syzkaller login: [  256.287042][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[  256.358651][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[  256.433889][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[  267.218503][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
Warning: Permanently added '[localhost]:26638' (ECDSA) to the list of known hosts.
1970/01/01 00:05:30 fuzzer started
1970/01/01 00:05:45 dialing manager at localhost:41265
[  352.190973][ T2032] cgroup: Unknown subsys name 'net'
[  353.267160][ T2032] cgroup: Unknown subsys name 'rlimit'
1970/01/01 00:05:53 syscalls: 2918
1970/01/01 00:05:53 code coverage: enabled
1970/01/01 00:05:53 comparison tracing: enabled
1970/01/01 00:05:53 extra coverage: enabled
1970/01/01 00:05:53 delay kcov mmap: mmap returned an invalid pointer
1970/01/01 00:05:53 setuid sandbox: enabled
1970/01/01 00:05:53 namespace sandbox: enabled
1970/01/01 00:05:53 Android sandbox: /sys/fs/selinux/policy does not exist
1970/01/01 00:05:53 fault injection: enabled
1970/01/01 00:05:53 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
1970/01/01 00:05:53 net packet injection: enabled
1970/01/01 00:05:53 net device setup: enabled
1970/01/01 00:05:53 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
1970/01/01 00:05:53 devlink PCI setup: PCI device 0000:00:10.0 is not available
1970/01/01 00:05:53 NIC VF setup: PCI device 0000:00:11.0 is not available
1970/01/01 00:05:53 USB emulation: enabled
1970/01/01 00:05:53 hci packet injection: /dev/vhci does not exist
1970/01/01 00:05:53 wifi device emulation: /sys/class/mac80211_hwsim/ does not exist
1970/01/01 00:05:53 802.15.4 emulation: /sys/bus/platform/devices/mac802154_hwsim does not exist
1970/01/01 00:05:53 fetching corpus: 0, signal 0/2000 (executing program)
1970/01/01 00:06:00 fetching corpus: 50, signal 37157/39877 (executing program)
1970/01/01 00:06:04 fetching corpus: 98, signal 49863/53243 (executing program)
1970/01/01 00:06:10 fetching corpus: 147, signal 58744/62687 (executing program)
1970/01/01 00:06:13 fetching corpus: 195, signal 64749/69134 (executing program)
1970/01/01 00:06:17 fetching corpus: 244, signal 70541/75219 (executing program)
1970/01/01 00:06:20 fetching corpus: 294, signal 73215/78318 (executing program)
1970/01/01 00:06:23 fetching corpus: 344, signal 77339/82582 (executing program)
1970/01/01 00:06:25 fetching corpus: 392, signal 83902/88750 (executing program)
1970/01/01 00:06:28 fetching corpus: 442, signal 87599/92342 (executing program)
1970/01/01 00:06:31 fetching corpus: 491, signal 90590/95282 (executing program)
1970/01/01 00:06:36 fetching corpus: 541, signal 94770/99040 (executing program)
1970/01/01 00:06:39 fetching corpus: 591, signal 98067/102050 (executing program)
1970/01/01 00:06:41 fetching corpus: 640, signal 101519/105013 (executing program)
1970/01/01 00:06:45 fetching corpus: 689, signal 103667/106859 (executing program)
1970/01/01 00:06:47 fetching corpus: 738, signal 106184/108919 (executing program)
1970/01/01 00:06:52 fetching corpus: 786, signal 108822/110947 (executing program)
1970/01/01 00:06:54 fetching corpus: 834, signal 111215/112742 (executing program)
1970/01/01 00:06:56 fetching corpus: 883, signal 112634/113785 (executing program)
1970/01/01 00:06:58 fetching corpus: 907, signal 113374/114319 (executing program)
1970/01/01 00:06:58 fetching corpus: 907, signal 113374/114379 (executing program)
1970/01/01 00:06:58 fetching corpus: 907, signal 113374/114424 (executing program)
1970/01/01 00:06:58 fetching corpus: 907, signal 113374/114463 (executing program)
1970/01/01 00:06:58 fetching corpus: 907, signal 113374/114511 (executing program)
1970/01/01 00:06:59 fetching corpus: 907, signal 113374/114549 (executing program)
1970/01/01 00:06:59 fetching corpus: 907, signal 113374/114601 (executing program)
1970/01/01 00:06:59 fetching corpus: 907, signal 113374/114643 (executing program)
1970/01/01 00:06:59 fetching corpus: 907, signal 113374/114697 (executing program)
1970/01/01 00:06:59 fetching corpus: 907, signal 113374/114751 (executing program)
1970/01/01 00:06:59 fetching corpus: 907, signal 113374/114802 (executing program)
1970/01/01 00:07:00 fetching corpus: 907, signal 113374/114844 (executing program)
1970/01/01 00:07:00 fetching corpus: 907, signal 113374/114902 (executing program)
1970/01/01 00:07:00 fetching corpus: 907, signal 113374/114968 (executing program)
1970/01/01 00:07:00 fetching corpus: 907, signal 113374/115010 (executing program)
1970/01/01 00:07:00 fetching corpus: 907, signal 113374/115055 (executing program)
1970/01/01 00:07:00 fetching corpus: 907, signal 113374/115108 (executing program)
1970/01/01 00:07:00 fetching corpus: 907, signal 113374/115146 (executing program)
1970/01/01 00:07:01 fetching corpus: 907, signal 113374/115200 (executing program)
1970/01/01 00:07:01 fetching corpus: 907, signal 113376/115255 (executing program)
1970/01/01 00:07:01 fetching corpus: 908, signal 113377/115305 (executing program)
1970/01/01 00:07:01 fetching corpus: 908, signal 113377/115354 (executing program)
1970/01/01 00:07:02 fetching corpus: 908, signal 113377/115400 (executing program)
1970/01/01 00:07:02 fetching corpus: 908, signal 113377/115449 (executing program)
1970/01/01 00:07:02 fetching corpus: 908, signal 113377/115499 (executing program)
1970/01/01 00:07:02 fetching corpus: 908, signal 113377/115551 (executing program)
1970/01/01 00:07:02 fetching corpus: 908, signal 113377/115586 (executing program)
1970/01/01 00:07:03 fetching corpus: 908, signal 113377/115631 (executing program)
1970/01/01 00:07:03 fetching corpus: 908, signal 113377/115669 (executing program)
1970/01/01 00:07:03 fetching corpus: 908, signal 113377/115713 (executing program)
1970/01/01 00:07:03 fetching corpus: 908, signal 113377/115763 (executing program)
1970/01/01 00:07:03 fetching corpus: 908, signal 113377/115818 (executing program)
1970/01/01 00:07:04 fetching corpus: 908, signal 113377/115870 (executing program)
1970/01/01 00:07:04 fetching corpus: 908, signal 113377/115928 (executing program)
1970/01/01 00:07:04 fetching corpus: 908, signal 113377/115972 (executing program)
1970/01/01 00:07:04 fetching corpus: 908, signal 113377/116023 (executing program)
1970/01/01 00:07:04 fetching corpus: 908, signal 113377/116064 (executing program)
1970/01/01 00:07:05 fetching corpus: 908, signal 113377/116117 (executing program)
1970/01/01 00:07:05 fetching corpus: 908, signal 113377/116170 (executing program)
1970/01/01 00:07:05 fetching corpus: 908, signal 113377/116187 (executing program)
1970/01/01 00:07:05 fetching corpus: 908, signal 113377/116187 (executing program)
1970/01/01 00:09:07 starting 2 fuzzer processes
00:09:07 executing program 0:
r0 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0xfffffffffffffff8)
read(r0, 0x0, 0x0)

00:09:07 executing program 1:
r0 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file1\x00', 0x42, 0x0)
close(r0)
r1 = eventfd2(0x0, 0x0)
read$FUSE(r0, &(0x7f0000004200)={0x2020}, 0x2020)
write(r1, &(0x7f0000000100)="6aeb6ea87b1e5b08", 0x8)

[  580.575317][ T2037] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[  580.678370][ T2036] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[  580.734538][ T2037] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[  581.540743][ T2036] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[  596.914522][ T2037] device hsr_slave_0 entered promiscuous mode
[  596.938975][ T2037] device hsr_slave_1 entered promiscuous mode
[  598.642059][ T2036] device hsr_slave_0 entered promiscuous mode
[  598.666304][ T2036] device hsr_slave_1 entered promiscuous mode
[  598.683018][ T2036] debugfs: Directory 'hsr0' with parent 'hsr' already present!
[  598.687356][ T2036] Cannot create hsr debugfs directory
[  607.292301][ T2037] netdevsim netdevsim0 netdevsim0: renamed from eth0
[  607.507785][ T2037] netdevsim netdevsim0 netdevsim1: renamed from eth1
[  607.605140][ T2037] netdevsim netdevsim0 netdevsim2: renamed from eth2
[  608.136232][ T2037] netdevsim netdevsim0 netdevsim3: renamed from eth3
[  609.503190][ T2036] netdevsim netdevsim1 netdevsim0: renamed from eth0
[  609.824178][ T2036] netdevsim netdevsim1 netdevsim1: renamed from eth1
[  609.958020][ T2036] netdevsim netdevsim1 netdevsim2: renamed from eth2
[  610.194353][ T2036] netdevsim netdevsim1 netdevsim3: renamed from eth3
[  620.604717][    C0] ==================================================================
[  620.608785][    C0] BUG: KASAN: use-after-free in walk_stackframe+0x11c/0x260
[  620.611666][    C0] Read of size 8 at addr ffffaf800c85bfa0 by task syz-executor.0/2037
[  620.613567][    C0] 
[  620.615445][    C0] CPU: 0 PID: 2037 Comm: syz-executor.0 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[  620.617490][    C0] Hardware name: riscv-virtio,qemu (DT)
[  620.618902][    C0] Call Trace:
[  620.620407][    C0] [<ffffffff8000a228>] dump_backtrace+0x2e/0x3c
[  620.622009][    C0] [<ffffffff831668cc>] show_stack+0x34/0x40
[  620.623347][    C0] [<ffffffff831756ba>] dump_stack_lvl+0xe4/0x150
[  620.624726][    C0] [<ffffffff8047479e>] print_address_description.constprop.0+0x2a/0x330
[  620.626411][    C0] [<ffffffff80474d4c>] kasan_report+0x184/0x1e0
[  620.627820][    C0] [<ffffffff80475b20>] __asan_load8+0x6e/0x96
[  620.629278][    C0] [<ffffffff8000a052>] walk_stackframe+0x11c/0x260
[  620.631514][    C0] [<ffffffff8000a4a4>] arch_stack_walk+0x2c/0x3c
[  620.632934][    C0] [<ffffffff80162ac8>] stack_trace_save+0xa6/0xd8
[  620.634648][    C0] 
[  620.635511][    C0] The buggy address belongs to the page:
[  620.637029][    C0] page:ffffaf807a9ce998 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8ca5b
[  620.638855][    C0] flags: 0x8800000000(section=17|node=0|zone=0)
[  620.643987][    C0] raw: 0000008800000000 ffffaf807aac4148 ffffaf807afafc80 0000000000000000
[  620.645571][    C0] raw: 0000000000000000 0000000000100000 00000000ffffffff 0000000000000000
[  620.646884][    C0] raw: 00000000000007ff
[  620.647881][    C0] page dumped because: kasan: bad access detected
[  620.649271][    C0] page_owner tracks the page as freed
[  620.651045][    C0] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 2270, ts 574754858500, free_ts 615814088200
[  620.654145][    C0]  __set_page_owner+0x48/0x136
[  620.655332][    C0]  post_alloc_hook+0xd0/0x10a
[  620.656472][    C0]  get_page_from_freelist+0x8da/0x12d8
[  620.657659][    C0]  __alloc_pages+0x150/0x3b6
[  620.658780][    C0]  alloc_pages+0x132/0x2a6
[  620.660333][    C0]  alloc_slab_page.constprop.0+0xc2/0xfa
[  620.661656][    C0]  new_slab+0x76/0x2cc
[  620.662772][    C0]  ___slab_alloc+0x56e/0x918
[  620.663917][    C0]  __slab_alloc.constprop.0+0x50/0x8c
[  620.665183][    C0]  kmem_cache_alloc+0x39c/0x3de
[  620.666381][    C0]  prepare_kernel_cred+0x34/0x604
[  620.667463][    C0]  call_usermodehelper_exec_async+0x98/0x2dc
[  620.668647][    C0]  ret_from_exception+0x0/0x10
[  620.670147][    C0] page last free stack trace:
[  620.671290][    C0]  __reset_page_owner+0x4a/0xea
[  620.672424][    C0]  free_pcp_prepare+0x29c/0x45e
[  620.673346][    C0]  free_unref_page+0x6a/0x31e
[  620.674304][    C0]  __free_pages+0xe2/0x112
[  620.675303][    C0]  __free_slab+0x122/0x27c
[  620.676348][    C0]  discard_slab+0x4c/0x7a
[  620.677296][    C0]  __slab_free+0x20a/0x29c
[  620.678337][    C0]  ___cache_free+0x17c/0x354
[  620.679501][    C0]  qlist_free_all+0x7c/0x132
[  620.680688][    C0]  kasan_quarantine_reduce+0x14c/0x1c8
[  620.681739][    C0]  __kasan_slab_alloc+0x5c/0x98
[  620.682812][    C0]  __kmalloc+0x156/0x318
[  620.683744][    C0]  tomoyo_realpath_from_path+0x9c/0x3f4
[  620.684762][    C0]  tomoyo_path_perm+0x1fc/0x3a8
[  620.685712][    C0]  tomoyo_inode_getattr+0x1e/0x28
[  620.686863][    C0]  security_inode_getattr+0x82/0xc6
[  620.688076][    C0] 
[  620.688689][    C0] Memory state around the buggy address:
[  620.690223][    C0]  ffffaf800c85be80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[  620.691767][    C0]  ffffaf800c85bf00: ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00
[  620.692824][    C0] >ffffaf800c85bf80: 00 00 00 00 ff ff ff ff f1 f1 f1 f1 00 00 00 f3
[  620.693776][    C0]                                ^
[  620.694699][    C0]  ffffaf800c85c000: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
[  620.695725][    C0]  ffffaf800c85c080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  620.696936][    C0] ==================================================================
[  620.697965][    C0] Disabling lock debugging due to kernel taint
[  620.701613][ T2037] Kernel panic - not syncing: corrupted stack end detected inside scheduler
[  620.702777][ T2037] CPU: 0 PID: 2037 Comm: syz-executor.0 Tainted: G    B             5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[  620.703957][ T2037] Hardware name: riscv-virtio,qemu (DT)
[  620.704575][ T2037] Call Trace:
[  620.705119][ T2037] [<ffffffff8000a228>] dump_backtrace+0x2e/0x3c
[  620.706110][ T2037] [<ffffffff831668cc>] show_stack+0x34/0x40
[  620.707028][ T2037] [<ffffffff831756ba>] dump_stack_lvl+0xe4/0x150
[  620.708026][ T2037] [<ffffffff83175742>] dump_stack+0x1c/0x24
[  620.709004][ T2037] [<ffffffff83166fa8>] panic+0x24a/0x634
[  620.710293][ T2037] [<ffffffff831a688a>] schedule+0x0/0x14c
[  620.711338][ T2037] [<ffffffff831a70f8>] preempt_schedule_irq+0x4a/0x13e
[  620.711890][ T2037] [<ffffffff800057cc>] resume_kernel+0x16/0x18
[  620.713497][ T2037] SMP: stopping secondary CPUs
[  620.715511][ T2037] Rebooting in 86400 seconds..

VM DIAGNOSIS:
12:09:00  Registers:
info registers vcpu 0
 pc       ffffffff80c2b612
 mhartid  0000000000000000
 mstatus  00000000000000a0
 mip      00000000000000a0
 mie      000000000000022a
 mideleg  0000000000000222
 medeleg  000000000000b109
 mtvec    0000000080000540
 stvec    ffffffff800055d4
 mepc     ffffffff80200f00
 sepc     ffffffff82785ad0
 mcause   8000000000000007
 scause   8000000000000005
 mtval  0000000000000000
 stval  0000000000000000
 x0/zero 0000000000000000 x1/ra ffffffff8011c7fa x2/sp ffffaf800c85b980 x3/gp ffffffff85863ac0
 x4/tp ffffaf8007511840 x5/t0 ffffaf800c85ba23 x6/t1 fffff5ef0190b744 x7/t2 0000000000000000
 x8/s0 ffffaf800c85b9b0 x9/s1 ffffffff86bcb640 x10/a0 ffffffff86bcb640 x11/a1 000000000000000a
 x12/a2 0000000000000000 x13/a3 ffffffff8011c7ec x14/a4 ffffaf8007511840 x15/a5 0000000000000000
 x16/a6 ffffaf800c85ba27 x17/a7 ffffaf800c85ba25 x18/s2 ffffffff86bcb641 x19/s3 ffffffff86bcb640
 x20/s4 000000000000000a x21/s5 0000000000000017 x22/s6 0000000000000000 x23/s7 0000000000000400
 x24/s8 ffffaf800c85ba10 x25/s9 0000000000000000 x26/s10 00000000000003e7 x27/s11 ffffaf800c85bc60
 x28/t3 0000000000000043 x29/t4 fffff5ef0190b744 x30/t5 fffff5ef0190b745 x31/t6 ffffaf800c85ba26
 f0/ft0 0000000000000000 f1/ft1 0000000000000000 f2/ft2 0000000000000000 f3/ft3 0000000000000000
 f4/ft4 0000000000000000 f5/ft5 0000000000000000 f6/ft6 0000000000000000 f7/ft7 0000000000000000
 f8/fs0 0000000000000000 f9/fs1 0000000000000000 f10/fa0 0000000000000000 f11/fa1 0000000000000000
 f12/fa2 0000000000000000 f13/fa3 0000000000000000 f14/fa4 0000000000000000 f15/fa5 0000000000000000
 f16/fa6 0000000000000000 f17/fa7 0000000000000000 f18/fs2 0000000000000000 f19/fs3 0000000000000000
 f20/fs4 0000000000000000 f21/fs5 0000000000000000 f22/fs6 0000000000000000 f23/fs7 0000000000000000
 f24/fs8 0000000000000000 f25/fs9 0000000000000000 f26/fs10 0000000000000000 f27/fs11 0000000000000000
 f28/ft8 0000000000000000 f29/ft9 0000000000000000 f30/ft10 0000000000000000 f31/ft11 0000000000000000
info registers vcpu 1
 pc       ffffffff802010c8
 mhartid  0000000000000001
 mstatus  00000000000001a2
 mip      0000000000000000
 mie      00000000000002aa
 mideleg  0000000000000222
 medeleg  000000000000b109
 mtvec    0000000080000540
 stvec    ffffffff800055d4
 mepc     ffffffff8000f97e
 sepc     ffffffff80061052
 mcause   0000000000000009
 scause   8000000000000005
 mtval  0000000000000000
 stval  0000000000000000
 x0/zero 0000000000000000 x1/ra ffffffff80146d18 x2/sp ffffaf800eacf440 x3/gp ffffffff85863ac0
 x4/tp ffffaf800c601840 x5/t0 0000000000000000 x6/t1 fffffffff3f3f3f3 x7/t2 ffffffff8cb826d2
 x8/s0 ffffaf800eacf3b0 x9/s1 ffffffff8343c840 x10/a0 ffffaf800e8530a8 x11/a1 0000000000000007
 x12/a2 1ffff5f0018c044e x13/a3 ffffffff801124d0 x14/a4 dfffffff00000000 x15/a5 0000000000000000
 x16/a6 ffffffff866f1419 x17/a7 ffffffff800f6d46 x18/s2 ffffaf800c602260 x19/s3 ffffaf800eacf200
 x20/s4 ffffffffffffffff x21/s5 ffffaf800c602258 x22/s6 ffffffff858c4ca0 x23/s7 a0cb256adb2da6a7
 x24/s8 ffffffff800f6d46 x25/s9 ffffffff85889780 x26/s10 000000000000000e x27/s11 000000000000000e
 x28/t3 fffffffff3f3f300 x29/t4 ffffffff80112282 x30/t5 1ffff5f001d59e60 x31/t6 ffffaf8021e927d0
 f0/ft0 0000000000000000 f1/ft1 0000000000000000 f2/ft2 0000000000000000 f3/ft3 0000000000000000
 f4/ft4 0000000000000000 f5/ft5 0000000000000000 f6/ft6 0000000000000000 f7/ft7 0000000000000000
 f8/fs0 0000000000000000 f9/fs1 0000000000000000 f10/fa0 0000000000000000 f11/fa1 0000000000000000
 f12/fa2 0000000000000000 f13/fa3 0000000000000000 f14/fa4 0000000000000000 f15/fa5 0000000000000000
 f16/fa6 0000000000000000 f17/fa7 0000000000000000 f18/fs2 0000000000000000 f19/fs3 0000000000000000
 f20/fs4 0000000000000000 f21/fs5 0000000000000000 f22/fs6 0000000000000000 f23/fs7 0000000000000000
 f24/fs8 0000000000000000 f25/fs9 0000000000000000 f26/fs10 0000000000000000 f27/fs11 0000000000000000
 f28/ft8 0000000000000000 f29/ft9 0000000000000000 f30/ft10 0000000000000000 f31/ft11 0000000000000000
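Added example (editor's code, not syzkaller's or the kernel's): a small Python triage script for the KASAN report above. It parses an excerpt of this log (embedded verbatim below, with most stack frames dropped for brevity) into the headline, call trace, page_owner allocation/free stacks and shadow rows, decodes the shadow byte that KASAN's caret points at from the faulting address (generic KASAN: one shadow byte per 8-byte granule), and computes the allocation-to-free and free-to-report intervals from the page_owner ts/free_ts values and the printk timestamp, all of which are local_clock() nanoseconds on this kernel. The shadow legend is the generic-KASAN encoding from mm/kasan/kasan.h on 5.x kernels as I know it, and the regexes are written for this log's format; both are my assumptions rather than anything the page states.

```python
"""Structured triage of a syzkaller KASAN console log (added example, not syzkaller code)."""
import re

# Excerpt of the crash log above, dmesg prefixes kept; most stack frames omitted for brevity.
SAMPLE_LOG = """\
[  620.608785][    C0] BUG: KASAN: use-after-free in walk_stackframe+0x11c/0x260
[  620.611666][    C0] Read of size 8 at addr ffffaf800c85bfa0 by task syz-executor.0/2037
[  620.613567][    C0]
[  620.615445][    C0] CPU: 0 PID: 2037 Comm: syz-executor.0 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[  620.617490][    C0] Hardware name: riscv-virtio,qemu (DT)
[  620.618902][    C0] Call Trace:
[  620.620407][    C0] [<ffffffff8000a228>] dump_backtrace+0x2e/0x3c
[  620.629278][    C0] [<ffffffff8000a052>] walk_stackframe+0x11c/0x260
[  620.632934][    C0] [<ffffffff80162ac8>] stack_trace_save+0xa6/0xd8
[  620.634648][    C0]
[  620.649271][    C0] page_owner tracks the page as freed
[  620.651045][    C0] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 2270, ts 574754858500, free_ts 615814088200
[  620.654145][    C0]  __set_page_owner+0x48/0x136
[  620.666381][    C0]  prepare_kernel_cred+0x34/0x604
[  620.670147][    C0] page last free stack trace:
[  620.671290][    C0]  __reset_page_owner+0x4a/0xea
[  620.683744][    C0]  tomoyo_realpath_from_path+0x9c/0x3f4
[  620.688076][    C0]
[  620.688689][    C0] Memory state around the buggy address:
[  620.691767][    C0]  ffffaf800c85bf00: ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00
[  620.692824][    C0] >ffffaf800c85bf80: 00 00 00 00 ff ff ff ff f1 f1 f1 f1 00 00 00 f3
[  620.693776][    C0]                                ^
[  620.696936][    C0] ==================================================================
[  620.701613][ T2037] Kernel panic - not syncing: corrupted stack end detected inside scheduler
"""

# Generic-KASAN shadow values as I know them from mm/kasan/kasan.h on 5.x kernels (assumption).
SHADOW_LEGEND = {0x00: "8 bytes addressable", 0xff: "freed page (KASAN_FREE_PAGE)",
                 0xfe: "kmalloc_large redzone (KASAN_PAGE_REDZONE)", 0xfc: "slab redzone (KASAN_KMALLOC_REDZONE)",
                 0xfb: "freed slab object (KASAN_KMALLOC_FREE)", 0xf9: "global redzone (KASAN_GLOBAL_REDZONE)",
                 0xf1: "stack left redzone", 0xf2: "stack mid redzone", 0xf3: "stack right redzone",
                 0xf4: "stack partial redzone", 0xf8: "unallocated vmalloc space"}

PREFIX_RE = re.compile(r"^\[\s*([\d.]+)\]\[\s*\w+\]\s?")            # "[  620.608785][    C0] "
FRAME_RE = re.compile(r"^\s*(?:\[<[0-9a-f]+>\] )?(\S+\+0x[0-9a-f]+/0x[0-9a-f]+)$")
ROW_RE = re.compile(r"^([ >])([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})\s*$")
SECTION_STARTS = {"Call Trace:": "call_trace", "page last free stack trace:": "free_stack",
                  "Memory state around the buggy address:": "shadow"}

def describe_shadow(val):
    """0x00 = whole 8-byte granule addressable, 0x01..0x07 = only the first N bytes are."""
    if 1 <= val <= 7:
        return f"first {val} of 8 bytes addressable"
    return SHADOW_LEGEND.get(val, "unrecognised shadow value")

def parse_kasan_report(log_text):
    """Pull the headline, call trace, page_owner stacks/timestamps and shadow rows into a dict."""
    rep = {"call_trace": [], "alloc_stack": [], "free_stack": [], "shadow_rows": {}}
    section = None
    for raw in log_text.splitlines():
        p = PREFIX_RE.match(raw)
        ts, line = (float(p[1]), raw[p.end():]) if p else (None, raw)
        if not line.strip():                       # a blank line closes a stack section
            section = None
        elif m := re.match(r"BUG: KASAN: (.+) in (\S+)$", line):
            rep.update(bug=m[1], func=m[2], crash_ts_s=ts)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", line):
            rep.update(access=m[1].lower(), size=int(m[2]), addr=int(m[3], 16), task=m[4], pid=int(m[5]))
        elif m := re.match(r"CPU: \d+ PID: \d+ Comm: \S+ .*?(\d+\.\d+\.\d+\S*) #\d+", line):
            rep["kernel"] = m[1]
        elif m := re.match(r"Hardware name: (.+)", line):
            rep["hardware"] = m[1]
        elif m := re.match(r"page last allocated via .* pid (\d+), ts (\d+), free_ts (\d+)", line):
            rep.update(alloc_pid=int(m[1]), alloc_ts=int(m[2]), free_ts=int(m[3]))
            section = "alloc_stack"                # page_owner's allocation stack follows
        elif m := re.match(r"Kernel panic - not syncing: (.+)", line):
            rep["panic"] = m[1]
        elif line == "page_owner tracks the page as freed":
            rep["page_state"] = "freed"
        elif line in SECTION_STARTS:
            section = SECTION_STARTS[line]
        elif section in ("call_trace", "alloc_stack", "free_stack") and (m := FRAME_RE.match(line)):
            rep[section].append(m[1])
        elif section == "shadow" and (m := ROW_RE.match(line)):
            row = int(m[2], 16)
            rep["shadow_rows"][row] = [int(b, 16) for b in m[3].split()]
            if m[1] == ">":                        # KASAN prefixes the guilty row with '>'
                rep["guilty_row"] = row
    return rep

def guilty_shadow(rep):
    """Decode the shadow byte under KASAN's caret: one shadow byte covers an 8-byte granule."""
    row = rep["guilty_row"]
    val = rep["shadow_rows"][row][(rep["addr"] - row) // 8]
    return val, describe_shadow(val)

def timeline(rep):
    """Seconds alloc->free (page_owner ts/free_ts) and free->report (printk prefix).
    All three are local_clock() nanoseconds on this kernel, so they are directly comparable."""
    alloc_to_free = (rep["free_ts"] - rep["alloc_ts"]) / 1e9
    free_to_report = rep["crash_ts_s"] - rep["free_ts"] / 1e9
    return round(alloc_to_free, 3), round(free_to_report, 3)

if __name__ == "__main__":
    r = parse_kasan_report(SAMPLE_LOG)
    val, meaning = guilty_shadow(r)
    print(f"{r['bug']}: {r['access']} of {r['size']} bytes in {r['func']} by {r['task']}/{r['pid']}; "
          f"shadow 0x{val:02x} = {meaning}; alloc->free/free->report s = {timeline(r)}; panic: {r['panic']}")
```

On this log the guilty granule reads 0xff, KASAN_FREE_PAGE, which agrees with "page_owner tracks the page as freed", and the page was released about 4.8 s before the report, roughly 41 s after it was allocated. Note that page_owner records the backing page, not an object: the allocation stack shows a slab page obtained under prepare_kernel_cred, and the free stack shows that slab page being discarded when the KASAN quarantine was drained (kasan_quarantine_reduce, then discard_slab). The script is written for this log's layout; other KASAN modes (software/hardware tag-based) print a different shadow legend and would need a different table.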