./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1724078273 <...> Warning: Permanently added '10.128.1.71' (ECDSA) to the list of known hosts. execve("./syz-executor1724078273", ["./syz-executor1724078273"], 0x7ffed2e19970 /* 10 vars */) = 0 brk(NULL) = 0x555556f25000 brk(0x555556f25c40) = 0x555556f25c40 arch_prctl(ARCH_SET_FS, 0x555556f25300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 set_tid_address(0x555556f255d0) = 5075 set_robust_list(0x555556f255e0, 24) = 0 rt_sigaction(SIGRTMIN, {sa_handler=0x7f24a93ac450, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7f24a93acb20}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=0x7f24a93ac4f0, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f24a93acb20}, NULL, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor1724078273", 4096) = 28 brk(0x555556f46c40) = 0x555556f46c40 brk(0x555556f47000) = 0x555556f47000 mprotect(0x7f24a946c000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5076 attached , child_tidptr=0x555556f255d0) = 5076 [pid 5076] set_robust_list(0x555556f255e0, 24) = 0 [pid 5076] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5076] setpgid(0, 0) = 0 [pid 5076] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5076] write(3, "1000", 4) = 4 [pid 5076] close(3) = 0 [pid 5076] futex(0x7f24a947242c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5076] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f24a937c000 [pid 5076] mprotect(0x7f24a937d000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5076] clone(child_stack=0x7f24a939c3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5077 attached , parent_tid=[5077], tls=0x7f24a939c700, child_tidptr=0x7f24a939c9d0) = 5077 [pid 5077] set_robust_list(0x7f24a939c9e0, 24 [pid 5076] futex(0x7f24a9472428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5076] futex(0x7f24a947242c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5077] <... set_robust_list resumed>) = 0 [pid 5077] socket(AF_INET6, SOCK_STREAM, IPPROTO_SCTP) = 3 [pid 5077] futex(0x7f24a947242c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5076] <... futex resumed>) = 0 [pid 5076] futex(0x7f24a9472428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5076] futex(0x7f24a947242c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5077] io_uring_setup(30246, {flags=0, sq_thread_cpu=0, sq_thread_idle=0, sq_entries=32768, cq_entries=65536, features=IORING_FEAT_SINGLE_MMAP|IORING_FEAT_NODROP|IORING_FEAT_SUBMIT_STABLE|IORING_FEAT_RW_CUR_POS|IORING_FEAT_CUR_PERSONALITY|IORING_FEAT_FAST_POLL|IORING_FEAT_POLL_32BITS|IORING_FEAT_SQPOLL_NONFIXED|IORING_FEAT_EXT_ARG|IORING_FEAT_NATIVE_WORKERS|IORING_FEAT_RSRC_TAGS|IORING_FEAT_CQE_SKIP|IORING_FEAT_LINKED_FILE, sq_off={head=0, tail=64, ring_mask=256, ring_entries=264, flags=276, dropped=272, array=1048896}, cq_off={head=128, tail=192, ring_mask=260, ring_entries=268, overflow=284, cqes=320, flags=280}}) = 4 [pid 5077] mmap(0x20fed000, 1179968, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE, 4, 0) = 0x20fed000 [pid 5077] mmap(0x20ffb000, 2097152, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE, 4, 0x10000000) = 0x20ffb000 [pid 5077] futex(0x7f24a947242c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5076] <... futex resumed>) = 0 [pid 5076] futex(0x7f24a9472428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5076] futex(0x7f24a947242c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5077] <... futex resumed>) = 1 [pid 5077] futex(0x7f24a947242c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5076] <... futex resumed>) = 0 [pid 5076] futex(0x7f24a9472428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5076] futex(0x7f24a947242c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5077] <... futex resumed>) = 1 [pid 5077] io_uring_enter(4, 17678, 0, 0, NULL, 0) = 1 [pid 5077] futex(0x7f24a947242c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5076] <... futex resumed>) = 0 [pid 5076] futex(0x7f24a9472428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5076] futex(0x7f24a947242c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5077] <... futex resumed>) = 1 [pid 5077] sendto(3, "\xca", 1, 0, {sa_family=AF_INET6, sin6_port=htons(0), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "2001::", &sin6_addr), sin6_scope_id=0}, 28 [pid 5076] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5076] futex(0x7f24a947242c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 5076] futex(0x7f24a947243c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5076] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f24a935b000 [pid 5076] mprotect(0x7f24a935c000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5076] clone(child_stack=0x7f24a937b3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5078 attached , parent_tid=[5078], tls=0x7f24a937b700, child_tidptr=0x7f24a937b9d0) = 5078 [pid 5078] set_robust_list(0x7f24a937b9e0, 24 [pid 5076] futex(0x7f24a9472438, FUTEX_WAKE_PRIVATE, 1000000 [pid 5078] <... set_robust_list resumed>) = 0 [pid 5076] <... futex resumed>) = 0 [pid 5076] futex(0x7f24a947243c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5078] listen(3, 67 [pid 5076] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5076] futex(0x7f24a947243c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 5076] futex(0x7f24a947244c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5076] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f24a933a000 [pid 5076] mprotect(0x7f24a933b000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5076] clone(child_stack=0x7f24a935a3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5081], tls=0x7f24a935a700, child_tidptr=0x7f24a935a9d0) = 5081 [pid 5076] futex(0x7f24a9472448, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5076] futex(0x7f24a947244c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5081 attached [pid 5081] set_robust_list(0x7f24a935a9e0, 24) = 0 [pid 5081] accept4(3, NULL, NULL, 0 [pid 5078] <... listen resumed>) = 0 [pid 5078] futex(0x7f24a947243c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5078] futex(0x7f24a9472438, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5081] <... accept4 resumed>) = 5 [pid 5077] <... sendto resumed>) = 1 [pid 5077] futex(0x7f24a947242c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5081] futex(0x7f24a947244c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5077] <... futex resumed>) = 0 [pid 5081] <... futex resumed>) = 1 [pid 5076] <... futex resumed>) = 0 [pid 5081] futex(0x7f24a9472448, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5077] futex(0x7f24a9472428, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5076] exit_group(0 [pid 5081] <... futex resumed>) = ? [pid 5078] <... futex resumed>) = ? [pid 5077] <... futex resumed>) = ? [pid 5076] <... exit_group resumed>) = ? [pid 5081] +++ exited with 0 +++ [pid 5078] +++ exited with 0 +++ [pid 5077] +++ exited with 0 +++ [pid 5076] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5076, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5083 attached , child_tidptr=0x555556f255d0) = 5083 [pid 5083] set_robust_list(0x555556f255e0, 24) = 0 [pid 5083] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5083] setpgid(0, 0) = 0 [pid 5083] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5083] write(3, "1000", 4) = 4 [pid 5083] close(3) = 0 [pid 5083] futex(0x7f24a947242c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5083] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f24a937c000 [pid 5083] mprotect(0x7f24a937d000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5083] clone(child_stack=0x7f24a939c3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5084 attached [pid 5084] set_robust_list(0x7f24a939c9e0, 24 [pid 5083] <... clone resumed>, parent_tid=[5084], tls=0x7f24a939c700, child_tidptr=0x7f24a939c9d0) = 5084 [pid 5084] <... set_robust_list resumed>) = 0 [pid 5083] futex(0x7f24a9472428, FUTEX_WAKE_PRIVATE, 1000000 [pid 5084] socket(AF_INET6, SOCK_STREAM, IPPROTO_SCTP [pid 5083] <... futex resumed>) = 0 [pid 5084] <... socket resumed>) = 3 [pid 5083] futex(0x7f24a947242c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5084] futex(0x7f24a947242c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5083] <... futex resumed>) = 0 [pid 5084] futex(0x7f24a9472428, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5083] futex(0x7f24a9472428, FUTEX_WAKE_PRIVATE, 1000000 [pid 5084] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5083] <... futex resumed>) = 0 [pid 5084] io_uring_setup(30246, {flags=0, sq_thread_cpu=0, sq_thread_idle=0 [pid 5083] futex(0x7f24a947242c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5084] <... io_uring_setup resumed>, sq_entries=32768, cq_entries=65536, features=IORING_FEAT_SINGLE_MMAP|IORING_FEAT_NODROP|IORING_FEAT_SUBMIT_STABLE|IORING_FEAT_RW_CUR_POS|IORING_FEAT_CUR_PERSONALITY|IORING_FEAT_FAST_POLL|IORING_FEAT_POLL_32BITS|IORING_FEAT_SQPOLL_NONFIXED|IORING_FEAT_EXT_ARG|IORING_FEAT_NATIVE_WORKERS|IORING_FEAT_RSRC_TAGS|IORING_FEAT_CQE_SKIP|IORING_FEAT_LINKED_FILE, sq_off={head=0, tail=64, ring_mask=256, ring_entries=264, flags=276, dropped=272, array=1048896}, cq_off={head=128, tail=192, ring_mask=260, ring_entries=268, overflow=284, cqes=320, flags=280}}) = 4 [pid 5084] mmap(0x20fed000, 1179968, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE, 4, 0) = 0x20fed000 [pid 5084] mmap(0x20ffb000, 2097152, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE, 4, 0x10000000) = 0x20ffb000 [pid 5084] futex(0x7f24a947242c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5083] <... futex resumed>) = 0 syzkaller login: [ 57.348511][ T4739] ================================================================== [ 57.356623][ T4739] BUG: KASAN: use-after-free in io_fallback_req_func+0xc7/0x204 [ 57.364286][ T4739] Read of size 8 at addr ffff88801e926948 by task kworker/1:3/4739 [ 57.372178][ T4739] [ 57.374500][ T4739] CPU: 1 PID: 4739 Comm: kworker/1:3 Not tainted 6.2.0-rc3-next-20230112-syzkaller #0 [ 57.384046][ T4739] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 57.394101][ T4739] Workqueue: events io_fallback_req_func [ 57.399751][ T4739] Call Trace: [ 57.403033][ T4739] [ 57.405965][ T4739] dump_stack_lvl+0xd1/0x138 [ 57.410571][ T4739] print_report+0x15e/0x45d [ 57.415083][ T4739] ? __phys_addr+0xc8/0x140 [ 57.419601][ T4739] ? io_fallback_req_func+0xc7/0x204 [ 57.424899][ T4739] kasan_report+0xc0/0xf0 [ 57.429242][ T4739] ? io_fallback_req_func+0xc7/0x204 [ 57.434546][ T4739] io_fallback_req_func+0xc7/0x204 [ 57.439667][ T4739] ? __io_commit_cqring_flush.cold+0x42/0x42 [ 57.445663][ T4739] process_one_work+0x9bf/0x1750 [ 57.450618][ T4739] ? pwq_dec_nr_in_flight+0x2a0/0x2a0 [ 57.456000][ T4739] ? rcu_read_lock_sched_held+0x3e/0x70 [ 57.461555][ T4739] ? rwlock_bug.part.0+0x90/0x90 [ 57.466507][ T4739] ? lock_acquire+0x32/0xc0 [ 57.471016][ T4739] ? worker_thread+0x16d/0x1090 [ 57.475884][ T4739] worker_thread+0x669/0x1090 [ 57.480580][ T4739] ? __kthread_parkme+0x163/0x220 [ 57.485611][ T4739] ? process_one_work+0x1750/0x1750 [ 57.490824][ T4739] kthread+0x2e8/0x3a0 [ 57.494904][ T4739] ? kthread_complete_and_exit+0x40/0x40 [ 57.500548][ T4739] ret_from_fork+0x1f/0x30 [ 57.504986][ T4739] [ 57.508005][ T4739] [ 57.510327][ T4739] Allocated by task 5077: [ 57.514648][ T4739] kasan_save_stack+0x22/0x40 [ 57.519332][ T4739] kasan_set_track+0x25/0x30 [ 57.523929][ T4739] __kasan_slab_alloc+0x7f/0x90 [ 57.528795][ T4739] kmem_cache_alloc_bulk+0x3aa/0x730 [ 57.534096][ T4739] __io_alloc_req_refill+0xcc/0x40b [ 57.539303][ T4739] io_submit_sqes.cold+0x7c/0xc2 [ 57.544248][ T4739] __do_sys_io_uring_enter+0x9e4/0x2c10 [ 57.549811][ T4739] do_syscall_64+0x39/0xb0 [ 57.554234][ T4739] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 57.560149][ T4739] [ 57.562469][ T4739] Freed by task 1013: [ 57.566442][ T4739] kasan_save_stack+0x22/0x40 [ 57.571134][ T4739] kasan_set_track+0x25/0x30 [ 57.575817][ T4739] kasan_save_free_info+0x2e/0x40 [ 57.580851][ T4739] ____kasan_slab_free+0x160/0x1c0 [ 57.585970][ T4739] slab_free_freelist_hook+0x8b/0x1c0 [ 57.591350][ T4739] kmem_cache_free+0xec/0x4e0 [ 57.596047][ T4739] io_req_caches_free+0x1a9/0x1e6 [ 57.601123][ T4739] io_ring_exit_work+0x2e7/0xc80 [ 57.606069][ T4739] process_one_work+0x9bf/0x1750 [ 57.611018][ T4739] worker_thread+0x669/0x1090 [ 57.615704][ T4739] kthread+0x2e8/0x3a0 [ 57.619778][ T4739] ret_from_fork+0x1f/0x30 [ 57.624207][ T4739] [ 57.626556][ T4739] The buggy address belongs to the object at ffff88801e9268c0 [ 57.626556][ T4739] which belongs to the cache io_kiocb of size 216 [ 57.640346][ T4739] The buggy address is located 136 bytes inside of [ 57.640346][ T4739] 216-byte region [ffff88801e9268c0, ffff88801e926998) [ 57.653708][ T4739] [ 57.656024][ T4739] The buggy address belongs to the physical page: [ 57.662423][ T4739] page:ffffea00007a4980 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1e926 [ 57.672578][ T4739] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) [ 57.680136][ T4739] raw: 00fff00000000200 ffff88814628fdc0 dead000000000122 0000000000000000 [ 57.688727][ T4739] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000 [ 57.697303][ T4739] page dumped because: kasan: bad access detected [ 57.703708][ T4739] page_owner tracks the page as allocated [ 57.709413][ T4739] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 5077, tgid 5076 (syz-executor172), ts 57188219085, free_ts 36761176115 [ 57.728002][ T4739] get_page_from_freelist+0x11bb/0x2d50 [ 57.733566][ T4739] __alloc_pages+0x1cb/0x5c0 [ 57.738167][ T4739] alloc_pages+0x1aa/0x270 [ 57.742588][ T4739] allocate_slab+0x25f/0x350 [ 57.747185][ T4739] ___slab_alloc+0xa91/0x1400 [ 57.751869][ T4739] kmem_cache_alloc_bulk+0x23d/0x730 [ 57.757157][ T4739] __io_alloc_req_refill+0xcc/0x40b [ 57.762364][ T4739] io_submit_sqes.cold+0x7c/0xc2 [ 57.767310][ T4739] __do_sys_io_uring_enter+0x9e4/0x2c10 [ 57.772863][ T4739] do_syscall_64+0x39/0xb0 [ 57.777287][ T4739] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 57.783217][ T4739] page last free stack trace: [ 57.787889][ T4739] free_pcp_prepare+0x4d0/0x910 [ 57.792747][ T4739] free_unref_page+0x1d/0x490 [ 57.797434][ T4739] __unfreeze_partials+0x17c/0x1a0 [ 57.802548][ T4739] qlist_free_all+0x6a/0x170 [ 57.807161][ T4739] kasan_quarantine_reduce+0x192/0x220 [ 57.812630][ T4739] __kasan_slab_alloc+0x63/0x90 [ 57.817487][ T4739] kmem_cache_alloc+0x175/0x320 [ 57.822347][ T4739] mas_alloc_nodes+0x402/0x8a0 [ 57.827113][ T4739] mas_preallocate+0x1bb/0x360 [ 57.831886][ T4739] do_mas_align_munmap+0x123/0x12a0 [ 57.837098][ T4739] do_mas_munmap+0x26e/0x2c0 [ 57.841706][ T4739] mmap_region+0x21d/0x1e50 [ 57.846286][ T4739] do_mmap+0x831/0xf60 [ 57.850370][ T4739] vm_mmap_pgoff+0x1af/0x280 [ 57.854985][ T4739] ksys_mmap_pgoff+0x41f/0x5a0 [ 57.859762][ T4739] do_syscall_64+0x39/0xb0 [ 57.864212][ T4739] [ 57.866532][ T4739] Memory state around the buggy address: [ 57.872163][ T4739] ffff88801e926800: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc [ 57.880229][ T4739] ffff88801e926880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 57.888292][ T4739] >ffff88801e926900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [pid 5083] futex(0x7f24a9472428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5083] futex(0x7f24a947242c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 57.896347][ T4739] ^ [ 57.902756][ T4739] ffff88801e926980: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc [ 57.910815][ T4739] ffff88801e926a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 57.918872][ T4739] ================================================================== [ 57.934348][ T4739] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 57.941563][ T4739] CPU: 1 PID: 4739 Comm: kworker/1:3 Not tainted 6.2.0-rc3-next-20230112-syzkaller #0 [ 57.951108][ T4739] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 57.961167][ T4739] Workqueue: events io_fallback_req_func [ 57.966816][ T4739] Call Trace: [ 57.970089][ T4739] [ 57.973019][ T4739] dump_stack_lvl+0xd1/0x138 [ 57.977616][ T4739] panic+0x2cc/0x626 [ 57.981527][ T4739] ? panic_print_sys_info.part.0+0x112/0x112 [ 57.987526][ T4739] ? preempt_schedule_thunk+0x1a/0x20 [ 57.992917][ T4739] ? preempt_schedule_common+0x59/0xc0 [ 57.998388][ T4739] check_panic_on_warn.cold+0x19/0x35 [ 58.003782][ T4739] end_report.part.0+0x36/0x73 [ 58.008550][ T4739] ? io_fallback_req_func+0xc7/0x204 [ 58.013848][ T4739] kasan_report.cold+0xa/0xf [ 58.018453][ T4739] ? io_fallback_req_func+0xc7/0x204 [ 58.023750][ T4739] io_fallback_req_func+0xc7/0x204 [ 58.028873][ T4739] ? __io_commit_cqring_flush.cold+0x42/0x42 [ 58.034867][ T4739] process_one_work+0x9bf/0x1750 [ 58.039829][ T4739] ? pwq_dec_nr_in_flight+0x2a0/0x2a0 [ 58.045210][ T4739] ? rcu_read_lock_sched_held+0x3e/0x70 [ 58.050761][ T4739] ? rwlock_bug.part.0+0x90/0x90 [ 58.055704][ T4739] ? lock_acquire+0x32/0xc0 [ 58.060210][ T4739] ? worker_thread+0x16d/0x1090 [ 58.065072][ T4739] worker_thread+0x669/0x1090 [ 58.069770][ T4739] ? __kthread_parkme+0x163/0x220 [ 58.074817][ T4739] ? process_one_work+0x1750/0x1750 [ 58.080028][ T4739] kthread+0x2e8/0x3a0 [ 58.084104][ T4739] ? kthread_complete_and_exit+0x40/0x40 [ 58.089755][ T4739] ret_from_fork+0x1f/0x30 [ 58.094189][ T4739] [ 58.097346][ T4739] Kernel Offset: disabled [ 58.101667][ T4739] Rebooting in 86400 seconds..