[ OK ] Started Daily apt download activities.
Starting System Logging Service...
[ OK ] Started Daily apt upgrade and clean activities.
[ OK ] Started Daily Cleanup of Temporary Directories.
[ OK ] Reached target Timers.
Starting OpenBSD Secure Shell server...
[ OK ] Started Permit User Sessions.
[ OK ] Started System Logging Service.
[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Started getty on tty2-tty6 if dbus and logind are not available.
[ OK ] Started Getty on tty6.
[ OK ] Started Getty on tty5.
[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Load/Save RF Kill Switch Status.
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.78' (ECDSA) to the list of known hosts.
2021/12/01 06:05:22 fuzzer started
2021/12/01 06:05:22 connecting to host at 10.128.0.169:44807
2021/12/01 06:05:22 checking machine...
2021/12/01 06:05:22 checking revisions...
2021/12/01 06:05:22 testing simple program...
syzkaller login: [ 77.257063][ T6522] cgroup: Unknown subsys name 'net'
[ 77.264228][ T6522]
[ 77.266569][ T6522] =========================
[ 77.271073][ T6522] WARNING: held lock freed!
[ 77.275662][ T6522] 5.16.0-rc3-next-20211201-syzkaller #0 Not tainted
[ 77.282414][ T6522] -------------------------
[ 77.287129][ T6522] syz-executor/6522 is freeing memory ffff88801c4cd000-ffff88801c4cd1ff, with a lock still held there!
[ 77.298322][ T6522] ffff88801c4cd148 (&root->kernfs_rwsem){++++}-{3:3}, at: kernfs_destroy_root+0x81/0xb0
[ 77.308141][ T6522] 2 locks held by syz-executor/6522:
[ 77.313455][ T6522] #0: ffffffff8bbc4e48 (cgroup_mutex){+.+.}-{3:3}, at: cgroup_lock_and_drain_offline+0xa5/0x900
[ 77.324027][ T6522] #1: ffff88801c4cd148 (&root->kernfs_rwsem){++++}-{3:3}, at: kernfs_destroy_root+0x81/0xb0
[ 77.334262][ T6522]
[ 77.334262][ T6522] stack backtrace:
[ 77.340147][ T6522] CPU: 0 PID: 6522 Comm: syz-executor Not tainted 5.16.0-rc3-next-20211201-syzkaller #0
[ 77.350024][ T6522] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 77.360324][ T6522] Call Trace:
[ 77.363595][ T6522]
[ 77.366523][ T6522] dump_stack_lvl+0xcd/0x134
[ 77.371119][ T6522] debug_check_no_locks_freed.cold+0x9d/0xa9
[ 77.377096][ T6522] ? lockdep_hardirqs_on+0x79/0x100
[ 77.382324][ T6522] slab_free_freelist_hook+0x73/0x1c0
[ 77.387695][ T6522] ? kernfs_put.part.0+0x331/0x540
[ 77.392794][ T6522] kfree+0xe0/0x430
[ 77.396592][ T6522] ? kmem_cache_free+0xba/0x4a0
[ 77.401442][ T6522] ? rwlock_bug.part.0+0x90/0x90
[ 77.406384][ T6522] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 77.412876][ T6522] kernfs_put.part.0+0x331/0x540
[ 77.417894][ T6522] kernfs_put+0x42/0x50
[ 77.422045][ T6522] __kernfs_remove+0x7a3/0xb20
[ 77.426810][ T6522] ? kernfs_next_descendant_post+0x2f0/0x2f0
[ 77.432777][ T6522] ? down_write+0xde/0x150
[ 77.437355][ T6522] ? down_write_killable_nested+0x180/0x180
[ 77.443543][ T6522] kernfs_destroy_root+0x89/0xb0
[ 77.448483][ T6522] cgroup_setup_root+0x3a6/0xad0
[ 77.453996][ T6522] ? rebind_subsystems+0x10e0/0x10e0
[ 77.459391][ T6522] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 77.465914][ T6522] cgroup1_get_tree+0xd33/0x1390
[ 77.470947][ T6522] vfs_get_tree+0x89/0x2f0
[ 77.475363][ T6522] path_mount+0x1320/0x1fa0
[ 77.479859][ T6522] ? kmem_cache_free+0xba/0x4a0
[ 77.484705][ T6522] ? finish_automount+0xaf0/0xaf0
[ 77.489982][ T6522] ? putname+0xfe/0x140
[ 77.494141][ T6522] __x64_sys_mount+0x27f/0x300
[ 77.498905][ T6522] ? copy_mnt_ns+0xae0/0xae0
[ 77.503672][ T6522] ? syscall_enter_from_user_mode+0x21/0x70
[ 77.509561][ T6522] do_syscall_64+0x35/0xb0
[ 77.513986][ T6522] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 77.519878][ T6522] RIP: 0033:0x7feff185f01a
[ 77.524305][ T6522] Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 77.544068][ T6522] RSP: 002b:00007fff83709918 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 77.552598][ T6522] RAX: ffffffffffffffda RBX: 00007fff83709aa8 RCX: 00007feff185f01a
[ 77.560673][ T6522] RDX: 00007feff18c1fe2 RSI: 00007feff18b829a RDI: 00007feff18b6d71
[ 77.568995][ T6522] RBP: 00007feff18b829a R08: 00007feff18b83f7 R09: 0000000000000026
[ 77.577307][ T6522] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff83709920
[ 77.585374][ T6522] R13: 00007fff83709ac8 R14: 00007fff837099f0 R15: 00007feff18b83f1
[ 77.593673][ T6522]
[ 77.597846][ T6522] ==================================================================
[ 77.606089][ T6522] BUG: KASAN: use-after-free in up_write+0x3ac/0x470
[ 77.612772][ T6522] Read of size 8 at addr ffff88801c4cd140 by task syz-executor/6522
[ 77.620761][ T6522]
[ 77.623079][ T6522] CPU: 0 PID: 6522 Comm: syz-executor Not tainted 5.16.0-rc3-next-20211201-syzkaller #0
[ 77.632812][ T6522] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 77.643069][ T6522] Call Trace:
[ 77.646347][ T6522]
[ 77.649292][ T6522] dump_stack_lvl+0xcd/0x134
[ 77.653918][ T6522] print_address_description.constprop.0.cold+0xa5/0x3ed
[ 77.660942][ T6522] ? up_write+0x3ac/0x470
[ 77.665269][ T6522] ? up_write+0x3ac/0x470
[ 77.669595][ T6522] kasan_report.cold+0x83/0xdf
[ 77.674357][ T6522] ? up_write+0x3ac/0x470
[ 77.678771][ T6522] up_write+0x3ac/0x470
[ 77.682927][ T6522] cgroup_setup_root+0x3a6/0xad0
[ 77.687882][ T6522] ? rebind_subsystems+0x10e0/0x10e0
[ 77.693172][ T6522] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 77.699422][ T6522] cgroup1_get_tree+0xd33/0x1390
[ 77.704378][ T6522] vfs_get_tree+0x89/0x2f0
[ 77.708800][ T6522] path_mount+0x1320/0x1fa0
[ 77.713307][ T6522] ? kmem_cache_free+0xba/0x4a0
[ 77.718179][ T6522] ? finish_automount+0xaf0/0xaf0
[ 77.723378][ T6522] ? putname+0xfe/0x140
[ 77.727536][ T6522] __x64_sys_mount+0x27f/0x300
[ 77.732305][ T6522] ? copy_mnt_ns+0xae0/0xae0
[ 77.736893][ T6522] ? syscall_enter_from_user_mode+0x21/0x70
[ 77.742906][ T6522] do_syscall_64+0x35/0xb0
[ 77.747333][ T6522] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 77.753227][ T6522] RIP: 0033:0x7feff185f01a
[ 77.757639][ T6522] Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 77.777252][ T6522] RSP: 002b:00007fff83709918 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 77.786033][ T6522] RAX: ffffffffffffffda RBX: 00007fff83709aa8 RCX: 00007feff185f01a
[ 77.794146][ T6522] RDX: 00007feff18c1fe2 RSI: 00007feff18b829a RDI: 00007feff18b6d71
[ 77.802189][ T6522] RBP: 00007feff18b829a R08: 00007feff18b83f7 R09: 0000000000000026
[ 77.810179][ T6522] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff83709920
[ 77.818161][ T6522] R13: 00007fff83709ac8 R14: 00007fff837099f0 R15: 00007feff18b83f1
[ 77.826142][ T6522]
[ 77.829157][ T6522]
[ 77.831473][ T6522] Allocated by task 6522:
[ 77.835801][ T6522] kasan_save_stack+0x1e/0x50
[ 77.840586][ T6522] __kasan_kmalloc+0xa9/0xd0
[ 77.845265][ T6522] kernfs_create_root+0x4c/0x410
[ 77.850203][ T6522] cgroup_setup_root+0x243/0xad0
[ 77.855143][ T6522] cgroup1_get_tree+0xd33/0x1390
[ 77.860078][ T6522] vfs_get_tree+0x89/0x2f0
[ 77.864503][ T6522] path_mount+0x1320/0x1fa0
[ 77.869005][ T6522] __x64_sys_mount+0x27f/0x300
[ 77.873828][ T6522] do_syscall_64+0x35/0xb0
[ 77.878248][ T6522] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 77.884144][ T6522]
[ 77.886455][ T6522] Freed by task 6522:
[ 77.890421][ T6522] kasan_save_stack+0x1e/0x50
[ 77.895101][ T6522] kasan_set_track+0x21/0x30
[ 77.899688][ T6522] kasan_set_free_info+0x20/0x30
[ 77.904618][ T6522] __kasan_slab_free+0x103/0x170
[ 77.909552][ T6522] slab_free_freelist_hook+0x8b/0x1c0
[ 77.914919][ T6522] kfree+0xe0/0x430
[ 77.918720][ T6522] kernfs_put.part.0+0x331/0x540
[ 77.923656][ T6522] kernfs_put+0x42/0x50
[ 77.927804][ T6522] __kernfs_remove+0x7a3/0xb20
[ 77.932565][ T6522] kernfs_destroy_root+0x89/0xb0
[ 77.937512][ T6522] cgroup_setup_root+0x3a6/0xad0
[ 77.942449][ T6522] cgroup1_get_tree+0xd33/0x1390
[ 77.947383][ T6522] vfs_get_tree+0x89/0x2f0
[ 77.951807][ T6522] path_mount+0x1320/0x1fa0
[ 77.956307][ T6522] __x64_sys_mount+0x27f/0x300
[ 77.961080][ T6522] do_syscall_64+0x35/0xb0
[ 77.965507][ T6522] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 77.971413][ T6522]
[ 77.973728][ T6522] The buggy address belongs to the object at ffff88801c4cd000
[ 77.973728][ T6522] which belongs to the cache kmalloc-512 of size 512
[ 77.987781][ T6522] The buggy address is located 320 bytes inside of
[ 77.987781][ T6522] 512-byte region [ffff88801c4cd000, ffff88801c4cd200)
[ 78.001136][ T6522] The buggy address belongs to the page:
[ 78.006755][ T6522] page:ffffea0000713300 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1c4cc
[ 78.017076][ T6522] head:ffffea0000713300 order:2 compound_mapcount:0 compound_pincount:0
[ 78.025482][ T6522] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 78.033466][ T6522] raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888010c41c80
[ 78.042143][ T6522] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 78.050712][ T6522] page dumped because: kasan: bad access detected
[ 78.057110][ T6522] page_owner tracks the page as allocated
[ 78.062809][ T6522] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1180, ts 9082052809, free_ts 0
[ 78.081169][ T6522] get_page_from_freelist+0xa72/0x2f40
[ 78.086822][ T6522] __alloc_pages+0x1b2/0x500
[ 78.091408][ T6522] alloc_pages+0x1a7/0x300
[ 78.095911][ T6522] new_slab+0x261/0x460
[ 78.100077][ T6522] ___slab_alloc+0x798/0xf30
[ 78.104942][ T6522] __slab_alloc.constprop.0+0x4d/0xa0
[ 78.110313][ T6522] kmem_cache_alloc_trace+0x289/0x2c0
[ 78.115686][ T6522] alloc_bprm+0x51/0x8f0
[ 78.119937][ T6522] kernel_execve+0x55/0x460
[ 78.124453][ T6522] call_usermodehelper_exec_async+0x2e3/0x580
[ 78.130521][ T6522] ret_from_fork+0x1f/0x30
[ 78.134946][ T6522] page_owner free stack trace missing
[ 78.140388][ T6522]
[ 78.142711][ T6522] Memory state around the buggy address:
[ 78.148329][ T6522] ffff88801c4cd000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.156651][ T6522] ffff88801c4cd080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.165154][ T6522] >ffff88801c4cd100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.173548][ T6522] ^
[ 78.179786][ T6522] ffff88801c4cd180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.187923][ T6522] ffff88801c4cd200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 78.195986][ T6522] ==================================================================
[ 78.210930][ T6522] Kernel panic - not syncing: panic_on_warn set ...
[ 78.217626][ T6522] CPU: 0 PID: 6522 Comm: syz-executor Tainted: G B 5.16.0-rc3-next-20211201-syzkaller #0
[ 78.228825][ T6522] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 78.238887][ T6522] Call Trace:
[ 78.242339][ T6522]
[ 78.245311][ T6522] dump_stack_lvl+0xcd/0x134
[ 78.250276][ T6522] panic+0x2b0/0x6dd
[ 78.254206][ T6522] ? __warn_printk+0xf3/0xf3
[ 78.258796][ T6522] ? preempt_schedule_common+0x59/0xc0
[ 78.264353][ T6522] ? up_write+0x3ac/0x470
[ 78.268697][ T6522] ? preempt_schedule_thunk+0x16/0x18
[ 78.274117][ T6522] ? trace_hardirqs_on+0x38/0x1c0
[ 78.279154][ T6522] ? trace_hardirqs_on+0x51/0x1c0
[ 78.284519][ T6522] ? up_write+0x3ac/0x470
[ 78.288853][ T6522] ? up_write+0x3ac/0x470
[ 78.293203][ T6522] end_report.cold+0x63/0x6f
[ 78.297805][ T6522] kasan_report.cold+0x71/0xdf
[ 78.302755][ T6522] ? up_write+0x3ac/0x470
[ 78.307093][ T6522] up_write+0x3ac/0x470
[ 78.312169][ T6522] cgroup_setup_root+0x3a6/0xad0
[ 78.317162][ T6522] ? rebind_subsystems+0x10e0/0x10e0
[ 78.322485][ T6522] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 78.328739][ T6522] cgroup1_get_tree+0xd33/0x1390
[ 78.333683][ T6522] vfs_get_tree+0x89/0x2f0
[ 78.338118][ T6522] path_mount+0x1320/0x1fa0
[ 78.342623][ T6522] ? kmem_cache_free+0xba/0x4a0
[ 78.347482][ T6522] ? finish_automount+0xaf0/0xaf0
[ 78.352509][ T6522] ? putname+0xfe/0x140
[ 78.356760][ T6522] __x64_sys_mount+0x27f/0x300
[ 78.361528][ T6522] ? copy_mnt_ns+0xae0/0xae0
[ 78.366203][ T6522] ? syscall_enter_from_user_mode+0x21/0x70
[ 78.372188][ T6522] do_syscall_64+0x35/0xb0
[ 78.376604][ T6522] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 78.382500][ T6522] RIP: 0033:0x7feff185f01a
[ 78.386922][ T6522] Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 78.406643][ T6522] RSP: 002b:00007fff83709918 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 78.415146][ T6522] RAX: ffffffffffffffda RBX: 00007fff83709aa8 RCX: 00007feff185f01a
[ 78.423116][ T6522] RDX: 00007feff18c1fe2 RSI: 00007feff18b829a RDI: 00007feff18b6d71
[ 78.431080][ T6522] RBP: 00007feff18b829a R08: 00007feff18b83f7 R09: 0000000000000026
[ 78.439057][ T6522] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff83709920
[ 78.447207][ T6522] R13: 00007fff83709ac8 R14: 00007fff837099f0 R15: 00007feff18b83f1
[ 78.455353][ T6522]
[ 78.458428][ T6522] Kernel Offset: disabled
[ 78.462805][ T6522] Rebooting in 86400 seconds..