[ 32.306246][ T4655] dhcpcd-run-hook (4655) used greatest stack depth: 22392 bytes left
forked to background, child pid 4651
[ 34.380245][ T4652] 8021q: adding VLAN 0 to HW filter on device bond0
[ 34.396755][ T4652] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK
syzkaller
Warning: Permanently added '10.128.0.4' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 55.651905][ T5070] syz-executor371[5070]: segfault at 10c ip 00007ff7d332e08e sp 00007fffc08a9bc8 error 4 in syz-executor3715100810[7ff7d332d000+81000] likely on CPU 1 (core 0, socket 0)
[ 55.669293][ T5070] Code: ff 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 7c 24 f0 48 89 74 24 e8 48 89 54 24 e0 48 8b 44 24 f0 48 8b 54 24 e8 48 8b 4c 24 e0 <8b> b0 0c 01 00 00 f3 0f 6f 01 c1 e6 04 0f 11 02 f3 0f 6f 49 10 81
[ 55.692563][ T5070] ==================================================================
[ 55.700696][ T5070] BUG: KASAN: use-after-free in io_fallback_tw+0x6d/0x119
[ 55.707819][ T5070] Read of size 8 at addr ffff888028d33948 by task syz-executor371/5070
[ 55.716054][ T5070]
[ 55.718369][ T5070] CPU: 1 PID: 5070 Comm: syz-executor371 Not tainted 6.2.0-rc3-next-20230112-syzkaller #0
[ 55.728252][ T5070] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 55.738297][ T5070] Call Trace:
[ 55.741567][ T5070]
[ 55.744487][ T5070] dump_stack_lvl+0xd1/0x138
[ 55.749079][ T5070] print_report+0x15e/0x45d
[ 55.753574][ T5070] ? __phys_addr+0xc8/0x140
[ 55.758071][ T5070] ? io_fallback_tw+0x6d/0x119
[ 55.762829][ T5070] kasan_report+0xc0/0xf0
[ 55.767151][ T5070] ? io_fallback_tw+0x6d/0x119
[ 55.771906][ T5070] io_fallback_tw+0x6d/0x119
[ 55.776500][ T5070] tctx_task_work.cold+0xf/0x2c
[ 55.781362][ T5070] ? handle_tw_list+0x460/0x460
[ 55.786216][ T5070] ? lock_downgrade+0x6e0/0x6e0
[ 55.791067][ T5070] ? do_raw_spin_lock+0x124/0x2b0
[ 55.796084][ T5070] ? rwlock_bug.part.0+0x90/0x90
[ 55.801015][ T5070] ? _raw_spin_unlock_irq+0x23/0x50
[ 55.806225][ T5070] task_work_run+0x16f/0x270
[ 55.810853][ T5070] ? task_work_cancel+0x30/0x30
[ 55.815702][ T5070] ? do_raw_spin_unlock+0x175/0x230
[ 55.820915][ T5070] do_exit+0xb17/0x2a90
[ 55.825109][ T5070] ? find_held_lock+0x2d/0x110
[ 55.829875][ T5070] ? mm_update_next_owner+0x7b0/0x7b0
[ 55.835255][ T5070] do_group_exit+0xd4/0x2a0
[ 55.839776][ T5070] get_signal+0x225f/0x24f0
[ 55.844283][ T5070] ? exit_signals+0x910/0x910
[ 55.848954][ T5070] ? force_sig+0xe0/0xe0
[ 55.853185][ T5070] arch_do_signal_or_restart+0x79/0x5c0
[ 55.858731][ T5070] ? get_sigframe_size+0x10/0x10
[ 55.863657][ T5070] ? trace_hardirqs_off+0x12/0x170
[ 55.868768][ T5070] ? __bad_area+0x5f/0xa0
[ 55.873105][ T5070] exit_to_user_mode_prepare+0x11f/0x240
[ 55.878738][ T5070] irqentry_exit_to_user_mode+0x9/0x40
[ 55.884194][ T5070] exc_page_fault+0xc0/0x170
[ 55.888777][ T5070] asm_exc_page_fault+0x26/0x30
[ 55.893635][ T5070] RIP: 0033:0x7ff7d332e08e
[ 55.898039][ T5070] Code: Unable to access opcode bytes at 0x7ff7d332e064.
[ 55.905047][ T5070] RSP: 002b:00007fffc08a9bc8 EFLAGS: 00010246
[ 55.911102][ T5070] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000000000
[ 55.919065][ T5070] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 55.927031][ T5070] RBP: 00007ff7d332f1e0 R08: 0000000000000000 R09: 0000000000000000
[ 55.934992][ T5070] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff7d332f270
[ 55.942963][ T5070] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 55.950930][ T5070]
[ 55.953936][ T5070]
[ 55.956241][ T5070] Allocated by task 5070:
[ 55.960550][ T5070] kasan_save_stack+0x22/0x40
[ 55.965217][ T5070] kasan_set_track+0x25/0x30
[ 55.969793][ T5070] __kasan_slab_alloc+0x7f/0x90
[ 55.974632][ T5070] kmem_cache_alloc_bulk+0x3aa/0x730
[ 55.979904][ T5070] __io_alloc_req_refill+0xcc/0x40b
[ 55.985096][ T5070] io_submit_sqes.cold+0x7c/0xc2
[ 55.990031][ T5070] __do_sys_io_uring_enter+0x9e4/0x2c10
[ 55.995571][ T5070] do_syscall_64+0x39/0xb0
[ 55.999978][ T5070] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 56.005874][ T5070]
[ 56.008192][ T5070] Freed by task 33:
[ 56.011982][ T5070] kasan_save_stack+0x22/0x40
[ 56.016657][ T5070] kasan_set_track+0x25/0x30
[ 56.021262][ T5070] kasan_save_free_info+0x2e/0x40
[ 56.026280][ T5070] ____kasan_slab_free+0x160/0x1c0
[ 56.031388][ T5070] slab_free_freelist_hook+0x8b/0x1c0
[ 56.036758][ T5070] kmem_cache_free+0xec/0x4e0
[ 56.041448][ T5070] io_req_caches_free+0x1a9/0x1e6
[ 56.046472][ T5070] io_ring_exit_work+0x2e7/0xc80
[ 56.051403][ T5070] process_one_work+0x9bf/0x1750
[ 56.056335][ T5070] worker_thread+0x669/0x1090
[ 56.061007][ T5070] kthread+0x2e8/0x3a0
[ 56.065066][ T5070] ret_from_fork+0x1f/0x30
[ 56.069474][ T5070]
[ 56.071784][ T5070] The buggy address belongs to the object at ffff888028d338c0
[ 56.071784][ T5070]  which belongs to the cache io_kiocb of size 216
[ 56.085563][ T5070] The buggy address is located 136 bytes inside of
[ 56.085563][ T5070]  216-byte region [ffff888028d338c0, ffff888028d33998)
[ 56.098826][ T5070]
[ 56.101136][ T5070] The buggy address belongs to the physical page:
[ 56.107539][ T5070] page:ffffea0000a34cc0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x28d33
[ 56.117678][ T5070] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 56.125214][ T5070] raw: 00fff00000000200 ffff88814633b280 dead000000000122 0000000000000000
[ 56.133786][ T5070] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 56.142348][ T5070] page dumped because: kasan: bad access detected
[ 56.148750][ T5070] page_owner tracks the page as allocated
[ 56.154446][ T5070] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 5070, tgid 5070 (syz-executor371), ts 55651699541, free_ts 55645844106
[ 56.173011][ T5070] get_page_from_freelist+0x11bb/0x2d50
[ 56.178554][ T5070] __alloc_pages+0x1cb/0x5c0
[ 56.183138][ T5070] alloc_pages+0x1aa/0x270
[ 56.187544][ T5070] allocate_slab+0x25f/0x350
[ 56.192119][ T5070] ___slab_alloc+0xa91/0x1400
[ 56.197141][ T5070] kmem_cache_alloc_bulk+0x23d/0x730
[ 56.202421][ T5070] __io_alloc_req_refill+0xcc/0x40b
[ 56.207615][ T5070] io_submit_sqes.cold+0x7c/0xc2
[ 56.212543][ T5070] __do_sys_io_uring_enter+0x9e4/0x2c10
[ 56.218084][ T5070] do_syscall_64+0x39/0xb0
[ 56.222495][ T5070] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 56.228385][ T5070] page last free stack trace:
[ 56.233045][ T5070] free_pcp_prepare+0x4d0/0x910
[ 56.237890][ T5070] free_unref_page_list+0x176/0xcd0
[ 56.243085][ T5070] release_pages+0xcb1/0x1330
[ 56.247757][ T5070] tlb_batch_pages_flush+0xa8/0x1a0
[ 56.252951][ T5070] tlb_finish_mmu+0x14b/0x7e0
[ 56.257620][ T5070] exit_mmap+0x202/0x7c0
[ 56.261852][ T5070] __mmput+0x128/0x4c0
[ 56.265915][ T5070] mmput+0x60/0x70
[ 56.269623][ T5070] begin_new_exec+0x1027/0x2f80
[ 56.274465][ T5070] load_elf_binary+0x801/0x4ff0
[ 56.279302][ T5070] bprm_execve+0x7fd/0x1ae0
[ 56.283795][ T5070] do_execveat_common+0x72c/0x880
[ 56.288813][ T5070] __x64_sys_execve+0x93/0xc0
[ 56.293480][ T5070] do_syscall_64+0x39/0xb0
[ 56.297885][ T5070] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 56.303771][ T5070]
[ 56.306081][ T5070] Memory state around the buggy address:
[ 56.311693][ T5070]  ffff888028d33800: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
[ 56.319741][ T5070]  ffff888028d33880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 56.327787][ T5070] >ffff888028d33900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.335829][ T5070]                                               ^
[ 56.342229][ T5070]  ffff888028d33980: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 56.350276][ T5070]  ffff888028d33a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 56.358319][ T5070] ==================================================================
[ 56.368050][ T5070] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 56.375271][ T5070] CPU: 0 PID: 5070 Comm: syz-executor371 Not tainted 6.2.0-rc3-next-20230112-syzkaller #0
[ 56.385188][ T5070] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 56.395238][ T5070] Call Trace:
[ 56.398511][ T5070]
[ 56.401435][ T5070] dump_stack_lvl+0xd1/0x138
[ 56.406023][ T5070] panic+0x2cc/0x626
[ 56.409922][ T5070] ? panic_print_sys_info.part.0+0x112/0x112
[ 56.415903][ T5070] ? preempt_schedule_thunk+0x1a/0x20
[ 56.421273][ T5070] ? preempt_schedule_common+0x59/0xc0
[ 56.426740][ T5070] check_panic_on_warn.cold+0x19/0x35
[ 56.432143][ T5070] end_report.part.0+0x36/0x73
[ 56.436898][ T5070] ? io_fallback_tw+0x6d/0x119
[ 56.441669][ T5070] kasan_report.cold+0xa/0xf
[ 56.446250][ T5070] ? io_fallback_tw+0x6d/0x119
[ 56.451005][ T5070] io_fallback_tw+0x6d/0x119
[ 56.455585][ T5070] tctx_task_work.cold+0xf/0x2c
[ 56.460428][ T5070] ? handle_tw_list+0x460/0x460
[ 56.465270][ T5070] ? lock_downgrade+0x6e0/0x6e0
[ 56.470108][ T5070] ? do_raw_spin_lock+0x124/0x2b0
[ 56.475124][ T5070] ? rwlock_bug.part.0+0x90/0x90
[ 56.480055][ T5070] ? _raw_spin_unlock_irq+0x23/0x50
[ 56.485265][ T5070] task_work_run+0x16f/0x270
[ 56.489857][ T5070] ? task_work_cancel+0x30/0x30
[ 56.494704][ T5070] ? do_raw_spin_unlock+0x175/0x230
[ 56.499897][ T5070] do_exit+0xb17/0x2a90
[ 56.504053][ T5070] ? find_held_lock+0x2d/0x110
[ 56.508820][ T5070] ? mm_update_next_owner+0x7b0/0x7b0
[ 56.514206][ T5070] do_group_exit+0xd4/0x2a0
[ 56.518712][ T5070] get_signal+0x225f/0x24f0
[ 56.523211][ T5070] ? exit_signals+0x910/0x910
[ 56.527877][ T5070] ? force_sig+0xe0/0xe0
[ 56.532116][ T5070] arch_do_signal_or_restart+0x79/0x5c0
[ 56.537654][ T5070] ? get_sigframe_size+0x10/0x10
[ 56.542590][ T5070] ? trace_hardirqs_off+0x12/0x170
[ 56.547698][ T5070] ? __bad_area+0x5f/0xa0
[ 56.552021][ T5070] exit_to_user_mode_prepare+0x11f/0x240
[ 56.557648][ T5070] irqentry_exit_to_user_mode+0x9/0x40
[ 56.563104][ T5070] exc_page_fault+0xc0/0x170
[ 56.567694][ T5070] asm_exc_page_fault+0x26/0x30
[ 56.572546][ T5070] RIP: 0033:0x7ff7d332e08e
[ 56.576952][ T5070] Code: Unable to access opcode bytes at 0x7ff7d332e064.
[ 56.583956][ T5070] RSP: 002b:00007fffc08a9bc8 EFLAGS: 00010246
[ 56.590012][ T5070] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000000000
[ 56.597972][ T5070] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 56.607930][ T5070] RBP: 00007ff7d332f1e0 R08: 0000000000000000 R09: 0000000000000000
[ 56.615896][ T5070] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff7d332f270
[ 56.623860][ T5070] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 56.631830][ T5070]
[ 56.635003][ T5070] Kernel Offset: disabled
[ 56.639322][ T5070] Rebooting in 86400 seconds..