syzkaller login: [ 270.480287][ T1857] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 270.568289][ T1857] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 270.647657][ T1857] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 280.751017][ T1857] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
Warning: Permanently added '[localhost]:28662' (ECDSA) to the list of known hosts.
1970/01/01 00:05:25 fuzzer started
1970/01/01 00:05:39 dialing manager at localhost:38403
[ 349.876293][ T2030] cgroup: Unknown subsys name 'net'
[ 350.891085][ T2030] cgroup: Unknown subsys name 'rlimit'
1970/01/01 00:05:50 syscalls: 2853
1970/01/01 00:05:50 code coverage: enabled
1970/01/01 00:05:50 comparison tracing: enabled
1970/01/01 00:05:50 extra coverage: enabled
1970/01/01 00:05:50 delay kcov mmap: mmap returned an invalid pointer
1970/01/01 00:05:50 setuid sandbox: enabled
1970/01/01 00:05:50 namespace sandbox: enabled
1970/01/01 00:05:50 Android sandbox: /sys/fs/selinux/policy does not exist
1970/01/01 00:05:50 fault injection: enabled
1970/01/01 00:05:50 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
1970/01/01 00:05:50 net packet injection: enabled
1970/01/01 00:05:50 net device setup: enabled
1970/01/01 00:05:50 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
1970/01/01 00:05:50 devlink PCI setup: PCI device 0000:00:10.0 is not available
1970/01/01 00:05:50 USB emulation: enabled
1970/01/01 00:05:50 hci packet injection: /dev/vhci does not exist
1970/01/01 00:05:50 wifi device emulation: /sys/class/mac80211_hwsim/ does not exist
1970/01/01 00:05:50 802.15.4 emulation: /sys/bus/platform/devices/mac802154_hwsim does not exist
1970/01/01 00:05:51 fetching corpus: 0, signal 0/2000 (executing program)
1970/01/01 00:05:56 fetching corpus: 50, signal 34729/38305 (executing program)
1970/01/01 00:06:00 fetching corpus: 100, signal 50102/55199 (executing program)
1970/01/01 00:06:04 fetching corpus: 150, signal 65134/71601 (executing program)
1970/01/01 00:06:06 fetching corpus: 199, signal 74261/82130 (executing program)
1970/01/01 00:06:09 fetching corpus: 249, signal 84373/93454 (executing program)
1970/01/01 00:06:12 fetching corpus: 299, signal 95391/105534 (executing program)
1970/01/01 00:06:15 fetching corpus: 349, signal 99029/110430 (executing program)
1970/01/01 00:06:17 fetching corpus: 399, signal 105554/118020 (executing program)
1970/01/01 00:06:21 fetching corpus: 449, signal 110443/124032 (executing program)
1970/01/01 00:06:24 fetching corpus: 498, signal 114599/129303 (executing program)
1970/01/01 00:06:26 fetching corpus: 548, signal 121875/137378 (executing program)
1970/01/01 00:06:29 fetching corpus: 598, signal 125841/142335 (executing program)
1970/01/01 00:06:31 fetching corpus: 647, signal 128968/146460 (executing program)
1970/01/01 00:06:33 fetching corpus: 697, signal 134248/152550 (executing program)
1970/01/01 00:06:36 fetching corpus: 747, signal 139832/158809 (executing program)
1970/01/01 00:06:38 fetching corpus: 796, signal 143881/163659 (executing program)
1970/01/01 00:06:40 fetching corpus: 846, signal 148894/169311 (executing program)
1970/01/01 00:06:42 fetching corpus: 896, signal 152074/173268 (executing program)
1970/01/01 00:06:45 fetching corpus: 946, signal 156243/178038 (executing program)
1970/01/01 00:06:47 fetching corpus: 996, signal 158520/181131 (executing program)
1970/01/01 00:06:49 fetching corpus: 1046, signal 161826/185079 (executing program)
1970/01/01 00:06:51 fetching corpus: 1095, signal 165167/189039 (executing program)
1970/01/01 00:06:55 fetching corpus: 1145, signal 171058/195209 (executing program)
1970/01/01 00:06:57 fetching corpus: 1195, signal 174447/199185 (executing program)
1970/01/01 00:06:59 fetching corpus: 1245, signal 176323/201766 (executing program)
1970/01/01 00:07:01 fetching corpus: 1294, signal 179952/205737 (executing program)
1970/01/01 00:07:04 fetching corpus: 1344, signal 183392/209575 (executing program)
1970/01/01 00:07:06 fetching corpus: 1394, signal 186362/212976 (executing program)
1970/01/01 00:07:11 fetching corpus: 1443, signal 189361/216356 (executing program)
1970/01/01 00:07:14 fetching corpus: 1491, signal 193197/220385 (executing program)
1970/01/01 00:07:16 fetching corpus: 1541, signal 195246/222899 (executing program)
1970/01/01 00:07:18 fetching corpus: 1591, signal 196790/225054 (executing program)
1970/01/01 00:07:20 fetching corpus: 1641, signal 198486/227273 (executing program)
1970/01/01 00:07:22 fetching corpus: 1689, signal 200397/229685 (executing program)
1970/01/01 00:07:24 fetching corpus: 1738, signal 202018/231776 (executing program)
1970/01/01 00:07:26 fetching corpus: 1787, signal 205356/235232 (executing program)
1970/01/01 00:07:28 fetching corpus: 1837, signal 207771/237919 (executing program)
1970/01/01 00:07:30 fetching corpus: 1887, signal 209087/239686 (executing program)
1970/01/01 00:07:32 fetching corpus: 1937, signal 211101/242024 (executing program)
1970/01/01 00:07:35 fetching corpus: 1987, signal 212291/243701 (executing program)
1970/01/01 00:07:40 fetching corpus: 2037, signal 214572/246221 (executing program)
1970/01/01 00:07:42 fetching corpus: 2087, signal 215796/247856 (executing program)
1970/01/01 00:07:44 fetching corpus: 2137, signal 217467/249855 (executing program)
1970/01/01 00:07:46 fetching corpus: 2187, signal 218800/251610 (executing program)
1970/01/01 00:07:49 fetching corpus: 2237, signal 220662/253748 (executing program)
1970/01/01 00:07:52 fetching corpus: 2287, signal 222202/255543 (executing program)
1970/01/01 00:07:54 fetching corpus: 2336, signal 223711/257333 (executing program)
1970/01/01 00:07:58 fetching corpus: 2386, signal 225316/259166 (executing program)
1970/01/01 00:08:02 fetching corpus: 2436, signal 226869/260988 (executing program)
1970/01/01 00:08:04 fetching corpus: 2485, signal 228821/263011 (executing program)
1970/01/01 00:08:06 fetching corpus: 2535, signal 230179/264625 (executing program)
1970/01/01 00:08:09 fetching corpus: 2585, signal 231554/266263 (executing program)
1970/01/01 00:08:11 fetching corpus: 2634, signal 234267/268790 (executing program)
1970/01/01 00:08:13 fetching corpus: 2684, signal 236068/270661 (executing program)
1970/01/01 00:08:16 fetching corpus: 2733, signal 237775/272456 (executing program)
1970/01/01 00:08:19 fetching corpus: 2783, signal 238820/273795 (executing program)
1970/01/01 00:08:21 fetching corpus: 2833, signal 242112/276560 (executing program)
1970/01/01 00:08:23 fetching corpus: 2883, signal 244101/278466 (executing program)
1970/01/01 00:08:26 fetching corpus: 2932, signal 245430/279911 (executing program)
1970/01/01 00:08:28 fetching corpus: 2981, signal 247434/281832 (executing program)
1970/01/01 00:08:30 fetching corpus: 3030, signal 248416/283036 (executing program)
1970/01/01 00:08:31 fetching corpus: 3079, signal 249587/284380 (executing program)
1970/01/01 00:08:34 fetching corpus: 3129, signal 251162/285958 (executing program)
1970/01/01 00:08:36 fetching corpus: 3179, signal 253133/287744 (executing program)
1970/01/01 00:08:38 fetching corpus: 3228, signal 255077/289482 (executing program)
1970/01/01 00:08:40 fetching corpus: 3278, signal 256756/291068 (executing program)
1970/01/01 00:08:42 fetching corpus: 3327, signal 258253/292552 (executing program)
1970/01/01 00:08:44 fetching corpus: 3377, signal 259472/293772 (executing program)
1970/01/01 00:08:46 fetching corpus: 3427, signal 260979/295136 (executing program)
1970/01/01 00:08:48 fetching corpus: 3476, signal 262399/296465 (executing program)
1970/01/01 00:08:50 fetching corpus: 3525, signal 263878/297801 (executing program)
1970/01/01 00:08:52 fetching corpus: 3575, signal 264936/298900 (executing program)
1970/01/01 00:08:54 fetching corpus: 3625, signal 265612/299801 (executing program)
1970/01/01 00:08:56 fetching corpus: 3675, signal 266204/300621 (executing program)
1970/01/01 00:08:58 fetching corpus: 3725, signal 267209/301678 (executing program)
1970/01/01 00:09:01 fetching corpus: 3775, signal 268336/302795 (executing program)
1970/01/01 00:09:03 fetching corpus: 3825, signal 269640/303909 (executing program)
1970/01/01 00:09:05 fetching corpus: 3874, signal 270814/305067 (executing program)
1970/01/01 00:09:07 fetching corpus: 3924, signal 271860/306065 (executing program)
1970/01/01 00:09:10 fetching corpus: 3974, signal 272685/306914 (executing program)
1970/01/01 00:09:12 fetching corpus: 4024, signal 273280/307659 (executing program)
1970/01/01 00:09:14 fetching corpus: 4074, signal 274892/308933 (executing program)
1970/01/01 00:09:16 fetching corpus: 4123, signal 275966/309900 (executing program)
1970/01/01 00:09:18 fetching corpus: 4173, signal 276575/310620 (executing program)
1970/01/01 00:09:22 fetching corpus: 4223, signal 277270/311343 (executing program)
1970/01/01 00:09:25 fetching corpus: 4273, signal 278006/312117 (executing program)
1970/01/01 00:09:27 fetching corpus: 4322, signal 278550/312762 (executing program)
1970/01/01 00:09:29 fetching corpus: 4372, signal 279490/313611 (executing program)
1970/01/01 00:09:32 fetching corpus: 4422, signal 281413/314970 (executing program)
1970/01/01 00:09:34 fetching corpus: 4472, signal 282415/315831 (executing program)
1970/01/01 00:09:37 fetching corpus: 4522, signal 283514/316744 (executing program)
1970/01/01 00:09:39 fetching corpus: 4571, signal 284634/317614 (executing program)
1970/01/01 00:09:41 fetching corpus: 4621, signal 285182/318246 (executing program)
1970/01/01 00:09:44 fetching corpus: 4671, signal 286011/318959 (executing program)
1970/01/01 00:09:46 fetching corpus: 4720, signal 287627/320031 (executing program)
1970/01/01 00:09:49 fetching corpus: 4767, signal 288834/320911 (executing program)
1970/01/01 00:09:50 fetching corpus: 4817, signal 289827/321672 (executing program)
1970/01/01 00:09:53 fetching corpus: 4866, signal 290703/322414 (executing program)
1970/01/01 00:09:55 fetching corpus: 4916, signal 291777/323212 (executing program)
1970/01/01 00:09:58 fetching corpus: 4966, signal 292753/323936 (executing program)
1970/01/01 00:10:00 fetching corpus: 5016, signal 293823/324731 (executing program)
1970/01/01 00:10:02 fetching corpus: 5066, signal 294602/325391 (executing program)
1970/01/01 00:10:05 fetching corpus: 5116, signal 295267/325908 (executing program)
1970/01/01 00:10:11 fetching corpus: 5166, signal 296359/326672 (executing program)
1970/01/01 00:10:16 fetching corpus: 5216, signal 296866/327167 (executing program)
1970/01/01 00:10:18 fetching corpus: 5263, signal 297438/327674 (executing program)
1970/01/01 00:10:20 fetching corpus: 5313, signal 298835/328509 (executing program)
1970/01/01 00:10:22 fetching corpus: 5363, signal 299418/328997 (executing program)
1970/01/01 00:10:26 fetching corpus: 5413, signal 300313/329593 (executing program)
1970/01/01 00:10:28 fetching corpus: 5462, signal 301438/330273 (executing program)
1970/01/01 00:10:30 fetching corpus: 5512, signal 301906/330707 (executing program)
1970/01/01 00:10:32 fetching corpus: 5562, signal 302551/331159 (executing program)
1970/01/01 00:10:34 fetching corpus: 5612, signal 303217/331649 (executing program)
1970/01/01 00:10:36 fetching corpus: 5662, signal 304139/332185 (executing program)
1970/01/01 00:10:39 fetching corpus: 5711, signal 305005/332722 (executing program)
1970/01/01 00:10:42 fetching corpus: 5759, signal 306012/333266 (executing program)
1970/01/01 00:10:45 fetching corpus: 5809, signal 306729/333711 (executing program)
1970/01/01 00:10:47 fetching corpus: 5859, signal 307471/334167 (executing program)
1970/01/01 00:10:50 fetching corpus: 5909, signal 308881/334809 (executing program)
1970/01/01 00:10:53 fetching corpus: 5959, signal 309569/335260 (executing program)
1970/01/01 00:10:55 fetching corpus: 6009, signal 310486/335760 (executing program)
1970/01/01 00:10:58 fetching corpus: 6057, signal 310992/336110 (executing program)
1970/01/01 00:11:01 fetching corpus: 6105, signal 312223/336697 (executing program)
1970/01/01 00:11:03 fetching corpus: 6155, signal 312905/337102 (executing program)
1970/01/01 00:11:06 fetching corpus: 6204, signal 313803/337527 (executing program)
1970/01/01 00:11:07 fetching corpus: 6254, signal 314528/337897 (executing program)
1970/01/01 00:11:09 fetching corpus: 6304, signal 315288/338293 (executing program)
1970/01/01 00:11:11 fetching corpus: 6354, signal 316028/338667 (executing program)
1970/01/01 00:11:13 fetching corpus: 6404, signal 316514/338952 (executing program)
1970/01/01 00:11:15 fetching corpus: 6454, signal 317500/339400 (executing program)
1970/01/01 00:11:18 fetching corpus: 6504, signal 318172/339710 (executing program)
1970/01/01 00:11:20 fetching corpus: 6554, signal 319004/340071 (executing program)
1970/01/01 00:11:22 fetching corpus: 6604, signal 319681/340413 (executing program)
1970/01/01 00:11:24 fetching corpus: 6654, signal 320928/340891 (executing program)
1970/01/01 00:11:26 fetching corpus: 6703, signal 321788/341256 (executing program)
1970/01/01 00:11:29 fetching corpus: 6753, signal 323289/341710 (executing program)
1970/01/01 00:11:31 fetching corpus: 6803, signal 323809/341955 (executing program)
1970/01/01 00:11:34 fetching corpus: 6853, signal 324593/342255 (executing program)
1970/01/01 00:11:36 fetching corpus: 6903, signal 325342/342562 (executing program)
1970/01/01 00:11:37 fetching corpus: 6953, signal 326248/342857 (executing program)
1970/01/01 00:11:40 fetching corpus: 7003, signal 327106/343116 (executing program)
1970/01/01 00:11:42 fetching corpus: 7053, signal 328185/343427 (executing program)
1970/01/01 00:11:45 fetching corpus: 7102, signal 328683/343618 (executing program)
1970/01/01 00:11:48 fetching corpus: 7151, signal 329475/343877 (executing program)
1970/01/01 00:11:50 fetching corpus: 7201, signal 330531/344132 (executing program)
1970/01/01 00:11:52 fetching corpus: 7251, signal 331390/344387 (executing program)
1970/01/01 00:11:54 fetching corpus: 7301, signal 331799/344517 (executing program)
1970/01/01 00:11:57 fetching corpus: 7351, signal 332244/344674 (executing program)
1970/01/01 00:12:00 fetching corpus: 7401, signal 333009/344857 (executing program)
1970/01/01 00:12:03 fetching corpus: 7451, signal 333491/344989 (executing program)
1970/01/01 00:12:05 fetching corpus: 7501, signal 333885/345122 (executing program)
1970/01/01 00:12:07 fetching corpus: 7550, signal 334185/345221 (executing program)
1970/01/01 00:12:09 fetching corpus: 7599, signal 334638/345349 (executing program)
1970/01/01 00:12:11 fetching corpus: 7649, signal 335307/345522 (executing program)
1970/01/01 00:12:14 fetching corpus: 7699, signal 336274/345702 (executing program)
1970/01/01 00:12:16 fetching corpus: 7748, signal 336714/345801 (executing program)
1970/01/01 00:12:18 fetching corpus: 7798, signal 337660/345951 (executing program)
1970/01/01 00:12:21 fetching corpus: 7848, signal 338269/346059 (executing program)
1970/01/01 00:12:23 fetching corpus: 7898, signal 339350/346186 (executing program)
1970/01/01 00:12:25 fetching corpus: 7948, signal 339812/346282 (executing program)
1970/01/01 00:12:28 fetching corpus: 7998, signal 340761/346426 (executing program)
1970/01/01 00:12:31 fetching corpus: 8048, signal 341380/346496 (executing program)
1970/01/01 00:12:34 fetching corpus: 8098, signal 341809/346556 (executing program)
1970/01/01 00:12:37 fetching corpus: 8148, signal 342477/346637 (executing program)
1970/01/01 00:12:39 fetching corpus: 8198, signal 343175/346688 (executing program)
1970/01/01 00:12:41 fetching corpus: 8247, signal 344062/346751 (executing program)
1970/01/01 00:12:41 fetching corpus: 8248, signal 344063/346765 (executing program)
1970/01/01 00:12:41 fetching corpus: 8248, signal 344063/346791 (executing program)
1970/01/01 00:12:41 fetching corpus: 8248, signal 344063/346814 (executing program)
1970/01/01 00:12:41 fetching corpus: 8248, signal 344063/346826 (executing program)
1970/01/01 00:12:42 fetching corpus: 8248, signal 344063/346842 (executing program)
1970/01/01 00:12:42 fetching corpus: 8248, signal 344063/346860 (executing program)
1970/01/01 00:12:42 fetching corpus: 8248, signal 344063/346866 (executing program)
1970/01/01 00:12:42 fetching corpus: 8248, signal 344063/346866 (executing program)
1970/01/01 00:14:22 starting 2 fuzzer processes
00:14:22 executing program 0:
r0 = socket$l2tp(0x2, 0x2, 0x73)
setsockopt$IPT_SO_SET_REPLACE(r0, 0x0, 0x40, &(0x7f00000002c0)=@raw={'raw\x00', 0x8, 0x3, 0x270, 0x98, 0xffffffff, 0xffffffff, 0x98, 0xffffffff, 0x1d8, 0xffffffff, 0xffffffff, 0x1d8, 0xffffffff, 0x3, 0x0, {[{{@uncond, 0x0, 0x70, 0x98}, @common=@unspec=@NFQUEUE3={0x28, 'NFQUEUE\x00', 0x3, {0x0, 0x5}}}, {{@uncond, 0x0, 0xe0, 0x140, 0x0, {}, [@common=@unspec=@devgroup={{0x38}}, @common=@unspec=@quota={{0x38}}]}, @common=@CLUSTERIP={0x60, 'CLUSTERIP\x00', 0x0, {0x0, @multicast}}}], {{'\x00', 0x0, 0x70, 0x98}, {0x28}}}}, 0x2d0)
00:14:22 executing program 1:
r0 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file1\x00', 0xc1c2, 0x0)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000080)='./file1\x00', 0x42, 0x0)
ioctl$FICLONE(r1, 0x40049409, r1)
pwritev(r1, &(0x7f0000000a80)=[{&(0x7f0000000980)='+', 0x1}], 0x1, 0x100bfaa, 0x0)
sendfile(r0, r0, &(0x7f00000000c0)=0x7, 0x100000001)
r2 = openat(r1, 0x0, 0x200, 0x0)
symlinkat(&(0x7f0000000000)='./file1\x00', r1, &(0x7f0000000100)='./file1\x00')
ioctl$DRM_IOCTL_PRIME_HANDLE_TO_FD(r0, 0xc00c642d, 0x0)
r3 = userfaultfd(0x0)
fallocate(r3, 0x1d, 0x8, 0x8000)
recvmsg$can_j1939(r2, &(0x7f0000000300)={&(0x7f0000000180)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff}}, 0x80, &(0x7f00000002c0)=[{&(0x7f0000000200)=""/164, 0xa4}], 0x1}, 0x40000100)
sendfile(0xffffffffffffffff, r4, &(0x7f0000000340)=0x4, 0xab64)
ioctl$EXT4_IOC_SWAP_BOOT(r0, 0x6611)
[ 895.348155][ T2045] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 895.441644][ T2044] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 895.525763][ T2045] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 896.067500][ T2044] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 907.482341][ T2045] device hsr_slave_0 entered promiscuous mode
[ 907.537488][ T2045] device hsr_slave_1 entered promiscuous mode
[ 909.302057][ T2044] device hsr_slave_0 entered promiscuous mode
[ 909.360535][ T2044] device hsr_slave_1 entered promiscuous mode
[ 909.380821][ T2044] debugfs: Directory 'hsr0' with parent 'hsr' already present!
[ 909.387381][ T2044] Cannot create hsr debugfs directory
[ 916.776238][ T2045] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 916.959635][ T2045] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 917.199000][ T2045] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 917.479086][ T2045] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 918.801740][ T2044] netdevsim netdevsim1 netdevsim0: renamed from eth0
[ 919.100410][ T2044] netdevsim netdevsim1 netdevsim1: renamed from eth1
[ 919.317103][ T2044] netdevsim netdevsim1 netdevsim2: renamed from eth2
[ 919.531111][ T2044] netdevsim netdevsim1 netdevsim3: renamed from eth3
[ 926.891232][ C0] ==================================================================
[ 926.899195][ C0] BUG: KASAN: use-after-free in stack_trace_consume_entry+0x6c/0x9e
[ 926.900875][ C0] Write of size 8 at addr ffffaf800f98fa60 by task syz-executor.0/2045
[ 926.902308][ C0]
[ 926.903986][ C0] CPU: 0 PID: 2045 Comm: syz-executor.0 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 926.906114][ C0] Hardware name: riscv-virtio,qemu (DT)
[ 926.907476][ C0] Call Trace:
[ 926.908519][ C0] [] dump_backtrace+0x2e/0x3c
[ 926.909810][ C0] [] show_stack+0x34/0x40
[ 926.910991][ C0] [] dump_stack_lvl+0xe4/0x150
[ 926.912308][ C0] [] print_address_description.constprop.0+0x2a/0x330
[ 926.914426][ C0] [] kasan_report+0x184/0x1e0
[ 926.916287][ C0] [] __asan_store8+0x6e/0x96
[ 926.917571][ C0] [] stack_trace_consume_entry+0x6c/0x9e
[ 926.918906][ C0] [] walk_stackframe+0x17e/0x260
[ 926.920184][ C0] [] arch_stack_walk+0x2c/0x3c
[ 926.921433][ C0] [] stack_trace_save+0xa6/0xd8
[ 926.922683][ C0] [] save_stack+0x112/0x16c
[ 926.924379][ C0] [] __set_page_owner+0x48/0x136
[ 926.925697][ C0] [] post_alloc_hook+0xd0/0x10a
[ 926.926906][ C0] [] get_page_from_freelist+0x8da/0x12d8
[ 926.928231][ C0] [] __alloc_pages+0x150/0x3b6
[ 926.929453][ C0] [] alloc_pages+0x132/0x2a6
[ 926.930717][ C0] [] alloc_slab_page.constprop.0+0xc2/0xfa
[ 926.932146][ C0] [] new_slab+0x76/0x2cc
[ 926.933400][ C0] [] ___slab_alloc+0x56e/0x918
[ 926.934972][ C0]
[ 926.935883][ C0] Allocated by task 1:
[ 926.936773][ C0] (stack is not available)
[ 926.937576][ C0]
[ 926.938359][ C0] Last potentially related work creation:
[ 926.939317][ C0] ------------[ cut here ]------------
[ 926.940283][ C0] slab index 1118436 out of bounds (318) for stack id 801110e4
[ 926.944593][ C0] WARNING: CPU: 0 PID: 2045 at lib/stackdepot.c:304 stack_depot_print+0x66/0x70
[ 926.946508][ C0] Modules linked in:
[ 926.947736][ C0] CPU: 0 PID: 2045 Comm: syz-executor.0 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 926.949169][ C0] Hardware name: riscv-virtio,qemu (DT)
[ 926.950156][ C0] epc : stack_depot_print+0x66/0x70
[ 926.951383][ C0]  ra : stack_depot_print+0x66/0x70
[ 926.952628][ C0] epc : ffffffff80c00b8a ra : ffffffff80c00b8a sp : ffffaf800f98f780
[ 926.953991][ C0]  gp : ffffffff85863ac0 tp : ffffaf8007403080 t0 : ffffffff86bcb657
[ 926.955169][ C0]  t1 : fffff5ef0b53910c t2 : 0000000000000000 s0 : ffffaf800f98f790
[ 926.956384][ C0]  s1 : ffffaf807aaabe40 a0 : 000000000000003c a1 : 00000000000f0000
[ 926.957517][ C0]  a2 : 0000000000000504 a3 : ffffffff8012252a a4 : a23d0919d893f100
[ 926.958661][ C0]  a5 : a23d0919d893f100 a6 : 0000000000f00000 a7 : ffffaf805a9c8863
[ 926.959790][ C0]  s2 : ffffaf800f98fa60 s3 : ffffaf8007201dc0 s4 : ffffaf800f98f800
[ 926.961001][ C0]  s5 : ffffaf800f98fc00 s6 : 0000000000003fff s7 : 0000000000000001
[ 926.962133][ C0]  s8 : ffffffff8045746a s9 : ffffffffffffc000 s10: ffffaf800f98f960
[ 926.963361][ C0]  s11: 0000000000000008 t3 : fffffffff3f3f300 t4 : fffff5ef0b53910c
[ 926.964633][ C0]  t5 : fffff5ef0b53910d t6 : ffffaf800f98f278
[ 926.965745][ C0] status: 0000000000000100 badaddr: 0000000000000000 cause: 0000000000000003
[ 926.967067][ C0] [] print_address_description.constprop.0+0x2fc/0x330
[ 926.968613][ C0] [] kasan_report+0x184/0x1e0
[ 926.969827][ C0] [] __asan_store8+0x6e/0x96
[ 926.971044][ C0] [] stack_trace_consume_entry+0x6c/0x9e
[ 926.972390][ C0] [] walk_stackframe+0x17e/0x260
[ 926.973724][ C0] [] arch_stack_walk+0x2c/0x3c
[ 926.975156][ C0] [] stack_trace_save+0xa6/0xd8
[ 926.976439][ C0] [] save_stack+0x112/0x16c
[ 926.977627][ C0] [] __set_page_owner+0x48/0x136
[ 926.978835][ C0] [] post_alloc_hook+0xd0/0x10a
[ 926.979995][ C0] [] get_page_from_freelist+0x8da/0x12d8
[ 926.981283][ C0] [] __alloc_pages+0x150/0x3b6
[ 926.982477][ C0] [] alloc_pages+0x132/0x2a6
[ 926.983850][ C0] [] alloc_slab_page.constprop.0+0xc2/0xfa
[ 926.985242][ C0] [] new_slab+0x76/0x2cc
[ 926.986549][ C0] [] ___slab_alloc+0x56e/0x918
[ 926.987943][ C0] irq event stamp: 122055
[ 926.988827][ C0] hardirqs last enabled at (122054): [] get_page_from_freelist+0xfc8/0x12d8
[ 926.990379][ C0] hardirqs last disabled at (122055): [] _raw_spin_lock_irqsave+0x60/0x62
[ 926.991872][ C0] softirqs last enabled at (121922): [] ip6_route_add+0x7e/0x148
[ 926.993522][ C0] softirqs last disabled at (121925): [] __irq_exit_rcu+0x142/0x1f8
[ 926.995052][ C0] ---[ end trace 0000000000000000 ]---
[ 926.996562][ C0]
[ 926.997262][ C0] Second to last potentially related work creation:
[ 926.998162][ C0] ------------[ cut here ]------------
[ 926.998982][ C0] slab index 2097151 out of bounds (318) for stack id ffffffff
[ 927.002505][ C0] WARNING: CPU: 0 PID: 2045 at lib/stackdepot.c:304 stack_depot_print+0x66/0x70
[ 927.004475][ C0] Modules linked in:
[ 927.005687][ C0] CPU: 0 PID: 2045 Comm: syz-executor.0 Tainted: G W 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 927.007235][ C0] Hardware name: riscv-virtio,qemu (DT)
[ 927.008210][ C0] epc : stack_depot_print+0x66/0x70
[ 927.009466][ C0]  ra : stack_depot_print+0x66/0x70
[ 927.010669][ C0] epc : ffffffff80c00b8a ra : ffffffff80c00b8a sp : ffffaf800f98f780
[ 927.011840][ C0]  gp : ffffffff85863ac0 tp : ffffaf8007403080 t0 : ffffffff86bcb657
[ 927.013032][ C0]  t1 : fffff5ef0b53910c t2 : 0000000000000000 s0 : ffffaf800f98f790
[ 927.016811][ C0]  s1 : ffffaf807aaabe40 a0 : 000000000000003c a1 : 00000000000f0000
[ 927.018143][ C0]  a2 : 0000000000000504 a3 : ffffffff8012252a a4 : a23d0919d893f100
[ 927.019255][ C0]  a5 : a23d0919d893f100 a6 : 0000000000f00000 a7 : ffffaf805a9c8863
[ 927.020428][ C0]  s2 : ffffaf800f98fa60 s3 : ffffaf8007201dc0 s4 : ffffaf800f98f800
[ 927.021550][ C0]  s5 : ffffaf800f98fc00 s6 : 0000000000003fff s7 : 0000000000000001
[ 927.022662][ C0]  s8 : ffffffff8045746a s9 : ffffffffffffc000 s10: ffffaf800f98f960
[ 927.023848][ C0]  s11: 0000000000000008 t3 : fffffffff3f3f300 t4 : fffff5ef0b53910c
[ 927.025144][ C0]  t5 : fffff5ef0b53910d t6 : ffffaf800f98f278
[ 927.026119][ C0] status: 0000000000000100 badaddr: 0000000000000000 cause: 0000000000000003
[ 927.027287][ C0] [] print_address_description.constprop.0+0x2ae/0x330
[ 927.028834][ C0] [] kasan_report+0x184/0x1e0
[ 927.030121][ C0] [] __asan_store8+0x6e/0x96
[ 927.031320][ C0] [] stack_trace_consume_entry+0x6c/0x9e
[ 927.032712][ C0] [] walk_stackframe+0x17e/0x260
[ 927.034133][ C0] [] arch_stack_walk+0x2c/0x3c
[ 927.035463][ C0] [] stack_trace_save+0xa6/0xd8
[ 927.036820][ C0] [] save_stack+0x112/0x16c
[ 927.038061][ C0] [] __set_page_owner+0x48/0x136
[ 927.039293][ C0] [] post_alloc_hook+0xd0/0x10a
[ 927.040543][ C0] [] get_page_from_freelist+0x8da/0x12d8
[ 927.041913][ C0] [] __alloc_pages+0x150/0x3b6
[ 927.043191][ C0] [] alloc_pages+0x132/0x2a6
[ 927.044589][ C0] [] alloc_slab_page.constprop.0+0xc2/0xfa
[ 927.045969][ C0] [] new_slab+0x76/0x2cc
[ 927.047172][ C0] [] ___slab_alloc+0x56e/0x918
[ 927.048462][ C0] irq event stamp: 122055
[ 927.050549][ C0] hardirqs last enabled at (122054): [] get_page_from_freelist+0xfc8/0x12d8
[ 927.053452][ C0] hardirqs last disabled at (122055): [] _raw_spin_lock_irqsave+0x60/0x62
[ 927.055496][ C0] softirqs last enabled at (121922): [] ip6_route_add+0x7e/0x148
[ 927.057242][ C0] softirqs last disabled at (121925): [] __irq_exit_rcu+0x142/0x1f8
[ 927.058752][ C0] ---[ end trace 0000000000000000 ]---
[ 927.059828][ C0]
[ 927.060587][ C0] The buggy address belongs to the object at ffffaf800f98f800
[ 927.060587][ C0]  which belongs to the cache kmalloc-1k of size 1024
[ 927.064045][ C0] The buggy address is located 608 bytes inside of
[ 927.064045][ C0]  1024-byte region [ffffaf800f98f800, ffffaf800f98fc00)
[ 927.065717][ C0] The buggy address belongs to the page:
[ 927.068577][ C0] page:ffffaf807aaabe40 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffffaf800f98f000 pfn:0x8fb88
[ 927.072087][ C0] head:ffffaf807aaabe40 order:3 compound_mapcount:0 compound_pincount:0
[ 927.075413][ C0] flags: 0x8800010200(slab|head|section=17|node=0|zone=0)
[ 927.078285][ C0] raw: 0000008800010200 ffffaf807aacf788 ffffaf807ab26848 ffffaf8007201dc0
[ 927.079813][ C0] raw: ffffaf800f98f000 0000000000100007 00000001ffffffff 0000000000000000
[ 927.081077][ C0] raw: 00000000000007ff
[ 927.082121][ C0] page dumped because: kasan: bad access detected
[ 927.083378][ C0] page_owner tracks the page as allocated
[ 927.084436][ C0] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 13, ts 467625391700, free_ts 451830716000
[ 927.088289][ C0]  __set_page_owner+0x48/0x136
[ 927.090875][ C0]  post_alloc_hook+0xd0/0x10a
[ 927.092092][ C0]  get_page_from_freelist+0x8da/0x12d8
[ 927.093763][ C0]  __alloc_pages+0x150/0x3b6
[ 927.095078][ C0]  alloc_pages+0x132/0x2a6
[ 927.096243][ C0]  alloc_slab_page.constprop.0+0xc2/0xfa
[ 927.097393][ C0]  new_slab+0x76/0x2cc
[ 927.098430][ C0]  ___slab_alloc+0x56e/0x918
[ 927.099611][ C0]  __slab_alloc.constprop.0+0x50/0x8c
[ 927.101011][ C0]  __kmalloc_node_track_caller+0x26c/0x362
[ 927.102283][ C0]  __alloc_skb+0xee/0x2e4
[ 927.104864][ C0]  __napi_alloc_skb+0x72/0x214
[ 927.106041][ C0]  page_to_skb+0x16e/0x70e
[ 927.107156][ C0]  receive_buf+0xa20/0x3e50
[ 927.108675][ C0]  virtnet_poll+0x39c/0x986
[ 927.111044][ C0]  __napi_poll+0x7c/0x358
[ 927.112347][ C0] page last free stack trace:
[ 927.113270][ C0]  __reset_page_owner+0x4a/0xea
[ 927.115589][ C0]  free_pcp_prepare+0x29c/0x45e
[ 927.117877][ C0]  free_unref_page+0x6a/0x31e
[ 927.120099][ C0]  free_compound_page+0x70/0x8a
[ 927.122304][ C0]  __put_compound_page+0x7c/0xb0
[ 927.123551][ C0]  __put_page+0x48/0x100
[ 927.125342][ C0]  skb_release_data+0x2f8/0x3c4
[ 927.127924][ C0]  __kfree_skb+0x38/0x50
[ 927.129018][ C0]  tcp_recvmsg+0x1f2/0x414
[ 927.130135][ C0]  inet_recvmsg+0x10a/0x4ba
[ 927.131235][ C0]  sock_read_iter+0x26c/0x2ba
[ 927.133350][ C0]  new_sync_read+0x3ae/0x3d8
[ 927.134678][ C0]  vfs_read+0x2ce/0x324
[ 927.135815][ C0]  ksys_read+0x1c4/0x224
[ 927.136988][ C0]  sys_read+0x28/0x36
[ 927.138532][ C0]  ret_from_syscall+0x0/0x2
[ 927.139862][ C0]
[ 927.140680][ C0] Memory state around the buggy address:
[ 927.142223][ C0]  ffffaf800f98f900: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 f3
[ 927.143973][ C0]  ffffaf800f98f980: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
[ 927.145836][ C0] >ffffaf800f98fa00: fb fb fb fb f1 f1 f1 f1 00 00 00 00 fb fb fb fb
[ 927.147029][ C0]                                                        ^
[ 927.149050][ C0]  ffffaf800f98fa80: 00 00 00 00 00 00 00 00 f3 f3 f3 f3 00 00 00 00
[ 927.150419][ C0]  ffffaf800f98fb00: 00 00 00 00 00 00 00 00 00 00 00 00 fb fb fb fb
[ 927.151748][ C0] ==================================================================
[ 927.153226][ C0] Disabling lock debugging due to kernel taint
[ 927.164732][ T2045] Kernel panic - not syncing: corrupted stack end detected inside scheduler
[ 927.166057][ T2045] CPU: 0 PID: 2045 Comm: syz-executor.0 Tainted: G B W 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 927.167392][ T2045] Hardware name: riscv-virtio,qemu (DT)
[ 927.168115][ T2045] Call Trace:
[ 927.168671][ T2045] [] dump_backtrace+0x2e/0x3c
[ 927.169747][ T2045] [] show_stack+0x34/0x40
[ 927.170726][ T2045] [] dump_stack_lvl+0xe4/0x150
[ 927.171762][ T2045] [] dump_stack+0x1c/0x24
[ 927.172866][ T2045] [] panic+0x24a/0x634
[ 927.174414][ T2045] [] schedule+0x0/0x14c
[ 927.175448][ T2045] [] preempt_schedule_irq+0x4a/0x13e
[ 927.176614][ T2045] [] resume_kernel+0x16/0x18
[ 927.177906][ T2045] SMP: stopping secondary CPUs
[ 927.180120][ T2045] Rebooting in 86400 seconds..
VM DIAGNOSIS:
06:06:48 Registers:
info registers vcpu 0
pc ffffffff80474702
mhartid 0000000000000000
mstatus 00000000000000a0
mip 00000000000000a0
mie 000000000000022a
mideleg 0000000000000222
medeleg 000000000000b109
mtvec 0000000080000540
stvec ffffffff800055d4
mepc ffffffff80475986
sepc ffffffff801165e0
mcause 8000000000000003
scause 8000000000000005
mtval 0000000000000000
stval 0000000000000000
x0/zero 0000000000000000
x1/ra ffffffff8047478c
x2/sp ffffaf800f98f790
x3/gp ffffffff85863ac0
x4/tp ffffaf8007403080
x5/t0 ffffffff86bcb657
x6/t1 fffff5ef0b53910c
x7/t2 0000000000000000
x8/s0 ffffaf800f98f7d0
x9/s1 ffffaf800f98fa60
x10/a0 ffffaf800f98fa60
x11/a1 00000000000f0000
x12/a2 0000000000000504
x13/a3 0000000020000000
x14/a4 ffffaf8000000000
x15/a5 ffff7c0800000000
x16/a6 0000000000f00000
x17/a7 ffffaf805a9c8863
x18/s2 ffffaf800f98fa60
x19/s3 ffffffff80162970
x20/s4 0000000000000001
x21/s5 ffffffff85863560
x22/s6 0000000000003fff
x23/s7 0000000000000001
x24/s8 ffffffff8045746a
x25/s9 ffffffffffffc000
x26/s10 ffffaf800f98f960
x27/s11 0000000000000008
x28/t3 fffffffff3f3f300
x29/t4 fffff5ef0b53910c
x30/t5 fffff5ef0b53910d
x31/t6 ffffaf800f98f2d8
f0/ft0 0000000000000000
f1/ft1 0000000000000000
f2/ft2 0000000000000000
f3/ft3 0000000000000000
f4/ft4 0000000000000000
f5/ft5 0000000000000000
f6/ft6 0000000000000000
f7/ft7 0000000000000000
f8/fs0 0000000000000000
f9/fs1 0000000000000000
f10/fa0 0000000000000000
f11/fa1 0000000000000000
f12/fa2 0000000000000000
f13/fa3 0000000000000000
f14/fa4 0000000000000000
f15/fa5 0000000000000000
f16/fa6 0000000000000000
f17/fa7 0000000000000000
f18/fs2 0000000000000000
f19/fs3 0000000000000000
f20/fs4 0000000000000000
f21/fs5 0000000000000000
f22/fs6 0000000000000000
f23/fs7 0000000000000000
f24/fs8 0000000000000000
f25/fs9 0000000000000000
f26/fs10 0000000000000000
f27/fs11 0000000000000000
f28/ft8 0000000000000000
f29/ft9 0000000000000000
f30/ft10 0000000000000000
f31/ft11 0000000000000000
info registers vcpu 1
pc ffffffff8010b26a
mhartid 0000000000000001
mstatus 00000000000001a0
mip 00000000000000a0
mie 000000000000020a
mideleg 0000000000000222
medeleg 000000000000b109
mtvec 0000000080000540
stvec ffffffff800055d4
mepc ffffffff80010124
sepc ffffffff80010124
mcause 8000000000000007
scause 8000000000000005
mtval 0000000000000000
stval 0000000000000000
x0/zero 0000000000000000
x1/ra ffffffff831a1986
x2/sp ffffaf80074f31e0
x3/gp ffffffff85863ac0
x4/tp ffffaf8009e26100
x5/t0 0000000000046000
x6/t1 a23d0919d893f100
x7/t2 ffffffffffffffff
x8/s0 ffffaf80074f31f0
x9/s1 ffffaf8009e26be8
x10/a0 0000000000000000
x11/a1 00000000000f0000
x12/a2 0000000000010001
x13/a3 0000000000000000
x14/a4 0000000000000001
x15/a5 ffffaf805a9e4840
x16/a6 0000000000f00000
x17/a7 ffffffff8018e490
x18/s2 0000000000000000
x19/s3 ffffffff84b73ec0
x20/s4 ffffaf8009e27100
x21/s5 ffffffff8343c840
x22/s6 ffffffffffffffff
x23/s7 0000000000000120
x24/s8 ffffffff86c1a620
x25/s9 0000000000000006
x26/s10 ffffffff84b86688
x27/s11 ffffffff8018e490
x28/t3 fffffffff3f3f300
x29/t4 ffffffff80112282
x30/t5 1ffff5f000e9e620
x31/t6 0000000000000004
f0/ft0 0000000000000000
f1/ft1 0000000000000000
f2/ft2 0000000000000000
f3/ft3 0000000000000000
f4/ft4 0000000000000000
f5/ft5 0000000000000000
f6/ft6 0000000000000000
f7/ft7 0000000000000000
f8/fs0 0000000000000000
f9/fs1 0000000000000000
f10/fa0 0000000000000000
f11/fa1 0000000000000000
f12/fa2 0000000000000000
f13/fa3 0000000000000000
f14/fa4 0000000000000000
f15/fa5 0000000000000000
f16/fa6 0000000000000000
f17/fa7 0000000000000000
f18/fs2 0000000000000000
f19/fs3 0000000000000000
f20/fs4 0000000000000000
f21/fs5 0000000000000000
f22/fs6 0000000000000000
f23/fs7 0000000000000000
f24/fs8 0000000000000000
f25/fs9 0000000000000000
f26/fs10 0000000000000000
f27/fs11 0000000000000000
f28/ft8 0000000000000000
f29/ft9 0000000000000000
f30/ft10 0000000000000000
f31/ft11 0000000000000000