./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3621277457

<...>
Warning: Permanently added '10.128.0.239' (ECDSA) to the list of known hosts.
execve("./syz-executor3621277457", ["./syz-executor3621277457"], 0x7ffd48ee21d0 /* 10 vars */) = 0
brk(NULL)                               = 0x555557165000
brk(0x555557165c40)                     = 0x555557165c40
arch_prctl(ARCH_SET_FS, 0x555557165300) = 0
uname({sysname="Linux", nodename="syzkaller", ...}) = 0
readlink("/proc/self/exe", "/root/syz-executor3621277457", 4096) = 28
brk(0x555557186c40)                     = 0x555557186c40
brk(0x555557187000)                     = 0x555557187000
mprotect(0x7efd8b1c4000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
socket(AF_INET6, SOCK_STREAM, IPPROTO_SCTP) = 3
io_uring_setup(1488, {flags=0, sq_thread_cpu=0, sq_thread_idle=0, sq_entries=2048, cq_entries=4096, features=IORING_FEAT_SINGLE_MMAP|IORING_FEAT_NODROP|IORING_FEAT_SUBMIT_STABLE|IORING_FEAT_RW_CUR_POS|IORING_FEAT_CUR_PERSONALITY|IORING_FEAT_FAST_POLL|IORING_FEAT_POLL_32BITS|IORING_FEAT_SQPOLL_NONFIXED|IORING_FEAT_EXT_ARG|IORING_FEAT_NATIVE_WORKERS|IORING_FEAT_RSRC_TAGS|IORING_FEAT_CQE_SKIP|IORING_FEAT_LINKED_FILE, sq_off={head=0, tail=64, ring_mask=256, ring_entries=264, flags=276, dropped=272, array=65856}, cq_off={head=128, tail=192, ring_mask=260, ring_entries=268, overflow=284, cqes=320, flags=280}}) = 4
mmap(0x20ee8000, 74048, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE, 4, 0) = 0x20ee8000
mmap(0x20eea000, 131072, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE, 4, 0x10000000) = 0x20eea000
io_uring_enter(4, 17678, 0, 0, NULL, 0) = 1
shutdown(3, SHUT_WR)                    = -1 ENOTCONN (Transport endpoint is not connected)
exit_group(0)                           = ?
[   59.253799][ T5082] ==================================================================
[   59.261954][ T5082] BUG: KASAN: use-after-free in io_fallback_tw+0x6d/0x119
[   59.269077][ T5082] Read of size 8 at addr ffff88801eda6948 by task syz-executor362/5082
[   59.277298][ T5082] 
[   59.279607][ T5082] CPU: 0 PID: 5082 Comm: syz-executor362 Not tainted 6.2.0-rc3-next-20230112-syzkaller #0
[   59.289480][ T5082] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[   59.299521][ T5082] Call Trace:
[   59.302785][ T5082]  <TASK>
[   59.305700][ T5082]  dump_stack_lvl+0xd1/0x138
[   59.310300][ T5082]  print_report+0x15e/0x45d
[   59.314792][ T5082]  ? __phys_addr+0xc8/0x140
[   59.319289][ T5082]  ? io_fallback_tw+0x6d/0x119
[   59.324043][ T5082]  kasan_report+0xc0/0xf0
[   59.328364][ T5082]  ? io_fallback_tw+0x6d/0x119
[   59.333115][ T5082]  io_fallback_tw+0x6d/0x119
[   59.337692][ T5082]  tctx_task_work.cold+0xf/0x2c
[   59.342533][ T5082]  ? handle_tw_list+0x460/0x460
[   59.347375][ T5082]  ? lock_downgrade+0x6e0/0x6e0
[   59.352213][ T5082]  ? do_raw_spin_lock+0x124/0x2b0
[   59.357224][ T5082]  ? rwlock_bug.part.0+0x90/0x90
[   59.362149][ T5082]  ? _raw_spin_unlock_irq+0x23/0x50
[   59.367343][ T5082]  task_work_run+0x16f/0x270
[   59.371927][ T5082]  ? task_work_cancel+0x30/0x30
[   59.376770][ T5082]  ? do_raw_spin_unlock+0x175/0x230
[   59.381957][ T5082]  do_exit+0xb17/0x2a90
[   59.386117][ T5082]  ? lock_downgrade+0x6e0/0x6e0
[   59.390956][ T5082]  ? do_raw_spin_lock+0x124/0x2b0
[   59.395987][ T5082]  ? mm_update_next_owner+0x7b0/0x7b0
[   59.401353][ T5082]  ? rwlock_bug.part.0+0x90/0x90
[   59.406279][ T5082]  ? _raw_spin_unlock_irq+0x23/0x50
[   59.411473][ T5082]  do_group_exit+0xd4/0x2a0
[   59.415970][ T5082]  __x64_sys_exit_group+0x3e/0x50
[   59.420977][ T5082]  do_syscall_64+0x39/0xb0
[   59.425384][ T5082]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   59.431273][ T5082] RIP: 0033:0x7efd8b156839
[   59.435671][ T5082] Code: Unable to access opcode bytes at 0x7efd8b15680f.
[   59.442670][ T5082] RSP: 002b:00007fffd4fd7c88 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   59.451069][ T5082] RAX: ffffffffffffffda RBX: 00007efd8b1ca290 RCX: 00007efd8b156839
[   59.459025][ T5082] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[   59.466980][ T5082] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[   59.474934][ T5082] R10: 0000000000000000 R11: 0000000000000246 R12: 00007efd8b1ca290
[   59.482892][ T5082] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[   59.490856][ T5082]  </TASK>
[   59.493858][ T5082] 
[   59.496167][ T5082] Allocated by task 5082:
[   59.500483][ T5082]  kasan_save_stack+0x22/0x40
[   59.505152][ T5082]  kasan_set_track+0x25/0x30
[   59.509726][ T5082]  __kasan_slab_alloc+0x7f/0x90
[   59.514562][ T5082]  kmem_cache_alloc_bulk+0x3aa/0x730
[   59.519851][ T5082]  __io_alloc_req_refill+0xcc/0x40b
[   59.525039][ T5082]  io_submit_sqes.cold+0x7c/0xc2
[   59.529962][ T5082]  __do_sys_io_uring_enter+0x9e4/0x2c10
[   59.535583][ T5082]  do_syscall_64+0x39/0xb0
[   59.539988][ T5082]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   59.545872][ T5082] 
[   59.548178][ T5082] Freed by task 9:
[   59.551878][ T5082]  kasan_save_stack+0x22/0x40
[   59.556546][ T5082]  kasan_set_track+0x25/0x30
[   59.561121][ T5082]  kasan_save_free_info+0x2e/0x40
[   59.566133][ T5082]  ____kasan_slab_free+0x160/0x1c0
[   59.571234][ T5082]  slab_free_freelist_hook+0x8b/0x1c0
[   59.576588][ T5082]  kmem_cache_free+0xec/0x4e0
[   59.581247][ T5082]  io_req_caches_free+0x1a9/0x1e6
[   59.586265][ T5082]  io_ring_exit_work+0x2e7/0xc80
[   59.591186][ T5082]  process_one_work+0x9bf/0x1750
[   59.596111][ T5082]  worker_thread+0x669/0x1090
[   59.600773][ T5082]  kthread+0x2e8/0x3a0
[   59.604826][ T5082]  ret_from_fork+0x1f/0x30
[   59.609239][ T5082] 
[   59.611554][ T5082] The buggy address belongs to the object at ffff88801eda68c0
[   59.611554][ T5082]  which belongs to the cache io_kiocb of size 216
[   59.625327][ T5082] The buggy address is located 136 bytes inside of
[   59.625327][ T5082]  216-byte region [ffff88801eda68c0, ffff88801eda6998)
[   59.638582][ T5082] 
[   59.640891][ T5082] The buggy address belongs to the physical page:
[   59.647283][ T5082] page:ffffea00007b6980 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1eda6
[   59.657431][ T5082] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[   59.664976][ T5082] raw: 00fff00000000200 ffff88814644b780 dead000000000122 0000000000000000
[   59.673548][ T5082] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[   59.682124][ T5082] page dumped because: kasan: bad access detected
[   59.688538][ T5082] page_owner tracks the page as allocated
[   59.694245][ T5082] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 5082, tgid 5082 (syz-executor362), ts 59249655288, free_ts 59248726666
[   59.712812][ T5082]  get_page_from_freelist+0x11bb/0x2d50
[   59.718373][ T5082]  __alloc_pages+0x1cb/0x5c0
[   59.722965][ T5082]  alloc_pages+0x1aa/0x270
[   59.727375][ T5082]  allocate_slab+0x25f/0x350
[   59.731956][ T5082]  ___slab_alloc+0xa91/0x1400
[   59.736621][ T5082]  kmem_cache_alloc_bulk+0x23d/0x730
[   59.741892][ T5082]  __io_alloc_req_refill+0xcc/0x40b
[   59.747079][ T5082]  io_submit_sqes.cold+0x7c/0xc2
[   59.752010][ T5082]  __do_sys_io_uring_enter+0x9e4/0x2c10
[   59.757552][ T5082]  do_syscall_64+0x39/0xb0
[   59.761969][ T5082]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   59.767860][ T5082] page last free stack trace:
[   59.772514][ T5082]  free_pcp_prepare+0x4d0/0x910
[   59.777357][ T5082]  free_unref_page+0x1d/0x490
[   59.782023][ T5082]  skb_free_head+0x96/0x110
[   59.786511][ T5082]  skb_release_data+0x5f4/0x870
[   59.791347][ T5082]  __kfree_skb+0x4f/0x70
[   59.795578][ T5082]  tcp_rcv_established+0x15fd/0x2270
[   59.800858][ T5082]  tcp_v4_do_rcv+0x663/0x9d0
[   59.805443][ T5082]  tcp_v4_rcv+0x2eab/0x3280
[   59.809950][ T5082]  ip_protocol_deliver_rcu+0x9f/0x480
[   59.815341][ T5082]  ip_local_deliver_finish+0x2ec/0x4f0
[   59.820804][ T5082]  ip_local_deliver+0x1ae/0x200
[   59.825646][ T5082]  ip_sublist_rcv_finish+0x9a/0x2c0
[   59.830833][ T5082]  ip_list_rcv_finish.constprop.0+0x4f9/0x6c0
[   59.836891][ T5082]  ip_list_rcv+0x347/0x4a0
[   59.841299][ T5082]  __netif_receive_skb_list_core+0x548/0x8f0
[   59.847280][ T5082]  netif_receive_skb_list_internal+0x75f/0xdc0
[   59.854838][ T5082] 
[   59.857151][ T5082] Memory state around the buggy address:
[   59.862778][ T5082]  ffff88801eda6800: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
[   59.870828][ T5082]  ffff88801eda6880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   59.878889][ T5082] >ffff88801eda6900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   59.886942][ T5082]                                               ^
[   59.893343][ T5082]  ffff88801eda6980: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
[   59.901402][ T5082]  ffff88801eda6a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   59.909456][ T5082] ==================================================================
[   59.917738][ T5082] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   59.924952][ T5082] CPU: 1 PID: 5082 Comm: syz-executor362 Not tainted 6.2.0-rc3-next-20230112-syzkaller #0
[   59.934848][ T5082] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[   59.944908][ T5082] Call Trace:
[   59.948191][ T5082]  <TASK>
[   59.951123][ T5082]  dump_stack_lvl+0xd1/0x138
[   59.955727][ T5082]  panic+0x2cc/0x626
[   59.959640][ T5082]  ? panic_print_sys_info.part.0+0x112/0x112
[   59.965643][ T5082]  ? preempt_schedule_thunk+0x1a/0x20
[   59.971036][ T5082]  ? preempt_schedule_common+0x59/0xc0
[   59.976512][ T5082]  check_panic_on_warn.cold+0x19/0x35
[   59.981935][ T5082]  end_report.part.0+0x36/0x73
[   59.986734][ T5082]  ? io_fallback_tw+0x6d/0x119
[   59.991536][ T5082]  kasan_report.cold+0xa/0xf
[   59.996159][ T5082]  ? io_fallback_tw+0x6d/0x119
[   60.001204][ T5082]  io_fallback_tw+0x6d/0x119
[   60.005814][ T5082]  tctx_task_work.cold+0xf/0x2c
[   60.010687][ T5082]  ? handle_tw_list+0x460/0x460
[   60.015551][ T5082]  ? lock_downgrade+0x6e0/0x6e0
[   60.020411][ T5082]  ? do_raw_spin_lock+0x124/0x2b0
[   60.025446][ T5082]  ? rwlock_bug.part.0+0x90/0x90
[   60.030393][ T5082]  ? _raw_spin_unlock_irq+0x23/0x50
[   60.035651][ T5082]  task_work_run+0x16f/0x270
[   60.040266][ T5082]  ? task_work_cancel+0x30/0x30
[   60.045133][ T5082]  ? do_raw_spin_unlock+0x175/0x230
[   60.050348][ T5082]  do_exit+0xb17/0x2a90
[   60.054527][ T5082]  ? lock_downgrade+0x6e0/0x6e0
[   60.059382][ T5082]  ? do_raw_spin_lock+0x124/0x2b0
[   60.064420][ T5082]  ? mm_update_next_owner+0x7b0/0x7b0
[   60.069853][ T5082]  ? rwlock_bug.part.0+0x90/0x90
[   60.074803][ T5082]  ? _raw_spin_unlock_irq+0x23/0x50
[   60.080025][ T5082]  do_group_exit+0xd4/0x2a0
[   60.084549][ T5082]  __x64_sys_exit_group+0x3e/0x50
[   60.089579][ T5082]  do_syscall_64+0x39/0xb0
[   60.094008][ T5082]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   60.099918][ T5082] RIP: 0033:0x7efd8b156839
[   60.104337][ T5082] Code: Unable to access opcode bytes at 0x7efd8b15680f.
[   60.111350][ T5082] RSP: 002b:00007fffd4fd7c88 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   60.119767][ T5082] RAX: ffffffffffffffda RBX: 00007efd8b1ca290 RCX: 00007efd8b156839
[   60.127742][ T5082] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[   60.135714][ T5082] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[   60.143692][ T5082] R10: 0000000000000000 R11: 0000000000000246 R12: 00007efd8b1ca290
[   60.151670][ T5082] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[   60.159651][ T5082]  </TASK>
[   60.162819][ T5082] Kernel Offset: disabled
[   60.167143][ T5082] Rebooting in 86400 seconds..