Warning: Permanently added '10.128.0.108' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   50.086467][ T5058] ==================================================================
[   50.094571][ T5058] BUG: KASAN: use-after-free in io_worker_get+0x77/0x2a0
[   50.096918][ T5062] ------------[ cut here ]------------
[   50.101689][ T5058] Read of size 4 at addr ffff888028085c00 by task syz-executor161/5058
[   50.101706][ T5058] 
[   50.101711][ T5058] CPU: 0 PID: 5058 Comm: syz-executor161 Not tainted 6.2.0-rc2-syzkaller-00256-ga689b938df39 #0
[   50.101728][ T5058] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[   50.101736][ T5058] Call Trace:
[   50.101741][ T5058]  <TASK>
[   50.101748][ T5058]  dump_stack_lvl+0x1e3/0x2d0
[   50.101776][ T5058]  ? nf_tcp_handle_invalid+0x630/0x630
[   50.107250][ T5062] refcount_t: underflow; use-after-free.
[   50.115855][ T5058]  ? __wake_up_klogd+0xcd/0x100
[   50.115878][ T5058]  ? panic+0x770/0x770
[   50.115896][ T5058]  ? _printk+0xcf/0x110
[   50.115914][ T5058]  print_address_description+0x74/0x340
[   50.115936][ T5058]  print_report+0x107/0x220
[   50.120563][ T5062] WARNING: CPU: 1 PID: 5062 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0
[   50.128879][ T5058]  ? do_raw_spin_unlock+0x134/0x8a0
[   50.128903][ T5058]  ? __virt_addr_valid+0x21b/0x2d0
[   50.128922][ T5058]  ? __phys_addr+0xb5/0x160
[   50.128940][ T5058]  ? io_worker_get+0x77/0x2a0
[   50.128953][ T5058]  kasan_report+0x139/0x170
[   50.128974][ T5058]  ? io_worker_get+0x77/0x2a0
[   50.139872][ T5062] Modules linked in:
[   50.142384][ T5058]  kasan_check_range+0x2a7/0x2e0
[   50.142410][ T5058]  io_worker_get+0x77/0x2a0
[   50.142425][ T5058]  ? create_worker_cb+0x330/0x330
[   50.142439][ T5058]  ? io_wq_put_and_exit+0x137/0xcb0
[   50.142451][ T5058]  ? __kmem_cache_free+0x71/0x110
[   50.146093][ T5062] 
[   50.150019][ T5058]  io_wq_put_and_exit+0x2f8/0xcb0
[   50.155945][ T5062] CPU: 1 PID: 5062 Comm: iou-wrk-5058 Not tainted 6.2.0-rc2-syzkaller-00256-ga689b938df39 #0
[   50.161144][ T5058]  ? xa_find+0x410/0x410
[   50.166285][ T5062] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[   50.170026][ T5058]  ? io_wq_exit_start+0x20/0x20
[   50.174497][ T5062] RIP: 0010:refcount_warn_saturate+0x15b/0x1a0
[   50.179672][ T5058]  ? io_uring_clean_tctx+0x106/0x1d0
[   50.301528][ T5058]  ? __kmem_cache_free+0x71/0x110
[   50.306553][ T5058]  io_uring_clean_tctx+0x164/0x1d0
[   50.311669][ T5058]  ? io_uring_del_tctx_node+0x2b0/0x2b0
[   50.317297][ T5058]  ? io_uring_drop_tctx_refs+0x11b/0x1b0
[   50.323618][ T5058]  io_uring_cancel_generic+0x60e/0x670
[   50.329101][ T5058]  ? io_uring_drop_tctx_refs+0x1b0/0x1b0
[   50.334741][ T5058]  ? wake_bit_function+0x240/0x240
[   50.339945][ T5058]  ? print_irqtrace_events+0x220/0x220
[   50.345408][ T5058]  ? do_exit+0x2150/0x2150
[   50.349839][ T5058]  do_exit+0x2ad/0x2150
[   50.353996][ T5058]  ? mm_update_next_owner+0x6d0/0x6d0
[   50.359364][ T5058]  ? _raw_spin_unlock_irq+0x25/0x40
[   50.364555][ T5058]  do_group_exit+0x1fd/0x2b0
[   50.369142][ T5058]  __x64_sys_exit_group+0x3b/0x40
[   50.374160][ T5058]  do_syscall_64+0x2b/0x70
[   50.378681][ T5058]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   50.384741][ T5058] RIP: 0033:0x7f43fd8b3ce9
[   50.389146][ T5058] Code: 00 49 c7 c0 c0 ff ff ff be e7 00 00 00 ba 3c 00 00 00 eb 12 0f 1f 44 00 00 89 d0 0f 05 48 3d 00 f0 ff ff 77 1c f4 89 f0 0f 05 <48> 3d 00 f0 ff ff 76 e7 f7 d8 64 41 89 00 eb df 0f 1f 80 00 00 00
[   50.409371][ T5058] RSP: 002b:00007fffe594c5b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   50.417799][ T5058] RAX: ffffffffffffffda RBX: 00007f43fd929350 RCX: 00007f43fd8b3ce9
[   50.425766][ T5058] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[   50.434617][ T5058] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[   50.442685][ T5058] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f43fd929350
[   50.450673][ T5058] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[   50.458644][ T5058]  </TASK>
[   50.461652][ T5058] 
[   50.463961][ T5058] Allocated by task 5058:
[   50.468416][ T5058]  kasan_set_track+0x4c/0x70
[   50.473014][ T5058]  __kasan_kmalloc+0x97/0xb0
[   50.477619][ T5058]  create_io_worker+0xef/0x630
[   50.482396][ T5058]  create_worker_cb+0x16b/0x330
[   50.487335][ T5058]  task_work_run+0x243/0x300
[   50.491923][ T5058]  get_signal+0x1654/0x1820
[   50.496427][ T5058]  arch_do_signal_or_restart+0x8d/0x5f0
[   50.501963][ T5058]  exit_to_user_mode_loop+0x74/0x160
[   50.507322][ T5058]  exit_to_user_mode_prepare+0xad/0x110
[   50.512945][ T5058]  irqentry_exit_to_user_mode+0x5/0x30
[   50.518396][ T5058]  exc_page_fault+0xa2/0x120
[   50.523146][ T5058]  asm_exc_page_fault+0x22/0x30
[   50.527986][ T5058] 
[   50.530297][ T5058] Freed by task 5058:
[   50.534259][ T5058]  kasan_set_track+0x4c/0x70
[   50.538863][ T5058]  kasan_save_free_info+0x27/0x40
[   50.543894][ T5058]  ____kasan_slab_free+0xd6/0x120
[   50.548924][ T5058]  slab_free_freelist_hook+0x12e/0x1a0
[   50.554374][ T5058]  __kmem_cache_free+0x71/0x110
[   50.559219][ T5058]  io_wq_put_and_exit+0x137/0xcb0
[   50.564237][ T5058]  io_uring_clean_tctx+0x164/0x1d0
[   50.569516][ T5058]  io_uring_cancel_generic+0x60e/0x670
[   50.574970][ T5058]  do_exit+0x2ad/0x2150
[   50.579139][ T5058]  do_group_exit+0x1fd/0x2b0
[   50.583722][ T5058]  __x64_sys_exit_group+0x3b/0x40
[   50.588829][ T5058]  do_syscall_64+0x2b/0x70
[   50.593319][ T5058]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   50.599204][ T5058] 
[   50.602296][ T5058] Last potentially related work creation:
[   50.607996][ T5058]  kasan_save_stack+0x3b/0x60
[   50.612662][ T5058]  __kasan_record_aux_stack+0xb0/0xc0
[   50.618027][ T5058]  task_work_add+0x87/0x340
[   50.622521][ T5058]  io_queue_worker_create+0x1e2/0x430
[   50.628311][ T5058]  schedule+0x63/0x190
[   50.632372][ T5058]  schedule_timeout+0xac/0x300
[   50.637130][ T5058]  wait_woken+0xca/0x1b0
[   50.641360][ T5058]  af_alg_wait_for_data+0x458/0x700
[   50.646551][ T5058]  skcipher_recvmsg+0x2d9/0xea0
[   50.651393][ T5058]  sock_read_iter+0x3fa/0x530
[   50.656063][ T5058]  io_read+0x4a8/0x1310
[   50.660220][ T5058]  io_issue_sqe+0x44e/0xcd0
[   50.664714][ T5058]  io_wq_submit_work+0x44a/0x9c0
[   50.669645][ T5058]  io_worker_handle_work+0x8e1/0xee0
[   50.675178][ T5058]  io_wqe_worker+0x36c/0xde0
[   50.679758][ T5058]  ret_from_fork+0x1f/0x30
[   50.684181][ T5058] 
[   50.686509][ T5058] The buggy address belongs to the object at ffff888028085c00
[   50.686509][ T5058]  which belongs to the cache kmalloc-512 of size 512
[   50.700574][ T5058] The buggy address is located 0 bytes inside of
[   50.700574][ T5058]  512-byte region [ffff888028085c00, ffff888028085e00)
[   50.713667][ T5058] 
[   50.715988][ T5058] The buggy address belongs to the physical page:
[   50.722390][ T5058] page:ffffea0000a02100 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x28084
[   50.732783][ T5058] head:ffffea0000a02100 order:2 compound_mapcount:0 subpages_mapcount:0 compound_pincount:0
[   50.742829][ T5058] anon flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[   50.751250][ T5058] raw: 00fff00000010200 ffff888012841c80 0000000000000000 dead000000000001
[   50.759849][ T5058] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[   50.768427][ T5058] page dumped because: kasan: bad access detected
[   50.774826][ T5058] page_owner tracks the page as allocated
[   50.780546][ T5058] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 9757639976, free_ts 0
[   50.800175][ T5058]  get_page_from_freelist+0x72b/0x7a0
[   50.805550][ T5058]  __alloc_pages+0x259/0x560
[   50.810133][ T5058]  alloc_page_interleave+0x22/0x1c0
[   50.815490][ T5058]  alloc_slab_page+0xbd/0x190
[   50.820156][ T5058]  allocate_slab+0x5e/0x3c0
[   50.824642][ T5058]  ___slab_alloc+0x7f4/0xeb0
[   50.829477][ T5058]  __kmem_cache_alloc_node+0x25b/0x340
[   50.835005][ T5058]  kmalloc_trace+0x26/0x60
[   50.839495][ T5058]  device_add+0xb6/0xf90
[   50.843723][ T5058]  netdev_register_kobject+0x178/0x310
[   50.849168][ T5058]  register_netdevice+0x136c/0x1a30
[   50.854386][ T5058]  register_netdev+0x37/0x50
[   50.858966][ T5058]  rose_proto_init+0x197/0x7c0
[   50.863729][ T5058]  do_one_initcall+0xbd/0x2c0
[   50.868393][ T5058]  do_initcall_level+0x168/0x220
[   50.873333][ T5058]  do_initcalls+0x43/0x90
[   50.877650][ T5058] page_owner free stack trace missing
[   50.883001][ T5058] 
[   50.885307][ T5058] Memory state around the buggy address:
[   50.890920][ T5058]  ffff888028085b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   50.898965][ T5058]  ffff888028085b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   50.907032][ T5058] >ffff888028085c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   50.915088][ T5058]                    ^
[   50.919147][ T5058]  ffff888028085c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   50.927195][ T5058]  ffff888028085d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   50.935240][ T5058] ==================================================================
[   50.949649][ T5062] Code: c7 80 32 69 8b 31 c0 e8 93 c0 10 fd 0f 0b eb 85 e8 fa 6d 4a fd c6 05 4a f9 58 0a 01 48 c7 c7 e0 32 69 8b 31 c0 e8 75 c0 10 fd <0f> 0b e9 64 ff ff ff e8 d9 6d 4a fd c6 05 2a f9 58 0a 01 48 c7 c7
[   50.951325][ T5058] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   50.951336][ T5058] CPU: 1 PID: 5058 Comm: syz-executor161 Not tainted 6.2.0-rc2-syzkaller-00256-ga689b938df39 #0
[   50.951353][ T5058] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[   50.951361][ T5058] Call Trace:
[   50.951367][ T5058]  <TASK>
[   50.951372][ T5058]  dump_stack_lvl+0x1e3/0x2d0
[   50.951395][ T5058]  ? nf_tcp_handle_invalid+0x630/0x630
[   50.951410][ T5058]  ? panic+0x770/0x770
[   50.951428][ T5058]  ? preempt_schedule_common+0xb7/0xe0
[   50.951447][ T5058]  ? vscnprintf+0x59/0x80
[   50.951468][ T5058]  panic+0x316/0x770
[   50.951487][ T5058]  ? check_panic_on_warn+0x1d/0xa0
[   50.951505][ T5058]  ? memcpy_page_flushcache+0x100/0x100
[   50.951525][ T5058]  ? _raw_spin_unlock_irqrestore+0x128/0x130
[   50.951545][ T5058]  ? _raw_spin_unlock+0x40/0x40
[   50.951563][ T5058]  ? print_report+0x1e0/0x220
[   50.951586][ T5058]  check_panic_on_warn+0x80/0xa0
[   50.951603][ T5058]  ? io_worker_get+0x77/0x2a0
[   50.951617][ T5058]  end_report+0x47/0x90
[   50.951635][ T5058]  kasan_report+0x146/0x170
[   50.951654][ T5058]  ? io_worker_get+0x77/0x2a0
[   50.951670][ T5058]  kasan_check_range+0x2a7/0x2e0
[   50.951690][ T5058]  io_worker_get+0x77/0x2a0
[   50.951704][ T5058]  ? create_worker_cb+0x330/0x330
[   50.951717][ T5058]  ? io_wq_put_and_exit+0x137/0xcb0
[   50.951731][ T5058]  ? __kmem_cache_free+0x71/0x110
[   50.951747][ T5058]  io_wq_put_and_exit+0x2f8/0xcb0
[   50.951764][ T5058]  ? xa_find+0x410/0x410
[   50.951778][ T5058]  ? io_wq_exit_start+0x20/0x20
[   50.951801][ T5058]  ? io_uring_clean_tctx+0x106/0x1d0
[   50.951821][ T5058]  ? __kmem_cache_free+0x71/0x110
[   50.951838][ T5058]  io_uring_clean_tctx+0x164/0x1d0
[   50.951860][ T5058]  ? io_uring_del_tctx_node+0x2b0/0x2b0
[   50.951883][ T5058]  ? io_uring_drop_tctx_refs+0x11b/0x1b0
[   50.951904][ T5058]  io_uring_cancel_generic+0x60e/0x670
[   50.951928][ T5058]  ? io_uring_drop_tctx_refs+0x1b0/0x1b0
[   50.951948][ T5058]  ? wake_bit_function+0x240/0x240
[   50.951966][ T5058]  ? print_irqtrace_events+0x220/0x220
[   50.951982][ T5058]  ? do_exit+0x2150/0x2150
[   50.952006][ T5058]  do_exit+0x2ad/0x2150
[   50.952032][ T5058]  ? mm_update_next_owner+0x6d0/0x6d0
[   50.952056][ T5058]  ? _raw_spin_unlock_irq+0x25/0x40
[   50.952077][ T5058]  do_group_exit+0x1fd/0x2b0
[   50.952099][ T5058]  __x64_sys_exit_group+0x3b/0x40
[   50.952121][ T5058]  do_syscall_64+0x2b/0x70
[   50.952134][ T5058]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   50.952158][ T5058] RIP: 0033:0x7f43fd8b3ce9
[   50.952172][ T5058] Code: 00 49 c7 c0 c0 ff ff ff be e7 00 00 00 ba 3c 00 00 00 eb 12 0f 1f 44 00 00 89 d0 0f 05 48 3d 00 f0 ff ff 77 1c f4 89 f0 0f 05 <48> 3d 00 f0 ff ff 76 e7 f7 d8 64 41 89 00 eb df 0f 1f 80 00 00 00
[   50.952183][ T5058] RSP: 002b:00007fffe594c5b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   50.952200][ T5058] RAX: ffffffffffffffda RBX: 00007f43fd929350 RCX: 00007f43fd8b3ce9
[   50.952211][ T5058] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[   50.952220][ T5058] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[   50.952230][ T5058] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f43fd929350
[   50.952240][ T5058] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[   50.952260][ T5058]  </TASK>
[   50.969428][ T5058] Kernel Offset: disabled
[   51.285433][ T5058] Rebooting in 86400 seconds..