[ 29.744876][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 29.753428][ T43] bridge0: port 2(bridge_slave_1) entered blocking state
[ 29.760543][ T43] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 29.767842][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 29.775695][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 29.789469][ T382] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation
[ 30.353886][ T187] device bridge_slave_1 left promiscuous mode
[ 30.360036][ T187] bridge0: port 2(bridge_slave_1) entered disabled state
[ 30.367528][ T187] device bridge_slave_0 left promiscuous mode
[ 30.373772][ T187] bridge0: port 1(bridge_slave_0) entered disabled state
Warning: Permanently added '10.128.1.117' (ECDSA) to the list of known hosts.
2022/01/12 12:39:22 parsed 1 programs
[ 36.559067][ T23] kauditd_printk_skb: 65 callbacks suppressed
[ 36.559073][ T23] audit: type=1400 audit(1641991162.129:148): avc: denied { mounton } for pid=412 comm="syz-executor" path="/syzcgroup/unified" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=dir permissive=1
[ 36.559260][ T412] cgroup: Unknown subsys name 'net'
[ 36.594076][ T412] cgroup: Unknown subsys name 'devices'
[ 36.600275][ T412] cgroup: Unknown subsys name 'hugetlb'
[ 36.605902][ T412] cgroup: Unknown subsys name 'rlimit'
[ 36.611780][ T23] audit: type=1400 audit(1641991162.179:149): avc: denied { mounton } for pid=412 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
2022/01/12 12:39:22 executed programs: 0
[ 36.636801][ T23] audit: type=1400 audit(1641991162.179:150): avc: denied { mount } for pid=412 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1
[ 36.671997][ T23] audit: type=1400 audit(1641991162.239:151): avc: denied { mounton } for pid=419 comm="syz-executor.0" path="/sys/fs/fuse/connections" dev="fusectl" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fusefs_t tclass=dir permissive=1
[ 36.702256][ T23] audit: type=1400 audit(1641991162.239:152): avc: denied { module_request } for pid=417 comm="syz-executor.4" kmod="netdev-nr4" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
[ 36.752906][ T424] bridge0: port 1(bridge_slave_0) entered blocking state
[ 36.760004][ T424] bridge0: port 1(bridge_slave_0) entered disabled state
[ 36.767407][ T424] device bridge_slave_0 entered promiscuous mode
[ 36.784865][ T423] bridge0: port 1(bridge_slave_0) entered blocking state
[ 36.791881][ T423] bridge0: port 1(bridge_slave_0) entered disabled state
[ 36.799145][ T423] device bridge_slave_0 entered promiscuous mode
[ 36.815214][ T424] bridge0: port 2(bridge_slave_1) entered blocking state
[ 36.822408][ T424] bridge0: port 2(bridge_slave_1) entered disabled state
[ 36.829858][ T424] device bridge_slave_1 entered promiscuous mode
[ 36.850536][ T421] bridge0: port 1(bridge_slave_0) entered blocking state
[ 36.857636][ T421] bridge0: port 1(bridge_slave_0) entered disabled state
[ 36.864887][ T421] device bridge_slave_0 entered promiscuous mode
[ 36.871562][ T423] bridge0: port 2(bridge_slave_1) entered blocking state
[ 36.878595][ T423] bridge0: port 2(bridge_slave_1) entered disabled state
[ 36.885919][ T423] device bridge_slave_1 entered promiscuous mode
[ 36.907655][ T421] bridge0: port 2(bridge_slave_1) entered blocking state
[ 36.914722][ T421] bridge0: port 2(bridge_slave_1) entered disabled state
[ 36.921884][ T421] device bridge_slave_1 entered promiscuous mode
[ 36.945822][ T419] bridge0: port 1(bridge_slave_0) entered blocking state
[ 36.952840][ T419] bridge0: port 1(bridge_slave_0) entered disabled state
[ 36.960276][ T419] device bridge_slave_0 entered promiscuous mode
[ 36.967017][ T419] bridge0: port 2(bridge_slave_1) entered blocking state
[ 36.974036][ T419] bridge0: port 2(bridge_slave_1) entered disabled state
[ 36.981191][ T419] device bridge_slave_1 entered promiscuous mode
[ 36.999246][ T417] bridge0: port 1(bridge_slave_0) entered blocking state
[ 37.006281][ T417] bridge0: port 1(bridge_slave_0) entered disabled state
[ 37.013479][ T417] device bridge_slave_0 entered promiscuous mode
[ 37.021897][ T417] bridge0: port 2(bridge_slave_1) entered blocking state
[ 37.028994][ T417] bridge0: port 2(bridge_slave_1) entered disabled state
[ 37.036237][ T417] device bridge_slave_1 entered promiscuous mode
[ 37.074916][ T424] bridge0: port 2(bridge_slave_1) entered blocking state
[ 37.081934][ T424] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 37.089186][ T424] bridge0: port 1(bridge_slave_0) entered blocking state
[ 37.096209][ T424] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 37.104009][ T425] bridge0: port 1(bridge_slave_0) entered blocking state
[ 37.111015][ T425] bridge0: port 1(bridge_slave_0) entered disabled state
[ 37.118328][ T425] device bridge_slave_0 entered promiscuous mode
[ 37.153706][ T425] bridge0: port 2(bridge_slave_1) entered blocking state
[ 37.160735][ T425] bridge0: port 2(bridge_slave_1) entered disabled state
[ 37.168063][ T425] device bridge_slave_1 entered promiscuous mode
[ 37.193752][ T423] bridge0: port 2(bridge_slave_1) entered blocking state
[ 37.200775][ T423] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 37.208020][ T423] bridge0: port 1(bridge_slave_0) entered blocking state
[ 37.215033][ T423] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 37.224999][ T421] bridge0: port 2(bridge_slave_1) entered blocking state
[ 37.232013][ T421] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 37.239250][ T421] bridge0: port 1(bridge_slave_0) entered blocking state
[ 37.246259][ T421] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 37.254141][ T43] bridge0: port 1(bridge_slave_0) entered disabled state
[ 37.261372][ T43] bridge0: port 2(bridge_slave_1) entered disabled state
[ 37.268723][ T43] bridge0: port 1(bridge_slave_0) entered disabled state
[ 37.275821][ T43] bridge0: port 2(bridge_slave_1) entered disabled state
[ 37.282969][ T43] bridge0: port 1(bridge_slave_0) entered disabled state
[ 37.290280][ T43] bridge0: port 2(bridge_slave_1) entered disabled state
[ 37.297807][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 37.305176][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 37.322760][ T383] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 37.330826][ T383] bridge0: port 1(bridge_slave_0) entered blocking state
[ 37.337827][ T383] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 37.364748][ T383] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 37.372041][ T383] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 37.379435][ T383] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 37.387724][ T383] bridge0: port 1(bridge_slave_0) entered blocking state
[ 37.394842][ T383] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 37.402960][ T383] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 37.411652][ T383] bridge0: port 2(bridge_slave_1) entered blocking state
[ 37.418847][ T383] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 37.426112][ T383] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 37.434020][ T383] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 37.441832][ T383] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 37.449939][ T383] bridge0: port 2(bridge_slave_1) entered blocking state
[ 37.456966][ T383] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 37.464260][ T383] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 37.472070][ T383] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 37.500352][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 37.508030][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 37.516438][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 37.524669][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 37.532395][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 37.542329][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 37.550431][ T43] bridge0: port 1(bridge_slave_0) entered blocking state
[ 37.557564][ T43] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 37.564912][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 37.572953][ T43] bridge0: port 2(bridge_slave_1) entered blocking state
[ 37.580050][ T43] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 37.587325][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 37.595261][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 37.603207][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 37.610529][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 37.618650][ T43] bridge0: port 1(bridge_slave_0) entered blocking state
[ 37.625661][ T43] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 37.632990][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 37.641199][ T43] bridge0: port 2(bridge_slave_1) entered blocking state
[ 37.648291][ T43] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 37.656039][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 37.675624][ T109] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 37.683976][ T109] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 37.692184][ T109] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 37.700507][ T109] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 37.708358][ T109] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 37.717386][ T109] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 37.725326][ T109] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 37.750993][ T109] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 37.759396][ T109] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 37.769149][ T109] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 37.777549][ T109] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 37.785749][ T109] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 37.793843][ T109] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 37.806118][ T23] audit: type=1400 audit(1641991163.379:153): avc: denied { mount } for pid=421 comm="syz-executor.1" name="/" dev="binder" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=filesystem permissive=1
[ 37.823650][ T109] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 37.836911][ T109] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 37.844984][ T109] bridge0: port 1(bridge_slave_0) entered blocking state
[ 37.851978][ T109] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 37.859274][ T109] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 37.867549][ T109] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 37.875642][ T109] bridge0: port 2(bridge_slave_1) entered blocking state
[ 37.882728][ T109] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 37.890091][ T109] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 37.898025][ T109] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 37.905954][ T109] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 37.913915][ T109] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 37.921707][ T109] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 37.930020][ T109] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 37.938351][ T109] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 37.946251][ T109] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 37.954254][ T387] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 37.986227][ T399] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 37.998475][ T399] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 38.011308][ T399] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 38.041295][ T399] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 38.051737][ T399] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 38.061492][ T399] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 38.071660][ T399] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 38.082457][ T399] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 38.097484][ T399] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 38.113092][ T399] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 38.123315][ T399] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 38.131756][ T399] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 38.141692][ T399] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 38.154681][ T399] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 38.182358][ T24] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 38.194939][ T24] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 38.212048][ T24] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 38.220792][ T24] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 38.230074][ T24] bridge0: port 1(bridge_slave_0) entered blocking state
[ 38.237241][ T24] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 38.245880][ T24] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 38.257084][ T24] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 38.265465][ T24] bridge0: port 2(bridge_slave_1) entered blocking state
[ 38.272476][ T24] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 38.280222][ T24] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 38.288442][ T24] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 38.297423][ T24] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 38.305574][ T24] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 38.325879][ T383] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 38.333362][ T383] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 38.341845][ T383] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 38.349942][ T383] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 38.358832][ T383] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 38.366675][ T383] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 38.374884][ T383] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 38.382984][ T383] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 38.390724][ T383] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 38.398527][ T383] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 38.406791][ T383] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 38.414809][ T383] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 38.423106][ T383] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 38.431359][ T383] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 38.439434][ T383] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
2022/01/12 12:39:27 executed programs: 326
2022/01/12 12:39:32 executed programs: 817
2022/01/12 12:39:37 executed programs: 1311
[ 52.713675][T18172] ==================================================================
[ 52.721978][T18172] BUG: KASAN: double-free or invalid-free in kfree+0xc2/0x570
[ 52.729487][T18172]
[ 52.731787][T18172] CPU: 1 PID: 18172 Comm: syz-executor.5 Not tainted 5.10.91-syzkaller #0
[ 52.740251][T18172] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 52.750278][T18172] Call Trace:
[ 52.753548][T18172] dump_stack_lvl+0x81/0xac
[ 52.758037][T18172] print_address_description.constprop.0+0x24/0x150
[ 52.764673][T18172] ? kfree+0xc2/0x570
[ 52.768623][T18172] kasan_report_invalid_free+0x56/0x80
[ 52.774057][T18172] ? kfree+0xc2/0x570
[ 52.778002][T18172] __kasan_slab_free+0x134/0x150
[ 52.782902][T18172] slab_free_freelist_hook+0x9b/0x1a0
[ 52.788264][T18172] ? io_dismantle_req+0xa17/0xf50
[ 52.793252][T18172] kfree+0xc2/0x570
[ 52.797031][T18172] io_dismantle_req+0xa17/0xf50
[ 52.802030][T18172] ? preempt_schedule+0x1f/0x30
[ 52.806851][T18172] ? preempt_schedule_thunk+0x16/0x18
[ 52.812276][T18172] io_iopoll_complete+0x545/0x1220
[ 52.817480][T18172] ? try_to_wake_up+0xbcd/0x1870
[ 52.822398][T18172] ? io_write+0xab0/0xab0
[ 52.826713][T18172] ? select_fallback_rq+0x660/0x660
[ 52.831886][T18172] ? __kasan_check_write+0x14/0x20
[ 52.837227][T18172] ? wake_up_q+0x12a/0x1c0
[ 52.841610][T18172] io_do_iopoll+0x4e9/0x750
[ 52.846340][T18172] ? io_iopoll_complete+0x1220/0x1220
[ 52.851674][T18172] io_iopoll_try_reap_events.part.0+0x113/0x1d0
[ 52.857881][T18172] ? io_do_iopoll+0x750/0x750
[ 52.862523][T18172] ? __kasan_check_read+0x11/0x20
[ 52.867512][T18172] io_uring_cancel_task_requests+0xdd5/0x1110
[ 52.873542][T18172] ? io_uring_release+0x50/0x50
[ 52.878374][T18172] ? follow_p4d_mask+0x580/0x1190
[ 52.883472][T18172] ? handle_mm_fault+0x13d/0x5a0
[ 52.888387][T18172] __io_uring_files_cancel+0x114/0x1c0
[ 52.893828][T18172] ? __io_uring_free+0x1b0/0x1b0
[ 52.898912][T18172] __io_uring_task_cancel+0x201/0x220
[ 52.904337][T18172] ? __io_uring_files_cancel+0x1c0/0x1c0
[ 52.910023][T18172] ? wait_woken+0x1c0/0x1c0
[ 52.914522][T18172] ? __kasan_check_read+0x11/0x20
[ 52.919528][T18172] ? __page_pinner_migration_failed+0x8e/0x250
[ 52.925833][T18172] ? save_stack.constprop.0+0xc0/0xc0
[ 52.931266][T18172] bprm_execve+0x113/0x13d0
[ 52.936535][T18172] ? get_arg_page+0x110/0x1c0
[ 52.941187][T18172] ? acct_arg_size+0xe0/0xe0
[ 52.945742][T18172] ? open_exec+0x50/0x50
[ 52.949952][T18172] ? put_user_page+0x10e/0x160
[ 52.954681][T18172] ? copy_string_kernel+0xe8/0x260
[ 52.959756][T18172] do_execveat_common+0x553/0x730
[ 52.964846][T18172] ? bprm_execve+0x13d0/0x13d0
[ 52.969753][T18172] ? getname_flags.part.0+0x8c/0x480
[ 52.975088][T18172] ? __kasan_check_write+0x14/0x20
[ 52.980165][T18172] __x64_sys_execve+0x8a/0xb0
[ 52.984809][T18172] do_syscall_64+0x32/0x80
[ 52.989191][T18172] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 52.995068][T18172] RIP: 0033:0x7fd708d75ae9
[ 52.999539][T18172] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 53.019719][T18172] RSP: 002b:00007fd708ccb188 EFLAGS: 00000246 ORIG_RAX: 000000000000003b
[ 53.028110][T18172] RAX: ffffffffffffffda RBX: 00007fd708e89020 RCX: 00007fd708d75ae9
[ 53.036052][T18172] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000040
[ 53.044079][T18172] RBP: 00007fd708dcff25 R08: 0000000000000000 R09: 0000000000000000
[ 53.052043][T18172] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 53.059987][T18172] R13: 00007fff5fad649f R14: 00007fd708ccb300 R15: 0000000000022000
[ 53.067927][T18172]
[ 53.070342][T18172] Allocated by task 18172:
[ 53.074742][T18172] kasan_save_stack+0x23/0x50
[ 53.079425][T18172] __kasan_kmalloc+0xa9/0xe0
[ 53.083981][T18172] kmem_cache_alloc_trace+0x1a9/0x340
[ 53.089320][T18172] io_uring_alloc_task_context+0x43/0x2a0
[ 53.095003][T18172] io_uring_add_task_file+0x1c8/0x250
[ 53.100339][T18172] io_uring_setup+0x174e/0x2dc0
[ 53.105243][T18172] __x64_sys_io_uring_setup+0x4f/0x70
[ 53.110583][T18172] do_syscall_64+0x32/0x80
[ 53.114965][T18172] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 53.120819][T18172]
[ 53.123118][T18172] The buggy address belongs to the object at ffff8881135ab700
[ 53.123118][T18172] which belongs to the cache kmalloc-192 of size 192
[ 53.137147][T18172] The buggy address is located 88 bytes inside of
[ 53.137147][T18172] 192-byte region [ffff8881135ab700, ffff8881135ab7c0)
[ 53.150643][T18172] The buggy address belongs to the page:
[ 53.156239][T18172] page:ffffea00044d6ac0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1135ab
[ 53.166439][T18172] flags: 0x8000000000000200(slab)
[ 53.171440][T18172] raw: 8000000000000200 ffffea0004449040 0000000300000003 ffff888100043380
[ 53.179988][T18172] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 53.188542][T18172] page dumped because: kasan: bad access detected
[ 53.195008][T18172] page_owner tracks the page as allocated
[ 53.200706][T18172] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 173, ts 2973729750, free_ts 2973475524
[ 53.216484][T18172] post_alloc_hook+0x102/0x130
[ 53.221225][T18172] get_page_from_freelist+0x1ef5/0x3030
[ 53.226734][T18172] __alloc_pages_nodemask+0x28a/0x1f90
[ 53.232160][T18172] allocate_slab+0x32b/0x480
[ 53.236718][T18172] ___slab_alloc.constprop.0+0x339/0x750
[ 53.242313][T18172] kmem_cache_alloc_trace+0x2d0/0x340
[ 53.247652][T18172] kernfs_fop_open+0x244/0xc20
[ 53.252397][T18172] do_dentry_open+0x417/0x1020
[ 53.257146][T18172] vfs_open+0x9a/0xc0
[ 53.261099][T18172] path_openat+0x1dc6/0x38e0
[ 53.265663][T18172] do_filp_open+0x17d/0x3b0
[ 53.270141][T18172] do_sys_openat2+0x120/0x3c0
[ 53.274793][T18172] __x64_sys_openat+0x124/0x200
[ 53.279633][T18172] do_syscall_64+0x32/0x80
[ 53.284017][T18172] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 53.289873][T18172] page last free stack trace:
[ 53.294528][T18172] free_pcp_prepare+0x18f/0x200
[ 53.299368][T18172] free_unref_page+0x15/0x1c0
[ 53.304011][T18172] __free_pages+0x41/0x100
[ 53.308391][T18172] free_pages+0x3f/0x80
[ 53.312515][T18172] tlb_finish_mmu+0x1f7/0x790
[ 53.317158][T18172] unmap_region+0x291/0x370
[ 53.321625][T18172] __do_munmap+0x48b/0x1050
[ 53.326090][T18172] __do_sys_brk+0x3a9/0x790
[ 53.330563][T18172] __x64_sys_brk+0x2c/0x40
[ 53.334945][T18172] do_syscall_64+0x32/0x80
[ 53.339326][T18172] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 53.345190][T18172]
[ 53.347486][T18172] Memory state around the buggy address:
[ 53.353202][T18172] ffff8881135ab600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.361319][T18172] ffff8881135ab680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 53.369349][T18172] >ffff8881135ab700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 53.377374][T18172] ^
[ 53.384271][T18172] ffff8881135ab780: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 53.392560][T18172] ffff8881135ab800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.400597][T18172] ==================================================================
[ 53.408659][T18172] Disabling lock debugging due to kernel taint
[ 53.451185][ T818] ------------[ cut here ]------------
[ 53.463603][ T818] WARNING: CPU: 1 PID: 818 at fs/io_uring.c:7929 __io_uring_free+0x150/0x1b0
[ 53.492312][ T818] Modules linked in:
[ 53.505290][ T818] CPU: 1 PID: 818 Comm: kworker/u4:18 Tainted: G B 5.10.91-syzkaller #0
[ 53.529809][ T818] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 53.549514][ T818] Workqueue: events_unbound io_ring_exit_work
[ 53.559179][ T818] RIP: 0010:__io_uring_free+0x150/0x1b0
[ 53.571083][ T818] Code: 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 75 64 48 c7 83 a0 07 00 00 00 00 00 00 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d c3 <0f> 0b eb 8b 0f 0b e9 0e ff ff ff 4c 89 ef e8 3d ff e1 ff 48 8b 55
[ 53.594984][ T818] RSP: 0018:ffffc90001507c68 EFLAGS: 00010297
[ 53.602002][ T818] RAX: 0000000000000000 RBX: ffff888111df9380 RCX: 0000000000000000
[ 53.614581][ T818] RDX: ffff8881135ab758 RSI: 0000000000000004 RDI: ffff8881135ab798
[ 53.625938][ T818] RBP: ffffc90001507c98 R08: 0000000000000000 R09: ffff8881135ab79b
[ 53.639554][ T818] R10: ffffed10226b56f3 R11: 0000000000000000 R12: ffff8881135ab700
[ 53.648544][ T818] R13: ffff8881135ab798 R14: ffff888111df9b20 R15: ffff8881135ab7a0
[ 53.661404][ T818] FS: 0000000000000000(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
[ 53.672332][ T818] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 53.686613][ T818] CR2: 00007fd3b7283a89 CR3: 000000011a03c000 CR4: 00000000003506a0
[ 53.695909][ T818] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 53.706354][ T818] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 53.728814][ T818] Call Trace:
[ 53.732177][ T818] __put_task_struct+0xe4/0x4b0
[ 53.741077][ T818] io_ring_exit_work+0x7bd/0xa50
[ 53.746862][ T818] ? finish_task_switch+0x131/0x7b0
[ 53.762029][ T818] ? io_uring_flush+0x490/0x490
[ 53.768249][ T818] ? __kasan_check_read+0x11/0x20
[ 53.784469][ T818] ? read_word_at_a_time+0x12/0x20
[ 53.792052][ T818] ? strscpy+0x9a/0x2a0
[ 53.804405][ T818] process_one_work+0x635/0xf60
[ 53.809656][ T818] worker_thread+0x548/0xf20
[ 53.815643][ T818] ? rescuer_thread+0xc60/0xc60
[ 53.837404][ T818] kthread+0x345/0x420
[ 53.871067][ T818] ? schedule_tail+0xe9/0x1e0
[ 53.889485][ T818] ? kthread_bind_mask+0x10/0x10
[ 53.894651][ T818] ret_from_fork+0x1f/0x30
[ 53.926468][ T818] ---[ end trace 4c85de9ce10da0e5 ]---
2022/01/12 12:39:42 executed programs: 1711
2022/01/12 12:39:47 executed programs: 2205
[ 61.883610][T28275] ==================================================================
[ 61.891770][T28275] BUG: KASAN: double-free or invalid-free in kfree+0xc2/0x570
[ 61.899278][T28275]
[ 61.901582][T28275] CPU: 1 PID: 28275 Comm: syz-executor.3 Tainted: G B W 5.10.91-syzkaller #0
[ 61.911607][T28275] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.921815][T28275] Call Trace:
[ 61.925083][T28275] dump_stack_lvl+0x81/0xac
[ 61.929556][T28275] print_address_description.constprop.0+0x24/0x150
[ 61.936118][T28275] ? kfree+0xc2/0x570
[ 61.940075][T28275] kasan_report_invalid_free+0x56/0x80
[ 61.945519][T28275] ? kfree+0xc2/0x570
[ 61.949488][T28275] __kasan_slab_free+0x134/0x150
[ 61.954409][T28275] slab_free_freelist_hook+0x9b/0x1a0
[ 61.959754][T28275] ? io_dismantle_req+0xa17/0xf50
[ 61.964853][T28275] kfree+0xc2/0x570
[ 61.968638][T28275] ? debug_smp_processor_id+0x17/0x20
[ 61.973982][T28275] ? rcu_is_watching+0x13/0xc0
[ 61.978815][T28275] io_dismantle_req+0xa17/0xf50
[ 61.983654][T28275] ? _raw_write_lock_irqsave+0xe0/0xe0
[ 61.989086][T28275] ? __mutex_lock_slowpath+0x10/0x10
[ 61.994374][T28275] __io_free_req+0x8e/0x390
[ 61.998851][T28275] io_put_req+0x69/0xa0
[ 62.003064][T28275] io_free_work+0x10/0x20
[ 62.007368][T28275] io_wq_cancel_cb+0x313/0x680
[ 62.012105][T28275] ? io_wq_cancel_all+0x90/0x90
[ 62.016938][T28275] ? io_cancel_cb+0x50/0x50
[ 62.021429][T28275] ? _raw_spin_unlock_irq+0x42/0x6a
[ 62.026609][T28275] io_ring_ctx_wait_and_kill+0x184/0x5c0
[ 62.032228][T28275] ? io_iopoll_try_reap_events.part.0+0x1d0/0x1d0
[ 62.038625][T28275] ? fcntl_setlk+0xe60/0xe60
[ 62.043193][T28275] io_uring_release+0x3d/0x50
[ 62.047852][T28275] __fput+0x1a5/0x770
[ 62.051816][T28275] ____fput+0x9/0x10
[ 62.055686][T28275] task_work_run+0xc2/0x140
[ 62.060336][T28275] do_exit+0x966/0x23f0
[ 62.064476][T28275] ? mm_update_next_owner+0x690/0x690
[ 62.069824][T28275] ? __ia32_sys_mmap_pgoff+0x190/0x190
[ 62.076031][T28275] ? __kasan_check_write+0x14/0x20
[ 62.081107][T28275] ? _raw_spin_lock_irq+0x87/0x110
[ 62.086185][T28275] do_group_exit+0xe6/0x290
[ 62.090653][T28275] get_signal+0x312/0x1ad0
[ 62.095147][T28275] ? futex_exit_release+0x200/0x200
[ 62.100323][T28275] arch_do_signal+0x87/0x2640
[ 62.105413][T28275] ? rcu_cpu_kthread+0x5c0/0x5c0
[ 62.110344][T28275] ? kmem_cache_free+0x10e/0x4c0
[ 62.115342][T28275] ? clone_private_mount+0x300/0x300
[ 62.120604][T28275] ? security_file_free+0x91/0xb0
[ 62.125609][T28275] ? copy_siginfo_to_user32+0xa0/0xa0
[ 62.130962][T28275] ? percpu_counter_add_batch+0x82/0x160
[ 62.136657][T28275] ? __x64_sys_futex+0x2cb/0x3b0
[ 62.141741][T28275] ? copy_init_fpstate_to_fpregs+0x80/0x80
[ 62.147617][T28275] ? __unlock_page_memcg+0xb0/0xb0
[ 62.152868][T28275] ? do_futex+0x1380/0x1380
[ 62.157537][T28275] ? __kasan_check_write+0x14/0x20
[ 62.162629][T28275] exit_to_user_mode_prepare+0xb2/0xe0
[ 62.168161][T28275] syscall_exit_to_user_mode+0x27/0x160
[ 62.173677][T28275] do_syscall_64+0x3f/0x80
[ 62.178063][T28275] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 62.183922][T28275] RIP: 0033:0x7fcbf97d1ae9
[ 62.188496][T28275] Code: Unable to access opcode bytes at RIP 0x7fcbf97d1abf.
[ 62.195840][T28275] RSP: 002b:00007fcbf9706218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 62.204304][T28275] RAX: fffffffffffffe00 RBX: 00007fcbf98e50e8 RCX: 00007fcbf97d1ae9
[ 62.212264][T28275] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007fcbf98e50e8
[ 62.220203][T28275] RBP: 00007fcbf98e50e0 R08: 0000000000000000 R09: 0000000000000000
[ 62.228216][T28275] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fcbf98e50ec
[ 62.236246][T28275] R13: 00007ffc2ecc51df R14: 00007fcbf9706300 R15: 0000000000022000
[ 62.244188][T28275]
[ 62.246499][T28275] Allocated by task 28263:
[ 62.250882][T28275] kasan_save_stack+0x23/0x50
[ 62.255543][T28275] __kasan_kmalloc+0xa9/0xe0
[ 62.260098][T28275] kmem_cache_alloc_trace+0x1a9/0x340
[ 62.265437][T28275] io_uring_alloc_task_context+0x43/0x2a0
[ 62.271137][T28275] io_uring_add_task_file+0x1c8/0x250
[ 62.276470][T28275] io_uring_setup+0x174e/0x2dc0
[ 62.281298][T28275] __x64_sys_io_uring_setup+0x4f/0x70
[ 62.286630][T28275] do_syscall_64+0x32/0x80
[ 62.291010][T28275] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 62.296865][T28275]
[ 62.299159][T28275] The buggy address belongs to the object at ffff888117055100
[ 62.299159][T28275] which belongs to the cache kmalloc-192 of size 192
[ 62.313277][T28275] The buggy address is located 88 bytes inside of
[ 62.313277][T28275] 192-byte region [ffff888117055100, ffff8881170551c0)
[ 62.326599][T28275] The buggy address belongs to the page:
[ 62.332294][T28275] page:ffffea00045c1540 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x117055
[ 62.342501][T28275] flags: 0x8000000000000200(slab)
[ 62.347497][T28275] raw: 8000000000000200 ffffea0004595c80 0000000800000006 ffff888100043380
[ 62.356149][T28275] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 62.364701][T28275] page dumped because: kasan: bad access detected
[ 62.371077][T28275] page_owner tracks the page as allocated
[ 62.376849][T28275] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 160, ts 39720563293, free_ts 39715562755
[ 62.393571][T28275] post_alloc_hook+0x102/0x130
[ 62.398300][T28275] get_page_from_freelist+0x1ef5/0x3030
[ 62.403807][T28275] __alloc_pages_nodemask+0x28a/0x1f90
[ 62.409269][T28275] allocate_slab+0x32b/0x480
[ 62.414020][T28275] ___slab_alloc.constprop.0+0x339/0x750
[ 62.419617][T28275] kmem_cache_alloc_trace+0x2d0/0x340
[ 62.424956][T28275] kernfs_fop_open+0x244/0xc20
[ 62.429695][T28275] do_dentry_open+0x417/0x1020
[ 62.434510][T28275] vfs_open+0x9a/0xc0
[ 62.438556][T28275] path_openat+0x1dc6/0x38e0
[ 62.443109][T28275] do_filp_open+0x17d/0x3b0
[ 62.447588][T28275] do_sys_openat2+0x120/0x3c0
[ 62.452346][T28275] __x64_sys_openat+0x124/0x200
[ 62.457166][T28275] do_syscall_64+0x32/0x80
[ 62.461547][T28275] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 62.467498][T28275] page last free stack trace:
[ 62.472150][T28275] free_pcp_prepare+0x18f/0x200
[ 62.476966][T28275] free_unref_page_list+0x1ab/0x590
[ 62.482140][T28275] release_pages+0x37c/0xa10
[ 62.486696][T28275] free_pages_and_swap_cache+0x180/0x1e0
[ 62.492302][T28275] tlb_finish_mmu+0x129/0x790
[ 62.496942][T28275] exit_mmap+0x275/0x510
[ 62.501151][T28275] mmput+0x94/0x360
[ 62.505099][T28275] free_bprm+0x62/0x2b0
[ 62.509393][T28275] do_execveat_common+0x55e/0x730
[ 62.514393][T28275] __x64_sys_execve+0x8a/0xb0
[ 62.519038][T28275] do_syscall_64+0x32/0x80
[ 62.523425][T28275] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 62.529278][T28275]
[ 62.531582][T28275] Memory state around the buggy address:
[ 62.537525][T28275] ffff888117055000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.545562][T28275] ffff888117055080: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 62.553675][T28275] >ffff888117055100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 62.561699][T28275] ^
[ 62.568595][T28275] ffff888117055180: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 62.576618][T28275] ffff888117055200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.584649][T28275] ==================================================================