forked to background, child pid 3178
no interfaces have a carrier
[ 31.797639][ T3179] 8021q: adding VLAN 0 to HW filter on device bond0
[ 31.807287][ T3179] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK
syzkaller
Warning: Permanently added '10.128.0.60' (ECDSA) to the list of known hosts.
syzkaller login: [ 48.851600][ T3601] cgroup: Unknown subsys name 'net'
[ 48.986600][ T3601] cgroup: Unknown subsys name 'rlimit'
executing program
executing program
executing program
[ 49.300526][ T3616] cgroup: fork rejected by pids controller in
[ 49.300553][ T3619] cgroup: fork rejected by pids controller in
[ 49.300698][ T3616] /syz5
[ 49.313665][ T3619] /syz3
[ 49.313728][ T3616]
[ 49.316439][ T3619]
[ 49.401664][ T3617] cgroup: fork rejected by pids controller in /syz4
executing program
executing program
executing program
executing program
executing program
executing program
[ 49.573887][ T4281] cgroup: fork rejected by pids controller in /syz2
executing program
executing program
[ 49.622839][ T25] ==================================================================
[ 49.631136][ T25] BUG: KASAN: use-after-free in io_queue_worker_create+0x453/0x4e0
[ 49.639073][ T25] Write of size 8 at addr ffff88806e6920d8 by task kworker/1:1/25
[ 49.646887][ T25]
[ 49.649217][ T25] CPU: 1 PID: 25 Comm: kworker/1:1 Not tainted 5.16.0-rc4-syzkaller #0
[ 49.657544][ T25] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 49.667601][ T25] Workqueue: events io_workqueue_create
[ 49.673328][ T25] Call Trace:
[ 49.676995][ T25]
[ 49.680011][ T25]  dump_stack_lvl+0xcd/0x134
[ 49.684621][ T25]  print_address_description.constprop.0.cold+0x8d/0x320
[ 49.691857][ T25]  ? io_queue_worker_create+0x453/0x4e0
[ 49.697684][ T25]  ? io_queue_worker_create+0x453/0x4e0
[ 49.703404][ T25]  kasan_report.cold+0x83/0xdf
[ 49.708195][ T25]  ? io_queue_worker_create+0x453/0x4e0
[ 49.713909][ T25]  kasan_check_range+0x13d/0x180
[ 49.719037][ T25]  io_queue_worker_create+0x453/0x4e0
[ 49.724685][ T25]  ? io_workqueue_create+0xe0/0xe0
[ 49.729818][ T25]  ? io_worker_cancel_cb+0x210/0x210
[ 49.735202][ T25]  ? do_raw_spin_lock+0x120/0x2b0
[ 49.740267][ T25]  io_workqueue_create+0x9e/0xe0
[ 49.745227][ T25]  process_one_work+0x9b2/0x1690
[ 49.750198][ T25]  ? pwq_dec_nr_in_flight+0x2a0/0x2a0
[ 49.755765][ T25]  ? rwlock_bug.part.0+0x90/0x90
[ 49.760805][ T25]  ? _raw_spin_lock_irq+0x41/0x50
[ 49.765853][ T25]  worker_thread+0x658/0x11f0
[ 49.770558][ T25]  ? process_one_work+0x1690/0x1690
[ 49.775863][ T25]  kthread+0x405/0x4f0
[ 49.779951][ T25]  ? set_kthread_struct+0x130/0x130
[ 49.785172][ T25]  ret_from_fork+0x1f/0x30
[ 49.789622][ T25]
[ 49.792647][ T25]
[ 49.794977][ T25] Allocated by task 4385:
[ 49.799312][ T25]  kasan_save_stack+0x1e/0x50
[ 49.804005][ T25]  __kasan_kmalloc+0xa9/0xd0
[ 49.808608][ T25]  create_io_worker+0x108/0x630
[ 49.813471][ T25]  create_worker_cb+0x202/0x270
[ 49.818335][ T25]  task_work_run+0xdd/0x1a0
executing program
[ 49.822843][ T25]  exit_to_user_mode_prepare+0x256/0x290
[ 49.828568][ T25]  syscall_exit_to_user_mode+0x19/0x60
[ 49.834039][ T25]  do_syscall_64+0x42/0xb0
[ 49.838549][ T25]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 49.844458][ T25]
[ 49.846783][ T25] Freed by task 4385:
[ 49.850756][ T25]  kasan_save_stack+0x1e/0x50
[ 49.855448][ T25]  kasan_set_track+0x21/0x30
[ 49.860046][ T25]  kasan_set_free_info+0x20/0x30
[ 49.865047][ T25]  __kasan_slab_free+0xff/0x130
[ 49.869995][ T25]  slab_free_freelist_hook+0x8b/0x1c0
[ 49.875379][ T25]  kfree+0xf6/0x560
[ 49.879201][ T25]  create_worker_cont+0x3fb/0x550
[ 49.884245][ T25]  task_work_run+0xdd/0x1a0
[ 49.889031][ T25]  exit_to_user_mode_prepare+0x256/0x290
[ 49.894936][ T25]  syscall_exit_to_user_mode+0x19/0x60
[ 49.900398][ T25]  do_syscall_64+0x42/0xb0
[ 49.904821][ T25]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 49.910719][ T25]
[ 49.913148][ T25] Last potentially related work creation:
[ 49.918861][ T25]  kasan_save_stack+0x1e/0x50
[ 49.923551][ T25]  __kasan_record_aux_stack+0xf5/0x120
[ 49.929016][ T25]  task_work_add+0x3a/0x190
[ 49.933524][ T25]  io_queue_worker_create+0x3ee/0x4e0
[ 49.938996][ T25]  io_workqueue_create+0x9e/0xe0
[ 49.943944][ T25]  process_one_work+0x9b2/0x1690
[ 49.949323][ T25]  worker_thread+0x658/0x11f0
[ 49.954086][ T25]  kthread+0x405/0x4f0
[ 49.958687][ T25]  ret_from_fork+0x1f/0x30
[ 49.963119][ T25]
[ 49.965443][ T25] Second to last potentially related work creation:
executing program
[ 49.972113][ T25]  kasan_save_stack+0x1e/0x50
[ 49.976898][ T25]  __kasan_record_aux_stack+0xf5/0x120
[ 49.982647][ T25]  insert_work+0x48/0x370
[ 49.987257][ T25]  __queue_work+0x5ca/0xee0
[ 49.991768][ T25]  queue_work_on+0xee/0x110
[ 49.996453][ T25]  create_worker_cont+0x44b/0x550
[ 50.001582][ T25]  task_work_run+0xdd/0x1a0
[ 50.006103][ T25]  exit_to_user_mode_prepare+0x256/0x290
[ 50.011757][ T25]  syscall_exit_to_user_mode+0x19/0x60
[ 50.017755][ T25]  do_syscall_64+0x42/0xb0
[ 50.022281][ T25]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 50.028194][ T25]
[ 50.030609][ T25] The buggy address belongs to the object at ffff88806e692000
[ 50.030609][ T25]  which belongs to the cache kmalloc-512 of size 512
[ 50.044934][ T25] The buggy address is located 216 bytes inside of
[ 50.044934][ T25]  512-byte region [ffff88806e692000, ffff88806e692200)
[ 50.058398][ T25] The buggy address belongs to the page:
[ 50.064123][ T25] page:ffffea0001b9a400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6e690
[ 50.074392][ T25] head:ffffea0001b9a400 order:2 compound_mapcount:0 compound_pincount:0
[ 50.082818][ T25] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 50.090907][ T25] raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888010c41c80
[ 50.099533][ T25] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 50.108207][ T25] page dumped because: kasan: bad access detected
[ 50.114636][ T25] page_owner tracks the page as allocated
[ 50.121056][ T25] page last allocated via order 2, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 4385, ts 49566988561, free_ts 10514971018
[ 50.141649][ T25]  get_page_from_freelist+0xa72/0x2f50
[ 50.147122][ T25]  __alloc_pages+0x1b2/0x500
[ 50.151906][ T25]  new_slab+0xab/0x4a0
[ 50.156083][ T25]  ___slab_alloc+0x918/0xfe0
[ 50.160691][ T25]  __slab_alloc.constprop.0+0x4d/0xa0
[ 50.166424][ T25]  kmem_cache_alloc_node_trace+0x116/0x310
executing program
[ 50.172247][ T25]  create_io_worker+0x108/0x630
[ 50.177125][ T25]  create_worker_cb+0x202/0x270
[ 50.181994][ T25]  task_work_run+0xdd/0x1a0
[ 50.186517][ T25]  exit_to_user_mode_prepare+0x256/0x290
[ 50.192169][ T25]  syscall_exit_to_user_mode+0x19/0x60
[ 50.197637][ T25]  do_syscall_64+0x42/0xb0
[ 50.202064][ T25]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 50.208058][ T25] page last free stack trace:
[ 50.212727][ T25]  free_pcp_prepare+0x374/0x870
[ 50.217587][ T25]  free_unref_page+0x19/0x690
[ 50.222355][ T25]  free_contig_range+0xa8/0xf0
[ 50.227127][ T25]  destroy_args+0xa8/0x646
[ 50.231550][ T25]  debug_vm_pgtable+0x2984/0x2a16
[ 50.236585][ T25]  do_one_initcall+0x103/0x650
[ 50.241441][ T25]  kernel_init_freeable+0x6b1/0x73a
[ 50.246642][ T25]  kernel_init+0x1a/0x1d0
[ 50.250979][ T25]  ret_from_fork+0x1f/0x30
[ 50.255408][ T25]
[ 50.257728][ T25] Memory state around the buggy address:
[ 50.263360][ T25]  ffff88806e691f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
executing program
[ 50.271432][ T25]  ffff88806e692000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.279505][ T25] >ffff88806e692080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.287577][ T25]                                                     ^
[ 50.294515][ T25]  ffff88806e692100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.302682][ T25]  ffff88806e692180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.310755][ T25] ==================================================================
[ 50.318899][ T25] Disabling lock debugging due to kernel taint
executing program
executing program
executing program
[ 50.394920][ T25] Kernel panic - not syncing: panic_on_warn set ...
[ 50.401730][ T25] CPU: 1 PID: 25 Comm: kworker/1:1 Tainted: G B 5.16.0-rc4-syzkaller #0
[ 50.411369][ T25] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 50.421698][ T25] Workqueue: events io_workqueue_create
[ 50.427267][ T25] Call Trace:
[ 50.430545][ T25]
[ 50.433478][ T25]  dump_stack_lvl+0xcd/0x134
[ 50.438246][ T25]  panic+0x2b0/0x6dd
[ 50.442139][ T25]  ? __warn_printk+0xf3/0xf3
[ 50.446737][ T25]  ? preempt_schedule_common+0x59/0xc0
[ 50.452519][ T25]  ? io_queue_worker_create+0x453/0x4e0
[ 50.458169][ T25]  ? preempt_schedule_thunk+0x16/0x18
[ 50.463599][ T25]  ? trace_hardirqs_on+0x38/0x1c0
[ 50.468643][ T25]  ? trace_hardirqs_on+0x51/0x1c0
[ 50.473688][ T25]  ? io_queue_worker_create+0x453/0x4e0
[ 50.479249][ T25]  ? io_queue_worker_create+0x453/0x4e0
[ 50.484979][ T25]  end_report.cold+0x63/0x6f
[ 50.489671][ T25]  kasan_report.cold+0x71/0xdf
executing program
[ 50.494626][ T25]  ? io_queue_worker_create+0x453/0x4e0
[ 50.500196][ T25]  kasan_check_range+0x13d/0x180
[ 50.505240][ T25]  io_queue_worker_create+0x453/0x4e0
[ 50.510626][ T25]  ? io_workqueue_create+0xe0/0xe0
[ 50.515798][ T25]  ? io_worker_cancel_cb+0x210/0x210
[ 50.521181][ T25]  ? do_raw_spin_lock+0x120/0x2b0
[ 50.526232][ T25]  io_workqueue_create+0x9e/0xe0
[ 50.531185][ T25]  process_one_work+0x9b2/0x1690
[ 50.536144][ T25]  ? pwq_dec_nr_in_flight+0x2a0/0x2a0
[ 50.542578][ T25]  ? rwlock_bug.part.0+0x90/0x90
[ 50.548316][ T25]  ? _raw_spin_lock_irq+0x41/0x50
[ 50.553359][ T25]  worker_thread+0x658/0x11f0
[ 50.558054][ T25]  ? process_one_work+0x1690/0x1690
[ 50.563352][ T25]  kthread+0x405/0x4f0
[ 50.567438][ T25]  ? set_kthread_struct+0x130/0x130
[ 50.573001][ T25]  ret_from_fork+0x1f/0x30
[ 50.576077][ T7216] cgroup: fork rejected by pids controller in
[ 50.577940][ T25]
[ 50.578858][ T25] Kernel Offset: disabled
[ 50.594568][ T25] Rebooting in 86400 seconds..