DUID 00:04:e6:bc:8e:bc:c3:7a:f3:fc:35:c5:a5:4f:9b:64:01:ce
forked to background, child pid 4652
[   37.774656][ T4653] 8021q: adding VLAN 0 to HW filter on device bond0
[   37.784911][ T4653] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK

syzkaller
Warning: Permanently added '10.128.0.61' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   62.925071][ T5073] ==================================================================
[   62.933174][ T5073] BUG: KASAN: use-after-free in io_fallback_tw+0x6d/0x119
[   62.940295][ T5073] Read of size 8 at addr ffff88801d73b948 by task syz-executor352/5073
[   62.948526][ T5073] 
[   62.950847][ T5073] CPU: 1 PID: 5073 Comm: syz-executor352 Not tainted 6.2.0-rc3-next-20230112-syzkaller #0
[   62.960728][ T5073] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[   62.970875][ T5073] Call Trace:
[   62.974144][ T5073]  <TASK>
[   62.977072][ T5073]  dump_stack_lvl+0xd1/0x138
[   62.981674][ T5073]  print_report+0x15e/0x45d
[   62.986214][ T5073]  ? __phys_addr+0xc8/0x140
[   62.990720][ T5073]  ? io_fallback_tw+0x6d/0x119
[   62.995479][ T5073]  kasan_report+0xc0/0xf0
[   62.999803][ T5073]  ? io_fallback_tw+0x6d/0x119
[   63.004561][ T5073]  io_fallback_tw+0x6d/0x119
[   63.009149][ T5073]  tctx_task_work.cold+0xf/0x2c
[   63.013994][ T5073]  ? handle_tw_list+0x460/0x460
[   63.018841][ T5073]  ? lock_downgrade+0x6e0/0x6e0
[   63.023684][ T5073]  ? do_raw_spin_lock+0x124/0x2b0
[   63.028711][ T5073]  ? rwlock_bug.part.0+0x90/0x90
[   63.033666][ T5073]  ? _raw_spin_unlock_irq+0x23/0x50
[   63.038900][ T5073]  task_work_run+0x16f/0x270
[   63.043517][ T5073]  ? task_work_cancel+0x30/0x30
[   63.048404][ T5073]  ? do_raw_spin_unlock+0x175/0x230
[   63.053622][ T5073]  do_exit+0xb17/0x2a90
[   63.057804][ T5073]  ? lock_downgrade+0x6e0/0x6e0
[   63.062666][ T5073]  ? do_raw_spin_lock+0x124/0x2b0
[   63.067703][ T5073]  ? mm_update_next_owner+0x7b0/0x7b0
[   63.073103][ T5073]  ? rwlock_bug.part.0+0x90/0x90
[   63.078057][ T5073]  ? _raw_spin_unlock_irq+0x23/0x50
[   63.083288][ T5073]  do_group_exit+0xd4/0x2a0
[   63.087821][ T5073]  __x64_sys_exit_group+0x3e/0x50
[   63.092863][ T5073]  do_syscall_64+0x39/0xb0
[   63.097309][ T5073]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   63.103231][ T5073] RIP: 0033:0x7f3cb08f11d9
[   63.107652][ T5073] Code: Unable to access opcode bytes at 0x7f3cb08f11af.
[   63.114675][ T5073] RSP: 002b:00007ffe15c94ac8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   63.123103][ T5073] RAX: ffffffffffffffda RBX: 00007f3cb0965350 RCX: 00007f3cb08f11d9
[   63.131084][ T5073] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[   63.139063][ T5073] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[   63.147132][ T5073] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f3cb0965350
[   63.155117][ T5073] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[   63.163130][ T5073]  </TASK>
[   63.166158][ T5073] 
[   63.168481][ T5073] Allocated by task 5073:
[   63.172809][ T5073]  kasan_save_stack+0x22/0x40
[   63.177504][ T5073]  kasan_set_track+0x25/0x30
[   63.182111][ T5073]  __kasan_slab_alloc+0x7f/0x90
[   63.186977][ T5073]  kmem_cache_alloc_bulk+0x3aa/0x730
[   63.192275][ T5073]  __io_alloc_req_refill+0xcc/0x40b
[   63.197487][ T5073]  io_submit_sqes.cold+0x7c/0xc2
[   63.202436][ T5073]  __do_sys_io_uring_enter+0x9e4/0x2c10
[   63.208004][ T5073]  do_syscall_64+0x39/0xb0
[   63.212434][ T5073]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   63.218347][ T5073] 
[   63.220683][ T5073] Freed by task 2849:
[   63.224674][ T5073]  kasan_save_stack+0x22/0x40
[   63.229368][ T5073]  kasan_set_track+0x25/0x30
[   63.233978][ T5073]  kasan_save_free_info+0x2e/0x40
[   63.239022][ T5073]  ____kasan_slab_free+0x160/0x1c0
[   63.244164][ T5073]  slab_free_freelist_hook+0x8b/0x1c0
[   63.249567][ T5073]  kmem_cache_free+0xec/0x4e0
[   63.254265][ T5073]  io_req_caches_free+0x1a9/0x1e6
[   63.259315][ T5073]  io_ring_exit_work+0x2e7/0xc80
[   63.264271][ T5073]  process_one_work+0x9bf/0x1750
[   63.269230][ T5073]  worker_thread+0x669/0x1090
[   63.273925][ T5073]  kthread+0x2e8/0x3a0
[   63.278006][ T5073]  ret_from_fork+0x1f/0x30
[   63.282446][ T5073] 
[   63.284770][ T5073] The buggy address belongs to the object at ffff88801d73b8c0
[   63.284770][ T5073]  which belongs to the cache io_kiocb of size 216
[   63.298571][ T5073] The buggy address is located 136 bytes inside of
[   63.298571][ T5073]  216-byte region [ffff88801d73b8c0, ffff88801d73b998)
[   63.311857][ T5073] 
[   63.314179][ T5073] The buggy address belongs to the physical page:
[   63.320586][ T5073] page:ffffea000075cec0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d73b
[   63.330745][ T5073] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[   63.338311][ T5073] raw: 00fff00000000200 ffff8881462addc0 dead000000000122 0000000000000000
[   63.346906][ T5073] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[   63.355488][ T5073] page dumped because: kasan: bad access detected
[   63.361906][ T5073] page_owner tracks the page as allocated
[   63.367630][ T5073] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 5073, tgid 5073 (syz-executor352), ts 62921585547, free_ts 56906351171
[   63.386320][ T5073]  get_page_from_freelist+0x11bb/0x2d50
[   63.391893][ T5073]  __alloc_pages+0x1cb/0x5c0
[   63.396502][ T5073]  alloc_pages+0x1aa/0x270
[   63.400942][ T5073]  allocate_slab+0x25f/0x350
[   63.405543][ T5073]  ___slab_alloc+0xa91/0x1400
[   63.410231][ T5073]  kmem_cache_alloc_bulk+0x23d/0x730
[   63.415526][ T5073]  __io_alloc_req_refill+0xcc/0x40b
[   63.420740][ T5073]  io_submit_sqes.cold+0x7c/0xc2
[   63.425691][ T5073]  __do_sys_io_uring_enter+0x9e4/0x2c10
[   63.431256][ T5073]  do_syscall_64+0x39/0xb0
[   63.435868][ T5073]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   63.441789][ T5073] page last free stack trace:
[   63.446468][ T5073]  free_pcp_prepare+0x4d0/0x910
[   63.451343][ T5073]  free_unref_page+0x1d/0x490
[   63.456048][ T5073]  __unfreeze_partials+0x17c/0x1a0
[   63.461177][ T5073]  qlist_free_all+0x6a/0x170
[   63.465797][ T5073]  kasan_quarantine_reduce+0x192/0x220
[   63.471282][ T5073]  __kasan_slab_alloc+0x63/0x90
[   63.476179][ T5073]  kmem_cache_alloc_node+0x183/0x350
[   63.481479][ T5073]  __alloc_skb+0x216/0x310
[   63.485908][ T5073]  tcp_stream_alloc_skb+0x3c/0x580
[   63.491041][ T5073]  tcp_sendmsg_locked+0xc47/0x2950
[   63.496172][ T5073]  tcp_sendmsg+0x2f/0x50
[   63.500428][ T5073]  inet_sendmsg+0x9d/0xe0
[   63.504794][ T5073]  sock_sendmsg+0xd3/0x120
[   63.509234][ T5073]  sock_write_iter+0x295/0x3d0
[   63.514021][ T5073]  vfs_write+0x9ed/0xe10
[   63.518285][ T5073]  ksys_write+0x1ec/0x250
[   63.522629][ T5073] 
[   63.524971][ T5073] Memory state around the buggy address:
[   63.530594][ T5073]  ffff88801d73b800: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
[   63.538658][ T5073]  ffff88801d73b880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   63.546720][ T5073] >ffff88801d73b900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   63.554778][ T5073]                                               ^
[   63.561187][ T5073]  ffff88801d73b980: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
[   63.569278][ T5073]  ffff88801d73ba00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   63.577340][ T5073] ==================================================================
[   63.587626][ T5073] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   63.594889][ T5073] CPU: 0 PID: 5073 Comm: syz-executor352 Not tainted 6.2.0-rc3-next-20230112-syzkaller #0
[   63.604788][ T5073] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[   63.614856][ T5073] Call Trace:
[   63.618143][ T5073]  <TASK>
[   63.621075][ T5073]  dump_stack_lvl+0xd1/0x138
[   63.625682][ T5073]  panic+0x2cc/0x626
[   63.629601][ T5073]  ? panic_print_sys_info.part.0+0x112/0x112
[   63.635611][ T5073]  ? preempt_schedule_thunk+0x1a/0x20
[   63.641008][ T5073]  ? preempt_schedule_common+0x59/0xc0
[   63.646488][ T5073]  check_panic_on_warn.cold+0x19/0x35
[   63.651887][ T5073]  end_report.part.0+0x36/0x73
[   63.656660][ T5073]  ? io_fallback_tw+0x6d/0x119
[   63.661437][ T5073]  kasan_report.cold+0xa/0xf
[   63.666125][ T5073]  ? io_fallback_tw+0x6d/0x119
[   63.670911][ T5073]  io_fallback_tw+0x6d/0x119
[   63.675513][ T5073]  tctx_task_work.cold+0xf/0x2c
[   63.680380][ T5073]  ? handle_tw_list+0x460/0x460
[   63.685245][ T5073]  ? lock_downgrade+0x6e0/0x6e0
[   63.690117][ T5073]  ? do_raw_spin_lock+0x124/0x2b0
[   63.695159][ T5073]  ? rwlock_bug.part.0+0x90/0x90
[   63.700109][ T5073]  ? _raw_spin_unlock_irq+0x23/0x50
[   63.705334][ T5073]  task_work_run+0x16f/0x270
[   63.709951][ T5073]  ? task_work_cancel+0x30/0x30
[   63.714830][ T5073]  ? do_raw_spin_unlock+0x175/0x230
[   63.720051][ T5073]  do_exit+0xb17/0x2a90
[   63.724228][ T5073]  ? lock_downgrade+0x6e0/0x6e0
[   63.729086][ T5073]  ? do_raw_spin_lock+0x124/0x2b0
[   63.734134][ T5073]  ? mm_update_next_owner+0x7b0/0x7b0
[   63.739533][ T5073]  ? rwlock_bug.part.0+0x90/0x90
[   63.744489][ T5073]  ? _raw_spin_unlock_irq+0x23/0x50
[   63.749715][ T5073]  do_group_exit+0xd4/0x2a0
[   63.754246][ T5073]  __x64_sys_exit_group+0x3e/0x50
[   63.759280][ T5073]  do_syscall_64+0x39/0xb0
[   63.763709][ T5073]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   63.769631][ T5073] RIP: 0033:0x7f3cb08f11d9
[   63.774055][ T5073] Code: Unable to access opcode bytes at 0x7f3cb08f11af.
[   63.781074][ T5073] RSP: 002b:00007ffe15c94ac8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   63.789500][ T5073] RAX: ffffffffffffffda RBX: 00007f3cb0965350 RCX: 00007f3cb08f11d9
[   63.797478][ T5073] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[   63.805461][ T5073] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[   63.813438][ T5073] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f3cb0965350
[   63.821499][ T5073] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[   63.829483][ T5073]  </TASK>
[   63.832659][ T5073] Kernel Offset: disabled
[   63.836983][ T5073] Rebooting in 86400 seconds..