syzkaller login: [ 578.959151][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 578.999849][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 579.048261][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 579.112200][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
Warning: Permanently added '[localhost]:58936' (ECDSA) to the list of known hosts.
1970/01/01 00:10:34 fuzzer started
1970/01/01 00:10:49 dialing manager at localhost:34731
[ 655.491060][ T2026] cgroup: Unknown subsys name 'net'
[ 656.763571][ T2026] cgroup: Unknown subsys name 'rlimit'
1970/01/01 00:10:56 syscalls: 2827
1970/01/01 00:10:56 code coverage: enabled
1970/01/01 00:10:56 comparison tracing: enabled
1970/01/01 00:10:56 extra coverage: enabled
1970/01/01 00:10:56 delay kcov mmap: mmap returned an invalid pointer
1970/01/01 00:10:56 setuid sandbox: enabled
1970/01/01 00:10:56 namespace sandbox: enabled
1970/01/01 00:10:56 Android sandbox: /sys/fs/selinux/policy does not exist
1970/01/01 00:10:56 fault injection: enabled
1970/01/01 00:10:56 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
1970/01/01 00:10:56 net packet injection: enabled
1970/01/01 00:10:56 net device setup: enabled
1970/01/01 00:10:56 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
1970/01/01 00:10:56 devlink PCI setup: PCI device 0000:00:10.0 is not available
1970/01/01 00:10:56 USB emulation: enabled
1970/01/01 00:10:56 hci packet injection: /dev/vhci does not exist
1970/01/01 00:10:56 wifi device emulation: /sys/class/mac80211_hwsim/ does not exist
1970/01/01 00:10:56 802.15.4 emulation: /sys/bus/platform/devices/mac802154_hwsim does not exist
1970/01/01 00:10:56 fetching corpus: 0, signal 0/2000 (executing program)
1970/01/01 00:11:01 fetching corpus: 49, signal 27143/30455 (executing program)
1970/01/01 00:11:05 fetching corpus: 98, signal 44725/48990 (executing program)
1970/01/01 00:11:11 fetching corpus: 148, signal 58186/63267 (executing program)
1970/01/01 00:11:14 fetching corpus: 197, signal 64715/70635 (executing program)
1970/01/01 00:11:17 fetching corpus: 246, signal 71877/78446 (executing program)
1970/01/01 00:11:20 fetching corpus: 295, signal 78092/85160 (executing program)
1970/01/01 00:11:24 fetching corpus: 345, signal 83601/91127 (executing program)
1970/01/01 00:11:26 fetching corpus: 394, signal 90184/97892 (executing program)
1970/01/01 00:11:29 fetching corpus: 444, signal 95510/103408 (executing program)
1970/01/01 00:11:32 fetching corpus: 493, signal 98050/106360 (executing program)
1970/01/01 00:11:36 fetching corpus: 542, signal 101753/110248 (executing program)
1970/01/01 00:11:40 fetching corpus: 591, signal 104527/113253 (executing program)
1970/01/01 00:11:45 fetching corpus: 641, signal 109495/118022 (executing program)
1970/01/01 00:11:49 fetching corpus: 690, signal 112974/121442 (executing program)
1970/01/01 00:11:53 fetching corpus: 738, signal 115592/124040 (executing program)
1970/01/01 00:11:56 fetching corpus: 788, signal 118203/126663 (executing program)
1970/01/01 00:11:59 fetching corpus: 838, signal 120200/128705 (executing program)
1970/01/01 00:12:02 fetching corpus: 888, signal 125725/133391 (executing program)
1970/01/01 00:12:04 fetching corpus: 937, signal 127309/134957 (executing program)
1970/01/01 00:12:07 fetching corpus: 987, signal 131656/138539 (executing program)
1970/01/01 00:12:10 fetching corpus: 1035, signal 133565/140258 (executing program)
1970/01/01 00:12:13 fetching corpus: 1085, signal 135584/141964 (executing program)
1970/01/01 00:12:16 fetching corpus: 1135, signal 137694/143736 (executing program)
1970/01/01 00:12:18 fetching corpus: 1184, signal 139899/145503 (executing program)
1970/01/01 00:12:21 fetching corpus: 1233, signal 142225/147288 (executing program)
1970/01/01 00:12:24 fetching corpus: 1282, signal 143524/148317 (executing program)
1970/01/01 00:12:27 fetching corpus: 1331, signal 146940/150719 (executing program)
1970/01/01 00:12:31 fetching corpus: 1379, signal 153187/154797 (executing program)
1970/01/01 00:12:34 fetching corpus: 1428, signal 154747/155856 (executing program)
1970/01/01 00:12:36 fetching corpus: 1440, signal 154923/156027 (executing program)
1970/01/01 00:12:36 fetching corpus: 1440, signal 154923/156067 (executing program)
1970/01/01 00:12:36 fetching corpus: 1440, signal 154923/156106 (executing program)
1970/01/01 00:12:36 fetching corpus: 1440, signal 154923/156137 (executing program)
1970/01/01 00:12:36 fetching corpus: 1440, signal 154923/156183 (executing program)
1970/01/01 00:12:37 fetching corpus: 1440, signal 154923/156216 (executing program)
1970/01/01 00:12:37 fetching corpus: 1440, signal 154923/156253 (executing program)
1970/01/01 00:12:37 fetching corpus: 1440, signal 154923/156291 (executing program)
1970/01/01 00:12:37 fetching corpus: 1440, signal 154923/156334 (executing program)
1970/01/01 00:12:38 fetching corpus: 1440, signal 154923/156372 (executing program)
1970/01/01 00:12:38 fetching corpus: 1440, signal 154923/156405 (executing program)
1970/01/01 00:12:38 fetching corpus: 1440, signal 154923/156435 (executing program)
1970/01/01 00:12:38 fetching corpus: 1440, signal 154923/156470 (executing program)
1970/01/01 00:12:38 fetching corpus: 1440, signal 154923/156507 (executing program)
1970/01/01 00:12:39 fetching corpus: 1440, signal 154924/156541 (executing program)
1970/01/01 00:12:39 fetching corpus: 1440, signal 154924/156587 (executing program)
1970/01/01 00:12:39 fetching corpus: 1440, signal 154924/156625 (executing program)
1970/01/01 00:12:39 fetching corpus: 1440, signal 154924/156661 (executing program)
1970/01/01 00:12:39 fetching corpus: 1440, signal 154924/156688 (executing program)
1970/01/01 00:12:39 fetching corpus: 1440, signal 154924/156728 (executing program)
1970/01/01 00:12:39 fetching corpus: 1440, signal 154924/156766 (executing program)
1970/01/01 00:12:40 fetching corpus: 1440, signal 154924/156792 (executing program)
1970/01/01 00:12:40 fetching corpus: 1440, signal 154924/156827 (executing program)
1970/01/01 00:12:40 fetching corpus: 1440, signal 154924/156850 (executing program)
1970/01/01 00:12:40 fetching corpus: 1440, signal 154924/156896 (executing program)
1970/01/01 00:12:40 fetching corpus: 1440, signal 154924/156942 (executing program)
1970/01/01 00:12:40 fetching corpus: 1440, signal 154924/156982 (executing program)
1970/01/01 00:12:41 fetching corpus: 1440, signal 154924/157019 (executing program)
1970/01/01 00:12:41 fetching corpus: 1440, signal 154924/157052 (executing program)
1970/01/01 00:12:41 fetching corpus: 1440, signal 154924/157085 (executing program)
1970/01/01 00:12:41 fetching corpus: 1440, signal 154924/157119 (executing program)
1970/01/01 00:12:41 fetching corpus: 1440, signal 154924/157155 (executing program)
1970/01/01 00:12:41 fetching corpus: 1440, signal 154924/157185 (executing program)
1970/01/01 00:12:42 fetching corpus: 1440, signal 154924/157214 (executing program)
1970/01/01 00:12:42 fetching corpus: 1440, signal 154924/157251 (executing program)
1970/01/01 00:12:42 fetching corpus: 1440, signal 154924/157290 (executing program)
1970/01/01 00:12:42 fetching corpus: 1440, signal 154924/157321 (executing program)
1970/01/01 00:12:42 fetching corpus: 1440, signal 154924/157353 (executing program)
1970/01/01 00:12:43 fetching corpus: 1440, signal 154924/157386 (executing program)
1970/01/01 00:12:43 fetching corpus: 1440, signal 154924/157421 (executing program)
1970/01/01 00:12:43 fetching corpus: 1440, signal 154924/157453 (executing program)
1970/01/01 00:12:43 fetching corpus: 1440, signal 154924/157494 (executing program)
1970/01/01 00:12:43 fetching corpus: 1440, signal 154924/157529 (executing program)
1970/01/01 00:12:43 fetching corpus: 1440, signal 154928/157559 (executing program)
1970/01/01 00:12:44 fetching corpus: 1440, signal 154928/157720 (executing program)
1970/01/01 00:12:44 fetching corpus: 1440, signal 154928/157765 (executing program)
1970/01/01 00:12:44 fetching corpus: 1440, signal 154928/157808 (executing program)
1970/01/01 00:12:44 fetching corpus: 1440, signal 154928/157844 (executing program)
1970/01/01 00:12:44 fetching corpus: 1440, signal 154931/157878 (executing program)
1970/01/01 00:12:44 fetching corpus: 1440, signal 154931/157878 (executing program)
1970/01/01 00:14:44 starting 2 fuzzer processes
00:14:44 executing program 0:
bpf$PROG_LOAD(0x5, &(0x7f0000000100)={0x17, 0x3, &(0x7f0000000080)=@raw=[@btf_id, @exit], &(0x7f00000001c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x80)
00:14:44 executing program 1:
r0 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r0, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000000)={&(0x7f00000000c0)=@newlink={0x54, 0x10, 0x401, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x34, 0x12, 0x0, 0x1, @geneve={{0xb}, {0x24, 0x2, 0x0, 0x1, [@IFLA_GENEVE_COLLECT_METADATA={0x4}, @IFLA_GENEVE_UDP_ZERO_CSUM6_TX={0x5, 0x9, 0x1}, @IFLA_GENEVE_REMOTE6={0x14, 0x7, @loopback}]}}}]}, 0x54}}, 0x0)
[ 916.818353][ T2039] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 916.958059][ T2039] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 919.952359][ T2038] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 920.065342][ T2038] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 928.802865][ T2039] device hsr_slave_0 entered promiscuous mode
[ 928.852168][ T2039] device hsr_slave_1 entered promiscuous mode
[ 930.823184][ C0] ==================================================================
[ 930.827672][ C0] BUG: KASAN: out-of-bounds in walk_stackframe+0x12c/0x260
[ 930.829435][ C0] Read of size 8 at addr ffffaf800f873d58 by task syz-executor.1/2039
[ 930.831791][ C0]
[ 930.833413][ C0] CPU: 0 PID: 2039 Comm: syz-executor.1 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 930.835308][ C0] Hardware name: riscv-virtio,qemu (DT)
[ 930.837029][ C0] Call Trace:
[ 930.838471][ C0] [] dump_backtrace+0x2e/0x3c
[ 930.839937][ C0] [] show_stack+0x34/0x40
[ 930.841226][ C0] [] dump_stack_lvl+0xe4/0x150
[ 930.842755][ C0] [] print_address_description.constprop.0+0x2a/0x330
[ 930.844314][ C0] [] kasan_report+0x184/0x1e0
[ 930.845744][ C0] [] __asan_load8+0x6e/0x96
[ 930.847752][ C0] [] walk_stackframe+0x12c/0x260
[ 930.849187][ C0] [] arch_stack_walk+0x2c/0x3c
[ 930.850621][ C0] [] stack_trace_save+0xa6/0xd8
[ 930.852084][ C0] [] kasan_save_stack+0x2c/0x58
[ 930.853808][ C0]
[ 930.854600][ C0] The buggy address belongs to the page:
[ 930.856222][ C0] page:ffffaf807aaa7058 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8fa73
[ 930.858908][ C0] flags: 0x8800000000(section=17|node=0|zone=0)
[ 930.861849][ C0] raw: 0000008800000000 0000000000000000 0000000000000122 0000000000000000
[ 930.864422][ C0] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 930.865799][ C0] raw: 00000000000007ff
[ 930.867231][ C0] page dumped because: kasan: bad access detected
[ 930.869372][ C0] page_owner tracks the page as allocated
[ 930.870385][ C0] page last allocated via order 2, migratetype Unmovable, gfp_mask 0x400dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO), pid 2036, ts 890020266400, free_ts 743550153200
[ 930.872874][ C0] __set_page_owner+0x48/0x136
[ 930.874190][ C0] post_alloc_hook+0xd0/0x10a
[ 930.875356][ C0] get_page_from_freelist+0x8da/0x12d8
[ 930.877073][ C0] __alloc_pages+0x150/0x3b6
[ 930.878669][ C0] copy_process+0x482/0x3c34
[ 930.879872][ C0] kernel_clone+0xee/0x920
[ 930.881034][ C0] __do_sys_clone+0xf2/0x12e
[ 930.882256][ C0] sys_clone+0x32/0x44
[ 930.883429][ C0] ret_from_syscall+0x0/0x2
[ 930.884623][ C0] page last free stack trace:
[ 930.885530][ C0] __reset_page_owner+0x4a/0xea
[ 930.887239][ C0] free_pcp_prepare+0x29c/0x45e
[ 930.889051][ C0] free_unref_page+0x6a/0x31e
[ 930.890465][ C0] __free_pages+0xe2/0x112
[ 930.891710][ C0] __free_slab+0x122/0x27c
[ 930.892970][ C0] discard_slab+0x4c/0x7a
[ 930.894205][ C0] __slab_free+0x20a/0x29c
[ 930.895441][ C0] ___cache_free+0x17c/0x354
[ 930.897094][ C0] qlist_free_all+0x7c/0x132
[ 930.898837][ C0] kasan_quarantine_reduce+0x14c/0x1c8
[ 930.900107][ C0] __kasan_slab_alloc+0x5c/0x98
[ 930.901452][ C0] kmem_cache_alloc_node+0x368/0x41c
[ 930.902732][ C0] __alloc_skb+0x234/0x2e4
[ 930.903974][ C0] tcp_stream_alloc_skb+0x70/0x4c0
[ 930.905151][ C0] tcp_sendmsg_locked+0x880/0x1d9e
[ 930.906832][ C0] tcp_sendmsg+0x32/0x4e
[ 930.908483][ C0]
[ 930.909257][ C0] Memory state around the buggy address:
[ 930.910690][ C0]  ffffaf800f873c00: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
[ 930.912006][ C0]  ffffaf800f873c80: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
[ 930.913250][ C0] >ffffaf800f873d00: 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00
[ 930.914508][ C0]                                                     ^
[ 930.915710][ C0]  ffffaf800f873d80: f1 f1 f1 f1 00 00 00 f3 f3 f3 f3 f3 f2 f2 f2 f2
[ 930.917658][ C0]  ffffaf800f873e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 930.919794][ C0] ==================================================================
[ 930.921037][ C0] Disabling lock debugging due to kernel taint
[ 930.927816][ T2039] Kernel panic - not syncing: corrupted stack end detected inside scheduler
[ 930.929376][ T2039] CPU: 0 PID: 2039 Comm: syz-executor.1 Tainted: G B 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 930.931290][ T2039] Hardware name: riscv-virtio,qemu (DT)
[ 930.932063][ T2039] Call Trace:
[ 930.932796][ T2039] [] dump_backtrace+0x2e/0x3c
[ 930.934039][ T2039] [] show_stack+0x34/0x40
[ 930.935027][ T2039] [] dump_stack_lvl+0xe4/0x150
[ 930.936284][ T2039] [] dump_stack+0x1c/0x24
[ 930.937484][ T2039] [] panic+0x24a/0x634
[ 930.938495][ T2039] [] schedule+0x0/0x14c
[ 930.939625][ T2039] [] preempt_schedule_irq+0x4a/0x13e
[ 930.940860][ T2039] [] resume_kernel+0x16/0x18
[ 930.942201][ T2039] SMP: stopping secondary CPUs
[ 930.944443][ T2039] Rebooting in 86400 seconds..

VM DIAGNOSIS:
01:25:55 Registers:
info registers vcpu 0
pc       ffffffff80475986
mhartid  0000000000000000
mstatus  00000000000000a2
mip      0000000000000000
mie      00000000000002aa
mideleg  0000000000000222
medeleg  000000000000b109
mtvec    0000000080000540
stvec    ffffffff800055d4
mepc     ffffffff8000f97e
sepc     ffffffff804759c8
mcause   0000000000000009
scause   8000000000000005
mtval    0000000000000000
stval    0000000000000000
x0/zero  0000000000000000 x1/ra    ffffffff80119b52 x2/sp    ffffaf80109ef7e0 x3/gp    ffffffff85863ac0
x4/tp    ffffaf8009c19840 x5/t0    00000000000001f8 x6/t1    5be6c32564426700 x7/t2    ffffffffffffffff
x8/s0    ffffaf80109ef820 x9/s1    ffffaf800c5b0c98 x10/a0   ffffaf800c5b0c98 x11/a1   0000000000000003
x12/a2   1ffff5f0018b6193 x13/a3   ffffffff80119b52 x14/a4   0000000000000000 x15/a5   0000000000000001
x16/a6   0000000000f00000 x17/a7   ffffffff826e6226 x18/s2   0000000000000001 x19/s3   ffffaf8009c19840
x20/s4   ffffaf800c5b0ca8 x21/s5   ffffaf800c5b0ca0 x22/s6   ffffaf80109ef960 x23/s7   ffffaf80109efb00
x24/s8   0000000000000000 x25/s9   0000000000004000 x26/s10  0000000000000040 x27/s11  0000000000000001
x28/t3   fffffffff3f3f300 x29/t4   ffffffff80112282 x30/t5   1ffff5f00213deb4 x31/t6   0000000002483c2b
f0/ft0   0000000000000000 f1/ft1   0000000000000000 f2/ft2   0000000000000000 f3/ft3   0000000000000000
f4/ft4   0000000000000000 f5/ft5   0000000000000000 f6/ft6   0000000000000000 f7/ft7   0000000000000000
f8/fs0   0000000000000000 f9/fs1   0000000000000000 f10/fa0  0000000000000000 f11/fa1  0000000000000000
f12/fa2  0000000000000000 f13/fa3  0000000000000000 f14/fa4  0000000000000000 f15/fa5  0000000000000000
f16/fa6  0000000000000000 f17/fa7  0000000000000000 f18/fs2  0000000000000000 f19/fs3  0000000000000000
f20/fs4  0000000000000000 f21/fs5  0000000000000000 f22/fs6  0000000000000000 f23/fs7  0000000000000000
f24/fs8  0000000000000000 f25/fs9  0000000000000000 f26/fs10 0000000000000000 f27/fs11 0000000000000000
f28/ft8  0000000000000000 f29/ft9  0000000000000000 f30/ft10 0000000000000000 f31/ft11 0000000000000000
info registers vcpu 1
pc       ffffffff80dc337e
mhartid  0000000000000001
mstatus  00000000000000a0
mip      00000000000000a0
mie      000000000000022a
mideleg  0000000000000222
medeleg  000000000000b109
mtvec    0000000080000540
stvec    ffffffff800055d4
mepc     ffffffff80dc2576
sepc     ffffffff80200a74
mcause   8000000000000007
scause   8000000000000005
mtval    0000000000000000
stval    0000000000000000
x0/zero  0000000000000000 x1/ra    ffffffff80dc337e x2/sp    ffffaf800f8736f0 x3/gp    ffffffff85863ac0
x4/tp    ffffaf8009d448c0 x5/t0    ffffffff86bcb657 x6/t1    5be6c32564426700 x7/t2    0000000000000000
x8/s0    ffffaf800f873720 x9/s1    ffffffff86e58900 x10/a0   ffffffff86e58948 x11/a1   ffff8f800066c000
x12/a2   1ffffffff0dcb129 x13/a3   ffffffff80dc337e x14/a4   0000000000000000 x15/a5   ffffffff86e58948
x16/a6   ffffffff86e589f1 x17/a7   ffffffff80dcc9fe x18/s2   ffff8f800066c000 x19/s3   0000000000000030
x20/s4   ffffffff86e58900 x21/s5   ffffffff80dc333e x22/s6   0000000000000000 x23/s7   ffffffff86bcb658
x24/s8   0000000000000010 x25/s9   ffffffff86e58958 x26/s10  0000000000000010 x27/s11  0000000000000000
x28/t3   fffffffff3f3f300 x29/t4   ffffffff80112282 x30/t5   1ffff5f001f0e68c x31/t6   ffffffff86bcb657
f0/ft0   0000000000000000 f1/ft1   0000000000000000 f2/ft2   0000000000000000 f3/ft3   0000000000000000
f4/ft4   0000000000000000 f5/ft5   0000000000000000 f6/ft6   0000000000000000 f7/ft7   0000000000000000
f8/fs0   0000000000000000 f9/fs1   0000000000000000 f10/fa0  0000000000000000 f11/fa1  0000000000000000
f12/fa2  0000000000000000 f13/fa3  0000000000000000 f14/fa4  0000000000000000 f15/fa5  0000000000000000
f16/fa6  0000000000000000 f17/fa7  0000000000000000 f18/fs2  0000000000000000 f19/fs3  0000000000000000
f20/fs4  0000000000000000 f21/fs5  0000000000000000 f22/fs6  0000000000000000 f23/fs7  0000000000000000
f24/fs8  0000000000000000 f25/fs9  0000000000000000 f26/fs10 0000000000000000 f27/fs11 0000000000000000
f28/ft8  0000000000000000 f29/ft9  0000000000000000 f30/ft10 0000000000000000 f31/ft11 0000000000000000
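Reading the KASAN report above by hand: the 8-byte read at ffffaf800f873d58 falls in the row starting at ffffaf800f873d00, offset 0x58, so shadow byte index 0x58/8 = 11, which is the 04 under the caret. A shadow value of 1..7 means only that many leading bytes of the 8-byte granule are addressable, so an 8-byte load there is out of bounds even though the neighbouring granules are 00. The rows around it show the f1/f2/f3 stack redzone markers of the stack frames the unwinder was walking, and the page-owner stack shows the page is a task stack (order 2, allocated from copy_process). The later "corrupted stack end detected inside scheduler" panic is the scheduler's STACK_END_MAGIC check in schedule_debug() (kernel/sched/core.c) firing for the same task. The script below is an added example, not part of the syzkaller log or of any kernel tool: it parses the access line and the memory-state rows from the report (copied here as a constructed sample) and applies the shadow-byte rule to every granule an access touches, so it also handles accesses that straddle granules. The poison names in POISON are the generic-KASAN encodings from mm/kasan/kasan.h as this example recalls them; check them against the tree being debugged.

```python
"""Decode the KASAN "Memory state" dump from a crash report (added example)."""
import re

# Constructed sample: access line and memory-state rows copied from the report
# on this page. Each row is " <addr>: 16 shadow bytes" and covers 128 bytes.
REPORT = """\
BUG: KASAN: out-of-bounds in walk_stackframe+0x12c/0x260
Read of size 8 at addr ffffaf800f873d58 by task syz-executor.1/2039
Memory state around the buggy address:
 ffffaf800f873c00: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
 ffffaf800f873c80: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
>ffffaf800f873d00: 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00
                                                    ^
 ffffaf800f873d80: f1 f1 f1 f1 00 00 00 f3 f3 f3 f3 f3 f2 f2 f2 f2
 ffffaf800f873e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

GRANULE = 8                # generic KASAN: one shadow byte per 8 bytes of memory
ROW_BYTES = 16 * GRANULE   # one printed row = 16 shadow bytes = 128 bytes

# Generic-KASAN poison bytes (mm/kasan/kasan.h, values recalled for this example).
# 0x00 = whole granule addressable, 0x01..0x07 = only that many leading bytes
# addressable, anything else = poisoned with the meaning below.
POISON = {
    0xf1: "stack left redzone",
    0xf2: "stack mid redzone",
    0xf3: "stack right redzone",
    0xf4: "stack partial redzone",
    0xfa: "freed slab object (free track set)",
    0xfb: "freed slab object",
    0xfc: "kmalloc redzone",
    0xfe: "page redzone",
    0xff: "freed page",
}

ACCESS_RE = re.compile(r"\b(Read|Write) of size (\d+) at addr ([0-9a-f]+)")
ROW_RE = re.compile(r"^[ >]([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})\s*$", re.M)


def parse_report(text):
    """Return (kind, size, addr, rows); rows maps row base address -> 16 shadow bytes."""
    m = ACCESS_RE.search(text)
    if not m:
        raise ValueError("no 'Read/Write of size N at addr' line found")
    kind, size, addr = m.group(1), int(m.group(2)), int(m.group(3), 16)
    rows = {}
    for r in ROW_RE.finditer(text):
        rows[int(r.group(1), 16)] = [int(b, 16) for b in r.group(2).split()]
    if not rows:
        raise ValueError("no memory-state rows found")
    return kind, size, addr, rows


def shadow_byte(rows, addr):
    """Shadow byte covering the 8-byte granule that contains addr."""
    base = addr - addr % ROW_BYTES
    if base not in rows:
        raise KeyError(f"address {addr:#x} is outside the dumped rows")
    return rows[base][(addr - base) // GRANULE]


def check_access(addr, size, rows):
    """Mirror KASAN's check: for every granule in [addr, addr+size) return
    (granule_addr, shadow_byte, verdict)."""
    findings = []
    last = addr + size - 1
    g = addr - addr % GRANULE
    while g <= last:
        s = shadow_byte(rows, g)
        hi = min(last, g + GRANULE - 1) - g   # highest byte offset touched in this granule
        if s == 0:
            verdict = "addressable"
        elif s < GRANULE:
            verdict = ("addressable" if hi < s else
                       f"partial granule: only {s} of 8 bytes addressable, access reaches byte {hi}")
        else:
            verdict = POISON.get(s, f"poisoned ({s:#04x})")
        findings.append((g, s, verdict))
        g += GRANULE
    return findings


def analyze(text):
    """Parse a report and classify the reported access granule by granule."""
    kind, size, addr, rows = parse_report(text)
    return {"kind": kind, "size": size, "addr": addr, "rows": rows,
            "granules": check_access(addr, size, rows)}


if __name__ == "__main__":
    result = analyze(REPORT)
    print(f"{result['kind']} of {result['size']} bytes at {result['addr']:#x}")
    for g, s, verdict in result["granules"]:
        print(f"  granule {g:#x}: shadow {s:#04x} -> {verdict}")
```

Run it on a report saved from the console and it prints one line per granule; for the report above that is a single granule at ffffaf800f873d58 with shadow 0x04, flagged because the 8-byte load reaches byte 7 of a granule in which only bytes 0..3 are addressable. Calling check_access with a size of 4 at the same address returns "addressable", which is the quickest way to confirm that the width of the load, not its base address, is what KASAN objected to.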