[ 49.207653][ T348] bridge0: port 1(bridge_slave_0) entered disabled state
[ 49.227410][ T348] device veth1_macvtap left promiscuous mode
[ 49.235178][ T348] device veth0_macvtap left promiscuous mode
[ 49.241294][ T348] device veth1_vlan left promiscuous mode
[ 49.248634][ T348] device veth0_vlan left promiscuous mode
[ 49.467743][ T348] team0 (unregistering): Port device team_slave_1 removed
[ 49.481547][ T348] team0 (unregistering): Port device team_slave_0 removed
[ 49.493448][ T348] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 49.508786][ T348] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 49.550227][ T348] bond0 (unregistering): Released all slaves
Warning: Permanently added '10.128.0.187' (ECDSA) to the list of known hosts.
[ 64.131541][ T4140] ==================================================================
[ 64.140428][ T4140] BUG: KASAN: use-after-free in add_wait_queue+0x1c0/0x260
[ 64.147632][ T4140] Read of size 4 at addr ffff88801ac1ff18 by task syz-executor110/4140
[ 64.155878][ T4140]
[ 64.158205][ T4140] CPU: 0 PID: 4140 Comm: syz-executor110 Not tainted 5.17.0-rc7-syzkaller #0
[ 64.166966][ T4140] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 64.177345][ T4140] Call Trace:
[ 64.180631][ T4140]
[ 64.183563][ T4140] dump_stack_lvl+0x57/0x7d
[ 64.188076][ T4140] print_address_description.constprop.0.cold+0x8d/0x336
[ 64.195116][ T4140] ? add_wait_queue+0x1c0/0x260
[ 64.200177][ T4140] ? add_wait_queue+0x1c0/0x260
[ 64.205055][ T4140] kasan_report.cold+0x83/0xdf
[ 64.209978][ T4140] ? add_wait_queue+0x1c0/0x260
[ 64.214832][ T4140] add_wait_queue+0x1c0/0x260
[ 64.219538][ T4140] n_tty_poll+0x5c/0x790
[ 64.223880][ T4140] tty_poll+0x10e/0x180
[ 64.228174][ T4140] __io_arm_poll_handler+0x373/0xb90
[ 64.233475][ T4140] ? kmem_cache_alloc_trace+0x1da/0x3d0
[ 64.239027][ T4140] io_arm_poll_handler+0x39e/0x880
[ 64.244142][ T4140] ? io_cqring_wait+0x1560/0x1560
[ 64.249162][ T4140] ? io_poll_queue_proc+0x50/0x50
[ 64.254193][ T4140] io_queue_sqe_arm_apoll+0x52/0x350
[ 64.259477][ T4140] io_submit_sqes+0x6360/0x80f0
[ 64.264621][ T4140] ? __mutex_lock+0x21a/0x12f0
[ 64.269853][ T4140] ? io_apoll_task_func+0x250/0x250
[ 64.275052][ T4140] ? percpu_ref_tryget_many.constprop.0+0x6e/0x190
[ 64.281664][ T4140] ? __do_sys_io_uring_enter+0x6d3/0x1030
[ 64.287406][ T4140] __do_sys_io_uring_enter+0x6d3/0x1030
[ 64.293150][ T4140] ? __context_tracking_exit+0x80/0x90
[ 64.298648][ T4140] ? io_submit_sqes+0x80f0/0x80f0
[ 64.303678][ T4140] ? __context_tracking_enter+0x93/0xa0
[ 64.309262][ T4140] ? lockdep_hardirqs_on_prepare+0x17b/0x400
[ 64.315311][ T4140] ? syscall_enter_from_user_mode+0x21/0x70
[ 64.321218][ T4140] do_syscall_64+0x35/0xb0
[ 64.325640][ T4140] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 64.331550][ T4140] RIP: 0033:0x7f6059d99fc9
[ 64.335968][ T4140] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 64.356217][ T4140] RSP: 002b:00007ffe6874fa88 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa
[ 64.364715][ T4140] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f6059d99fc9
[ 64.372684][ T4140] RDX: 0000000000000000 RSI: 0000000000001261 RDI: 0000000000000004
[ 64.380654][ T4140] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 64.388624][ T4140] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000fa32
[ 64.396592][ T4140] R13: 00007ffe6874faac R14: 00007ffe6874fac0 R15: 00007ffe6874fab0
[ 64.404578][ T4140]
[ 64.407600][ T4140]
[ 64.409917][ T4140] Allocated by task 4135:
[ 64.414237][ T4140] kasan_save_stack+0x1e/0x40
[ 64.418915][ T4140] __kasan_kmalloc+0xa9/0xd0
[ 64.423592][ T4140] io_arm_poll_handler+0x30e/0x880
[ 64.429061][ T4140] io_queue_sqe_arm_apoll+0x52/0x350
[ 64.434341][ T4140] io_submit_sqes+0x6360/0x80f0
[ 64.439194][ T4140] __do_sys_io_uring_enter+0x6d3/0x1030
[ 64.444737][ T4140] do_syscall_64+0x35/0xb0
[ 64.449155][ T4140] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 64.455040][ T4140]
[ 64.457361][ T4140] Freed by task 4135:
[ 64.461422][ T4140] kasan_save_stack+0x1e/0x40
[ 64.466095][ T4140] kasan_set_track+0x21/0x30
[ 64.470681][ T4140] kasan_set_free_info+0x20/0x30
[ 64.475611][ T4140] ____kasan_slab_free+0x126/0x160
[ 64.480718][ T4140] slab_free_freelist_hook+0x8b/0x1c0
[ 64.486084][ T4140] kfree+0xd0/0x390
[ 64.489887][ T4140] io_clean_op+0x198/0xbc0
[ 64.494300][ T4140] __io_req_complete_post+0x77d/0xaf0
[ 64.499722][ T4140] io_req_complete_post+0x53/0x1f0
[ 64.504838][ T4140] tctx_task_work+0x50f/0xf10
[ 64.509515][ T4140] task_work_run+0xc0/0x160
[ 64.514024][ T4140] do_exit+0x9ab/0x2500
[ 64.518273][ T4140] do_group_exit+0xb2/0x2a0
[ 64.522787][ T4140] __x64_sys_exit_group+0x35/0x40
[ 64.527809][ T4140] do_syscall_64+0x35/0xb0
[ 64.532230][ T4140] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 64.538111][ T4140]
[ 64.540428][ T4140] The buggy address belongs to the object at ffff88801ac1ff00
[ 64.540428][ T4140]  which belongs to the cache kmalloc-96 of size 96
[ 64.554467][ T4140] The buggy address is located 24 bytes inside of
[ 64.554467][ T4140]  96-byte region [ffff88801ac1ff00, ffff88801ac1ff60)
[ 64.567587][ T4140] The buggy address belongs to the page:
[ 64.573218][ T4140] page:ffffea00006b07c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1ac1f
[ 64.583965][ T4140] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 64.591716][ T4140] raw: 00fff00000000200 dead000000000100 dead000000000122 ffff88800fc41780
[ 64.600297][ T4140] raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000
[ 64.608874][ T4140] page dumped because: kasan: bad access detected
[ 64.615366][ T4140] page_owner tracks the page as allocated
[ 64.621076][ T4140] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 44, ts 4884089645, free_ts 4883325258
[ 64.636777][ T4140] get_page_from_freelist+0xa6f/0x2f10
[ 64.642234][ T4140] __alloc_pages+0x1b2/0x500
[ 64.646820][ T4140] allocate_slab+0x27f/0x3c0
[ 64.651497][ T4140] ___slab_alloc+0xbe3/0x12a0
[ 64.656170][ T4140] __slab_alloc.constprop.0+0x4d/0xa0
[ 64.661539][ T4140] kmem_cache_alloc_trace+0x2f8/0x3d0
[ 64.666903][ T4140] blk_mq_init_allocated_queue+0x178/0x14e0
[ 64.672790][ T4140] blk_mq_init_queue+0x98/0x100
[ 64.677641][ T4140] scsi_alloc_sdev+0x827/0xc00
[ 64.682403][ T4140] scsi_probe_and_add_lun+0x1789/0x2e00
[ 64.687948][ T4140] __scsi_scan_target+0x1ab/0xad0
[ 64.692981][ T4140] scsi_scan_channel+0xdf/0x160
[ 64.697877][ T4140] scsi_scan_host_selected+0x1ef/0x2a0
[ 64.703331][ T4140] do_scan_async+0x3a/0x450
[ 64.707955][ T4140] async_run_entry_fn+0x8e/0x4f0
[ 64.712902][ T4140] process_one_work+0x879/0x1410
[ 64.717839][ T4140] page last free stack trace:
[ 64.722504][ T4140] free_pcp_prepare+0x374/0x870
[ 64.727351][ T4140] free_unref_page+0x19/0x690
[ 64.732026][ T4140] __vunmap+0x5af/0x9e0
[ 64.736172][ T4140] free_work+0x4b/0x70
[ 64.740239][ T4140] process_one_work+0x879/0x1410
[ 64.745197][ T4140] worker_thread+0x5a0/0xf60
[ 64.749784][ T4140] kthread+0x299/0x340
[ 64.753847][ T4140] ret_from_fork+0x1f/0x30
[ 64.758257][ T4140]
[ 64.760570][ T4140] Memory state around the buggy address:
[ 64.766187][ T4140]  ffff88801ac1fe00: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 64.774243][ T4140]  ffff88801ac1fe80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 64.782386][ T4140] >ffff88801ac1ff00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 64.790532][ T4140]                             ^
[ 64.795378][ T4140]  ffff88801ac1ff80: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
[ 64.803435][ T4140]  ffff88801ac20000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 64.811486][ T4140] ==================================================================
[ 64.819582][ T4140] Disabling lock debugging due to kernel taint
[ 64.825733][ T4140] Kernel panic - not syncing: panic_on_warn set ...
[ 64.832308][ T4140] CPU: 0 PID: 4140 Comm: syz-executor110 Tainted: G B 5.17.0-rc7-syzkaller #0
[ 64.842452][ T4140] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 64.852496][ T4140] Call Trace:
[ 64.855771][ T4140]
[ 64.858778][ T4140] dump_stack_lvl+0x57/0x7d
[ 64.863273][ T4140] panic+0x214/0x49f
[ 64.867160][ T4140] ? __warn_printk+0xee/0xee
[ 64.871745][ T4140] ? add_wait_queue+0x1c0/0x260
[ 64.876591][ T4140] ? add_wait_queue+0x1c0/0x260
[ 64.881441][ T4140] end_report.cold+0x63/0x6f
[ 64.886022][ T4140] kasan_report.cold+0x71/0xdf
[ 64.890865][ T4140] ? add_wait_queue+0x1c0/0x260
[ 64.895708][ T4140] add_wait_queue+0x1c0/0x260
[ 64.900382][ T4140] n_tty_poll+0x5c/0x790
[ 64.904619][ T4140] tty_poll+0x10e/0x180
[ 64.908890][ T4140] __io_arm_poll_handler+0x373/0xb90
[ 64.914172][ T4140] ? kmem_cache_alloc_trace+0x1da/0x3d0
[ 64.919713][ T4140] io_arm_poll_handler+0x39e/0x880
[ 64.924832][ T4140] ? io_cqring_wait+0x1560/0x1560
[ 64.929852][ T4140] ? io_poll_queue_proc+0x50/0x50
[ 64.934871][ T4140] io_queue_sqe_arm_apoll+0x52/0x350
[ 64.940166][ T4140] io_submit_sqes+0x6360/0x80f0
[ 64.945022][ T4140] ? __mutex_lock+0x21a/0x12f0
[ 64.949782][ T4140] ? io_apoll_task_func+0x250/0x250
[ 64.954982][ T4140] ? percpu_ref_tryget_many.constprop.0+0x6e/0x190
[ 64.961480][ T4140] ? __do_sys_io_uring_enter+0x6d3/0x1030
[ 64.967190][ T4140] __do_sys_io_uring_enter+0x6d3/0x1030
[ 64.972730][ T4140] ? __context_tracking_exit+0x80/0x90
[ 64.978181][ T4140] ? io_submit_sqes+0x80f0/0x80f0
[ 64.983242][ T4140] ? __context_tracking_enter+0x93/0xa0
[ 64.988784][ T4140] ? lockdep_hardirqs_on_prepare+0x17b/0x400
[ 64.994846][ T4140] ? syscall_enter_from_user_mode+0x21/0x70
[ 65.000739][ T4140] do_syscall_64+0x35/0xb0
[ 65.005147][ T4140] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 65.011030][ T4140] RIP: 0033:0x7f6059d99fc9
[ 65.015610][ T4140] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 65.035206][ T4140] RSP: 002b:00007ffe6874fa88 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa
[ 65.043613][ T4140] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f6059d99fc9
[ 65.051577][ T4140] RDX: 0000000000000000 RSI: 0000000000001261 RDI: 0000000000000004
[ 65.059539][ T4140] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 65.067511][ T4140] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000fa32
[ 65.075468][ T4140] R13: 00007ffe6874faac R14: 00007ffe6874fac0 R15: 00007ffe6874fab0
[ 65.083435][ T4140]
[ 65.086630][ T4140] Kernel Offset: disabled
[ 65.090953][ T4140] Rebooting in 86400 seconds..