syzkaller login: [ 490.855053][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 490.921902][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 534.328710][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
Warning: Permanently added '[localhost]:6940' (ECDSA) to the list of known hosts.
1970/01/01 00:09:22 fuzzer started
1970/01/01 00:09:35 dialing manager at localhost:46737
[ 581.498001][ T2045] cgroup: Unknown subsys name 'net'
[ 582.594982][ T2045] cgroup: Unknown subsys name 'rlimit'
1970/01/01 00:09:42 syscalls: 2827
1970/01/01 00:09:42 code coverage: enabled
1970/01/01 00:09:42 comparison tracing: enabled
1970/01/01 00:09:42 extra coverage: enabled
1970/01/01 00:09:42 delay kcov mmap: mmap returned an invalid pointer
1970/01/01 00:09:42 setuid sandbox: enabled
1970/01/01 00:09:42 namespace sandbox: enabled
1970/01/01 00:09:42 Android sandbox: /sys/fs/selinux/policy does not exist
1970/01/01 00:09:42 fault injection: enabled
1970/01/01 00:09:42 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
1970/01/01 00:09:42 net packet injection: enabled
1970/01/01 00:09:42 net device setup: enabled
1970/01/01 00:09:42 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
1970/01/01 00:09:42 devlink PCI setup: PCI device 0000:00:10.0 is not available
1970/01/01 00:09:42 USB emulation: enabled
1970/01/01 00:09:42 hci packet injection: /dev/vhci does not exist
1970/01/01 00:09:42 wifi device emulation: /sys/class/mac80211_hwsim/ does not exist
1970/01/01 00:09:42 802.15.4 emulation: /sys/bus/platform/devices/mac802154_hwsim does not exist
1970/01/01 00:09:42 fetching corpus: 0, signal 0/2000 (executing program)
[ 583.880967][ C0] ==================================================================
[ 583.882424][ C0] BUG: KASAN: slab-out-of-bounds in __bfs+0x154/0x394
[ 583.883748][ C0] Read of size 8 at addr ffffaf800c457f30 by task sshd/2035
[ 583.885136][ C0]
[ 583.886696][ C0] CPU: 0 PID: 2035 Comm: sshd Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 583.888564][ C0] Hardware name: riscv-virtio,qemu (DT)
[ 583.889722][ C0] Call Trace:
[ 583.890602][ C0] [] dump_backtrace+0x2e/0x3c
[ 583.891801][ C0] [] show_stack+0x34/0x40
[ 583.892922][ C0] [] dump_stack_lvl+0xe4/0x150
[ 583.894196][ C0] [] print_address_description.constprop.0+0x2a/0x330
[ 583.895623][ C0] [] kasan_report+0x184/0x1e0
[ 583.896798][ C0] [] __asan_load8+0x6e/0x96
[ 583.898024][ C0] [] __bfs+0x154/0x394
[ 583.899060][ C0] [] check_path.constprop.0+0x24/0x46
[ 583.900217][ C0] [] check_noncircular+0x11a/0x1fe
[ 583.901610][ C0]
[ 583.902368][ C0] Allocated by task 1974:
[ 583.903200][ C0] stack_trace_save+0xa6/0xd8
[ 583.904309][ C0] kasan_save_stack+0x2c/0x58
[ 583.905370][ C0] __kasan_kmalloc+0x80/0xb2
[ 583.906402][ C0] __kmalloc+0x190/0x318
[ 583.907371][ C0] tomoyo_init_log+0xd00/0x14cc
[ 583.908419][ C0] tomoyo_supervisor+0x250/0xc1e
[ 583.909389][ C0] tomoyo_path_permission+0x152/0x18e
[ 583.910377][ C0] tomoyo_check_open_permission+0x304/0x348
[ 583.911442][ C0] tomoyo_file_open+0x78/0x7c
[ 583.912450][ C0] security_file_open+0x44/0x9a
[ 583.913512][ C0] do_dentry_open+0x1c6/0x7d4
[ 583.914522][ C0] vfs_open+0x52/0x5e
[ 583.915477][ C0] path_openat+0x12b6/0x189e
[ 583.916418][ C0] do_filp_open+0x10e/0x22a
[ 583.917345][ C0] do_sys_openat2+0x174/0x31e
[ 583.918308][ C0] sys_openat+0xdc/0x164
[ 583.921337][ C0] ret_from_syscall+0x0/0x2
[ 583.922722][ C0]
[ 583.923481][ C0] The buggy address belongs to the object at ffffaf800c457c00
[ 583.923481][ C0]  which belongs to the cache kmalloc-512 of size 512
[ 583.925114][ C0] The buggy address is located 304 bytes to the right of
[ 583.925114][ C0]  512-byte region [ffffaf800c457c00, ffffaf800c457e00)
[ 583.926547][ C0] The buggy address belongs to the page:
[ 583.927932][ C0] page:ffffaf807a9bc7a0 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffffaf800c457c00 pfn:0x8c654
[ 583.929691][ C0] head:ffffaf807a9bc7a0 order:2 compound_mapcount:0 compound_pincount:0
[ 583.930984][ C0] flags: 0x8800010200(slab|head|section=17|node=0|zone=0)
[ 583.933645][ C0] raw: 0000008800010200 ffffaf807a9ae108 ffffaf807aa7a9a8 ffffaf8007201c80
[ 583.934726][ C0] raw: ffffaf800c457c00 0000000000100007 00000001ffffffff 0000000000000000
[ 583.935681][ C0] raw: 00000000000007ff
[ 583.936466][ C0] page dumped because: kasan: bad access detected
[ 583.937528][ C0] page_owner tracks the page as allocated
[ 583.938338][ C0] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 594, ts 42726746800, free_ts 42709350200
[ 583.940354][ C0] __set_page_owner+0x48/0x136
[ 583.941661][ C0] post_alloc_hook+0xd0/0x10a
[ 583.942908][ C0] get_page_from_freelist+0x8da/0x12d8
[ 583.943932][ C0] __alloc_pages+0x150/0x3b6
[ 583.944803][ C0] alloc_pages+0x132/0x2a6
[ 583.945740][ C0] alloc_slab_page.constprop.0+0xc2/0xfa
[ 583.946904][ C0] new_slab+0x25a/0x2cc
[ 583.948149][ C0] ___slab_alloc+0x56e/0x918
[ 583.949131][ C0] __slab_alloc.constprop.0+0x50/0x8c
[ 583.950190][ C0] kmem_cache_alloc_trace+0x2a2/0x2e0
[ 583.951224][ C0] alloc_bprm+0x48/0x4b6
[ 583.952415][ C0] kernel_execve+0x54/0x288
[ 583.953597][ C0] call_usermodehelper_exec_async+0x1c0/0x2dc
[ 583.954764][ C0] ret_from_exception+0x0/0x10
[ 583.955764][ C0] page last free stack trace:
[ 583.956418][ C0] __reset_page_owner+0x4a/0xea
[ 583.957398][ C0] free_pcp_prepare+0x29c/0x45e
[ 583.958273][ C0] free_unref_page+0x6a/0x31e
[ 583.959108][ C0] __free_pages+0xe2/0x112
[ 583.959909][ C0] put_task_stack+0x1d0/0x2b0
[ 583.960775][ C0] finish_task_switch.isra.0+0x3ce/0x420
[ 583.962232][ C0] __schedule+0x58e/0x118e
[ 583.963392][ C0] schedule_idle+0x22/0x42
[ 583.964403][ C0] do_idle+0xca/0x144
[ 583.965251][ C0] cpu_startup_entry+0x1a/0x1c
[ 583.966276][ C0] smp_callin+0xa2/0xb0
[ 583.967560][ C0]
[ 583.968093][ C0] Memory state around the buggy address:
[ 583.969230][ C0]  ffffaf800c457e00: 00 f3 f3 f3 fc fc fc fc fc fc fc fc fc fc fc fc
[ 583.970278][ C0]  ffffaf800c457e80: fc fc fc fc fc fc fc fc 00 00 00 00 f1 f1 f1 f1
[ 583.971276][ C0] >ffffaf800c457f00: 00 f2 f2 f2 fc fc fc fc 00 00 00 f3 f3 f3 f3 f3
[ 583.972167][ C0]                                      ^
[ 583.973001][ C0]  ffffaf800c457f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 583.973998][ C0]  ffffaf800c458000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 583.974714][ C0] ==================================================================
[ 583.975560][ C0] Disabling lock debugging due to kernel taint
[ 584.001677][ T2035] Kernel panic - not syncing: corrupted stack end detected inside scheduler
[ 584.003093][ T2035] CPU: 0 PID: 2035 Comm: sshd Tainted: G B 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 584.004237][ T2035] Hardware name: riscv-virtio,qemu (DT)
[ 584.005019][ T2035] Call Trace:
[ 584.005597][ T2035] [] dump_backtrace+0x2e/0x3c
[ 584.006861][ T2035] [] show_stack+0x34/0x40
[ 584.008054][ T2035] [] dump_stack_lvl+0xe4/0x150
[ 584.009178][ T2035] [] dump_stack+0x1c/0x24
[ 584.010203][ T2035] [] panic+0x24a/0x634
[ 584.011005][ T2035] [] schedule+0x0/0x14c
[ 584.012477][ T2035] [] preempt_schedule_irq+0x4a/0x13e
[ 584.013652][ T2035] [] resume_kernel+0x16/0x18
[ 584.014933][ T2035] SMP: stopping secondary CPUs
[ 584.016703][ T2035] Rebooting in 86400 seconds..
VM DIAGNOSIS:
13:26:17 Registers:
info registers vcpu 0
 pc       ffffffff80474702
 mhartid  0000000000000000
 mstatus  00000000000000a0
 mip      00000000000000a0
 mie      000000000000022a
 mideleg  0000000000000222
 medeleg  000000000000b109
 mtvec    0000000080000540
 stvec    ffffffff800055d4
 mepc     ffffffff80475986
 sepc     ffffffff8000a0aa
 mcause   8000000000000007
 scause   8000000000000005
 mtval    0000000000000000
 stval    0000000000000000
 x0/zero  0000000000000000 x1/ra    ffffffff8047478c x2/sp    ffffaf800c457cd0 x3/gp    ffffffff85863ac0
 x4/tp    ffffaf800ece1840 x5/t0    ffffffff86bcb657 x6/t1    fffff5ef0b53910c x7/t2    0000000000000000
 x8/s0    ffffaf800c457d10 x9/s1    ffffaf800c457f30 x10/a0   ffffaf800c457f30 x11/a1   00000000000f0000
 x12/a2   0000000000000506 x13/a3   0000000020000000 x14/a4   ffffaf8000000000 x15/a5   ffff7c0800000000
 x16/a6   0000000000f00000 x17/a7   ffffaf805a9c8863 x18/s2   ffffaf800c457f30 x19/s3   ffffffff8010dd9a
 x20/s4   0000000000000000 x21/s5   ffffffff85863560 x22/s6   ffffffff8588bb20 x23/s7   ffffffff85e09180
 x24/s8   ffffaf800c457e40 x25/s9   ffffaf800ece23e8 x26/s10  ffffffff85899680 x27/s11  ffffaf800ece1840
 x28/t3   ffffffff801163b2 x29/t4   fffff5ef0b53910c x30/t5   fffff5ef0b53910d x31/t6   ffffaf800c457818
 f0/ft0   0000000000000000 f1/ft1   0000000000000000 f2/ft2   0000000000000000 f3/ft3   0000000000000000
 f4/ft4   0000000000000000 f5/ft5   0000000000000000 f6/ft6   0000000000000000 f7/ft7   0000000000000000
 f8/fs0   0000000000000000 f9/fs1   0000000000000000 f10/fa0  0000000000000000 f11/fa1  0000000000000000
 f12/fa2  0000000000000000 f13/fa3  0000000000000000 f14/fa4  0000000000000000 f15/fa5  0000000000000000
 f16/fa6  0000000000000000 f17/fa7  0000000000000000 f18/fs2  0000000000000000 f19/fs3  0000000000000000
 f20/fs4  0000000000000000 f21/fs5  0000000000000000 f22/fs6  0000000000000000 f23/fs7  0000000000000000
 f24/fs8  0000000000000000 f25/fs9  0000000000000000 f26/fs10 0000000000000000 f27/fs11 0000000000000000
 f28/ft8  0000000000000000 f29/ft9  0000000000000000 f30/ft10 0000000000000000 f31/ft11 0000000000000000
info registers vcpu 1
 pc       ffffffff800058f0
 mhartid  0000000000000001
 mstatus  00000000000000a0
 mip      0000000000000000
 mie      00000000000002aa
 mideleg  0000000000000222
 medeleg  000000000000b109
 mtvec    0000000080000540
 stvec    ffffffff800055d4
 mepc     ffffffff800058f0
 sepc     ffffffff800058f4
 mcause   8000000000000003
 scause   8000000000000001
 mtval    0000000000000000
 stval    0000000000000000
 x0/zero  0000000000000000 x1/ra    ffffffff800058ec x2/sp    ffffaf800742bf40 x3/gp    ffffffff85863ac0
 x4/tp    ffffaf8007410000 x5/t0    ffffaf800743f5e0 x6/t1    fffff5ef0b53eb62 x7/t2    0000000000000001
 x8/s0    ffffaf800742bf50 x9/s1    ffffaf8007410000 x10/a0   0000000000000001 x11/a1   00000000000f0000
 x12/a2   0000000000000002 x13/a3   ffffffff800058ec x14/a4   ffffaf8007411000 x15/a5   0000000000000000
 x16/a6   0000000000f00000 x17/a7   ffffaf805a9f5b13 x18/s2   0000000000000001 x19/s3   0000000000000002
 x20/s4   0000000000000007 x21/s5   ffffffff8588b420 x22/s6   ffffaf8007410000 x23/s7   fffffffffffffffd
 x24/s8   00000000800130f0 x25/s9   0000000000000000 x26/s10  0000000000000000 x27/s11  0000000000000000
 x28/t3   fffffffff3f3f300 x29/t4   fffff5ef0b53eb62 x30/t5   fffff5ef0b53eb63 x31/t6   0000000000000006
 f0/ft0   0000000000000000 f1/ft1   0000000000000000 f2/ft2   414fffffe0000000 f3/ft3   43e0000000000000
 f4/ft4   3ffe000000000000 f5/ft5   0000000000000000 f6/ft6   0000000000000000 f7/ft7   0000000000000000
 f8/fs0   0000000000000000 f9/fs1   0000000000000000 f10/fa0  0000000000000000 f11/fa1  0000000000000000
 f12/fa2  0000000000000000 f13/fa3  0000000000000000 f14/fa4  0000000000000000 f15/fa5  0000000000000000
 f16/fa6  0000000000000000 f17/fa7  0000000000000000 f18/fs2  0000000000000000 f19/fs3  0000000000000000
 f20/fs4  0000000000000000 f21/fs5  0000000000000000 f22/fs6  0000000000000000 f23/fs7  0000000000000000
 f24/fs8  0000000000000000 f25/fs9  0000000000000000 f26/fs10 0000000000000000 f27/fs11 0000000000000000
 f28/ft8  0000000000000000 f29/ft9  0000000000000000 f30/ft10 0000000000000000 f31/ft11 0000000000000000