DUID 00:04:a3:03:08:15:93:78:e3:1f:4c:1c:fb:56:e6:f5:4b:05 forked to background, child pid 4650
[   35.937528][ T4651] 8021q: adding VLAN 0 to HW filter on device bond0
[   35.956508][ T4651] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK

syzkaller
Warning: Permanently added '10.128.0.197' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [   55.098119][ T5072] ==================================================================
[   55.106235][ T5072] BUG: KASAN: use-after-free in io_fallback_tw+0x6d/0x119
[   55.113356][ T5072] Read of size 8 at addr ffff888074062948 by task syz-executor294/5072
[   55.121587][ T5072]
[   55.123907][ T5072] CPU: 0 PID: 5072 Comm: syz-executor294 Not tainted 6.2.0-rc3-next-20230112-syzkaller #0
[   55.133798][ T5072] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[   55.143856][ T5072] Call Trace:
[   55.146564][   T26] general protection fault, probably for non-canonical address 0xe0d91c2be000000c: 0000 [#1] PREEMPT SMP KASAN
[   55.147115][ T5072]
[   55.147126][ T5072]  dump_stack_lvl+0xd1/0x138
[   55.158809][   T26] KASAN: maybe wild-memory-access in range [0x06c9015f00000060-0x06c9015f00000067]
[   55.161742][ T5072]  print_report+0x15e/0x45d
[   55.166309][   T26] CPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.2.0-rc3-next-20230112-syzkaller #0
[   55.175576][ T5072]  ? __phys_addr+0xc8/0x140
[   55.180064][   T26] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[   55.189422][ T5072]  ? io_fallback_tw+0x6d/0x119
[   55.193913][   T26] Workqueue: events io_fallback_req_func
[   55.203945][ T5072]  kasan_report+0xc0/0xf0
[   55.208681][   T26]
[   55.208688][   T26] RIP: 0010:__lock_acquire+0xd83/0x5660
[   55.214293][ T5072]  ? io_fallback_tw+0x6d/0x119
[   55.218591][   T26] Code: 3d 0f 41 bf 01 00 00 00 0f 86 c8 00 00 00 89 05 53 f6 3d 0f e9 bd 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 <80> 3c 02 00 0f 85 e6 30 00 00 49 81 3e 60 b6 f8 8f 0f 84 4c f3 ff
[   55.220908][ T5072]  io_fallback_tw+0x6d/0x119
[   55.226430][   T26] RSP: 0018:ffffc90000a1f8f8 EFLAGS: 00010006
[   55.231185][ T5072]  tctx_task_work.cold+0xf/0x2c
[   55.250761][   T26]
[   55.250767][   T26] RAX: dffffc0000000000 RBX: 1ffff92000143f4d RCX: 0000000000000000
[   55.255328][ T5072]  ? handle_tw_list+0x460/0x460
[   55.261364][   T26] RDX: 00d9202be000000c RSI: 0000000000000000 RDI: 0000000000000001
[   55.266187][ T5072]  ? lock_downgrade+0x6e0/0x6e0
[   55.268492][   T26] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
[   55.276441][ T5072]  ? do_raw_spin_lock+0x124/0x2b0
[   55.281265][   T26] R10: fffffbfff1ce78da R11: 1ffffffff2148cf1 R12: 0000000000000000
[   55.289217][ T5072]  ? rwlock_bug.part.0+0x90/0x90
[   55.294050][   T26] R13: ffff888012783a80 R14: 06c9015f00000063 R15: 0000000000000000
[   55.302017][ T5072]  ? _raw_spin_unlock_irq+0x23/0x50
[   55.307020][   T26] FS:  0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
[   55.314976][ T5072]  task_work_run+0x16f/0x270
[   55.319892][   T26] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   55.327840][ T5072]  ? task_work_cancel+0x30/0x30
[   55.333010][   T26] CR2: 00007ffcfc07d1c8 CR3: 000000002a0dc000 CR4: 00000000003506e0
[   55.341913][ T5072]  ? do_raw_spin_unlock+0x175/0x230
[   55.346477][   T26] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   55.353052][ T5072]  do_exit+0xb17/0x2a90
[   55.357884][   T26] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   55.365849][ T5072]  ? lock_downgrade+0x6e0/0x6e0
[   55.371030][   T26] Call Trace:
[   55.371040][   T26]
[   55.378985][ T5072]  ? do_raw_spin_lock+0x124/0x2b0
[   55.383127][   T26]  ? ret_from_fork+0x1f/0x30
[   55.391074][ T5072]  ? mm_update_next_owner+0x7b0/0x7b0
[   55.395900][   T26]  ? lockdep_hardirqs_on_prepare+0x410/0x410
[   55.399158][ T5072]  ? rwlock_bug.part.0+0x90/0x90
[   55.402073][   T26]  ? lockdep_hardirqs_on_prepare+0x410/0x410
[   55.407076][ T5072]  ? _raw_spin_unlock_irq+0x23/0x50
[   55.411637][   T26]  ? stack_trace_save+0x90/0xc0
[   55.416985][ T5072]  do_group_exit+0xd4/0x2a0
[   55.422941][   T26]  lock_acquire.part.0+0x11a/0x350
[   55.427854][ T5072]  __x64_sys_exit_group+0x3e/0x50
[   55.433807][   T26]  ? io_poll_remove_entries.part.0+0x15e/0x810
[   55.438979][ T5072]  do_syscall_64+0x39/0xb0
[   55.443805][   T26]  ? lock_release+0x810/0x810
[   55.448282][ T5072]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   55.453370][   T26]  ? io_poll_remove_entries.part.0+0x15e/0x810
[   55.458368][ T5072] RIP: 0033:0x7f8ae2ea51d9
[   55.464502][   T26]  ? rcu_read_lock_sched_held+0x3e/0x70
[   55.468894][ T5072] Code: Unable to access opcode bytes at 0x7f8ae2ea51af.
[   55.473545][   T26]  ? trace_lock_acquire+0x1f1/0x290
[   55.479411][ T5072] RSP: 002b:00007ffcfc07d198 EFLAGS: 00000246
[   55.485538][   T26]  ? io_poll_remove_entries.part.0+0x15e/0x810
[   55.489929][ T5072] ORIG_RAX: 00000000000000e7
[   55.495452][   T26]  ? lock_acquire+0x32/0xc0
[   55.502448][ T5072] RAX: ffffffffffffffda RBX: 00007f8ae2f19350 RCX: 00007f8ae2ea51d9
[   55.507622][   T26]  ? io_poll_remove_entries.part.0+0x15e/0x810
[   55.513660][ T5072] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[   55.519791][   T26]  _raw_spin_lock_irq+0x36/0x50
[   55.524440][ T5072] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 00007ffcfc07d388
[   55.528918][   T26]  ? io_poll_remove_entries.part.0+0x15e/0x810
[   55.536891][ T5072] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f8ae2f19350
[   55.543025][   T26]  io_poll_remove_entries.part.0+0x15e/0x810
[   55.550973][ T5072] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[   55.555799][   T26]  io_poll_task_func+0x56c/0x1220
[   55.563756][ T5072]
[   55.569877][   T26]  ? io_poll_remove_entries.part.0+0x810/0x810
[   55.577826][ T5072]
[   55.577831][ T5072] Allocated by task 5072:
[   55.583776][   T26]  ? lock_acquire+0x32/0xc0
[   55.591726][ T5072]  kasan_save_stack+0x22/0x40
[   55.596731][   T26]  io_fallback_req_func+0xfd/0x204
[   55.599732][ T5072]  kasan_set_track+0x25/0x30
[   55.605858][   T26]  ? __io_commit_cqring_flush.cold+0x42/0x42
[   55.608163][ T5072]  __kasan_slab_alloc+0x7f/0x90
[   55.612474][   T26]  process_one_work+0x9bf/0x1750
[   55.616948][ T5072]  kmem_cache_alloc_bulk+0x3aa/0x730
[   55.621604][   T26]  ? pwq_dec_nr_in_flight+0x2a0/0x2a0
[   55.626683][ T5072]  __io_alloc_req_refill+0xcc/0x40b
[   55.631245][   T26]  ? rcu_read_lock_sched_held+0x3e/0x70
[   55.637199][ T5072]  io_submit_sqes.cold+0x7c/0xc2
[   55.642027][   T26]  ? rwlock_bug.part.0+0x90/0x90
[   55.646940][ T5072]  __do_sys_io_uring_enter+0x9e4/0x2c10
[   55.652199][   T26]  ? lock_acquire+0x32/0xc0
[   55.657545][ T5072]  do_syscall_64+0x39/0xb0
[   55.662719][   T26]  ? worker_thread+0x16d/0x1090
[   55.668239][ T5072]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   55.673159][   T26]  worker_thread+0x669/0x1090
[   55.678071][ T5072]
[   55.678076][ T5072] Freed by task 46:
[   55.683597][   T26]  ? __kthread_parkme+0x163/0x220
[   55.688068][ T5072]  kasan_save_stack+0x22/0x40
[   55.692459][   T26]  ? process_one_work+0x1750/0x1750
[   55.697284][ T5072]  kasan_set_track+0x25/0x30
[   55.703157][   T26]  kthread+0x2e8/0x3a0
[   55.707815][ T5072]  kasan_save_free_info+0x2e/0x40
[   55.710123][   T26]  ? kthread_complete_and_exit+0x40/0x40
[   55.713905][ T5072]  ____kasan_slab_free+0x160/0x1c0
[   55.718904][   T26]  ret_from_fork+0x1f/0x30
[   55.723552][ T5072]  slab_free_freelist_hook+0x8b/0x1c0
[   55.728732][   T26]
[   55.733288][ T5072]  kmem_cache_free+0xec/0x4e0
[   55.737335][   T26] Modules linked in:
[   55.742329][ T5072]  io_req_caches_free+0x1a9/0x1e6
[   55.747940][   T26] ---[ end trace 0000000000000000 ]---
[   55.753018][ T5072]  io_ring_exit_work+0x2e7/0xc80
[   55.757418][   T26] RIP: 0010:__lock_acquire+0xd83/0x5660
[   55.762763][ T5072]  process_one_work+0x9bf/0x1750
[   55.765766][   T26] Code: 3d 0f 41 bf 01 00 00 00 0f 86 c8 00 00 00 89 05 53 f6 3d 0f e9 bd 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 <80> 3c 02 00 0f 85 e6 30 00 00 49 81 3e 60 b6 f8 8f 0f 84 4c f3 ff
[   55.770414][ T5072]  worker_thread+0x669/0x1090
[   55.774291][   T26] RSP: 0018:ffffc90000a1f8f8 EFLAGS: 00010006
[   55.779290][ T5072]  kthread+0x2e8/0x3a0
[   55.784724][   T26]
[   55.784729][   T26] RAX: dffffc0000000000 RBX: 1ffff92000143f4d RCX: 0000000000000000
[   55.789638][ T5072]  ret_from_fork+0x1f/0x30
[   55.795163][   T26] RDX: 00d9202be000000c RSI: 0000000000000000 RDI: 0000000000000001
[   55.800081][ T5072]
[   55.800086][ T5072] The buggy address belongs to the object at ffff8880740628c0
[   55.800086][ T5072]  which belongs to the cache io_kiocb of size 216
[   55.819666][   T26] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
[   55.824318][ T5072] The buggy address is located 136 bytes inside of
[   55.824318][ T5072]  216-byte region [ffff8880740628c0, ffff888074062998)
[   55.830360][   T26] R10: fffffbfff1ce78da R11: 1ffffffff2148cf1 R12: 0000000000000000
[   55.834402][ T5072]
[   55.834407][ T5072] The buggy address belongs to the physical page:
[   55.836708][   T26] R13: ffff888012783a80 R14: 06c9015f00000063 R15: 0000000000000000
[   55.844747][ T5072] page:ffffea0001d01880 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x74062
[   55.849133][   T26] FS:  0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
[   55.857088][ T5072] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[   55.859395][   T26] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   55.873173][ T5072] raw: 00fff00000000200 ffff88801bf9c500 dead000000000122 0000000000000000
[   55.881109][   T26] CR2: 00007ffcfc07d1c8 CR3: 000000002a0dc000 CR4: 00000000003506e0
[   55.894364][ T5072] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[   55.902306][   T26] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   55.904612][ T5072] page dumped because: kasan: bad access detected
[   55.904625][ T5072] page_owner tracks the page as allocated
[   55.910997][   T26] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   55.918948][ T5072] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 5072, tgid 5072 (syz-executor294), ts 55096698238, free_ts 46134705123
[   55.929071][   T26] Kernel panic - not syncing: Fatal exception
[   55.937990][ T5072]  get_page_from_freelist+0x11bb/0x2d50
[   55.945556][ T5072]  __alloc_pages+0x1cb/0x5c0
[   55.952156][ T5072]  alloc_pages+0x1aa/0x270
[   55.960772][ T5072]  allocate_slab+0x25f/0x350
[   55.968764][ T5072]  ___slab_alloc+0xa91/0x1400
[   55.977357][ T5072]  kmem_cache_alloc_bulk+0x23d/0x730
[   55.985360][ T5072]  __io_alloc_req_refill+0xcc/0x40b
[   55.991792][ T5072]  io_submit_sqes.cold+0x7c/0xc2
[   55.997514][ T5072]  __do_sys_io_uring_enter+0x9e4/0x2c10
[   56.005497][ T5072]  do_syscall_64+0x39/0xb0
[   56.024072][ T5072]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   56.030168][ T5072] page last free stack trace:
[   56.035695][ T5072]  free_pcp_prepare+0x4d0/0x910
[   56.040292][ T5072]  free_unref_page+0x1d/0x490
[   56.044719][ T5072]  __folio_put+0xc5/0x140
[   56.049321][ T5072]  anon_pipe_buf_release+0x3fb/0x4c0
[   56.054017][ T5072]  pipe_read+0x614/0x1110
[   56.059343][ T5072]  vfs_read+0x7fa/0x930
[   56.064543][ T5072]  ksys_read+0x1ec/0x250
[   56.069494][ T5072]  do_syscall_64+0x39/0xb0
[   56.075057][ T5072]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   56.079492][ T5072]
[   56.085366][ T5072] Memory state around the buggy address:
[   56.090029][ T5072]  ffff888074062800: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
[   56.094870][ T5072]  ffff888074062880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   56.099534][ T5072] >ffff888074062900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   56.103847][ T5072]                                               ^
[   56.109133][ T5072]  ffff888074062980: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
[   56.113459][ T5072]  ffff888074062a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   56.117598][ T5072] ==================================================================
[   56.121974][   T26] Kernel Offset: disabled
[   56.200035][   T26] Rebooting in 86400 seconds..