syzkaller login: [ 263.066295][ T1860] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 263.145334][ T1860] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 272.296827][ T1860] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
Warning: Permanently added '[localhost]:24288' (ECDSA) to the list of known hosts.
1970/01/01 00:05:27 fuzzer started
1970/01/01 00:05:40 dialing manager at localhost:39229
[ 348.796788][ T2033] cgroup: Unknown subsys name 'net'
[ 349.994524][ T2033] cgroup: Unknown subsys name 'rlimit'
1970/01/01 00:05:49 syscalls: 2853
1970/01/01 00:05:49 code coverage: enabled
1970/01/01 00:05:49 comparison tracing: enabled
1970/01/01 00:05:49 extra coverage: enabled
1970/01/01 00:05:49 delay kcov mmap: mmap returned an invalid pointer
1970/01/01 00:05:49 setuid sandbox: enabled
1970/01/01 00:05:49 namespace sandbox: enabled
1970/01/01 00:05:49 Android sandbox: /sys/fs/selinux/policy does not exist
1970/01/01 00:05:49 fault injection: enabled
1970/01/01 00:05:49 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
1970/01/01 00:05:49 net packet injection: enabled
1970/01/01 00:05:49 net device setup: enabled
1970/01/01 00:05:49 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
1970/01/01 00:05:49 devlink PCI setup: PCI device 0000:00:10.0 is not available
1970/01/01 00:05:49 USB emulation: enabled
1970/01/01 00:05:49 hci packet injection: /dev/vhci does not exist
1970/01/01 00:05:49 wifi device emulation: /sys/class/mac80211_hwsim/ does not exist
1970/01/01 00:05:49 802.15.4 emulation: /sys/bus/platform/devices/mac802154_hwsim does not exist
1970/01/01 00:05:49 fetching corpus: 0, signal 0/2000 (executing program)
1970/01/01 00:05:55 fetching corpus: 49, signal 39596/43010 (executing program)
1970/01/01 00:05:59 fetching corpus: 99, signal 58655/63267 (executing program)
1970/01/01 00:06:01 fetching corpus: 149, signal 67616/73474 (executing program)
1970/01/01 00:06:05
fetching corpus: 3157, signal 244262/248136 (executing program)
1970/01/01 00:08:58 fetching corpus: 3157, signal 244262/248144 (executing program)
1970/01/01 00:08:58 fetching corpus: 3157, signal 244262/248144 (executing program)
1970/01/01 00:10:52 starting 2 fuzzer processes
00:10:52 executing program 0:
setfsuid(0xffffffffffffffff)

00:10:52 executing program 1:
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000000)={0xffffffffffffffff})
r1 = socket(0x1d, 0x2, 0x6)
close(r1)
close(0xffffffffffffffff)
close(0xffffffffffffffff)
sendmsg$unix(r0, &(0x7f0000000340)={0x0, 0x0, 0x0, 0x0, &(0x7f0000000080)=[@rights={{0x14, 0x1, 0x1, [r1]}}], 0x18}, 0x0)

[ 686.704353][ T2040] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 686.805958][ T2040] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 690.365195][ T2038] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 690.654364][ T2038] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 702.390898][ T2040] device hsr_slave_0 entered promiscuous mode
[ 702.592060][ T2040] device hsr_slave_1 entered promiscuous mode
[ 706.504262][ T2038] device hsr_slave_0 entered promiscuous mode
[ 706.533028][ T2038] device hsr_slave_1 entered promiscuous mode
[ 706.567375][ T2038] debugfs: Directory 'hsr0' with parent 'hsr' already present!
[ 706.578949][ T2038] Cannot create hsr debugfs directory
[ 714.957043][ T2040] netdevsim netdevsim1 netdevsim0: renamed from eth0
[ 715.207415][ T2040] netdevsim netdevsim1 netdevsim1: renamed from eth1
[ 715.437880][ T2040] netdevsim netdevsim1 netdevsim2: renamed from eth2
[ 715.895293][ T2040] netdevsim netdevsim1 netdevsim3: renamed from eth3
[ 717.207191][ T2038] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 717.415534][ T2038] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 717.617196][ T2038] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 717.990686][ T2038] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 726.555603][ T2040] 8021q: adding VLAN 0 to HW filter on device bond0
[ 727.162596][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 727.358854][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 730.296778][ T2038] 8021q: adding VLAN 0 to HW filter on device bond0
[ 730.647221][ T84] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 730.826546][ T84] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 734.653316][ T84] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 734.775842][ T84] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 735.137942][ T2279] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 735.187709][ T2279] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 735.397955][ T2279] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 736.163410][ C1] ==================================================================
[ 736.164852][ C1] BUG: KASAN: slab-out-of-bounds in __bfs+0x154/0x394
[ 736.166231][ C1] Read of size 8 at addr ffffaf800e79ff30 by task syz-executor.1/2040
[ 736.167479][ C1]
[ 736.169181][ C1] CPU: 1 PID: 2040 Comm: syz-executor.1 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 736.172598][ C1] Hardware name: riscv-virtio,qemu (DT)
[ 736.173876][ C1] Call Trace:
[ 736.174832][ C1] [] dump_backtrace+0x2e/0x3c
[ 736.176194][ C1] [] show_stack+0x34/0x40
[ 736.177385][ C1] [] dump_stack_lvl+0xe4/0x150
[ 736.178749][ C1] [] print_address_description.constprop.0+0x2a/0x330
[ 736.181380][ C1] [] kasan_report+0x184/0x1e0
[ 736.182883][ C1] [] __asan_load8+0x6e/0x96
[ 736.184229][ C1] [] __bfs+0x154/0x394
[ 736.185370][ C1] [] check_path.constprop.0+0x24/0x46
[ 736.186769][ C1] [] check_noncircular+0x11a/0x1fe
[ 736.188278][ C1]
[ 736.189029][ C1] Allocated by task 1102416563:
[ 736.190469][ C1] (stack is not available)
[ 736.191704][ C1]
[ 736.192685][ C1] Freed by task 2279:
[ 736.193607][ C1] stack_trace_save+0xa6/0xd8
[ 736.194542][ C1] kasan_save_stack+0x2c/0x58
[ 736.195442][ C1] kasan_set_track+0x1a/0x26
[ 736.196395][ C1] kasan_set_free_info+0x1e/0x3a
[ 736.197353][ C1] ____kasan_slab_free+0x15e/0x180
[ 736.198431][ C1] __kasan_slab_free+0x10/0x18
[ 736.200317][ C1] slab_free_freelist_hook+0x8e/0x1cc
[ 736.201900][ C1] kfree+0xe0/0x3e4
[ 736.202921][ C1] skb_release_data+0x3c2/0x3c4
[ 736.203899][ C1] consume_skb+0x96/0x136
[ 736.204841][ C1] nsim_dev_trap_report_work+0x524/0x5e4
[ 736.205973][ C1] process_one_work+0x654/0xffe
[ 736.206954][ C1] worker_thread+0x360/0x8fa
[ 736.207914][ C1] kthread+0x19e/0x1fa
[ 736.208878][ C1] ret_from_exception+0x0/0x10
[ 736.210803][ C1]
[ 736.211772][ C1] Last potentially related work creation:
[ 736.213157][ C1] ------------[ cut here ]------------
[ 736.214091][ C1] slab index 1700064 out of bounds (318) for stack id 0e79f0e0
[ 736.218430][ C1] WARNING: CPU: 1 PID: 2040 at lib/stackdepot.c:304 stack_depot_print+0x66/0x70
[ 736.221642][ C1] Modules linked in:
[ 736.222792][ C1] CPU: 1 PID: 2040 Comm: syz-executor.1 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 736.224253][ C1] Hardware name: riscv-virtio,qemu (DT)
[ 736.225945][ C1] epc : stack_depot_print+0x66/0x70
[ 736.227164][ C1] ra : stack_depot_print+0x66/0x70
[ 736.228322][ C1] epc : ffffffff80c00b8a ra : ffffffff80c00b8a sp : ffffaf800e79fcc0
[ 736.230333][ C1] gp : ffffffff85863ac0 tp : ffffaf800ecf6100 t0 : ffffffff86bcb657
[ 736.232564][ C1] t1 : fffff5ef0b53c90c t2 : 0000000000000000 s0 : ffffaf800e79fcd0
[ 736.234155][ C1] s1 : ffffaf807aa5b2c0 a0 : 000000000000003c a1 : 00000000000f0000
[ 736.235322][ C1] a2 : 0000000000000502 a3 : ffffffff8012252a a4 : efd34f3ccc8ce800
[ 736.236510][ C1] a5 : efd34f3ccc8ce800 a6 : 0000000000f00000 a7 : ffffaf805a9e4863
[ 736.237679][ C1] s2 : ffffaf800e79ff30 s3 : ffffaf8007202140 s4 : ffffaf800e79e000
[ 736.238838][ C1] s5 : ffffaf800e79f000 s6 : ffffffff8588bb20 s7 : ffffffff85e09180
[ 736.240698][ C1] s8 : ffffaf800e79fe40 s9 : ffffaf800ecf6c08 s10: ffffffff85899680
[ 736.242928][ C1] s11: ffffaf800ecf6100 t3 : ffffffff801163b2 t4 : fffff5ef0b53c90c
[ 736.244273][ C1] t5 : fffff5ef0b53c90d t6 : ffffaf800e79f7b8
[ 736.245389][ C1] status: 0000000000000100 badaddr: 0000000000000000 cause: 0000000000000003
[ 736.246715][ C1] [] print_address_description.constprop.0+0x2fc/0x330
[ 736.248213][ C1] [] kasan_report+0x184/0x1e0
[ 736.249991][ C1] [] __asan_load8+0x6e/0x96
[ 736.251740][ C1] [] __bfs+0x154/0x394
[ 736.252841][ C1] [] check_path.constprop.0+0x24/0x46
[ 736.254127][ C1] [] check_noncircular+0x11a/0x1fe
[ 736.255537][ C1] irq event stamp: 157705
[ 736.256342][ C1] hardirqs last enabled at (157704): [] _raw_spin_unlock_irqrestore+0x68/0x98
[ 736.257894][ C1] hardirqs last disabled at (157705): [] get_page_from_freelist+0xfbe/0x12d8
[ 736.260232][ C1] softirqs last enabled at (157660): [] igmpv3_del_delrec+0x2b2/0x3fa
[ 736.263278][ C1] softirqs last disabled at (157675): [] __irq_exit_rcu+0x142/0x1f8
[ 736.264887][ C1] ---[ end trace 0000000000000000 ]---
[ 736.266280][ C1]
[ 736.266975][ C1] The buggy address belongs to the object at ffffaf800e79e000
[ 736.266975][ C1]  which belongs to the cache kmalloc-4k of size 4096
[ 736.268723][ C1] The buggy address is located 3888 bytes to the right of
[ 736.268723][ C1]  4096-byte region [ffffaf800e79e000, ffffaf800e79f000)
[ 736.272168][ C1] The buggy address belongs to the page:
[ 736.274393][ C1] page:ffffaf807aa5b2c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8e998
[ 736.276077][ C1] head:ffffaf807aa5b2c0 order:3 compound_mapcount:0 compound_pincount:0
[ 736.277545][ C1] flags: 0x8800010200(slab|head|section=17|node=0|zone=0)
[ 736.281147][ C1] raw: 0000008800010200 0000000000000100 0000000000000122 ffffaf8007202140
[ 736.282646][ C1] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
[ 736.283925][ C1] raw: 00000000000007ff
[ 736.284751][ C1] page dumped because: kasan: bad access detected
[ 736.285995][ C1] page_owner tracks the page as allocated
[ 736.286904][ C1] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 2038, ts 688607572700, free_ts 686071314000
[ 736.289825][ C1] __set_page_owner+0x48/0x136
[ 736.291737][ C1] post_alloc_hook+0xd0/0x10a
[ 736.292845][ C1] get_page_from_freelist+0x8da/0x12d8
[ 736.294196][ C1] __alloc_pages+0x150/0x3b6
[ 736.295228][ C1] alloc_pages+0x132/0x2a6
[ 736.296269][ C1] alloc_slab_page.constprop.0+0xc2/0xfa
[ 736.297372][ C1] new_slab+0x25a/0x2cc
[ 736.298374][ C1] ___slab_alloc+0x56e/0x918
[ 736.299901][ C1] __slab_alloc.constprop.0+0x50/0x8c
[ 736.301725][ C1] kmem_cache_alloc_trace+0x2a2/0x2e0
[ 736.302950][ C1] ipv6_add_dev+0x3d6/0xa7e
[ 736.303923][ C1] addrconf_notify+0x5e8/0x1360
[ 736.304981][ C1] notifier_call_chain+0xb8/0x188
[ 736.306110][ C1] raw_notifier_call_chain+0x2a/0x38
[ 736.307228][ C1] call_netdevice_notifiers_info+0x9e/0x10c
[ 736.308327][ C1] register_netdevice+0xae8/0xc6a
[ 736.310296][ C1] page last free stack trace:
[ 736.311558][ C1] __reset_page_owner+0x4a/0xea
[ 736.313113][ C1] free_pcp_prepare+0x29c/0x45e
[ 736.314229][ C1] free_unref_page+0x6a/0x31e
[ 736.315218][ C1] __free_pages+0xe2/0x112
[ 736.316259][ C1] __free_slab+0x122/0x27c
[ 736.317275][ C1] discard_slab+0x4c/0x7a
[ 736.318793][ C1] __slab_free+0x20a/0x29c
[ 736.320559][ C1] ___cache_free+0x17c/0x354
[ 736.321661][ C1] qlist_free_all+0x7c/0x132
[ 736.322674][ C1] kasan_quarantine_reduce+0x14c/0x1c8
[ 736.323879][ C1] __kasan_slab_alloc+0x5c/0x98
[ 736.325022][ C1] kmem_cache_alloc+0x338/0x3de
[ 736.326557][ C1] vm_area_dup+0xa4/0x224
[ 736.327563][ C1] __split_vma+0x7c/0x2fa
[ 736.328553][ C1] split_vma+0x68/0x8c
[ 736.330040][ C1] mprotect_fixup+0x358/0x3dc
[ 736.331856][ C1]
[ 736.332453][ C1] Memory state around the buggy address:
[ 736.333700][ C1]  ffffaf800e79fe00: 00 f3 f3 f3 fc fc fc fc fc fc fc fc fc fc fc fc
[ 736.334871][ C1]  ffffaf800e79fe80: fc fc fc fc fc fc fc fc 00 00 00 00 f1 f1 f1 f1
[ 736.335870][ C1] >ffffaf800e79ff00: 00 f2 f2 f2 fc fc fc fc 00 00 00 f3 f3 f3 f3 f3
[ 736.336863][ C1]                                      ^
[ 736.337940][ C1]  ffffaf800e79ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 736.339069][ C1]  ffffaf800e7a0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 736.341169][ C1] ==================================================================
[ 736.343337][ C1] Disabling lock debugging due to kernel taint
[ 736.351132][ T2040] Kernel panic - not syncing: corrupted stack end detected inside scheduler
[ 736.352890][ T2040] CPU: 1 PID: 2040 Comm: syz-executor.1 Tainted: G B W 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 736.354382][ T2040] Hardware name: riscv-virtio,qemu (DT)
[ 736.355115][ T2040] Call Trace:
[ 736.355666][ T2040] [] dump_backtrace+0x2e/0x3c
[ 736.356779][ T2040] [] show_stack+0x34/0x40
[ 736.358095][ T2040] [] dump_stack_lvl+0xe4/0x150
[ 736.359856][ T2040] [] dump_stack+0x1c/0x24
[ 736.361787][ T2040] [] panic+0x24a/0x634
[ 736.362938][ T2040] [] schedule+0x0/0x14c
[ 736.364189][ T2040] [] preempt_schedule_common+0x4e/0xde
[ 736.365488][ T2040] [] preempt_schedule+0x34/0x36
[ 736.366767][ T2040] [] _raw_spin_unlock_irqrestore+0x8c/0x98
[ 736.368055][ T2040] [] __stack_depot_save+0x384/0x4b2
[ 736.369686][ T2040] [] stack_depot_save+0xe/0x18
[ 736.371653][ T2040] [] save_stack+0x122/0x16c
[ 736.372831][ T2040] [] __set_page_owner+0x48/0x136
[ 736.374028][ T2040] [] post_alloc_hook+0xd0/0x10a
[ 736.375129][ T2040] [] get_page_from_freelist+0x8da/0x12d8
[ 736.376311][ T2040] [] __alloc_pages+0x150/0x3b6
[ 736.377478][ T2040] [] alloc_pages+0x132/0x2a6
[ 736.378781][ T2040] [] alloc_slab_page.constprop.0+0xc2/0xfa
[ 736.381088][ T2040] [] new_slab+0x76/0x2cc
[ 736.382307][ T2040] [] ___slab_alloc+0x56e/0x918
[ 736.383501][ T2040] [] __slab_alloc.constprop.0+0x50/0x8c
[ 736.384781][ T2040] [] kmem_cache_alloc+0x39c/0x3de
[ 736.385991][ T2040] [] fill_pool+0x24a/0x35c
[ 736.387115][ T2040] [] __debug_object_init+0x8e/0x7b8
[ 736.388308][ T2040] [] debug_object_activate+0x286/0x29a
[ 736.390351][ T2040] [] call_rcu+0x3c/0x4ce
[ 736.391953][ T2040] [] fib_create_info+0x1520/0x2d8e
[ 736.393133][ T2040] [] fib_table_insert+0x1a0/0xebe
[ 736.395086][ T2040] [] fib_magic+0x3f4/0x438
[ 736.396938][ T2040] [] fib_add_ifaddr+0xd2/0x2e2
[ 736.398148][ T2040] [] fib_netdev_event+0x362/0x4b0
[ 736.399807][ T2040] [] notifier_call_chain+0xb8/0x188
[ 736.401090][ T2040] [] raw_notifier_call_chain+0x2a/0x38
[ 736.402354][ T2040] [] call_netdevice_notifiers_info+0x9e/0x10c
[ 736.403603][ T2040] [] __dev_notify_flags+0x108/0x1fa
[ 736.404877][ T2040] [] dev_change_flags+0x9c/0xba
[ 736.406149][ T2040] [] do_setlink+0x5d6/0x21c4
[ 736.407311][ T2040] [] __rtnl_newlink+0x99e/0xfa0
[ 736.408492][ T2040] [] rtnl_newlink+0x60/0x8c
[ 736.410353][ T2040] [] rtnetlink_rcv_msg+0x338/0x9a0
[ 736.411617][ T2040] [] netlink_rcv_skb+0xf8/0x2be
[ 736.412795][ T2040] [] rtnetlink_rcv+0x26/0x30
[ 736.414560][ T2040] [] netlink_unicast+0x40e/0x5fe
[ 736.415733][ T2040] [] netlink_sendmsg+0x4e0/0x994
[ 736.417104][ T2040] [] sock_sendmsg+0xa0/0xc4
[ 736.418703][ T2040] [] __sys_sendto+0x1f2/0x2e0
[ 736.420486][ T2040] [] sys_sendto+0x3e/0x52
[ 736.421579][ T2040] [] ret_from_syscall+0x0/0x2
[ 736.422944][ T2040] SMP: stopping secondary CPUs
[ 736.425211][ T2040] Rebooting in 86400 seconds..
VM DIAGNOSIS: 11:03:47 Registers: