Warning: Permanently added '10.128.0.78' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   60.085931][T18434] ==================================================================
[   60.094024][T18434] BUG: KASAN: use-after-free in io_wq_worker_wake+0xa8/0xb0
[   60.101318][T18434] Read of size 8 at addr ffff88801cdd7028 by task syz-executor318/18434
[   60.109624][T18434] 
[   60.111938][T18434] CPU: 1 PID: 18434 Comm: syz-executor318 Not tainted 6.2.0-rc3-syzkaller-00008-g1fe4fd6f5cad #0
[   60.123807][T18434] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[   60.133852][T18434] Call Trace:
[   60.137133][T18434]  <TASK>
[   60.140064][T18434]  dump_stack_lvl+0xd1/0x138
[   60.144673][T18434]  print_report+0x15e/0x45d
[   60.149198][T18434]  ? __phys_addr+0xc8/0x140
[   60.153715][T18434]  ? io_wq_worker_wake+0xa8/0xb0
[   60.158670][T18434]  kasan_report+0xbf/0x1f0
[   60.163098][T18434]  ? io_wq_worker_wake+0xa8/0xb0
[   60.168057][T18434]  io_wq_worker_wake+0xa8/0xb0
[   60.172836][T18434]  io_wq_put_and_exit+0x52a/0xe30
[   60.177878][T18434]  ? io_wq_exit_start+0x20/0x20
[   60.182742][T18434]  ? io_uring_del_tctx_node+0x2ab/0x2ba
[   60.188299][T18434]  io_uring_clean_tctx+0x117/0x178
[   60.193416][T18434]  ? io_uring_del_tctx_node+0x2ba/0x2ba
[   60.198965][T18434]  ? percpu_counter_add_batch+0xc1/0x180
[   60.204618][T18434]  ? __refcount_sub_and_test.constprop.0+0x61/0xb0
[   60.211142][T18434]  io_uring_cancel_generic+0x5ae/0x606
[   60.216624][T18434]  ? io_submit_sqes.cold+0xc5/0xc5
[   60.221773][T18434]  ? lockdep_hardirqs_on+0x7d/0x100
[   60.226987][T18434]  ? asm_sysvec_reschedule_ipi+0x1a/0x20
[   60.232645][T18434]  ? prepare_to_wait_exclusive+0x2c0/0x2c0
[   60.238466][T18434]  ? do_exit+0x516/0x2950
[   60.242819][T18434]  do_exit+0x522/0x2950
[   60.246991][T18434]  ? find_held_lock+0x2d/0x110
[   60.251778][T18434]  ? get_signal+0x8a0/0x2450
[   60.256375][T18434]  ? mm_update_next_owner+0x7b0/0x7b0
[   60.261769][T18434]  do_group_exit+0xd4/0x2a0
[   60.266305][T18434]  get_signal+0x21c3/0x2450
[   60.270821][T18434]  ? __do_sys_io_uring_enter+0x5df/0x2540
[   60.276565][T18434]  ? exit_signals+0x8b0/0x8b0
[   60.281257][T18434]  arch_do_signal_or_restart+0x79/0x5c0
[   60.286817][T18434]  ? get_sigframe_size+0x10/0x10
[   60.291764][T18434]  ? xfd_validate_state+0x5d/0x180
[   60.296896][T18434]  exit_to_user_mode_prepare+0x15f/0x250
[   60.302544][T18434]  syscall_exit_to_user_mode+0x1d/0x50
[   60.308010][T18434]  do_syscall_64+0x46/0xb0
[   60.312441][T18434]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   60.318346][T18434] RIP: 0033:0x7fbc7f2cbb99
[   60.322761][T18434] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[   60.342372][T18434] RSP: 002b:00007fbc7f27d2e8 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa
[   60.350789][T18434] RAX: 00000000000002ff RBX: 00007fbc7f353428 RCX: 00007fbc7f2cbb99
[   60.358762][T18434] RDX: 0000000000000000 RSI: 00000000000002ff RDI: 0000000000000003
[   60.366730][T18434] RBP: 00007fbc7f353420 R08: 0000000000000000 R09: 0000000000000000
[   60.374699][T18434] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fbc7f35342c
[   60.382671][T18434] R13: 00007fbc7f321074 R14: 8000000000000001 R15: 0000000000000003
[   60.390649][T18434]  </TASK>
[   60.393663][T18434] 
[   60.395978][T18434] Allocated by task 18434:
[   60.400384][T18434]  kasan_save_stack+0x22/0x40
[   60.405064][T18434]  kasan_set_track+0x25/0x30
[   60.409659][T18434]  __kasan_kmalloc+0xa5/0xb0
[   60.414251][T18434]  create_io_worker+0x10c/0x630
[   60.419115][T18434]  io_wqe_enqueue+0x6c3/0xbc0
[   60.423805][T18434]  io_queue_iowq+0x282/0x5c0
[   60.428405][T18434]  io_queue_sqe_fallback+0xf3/0x190
[   60.433612][T18434]  io_submit_sqes+0x11db/0x1e60
[   60.438473][T18434]  __do_sys_io_uring_enter+0xc1d/0x2540
[   60.444036][T18434]  do_syscall_64+0x39/0xb0
[   60.448463][T18434]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   60.454361][T18434] 
[   60.456678][T18434] Freed by task 18437:
[   60.460737][T18434]  kasan_save_stack+0x22/0x40
[   60.465422][T18434]  kasan_set_track+0x25/0x30
[   60.470012][T18434]  kasan_save_free_info+0x2e/0x40
[   60.475044][T18434]  ____kasan_slab_free+0x160/0x1c0
[   60.480157][T18434]  slab_free_freelist_hook+0x8b/0x1c0
[   60.485540][T18434]  __kmem_cache_free+0xaf/0x3b0
[   60.490390][T18434]  io_queue_worker_create+0x567/0x660
[   60.495771][T18434]  io_wqe_dec_running+0x1e4/0x240
[   60.500804][T18434]  io_wq_worker_sleeping+0xa6/0xc0
[   60.505925][T18434]  schedule+0x16e/0x1b0
[   60.510105][T18434]  schedule_preempt_disabled+0x13/0x20
[   60.515583][T18434]  __mutex_lock+0xa48/0x1360
[   60.520172][T18434]  io_wq_submit_work+0x5f7/0xdc0
[   60.525120][T18434]  io_worker_handle_work+0xc41/0x1c60
[   60.530506][T18434]  io_wqe_worker+0xa5b/0xe40
[   60.535107][T18434]  ret_from_fork+0x1f/0x30
[   60.539534][T18434] 
[   60.541852][T18434] Last potentially related work creation:
[   60.547556][T18434]  kasan_save_stack+0x22/0x40
[   60.552235][T18434]  __kasan_record_aux_stack+0xbc/0xd0
[   60.557618][T18434]  task_work_add+0x7f/0x2c0
[   60.562136][T18434]  io_queue_worker_create+0x41d/0x660
[   60.567779][T18434]  io_wqe_dec_running+0x1e4/0x240
[   60.572813][T18434]  io_wq_worker_sleeping+0xa6/0xc0
[   60.577936][T18434]  schedule+0x16e/0x1b0
[   60.582104][T18434]  schedule_preempt_disabled+0x13/0x20
[   60.587580][T18434]  __mutex_lock+0xa48/0x1360
[   60.592169][T18434]  io_wq_submit_work+0x5f7/0xdc0
[   60.597121][T18434]  io_worker_handle_work+0xc41/0x1c60
[   60.602516][T18434]  io_wqe_worker+0xa5b/0xe40
[   60.607122][T18434]  ret_from_fork+0x1f/0x30
[   60.611551][T18434] 
[   60.613866][T18434] The buggy address belongs to the object at ffff88801cdd7000
[   60.613866][T18434]  which belongs to the cache kmalloc-512 of size 512
[   60.627914][T18434] The buggy address is located 40 bytes inside of
[   60.627914][T18434]  512-byte region [ffff88801cdd7000, ffff88801cdd7200)
[   60.641106][T18434] 
[   60.643427][T18434] The buggy address belongs to the physical page:
[   60.649826][T18434] page:ffffea0000737500 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1cdd4
[   60.659974][T18434] head:ffffea0000737500 order:2 compound_mapcount:0 subpages_mapcount:0 compound_pincount:0
[   60.670031][T18434] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[   60.678017][T18434] raw: 00fff00000010200 ffff888012441c80 dead000000000122 0000000000000000
[   60.686600][T18434] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[   60.695176][T18434] page dumped because: kasan: bad access detected
[   60.701579][T18434] page_owner tracks the page as allocated
[   60.707284][T18434] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 18245, tgid 18244 (syz-executor318), ts 59882596706, free_ts 59723498525
[   60.729082][T18434]  get_page_from_freelist+0x119c/0x2ce0
[   60.734645][T18434]  __alloc_pages+0x1cb/0x5b0
[   60.739241][T18434]  allocate_slab+0xa7/0x350
[   60.743759][T18434]  ___slab_alloc+0xa91/0x1400
[   60.748433][T18434]  __slab_alloc.constprop.0+0x56/0xa0
[   60.753805][T18434]  __kmem_cache_alloc_node+0x1a4/0x430
[   60.759263][T18434]  kmalloc_node_trace+0x21/0x60
[   60.764128][T18434]  create_io_worker+0x10c/0x630
[   60.768990][T18434]  io_wqe_enqueue+0x6c3/0xbc0
[   60.773676][T18434]  io_queue_iowq+0x282/0x5c0
[   60.778277][T18434]  io_queue_sqe_fallback+0xf3/0x190
[   60.783492][T18434]  io_submit_sqes+0x11db/0x1e60
[   60.788355][T18434]  __do_sys_io_uring_enter+0xc1d/0x2540
[   60.793912][T18434]  do_syscall_64+0x39/0xb0
[   60.798342][T18434]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   60.804241][T18434] page last free stack trace:
[   60.808903][T18434]  free_pcp_prepare+0x65c/0xc00
[   60.813758][T18434]  free_unref_page+0x1d/0x490
[   60.818444][T18434]  __vunmap+0x85d/0xd30
[   60.822598][T18434]  free_work+0x5c/0x80
[   60.826666][T18434]  process_one_work+0x9bf/0x1710
[   60.831609][T18434]  worker_thread+0x669/0x1090
[   60.836291][T18434]  kthread+0x2e8/0x3a0
[   60.840361][T18434]  ret_from_fork+0x1f/0x30
[   60.844786][T18434] 
[   60.847108][T18434] Memory state around the buggy address:
[   60.852731][T18434]  ffff88801cdd6f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   60.860791][T18434]  ffff88801cdd6f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   60.868848][T18434] >ffff88801cdd7000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   60.876904][T18434]                                   ^
[   60.882267][T18434]  ffff88801cdd7080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   60.890333][T18434]  ffff88801cdd7100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   60.898386][T18434] ==================================================================
[   60.908287][T18434] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   60.915498][T18434] CPU: 0 PID: 18434 Comm: syz-executor318 Not tainted 6.2.0-rc3-syzkaller-00008-g1fe4fd6f5cad #0
[   60.925977][T18434] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[   60.936013][T18434] Call Trace:
[   60.939276][T18434]  <TASK>
[   60.942191][T18434]  dump_stack_lvl+0xd1/0x138
[   60.946774][T18434]  panic+0x2cc/0x626
[   60.950660][T18434]  ? panic_print_sys_info.part.0+0x110/0x110
[   60.956636][T18434]  ? preempt_schedule_thunk+0x1a/0x20
[   60.962000][T18434]  ? preempt_schedule_common+0x59/0xc0
[   60.967451][T18434]  check_panic_on_warn.cold+0x19/0x35
[   60.972814][T18434]  end_report.part.0+0x36/0x73
[   60.977571][T18434]  ? io_wq_worker_wake+0xa8/0xb0
[   60.982501][T18434]  kasan_report.cold+0xa/0xf
[   60.987085][T18434]  ? io_wq_worker_wake+0xa8/0xb0
[   60.992014][T18434]  io_wq_worker_wake+0xa8/0xb0
[   60.996767][T18434]  io_wq_put_and_exit+0x52a/0xe30
[   61.001783][T18434]  ? io_wq_exit_start+0x20/0x20
[   61.006621][T18434]  ? io_uring_del_tctx_node+0x2ab/0x2ba
[   61.012155][T18434]  io_uring_clean_tctx+0x117/0x178
[   61.017251][T18434]  ? io_uring_del_tctx_node+0x2ba/0x2ba
[   61.022779][T18434]  ? percpu_counter_add_batch+0xc1/0x180
[   61.028404][T18434]  ? __refcount_sub_and_test.constprop.0+0x61/0xb0
[   61.034896][T18434]  io_uring_cancel_generic+0x5ae/0x606
[   61.040346][T18434]  ? io_submit_sqes.cold+0xc5/0xc5
[   61.045459][T18434]  ? lockdep_hardirqs_on+0x7d/0x100
[   61.050640][T18434]  ? asm_sysvec_reschedule_ipi+0x1a/0x20
[   61.056259][T18434]  ? prepare_to_wait_exclusive+0x2c0/0x2c0
[   61.062049][T18434]  ? do_exit+0x516/0x2950
[   61.066370][T18434]  do_exit+0x522/0x2950
[   61.070516][T18434]  ? find_held_lock+0x2d/0x110
[   61.075270][T18434]  ? get_signal+0x8a0/0x2450
[   61.079843][T18434]  ? mm_update_next_owner+0x7b0/0x7b0
[   61.085223][T18434]  do_group_exit+0xd4/0x2a0
[   61.089730][T18434]  get_signal+0x21c3/0x2450
[   61.094232][T18434]  ? __do_sys_io_uring_enter+0x5df/0x2540
[   61.099952][T18434]  ? exit_signals+0x8b0/0x8b0
[   61.104626][T18434]  arch_do_signal_or_restart+0x79/0x5c0
[   61.110171][T18434]  ? get_sigframe_size+0x10/0x10
[   61.115094][T18434]  ? xfd_validate_state+0x5d/0x180
[   61.120199][T18434]  exit_to_user_mode_prepare+0x15f/0x250
[   61.125821][T18434]  syscall_exit_to_user_mode+0x1d/0x50
[   61.131266][T18434]  do_syscall_64+0x46/0xb0
[   61.135671][T18434]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   61.141554][T18434] RIP: 0033:0x7fbc7f2cbb99
[   61.145951][T18434] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[   61.165548][T18434] RSP: 002b:00007fbc7f27d2e8 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa
[   61.173956][T18434] RAX: 00000000000002ff RBX: 00007fbc7f353428 RCX: 00007fbc7f2cbb99
[   61.181910][T18434] RDX: 0000000000000000 RSI: 00000000000002ff RDI: 0000000000000003
[   61.189864][T18434] RBP: 00007fbc7f353420 R08: 0000000000000000 R09: 0000000000000000
[   61.197905][T18434] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fbc7f35342c
[   61.205860][T18434] R13: 00007fbc7f321074 R14: 8000000000000001 R15: 0000000000000003
[   61.213819][T18434]  </TASK>
[   61.216975][T18434] Kernel Offset: disabled
[   61.221291][T18434] Rebooting in 86400 seconds..