[ 253.479517][ T1860] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 253.529342][ T1860] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 253.552203][ T1860] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
Warning: Permanently added '[localhost]:55864' (ECDSA) to the list of known hosts.
1970/01/01 00:05:16 fuzzer started
1970/01/01 00:05:26 dialing manager at localhost:46541
[ 333.234807][ T2027] cgroup: Unknown subsys name 'net'
[ 334.404811][ T2027] cgroup: Unknown subsys name 'rlimit'
1970/01/01 00:05:34 syscalls: 2918
1970/01/01 00:05:34 code coverage: enabled
1970/01/01 00:05:34 comparison tracing: enabled
1970/01/01 00:05:34 extra coverage: enabled
1970/01/01 00:05:34 delay kcov mmap: mmap returned an invalid pointer
1970/01/01 00:05:34 setuid sandbox: enabled
1970/01/01 00:05:34 namespace sandbox: enabled
1970/01/01 00:05:34 Android sandbox: /sys/fs/selinux/policy does not exist
1970/01/01 00:05:34 fault injection: enabled
1970/01/01 00:05:34 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
1970/01/01 00:05:34 net packet injection: enabled
1970/01/01 00:05:34 net device setup: enabled
1970/01/01 00:05:34 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
1970/01/01 00:05:34 devlink PCI setup: PCI device 0000:00:10.0 is not available
1970/01/01 00:05:34 NIC VF setup: PCI device 0000:00:11.0 is not available
1970/01/01 00:05:34 USB emulation: enabled
1970/01/01 00:05:34 hci packet injection: /dev/vhci does not exist
1970/01/01 00:05:34 wifi device emulation: /sys/class/mac80211_hwsim/ does not exist
1970/01/01 00:05:34 802.15.4 emulation: /sys/bus/platform/devices/mac802154_hwsim does not exist
1970/01/01 00:05:34 fetching corpus: 0, signal 0/2000 (executing program)
1970/01/01 00:05:39 fetching corpus: 50, signal 36075/38817 (executing program)
1970/01/01 00:05:42 fetching corpus: 100, signal 48337/51751 (executing program)
1970/01/01 00:05:45 fetching corpus: 150, signal 58216/61997 (executing program)
1970/01/01 00:05:48 fetching corpus: 200, signal 68632/72521 (executing program)
1970/01/01 00:05:50 fetching corpus: 250, signal 73726/77879 (executing program)
1970/01/01 00:05:53 fetching corpus: 299, signal 78361/82680 (executing program)
1970/01/01 00:05:55 fetching corpus: 349, signal 81887/86341 (executing program)
1970/01/01 00:05:57 fetching corpus: 398, signal 84616/89233 (executing program)
1970/01/01 00:06:00 fetching corpus: 448, signal 88631/93061 (executing program)
1970/01/01 00:06:03 fetching corpus: 498, signal 93548/97458 (executing program)
1970/01/01 00:06:06 fetching corpus: 546, signal 95638/99449 (executing program)
1970/01/01 00:06:09 fetching corpus: 596, signal 98230/101765 (executing program)
1970/01/01 00:06:12 fetching corpus: 645, signal 101231/104243 (executing program)
1970/01/01 00:06:14 fetching corpus: 694, signal 103575/106171 (executing program)
1970/01/01 00:06:18 fetching corpus: 744, signal 105973/108056 (executing program)
1970/01/01 00:06:22 fetching corpus: 794, signal 107894/109548 (executing program)
1970/01/01 00:06:24 fetching corpus: 833, signal 109255/110568 (executing program)
1970/01/01 00:06:24 fetching corpus: 833, signal 109271/110641 (executing program)
1970/01/01 00:06:24 fetching corpus: 833, signal 109271/110706 (executing program)
1970/01/01 00:06:24 fetching corpus: 833, signal 109271/110804 (executing program)
1970/01/01 00:06:24 fetching corpus: 833, signal 109271/110863 (executing program)
1970/01/01 00:06:24 fetching corpus: 833, signal 109271/110940 (executing program)
1970/01/01 00:06:24 fetching corpus: 833, signal 109271/111007 (executing program)
1970/01/01 00:06:25 fetching corpus: 833, signal 109271/111070 (executing program)
1970/01/01 00:06:25 fetching corpus: 834, signal 109281/111145 (executing program)
1970/01/01 00:06:25 fetching corpus: 834, signal 109283/111227 (executing program)
1970/01/01 00:06:25 fetching corpus: 834, signal 109283/111298 (executing program)
1970/01/01 00:06:25 fetching corpus: 834, signal 109283/111367 (executing program)
1970/01/01 00:06:25 fetching corpus: 834, signal 109283/111430 (executing program)
1970/01/01 00:06:25 fetching corpus: 834, signal 109283/111499 (executing program)
1970/01/01 00:06:26 fetching corpus: 834, signal 109283/111575 (executing program)
1970/01/01 00:06:26 fetching corpus: 834, signal 109283/111642 (executing program)
1970/01/01 00:06:26 fetching corpus: 834, signal 109283/111713 (executing program)
1970/01/01 00:06:26 fetching corpus: 834, signal 109283/111777 (executing program)
1970/01/01 00:06:26 fetching corpus: 834, signal 109283/111832 (executing program)
1970/01/01 00:06:26 fetching corpus: 834, signal 109283/111908 (executing program)
1970/01/01 00:06:26 fetching corpus: 834, signal 109283/111978 (executing program)
1970/01/01 00:06:26 fetching corpus: 834, signal 109283/112064 (executing program)
1970/01/01 00:06:27 fetching corpus: 834, signal 109288/112139 (executing program)
1970/01/01 00:06:27 fetching corpus: 834, signal 109288/112210 (executing program)
1970/01/01 00:06:27 fetching corpus: 834, signal 109288/112284 (executing program)
1970/01/01 00:06:27 fetching corpus: 834, signal 109288/112373 (executing program)
1970/01/01 00:06:27 fetching corpus: 834, signal 109288/112440 (executing program)
1970/01/01 00:06:27 fetching corpus: 834, signal 109288/112508 (executing program)
1970/01/01 00:06:28 fetching corpus: 834, signal 109288/112573 (executing program)
1970/01/01 00:06:28 fetching corpus: 834, signal 109288/112655 (executing program)
1970/01/01 00:06:28 fetching corpus: 834, signal 109288/112735 (executing program)
1970/01/01 00:06:28 fetching corpus: 834, signal 109288/112816 (executing program)
1970/01/01 00:06:28 fetching corpus: 834, signal 109288/112885 (executing program)
1970/01/01 00:06:28 fetching corpus: 834, signal 109288/112961 (executing program)
1970/01/01 00:06:28 fetching corpus: 834, signal 109288/113042 (executing program)
1970/01/01 00:06:29 fetching corpus: 834, signal 109307/113109 (executing program)
1970/01/01 00:06:29 fetching corpus: 834, signal 109307/113185 (executing program)
1970/01/01 00:06:29 fetching corpus: 834, signal 109307/113262 (executing program)
1970/01/01 00:06:29 fetching corpus: 834, signal 109307/113327 (executing program)
1970/01/01 00:06:29 fetching corpus: 834, signal 109307/113374 (executing program)
1970/01/01 00:06:29 fetching corpus: 834, signal 109307/113374 (executing program)
1970/01/01 00:08:10 starting 2 fuzzer processes
00:08:10 executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket$can_j1939(0x1d, 0x2, 0x7)
ioctl$ifreq_SIOCGIFINDEX_vcan(r1, 0x8933, &(0x7f0000000040)={'vxcan0\x00', 0x0})
sendmsg$nl_route(r0, &(0x7f00000003c0)={0x0, 0x0, &(0x7f0000000380)={&(0x7f00000002c0)=@ipv6_newaddr={0x34, 0x14, 0x801, 0x0, 0x0, {0xa, 0x0, 0x0, 0x0, r2}, [@IFA_LOCAL={0x14, 0x2, @mcast1}, @IFA_FLAGS={0x8}]}, 0x34}}, 0x0)
00:08:10 executing program 1:
r0 = userfaultfd(0x80801)
ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f0000000100))
r1 = dup(r0)
ioctl$UFFDIO_REGISTER(r1, 0xc020aa00, &(0x7f0000005940)={{&(0x7f0000ff8000/0x8000)=nil, 0x8000}, 0x1})
r2 = userfaultfd(0x80801)
ioctl$UFFDIO_API(r2, 0xc018aa3f, &(0x7f0000000100))
ioctl$UFFDIO_COPY(r2, 0xc028aa03, &(0x7f0000001480)={&(0x7f0000ffc000/0x4000)=nil, &(0x7f0000ff1000/0xf000)=nil, 0x4000})
ioctl$UFFDIO_COPY(r2, 0xc028aa03, &(0x7f00000001c0)={&(0x7f0000ff8000/0x1000)=nil, &(0x7f0000ffe000/0x2000)=nil, 0x1000})
[ 515.142433][ T2031] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 515.252599][ T2033] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 515.322152][ T2031] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 515.393821][ T2033] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 527.123208][ T2033] device hsr_slave_0 entered promiscuous mode
[ 527.211984][ T2033] device hsr_slave_1 entered promiscuous mode
[ 527.362744][ T2031] device hsr_slave_0 entered promiscuous mode
[ 527.445232][ T2031] device hsr_slave_1 entered promiscuous mode
[ 527.495661][ T2031] debugfs: Directory 'hsr0' with parent 'hsr' already present!
[ 527.503063][ T2031] Cannot create hsr debugfs directory
[ 527.602160][ C0] ==================================================================
[ 527.604429][ C0] BUG: KASAN: use-after-free in walk_stackframe+0x11c/0x260
[ 527.605738][ C0] Read of size 8 at addr ffffaf800e783e30 by task syz-executor.0/2033
[ 527.606889][ C0]
[ 527.608006][ C0] CPU: 0 PID: 2033 Comm: syz-executor.0 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 527.609748][ C0] Hardware name: riscv-virtio,qemu (DT)
[ 527.611058][ C0] Call Trace:
[ 527.612531][ C0] [] dump_backtrace+0x2e/0x3c
[ 527.613328][ C0] [] show_stack+0x34/0x40
[ 527.614113][ C0] [] dump_stack_lvl+0xe4/0x150
[ 527.614910][ C0] [] print_address_description.constprop.0+0x2a/0x330
[ 527.615727][ C0] [] kasan_report+0x184/0x1e0
[ 527.616864][ C0] [] __asan_load8+0x6e/0x96
[ 527.617832][ C0] [] walk_stackframe+0x11c/0x260
[ 527.618566][ C0] [] arch_stack_walk+0x2c/0x3c
[ 527.619266][ C0] [] stack_trace_save+0xa6/0xd8
[ 527.619980][ C0] [] kasan_save_stack+0x2c/0x58
[ 527.620852][ C0]
[ 527.621292][ C0] The buggy address belongs to the page:
[ 527.622137][ C0] page:ffffaf807aa5acd8 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8e983
[ 527.623036][ C0] flags: 0x8800000000(section=17|node=0|zone=0)
[ 527.624455][ C0] raw: 0000008800000000 ffffaf807a9a2d98 ffffaf807a98a078 0000000000000000
[ 527.625690][ C0] raw: 0000000000000000 ffffaf800f4f9840 00000000ffffffff 0000000000000000
[ 527.627604][ C0] raw: 00000000000007ff
[ 527.628419][ C0] page dumped because: kasan: bad access detected
[ 527.629168][ C0] page_owner tracks the page as freed
[ 527.629684][ C0] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x400dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO), pid 2505, ts 526970023200, free_ts 527019360400
[ 527.631812][ C0] __set_page_owner+0x48/0x136
[ 527.633004][ C0] post_alloc_hook+0xd0/0x10a
[ 527.634097][ C0] get_page_from_freelist+0x8da/0x12d8
[ 527.635172][ C0] __alloc_pages+0x150/0x3b6
[ 527.636741][ C0] alloc_pages+0x132/0x2a6
[ 527.638225][ C0] __pmd_alloc+0x4e/0x4cc
[ 527.639331][ C0] __handle_mm_fault+0xa44/0x23a4
[ 527.640361][ C0] handle_mm_fault+0x296/0x674
[ 527.641354][ C0] __get_user_pages+0x444/0x7b4
[ 527.642402][ C0] __get_user_pages_remote+0x156/0x63a
[ 527.643260][ C0] get_user_pages_remote+0x5e/0x86
[ 527.644336][ C0] get_arg_page+0xf4/0x282
[ 527.645356][ C0] copy_string_kernel+0x13c/0x3ea
[ 527.647022][ C0] kernel_execve+0x16c/0x288
[ 527.648694][ C0] call_usermodehelper_exec_async+0x1c0/0x2dc
[ 527.650043][ C0] ret_from_exception+0x0/0x10
[ 527.651262][ C0] page last free stack trace:
[ 527.652188][ C0] __reset_page_owner+0x4a/0xea
[ 527.653271][ C0] free_pcp_prepare+0x29c/0x45e
[ 527.654287][ C0] free_unref_page+0x6a/0x31e
[ 527.655058][ C0] __free_pages+0xe2/0x112
[ 527.656089][ C0] free_pages.part.0+0xe0/0xf6
[ 527.657341][ C0] free_pages+0xe/0x18
[ 527.658541][ C0] free_pgd_range+0x8b0/0xc54
[ 527.659482][ C0] free_pgtables+0xf2/0x1c8
[ 527.660065][ C0] exit_mmap+0x168/0x412
[ 527.661054][ C0] mmput+0xee/0x2c2
[ 527.661652][ C0] free_bprm+0xbc/0x1de
[ 527.662602][ C0] kernel_execve+0x214/0x288
[ 527.663323][ C0] call_usermodehelper_exec_async+0x1c0/0x2dc
[ 527.664434][ C0] ret_from_exception+0x0/0x10
[ 527.665174][ C0]
[ 527.665850][ C0] Memory state around the buggy address:
[ 527.667118][ C0] ffffaf800e783d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 527.668396][ C0] ffffaf800e783d80: ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00
[ 527.669249][ C0] >ffffaf800e783e00: 00 00 00 00 ff ff ff ff 00 00 00 00 f1 f1 f1 f1
[ 527.670113][ C0] ^
[ 527.670762][ C0] ffffaf800e783e80: 00 00 00 f3 f3 f3 f3 f3 ff ff ff ff ff ff ff ff
[ 527.671515][ C0] ffffaf800e783f00: 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff
[ 527.672273][ C0] ==================================================================
[ 527.673035][ C0] Disabling lock debugging due to kernel taint
[ 527.680772][ T2033] Kernel panic - not syncing: corrupted stack end detected inside scheduler
[ 527.681789][ T2033] CPU: 0 PID: 2033 Comm: syz-executor.0 Tainted: G B 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 527.682574][ T2033] Hardware name: riscv-virtio,qemu (DT)
[ 527.682970][ T2033] Call Trace:
[ 527.683303][ T2033] [] dump_backtrace+0x2e/0x3c
[ 527.683910][ T2033] [] show_stack+0x34/0x40
[ 527.684447][ T2033] [] dump_stack_lvl+0xe4/0x150
[ 527.685141][ T2033] [] dump_stack+0x1c/0x24
[ 527.685703][ T2033] [] panic+0x24a/0x634
[ 527.686674][ T2033] [] schedule+0x0/0x14c
[ 527.687313][ T2033] [] preempt_schedule_irq+0x4a/0x13e
[ 527.688040][ T2033] [] resume_kernel+0x16/0x18
[ 527.688913][ T2033] SMP: stopping secondary CPUs
[ 527.690477][ T2033] Rebooting in 86400 seconds..
VM DIAGNOSIS: 04:27:40 Registers: