[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Load/Save RF Kill Switch Status.
[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.1.62' (ECDSA) to the list of known hosts.
2021/11/30 11:12:57 fuzzer started
2021/11/30 11:12:57 connecting to host at 10.128.0.169:38445
2021/11/30 11:12:57 checking machine...
2021/11/30 11:12:57 checking revisions...
2021/11/30 11:12:57 testing simple program...
syzkaller login: [ 82.407856][ T6564] cgroup: Unknown subsys name 'net'
[ 82.414313][ T6564]
[ 82.416652][ T6564] =========================
[ 82.421225][ T6564] WARNING: held lock freed!
[ 82.425719][ T6564] 5.16.0-rc3-next-20211130-syzkaller #0 Not tainted
[ 82.432350][ T6564] -------------------------
[ 82.436915][ T6564] syz-executor/6564 is freeing memory ffff888021ca5000-ffff888021ca51ff, with a lock still held there!
[ 82.447971][ T6564] ffff888021ca5148 (&root->kernfs_rwsem){++++}-{3:3}, at: kernfs_destroy_root+0x81/0xb0
[ 82.457837][ T6564] 2 locks held by syz-executor/6564:
[ 82.463119][ T6564] #0: ffffffff8bbc50c8 (cgroup_mutex){+.+.}-{3:3}, at: cgroup_lock_and_drain_offline+0xa5/0x900
[ 82.473642][ T6564] #1: ffff888021ca5148 (&root->kernfs_rwsem){++++}-{3:3}, at: kernfs_destroy_root+0x81/0xb0
[ 82.483981][ T6564]
[ 82.483981][ T6564] stack backtrace:
[ 82.489861][ T6564] CPU: 0 PID: 6564 Comm: syz-executor Not tainted 5.16.0-rc3-next-20211130-syzkaller #0
[ 82.499568][ T6564] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 82.509636][ T6564] Call Trace:
[ 82.512907][ T6564]
[ 82.515831][ T6564] dump_stack_lvl+0xcd/0x134
[ 82.520424][ T6564] debug_check_no_locks_freed.cold+0x9d/0xa9
[ 82.526595][ T6564] ? lockdep_hardirqs_on+0x79/0x100
[ 82.531822][ T6564] slab_free_freelist_hook+0x73/0x1c0
[ 82.537223][ T6564] ? kernfs_put.part.0+0x331/0x540
[ 82.542326][ T6564] kfree+0xe0/0x430
[ 82.546127][ T6564] ? kmem_cache_free+0xba/0x4a0
[ 82.551073][ T6564] ? rwlock_bug.part.0+0x90/0x90
[ 82.556047][ T6564] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 82.562288][ T6564] kernfs_put.part.0+0x331/0x540
[ 82.567272][ T6564] kernfs_put+0x42/0x50
[ 82.571544][ T6564] __kernfs_remove+0x7a3/0xb20
[ 82.576310][ T6564] ? kernfs_next_descendant_post+0x2f0/0x2f0
[ 82.582302][ T6564] ? down_write+0xde/0x150
[ 82.586712][ T6564] ? down_write_killable_nested+0x180/0x180
[ 82.592617][ T6564] kernfs_destroy_root+0x89/0xb0
[ 82.597905][ T6564] cgroup_setup_root+0x3a6/0xad0
[ 82.602938][ T6564] ? rebind_subsystems+0x10e0/0x10e0
[ 82.608225][ T6564] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 82.614462][ T6564] cgroup1_get_tree+0xd33/0x1390
[ 82.619402][ T6564] vfs_get_tree+0x89/0x2f0
[ 82.623839][ T6564] path_mount+0x1320/0x1fa0
[ 82.628353][ T6564] ? kmem_cache_free+0xba/0x4a0
[ 82.633199][ T6564] ? finish_automount+0xaf0/0xaf0
[ 82.638316][ T6564] ? putname+0xfe/0x140
[ 82.642554][ T6564] __x64_sys_mount+0x27f/0x300
[ 82.647331][ T6564] ? copy_mnt_ns+0xae0/0xae0
[ 82.651938][ T6564] ? syscall_enter_from_user_mode+0x21/0x70
[ 82.658182][ T6564] do_syscall_64+0x35/0xb0
[ 82.662686][ T6564] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 82.668663][ T6564] RIP: 0033:0x7f58b240801a
[ 82.673146][ T6564] Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 82.692748][ T6564] RSP: 002b:00007ffe6565de18 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 82.701263][ T6564] RAX: ffffffffffffffda RBX: 00007ffe6565dfa8 RCX: 00007f58b240801a
[ 82.709235][ T6564] RDX: 00007f58b246afe2 RSI: 00007f58b246129a RDI: 00007f58b245fd71
[ 82.717217][ T6564] RBP: 00007f58b246129a R08: 00007f58b24613f7 R09: 0000000000000026
[ 82.725413][ T6564] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe6565de20
[ 82.733402][ T6564] R13: 00007ffe6565dfc8 R14: 00007ffe6565def0 R15: 00007f58b24613f1
[ 82.741389][ T6564]
[ 82.745907][ T6564] ==================================================================
[ 82.753971][ T6564] BUG: KASAN: use-after-free in up_write+0x3ac/0x470
[ 82.760750][ T6564] Read of size 8 at addr ffff888021ca5140 by task syz-executor/6564
[ 82.768824][ T6564]
[ 82.771135][ T6564] CPU: 0 PID: 6564 Comm: syz-executor Not tainted 5.16.0-rc3-next-20211130-syzkaller #0
[ 82.780833][ T6564] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 82.790962][ T6564] Call Trace:
[ 82.794230][ T6564]
[ 82.797209][ T6564] dump_stack_lvl+0xcd/0x134
[ 82.801818][ T6564] print_address_description.constprop.0.cold+0xa5/0x3ed
[ 82.808968][ T6564] ? up_write+0x3ac/0x470
[ 82.813294][ T6564] ? up_write+0x3ac/0x470
[ 82.817615][ T6564] kasan_report.cold+0x83/0xdf
[ 82.822443][ T6564] ? up_write+0x3ac/0x470
[ 82.826769][ T6564] up_write+0x3ac/0x470
[ 82.830916][ T6564] cgroup_setup_root+0x3a6/0xad0
[ 82.835851][ T6564] ? rebind_subsystems+0x10e0/0x10e0
[ 82.841154][ T6564] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 82.847395][ T6564] cgroup1_get_tree+0xd33/0x1390
[ 82.852417][ T6564] vfs_get_tree+0x89/0x2f0
[ 82.856823][ T6564] path_mount+0x1320/0x1fa0
[ 82.861332][ T6564] ? kmem_cache_free+0xba/0x4a0
[ 82.866184][ T6564] ? finish_automount+0xaf0/0xaf0
[ 82.871202][ T6564] ? putname+0xfe/0x140
[ 82.875362][ T6564] __x64_sys_mount+0x27f/0x300
[ 82.880147][ T6564] ? copy_mnt_ns+0xae0/0xae0
[ 82.884755][ T6564] ? syscall_enter_from_user_mode+0x21/0x70
[ 82.890685][ T6564] do_syscall_64+0x35/0xb0
[ 82.895115][ T6564] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 82.900999][ T6564] RIP: 0033:0x7f58b240801a
[ 82.905408][ T6564] Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 82.925552][ T6564] RSP: 002b:00007ffe6565de18 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 82.933960][ T6564] RAX: ffffffffffffffda RBX: 00007ffe6565dfa8 RCX: 00007f58b240801a
[ 82.941922][ T6564] RDX: 00007f58b246afe2 RSI: 00007f58b246129a RDI: 00007f58b245fd71
[ 82.949900][ T6564] RBP: 00007f58b246129a R08: 00007f58b24613f7 R09: 0000000000000026
[ 82.957873][ T6564] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe6565de20
[ 82.965833][ T6564] R13: 00007ffe6565dfc8 R14: 00007ffe6565def0 R15: 00007f58b24613f1
[ 82.973795][ T6564]
[ 82.976811][ T6564]
[ 82.979119][ T6564] Allocated by task 6564:
[ 82.983429][ T6564] kasan_save_stack+0x1e/0x50
[ 82.989183][ T6564] __kasan_kmalloc+0xa9/0xd0
[ 82.993757][ T6564] kernfs_create_root+0x4c/0x410
[ 82.998683][ T6564] cgroup_setup_root+0x243/0xad0
[ 83.003608][ T6564] cgroup1_get_tree+0xd33/0x1390
[ 83.008530][ T6564] vfs_get_tree+0x89/0x2f0
[ 83.012930][ T6564] path_mount+0x1320/0x1fa0
[ 83.017420][ T6564] __x64_sys_mount+0x27f/0x300
[ 83.022168][ T6564] do_syscall_64+0x35/0xb0
[ 83.026583][ T6564] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 83.032473][ T6564]
[ 83.034806][ T6564] Freed by task 6564:
[ 83.038763][ T6564] kasan_save_stack+0x1e/0x50
[ 83.043428][ T6564] kasan_set_track+0x21/0x30
[ 83.048063][ T6564] kasan_set_free_info+0x20/0x30
[ 83.053014][ T6564] __kasan_slab_free+0x103/0x170
[ 83.057947][ T6564] slab_free_freelist_hook+0x8b/0x1c0
[ 83.063354][ T6564] kfree+0xe0/0x430
[ 83.067160][ T6564] kernfs_put.part.0+0x331/0x540
[ 83.072091][ T6564] kernfs_put+0x42/0x50
[ 83.076233][ T6564] __kernfs_remove+0x7a3/0xb20
[ 83.081101][ T6564] kernfs_destroy_root+0x89/0xb0
[ 83.086075][ T6564] cgroup_setup_root+0x3a6/0xad0
[ 83.091017][ T6564] cgroup1_get_tree+0xd33/0x1390
[ 83.096039][ T6564] vfs_get_tree+0x89/0x2f0
[ 83.100595][ T6564] path_mount+0x1320/0x1fa0
[ 83.105095][ T6564] __x64_sys_mount+0x27f/0x300
[ 83.109940][ T6564] do_syscall_64+0x35/0xb0
[ 83.114515][ T6564] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 83.120484][ T6564]
[ 83.122789][ T6564] The buggy address belongs to the object at ffff888021ca5000
[ 83.122789][ T6564] which belongs to the cache kmalloc-512 of size 512
[ 83.136820][ T6564] The buggy address is located 320 bytes inside of
[ 83.136820][ T6564] 512-byte region [ffff888021ca5000, ffff888021ca5200)
[ 83.150263][ T6564] The buggy address belongs to the page:
[ 83.155907][ T6564] page:ffffea0000872900 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x21ca4
[ 83.166045][ T6564] head:ffffea0000872900 order:2 compound_mapcount:0 compound_pincount:0
[ 83.174458][ T6564] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 83.182475][ T6564] raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888010c41c80
[ 83.191069][ T6564] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 83.199644][ T6564] page dumped because: kasan: bad access detected
[ 83.206226][ T6564] page_owner tracks the page as allocated
[ 83.212035][ T6564] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 2970, ts 37698408242, free_ts 28333119619
[ 83.231143][ T6564] get_page_from_freelist+0xa72/0x2f40
[ 83.236620][ T6564] __alloc_pages+0x1b2/0x500
[ 83.241292][ T6564] alloc_pages+0x1a7/0x300
[ 83.245792][ T6564] new_slab+0x261/0x460
[ 83.250164][ T6564] ___slab_alloc+0x798/0xf30
[ 83.254826][ T6564] __slab_alloc.constprop.0+0x4d/0xa0
[ 83.260201][ T6564] __kmalloc_node_track_caller+0x2cb/0x360
[ 83.266019][ T6564] __alloc_skb+0xde/0x340
[ 83.270466][ T6564] netlink_sendmsg+0x967/0xda0
[ 83.275225][ T6564] sock_sendmsg+0xcf/0x120
[ 83.279628][ T6564] ____sys_sendmsg+0x6e8/0x810
[ 83.284394][ T6564] ___sys_sendmsg+0xf3/0x170
[ 83.289228][ T6564] __sys_sendmsg+0xe5/0x1b0
[ 83.293716][ T6564] do_syscall_64+0x35/0xb0
[ 83.298120][ T6564] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 83.303999][ T6564] page last free stack trace:
[ 83.309519][ T6564] free_pcp_prepare+0x414/0xb60
[ 83.314373][ T6564] free_unref_page+0x19/0x690
[ 83.319032][ T6564] __unfreeze_partials+0x19f/0x1c0
[ 83.324136][ T6564] qlist_free_all+0x5a/0xf0
[ 83.328622][ T6564] kasan_quarantine_reduce+0x180/0x200
[ 83.334073][ T6564] __kasan_slab_alloc+0xa2/0xc0
[ 83.338928][ T6564] kmem_cache_alloc+0x202/0x3a0
[ 83.343764][ T6564] prepare_creds+0x3f/0x7b0
[ 83.348267][ T6564] do_faccessat+0x3f4/0x850
[ 83.352775][ T6564] do_syscall_64+0x35/0xb0
[ 83.357185][ T6564] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 83.363062][ T6564]
[ 83.365376][ T6564] Memory state around the buggy address:
[ 83.370990][ T6564] ffff888021ca5000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 83.379033][ T6564] ffff888021ca5080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 83.387253][ T6564] >ffff888021ca5100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 83.395403][ T6564] ^
[ 83.401534][ T6564] ffff888021ca5180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 83.409660][ T6564] ffff888021ca5200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 83.417721][ T6564] ==================================================================
[ 83.427811][ T6564] Kernel panic - not syncing: panic_on_warn set ...
[ 83.434404][ T6564] CPU: 0 PID: 6564 Comm: syz-executor Tainted: G B 5.16.0-rc3-next-20211130-syzkaller #0
[ 83.445862][ T6564] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 83.456172][ T6564] Call Trace:
[ 83.459449][ T6564]
[ 83.462374][ T6564] dump_stack_lvl+0xcd/0x134
[ 83.466995][ T6564] panic+0x2b0/0x6dd
[ 83.470893][ T6564] ? __warn_printk+0xf3/0xf3
[ 83.475504][ T6564] ? preempt_schedule_common+0x59/0xc0
[ 83.480964][ T6564] ? up_write+0x3ac/0x470
[ 83.485381][ T6564] ? preempt_schedule_thunk+0x16/0x18
[ 83.490854][ T6564] ? trace_hardirqs_on+0x38/0x1c0
[ 83.495890][ T6564] ? trace_hardirqs_on+0x51/0x1c0
[ 83.500998][ T6564] ? up_write+0x3ac/0x470
[ 83.505499][ T6564] ? up_write+0x3ac/0x470
[ 83.509839][ T6564] end_report.cold+0x63/0x6f
[ 83.514520][ T6564] kasan_report.cold+0x71/0xdf
[ 83.519289][ T6564] ? up_write+0x3ac/0x470
[ 83.523618][ T6564] up_write+0x3ac/0x470
[ 83.527781][ T6564] cgroup_setup_root+0x3a6/0xad0
[ 83.532727][ T6564] ? rebind_subsystems+0x10e0/0x10e0
[ 83.538108][ T6564] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 83.544441][ T6564] cgroup1_get_tree+0xd33/0x1390
[ 83.549384][ T6564] vfs_get_tree+0x89/0x2f0
[ 83.553890][ T6564] path_mount+0x1320/0x1fa0
[ 83.558593][ T6564] ? kmem_cache_free+0xba/0x4a0
[ 83.563536][ T6564] ? finish_automount+0xaf0/0xaf0
[ 83.568575][ T6564] ? putname+0xfe/0x140
[ 83.572737][ T6564] __x64_sys_mount+0x27f/0x300
[ 83.577502][ T6564] ? copy_mnt_ns+0xae0/0xae0
[ 83.582092][ T6564] ? syscall_enter_from_user_mode+0x21/0x70
[ 83.587990][ T6564] do_syscall_64+0x35/0xb0
[ 83.592514][ T6564] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 83.598497][ T6564] RIP: 0033:0x7f58b240801a
[ 83.602929][ T6564] Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 83.623766][ T6564] RSP: 002b:00007ffe6565de18 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 83.632183][ T6564] RAX: ffffffffffffffda RBX: 00007ffe6565dfa8 RCX: 00007f58b240801a
[ 83.640866][ T6564] RDX: 00007f58b246afe2 RSI: 00007f58b246129a RDI: 00007f58b245fd71
[ 83.648866][ T6564] RBP: 00007f58b246129a R08: 00007f58b24613f7 R09: 0000000000000026
[ 83.657025][ T6564] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe6565de20
[ 83.664991][ T6564] R13: 00007ffe6565dfc8 R14: 00007ffe6565def0 R15: 00007f58b24613f1
[ 83.672987][ T6564]
[ 83.676345][ T6564] Kernel Offset: disabled
[ 83.680655][ T6564] Rebooting in 86400 seconds..