syzkaller login: [ 268.764234][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 278.873180][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 278.961185][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
[ 320.014741][ T1859] netlink: 4 bytes leftover after parsing attributes in process `dhcpcd'.
Warning: Permanently added '[localhost]:23818' (ECDSA) to the list of known hosts.
1970/01/01 00:05:49 fuzzer started
1970/01/01 00:06:03 dialing manager at localhost:36783
[ 369.624043][ T2044] cgroup: Unknown subsys name 'net'
[ 369.718994][ T2044] ==================================================================
[ 369.721477][ T2044] BUG: KASAN: double-free or invalid-free in kfree+0xe0/0x3e4
[ 369.722621][ T2044]
[ 369.723594][ T2044] CPU: 1 PID: 2044 Comm: syz-executor Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
[ 369.725199][ T2044] Hardware name: riscv-virtio,qemu (DT)
[ 369.726999][ T2044] Call Trace:
[ 369.727841][ T2044] [] dump_backtrace+0x2e/0x3c
[ 369.728970][ T2044] [] show_stack+0x34/0x40
[ 369.729968][ T2044] [] dump_stack_lvl+0xe4/0x150
[ 369.731148][ T2044] [] print_address_description.constprop.0+0x2a/0x330
[ 369.732463][ T2044] [] kasan_report_invalid_free+0x62/0x92
[ 369.733717][ T2044] [] ____kasan_slab_free+0x170/0x180
[ 369.734883][ T2044] [] __kasan_slab_free+0x10/0x18
[ 369.736046][ T2044] [] slab_free_freelist_hook+0x8e/0x1cc
[ 369.738231][ T2044] [] kfree+0xe0/0x3e4
[ 369.740204][ T2044] [] put_fs_context+0x2b8/0x404
[ 369.742363][ T2044] [] path_mount+0x606/0x14dc
[ 369.744535][ T2044] [] sys_mount+0x360/0x3ee
[ 369.746657][ T2044] [] ret_from_syscall+0x0/0x2
[ 369.748900][ T2044]
[ 369.750071][ T2044] Allocated by task 0:
[ 369.751453][ T2044] (stack is not available)
[ 369.752892][ T2044]
[ 369.753870][ T2044] Freed by task 2044:
[ 369.755337][ T2044]  stack_trace_save+0xa6/0xd8
[ 369.757144][ T2044]  kasan_save_stack+0x2c/0x58
[ 369.758936][ T2044]  kasan_set_track+0x1a/0x26
[ 369.760718][ T2044]  kasan_set_free_info+0x1e/0x3a
[ 369.762425][ T2044]  ____kasan_slab_free+0x15e/0x180
[ 369.764219][ T2044]  __kasan_slab_free+0x10/0x18
[ 369.766472][ T2044]  slab_free_freelist_hook+0x8e/0x1cc
[ 369.768939][ T2044]  kfree+0xe0/0x3e4
[ 369.770617][ T2044]  put_fs_context+0x2b8/0x404
[ 369.772558][ T2044]  path_mount+0x606/0x14dc
[ 369.774609][ T2044]  sys_mount+0x360/0x3ee
[ 369.776492][ T2044]  ret_from_syscall+0x0/0x2
[ 369.778642][ T2044]
[ 369.779243][ T2044] The buggy address belongs to the object at ffffaf800ecb0000
[ 369.779243][ T2044]  which belongs to the cache kmalloc-cg-512 of size 512
[ 369.780791][ T2044] The buggy address is located 272 bytes inside of
[ 369.780791][ T2044]  512-byte region [ffffaf800ecb0000, ffffaf800ecb0200)
[ 369.782130][ T2044] The buggy address belongs to the page:
[ 369.784239][ T2044] page:ffffaf807aa72180 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8eeb0
[ 369.788428][ T2044] head:ffffaf807aa72180 order:2 compound_mapcount:0 compound_pincount:0
[ 369.791742][ T2044] flags: 0x8800010200(slab|head|section=17|node=0|zone=0)
[ 369.795006][ T2044] raw: 0000008800010200 0000000000000100 0000000000000122 ffffaf8007202dc0
[ 369.796807][ T2044] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 369.798671][ T2044] raw: 00000000000007ff
[ 369.799418][ T2044] page dumped because: kasan: bad access detected
[ 369.800496][ T2044] page_owner tracks the page as allocated
[ 369.801277][ T2044] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1985, ts 260391268800, free_ts 256018013500
[ 369.803124][ T2044]  __set_page_owner+0x48/0x136
[ 369.804091][ T2044]  post_alloc_hook+0xd0/0x10a
[ 369.805010][ T2044]  get_page_from_freelist+0x8da/0x12d8
[ 369.806291][ T2044]  __alloc_pages+0x150/0x3b6
[ 369.807383][ T2044]  alloc_pages+0x132/0x2a6
[ 369.808416][ T2044]  alloc_slab_page.constprop.0+0xc2/0xfa
[ 369.809439][ T2044]  new_slab+0x25a/0x2cc
[ 369.810300][ T2044]  ___slab_alloc+0x56e/0x918
[ 369.811209][ T2044]  __slab_alloc.constprop.0+0x50/0x8c
[ 369.812214][ T2044]  __kmalloc_node_track_caller+0x26c/0x362
[ 369.813217][ T2044]  __alloc_skb+0xee/0x2e4
[ 369.814151][ T2044]  alloc_skb_with_frags+0x78/0x30c
[ 369.815034][ T2044]  sock_alloc_send_pskb+0x536/0x558
[ 369.816353][ T2044]  unix_stream_sendmsg+0x472/0xbb8
[ 369.817358][ T2044]  sock_sendmsg+0xa0/0xc4
[ 369.818282][ T2044]  sock_write_iter+0x1c0/0x272
[ 369.819330][ T2044] page last free stack trace:
[ 369.820022][ T2044]  __reset_page_owner+0x4a/0xea
[ 369.820944][ T2044]  free_pcp_prepare+0x29c/0x45e
[ 369.821850][ T2044]  free_unref_page+0x6a/0x31e
[ 369.822766][ T2044]  __free_pages+0xe2/0x112
[ 369.823665][ T2044]  put_task_stack+0x1d0/0x2b0
[ 369.824617][ T2044]  finish_task_switch.isra.0+0x3ce/0x420
[ 369.826155][ T2044]  __schedule+0x58e/0x118e
[ 369.827457][ T2044]  preempt_schedule_common+0x4e/0xde
[ 369.828531][ T2044]  preempt_schedule+0x34/0x36
[ 369.829486][ T2044]  _raw_spin_unlock_irqrestore+0x8c/0x98
[ 369.830391][ T2044]  debug_object_active_state+0x1ea/0x1f4
[ 369.831381][ T2044]  call_rcu+0x54/0x4ce
[ 369.832348][ T2044]  destroy_inode+0xa4/0xda
[ 369.833196][ T2044]  evict+0x2ca/0x344
[ 369.834004][ T2044]  iput+0x410/0x61c
[ 369.834793][ T2044]  proc_invalidate_siblings_dcache+0x288/0x5ba
[ 369.836322][ T2044]
[ 369.837092][ T2044] Memory state around the buggy address:
[ 369.838664][ T2044]  ffffaf800ecb0000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 369.839718][ T2044]  ffffaf800ecb0080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 369.840706][ T2044] >ffffaf800ecb0100: fb fb 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 369.841607][ T2044]                          ^
[ 369.842428][ T2044]  ffffaf800ecb0180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 369.843456][ T2044]  ffffaf800ecb0200: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[ 369.844487][ T2044] ==================================================================
[ 369.845628][ T2044] Disabling lock debugging due to kernel taint
[ 370.169487][ T2044] cgroup: Unknown subsys name 'rlimit'
1970/01/01 00:06:09 syscalls: 2818
1970/01/01 00:06:09 code coverage: enabled
1970/01/01 00:06:09 comparison tracing: enabled
1970/01/01 00:06:09 extra coverage: enabled
1970/01/01 00:06:09 delay kcov mmap: mmap returned an invalid pointer
1970/01/01 00:06:09 setuid sandbox: enabled
1970/01/01 00:06:09 namespace sandbox: enabled
1970/01/01 00:06:09 Android sandbox: /sys/fs/selinux/policy does not exist
1970/01/01 00:06:09 fault injection: enabled
1970/01/01 00:06:09 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
1970/01/01 00:06:09 net packet injection: enabled
1970/01/01 00:06:09 net device setup: enabled
1970/01/01 00:06:09 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist
1970/01/01 00:06:09 devlink PCI setup: PCI device 0000:00:10.0 is not available
1970/01/01 00:06:09 USB emulation: enabled
1970/01/01 00:06:09 hci packet injection: /dev/vhci does not exist
1970/01/01 00:06:09 wifi device emulation: /sys/class/mac80211_hwsim/ does not exist
1970/01/01 00:06:09 802.15.4 emulation: /sys/bus/platform/devices/mac802154_hwsim does not exist
1970/01/01 00:06:12 fetching corpus: 50, signal 40901/42594 (executing program)
1970/01/01 00:06:14 fetching corpus: 100, signal 51223/54474 (executing program)
1970/01/01 00:06:16 fetching corpus: 150, signal 58242/62962 (executing program)
1970/01/01 00:06:18 fetching corpus: 200, signal 64912/71041 (executing program)
1970/01/01 00:06:19 fetching corpus: 250, signal 70729/78224 (executing program)
1970/01/01 00:06:21 fetching corpus: 300, signal 75727/84465 (executing program)
1970/01/01 00:06:22 fetching corpus: 350, signal 79920/89983 (executing program)
1970/01/01 00:06:23 fetching corpus: 400, signal 82292/93680 (executing program)
1970/01/01 00:06:25 fetching corpus: 450, signal 86654/99151 (executing program)
1970/01/01 00:06:27 fetching corpus: 500, signal 90270/103911 (executing program)
1970/01/01 00:06:30 fetching corpus: 550, signal 93218/108027 (executing program)
1970/01/01 00:06:31 fetching corpus: 600, signal 96544/112413 (executing program)
1970/01/01 00:06:33 fetching corpus: 650, signal 99323/116222 (executing program)
1970/01/01 00:06:35 fetching corpus: 700, signal 103994/121721 (executing program)
1970/01/01 00:06:36 fetching corpus: 750, signal 106453/125205 (executing program)
VM DIAGNOSIS:
11:53:40 Registers: