./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1918228372

<...>
Warning: Permanently added '10.128.0.82' (ED25519) to the list of known hosts.
execve("./syz-executor1918228372", ["./syz-executor1918228372"], 0x7ffd27561ec0 /* 10 vars */) = 0
brk(NULL)                               = 0x5555566b2000
brk(0x5555566b2e00)                     = 0x5555566b2e00
arch_prctl(ARCH_SET_FS, 0x5555566b2480) = 0
set_tid_address(0x5555566b2750)         = 5064
set_robust_list(0x5555566b2760, 24)     = 0
rseq(0x5555566b2da0, 0x20, 0, 0x53053053) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
readlink("/proc/self/exe", "/root/syz-executor1918228372", 4096) = 28
getrandom("\xd3\xf9\x93\x3a\x36\x31\xe3\xa0", 8, GRND_NONBLOCK) = 8
brk(NULL)                               = 0x5555566b2e00
brk(0x5555566d3e00)                     = 0x5555566d3e00
brk(0x5555566d4000)                     = 0x5555566d4000
mprotect(0x7ff24a906000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
getpid()                                = 5064
openat(AT_FDCWD, "/sys/kernel/debug/x86/nmi_longest_ns", O_WRONLY|O_CLOEXEC) = 3
write(3, "10000000000", 11)             = 11
close(3)                                = 0
openat(AT_FDCWD, "/proc/sys/kernel/hung_task_check_interval_secs", O_WRONLY|O_CLOEXEC) = 3
write(3, "20", 2)                       = 2
close(3)                                = 0
openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_kallsyms", O_WRONLY|O_CLOEXEC) = 3
write(3, "1", 1)                        = 1
close(3)                                = 0
openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_harden", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1)                        = 1
close(3)                                = 0
openat(AT_FDCWD, "/proc/sys/kernel/kptr_restrict", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1)                        = 1
close(3)                                = 0
openat(AT_FDCWD, "/proc/sys/kernel/softlockup_all_cpu_backtrace", O_WRONLY|O_CLOEXEC) = 3
write(3, "1", 1)                        = 1
close(3)                                = 0
openat(AT_FDCWD, "/proc/sys/fs/mount-max", O_WRONLY|O_CLOEXEC) = 3
write(3, "100", 3)                      = 3
close(3)                                = 0
openat(AT_FDCWD, "/proc/sys/vm/oom_dump_tasks", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1)                        = 1
close(3)                                = 0
openat(AT_FDCWD, "/proc/sys/debug/exception-trace", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1)                        = 1
close(3)                                = 0
openat(AT_FDCWD, "/proc/sys/kernel/printk", O_WRONLY|O_CLOEXEC) = 3
write(3, "7 4 1 3", 7)                  = 7
close(3)                                = 0
openat(AT_FDCWD, "/proc/sys/kernel/keys/gc_delay", O_WRONLY|O_CLOEXEC) = 3
write(3, "1", 1)                        = 1
close(3)                                = 0
openat(AT_FDCWD, "/proc/sys/vm/oom_kill_allocating_task", O_WRONLY|O_CLOEXEC) = 3
write(3, "1", 1)                        = 1
close(3)                                = 0
openat(AT_FDCWD, "/proc/sys/kernel/ctrl-alt-del", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1)                        = 1
close(3)                                = 0
openat(AT_FDCWD, "/proc/sys/kernel/cad_pid", O_WRONLY|O_CLOEXEC) = 3
write(3, "5064", 4)                     = 4
close(3)                                = 0
rt_sigaction(SIGRTMIN, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0
rt_sigaction(SIGSEGV, {sa_handler=0x7ff24a863270, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7ff24a86a450}, NULL, 8) = 0
rt_sigaction(SIGBUS, {sa_handler=0x7ff24a863270, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7ff24a86a450}, NULL, 8) = 0
io_setup(8, [0x7ff24a858000])           = 0
openat(AT_FDCWD, "/dev/ptp0", O_RDONLY) = 3
io_submit(0x7ff24a858000, 3, [{aio_data=0, aio_lio_opcode=IOCB_CMD_POLL, aio_fildes=3, aio_buf=0, aio_resfd=0xffffffff}, NULL, NULL]) = 1
[   55.042434][ T5064] ==================================================================
[   55.050555][ T5064] BUG: KASAN: slab-use-after-free in __se_sys_io_cancel+0x2c7/0x2d0
[   55.058548][ T5064] Read of size 4 at addr ffff88807d7e0020 by task syz-executor191/5064
[   55.066766][ T5064] 
[   55.069072][ T5064] CPU: 0 PID: 5064 Comm: syz-executor191 Not tainted 6.8.0-rc6-syzkaller-00238-g5ad3cb0ed525 #0
[   55.079459][ T5064] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
[   55.089493][ T5064] Call Trace:
[   55.092754][ T5064]  <TASK>
[   55.095666][ T5064]  dump_stack_lvl+0x1e7/0x2e0
[   55.100347][ T5064]  ? __pfx_dump_stack_lvl+0x10/0x10
[   55.105528][ T5064]  ? __pfx__printk+0x10/0x10
[   55.110103][ T5064]  ? _printk+0xd5/0x120
[   55.114262][ T5064]  ? __virt_addr_valid+0x183/0x520
[   55.119369][ T5064]  ? __virt_addr_valid+0x183/0x520
[   55.124472][ T5064]  print_report+0x167/0x540
[   55.128970][ T5064]  ? __virt_addr_valid+0x183/0x520
[   55.134062][ T5064]  ? __virt_addr_valid+0x183/0x520
[   55.139169][ T5064]  ? __virt_addr_valid+0x44e/0x520
[   55.144277][ T5064]  ? __phys_addr+0xba/0x170
[   55.148782][ T5064]  ? __se_sys_io_cancel+0x2c7/0x2d0
[   55.153976][ T5064]  kasan_report+0x142/0x180
[   55.158475][ T5064]  ? __se_sys_io_cancel+0x2c7/0x2d0
[   55.163661][ T5064]  __se_sys_io_cancel+0x2c7/0x2d0
[   55.168674][ T5064]  do_syscall_64+0xf9/0x240
[   55.173176][ T5064]  entry_SYSCALL_64_after_hwframe+0x6f/0x77
[   55.179064][ T5064] RIP: 0033:0x7ff24a89afe9
[   55.183466][ T5064] Code: 48 83 c4 28 c3 e8 17 1a 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[   55.203060][ T5064] RSP: 002b:00007fff21588928 EFLAGS: 00000246 ORIG_RAX: 00000000000000d2
[   55.211459][ T5064] RAX: ffffffffffffffda RBX: 00007fff215889f0 RCX: 00007ff24a89afe9
[   55.219414][ T5064] RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 00007ff24a858000
[   55.227370][ T5064] RBP: 00007fff215889f8 R08: 00007ff24a8dc1e7 R09: 00007ff24a8dc1e7
[   55.235327][ T5064] R10: 00007ff24a8dc1e7 R11: 0000000000000246 R12: 0000000000000000
[   55.243293][ T5064] R13: 00007ff24a8dc200 R14: 0000000000000001 R15: 0000000000000001
[   55.251258][ T5064]  </TASK>
[   55.254261][ T5064] 
[   55.256566][ T5064] Allocated by task 5064:
[   55.260872][ T5064]  kasan_save_track+0x3f/0x80
[   55.265541][ T5064]  __kasan_slab_alloc+0x66/0x80
[   55.270384][ T5064]  kmem_cache_alloc+0x16f/0x340
[   55.275216][ T5064]  io_submit_one+0x154/0x18b0
[   55.279878][ T5064]  __se_sys_io_submit+0x17f/0x300
[   55.284895][ T5064]  do_syscall_64+0xf9/0x240
[   55.289386][ T5064]  entry_SYSCALL_64_after_hwframe+0x6f/0x77
[   55.295266][ T5064] 
[   55.297582][ T5064] Freed by task 9:
[   55.301280][ T5064]  kasan_save_track+0x3f/0x80
[   55.305944][ T5064]  kasan_save_free_info+0x40/0x50
[   55.310951][ T5064]  poison_slab_object+0xa6/0xe0
[   55.315789][ T5064]  __kasan_slab_free+0x37/0x60
[   55.320537][ T5064]  kmem_cache_free+0x102/0x2a0
[   55.325285][ T5064]  aio_poll_complete_work+0x467/0x670
[   55.330644][ T5064]  process_scheduled_works+0x913/0x1420
[   55.336176][ T5064]  worker_thread+0xa5f/0x1000
[   55.340842][ T5064]  kthread+0x2ef/0x390
[   55.344894][ T5064]  ret_from_fork+0x4b/0x80
[   55.349296][ T5064]  ret_from_fork_asm+0x1b/0x30
[   55.354049][ T5064] 
[   55.356356][ T5064] Last potentially related work creation:
[   55.362050][ T5064]  kasan_save_stack+0x3f/0x60
[   55.366714][ T5064]  __kasan_record_aux_stack+0xac/0xc0
[   55.372068][ T5064]  insert_work+0x3e/0x330
[   55.376382][ T5064]  __queue_work+0xbf4/0x1000
[   55.380953][ T5064]  queue_work_on+0x14f/0x250
[   55.385527][ T5064]  aio_poll_cancel+0xbb/0x130
[   55.390188][ T5064]  __se_sys_io_cancel+0x126/0x2d0
[   55.395192][ T5064]  do_syscall_64+0xf9/0x240
[   55.399681][ T5064]  entry_SYSCALL_64_after_hwframe+0x6f/0x77
[   55.405563][ T5064] 
[   55.407867][ T5064] The buggy address belongs to the object at ffff88807d7e0000
[   55.407867][ T5064]  which belongs to the cache aio_kiocb of size 216
[   55.421727][ T5064] The buggy address is located 32 bytes inside of
[   55.421727][ T5064]  freed 216-byte region [ffff88807d7e0000, ffff88807d7e00d8)
[   55.435419][ T5064] 
[   55.437727][ T5064] The buggy address belongs to the physical page:
[   55.444118][ T5064] page:ffffea0001f5f800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7d7e0
[   55.454250][ T5064] flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff)
[   55.461772][ T5064] page_type: 0xffffffff()
[   55.466091][ T5064] raw: 00fff00000000800 ffff8880177c1c80 dead000000000122 0000000000000000
[   55.474656][ T5064] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[   55.483214][ T5064] page dumped because: kasan: bad access detected
[   55.489609][ T5064] page_owner tracks the page as allocated
[   55.495305][ T5064] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 5064, tgid 5064 (syz-executor191), ts 55030885394, free_ts 54298880437
[   55.513873][ T5064]  post_alloc_hook+0x1ea/0x210
[   55.518624][ T5064]  get_page_from_freelist+0x33ea/0x3580
[   55.524152][ T5064]  __alloc_pages+0x255/0x680
[   55.528725][ T5064]  alloc_slab_page+0x5f/0x160
[   55.533389][ T5064]  new_slab+0x84/0x2f0
[   55.537443][ T5064]  ___slab_alloc+0xd17/0x13e0
[   55.542108][ T5064]  kmem_cache_alloc+0x24d/0x340
[   55.546943][ T5064]  io_submit_one+0x154/0x18b0
[   55.551608][ T5064]  __se_sys_io_submit+0x17f/0x300
[   55.556617][ T5064]  do_syscall_64+0xf9/0x240
[   55.561110][ T5064]  entry_SYSCALL_64_after_hwframe+0x6f/0x77
[   55.566993][ T5064] page last free pid 5059 tgid 5059 stack trace:
[   55.573306][ T5064]  free_unref_page_prepare+0x968/0xa90
[   55.578747][ T5064]  free_unref_page+0x37/0x3f0
[   55.583493][ T5064]  __put_partials+0xeb/0x130
[   55.588067][ T5064]  put_cpu_partial+0x17b/0x250
[   55.592817][ T5064]  __slab_free+0x302/0x410
[   55.597217][ T5064]  qlist_free_all+0x5e/0xc0
[   55.601704][ T5064]  kasan_quarantine_reduce+0x14f/0x170
[   55.607155][ T5064]  __kasan_slab_alloc+0x23/0x80
[   55.611997][ T5064]  __kmalloc+0x1dd/0x490
[   55.616404][ T5064]  tomoyo_realpath_from_path+0xcf/0x5e0
[   55.621938][ T5064]  tomoyo_path_perm+0x2b7/0x740
[   55.627556][ T5064]  security_inode_getattr+0xd8/0x130
[   55.632826][ T5064]  vfs_getattr+0x45/0x430
[   55.637137][ T5064]  vfs_fstatat+0xd6/0x190
[   55.641453][ T5064]  __x64_sys_newfstatat+0x117/0x190
[   55.646637][ T5064]  do_syscall_64+0xf9/0x240
[   55.651130][ T5064] 
[   55.653436][ T5064] Memory state around the buggy address:
[   55.659047][ T5064]  ffff88807d7dff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   55.667175][ T5064]  ffff88807d7dff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   55.675215][ T5064] >ffff88807d7e0000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   55.683252][ T5064]                                ^
[   55.688344][ T5064]  ffff88807d7e0080: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
[   55.696382][ T5064]  ffff88807d7e0100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   55.704427][ T5064] ==================================================================
[   55.712810][ T5064] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   55.720018][ T5064] CPU: 1 PID: 5064 Comm: syz-executor191 Not tainted 6.8.0-rc6-syzkaller-00238-g5ad3cb0ed525 #0
[   55.730445][ T5064] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
[   55.740499][ T5064] Call Trace:
[   55.743769][ T5064]  <TASK>
[   55.746687][ T5064]  dump_stack_lvl+0x1e7/0x2e0
[   55.751360][ T5064]  ? __pfx_dump_stack_lvl+0x10/0x10
[   55.756548][ T5064]  ? __pfx__printk+0x10/0x10
[   55.761131][ T5064]  ? vscnprintf+0x5d/0x90
[   55.765446][ T5064]  panic+0x349/0x860
[   55.769336][ T5064]  ? check_panic_on_warn+0x21/0xb0
[   55.774433][ T5064]  ? __pfx_panic+0x10/0x10
[   55.778842][ T5064]  ? _raw_spin_unlock_irqrestore+0x130/0x140
[   55.784808][ T5064]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   55.791124][ T5064]  ? print_report+0x4ff/0x540
[   55.795791][ T5064]  check_panic_on_warn+0x86/0xb0
[   55.800718][ T5064]  ? __se_sys_io_cancel+0x2c7/0x2d0
[   55.805901][ T5064]  end_report+0x6e/0x140
[   55.810134][ T5064]  kasan_report+0x153/0x180
[   55.814626][ T5064]  ? __se_sys_io_cancel+0x2c7/0x2d0
[   55.819810][ T5064]  __se_sys_io_cancel+0x2c7/0x2d0
[   55.824836][ T5064]  do_syscall_64+0xf9/0x240
[   55.829332][ T5064]  entry_SYSCALL_64_after_hwframe+0x6f/0x77
[   55.835229][ T5064] RIP: 0033:0x7ff24a89afe9
[   55.839630][ T5064] Code: 48 83 c4 28 c3 e8 17 1a 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[   55.859219][ T5064] RSP: 002b:00007fff21588928 EFLAGS: 00000246 ORIG_RAX: 00000000000000d2
[   55.867619][ T5064] RAX: ffffffffffffffda RBX: 00007fff215889f0 RCX: 00007ff24a89afe9
[   55.875574][ T5064] RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 00007ff24a858000
[   55.883533][ T5064] RBP: 00007fff215889f8 R08: 00007ff24a8dc1e7 R09: 00007ff24a8dc1e7
[   55.891488][ T5064] R10: 00007ff24a8dc1e7 R11: 0000000000000246 R12: 0000000000000000
[   55.899440][ T5064] R13: 00007ff24a8dc200 R14: 0000000000000001 R15: 0000000000000001
[   55.907406][ T5064]  </TASK>
[   55.910811][ T5064] Kernel Offset: disabled
[   55.915134][ T5064] Rebooting in 86400 seconds..