaf805a9f5b10
x16/a6 0000000000f00000
x17/a7 ffffffff8176b8f4
x18/s2 ffffaf800b0ffb60
x19/s3 ffffffff84b73ec0
x20/s4 ffffffff838a0620
x21/s5 ffffffff8343c840
x22/s6 ffffffff8176b824
x23/s7 0000000000000122
x24/s8 ffffffff85889780
x25/s9 1ffff5f00161ff5c
x26/s10 0000000000000002
x27/s11 ffffaf800b66f100
x28/t3 fffffffff3f3f300
x29/t4 ffffffff80112282
x30/t5 1ffff5f00161ff2c
x31/t6 00000000012dd5b7
f0/ft0 0000000000000000
f1/ft1 0000000000000000
f2/ft2 0000000000000000
f3/ft3 0000000000000000
f4/ft4 0000000000000000
f5/ft5 0000000000000000
f6/ft6 0000000000000000
f7/ft7 0000000000000000
f8/fs0 0000000000000000
f9/fs1 0000000000000000
f10/fa0 0000000000000000
f11/fa1 0000000000000000
f12/fa2 0000000000000000
f13/fa3 0000000000000000
f14/fa4 0000000000000000
f15/fa5 0000000000000000
f16/fa6 0000000000000000
f17/fa7 0000000000000000
f18/fs2 0000000000000000
f19/fs3 0000000000000000
f20/fs4 0000000000000000
f21/fs5 0000000000000000
f22/fs6 0000000000000000
f23/fs7 0000000000000000
f24/fs8 0000000000000000
f25/fs9 0000000000000000
f26/fs10 0000000000000000
f27/fs11 0000000000000000
f28/ft8 0000000000000000
f29/ft9 0000000000000000
f30/ft10 0000000000000000
f31/ft11 0000000000000000