syzkaller login: [ 265.153093][ T1858] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 273.759837][ T1858] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 273.803172][ T1858] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
Warning: Permanently added '[localhost]:59027' (ECDSA) to the list of known hosts.
1970/01/01 00:05:11 fuzzer started
1970/01/01 00:05:23 dialing manager at localhost:36483
[ 329.424052][ T2025] cgroup: Unknown subsys name 'net'
[ 330.463988][ T2025] cgroup: Unknown subsys name 'rlimit'
1970/01/01 00:05:30 syscalls: 2870
1970/01/01 00:05:30 code coverage: enabled
1970/01/01 00:05:30 comparison tracing: enabled
1970/01/01 00:05:30 extra coverage: enabled
1970/01/01 00:05:30 delay kcov mmap: mmap returned an invalid pointer
1970/01/01 00:05:30 setuid sandbox: enabled
1970/01/01 00:05:30 namespace sandbox: enabled
1970/01/01 00:05:30 Android sandbox: /sys/fs/selinux/policy does not exist
1970/01/01 00:05:30 fault injection: enabled
1970/01/01 00:05:30 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
1970/01/01 00:05:30 net packet injection: enabled
1970/01/01 00:05:30 net device setup: enabled
1970/01/01 00:05:30 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
1970/01/01 00:05:30 devlink PCI setup: PCI device 0000:00:10.0 is not available
1970/01/01 00:05:30 USB emulation: enabled
1970/01/01 00:05:30 hci packet injection: /dev/vhci does not exist
1970/01/01 00:05:30 wifi device emulation: /sys/class/mac80211_hwsim/ does not exist
1970/01/01 00:05:30 802.15.4 emulation: /sys/bus/platform/devices/mac802154_hwsim does not exist
1970/01/01 00:05:30 fetching corpus: 0, signal 0/2000 (executing program)
1970/01/01 00:05:38 fetching corpus: 50, signal 27118/30525 (executing program)
1970/01/01 00:05:42 fetching corpus: 100, signal 47233/51704 (executing program)
1970/01/01 00:05:45 fetching corpus: 150, signal 57430/62992 (executing program)
1970/01/01 00:05:48 fetching corpus: 199, signal 65686/72218 (executing program)
1970/01/01 00:05:52 fetching corpus: 249, signal 71335/78764 (executing program)
1970/01/01 00:05:54 fetching corpus: 297, signal 75065/83457 (executing program)
1970/01/01 00:05:57 fetching corpus: 346, signal 78458/87770 (executing program)
1970/01/01 00:06:00 fetching corpus: 396, signal 82649/92734 (executing program)
1970/01/01 00:06:03 fetching corpus: 446, signal 85682/96540 (executing program)
1970/01/01 00:06:06 fetching corpus: 496, signal 88724/100296 (executing program)
1970/01/01 00:06:08 fetching corpus: 546, signal 92412/104598 (executing program)
1970/01/01 00:06:12 fetching corpus: 595, signal 95004/107881 (executing program)
1970/01/01 00:06:15 fetching corpus: 645, signal 97274/110829 (executing program)
1970/01/01 00:06:18 fetching corpus: 694, signal 99983/114027 (executing program)
1970/01/01 00:06:20 fetching corpus: 744, signal 103699/117999 (executing program)
1970/01/01 00:06:23 fetching corpus: 793, signal 106833/121494 (executing program)
1970/01/01 00:06:25 fetching corpus: 843, signal 108476/123692 (executing program)
1970/01/01 00:06:28 fetching corpus: 893, signal 110268/125931 (executing program)
1970/01/01 00:06:30 fetching corpus: 943, signal 113775/129490 (executing program)
1970/01/01 00:06:32 fetching corpus: 993, signal 115151/131361 (executing program)
1970/01/01 00:06:35 fetching corpus: 1042, signal 117819/134193 (executing program)
1970/01/01 00:06:37 fetching corpus: 1090, signal 119442/136195 (executing program)
1970/01/01 00:06:40 fetching corpus: 1140, signal 120706/137875 (executing program)
1970/01/01 00:06:42 fetching corpus: 1190, signal 122123/139659 (executing program)
1970/01/01 00:06:44 fetching corpus: 1240, signal 123829/141624 (executing program)
1970/01/01 00:06:47 fetching corpus: 1290, signal 125694/143617 (executing program)
1970/01/01 00:06:49 fetching corpus: 1340, signal 127492/145509 (executing program)
1970/01/01 00:06:52 fetching corpus: 1390, signal 129064/147175 (executing program)
1970/01/01 00:06:53 fetching corpus: 1440, signal 130687/148944 (executing program)
1970/01/01 00:06:56 fetching corpus: 1490, signal 132702/150937 (executing program)
1970/01/01 00:06:58 fetching corpus: 1540, signal 134567/152703 (executing program)
1970/01/01 00:07:01 fetching corpus: 1590, signal 135819/154096 (executing program)
1970/01/01 00:07:03 fetching corpus: 1640, signal 137675/155788 (executing program)
1970/01/01 00:07:05 fetching corpus: 1690, signal 138596/156921 (executing program)
1970/01/01 00:07:08 fetching corpus: 1738, signal 139786/158241 (executing program)
1970/01/01 00:07:10 fetching corpus: 1788, signal 140774/159374 (executing program)
1970/01/01 00:07:12 fetching corpus: 1838, signal 142251/160808 (executing program)
1970/01/01 00:07:15 fetching corpus: 1888, signal 143678/162121 (executing program)
1970/01/01 00:07:18 fetching corpus: 1938, signal 144928/163291 (executing program)
1970/01/01 00:07:21 fetching corpus: 1988, signal 145988/164374 (executing program)
1970/01/01 00:07:23 fetching corpus: 2036, signal 146992/165412 (executing program)
1970/01/01 00:07:26 fetching corpus: 2086, signal 148980/166934 (executing program)
1970/01/01 00:07:28 fetching corpus: 2136, signal 150418/168104 (executing program)
1970/01/01 00:07:31 fetching corpus: 2184, signal 151164/168888 (executing program)
1970/01/01 00:07:33 fetching corpus: 2234, signal 152668/170027 (executing program)
1970/01/01 00:07:35 fetching corpus: 2284, signal 153506/170827 (executing program)
1970/01/01 00:07:38 fetching corpus: 2334, signal 154533/171710 (executing program)
1970/01/01 00:07:41 fetching corpus: 2384, signal 155714/172643 (executing program)
1970/01/01 00:07:43 fetching corpus: 2433, signal 156631/173381 (executing program)
1970/01/01 00:07:47 fetching corpus: 2483, signal 157989/174329 (executing program)
1970/01/01 00:07:50 fetching corpus: 2532, signal 159219/175258 (executing program)
1970/01/01 00:07:53 fetching corpus: 2582, signal 160100/175942 (executing program)
1970/01/01 00:07:56 fetching corpus: 2632, signal 160975/176627 (executing program)
1970/01/01 00:07:59 fetching corpus: 2682, signal 162436/177531 (executing program)
1970/01/01 00:08:01 fetching corpus: 2731, signal 163339/178153 (executing program)
1970/01/01 00:08:04 fetching corpus: 2781, signal 164251/178774 (executing program)
1970/01/01 00:08:06 fetching corpus: 2831, signal 165536/179518 (executing program)
1970/01/01 00:08:09 fetching corpus: 2880, signal 166730/180208 (executing program)
1970/01/01 00:08:12 fetching corpus: 2930, signal 167608/180749 (executing program)
1970/01/01 00:08:14 fetching corpus: 2980, signal 168515/181274 (executing program)
1970/01/01 00:08:16 fetching corpus: 3030, signal 169341/181754 (executing program)
1970/01/01 00:08:19 fetching corpus: 3080, signal 170073/182208 (executing program)
1970/01/01 00:08:21 fetching corpus: 3130, signal 170881/182640 (executing program)
1970/01/01 00:08:24 fetching corpus: 3180, signal 171409/182989 (executing program)
1970/01/01 00:08:28 fetching corpus: 3230, signal 172300/183428 (executing program)
1970/01/01 00:08:30 fetching corpus: 3280, signal 172918/183781 (executing program)
1970/01/01 00:08:32 fetching corpus: 3329, signal 173825/184189 (executing program)
1970/01/01 00:08:35 fetching corpus: 3379, signal 174394/184516 (executing program)
1970/01/01 00:08:37 fetching corpus: 3429, signal 175226/184891 (executing program)
1970/01/01 00:08:39 fetching corpus: 3479, signal 175827/185174 (executing program)
1970/01/01 00:08:42 fetching corpus: 3529, signal 176953/185545 (executing program)
1970/01/01 00:08:45 fetching corpus: 3579, signal 177660/185824 (executing program)
1970/01/01 00:08:47 fetching corpus: 3629, signal 178210/186043 (executing program)
1970/01/01 00:08:52 fetching corpus: 3678, signal 179217/186371 (executing program)
1970/01/01 00:08:56 fetching corpus: 3728, signal 179681/186537 (executing program)
1970/01/01 00:08:59 fetching corpus: 3778, signal 180177/186709 (executing program)
1970/01/01 00:09:01 fetching corpus: 3828, signal 181033/186942 (executing program)
1970/01/01 00:09:05 fetching corpus: 3878, signal 182849/187314 (executing program)
1970/01/01 00:09:07 fetching corpus: 3928, signal 183435/187457 (executing program)
1970/01/01 00:09:09 fetching corpus: 3978, signal 184054/187606 (executing program)
1970/01/01 00:09:13 fetching corpus: 4028, signal 184882/187765 (executing program)
1970/01/01 00:09:15 fetching corpus: 4078, signal 185625/187903 (executing program)
1970/01/01 00:09:17 fetching corpus: 4101, signal 185941/187957 (executing program)
1970/01/01 00:09:17 fetching corpus: 4101, signal 185941/187977 (executing program)
1970/01/01 00:09:17 fetching corpus: 4102, signal 185943/187996 (executing program)
1970/01/01 00:09:17 fetching corpus: 4102, signal 185943/188013 (executing program)
1970/01/01 00:09:17 fetching corpus: 4102, signal 185952/188042 (executing program)
1970/01/01 00:09:18 fetching corpus: 4102, signal 185952/188060 (executing program)
1970/01/01 00:09:18 fetching corpus: 4102, signal 185952/188078 (executing program)
1970/01/01 00:09:18 fetching corpus: 4102, signal 185952/188106 (executing program)
1970/01/01 00:09:18 fetching corpus: 4102, signal 185952/188123 (executing program)
1970/01/01 00:09:18 fetching corpus: 4102, signal 185952/188140 (executing program)
1970/01/01 00:09:18 fetching corpus: 4102, signal 185952/188164 (executing program)
1970/01/01 00:09:18 fetching corpus: 4102, signal 185952/188169 (executing program)
1970/01/01 00:09:18 fetching corpus: 4102, signal 185952/188169 (executing program)
1970/01/01 00:11:06 starting 2 fuzzer processes
00:11:07 executing program 0:
r0 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r0, &(0x7f0000000b80)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000100)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a14000000050a000000000000000000000000000020000000000a010400000000000000000a0000000900010073797a310000000058000000160a010800000000000000000a0000002c0003800800014000000000080002400000000018000380140001e26870766c616e310000000000000000000900020073797a31000000000900010073797a31"], 0xb4}}, 0x0)
00:11:07 executing program 1:
bpf$PROG_LOAD(0x5, &(0x7f0000000100)={0x17, 0x4, &(0x7f0000000480)=@framed={{}, [@call={0x85, 0x0, 0x0, 0x6}]}, &(0x7f00000001c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x78)
[ 695.140238][ C0] ==================================================================
[ 695.141646][ C0] BUG: KASAN: use-after-free in __bfs+0x154/0x394
[ 695.142902][ C0] Read of size 8 at addr ffffaf800e6f3fb0 by task syz-executor.1/2038
[ 695.143998][ C0]
[ 695.145518][ C0] CPU: 0 PID: 2038 Comm: syz-executor.1 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 695.146990][ C0] Hardware name: riscv-virtio,qemu (DT)
[ 695.148719][ C0] Call Trace:
[ 695.149756][ C0] [] dump_backtrace+0x2e/0x3c
[ 695.150904][ C0] [] show_stack+0x34/0x40
[ 695.151975][ C0] [] dump_stack_lvl+0xe4/0x150
[ 695.153191][ C0] [] print_address_description.constprop.0+0x2a/0x330
[ 695.154450][ C0] [] kasan_report+0x184/0x1e0
[ 695.155481][ C0] [] __asan_load8+0x6e/0x96
[ 695.156616][ C0] [] __bfs+0x154/0x394
[ 695.158046][ C0] [] check_path.constprop.0+0x24/0x46
[ 695.159111][ C0] [] check_noncircular+0x11a/0x1fe
[ 695.160462][ C0]
[ 695.161243][ C0] The buggy address belongs to the page:
[ 695.162567][ C0] page:ffffaf807aa58458 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8e8f3
[ 695.164056][ C0] flags: 0x8800000000(section=17|node=0|zone=0)
[ 695.167956][ C0] raw: 0000008800000000 0000000000000000 ffffffff7aa50101 0000000000000000
[ 695.169464][ C0] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 695.170520][ C0] raw: 00000000000007ff
[ 695.171327][ C0] page dumped because: kasan: bad access detected
[ 695.173673][ C0] page_owner tracks the page as freed
[ 695.175108][ C0] page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 2015, ts 437996271200, free_ts 694713186200
[ 695.177857][ C0] __set_page_owner+0x48/0x136
[ 695.179441][ C0] post_alloc_hook+0xd0/0x10a
[ 695.180498][ C0] get_page_from_freelist+0x8da/0x12d8
[ 695.181503][ C0] __alloc_pages+0x150/0x3b6
[ 695.182440][ C0] alloc_pages+0x132/0x2a6
[ 695.183367][ C0] alloc_slab_page.constprop.0+0xc2/0xfa
[ 695.184258][ C0] new_slab+0x25a/0x2cc
[ 695.185073][ C0] ___slab_alloc+0x56e/0x918
[ 695.186553][ C0] __slab_alloc.constprop.0+0x50/0x8c
[ 695.187425][ C0] kmem_cache_alloc_node+0x1f2/0x41c
[ 695.188273][ C0] __alloc_skb+0x234/0x2e4
[ 695.189817][ C0] tcp_stream_alloc_skb+0x70/0x4c0
[ 695.191618][ C0] tcp_sendmsg_locked+0x880/0x1d9e
[ 695.193751][ C0] tcp_sendmsg+0x32/0x4e
[ 695.194888][ C0] inet_sendmsg+0x74/0x94
[ 695.195849][ C0] sock_sendmsg+0xa0/0xc4
[ 695.197049][ C0] page last free stack trace:
[ 695.197785][ C0] __reset_page_owner+0x4a/0xea
[ 695.198816][ C0] free_pcp_prepare+0x29c/0x45e
[ 695.199750][ C0] free_unref_page+0x6a/0x31e
[ 695.200636][ C0] __free_pages+0xe2/0x112
[ 695.201559][ C0] __free_slab+0x122/0x27c
[ 695.202387][ C0] discard_slab+0x4c/0x7a
[ 695.203164][ C0] __slab_free+0x20a/0x29c
[ 695.203979][ C0] ___cache_free+0x17c/0x354
[ 695.204796][ C0] qlist_free_all+0x7c/0x132
[ 695.205603][ C0] kasan_quarantine_reduce+0x14c/0x1c8
[ 695.206534][ C0] __kasan_slab_alloc+0x5c/0x98
[ 695.207454][ C0] __kmalloc+0x156/0x318
[ 695.208453][ C0] tomoyo_realpath_from_path+0x9c/0x3f4
[ 695.209355][ C0] tomoyo_path_perm+0x1fc/0x3a8
[ 695.210178][ C0] tomoyo_inode_getattr+0x1e/0x28
[ 695.211128][ C0] security_inode_getattr+0x82/0xc6
[ 695.212326][ C0]
[ 695.212910][ C0] Memory state around the buggy address:
[ 695.214040][ C0] ffffaf800e6f3e80: 00 f3 f3 f3 ff ff ff ff ff ff ff ff ff ff ff ff
[ 695.215136][ C0] ffffaf800e6f3f00: ff ff ff ff ff ff ff ff 00 00 00 00 f1 f1 f1 f1
[ 695.216191][ C0] >ffffaf800e6f3f80: 00 f2 f2 f2 ff ff ff ff 00 00 00 f3 f3 f3 f3 f3
[ 695.218656][ C0] ^
[ 695.220352][ C0] ffffaf800e6f4000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 695.221454][ C0] ffffaf800e6f4080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 695.222553][ C0] ==================================================================
[ 695.223513][ C0] Disabling lock debugging due to kernel taint
[ 695.228290][ T2038] Kernel panic - not syncing: corrupted stack end detected inside scheduler
[ 695.229674][ T2038] CPU: 0 PID: 2038 Comm: syz-executor.1 Tainted: G B 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 695.231016][ T2038] Hardware name: riscv-virtio,qemu (DT)
[ 695.231703][ T2038] Call Trace:
[ 695.232394][ T2038] [] dump_backtrace+0x2e/0x3c
[ 695.233392][ T2038] [] show_stack+0x34/0x40
[ 695.234240][ T2038] [] dump_stack_lvl+0xe4/0x150
[ 695.235214][ T2038] [] dump_stack+0x1c/0x24
[ 695.236176][ T2038] [] panic+0x24a/0x634
[ 695.237031][ T2038] [] schedule+0x0/0x14c
[ 695.237882][ T2038] [] preempt_schedule_irq+0x4a/0x13e
[ 695.238809][ T2038] [] resume_kernel+0x16/0x18
[ 695.239928][ T2038] SMP: stopping secondary CPUs
[ 695.242113][ T2038] Rebooting in 86400 seconds..
VM DIAGNOSIS:
01:42:44 Registers:
info registers vcpu 0
pc       ffffffff80475ab2
mhartid  0000000000000000
mstatus  00000000000001a0
mip      0000000000000000
mie      00000000000002aa
mideleg  0000000000000222
medeleg  000000000000b109
mtvec    0000000080000540
stvec    ffffffff800055d4
mepc     ffffffff8000f97e
sepc     ffffffff80174252
mcause   0000000000000009
scause   8000000000000005
mtval    0000000000000000
stval    0000000000000000
x0/zero  0000000000000000
x1/ra    ffffffff80115a88
x2/sp    ffffaf800f896fd0
x3/gp    ffffffff85863ac0
x4/tp    ffffaf800e5d9840
x5/t0    ffffaf8020897c80
x6/t1    fdf274e196711400
x7/t2    00000000171bce85
x8/s0    ffffaf800f897150
x9/s1    0000000000000120
x10/a0   ffffffff831afd54
x11/a1   0000000000000003
x12/a2   1ffffffff0b118b4
x13/a3   ffffffff8011203a
x14/a4   ffffaf800e5da840
x15/a5   ffffffff86c1a628
x16/a6   0000000000f00000
x17/a7   ffffffff80b08efe
x18/s2   ffffaf800e5da260
x19/s3   ffffaf800f897000
x20/s4   ffffaf800e5d9840
x21/s5   ffffffff86c1a620
x22/s6   0000000000000001
x23/s7   ffffaf8020a7a850
x24/s8   ffffffff8586fde0
x25/s9   ffffffff86d3aca8
x26/s10  0000000000000122
x27/s11  ffffffff80504370
x28/t3   fffffffff3f3f300
x29/t4   ffffffff80112282
x30/t5   1ffff5f001f12dd8
x31/t6   000000006e6a84a8
f0/ft0   0000000000000000
f1/ft1   0000000000000000
f2/ft2   0000000000000000
f3/ft3   0000000000000000
f4/ft4   0000000000000000
f5/ft5   0000000000000000
f6/ft6   0000000000000000
f7/ft7   0000000000000000
f8/fs0   0000000000000000
f9/fs1   0000000000000000
f10/fa0  0000000000000000
f11/fa1  0000000000000000
f12/fa2  0000000000000000
f13/fa3  0000000000000000
f14/fa4  0000000000000000
f15/fa5  0000000000000000
f16/fa6  0000000000000000
f17/fa7  0000000000000000
f18/fs2  0000000000000000
f19/fs3  0000000000000000
f20/fs4  0000000000000000
f21/fs5  0000000000000000
f22/fs6  0000000000000000
f23/fs7  0000000000000000
f24/fs8  0000000000000000
f25/fs9  0000000000000000
f26/fs10 0000000000000000
f27/fs11 0000000000000000
f28/ft8  0000000000000000
f29/ft9  0000000000000000
f30/ft10 0000000000000000
f31/ft11 0000000000000000
info registers vcpu 1
pc       ffffffff80475786
mhartid  0000000000000001
mstatus  00000000000000a0
mip      0000000000000000
mie      00000000000002aa
mideleg  0000000000000222
medeleg  000000000000b109
mtvec    0000000080000540
stvec    ffffffff800055d4
mepc     ffffffff8000f97e
sepc     ffffffff8010b26a
mcause   0000000000000009
scause   8000000000000005
mtval    0000000000000000
stval    0000000000000000
x0/zero  0000000000000000
x1/ra    ffffffff80c386e2
x2/sp    ffffaf800e6f37d0
x3/gp    ffffffff85863ac0
x4/tp    ffffaf800d6c8000
x5/t0    ffffffff84a97ee8
x6/t1    fffff5ef01cde6dc
x7/t2    0000000000000000
x8/s0    ffffaf800e6f3640
x9/s1    fffffffffffffffc
x10/a0   0000000000000000
x11/a1   00000000000f0000
x12/a2   0000000000000504
x13/a3   ffffffff80c2d4cc
x14/a4   ffffaf800d6c8000
x15/a5   0000000000000025
x16/a6   0000000000f00000
x17/a7   ffffaf800e6f3847
x18/s2   ffffffff838d2e6e
x19/s3   ffffaf800e6f3840
x20/s4   0000000000000006
x21/s5   ffffffff838d2e6f
x22/s6   ffffaf800e6f3c98
x23/s7   1ffff5f001cde6e0
x24/s8   ffffffff85889780
x25/s9   0000000000000064
x26/s10  0000000000000034
x27/s11  ffffffff838d6d80
x28/t3   1ffff5f001cde77c
x29/t4   fffff5ef01cde708
x30/t5   fffff5ef01cde709
x31/t6   ffffffff86bd8e86
f0/ft0   0000000000000000
f1/ft1   0000000000000000
f2/ft2   0000000000000000
f3/ft3   0000000000000000
f4/ft4   0000000000000000
f5/ft5   0000000000000000
f6/ft6   0000000000000000
f7/ft7   0000000000000000
f8/fs0   0000000000000000
f9/fs1   0000000000000000
f10/fa0  0000000000000000
f11/fa1  0000000000000000
f12/fa2  0000000000000000
f13/fa3  0000000000000000
f14/fa4  0000000000000000
f15/fa5  0000000000000000
f16/fa6  0000000000000000
f17/fa7  0000000000000000
f18/fs2  0000000000000000
f19/fs3  0000000000000000
f20/fs4  0000000000000000
f21/fs5  0000000000000000
f22/fs6  0000000000000000
f23/fs7  0000000000000000
f24/fs8  0000000000000000
f25/fs9  0000000000000000
f26/fs10 0000000000000000
f27/fs11 0000000000000000
f28/ft8  0000000000000000
f29/ft9  0000000000000000
f30/ft10 0000000000000000
f31/ft11 0000000000000000