syzkaller syzkaller login: [ 5.230569][ T0] NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #80!!!
[ 10.714308][ T23] kauditd_printk_skb: 60 callbacks suppressed
[ 10.714314][ T23] audit: type=1400 audit(1635033192.260:71): avc: denied { transition } for pid=289 comm="sshd" path="/bin/sh" dev="sda1" ino=73 scontext=system_u:system_r:initrc_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 10.719646][ T23] audit: type=1400 audit(1635033192.260:72): avc: denied { write } for pid=289 comm="sh" path="pipe:[10837]" dev="pipefs" ino=10837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:initrc_t tclass=fifo_file permissive=1
[ 10.760528][ T0] NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #280!!!
[ 11.480491][ T0] NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #08!!!
Warning: Permanently added '10.128.1.49' (ECDSA) to the list of known hosts.
executing program executing program executing program executing program executing program
[ 17.539460][ T23] audit: type=1400 audit(1635033199.080:73): avc: denied { execmem } for pid=365 comm="syz-executor823" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 17.542947][ T23] audit: type=1400 audit(1635033199.100:74): avc: denied { mounton } for pid=366 comm="syz-executor823" path="/sys/fs/fuse/connections" dev="fusectl" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fusefs_t tclass=dir permissive=1
[ 17.546195][ T23] audit: type=1400 audit(1635033199.100:75): avc: denied { mount } for pid=366 comm="syz-executor823" name="/" dev="fusectl" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fusefs_t tclass=filesystem permissive=1
[ 17.549865][ T23] audit: type=1400 audit(1635033199.100:76): avc: denied { mounton } for pid=366 comm="syz-executor823" path="/" dev="sda1" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1
executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program
[ 17.734775][ T431] ==================================================================
[ 17.742850][ T431] BUG: KASAN: double-free or invalid-free in kfree+0xca/0x310
[ 17.750269][ T431]
[ 17.752573][ T431] CPU: 1 PID: 431 Comm: syz-executor823 Not tainted 5.10.75-syzkaller-01082-g234d53d2bb60 #0
[ 17.762681][ T431] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 17.772703][ T431] Call Trace:
[ 17.775963][ T431] dump_stack_lvl+0x1e2/0x24b
[ 17.780647][ T431] ? printk+0xcf/0x119
[ 17.784684][ T431] ? show_regs_print_info+0x18/0x18
[ 17.789851][ T431] ? wake_up_klogd+0xb8/0xf0
[ 17.794406][ T431] ? devkmsg_release+0x127/0x127
[ 17.799316][ T431] ? kfree+0xca/0x310
[ 17.803265][ T431] print_address_description+0x8d/0x3d0
[ 17.808787][ T431] ? kfree+0xca/0x310
[ 17.812750][ T431] ? kfree+0xca/0x310
[ 17.816704][ T431] kasan_report_invalid_free+0x58/0x130
[ 17.822219][ T431] ____kasan_slab_free+0x14b/0x170
[ 17.827312][ T431] __kasan_slab_free+0x11/0x20
[ 17.832044][ T431] slab_free_freelist_hook+0xb2/0x180
[ 17.837385][ T431] ? io_commit_cqring+0x76a/0xa00
[ 17.842375][ T431] kfree+0xca/0x310
[ 17.846151][ T431] io_commit_cqring+0x76a/0xa00
[ 17.850970][ T431] io_do_iopoll+0x1e18/0x23f0
[ 17.855626][ T431] ? __rcu_read_lock+0x50/0x50
[ 17.860369][ T431] ? io_iopoll_try_reap_events+0x290/0x290
[ 17.866146][ T431] ? __kasan_check_write+0x14/0x20
[ 17.871226][ T431] ? mutex_lock+0xa6/0x110
[ 17.875611][ T431] ? mutex_trylock+0xb0/0xb0
[ 17.880170][ T431] ? _raw_spin_lock_irq+0xa4/0x1b0
[ 17.885263][ T431] io_iopoll_try_reap_events+0x116/0x290
[ 17.890864][ T431] ? io_poll_remove_all+0x210/0x210
[ 17.896028][ T431] ? io_poll_remove_all+0x1f1/0x210
[ 17.901193][ T431] io_ring_ctx_wait_and_kill+0x295/0x670
[ 17.906794][ T431] ? io_uring_show_fdinfo+0x1210/0x1210
[ 17.912313][ T431] ? kmem_cache_free+0xaa/0x1e0
[ 17.917135][ T431] io_uring_release+0x5b/0x70
[ 17.921781][ T431] ? io_uring_flush+0x6d0/0x6d0
[ 17.926601][ T431] __fput+0x348/0x7d0
[ 17.930549][ T431] ____fput+0x15/0x20
[ 17.934502][ T431] task_work_run+0x147/0x1b0
[ 17.939064][ T431] do_exit+0x70e/0x23a0
[ 17.943188][ T431] ? vmacache_update+0xb7/0x120
[ 17.948008][ T431] ? mm_update_next_owner+0x6e0/0x6e0
[ 17.953351][ T431] ? do_user_addr_fault+0x863/0xd70
[ 17.958523][ T431] do_group_exit+0x16a/0x2d0
[ 17.963084][ T431] __do_sys_exit_group+0x17/0x20
[ 17.967989][ T431] __se_sys_exit_group+0x14/0x20
[ 17.972895][ T431] __x64_sys_exit_group+0x3b/0x40
[ 17.977890][ T431] do_syscall_64+0x31/0x70
[ 17.982273][ T431] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 17.988133][ T431] RIP: 0033:0x7f80504bfde9
[ 17.992525][ T431] Code: Unable to access opcode bytes at RIP 0x7f80504bfdbf.
[ 17.999884][ T431] RSP: 002b:00007ffc01175c18 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 18.008287][ T431] RAX: ffffffffffffffda RBX: 00007f8050534330 RCX: 00007f80504bfde9
[ 18.016247][ T431] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 18.024373][ T431] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[ 18.032313][ T431] R10: 0000000000000001 R11: 0000000000000246 R12: 00007f8050534330
[ 18.040254][ T431] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 18.048195][ T431]
[ 18.050495][ T431] Allocated by task 431:
[ 18.054715][ T431] ____kasan_kmalloc+0xdc/0x110
[ 18.059542][ T431] __kasan_kmalloc+0x9/0x10
[ 18.064015][ T431] kmem_cache_alloc_trace+0x210/0x3a0
[ 18.069355][ T431] io_req_defer+0x40e/0x11b0
[ 18.073914][ T431] io_queue_sqe+0x2a/0x1180
[ 18.078386][ T431] io_submit_sqe+0x385/0xfd0
[ 18.082944][ T431] io_submit_sqes+0x1050/0x2da0
[ 18.087762][ T431] __se_sys_io_uring_enter+0x322/0x12b0
[ 18.093301][ T431] __x64_sys_io_uring_enter+0xe5/0x100
[ 18.098726][ T431] do_syscall_64+0x31/0x70
[ 18.103110][ T431] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 18.108969][ T431]
[ 18.111276][ T431] Freed by task 432:
[ 18.115146][ T431] kasan_set_track+0x4c/0x80
[ 18.119717][ T431] kasan_set_free_info+0x23/0x40
[ 18.124627][ T431] ____kasan_slab_free+0x133/0x170
[ 18.129706][ T431] __kasan_slab_free+0x11/0x20
[ 18.134436][ T431] slab_free_freelist_hook+0xb2/0x180
[ 18.139774][ T431] kfree+0xca/0x310
[ 18.143552][ T431] io_commit_cqring+0x76a/0xa00
[ 18.148373][ T431] __io_req_task_cancel+0x64/0x720
[ 18.153454][ T431] io_req_task_cancel+0x51/0x130
[ 18.158359][ T431] task_work_run+0x147/0x1b0
[ 18.162918][ T431] io_wq_manager+0x1aa/0x8b0
[ 18.167477][ T431] kthread+0x371/0x390
[ 18.171516][ T431] ret_from_fork+0x1f/0x30
[ 18.175891][ T431]
[ 18.178201][ T431] The buggy address belongs to the object at ffff88810a63bb40
[ 18.178201][ T431] which belongs to the cache kmalloc-32 of size 32
[ 18.192054][ T431] The buggy address is located 0 bytes inside of
[ 18.192054][ T431] 32-byte region [ffff88810a63bb40, ffff88810a63bb60)
[ 18.205032][ T431] The buggy address belongs to the page:
[ 18.210635][ T431] page:ffffea0004298ec0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10a63b
[ 18.220841][ T431] flags: 0x8000000000000200(slab)
[ 18.225838][ T431] raw: 8000000000000200 dead000000000100 dead000000000122 ffff888100043980
[ 18.234428][ T431] raw: 0000000000000000 0000000000400040 00000001ffffffff 0000000000000000
[ 18.242980][ T431] page dumped because: kasan: bad access detected
[ 18.249359][ T431] page_owner tracks the page as allocated
[ 18.255050][ T431] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 431, ts 17731009870, free_ts 17719841877
[ 18.270985][ T431] get_page_from_freelist+0xa74/0xa90
[ 18.276325][ T431] __alloc_pages_nodemask+0x3c8/0x820
[ 18.281663][ T431] allocate_slab+0x6b/0x350
[ 18.286131][ T431] ___slab_alloc+0x143/0x2f0
[ 18.290690][ T431] kmem_cache_alloc_trace+0x278/0x3a0
[ 18.296031][ T431] io_req_defer+0x40e/0x11b0
[ 18.300592][ T431] io_queue_sqe+0x2a/0x1180
[ 18.305066][ T431] io_submit_sqe+0x385/0xfd0
[ 18.309625][ T431] io_submit_sqes+0x1050/0x2da0
[ 18.314446][ T431] __se_sys_io_uring_enter+0x322/0x12b0
[ 18.319959][ T431] __x64_sys_io_uring_enter+0xe5/0x100
[ 18.325385][ T431] do_syscall_64+0x31/0x70
[ 18.329765][ T431] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 18.335619][ T431] page last free stack trace:
[ 18.340262][ T431] __free_pages_ok+0xbe7/0xc20
[ 18.344991][ T431] __free_pages+0x2d6/0x4a0
[ 18.349459][ T431] __free_slab+0xdf/0x1a0
[ 18.353757][ T431] unfreeze_partials+0x17d/0x1b0
[ 18.358703][ T431] put_cpu_partial+0xc8/0x190
[ 18.363386][ T431] __slab_free+0x2eb/0x4e0
[ 18.367768][ T431] ___cache_free+0x131/0x150
[ 18.372323][ T431] qlink_free+0x38/0x40
[ 18.376477][ T431] kasan_quarantine_reduce+0x178/0x1d0
[ 18.381907][ T431] __kasan_slab_alloc+0x2f/0xe0
[ 18.386721][ T431] kmem_cache_alloc+0x1a2/0x380
[ 18.391538][ T431] dup_task_struct+0xbc/0xea0
[ 18.396183][ T431] copy_process+0x665/0x5330
[ 18.400740][ T431] kernel_clone+0x21f/0x9a0
[ 18.405208][ T431] __x64_sys_clone+0x258/0x2d0
[ 18.409940][ T431] do_syscall_64+0x31/0x70
[ 18.414321][ T431]
[ 18.416619][ T431] Memory state around the buggy address:
[ 18.422218][ T431] ffff88810a63ba00: 00 00 00 00 fc fc fc fc fa fb fb fb fc fc fc fc
[ 18.430245][ T431] ffff88810a63ba80: 00 00 00 00 fc fc fc fc 00 00 00 00 fc fc fc fc
[ 18.438276][ T431] >ffff88810a63bb00: 00 00 00 00 fc fc fc fc fa fb fb fb fc fc fc fc
[ 18.446311][ T431] ^
[ 18.452427][ T431] ffff88810a63bb80: 00 00 00 00 fc fc fc fc 00 00 00 00 fc fc fc fc
[ 18.460455][ T431] ffff88810a63bc00: 00 00 00 00 fc fc fc fc fa fb fb fb fc fc fc fc
[ 18.468480][ T431] ==================================================================
[ 18.476503][ T431] Disabling lock debugging due to kernel taint
executing program executing program executing program executing program
[ 18.482658][ T432] ==================================================================
[ 18.490719][ T432] BUG: KASAN: use-after-free in task_work_run+0x126/0x1b0
[ 18.497812][ T432] Read of size 8 at addr ffff88810a63a1d8 by task io_wq_manager/432
[ 18.505763][ T432]
[ 18.508094][ T432] CPU: 0 PID: 432 Comm: io_wq_manager Tainted: G B 5.10.75-syzkaller-01082-g234d53d2bb60 #0
[ 18.519436][ T432] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 18.529475][ T432] Call Trace:
[ 18.532755][ T432] dump_stack_lvl+0x1e2/0x24b
executing program executing program executing program
[ 18.537424][ T432] ? printk+0xcf/0x119
[ 18.541489][ T432] ? show_regs_print_info+0x18/0x18
[ 18.546761][ T432] ? wake_up_klogd+0xb8/0xf0
[ 18.551357][ T432] ? devkmsg_release+0x127/0x127
[ 18.556290][ T432] print_address_description+0x8d/0x3d0
[ 18.561828][ T432] __kasan_report+0x142/0x220
[ 18.566490][ T432] ? task_work_run+0x126/0x1b0
[ 18.571254][ T432] kasan_report+0x51/0x70
[ 18.575575][ T432] __asan_report_load8_noabort+0x14/0x20
[ 18.581193][ T432] task_work_run+0x126/0x1b0
executing program executing program executing program
[ 18.585780][ T432] io_wq_manager+0x1aa/0x8b0
[ 18.590357][ T432] ? io_wq_create+0x840/0x840
[ 18.595020][ T432] ? __kasan_check_read+0x11/0x20
[ 18.600032][ T432] ? __kthread_parkme+0xba/0x1d0
[ 18.604955][ T432] kthread+0x371/0x390
[ 18.609014][ T432] ? io_wq_create+0x840/0x840
[ 18.613675][ T432] ? kthread_blkcg+0xd0/0xd0
[ 18.618258][ T432] ret_from_fork+0x1f/0x30
[ 18.622664][ T432]
[ 18.624976][ T432] Allocated by task 431:
[ 18.629205][ T432] __kasan_slab_alloc+0xb2/0xe0
executing program executing program
[ 18.634044][ T432] kmem_cache_alloc_bulk+0x2d5/0x3f0
[ 18.639323][ T432] io_submit_sqes+0x6bf/0x2da0
[ 18.644072][ T432] __se_sys_io_uring_enter+0x322/0x12b0
[ 18.649603][ T432] __x64_sys_io_uring_enter+0xe5/0x100
[ 18.655049][ T432] do_syscall_64+0x31/0x70
[ 18.659453][ T432] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 18.665321][ T432]
[ 18.667636][ T432] Freed by task 432:
[ 18.671519][ T432] kasan_set_track+0x4c/0x80
[ 18.676095][ T432] kasan_set_free_info+0x23/0x40
[ 18.681019][ T432] ____kasan_slab_free+0x133/0x170
[ 18.686115][ T432] __kasan_slab_free+0x11/0x20
[ 18.690865][ T432] slab_free_freelist_hook+0xb2/0x180
[ 18.696223][ T432] kmem_cache_free+0xaa/0x1e0
[ 18.700885][ T432] __io_free_req+0x20e/0x380
[ 18.705459][ T432] __io_req_task_cancel+0x144/0x720
[ 18.710646][ T432] io_req_task_cancel+0x51/0x130
[ 18.715569][ T432] task_work_run+0x147/0x1b0
[ 18.720142][ T432] io_wq_manager+0x1aa/0x8b0
[ 18.724723][ T432] kthread+0x371/0x390
[ 18.728782][ T432] ret_from_fork+0x1f/0x30
[ 18.733174][ T432]
[ 18.735489][ T432] Last potentially related work creation:
[ 18.741194][ T432] kasan_save_stack+0x36/0x60
[ 18.745861][ T432] kasan_record_aux_stack+0xd3/0xf0
[ 18.751045][ T432] task_work_add+0xa7/0x320
[ 18.755538][ T432] io_commit_cqring+0x756/0xa00
[ 18.760373][ T432] io_do_iopoll+0x1e18/0x23f0
[ 18.765036][ T432] io_iopoll_try_reap_events+0x116/0x290
[ 18.770656][ T432] io_ring_ctx_wait_and_kill+0x295/0x670
[ 18.776273][ T432] io_uring_release+0x5b/0x70
[ 18.780934][ T432] __fput+0x348/0x7d0
[ 18.784904][ T432] ____fput+0x15/0x20
[ 18.788871][ T432] task_work_run+0x147/0x1b0
[ 18.793446][ T432] do_exit+0x70e/0x23a0
[ 18.797591][ T432] do_group_exit+0x16a/0x2d0
[ 18.802166][ T432] __do_sys_exit_group+0x17/0x20
[ 18.807088][ T432] __se_sys_exit_group+0x14/0x20
[ 18.812011][ T432] __x64_sys_exit_group+0x3b/0x40
[ 18.817024][ T432] do_syscall_64+0x31/0x70
[ 18.821427][ T432] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 18.827291][ T432]
[ 18.829611][ T432] The buggy address belongs to the object at ffff88810a63a140
[ 18.829611][ T432] which belongs to the cache io_kiocb of size 216
[ 18.843389][ T432] The buggy address is located 152 bytes inside of
[ 18.843389][ T432] 216-byte region [ffff88810a63a140, ffff88810a63a218)
[ 18.856642][ T432] The buggy address belongs to the page:
[ 18.862274][ T432] page:ffffea0004298e80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10a63a
[ 18.872493][ T432] flags: 0x8000000000000200(slab)
[ 18.877514][ T432] raw: 8000000000000200 dead000000000100 dead000000000122 ffff8881029f3b00
[ 18.886096][ T432] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 18.894658][ T432] page dumped because: kasan: bad access detected
[ 18.901050][ T432] page_owner tracks the page as allocated
[ 18.906755][ T432] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 431, ts 17730920844, free_ts 17719841877
[ 18.922709][ T432] get_page_from_freelist+0xa74/0xa90
[ 18.928072][ T432] __alloc_pages_nodemask+0x3c8/0x820
[ 18.933430][ T432] allocate_slab+0x6b/0x350
[ 18.937921][ T432] ___slab_alloc+0x143/0x2f0
[ 18.942502][ T432] kmem_cache_alloc_bulk+0x167/0x3f0
[ 18.947778][ T432] io_submit_sqes+0x6bf/0x2da0
[ 18.952531][ T432] __se_sys_io_uring_enter+0x322/0x12b0
[ 18.958061][ T432] __x64_sys_io_uring_enter+0xe5/0x100
[ 18.963513][ T432] do_syscall_64+0x31/0x70
[ 18.967915][ T432] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 18.973786][ T432] page last free stack trace:
[ 18.978452][ T432] __free_pages_ok+0xbe7/0xc20
[ 18.983201][ T432] __free_pages+0x2d6/0x4a0
[ 18.987691][ T432] __free_slab+0xdf/0x1a0
[ 18.992006][ T432] unfreeze_partials+0x17d/0x1b0
[ 18.996927][ T432] put_cpu_partial+0xc8/0x190
[ 19.001587][ T432] __slab_free+0x2eb/0x4e0
[ 19.005991][ T432] ___cache_free+0x131/0x150
[ 19.010570][ T432] qlink_free+0x38/0x40
[ 19.014711][ T432] kasan_quarantine_reduce+0x178/0x1d0
[ 19.020158][ T432] __kasan_slab_alloc+0x2f/0xe0
[ 19.024996][ T432] kmem_cache_alloc+0x1a2/0x380
[ 19.029830][ T432] dup_task_struct+0xbc/0xea0
[ 19.034495][ T432] copy_process+0x665/0x5330
[ 19.039070][ T432] kernel_clone+0x21f/0x9a0
[ 19.043559][ T432] __x64_sys_clone+0x258/0x2d0
[ 19.048310][ T432] do_syscall_64+0x31/0x70
[ 19.052703][ T432]
[ 19.055014][ T432] Memory state around the buggy address:
[ 19.060629][ T432] ffff88810a63a080: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
[ 19.068675][ T432] ffff88810a63a100: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 19.076719][ T432] >ffff88810a63a180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program
[ 19.084769][ T432] ^
[ 19.091686][ T432] ffff88810a63a200: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.099730][ T432] ffff88810a63a280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 19.107777][ T432] ==================================================================
[ 19.120713][ T432] ------------[ cut here ]------------
[ 19.126163][ T432] refcount_t: underflow; use-after-free.
executing program executing program executing program
[ 19.132183][ T432] WARNING: CPU: 1 PID: 432 at lib/refcount.c:28 refcount_warn_saturate+0x165/0x1b0
[ 19.141687][ T432] Modules linked in:
[ 19.145582][ T432] CPU: 1 PID: 432 Comm: io_wq_manager Tainted: G B 5.10.75-syzkaller-01082-g234d53d2bb60 #0
[ 19.157193][ T432] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 19.167521][ T432] RIP: 0010:refcount_warn_saturate+0x165/0x1b0
executing program executing program
[ 19.173927][ T432] Code: c7 80 b1 49 85 31 c0 e8 c9 7d eb fe 0f 0b eb 83 e8 00 9b 18 ff c6 05 2e cb 68 04 01 48 c7 c7 e0 b1 49 85 31 c0 e8 ab 7d eb fe <0f> 0b e9 62 ff ff ff e8 df 9a 18 ff c6 05 0e cb 68 04 01 48 c7 c7
[ 19.202179][ T432] RSP: 0018:ffffc90000db7d20 EFLAGS: 00010246
[ 19.208360][ T432] RAX: 4c5e4e9fbd095d00 RBX: 0000000000000003 RCX: 1ffff920001b6f5c
[ 19.216516][ T432] RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
[ 19.225307][ T432] RBP: ffffc90000db7d30 R08: ffffffff81545368 R09: ffffed103ee295d8
executing program executing program executing program executing program
[ 19.233493][ T432] R10: ffffed103ee295d8 R11: 0000000000000000 R12: ffff88810a63a198
[ 19.242006][ T432] R13: ffff88810a63a140 R14: 0000000000000003 R15: ffff88810a63a19c
[ 19.250389][ T432] FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
[ 19.259460][ T432] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 19.266201][ T432] CR2: 00007ffc01175c48 CR3: 000000011ce86000 CR4: 00000000003506b0
[ 19.274411][ T432] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 19.282606][ T432] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
executing program executing program executing program
[ 19.290793][ T432] Call Trace:
[ 19.294089][ T432] __io_req_task_cancel+0x1c3/0x720
[ 19.299279][ T432] io_req_task_cancel+0x51/0x130
[ 19.304506][ T432] task_work_run+0x147/0x1b0
[ 19.309088][ T432] io_wq_manager+0x1aa/0x8b0
[ 19.313922][ T432] ? io_wq_create+0x840/0x840
[ 19.319456][ T432] ? __kasan_check_read+0x11/0x20
[ 19.324606][ T432] ? __kthread_parkme+0xba/0x1d0
[ 19.329678][ T432] kthread+0x371/0x390
[ 19.334473][ T432] ? io_wq_create+0x840/0x840
executing program executing program executing program executing program
[ 19.339264][ T432] ? kthread_blkcg+0xd0/0xd0
[ 19.343907][ T432] ret_from_fork+0x1f/0x30
[ 19.348336][ T432] ---[ end trace f391b6adfa5539c7 ]---
executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program
[ 19.590604][ T685] ==================================================================
[ 19.598680][ T685] BUG: KASAN: double-free or invalid-free in kfree+0xca/0x310
[ 19.606110][ T685]
[ 19.608427][ T685] CPU: 0 PID: 685 Comm: syz-executor823 Tainted: G B W 5.10.75-syzkaller-01082-g234d53d2bb60 #0
[ 19.619939][ T685] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 19.629972][ T685] Call Trace:
[ 19.633247][ T685] dump_stack_lvl+0x1e2/0x24b
[ 19.637903][ T685] ? printk+0xcf/0x119
[ 19.641953][ T685] ? show_regs_print_info+0x18/0x18
[ 19.647130][ T685] ? wake_up_klogd+0xb8/0xf0
[ 19.651717][ T685] ? devkmsg_release+0x127/0x127
[ 19.656640][ T685] ? kfree+0xca/0x310
[ 19.660617][ T685] print_address_description+0x8d/0x3d0
[ 19.666140][ T685] ? kfree+0xca/0x310
[ 19.670102][ T685] ? kfree+0xca/0x310
[ 19.674062][ T685] kasan_report_invalid_free+0x58/0x130
[ 19.679673][ T685] ____kasan_slab_free+0x14b/0x170
[ 19.684773][ T685] __kasan_slab_free+0x11/0x20
[ 19.689514][ T685] slab_free_freelist_hook+0xb2/0x180
[ 19.694865][ T685] ? io_commit_cqring+0x76a/0xa00
[ 19.699866][ T685] kfree+0xca/0x310
[ 19.703656][ T685] io_commit_cqring+0x76a/0xa00
[ 19.708486][ T685] io_do_iopoll+0x1e18/0x23f0
[ 19.713152][ T685] ? __rcu_read_lock+0x50/0x50
[ 19.717899][ T685] ? io_iopoll_try_reap_events+0x290/0x290
[ 19.723690][ T685] ? __kasan_check_write+0x14/0x20
[ 19.729653][ T685] ? mutex_lock+0xa6/0x110
[ 19.734048][ T685] ? mutex_trylock+0xb0/0xb0
[ 19.738619][ T685] ? _raw_spin_lock_irq+0xa4/0x1b0
[ 19.743719][ T685] io_iopoll_try_reap_events+0x116/0x290
[ 19.749333][ T685] ? io_poll_remove_all+0x210/0x210
[ 19.754513][ T685] ? io_poll_remove_all+0x1f1/0x210
[ 19.759695][ T685] io_ring_ctx_wait_and_kill+0x295/0x670
[ 19.765306][ T685] ? io_uring_show_fdinfo+0x1210/0x1210
[ 19.770837][ T685] ? kmem_cache_free+0xaa/0x1e0
[ 19.775679][ T685] io_uring_release+0x5b/0x70
[ 19.780337][ T685] ? io_uring_flush+0x6d0/0x6d0
[ 19.785163][ T685] __fput+0x348/0x7d0
[ 19.789126][ T685] ____fput+0x15/0x20
[ 19.793092][ T685] task_work_run+0x147/0x1b0
[ 19.797666][ T685] do_exit+0x70e/0x23a0
[ 19.801807][ T685] ? vmacache_update+0xb7/0x120
[ 19.806637][ T685] ? mm_update_next_owner+0x6e0/0x6e0
[ 19.811991][ T685] ? do_user_addr_fault+0x863/0xd70
[ 19.817174][ T685] do_group_exit+0x16a/0x2d0
[ 19.821744][ T685] __do_sys_exit_group+0x17/0x20
[ 19.826664][ T685] __se_sys_exit_group+0x14/0x20
[ 19.831583][ T685] __x64_sys_exit_group+0x3b/0x40
[ 19.836586][ T685] do_syscall_64+0x31/0x70
[ 19.840981][ T685] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 19.846849][ T685] RIP: 0033:0x7f80504bfde9
[ 19.851239][ T685] Code: Unable to access opcode bytes at RIP 0x7f80504bfdbf.
[ 19.858580][ T685] RSP: 002b:00007ffc01175c18 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 19.866972][ T685] RAX: ffffffffffffffda RBX: 00007f8050534330 RCX: 00007f80504bfde9
[ 19.874926][ T685] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 19.882879][ T685] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[ 19.890828][ T685] R10: 0000000000000001 R11: 0000000000000246 R12: 00007f8050534330
[ 19.898779][ T685] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 19.906728][ T685]
[ 19.909037][ T685] Allocated by task 685:
[ 19.913264][ T685] ____kasan_kmalloc+0xdc/0x110
[ 19.918095][ T685] __kasan_kmalloc+0x9/0x10
[ 19.922577][ T685] kmem_cache_alloc_trace+0x210/0x3a0
[ 19.927928][ T685] io_req_defer+0x40e/0x11b0
[ 19.932507][ T685] io_queue_sqe+0x2a/0x1180
[ 19.936987][ T685] io_submit_sqe+0x385/0xfd0
[ 19.941554][ T685] io_submit_sqes+0x1050/0x2da0
[ 19.946380][ T685] __se_sys_io_uring_enter+0x322/0x12b0
[ 19.951900][ T685] __x64_sys_io_uring_enter+0xe5/0x100
[ 19.957336][ T685] do_syscall_64+0x31/0x70
[ 19.961729][ T685] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 19.967589][ T685]
[ 19.969894][ T685] Freed by task 686:
[ 19.973767][ T685] kasan_set_track+0x4c/0x80
[ 19.978337][ T685] kasan_set_free_info+0x23/0x40
[ 19.983250][ T685] ____kasan_slab_free+0x133/0x170
[ 19.988342][ T685] __kasan_slab_free+0x11/0x20
[ 19.993086][ T685] slab_free_freelist_hook+0xb2/0x180
[ 19.998435][ T685] kfree+0xca/0x310
[ 20.002227][ T685] io_commit_cqring+0x76a/0xa00
[ 20.007056][ T685] __io_req_task_cancel+0x64/0x720
[ 20.012151][ T685] io_req_task_cancel+0x51/0x130
[ 20.017066][ T685] task_work_run+0x147/0x1b0
[ 20.021634][ T685] io_wq_manager+0x1aa/0x8b0
[ 20.026198][ T685] kthread+0x371/0x390
[ 20.030246][ T685] ret_from_fork+0x1f/0x30
[ 20.034630][ T685]
[ 20.036939][ T685] The buggy address belongs to the object at ffff88810fd4a980
[ 20.036939][ T685] which belongs to the cache kmalloc-32 of size 32
[ 20.050884][ T685] The buggy address is located 0 bytes inside of
[ 20.050884][ T685] 32-byte region [ffff88810fd4a980, ffff88810fd4a9a0)
[ 20.063867][ T685] The buggy address belongs to the page:
[ 20.069482][ T685] page:ffffea00043f5280 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10fd4a
[ 20.079691][ T685] flags: 0x8000000000000200(slab)
[ 20.084700][ T685] raw: 8000000000000200 dead000000000100 dead000000000122 ffff888100043980
[ 20.093261][ T685] raw: 0000000000000000 0000000000400040 00000001ffffffff 0000000000000000
[ 20.101817][ T685] page dumped because: kasan: bad access detected
[ 20.108203][ T685] page_owner tracks the page as allocated
[ 20.113903][ T685] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 682, ts 19574350293, free_ts 19566873625
[ 20.129845][ T685] get_page_from_freelist+0xa74/0xa90
[ 20.135195][ T685] __alloc_pages_nodemask+0x3c8/0x820
[ 20.140546][ T685] allocate_slab+0x6b/0x350
[ 20.145025][ T685] ___slab_alloc+0x143/0x2f0
[ 20.149591][ T685] kmem_cache_alloc_trace+0x278/0x3a0
[ 20.154938][ T685] io_req_defer+0x40e/0x11b0
[ 20.159504][ T685] io_queue_sqe+0x2a/0x1180
[ 20.163985][ T685] io_submit_sqe+0x385/0xfd0
[ 20.168555][ T685] io_submit_sqes+0x1050/0x2da0
[ 20.173383][ T685] __se_sys_io_uring_enter+0x322/0x12b0
[ 20.178916][ T685] __x64_sys_io_uring_enter+0xe5/0x100
[ 20.184355][ T685] do_syscall_64+0x31/0x70
[ 20.188753][ T685] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 20.194623][ T685] page last free stack trace:
[ 20.199287][ T685] __free_pages_ok+0xbe7/0xc20
[ 20.204033][ T685] __free_pages+0x2d6/0x4a0
[ 20.208523][ T685] __free_slab+0xdf/0x1a0
[ 20.212835][ T685] unfreeze_partials+0x17d/0x1b0
[ 20.217751][ T685] put_cpu_partial+0xc8/0x190
[ 20.222404][ T685] __slab_free+0x2eb/0x4e0
[ 20.226798][ T685] ___cache_free+0x131/0x150
[ 20.231367][ T685] qlink_free+0x38/0x40
[ 20.235505][ T685] kasan_quarantine_reduce+0x178/0x1d0
[ 20.240952][ T685] __kasan_slab_alloc+0x2f/0xe0
[ 20.245786][ T685] kmem_cache_alloc+0x1a2/0x380
[ 20.250615][ T685] getname_flags+0xba/0x650
[ 20.255101][ T685] getname+0x19/0x20
[ 20.258977][ T685] do_sys_openat2+0xd2/0x470
[ 20.263550][ T685] __x64_sys_openat+0x243/0x290
[ 20.268379][ T685] do_syscall_64+0x31/0x70
[ 20.272769][ T685]
[ 20.275072][ T685] Memory state around the buggy address:
[ 20.280682][ T685] ffff88810fd4a880: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
executing program
[ 20.288719][ T685] ffff88810fd4a900: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 20.296758][ T685] >ffff88810fd4a980: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 20.304794][ T685] ^
[ 20.308837][ T685] ffff88810fd4aa00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 20.316879][ T685] ffff88810fd4aa80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 20.324915][ T685] ==================================================================
[ 20.350804][ C0] ------------[ cut here ]------------
[ 20.356270][ C0] percpu ref (io_ring_ctx_ref_free) <= 0 (-491496) after switching to atomic
[ 20.356370][ C0] WARNING: CPU: 0 PID: 2 at lib/percpu-refcount.c:196 percpu_ref_switch_to_atomic_rcu+0x503/0x5b0
[ 20.375696][ C0] Modules linked in:
[ 20.379582][ C0] CPU: 0 PID: 2 Comm: kthreadd Tainted: G B W 5.10.75-syzkaller-01082-g234d53d2bb60 #0
[ 20.390338][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 20.400405][ C0] RIP: 0010:percpu_ref_switch_to_atomic_rcu+0x503/0x5b0
[ 20.407351][ C0] Code: 00 00 00 fc ff df 41 80 3c 06 00 74 08 4c 89 ef e8 02 e8 52 ff 49 8b 55 00 48 c7 c7 20 ae 49 85 48 89 de 31 c0 e8 7d f8 eb fe <0f> 0b e9 4b fd ff ff e8 b1 15 19 ff 0f 0b e9 a1 fe ff ff 48 c7 c1
[ 20.426959][ C0] RSP: 0018:ffffc90000007be8 EFLAGS: 00010246
[ 20.433039][ C0] RAX: 5bf52de9b7b1af00 RBX: ffffffff81c8f460 RCX: 1ffff92000000f34
[ 20.441014][ C0] RDX: 0000000080000102 RSI: 0000000080000102 RDI: 0000000000000000
[ 20.448971][ C0] RBP: ffffc90000007c30 R08: ffffffff81545368 R09: ffffed103ee03e83
[ 20.456960][ C0] R10: ffffed103ee03e83 R11: 0000000000000000 R12: 80000000000002fe
[ 20.464936][ C0] R13: ffff88810e85e280 R14: 1ffff11021d0bc50 R15: ffff88810e85e2a0
[ 20.472921][ C0] FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
[ 20.481850][ C0] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 20.488415][ C0] CR2: 00007f80505351d0 CR3: 000000011ce8d000 CR4: 00000000003506b0
[ 20.496398][ C0] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 20.504372][ C0] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 20.512344][ C0] Call Trace:
[ 20.515610][ C0]
[ 20.518459][ C0] ? percpu_ref_noop_confirm_switch+0x10/0x10
[ 20.524516][ C0] rcu_do_batch+0x4cd/0xb40
[ 20.529003][ C0] ? _raw_spin_unlock+0x4d/0x70
[ 20.533852][ C0] ? local_bh_enable+0x20/0x20
[ 20.538596][ C0] ? _raw_spin_unlock_irqrestore+0x5b/0x80
[ 20.544402][ C0] rcu_core+0x822/0x10d0
[ 20.548635][ C0] ? rcu_cpu_kthread_park+0x90/0x90
[ 20.553828][ C0] ? kvm_sched_clock_read+0x19/0x40
[ 20.559006][ C0] ? sched_clock+0x3a/0x40
[ 20.563420][ C0] ? sched_clock_cpu+0x1b/0x3c0
[ 20.568254][ C0] rcu_core_si+0x9/0x10
[ 20.572403][ C0] __do_softirq+0x27e/0x598
[ 20.576890][ C0] asm_call_irq_on_stack+0xf/0x20
[ 20.581987][ C0]
[ 20.584913][ C0] do_softirq_own_stack+0x60/0x80
[ 20.589933][ C0] __local_bh_enable_ip+0x158/0x170
[ 20.595125][ C0] ? __kmalloc+0x22a/0x3d0
[ 20.599521][ C0] ? _local_bh_enable+0x30/0x30
[ 20.604365][ C0] ? __kasan_check_write+0x14/0x20
[ 20.609460][ C0] ? _raw_spin_lock+0xa3/0x1b0
[ 20.614216][ C0] local_bh_enable+0x1f/0x30
[ 20.618788][ C0] fpu__copy+0x259/0x510
[ 20.623025][ C0] arch_dup_task_struct+0x46/0x70
[ 20.628031][ C0] dup_task_struct+0x3a7/0xea0
[ 20.632797][ C0] ? mmdrop_async_fn+0x20/0x20
[ 20.637541][ C0] ? _raw_spin_lock_irq+0xa4/0x1b0
[ 20.642645][ C0] ? _raw_spin_lock_irqsave+0x210/0x210
[ 20.648172][ C0] copy_process+0x665/0x5330
[ 20.652755][ C0] ? __rcu_read_lock+0x50/0x50
[ 20.657506][ C0] ? pidfd_show_fdinfo+0x2b0/0x2b0
[ 20.662608][ C0] ? __switch_to+0x586/0x10b0
[ 20.667270][ C0] kernel_clone+0x21f/0x9a0
[ 20.671768][ C0] ? dup_mm+0x320/0x320
[ 20.675901][ C0] ? _raw_spin_unlock_irq+0x4e/0x70
[ 20.681096][ C0] ? finish_task_switch+0x130/0x5f0
[ 20.686275][ C0] kernel_thread+0x16c/0x1e0
[ 20.690870][ C0] ? kthread_blkcg+0xd0/0xd0
[ 20.695439][ C0] ? kernel_clone+0x9a0/0x9a0
executing program
[ 20.700097][ C0] ? kthread_blkcg+0xd0/0xd0
[ 20.704682][ C0] ? _raw_spin_trylock_bh+0x1a0/0x1a0
[ 20.710033][ C0] ? __kasan_check_read+0x11/0x20
[ 20.715049][ C0] ? schedule+0x162/0x1f0
[ 20.719357][ C0] kthreadd+0x3cd/0x510
[ 20.723505][ C0] ? kthread_stop+0x3d0/0x3d0
[ 20.728164][ C0] ? calculate_sigpending+0x7d/0x90
[ 20.733357][ C0] ? schedule_tail+0xbe/0x1a0
[ 20.738015][ C0] ? kthread_stop+0x3d0/0x3d0
[ 20.742687][ C0] ret_from_fork+0x1f/0x30
[ 20.747082][ C0] ---[ end trace f391b6adfa5539c8 ]---
executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program
[ 22.051835][ T778] ==================================================================
[ 22.059913][ T778] BUG: KASAN: double-free or invalid-free in kfree+0xca/0x310
[ 22.067343][ T778]
[ 22.069656][ T778] CPU: 0 PID: 778 Comm: syz-executor823 Tainted: G B W 5.10.75-syzkaller-01082-g234d53d2bb60 #0
[ 22.081164][ T778] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 22.091197][ T778] Call Trace:
[ 22.094470][ T778] dump_stack_lvl+0x1e2/0x24b
[ 22.099129][ T778] ? printk+0xcf/0x119
[ 22.103175][ T778] ? show_regs_print_info+0x18/0x18
[ 22.108350][ T778] ? wake_up_klogd+0xb8/0xf0
[ 22.112919][ T778] ? devkmsg_release+0x127/0x127
[ 22.117837][ T778] ? kfree+0xca/0x310
[ 22.121802][ T778] print_address_description+0x8d/0x3d0
[ 22.127326][ T778] ? kfree+0xca/0x310
[ 22.131288][ T778] ? kfree+0xca/0x310
[ 22.135251][ T778] kasan_report_invalid_free+0x58/0x130
[ 22.140775][ T778] ____kasan_slab_free+0x14b/0x170
[ 22.145866][ T778] __kasan_slab_free+0x11/0x20
[ 22.150607][ T778] slab_free_freelist_hook+0xb2/0x180
[ 22.155963][ T778] ? io_commit_cqring+0x76a/0xa00
[ 22.160974][ T778] kfree+0xca/0x310
[ 22.164763][ T778] io_commit_cqring+0x76a/0xa00
[ 22.169594][ T778] io_do_iopoll+0x1e18/0x23f0
[ 22.174254][ T778] ? __rcu_read_lock+0x50/0x50
[ 22.178997][ T778] ? io_iopoll_try_reap_events+0x290/0x290
[ 22.184788][ T778] ? __kasan_check_write+0x14/0x20
[ 22.189879][ T778] ? mutex_lock+0xa6/0x110
[ 22.194273][ T778] ? mutex_trylock+0xb0/0xb0
[ 22.198843][ T778] ? _raw_spin_lock_irq+0xa4/0x1b0
[ 22.203931][ T778] io_iopoll_try_reap_events+0x116/0x290
[ 22.209547][ T778] ? io_poll_remove_all+0x210/0x210
[ 22.214723][ T778] ? io_poll_remove_all+0x1f1/0x210
[ 22.219900][ T778] io_ring_ctx_wait_and_kill+0x295/0x670
[ 22.225526][ T778] ? io_uring_show_fdinfo+0x1210/0x1210
[ 22.231054][ T778] ? kmem_cache_free+0xaa/0x1e0
[ 22.235890][ T778] io_uring_release+0x5b/0x70
[ 22.240546][ T778] ? io_uring_flush+0x6d0/0x6d0
[ 22.245379][ T778] __fput+0x348/0x7d0
[ 22.249345][ T778] ____fput+0x15/0x20
[ 22.253306][ T778] task_work_run+0x147/0x1b0
[ 22.257875][ T778] do_exit+0x70e/0x23a0
[ 22.262013][ T778] ? vmacache_update+0xb7/0x120
[ 22.266842][ T778] ? mm_update_next_owner+0x6e0/0x6e0
[ 22.272192][ T778] ? do_user_addr_fault+0x863/0xd70
[ 22.277373][ T778] do_group_exit+0x16a/0x2d0
[ 22.281944][ T778] __do_sys_exit_group+0x17/0x20
[ 22.286861][ T778] __se_sys_exit_group+0x14/0x20
[ 22.291782][ T778] __x64_sys_exit_group+0x3b/0x40
[ 22.296786][ T778] do_syscall_64+0x31/0x70
[ 22.301184][ T778] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 22.307053][ T778] RIP: 0033:0x7f80504bfde9
[ 22.311445][ T778] Code: Unable to access opcode bytes at RIP 0x7f80504bfdbf.
[ 22.318788][ T778] RSP: 002b:00007ffc01175c18 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 22.327185][ T778] RAX: ffffffffffffffda RBX: 00007f8050534330 RCX: 00007f80504bfde9
[ 22.335153][ T778] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 22.343106][ T778] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[ 22.351066][ T778] R10: 0000000000000001 R11: 0000000000000246 R12: 00007f8050534330
[ 22.359020][ T778] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 22.366971][ T778]
[ 22.369279][ T778] Allocated by task 778:
[ 22.373508][ T778] ____kasan_kmalloc+0xdc/0x110
[ 22.378350][ T778] __kasan_kmalloc+0x9/0x10
[ 22.382832][ T778] kmem_cache_alloc_trace+0x210/0x3a0
[ 22.388186][ T778] io_req_defer+0x40e/0x11b0
[ 22.392753][ T778] io_queue_sqe+0x2a/0x1180
[ 22.397232][ T778] io_submit_sqe+0x385/0xfd0
[ 22.401801][ T778] io_submit_sqes+0x1050/0x2da0
[ 22.406630][ T778] __se_sys_io_uring_enter+0x322/0x12b0
[ 22.412152][ T778] __x64_sys_io_uring_enter+0xe5/0x100
[ 22.417587][ T778] do_syscall_64+0x31/0x70
[ 22.421982][ T778] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 22.427843][ T778]
[ 22.430149][ T778] Freed by task 779:
[ 22.434020][ T778] kasan_set_track+0x4c/0x80
[ 22.438589][ T778] kasan_set_free_info+0x23/0x40
[ 22.443506][ T778] ____kasan_slab_free+0x133/0x170
[ 22.448593][ T778] __kasan_slab_free+0x11/0x20
[ 22.453332][ T778] slab_free_freelist_hook+0xb2/0x180
[ 22.458682][ T778] kfree+0xca/0x310
[ 22.462474][ T778] io_commit_cqring+0x76a/0xa00
[
22.467303][ T778] __io_req_task_cancel+0x64/0x720 [ 22.472394][ T778] io_req_task_cancel+0x51/0x130 [ 22.477309][ T778] task_work_run+0x147/0x1b0 [ 22.481876][ T778] io_wq_manager+0x1aa/0x8b0 [ 22.486443][ T778] kthread+0x371/0x390 [ 22.490508][ T778] ret_from_fork+0x1f/0x30 [ 22.494896][ T778] [ 22.497208][ T778] The buggy address belongs to the object at ffff88811188a540 [ 22.497208][ T778] which belongs to the cache kmalloc-32 of size 32 [ 22.511069][ T778] The buggy address is located 0 bytes inside of [ 22.511069][ T778] 32-byte region [ffff88811188a540, ffff88811188a560) [ 22.524059][ T778] The buggy address belongs to the page: [ 22.529673][ T778] page:ffffea0004462280 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11188a [ 22.539882][ T778] flags: 0x8000000000000200(slab) [ 22.544887][ T778] raw: 8000000000000200 dead000000000100 dead000000000122 ffff888100043980 [ 22.553447][ T778] raw: 0000000000000000 0000000000400040 00000001ffffffff 0000000000000000 [ 22.562003][ T778] page dumped because: kasan: bad access detected [ 22.568386][ T778] page_owner tracks the page as allocated [ 22.574086][ T778] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 775, ts 22016075224, free_ts 21976002523 [ 22.590030][ T778] get_page_from_freelist+0xa74/0xa90 [ 22.595382][ T778] __alloc_pages_nodemask+0x3c8/0x820 [ 22.600732][ T778] allocate_slab+0x6b/0x350 [ 22.605214][ T778] ___slab_alloc+0x143/0x2f0 [ 22.609781][ T778] kmem_cache_alloc_trace+0x278/0x3a0 [ 22.615131][ T778] io_req_defer+0x40e/0x11b0 [ 22.619697][ T778] io_queue_sqe+0x2a/0x1180 [ 22.624178][ T778] io_submit_sqe+0x385/0xfd0 [ 22.628744][ T778] io_submit_sqes+0x1050/0x2da0 [ 22.633573][ T778] __se_sys_io_uring_enter+0x322/0x12b0 [ 22.639094][ T778] __x64_sys_io_uring_enter+0xe5/0x100 [ 22.644532][ T778] do_syscall_64+0x31/0x70 [ 22.648925][ T778] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 22.654791][ T778] page last free stack 
trace: [ 22.659443][ T778] __free_pages_ok+0xbe7/0xc20 [ 22.664184][ T778] __free_pages+0x2d6/0x4a0 [ 22.668663][ T778] __free_slab+0xdf/0x1a0 [ 22.672969][ T778] unfreeze_partials+0x17d/0x1b0 [ 22.677882][ T778] put_cpu_partial+0xc8/0x190 [ 22.682535][ T778] __slab_free+0x2eb/0x4e0 [ 22.686928][ T778] ___cache_free+0x131/0x150 [ 22.691492][ T778] qlink_free+0x38/0x40 [ 22.695624][ T778] kasan_quarantine_reduce+0x178/0x1d0 [ 22.701063][ T778] __kasan_slab_alloc+0x2f/0xe0 [ 22.705889][ T778] kmem_cache_alloc+0x1a2/0x380 [ 22.710716][ T778] dup_task_struct+0xbc/0xea0 [ 22.715379][ T778] copy_process+0x665/0x5330 [ 22.720045][ T778] kernel_clone+0x21f/0x9a0 [ 22.724523][ T778] __x64_sys_clone+0x258/0x2d0 [ 22.729262][ T778] do_syscall_64+0x31/0x70 [ 22.733653][ T778] [ 22.735958][ T778] Memory state around the buggy address: [ 22.741564][ T778] ffff88811188a400: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 22.749602][ T778] ffff88811188a480: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 22.757638][ T778] >ffff88811188a500: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 22.765671][ T778] ^ [ 22.771801][ T778] ffff88811188a580: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 22.779841][ T778] ffff88811188a600: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 22.787873][ T778] ================================================================== executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing 
program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program