[�[0;32m OK �[0m] Started Getty on tty2.
[�[0;32m OK �[0m] Started Getty on tty1.
[�[0;32m OK �[0m] Started Serial Getty on ttyS0.
[�[0;32m OK �[0m] Started OpenBSD Secure Shell server.
[�[0;32m OK �[0m] Started getty on tty2-tty6 if dbus and logind are not available.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.24' (ECDSA) to the list of known hosts.
2021/12/03 08:48:00 fuzzer started
2021/12/03 08:48:00 connecting to host at 10.128.0.169:41809
2021/12/03 08:48:00 checking machine...
2021/12/03 08:48:00 checking revisions...
2021/12/03 08:48:00 testing simple program...
syzkaller login: [ 73.885807][ T6533] cgroup: Unknown subsys name 'net'
[ 73.892129][ T6533]
[ 73.894471][ T6533] =========================
[ 73.899129][ T6533] WARNING: held lock freed!
[ 73.903626][ T6533] 5.16.0-rc3-next-20211203-syzkaller #0 Not tainted
[ 73.910189][ T6533] -------------------------
[ 73.914667][ T6533] syz-executor/6533 is freeing memory ffff888022eddc00-ffff888022edddff, with a lock still held there!
[ 73.925677][ T6533] ffff888022eddd48 (&root->kernfs_rwsem){++++}-{3:3}, at: kernfs_destroy_root+0x81/0xb0
[ 73.935450][ T6533] 2 locks held by syz-executor/6533:
[ 73.940805][ T6533] #0: ffffffff8bbc4e48 (cgroup_mutex){+.+.}-{3:3}, at: cgroup_lock_and_drain_offline+0xa5/0x900
[ 73.951323][ T6533] #1: ffff888022eddd48 (&root->kernfs_rwsem){++++}-{3:3}, at: kernfs_destroy_root+0x81/0xb0
[ 73.961497][ T6533]
[ 73.961497][ T6533] stack backtrace:
[ 73.967387][ T6533] CPU: 0 PID: 6533 Comm: syz-executor Not tainted 5.16.0-rc3-next-20211203-syzkaller #0
[ 73.977090][ T6533] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 73.987144][ T6533] Call Trace:
[ 73.990416][ T6533] <TASK>
[ 73.993345][ T6533] dump_stack_lvl+0xcd/0x134
[ 73.997973][ T6533] debug_check_no_locks_freed.cold+0x9d/0xa9
[ 74.003951][ T6533] ? lockdep_hardirqs_on+0x79/0x100
[ 74.009504][ T6533] slab_free_freelist_hook+0x73/0x1c0
[ 74.014866][ T6533] ? kernfs_put.part.0+0x331/0x540
[ 74.019976][ T6533] kfree+0xd0/0x4b0
[ 74.023772][ T6533] ? kmem_cache_free+0xdd/0x580
[ 74.028629][ T6533] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 74.034873][ T6533] kernfs_put.part.0+0x331/0x540
[ 74.039820][ T6533] kernfs_put+0x42/0x50
[ 74.043981][ T6533] __kernfs_remove+0x7a3/0xb20
[ 74.048758][ T6533] ? kernfs_next_descendant_post+0x2f0/0x2f0
[ 74.054727][ T6533] ? down_write+0xde/0x150
[ 74.059151][ T6533] ? down_write_killable_nested+0x180/0x180
[ 74.065039][ T6533] kernfs_destroy_root+0x89/0xb0
[ 74.069974][ T6533] cgroup_setup_root+0x3a6/0xad0
[ 74.074994][ T6533] ? rebind_subsystems+0x10e0/0x10e0
[ 74.080270][ T6533] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 74.086508][ T6533] cgroup1_get_tree+0xd33/0x1390
[ 74.091434][ T6533] vfs_get_tree+0x89/0x2f0
[ 74.095960][ T6533] path_mount+0x1320/0x1fa0
[ 74.100469][ T6533] ? kmem_cache_free+0xdd/0x580
[ 74.105320][ T6533] ? finish_automount+0xaf0/0xaf0
[ 74.110339][ T6533] ? putname+0xfe/0x140
[ 74.114487][ T6533] __x64_sys_mount+0x27f/0x300
[ 74.119249][ T6533] ? copy_mnt_ns+0xae0/0xae0
[ 74.123838][ T6533] ? syscall_enter_from_user_mode+0x21/0x70
[ 74.129789][ T6533] do_syscall_64+0x35/0xb0
[ 74.134335][ T6533] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 74.140315][ T6533] RIP: 0033:0x7fe70e84201a
[ 74.144730][ T6533] Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 74.165324][ T6533] RSP: 002b:00007ffcd9627338 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 74.173756][ T6533] RAX: ffffffffffffffda RBX: 00007ffcd96274c8 RCX: 00007fe70e84201a
[ 74.181832][ T6533] RDX: 00007fe70e8a4fe2 RSI: 00007fe70e89b29a RDI: 00007fe70e899d71
[ 74.189797][ T6533] RBP: 00007fe70e89b29a R08: 00007fe70e89b3f7 R09: 0000000000000026
[ 74.197766][ T6533] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffcd9627340
[ 74.205811][ T6533] R13: 00007ffcd96274e8 R14: 00007ffcd9627410 R15: 00007fe70e89b3f1
[ 74.213863][ T6533] </TASK>
[ 74.218311][ T6533] ==================================================================
[ 74.226410][ T6533] BUG: KASAN: use-after-free in up_write+0x3ac/0x470
[ 74.233090][ T6533] Read of size 8 at addr ffff888022eddd40 by task syz-executor/6533
[ 74.241233][ T6533]
[ 74.243546][ T6533] CPU: 1 PID: 6533 Comm: syz-executor Not tainted 5.16.0-rc3-next-20211203-syzkaller #0
[ 74.253250][ T6533] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 74.263320][ T6533] Call Trace:
[ 74.266593][ T6533] <TASK>
[ 74.269515][ T6533] dump_stack_lvl+0xcd/0x134
[ 74.274118][ T6533] print_address_description.constprop.0.cold+0xa5/0x3ed
[ 74.281292][ T6533] ? up_write+0x3ac/0x470
[ 74.285816][ T6533] ? up_write+0x3ac/0x470
[ 74.290252][ T6533] kasan_report.cold+0x83/0xdf
[ 74.295332][ T6533] ? up_write+0x3ac/0x470
[ 74.299668][ T6533] up_write+0x3ac/0x470
[ 74.304008][ T6533] cgroup_setup_root+0x3a6/0xad0
[ 74.309119][ T6533] ? rebind_subsystems+0x10e0/0x10e0
[ 74.314657][ T6533] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 74.321316][ T6533] cgroup1_get_tree+0xd33/0x1390
[ 74.327323][ T6533] vfs_get_tree+0x89/0x2f0
[ 74.332000][ T6533] path_mount+0x1320/0x1fa0
[ 74.336530][ T6533] ? kmem_cache_free+0xdd/0x580
[ 74.342017][ T6533] ? finish_automount+0xaf0/0xaf0
[ 74.347592][ T6533] ? putname+0xfe/0x140
[ 74.352772][ T6533] __x64_sys_mount+0x27f/0x300
[ 74.357545][ T6533] ? copy_mnt_ns+0xae0/0xae0
[ 74.362131][ T6533] ? syscall_enter_from_user_mode+0x21/0x70
[ 74.368949][ T6533] do_syscall_64+0x35/0xb0
[ 74.373462][ T6533] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 74.379354][ T6533] RIP: 0033:0x7fe70e84201a
[ 74.384029][ T6533] Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 74.404121][ T6533] RSP: 002b:00007ffcd9627338 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 74.412900][ T6533] RAX: ffffffffffffffda RBX: 00007ffcd96274c8 RCX: 00007fe70e84201a
[ 74.421424][ T6533] RDX: 00007fe70e8a4fe2 RSI: 00007fe70e89b29a RDI: 00007fe70e899d71
[ 74.429847][ T6533] RBP: 00007fe70e89b29a R08: 00007fe70e89b3f7 R09: 0000000000000026
[ 74.438890][ T6533] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffcd9627340
[ 74.447045][ T6533] R13: 00007ffcd96274e8 R14: 00007ffcd9627410 R15: 00007fe70e89b3f1
[ 74.455135][ T6533] </TASK>
[ 74.458161][ T6533]
[ 74.460553][ T6533] Allocated by task 6533:
[ 74.464955][ T6533] kasan_save_stack+0x1e/0x40
[ 74.469639][ T6533] __kasan_kmalloc+0xa9/0xd0
[ 74.474480][ T6533] kernfs_create_root+0x4c/0x410
[ 74.479703][ T6533] cgroup_setup_root+0x243/0xad0
[ 74.484766][ T6533] cgroup1_get_tree+0xd33/0x1390
[ 74.489878][ T6533] vfs_get_tree+0x89/0x2f0
[ 74.494364][ T6533] path_mount+0x1320/0x1fa0
[ 74.499237][ T6533] __x64_sys_mount+0x27f/0x300
[ 74.504193][ T6533] do_syscall_64+0x35/0xb0
[ 74.508950][ T6533] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 74.514864][ T6533]
[ 74.517186][ T6533] Freed by task 6533:
[ 74.521255][ T6533] kasan_save_stack+0x1e/0x40
[ 74.526031][ T6533] kasan_set_track+0x21/0x30
[ 74.530639][ T6533] kasan_set_free_info+0x20/0x30
[ 74.535585][ T6533] ____kasan_slab_free+0x166/0x1a0
[ 74.540962][ T6533] slab_free_freelist_hook+0x8b/0x1c0
[ 74.546524][ T6533] kfree+0xd0/0x4b0
[ 74.550437][ T6533] kernfs_put.part.0+0x331/0x540
[ 74.555376][ T6533] kernfs_put+0x42/0x50
[ 74.559805][ T6533] __kernfs_remove+0x7a3/0xb20
[ 74.565798][ T6533] kernfs_destroy_root+0x89/0xb0
[ 74.570825][ T6533] cgroup_setup_root+0x3a6/0xad0
[ 74.575854][ T6533] cgroup1_get_tree+0xd33/0x1390
[ 74.580957][ T6533] vfs_get_tree+0x89/0x2f0
[ 74.585363][ T6533] path_mount+0x1320/0x1fa0
[ 74.589944][ T6533] __x64_sys_mount+0x27f/0x300
[ 74.594699][ T6533] do_syscall_64+0x35/0xb0
[ 74.599123][ T6533] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 74.605185][ T6533]
[ 74.607504][ T6533] The buggy address belongs to the object at ffff888022eddc00
[ 74.607504][ T6533] which belongs to the cache kmalloc-512 of size 512
[ 74.621803][ T6533] The buggy address is located 320 bytes inside of
[ 74.621803][ T6533] 512-byte region [ffff888022eddc00, ffff888022edde00)
[ 74.635156][ T6533] The buggy address belongs to the page:
[ 74.640884][ T6533] page:ffffea00008bb700 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x22edc
[ 74.651117][ T6533] head:ffffea00008bb700 order:2 compound_mapcount:0 compound_pincount:0
[ 74.659514][ T6533] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 74.667525][ T6533] raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888010c41c80
[ 74.676107][ T6533] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 74.684849][ T6533] page dumped because: kasan: bad access detected
[ 74.691255][ T6533] page_owner tracks the page as allocated
[ 74.696967][ T6533] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4546, ts 49852110280, free_ts 40278774665
[ 74.716065][ T6533] get_page_from_freelist+0xa72/0x2f40
[ 74.721525][ T6533] __alloc_pages+0x1b2/0x500
[ 74.726106][ T6533] alloc_pages+0x1aa/0x310
[ 74.730515][ T6533] new_slab+0x28d/0x3a0
[ 74.734661][ T6533] ___slab_alloc+0x6be/0xd60
[ 74.739246][ T6533] __slab_alloc.constprop.0+0x4d/0xa0
[ 74.744611][ T6533] kmem_cache_alloc_trace+0x289/0x2c0
[ 74.749978][ T6533] kernfs_fop_open+0x2b9/0xd30
[ 74.754735][ T6533] do_dentry_open+0x4c8/0x1250
[ 74.759495][ T6533] path_openat+0x1cad/0x2750
[ 74.764084][ T6533] do_filp_open+0x1aa/0x400
[ 74.768582][ T6533] do_sys_openat2+0x16d/0x4d0
[ 74.773248][ T6533] __x64_sys_open+0x119/0x1c0
[ 74.777913][ T6533] do_syscall_64+0x35/0xb0
[ 74.782345][ T6533] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 74.788230][ T6533] page last free stack trace:
[ 74.792906][ T6533] free_pcp_prepare+0x414/0xb60
[ 74.797764][ T6533] free_unref_page+0x19/0x690
[ 74.802446][ T6533] __unfreeze_partials+0x17c/0x1a0
[ 74.807570][ T6533] qlist_free_all+0x5a/0x100
[ 74.812158][ T6533] kasan_quarantine_reduce+0x180/0x200
[ 74.817633][ T6533] __kasan_slab_alloc+0xa2/0xc0
[ 74.822507][ T6533] kmem_cache_alloc+0x202/0x3a0
[ 74.827391][ T6533] getname_flags.part.0+0x50/0x4f0
[ 74.832509][ T6533] getname+0x8e/0xd0
[ 74.836411][ T6533] do_sys_openat2+0xf5/0x4d0
[ 74.841006][ T6533] __x64_sys_open+0x119/0x1c0
[ 74.846281][ T6533] do_syscall_64+0x35/0xb0
[ 74.850708][ T6533] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 74.856609][ T6533]
[ 74.858929][ T6533] Memory state around the buggy address:
[ 74.864672][ T6533] ffff888022eddc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.872930][ T6533] ffff888022eddc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.881867][ T6533] >ffff888022eddd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.890379][ T6533] ^
[ 74.896713][ T6533] ffff888022eddd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.904967][ T6533] ffff888022edde00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 74.914073][ T6533] ==================================================================
[ 74.926435][ T6533] Kernel panic - not syncing: panic_on_warn set ...
[ 74.933386][ T6533] CPU: 1 PID: 6533 Comm: syz-executor Tainted: G B 5.16.0-rc3-next-20211203-syzkaller #0
[ 74.945024][ T6533] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 74.955552][ T6533] Call Trace:
[ 74.958832][ T6533] <TASK>
[ 74.961814][ T6533] dump_stack_lvl+0xcd/0x134
[ 74.966618][ T6533] panic+0x2b0/0x6dd
[ 74.970657][ T6533] ? __warn_printk+0xf3/0xf3
[ 74.975346][ T6533] ? preempt_schedule_common+0x59/0xc0
[ 74.980991][ T6533] ? up_write+0x3ac/0x470
[ 74.985834][ T6533] ? preempt_schedule_thunk+0x16/0x18
[ 74.991295][ T6533] ? trace_hardirqs_on+0x38/0x1c0
[ 74.996363][ T6533] ? trace_hardirqs_on+0x51/0x1c0
[ 75.001381][ T6533] ? up_write+0x3ac/0x470
[ 75.006239][ T6533] ? up_write+0x3ac/0x470
[ 75.010647][ T6533] end_report.cold+0x63/0x6f
[ 75.015697][ T6533] kasan_report.cold+0x71/0xdf
[ 75.020571][ T6533] ? up_write+0x3ac/0x470
[ 75.024999][ T6533] up_write+0x3ac/0x470
[ 75.029177][ T6533] cgroup_setup_root+0x3a6/0xad0
[ 75.034481][ T6533] ? rebind_subsystems+0x10e0/0x10e0
[ 75.039788][ T6533] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 75.046288][ T6533] cgroup1_get_tree+0xd33/0x1390
[ 75.053014][ T6533] vfs_get_tree+0x89/0x2f0
[ 75.057474][ T6533] path_mount+0x1320/0x1fa0
[ 75.062541][ T6533] ? kmem_cache_free+0xdd/0x580
[ 75.067502][ T6533] ? finish_automount+0xaf0/0xaf0
[ 75.072538][ T6533] ? putname+0xfe/0x140
[ 75.076689][ T6533] __x64_sys_mount+0x27f/0x300
[ 75.081445][ T6533] ? copy_mnt_ns+0xae0/0xae0
[ 75.086202][ T6533] ? syscall_enter_from_user_mode+0x21/0x70
[ 75.092125][ T6533] do_syscall_64+0x35/0xb0
[ 75.096537][ T6533] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 75.102437][ T6533] RIP: 0033:0x7fe70e84201a
[ 75.106859][ T6533] Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 75.126465][ T6533] RSP: 002b:00007ffcd9627338 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 75.134887][ T6533] RAX: ffffffffffffffda RBX: 00007ffcd96274c8 RCX: 00007fe70e84201a
[ 75.143034][ T6533] RDX: 00007fe70e8a4fe2 RSI: 00007fe70e89b29a RDI: 00007fe70e899d71
[ 75.150995][ T6533] RBP: 00007fe70e89b29a R08: 00007fe70e89b3f7 R09: 0000000000000026
[ 75.158964][ T6533] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffcd9627340
[ 75.166948][ T6533] R13: 00007ffcd96274e8 R14: 00007ffcd9627410 R15: 00007fe70e89b3f1
[ 75.174945][ T6533] </TASK>
[ 75.178255][ T6533] Kernel Offset: disabled
[ 75.182566][ T6533] Rebooting in 86400 seconds..