[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Load/Save RF Kill Switch Status.
[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.168' (ECDSA) to the list of known hosts.
2021/12/01 06:05:25 fuzzer started
2021/12/01 06:05:25 connecting to host at 10.128.0.169:44903
2021/12/01 06:05:25 checking machine...
2021/12/01 06:05:25 checking revisions...
2021/12/01 06:05:26 testing simple program...
syzkaller login: [ 79.841806][ T6534] cgroup: Unknown subsys name 'net'
[ 79.848305][ T6534]
[ 79.850738][ T6534] =========================
[ 79.855330][ T6534] WARNING: held lock freed!
[ 79.859836][ T6534] 5.16.0-rc3-next-20211201-syzkaller #0 Not tainted
[ 79.866597][ T6534] -------------------------
[ 79.871097][ T6534] syz-executor/6534 is freeing memory ffff88814728ac00-ffff88814728adff, with a lock still held there!
[ 79.882224][ T6534] ffff88814728ad48 (&root->kernfs_rwsem){++++}-{3:3}, at: kernfs_destroy_root+0x81/0xb0
[ 79.891966][ T6534] 2 locks held by syz-executor/6534:
[ 79.897244][ T6534] #0: ffffffff8bbc4e48 (cgroup_mutex){+.+.}-{3:3}, at: cgroup_lock_and_drain_offline+0xa5/0x900
[ 79.907790][ T6534] #1: ffff88814728ad48 (&root->kernfs_rwsem){++++}-{3:3}, at: kernfs_destroy_root+0x81/0xb0
[ 79.918091][ T6534]
[ 79.918091][ T6534] stack backtrace:
[ 79.924053][ T6534] CPU: 0 PID: 6534 Comm: syz-executor Not tainted 5.16.0-rc3-next-20211201-syzkaller #0
[ 79.933765][ T6534] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 79.943811][ T6534] Call Trace:
[ 79.947084][ T6534] <TASK>
[ 79.950009][ T6534] dump_stack_lvl+0xcd/0x134
[ 79.955051][ T6534] debug_check_no_locks_freed.cold+0x9d/0xa9
[ 79.961127][ T6534] ? lockdep_hardirqs_on+0x79/0x100
[ 79.966428][ T6534] slab_free_freelist_hook+0x73/0x1c0
[ 79.971795][ T6534] ? kernfs_put.part.0+0x331/0x540
[ 79.976902][ T6534] kfree+0xe0/0x430
[ 79.980722][ T6534] ? kmem_cache_free+0xba/0x4a0
[ 79.985563][ T6534] ? rwlock_bug.part.0+0x90/0x90
[ 79.990506][ T6534] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 79.996921][ T6534] kernfs_put.part.0+0x331/0x540
[ 80.001877][ T6534] kernfs_put+0x42/0x50
[ 80.006043][ T6534] __kernfs_remove+0x7a3/0xb20
[ 80.010804][ T6534] ? kernfs_next_descendant_post+0x2f0/0x2f0
[ 80.016780][ T6534] ? down_write+0xde/0x150
[ 80.021189][ T6534] ? down_write_killable_nested+0x180/0x180
[ 80.027085][ T6534] kernfs_destroy_root+0x89/0xb0
[ 80.032046][ T6534] cgroup_setup_root+0x3a6/0xad0
[ 80.037005][ T6534] ? rebind_subsystems+0x10e0/0x10e0
[ 80.042292][ T6534] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 80.048542][ T6534] cgroup1_get_tree+0xd33/0x1390
[ 80.053474][ T6534] vfs_get_tree+0x89/0x2f0
[ 80.057895][ T6534] path_mount+0x1320/0x1fa0
[ 80.062588][ T6534] ? kmem_cache_free+0xba/0x4a0
[ 80.067449][ T6534] ? finish_automount+0xaf0/0xaf0
[ 80.072472][ T6534] ? putname+0xfe/0x140
[ 80.076623][ T6534] __x64_sys_mount+0x27f/0x300
[ 80.081484][ T6534] ? copy_mnt_ns+0xae0/0xae0
[ 80.086092][ T6534] ? syscall_enter_from_user_mode+0x21/0x70
[ 80.092085][ T6534] do_syscall_64+0x35/0xb0
[ 80.096505][ T6534] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 80.102482][ T6534] RIP: 0033:0x7fbea0d6901a
[ 80.107069][ T6534] Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 80.126926][ T6534] RSP: 002b:00007ffffe022b08 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 80.135344][ T6534] RAX: ffffffffffffffda RBX: 00007ffffe022c98 RCX: 00007fbea0d6901a
[ 80.143312][ T6534] RDX: 00007fbea0dcbfe2 RSI: 00007fbea0dc229a RDI: 00007fbea0dc0d71
[ 80.151288][ T6534] RBP: 00007fbea0dc229a R08: 00007fbea0dc23f7 R09: 0000000000000026
[ 80.159687][ T6534] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffffe022b10
[ 80.167743][ T6534] R13: 00007ffffe022cb8 R14: 00007ffffe022be0 R15: 00007fbea0dc23f1
[ 80.175978][ T6534] </TASK>
[ 80.181240][ T6534] ==================================================================
[ 80.189311][ T6534] BUG: KASAN: use-after-free in up_write+0x3ac/0x470
[ 80.196111][ T6534] Read of size 8 at addr ffff88814728ad40 by task syz-executor/6534
[ 80.204205][ T6534]
[ 80.206520][ T6534] CPU: 1 PID: 6534 Comm: syz-executor Not tainted 5.16.0-rc3-next-20211201-syzkaller #0
[ 80.216262][ T6534] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 80.226746][ T6534] Call Trace:
[ 80.230019][ T6534] <TASK>
[ 80.232939][ T6534] dump_stack_lvl+0xcd/0x134
[ 80.237529][ T6534] print_address_description.constprop.0.cold+0xa5/0x3ed
[ 80.245110][ T6534] ? up_write+0x3ac/0x470
[ 80.249440][ T6534] ? up_write+0x3ac/0x470
[ 80.253759][ T6534] kasan_report.cold+0x83/0xdf
[ 80.258519][ T6534] ? up_write+0x3ac/0x470
[ 80.262992][ T6534] up_write+0x3ac/0x470
[ 80.267152][ T6534] cgroup_setup_root+0x3a6/0xad0
[ 80.272092][ T6534] ? rebind_subsystems+0x10e0/0x10e0
[ 80.277380][ T6534] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 80.283611][ T6534] cgroup1_get_tree+0xd33/0x1390
[ 80.288723][ T6534] vfs_get_tree+0x89/0x2f0
[ 80.293214][ T6534] path_mount+0x1320/0x1fa0
[ 80.297796][ T6534] ? kmem_cache_free+0xba/0x4a0
[ 80.302634][ T6534] ? finish_automount+0xaf0/0xaf0
[ 80.307657][ T6534] ? putname+0xfe/0x140
[ 80.311800][ T6534] __x64_sys_mount+0x27f/0x300
[ 80.316555][ T6534] ? copy_mnt_ns+0xae0/0xae0
[ 80.321129][ T6534] ? syscall_enter_from_user_mode+0x21/0x70
[ 80.327015][ T6534] do_syscall_64+0x35/0xb0
[ 80.331421][ T6534] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 80.337309][ T6534] RIP: 0033:0x7fbea0d6901a
[ 80.341708][ T6534] Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 80.361488][ T6534] RSP: 002b:00007ffffe022b08 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 80.370002][ T6534] RAX: ffffffffffffffda RBX: 00007ffffe022c98 RCX: 00007fbea0d6901a
[ 80.377965][ T6534] RDX: 00007fbea0dcbfe2 RSI: 00007fbea0dc229a RDI: 00007fbea0dc0d71
[ 80.385954][ T6534] RBP: 00007fbea0dc229a R08: 00007fbea0dc23f7 R09: 0000000000000026
[ 80.394031][ T6534] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffffe022b10
[ 80.402004][ T6534] R13: 00007ffffe022cb8 R14: 00007ffffe022be0 R15: 00007fbea0dc23f1
[ 80.409989][ T6534] </TASK>
[ 80.413003][ T6534]
[ 80.415314][ T6534] Allocated by task 6534:
[ 80.419627][ T6534] kasan_save_stack+0x1e/0x50
[ 80.424392][ T6534] __kasan_kmalloc+0xa9/0xd0
[ 80.428982][ T6534] kernfs_create_root+0x4c/0x410
[ 80.434081][ T6534] cgroup_setup_root+0x243/0xad0
[ 80.439166][ T6534] cgroup1_get_tree+0xd33/0x1390
[ 80.444391][ T6534] vfs_get_tree+0x89/0x2f0
[ 80.448871][ T6534] path_mount+0x1320/0x1fa0
[ 80.453364][ T6534] __x64_sys_mount+0x27f/0x300
[ 80.458137][ T6534] do_syscall_64+0x35/0xb0
[ 80.462562][ T6534] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 80.468690][ T6534]
[ 80.471072][ T6534] Freed by task 6534:
[ 80.475042][ T6534] kasan_save_stack+0x1e/0x50
[ 80.479728][ T6534] kasan_set_track+0x21/0x30
[ 80.484614][ T6534] kasan_set_free_info+0x20/0x30
[ 80.489567][ T6534] __kasan_slab_free+0x103/0x170
[ 80.494646][ T6534] slab_free_freelist_hook+0x8b/0x1c0
[ 80.500123][ T6534] kfree+0xe0/0x430
[ 80.504014][ T6534] kernfs_put.part.0+0x331/0x540
[ 80.508951][ T6534] kernfs_put+0x42/0x50
[ 80.513109][ T6534] __kernfs_remove+0x7a3/0xb20
[ 80.517882][ T6534] kernfs_destroy_root+0x89/0xb0
[ 80.522804][ T6534] cgroup_setup_root+0x3a6/0xad0
[ 80.527739][ T6534] cgroup1_get_tree+0xd33/0x1390
[ 80.532680][ T6534] vfs_get_tree+0x89/0x2f0
[ 80.537093][ T6534] path_mount+0x1320/0x1fa0
[ 80.541679][ T6534] __x64_sys_mount+0x27f/0x300
[ 80.546540][ T6534] do_syscall_64+0x35/0xb0
[ 80.551028][ T6534] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 80.556923][ T6534]
[ 80.559235][ T6534] Last potentially related work creation:
[ 80.565004][ T6534] kasan_save_stack+0x1e/0x50
[ 80.569773][ T6534] __kasan_record_aux_stack+0xfe/0x1b0
[ 80.575215][ T6534] call_rcu+0xb1/0x740
[ 80.579401][ T6534] percpu_ref_put_many.constprop.0+0x22b/0x260
[ 80.585554][ T6534] rcu_core+0x7b8/0x1520
[ 80.589806][ T6534] __do_softirq+0x29b/0x9c2
[ 80.594315][ T6534]
[ 80.596723][ T6534] The buggy address belongs to the object at ffff88814728ac00
[ 80.596723][ T6534] which belongs to the cache kmalloc-512 of size 512
[ 80.610845][ T6534] The buggy address is located 320 bytes inside of
[ 80.610845][ T6534] 512-byte region [ffff88814728ac00, ffff88814728ae00)
[ 80.624307][ T6534] The buggy address belongs to the page:
[ 80.630033][ T6534] page:ffffea00051ca200 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x147288
[ 80.640423][ T6534] head:ffffea00051ca200 order:2 compound_mapcount:0 compound_pincount:0
[ 80.648745][ T6534] flags: 0x57ff00000010200(slab|head|node=1|zone=2|lastcpupid=0x7ff)
[ 80.656998][ T6534] raw: 057ff00000010200 dead000000000100 dead000000000122 ffff888010c41c80
[ 80.665796][ T6534] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 80.674366][ T6534] page dumped because: kasan: bad access detected
[ 80.680848][ T6534] page_owner tracks the page as allocated
[ 80.686539][ T6534] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, ts 8955105137, free_ts 8946689868
[ 80.705386][ T6534] get_page_from_freelist+0xa72/0x2f40
[ 80.710875][ T6534] __alloc_pages+0x1b2/0x500
[ 80.715458][ T6534] alloc_page_interleave+0x1e/0x200
[ 80.720645][ T6534] alloc_pages+0x29f/0x300
[ 80.725139][ T6534] new_slab+0x261/0x460
[ 80.729323][ T6534] ___slab_alloc+0x798/0xf30
[ 80.733926][ T6534] __slab_alloc.constprop.0+0x4d/0xa0
[ 80.739287][ T6534] kmem_cache_alloc_trace+0x289/0x2c0
[ 80.744641][ T6534] device_add+0x11a7/0x1ee0
[ 80.749245][ T6534] device_create_groups_vargs+0x203/0x280
[ 80.754970][ T6534] device_create+0xdf/0x120
[ 80.759484][ T6534] ppp_init+0x13c/0x177
[ 80.763891][ T6534] do_one_initcall+0x103/0x650
[ 80.768659][ T6534] kernel_init_freeable+0x6b1/0x73a
[ 80.773920][ T6534] kernel_init+0x1a/0x1d0
[ 80.778377][ T6534] ret_from_fork+0x1f/0x30
[ 80.782780][ T6534] page last free stack trace:
[ 80.787430][ T6534] free_pcp_prepare+0x414/0xb60
[ 80.792265][ T6534] free_unref_page+0x19/0x690
[ 80.797011][ T6534] __stack_depot_save+0x16d/0x4f0
[ 80.802140][ T6534] kasan_save_stack+0x38/0x50
[ 80.806824][ T6534] __kasan_slab_alloc+0x90/0xc0
[ 80.811676][ T6534] kmem_cache_alloc+0x202/0x3a0
[ 80.816541][ T6534] __kernfs_new_node+0xd4/0x8b0
[ 80.821405][ T6534] kernfs_new_node+0x93/0x120
[ 80.826085][ T6534] __kernfs_create_file+0x51/0x350
[ 80.831214][ T6534] sysfs_add_file_mode_ns+0x20f/0x3f0
[ 80.836600][ T6534] internal_create_group+0x322/0xb10
[ 80.841874][ T6534] internal_create_groups.part.0+0x90/0x140
[ 80.847761][ T6534] sysfs_create_groups+0x25/0x50
[ 80.852702][ T6534] bus_add_driver+0x34e/0x630
[ 80.857440][ T6534] driver_register+0x220/0x3a0
[ 80.862212][ T6534] mlx4_init+0x223/0x262
[ 80.866554][ T6534]
[ 80.868886][ T6534] Memory state around the buggy address:
[ 80.874508][ T6534] ffff88814728ac00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 80.882558][ T6534] ffff88814728ac80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 80.890701][ T6534] >ffff88814728ad00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 80.898869][ T6534]                                            ^
[ 80.905136][ T6534] ffff88814728ad80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 80.913297][ T6534] ffff88814728ae00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 80.921345][ T6534] ==================================================================
[ 80.933191][ T6534] Kernel panic - not syncing: panic_on_warn set ...
[ 80.939800][ T6534] CPU: 1 PID: 6534 Comm: syz-executor Tainted: G B 5.16.0-rc3-next-20211201-syzkaller #0
[ 80.950916][ T6534] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 80.961067][ T6534] Call Trace:
[ 80.964347][ T6534] <TASK>
[ 80.967276][ T6534] dump_stack_lvl+0xcd/0x134
[ 80.971887][ T6534] panic+0x2b0/0x6dd
[ 80.975772][ T6534] ? __warn_printk+0xf3/0xf3
[ 80.980368][ T6534] ? preempt_schedule_common+0x59/0xc0
[ 80.985835][ T6534] ? up_write+0x3ac/0x470
[ 80.990169][ T6534] ? preempt_schedule_thunk+0x16/0x18
[ 80.995615][ T6534] ? trace_hardirqs_on+0x38/0x1c0
[ 81.000634][ T6534] ? trace_hardirqs_on+0x51/0x1c0
[ 81.005664][ T6534] ? up_write+0x3ac/0x470
[ 81.010008][ T6534] ? up_write+0x3ac/0x470
[ 81.014326][ T6534] end_report.cold+0x63/0x6f
[ 81.018914][ T6534] kasan_report.cold+0x71/0xdf
[ 81.023663][ T6534] ? up_write+0x3ac/0x470
[ 81.027989][ T6534] up_write+0x3ac/0x470
[ 81.032175][ T6534] cgroup_setup_root+0x3a6/0xad0
[ 81.037121][ T6534] ? rebind_subsystems+0x10e0/0x10e0
[ 81.042405][ T6534] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 81.048654][ T6534] cgroup1_get_tree+0xd33/0x1390
[ 81.053599][ T6534] vfs_get_tree+0x89/0x2f0
[ 81.058017][ T6534] path_mount+0x1320/0x1fa0
[ 81.062697][ T6534] ? kmem_cache_free+0xba/0x4a0
[ 81.067642][ T6534] ? finish_automount+0xaf0/0xaf0
[ 81.072827][ T6534] ? putname+0xfe/0x140
[ 81.077006][ T6534] __x64_sys_mount+0x27f/0x300
[ 81.081984][ T6534] ? copy_mnt_ns+0xae0/0xae0
[ 81.086607][ T6534] ? syscall_enter_from_user_mode+0x21/0x70
[ 81.092536][ T6534] do_syscall_64+0x35/0xb0
[ 81.097046][ T6534] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 81.102957][ T6534] RIP: 0033:0x7fbea0d6901a
[ 81.107373][ T6534] Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 81.126994][ T6534] RSP: 002b:00007ffffe022b08 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 81.135491][ T6534] RAX: ffffffffffffffda RBX: 00007ffffe022c98 RCX: 00007fbea0d6901a
[ 81.143645][ T6534] RDX: 00007fbea0dcbfe2 RSI: 00007fbea0dc229a RDI: 00007fbea0dc0d71
[ 81.151709][ T6534] RBP: 00007fbea0dc229a R08: 00007fbea0dc23f7 R09: 0000000000000026
[ 81.159761][ T6534] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffffe022b10
[ 81.167760][ T6534] R13: 00007ffffe022cb8 R14: 00007ffffe022be0 R15: 00007fbea0dc23f1
[ 81.175830][ T6534] </TASK>
[ 81.178902][ T6534] Kernel Offset: disabled
[ 81.183316][ T6534] Rebooting in 86400 seconds..