[ 524.195168][ T1860] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 524.262079][ T1860] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 524.294060][ T1860] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
Warning: Permanently added '[localhost]:41839' (ECDSA) to the list of known hosts.
1970/01/01 00:09:22 fuzzer started
1970/01/01 00:09:34 dialing manager at localhost:40155
[ 581.202678][ T2027] cgroup: Unknown subsys name 'net'
[ 582.030726][ T2027] cgroup: Unknown subsys name 'rlimit'
1970/01/01 00:09:42 syscalls: 2827
1970/01/01 00:09:42 code coverage: enabled
1970/01/01 00:09:42 comparison tracing: enabled
1970/01/01 00:09:42 extra coverage: enabled
1970/01/01 00:09:42 delay kcov mmap: mmap returned an invalid pointer
1970/01/01 00:09:42 setuid sandbox: enabled
1970/01/01 00:09:42 namespace sandbox: enabled
1970/01/01 00:09:42 Android sandbox: /sys/fs/selinux/policy does not exist
1970/01/01 00:09:42 fault injection: enabled
1970/01/01 00:09:42 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
1970/01/01 00:09:42 net packet injection: enabled
1970/01/01 00:09:42 net device setup: enabled
1970/01/01 00:09:42 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
1970/01/01 00:09:42 devlink PCI setup: PCI device 0000:00:10.0 is not available
1970/01/01 00:09:42 USB emulation: enabled
1970/01/01 00:09:42 hci packet injection: /dev/vhci does not exist
1970/01/01 00:09:42 wifi device emulation: /sys/class/mac80211_hwsim/ does not exist
1970/01/01 00:09:42 802.15.4 emulation: /sys/bus/platform/devices/mac802154_hwsim does not exist
1970/01/01 00:09:42 fetching corpus: 0, signal 0/0 (executing program)
1970/01/01 00:09:42 fetching corpus: 0, signal 0/0 (executing program)
1970/01/01 00:11:03 starting 2 fuzzer processes
00:11:03 executing program 0:
set_mempolicy(0xc000, 0x0, 0x0)
00:11:03 executing program 1:
syz_mount_image$ext4(0x0, &(0x7f00000000c0)='./file0\x00', 0x0, 0x0, 0x0, 0x0, 0x0)
lsetxattr$trusted_overlay_opaque(&(0x7f0000001580)='./file0\x00', &(0x7f00000015c0), 0x0, 0x0, 0x0)
setxattr$trusted_overlay_upper(&(0x7f0000000080)='./file0\x00', &(0x7f0000000100), &(0x7f0000000140)={0x0, 0xfb, 0x1d, 0x0, 0x0, "9a359929638351726e3434f2045515b0", "fdb4ed123efc3916"}, 0x1d, 0x0)
setxattr$system_posix_acl(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='system.posix_acl_access\x00', &(0x7f0000000280)={{}, {}, [{}, {}], {}, [{}]}, 0x3c, 0x0)
lsetxattr$trusted_overlay_upper(&(0x7f0000000180)='./file0\x00', &(0x7f00000001c0), 0x0, 0x0, 0x0)
[ 704.546970][ T2033] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 705.083030][ T2033] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 705.567589][ T2032] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 706.257269][ T2032] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 717.477530][ T2033] device hsr_slave_0 entered promiscuous mode
[ 717.555860][ T2033] device hsr_slave_1 entered promiscuous mode
[ 718.295660][ C0] ==================================================================
[ 718.297294][ C0] BUG: KASAN: slab-out-of-bounds in __bfs+0x154/0x394
[ 718.300039][ C0] Read of size 8 at addr ffffaf800c2ffaf0 by task syz-executor.1/2033
[ 718.301686][ C0]
[ 718.304678][ C0] CPU: 0 PID: 2033 Comm: syz-executor.1 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 718.308036][ C0] Hardware name: riscv-virtio,qemu (DT)
[ 718.309131][ C0] Call Trace:
[ 718.309986][ C0] [] dump_backtrace+0x2e/0x3c
[ 718.311140][ C0] [] show_stack+0x34/0x40
[ 718.312149][ C0] [] dump_stack_lvl+0xe4/0x150
[ 718.313345][ C0] [] print_address_description.constprop.0+0x2a/0x330
[ 718.314701][ C0] [] kasan_report+0x184/0x1e0
[ 718.315886][ C0] [] __asan_load8+0x6e/0x96
[ 718.317009][ C0] [] __bfs+0x154/0x394
[ 718.318107][ C0] [] check_path.constprop.0+0x24/0x46
[ 718.319320][ C0] [] check_noncircular+0x11a/0x1fe
[ 718.320452][ C0] [] __lock_acquire+0x19a4/0x333e
[ 718.321582][ C0] [] lock_acquire.part.0+0x1d0/0x424
[ 718.322747][ C0] [] lock_acquire+0x54/0x6a
[ 718.324925][ C0] [] get_page_from_freelist+0xbc2/0x12d8
[ 718.326701][ C0]
[ 718.327839][ C0] Allocated by task 1:
[ 718.328837][ C0] stack_trace_save+0xa6/0xd8
[ 718.330008][ C0] kasan_save_stack+0x2c/0x58
[ 718.331887][ C0] __kasan_kmalloc+0x80/0xb2
[ 718.333727][ C0] kmem_cache_alloc_trace+0x178/0x2e0
[ 718.335736][ C0] device_add+0xce0/0x129e
[ 718.337532][ C0] device_register+0x20/0x2a
[ 718.338645][ C0] tty_register_device_attr+0x27a/0x4bc
[ 718.339844][ C0] tty_register_driver+0x2ca/0x4b2
[ 718.341781][ C0] pty_init+0x310/0x7e6
[ 718.343502][ C0] do_one_initcall+0x13a/0x7ea
[ 718.344983][ C0] kernel_init_freeable+0x510/0x5b4
[ 718.346206][ C0] kernel_init+0x28/0x21c
[ 718.347153][ C0] ret_from_exception+0x0/0x10
[ 718.348484][ C0]
[ 718.349244][ C0] Last potentially related work creation:
[ 718.350593][ C0] ------------[ cut here ]------------
[ 718.351396][ C0] slab index 340096 out of bounds (290) for stack id 0be53080
[ 718.355996][ C0] WARNING: CPU: 0 PID: 2033 at lib/stackdepot.c:304 stack_depot_print+0x66/0x70
[ 718.357544][ C0] Modules linked in:
[ 718.358835][ C0] CPU: 0 PID: 2033 Comm: syz-executor.1 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 718.361194][ C0] Hardware name: riscv-virtio,qemu (DT)
[ 718.362034][ C0] epc : stack_depot_print+0x66/0x70
[ 718.363146][ C0]  ra : stack_depot_print+0x66/0x70
[ 718.364254][ C0] epc : ffffffff80c00b8a ra : ffffffff80c00b8a sp : ffffaf800c2ff880
[ 718.365296][ C0]  gp : ffffffff85863ac0 tp : ffffaf800be53080 t0 : ffffffff86bcb657
[ 718.366348][ C0]  t1 : fffff5ef0b53910c t2 : 0000000000000000 s0 : ffffaf800c2ff890
[ 718.367356][ C0]  s1 : ffffaf807a9b66e0 a0 : 000000000000003b a1 : 00000000000f0000
[ 718.369036][ C0]  a2 : 0000000000000504 a3 : ffffffff8012252a a4 : f1232ceb7708db00
[ 718.370887][ C0]  a5 : f1232ceb7708db00 a6 : 0000000000f00000 a7 : ffffaf805a9c8863
[ 718.371952][ C0]  s2 : ffffaf800c2ffaf0 s3 : ffffaf8007201c80 s4 : ffffaf800c2ff800
[ 718.372960][ C0]  s5 : ffffaf800c2ffa00 s6 : ffffffff8588bb20 s7 : ffffffff85e09180
[ 718.373972][ C0]  s8 : ffffaf800c2ffa00 s9 : ffffaf800be53c50 s10: ffffffff85899680
[ 718.374997][ C0]  s11: ffffaf800be53080 t3 : ffffffff801163b2 t4 : fffff5ef0b53910c
[ 718.375988][ C0]  t5 : fffff5ef0b53910d t6 : ffffaf800c2ff378
[ 718.376825][ C0] status: 0000000000000100 badaddr: 0000000000000000 cause: 0000000000000003
[ 718.377971][ C0] [] print_address_description.constprop.0+0x2fc/0x330
[ 718.380165][ C0] [] kasan_report+0x184/0x1e0
[ 718.381301][ C0] [] __asan_load8+0x6e/0x96
[ 718.382327][ C0] [] __bfs+0x154/0x394
[ 718.383317][ C0] [] check_path.constprop.0+0x24/0x46
[ 718.384413][ C0] [] check_noncircular+0x11a/0x1fe
[ 718.385508][ C0] [] __lock_acquire+0x19a4/0x333e
[ 718.386657][ C0] [] lock_acquire.part.0+0x1d0/0x424
[ 718.387794][ C0] [] lock_acquire+0x54/0x6a
[ 718.389329][ C0] [] get_page_from_freelist+0xbc2/0x12d8
[ 718.390655][ C0] irq event stamp: 59335
[ 718.391334][ C0] hardirqs last enabled at (59334): [] _raw_spin_unlock_irqrestore+0x68/0x98
[ 718.392763][ C0] hardirqs last disabled at (59335): [] get_page_from_freelist+0xfbe/0x12d8
[ 718.394158][ C0] softirqs last enabled at (59218): [] __do_softirq+0x618/0x8fc
[ 718.395536][ C0] softirqs last disabled at (59249): [] __irq_exit_rcu+0x142/0x1f8
[ 718.396922][ C0] ---[ end trace 0000000000000000 ]---
[ 718.398257][ C0]
[ 718.398966][ C0] Second to last potentially related work creation:
[ 718.400324][ C0] ------------[ cut here ]------------
[ 718.401002][ C0] slab index 2076544 out of bounds (290) for stack id ffffaf80
[ 718.404925][ C0] WARNING: CPU: 0 PID: 2033 at lib/stackdepot.c:304 stack_depot_print+0x66/0x70
[ 718.406371][ C0] Modules linked in:
[ 718.407294][ C0] CPU: 0 PID: 2033 Comm: syz-executor.1 Tainted: G W 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 718.409553][ C0] Hardware name: riscv-virtio,qemu (DT)
[ 718.410817][ C0] epc : stack_depot_print+0x66/0x70
[ 718.411930][ C0]  ra : stack_depot_print+0x66/0x70
[ 718.412946][ C0] epc : ffffffff80c00b8a ra : ffffffff80c00b8a sp : ffffaf800c2ff880
[ 718.413946][ C0]  gp : ffffffff85863ac0 tp : ffffaf800be53080 t0 : ffffffff86bcb657
[ 718.414970][ C0]  t1 : fffff5ef0b53910c t2 : 0000000000000000 s0 : ffffaf800c2ff890
[ 718.415939][ C0]  s1 : ffffaf807a9b66e0 a0 : 000000000000003c a1 : 00000000000f0000
[ 718.416925][ C0]  a2 : 0000000000000504 a3 : ffffffff8012252a a4 : f1232ceb7708db00
[ 718.417900][ C0]  a5 : f1232ceb7708db00 a6 : 0000000000f00000 a7 : ffffaf805a9c8863
[ 718.419524][ C0]  s2 : ffffaf800c2ffaf0 s3 : ffffaf8007201c80 s4 : ffffaf800c2ff800
[ 718.420559][ C0]  s5 : ffffaf800c2ffa00 s6 : ffffffff8588bb20 s7 : ffffffff85e09180
[ 718.421543][ C0]  s8 : ffffaf800c2ffa00 s9 : ffffaf800be53c50 s10: ffffffff85899680
[ 718.422524][ C0]  s11: ffffaf800be53080 t3 : ffffffff801163b2 t4 : fffff5ef0b53910c
[ 718.423484][ C0]  t5 : fffff5ef0b53910d t6 : ffffaf800c2ff378
[ 718.424288][ C0] status: 0000000000000100 badaddr: 0000000000000000 cause: 0000000000000003
[ 718.425277][ C0] [] print_address_description.constprop.0+0x2ae/0x330
[ 718.426653][ C0] [] kasan_report+0x184/0x1e0
[ 718.427802][ C0] [] __asan_load8+0x6e/0x96
[ 718.429295][ C0] [] __bfs+0x154/0x394
[ 718.430417][ C0] [] check_path.constprop.0+0x24/0x46
[ 718.431539][ C0] [] check_noncircular+0x11a/0x1fe
[ 718.432632][ C0] [] __lock_acquire+0x19a4/0x333e
[ 718.433723][ C0] [] lock_acquire.part.0+0x1d0/0x424
[ 718.434867][ C0] [] lock_acquire+0x54/0x6a
[ 718.435926][ C0] [] get_page_from_freelist+0xbc2/0x12d8
[ 718.437087][ C0] irq event stamp: 59335
[ 718.437733][ C0] hardirqs last enabled at (59334): [] _raw_spin_unlock_irqrestore+0x68/0x98
[ 718.440015][ C0] hardirqs last disabled at (59335): [] get_page_from_freelist+0xfbe/0x12d8
[ 718.441387][ C0] softirqs last enabled at (59218): [] __do_softirq+0x618/0x8fc
[ 718.442682][ C0] softirqs last disabled at (59249): [] __irq_exit_rcu+0x142/0x1f8
[ 718.443940][ C0] ---[ end trace 0000000000000000 ]---
[ 718.444706][ C0]
[ 718.445203][ C0] The buggy address belongs to the object at ffffaf800c2ff800
[ 718.445203][ C0]  which belongs to the cache kmalloc-512 of size 512
[ 718.446594][ C0] The buggy address is located 240 bytes to the right of
[ 718.446594][ C0]  512-byte region [ffffaf800c2ff800, ffffaf800c2ffa00)
[ 718.448150][ C0] The buggy address belongs to the page:
[ 718.449867][ C0] page:ffffaf807a9b66e0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8c4fc
[ 718.451308][ C0] head:ffffaf807a9b66e0 order:2 compound_mapcount:0 compound_pincount:0
[ 718.452445][ C0] flags: 0x8800010200(slab|head|section=17|node=0|zone=0)
[ 718.454888][ C0] raw: 0000008800010200 ffffaf807aa6c9c0 0000000000000002 ffffaf8007201c80
[ 718.455971][ C0] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 718.456899][ C0] raw: 00000000000007ff
[ 718.457592][ C0] page dumped because: kasan: bad access detected
[ 718.459164][ C0] page_owner tracks the page as allocated
[ 718.460349][ C0] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 367, ts 243075068400, free_ts 0
[ 718.462222][ C0] __set_page_owner+0x48/0x136
[ 718.463181][ C0] post_alloc_hook+0xd0/0x10a
[ 718.464050][ C0] get_page_from_freelist+0x8da/0x12d8
[ 718.464999][ C0] __alloc_pages+0x150/0x3b6
[ 718.465869][ C0] alloc_pages+0x132/0x2a6
[ 718.466799][ C0] alloc_slab_page.constprop.0+0xc2/0xfa
[ 718.467780][ C0] new_slab+0x25a/0x2cc
[ 718.468988][ C0] ___slab_alloc+0x56e/0x918
[ 718.469938][ C0] __slab_alloc.constprop.0+0x50/0x8c
[ 718.470975][ C0] kmem_cache_alloc_trace+0x2a2/0x2e0
[ 718.471954][ C0] alloc_bprm+0x48/0x4b6
[ 718.472839][ C0] kernel_execve+0x54/0x288
[ 718.473733][ C0] call_usermodehelper_exec_async+0x1c0/0x2dc
[ 718.474873][ C0] ret_from_exception+0x0/0x10
[ 718.475816][ C0] page_owner free stack trace missing
[ 718.476624][ C0]
[ 718.477149][ C0] Memory state around the buggy address:
[ 718.478267][ C0]  ffffaf800c2ff980: fc fc fc fc f1 f1 f1 f1 00 f3 f3 f3 fc fc fc fc
[ 718.479931][ C0]  ffffaf800c2ffa00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 718.480902][ C0] >ffffaf800c2ffa80: 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 fc fc fc fc
[ 718.481859][ C0]                                                              ^
[ 718.482878][ C0]  ffffaf800c2ffb00: 00 00 00 f3 f3 f3 f3 f3 fc fc fc fc fc fc fc fc
[ 718.483824][ C0]  ffffaf800c2ffb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 718.484801][ C0] ==================================================================
[ 718.485696][ C0] Disabling lock debugging due to kernel taint
[ 718.507644][ T2033] Kernel panic - not syncing: corrupted stack end detected inside scheduler
[ 718.509505][ T2033] CPU: 0 PID: 2033 Comm: syz-executor.1 Tainted: G B W 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 718.510995][ T2033] Hardware name: riscv-virtio,qemu (DT)
[ 718.511714][ T2033] Call Trace:
[ 718.512305][ T2033] [] dump_backtrace+0x2e/0x3c
[ 718.513457][ T2033] [] show_stack+0x34/0x40
[ 718.514500][ T2033] [] dump_stack_lvl+0xe4/0x150
[ 718.515663][ T2033] [] dump_stack+0x1c/0x24
[ 718.516797][ T2033] [] panic+0x24a/0x634
[ 718.517752][ T2033] [] schedule+0x0/0x14c
[ 718.519258][ T2033] [] preempt_schedule_irq+0x4a/0x13e
[ 718.520409][ T2033] [] resume_kernel+0x16/0x18
[ 718.521697][ T2033] SMP: stopping secondary CPUs
[ 718.523872][ T2033] Rebooting in 86400 seconds..

VM DIAGNOSIS:
23:05:20 Registers:
info registers vcpu 0
pc       ffffffff80dc337e
mhartid  0000000000000000
mstatus  00000000000000a0
mip      00000000000000a0
mie      000000000000022a
mideleg  0000000000000222
medeleg  000000000000b109
mtvec    0000000080000540
stvec    ffffffff800055d4
mepc     ffffffff80475986
sepc     ffffffff80115bbc
mcause   8000000000000007
scause   8000000000000009
mtval    0000000000000000
stval    0000000000000000
x0/zero  0000000000000000 x1/ra    ffffffff80dc337e x2/sp    ffffaf800c2ff390 x3/gp    ffffffff85863ac0
x4/tp    ffffaf800be53080 x5/t0    ffffffff86bcb657 x6/t1    fffffffff3f3f3f3 x7/t2    0000000000000000
x8/s0    ffffaf800c2ff3c0 x9/s1    ffffffff86e58900 x10/a0   ffffffff86e58948 x11/a1   ffff8f800066c000
x12/a2   1ffffffff0dcb129 x13/a3   ffffffff80dc337e x14/a4   0000000000000000 x15/a5   ffffffff86e58948
x16/a6   ffffffff86e589f1 x17/a7   f1232ceb7708db00 x18/s2   ffff8f800066c000 x19/s3   0000000000000020
x20/s4   ffffffff86e58900 x21/s5   ffffffff80dc333e x22/s6   0000000000000000 x23/s7   ffffffff86bcb658
x24/s8   0000000000000010 x25/s9   ffffffff86e58958 x26/s10  0000000000000010 x27/s11  0000000000000000
x28/t3   ffffffff801163b2 x29/t4   fffffffef0d796c8 x30/t5   fffffffef0d796cb x31/t6   ffffffff86bcb657
f0/ft0   0000000000000000 f1/ft1   0000000000000000 f2/ft2   0000000000000000 f3/ft3   0000000000000000
f4/ft4   0000000000000000 f5/ft5   0000000000000000 f6/ft6   0000000000000000 f7/ft7   0000000000000000
f8/fs0   0000000000000000 f9/fs1   0000000000000000 f10/fa0  0000000000000000 f11/fa1  0000000000000000
f12/fa2  0000000000000000 f13/fa3  0000000000000000 f14/fa4  0000000000000000 f15/fa5  0000000000000000
f16/fa6  0000000000000000 f17/fa7  0000000000000000 f18/fs2  0000000000000000 f19/fs3  0000000000000000
f20/fs4  0000000000000000 f21/fs5  0000000000000000 f22/fs6  0000000000000000 f23/fs7  0000000000000000
f24/fs8  0000000000000000 f25/fs9  0000000000000000 f26/fs10 0000000000000000 f27/fs11 0000000000000000
f28/ft8  0000000000000000 f29/ft9  0000000000000000 f30/ft10 0000000000000000 f31/ft11 0000000000000000
info registers vcpu 1
pc       ffffffff80119b52
mhartid  0000000000000001
mstatus  00000000000000a2
mip      0000000000000000
mie      00000000000002aa
mideleg  0000000000000222
medeleg  000000000000b109
mtvec    0000000080000540
stvec    ffffffff800055d4
mepc     ffffffff8000f97e
sepc     ffffffff80119b52
mcause   0000000000000009
scause   8000000000000005
mtval    0000000000000000
stval    0000000000000000
x0/zero  0000000000000000 x1/ra    ffffffff80119b52 x2/sp    ffffaf800f9d37e0 x3/gp    ffffffff85863ac0
x4/tp    ffffaf800cfa1840 x5/t0    00000000000001f8 x6/t1    f1232ceb7708db00 x7/t2    ffffffffffffffff
x8/s0    ffffaf800f9d37e0 x9/s1    ffffaf800f8d9898 x10/a0   ffffaf800f8d9898 x11/a1   0000000000000003
x12/a2   1ffff5f001f1b313 x13/a3   ffffffff80119b52 x14/a4   0000000000000000 x15/a5   0000000000000001
x16/a6   0000000000f00000 x17/a7   ffffffff826e6226 x18/s2   0000000000000001 x19/s3   ffffaf800cfa1840
x20/s4   ffffaf800f8d98a8 x21/s5   ffffaf800f8d98a0 x22/s6   ffffaf800f9d3960 x23/s7   ffffaf800f9d3b00
x24/s8   0000000000000000 x25/s9   0000000000004000 x26/s10  0000000000000040 x27/s11  0000000000000001
x28/t3   fffffffff3f3f300 x29/t4   ffffffff80112282 x30/t5   1ffff5f001f3a6b4 x31/t6   000000000124f826
f0/ft0   0000000000000000 f1/ft1   0000000000000000 f2/ft2   0000000000000000 f3/ft3   0000000000000000
f4/ft4   0000000000000000 f5/ft5   0000000000000000 f6/ft6   0000000000000000 f7/ft7   0000000000000000
f8/fs0   0000000000000000 f9/fs1   0000000000000000 f10/fa0  0000000000000000 f11/fa1  0000000000000000
f12/fa2  0000000000000000 f13/fa3  0000000000000000 f14/fa4  0000000000000000 f15/fa5  0000000000000000
f16/fa6  0000000000000000 f17/fa7  0000000000000000 f18/fs2  0000000000000000 f19/fs3  0000000000000000
f20/fs4  0000000000000000 f21/fs5  0000000000000000 f22/fs6  0000000000000000 f23/fs7  0000000000000000
f24/fs8  0000000000000000 f25/fs9  0000000000000000 f26/fs10 0000000000000000 f27/fs11 0000000000000000
f28/ft8  0000000000000000 f29/ft9  0000000000000000 f30/ft10 0000000000000000 f31/ft11 0000000000000000
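The KASAN report in this log states its conclusions in prose ("slab-out-of-bounds", "240 bytes to the right of 512-byte region") and then dumps the shadow map around the faulting address. When triaging such a report it is worth recomputing those numbers from the raw addresses and decoding the shadow bytes yourself, because the bug class is KASAN's guess from the page flags, whereas the shadow bytes say what the memory actually was. The Python block below is an added example, not part of the syzbot log or of the kernel: it parses the report lines, recomputes the offset, and decodes the shadow bytes using the generic-KASAN encoding from mm/kasan/kasan.h (8-byte granules; 0x00 addressable, 0x01..0x07 partially addressable, 0xf1/0xf2/0xf3 stack redzones, 0xfc kmalloc redzone). Generic mode is assumed from the `__asan_load8` frame in the trace. The sample input is constructed from the report lines above; the function names and the legend table are this example's own.

```python
"""Triage helper for a generic-KASAN console report (added example).

Parses the access, the reported object region and the "Memory state" rows,
recomputes the offset the report states in prose, and decodes the shadow
bytes. Shadow encoding assumed: generic KASAN, 8-byte granules, values as
in mm/kasan/kasan.h of 5.x kernels.
"""
import re

GRANULE = 8  # bytes of kernel memory described by one shadow byte

SHADOW_LEGEND = {
    0x00: "addressable",
    0xF1: "stack left redzone",
    0xF2: "stack mid redzone",
    0xF3: "stack right redzone",
    0xF4: "stack partial redzone",
    0xF9: "global redzone",
    0xFA: "freed kmalloc object (free track)",
    0xFB: "freed kmalloc object",
    0xFC: "kmalloc redzone",
    0xFE: "page redzone",
    0xFF: "freed page",
}

# Constructed sample: the lines of the report above that matter for triage.
SAMPLE = """\
BUG: KASAN: slab-out-of-bounds in __bfs+0x154/0x394
Read of size 8 at addr ffffaf800c2ffaf0 by task syz-executor.1/2033
The buggy address belongs to the object at ffffaf800c2ff800
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 240 bytes to the right of
 512-byte region [ffffaf800c2ff800, ffffaf800c2ffa00)
Memory state around the buggy address:
 ffffaf800c2ff980: fc fc fc fc f1 f1 f1 f1 00 f3 f3 f3 fc fc fc fc
 ffffaf800c2ffa00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffffaf800c2ffa80: 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 fc fc fc fc
 ffffaf800c2ffb00: 00 00 00 f3 f3 f3 f3 f3 fc fc fc fc fc fc fc fc
 ffffaf800c2ffb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

# One "Memory state" row: a 16-hex-digit address and 16 shadow bytes.
ROW_RE = re.compile(r"([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})")


def describe_shadow(value):
    """Human-readable meaning of one shadow byte."""
    if 1 <= value < GRANULE:
        return f"first {value} of {GRANULE} bytes addressable"
    return SHADOW_LEGEND.get(value, f"unknown 0x{value:02x}")


def parse_report(text):
    """Extract bug class, access, object region and shadow rows from report text."""
    r = {"shadow": {}}
    m = re.search(r"BUG: KASAN: (\S+) in (\S+)", text)
    r["bug"], r["where"] = m.group(1), m.group(2)
    m = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", text)
    r["op"], r["size"], r["addr"] = m.group(1), int(m.group(2)), int(m.group(3), 16)
    m = re.search(r"region \[([0-9a-f]+), ([0-9a-f]+)\)", text)
    r["region"] = (int(m.group(1), 16), int(m.group(2), 16))
    m = re.search(r"located (\d+) bytes to the (left|right) of", text)
    r["claimed"] = (m.group(2), int(m.group(1))) if m else None
    for line in text.splitlines():
        m = ROW_RE.fullmatch(line.strip().lstrip(">").strip())
        if m:
            r["shadow"][int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return r


def locate_access(r):
    """(side, distance in bytes) of the access relative to the reported object region."""
    start, end = r["region"]
    if r["addr"] < start:
        return "left", start - r["addr"]
    if r["addr"] >= end:
        return "right", r["addr"] - end
    return "inside", r["addr"] - start


def shadow_byte_at(shadow, addr):
    """Shadow byte covering addr, or None if no dumped row covers it."""
    for base, row in shadow.items():
        if base <= addr < base + len(row) * GRANULE:
            return row[(addr - base) // GRANULE]
    return None


def access_shadow(r):
    """Shadow bytes of every granule the [addr, addr+size) access touches."""
    first = r["addr"] // GRANULE * GRANULE
    last = (r["addr"] + r["size"] - 1) // GRANULE * GRANULE
    return [shadow_byte_at(r["shadow"], g) for g in range(first, last + 1, GRANULE)]


def triage(r):
    """Cross-check the report's prose against its numbers and decode the shadow map."""
    side, dist = locate_access(r)
    touched = access_shadow(r)
    nearby = sorted({describe_shadow(b) for row in r["shadow"].values() for b in row})
    return {
        "bug": r["bug"],
        "offset_consistent": r["claimed"] in (None, (side, dist)),
        "side": side,
        "distance": dist,
        "poison_under_access": [describe_shadow(b) for b in touched if b is not None],
        "shadow_classes_nearby": nearby,
    }


if __name__ == "__main__":
    for key, val in triage(parse_report(SAMPLE)).items():
        print(f"{key}: {val}")
```

Run against the report above, the recomputed offset is 240 bytes past the end of [ffffaf800c2ff800, ffffaf800c2ffa00), matching the prose, and the shadow byte under ffffaf800c2ffaf0 is 0xfc (kmalloc redzone), so the slab-out-of-bounds class is consistent with the shadow. The rows on either side, however, decode as stack redzones (f1/f2/f3), and the nested WARNING's sp (ffffaf800c2ff880) falls inside that same 512-byte region; a reader triaging this crash would set those two facts next to the "corrupted stack end detected inside scheduler" panic that follows, rather than stopping at the bug class line.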