Warning: Permanently added '10.128.1.213' (ECDSA) to the list of known hosts.
executing program
[ 27.313791][ T23] audit: type=1400 audit(1635786024.789:73): avc: denied { execmem } for pid=366 comm="syz-executor934" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 27.317635][ T23] audit: type=1400 audit(1635786024.789:74): avc: denied { mounton } for pid=367 comm="syz-executor934" path="/sys/fs/fuse/connections" dev="fusectl" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fusefs_t tclass=dir permissive=1
[ 27.321472][ T23] audit: type=1400 audit(1635786024.789:75): avc: denied { mount } for pid=367 comm="syz-executor934" name="/" dev="fusectl" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fusefs_t tclass=filesystem permissive=1
[ 27.325075][ T23] audit: type=1400 audit(1635786024.789:76): avc: denied { mounton } for pid=367 comm="syz-executor934" path="/" dev="sda1" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1
[ 27.330388][ T23] audit: type=1400 audit(1635786024.809:77): avc: denied { mounton } for pid=367 comm="syz-executor934" path="/dev/binderfs" dev="devtmpfs" ino=363 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:device_t tclass=dir permissive=1
[ 27.333621][ T23] audit: type=1400 audit(1635786024.809:78): avc: denied { mount } for pid=367 comm="syz-executor934" name="/" dev="binder" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=filesystem permissive=1
executing program
[ 27.663456][ T455] ==================================================================
[ 27.671537][ T455] BUG: KASAN: double-free or invalid-free in kfree+0xd5/0x320
[ 27.678959][ T455]
[ 27.681262][ T455] CPU: 0 PID: 455 Comm: syz-executor934 Not tainted 5.10.76-syzkaller-01178-g4944ec82ebb9 #0
[ 27.691373][ T455] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.701397][ T455] Call Trace:
[ 27.704659][ T455]  dump_stack_lvl+0x1e2/0x24b
[ 27.709304][ T455]  ? show_regs_print_info+0x18/0x18
[ 27.714471][ T455]  ? devkmsg_release+0x127/0x127
[ 27.719376][ T455]  ? kfree+0xd5/0x320
[ 27.723331][ T455]  print_address_description+0x8d/0x3d0
[ 27.728843][ T455]  ? kfree+0xd5/0x320
[ 27.732794][ T455]  ? kfree+0xd5/0x320
[ 27.736743][ T455]  kasan_report_invalid_free+0x58/0x130
[ 27.742255][ T455]  ____kasan_slab_free+0x14b/0x170
[ 27.747333][ T455]  __kasan_slab_free+0x11/0x20
[ 27.752150][ T455]  slab_free_freelist_hook+0xcc/0x1a0
[ 27.757490][ T455]  ? io_commit_cqring+0x76a/0xa00
[ 27.762480][ T455]  kfree+0xd5/0x320
[ 27.766256][ T455]  ? fput_many+0x47/0x1a0
[ 27.770555][ T455]  io_commit_cqring+0x76a/0xa00
[ 27.775374][ T455]  io_do_iopoll+0x1e18/0x23f0
[ 27.780021][ T455]  ? __rcu_read_lock+0x50/0x50
[ 27.784799][ T455]  ? io_iopoll_try_reap_events+0x290/0x290
[ 27.790576][ T455]  ? __kasan_check_write+0x14/0x20
[ 27.795656][ T455]  ? mutex_lock+0xa6/0x110
[ 27.800049][ T455]  ? mutex_trylock+0xb0/0xb0
[ 27.804658][ T455]  ? _raw_spin_lock_irq+0xa4/0x1b0
[ 27.809737][ T455]  io_iopoll_try_reap_events+0x116/0x290
[ 27.815337][ T455]  ? io_poll_remove_all+0x210/0x210
[ 27.820543][ T455]  ? io_poll_remove_all+0x1f1/0x210
[ 27.825708][ T455]  io_ring_ctx_wait_and_kill+0x295/0x670
[ 27.831308][ T455]  ? io_uring_show_fdinfo+0x1210/0x1210
[ 27.836821][ T455]  ? kmem_cache_free+0xb5/0x1f0
[ 27.841661][ T455]  ? ____kasan_slab_free+0x13e/0x170
[ 27.846917][ T455]  io_uring_release+0x5b/0x70
[ 27.851652][ T455]  ? io_uring_flush+0x6d0/0x6d0
[ 27.856654][ T455]  __fput+0x348/0x7d0
[ 27.860784][ T455]  ____fput+0x15/0x20
[ 27.864748][ T455]  task_work_run+0x147/0x1b0
[ 27.869310][ T455]  do_exit+0x70e/0x23a0
[ 27.873437][ T455]  ? vmacache_update+0xb7/0x120
[ 27.878267][ T455]  ? mm_update_next_owner+0x6e0/0x6e0
[ 27.883617][ T455]  ? do_user_addr_fault+0x863/0xd70
[ 27.888784][ T455]  do_group_exit+0x16a/0x2d0
[ 27.893345][ T455]  __do_sys_exit_group+0x17/0x20
[ 27.898251][ T455]  __se_sys_exit_group+0x14/0x20
[ 27.903158][ T455]  __x64_sys_exit_group+0x3b/0x40
[ 27.908162][ T455]  do_syscall_64+0x31/0x70
[ 27.912549][ T455]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 27.918408][ T455] RIP: 0033:0x7f992802de29
[ 27.922790][ T455] Code: Unable to access opcode bytes at RIP 0x7f992802ddff.
[ 27.930126][ T455] RSP: 002b:00007ffc72469aa8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 27.938511][ T455] RAX: ffffffffffffffda RBX: 00007f99280a2350 RCX: 00007f992802de29
[ 27.946452][ T455] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 27.954392][ T455] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 000000000000005e
[ 27.962334][ T455] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f99280a2350
[ 27.970275][ T455] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 27.978215][ T455]
[ 27.980515][ T455] Allocated by task 455:
[ 27.984736][ T455]  ____kasan_kmalloc+0xdc/0x110
[ 27.989564][ T455]  __kasan_kmalloc+0x9/0x10
[ 27.994034][ T455]  kmem_cache_alloc_trace+0x210/0x3a0
[ 27.999374][ T455]  io_req_defer+0x40e/0x11b0
[ 28.003933][ T455]  io_queue_sqe+0x2a/0x1180
[ 28.008405][ T455]  io_submit_sqe+0x385/0xfd0
[ 28.012962][ T455]  io_submit_sqes+0x1050/0x2da0
[ 28.017788][ T455]  __se_sys_io_uring_enter+0x322/0x12b0
[ 28.023310][ T455]  __x64_sys_io_uring_enter+0xe5/0x100
[ 28.028737][ T455]  do_syscall_64+0x31/0x70
[ 28.033122][ T455]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 28.038987][ T455]
[ 28.041284][ T455] Freed by task 456:
[ 28.045146][ T455]  kasan_set_track+0x4c/0x80
[ 28.049715][ T455]  kasan_set_free_info+0x23/0x40
[ 28.054621][ T455]  ____kasan_slab_free+0x133/0x170
[ 28.059703][ T455]  __kasan_slab_free+0x11/0x20
[ 28.064435][ T455]  slab_free_freelist_hook+0xcc/0x1a0
[ 28.069784][ T455]  kfree+0xd5/0x320
[ 28.073559][ T455]  io_commit_cqring+0x76a/0xa00
[ 28.078379][ T455]  __io_req_task_cancel+0x64/0x720
[ 28.083461][ T455]  io_req_task_cancel+0x51/0x130
[ 28.088368][ T455]  task_work_run+0x147/0x1b0
[ 28.092939][ T455]  io_wq_manager+0x1aa/0x8b0
[ 28.097508][ T455]  kthread+0x371/0x390
[ 28.101547][ T455]  ret_from_fork+0x1f/0x30
[ 28.105925][ T455]
[ 28.108238][ T455] The buggy address belongs to the object at ffff88810c636a00
[ 28.108238][ T455]  which belongs to the cache kmalloc-32 of size 32
[ 28.122081][ T455] The buggy address is located 0 bytes inside of
[ 28.122081][ T455]  32-byte region [ffff88810c636a00, ffff88810c636a20)
[ 28.135056][ T455] The buggy address belongs to the page:
[ 28.140658][ T455] page:ffffea0004318d80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10c636
[ 28.150856][ T455] flags: 0x8000000000000200(slab)
[ 28.155852][ T455] raw: 8000000000000200 dead000000000100 dead000000000122 ffff888100043980
[ 28.164431][ T455] raw: 0000000000000000 0000000000400040 00000001ffffffff 0000000000000000
[ 28.173002][ T455] page dumped because: kasan: bad access detected
[ 28.179391][ T455] page_owner tracks the page as allocated
[ 28.185085][ T455] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 455, ts 27656068447, free_ts 27650333165
[ 28.201020][ T455]  get_page_from_freelist+0xa74/0xa90
[ 28.206370][ T455]  __alloc_pages_nodemask+0x3c8/0x820
[ 28.211712][ T455]  allocate_slab+0x6b/0x350
[ 28.216186][ T455]  ___slab_alloc+0x143/0x2f0
[ 28.220743][ T455]  kmem_cache_alloc_trace+0x278/0x3a0
[ 28.226088][ T455]  io_req_defer+0x40e/0x11b0
[ 28.230660][ T455]  io_queue_sqe+0x2a/0x1180
[ 28.235145][ T455]  io_submit_sqe+0x385/0xfd0
[ 28.239705][ T455]  io_submit_sqes+0x1050/0x2da0
[ 28.244526][ T455]  __se_sys_io_uring_enter+0x322/0x12b0
[ 28.250039][ T455]  __x64_sys_io_uring_enter+0xe5/0x100
[ 28.255465][ T455]  do_syscall_64+0x31/0x70
[ 28.259847][ T455]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 28.265703][ T455] page last free stack trace:
[ 28.270347][ T455]  __free_pages_ok+0xbe7/0xc20
[ 28.275081][ T455]  __free_pages+0x2d6/0x4a0
[ 28.280073][ T455]  __free_slab+0xdf/0x1a0
[ 28.284378][ T455]  unfreeze_partials+0x17d/0x1b0
[ 28.289295][ T455]  put_cpu_partial+0xc8/0x190
[ 28.293958][ T455]  __slab_free+0x2eb/0x4e0
[ 28.298342][ T455]  ___cache_free+0x131/0x150
[ 28.302911][ T455]  qlink_free+0x38/0x40
[ 28.307319][ T455]  kasan_quarantine_reduce+0x178/0x1d0
[ 28.312752][ T455]  __kasan_slab_alloc+0x2f/0xe0
[ 28.318352][ T455]  kmem_cache_alloc_trace+0x1a5/0x3a0
[ 28.323689][ T455]  io_req_defer+0x40e/0x11b0
[ 28.328251][ T455]  io_queue_sqe+0x2a/0x1180
[ 28.332732][ T455]  io_submit_sqe+0x385/0xfd0
[ 28.337304][ T455]  io_submit_sqes+0x1050/0x2da0
[ 28.342148][ T455]  __se_sys_io_uring_enter+0x322/0x12b0
[ 28.347663][ T455]
[ 28.349971][ T455] Memory state around the buggy address:
[ 28.355590][ T455]  ffff88810c636900: 00 00 00 00 fc fc fc fc 00 00 00 00 fc fc fc fc
[ 28.363629][ T455]  ffff88810c636980: 00 00 00 00 fc fc fc fc 00 00 00 00 fc fc fc fc
[ 28.371664][ T455] >ffff88810c636a00: fa fb fb fb fc fc fc fc 00 00 00 00 fc fc fc fc
[ 28.379691][ T455]                    ^
[ 28.383730][ T455]  ffff88810c636a80: 00 00 00 00 fc fc fc fc 00 00 00 00 fc fc fc fc
[ 28.391775][ T455]  ffff88810c636b00: 00 00 00 00 fc fc fc fc 00 00 00 00 fc fc fc fc
[ 28.399901][ T455] ==================================================================
[ 28.407938][ T455] Disabling lock debugging due to kernel taint
executing program
[ 28.414106][ T456] ==================================================================
[ 28.422181][ T456] BUG: KASAN: use-after-free in task_work_run+0x126/0x1b0
[ 28.429309][ T456] Read of size 8 at addr ffff88810c640958 by task io_wq_manager/456
[ 28.437360][ T456]
[ 28.439687][ T456] CPU: 1 PID: 456 Comm: io_wq_manager Tainted: G B 5.10.76-syzkaller-01178-g4944ec82ebb9 #0
[ 28.451030][ T456] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.461078][ T456] Call Trace:
[ 28.464376][ T456]  dump_stack_lvl+0x1e2/0x24b
[ 28.469069][ T456]  ? printk+0xcf/0x119
[ 28.473139][ T456]  ? show_regs_print_info+0x18/0x18
[ 28.478333][ T456]  ? wake_up_klogd+0xb8/0xf0
[ 28.482919][ T456]  ? devkmsg_release+0x127/0x127
[ 28.487862][ T456]  print_address_description+0x8d/0x3d0
[ 28.493413][ T456]  __kasan_report+0x142/0x220
[ 28.498096][ T456]  ? task_work_run+0x126/0x1b0
[ 28.502863][ T456]  kasan_report+0x51/0x70
[ 28.507204][ T456]  __asan_report_load8_noabort+0x14/0x20
[ 28.512833][ T456]  task_work_run+0x126/0x1b0
[ 28.517428][ T456]  io_wq_manager+0x1aa/0x8b0
[ 28.522020][ T456]  ? io_wq_create+0x840/0x840
[ 28.526698][ T456]  ? __kasan_check_read+0x11/0x20
[ 28.531739][ T456]  ? __kthread_parkme+0xba/0x1d0
[ 28.536766][ T456]  kthread+0x371/0x390
[ 28.540829][ T456]  ? io_wq_create+0x840/0x840
[ 28.545501][ T456]  ? kthread_blkcg+0xd0/0xd0
[ 28.550082][ T456]  ret_from_fork+0x1f/0x30
[ 28.554483][ T456]
[ 28.556799][ T456] Allocated by task 455:
[ 28.561032][ T456]  __kasan_slab_alloc+0xb2/0xe0
[ 28.565876][ T456]  kmem_cache_alloc_bulk+0x2d5/0x3f0
[ 28.571151][ T456]  io_submit_sqes+0x6bf/0x2da0
[ 28.575907][ T456]  __se_sys_io_uring_enter+0x322/0x12b0
[ 28.581442][ T456]  __x64_sys_io_uring_enter+0xe5/0x100
[ 28.586894][ T456]  do_syscall_64+0x31/0x70
[ 28.591327][ T456]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 28.597206][ T456]
[ 28.599519][ T456] Freed by task 456:
[ 28.603422][ T456]  kasan_set_track+0x4c/0x80
[ 28.608004][ T456]  kasan_set_free_info+0x23/0x40
[ 28.612943][ T456]  ____kasan_slab_free+0x133/0x170
[ 28.618038][ T456]  __kasan_slab_free+0x11/0x20
[ 28.622791][ T456]  slab_free_freelist_hook+0xcc/0x1a0
[ 28.628153][ T456]  kmem_cache_free+0xb5/0x1f0
[ 28.632820][ T456]  __io_free_req+0x20e/0x380
[ 28.637845][ T456]  __io_req_task_cancel+0x144/0x720
[ 28.643034][ T456]  io_req_task_cancel+0x51/0x130
[ 28.647964][ T456]  task_work_run+0x147/0x1b0
[ 28.652546][ T456]  io_wq_manager+0x1aa/0x8b0
[ 28.657121][ T456]  kthread+0x371/0x390
[ 28.661175][ T456]  ret_from_fork+0x1f/0x30
[ 28.665576][ T456]
[ 28.667897][ T456] Last potentially related work creation:
[ 28.673717][ T456]  kasan_save_stack+0x36/0x60
[ 28.678385][ T456]  kasan_record_aux_stack+0xd3/0xf0
[ 28.683590][ T456]  task_work_add+0xa7/0x320
[ 28.688082][ T456]  io_commit_cqring+0x756/0xa00
[ 28.692927][ T456]  io_do_iopoll+0x1e18/0x23f0
[ 28.697626][ T456]  io_iopoll_try_reap_events+0x116/0x290
[ 28.703256][ T456]  io_ring_ctx_wait_and_kill+0x295/0x670
[ 28.708883][ T456]  io_uring_release+0x5b/0x70
[ 28.713550][ T456]  __fput+0x348/0x7d0
[ 28.717521][ T456]  ____fput+0x15/0x20
[ 28.721495][ T456]  task_work_run+0x147/0x1b0
[ 28.726077][ T456]  do_exit+0x70e/0x23a0
[ 28.730224][ T456]  do_group_exit+0x16a/0x2d0
[ 28.734808][ T456]  __do_sys_exit_group+0x17/0x20
[ 28.739734][ T456]  __se_sys_exit_group+0x14/0x20
[ 28.744682][ T456]  __x64_sys_exit_group+0x3b/0x40
[ 28.749699][ T456]  do_syscall_64+0x31/0x70
[ 28.754109][ T456]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 28.759978][ T456]
[ 28.762295][ T456] The buggy address belongs to the object at ffff88810c6408c0
[ 28.762295][ T456]  which belongs to the cache io_kiocb of size 216
[ 28.776073][ T456] The buggy address is located 152 bytes inside of
[ 28.776073][ T456]  216-byte region [ffff88810c6408c0, ffff88810c640998)
[ 28.789421][ T456] The buggy address belongs to the page:
[ 28.795056][ T456] page:ffffea0004319000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10c640
[ 28.805283][ T456] flags: 0x8000000000000200(slab)
[ 28.810304][ T456] raw: 8000000000000200 dead000000000100 dead000000000122 ffff8881049e8a80
[ 28.818881][ T456] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 28.827454][ T456] page dumped because: kasan: bad access detected
[ 28.833852][ T456] page_owner tracks the page as allocated
[ 28.839566][ T456] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 455, ts 27656151090, free_ts 27650337704
[ 28.855529][ T456]  get_page_from_freelist+0xa74/0xa90
[ 28.860895][ T456]  __alloc_pages_nodemask+0x3c8/0x820
[ 28.866261][ T456]  allocate_slab+0x6b/0x350
[ 28.870758][ T456]  ___slab_alloc+0x143/0x2f0
[ 28.875342][ T456]  kmem_cache_alloc_bulk+0x167/0x3f0
[ 28.880618][ T456]  io_submit_sqes+0x6bf/0x2da0
[ 28.885375][ T456]  __se_sys_io_uring_enter+0x322/0x12b0
[ 28.890919][ T456]  __x64_sys_io_uring_enter+0xe5/0x100
[ 28.896370][ T456]  do_syscall_64+0x31/0x70
[ 28.900779][ T456]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 28.906651][ T456] page last free stack trace:
[ 28.911322][ T456]  __free_pages_ok+0xbe7/0xc20
[ 28.916076][ T456]  __free_pages+0x2d6/0x4a0
[ 28.920567][ T456]  __free_slab+0xdf/0x1a0
[ 28.924891][ T456]  unfreeze_partials+0x17d/0x1b0
[ 28.929826][ T456]  put_cpu_partial+0xc8/0x190
[ 28.934493][ T456]  __slab_free+0x2eb/0x4e0
[ 28.938895][ T456]  ___cache_free+0x131/0x150
[ 28.943483][ T456]  qlink_free+0x38/0x40
[ 28.947627][ T456]  kasan_quarantine_reduce+0x178/0x1d0
[ 28.953073][ T456]  __kasan_slab_alloc+0x2f/0xe0
[ 28.957908][ T456]  kmem_cache_alloc_trace+0x1a5/0x3a0
[ 28.963270][ T456]  io_req_defer+0x40e/0x11b0
[ 28.967848][ T456]  io_queue_sqe+0x2a/0x1180
[ 28.972340][ T456]  io_submit_sqe+0x385/0xfd0
[ 28.976919][ T456]  io_submit_sqes+0x1050/0x2da0
[ 28.981758][ T456]  __se_sys_io_uring_enter+0x322/0x12b0
[ 28.987280][ T456]
[ 28.989597][ T456] Memory state around the buggy address:
[ 28.995220][ T456]  ffff88810c640800: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
[ 29.003272][ T456]  ffff88810c640880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 29.011328][ T456] >ffff88810c640900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.019383][ T456]                                                     ^
[ 29.026311][ T456]  ffff88810c640980: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.034366][ T456]  ffff88810c640a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 29.042412][ T456] ==================================================================
[ 29.050725][ T456] ------------[ cut here ]------------
[ 29.056170][ T456] refcount_t: underflow; use-after-free.
[ 29.062133][ T456] WARNING: CPU: 1 PID: 456 at lib/refcount.c:28 refcount_warn_saturate+0x165/0x1b0
[ 29.071711][ T456] Modules linked in:
[ 29.075773][ T456] CPU: 0 PID: 456 Comm: io_wq_manager Tainted: G B 5.10.76-syzkaller-01178-g4944ec82ebb9 #0
[ 29.087667][ T456] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.099581][ T456] RIP: 0010:refcount_warn_saturate+0x165/0x1b0
[ 29.106447][ T456] Code: c7 e0 b2 49 85 31 c0 e8 99 7b eb fe 0f 0b eb 83 e8 f0 98 18 ff c6 05 9e cc 68 04 01 48 c7 c7 40 b3 49 85 31 c0 e8 7b 7b eb fe <0f> 0b e9 62 ff ff ff e8 cf 98 18 ff c6 05 7e cc 68 04 01 48 c7 c7
[ 29.126626][ T456] RSP: 0018:ffffc90000e17d20 EFLAGS: 00010246
[ 29.133122][ T456] RAX: 55a6f4cdab1c1400 RBX: 0000000000000003 RCX: 1ffff920001c2f5c
[ 29.141286][ T456] RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
[ 29.149611][ T456] RBP: ffffc90000e17d30 R08: ffffffff81545288 R09: ffffed103ee295d8
[ 29.157917][ T456] R10: ffffed103ee295d8 R11: 0000000000000000 R12: ffff88810c640918
[ 29.166555][ T456] R13: ffff88810c6408c0 R14: 0000000000000003 R15: ffff88810c64091c
[ 29.174729][ T456] FS: 0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
[ 29.183940][ T456] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 29.190730][ T456] CR2: 0000000020000084 CR3: 000000010c507000 CR4: 00000000003506a0
[ 29.198704][ T456] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 29.207959][ T456] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 29.216370][ T456] Call Trace:
[ 29.220069][ T456]  __io_req_task_cancel+0x1c3/0x720
[ 29.225802][ T456]  io_req_task_cancel+0x51/0x130
[ 29.230941][ T456]  task_work_run+0x147/0x1b0
[ 29.235578][ T456]  io_wq_manager+0x1aa/0x8b0
[ 29.240431][ T456]  ? io_wq_create+0x840/0x840
[ 29.245146][ T456]  ? __kasan_check_read+0x11/0x20
[ 29.250717][ T456]  ? __kthread_parkme+0xba/0x1d0
[ 29.255820][ T456]  kthread+0x371/0x390
[ 29.259884][ T456]  ? io_wq_create+0x840/0x840
[ 29.264693][ T456]  ? kthread_blkcg+0xd0/0xd0
[ 29.269276][ T456]  ret_from_fork+0x1f/0x30
[ 29.273910][ T456] ---[ end trace c87df69c4dcd6b41 ]---
executing program
[ 30.316930][ T772] list_del corruption. next->prev should be ffff8881139cba00, but was ffff8881059a4070
[ 30.326645][ T772] ------------[ cut here ]------------
[ 30.332088][ T772] kernel BUG at lib/list_debug.c:56!
[ 30.337365][ T772] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
[ 30.343412][ T772] CPU: 1 PID: 772 Comm: io_wq_manager Tainted: G B W 5.10.76-syzkaller-01178-g4944ec82ebb9 #0
[ 30.354752][ T772] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.364801][ T772] RIP: 0010:__list_del_entry_valid+0xf9/0x100
[ 30.370847][ T772] Code: 24 52 fc fe 0f 0b 48 c7 c7 40 d8 49 85 4c 89 f6 31 c0 e8 11 52 fc fe 0f 0b 48 c7 c7 a0 d8 49 85 4c 89 f6 31 c0 e8 fe 51 fc fe <0f> 0b 0f 1f 44 00 00 be 08 00 00 00 48 c7 c7 e0 44 75 86 e8 4f f0
[ 30.390431][ T772] RSP: 0018:ffffc90001777cb0 EFLAGS: 00010046
[ 30.396606][ T772] RAX: 0000000000000054 RBX: ffff8881139cbe08 RCX: ad7f12c738df4d00
[ 30.404670][ T772] RDX: 0000000000000000 RSI: 0000000080000001 RDI: 0000000000000000
[ 30.412628][ T772] RBP: ffffc90001777cd0 R08: ffffffff81545288 R09: ffffed103ee295d8
[ 30.420578][ T772] R10: ffffed103ee295d8 R11: 0000000000000000 R12: dffffc0000000000
[ 30.428621][ T772] R13: ffff8881139cba00 R14: ffff8881139cba00 R15: ffff8881059a4070
[ 30.436583][ T772] FS: 0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
[ 30.445840][ T772] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 30.452490][ T772] CR2: 00007ffc72469ad8 CR3: 0000000118382000 CR4: 00000000003506a0
[ 30.460446][ T772] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 30.468411][ T772] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 30.476372][ T772] Call Trace:
[ 30.479671][ T772]  io_commit_cqring+0x448/0xa00
[ 30.484515][ T772]  __io_req_task_cancel+0x64/0x720
[ 30.489707][ T772]  ? console_conditional_schedule+0x10/0x10
[ 30.495583][ T772]  io_req_task_cancel+0x51/0x130
[ 30.500514][ T772]  task_work_run+0x147/0x1b0
[ 30.505091][ T772]  io_wq_manager+0x1aa/0x8b0
[ 30.509672][ T772]  ? io_wq_create+0x840/0x840
[ 30.514331][ T772]  ? __kasan_check_read+0x11/0x20
[ 30.519337][ T772]  ? __kthread_parkme+0xba/0x1d0
[ 30.524267][ T772]  kthread+0x371/0x390
[ 30.528318][ T772]  ? io_wq_create+0x840/0x840
[ 30.532974][ T772]  ? kthread_blkcg+0xd0/0xd0
[ 30.537543][ T772]  ret_from_fork+0x1f/0x30
[ 30.541936][ T772] Modules linked in:
[ 30.545818][ T772] ---[ end trace c87df69c4dcd6b42 ]---
[ 30.551258][ T772] RIP: 0010:__list_del_entry_valid+0xf9/0x100
[ 30.557302][ T772] Code: 24 52 fc fe 0f 0b 48 c7 c7 40 d8 49 85 4c 89 f6 31 c0 e8 11 52 fc fe 0f 0b 48 c7 c7 a0 d8 49 85 4c 89 f6 31 c0 e8 fe 51 fc fe <0f> 0b 0f 1f 44 00 00 be 08 00 00 00 48 c7 c7 e0 44 75 86 e8 4f f0
[ 30.576892][ T772] RSP: 0018:ffffc90001777cb0 EFLAGS: 00010046
[ 30.582941][ T772] RAX: 0000000000000054 RBX: ffff8881139cbe08 RCX: ad7f12c738df4d00
[ 30.590893][ T772] RDX: 0000000000000000 RSI: 0000000080000001 RDI: 0000000000000000
[ 30.598846][ T772] RBP: ffffc90001777cd0 R08: ffffffff81545288 R09: ffffed103ee295d8
[ 30.606796][ T772] R10: ffffed103ee295d8 R11: 0000000000000000 R12: dffffc0000000000
[ 30.614748][ T772] R13: ffff8881139cba00 R14: ffff8881139cba00 R15: ffff8881059a4070
[ 30.622700][ T772] FS: 0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
[ 30.631607][ T772] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 30.638173][ T772] CR2: 00007ffc72469ad8 CR3: 0000000118382000 CR4: 00000000003506a0
[ 30.646129][ T772] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 30.654081][ T772] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 30.662235][ T772] Kernel panic - not syncing: Fatal exception
[ 30.668541][ T772] Kernel Offset: disabled
[ 30.672866][ T772] Rebooting in 86400 seconds..
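The two KASAN reports above carry the facts a triager needs before reading any io_uring code: what class of bug was detected, in which frame, which task allocated and which task freed the object, which slab cache it came from, where inside the object the access landed, and what the shadow bytes say about that address. The script below is an added example for this page; it is not part of the syzbot report and not a syzkaller tool. It extracts those facts from each `==== BUG: KASAN ... ====` block, flags the case where the allocating and freeing tasks differ (the free raced the context still using the object), checks that the reported offset really reproduces the faulting address, and decodes the shadow byte covering it. The shadow-byte meanings follow generic KASAN as of v5.10 (`mm/kasan/kasan.h`). The sample input is a constructed excerpt: lines copied verbatim from the two reports above, with the intervening stack frames dropped.

```python
"""Triage the KASAN reports in a syzkaller console log.

Added example for this page, not part of the syzbot report and not a syzkaller tool.
Shadow byte values follow generic KASAN in v5.10 (mm/kasan/kasan.h).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")  # console prefix "[ 27.671537][ T455] "
SHADOW = {0x00: "addressable", 0xfa: "freed (object start, holds free track)", 0xfb: "freed",
          0xfc: "kmalloc redzone", 0xfe: "page redzone", 0xff: "freed page", 0xf9: "global redzone"}


@dataclass
class KasanReport:
    kind: str                     # "use-after-free", "double-free or invalid-free", ...
    func: str                     # frame KASAN flagged, e.g. "task_work_run+0x126/0x1b0"
    addr: Optional[int] = None    # faulting address from the Read/Write line (absent for invalid-free)
    size: Optional[int] = None
    alloc_task: Optional[int] = None
    free_task: Optional[int] = None
    obj_addr: Optional[int] = None
    cache: Optional[str] = None
    obj_size: Optional[int] = None
    offset: Optional[int] = None
    shadow_rows: Dict[int, List[int]] = field(default_factory=dict)  # row base address -> shadow bytes


def parse_kasan_reports(log: str) -> List[KasanReport]:
    reports, cur = [], None
    for raw in log.splitlines():
        line = PREFIX.sub("", raw).strip()
        if m := re.match(r"BUG: KASAN: (.+?) in (\S+)", line):
            cur = KasanReport(kind=m.group(1), func=m.group(2))
            reports.append(cur)
        elif cur is None:
            continue
        elif line.startswith("====="):          # closing rule ends the report
            cur = None
        elif m := re.match(r"(?:Read|Write) of size (\d+) at addr ([0-9a-f]+)", line):
            cur.size, cur.addr = int(m.group(1)), int(m.group(2), 16)
        elif m := re.match(r"Allocated by task (\d+):", line):
            cur.alloc_task = int(m.group(1))
        elif m := re.match(r"Freed by task (\d+):", line):
            cur.free_task = int(m.group(1))
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            cur.obj_addr = int(m.group(1), 16)
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line):
            cur.cache, cur.obj_size = m.group(1), int(m.group(2))
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", line):
            cur.offset = int(m.group(1))
        elif m := re.match(r">?([0-9a-f]{16}): ((?:[0-9a-f]{2}\s?)+)$", line):
            cur.shadow_rows[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return reports


def shadow_at(rep: KasanReport, addr: int) -> Optional[str]:
    for base, row in rep.shadow_rows.items():
        if base <= addr < base + 8 * len(row):
            b = row[(addr - base) // 8]          # one shadow byte per 8-byte granule
            # 1..7 means only the first N bytes of the granule are addressable
            return f"first {b} bytes addressable" if 1 <= b <= 7 else SHADOW.get(b, f"unknown 0x{b:02x}")
    return None


def triage(rep: KasanReport) -> dict:
    fault = rep.addr if rep.addr is not None else rep.obj_addr   # invalid-free: the freed pointer itself
    return {
        "kind": rep.kind, "func": rep.func.split("+")[0], "cache": rep.cache, "offset": rep.offset,
        # allocated and freed by different tasks: the free raced the context still using the object
        "cross_task_free": None not in (rep.alloc_task, rep.free_task) and rep.alloc_task != rep.free_task,
        # the stated offset must reproduce the faulting address and the access must stay inside the object
        "offset_consistent": None not in (rep.obj_addr, rep.offset, rep.obj_size)
        and fault == rep.obj_addr + rep.offset and rep.offset + (rep.size or 0) <= rep.obj_size,
        "shadow": shadow_at(rep, fault) if fault is not None else None,
    }


# Constructed sample: lines excerpted verbatim from the two KASAN reports in the log above.
SAMPLE_LOG = """\
[ 27.671537][ T455] BUG: KASAN: double-free or invalid-free in kfree+0xd5/0x320
[ 27.980515][ T455] Allocated by task 455:
[ 28.041284][ T455] Freed by task 456:
[ 28.108238][ T455] The buggy address belongs to the object at ffff88810c636a00
[ 28.108238][ T455]  which belongs to the cache kmalloc-32 of size 32
[ 28.122081][ T455] The buggy address is located 0 bytes inside of
[ 28.371664][ T455] >ffff88810c636a00: fa fb fb fb fc fc fc fc 00 00 00 00 fc fc fc fc
[ 28.399901][ T455] ==================================================================
[ 28.422181][ T456] BUG: KASAN: use-after-free in task_work_run+0x126/0x1b0
[ 28.429309][ T456] Read of size 8 at addr ffff88810c640958 by task io_wq_manager/456
[ 28.556799][ T456] Allocated by task 455:
[ 28.599519][ T456] Freed by task 456:
[ 28.762295][ T456] The buggy address belongs to the object at ffff88810c6408c0
[ 28.762295][ T456]  which belongs to the cache io_kiocb of size 216
[ 28.776073][ T456] The buggy address is located 152 bytes inside of
[ 29.003272][ T456]  ffff88810c640880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 29.011328][ T456] >ffff88810c640900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.042412][ T456] ==================================================================
"""
```

Run `triage()` over `parse_kasan_reports(SAMPLE_LOG)` (or over the full console log, since the parser skips everything outside the KASAN rules). On this log both reports come back with `cross_task_free` set: the kmalloc-32 buffer and the io_kiocb were both allocated by PID 455 (syz-executor934, inside io_uring_enter) and freed by PID 456 (the io_wq_manager kthread, from io_req_task_cancel), while PID 455 was still tearing the ring down in io_ring_ctx_wait_and_kill. The shadow decode confirms the access hit freed slab memory (`fb`) rather than a redzone, and the object-start granule at ffff88810c6408c0 reads `fa`. The same io_kiocb address appears as R13 in the refcount_warn_saturate register dump that follows, so the refcount underflow and the later list_del corruption are follow-on damage from the same freed request, not separate bugs.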