syzkaller login: [ 25.851869][ T2993] sftp-server (2993) used greatest stack depth: 22608 bytes left
[ 32.855030][ T3010] cgroup: Unknown subsys name 'net'
[ 32.985729][ T3010] cgroup: Unknown subsys name 'rlimit'
[ 33.211962][ T3010] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 33.548800][ T3014] veth0_vlan: entered promiscuous mode
[ 33.710821][ T3014] syz-executor.0 (3014) used greatest stack depth: 21904 bytes left
[ 33.994549][ T2112] veth0_vlan: left promiscuous mode
[ 34.950254][ T3005] UDPLite6: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
[ 35.136390][ T3005] UDPLite: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
Warning: Permanently added '10.128.0.85' (ED25519) to the list of known hosts.
2024/03/02 22:50:28 ignoring optional flag "sandboxArg"="0"
2024/03/02 22:50:28 parsed 1 programs
2024/03/02 22:50:28 executed programs: 0
[ 55.285179][ T3137] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 56.697858][ T3143] veth0_vlan: entered promiscuous mode
[ 57.326548][ T3332] ==================================================================
[ 57.335440][ T3332] BUG: KASAN: slab-use-after-free in __se_sys_io_cancel+0x30b/0x310
[ 57.343857][ T3332] Read of size 4 at addr ffff8880784372a0 by task syz-executor.0/3332
[ 57.352306][ T3332]
[ 57.354810][ T3332] CPU: 0 PID: 3332 Comm: syz-executor.0 Not tainted 6.8.0-rc6-syzkaller #0
[ 57.363548][ T3332] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
[ 57.373611][ T3332] Call Trace:
[ 57.376891][ T3332]
[ 57.379924][ T3332] dump_stack_lvl+0xf8/0x260
[ 57.384609][ T3332] ? __pfx_dump_stack_lvl+0x10/0x10
[ 57.389906][ T3332] ? __pfx__printk+0x10/0x10
[ 57.394481][ T3332] ? _printk+0xce/0x120
[ 57.398634][ T3332] ? __virt_addr_valid+0x141/0x260
[ 57.403999][ T3332] ? __virt_addr_valid+0x219/0x260
[ 57.409169][ T3332] print_report+0x167/0x540
[ 57.413670][ T3332] ? __virt_addr_valid+0x141/0x260
[ 57.418771][ T3332] ? __virt_addr_valid+0x219/0x260
[ 57.424047][ T3332] ? __se_sys_io_cancel+0x30b/0x310
[ 57.430097][ T3332] kasan_report+0x142/0x180
[ 57.434591][ T3332] ? __se_sys_io_cancel+0x30b/0x310
[ 57.439958][ T3332] __se_sys_io_cancel+0x30b/0x310
[ 57.445358][ T3332] do_syscall_64+0x94/0x1a0
[ 57.449975][ T3332] entry_SYSCALL_64_after_hwframe+0x6f/0x77
[ 57.456047][ T3332] RIP: 0033:0x7fb9a0a7dda9
[ 57.460645][ T3332] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[ 57.483208][ T3332] RSP: 002b:00007fb9a18240c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000d2
[ 57.492126][ T3332] RAX: ffffffffffffffda RBX: 00007fb9a0babf80 RCX: 00007fb9a0a7dda9
[ 57.500525][ T3332] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 00007fb9a17c9000
[ 57.508765][ T3332] RBP: 00007fb9a0aca47a R08: 0000000000000000 R09: 0000000000000000
[ 57.516908][ T3332] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 57.524953][ T3332] R13: 000000000000000b R14: 00007fb9a0babf80 R15: 00007ffeac9d98c8
[ 57.533001][ T3332]
[ 57.536105][ T3332]
[ 57.538594][ T3332] Allocated by task 3332:
[ 57.543005][ T3332] kasan_save_track+0x3f/0x80
[ 57.547694][ T3332] __kasan_slab_alloc+0x66/0x80
[ 57.553274][ T3332] kmem_cache_alloc+0x15a/0x390
[ 57.558386][ T3332] io_submit_one+0x12e/0x1600
[ 57.563486][ T3332] __se_sys_io_submit+0x11c/0x330
[ 57.568684][ T3332] do_syscall_64+0x94/0x1a0
[ 57.573627][ T3332] entry_SYSCALL_64_after_hwframe+0x6f/0x77
[ 57.579709][ T3332]
[ 57.582021][ T3332] Freed by task 386:
[ 57.585905][ T3332] kasan_save_track+0x3f/0x80
[ 57.590649][ T3332] kasan_save_free_info+0x4e/0x60
[ 57.595740][ T3332] poison_slab_object+0xee/0x1a0
[ 57.601185][ T3332] __kasan_slab_free+0x34/0x70
[ 57.606106][ T3332] kmem_cache_free+0x136/0x330
[ 57.611020][ T3332] aio_poll_complete_work+0x418/0x620
[ 57.616455][ T3332] process_scheduled_works+0x7e9/0xfd0
[ 57.621979][ T3332] worker_thread+0x868/0xca0
[ 57.627430][ T3332] kthread+0x267/0x2c0
[ 57.631843][ T3332] ret_from_fork+0x32/0x60
[ 57.636466][ T3332] ret_from_fork_asm+0x1b/0x30
[ 57.641445][ T3332]
[ 57.643758][ T3332] Last potentially related work creation:
[ 57.650532][ T3332] kasan_save_stack+0x3f/0x60
[ 57.655468][ T3332] __kasan_record_aux_stack+0xae/0x100
[ 57.660910][ T3332] insert_work+0x38/0x230
[ 57.665482][ T3332] __queue_work+0x81f/0xa70
[ 57.670255][ T3332] queue_work_on+0xf7/0x1a0
[ 57.675181][ T3332] aio_poll_cancel+0x98/0x150
[ 57.680271][ T3332] __se_sys_io_cancel+0xee/0x310
[ 57.685197][ T3332] do_syscall_64+0x94/0x1a0
[ 57.689692][ T3332] entry_SYSCALL_64_after_hwframe+0x6f/0x77
[ 57.695569][ T3332]
[ 57.697965][ T3332] The buggy address belongs to the object at ffff888078437280
[ 57.697965][ T3332]  which belongs to the cache aio_kiocb of size 216
[ 57.712172][ T3332] The buggy address is located 32 bytes inside of
[ 57.712172][ T3332]  freed 216-byte region [ffff888078437280, ffff888078437358)
[ 57.727319][ T3332]
[ 57.730685][ T3332] The buggy address belongs to the physical page:
[ 57.737193][ T3332] page:ffffea0001e10dc0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x78437
[ 57.748904][ T3332] flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 57.756793][ T3332] page_type: 0xffffffff()
[ 57.761484][ T3332] raw: 00fff00000000800 ffff88800e307a00 dead000000000122 0000000000000000
[ 57.770072][ T3332] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 57.779075][ T3332] page dumped because: kasan: bad access detected
[ 57.785487][ T3332] page_owner tracks the page as allocated
[ 57.791626][ T3332] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 3328, tgid 3327 (syz-executor.0), ts 57133622713, free_ts 56505551396
[ 57.810805][ T3332] post_alloc_hook+0x10f/0x130
[ 57.815652][ T3332] get_page_from_freelist+0x345c/0x3600
[ 57.821179][ T3332] __alloc_pages+0x255/0x650
[ 57.825783][ T3332] alloc_slab_page+0x5f/0x160
[ 57.830439][ T3332] new_slab+0x70/0x270
[ 57.834509][ T3332] ___slab_alloc+0xa79/0x10b0
[ 57.839168][ T3332] kmem_cache_alloc+0x235/0x390
[ 57.844252][ T3332] io_submit_one+0x12e/0x1600
[ 57.849103][ T3332] __se_sys_io_submit+0x11c/0x330
[ 57.854123][ T3332] do_syscall_64+0x94/0x1a0
[ 57.858605][ T3332] entry_SYSCALL_64_after_hwframe+0x6f/0x77
[ 57.864563][ T3332] page last free pid 3264 tgid 3264 stack trace:
[ 57.870861][ T3332] free_unref_page_prepare+0x896/0x9b0
[ 57.876382][ T3332] free_unref_page_list+0x54e/0x7f0
[ 57.882441][ T3332] release_pages+0x194b/0x1b10
[ 57.887270][ T3332] tlb_flush_mmu+0x273/0x3d0
[ 57.891930][ T3332] tlb_finish_mmu+0xb6/0x1c0
[ 57.896519][ T3332] exit_mmap+0x431/0xa40
[ 57.900798][ T3332] __mmput+0x9b/0x2d0
[ 57.905044][ T3332] exit_mm+0x113/0x1b0
[ 57.909536][ T3332] do_exit+0x7e2/0x2430
[ 57.913678][ T3332] do_group_exit+0x1b9/0x280
[ 57.918262][ T3332] __x64_sys_exit_group+0x3f/0x40
[ 57.923377][ T3332] do_syscall_64+0x94/0x1a0
[ 57.928290][ T3332] entry_SYSCALL_64_after_hwframe+0x6f/0x77
[ 57.934520][ T3332]
[ 57.936914][ T3332] Memory state around the buggy address:
[ 57.942539][ T3332]  ffff888078437180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 57.950833][ T3332]  ffff888078437200: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 57.958876][ T3332] >ffff888078437280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 57.967438][ T3332]                                ^
[ 57.972955][ T3332]  ffff888078437300: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
[ 57.981074][ T3332]  ffff888078437380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 57.989126][ T3332] ==================================================================
[ 58.006346][ T3332] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 58.013837][ T3332] Kernel Offset: disabled
[ 58.018144][ T3332] Rebooting in 86400 seconds..