[ 29.748493][ T125] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 29.757243][ T125] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 29.766275][ T125] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 29.774447][ T125] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 29.782641][ T125] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 29.796848][ T374] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation
[ 30.271719][ T104] device bridge_slave_1 left promiscuous mode
[ 30.278070][ T104] bridge0: port 2(bridge_slave_1) entered disabled state
[ 30.286310][ T104] device bridge_slave_0 left promiscuous mode
[ 30.292652][ T104] bridge0: port 1(bridge_slave_0) entered disabled state
Warning: Permanently added '10.128.0.215' (ECDSA) to the list of known hosts.
2022/02/11 12:59:53 parsed 1 programs
[ 36.666013][ T23] kauditd_printk_skb: 65 callbacks suppressed
[ 36.666018][ T23] audit: type=1400 audit(1644584393.789:148): avc: denied { mounton } for pid=403 comm="syz-executor" path="/syzcgroup/unified" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=dir permissive=1
[ 36.670641][ T403] cgroup: Unknown subsys name 'net'
[ 36.703689][ T403] cgroup: Unknown subsys name 'devices'
2022/02/11 12:59:53 executed programs: 0
[ 36.711207][ T403] cgroup: Unknown subsys name 'hugetlb'
[ 36.717265][ T403] cgroup: Unknown subsys name 'rlimit'
[ 36.723510][ T23] audit: type=1400 audit(1644584393.849:149): avc: denied { mounton } for pid=403 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[ 36.766780][ T23] audit: type=1400 audit(1644584393.849:150): avc: denied { mount } for pid=403 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1
[ 36.795240][ T23] audit: type=1400 audit(1644584393.869:151): avc: denied { mounton } for pid=409 comm="syz-executor.0" path="/sys/fs/fuse/connections" dev="fusectl" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fusefs_t tclass=dir permissive=1
[ 36.823611][ T23] audit: type=1400 audit(1644584393.869:152): avc: denied { module_request } for pid=409 comm="syz-executor.0" kmod="netdev-nr0" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
[ 36.868980][ T407] bridge0: port 1(bridge_slave_0) entered blocking state
[ 36.876155][ T407] bridge0: port 1(bridge_slave_0) entered disabled state
[ 36.883886][ T407] device bridge_slave_0 entered promiscuous mode
[ 36.901912][ T409] bridge0: port 1(bridge_slave_0) entered blocking state
[ 36.911468][ T409] bridge0: port 1(bridge_slave_0) entered disabled state
[ 36.932863][ T409] device bridge_slave_0 entered promiscuous mode
[ 36.952072][ T407] bridge0: port 2(bridge_slave_1) entered blocking state
[ 36.959910][ T407] bridge0: port 2(bridge_slave_1) entered disabled state
[ 36.967970][ T407] device bridge_slave_1 entered promiscuous mode
[ 36.986431][ T409] bridge0: port 2(bridge_slave_1) entered blocking state
[ 36.994149][ T409] bridge0: port 2(bridge_slave_1) entered disabled state
[ 37.001987][ T409] device bridge_slave_1 entered promiscuous mode
[ 37.052707][ T415] bridge0: port 1(bridge_slave_0) entered blocking state
[ 37.060758][ T415] bridge0: port 1(bridge_slave_0) entered disabled state
[ 37.068897][ T415] device bridge_slave_0 entered promiscuous mode
[ 37.077135][ T412] bridge0: port 1(bridge_slave_0) entered blocking state
[ 37.084980][ T412] bridge0: port 1(bridge_slave_0) entered disabled state
[ 37.094167][ T412] device bridge_slave_0 entered promiscuous mode
[ 37.101497][ T413] bridge0: port 1(bridge_slave_0) entered blocking state
[ 37.108619][ T413] bridge0: port 1(bridge_slave_0) entered disabled state
[ 37.116681][ T413] device bridge_slave_0 entered promiscuous mode
[ 37.130349][ T415] bridge0: port 2(bridge_slave_1) entered blocking state
[ 37.138779][ T415] bridge0: port 2(bridge_slave_1) entered disabled state
[ 37.146442][ T415] device bridge_slave_1 entered promiscuous mode
[ 37.153191][ T412] bridge0: port 2(bridge_slave_1) entered blocking state
[ 37.160558][ T412] bridge0: port 2(bridge_slave_1) entered disabled state
[ 37.169316][ T412] device bridge_slave_1 entered promiscuous mode
[ 37.183653][ T407] bridge0: port 2(bridge_slave_1) entered blocking state
[ 37.190968][ T407] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 37.198378][ T407] bridge0: port 1(bridge_slave_0) entered blocking state
[ 37.205678][ T407] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 37.213572][ T413] bridge0: port 2(bridge_slave_1) entered blocking state
[ 37.220858][ T413] bridge0: port 2(bridge_slave_1) entered disabled state
[ 37.228357][ T413] device bridge_slave_1 entered promiscuous mode
[ 37.250007][ T409] bridge0: port 2(bridge_slave_1) entered blocking state
[ 37.258103][ T409] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 37.266027][ T409] bridge0: port 1(bridge_slave_0) entered blocking state
[ 37.273587][ T409] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 37.327820][ T125] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 37.336438][ T125] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 37.344926][ T125] bridge0: port 1(bridge_slave_0) entered disabled state
[ 37.352609][ T125] bridge0: port 2(bridge_slave_1) entered disabled state
[ 37.360463][ T125] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 37.369052][ T125] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 37.385303][ T125] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 37.393562][ T125] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 37.401013][ T125] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 37.409121][ T125] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 37.435152][ T417] bridge0: port 1(bridge_slave_0) entered blocking state
[ 37.442964][ T417] bridge0: port 1(bridge_slave_0) entered disabled state
[ 37.450821][ T417] device bridge_slave_0 entered promiscuous mode
[ 37.457781][ T417] bridge0: port 2(bridge_slave_1) entered blocking state
[ 37.465609][ T417] bridge0: port 2(bridge_slave_1) entered disabled state
[ 37.473467][ T417] device bridge_slave_1 entered promiscuous mode
[ 37.499259][ T378] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 37.508427][ T378] bridge0: port 1(bridge_slave_0) entered blocking state
[ 37.516025][ T378] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 37.524225][ T378] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 37.533140][ T378] bridge0: port 2(bridge_slave_1) entered blocking state
[ 37.540859][ T378] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 37.562897][ T378] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 37.571688][ T378] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 37.579839][ T378] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 37.587866][ T378] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 37.616965][ T52] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 37.625164][ T52] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 37.635005][ T52] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 37.643907][ T52] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 37.653322][ T52] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 37.661001][ T52] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 37.670635][ T52] bridge0: port 1(bridge_slave_0) entered blocking state
[ 37.678662][ T52] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 37.687196][ T52] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 37.702092][ T378] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 37.710338][ T378] bridge0: port 1(bridge_slave_0) entered blocking state
[ 37.717688][ T378] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 37.725444][ T378] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 37.734511][ T378] bridge0: port 2(bridge_slave_1) entered blocking state
[ 37.741837][ T378] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 37.764241][ T378] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 37.774182][ T378] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 37.782424][ T378] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 37.791815][ T378] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 37.802382][ T378] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 37.812375][ T378] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 37.820946][ T378] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 37.830082][ T378] bridge0: port 2(bridge_slave_1) entered blocking state
[ 37.837679][ T378] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 37.846391][ T378] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 37.855013][ T378] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 37.872918][ T23] audit: type=1400 audit(1644584394.999:153): avc: denied { mount } for pid=409 comm="syz-executor.0" name="/" dev="binder" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=filesystem permissive=1
[ 37.906185][ T125] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 37.917998][ T125] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 37.927914][ T125] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 37.937509][ T125] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 37.947308][ T125] bridge0: port 1(bridge_slave_0) entered blocking state
[ 37.954975][ T125] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 37.963071][ T125] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 37.971862][ T125] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 37.980308][ T125] bridge0: port 2(bridge_slave_1) entered blocking state
[ 37.987372][ T125] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 37.995251][ T125] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 38.003578][ T125] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 38.011643][ T125] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 38.020125][ T125] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 38.028717][ T125] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 38.037511][ T125] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 38.046580][ T125] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 38.055667][ T125] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 38.064181][ T125] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 38.072916][ T125] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 38.082273][ T125] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 38.103988][ T435] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 38.113723][ T435] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 38.122375][ T435] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 38.131038][ T435] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 38.139442][ T435] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 38.147869][ T435] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 38.156287][ T435] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 38.164400][ T435] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 38.195027][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 38.204581][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 38.214827][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 38.223820][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 38.231701][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 38.240083][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 38.248787][ T19] bridge0: port 1(bridge_slave_0) entered blocking state
[ 38.256652][ T19] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 38.265205][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 38.274873][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 38.283171][ T19] bridge0: port 2(bridge_slave_1) entered blocking state
[ 38.290312][ T19] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 38.298612][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 38.307319][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 38.316051][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 38.325015][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 38.333939][ T372] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 38.344587][ T435] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 38.353040][ T435] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 38.361053][ T435] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 38.369640][ T435] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 38.386272][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 38.394650][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 38.403870][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 38.412704][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 38.422276][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 38.430743][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 38.449565][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 38.459585][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 38.469106][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 38.478571][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 38.487379][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 38.496147][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 38.505172][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 38.513416][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 38.534184][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 38.543652][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 38.552750][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 38.561055][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 38.569889][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 38.580276][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 38.591047][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 38.601212][ T19] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 38.613260][ T24] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 38.622839][ T24] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
2022/02/11 12:59:58 executed programs: 286
2022/02/11 13:00:03 executed programs: 716
2022/02/11 13:00:08 executed programs: 1152
2022/02/11 13:00:13 executed programs: 1573
[ 60.507855][T23966] ==================================================================
[ 60.516485][T23966] BUG: KASAN: double-free or invalid-free in kfree+0xc2/0x570
[ 60.524105][T23966]
[ 60.526452][T23966] CPU: 1 PID: 23966 Comm: syz-executor.0 Not tainted 5.10.99-syzkaller #0
[ 60.535544][T23966] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.545734][T23966] Call Trace:
[ 60.549022][T23966] dump_stack_lvl+0x81/0xac
[ 60.553527][T23966] print_address_description.constprop.0+0x24/0x150
[ 60.560209][T23966] ? kfree+0xc2/0x570
[ 60.565506][T23966] kasan_report_invalid_free+0x56/0x80
[ 60.571404][T23966] ? kfree+0xc2/0x570
[ 60.575678][T23966] __kasan_slab_free+0x134/0x150
[ 60.580712][T23966] slab_free_freelist_hook+0x9b/0x1a0
[ 60.586279][T23966] ? io_dismantle_req+0xa17/0xf50
[ 60.592805][T23966] kfree+0xc2/0x570
[ 60.596914][T23966] io_dismantle_req+0xa17/0xf50
[ 60.601776][T23966] ? arch_stack_walk+0x93/0xe0
[ 60.606691][T23966] io_iopoll_complete+0x545/0x1220
[ 60.611911][T23966] ? io_write+0xab0/0xab0
[ 60.616624][T23966] ? rcu_is_watching+0x13/0xc0
[ 60.621497][T23966] ? _raw_spin_unlock_irqrestore+0x47/0x80
[ 60.627910][T23966] ? __kasan_check_write+0x14/0x20
[ 60.633732][T23966] ? io_wq_for_each_worker.isra.0+0x1c5/0x2c0
[ 60.640257][T23966] io_do_iopoll+0x4e9/0x750
[ 60.649475][T23966] ? io_iopoll_complete+0x1220/0x1220
[ 60.655246][T23966] ? io_wq_cancel_cb+0x3b2/0x680
[ 60.660363][T23966] io_iopoll_try_reap_events.part.0+0x113/0x1d0
[ 60.666952][T23966] ? io_do_iopoll+0x750/0x750
[ 60.671970][T23966] io_ring_ctx_wait_and_kill+0x1b4/0x5c0
[ 60.677598][T23966] ? io_iopoll_try_reap_events.part.0+0x1d0/0x1d0
[ 60.684238][T23966] ? fcntl_setlk+0xe60/0xe60
[ 60.689491][T23966] io_uring_release+0x3d/0x50
[ 60.694562][T23966] __fput+0x1a5/0x770
[ 60.698869][T23966] ____fput+0x9/0x10
[ 60.702879][T23966] task_work_run+0xc2/0x140
[ 60.707720][T23966] do_exit+0x966/0x23f0
[ 60.712006][T23966] ? mm_update_next_owner+0x690/0x690
[ 60.718110][T23966] ? __kasan_check_write+0x14/0x20
[ 60.723885][T23966] ? __kasan_check_write+0x14/0x20
[ 60.729067][T23966] ? _raw_spin_lock_irq+0x87/0x110
[ 60.734350][T23966] do_group_exit+0xe6/0x290
[ 60.738939][T23966] get_signal+0x312/0x1ad0
[ 60.743423][T23966] ? futex_exit_release+0x200/0x200
[ 60.748960][T23966] arch_do_signal+0x87/0x2640
[ 60.753974][T23966] ? rcu_cpu_kthread+0x5c0/0x5c0
[ 60.759706][T23966] ? kmem_cache_free+0x10e/0x4c0
[ 60.764878][T23966] ? putname+0xab/0xf0
[ 60.769962][T23966] ? security_file_free+0x91/0xb0
[ 60.775197][T23966] ? copy_siginfo_to_user32+0xa0/0xa0
[ 60.781145][T23966] ? percpu_counter_add_batch+0x82/0x160
[ 60.787209][T23966] ? __x64_sys_futex+0x2cb/0x3b0
[ 60.792366][T23966] ? copy_init_fpstate_to_fpregs+0x80/0x80
[ 60.798722][T23966] ? __unlock_page_memcg+0xb0/0xb0
[ 60.803945][T23966] ? do_futex+0x1380/0x1380
[ 60.808440][T23966] exit_to_user_mode_prepare+0xb2/0xe0
[ 60.813972][T23966] syscall_exit_to_user_mode+0x27/0x160
[ 60.820028][T23966] do_syscall_64+0x3f/0x80
[ 60.825710][T23966] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 60.832674][T23966] RIP: 0033:0x7f08e07f8ae9
[ 60.837431][T23966] Code: Unable to access opcode bytes at RIP 0x7f08e07f8abf.
[ 60.846172][T23966] RSP: 002b:00007f08e074e218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 60.855480][T23966] RAX: fffffffffffffe00 RBX: 00007f08e090c028 RCX: 00007f08e07f8ae9
[ 60.864003][T23966] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f08e090c028
[ 60.873125][T23966] RBP: 00007f08e090c020 R08: 0000000000000000 R09: 0000000000000000
[ 60.881883][T23966] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f08e090c02c
[ 60.889843][T23966] R13: 00007ffc865e998f R14: 00007f08e074e300 R15: 0000000000022000
[ 60.898199][T23966]
[ 60.900675][T23966] Allocated by task 23966:
[ 60.905648][T23966] kasan_save_stack+0x23/0x50
[ 60.910546][T23966] __kasan_kmalloc+0xa9/0xe0
[ 60.915357][T23966] kmem_cache_alloc_trace+0x1a9/0x340
[ 60.920804][T23966] io_uring_alloc_task_context+0x43/0x2a0
[ 60.926727][T23966] io_uring_add_task_file+0x1c8/0x250
[ 60.932628][T23966] io_uring_setup+0x174e/0x2dc0
[ 60.938611][T23966] __x64_sys_io_uring_setup+0x4f/0x70
[ 60.944290][T23966] do_syscall_64+0x32/0x80
[ 60.949349][T23966] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 60.955621][T23966]
[ 60.957955][T23966] The buggy address belongs to the object at ffff88811408b700
[ 60.957955][T23966] which belongs to the cache kmalloc-192 of size 192
[ 60.973252][T23966] The buggy address is located 88 bytes inside of
[ 60.973252][T23966] 192-byte region [ffff88811408b700, ffff88811408b7c0)
[ 60.987273][T23966] The buggy address belongs to the page:
[ 60.993864][T23966] page:ffffea00045022c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11408b
[ 61.004740][T23966] flags: 0x8000000000000200(slab)
[ 61.009838][T23966] raw: 8000000000000200 ffffea00044d14c0 0000000200000002 ffff888100043380
[ 61.018831][T23966] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 61.027669][T23966] page dumped because: kasan: bad access detected
[ 61.034682][T23966] page_owner tracks the page as allocated
[ 61.040417][T23966] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 165, ts 3561203725, free_ts 3561120640
[ 61.056754][T23966] post_alloc_hook+0x102/0x130
[ 61.062253][T23966] get_page_from_freelist+0x1ef5/0x3030
[ 61.068210][T23966] __alloc_pages_nodemask+0x28a/0x1e70
[ 61.074058][T23966] allocate_slab+0x32b/0x480
[ 61.078630][T23966] ___slab_alloc.constprop.0+0x339/0x750
[ 61.084365][T23966] kmem_cache_alloc_trace+0x2d0/0x340
[ 61.089806][T23966] kernfs_fop_open+0x244/0xc20
[ 61.094567][T23966] do_dentry_open+0x417/0x1020
[ 61.099320][T23966] vfs_open+0x9a/0xc0
[ 61.103471][T23966] path_openat+0x1dc6/0x38e0
[ 61.108135][T23966] do_filp_open+0x17d/0x3b0
[ 61.113059][T23966] do_sys_openat2+0x120/0x3c0
[ 61.117810][T23966] __x64_sys_openat+0x124/0x200
[ 61.122807][T23966] do_syscall_64+0x32/0x80
[ 61.127445][T23966] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 61.133713][T23966] page last free stack trace:
[ 61.138550][T23966] free_pcp_prepare+0x18f/0x200
[ 61.144179][T23966] free_unref_page+0x15/0x1c0
[ 61.149144][T23966] __free_pages+0x41/0x100
[ 61.154124][T23966] free_pages+0x3f/0x80
[ 61.158438][T23966] inode_doinit_with_dentry+0x780/0x1400
[ 61.164249][T23966] selinux_d_instantiate+0x17/0x20
[ 61.170085][T23966] security_d_instantiate+0x47/0xc0
[ 61.175734][T23966] d_splice_alias+0x70/0xb40
[ 61.180609][T23966] kernfs_iop_lookup+0x1a2/0x230
[ 61.185837][T23966] __lookup_slow+0x19b/0x3d0
[ 61.190529][T23966] walk_component+0x3ad/0x710
[ 61.195180][T23966] path_lookupat+0x112/0x6a0
[ 61.200216][T23966] filename_lookup+0x16d/0x500
[ 61.205570][T23966] user_path_at_empty+0xa2/0xf0
[ 61.211237][T23966] vfs_statx+0xeb/0x330
[ 61.215363][T23966] __do_sys_newfstatat+0x8b/0xe0
[ 61.220437][T23966]
[ 61.223028][T23966] Memory state around the buggy address:
[ 61.230929][T23966] ffff88811408b600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.239442][T23966] ffff88811408b680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 61.247938][T23966] >ffff88811408b700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 61.256371][T23966] ^
[ 61.264704][T23966] ffff88811408b780: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 61.273522][T23966] ffff88811408b800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.282134][T23966] ==================================================================
[ 61.290668][T23966] Disabling lock debugging due to kernel taint
[ 61.338126][ T972] ------------[ cut here ]------------
[ 61.346092][ T972] WARNING: CPU: 1 PID: 972 at fs/io_uring.c:7929 __io_uring_free+0x150/0x1b0
[ 61.365705][ T972] Modules linked in:
[ 61.375624][ T972] CPU: 0 PID: 972 Comm: kworker/u4:20 Tainted: G B 5.10.99-syzkaller #0
[ 61.386965][ T972] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.407536][ T972] Workqueue: events_unbound io_ring_exit_work
[ 61.419132][ T972] RIP: 0010:__io_uring_free+0x150/0x1b0
[ 61.429590][ T972] Code: 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 75 64 48 c7 83 a0 07 00 00 00 00 00 00 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d c3 <0f> 0b eb 8b 0f 0b e9 0e ff ff ff 4c 89 ef e8 5d f9 e1 ff 48 8b 55
[ 61.451867][ T972] RSP: 0018:ffffc90002137c68 EFLAGS: 00010297
[ 61.458694][ T972] RAX: 0000000000000000 RBX: ffff888125038000 RCX: 0000000000000000
[ 61.480503][ T972] RDX: ffff88811408b758 RSI: 0000000000000004 RDI: ffff88811408b798
[ 61.492677][ T972] RBP: ffffc90002137c98 R08: 0000000000000000 R09: ffff88811408b79b
[ 61.508671][ T972] R10: ffffed10228116f3 R11: 0000000000000000 R12: ffff88811408b700
[ 61.523311][ T972] R13: ffff88811408b798 R14: ffff8881250387a0 R15: ffff88811408b7a0
[ 61.538445][ T972] FS: 0000000000000000(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
[ 61.561091][ T972] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 61.583164][ T972] CR2: 0000000020000042 CR3: 0000000116f1a000 CR4: 00000000003506a0
[ 61.595817][ T972] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 61.604769][ T972] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 61.618487][ T972] Call Trace:
[ 61.622821][ T972] __put_task_struct+0xe4/0x4b0
[ 61.631710][ T972] io_ring_exit_work+0x7bd/0xa50
[ 61.637920][ T972] ? finish_task_switch+0x131/0x7b0
[ 61.645084][ T972] ? io_uring_flush+0x490/0x490
[ 61.650562][ T972] ? __kasan_check_read+0x11/0x20
[ 61.663898][ T972] ? read_word_at_a_time+0x12/0x20
[ 61.670835][ T972] ? strscpy+0x9a/0x2a0
[ 61.690002][ T972] process_one_work+0x635/0xf60
[ 61.695547][ T972] worker_thread+0x548/0xf20
[ 61.700407][ T972] ? rescuer_thread+0xc60/0xc60
[ 61.709224][ T972] kthread+0x345/0x420
[ 61.714382][ T972] ? schedule_tail+0xe9/0x1e0
[ 61.722695][ T972] ? kthread_bind_mask+0x10/0x10
[ 61.727748][ T972] ret_from_fork+0x1f/0x30
2022/02/11 13:00:18 executed programs: 1919
[ 61.747247][ T972] ---[ end trace eff8cfeb6e4ca98c ]---
2022/02/11 13:00:23 executed programs: 2329
[ 66.811444][ T435] ==================================================================
[ 66.819814][ T435] BUG: KASAN: double-free or invalid-free in kfree+0xc2/0x570
[ 66.827549][ T435]
[ 66.829900][ T435] CPU: 0 PID: 435 Comm: kworker/0:4 Tainted: G B W 5.10.99-syzkaller #0
[ 66.839517][ T435] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 66.850352][ T435] Workqueue: events delayed_fput
[ 66.855537][ T435] Call Trace:
[ 66.858997][ T435] dump_stack_lvl+0x81/0xac
[ 66.864066][ T435] print_address_description.constprop.0+0x24/0x150
[ 66.870866][ T435] ? kfree+0xc2/0x570
[ 66.875290][ T435] kasan_report_invalid_free+0x56/0x80
[ 66.881072][ T435] ? kfree+0xc2/0x570
[ 66.885171][ T435] __kasan_slab_free+0x134/0x150
[ 66.890453][ T435] slab_free_freelist_hook+0x9b/0x1a0
[ 66.896104][ T435] ? io_dismantle_req+0xa17/0xf50
[ 66.901836][ T435] kfree+0xc2/0x570
[ 66.906235][ T435] io_dismantle_req+0xa17/0xf50
[ 66.912333][ T435] ? stack_trace_save+0x8f/0xc0
[ 66.918509][ T435] ? stack_trace_consume_entry+0x170/0x170
[ 66.926476][ T435] io_iopoll_complete+0x545/0x1220
[ 66.932528][ T435] ? io_write+0xab0/0xab0
[ 66.938065][ T435] ? rcu_is_watching+0x13/0xc0
[ 66.943109][ T435] ? _raw_spin_unlock_irqrestore+0x47/0x80
[ 66.949727][ T435] ? __kasan_check_write+0x14/0x20
[ 66.955471][ T435] ? io_wq_for_each_worker.isra.0+0x1c5/0x2c0
[ 66.961814][ T435] io_do_iopoll+0x4e9/0x750
[ 66.966980][ T435] ? io_iopoll_complete+0x1220/0x1220
[ 66.972721][ T435] ? io_wq_cancel_cb+0x3b2/0x680
[ 66.978174][ T435] io_iopoll_try_reap_events.part.0+0x113/0x1d0
[ 66.984624][ T435] ? io_do_iopoll+0x750/0x750
[ 66.989394][ T435] io_ring_ctx_wait_and_kill+0x1b4/0x5c0
[ 66.995806][ T435] ? io_iopoll_try_reap_events.part.0+0x1d0/0x1d0
[ 67.002393][ T435] ? fcntl_setlk+0xe60/0xe60
[ 67.007183][ T435] ? _raw_spin_unlock_irq+0x42/0x6a
[ 67.012649][ T435] io_uring_release+0x3d/0x50
[ 67.018566][ T435] __fput+0x1a5/0x770
[ 67.022755][ T435] ? __kasan_check_read+0x11/0x20
[ 67.028585][ T435] delayed_fput+0x4f/0x70
[ 67.034040][ T435] process_one_work+0x635/0xf60
[ 67.039992][ T435] worker_thread+0x548/0xf20
[ 67.045772][ T435] ? rescuer_thread+0xc60/0xc60
[ 67.051619][ T435] kthread+0x345/0x420
[ 67.056215][ T435] ? schedule_tail+0xe9/0x1e0
[ 67.060898][ T435] ? kthread_bind_mask+0x10/0x10
[ 67.066020][ T435] ret_from_fork+0x1f/0x30
[ 67.070794][ T435]
[ 67.073114][ T435] Allocated by task 29543:
[ 67.077942][ T435] kasan_save_stack+0x23/0x50
[ 67.083232][ T435] __kasan_kmalloc+0xa9/0xe0
[ 67.088232][ T435] kmem_cache_alloc_trace+0x1a9/0x340
[ 67.094192][ T435] io_uring_alloc_task_context+0x43/0x2a0
[ 67.100506][ T435] io_uring_add_task_file+0x1c8/0x250
[ 67.106399][ T435] io_uring_setup+0x174e/0x2dc0
[ 67.111518][ T435] __x64_sys_io_uring_setup+0x4f/0x70
[ 67.117514][ T435] do_syscall_64+0x32/0x80
[ 67.122201][ T435] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 67.131674][ T435]
[ 67.134549][ T435] The buggy address belongs to the object at ffff8881107ab800
[ 67.134549][ T435] which belongs to the cache kmalloc-192 of size 192
[ 67.150733][ T435] The buggy address is located 88 bytes inside of
[ 67.150733][ T435] 192-byte region [ffff8881107ab800, ffff8881107ab8c0)
[ 67.167626][ T435] The buggy address belongs to the page:
[ 67.175467][ T435] page:ffffea000441eac0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1107ab
[ 67.193072][ T435] flags: 0x8000000000000200(slab)
[ 67.198185][ T435] raw: 8000000000000200 ffffea00045022c0 0000000300000003 ffff888100043380
[ 67.206905][ T435] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 67.216054][ T435] page dumped because: kasan: bad access detected
[ 67.222876][ T435] page_owner tracks the page as allocated
[ 67.229508][ T435] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 174, ts 3394615264, free_ts 0
[ 67.247939][ T435] post_alloc_hook+0x102/0x130
[ 67.254548][ T435] get_page_from_freelist+0x1ef5/0x3030
[ 67.261426][ T435] __alloc_pages_nodemask+0x28a/0x1e70
[ 67.268211][ T435] allocate_slab+0x32b/0x480
[ 67.273570][ T435] ___slab_alloc.constprop.0+0x339/0x750
[ 67.279704][ T435] kmem_cache_alloc_trace+0x2d0/0x340
[ 67.286502][ T435] kernfs_fop_open+0x244/0xc20
[ 67.291695][ T435] do_dentry_open+0x417/0x1020
[ 67.296646][ T435] vfs_open+0x9a/0xc0
[ 67.300866][ T435] path_openat+0x1dc6/0x38e0
[ 67.306185][ T435] do_filp_open+0x17d/0x3b0
[ 67.311235][ T435] do_sys_openat2+0x120/0x3c0
[ 67.316132][ T435] __x64_sys_openat+0x124/0x200
[ 67.321058][ T435] do_syscall_64+0x32/0x80
[ 67.325745][ T435] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 67.331602][ T435] page_owner free stack trace missing
[ 67.337234][ T435]
[ 67.339533][ T435] Memory state around the buggy address:
[ 67.345680][ T435] ffff8881107ab700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 67.354681][ T435] ffff8881107ab780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 67.363774][ T435] >ffff8881107ab800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 67.375536][ T435] ^
[ 67.383198][ T435] ffff8881107ab880: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 67.392712][ T435] ffff8881107ab900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 67.402111][ T435] ==================================================================