DUID 00:04:9b:41:e3:df:54:6f:ca:1f:62:a0:1b:7c:64:71:74:ce
forked to background, child pid 3181
[   29.773551][ T3182] 8021q: adding VLAN 0 to HW filter on device bond0
[   29.787709][ T3182] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK

syzkaller
Warning: Permanently added '10.128.0.152' (ECDSA) to the list of known hosts.
syzkaller login: [   50.637394][ T3597] cgroup: Unknown subsys name 'net'
[   50.775071][ T3597] cgroup: Unknown subsys name 'rlimit'
executing program
executing program
executing program
executing program
executing program
executing program
[   51.189705][ T3621] cgroup: fork rejected by pids controller in /syz5
[   51.250546][ T3619] cgroup: fork rejected by pids controller in /syz1
[   51.334352][ T3267] ==================================================================
[   51.342542][ T3267] BUG: KASAN: use-after-free in io_queue_worker_create+0x1cc/0x320
[   51.350549][ T3267] Write of size 8 at addr ffff88807b52f0d8 by task kworker/0:3/3267
[   51.358529][ T3267] 
[   51.360857][ T3267] CPU: 0 PID: 3267 Comm: kworker/0:3 Not tainted 5.16.0-rc4-syzkaller #0
[   51.369270][ T3267] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
executing program
executing program
executing program
executing program
[   51.379340][ T3267] Workqueue: events io_workqueue_create
[   51.384899][ T3267] Call Trace:
[   51.388185][ T3267]  <TASK>
[   51.391124][ T3267]  dump_stack_lvl+0x1dc/0x2d8
[   51.395819][ T3267]  ? show_regs_print_info+0x12/0x12
[   51.401024][ T3267]  ? _printk+0xcf/0x118
[   51.405198][ T3267]  ? wake_up_klogd+0xb2/0xf0
[   51.409800][ T3267]  ? log_buf_vmcoreinfo_setup+0x498/0x498
[   51.415526][ T3267]  ? _raw_spin_lock_irqsave+0xdd/0x120
[   51.419405][ T3927] cgroup: fork rejected by pids controller in /syz0
[   51.421029][ T3267]  print_address_description+0x65/0x380
[   51.433144][ T3267]  ? io_queue_worker_create+0x1cc/0x320
[   51.438683][ T3267]  kasan_report+0x19a/0x1f0
[   51.443178][ T3267]  ? io_queue_worker_create+0x1cc/0x320
[   51.448713][ T3267]  kasan_check_range+0x2b5/0x2f0
[   51.453640][ T3267]  io_queue_worker_create+0x1cc/0x320
[   51.458997][ T3267]  ? io_worker_cancel_cb+0x210/0x210
[   51.464282][ T3267]  io_workqueue_create+0x75/0xb0
[   51.469222][ T3267]  process_one_work+0x853/0x1140
[   51.474172][ T3267]  ? worker_detach_from_pool+0x260/0x260
[   51.479798][ T3267]  ? _raw_spin_lock_irqsave+0x120/0x120
[   51.485341][ T3267]  ? kthread_data+0x4d/0xc0
[   51.489841][ T3267]  ? wq_worker_running+0x8b/0x140
[   51.494863][ T3267]  worker_thread+0xac1/0x1320
[   51.499547][ T3267]  ? __kthread_parkme+0x166/0x1c0
[   51.504566][ T3267]  kthread+0x468/0x490
[   51.508623][ T3267]  ? rcu_lock_release+0x20/0x20
[   51.513460][ T3267]  ? kthread_blkcg+0xd0/0xd0
[   51.518036][ T3267]  ret_from_fork+0x1f/0x30
[   51.522454][ T3267]  </TASK>
[   51.525459][ T3267] 
[   51.527768][ T3267] Allocated by task 3621:
[   51.532075][ T3267]  ____kasan_kmalloc+0xdc/0x110
[   51.536915][ T3267]  kmem_cache_alloc_node_trace+0x26f/0x370
[   51.542703][ T3267]  create_io_worker+0xef/0x630
[   51.547449][ T3267]  create_worker_cb+0x16e/0x340
[   51.552281][ T3267]  task_work_run+0x146/0x1c0
[   51.556856][ T3267]  exit_to_user_mode_prepare+0x180/0x220
[   51.562477][ T3267]  syscall_exit_to_user_mode+0x2e/0x70
[   51.567921][ T3267]  do_syscall_64+0x53/0xd0
[   51.572323][ T3267]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   51.578201][ T3267] 
[   51.580511][ T3267] Freed by task 3621:
[   51.584469][ T3267]  kasan_set_track+0x4c/0x80
[   51.589041][ T3267]  kasan_set_free_info+0x1f/0x40
[   51.593965][ T3267]  ____kasan_slab_free+0x10d/0x150
[   51.599061][ T3267]  slab_free_freelist_hook+0x12e/0x1a0
[   51.604504][ T3267]  kfree+0xe1/0x330
[   51.608298][ T3267]  create_worker_cont+0x4ca/0x5a0
[   51.613328][ T3267]  task_work_run+0x146/0x1c0
[   51.617904][ T3267]  exit_to_user_mode_prepare+0x180/0x220
[   51.623524][ T3267]  syscall_exit_to_user_mode+0x2e/0x70
[   51.628967][ T3267]  do_syscall_64+0x53/0xd0
[   51.633367][ T3267]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   51.639247][ T3267] 
[   51.641555][ T3267] Last potentially related work creation:
[   51.647338][ T3267]  kasan_save_stack+0x3b/0x60
[   51.651997][ T3267]  __kasan_record_aux_stack+0xfa/0x130
[   51.657444][ T3267]  task_work_add+0x2f/0x1b0
[   51.661937][ T3267]  io_queue_worker_create+0x1b4/0x320
[   51.667293][ T3267]  io_workqueue_create+0x75/0xb0
[   51.672214][ T3267]  process_one_work+0x853/0x1140
[   51.677135][ T3267]  worker_thread+0xac1/0x1320
[   51.681795][ T3267]  kthread+0x468/0x490
[   51.685846][ T3267]  ret_from_fork+0x1f/0x30
[   51.690257][ T3267] 
[   51.692567][ T3267] Second to last potentially related work creation:
[   51.699131][ T3267]  kasan_save_stack+0x3b/0x60
[   51.703795][ T3267]  __kasan_record_aux_stack+0xfa/0x130
[   51.709238][ T3267]  insert_work+0x54/0x400
[   51.713550][ T3267]  __queue_work+0x928/0xc60
[   51.718037][ T3267]  queue_work_on+0x12b/0x220
[   51.722610][ T3267]  create_worker_cont+0x442/0x5a0
[   51.727621][ T3267]  task_work_run+0x146/0x1c0
[   51.732197][ T3267]  exit_to_user_mode_prepare+0x180/0x220
[   51.737820][ T3267]  syscall_exit_to_user_mode+0x2e/0x70
[   51.743272][ T3267]  do_syscall_64+0x53/0xd0
[   51.747687][ T3267]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   51.753569][ T3267] 
[   51.755885][ T3267] The buggy address belongs to the object at ffff88807b52f000
[   51.755885][ T3267]  which belongs to the cache kmalloc-512 of size 512
[   51.769928][ T3267] The buggy address is located 216 bytes inside of
[   51.769928][ T3267]  512-byte region [ffff88807b52f000, ffff88807b52f200)
[   51.783199][ T3267] The buggy address belongs to the page:
[   51.788843][ T3267] page:ffffea0001ed4b00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7b52c
[   51.798986][ T3267] head:ffffea0001ed4b00 order:2 compound_mapcount:0 compound_pincount:0
[   51.807309][ T3267] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[   51.815290][ T3267] raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888011441c80
[   51.823863][ T3267] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[   51.832426][ T3267] page dumped because: kasan: bad access detected
[   51.838817][ T3267] page_owner tracks the page as allocated
[   51.844510][ T3267] page last allocated via order 2, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 3621, ts 51184877647, free_ts 17901522119
[   51.864988][ T3267]  get_page_from_freelist+0x729/0x9e0
[   51.870382][ T3267]  __alloc_pages+0x255/0x580
[   51.874965][ T3267]  allocate_slab+0x89/0x4d0
[   51.879456][ T3267]  ___slab_alloc+0x41e/0xc40
[   51.884037][ T3267]  kmem_cache_alloc_node_trace+0x2ca/0x370
[   51.889839][ T3267]  create_io_worker+0xef/0x630
[   51.894612][ T3267]  create_worker_cb+0x16e/0x340
[   51.899463][ T3267]  task_work_run+0x146/0x1c0
[   51.904058][ T3267]  exit_to_user_mode_prepare+0x180/0x220
[   51.909684][ T3267]  syscall_exit_to_user_mode+0x2e/0x70
[   51.915137][ T3267]  do_syscall_64+0x53/0xd0
[   51.919648][ T3267]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   51.925540][ T3267] page last free stack trace:
[   51.930203][ T3267]  free_pcp_prepare+0xd1c/0xe00
[   51.935048][ T3267]  free_unref_page+0x7d/0x580
[   51.939710][ T3267]  __unfreeze_partials+0x1ab/0x200
[   51.944823][ T3267]  put_cpu_partial+0x116/0x180
[   51.949580][ T3267]  ___cache_free+0xe6/0x120
[   51.954067][ T3267]  kasan_quarantine_reduce+0x151/0x1c0
[   51.959512][ T3267]  __kasan_slab_alloc+0x2f/0xf0
[   51.964349][ T3267]  __kmalloc+0x1ed/0x380
[   51.968573][ T3267]  tomoyo_realpath_from_path+0xd8/0x610
[   51.974133][ T3267]  tomoyo_path_perm+0x238/0x660
[   51.979047][ T3267]  security_inode_getattr+0xc0/0x140
[   51.984336][ T3267]  vfs_statx+0x168/0x3f0
[   51.988568][ T3267]  __se_sys_newfstatat+0xc8/0x760
[   51.993589][ T3267]  do_syscall_64+0x44/0xd0
[   51.998004][ T3267]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   52.003889][ T3267] 
[   52.006200][ T3267] Memory state around the buggy address:
[   52.011813][ T3267]  ffff88807b52ef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   52.019855][ T3267]  ffff88807b52f000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   52.027898][ T3267] >ffff88807b52f080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
executing program
[   52.035937][ T3267]                                                     ^
[   52.042851][ T3267]  ffff88807b52f100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   52.050894][ T3267]  ffff88807b52f180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   52.058935][ T3267] ==================================================================
[   52.066976][ T3267] Disabling lock debugging due to kernel taint
executing program
[   52.122640][ T3926] cgroup: fork rejected by pids controller in /syz3
[   52.156989][ T3928] cgroup: fork rejected by pids controller in /syz2
executing program
[   52.197223][ T3267] Kernel panic - not syncing: panic_on_warn set ...
[   52.203840][ T3267] CPU: 0 PID: 3267 Comm: kworker/0:3 Tainted: G    B             5.16.0-rc4-syzkaller #0
[   52.213647][ T3267] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   52.223712][ T3267] Workqueue: events io_workqueue_create
[   52.229273][ T3267] Call Trace:
[   52.232552][ T3267]  <TASK>
[   52.235481][ T3267]  dump_stack_lvl+0x1dc/0x2d8
[   52.240166][ T3267]  ? show_regs_print_info+0x12/0x12
[   52.244000][ T4385] cgroup: fork rejected by pids controller in /syz4
[   52.245371][ T3267]  ? log_buf_vmcoreinfo_setup+0x498/0x498
[   52.245382][ T4385] 
[   52.245394][ T3267]  ? preempt_schedule+0x16b/0x190
[   52.264968][ T3267]  ? schedule_preempt_disabled+0x20/0x20
[   52.270610][ T3267]  panic+0x2d6/0x810
[   52.274507][ T3267]  ? trace_hardirqs_on+0x30/0x80
[   52.279448][ T3267]  ? nmi_panic+0x90/0x90
[   52.283691][ T3267]  ? _raw_spin_unlock_irqrestore+0x128/0x130
[   52.289675][ T3267]  ? print_memory_metadata+0xe0/0x140
[   52.295074][ T3267]  ? io_queue_worker_create+0x1cc/0x320
[   52.300620][ T3267]  end_report+0x83/0x90
[   52.304779][ T3267]  kasan_report+0x1bf/0x1f0
[   52.309264][ T3267]  ? io_queue_worker_create+0x1cc/0x320
[   52.315347][ T3267]  kasan_check_range+0x2b5/0x2f0
[   52.324240][ T3267]  io_queue_worker_create+0x1cc/0x320
[   52.332042][ T3267]  ? io_worker_cancel_cb+0x210/0x210
[   52.341418][ T3267]  io_workqueue_create+0x75/0xb0
[   52.346873][ T3267]  process_one_work+0x853/0x1140
[   52.351803][ T3267]  ? worker_detach_from_pool+0x260/0x260
[   52.357420][ T3267]  ? _raw_spin_lock_irqsave+0x120/0x120
[   52.362947][ T3267]  ? kthread_data+0x4d/0xc0
[   52.367431][ T3267]  ? wq_worker_running+0x8b/0x140
[   52.372445][ T3267]  worker_thread+0xac1/0x1320
[   52.377108][ T3267]  ? __kthread_parkme+0x166/0x1c0
[   52.382128][ T3267]  kthread+0x468/0x490
[   52.386178][ T3267]  ? rcu_lock_release+0x20/0x20
[   52.391011][ T3267]  ? kthread_blkcg+0xd0/0xd0
[   52.395583][ T3267]  ret_from_fork+0x1f/0x30
[   52.400164][ T3267]  </TASK>
[   52.403398][ T3267] Kernel Offset: disabled
[   52.407794][ T3267] Rebooting in 86400 seconds..