==================================================================
BUG: KFENCE: use-after-free write in instrument_atomic_write include/linux/instrumented.h:86 [inline]
BUG: KFENCE: use-after-free write in clear_bit_unlock include/asm-generic/bitops/instrumented-lock.h:26 [inline]
BUG: KFENCE: use-after-free write in io_queue_worker_create+0x453/0x4e0 fs/io-wq.c:366

Use-after-free write at 0xffff88823bcd20d8 (in kfence-#104):
 instrument_atomic_write include/linux/instrumented.h:86 [inline]
 clear_bit_unlock include/asm-generic/bitops/instrumented-lock.h:26 [inline]
 io_queue_worker_create+0x453/0x4e0 fs/io-wq.c:366
 io_workqueue_create+0x9e/0xe0 fs/io-wq.c:780
 process_one_work+0x9ac/0x1680 kernel/workqueue.c:2307
 worker_thread+0x652/0x11c0 kernel/workqueue.c:2454
 kthread+0x405/0x4f0 kernel/kthread.c:345
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

kfence-#104: 0xffff88823bcd2000-0xffff88823bcd213f, size=320, cache=kmalloc-512

allocated by task 19925 on cpu 1 at 1588.378338s:
 kmalloc_node include/linux/slab.h:599 [inline]
 kzalloc_node include/linux/slab.h:726 [inline]
 create_io_worker+0x108/0x640 fs/io-wq.c:792
 create_worker_cb+0x202/0x270 fs/io-wq.c:332
 task_work_run+0xdd/0x1a0 kernel/task_work.c:164
 tracehook_notify_signal include/linux/tracehook.h:214 [inline]
 handle_signal_work kernel/entry/common.c:146 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
 exit_to_user_mode_prepare+0x256/0x290 kernel/entry/common.c:207
 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
 syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300
 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x44/0xae

freed by task 19925 on cpu 1 at 1588.874613s:
 create_worker_cont+0x406/0x560 fs/io-wq.c:766
 task_work_run+0xdd/0x1a0 kernel/task_work.c:164
 tracehook_notify_signal include/linux/tracehook.h:214 [inline]
 handle_signal_work kernel/entry/common.c:146 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
 exit_to_user_mode_prepare+0x256/0x290 kernel/entry/common.c:207
 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
 syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300
 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x44/0xae

CPU: 1 PID: 15027 Comm: kworker/1:4 Not tainted 5.16.0-rc4-next-20211210-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events io_workqueue_create
RIP: 0010:arch_clear_bit arch/x86/include/asm/bitops.h:75 [inline]
RIP: 0010:arch_clear_bit_unlock arch/x86/include/asm/bitops.h:88 [inline]
RIP: 0010:clear_bit_unlock include/asm-generic/bitops/instrumented-lock.h:27 [inline]
RIP: 0010:io_queue_worker_create+0x453/0x4e0 fs/io-wq.c:366
Code: 03 f1 fc 01 e9 32 fe ff ff e8 59 18 8d ff 44 89 7c 24 30 e9 80 fd ff ff e8 4a 18 8d ff be 08 00 00 00 4c 89 f7 e8 cd 13 d8 ff <f0> 80 a5 d8 00 00 00 fe 41 bc 01 00 00 00 e9 ce fc ff ff e8 25 18
RSP: 0018:ffffc90007fa7c58 EFLAGS: 00010246
RAX: 0000000000000001 RBX: ffff8880700bdb00 RCX: ffffffff81eae343
RDX: ffffed104779a41c RSI: 0000000000000008 RDI: ffff88823bcd20d8
RBP: ffff88823bcd2000 R08: 0000000000000001 R09: ffff88823bcd20df
R10: ffffed104779a41b R11: 0000000000000000 R12: ffff88807d2b6068
R13: 1ffff92000ff4f8d R14: ffff88823bcd20d8 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88823bcd20d8 CR3: 0000000077350000 CR4: 00000000003526e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 000000000000d0eb
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Call Trace:
 io_workqueue_create+0x9e/0xe0 fs/io-wq.c:780
 process_one_work+0x9ac/0x1680 kernel/workqueue.c:2307
 worker_thread+0x652/0x11c0 kernel/workqueue.c:2454
 kthread+0x405/0x4f0 kernel/kthread.c:345
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
==================================================================
----------------
Code disassembly (best guess), 4 bytes skipped:
   0:   e9 32 fe ff ff          jmpq   0xfffffe37
   5:   e8 59 18 8d ff          callq  0xff8d1863
   a:   44 89 7c 24 30          mov    %r15d,0x30(%rsp)
   f:   e9 80 fd ff ff          jmpq   0xfffffd94
  14:   e8 4a 18 8d ff          callq  0xff8d1863
  19:   be 08 00 00 00          mov    $0x8,%esi
  1e:   4c 89 f7                mov    %r14,%rdi
  21:   e8 cd 13 d8 ff          callq  0xffd813f3
* 26:   f0 80 a5 d8 00 00 00    lock andb $0xfe,0xd8(%rbp) <-- trapping instruction
  2d:   fe
  2e:   41 bc 01 00 00 00       mov    $0x1,%r12d
  34:   e9 ce fc ff ff          jmpq   0xfffffd07
  39:   e8                      .byte 0xe8
  3a:   25                      .byte 0x25
  3b:   18                      .byte 0x18