DUID 00:04:15:32:48:1d:3b:73:54:4f:46:a6:7d:b2:d0:ec:1f:b1
forked to background, child pid 3181
[   43.586779][ T3182] 8021q: adding VLAN 0 to HW filter on device bond0
[   43.612472][ T3182] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK
syzkaller
Warning: Permanently added '10.128.10.2' (ECDSA) to the list of known hosts.
executing program
syzkaller login:
[   67.267314][ T3602] ==================================================================
[   67.275475][ T3602] BUG: KASAN: use-after-free in io_submit_one+0x6fb/0x1c70
[   67.282691][ T3602] Write of size 4 at addr ffff8880186720c8 by task syz-executor789/3602
[   67.290997][ T3602]
[   67.293307][ T3602] CPU: 0 PID: 3602 Comm: syz-executor789 Not tainted 5.16.0-rc4-syzkaller #0
[   67.302069][ T3602] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   67.312109][ T3602] Call Trace:
[   67.315375][ T3602]  <TASK>
[   67.318295][ T3602]  dump_stack_lvl+0xcd/0x134
[   67.322894][ T3602]  print_address_description.constprop.0.cold+0x8d/0x320
[   67.329909][ T3602]  ? io_submit_one+0x6fb/0x1c70
[   67.334751][ T3602]  ? io_submit_one+0x6fb/0x1c70
[   67.339582][ T3602]  kasan_report.cold+0x83/0xdf
[   67.344337][ T3602]  ? io_submit_one+0x6fb/0x1c70
[   67.349171][ T3602]  kasan_check_range+0x13d/0x180
[   67.354112][ T3602]  io_submit_one+0x6fb/0x1c70
[   67.358780][ T3602]  ? find_held_lock+0x2d/0x110
[   67.363534][ T3602]  ? __do_compat_sys_io_pgetevents_time64+0x400/0x400
[   67.370281][ T3602]  ? __might_fault+0xd1/0x170
[   67.374948][ T3602]  ? lock_downgrade+0x6e0/0x6e0
[   67.379809][ T3602]  __x64_sys_io_submit+0x18c/0x330
[   67.384913][ T3602]  ? __ia32_sys_io_destroy+0x1e0/0x1e0
[   67.390480][ T3602]  ? syscall_enter_from_user_mode+0x21/0x70
[   67.396375][ T3602]  do_syscall_64+0x35/0xb0
[   67.400783][ T3602]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   67.406666][ T3602] RIP: 0033:0x7f1ef62dde89
[   67.411067][ T3602] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[   67.430687][ T3602] RSP: 002b:00007fffd6590348 EFLAGS: 00000246 ORIG_RAX: 00000000000000d1
[   67.439082][ T3602] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1ef62dde89
[   67.447044][ T3602] RDX: 0000000020000800 RSI: 0000000000000002 RDI: 00007f1ef6295000
[   67.455003][ T3602] RBP: 0000000000000000 R08: 00007fffd65904e8 R09: 00007fffd65904e8
[   67.463047][ T3602] R10: 00007fffd65904e8 R11: 0000000000000246 R12: 00007f1ef62a1710
[   67.471004][ T3602] R13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000
[   67.478970][ T3602]  </TASK>
[   67.481972][ T3602]
[   67.484278][ T3602] Allocated by task 3602:
[   67.488583][ T3602]  kasan_save_stack+0x1e/0x50
[   67.493263][ T3602]  __kasan_slab_alloc+0x90/0xc0
[   67.498098][ T3602]  kmem_cache_alloc+0x202/0x3a0
[   67.502932][ T3602]  io_submit_one+0xfd/0x1c70
[   67.507509][ T3602]  __x64_sys_io_submit+0x18c/0x330
[   67.512605][ T3602]  do_syscall_64+0x35/0xb0
[   67.517008][ T3602]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   67.522897][ T3602]
[   67.525210][ T3602] Freed by task 3602:
[   67.529176][ T3602]  kasan_save_stack+0x1e/0x50
[   67.533869][ T3602]  kasan_set_track+0x21/0x30
[   67.538448][ T3602]  kasan_set_free_info+0x20/0x30
[   67.543432][ T3602]  __kasan_slab_free+0xff/0x130
[   67.548269][ T3602]  slab_free_freelist_hook+0x8b/0x1c0
[   67.553648][ T3602]  kmem_cache_free+0xbd/0x5d0
[   67.558332][ T3602]  aio_complete_rw+0x474/0x8c0
[   67.563077][ T3602]  aio_read+0x30d/0x460
[   67.567214][ T3602]  io_submit_one+0xfbe/0x1c70
[   67.571877][ T3602]  __x64_sys_io_submit+0x18c/0x330
[   67.576975][ T3602]  do_syscall_64+0x35/0xb0
[   67.581402][ T3602]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   67.587300][ T3602]
[   67.589778][ T3602] The buggy address belongs to the object at ffff888018672000
[   67.589778][ T3602]  which belongs to the cache aio_kiocb of size 216
[   67.603640][ T3602] The buggy address is located 200 bytes inside of
[   67.603640][ T3602]  216-byte region [ffff888018672000, ffff8880186720d8)
[   67.616986][ T3602] The buggy address belongs to the page:
[   67.622595][ T3602] page:ffffea0000619c80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x18672
[   67.632728][ T3602] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[   67.640264][ T3602] raw: 00fff00000000200 0000000000000000 dead000000000122 ffff88814663b8c0
[   67.648938][ T3602] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[   67.657497][ T3602] page dumped because: kasan: bad access detected
[   67.663887][ T3602] page_owner tracks the page as allocated
[   67.669595][ T3602] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 3602, ts 67267165484, free_ts 16951029362
[   67.685637][ T3602]  get_page_from_freelist+0xa72/0x2f50
[   67.691110][ T3602]  __alloc_pages+0x1b2/0x500
[   67.695689][ T3602]  alloc_pages+0x1a7/0x300
[   67.700095][ T3602]  new_slab+0x32d/0x4a0
[   67.704240][ T3602]  ___slab_alloc+0x918/0xfe0
[   67.708813][ T3602]  __slab_alloc.constprop.0+0x4d/0xa0
[   67.714168][ T3602]  kmem_cache_alloc+0x35c/0x3a0
[   67.719004][ T3602]  io_submit_one+0xfd/0x1c70
[   67.723580][ T3602]  __x64_sys_io_submit+0x18c/0x330
[   67.728674][ T3602]  do_syscall_64+0x35/0xb0
[   67.733084][ T3602]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   67.738973][ T3602] page last free stack trace:
[   67.743626][ T3602]  free_pcp_prepare+0x374/0x870
[   67.748469][ T3602]  free_unref_page+0x19/0x690
[   67.753132][ T3602]  kasan_depopulate_vmalloc_pte+0x5c/0x70
[   67.758843][ T3602]  __apply_to_page_range+0x694/0x1080
[   67.764222][ T3602]  kasan_release_vmalloc+0xa7/0xc0
[   67.769316][ T3602]  __purge_vmap_area_lazy+0x8f9/0x1c50
[   67.774760][ T3602]  _vm_unmap_aliases.part.0+0x3f0/0x500
[   67.780288][ T3602]  vm_unmap_aliases+0x45/0x50
[   67.784955][ T3602]  change_page_attr_set_clr+0x241/0x500
[   67.790491][ T3602]  set_memory_nx+0xb2/0x110
[   67.794978][ T3602]  free_init_pages+0x73/0xc0
[   67.799549][ T3602]  kernel_init+0x2e/0x1d0
[   67.803865][ T3602]  ret_from_fork+0x1f/0x30
[   67.808273][ T3602]
[   67.810590][ T3602] Memory state around the buggy address:
[   67.816209][ T3602]  ffff888018671f80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   67.824268][ T3602]  ffff888018672000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   67.832435][ T3602] >ffff888018672080: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
[   67.840481][ T3602]                                               ^
[   67.846934][ T3602]  ffff888018672100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   67.854984][ T3602]  ffff888018672180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   67.863028][ T3602] ==================================================================
[   67.871069][ T3602] Disabling lock debugging due to kernel taint
[   67.877982][ T3602] Kernel panic - not syncing: panic_on_warn set ...
[   67.884570][ T3602] CPU: 0 PID: 3602 Comm: syz-executor789 Tainted: G    B             5.16.0-rc4-syzkaller #0
[   67.894712][ T3602] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   67.904754][ T3602] Call Trace:
[   67.908024][ T3602]  <TASK>
[   67.910945][ T3602]  dump_stack_lvl+0xcd/0x134
[   67.915539][ T3602]  panic+0x2b0/0x6dd
[   67.919435][ T3602]  ? __warn_printk+0xf3/0xf3
[   67.924020][ T3602]  ? preempt_schedule_common+0x59/0xc0
[   67.929481][ T3602]  ? io_submit_one+0x6fb/0x1c70
[   67.934325][ T3602]  ? preempt_schedule_thunk+0x16/0x18
[   67.939701][ T3602]  ? trace_hardirqs_on+0x38/0x1c0
[   67.944722][ T3602]  ? trace_hardirqs_on+0x51/0x1c0
[   67.949743][ T3602]  ? io_submit_one+0x6fb/0x1c70
[   67.954582][ T3602]  ? io_submit_one+0x6fb/0x1c70
[   67.959424][ T3602]  end_report.cold+0x63/0x6f
[   67.964010][ T3602]  kasan_report.cold+0x71/0xdf
[   67.968777][ T3602]  ? io_submit_one+0x6fb/0x1c70
[   67.973734][ T3602]  kasan_check_range+0x13d/0x180
[   67.978686][ T3602]  io_submit_one+0x6fb/0x1c70
[   67.983368][ T3602]  ? find_held_lock+0x2d/0x110
[   67.988134][ T3602]  ? __do_compat_sys_io_pgetevents_time64+0x400/0x400
[   67.994898][ T3602]  ? __might_fault+0xd1/0x170
[   67.999576][ T3602]  ? lock_downgrade+0x6e0/0x6e0
[   68.004431][ T3602]  __x64_sys_io_submit+0x18c/0x330
[   68.009538][ T3602]  ? __ia32_sys_io_destroy+0x1e0/0x1e0
[   68.015014][ T3602]  ? syscall_enter_from_user_mode+0x21/0x70
[   68.021019][ T3602]  do_syscall_64+0x35/0xb0
[   68.025448][ T3602]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   68.031350][ T3602] RIP: 0033:0x7f1ef62dde89
[   68.035764][ T3602] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[   68.055370][ T3602] RSP: 002b:00007fffd6590348 EFLAGS: 00000246 ORIG_RAX: 00000000000000d1
[   68.063808][ T3602] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1ef62dde89
[   68.071783][ T3602] RDX: 0000000020000800 RSI: 0000000000000002 RDI: 00007f1ef6295000
[   68.079763][ T3602] RBP: 0000000000000000 R08: 00007fffd65904e8 R09: 00007fffd65904e8
[   68.087739][ T3602] R10: 00007fffd65904e8 R11: 0000000000000246 R12: 00007f1ef62a1710
[   68.095891][ T3602] R13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000
[   68.103879][ T3602]  </TASK>
[   68.107002][ T3602] Kernel Offset: disabled
[   68.111341][ T3602] Rebooting in 86400 seconds..
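Triage helper for the report above, added here as an example; it is not part of the syzbot log, the kernel, or syzkaller. It pulls out what a responder reads first from a KASAN slab report: the bug class and faulting function, the access (a 4-byte write, which matters for exploitability far more than a read), the slab cache and offset that pin down the corrupted field of the object, and the first non-allocator frame of the allocation and free stacks. It then cross-checks the stated offset against the address arithmetic and confirms the access lies inside the object (otherwise the report is an out-of-bounds, not a use-after-free) and notes that allocation, free and bad access all ran in task 3602, i.e. in one io_submit call. It assumes the 5.x KASAN report layout (the `BUG: KASAN:`, `... of size N at addr`, `Allocated by task`/`Freed by task` and `belongs to the cache` lines); the sample input is an excerpt of the lines above, and the list of allocator "noise" frame prefixes is a hand-picked assumption.

```python
"""Triage helper for a KASAN slab report like the one above. Added example, not
part of the syzbot log or of kernel/syzkaller code. It assumes the 5.x KASAN
report layout: "BUG: KASAN: <kind> in <func>", "<Read|Write> of size N at addr",
"Allocated by task"/"Freed by task" sections, "belongs to the object/cache"."""
import re

# The "[   ts][ Tnnn]" printk prefix is optional, so raw dmesg parses the same.
_PFX = r"(?:\[\s*\d+\.\d+\]\[\s*T\d+\]\s*)?"
_RE_BUG = re.compile(_PFX + r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\S+)")
_RE_ACCESS = re.compile(_PFX + r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<comm>\S+)/(?P<pid>\d+)")
_RE_OBJECT = re.compile(_PFX + r"The buggy address belongs to the object at (?P<base>[0-9a-f]+)")
_RE_CACHE = re.compile(_PFX + r"which belongs to the cache (?P<cache>\S+) of size (?P<objsize>\d+)")
_RE_OFFSET = re.compile(_PFX + r"The buggy address is located (?P<off>\d+) bytes inside of")
_RE_SECTION = re.compile(_PFX + r"(?P<name>Allocated|Freed) by task (?P<pid>\d+):")
_RE_FRAME = re.compile(_PFX + r"\s*(?P<frame>[A-Za-z_][\w.]*\+0x[0-9a-f]+/0x[0-9a-f]+)\s*$")

# KASAN and slab-allocator frames that sit above the code owning the object.
# Hand-picked prefix list (an assumption); extend it for other allocators.
_NOISE = ("kasan_", "__kasan_", "slab_free_freelist_hook", "kmem_cache_", "__kmalloc",
          "___slab_alloc", "__slab_alloc", "new_slab", "alloc_pages", "__alloc_pages",
          "get_page_from_freelist")

# Sample input: an excerpt of the report above.
SAMPLE_REPORT = """\
[   67.275475][ T3602] BUG: KASAN: use-after-free in io_submit_one+0x6fb/0x1c70
[   67.282691][ T3602] Write of size 4 at addr ffff8880186720c8 by task syz-executor789/3602
[   67.290997][ T3602]
[   67.484278][ T3602] Allocated by task 3602:
[   67.488583][ T3602]  kasan_save_stack+0x1e/0x50
[   67.493263][ T3602]  __kasan_slab_alloc+0x90/0xc0
[   67.498098][ T3602]  kmem_cache_alloc+0x202/0x3a0
[   67.502932][ T3602]  io_submit_one+0xfd/0x1c70
[   67.507509][ T3602]  __x64_sys_io_submit+0x18c/0x330
[   67.512605][ T3602]  do_syscall_64+0x35/0xb0
[   67.517008][ T3602]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   67.522897][ T3602]
[   67.525210][ T3602] Freed by task 3602:
[   67.529176][ T3602]  kasan_save_stack+0x1e/0x50
[   67.533869][ T3602]  kasan_set_track+0x21/0x30
[   67.538448][ T3602]  kasan_set_free_info+0x20/0x30
[   67.543432][ T3602]  __kasan_slab_free+0xff/0x130
[   67.548269][ T3602]  slab_free_freelist_hook+0x8b/0x1c0
[   67.553648][ T3602]  kmem_cache_free+0xbd/0x5d0
[   67.558332][ T3602]  aio_complete_rw+0x474/0x8c0
[   67.563077][ T3602]  aio_read+0x30d/0x460
[   67.567214][ T3602]  io_submit_one+0xfbe/0x1c70
[   67.571877][ T3602]  __x64_sys_io_submit+0x18c/0x330
[   67.576975][ T3602]  do_syscall_64+0x35/0xb0
[   67.581402][ T3602]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   67.587300][ T3602]
[   67.589778][ T3602] The buggy address belongs to the object at ffff888018672000
[   67.589778][ T3602]  which belongs to the cache aio_kiocb of size 216
[   67.603640][ T3602] The buggy address is located 200 bytes inside of
[   67.603640][ T3602]  216-byte region [ffff888018672000, ffff8880186720d8)
"""

def parse_kasan_report(text):
    """Extract the headline, the faulting access, the object and both stacks."""
    bug, acc = _RE_BUG.search(text), _RE_ACCESS.search(text)
    obj, cache, off = _RE_OBJECT.search(text), _RE_CACHE.search(text), _RE_OFFSET.search(text)
    if not (bug and acc and obj and cache):
        raise ValueError("not a complete KASAN slab report")
    stacks, section = {}, None
    for line in text.splitlines():
        sec = _RE_SECTION.match(line)
        if sec:
            section = sec["name"]
            stacks[section] = {"pid": int(sec["pid"]), "frames": []}
            continue
        frame = _RE_FRAME.match(line) if section else None
        if frame:
            stacks[section]["frames"].append(frame["frame"])
        else:
            section = None  # a blank or prose line ends the stack
    addr, base = int(acc["addr"], 16), int(obj["base"], 16)
    return {
        "kind": bug["kind"], "func": bug["func"], "access": acc["rw"], "size": int(acc["size"]),
        "addr": addr, "comm": acc["comm"], "pid": int(acc["pid"]), "cache": cache["cache"],
        "objsize": int(cache["objsize"]), "base": base, "offset": addr - base,
        "stated_offset": int(off["off"]) if off else None,
        "alloc": stacks.get("Allocated", {"pid": None, "frames": []}),
        "free": stacks.get("Freed", {"pid": None, "frames": []}),
    }

def blame_frame(frames):
    """First frame below the KASAN/allocator plumbing: the real alloc or free site."""
    return next((f for f in frames if not f.startswith(_NOISE)), None)

def sanity_checks(r):
    """Cross-checks to run before trusting the headline; an empty list means consistent."""
    problems = []
    if r["stated_offset"] is not None and r["stated_offset"] != r["offset"]:
        problems.append("stated offset %d != addr - base = %d" % (r["stated_offset"], r["offset"]))
    if not (0 <= r["offset"] and r["offset"] + r["size"] <= r["objsize"]):
        problems.append("access [%d, %d) lies outside the %d-byte object: out-of-bounds, not a plain UAF"
                        % (r["offset"], r["offset"] + r["size"], r["objsize"]))
    return problems

def summarize(r):
    """One-line triage summary; same-task alloc/free/access narrows the search."""
    same = r["alloc"]["pid"] == r["free"]["pid"] == r["pid"]
    where = ("alloc, free and access all in task %d: look for a sequential lifecycle bug before suspecting a race"
             % r["pid"]) if same else "alloc, free and access span tasks: a race is possible"
    return "%s %s of %d bytes at +%d in %s (%d bytes) from %s; allocated in %s, freed in %s; %s" % (
        r["kind"], r["access"].lower(), r["size"], r["offset"], r["cache"], r["objsize"], r["func"],
        blame_frame(r["alloc"]["frames"]), blame_frame(r["free"]["frames"]), where)
```

Run `summarize(parse_kasan_report(SAMPLE_REPORT))` to get the one-line form; on this report it names io_submit_one+0xfd as the allocation site and aio_complete_rw+0x474 (reached synchronously through aio_read from io_submit_one+0xfbe) as the free site, with the offending write at offset 200 of the 216-byte aio_kiocb from the same task, which is why the "Freed by" stack, not the `?` frames in the panic trace, is the place to start reading the source.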