syzkaller login: [ 504.452485][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 514.671036][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 514.733825][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 514.793704][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
Warning: Permanently added '[localhost]:41620' (ECDSA) to the list of known hosts.
1970/01/01 00:09:38 fuzzer started
1970/01/01 00:09:52 dialing manager at localhost:40985
[ 599.779719][ T2031] cgroup: Unknown subsys name 'net'
[ 600.810857][ T2031] cgroup: Unknown subsys name 'rlimit'
1970/01/01 00:10:00 syscalls: 2827
1970/01/01 00:10:00 code coverage: enabled
1970/01/01 00:10:00 comparison tracing: enabled
1970/01/01 00:10:00 extra coverage: enabled
1970/01/01 00:10:00 delay kcov mmap: mmap returned an invalid pointer
1970/01/01 00:10:00 setuid sandbox: enabled
1970/01/01 00:10:00 namespace sandbox: enabled
1970/01/01 00:10:00 Android sandbox: /sys/fs/selinux/policy does not exist
1970/01/01 00:10:00 fault injection: enabled
1970/01/01 00:10:00 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
1970/01/01 00:10:00 net packet injection: enabled
1970/01/01 00:10:00 net device setup: enabled
1970/01/01 00:10:00 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
1970/01/01 00:10:00 devlink PCI setup: PCI device 0000:00:10.0 is not available
1970/01/01 00:10:00 USB emulation: enabled
1970/01/01 00:10:00 hci packet injection: /dev/vhci does not exist
1970/01/01 00:10:00 wifi device emulation: /sys/class/mac80211_hwsim/ does not exist
1970/01/01 00:10:00 802.15.4 emulation: /sys/bus/platform/devices/mac802154_hwsim does not exist
1970/01/01 00:10:00 fetching corpus: 0, signal 0/2000 (executing program)
1970/01/01 00:10:07 fetching corpus: 50, signal 32072/35136 (executing program)
1970/01/01 00:10:11 fetching corpus: 100, signal 52501/56158 (executing program)
1970/01/01 00:10:15 fetching corpus: 150, signal 59691/64123 (executing program)
1970/01/01 00:10:19 fetching corpus: 199, signal 68500/73365 (executing program)
1970/01/01 00:10:23 fetching corpus: 249, signal 75743/80932 (executing program)
1970/01/01 00:10:26 fetching corpus: 298, signal 79971/85578 (executing program)
1970/01/01 00:10:29 fetching corpus: 347, signal 86364/91990 (executing program)
1970/01/01 00:10:33 fetching corpus: 395, signal 92441/97921 (executing program)
1970/01/01 00:10:35 fetching corpus: 445, signal 97508/102780 (executing program)
1970/01/01 00:10:37 fetching corpus: 494, signal 100424/105749 (executing program)
1970/01/01 00:10:43 fetching corpus: 544, signal 103588/108829 (executing program)
1970/01/01 00:10:48 fetching corpus: 592, signal 108447/113209 (executing program)
1970/01/01 00:10:52 fetching corpus: 642, signal 112013/116340 (executing program)
1970/01/01 00:10:56 fetching corpus: 691, signal 114137/118308 (executing program)
1970/01/01 00:10:59 fetching corpus: 741, signal 117155/120831 (executing program)
1970/01/01 00:11:02 fetching corpus: 790, signal 119950/123152 (executing program)
1970/01/01 00:11:04 fetching corpus: 837, signal 123286/125729 (executing program)
1970/01/01 00:11:08 fetching corpus: 887, signal 124813/126976 (executing program)
1970/01/01 00:11:10 fetching corpus: 924, signal 126143/128053 (executing program)
1970/01/01 00:11:10 fetching corpus: 924, signal 126143/128161 (executing program)
1970/01/01 00:11:10 fetching corpus: 924, signal 126143/128256 (executing program)
1970/01/01 00:11:11 fetching corpus: 924, signal 126143/128356 (executing program)
1970/01/01 00:11:11 fetching corpus: 924, signal 126143/128446 (executing program)
1970/01/01 00:11:11 fetching corpus: 924, signal 126143/128541 (executing program)
1970/01/01 00:11:11 fetching corpus: 924, signal 126143/128628 (executing program)
1970/01/01 00:11:11 fetching corpus: 924, signal 126143/128738 (executing program)
1970/01/01 00:11:12 fetching corpus: 924, signal 126143/128821 (executing program)
1970/01/01 00:11:12 fetching corpus: 924, signal 126143/128913 (executing program)
1970/01/01 00:11:12 fetching corpus: 924, signal 126143/129022 (executing program)
1970/01/01 00:11:12 fetching corpus: 924, signal 126143/129127 (executing program)
1970/01/01 00:11:12 fetching corpus: 924, signal 126143/129224 (executing program)
1970/01/01 00:11:13 fetching corpus: 924, signal 126143/129310 (executing program)
1970/01/01 00:11:13 fetching corpus: 924, signal 126143/129405 (executing program)
1970/01/01 00:11:13 fetching corpus: 924, signal 126143/129500 (executing program)
1970/01/01 00:11:13 fetching corpus: 924, signal 126143/129591 (executing program)
1970/01/01 00:11:13 fetching corpus: 924, signal 126143/129709 (executing program)
1970/01/01 00:11:13 fetching corpus: 924, signal 126143/129802 (executing program)
1970/01/01 00:11:14 fetching corpus: 924, signal 126143/129888 (executing program)
1970/01/01 00:11:14 fetching corpus: 925, signal 126146/129971 (executing program)
1970/01/01 00:11:14 fetching corpus: 925, signal 126146/130062 (executing program)
1970/01/01 00:11:14 fetching corpus: 925, signal 126146/130150 (executing program)
1970/01/01 00:11:14 fetching corpus: 925, signal 126146/130256 (executing program)
1970/01/01 00:11:14 fetching corpus: 925, signal 126146/130350 (executing program)
1970/01/01 00:11:14 fetching corpus: 925, signal 126146/130444 (executing program)
1970/01/01 00:11:15 fetching corpus: 925, signal 126146/130542 (executing program)
1970/01/01 00:11:15 fetching corpus: 925, signal 126146/130630 (executing program)
1970/01/01 00:11:15 fetching corpus: 925, signal 126146/130729 (executing program)
1970/01/01 00:11:15 fetching corpus: 925, signal 126146/130831 (executing program)
1970/01/01 00:11:15 fetching corpus: 925, signal 126146/130946 (executing program)
1970/01/01 00:11:15 fetching corpus: 925, signal 126146/131033 (executing program)
1970/01/01 00:11:16 fetching corpus: 925, signal 126146/131126 (executing program)
1970/01/01 00:11:16 fetching corpus: 925, signal 126146/131214 (executing program)
1970/01/01 00:11:16 fetching corpus: 925, signal 126146/131310 (executing program)
1970/01/01 00:11:17 fetching corpus: 925, signal 126148/131411 (executing program)
1970/01/01 00:11:17 fetching corpus: 925, signal 126148/131500 (executing program)
1970/01/01 00:11:17 fetching corpus: 925, signal 126148/131596 (executing program)
1970/01/01 00:11:17 fetching corpus: 925, signal 126148/131672 (executing program)
1970/01/01 00:11:17 fetching corpus: 925, signal 126148/131767 (executing program)
1970/01/01 00:11:18 fetching corpus: 925, signal 126148/131858 (executing program)
1970/01/01 00:11:18 fetching corpus: 925, signal 126148/131939 (executing program)
1970/01/01 00:11:18 fetching corpus: 926, signal 126155/132059 (executing program)
1970/01/01 00:11:18 fetching corpus: 926, signal 126155/132159 (executing program)
1970/01/01 00:11:18 fetching corpus: 926, signal 126155/132251 (executing program)
1970/01/01 00:11:19 fetching corpus: 926, signal 126155/132340 (executing program)
1970/01/01 00:11:19 fetching corpus: 926, signal 126155/132439 (executing program)
1970/01/01 00:11:19 fetching corpus: 926, signal 126155/132479 (executing program)
1970/01/01 00:11:19 fetching corpus: 926, signal 126155/132479 (executing program)
1970/01/01 00:13:19 starting 2 fuzzer processes
00:13:19 executing program 0:
r0 = syz_open_procfs$userns(0x0, &(0x7f0000000080))
ioctl$NS_GET_PARENT(r0, 0x5460, 0xec000)
r1 = openat$dlm_control(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
read$FUSE(r1, 0x0, 0x0)
00:13:19 executing program 1:
mkdirat(0xffffffffffffff9c, &(0x7f0000002040)='./file0\x00', 0x0)
read$FUSE(0xffffffffffffffff, &(0x7f0000002080)={0x2020, 0x0, 0x0, 0x0, 0x0}, 0x2020)
mount$fuse(0x0, &(0x7f0000000080)='./file0\x00', &(0x7f0000000180), 0x50, &(0x7f0000000500)={{}, 0x2c, {'rootmode', 0x3d, 0x2000}, 0x2c, {}, 0x2c, {'group_id', 0x3d, r0}, 0x2c, {[{@blksize={'blksize', 0x3d, 0x800}}, {@default_permissions}, {@max_read={'max_read', 0x3d, 0xfe38}}, {@blksize={'blksize', 0x3d, 0x800}}, {@max_read={'max_read', 0x3d, 0x8}}, {@default_permissions}, {@blksize={'blksize', 0x3d, 0x1200}}], [{@smackfsfloor={'smackfsfloor', 0x3d, '\x00'}}, {@fscontext={'fscontext', 0x3d, 'sysadm_u'}}, {@mask={'mask', 0x3d, '^MAY_WRITE'}}, {@obj_type={'obj_type', 0x3d, '{'}}, {@fsname={'fsname', 0x3d, 'tmpfs\x00'}}]}})
umount2(&(0x7f0000000280)='./file0\x00', 0x5)
mount$tmpfs(0x0, &(0x7f0000000100)='./file0\x00', &(0x7f0000000240), 0x0, 0x0)
umount2(&(0x7f0000000000)='./file0\x00', 0x4)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file1\x00', 0x42, 0x0)
ioctl$FS_IOC_FSSETXATTR(r1, 0x401c5820, &(0x7f00000000c0)={0x8000})
close(r1)
umount2(&(0x7f00000000c0)='./file0\x00', 0x4)
[ 830.941248][ T2037] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 831.200629][ T2037] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 833.988392][ T2038] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 834.155570][ T2038] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 849.056251][ T2037] device hsr_slave_0 entered promiscuous mode
[ 849.150561][ T2037] device hsr_slave_1 entered promiscuous mode
[ 850.681814][ T2038] device hsr_slave_0 entered promiscuous mode
[ 850.747243][ T2038] device hsr_slave_1 entered promiscuous mode
[ 850.766403][ T2038] debugfs: Directory 'hsr0' with parent 'hsr' already present!
[ 850.771411][ T2038] Cannot create hsr debugfs directory
[ 864.471563][ T2037] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 864.885937][ T2037] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 865.302053][ T2037] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 865.689252][ T2037] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 866.892188][ T2038] netdevsim netdevsim1 netdevsim0: renamed from eth0
[ 867.051382][ T2038] netdevsim netdevsim1 netdevsim1: renamed from eth1
[ 867.258485][ T2038] netdevsim netdevsim1 netdevsim2: renamed from eth2
[ 867.398506][ T2038] netdevsim netdevsim1 netdevsim3: renamed from eth3
[ 878.371854][ T2037] 8021q: adding VLAN 0 to HW filter on device bond0
[ 879.269331][ T2032] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 879.343078][ T2032] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 881.178124][ T2038] 8021q: adding VLAN 0 to HW filter on device bond0
[ 881.682846][ T2395] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 881.738217][ T2395] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 890.342628][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 890.462383][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 890.813468][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 890.934015][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 892.488442][ T2637] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 892.587507][ T2637] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 893.232798][ T2637] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 893.280285][ T2637] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 893.902585][ T2037] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 894.051540][ T2037] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 894.692723][ T2032] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 894.787458][ T2032] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 895.439395][ T2395] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 895.550133][ T2395] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 895.798049][ T2395] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 895.802986][ T2395] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 896.843988][ T2637] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 896.861132][ T2637] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 896.942941][ T2637] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 897.011530][ T2637] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 898.100455][ T2395] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 898.163177][ T2395] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 898.790608][ T2038] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 898.901249][ T2038] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 899.364091][ T2637] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 899.467063][ T2637] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 900.390423][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 900.463014][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 925.062947][ T2101] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 925.093422][ T2101] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 931.278397][ T2101] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 931.501266][ T2101] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 940.073318][ T2637] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 940.192662][ T2637] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 940.436905][ T2037] device veth0_vlan entered promiscuous mode
[ 940.556338][ T2637] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 940.687746][ T2637] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 941.742271][ T2037] device veth1_vlan entered promiscuous mode
[ 943.587686][ T2395] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 943.671203][ T2395] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 943.967958][ T2037] device veth0_macvtap entered promiscuous mode
[ 944.503915][ T2037] device veth1_macvtap entered promiscuous mode
[ 944.669559][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 945.188749][ C0] ==================================================================
[ 945.193838][ C0] BUG: KASAN: slab-out-of-bounds in walk_stackframe+0x11c/0x260
[ 945.199088][ C0] Read of size 8 at addr ffffaf801080ffc0 by task syz-executor.0/2037
[ 945.202674][ C0]
[ 945.204128][ C0] CPU: 0 PID: 2037 Comm: syz-executor.0 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 945.206595][ C0] Hardware name: riscv-virtio,qemu (DT)
[ 945.207877][ C0] Call Trace:
[ 945.208891][ C0] [] dump_backtrace+0x2e/0x3c
[ 945.210257][ C0] [] show_stack+0x34/0x40
[ 945.211518][ C0] [] dump_stack_lvl+0xe4/0x150
[ 945.212917][ C0] [] print_address_description.constprop.0+0x2a/0x330
[ 945.215059][ C0] [] kasan_report+0x184/0x1e0
[ 945.217181][ C0] [] __asan_load8+0x6e/0x96
[ 945.218608][ C0] [] walk_stackframe+0x11c/0x260
[ 945.219954][ C0] [] arch_stack_walk+0x2c/0x3c
[ 945.221341][ C0] [] stack_trace_save+0xa6/0xd8
[ 945.222898][ C0]
[ 945.223732][ C0] Allocated by task 1:
[ 945.225173][ C0] (stack is not available)
[ 945.226436][ C0]
[ 945.227317][ C0] Freed by task 12:
[ 945.228320][ C0] stack_trace_save+0xa6/0xd8
[ 945.229596][ C0] kasan_save_stack+0x2c/0x58
[ 945.230815][ C0] kasan_set_track+0x1a/0x26
[ 945.232007][ C0] kasan_set_free_info+0x1e/0x3a
[ 945.233198][ C0] ____kasan_slab_free+0x15e/0x180
[ 945.234752][ C0] __kasan_slab_free+0x10/0x18
[ 945.236599][ C0] slab_free_freelist_hook+0x8e/0x1cc
[ 945.237831][ C0] kfree+0xe0/0x3e4
[ 945.238899][ C0] skb_release_data+0x3c2/0x3c4
[ 945.240050][ C0] consume_skb+0x96/0x136
[ 945.241170][ C0] nsim_dev_trap_report_work+0x524/0x5e4
[ 945.242390][ C0] process_one_work+0x654/0xffe
[ 945.243513][ C0] worker_thread+0x360/0x8fa
[ 945.245038][ C0] kthread+0x19e/0x1fa
[ 945.246726][ C0] ret_from_exception+0x0/0x10
[ 945.247946][ C0]
[ 945.248735][ C0] The buggy address belongs to the object at ffffaf801080e000
[ 945.248735][ C0] which belongs to the cache kmalloc-4k of size 4096
[ 945.250515][ C0] The buggy address is located 4032 bytes to the right of
[ 945.250515][ C0] 4096-byte region [ffffaf801080e000, ffffaf801080f000)
[ 945.252309][ C0] The buggy address belongs to the page:
[ 945.253776][ C0] page:ffffaf807aaed240 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x90a08
[ 945.256429][ C0] head:ffffaf807aaed240 order:3 compound_mapcount:0 compound_pincount:0
[ 945.257881][ C0] flags: 0x9000010200(slab|head|section=18|node=0|zone=0)
[ 945.260634][ C0] raw: 0000009000010200 ffffaf807aa80280 0000000000000002 ffffaf8007202140
[ 945.262050][ C0] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
[ 945.263323][ C0] raw: 00000000000007ff
[ 945.264303][ C0] page dumped because: kasan: bad access detected
[ 945.266252][ C0] page_owner tracks the page as allocated
[ 945.267348][ C0] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 12, ts 915933971900, free_ts 911230308300
[ 945.269622][ C0] __set_page_owner+0x48/0x136
[ 945.270795][ C0] post_alloc_hook+0xd0/0x10a
[ 945.271909][ C0] get_page_from_freelist+0x8da/0x12d8
[ 945.273098][ C0] __alloc_pages+0x150/0x3b6
[ 945.274312][ C0] alloc_pages+0x132/0x2a6
[ 945.275898][ C0] alloc_slab_page.constprop.0+0xc2/0xfa
[ 945.277152][ C0] new_slab+0x76/0x2cc
[ 945.278225][ C0] ___slab_alloc+0x56e/0x918
[ 945.279376][ C0] __slab_alloc.constprop.0+0x50/0x8c
[ 945.280611][ C0] __kmalloc_node_track_caller+0x26c/0x362
[ 945.281899][ C0] __alloc_skb+0xee/0x2e4
[ 945.283039][ C0] nsim_dev_trap_report_work+0x1c2/0x5e4
[ 945.284318][ C0] process_one_work+0x654/0xffe
[ 945.285866][ C0] worker_thread+0x360/0x8fa
[ 945.286918][ C0] kthread+0x19e/0x1fa
[ 945.288070][ C0] ret_from_exception+0x0/0x10
[ 945.289255][ C0] page last free stack trace:
[ 945.290111][ C0] __reset_page_owner+0x4a/0xea
[ 945.291265][ C0] free_pcp_prepare+0x29c/0x45e
[ 945.292424][ C0] free_unref_page+0x6a/0x31e
[ 945.293588][ C0] __free_pages+0xe2/0x112
[ 945.295055][ C0] __free_slab+0x122/0x27c
[ 945.296653][ C0] discard_slab+0x4c/0x7a
[ 945.297847][ C0] __unfreeze_partials+0x16a/0x18e
[ 945.298980][ C0] put_cpu_partial+0xf6/0x162
[ 945.300169][ C0] __slab_free+0x166/0x29c
[ 945.301330][ C0] ___cache_free+0x17c/0x354
[ 945.302507][ C0] qlist_free_all+0x7c/0x132
[ 945.303637][ C0] kasan_quarantine_reduce+0x14c/0x1c8
[ 945.305398][ C0] __kasan_slab_alloc+0x5c/0x98
[ 945.306651][ C0] kmem_cache_alloc+0x338/0x3de
[ 945.308284][ C0] vm_area_dup+0xa4/0x224
[ 945.309560][ C0] __split_vma+0x7c/0x2fa
[ 945.310912][ C0]
[ 945.311689][ C0] Memory state around the buggy address:
[ 945.313085][ C0]  ffffaf801080fe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 945.314487][ C0]  ffffaf801080ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 945.316833][ C0] >ffffaf801080ff80: 00 00 00 00 00 00 00 00 fc fc fc fc 00 00 00 00
[ 945.318098][ C0]                                            ^
[ 945.319318][ C0]  ffffaf8010810000: 00 00 00 00 f1 f1 f1 f1 00 00 00 f3 f3 f3 f3 f3
[ 945.320639][ C0]  ffffaf8010810080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 945.321979][ C0] ==================================================================
[ 945.323234][ C0] Disabling lock debugging due to kernel taint
[ 945.327979][ T2037] Kernel panic - not syncing: corrupted stack end detected inside scheduler
[ 945.331371][ T2037] CPU: 0 PID: 2037 Comm: syz-executor.0 Tainted: G B 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 945.335618][ T2037] Hardware name: riscv-virtio,qemu (DT)
[ 945.338077][ T2037] Call Trace:
[ 945.339442][ T2037] [] dump_backtrace+0x2e/0x3c
[ 945.341820][ T2037] [] show_stack+0x34/0x40
[ 945.343148][ T2037] [] dump_stack_lvl+0xe4/0x150
[ 945.344465][ T2037] [] dump_stack+0x1c/0x24
[ 945.345527][ T2037] [] panic+0x24a/0x634
[ 945.346447][ T2037] [] schedule+0x0/0x14c
[ 945.347434][ T2037] [] preempt_schedule_irq+0x4a/0x13e
[ 945.348561][ T2037] [] resume_kernel+0x16/0x18
[ 945.349916][ T2037] SMP: stopping secondary CPUs
[ 945.352059][ T2037] Rebooting in 86400 seconds..
VM DIAGNOSIS: 18:55:56 Registers: