[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started getty on tty2-tty6 if dbus and logind are not available.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.244' (ECDSA) to the list of known hosts.
2021/12/01 21:45:37 fuzzer started
2021/12/01 21:45:37 connecting to host at 10.128.0.169:37687
2021/12/01 21:45:37 checking machine...
2021/12/01 21:45:37 checking revisions...
2021/12/01 21:45:37 testing simple program...
syzkaller login: [ 75.427561][ T6525] cgroup: Unknown subsys name 'net'
[ 75.436771][ T6525]
[ 75.439095][ T6525] =========================
[ 75.443573][ T6525] WARNING: held lock freed!
[ 75.448194][ T6525] 5.16.0-rc3-next-20211201-syzkaller #0 Not tainted
[ 75.454890][ T6525] -------------------------
[ 75.459381][ T6525] syz-executor/6525 is freeing memory ffff88807f6eb400-ffff88807f6eb5ff, with a lock still held there!
[ 75.470511][ T6525] ffff88807f6eb548 (&root->kernfs_rwsem){++++}-{3:3}, at: kernfs_destroy_root+0x81/0xb0
[ 75.480299][ T6525] 2 locks held by syz-executor/6525:
[ 75.485567][ T6525] #0: ffffffff8bbc4e48 (cgroup_mutex){+.+.}-{3:3}, at: cgroup_lock_and_drain_offline+0xa5/0x900
[ 75.496119][ T6525] #1: ffff88807f6eb548 (&root->kernfs_rwsem){++++}-{3:3}, at: kernfs_destroy_root+0x81/0xb0
[ 75.506294][ T6525]
[ 75.506294][ T6525] stack backtrace:
[ 75.512373][ T6525] CPU: 0 PID: 6525 Comm: syz-executor Not tainted 5.16.0-rc3-next-20211201-syzkaller #0
[ 75.522075][ T6525] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 75.532302][ T6525] Call Trace:
[ 75.535585][ T6525]
[ 75.538508][ T6525] dump_stack_lvl+0xcd/0x134
[ 75.543122][ T6525] debug_check_no_locks_freed.cold+0x9d/0xa9
[ 75.549284][ T6525] ? lockdep_hardirqs_on+0x79/0x100
[ 75.554488][ T6525] slab_free_freelist_hook+0x73/0x1c0
[ 75.559963][ T6525] ? kernfs_put.part.0+0x331/0x540
[ 75.565338][ T6525] kfree+0xe0/0x430
[ 75.569334][ T6525] ? kmem_cache_free+0xba/0x4a0
[ 75.574191][ T6525] ? rwlock_bug.part.0+0x90/0x90
[ 75.583861][ T6525] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 75.590133][ T6525] kernfs_put.part.0+0x331/0x540
[ 75.595094][ T6525] kernfs_put+0x42/0x50
[ 75.599251][ T6525] __kernfs_remove+0x7a3/0xb20
[ 75.604023][ T6525] ? kernfs_next_descendant_post+0x2f0/0x2f0
[ 75.610109][ T6525] ? down_write+0xde/0x150
[ 75.614527][ T6525] ? down_write_killable_nested+0x180/0x180
[ 75.620429][ T6525] kernfs_destroy_root+0x89/0xb0
[ 75.625569][ T6525] cgroup_setup_root+0x3a6/0xad0
[ 75.630518][ T6525] ? rebind_subsystems+0x10e0/0x10e0
[ 75.635829][ T6525] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 75.642103][ T6525] cgroup1_get_tree+0xd33/0x1390
[ 75.647492][ T6525] vfs_get_tree+0x89/0x2f0
[ 75.651937][ T6525] path_mount+0x1320/0x1fa0
[ 75.656464][ T6525] ? kmem_cache_free+0xba/0x4a0
[ 75.661323][ T6525] ? finish_automount+0xaf0/0xaf0
[ 75.666358][ T6525] ? putname+0xfe/0x140
[ 75.670536][ T6525] __x64_sys_mount+0x27f/0x300
[ 75.675313][ T6525] ? copy_mnt_ns+0xae0/0xae0
[ 75.679909][ T6525] ? syscall_enter_from_user_mode+0x21/0x70
[ 75.685826][ T6525] do_syscall_64+0x35/0xb0
[ 75.690255][ T6525] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 75.696248][ T6525] RIP: 0033:0x7f22e749301a
[ 75.700672][ T6525] Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 75.720382][ T6525] RSP: 002b:00007ffc311052b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 75.728969][ T6525] RAX: ffffffffffffffda RBX: 00007ffc31105448 RCX: 00007f22e749301a
[ 75.738471][ T6525] RDX: 00007f22e74f5fe2 RSI: 00007f22e74ec29a RDI: 00007f22e74ead71
[ 75.746467][ T6525] RBP: 00007f22e74ec29a R08: 00007f22e74ec3f7 R09: 0000000000000026
[ 75.754447][ T6525] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffc311052c0
[ 75.762435][ T6525] R13: 00007ffc31105468 R14: 00007ffc31105390 R15: 00007f22e74ec3f1
[ 75.770414][ T6525]
[ 75.775568][ T6525] ==================================================================
[ 75.775579][ T6525] BUG: KASAN: use-after-free in up_write+0x3ac/0x470
[ 75.775607][ T6525] Read of size 8 at addr ffff88807f6eb540 by task syz-executor/6525
[ 75.775630][ T6525]
[ 75.775636][ T6525] CPU: 0 PID: 6525 Comm: syz-executor Not tainted 5.16.0-rc3-next-20211201-syzkaller #0
[ 75.775661][ T6525] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 75.775675][ T6525] Call Trace:
[ 75.775682][ T6525]
[ 75.775690][ T6525] dump_stack_lvl+0xcd/0x134
[ 75.775722][ T6525] print_address_description.constprop.0.cold+0xa5/0x3ed
[ 75.775766][ T6525] ? up_write+0x3ac/0x470
[ 75.775787][ T6525] ? up_write+0x3ac/0x470
[ 75.775809][ T6525] kasan_report.cold+0x83/0xdf
[ 75.775834][ T6525] ? up_write+0x3ac/0x470
[ 75.775857][ T6525] up_write+0x3ac/0x470
[ 75.775881][ T6525] cgroup_setup_root+0x3a6/0xad0
[ 75.775912][ T6525] ? rebind_subsystems+0x10e0/0x10e0
[ 75.775943][ T6525] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 75.775976][ T6525] cgroup1_get_tree+0xd33/0x1390
[ 75.776006][ T6525] vfs_get_tree+0x89/0x2f0
[ 75.776034][ T6525] path_mount+0x1320/0x1fa0
[ 75.776060][ T6525] ? kmem_cache_free+0xba/0x4a0
[ 75.776089][ T6525] ? finish_automount+0xaf0/0xaf0
[ 75.776118][ T6525] ? putname+0xfe/0x140
[ 75.776146][ T6525] __x64_sys_mount+0x27f/0x300
[ 75.776174][ T6525] ? copy_mnt_ns+0xae0/0xae0
[ 75.776201][ T6525] ? syscall_enter_from_user_mode+0x21/0x70
[ 75.776234][ T6525] do_syscall_64+0x35/0xb0
[ 75.776258][ T6525] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 75.776283][ T6525] RIP: 0033:0x7f22e749301a
[ 75.776302][ T6525] Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 75.776326][ T6525] RSP: 002b:00007ffc311052b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 75.776351][ T6525] RAX: ffffffffffffffda RBX: 00007ffc31105448 RCX: 00007f22e749301a
[ 75.776368][ T6525] RDX: 00007f22e74f5fe2 RSI: 00007f22e74ec29a RDI: 00007f22e74ead71
[ 75.776384][ T6525] RBP: 00007f22e74ec29a R08: 00007f22e74ec3f7 R09: 0000000000000026
[ 75.776400][ T6525] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffc311052c0
[ 75.776415][ T6525] R13: 00007ffc31105468 R14: 00007ffc31105390 R15: 00007f22e74ec3f1
[ 75.776439][ T6525]
[ 75.776446][ T6525]
[ 75.776450][ T6525] Allocated by task 6525:
[ 75.776460][ T6525] kasan_save_stack+0x1e/0x50
[ 75.776486][ T6525] __kasan_kmalloc+0xa9/0xd0
[ 75.776511][ T6525] kernfs_create_root+0x4c/0x410
[ 75.776537][ T6525] cgroup_setup_root+0x243/0xad0
[ 75.776562][ T6525] cgroup1_get_tree+0xd33/0x1390
[ 75.776585][ T6525] vfs_get_tree+0x89/0x2f0
[ 75.776609][ T6525] path_mount+0x1320/0x1fa0
[ 75.776632][ T6525] __x64_sys_mount+0x27f/0x300
[ 75.776657][ T6525] do_syscall_64+0x35/0xb0
[ 75.776679][ T6525] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 75.776702][ T6525]
[ 75.776706][ T6525] Freed by task 6525:
[ 75.776715][ T6525] kasan_save_stack+0x1e/0x50
[ 75.776747][ T6525] kasan_set_track+0x21/0x30
[ 75.776772][ T6525] kasan_set_free_info+0x20/0x30
[ 75.776793][ T6525] __kasan_slab_free+0x103/0x170
[ 75.776819][ T6525] slab_free_freelist_hook+0x8b/0x1c0
[ 75.776844][ T6525] kfree+0xe0/0x430
[ 75.776867][ T6525] kernfs_put.part.0+0x331/0x540
[ 75.776891][ T6525] kernfs_put+0x42/0x50
[ 75.776912][ T6525] __kernfs_remove+0x7a3/0xb20
[ 75.776936][ T6525] kernfs_destroy_root+0x89/0xb0
[ 75.776960][ T6525] cgroup_setup_root+0x3a6/0xad0
[ 75.776987][ T6525] cgroup1_get_tree+0xd33/0x1390
[ 75.777009][ T6525] vfs_get_tree+0x89/0x2f0
[ 75.777031][ T6525] path_mount+0x1320/0x1fa0
[ 75.777054][ T6525] __x64_sys_mount+0x27f/0x300
[ 75.777078][ T6525] do_syscall_64+0x35/0xb0
[ 75.777101][ T6525] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 75.777124][ T6525]
[ 75.777127][ T6525] The buggy address belongs to the object at ffff88807f6eb400
[ 75.777127][ T6525]  which belongs to the cache kmalloc-512 of size 512
[ 75.777146][ T6525] The buggy address is located 320 bytes inside of
[ 75.777146][ T6525]  512-byte region [ffff88807f6eb400, ffff88807f6eb600)
[ 75.777169][ T6525] The buggy address belongs to the page:
[ 75.777177][ T6525] page:ffffea0001fdba00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7f6e8
[ 75.777202][ T6525] head:ffffea0001fdba00 order:2 compound_mapcount:0 compound_pincount:0
[ 75.777220][ T6525] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 75.777251][ T6525] raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888010c41c80
[ 75.777272][ T6525] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 75.777285][ T6525] page dumped because: kasan: bad access detected
[ 75.777294][ T6525] page_owner tracks the page as allocated
[ 75.777300][ T6525] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, ts 17073575241, free_ts 16703726592
[ 75.777335][ T6525] get_page_from_freelist+0xa72/0x2f40
[ 75.777358][ T6525] __alloc_pages+0x1b2/0x500
[ 75.777379][ T6525] alloc_pages+0x1a7/0x300
[ 75.777403][ T6525] new_slab+0x261/0x460
[ 75.777426][ T6525] ___slab_alloc+0x798/0xf30
[ 75.777450][ T6525] __slab_alloc.constprop.0+0x4d/0xa0
[ 75.777476][ T6525] __kmalloc+0x2fb/0x340
[ 75.777499][ T6525] tomoyo_init_log+0x126e/0x1ee0
[ 75.777524][ T6525] tomoyo_write_log2+0x2ed/0xa40
[ 75.777549][ T6525] tomoyo_supervisor+0x14d/0xf00
[ 75.777575][ T6525] tomoyo_path_permission+0x270/0x3a0
[ 75.777596][ T6525] tomoyo_check_open_permission+0x30f/0x380
[ 75.777618][ T6525] tomoyo_file_open+0xa3/0xd0
[ 75.777640][ T6525] security_file_open+0x45/0xb0
[ 75.777661][ T6525] do_dentry_open+0x353/0x1250
[ 75.777684][ T6525] path_openat+0x1cad/0x2750
[ 75.777707][ T6525] page last free stack trace:
[ 75.777713][ T6525] free_pcp_prepare+0x414/0xb60
[ 75.777734][ T6525] free_unref_page+0x19/0x690
[ 75.777760][ T6525] __vunmap+0x781/0xb70
[ 75.777783][ T6525] free_work+0x58/0x70
[ 75.777806][ T6525] process_one_work+0x9b2/0x1690
[ 75.777826][ T6525] worker_thread+0x658/0x11f0
[ 75.777846][ T6525] kthread+0x405/0x4f0
[ 75.777869][ T6525] ret_from_fork+0x1f/0x30
[ 75.777894][ T6525]
[ 75.777898][ T6525] Memory state around the buggy address:
[ 75.777908][ T6525]  ffff88807f6eb400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.777924][ T6525]  ffff88807f6eb480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.777939][ T6525] >ffff88807f6eb500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.777950][ T6525]                                            ^
[ 75.777962][ T6525]  ffff88807f6eb580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.777978][ T6525]  ffff88807f6eb600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 75.777989][ T6525] ==================================================================
[ 75.778201][ T6525] Kernel panic - not syncing: panic_on_warn set ...
[ 75.778213][ T6525] CPU: 0 PID: 6525 Comm: syz-executor Tainted: G B 5.16.0-rc3-next-20211201-syzkaller #0
[ 75.778239][ T6525] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 75.778251][ T6525] Call Trace:
[ 75.778257][ T6525]
[ 75.778264][ T6525] dump_stack_lvl+0xcd/0x134
[ 75.778294][ T6525] panic+0x2b0/0x6dd
[ 75.778317][ T6525] ? __warn_printk+0xf3/0xf3
[ 75.778341][ T6525] ? preempt_schedule_common+0x59/0xc0
[ 75.778369][ T6525] ? up_write+0x3ac/0x470
[ 75.778390][ T6525] ? preempt_schedule_thunk+0x16/0x18
[ 75.778418][ T6525] ? trace_hardirqs_on+0x38/0x1c0
[ 75.778439][ T6525] ? trace_hardirqs_on+0x51/0x1c0
[ 75.778463][ T6525] ? up_write+0x3ac/0x470
[ 75.778483][ T6525] ? up_write+0x3ac/0x470
[ 75.778504][ T6525] end_report.cold+0x63/0x6f
[ 75.778528][ T6525] kasan_report.cold+0x71/0xdf
[ 75.778554][ T6525] ? up_write+0x3ac/0x470
[ 75.778576][ T6525] up_write+0x3ac/0x470
[ 75.778600][ T6525] cgroup_setup_root+0x3a6/0xad0
[ 75.778630][ T6525] ? rebind_subsystems+0x10e0/0x10e0
[ 75.778660][ T6525] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 75.778692][ T6525] cgroup1_get_tree+0xd33/0x1390
[ 75.778720][ T6525] vfs_get_tree+0x89/0x2f0
[ 75.778753][ T6525] path_mount+0x1320/0x1fa0
[ 75.778780][ T6525] ? kmem_cache_free+0xba/0x4a0
[ 75.778808][ T6525] ? finish_automount+0xaf0/0xaf0
[ 75.778839][ T6525] ? putname+0xfe/0x140
[ 75.778865][ T6525] __x64_sys_mount+0x27f/0x300
[ 75.778888][ T6525] ? copy_mnt_ns+0xae0/0xae0
[ 75.778911][ T6525] ? syscall_enter_from_user_mode+0x21/0x70
[ 75.778938][ T6525] do_syscall_64+0x35/0xb0
[ 75.778960][ T6525] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 75.778982][ T6525] RIP: 0033:0x7f22e749301a
[ 75.778998][ T6525] Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 75.779018][ T6525] RSP: 002b:00007ffc311052b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 75.779038][ T6525] RAX: ffffffffffffffda RBX: 00007ffc31105448 RCX: 00007f22e749301a
[ 75.779053][ T6525] RDX: 00007f22e74f5fe2 RSI: 00007f22e74ec29a RDI: 00007f22e74ead71
[ 75.779067][ T6525] RBP: 00007f22e74ec29a R08: 00007f22e74ec3f7 R09: 0000000000000026
[ 75.779082][ T6525] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffc311052c0
[ 75.779095][ T6525] R13: 00007ffc31105468 R14: 00007ffc31105390 R15: 00007f22e74ec3f1
[ 75.779113][ T6525]
[ 75.779397][ T6525] Kernel Offset: disabled
[ 76.691328][ T6525] Rebooting in 86400 seconds..