[ OK ] Reached target Graphical Interface.
       Starting Update UTMP about System Runlevel Changes...
       Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.83' (ECDSA) to the list of known hosts.
2021/11/29 15:17:29 fuzzer started
2021/11/29 15:17:29 connecting to host at 10.128.0.169:35765
2021/11/29 15:17:29 checking machine...
2021/11/29 15:17:29 checking revisions...
2021/11/29 15:17:29 testing simple program...
syzkaller login: [ 76.254156][ T6535] cgroup: Unknown subsys name 'net'
[ 76.260679][ T6535]
[ 76.263141][ T6535] =========================
[ 76.267625][ T6535] WARNING: held lock freed!
[ 76.272154][ T6535] 5.16.0-rc2-next-20211129-syzkaller #0 Not tainted
[ 76.278741][ T6535] -------------------------
[ 76.283229][ T6535] syz-executor/6535 is freeing memory ffff88801e1ea400-ffff88801e1ea5ff, with a lock still held there!
[ 76.294242][ T6535] ffff88801e1ea548 (&root->kernfs_rwsem){++++}-{3:3}, at: kernfs_destroy_root+0x81/0xb0
[ 76.303998][ T6535] 2 locks held by syz-executor/6535:
[ 76.309273][ T6535]  #0: ffffffff8bbc5d08 (cgroup_mutex){+.+.}-{3:3}, at: cgroup_lock_and_drain_offline+0xa5/0x900
[ 76.320009][ T6535]  #1: ffff88801e1ea548 (&root->kernfs_rwsem){++++}-{3:3}, at: kernfs_destroy_root+0x81/0xb0
[ 76.330214][ T6535]
[ 76.330214][ T6535] stack backtrace:
[ 76.336088][ T6535] CPU: 0 PID: 6535 Comm: syz-executor Not tainted 5.16.0-rc2-next-20211129-syzkaller #0
[ 76.345799][ T6535] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 76.355845][ T6535] Call Trace:
[ 76.359121][ T6535]
[ 76.362045][ T6535]  dump_stack_lvl+0xcd/0x134
[ 76.366657][ T6535]  debug_check_no_locks_freed.cold+0x9d/0xa9
[ 76.372637][ T6535]  ? lockdep_hardirqs_on+0x79/0x100
[ 76.377833][ T6535]  slab_free_freelist_hook+0x73/0x1c0
[ 76.383205][ T6535]  ? kernfs_put.part.0+0x331/0x540
[ 76.388316][ T6535]  kfree+0xe0/0x430
[ 76.392123][ T6535]  ? kmem_cache_free+0xba/0x4a0
[ 76.396972][ T6535]  ? rwlock_bug.part.0+0x90/0x90
[ 76.401909][ T6535]  ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 76.408156][ T6535]  kernfs_put.part.0+0x331/0x540
[ 76.413097][ T6535]  kernfs_put+0x42/0x50
[ 76.417256][ T6535]  __kernfs_remove+0x7a3/0xb20
[ 76.422023][ T6535]  ? kernfs_next_descendant_post+0x2f0/0x2f0
[ 76.428006][ T6535]  ? down_write+0xde/0x150
[ 76.432435][ T6535]  ? down_write_killable_nested+0x180/0x180
[ 76.438330][ T6535]  kernfs_destroy_root+0x89/0xb0
[ 76.443275][ T6535]  cgroup_setup_root+0x3a6/0xad0
[ 76.448228][ T6535]  ? rebind_subsystems+0x10e0/0x10e0
[ 76.453514][ T6535]  ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 76.459759][ T6535]  cgroup1_get_tree+0xd33/0x1390
[ 76.464697][ T6535]  vfs_get_tree+0x89/0x2f0
[ 76.469113][ T6535]  path_mount+0x1320/0x1fa0
[ 76.473704][ T6535]  ? kmem_cache_free+0xba/0x4a0
[ 76.478558][ T6535]  ? finish_automount+0xaf0/0xaf0
[ 76.483581][ T6535]  ? putname+0xfe/0x140
[ 76.487738][ T6535]  __x64_sys_mount+0x27f/0x300
[ 76.492500][ T6535]  ? copy_mnt_ns+0xae0/0xae0
[ 76.497090][ T6535]  ? syscall_enter_from_user_mode+0x21/0x70
[ 76.502996][ T6535]  do_syscall_64+0x35/0xb0
[ 76.507437][ T6535]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 76.513349][ T6535] RIP: 0033:0x7f7853f1b01a
[ 76.517771][ T6535] Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 76.537379][ T6535] RSP: 002b:00007ffdb15861b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 76.545795][ T6535] RAX: ffffffffffffffda RBX: 00007ffdb1586348 RCX: 00007f7853f1b01a
[ 76.553864][ T6535] RDX: 00007f7853f7dfe2 RSI: 00007f7853f7429a RDI: 00007f7853f72d71
[ 76.561845][ T6535] RBP: 00007f7853f7429a R08: 00007f7853f743f7 R09: 0000000000000026
[ 76.569808][ T6535] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdb15861c0
[ 76.577769][ T6535] R13: 00007ffdb1586368 R14: 00007ffdb1586290 R15: 00007f7853f743f1
[ 76.585741][ T6535]
[ 76.595094][ T6535] ==================================================================
[ 76.603196][ T6535] BUG: KASAN: use-after-free in up_write+0x3ac/0x470
[ 76.609885][ T6535] Read of size 8 at addr ffff88801e1ea540 by task syz-executor/6535
[ 76.617868][ T6535]
[ 76.620184][ T6535] CPU: 0 PID: 6535 Comm: syz-executor Not tainted 5.16.0-rc2-next-20211129-syzkaller #0
[ 76.629907][ T6535] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 76.639952][ T6535] Call Trace:
[ 76.643222][ T6535]
[ 76.646145][ T6535]  dump_stack_lvl+0xcd/0x134
[ 76.650747][ T6535]  print_address_description.constprop.0.cold+0xa5/0x3ed
[ 76.657771][ T6535]  ? up_write+0x3ac/0x470
[ 76.662182][ T6535]  ? up_write+0x3ac/0x470
[ 76.666506][ T6535]  kasan_report.cold+0x83/0xdf
[ 76.671270][ T6535]  ? up_write+0x3ac/0x470
[ 76.675647][ T6535]  up_write+0x3ac/0x470
[ 76.679803][ T6535]  cgroup_setup_root+0x3a6/0xad0
[ 76.684744][ T6535]  ? rebind_subsystems+0x10e0/0x10e0
[ 76.690030][ T6535]  ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 76.696275][ T6535]  cgroup1_get_tree+0xd33/0x1390
[ 76.701476][ T6535]  vfs_get_tree+0x89/0x2f0
[ 76.705892][ T6535]  path_mount+0x1320/0x1fa0
[ 76.710399][ T6535]  ? kmem_cache_free+0xba/0x4a0
[ 76.715257][ T6535]  ? finish_automount+0xaf0/0xaf0
[ 76.720298][ T6535]  ? putname+0xfe/0x140
[ 76.724469][ T6535]  __x64_sys_mount+0x27f/0x300
[ 76.729249][ T6535]  ? copy_mnt_ns+0xae0/0xae0
[ 76.733839][ T6535]  ? syscall_enter_from_user_mode+0x21/0x70
[ 76.740083][ T6535]  do_syscall_64+0x35/0xb0
[ 76.744509][ T6535]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 76.750504][ T6535] RIP: 0033:0x7f7853f1b01a
[ 76.754917][ T6535] Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 76.774521][ T6535] RSP: 002b:00007ffdb15861b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 76.782927][ T6535] RAX: ffffffffffffffda RBX: 00007ffdb1586348 RCX: 00007f7853f1b01a
[ 76.790914][ T6535] RDX: 00007f7853f7dfe2 RSI: 00007f7853f7429a RDI: 00007f7853f72d71
[ 76.798892][ T6535] RBP: 00007f7853f7429a R08: 00007f7853f743f7 R09: 0000000000000026
[ 76.806857][ T6535] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdb15861c0
[ 76.814820][ T6535] R13: 00007ffdb1586368 R14: 00007ffdb1586290 R15: 00007f7853f743f1
[ 76.822792][ T6535]
[ 76.825801][ T6535]
[ 76.828113][ T6535] Allocated by task 6535:
[ 76.832425][ T6535]  kasan_save_stack+0x1e/0x50
[ 76.837103][ T6535]  __kasan_kmalloc+0xa9/0xd0
[ 76.841691][ T6535]  kernfs_create_root+0x4c/0x410
[ 76.846641][ T6535]  cgroup_setup_root+0x243/0xad0
[ 76.851578][ T6535]  cgroup1_get_tree+0xd33/0x1390
[ 76.856512][ T6535]  vfs_get_tree+0x89/0x2f0
[ 76.860938][ T6535]  path_mount+0x1320/0x1fa0
[ 76.865443][ T6535]  __x64_sys_mount+0x27f/0x300
[ 76.870203][ T6535]  do_syscall_64+0x35/0xb0
[ 76.874616][ T6535]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 76.880509][ T6535]
[ 76.882823][ T6535] Freed by task 6535:
[ 76.886788][ T6535]  kasan_save_stack+0x1e/0x50
[ 76.891463][ T6535]  kasan_set_track+0x21/0x30
[ 76.896051][ T6535]  kasan_set_free_info+0x20/0x30
[ 76.900982][ T6535]  __kasan_slab_free+0x103/0x170
[ 76.905920][ T6535]  slab_free_freelist_hook+0x8b/0x1c0
[ 76.911296][ T6535]  kfree+0xe0/0x430
[ 76.915115][ T6535]  kernfs_put.part.0+0x331/0x540
[ 76.920048][ T6535]  kernfs_put+0x42/0x50
[ 76.924199][ T6535]  __kernfs_remove+0x7a3/0xb20
[ 76.928963][ T6535]  kernfs_destroy_root+0x89/0xb0
[ 76.933906][ T6535]  cgroup_setup_root+0x3a6/0xad0
[ 76.938857][ T6535]  cgroup1_get_tree+0xd33/0x1390
[ 76.943810][ T6535]  vfs_get_tree+0x89/0x2f0
[ 76.948238][ T6535]  path_mount+0x1320/0x1fa0
[ 76.952743][ T6535]  __x64_sys_mount+0x27f/0x300
[ 76.957507][ T6535]  do_syscall_64+0x35/0xb0
[ 76.961932][ T6535]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 76.968272][ T6535]
[ 76.970582][ T6535] The buggy address belongs to the object at ffff88801e1ea400
[ 76.970582][ T6535]  which belongs to the cache kmalloc-512 of size 512
[ 76.984624][ T6535] The buggy address is located 320 bytes inside of
[ 76.984624][ T6535]  512-byte region [ffff88801e1ea400, ffff88801e1ea600)
[ 76.997906][ T6535] The buggy address belongs to the page:
[ 77.003522][ T6535] page:ffffea0000787a00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1e1e8
[ 77.013667][ T6535] head:ffffea0000787a00 order:2 compound_mapcount:0 compound_pincount:0
[ 77.021996][ T6535] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 77.029978][ T6535] raw: 00fff00000010200 ffffea000063a900 dead000000000002 ffff888010c41c80
[ 77.038558][ T6535] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 77.047127][ T6535] page dumped because: kasan: bad access detected
[ 77.053528][ T6535] page_owner tracks the page as allocated
[ 77.059227][ T6535] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5557, ts 49272281122, free_ts 41642428720
[ 77.078334][ T6535]  get_page_from_freelist+0xa72/0x2f40
[ 77.083794][ T6535]  __alloc_pages+0x1b2/0x500
[ 77.088381][ T6535]  alloc_pages+0x1a7/0x300
[ 77.092796][ T6535]  new_slab+0x261/0x460
[ 77.096960][ T6535]  ___slab_alloc+0x798/0xf30
[ 77.101546][ T6535]  __slab_alloc.constprop.0+0x4d/0xa0
[ 77.106918][ T6535]  kmem_cache_alloc_trace+0x289/0x2c0
[ 77.112313][ T6535]  alloc_bprm+0x51/0x8f0
[ 77.116554][ T6535]  do_execveat_common+0x232/0x780
[ 77.121576][ T6535]  __x64_sys_execve+0x8f/0xc0
[ 77.126254][ T6535]  do_syscall_64+0x35/0xb0
[ 77.130673][ T6535]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 77.136572][ T6535] page last free stack trace:
[ 77.141238][ T6535]  free_pcp_prepare+0x414/0xb60
[ 77.146096][ T6535]  free_unref_page+0x19/0x690
[ 77.150787][ T6535]  qlist_free_all+0x5a/0xf0
[ 77.155303][ T6535]  kasan_quarantine_reduce+0x180/0x200
[ 77.160765][ T6535]  __kasan_slab_alloc+0xa2/0xc0
[ 77.165648][ T6535]  kmem_cache_alloc+0x202/0x3a0
[ 77.170502][ T6535]  getname_flags.part.0+0x50/0x4f0
[ 77.175626][ T6535]  getname_flags+0x9a/0xe0
[ 77.180038][ T6535]  user_path_at_empty+0x2b/0x60
[ 77.184884][ T6535]  vfs_statx+0x142/0x390
[ 77.189120][ T6535]  __do_sys_newlstat+0x91/0x110
[ 77.193963][ T6535]  do_syscall_64+0x35/0xb0
[ 77.198393][ T6535]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 77.204286][ T6535]
[ 77.206598][ T6535] Memory state around the buggy address:
[ 77.212213][ T6535]  ffff88801e1ea400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.220355][ T6535]  ffff88801e1ea480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.228422][ T6535] >ffff88801e1ea500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.236492][ T6535]                                            ^
[ 77.242639][ T6535]  ffff88801e1ea580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.250690][ T6535]  ffff88801e1ea600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 77.258735][ T6535] ==================================================================
[ 77.281773][ T6535] Kernel panic - not syncing: panic_on_warn set ...
[ 77.288384][ T6535] CPU: 0 PID: 6535 Comm: syz-executor Tainted: G B 5.16.0-rc2-next-20211129-syzkaller #0
[ 77.299505][ T6535] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 77.309653][ T6535] Call Trace:
[ 77.312928][ T6535]
[ 77.315848][ T6535]  dump_stack_lvl+0xcd/0x134
[ 77.320437][ T6535]  panic+0x2b0/0x6dd
[ 77.324328][ T6535]  ? __warn_printk+0xf3/0xf3
[ 77.328914][ T6535]  ? preempt_schedule_common+0x59/0xc0
[ 77.334375][ T6535]  ? up_write+0x3ac/0x470
[ 77.338699][ T6535]  ? preempt_schedule_thunk+0x16/0x18
[ 77.344070][ T6535]  ? trace_hardirqs_on+0x38/0x1c0
[ 77.349105][ T6535]  ? trace_hardirqs_on+0x51/0x1c0
[ 77.354138][ T6535]  ? up_write+0x3ac/0x470
[ 77.358466][ T6535]  ? up_write+0x3ac/0x470
[ 77.362791][ T6535]  end_report.cold+0x63/0x6f
[ 77.367379][ T6535]  kasan_report.cold+0x71/0xdf
[ 77.372138][ T6535]  ? up_write+0x3ac/0x470
[ 77.376459][ T6535]  up_write+0x3ac/0x470
[ 77.380658][ T6535]  cgroup_setup_root+0x3a6/0xad0
[ 77.385598][ T6535]  ? rebind_subsystems+0x10e0/0x10e0
[ 77.390885][ T6535]  ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 77.397136][ T6535]  cgroup1_get_tree+0xd33/0x1390
[ 77.402075][ T6535]  vfs_get_tree+0x89/0x2f0
[ 77.406576][ T6535]  path_mount+0x1320/0x1fa0
[ 77.412988][ T6535]  ? kmem_cache_free+0xba/0x4a0
[ 77.417836][ T6535]  ? finish_automount+0xaf0/0xaf0
[ 77.422857][ T6535]  ? putname+0xfe/0x140
[ 77.427008][ T6535]  __x64_sys_mount+0x27f/0x300
[ 77.431975][ T6535]  ? copy_mnt_ns+0xae0/0xae0
[ 77.436566][ T6535]  ? syscall_enter_from_user_mode+0x21/0x70
[ 77.442474][ T6535]  do_syscall_64+0x35/0xb0
[ 77.446892][ T6535]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 77.452801][ T6535] RIP: 0033:0x7f7853f1b01a
[ 77.457226][ T6535] Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 77.476831][ T6535] RSP: 002b:00007ffdb15861b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 77.485248][ T6535] RAX: ffffffffffffffda RBX: 00007ffdb1586348 RCX: 00007f7853f1b01a
[ 77.493223][ T6535] RDX: 00007f7853f7dfe2 RSI: 00007f7853f7429a RDI: 00007f7853f72d71
[ 77.501190][ T6535] RBP: 00007f7853f7429a R08: 00007f7853f743f7 R09: 0000000000000026
[ 77.509155][ T6535] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdb15861c0
[ 77.517135][ T6535] R13: 00007ffdb1586368 R14: 00007ffdb1586290 R15: 00007f7853f743f1
[ 77.525108][ T6535]
[ 77.528384][ T6535] Kernel Offset: disabled
[ 77.532740][ T6535] Rebooting in 86400 seconds..