Warning: Permanently added '10.128.0.178' (ECDSA) to the list of known hosts.
syzkaller login: [   34.427094][ T3638] ==================================================================
[   34.435174][ T3638] BUG: KASAN: use-after-free in __list_del_entry_valid+0x76/0x100
[   34.443165][ T3638] Read of size 8 at addr ffff88801ecab630 by task syz-executor987/3638
[   34.451408][ T3638] 
[   34.453736][ T3638] CPU: 1 PID: 3638 Comm: syz-executor987 Tainted: G        W         5.17.0-syzkaller-01442-gb47d5a4f6b8d #0
[   34.465293][ T3638] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.475354][ T3638] Call Trace:
[   34.478638][ T3638]  <TASK>
[   34.481575][ T3638]  dump_stack_lvl+0x1dc/0x2d8
[   34.486269][ T3638]  ? show_regs_print_info+0x12/0x12
[   34.491485][ T3638]  ? _printk+0xcf/0x118
[   34.495656][ T3638]  ? wake_up_klogd+0xb2/0xf0
[   34.500259][ T3638]  ? log_buf_vmcoreinfo_setup+0x498/0x498
[   34.505993][ T3638]  ? _raw_spin_lock_irqsave+0xdd/0x120
[   34.511469][ T3638]  print_address_description+0x65/0x3a0
[   34.517066][ T3638]  ? __list_del_entry_valid+0x76/0x100
[   34.522548][ T3638]  kasan_report+0x19a/0x1f0
[   34.527070][ T3638]  ? __list_del_entry_valid+0x76/0x100
[   34.532556][ T3638]  __list_del_entry_valid+0x76/0x100
[   34.537869][ T3638]  io_poll_remove_entries+0x1a8/0x5c0
[   34.543264][ T3638]  io_apoll_task_func+0x7d/0x2c0
[   34.548218][ T3638]  tctx_task_work+0xcf1/0x1130
[   34.552994][ T3638]  ? __lock_acquire+0x2b00/0x2b00
[   34.558032][ T3638]  ? _raw_spin_lock_irq+0xdb/0x110
[   34.563155][ T3638]  ? kcalloc+0x50/0x50
[   34.567239][ T3638]  ? do_raw_spin_unlock+0x134/0x8a0
[   34.572453][ T3638]  ? _raw_spin_unlock_irq+0x1f/0x40
[   34.577674][ T3638]  task_work_run+0x146/0x1c0
[   34.582303][ T3638]  do_exit+0x5e3/0x22a0
[   34.586478][ T3638]  ? __lock_acquire+0x2b00/0x2b00
[   34.591514][ T3638]  ? __lock_acquire+0x2b00/0x2b00
[   34.596581][ T3638]  ? mm_update_next_owner+0x6d0/0x6d0
[   34.602018][ T3638]  ? rcu_read_lock_sched_held+0x5f/0x130
[   34.607672][ T3638]  ? rcu_read_lock_sched_held+0x5f/0x130
[   34.613321][ T3638]  ? print_irqtrace_events+0x220/0x220
[   34.618798][ T3638]  ? vtime_user_exit+0x2b2/0x3e0
[   34.623750][ T3638]  do_group_exit+0x2af/0x2b0
[   34.628352][ T3638]  __do_sys_exit_group+0x13/0x20
[   34.633306][ T3638]  __se_sys_exit_group+0x10/0x10
[   34.638259][ T3638]  __x64_sys_exit_group+0x37/0x40
[   34.643299][ T3638]  do_syscall_64+0x2b/0x70
[   34.647738][ T3638]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   34.653645][ T3638] RIP: 0033:0x7f0e18005c59
[   34.658069][ T3638] Code: Unable to access opcode bytes at RIP 0x7f0e18005c2f.
[   34.665446][ T3638] RSP: 002b:00007fff7d1f37a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   34.673885][ T3638] RAX: ffffffffffffffda RBX: 00007f0e1807a330 RCX: 00007f0e18005c59
[   34.681880][ T3638] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[   34.689911][ T3638] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[   34.697911][ T3638] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0e1807a330
[   34.705932][ T3638] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[   34.713925][ T3638]  </TASK>
[   34.716956][ T3638] 
[   34.719290][ T3638] Allocated by task 3633:
[   34.723626][ T3638]  ____kasan_kmalloc+0xdc/0x110
[   34.728661][ T3638]  kmem_cache_alloc_trace+0x9d/0x330
[   34.733967][ T3638]  io_arm_poll_handler+0x3bd/0x710
[   34.739095][ T3638]  __io_queue_sqe+0x23d/0x10b0
[   34.743871][ T3638]  io_submit_sqes+0x1265/0xb050
[   34.748751][ T3638]  __se_sys_io_uring_enter+0x31f/0x2f50
[   34.754314][ T3638]  do_syscall_64+0x2b/0x70
[   34.758741][ T3638]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   34.764644][ T3638] 
[   34.766971][ T3638] Freed by task 3633:
[   34.770958][ T3638]  kasan_set_track+0x4c/0x70
[   34.775559][ T3638]  kasan_set_free_info+0x1f/0x40
[   34.780515][ T3638]  ____kasan_slab_free+0x126/0x180
[   34.785740][ T3638]  slab_free_freelist_hook+0x12e/0x1a0
[   34.791215][ T3638]  kfree+0xb8/0x2e0
[   34.795040][ T3638]  io_dismantle_req+0x644/0x9b0
[   34.799953][ T3638]  __io_req_complete_post+0x294/0x4b0
[   34.805437][ T3638]  io_req_complete_failed+0xd7/0x440
[   34.810822][ T3638]  tctx_task_work+0xcf1/0x1130
[   34.815600][ T3638]  task_work_run+0x146/0x1c0
[   34.820209][ T3638]  do_exit+0x5e3/0x22a0
[   34.824379][ T3638]  do_group_exit+0x2af/0x2b0
[   34.828980][ T3638]  __do_sys_exit_group+0x13/0x20
[   34.833934][ T3638]  __ia32_sys_exit_group+0x0/0x40
[   34.838972][ T3638]  __x64_sys_exit_group+0x37/0x40
[   34.844029][ T3638]  do_syscall_64+0x2b/0x70
[   34.848481][ T3638]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   34.854398][ T3638] 
[   34.856734][ T3638] The buggy address belongs to the object at ffff88801ecab600
[   34.856734][ T3638]  which belongs to the cache kmalloc-96 of size 96
[   34.870626][ T3638] The buggy address is located 48 bytes inside of
[   34.870626][ T3638]  96-byte region [ffff88801ecab600, ffff88801ecab660)
[   34.883732][ T3638] The buggy address belongs to the page:
[   34.889364][ T3638] page:ffffea00007b2ac0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1ecab
[   34.899546][ T3638] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[   34.907105][ T3638] raw: 00fff00000000200 ffffea00007c7580 dead000000000004 ffff888011441780
[   34.915697][ T3638] raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000
[   34.924277][ T3638] page dumped because: kasan: bad access detected
[   34.930691][ T3638] page_owner tracks the page as allocated
[   34.936411][ T3638] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY), pid 2979, ts 18120987075, free_ts 18116591159
[   34.952302][ T3638]  get_page_from_freelist+0x729/0x9e0
[   34.957699][ T3638]  __alloc_pages+0x255/0x580
[   34.962311][ T3638]  allocate_slab+0xce/0x3f0
[   34.966829][ T3638]  ___slab_alloc+0x3fe/0xc30
[   34.971436][ T3638]  __kmalloc+0x2eb/0x380
[   34.975695][ T3638]  tomoyo_encode2+0x25a/0x560
[   34.980385][ T3638]  tomoyo_realpath_from_path+0x5c3/0x610
[   34.986036][ T3638]  tomoyo_check_open_permission+0x22f/0x490
[   34.991941][ T3638]  security_file_open+0x50/0x570
[   34.996889][ T3638]  do_dentry_open+0x350/0x1020
[   35.001677][ T3638]  path_openat+0x273b/0x36a0
[   35.006304][ T3638]  do_filp_open+0x277/0x4f0
[   35.010821][ T3638]  do_sys_openat2+0x13b/0x500
[   35.015545][ T3638]  __x64_sys_openat+0x243/0x290
[   35.020413][ T3638]  do_syscall_64+0x2b/0x70
[   35.024832][ T3638]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   35.030725][ T3638] page last free stack trace:
[   35.035389][ T3638]  free_pcp_prepare+0xd1c/0xe00
[   35.040251][ T3638]  free_unref_page+0x7d/0x580
[   35.044919][ T3638]  free_pipe_info+0x2f6/0x380
[   35.049592][ T3638]  pipe_release+0x235/0x310
[   35.054098][ T3638]  __fput+0x3fc/0x870
[   35.058093][ T3638]  task_work_run+0x146/0x1c0
[   35.062692][ T3638]  exit_to_user_mode_prepare+0x1dd/0x200
[   35.068329][ T3638]  syscall_exit_to_user_mode+0x2e/0x70
[   35.073781][ T3638]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   35.079665][ T3638] 
[   35.081985][ T3638] Memory state around the buggy address:
[   35.087608][ T3638]  ffff88801ecab500: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   35.095661][ T3638]  ffff88801ecab580: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
[   35.103801][ T3638] >ffff88801ecab600: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   35.111847][ T3638]                                      ^
[   35.117468][ T3638]  ffff88801ecab680: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   35.125520][ T3638]  ffff88801ecab700: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
[   35.133567][ T3638] ==================================================================
[   35.141612][ T3638] Kernel panic - not syncing: panic_on_warn set ...
[   35.148197][ T3638] CPU: 1 PID: 3638 Comm: syz-executor987 Tainted: G    B   W         5.17.0-syzkaller-01442-gb47d5a4f6b8d #0
[   35.159744][ T3638] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   35.169793][ T3638] Call Trace:
[   35.173084][ T3638]  <TASK>
[   35.176009][ T3638]  dump_stack_lvl+0x1dc/0x2d8
[   35.180686][ T3638]  ? show_regs_print_info+0x12/0x12
[   35.185879][ T3638]  ? log_buf_vmcoreinfo_setup+0x498/0x498
[   35.191617][ T3638]  ? irq_work_queue+0xbd/0x120
[   35.196376][ T3638]  panic+0x2d6/0x810
[   35.200267][ T3638]  ? nmi_panic+0x90/0x90
[   35.204501][ T3638]  ? _raw_spin_unlock_irqrestore+0xd9/0x130
[   35.210417][ T3638]  ? print_memory_metadata+0xe0/0x140
[   35.215790][ T3638]  ? __list_del_entry_valid+0x76/0x100
[   35.221244][ T3638]  end_report+0x83/0x90
[   35.225389][ T3638]  kasan_report+0x1bf/0x1f0
[   35.229875][ T3638]  ? __list_del_entry_valid+0x76/0x100
[   35.235333][ T3638]  __list_del_entry_valid+0x76/0x100
[   35.240606][ T3638]  io_poll_remove_entries+0x1a8/0x5c0
[   35.245969][ T3638]  io_apoll_task_func+0x7d/0x2c0
[   35.250900][ T3638]  tctx_task_work+0xcf1/0x1130
[   35.255665][ T3638]  ? __lock_acquire+0x2b00/0x2b00
[   35.260689][ T3638]  ? _raw_spin_lock_irq+0xdb/0x110
[   35.265788][ T3638]  ? kcalloc+0x50/0x50
[   35.269840][ T3638]  ? do_raw_spin_unlock+0x134/0x8a0
[   35.275026][ T3638]  ? _raw_spin_unlock_irq+0x1f/0x40
[   35.280204][ T3638]  task_work_run+0x146/0x1c0
[   35.284780][ T3638]  do_exit+0x5e3/0x22a0
[   35.288920][ T3638]  ? __lock_acquire+0x2b00/0x2b00
[   35.293942][ T3638]  ? __lock_acquire+0x2b00/0x2b00
[   35.298949][ T3638]  ? mm_update_next_owner+0x6d0/0x6d0
[   35.304321][ T3638]  ? rcu_read_lock_sched_held+0x5f/0x130
[   35.309946][ T3638]  ? rcu_read_lock_sched_held+0x5f/0x130
[   35.315562][ T3638]  ? print_irqtrace_events+0x220/0x220
[   35.321004][ T3638]  ? vtime_user_exit+0x2b2/0x3e0
[   35.325921][ T3638]  do_group_exit+0x2af/0x2b0
[   35.330492][ T3638]  __do_sys_exit_group+0x13/0x20
[   35.335774][ T3638]  __se_sys_exit_group+0x10/0x10
[   35.340691][ T3638]  __x64_sys_exit_group+0x37/0x40
[   35.345693][ T3638]  do_syscall_64+0x2b/0x70
[   35.350089][ T3638]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   35.355964][ T3638] RIP: 0033:0x7f0e18005c59
[   35.360362][ T3638] Code: Unable to access opcode bytes at RIP 0x7f0e18005c2f.
[   35.367705][ T3638] RSP: 002b:00007fff7d1f37a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   35.376100][ T3638] RAX: ffffffffffffffda RBX: 00007f0e1807a330 RCX: 00007f0e18005c59
[   35.384063][ T3638] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[   35.392046][ T3638] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[   35.400000][ T3638] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0e1807a330
[   35.407954][ T3638] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[   35.415911][ T3638]  </TASK>
[   35.419075][ T3638] Kernel Offset: disabled
[   35.423383][ T3638] Rebooting in 86400 seconds..