Warning: Permanently added '10.128.10.59' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   58.500954][ T5074] ==================================================================
[   58.509042][ T5074] BUG: KASAN: use-after-free in io_fallback_tw+0x6d/0x119
[   58.516181][ T5074] Read of size 8 at addr ffff888078f2b948 by task syz-executor345/5074
[   58.524408][ T5074] 
[   58.526723][ T5074] CPU: 0 PID: 5074 Comm: syz-executor345 Not tainted 6.2.0-rc3-next-20230112-syzkaller #0
[   58.536611][ T5074] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[   58.546653][ T5074] Call Trace:
[   58.549919][ T5074]  <TASK>
[   58.552839][ T5074]  dump_stack_lvl+0xd1/0x138
[   58.557434][ T5074]  print_report+0x15e/0x45d
[   58.561929][ T5074]  ? __phys_addr+0xc8/0x140
[   58.566425][ T5074]  ? io_fallback_tw+0x6d/0x119
[   58.571178][ T5074]  kasan_report+0xc0/0xf0
[   58.575861][ T5074]  ? io_fallback_tw+0x6d/0x119
[   58.581596][ T5074]  io_fallback_tw+0x6d/0x119
[   58.586180][ T5074]  tctx_task_work.cold+0xf/0x2c
[   58.591025][ T5074]  ? handle_tw_list+0x460/0x460
[   58.595865][ T5074]  ? lock_downgrade+0x6e0/0x6e0
[   58.600706][ T5074]  ? do_raw_spin_lock+0x124/0x2b0
[   58.605745][ T5074]  ? rwlock_bug.part.0+0x90/0x90
[   58.610678][ T5074]  ? _raw_spin_unlock_irq+0x23/0x50
[   58.615901][ T5074]  task_work_run+0x16f/0x270
[   58.620512][ T5074]  ? task_work_cancel+0x30/0x30
[   58.625383][ T5074]  ? do_raw_spin_unlock+0x175/0x230
[   58.630682][ T5074]  do_exit+0xb17/0x2a90
[   58.634859][ T5074]  ? lock_downgrade+0x6e0/0x6e0
[   58.639716][ T5074]  ? do_raw_spin_lock+0x124/0x2b0
[   58.644749][ T5074]  ? mm_update_next_owner+0x7b0/0x7b0
[   58.650141][ T5074]  ? rwlock_bug.part.0+0x90/0x90
[   58.655090][ T5074]  ? _raw_spin_unlock_irq+0x23/0x50
[   58.660314][ T5074]  do_group_exit+0xd4/0x2a0
[   58.664842][ T5074]  __x64_sys_exit_group+0x3e/0x50
[   58.669871][ T5074]  do_syscall_64+0x39/0xb0
[   58.674294][ T5074]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   58.680206][ T5074] RIP: 0033:0x7f7d4192be59
[   58.684622][ T5074] Code: Unable to access opcode bytes at 0x7f7d4192be2f.
[   58.691631][ T5074] RSP: 002b:00007ffcaeb0d518 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   58.700048][ T5074] RAX: ffffffffffffffda RBX: 00007f7d419a0350 RCX: 00007f7d4192be59
[   58.708023][ T5074] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[   58.715997][ T5074] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[   58.723969][ T5074] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f7d419a0350
[   58.731944][ T5074] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[   58.739924][ T5074]  </TASK>
[   58.742940][ T5074] 
[   58.745255][ T5074] Allocated by task 5074:
[   58.749582][ T5074]  kasan_save_stack+0x22/0x40
[   58.754269][ T5074]  kasan_set_track+0x25/0x30
[   58.758870][ T5074]  __kasan_slab_alloc+0x7f/0x90
[   58.763729][ T5074]  kmem_cache_alloc_bulk+0x3aa/0x730
[   58.769019][ T5074]  __io_alloc_req_refill+0xcc/0x40b
[   58.774225][ T5074]  io_submit_sqes.cold+0x7c/0xc2
[   58.779172][ T5074]  __do_sys_io_uring_enter+0x9e4/0x2c10
[   58.784731][ T5074]  do_syscall_64+0x39/0xb0
[   58.789153][ T5074]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   58.795061][ T5074] 
[   58.797376][ T5074] Freed by task 33:
[   58.801173][ T5074]  kasan_save_stack+0x22/0x40
[   58.805856][ T5074]  kasan_set_track+0x25/0x30
[   58.810455][ T5074]  kasan_save_free_info+0x2e/0x40
[   58.815490][ T5074]  ____kasan_slab_free+0x160/0x1c0
[   58.820606][ T5074]  slab_free_freelist_hook+0x8b/0x1c0
[   58.825982][ T5074]  kmem_cache_free+0xec/0x4e0
[   58.830664][ T5074]  io_req_caches_free+0x1a9/0x1e6
[   58.835696][ T5074]  io_ring_exit_work+0x2e7/0xc80
[   58.840642][ T5074]  process_one_work+0x9bf/0x1750
[   58.845587][ T5074]  worker_thread+0x669/0x1090
[   58.850270][ T5074]  kthread+0x2e8/0x3a0
[   58.854346][ T5074]  ret_from_fork+0x1f/0x30
[   58.858795][ T5074] 
[   58.861113][ T5074] The buggy address belongs to the object at ffff888078f2b8c0
[   58.861113][ T5074]  which belongs to the cache io_kiocb of size 216
[   58.874907][ T5074] The buggy address is located 136 bytes inside of
[   58.874907][ T5074]  216-byte region [ffff888078f2b8c0, ffff888078f2b998)
[   58.888182][ T5074] 
[   58.890503][ T5074] The buggy address belongs to the physical page:
[   58.896909][ T5074] page:ffffea0001e3cac0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x78f2b
[   58.907060][ T5074] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[   58.914617][ T5074] raw: 00fff00000000200 ffff88801bf62140 dead000000000122 0000000000000000
[   58.923207][ T5074] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[   58.931784][ T5074] page dumped because: kasan: bad access detected
[   58.938187][ T5074] page_owner tracks the page as allocated
[   58.943893][ T5074] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 5074, tgid 5074 (syz-executor345), ts 58498008938, free_ts 51433960614
[   58.962479][ T5074]  get_page_from_freelist+0x11bb/0x2d50
[   58.968040][ T5074]  __alloc_pages+0x1cb/0x5c0
[   58.972639][ T5074]  alloc_pages+0x1aa/0x270
[   58.977063][ T5074]  allocate_slab+0x25f/0x350
[   58.981654][ T5074]  ___slab_alloc+0xa91/0x1400
[   58.986333][ T5074]  kmem_cache_alloc_bulk+0x23d/0x730
[   58.991625][ T5074]  __io_alloc_req_refill+0xcc/0x40b
[   58.996833][ T5074]  io_submit_sqes.cold+0x7c/0xc2
[   59.001778][ T5074]  __do_sys_io_uring_enter+0x9e4/0x2c10
[   59.007337][ T5074]  do_syscall_64+0x39/0xb0
[   59.011771][ T5074]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   59.017679][ T5074] page last free stack trace:
[   59.022347][ T5074]  free_pcp_prepare+0x4d0/0x910
[   59.027205][ T5074]  free_unref_page+0x1d/0x490
[   59.031892][ T5074]  __folio_put+0xc5/0x140
[   59.036228][ T5074]  anon_pipe_buf_release+0x3fb/0x4c0
[   59.041529][ T5074]  pipe_read+0x614/0x1110
[   59.045865][ T5074]  vfs_read+0x7fa/0x930
[   59.050025][ T5074]  ksys_read+0x1ec/0x250
[   59.054279][ T5074]  do_syscall_64+0x39/0xb0
[   59.058699][ T5074]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   59.064607][ T5074] 
[   59.066925][ T5074] Memory state around the buggy address:
[   59.072550][ T5074]  ffff888078f2b800: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
[   59.080643][ T5074]  ffff888078f2b880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   59.088705][ T5074] >ffff888078f2b900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   59.096760][ T5074]                                               ^
[   59.103169][ T5074]  ffff888078f2b980: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
[   59.111226][ T5074]  ffff888078f2ba00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   59.119287][ T5074] ==================================================================
[   59.128437][ T5074] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   59.135661][ T5074] CPU: 1 PID: 5074 Comm: syz-executor345 Not tainted 6.2.0-rc3-next-20230112-syzkaller #0
[   59.145562][ T5074] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[   59.155602][ T5074] Call Trace:
[   59.158866][ T5074]  <TASK>
[   59.161784][ T5074]  dump_stack_lvl+0xd1/0x138
[   59.166364][ T5074]  panic+0x2cc/0x626
[   59.170256][ T5074]  ? panic_print_sys_info.part.0+0x112/0x112
[   59.176253][ T5074]  ? preempt_schedule_thunk+0x1a/0x20
[   59.181619][ T5074]  ? preempt_schedule_common+0x59/0xc0
[   59.187067][ T5074]  check_panic_on_warn.cold+0x19/0x35
[   59.192435][ T5074]  end_report.part.0+0x36/0x73
[   59.197186][ T5074]  ? io_fallback_tw+0x6d/0x119
[   59.201941][ T5074]  kasan_report.cold+0xa/0xf
[   59.206518][ T5074]  ? io_fallback_tw+0x6d/0x119
[   59.211273][ T5074]  io_fallback_tw+0x6d/0x119
[   59.215850][ T5074]  tctx_task_work.cold+0xf/0x2c
[   59.220693][ T5074]  ? handle_tw_list+0x460/0x460
[   59.225533][ T5074]  ? lock_downgrade+0x6e0/0x6e0
[   59.230370][ T5074]  ? do_raw_spin_lock+0x124/0x2b0
[   59.235382][ T5074]  ? rwlock_bug.part.0+0x90/0x90
[   59.240308][ T5074]  ? _raw_spin_unlock_irq+0x23/0x50
[   59.245523][ T5074]  task_work_run+0x16f/0x270
[   59.250110][ T5074]  ? task_work_cancel+0x30/0x30
[   59.254954][ T5074]  ? do_raw_spin_unlock+0x175/0x230
[   59.260142][ T5074]  do_exit+0xb17/0x2a90
[   59.264292][ T5074]  ? lock_downgrade+0x6e0/0x6e0
[   59.269131][ T5074]  ? do_raw_spin_lock+0x124/0x2b0
[   59.274143][ T5074]  ? mm_update_next_owner+0x7b0/0x7b0
[   59.279596][ T5074]  ? rwlock_bug.part.0+0x90/0x90
[   59.284522][ T5074]  ? _raw_spin_unlock_irq+0x23/0x50
[   59.289717][ T5074]  do_group_exit+0xd4/0x2a0
[   59.294220][ T5074]  __x64_sys_exit_group+0x3e/0x50
[   59.299229][ T5074]  do_syscall_64+0x39/0xb0
[   59.303634][ T5074]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   59.309519][ T5074] RIP: 0033:0x7f7d4192be59
[   59.313921][ T5074] Code: Unable to access opcode bytes at 0x7f7d4192be2f.
[   59.320918][ T5074] RSP: 002b:00007ffcaeb0d518 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   59.329317][ T5074] RAX: ffffffffffffffda RBX: 00007f7d419a0350 RCX: 00007f7d4192be59
[   59.337282][ T5074] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[   59.345242][ T5074] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[   59.353198][ T5074] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f7d419a0350
[   59.361155][ T5074] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[   59.369116][ T5074]  </TASK>
[   59.372290][ T5074] Kernel Offset: disabled
[   59.376610][ T5074] Rebooting in 86400 seconds..