syzkaller login: [  296.527452][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[  309.582162][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[  309.632765][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[  333.208633][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
Warning: Permanently added '[localhost]:44026' (ECDSA) to the list of known hosts.
1970/01/01 00:06:22 fuzzer started
1970/01/01 00:06:38 dialing manager at localhost:35273
[  405.270531][ T2039] cgroup: Unknown subsys name 'net'
[  406.441821][ T2039] cgroup: Unknown subsys name 'rlimit'
1970/01/01 00:06:46 syscalls: 2853
1970/01/01 00:06:46 code coverage: enabled
1970/01/01 00:06:46 comparison tracing: enabled
1970/01/01 00:06:46 extra coverage: enabled
1970/01/01 00:06:46 delay kcov mmap: mmap returned an invalid pointer
1970/01/01 00:06:46 setuid sandbox: enabled
1970/01/01 00:06:46 namespace sandbox: enabled
1970/01/01 00:06:46 Android sandbox: /sys/fs/selinux/policy does not exist
1970/01/01 00:06:46 fault injection: enabled
1970/01/01 00:06:46 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
1970/01/01 00:06:46 net packet injection: enabled
1970/01/01 00:06:46 net device setup: enabled
1970/01/01 00:06:46 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
1970/01/01 00:06:46 devlink PCI setup: PCI device 0000:00:10.0 is not available
1970/01/01 00:06:46 USB emulation: enabled
1970/01/01 00:06:46 hci packet injection: /dev/vhci does not exist
1970/01/01 00:06:46 wifi device emulation: /sys/class/mac80211_hwsim/ does not exist
1970/01/01 00:06:46 802.15.4 emulation: /sys/bus/platform/devices/mac802154_hwsim does not exist
1970/01/01 00:06:46 fetching corpus: 0, signal 0/2000 (executing program)
[  408.088204][    C0] ==================================================================
[  408.091786][    C0] BUG: KASAN: use-after-free in __bfs+0x154/0x394
[  408.093291][    C0] Read of size 8 at addr ffffaf800d32bf70 by task sshd/2028
[  408.094464][    C0] 
[  408.096242][    C0] CPU: 0 PID: 2028 Comm: sshd Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[  408.097745][    C0] Hardware name: riscv-virtio,qemu (DT)
[  408.098844][    C0] Call Trace:
[  408.099701][    C0] [<ffffffff8000a228>] dump_backtrace+0x2e/0x3c
[  408.101022][    C0] [<ffffffff831668cc>] show_stack+0x34/0x40
[  408.102111][    C0] [<ffffffff831756ba>] dump_stack_lvl+0xe4/0x150
[  408.103322][    C0] [<ffffffff8047479e>] print_address_description.constprop.0+0x2a/0x330
[  408.104664][    C0] [<ffffffff80474d4c>] kasan_report+0x184/0x1e0
[  408.105876][    C0] [<ffffffff80475b20>] __asan_load8+0x6e/0x96
[  408.107018][    C0] [<ffffffff8010dd9a>] __bfs+0x154/0x394
[  408.108067][    C0] [<ffffffff8010e52a>] check_path.constprop.0+0x24/0x46
[  408.109248][    C0] [<ffffffff8010f95c>] check_noncircular+0x11a/0x1fe
[  408.110569][    C0] 
[  408.111144][    C0] The buggy address belongs to the page:
[  408.112441][    C0] page:ffffaf807a9ff418 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8d52b
[  408.113870][    C0] flags: 0x8800000000(section=17|node=0|zone=0)
[  408.116167][    C0] raw: 0000008800000000 ffffaf807a9c1620 ffffaf807aa658b8 0000000000000000
[  408.117307][    C0] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[  408.118258][    C0] raw: 00000000000007ff
[  408.118957][    C0] page dumped because: kasan: bad access detected
[  408.119982][    C0] page_owner tracks the page as freed
[  408.120740][    C0] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x500cc2(GFP_HIGHUSER|__GFP_ACCOUNT), pid 2025, ts 363505706700, free_ts 363619062600
[  408.122890][    C0]  __set_page_owner+0x48/0x136
[  408.124561][    C0]  post_alloc_hook+0xd0/0x10a
[  408.126004][    C0]  get_page_from_freelist+0x8da/0x12d8
[  408.127070][    C0]  __alloc_pages+0x150/0x3b6
[  408.127977][    C0]  alloc_pages+0x132/0x2a6
[  408.129293][    C0]  pipe_write+0xbd2/0x10d6
[  408.130297][    C0]  new_sync_write+0x296/0x3aa
[  408.131461][    C0]  vfs_write+0x2de/0x334
[  408.132431][    C0]  ksys_write+0x1c4/0x224
[  408.133375][    C0]  sys_write+0x28/0x36
[  408.134375][    C0]  ret_from_syscall+0x0/0x2
[  408.135518][    C0] page last free stack trace:
[  408.136197][    C0]  __reset_page_owner+0x4a/0xea
[  408.137165][    C0]  free_pcp_prepare+0x29c/0x45e
[  408.138094][    C0]  free_unref_page+0x6a/0x31e
[  408.139024][    C0]  __put_page+0xf2/0x100
[  408.139881][    C0]  anon_pipe_buf_release+0x154/0x19a
[  408.140941][    C0]  pipe_read+0x3f2/0xa4c
[  408.141874][    C0]  new_sync_read+0x3ae/0x3d8
[  408.142829][    C0]  vfs_read+0x2ce/0x324
[  408.143733][    C0]  ksys_read+0x1c4/0x224
[  408.144672][    C0]  sys_read+0x28/0x36
[  408.145581][    C0]  ret_from_syscall+0x0/0x2
[  408.146668][    C0] 
[  408.147191][    C0] Memory state around the buggy address:
[  408.148343][    C0]  ffffaf800d32be00: ff ff ff ff f1 f1 f1 f1 00 f3 f3 f3 ff ff ff ff
[  408.149342][    C0]  ffffaf800d32be80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[  408.150287][    C0] >ffffaf800d32bf00: 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 ff ff ff ff
[  408.151150][    C0]                                                              ^
[  408.152172][    C0]  ffffaf800d32bf80: 00 00 00 f3 f3 f3 f3 f3 ff ff ff ff ff ff ff ff
[  408.153132][    C0]  ffffaf800d32c000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  408.154106][    C0] ==================================================================
[  408.155045][    C0] Disabling lock debugging due to kernel taint
[  408.237362][ T2028] Kernel panic - not syncing: corrupted stack end detected inside scheduler
[  408.238706][ T2028] CPU: 0 PID: 2028 Comm: sshd Tainted: G    B             5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[  408.239849][ T2028] Hardware name: riscv-virtio,qemu (DT)
[  408.240530][ T2028] Call Trace:
[  408.241067][ T2028] [<ffffffff8000a228>] dump_backtrace+0x2e/0x3c
[  408.242146][ T2028] [<ffffffff831668cc>] show_stack+0x34/0x40
[  408.243082][ T2028] [<ffffffff831756ba>] dump_stack_lvl+0xe4/0x150
[  408.244689][ T2028] [<ffffffff83175742>] dump_stack+0x1c/0x24
[  408.245790][ T2028] [<ffffffff83166fa8>] panic+0x24a/0x634
[  408.246681][ T2028] [<ffffffff831a688a>] schedule+0x0/0x14c
[  408.247679][ T2028] [<ffffffff831a6b00>] preempt_schedule_common+0x4e/0xde
[  408.248804][ T2028] [<ffffffff831a6bc4>] preempt_schedule+0x34/0x36
[  408.251040][ T2028] [<ffffffff831afd78>] _raw_spin_unlock_irqrestore+0x8c/0x98
[  408.252139][ T2028] [<ffffffff80b090c2>] __debug_object_init+0x284/0x7b8
[  408.253413][ T2028] [<ffffffff80b09632>] debug_object_init_on_stack+0x1a/0x22
[  408.256241][ T2028] [<ffffffff831af106>] schedule_hrtimeout_range_clock+0xe0/0x2de
[  408.257378][ T2028] [<ffffffff831af32c>] schedule_hrtimeout_range+0x28/0x36
[  408.258395][ T2028] [<ffffffff804f928a>] poll_schedule_timeout.constprop.0+0x84/0xde
[  408.260229][ T2028] [<ffffffff804fa506>] do_select+0xd50/0xeb4
[  408.261277][ T2028] [<ffffffff804fb57c>] core_sys_select+0x364/0x8c8
[  408.264140][ T2028] [<ffffffff804fbed6>] sys_pselect6+0x258/0x29a
[  408.265887][ T2028] [<ffffffff80005716>] ret_from_syscall+0x0/0x2
[  408.267172][ T2028] SMP: stopping secondary CPUs
[  408.269381][ T2028] Rebooting in 86400 seconds..

VM DIAGNOSIS:
02:09:19  Registers:
info registers vcpu 0
 pc       ffffffff8012262a
 mhartid  0000000000000000
 mstatus  00000000000000a0
 mip      00000000000000a0
 mie      000000000000022a
 mideleg  0000000000000222
 medeleg  000000000000b109
 mtvec    0000000080000540
 stvec    ffffffff800055d4
 mepc     ffffffff80c38494
 sepc     ffffffff80173ff0
 mcause   8000000000000007
 scause   8000000000000005
 mtval  0000000000000000
 stval  0000000000000000
 x0/zero 0000000000000000 x1/ra ffffffff80122626 x2/sp ffffaf800d32b9a0 x3/gp ffffffff85863ac0
 x4/tp ffffaf800e5dc8c0 x5/t0 ffffffff86bcb657 x6/t1 fffffffff3f3f3f3 x7/t2 0000000000000000
 x8/s0 ffffaf800d32b9d0 x9/s1 0000000000000000 x10/a0 ffffaf800e5dc8c8 x11/a1 00000000000f0000
 x12/a2 0000000000000507 x13/a3 ffffffff80122626 x14/a4 ffffaf800e5dc8c0 x15/a5 0000000000000000
 x16/a6 0000000000f00000 x17/a7 3c17a9b6b54b2c00 x18/s2 0000000000000000 x19/s3 0000000000000020
 x20/s4 ffffaf800d32bb40 x21/s5 ffffaf800d32ba60 x22/s6 ffffffff8588c1a0 x23/s7 ffffffff8588c3e0
 x24/s8 ffffffff8588c220 x25/s9 ffffffff84a88520 x26/s10 ffffffff858655c0 x27/s11 ffffffff850d8410
 x28/t3 ffffffff801163b2 x29/t4 fffffffef0d796c8 x30/t5 fffffffef0d796cb x31/t6 ffffffff86bcb657
 f0/ft0 0000000000000000 f1/ft1 0000000000000000 f2/ft2 0000000000000000 f3/ft3 0000000000000000
 f4/ft4 0000000000000000 f5/ft5 0000000000000000 f6/ft6 0000000000000000 f7/ft7 0000000000000000
 f8/fs0 0000000000000000 f9/fs1 0000000000000000 f10/fa0 0000000000000000 f11/fa1 0000000000000000
 f12/fa2 0000000000000000 f13/fa3 0000000000000000 f14/fa4 0000000000000000 f15/fa5 0000000000000000
 f16/fa6 0000000000000000 f17/fa7 0000000000000000 f18/fs2 0000000000000000 f19/fs3 0000000000000000
 f20/fs4 0000000000000000 f21/fs5 0000000000000000 f22/fs6 0000000000000000 f23/fs7 0000000000000000
 f24/fs8 0000000000000000 f25/fs9 0000000000000000 f26/fs10 0000000000000000 f27/fs11 0000000000000000
 f28/ft8 0000000000000000 f29/ft9 0000000000000000 f30/ft10 0000000000000000 f31/ft11 0000000000000000
info registers vcpu 1
 pc       ffffffff8010b22c
 mhartid  0000000000000001
 mstatus  00000000000001a0
 mip      00000000000000a0
 mie      000000000000020a
 mideleg  0000000000000222
 medeleg  000000000000b109
 mtvec    0000000080000540
 stvec    ffffffff800055d4
 mepc     ffffffff80103a6c
 sepc     ffffffff800bdb3e
 mcause   8000000000000007
 scause   8000000000000005
 mtval  0000000000000000
 stval  0000000000000000
 x0/zero 0000000000000000 x1/ra ffffffff831a18d8 x2/sp ffffaf80095e33a0 x3/gp ffffffff85863ac0
 x4/tp ffffaf8009bd9840 x5/t0 0000000000046000 x6/t1 fd616b6aa4dea000 x7/t2 0000000000000001
 x8/s0 ffffaf80095e33b0 x9/s1 0000000000001000 x10/a0 0000000000000120 x11/a1 ffffffffffffffff
 x12/a2 1ffffffff0b0dfa4 x13/a3 ffffffff800bf936 x14/a4 0000000000010002 x15/a5 0000000000000000
 x16/a6 0000000000f00000 x17/a7 fe17ff234e600000 x18/s2 ffffffff8344cc80 x19/s3 ffffaf805a9f4c98
 x20/s4 1ffff5f0012bc690 x21/s5 ffffffff8343c840 x22/s6 ffffffffffffffff x23/s7 ffffffff86c1a628
 x24/s8 ffffffff86c1a620 x25/s9 ffffaf8009bd9840 x26/s10 ffffaf805a9f4c98 x27/s11 ffffffff8018e412
 x28/t3 fffffffff3f3f300 x29/t4 ffffffff80112282 x30/t5 1ffff5f0012bc634 x31/t6 0000000000000002
 f0/ft0 0000000000000000 f1/ft1 407dc9aa265db381 f2/ft2 4104b8c000000000 f3/ft3 43e0000000000000
 f4/ft4 3ffe000000000000 f5/ft5 0000000000000000 f6/ft6 0000000000000000 f7/ft7 0000000000000000
 f8/fs0 0000000000000000 f9/fs1 0000000000000000 f10/fa0 0000000000000000 f11/fa1 0000000000000000
 f12/fa2 0000000000000000 f13/fa3 0000000000000000 f14/fa4 0000000000000000 f15/fa5 0000000000000000
 f16/fa6 0000000000000000 f17/fa7 0000000000000000 f18/fs2 0000000000000000 f19/fs3 0000000000000000
 f20/fs4 0000000000000000 f21/fs5 0000000000000000 f22/fs6 0000000000000000 f23/fs7 0000000000000000
 f24/fs8 0000000000000000 f25/fs9 0000000000000000 f26/fs10 0000000000000000 f27/fs11 0000000000000000
 f28/ft8 0000000000000000 f29/ft9 0000000000000000 f30/ft10 0000000000000000 f31/ft11 0000000000000000