Warning: Permanently added '10.128.1.91' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   55.213028][ T5072] ==================================================================
[   55.221968][ T5072] BUG: KASAN: use-after-free in io_fallback_tw+0x6d/0x119
[   55.229079][ T5072] Read of size 8 at addr ffff888017b8f948 by task syz-executor316/5072
[   55.237306][ T5072] 
[   55.239619][ T5072] CPU: 1 PID: 5072 Comm: syz-executor316 Not tainted 6.2.0-rc3-next-20230112-syzkaller #0
[   55.249519][ T5072] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[   55.259570][ T5072] Call Trace:
[   55.262844][ T5072]  <TASK>
[   55.265772][ T5072]  dump_stack_lvl+0xd1/0x138
[   55.270364][ T5072]  print_report+0x15e/0x45d
[   55.274893][ T5072]  ? __phys_addr+0xc8/0x140
[   55.279402][ T5072]  ? io_fallback_tw+0x6d/0x119
[   55.284157][ T5072]  kasan_report+0xc0/0xf0
[   55.288488][ T5072]  ? io_fallback_tw+0x6d/0x119
[   55.293246][ T5072]  io_fallback_tw+0x6d/0x119
[   55.297852][ T5072]  tctx_task_work.cold+0xf/0x2c
[   55.302691][ T5072]  ? handle_tw_list+0x460/0x460
[   55.307543][ T5072]  ? lock_downgrade+0x6e0/0x6e0
[   55.312412][ T5072]  ? do_raw_spin_lock+0x124/0x2b0
[   55.317428][ T5072]  ? rwlock_bug.part.0+0x90/0x90
[   55.322361][ T5072]  ? _raw_spin_unlock_irq+0x23/0x50
[   55.327556][ T5072]  task_work_run+0x16f/0x270
[   55.332141][ T5072]  ? task_work_cancel+0x30/0x30
[   55.336985][ T5072]  ? do_raw_spin_unlock+0x175/0x230
[   55.342187][ T5072]  do_exit+0xb17/0x2a90
[   55.346343][ T5072]  ? lock_downgrade+0x6e0/0x6e0
[   55.351210][ T5072]  ? do_raw_spin_lock+0x124/0x2b0
[   55.356223][ T5072]  ? mm_update_next_owner+0x7b0/0x7b0
[   55.361589][ T5072]  ? rwlock_bug.part.0+0x90/0x90
[   55.366517][ T5072]  ? _raw_spin_unlock_irq+0x23/0x50
[   55.371720][ T5072]  do_group_exit+0xd4/0x2a0
[   55.376219][ T5072]  __x64_sys_exit_group+0x3e/0x50
[   55.381246][ T5072]  do_syscall_64+0x39/0xb0
[   55.385654][ T5072]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   55.391556][ T5072] RIP: 0033:0x7f731fab0bd9
[   55.395955][ T5072] Code: Unable to access opcode bytes at 0x7f731fab0baf.
[   55.402956][ T5072] RSP: 002b:00007fff8b9ad9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   55.411359][ T5072] RAX: ffffffffffffffda RBX: 00007f731fb25350 RCX: 00007f731fab0bd9
[   55.419319][ T5072] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[   55.427586][ T5072] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[   55.435541][ T5072] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f731fb25350
[   55.443525][ T5072] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[   55.451488][ T5072]  </TASK>
[   55.454493][ T5072] 
[   55.456801][ T5072] Allocated by task 5072:
[   55.461135][ T5072]  kasan_save_stack+0x22/0x40
[   55.465805][ T5072]  kasan_set_track+0x25/0x30
[   55.470394][ T5072]  __kasan_slab_alloc+0x7f/0x90
[   55.475238][ T5072]  kmem_cache_alloc_bulk+0x3aa/0x730
[   55.480519][ T5072]  __io_alloc_req_refill+0xcc/0x40b
[   55.486488][ T5072]  io_submit_sqes.cold+0x7c/0xc2
[   55.491420][ T5072]  __do_sys_io_uring_enter+0x9e4/0x2c10
[   55.496964][ T5072]  do_syscall_64+0x39/0xb0
[   55.501389][ T5072]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   55.507296][ T5072] 
[   55.509626][ T5072] Freed by task 9:
[   55.513327][ T5072]  kasan_save_stack+0x22/0x40
[   55.517993][ T5072]  kasan_set_track+0x25/0x30
[   55.522569][ T5072]  kasan_save_free_info+0x2e/0x40
[   55.527585][ T5072]  ____kasan_slab_free+0x160/0x1c0
[   55.532685][ T5072]  slab_free_freelist_hook+0x8b/0x1c0
[   55.538072][ T5072]  kmem_cache_free+0xec/0x4e0
[   55.542735][ T5072]  io_req_caches_free+0x1a9/0x1e6
[   55.547746][ T5072]  io_ring_exit_work+0x2e7/0xc80
[   55.552672][ T5072]  process_one_work+0x9bf/0x1750
[   55.557600][ T5072]  worker_thread+0x669/0x1090
[   55.562266][ T5072]  kthread+0x2e8/0x3a0
[   55.566327][ T5072]  ret_from_fork+0x1f/0x30
[   55.570735][ T5072] 
[   55.573065][ T5072] The buggy address belongs to the object at ffff888017b8f8c0
[   55.573065][ T5072]  which belongs to the cache io_kiocb of size 216
[   55.586865][ T5072] The buggy address is located 136 bytes inside of
[   55.586865][ T5072]  216-byte region [ffff888017b8f8c0, ffff888017b8f998)
[   55.600139][ T5072] 
[   55.602454][ T5072] The buggy address belongs to the physical page:
[   55.608849][ T5072] page:ffffea00005ee3c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x17b8f
[   55.618987][ T5072] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[   55.626563][ T5072] raw: 00fff00000000200 ffff88814632aa00 dead000000000122 0000000000000000
[   55.635147][ T5072] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[   55.643727][ T5072] page dumped because: kasan: bad access detected
[   55.650130][ T5072] page_owner tracks the page as allocated
[   55.655832][ T5072] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 5072, tgid 5072 (syz-executor316), ts 55059318572, free_ts 51591614905
[   55.674401][ T5072]  get_page_from_freelist+0x11bb/0x2d50
[   55.680263][ T5072]  __alloc_pages+0x1cb/0x5c0
[   55.684845][ T5072]  alloc_pages+0x1aa/0x270
[   55.689247][ T5072]  allocate_slab+0x25f/0x350
[   55.693821][ T5072]  ___slab_alloc+0xa91/0x1400
[   55.698527][ T5072]  kmem_cache_alloc_bulk+0x23d/0x730
[   55.703800][ T5072]  __io_alloc_req_refill+0xcc/0x40b
[   55.708990][ T5072]  io_submit_sqes.cold+0x7c/0xc2
[   55.713915][ T5072]  __do_sys_io_uring_enter+0x9e4/0x2c10
[   55.719474][ T5072]  do_syscall_64+0x39/0xb0
[   55.723878][ T5072]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   55.729768][ T5072] page last free stack trace:
[   55.734423][ T5072]  free_pcp_prepare+0x4d0/0x910
[   55.739263][ T5072]  free_unref_page_list+0x176/0xcd0
[   55.744450][ T5072]  release_pages+0xcb1/0x1330
[   55.749118][ T5072]  tlb_batch_pages_flush+0xa8/0x1a0
[   55.754304][ T5072]  tlb_finish_mmu+0x14b/0x7e0
[   55.758970][ T5072]  exit_mmap+0x202/0x7c0
[   55.763202][ T5072]  __mmput+0x128/0x4c0
[   55.767257][ T5072]  mmput+0x60/0x70
[   55.770964][ T5072]  do_exit+0x9ac/0x2a90
[   55.775110][ T5072]  do_group_exit+0xd4/0x2a0
[   55.779606][ T5072]  __x64_sys_exit_group+0x3e/0x50
[   55.784626][ T5072]  do_syscall_64+0x39/0xb0
[   55.789049][ T5072]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   55.794954][ T5072] 
[   55.797267][ T5072] Memory state around the buggy address:
[   55.802886][ T5072]  ffff888017b8f800: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
[   55.811029][ T5072]  ffff888017b8f880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   55.819259][ T5072] >ffff888017b8f900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   55.827405][ T5072]                                               ^
[   55.833808][ T5072]  ffff888017b8f980: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
[   55.841865][ T5072]  ffff888017b8fa00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   55.849930][ T5072] ==================================================================
[   55.858836][ T5072] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   55.866050][ T5072] CPU: 1 PID: 5072 Comm: syz-executor316 Not tainted 6.2.0-rc3-next-20230112-syzkaller #0
[   55.875956][ T5072] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[   55.886025][ T5072] Call Trace:
[   55.889326][ T5072]  <TASK>
[   55.892280][ T5072]  dump_stack_lvl+0xd1/0x138
[   55.896884][ T5072]  panic+0x2cc/0x626
[   55.900800][ T5072]  ? panic_print_sys_info.part.0+0x112/0x112
[   55.906806][ T5072]  ? preempt_schedule_thunk+0x1a/0x20
[   55.912203][ T5072]  ? preempt_schedule_common+0x59/0xc0
[   55.917682][ T5072]  check_panic_on_warn.cold+0x19/0x35
[   55.923076][ T5072]  end_report.part.0+0x36/0x73
[   55.927871][ T5072]  ? io_fallback_tw+0x6d/0x119
[   55.932655][ T5072]  kasan_report.cold+0xa/0xf
[   55.937263][ T5072]  ? io_fallback_tw+0x6d/0x119
[   55.942047][ T5072]  io_fallback_tw+0x6d/0x119
[   55.946647][ T5072]  tctx_task_work.cold+0xf/0x2c
[   55.951519][ T5072]  ? handle_tw_list+0x460/0x460
[   55.956473][ T5072]  ? lock_downgrade+0x6e0/0x6e0
[   55.961333][ T5072]  ? do_raw_spin_lock+0x124/0x2b0
[   55.966468][ T5072]  ? rwlock_bug.part.0+0x90/0x90
[   55.971414][ T5072]  ? _raw_spin_unlock_irq+0x23/0x50
[   55.976633][ T5072]  task_work_run+0x16f/0x270
[   55.981329][ T5072]  ? task_work_cancel+0x30/0x30
[   55.986203][ T5072]  ? do_raw_spin_unlock+0x175/0x230
[   55.991414][ T5072]  do_exit+0xb17/0x2a90
[   55.995594][ T5072]  ? lock_downgrade+0x6e0/0x6e0
[   56.000456][ T5072]  ? do_raw_spin_lock+0x124/0x2b0
[   56.005491][ T5072]  ? mm_update_next_owner+0x7b0/0x7b0
[   56.010881][ T5072]  ? rwlock_bug.part.0+0x90/0x90
[   56.015831][ T5072]  ? _raw_spin_unlock_irq+0x23/0x50
[   56.021058][ T5072]  do_group_exit+0xd4/0x2a0
[   56.025582][ T5072]  __x64_sys_exit_group+0x3e/0x50
[   56.030612][ T5072]  do_syscall_64+0x39/0xb0
[   56.035042][ T5072]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   56.040955][ T5072] RIP: 0033:0x7f731fab0bd9
[   56.045379][ T5072] Code: Unable to access opcode bytes at 0x7f731fab0baf.
[   56.052398][ T5072] RSP: 002b:00007fff8b9ad9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   56.060818][ T5072] RAX: ffffffffffffffda RBX: 00007f731fb25350 RCX: 00007f731fab0bd9
[   56.068793][ T5072] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[   56.076770][ T5072] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[   56.084757][ T5072] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f731fb25350
[   56.093346][ T5072] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[   56.101416][ T5072]  </TASK>
[   56.104701][ T5072] Kernel Offset: disabled
[   56.109208][ T5072] Rebooting in 86400 seconds..