syzkaller login: [ 269.832994][ T1858] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'. [ 269.945866][ T1858] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'. [ 270.035642][ T1858] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'. [ 288.115178][ T1858] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'. Warning: Permanently added '[localhost]:54345' (ECDSA) to the list of known hosts. 1970/01/01 00:06:26 fuzzer started 1970/01/01 00:06:39 dialing manager at localhost:34061 [ 405.830412][ T2032] cgroup: Unknown subsys name 'net' [ 406.894618][ T2032] cgroup: Unknown subsys name 'rlimit' 1970/01/01 00:06:46 syscalls: 2918 1970/01/01 00:06:46 code coverage: enabled 1970/01/01 00:06:46 comparison tracing: enabled 1970/01/01 00:06:46 extra coverage: enabled 1970/01/01 00:06:46 delay kcov mmap: mmap returned an invalid pointer 1970/01/01 00:06:46 setuid sandbox: enabled 1970/01/01 00:06:46 namespace sandbox: enabled 1970/01/01 00:06:46 Android sandbox: /sys/fs/selinux/policy does not exist 1970/01/01 00:06:46 fault injection: enabled 1970/01/01 00:06:46 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled 1970/01/01 00:06:46 net packet injection: enabled 1970/01/01 00:06:46 net device setup: enabled 1970/01/01 00:06:46 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist 1970/01/01 00:06:46 devlink PCI setup: PCI device 0000:00:10.0 is not available 1970/01/01 00:06:46 NIC VF setup: PCI device 0000:00:11.0 is not available 1970/01/01 00:06:46 USB emulation: enabled 1970/01/01 00:06:46 hci packet injection: /dev/vhci does not exist 1970/01/01 00:06:46 wifi device emulation: /sys/class/mac80211_hwsim/ does not exist 1970/01/01 00:06:46 802.15.4 emulation: /sys/bus/platform/devices/mac802154_hwsim does not exist 1970/01/01 00:06:47 fetching corpus: 0, signal 0/2000 (executing program) 1970/01/01 00:06:53 fetching corpus: 50, signal 31815/35036 (executing program) 1970/01/01 00:06:57 fetching corpus: 99, signal 44915/49221 (executing program) 1970/01/01 00:07:03 fetching corpus: 149, signal 57953/63018 (executing program) 1970/01/01 00:07:06 fetching corpus: 199, signal 68314/74042 (executing program) 1970/01/01 00:07:08 fetching corpus: 247, signal 71737/78341 (executing program) 1970/01/01 00:07:11 fetching corpus: 297, signal 76792/84070 (executing program) 1970/01/01 00:07:14 fetching corpus: 347, signal 82975/90730 (executing program) 1970/01/01 00:07:16 fetching corpus: 396, signal 87205/95473 (executing program) 1970/01/01 00:07:19 fetching corpus: 443, signal 90867/99631 (executing program) 1970/01/01 00:07:22 fetching corpus: 493, signal 93568/102810 (executing program) 1970/01/01 00:07:25 fetching corpus: 543, signal 96536/106169 (executing program) 1970/01/01 00:07:28 fetching corpus: 591, signal 98340/108511 (executing program) 1970/01/01 00:07:31 fetching corpus: 641, signal 100492/111088 (executing program) 1970/01/01 00:07:34 fetching corpus: 691, signal 103152/113991 (executing program) 1970/01/01 00:07:37 fetching corpus: 739, signal 106144/117074 (executing program) 1970/01/01 00:07:42 fetching corpus: 787, signal 108504/119611 (executing program) 1970/01/01 00:07:46 fetching corpus: 835, signal 112083/123019 (executing program) 1970/01/01 00:07:53 fetching corpus: 885, signal 114069/125157 (executing program) 1970/01/01 00:07:57 fetching corpus: 934, signal 116350/127495 (executing program) 1970/01/01 00:08:00 fetching corpus: 983, signal 118560/129727 (executing program) 1970/01/01 00:08:02 fetching corpus: 1031, signal 120037/131328 (executing program) 1970/01/01 00:08:04 fetching corpus: 1080, signal 122082/133327 (executing program) 1970/01/01 00:08:07 fetching corpus: 1130, signal 124080/135254 (executing program) 1970/01/01 00:08:10 fetching corpus: 1179, signal 125649/136835 (executing program) 1970/01/01 00:08:12 fetching corpus: 1229, signal 127667/138659 (executing program) 1970/01/01 00:08:15 fetching corpus: 1277, signal 128854/139858 (executing program) 1970/01/01 00:08:17 fetching corpus: 1327, signal 130292/141280 (executing program) 1970/01/01 00:08:20 fetching corpus: 1377, signal 131966/142745 (executing program) 1970/01/01 00:08:22 fetching corpus: 1426, signal 133068/143802 (executing program) 1970/01/01 00:08:25 fetching corpus: 1476, signal 134328/144941 (executing program) 1970/01/01 00:08:28 fetching corpus: 1526, signal 135425/145954 (executing program) 1970/01/01 00:08:30 fetching corpus: 1573, signal 137323/147386 (executing program) 1970/01/01 00:08:33 fetching corpus: 1623, signal 138867/148582 (executing program) 1970/01/01 00:08:36 fetching corpus: 1672, signal 141211/150225 (executing program) 1970/01/01 00:08:39 fetching corpus: 1722, signal 142431/151191 (executing program) 1970/01/01 00:08:41 fetching corpus: 1769, signal 143718/152149 (executing program) 1970/01/01 00:08:44 fetching corpus: 1819, signal 145379/153265 (executing program) 1970/01/01 00:08:46 fetching corpus: 1869, signal 147424/154591 (executing program) 1970/01/01 00:08:49 fetching corpus: 1918, signal 148396/155285 (executing program) 1970/01/01 00:08:53 fetching corpus: 1967, signal 149921/156229 (executing program) 1970/01/01 00:08:55 fetching corpus: 2016, signal 151659/157153 (executing program) 1970/01/01 00:08:58 fetching corpus: 2066, signal 152687/157757 (executing program) 1970/01/01 00:09:00 fetching corpus: 2115, signal 153618/158315 (executing program) 1970/01/01 00:09:02 fetching corpus: 2164, signal 154618/158844 (executing program) 1970/01/01 00:09:05 fetching corpus: 2212, signal 155828/159477 (executing program) 1970/01/01 00:09:09 fetching corpus: 2261, signal 156752/159919 (executing program) 1970/01/01 00:09:12 fetching corpus: 2310, signal 157889/160456 (executing program) 1970/01/01 00:09:14 fetching corpus: 2344, signal 158506/160744 (executing program) 1970/01/01 00:09:14 fetching corpus: 2345, signal 158507/160805 (executing program) 1970/01/01 00:09:14 fetching corpus: 2345, signal 158507/160850 (executing program) 1970/01/01 00:09:14 fetching corpus: 2345, signal 158507/160889 (executing program) 1970/01/01 00:09:15 fetching corpus: 2345, signal 158507/160927 (executing program) 1970/01/01 00:09:15 fetching corpus: 2345, signal 158507/160990 (executing program) 1970/01/01 00:09:15 fetching corpus: 2345, signal 158507/161042 (executing program) 1970/01/01 00:09:15 fetching corpus: 2345, signal 158507/161104 (executing program) 1970/01/01 00:09:15 fetching corpus: 2345, signal 158507/161141 (executing program) 1970/01/01 00:09:15 fetching corpus: 2345, signal 158507/161195 (executing program) 1970/01/01 00:09:15 fetching corpus: 2345, signal 158507/161240 (executing program) 1970/01/01 00:09:16 fetching corpus: 2345, signal 158507/161281 (executing program) 1970/01/01 00:09:16 fetching corpus: 2345, signal 158507/161326 (executing program) 1970/01/01 00:09:16 fetching corpus: 2345, signal 158507/161372 (executing program) 1970/01/01 00:09:16 fetching corpus: 2345, signal 158507/161415 (executing program) 1970/01/01 00:09:16 fetching corpus: 2345, signal 158507/161461 (executing program) 1970/01/01 00:09:16 fetching corpus: 2345, signal 158507/161504 (executing program) 1970/01/01 00:09:16 fetching corpus: 2346, signal 158515/161554 (executing program) 1970/01/01 00:09:16 fetching corpus: 2346, signal 158515/161604 (executing program) 1970/01/01 00:09:17 fetching corpus: 2346, signal 158515/161648 (executing program) 1970/01/01 00:09:17 fetching corpus: 2346, signal 158515/161692 (executing program) 1970/01/01 00:09:17 fetching corpus: 2346, signal 158515/161733 (executing program) 1970/01/01 00:09:17 fetching corpus: 2346, signal 158515/161783 (executing program) 1970/01/01 00:09:17 fetching corpus: 2346, signal 158515/161826 (executing program) 1970/01/01 00:09:17 fetching corpus: 2346, signal 158515/161875 (executing program) 1970/01/01 00:09:17 fetching corpus: 2346, signal 158515/161916 (executing program) 1970/01/01 00:09:18 fetching corpus: 2346, signal 158515/161967 (executing program) 1970/01/01 00:09:18 fetching corpus: 2346, signal 158515/162026 (executing program) 1970/01/01 00:09:18 fetching corpus: 2346, signal 158515/162076 (executing program) 1970/01/01 00:09:18 fetching corpus: 2346, signal 158515/162121 (executing program) 1970/01/01 00:09:18 fetching corpus: 2346, signal 158515/162173 (executing program) 1970/01/01 00:09:18 fetching corpus: 2346, signal 158515/162214 (executing program) 1970/01/01 00:09:19 fetching corpus: 2346, signal 158515/162258 (executing program) 1970/01/01 00:09:19 fetching corpus: 2346, signal 158515/162264 (executing program) 1970/01/01 00:09:19 fetching corpus: 2347, signal 158520/162264 (executing program) 1970/01/01 00:09:19 fetching corpus: 2347, signal 158548/162264 (executing program) 1970/01/01 00:09:19 fetching corpus: 2347, signal 158548/162264 (executing program) 1970/01/01 00:11:14 starting 2 fuzzer processes 00:11:15 executing program 0: r0 = bpf$PROG_LOAD(0x5, &(0x7f0000000100)={0x3, 0x3, &(0x7f0000000000)=@framed, &(0x7f00000003c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x80) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000001400)={r0, 0x0, 0xe, 0x0, &(0x7f0000000040)="811635ee775cba93d8e8598a0d86", 0x0, 0x0, 0x0, 0xc1, 0x0, &(0x7f0000000280)="f1e380d9f52e2dc527292cd3e8b850c3c832fdbdc96908fe9ffa9f352cc3ec35fad3eae5e1141d2fd678bf90c6885b62c203dc279deaa983b71491a2b94b62ba80f403d3bb367a9dc9643ee9deec99d0c3875752dee38fdc8aae409ab0f3905e17447cc7de4d2801d93209f3bf834a78c0ed847b92553e73625fbf1a16b97be3002fdfb5b26eb95c5b665e57d32fc3e95620e193b7619a53f53eb78747b69639183a47acf224616aa62529e90dec0aaf70e1a6fc359b2107191ba9846f8a4830c0", 0x0}, 0x48) 00:11:15 executing program 1: keyctl$join(0xc, 0x0) [ 694.396628][ C0] ================================================================== [ 694.400354][ C0] BUG: KASAN: use-after-free in walk_stackframe+0x11c/0x260 [ 694.401976][ C0] Read of size 8 at addr ffffaf800c8df8f0 by task syz-executor.0/2038 [ 694.403617][ C0] [ 694.405542][ C0] CPU: 0 PID: 2038 Comm: syz-executor.0 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0 [ 694.408315][ C0] Hardware name: riscv-virtio,qemu (DT) [ 694.409636][ C0] Call Trace: [ 694.410698][ C0] [] dump_backtrace+0x2e/0x3c [ 694.412091][ C0] [] show_stack+0x34/0x40 [ 694.413388][ C0] [] dump_stack_lvl+0xe4/0x150 [ 694.414765][ C0] [] print_address_description.constprop.0+0x2a/0x330 [ 694.416372][ C0] [] kasan_report+0x184/0x1e0 [ 694.417832][ C0] [] __asan_load8+0x6e/0x96 [ 694.419217][ C0] [] walk_stackframe+0x11c/0x260 [ 694.420575][ C0] [] arch_stack_walk+0x2c/0x3c [ 694.421918][ C0] [] stack_trace_save+0xa6/0xd8 [ 694.423276][ C0] [] save_stack+0x112/0x16c [ 694.424565][ C0] [] __set_page_owner+0x48/0x136 [ 694.425953][ C0] [] post_alloc_hook+0xd0/0x10a [ 694.427829][ C0] [] get_page_from_freelist+0x8da/0x12d8 [ 694.429287][ C0] [] __alloc_pages+0x150/0x3b6 [ 694.430651][ C0] [] alloc_pages+0x132/0x2a6 [ 694.432070][ C0] [] __stack_depot_save+0x3ba/0x4b2 [ 694.433729][ C0] [ 694.434617][ C0] Allocated by task 3: [ 694.435531][ C0] (stack is not available) [ 694.436538][ C0] [ 694.437413][ C0] The buggy address belongs to the object at ffffaf800c8df800 [ 694.437413][ C0] which belongs to the cache kmalloc-1k of size 1024 [ 694.439189][ C0] The buggy address is located 240 bytes inside of [ 694.439189][ C0] 1024-byte region [ffffaf800c8df800, ffffaf800c8dfc00) [ 694.440865][ C0] The buggy address belongs to the page: [ 694.442328][ C0] page:ffffaf807a9d0cc0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8cad8 [ 694.444166][ C0] head:ffffaf807a9d0cc0 order:3 compound_mapcount:0 compound_pincount:0 [ 694.445673][ C0] flags: 0x8800010200(slab|head|section=17|node=0|zone=0) [ 694.448837][ C0] raw: 0000008800010200 ffffaf807aaf4e00 0000000000000002 ffffaf8007201dc0 [ 694.450286][ C0] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 [ 694.451538][ C0] raw: 00000000000007ff [ 694.452489][ C0] page dumped because: kasan: bad access detected [ 694.453686][ C0] page_owner tracks the page as allocated [ 694.454685][ C0] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 0, ts 303933132700, free_ts 300512230900 [ 694.457573][ C0] __set_page_owner+0x48/0x136 [ 694.458940][ C0] post_alloc_hook+0xd0/0x10a [ 694.460045][ C0] get_page_from_freelist+0x8da/0x12d8 [ 694.461198][ C0] __alloc_pages+0x150/0x3b6 [ 694.462283][ C0] alloc_pages+0x132/0x2a6 [ 694.463401][ C0] alloc_slab_page.constprop.0+0xc2/0xfa [ 694.464626][ C0] new_slab+0x76/0x2cc [ 694.465713][ C0] ___slab_alloc+0x56e/0x918 [ 694.467282][ C0] __slab_alloc.constprop.0+0x50/0x8c [ 694.468473][ C0] __kmalloc_node_track_caller+0x26c/0x362 [ 694.469711][ C0] __alloc_skb+0xee/0x2e4 [ 694.470817][ C0] __napi_alloc_skb+0x72/0x214 [ 694.471977][ C0] page_to_skb+0x16e/0x70e [ 694.473096][ C0] receive_buf+0xa20/0x3e50 [ 694.474227][ C0] virtnet_poll+0x39c/0x986 [ 694.475393][ C0] __napi_poll+0x7c/0x358 [ 694.476897][ C0] page last free stack trace: [ 694.478044][ C0] __reset_page_owner+0x4a/0xea [ 694.479209][ C0] free_pcp_prepare+0x29c/0x45e [ 694.480316][ C0] free_unref_page+0x6a/0x31e [ 694.481378][ C0] __free_pages+0xe2/0x112 [ 694.482414][ C0] __free_slab+0x122/0x27c [ 694.483505][ C0] discard_slab+0x4c/0x7a [ 694.484626][ C0] __slab_free+0x20a/0x29c [ 694.485732][ C0] ___cache_free+0x17c/0x354 [ 694.487208][ C0] qlist_free_all+0x7c/0x132 [ 694.488269][ C0] kasan_quarantine_reduce+0x14c/0x1c8 [ 694.489402][ C0] __kasan_slab_alloc+0x5c/0x98 [ 694.490578][ C0] kmem_cache_alloc_node+0x368/0x41c [ 694.491752][ C0] __alloc_skb+0x234/0x2e4 [ 694.492855][ C0] tcp_stream_alloc_skb+0x70/0x4c0 [ 694.493952][ C0] tcp_sendmsg_locked+0x880/0x1d9e [ 694.495024][ C0] tcp_sendmsg+0x32/0x4e [ 694.496258][ C0] [ 694.497063][ C0] Memory state around the buggy address: [ 694.498422][ C0] ffffaf800c8df780: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc [ 694.499681][ C0] ffffaf800c8df800: 00 00 00 00 00 00 00 00 fb fb fb fb fb fb fb fb [ 694.500851][ C0] >ffffaf800c8df880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 694.501958][ C0] ^ [ 694.503196][ C0] ffffaf800c8df900: fb fb fb fb fb fb fb fb f1 f1 f1 f1 00 00 00 f3 [ 694.504381][ C0] ffffaf800c8df980: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 [ 694.505573][ C0] ================================================================== [ 694.507178][ C0] Disabling lock debugging due to kernel taint [ 694.511474][ T2038] Kernel panic - not syncing: corrupted stack end detected inside scheduler [ 694.512699][ T2038] CPU: 0 PID: 2038 Comm: syz-executor.0 Tainted: G B 5.17.0-rc1-syzkaller-00002-g0966d385830d #0 [ 694.513890][ T2038] Hardware name: riscv-virtio,qemu (DT) [ 694.514603][ T2038] Call Trace: [ 694.515191][ T2038] [] dump_backtrace+0x2e/0x3c [ 694.516524][ T2038] [] show_stack+0x34/0x40 [ 694.517516][ T2038] [] dump_stack_lvl+0xe4/0x150 [ 694.518635][ T2038] [] dump_stack+0x1c/0x24 [ 694.519717][ T2038] [] panic+0x24a/0x634 [ 694.520744][ T2038] [] schedule+0x0/0x14c [ 694.521831][ T2038] [] preempt_schedule_irq+0x4a/0x13e [ 694.523439][ T2038] [] resume_kernel+0x16/0x18 [ 694.525212][ T2038] SMP: stopping secondary CPUs [ 694.527818][ T2038] Rebooting in 86400 seconds.. VM DIAGNOSIS: 13:49:46 Registers: info registers vcpu 0 pc ffffffff80dc337e mhartid 0000000000000000 mstatus 00000000000000a0 mip 00000000000000a0 mie 000000000000022a mideleg 0000000000000222 medeleg 000000000000b109 mtvec 0000000080000540 stvec ffffffff800055d4 mepc ffffffff80201160 sepc ffffffff80061052 mcause 8000000000000007 scause 8000000000000009 mtval 0000000000000000 stval 0000000000000000 x0/zero 0000000000000000 x1/ra ffffffff80dc337e x2/sp ffffaf800c8df2c0 x3/gp ffffffff85863ac0 x4/tp ffffaf800ecb1840 x5/t0 ffffffff86bcb657 x6/t1 46b46b895fdcde00 x7/t2 0000000000000000 x8/s0 ffffaf800c8df2f0 x9/s1 ffffffff86e58900 x10/a0 ffffffff86e58948 x11/a1 ffff8f800066c000 x12/a2 1ffffffff0dcb129 x13/a3 ffffffff80dc337e x14/a4 0000000000000000 x15/a5 ffffffff86e58948 x16/a6 ffffffff86e589f1 x17/a7 ffffffff80dcc9fe x18/s2 ffff8f800066c000 x19/s3 000000000000005b x20/s4 ffffffff86e58900 x21/s5 ffffffff80dc333e x22/s6 0000000000000000 x23/s7 ffffffff86bcb658 x24/s8 0000000000000010 x25/s9 ffffffff86e58958 x26/s10 0000000000000010 x27/s11 0000000000000000 x28/t3 fffffffff3f3f300 x29/t4 ffffffff80112282 x30/t5 1ffff5f00191be08 x31/t6 ffffffff86bcb657 f0/ft0 0000000000000000 f1/ft1 0000000000000000 f2/ft2 0000000000000000 f3/ft3 0000000000000000 f4/ft4 0000000000000000 f5/ft5 0000000000000000 f6/ft6 0000000000000000 f7/ft7 0000000000000000 f8/fs0 0000000000000000 f9/fs1 0000000000000000 f10/fa0 0000000000000000 f11/fa1 0000000000000000 f12/fa2 0000000000000000 f13/fa3 0000000000000000 f14/fa4 0000000000000000 f15/fa5 0000000000000000 f16/fa6 0000000000000000 f17/fa7 0000000000000000 f18/fs2 0000000000000000 f19/fs3 0000000000000000 f20/fs4 0000000000000000 f21/fs5 0000000000000000 f22/fs6 0000000000000000 f23/fs7 0000000000000000 f24/fs8 0000000000000000 f25/fs9 0000000000000000 f26/fs10 0000000000000000 f27/fs11 0000000000000000 f28/ft8 0000000000000000 f29/ft9 0000000000000000 f30/ft10 0000000000000000 f31/ft11 0000000000000000 info registers vcpu 1 pc ffffffff80475986 mhartid 0000000000000001 mstatus 00000000000000a2 mip 0000000000000000 mie 00000000000002aa mideleg 0000000000000222 medeleg 000000000000b109 mtvec 0000000080000540 stvec ffffffff800055d4 mepc ffffffff8000f97e sepc ffffffff804759b6 mcause 0000000000000009 scause 8000000000000005 mtval 0000000000000000 stval 0000000000000000 x0/zero 0000000000000000 x1/ra ffffffff80119b52 x2/sp ffffaf800bc8f7e0 x3/gp ffffffff85863ac0 x4/tp ffffaf8009c09840 x5/t0 00000000000001f8 x6/t1 46b46b895fdcde00 x7/t2 ffffffffffffffff x8/s0 ffffaf800bc8f820 x9/s1 ffffaf800f982498 x10/a0 ffffaf800f982498 x11/a1 0000000000000003 x12/a2 1ffff5f001f30493 x13/a3 ffffffff80119b52 x14/a4 0000000000000000 x15/a5 ffffaf800f982498 x16/a6 0000000000f00000 x17/a7 ffffffff826e6226 x18/s2 0000000000000001 x19/s3 ffffaf8009c09840 x20/s4 ffffaf800f9824a8 x21/s5 ffffaf800f9824a0 x22/s6 ffffaf800bc8f960 x23/s7 ffffaf800bc8fb00 x24/s8 0000000000000000 x25/s9 0000000000004000 x26/s10 0000000000000040 x27/s11 0000000000000001 x28/t3 fffffffff3f3f300 x29/t4 ffffffff80112282 x30/t5 1ffff5f001791eb4 x31/t6 0000000001c34a68 f0/ft0 0000000000000000 f1/ft1 0000000000000000 f2/ft2 0000000000000000 f3/ft3 0000000000000000 f4/ft4 0000000000000000 f5/ft5 0000000000000000 f6/ft6 0000000000000000 f7/ft7 0000000000000000 f8/fs0 0000000000000000 f9/fs1 0000000000000000 f10/fa0 0000000000000000 f11/fa1 0000000000000000 f12/fa2 0000000000000000 f13/fa3 0000000000000000 f14/fa4 0000000000000000 f15/fa5 0000000000000000 f16/fa6 0000000000000000 f17/fa7 0000000000000000 f18/fs2 0000000000000000 f19/fs3 0000000000000000 f20/fs4 0000000000000000 f21/fs5 0000000000000000 f22/fs6 0000000000000000 f23/fs7 0000000000000000 f24/fs8 0000000000000000 f25/fs9 0000000000000000 f26/fs10 0000000000000000 f27/fs11 0000000000000000 f28/ft8 0000000000000000 f29/ft9 0000000000000000 f30/ft10 0000000000000000 f31/ft11 0000000000000000