syzkaller login: [ 256.287042][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 256.358651][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 256.433889][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 267.218503][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
Warning: Permanently added '[localhost]:26638' (ECDSA) to the list of known hosts.
1970/01/01 00:05:30 fuzzer started
1970/01/01 00:05:45 dialing manager at localhost:41265
[ 352.190973][ T2032] cgroup: Unknown subsys name 'net'
[ 353.267160][ T2032] cgroup: Unknown subsys name 'rlimit'
1970/01/01 00:05:53 syscalls: 2918
1970/01/01 00:05:53 code coverage: enabled
1970/01/01 00:05:53 comparison tracing: enabled
1970/01/01 00:05:53 extra coverage: enabled
1970/01/01 00:05:53 delay kcov mmap: mmap returned an invalid pointer
1970/01/01 00:05:53 setuid sandbox: enabled
1970/01/01 00:05:53 namespace sandbox: enabled
1970/01/01 00:05:53 Android sandbox: /sys/fs/selinux/policy does not exist
1970/01/01 00:05:53 fault injection: enabled
1970/01/01 00:05:53 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
1970/01/01 00:05:53 net packet injection: enabled
1970/01/01 00:05:53 net device setup: enabled
1970/01/01 00:05:53 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
1970/01/01 00:05:53 devlink PCI setup: PCI device 0000:00:10.0 is not available
1970/01/01 00:05:53 NIC VF setup: PCI device 0000:00:11.0 is not available
1970/01/01 00:05:53 USB emulation: enabled
1970/01/01 00:05:53 hci packet injection: /dev/vhci does not exist
1970/01/01 00:05:53 wifi device emulation: /sys/class/mac80211_hwsim/ does not exist
1970/01/01 00:05:53 802.15.4 emulation: /sys/bus/platform/devices/mac802154_hwsim does not exist
1970/01/01 00:05:53 fetching corpus: 0, signal 0/2000 (executing program)
1970/01/01 00:06:00 fetching corpus: 50, signal 37157/39877 (executing program)
1970/01/01 00:06:04 fetching corpus: 98, signal 49863/53243 (executing program)
1970/01/01 00:06:10 fetching corpus: 147, signal 58744/62687 (executing program)
1970/01/01 00:06:13 fetching corpus: 195, signal 64749/69134 (executing program)
1970/01/01 00:06:17 fetching corpus: 244, signal 70541/75219 (executing program)
1970/01/01 00:06:20 fetching corpus: 294, signal 73215/78318 (executing program)
1970/01/01 00:06:23 fetching corpus: 344, signal 77339/82582 (executing program)
1970/01/01 00:06:25 fetching corpus: 392, signal 83902/88750 (executing program)
1970/01/01 00:06:28 fetching corpus: 442, signal 87599/92342 (executing program)
1970/01/01 00:06:31 fetching corpus: 491, signal 90590/95282 (executing program)
1970/01/01 00:06:36 fetching corpus: 541, signal 94770/99040 (executing program)
1970/01/01 00:06:39 fetching corpus: 591, signal 98067/102050 (executing program)
1970/01/01 00:06:41 fetching corpus: 640, signal 101519/105013 (executing program)
1970/01/01 00:06:45 fetching corpus: 689, signal 103667/106859 (executing program)
1970/01/01 00:06:47 fetching corpus: 738, signal 106184/108919 (executing program)
1970/01/01 00:06:52 fetching corpus: 786, signal 108822/110947 (executing program)
1970/01/01 00:06:54 fetching corpus: 834, signal 111215/112742 (executing program)
1970/01/01 00:06:56 fetching corpus: 883, signal 112634/113785 (executing program)
1970/01/01 00:06:58 fetching corpus: 907, signal 113374/114319 (executing program)
1970/01/01 00:06:58 fetching corpus: 907, signal 113374/114379 (executing program)
1970/01/01 00:06:58 fetching corpus: 907, signal 113374/114424 (executing program)
1970/01/01 00:06:58 fetching corpus: 907, signal 113374/114463 (executing program)
1970/01/01 00:06:58 fetching corpus: 907, signal 113374/114511 (executing program)
1970/01/01 00:06:59 fetching corpus: 907, signal 113374/114549 (executing program)
1970/01/01 00:06:59 fetching corpus: 907, signal 113374/114601 (executing program)
1970/01/01 00:06:59 fetching corpus: 907, signal 113374/114643 (executing program)
1970/01/01 00:06:59 fetching corpus: 907, signal 113374/114697 (executing program)
1970/01/01 00:06:59 fetching corpus: 907, signal 113374/114751 (executing program)
1970/01/01 00:06:59 fetching corpus: 907, signal 113374/114802 (executing program)
1970/01/01 00:07:00 fetching corpus: 907, signal 113374/114844 (executing program)
1970/01/01 00:07:00 fetching corpus: 907, signal 113374/114902 (executing program)
1970/01/01 00:07:00 fetching corpus: 907, signal 113374/114968 (executing program)
1970/01/01 00:07:00 fetching corpus: 907, signal 113374/115010 (executing program)
1970/01/01 00:07:00 fetching corpus: 907, signal 113374/115055 (executing program)
1970/01/01 00:07:00 fetching corpus: 907, signal 113374/115108 (executing program)
1970/01/01 00:07:00 fetching corpus: 907, signal 113374/115146 (executing program)
1970/01/01 00:07:01 fetching corpus: 907, signal 113374/115200 (executing program)
1970/01/01 00:07:01 fetching corpus: 907, signal 113376/115255 (executing program)
1970/01/01 00:07:01 fetching corpus: 908, signal 113377/115305 (executing program)
1970/01/01 00:07:01 fetching corpus: 908, signal 113377/115354 (executing program)
1970/01/01 00:07:02 fetching corpus: 908, signal 113377/115400 (executing program)
1970/01/01 00:07:02 fetching corpus: 908, signal 113377/115449 (executing program)
1970/01/01 00:07:02 fetching corpus: 908, signal 113377/115499 (executing program)
1970/01/01 00:07:02 fetching corpus: 908, signal 113377/115551 (executing program)
1970/01/01 00:07:02 fetching corpus: 908, signal 113377/115586 (executing program)
1970/01/01 00:07:03 fetching corpus: 908, signal 113377/115631 (executing program)
1970/01/01 00:07:03 fetching corpus: 908, signal 113377/115669 (executing program)
1970/01/01 00:07:03 fetching corpus: 908, signal 113377/115713 (executing program)
1970/01/01 00:07:03 fetching corpus: 908, signal 113377/115763 (executing program)
1970/01/01 00:07:03 fetching corpus: 908, signal 113377/115818 (executing program)
1970/01/01 00:07:04 fetching corpus: 908, signal 113377/115870 (executing program)
1970/01/01 00:07:04 fetching corpus: 908, signal 113377/115928 (executing program)
1970/01/01 00:07:04 fetching corpus: 908, signal 113377/115972 (executing program)
1970/01/01 00:07:04 fetching corpus: 908, signal 113377/116023 (executing program)
1970/01/01 00:07:04 fetching corpus: 908, signal 113377/116064 (executing program)
1970/01/01 00:07:05 fetching corpus: 908, signal 113377/116117 (executing program)
1970/01/01 00:07:05 fetching corpus: 908, signal 113377/116170 (executing program)
1970/01/01 00:07:05 fetching corpus: 908, signal 113377/116187 (executing program)
1970/01/01 00:07:05 fetching corpus: 908, signal 113377/116187 (executing program)
1970/01/01 00:09:07 starting 2 fuzzer processes
00:09:07 executing program 0:
r0 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0xfffffffffffffff8)
read(r0, 0x0, 0x0)
00:09:07 executing program 1:
r0 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file1\x00', 0x42, 0x0)
close(r0)
r1 = eventfd2(0x0, 0x0)
read$FUSE(r0, &(0x7f0000004200)={0x2020}, 0x2020)
write(r1, &(0x7f0000000100)="6aeb6ea87b1e5b08", 0x8)
[ 580.575317][ T2037] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 580.678370][ T2036] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 580.734538][ T2037] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 581.540743][ T2036] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 596.914522][ T2037] device hsr_slave_0 entered promiscuous mode
[ 596.938975][ T2037] device hsr_slave_1 entered promiscuous mode
[ 598.642059][ T2036] device hsr_slave_0 entered promiscuous mode
[ 598.666304][ T2036] device hsr_slave_1 entered promiscuous mode
[ 598.683018][ T2036] debugfs: Directory 'hsr0' with parent 'hsr' already present!
[ 598.687356][ T2036] Cannot create hsr debugfs directory
[ 607.292301][ T2037] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 607.507785][ T2037] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 607.605140][ T2037] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 608.136232][ T2037] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 609.503190][ T2036] netdevsim netdevsim1 netdevsim0: renamed from eth0
[ 609.824178][ T2036] netdevsim netdevsim1 netdevsim1: renamed from eth1
[ 609.958020][ T2036] netdevsim netdevsim1 netdevsim2: renamed from eth2
[ 610.194353][ T2036] netdevsim netdevsim1 netdevsim3: renamed from eth3
[ 620.604717][ C0] ==================================================================
[ 620.608785][ C0] BUG: KASAN: use-after-free in walk_stackframe+0x11c/0x260
[ 620.611666][ C0] Read of size 8 at addr ffffaf800c85bfa0 by task syz-executor.0/2037
[ 620.613567][ C0]
[ 620.615445][ C0] CPU: 0 PID: 2037 Comm: syz-executor.0 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 620.617490][ C0] Hardware name: riscv-virtio,qemu (DT)
[ 620.618902][ C0] Call Trace:
[ 620.620407][ C0] [] dump_backtrace+0x2e/0x3c
[ 620.622009][ C0] [] show_stack+0x34/0x40
[ 620.623347][ C0] [] dump_stack_lvl+0xe4/0x150
[ 620.624726][ C0] [] print_address_description.constprop.0+0x2a/0x330
[ 620.626411][ C0] [] kasan_report+0x184/0x1e0
[ 620.627820][ C0] [] __asan_load8+0x6e/0x96
[ 620.629278][ C0] [] walk_stackframe+0x11c/0x260
[ 620.631514][ C0] [] arch_stack_walk+0x2c/0x3c
[ 620.632934][ C0] [] stack_trace_save+0xa6/0xd8
[ 620.634648][ C0]
[ 620.635511][ C0] The buggy address belongs to the page:
[ 620.637029][ C0] page:ffffaf807a9ce998 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8ca5b
[ 620.638855][ C0] flags: 0x8800000000(section=17|node=0|zone=0)
[ 620.643987][ C0] raw: 0000008800000000 ffffaf807aac4148 ffffaf807afafc80 0000000000000000
[ 620.645571][ C0] raw: 0000000000000000 0000000000100000 00000000ffffffff 0000000000000000
[ 620.646884][ C0] raw: 00000000000007ff
[ 620.647881][ C0] page dumped because: kasan: bad access detected
[ 620.649271][ C0] page_owner tracks the page as freed
[ 620.651045][ C0] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 2270, ts 574754858500, free_ts 615814088200
[ 620.654145][ C0] __set_page_owner+0x48/0x136
[ 620.655332][ C0] post_alloc_hook+0xd0/0x10a
[ 620.656472][ C0] get_page_from_freelist+0x8da/0x12d8
[ 620.657659][ C0] __alloc_pages+0x150/0x3b6
[ 620.658780][ C0] alloc_pages+0x132/0x2a6
[ 620.660333][ C0] alloc_slab_page.constprop.0+0xc2/0xfa
[ 620.661656][ C0] new_slab+0x76/0x2cc
[ 620.662772][ C0] ___slab_alloc+0x56e/0x918
[ 620.663917][ C0] __slab_alloc.constprop.0+0x50/0x8c
[ 620.665183][ C0] kmem_cache_alloc+0x39c/0x3de
[ 620.666381][ C0] prepare_kernel_cred+0x34/0x604
[ 620.667463][ C0] call_usermodehelper_exec_async+0x98/0x2dc
[ 620.668647][ C0] ret_from_exception+0x0/0x10
[ 620.670147][ C0] page last free stack trace:
[ 620.671290][ C0] __reset_page_owner+0x4a/0xea
[ 620.672424][ C0] free_pcp_prepare+0x29c/0x45e
[ 620.673346][ C0] free_unref_page+0x6a/0x31e
[ 620.674304][ C0] __free_pages+0xe2/0x112
[ 620.675303][ C0] __free_slab+0x122/0x27c
[ 620.676348][ C0] discard_slab+0x4c/0x7a
[ 620.677296][ C0] __slab_free+0x20a/0x29c
[ 620.678337][ C0] ___cache_free+0x17c/0x354
[ 620.679501][ C0] qlist_free_all+0x7c/0x132
[ 620.680688][ C0] kasan_quarantine_reduce+0x14c/0x1c8
[ 620.681739][ C0] __kasan_slab_alloc+0x5c/0x98
[ 620.682812][ C0] __kmalloc+0x156/0x318
[ 620.683744][ C0] tomoyo_realpath_from_path+0x9c/0x3f4
[ 620.684762][ C0] tomoyo_path_perm+0x1fc/0x3a8
[ 620.685712][ C0] tomoyo_inode_getattr+0x1e/0x28
[ 620.686863][ C0] security_inode_getattr+0x82/0xc6
[ 620.688076][ C0]
[ 620.688689][ C0] Memory state around the buggy address:
[ 620.690223][ C0] ffffaf800c85be80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 620.691767][ C0] ffffaf800c85bf00: ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00
[ 620.692824][ C0] >ffffaf800c85bf80: 00 00 00 00 ff ff ff ff f1 f1 f1 f1 00 00 00 f3
[ 620.693776][ C0] ^
[ 620.694699][ C0] ffffaf800c85c000: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
[ 620.695725][ C0] ffffaf800c85c080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 620.696936][ C0] ==================================================================
[ 620.697965][ C0] Disabling lock debugging due to kernel taint
[ 620.701613][ T2037] Kernel panic - not syncing: corrupted stack end detected inside scheduler
[ 620.702777][ T2037] CPU: 0 PID: 2037 Comm: syz-executor.0 Tainted: G B 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 620.703957][ T2037] Hardware name: riscv-virtio,qemu (DT)
[ 620.704575][ T2037] Call Trace:
[ 620.705119][ T2037] [] dump_backtrace+0x2e/0x3c
[ 620.706110][ T2037] [] show_stack+0x34/0x40
[ 620.707028][ T2037] [] dump_stack_lvl+0xe4/0x150
[ 620.708026][ T2037] [] dump_stack+0x1c/0x24
[ 620.709004][ T2037] [] panic+0x24a/0x634
[ 620.710293][ T2037] [] schedule+0x0/0x14c
[ 620.711338][ T2037] [] preempt_schedule_irq+0x4a/0x13e
[ 620.711890][ T2037] [] resume_kernel+0x16/0x18
[ 620.713497][ T2037] SMP: stopping secondary CPUs
[ 620.715511][ T2037] Rebooting in 86400 seconds..
VM DIAGNOSIS: 12:09:00 Registers: