syzkaller login: [ 323.575636][ T1860] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 323.703066][ T1860] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 323.761754][ T1860] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 323.811144][ T1860] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 347.412729][ T1860] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
Warning: Permanently added '[localhost]:23948' (ECDSA) to the list of known hosts.
1970/01/01 00:06:43 fuzzer started
1970/01/01 00:07:02 dialing manager at localhost:41357
[ 433.325697][ T2033] cgroup: Unknown subsys name 'net'
[ 434.699604][ T2033] cgroup: Unknown subsys name 'rlimit'
1970/01/01 00:07:14 syscalls: 2827
1970/01/01 00:07:14 code coverage: enabled
1970/01/01 00:07:14 comparison tracing: enabled
1970/01/01 00:07:14 extra coverage: enabled
1970/01/01 00:07:14 delay kcov mmap: mmap returned an invalid pointer
1970/01/01 00:07:14 setuid sandbox: enabled
1970/01/01 00:07:14 namespace sandbox: enabled
1970/01/01 00:07:14 Android sandbox: /sys/fs/selinux/policy does not exist
1970/01/01 00:07:14 fault injection: enabled
1970/01/01 00:07:14 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
1970/01/01 00:07:14 net packet injection: enabled
1970/01/01 00:07:14 net device setup: enabled
1970/01/01 00:07:14 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
1970/01/01 00:07:14 devlink PCI setup: PCI device 0000:00:10.0 is not available
1970/01/01 00:07:14 USB emulation: enabled
1970/01/01 00:07:14 hci packet injection: /dev/vhci does not exist
1970/01/01 00:07:14 wifi device emulation: /sys/class/mac80211_hwsim/ does not exist
1970/01/01 00:07:14 802.15.4 emulation: /sys/bus/platform/devices/mac802154_hwsim does not exist
1970/01/01 00:07:14 fetching corpus: 0, signal 0/2000 (executing program)
1970/01/01 00:07:22 fetching corpus: 49, signal 32013/34686 (executing program)
1970/01/01 00:07:26 fetching corpus: 99, signal 48444/51432 (executing program)
1970/01/01 00:07:31 fetching corpus: 148, signal 58782/61914 (executing program)
1970/01/01 00:07:37 fetching corpus: 198, signal 67751/70786 (executing program)
1970/01/01 00:07:41 fetching corpus: 248, signal 73296/76281 (executing program)
1970/01/01 00:07:44 fetching corpus: 295, signal 78737/81454 (executing program)
1970/01/01 00:07:48 fetching corpus: 344, signal 84521/86690 (executing program)
1970/01/01 00:07:53 fetching corpus: 394, signal 93483/94292 (executing program)
1970/01/01 00:07:54 fetching corpus: 406, signal 94804/95435 (executing program)
1970/01/01 00:07:54 fetching corpus: 406, signal 94804/95504 (executing program)
1970/01/01 00:07:55 fetching corpus: 406, signal 94804/95587 (executing program)
1970/01/01 00:07:55 fetching corpus: 406, signal 94804/95658 (executing program)
1970/01/01 00:07:55 fetching corpus: 406, signal 94804/95722 (executing program)
1970/01/01 00:07:55 fetching corpus: 406, signal 94804/95780 (executing program)
1970/01/01 00:07:55 fetching corpus: 406, signal 94804/95848 (executing program)
1970/01/01 00:07:56 fetching corpus: 406, signal 94804/95923 (executing program)
1970/01/01 00:07:56 fetching corpus: 406, signal 94804/95991 (executing program)
1970/01/01 00:07:56 fetching corpus: 406, signal 94804/96060 (executing program)
1970/01/01 00:07:56 fetching corpus: 406, signal 94804/96125 (executing program)
1970/01/01 00:07:57 fetching corpus: 406, signal 94804/96186 (executing program)
1970/01/01 00:07:57 fetching corpus: 406, signal 94804/96262 (executing program)
1970/01/01 00:07:57 fetching corpus: 406, signal 94804/96343 (executing program)
1970/01/01 00:07:57 fetching corpus: 406, signal 94804/96404 (executing program)
1970/01/01 00:07:58 fetching corpus: 406, signal 94804/96472 (executing program)
1970/01/01 00:07:58 fetching corpus: 406, signal 94804/96522 (executing program)
1970/01/01 00:07:58 fetching corpus: 406, signal 94804/96582 (executing program)
1970/01/01 00:07:58 fetching corpus: 406, signal 94804/96650 (executing program)
1970/01/01 00:07:58 fetching corpus: 406, signal 94804/96721 (executing program)
1970/01/01 00:07:59 fetching corpus: 406, signal 94804/96784 (executing program)
1970/01/01 00:07:59 fetching corpus: 406, signal 94804/96844 (executing program)
1970/01/01 00:07:59 fetching corpus: 406, signal 94804/96919 (executing program)
1970/01/01 00:07:59 fetching corpus: 406, signal 94804/96995 (executing program)
1970/01/01 00:07:59 fetching corpus: 406, signal 94804/97074 (executing program)
1970/01/01 00:07:59 fetching corpus: 406, signal 94804/97136 (executing program)
1970/01/01 00:08:00 fetching corpus: 406, signal 94804/97198 (executing program)
1970/01/01 00:08:00 fetching corpus: 406, signal 94804/97260 (executing program)
1970/01/01 00:08:00 fetching corpus: 406, signal 94804/97358 (executing program)
1970/01/01 00:08:00 fetching corpus: 406, signal 94804/97418 (executing program)
1970/01/01 00:08:00 fetching corpus: 406, signal 94804/97480 (executing program)
1970/01/01 00:08:01 fetching corpus: 406, signal 94804/97541 (executing program)
1970/01/01 00:08:01 fetching corpus: 406, signal 94804/97614 (executing program)
1970/01/01 00:08:01 fetching corpus: 406, signal 94804/97686 (executing program)
1970/01/01 00:08:01 fetching corpus: 406, signal 94804/97766 (executing program)
1970/01/01 00:08:02 fetching corpus: 406, signal 94804/97841 (executing program)
1970/01/01 00:08:02 fetching corpus: 406, signal 94804/97917 (executing program)
1970/01/01 00:08:02 fetching corpus: 406, signal 94804/97981 (executing program)
1970/01/01 00:08:02 fetching corpus: 406, signal 94804/98038 (executing program)
1970/01/01 00:08:03 fetching corpus: 406, signal 94804/98103 (executing program)
1970/01/01 00:08:03 fetching corpus: 406, signal 94804/98111 (executing program)
1970/01/01 00:08:03 fetching corpus: 406, signal 94804/98111 (executing program)
1970/01/01 00:10:16 starting 2 fuzzer processes
00:10:17 executing program 0:
r0 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./cgroup/cgroup.procs\x00', 0x0, 0x0)
open_by_handle_at(r0, &(0x7f0000000000)=@ocfs2={0xc, 0xfe, {0x1}}, 0x0)
00:10:17 executing program 1:
r0 = add_key$fscrypt_v1(&(0x7f0000000040), &(0x7f0000000000)={'fscrypt:', @desc2}, &(0x7f00000000c0)={0x0, "56f2acdb7ad5f3eead589673a528dd5324d7ecd9972224d209d0e6b697df684ddf6a4d4e8510b85b241f86f0536bfa58ccc89937e3b25055e863cd73fd862510"}, 0x48, 0xfffffffffffffffd)
r1 = add_key$keyring(&(0x7f0000001700), &(0x7f0000001740)={'syz', 0x2}, 0x0, 0x0, 0xffffffffffffffff)
keyctl$KEYCTL_MOVE(0x1d, r0, r1, 0xfffffffffffffffd, 0x0)
[ 645.929925][ C0] ==================================================================
[ 645.934154][ C0] BUG: KASAN: slab-out-of-bounds in walk_stackframe+0x11c/0x260
[ 645.936021][ C0] Read of size 8 at addr ffffaf800a1a7f10 by task syz-executor.0/2041
[ 645.938779][ C0]
[ 645.940622][ C0] CPU: 0 PID: 2041 Comm: syz-executor.0 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 645.942567][ C0] Hardware name: riscv-virtio,qemu (DT)
[ 645.944127][ C0] Call Trace:
[ 645.945483][ C0] [] dump_backtrace+0x2e/0x3c
[ 645.947112][ C0] [] show_stack+0x34/0x40
[ 645.948969][ C0] [] dump_stack_lvl+0xe4/0x150
[ 645.950764][ C0] [] print_address_description.constprop.0+0x2a/0x330
[ 645.952600][ C0] [] kasan_report+0x184/0x1e0
[ 645.955020][ C0] [] __asan_load8+0x6e/0x96
[ 645.957388][ C0] [] walk_stackframe+0x11c/0x260
[ 645.958990][ C0] [] arch_stack_walk+0x2c/0x3c
[ 645.960912][ C0] [] stack_trace_save+0xa6/0xd8
[ 645.962949][ C0]
[ 645.964078][ C0] Allocated by task 1:
[ 645.965591][ C0]  (stack is not available)
[ 645.966594][ C0]
[ 645.967463][ C0] Last potentially related work creation:
[ 645.968617][ C0]  stack_trace_save+0xa6/0xd8
[ 645.970021][ C0]  kasan_save_stack+0x2c/0x58
[ 645.971392][ C0]  __kasan_kmalloc+0x80/0xb2
[ 645.972678][ C0]  __kmalloc+0x190/0x318
[ 645.974238][ C0]  aa_str_alloc+0x26/0x64
[ 645.976135][ C0]  aa_policy_init+0x15a/0x178
[ 645.977388][ C0]  alloc_ns+0xae/0x46c
[ 645.978668][ C0]  aa_alloc_root_ns+0x24/0x46
[ 645.980050][ C0]  apparmor_init+0x9e/0x47e
[ 645.981359][ C0]  initialize_lsm+0xac/0xfc
[ 645.982621][ C0]  security_init+0x510/0x53e
[ 645.984275][ C0]  start_kernel+0x60a/0x698
[ 645.985876][ C0]
[ 645.986724][ C0] The buggy address belongs to the object at ffffaf800a1a72c0
[ 645.986724][ C0]  which belongs to the cache signal_cache of size 1544
[ 645.988708][ C0] The buggy address is located 1608 bytes to the right of
[ 645.988708][ C0]  1544-byte region [ffffaf800a1a72c0, ffffaf800a1a78c8)
[ 645.990564][ C0] The buggy address belongs to the page:
[ 645.992233][ C0] page:ffffaf807a920500 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffffaf800a1a4a40 pfn:0x8a3a0
[ 645.994199][ C0] head:ffffaf807a920500 order:3 compound_mapcount:0 compound_pincount:0
[ 645.995968][ C0] flags: 0x8800010200(slab|head|section=17|node=0|zone=0)
[ 645.999269][ C0] raw: 0000008800010200 ffffaf807a909408 ffffaf807a903e88 ffffaf800723ec80
[ 646.000866][ C0] raw: ffffaf800a1a4a40 0000000000120002 00000001ffffffff 0000000000000000
[ 646.002262][ C0] raw: 00000000000007ff
[ 646.003460][ C0] page dumped because: kasan: bad access detected
[ 646.005988][ C0] page_owner tracks the page as allocated
[ 646.007161][ C0] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 7, ts 26408213100, free_ts 0
[ 646.009608][ C0]  __set_page_owner+0x48/0x136
[ 646.010946][ C0]  post_alloc_hook+0xd0/0x10a
[ 646.012234][ C0]  get_page_from_freelist+0x8da/0x12d8
[ 646.013713][ C0]  __alloc_pages+0x150/0x3b6
[ 646.015260][ C0]  alloc_pages+0x132/0x2a6
[ 646.016627][ C0]  alloc_slab_page.constprop.0+0xc2/0xfa
[ 646.018055][ C0]  new_slab+0x25a/0x2cc
[ 646.019346][ C0]  ___slab_alloc+0x56e/0x918
[ 646.020664][ C0]  __slab_alloc.constprop.0+0x50/0x8c
[ 646.022110][ C0]  kmem_cache_alloc+0x39c/0x3de
[ 646.023485][ C0]  copy_process+0x15a8/0x3c34
[ 646.025147][ C0]  kernel_clone+0xee/0x920
[ 646.026538][ C0]  kernel_thread+0xf8/0x130
[ 646.027927][ C0]  call_usermodehelper_exec_work+0xc8/0x122
[ 646.029396][ C0]  process_one_work+0x654/0xffe
[ 646.030663][ C0]  worker_thread+0x360/0x8fa
[ 646.032034][ C0] page_owner free stack trace missing
[ 646.033373][ C0]
[ 646.034466][ C0] Memory state around the buggy address:
[ 646.036796][ C0]  ffffaf800a1a7e00: 00 00 00 00 fc fc fc fc 00 00 00 00 00 00 00 00
[ 646.038467][ C0]  ffffaf800a1a7e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 646.039939][ C0] >ffffaf800a1a7f00: fc fc fc fc fc fc fc fc fc fc fc fc f1 f1 f1 f1
[ 646.041216][ C0]                          ^
[ 646.042411][ C0]  ffffaf800a1a7f80: 00 00 00 f3 f3 f3 f3 f3 00 00 00 00 fc fc fc fc
[ 646.043996][ C0]  ffffaf800a1a8000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 646.046123][ C0] ==================================================================
[ 646.047482][ C0] Disabling lock debugging due to kernel taint
[ 646.051875][ T2041] Kernel panic - not syncing: corrupted stack end detected inside scheduler
[ 646.053436][ T2041] CPU: 0 PID: 2041 Comm: syz-executor.0 Tainted: G B 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 646.055116][ T2041] Hardware name: riscv-virtio,qemu (DT)
[ 646.055979][ T2041] Call Trace:
[ 646.056607][ T2041] [] dump_backtrace+0x2e/0x3c
[ 646.057999][ T2041] [] show_stack+0x34/0x40
[ 646.059330][ T2041] [] dump_stack_lvl+0xe4/0x150
[ 646.060643][ T2041] [] dump_stack+0x1c/0x24
[ 646.061900][ T2041] [] panic+0x24a/0x634
[ 646.062994][ T2041] [] schedule+0x0/0x14c
[ 646.064707][ T2041] [] preempt_schedule_irq+0x4a/0x13e
[ 646.066141][ T2041] [] resume_kernel+0x16/0x18
[ 646.067682][ T2041] SMP: stopping secondary CPUs
[ 646.069771][ T2041] Rebooting in 86400 seconds..
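Added triage helper (not part of the syzbot report, syzkaller or the kernel): a small Python script that parses the KASAN header, the slab object/region lines and the "Memory state around the buggy address" dump from the report above, maps the faulting address onto its shadow byte, and decodes that byte with the generic-KASAN shadow legend. The sample text is copied from the report; the shadow-byte values are the ones defined in the kernel's mm/kasan/kasan.h (the 0xf1-0xf4 stack values are compiler ABI); the function names and the regexes are this example's own.

```python
import re

# Constructed sample: the KASAN header, object/region lines and shadow dump from the
# report above, with the console timestamp/CPU prefixes kept as they appear.
SAMPLE = """\
[ 645.934154][ C0] BUG: KASAN: slab-out-of-bounds in walk_stackframe+0x11c/0x260
[ 645.936021][ C0] Read of size 8 at addr ffffaf800a1a7f10 by task syz-executor.0/2041
[ 645.986724][ C0] The buggy address belongs to the object at ffffaf800a1a72c0
[ 645.986724][ C0]  which belongs to the cache signal_cache of size 1544
[ 645.988708][ C0] The buggy address is located 1608 bytes to the right of
[ 645.988708][ C0]  1544-byte region [ffffaf800a1a72c0, ffffaf800a1a78c8)
[ 646.034466][ C0] Memory state around the buggy address:
[ 646.036796][ C0]  ffffaf800a1a7e00: 00 00 00 00 fc fc fc fc 00 00 00 00 00 00 00 00
[ 646.038467][ C0]  ffffaf800a1a7e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 646.039939][ C0] >ffffaf800a1a7f00: fc fc fc fc fc fc fc fc fc fc fc fc f1 f1 f1 f1
[ 646.041216][ C0]                          ^
[ 646.042411][ C0]  ffffaf800a1a7f80: 00 00 00 f3 f3 f3 f3 f3 00 00 00 00 fc fc fc fc
[ 646.043996][ C0]  ffffaf800a1a8000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

SHADOW_SCALE = 8                # generic KASAN: one shadow byte per 8 bytes of memory
ROW_BYTES = 16 * SHADOW_SCALE   # each dumped row shows 16 shadow bytes = 128 bytes

# Generic-KASAN shadow legend (values from mm/kasan/kasan.h). 0x00 is fully
# addressable and 0x01-0x07 give the number of addressable leading bytes; those
# two cases are handled in shadow_meaning(). Anything else is reported as unknown.
SHADOW_LEGEND = {
    0xfa: "freed slab object (free-track)",
    0xfb: "freed slab object (kfree/kmem_cache_free)",
    0xfc: "kmalloc redzone (slab object padding)",
    0xfe: "page redzone (kmalloc_large)",
    0xff: "freed page",
    0xf1: "stack left redzone",
    0xf2: "stack mid redzone",
    0xf3: "stack right redzone",
    0xf4: "stack partial redzone",
    0xca: "alloca left redzone",
    0xcb: "alloca right redzone",
}

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*[CT]\d+\]\s?")   # "[ 645.934154][ C0] "
SHADOW_ROW = re.compile(r"^[ >]?([0-9a-f]{16}): ((?:[0-9a-f]{2}\s*){16})$")


def parse_kasan_report(text):
    """Extract the fields a triager reads first, plus the shadow rows keyed by row address."""
    report = {"shadow": {}}
    for raw in text.splitlines():
        line = PREFIX.sub("", raw)
        m = re.match(r"BUG: KASAN: (\S+) in (\S+)", line)
        if m:
            report["bug"], report["where"] = m.groups()
            continue
        m = re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", line)
        if m:
            report["access"], report["size"] = m.group(1), int(m.group(2))
            report["addr"] = int(m.group(3), 16)
            report["task"], report["pid"] = m.group(4), int(m.group(5))
            continue
        m = re.search(r"cache (\S+) of size (\d+)", line)
        if m:
            report["cache"], report["obj_size"] = m.group(1), int(m.group(2))
            continue
        m = re.search(r"\d+-byte region \[([0-9a-f]+), ([0-9a-f]+)\)", line)
        if m:
            report["region"] = (int(m.group(1), 16), int(m.group(2), 16))
            continue
        m = SHADOW_ROW.match(line)
        if m:
            report["shadow"][int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return report


def shadow_meaning(byte):
    if byte == 0:
        return "addressable"
    if 1 <= byte <= 7:
        return f"partially addressable (first {byte} bytes)"
    return SHADOW_LEGEND.get(byte, "unknown")


def classify_address(report, addr=None):
    """Map an address (default: the faulting one) onto its shadow byte in the dump and decode it."""
    addr = report["addr"] if addr is None else addr
    row = addr & ~(ROW_BYTES - 1)
    row_bytes = report["shadow"].get(row)
    if row_bytes is None:
        return None, "shadow row not in dump"
    byte = row_bytes[(addr - row) // SHADOW_SCALE]
    return byte, shadow_meaning(byte)


def offset_from_region(report):
    """Bytes from the access to the slab object: >0 right of it, <0 left of it, 0 inside."""
    addr, (start, end) = report["addr"], report["region"]
    if addr < start:
        return addr - start
    if addr >= end:
        return addr - end
    return 0


def summarize(report):
    byte, meaning = classify_address(report)
    off = offset_from_region(report)
    side = "inside" if off == 0 else f"{abs(off)} bytes to the {'right' if off > 0 else 'left'} of"
    shadow = f"{byte:#04x}" if byte is not None else "n/a"
    return (f"{report['bug']} in {report['where']}: {report['access']} of {report['size']} bytes "
            f"at {report['addr']:#x} by {report['task']}/{report['pid']}, {side} a "
            f"{report['obj_size']}-byte {report['cache']} object; shadow byte {shadow} = {meaning}")


if __name__ == "__main__":
    print(summarize(parse_kasan_report(SAMPLE)))
```

Run against the report it reproduces the kernel's own arithmetic: the 8-byte read at ffffaf800a1a7f10 is 1608 bytes past the end of the 1544-byte signal_cache object, and the shadow byte under the `^` is 0xfc, a slab redzone, so the read never touched a live object. The f1 bytes at the end of the marked row and the f3 bytes in the row after it decode, per the legend, as stack left and stack right redzones, which is worth knowing when the faulting function is a stack walker.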
VM DIAGNOSIS:
03:58:24 Registers:
info registers vcpu 0
 pc       ffffffff801165d6
 mhartid  0000000000000000
 mstatus  00000000000000a0
 mip      00000000000000a0
 mie      000000000000022a
 mideleg  0000000000000222
 medeleg  000000000000b109
 mtvec    0000000080000540
 stvec    ffffffff800055d4
 mepc     ffffffff801137f8
 sepc     ffffffff802009d2
 mcause   8000000000000007
 scause   8000000000000005
 mtval    0000000000000000
 stval    0000000000000000
 x0/zero  0000000000000000
 x1/ra    ffffffff801165c2
 x2/sp    ffffaf800a1a7870
 x3/gp    ffffffff85863ac0
 x4/tp    ffffaf800df1b080
 x5/t0    ffffffff86bcb657
 x6/t1    2e2b0738c8643500
 x7/t2    0000000000000000
 x8/s0    ffffaf800a1a79d0
 x9/s1    ffffffff8343c840
 x10/a0   ffffaf805a9c8840
 x11/a1   0000000000000003
 x12/a2   1ffff5f00b539108
 x13/a3   ffffffff801165c2
 x14/a4   0000000000000000
 x15/a5   0000000000000020
 x16/a6   0000000000f00000
 x17/a7   ffffffff8010742c
 x18/s2   ffffffff86c1a620
 x19/s3   ffffaf805a9c8840
 x20/s4   0000000000000000
 x21/s5   ffffffff84a88678
 x22/s6   0000000000000000
 x23/s7   ffffaf800df1b080
 x24/s8   ffffffff8010742c
 x25/s9   ffffffff85889780
 x26/s10  1ffff5f001434f18
 x27/s11  0000000000000000
 x28/t3   fffffffff3f3f300
 x29/t4   ffffffff80112282
 x30/t5   1ffff5f001434ef4
 x31/t6   ffffaf800a1a7918
 f0/ft0   0000000000000000
 f1/ft1   0000000000000000
 f2/ft2   0000000000000000
 f3/ft3   0000000000000000
 f4/ft4   0000000000000000
 f5/ft5   0000000000000000
 f6/ft6   0000000000000000
 f7/ft7   0000000000000000
 f8/fs0   0000000000000000
 f9/fs1   0000000000000000
 f10/fa0  0000000000000000
 f11/fa1  0000000000000000
 f12/fa2  0000000000000000
 f13/fa3  0000000000000000
 f14/fa4  0000000000000000
 f15/fa5  0000000000000000
 f16/fa6  0000000000000000
 f17/fa7  0000000000000000
 f18/fs2  0000000000000000
 f19/fs3  0000000000000000
 f20/fs4  0000000000000000
 f21/fs5  0000000000000000
 f22/fs6  0000000000000000
 f23/fs7  0000000000000000
 f24/fs8  0000000000000000
 f25/fs9  0000000000000000
 f26/fs10 0000000000000000
 f27/fs11 0000000000000000
 f28/ft8  0000000000000000
 f29/ft9  0000000000000000
 f30/ft10 0000000000000000
 f31/ft11 0000000000000000
info registers vcpu 1
 pc       ffffffff80112a26
 mhartid  0000000000000001
 mstatus  00000000000000a0
 mip      0000000000000000
 mie      00000000000002aa
 mideleg  0000000000000222
 medeleg  000000000000b109
 mtvec    0000000080000540
 stvec    ffffffff800055d4
 mepc     ffffffff8000f97e
 sepc     00007fffa625229c
 mcause   0000000000000009
 scause   0000000000000008
 mtval    0000000000000000
 stval    0000000000000000
 x0/zero  0000000000000000
 x1/ra    ffffffff800cd74c
 x2/sp    ffffaf8009d8fdc0
 x3/gp    ffffffff85863ac0
 x4/tp    ffffaf800a18e100
 x5/t0    0000000000000000
 x6/t1    2e2b0738c8643500
 x7/t2    ffffffffffffffff
 x8/s0    ffffaf8009d8fcd0
 x9/s1    0000000000000001
 x10/a0   ffffaf805a9f5b10
 x11/a1   ffffffff838a05a0
 x12/a2   0000000000000002
 x13/a3   ffffffff80146d84
 x14/a4   0000000000000001
 x15/a5   0000000000000000
 x16/a6   0000000000f00000
 x17/a7   ffffffff831a2308
 x18/s2   0000000000000000
 x19/s3   ffffffff8588a420
 x20/s4   ffffffff8586fd20
 x21/s5   0000000000000001
 x22/s6   ffffffff86c1a620
 x23/s7   0000000000001000
 x24/s8   ffffffff85889780
 x25/s9   1ffff5f0013b1fa8
 x26/s10  ffffaf800a18e820
 x27/s11  ffffffff831a2308
 x28/t3   fffffffff3f3f300
 x29/t4   ffffffff80112282
 x30/t5   1ffff5f0013b1f78
 x31/t6   0000000000040000
 f0/ft0   0000000000000000
 f1/ft1   0000000000000000
 f2/ft2   0000000000000000
 f3/ft3   0000000000000000
 f4/ft4   0000000000000000
 f5/ft5   0000000000000000
 f6/ft6   0000000000000000
 f7/ft7   0000000000000000
 f8/fs0   0000000000000000
 f9/fs1   0000000000000000
 f10/fa0  0000000000000000
 f11/fa1  0000000000000000
 f12/fa2  0000000000000000
 f13/fa3  0000000000000000
 f14/fa4  0000000000000000
 f15/fa5  0000000000000000
 f16/fa6  0000000000000000
 f17/fa7  0000000000000000
 f18/fs2  0000000000000000
 f19/fs3  0000000000000000
 f20/fs4  0000000000000000
 f21/fs5  0000000000000000
 f22/fs6  0000000000000000
 f23/fs7  0000000000000000
 f24/fs8  0000000000000000
 f25/fs9  0000000000000000
 f26/fs10 0000000000000000
 f27/fs11 0000000000000000
 f28/ft8  0000000000000000
 f29/ft9  0000000000000000
 f30/ft10 0000000000000000
 f31/ft11 0000000000000000