Warning: Permanently added '10.128.0.50' (ED25519) to the list of known hosts.
executing program
[ 30.947924][ T6164] ==================================================================
[ 30.949906][ T6164] BUG: KASAN: slab-use-after-free in __arm64_sys_io_cancel+0x370/0x374
[ 30.951979][ T6164] Read of size 4 at addr ffff0000c80c0020 by task syz-executor399/6164
[ 30.954016][ T6164]
[ 30.954616][ T6164] CPU: 0 PID: 6164 Comm: syz-executor399 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0
[ 30.957144][ T6164] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
[ 30.959682][ T6164] Call trace:
[ 30.960577][ T6164]  dump_backtrace+0x1b8/0x1e4
[ 30.961774][ T6164]  show_stack+0x2c/0x3c
[ 30.962888][ T6164]  dump_stack_lvl+0xd0/0x124
[ 30.964137][ T6164]  print_report+0x178/0x518
[ 30.965237][ T6164]  kasan_report+0xd8/0x138
[ 30.966351][ T6164]  __asan_report_load4_noabort+0x20/0x2c
[ 30.967772][ T6164]  __arm64_sys_io_cancel+0x370/0x374
[ 30.969104][ T6164]  invoke_syscall+0x98/0x2b8
[ 30.970270][ T6164]  el0_svc_common+0x130/0x23c
[ 30.971449][ T6164]  do_el0_svc+0x48/0x58
[ 30.972493][ T6164]  el0_svc+0x54/0x168
[ 30.973554][ T6164]  el0t_64_sync_handler+0x84/0xfc
[ 30.974817][ T6164]  el0t_64_sync+0x190/0x194
[ 30.976008][ T6164]
[ 30.976608][ T6164] Allocated by task 6164:
[ 30.977733][ T6164]  kasan_save_track+0x40/0x78
[ 30.978940][ T6164]  kasan_save_alloc_info+0x40/0x50
[ 30.980316][ T6164]  __kasan_slab_alloc+0x74/0x8c
[ 30.981608][ T6164]  kmem_cache_alloc+0x1dc/0x488
[ 30.982883][ T6164]  io_submit_one+0x204/0x14f8
[ 30.984028][ T6164]  __arm64_sys_io_submit+0x248/0x3c8
[ 30.985410][ T6164]  invoke_syscall+0x98/0x2b8
[ 30.986601][ T6164]  el0_svc_common+0x130/0x23c
[ 30.987761][ T6164]  do_el0_svc+0x48/0x58
[ 30.988821][ T6164]  el0_svc+0x54/0x168
[ 30.989828][ T6164]  el0t_64_sync_handler+0x84/0xfc
[ 30.991120][ T6164]  el0t_64_sync+0x190/0x194
[ 30.992316][ T6164]
[ 30.992938][ T6164] Freed by task 1390:
[ 30.993965][ T6164]  kasan_save_track+0x40/0x78
[ 30.995146][ T6164]  kasan_save_free_info+0x54/0x6c
[ 30.996413][ T6164]  poison_slab_object+0x124/0x18c
[ 30.997701][ T6164]  __kasan_slab_free+0x3c/0x70
[ 30.998994][ T6164]  kmem_cache_free+0x15c/0x3d4
[ 31.000275][ T6164]  iocb_put+0x680/0x8c4
[ 31.001340][ T6164]  aio_poll_complete_work+0x3a4/0x570
[ 31.002733][ T6164]  process_one_work+0x694/0x1204
[ 31.004012][ T6164]  worker_thread+0x938/0xef4
[ 31.005236][ T6164]  kthread+0x288/0x310
[ 31.006294][ T6164]  ret_from_fork+0x10/0x20
[ 31.007453][ T6164]
[ 31.008043][ T6164] Last potentially related work creation:
[ 31.009611][ T6164]  kasan_save_stack+0x40/0x6c
[ 31.010817][ T6164]  __kasan_record_aux_stack+0xcc/0xe8
[ 31.012210][ T6164]  kasan_record_aux_stack_noalloc+0x14/0x20
[ 31.013695][ T6164]  insert_work+0x54/0x2d4
[ 31.014801][ T6164]  __queue_work+0xcb0/0x12bc
[ 31.015961][ T6164]  queue_work_on+0x9c/0x128
[ 31.017182][ T6164]  aio_poll_cancel+0xc4/0x13c
[ 31.018392][ T6164]  __arm64_sys_io_cancel+0x1cc/0x374
[ 31.019781][ T6164]  invoke_syscall+0x98/0x2b8
[ 31.020926][ T6164]  el0_svc_common+0x130/0x23c
[ 31.022118][ T6164]  do_el0_svc+0x48/0x58
[ 31.023236][ T6164]  el0_svc+0x54/0x168
[ 31.024299][ T6164]  el0t_64_sync_handler+0x84/0xfc
[ 31.025682][ T6164]  el0t_64_sync+0x190/0x194
[ 31.026839][ T6164]
[ 31.027429][ T6164] The buggy address belongs to the object at ffff0000c80c0000
[ 31.027429][ T6164]  which belongs to the cache aio_kiocb of size 216
[ 31.031039][ T6164] The buggy address is located 32 bytes inside of
[ 31.031039][ T6164]  freed 216-byte region [ffff0000c80c0000, ffff0000c80c00d8)
[ 31.034683][ T6164]
[ 31.035284][ T6164] The buggy address belongs to the physical page:
[ 31.036955][ T6164] page:00000000b86f3956 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1080c0
[ 31.039613][ T6164] flags: 0x5ffc00000000800(slab|node=0|zone=2|lastcpupid=0x7ff)
[ 31.041597][ T6164] page_type: 0xffffffff()
[ 31.042724][ T6164] raw: 05ffc00000000800 ffff0000c3b13640 dead000000000122 0000000000000000
[ 31.045022][ T6164] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 31.047242][ T6164] page dumped because: kasan: bad access detected
[ 31.048890][ T6164]
[ 31.049482][ T6164] Memory state around the buggy address:
[ 31.050943][ T6164]  ffff0000c80bff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.053018][ T6164]  ffff0000c80bff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.055051][ T6164] >ffff0000c80c0000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.057224][ T6164]                                ^
[ 31.058588][ T6164]  ffff0000c80c0080: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
[ 31.060680][ T6164]  ffff0000c80c0100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.062749][ T6164] ==================================================================
[ 31.065625][ T6164] Disabling lock debugging due to kernel taint
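As an added example (not part of the syzkaller report above, and not kernel code), the following Python parser pulls the triage-relevant pieces out of a KASAN report of this shape: the bug kind and faulting function, the access (read/write, size, address, task), the allocation, free and work-creation stacks with their owning tasks, the slab cache, and the offset of the access into the freed object. The embedded REPORT string is a constructed excerpt of the report above with most of the backtrace plumbing frames dropped to keep it short; NOISE_PREFIXES is a heuristic list of my own for skipping KASAN, allocator and workqueue frames when naming the code that owns each stack.

```python
"""Parse a KASAN slab-use-after-free report into its triage-relevant parts."""
import re

# Constructed excerpt of the report above (log prefixes kept as printed on the page);
# frames that are pure KASAN/backtrace plumbing were dropped to keep the sample short.
REPORT = """\
[ 30.949906][ T6164] BUG: KASAN: slab-use-after-free in __arm64_sys_io_cancel+0x370/0x374
[ 30.951979][ T6164] Read of size 4 at addr ffff0000c80c0020 by task syz-executor399/6164
[ 30.954016][ T6164]
[ 30.959682][ T6164] Call trace:
[ 30.960577][ T6164]  dump_backtrace+0x1b8/0x1e4
[ 30.965237][ T6164]  kasan_report+0xd8/0x138
[ 30.967772][ T6164]  __arm64_sys_io_cancel+0x370/0x374
[ 30.969104][ T6164]  invoke_syscall+0x98/0x2b8
[ 30.976008][ T6164]
[ 30.976608][ T6164] Allocated by task 6164:
[ 30.977733][ T6164]  kasan_save_track+0x40/0x78
[ 30.981608][ T6164]  __kasan_slab_alloc+0x74/0x8c
[ 30.982883][ T6164]  io_submit_one+0x204/0x14f8
[ 30.984028][ T6164]  __arm64_sys_io_submit+0x248/0x3c8
[ 30.992316][ T6164]
[ 30.992938][ T6164] Freed by task 1390:
[ 30.993965][ T6164]  kasan_save_track+0x40/0x78
[ 30.998994][ T6164]  kmem_cache_free+0x15c/0x3d4
[ 31.000275][ T6164]  iocb_put+0x680/0x8c4
[ 31.001340][ T6164]  aio_poll_complete_work+0x3a4/0x570
[ 31.007453][ T6164]
[ 31.008043][ T6164] Last potentially related work creation:
[ 31.015961][ T6164]  queue_work_on+0x9c/0x128
[ 31.017182][ T6164]  aio_poll_cancel+0xc4/0x13c
[ 31.018392][ T6164]  __arm64_sys_io_cancel+0x1cc/0x374
[ 31.026839][ T6164]
[ 31.027429][ T6164] The buggy address belongs to the object at ffff0000c80c0000
[ 31.027429][ T6164]  which belongs to the cache aio_kiocb of size 216
"""

PREFIX_RE = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")          # "[ 30.949906][ T6164] "
BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS_RE = re.compile(
    r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) "
    r"by task (?P<task>\S+)/(?P<pid>\d+)")
OBJECT_RE = re.compile(r"belongs to the object at (?P<obj>[0-9a-f]+)")
CACHE_RE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
FRAME_RE = re.compile(r"^\s*(?P<frame>[\w.]+\+0x[0-9a-f]+/0x[0-9a-f]+)$")
# Section header -> key under which the frames that follow it are collected.
STACK_HEADERS = {
    "Call trace:": "access",
    "Allocated by task": "alloc",
    "Freed by task": "free",
    "Last potentially related work creation:": "work",
}
# Heuristic (my own list): frames to skip when naming the code that owns a stack.
NOISE_PREFIXES = ("kasan_", "__kasan_", "__asan_", "dump_", "show_stack", "print_report",
                  "poison_slab_object", "kmem_cache_", "queue_work", "__queue_work", "insert_work")


def parse_kasan_report(text):
    rep = {"stacks": {}, "task_by_stack": {}}
    current = None                      # stack section currently being read, if any
    for raw in text.splitlines():
        line = PREFIX_RE.sub("", raw).rstrip()
        if not line:                    # an empty log line ends the current stack section
            current = None
            continue
        if (m := BUG_RE.search(line)):
            rep["kind"], rep["func"] = m["kind"], m["func"]
        elif (m := ACCESS_RE.search(line)):
            rep["access"] = (m["op"], int(m["size"]))
            rep["addr"] = int(m["addr"], 16)
            rep["task"] = (m["task"], int(m["pid"]))
        elif (m := OBJECT_RE.search(line)):
            rep["object"] = int(m["obj"], 16)
        elif (m := CACHE_RE.search(line)):
            rep["cache"] = (m["cache"], int(m["size"]))
        elif (hdr := next((h for h in STACK_HEADERS if line.startswith(h)), None)):
            current = STACK_HEADERS[hdr]
            rep["stacks"][current] = []
            if (t := re.search(r"task (\d+):", line)):   # "Allocated by task N:" / "Freed by task N:"
                rep["task_by_stack"][current] = int(t[1])
        elif current is not None and (m := FRAME_RE.match(line)):
            rep["stacks"][current].append(m["frame"])
    if "addr" in rep and "object" in rep:
        rep["offset"] = rep["addr"] - rep["object"]     # bytes into the (freed) object
    return rep


def first_owner_frame(stack):
    """Name of the first frame that is not allocator/KASAN/workqueue plumbing."""
    for frame in stack:
        name = frame.split("+")[0]
        if not name.startswith(NOISE_PREFIXES):
            return name
    return None


def summarize(rep):
    s, t = rep["stacks"], rep["task_by_stack"]
    return (f"{rep['kind']} in {rep['func']}: {rep['access'][0].lower()} of {rep['access'][1]} bytes "
            f"at offset {rep['offset']} into a freed {rep['cache'][0]} object ({rep['cache'][1]} bytes); "
            f"allocated by {first_owner_frame(s.get('alloc', []))} (task {t.get('alloc')}), "
            f"freed by {first_owner_frame(s.get('free', []))} (task {t.get('free')}), "
            f"free-side work queued by {first_owner_frame(s.get('work', []))}")


if __name__ == "__main__":
    print(summarize(parse_kasan_report(REPORT)))
```

Run against the report above, the summary reads off what a triager needs: a 4-byte read at offset 32 into a freed 216-byte aio_kiocb, allocated in io_submit_one by the syscall task (6164), freed from iocb_put on a kworker (task 1390) running aio_poll_complete_work, and that work item was queued by aio_poll_cancel from the very io_cancel() call that later touched the object. The "Last potentially related work creation" section is the key one here: it ties the free on another thread back to the cancel path, which is the usual shape of a cancel-versus-completion race rather than a simple double put.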