[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.61' (ECDSA) to the list of known hosts.
2021/12/01 08:31:35 fuzzer started
2021/12/01 08:31:35 connecting to host at 10.128.0.169:33273
2021/12/01 08:31:35 checking machine...
2021/12/01 08:31:35 checking revisions...
2021/12/01 08:31:35 testing simple program...
syzkaller login: [ 75.436437][ T6503] cgroup: Unknown subsys name 'net'
[ 75.442755][ T6503] 
[ 75.445071][ T6503] =========================
[ 75.449549][ T6503] WARNING: held lock freed!
[ 75.454029][ T6503] 5.16.0-rc3-next-20211201-syzkaller #0 Not tainted
[ 75.460587][ T6503] -------------------------
[ 75.465102][ T6503] syz-executor/6503 is freeing memory ffff88801a24c800-ffff88801a24c9ff, with a lock still held there!
[ 75.476094][ T6503] ffff88801a24c948 (&root->kernfs_rwsem){++++}-{3:3}, at: kernfs_destroy_root+0x81/0xb0
[ 75.485813][ T6503] 2 locks held by syz-executor/6503:
[ 75.491087][ T6503]  #0: ffffffff8bbc4e48 (cgroup_mutex){+.+.}-{3:3}, at: cgroup_lock_and_drain_offline+0xa5/0x900
[ 75.501601][ T6503]  #1: ffff88801a24c948 (&root->kernfs_rwsem){++++}-{3:3}, at: kernfs_destroy_root+0x81/0xb0
[ 75.511769][ T6503] 
[ 75.511769][ T6503] stack backtrace:
[ 75.517636][ T6503] CPU: 1 PID: 6503 Comm: syz-executor Not tainted 5.16.0-rc3-next-20211201-syzkaller #0
[ 75.527383][ T6503] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 75.537427][ T6503] Call Trace:
[ 75.540692][ T6503] 
[ 75.543607][ T6503]  dump_stack_lvl+0xcd/0x134
[ 75.548190][ T6503]  debug_check_no_locks_freed.cold+0x9d/0xa9
[ 75.554166][ T6503]  ? lockdep_hardirqs_on+0x79/0x100
[ 75.559357][ T6503]  slab_free_freelist_hook+0x73/0x1c0
[ 75.564716][ T6503]  ? kernfs_put.part.0+0x331/0x540
[ 75.569812][ T6503]  kfree+0xe0/0x430
[ 75.573607][ T6503]  ? kmem_cache_free+0xba/0x4a0
[ 75.578440][ T6503]  ? rwlock_bug.part.0+0x90/0x90
[ 75.583363][ T6503]  ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 75.589685][ T6503]  kernfs_put.part.0+0x331/0x540
[ 75.594613][ T6503]  kernfs_put+0x42/0x50
[ 75.598752][ T6503]  __kernfs_remove+0x7a3/0xb20
[ 75.603497][ T6503]  ? kernfs_next_descendant_post+0x2f0/0x2f0
[ 75.609466][ T6503]  ? down_write+0xde/0x150
[ 75.613866][ T6503]  ? down_write_killable_nested+0x180/0x180
[ 75.619740][ T6503]  kernfs_destroy_root+0x89/0xb0
[ 75.624660][ T6503]  cgroup_setup_root+0x3a6/0xad0
[ 75.629668][ T6503]  ? rebind_subsystems+0x10e0/0x10e0
[ 75.634934][ T6503]  ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 75.641161][ T6503]  cgroup1_get_tree+0xd33/0x1390
[ 75.646088][ T6503]  vfs_get_tree+0x89/0x2f0
[ 75.650486][ T6503]  path_mount+0x1320/0x1fa0
[ 75.655067][ T6503]  ? kmem_cache_free+0xba/0x4a0
[ 75.659905][ T6503]  ? finish_automount+0xaf0/0xaf0
[ 75.664922][ T6503]  ? putname+0xfe/0x140
[ 75.669068][ T6503]  __x64_sys_mount+0x27f/0x300
[ 75.673812][ T6503]  ? copy_mnt_ns+0xae0/0xae0
[ 75.678385][ T6503]  ? syscall_enter_from_user_mode+0x21/0x70
[ 75.684275][ T6503]  do_syscall_64+0x35/0xb0
[ 75.688686][ T6503]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 75.694572][ T6503] RIP: 0033:0x7fe71e36501a
[ 75.699160][ T6503] Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 75.718764][ T6503] RSP: 002b:00007ffd073d0928 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 75.727179][ T6503] RAX: ffffffffffffffda RBX: 00007ffd073d0ab8 RCX: 00007fe71e36501a
[ 75.735132][ T6503] RDX: 00007fe71e3c7fe2 RSI: 00007fe71e3be29a RDI: 00007fe71e3bcd71
[ 75.743098][ T6503] RBP: 00007fe71e3be29a R08: 00007fe71e3be3f7 R09: 0000000000000026
[ 75.751052][ T6503] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd073d0930
[ 75.759014][ T6503] R13: 00007ffd073d0ad8 R14: 00007ffd073d0a00 R15: 00007fe71e3be3f1
[ 75.766970][ T6503] 
[ 75.771304][ T6503] ==================================================================
[ 75.779369][ T6503] BUG: KASAN: use-after-free in up_write+0x3ac/0x470
[ 75.786048][ T6503] Read of size 8 at addr ffff88801a24c940 by task syz-executor/6503
[ 75.794037][ T6503] 
[ 75.796366][ T6503] CPU: 1 PID: 6503 Comm: syz-executor Not tainted 5.16.0-rc3-next-20211201-syzkaller #0
[ 75.806078][ T6503] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 75.816127][ T6503] Call Trace:
[ 75.819409][ T6503] 
[ 75.822703][ T6503]  dump_stack_lvl+0xcd/0x134
[ 75.827324][ T6503]  print_address_description.constprop.0.cold+0xa5/0x3ed
[ 75.834365][ T6503]  ? up_write+0x3ac/0x470
[ 75.838693][ T6503]  ? up_write+0x3ac/0x470
[ 75.843017][ T6503]  kasan_report.cold+0x83/0xdf
[ 75.847786][ T6503]  ? up_write+0x3ac/0x470
[ 75.852114][ T6503]  up_write+0x3ac/0x470
[ 75.856273][ T6503]  cgroup_setup_root+0x3a6/0xad0
[ 75.861217][ T6503]  ? rebind_subsystems+0x10e0/0x10e0
[ 75.866505][ T6503]  ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 75.872765][ T6503]  cgroup1_get_tree+0xd33/0x1390
[ 75.877705][ T6503]  vfs_get_tree+0x89/0x2f0
[ 75.882125][ T6503]  path_mount+0x1320/0x1fa0
[ 75.886636][ T6503]  ? kmem_cache_free+0xba/0x4a0
[ 75.891507][ T6503]  ? finish_automount+0xaf0/0xaf0
[ 75.896537][ T6503]  ? putname+0xfe/0x140
[ 75.900704][ T6503]  __x64_sys_mount+0x27f/0x300
[ 75.905472][ T6503]  ? copy_mnt_ns+0xae0/0xae0
[ 75.910068][ T6503]  ? syscall_enter_from_user_mode+0x21/0x70
[ 75.915969][ T6503]  do_syscall_64+0x35/0xb0
[ 75.920401][ T6503]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 75.926296][ T6503] RIP: 0033:0x7fe71e36501a
[ 75.930705][ T6503] Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 75.950314][ T6503] RSP: 002b:00007ffd073d0928 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 75.958724][ T6503] RAX: ffffffffffffffda RBX: 00007ffd073d0ab8 RCX: 00007fe71e36501a
[ 75.966687][ T6503] RDX: 00007fe71e3c7fe2 RSI: 00007fe71e3be29a RDI: 00007fe71e3bcd71
[ 75.974653][ T6503] RBP: 00007fe71e3be29a R08: 00007fe71e3be3f7 R09: 0000000000000026
[ 75.982633][ T6503] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd073d0930
[ 75.990597][ T6503] R13: 00007ffd073d0ad8 R14: 00007ffd073d0a00 R15: 00007fe71e3be3f1
[ 75.998566][ T6503] 
[ 76.001577][ T6503] 
[ 76.003886][ T6503] Allocated by task 6503:
[ 76.008200][ T6503]  kasan_save_stack+0x1e/0x50
[ 76.012886][ T6503]  __kasan_kmalloc+0xa9/0xd0
[ 76.017647][ T6503]  kernfs_create_root+0x4c/0x410
[ 76.022583][ T6503]  cgroup_setup_root+0x243/0xad0
[ 76.027520][ T6503]  cgroup1_get_tree+0xd33/0x1390
[ 76.032537][ T6503]  vfs_get_tree+0x89/0x2f0
[ 76.036953][ T6503]  path_mount+0x1320/0x1fa0
[ 76.041451][ T6503]  __x64_sys_mount+0x27f/0x300
[ 76.046214][ T6503]  do_syscall_64+0x35/0xb0
[ 76.050625][ T6503]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 76.056514][ T6503] 
[ 76.058832][ T6503] Freed by task 6503:
[ 76.062803][ T6503]  kasan_save_stack+0x1e/0x50
[ 76.067479][ T6503]  kasan_set_track+0x21/0x30
[ 76.072067][ T6503]  kasan_set_free_info+0x20/0x30
[ 76.077005][ T6503]  __kasan_slab_free+0x103/0x170
[ 76.081942][ T6503]  slab_free_freelist_hook+0x8b/0x1c0
[ 76.087348][ T6503]  kfree+0xe0/0x430
[ 76.091155][ T6503]  kernfs_put.part.0+0x331/0x540
[ 76.096089][ T6503]  kernfs_put+0x42/0x50
[ 76.100240][ T6503]  __kernfs_remove+0x7a3/0xb20
[ 76.105002][ T6503]  kernfs_destroy_root+0x89/0xb0
[ 76.109935][ T6503]  cgroup_setup_root+0x3a6/0xad0
[ 76.114873][ T6503]  cgroup1_get_tree+0xd33/0x1390
[ 76.119809][ T6503]  vfs_get_tree+0x89/0x2f0
[ 76.124226][ T6503]  path_mount+0x1320/0x1fa0
[ 76.128735][ T6503]  __x64_sys_mount+0x27f/0x300
[ 76.133611][ T6503]  do_syscall_64+0x35/0xb0
[ 76.138028][ T6503]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 76.143916][ T6503] 
[ 76.146241][ T6503] The buggy address belongs to the object at ffff88801a24c800
[ 76.146241][ T6503]  which belongs to the cache kmalloc-512 of size 512
[ 76.160370][ T6503] The buggy address is located 320 bytes inside of
[ 76.160370][ T6503]  512-byte region [ffff88801a24c800, ffff88801a24ca00)
[ 76.173638][ T6503] The buggy address belongs to the page:
[ 76.179259][ T6503] page:ffffea0000689300 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1a24c
[ 76.189404][ T6503] head:ffffea0000689300 order:2 compound_mapcount:0 compound_pincount:0
[ 76.197804][ T6503] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 76.205792][ T6503] raw: 00fff00000010200 ffffea0001e96100 dead000000000002 ffff888010c41c80
[ 76.214369][ T6503] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 76.222955][ T6503] page dumped because: kasan: bad access detected
[ 76.229366][ T6503] page_owner tracks the page as allocated
[ 76.235069][ T6503] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 753, ts 7906024568, free_ts 0
[ 76.253139][ T6503]  get_page_from_freelist+0xa72/0x2f40
[ 76.258595][ T6503]  __alloc_pages+0x1b2/0x500
[ 76.263180][ T6503]  alloc_pages+0x1a7/0x300
[ 76.267592][ T6503]  new_slab+0x261/0x460
[ 76.271748][ T6503]  ___slab_alloc+0x798/0xf30
[ 76.276333][ T6503]  __slab_alloc.constprop.0+0x4d/0xa0
[ 76.281714][ T6503]  kmem_cache_alloc_trace+0x289/0x2c0
[ 76.287082][ T6503]  alloc_bprm+0x51/0x8f0
[ 76.291316][ T6503]  kernel_execve+0x55/0x460
[ 76.295813][ T6503]  call_usermodehelper_exec_async+0x2e3/0x580
[ 76.301888][ T6503]  ret_from_fork+0x1f/0x30
[ 76.306313][ T6503] page_owner free stack trace missing
[ 76.311686][ T6503] 
[ 76.314008][ T6503] Memory state around the buggy address:
[ 76.319628][ T6503]  ffff88801a24c800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.327690][ T6503]  ffff88801a24c880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.335743][ T6503] >ffff88801a24c900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.343788][ T6503]                                             ^
[ 76.349941][ T6503]  ffff88801a24c980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.358000][ T6503]  ffff88801a24ca00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 76.366047][ T6503] ==================================================================
[ 76.384649][ T6503] Kernel panic - not syncing: panic_on_warn set ...
[ 76.391444][ T6503] CPU: 1 PID: 6503 Comm: syz-executor Tainted: G B 5.16.0-rc3-next-20211201-syzkaller #0
[ 76.402568][ T6503] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 76.412713][ T6503] Call Trace:
[ 76.415989][ T6503] 
[ 76.421022][ T6503]  dump_stack_lvl+0xcd/0x134
[ 76.425617][ T6503]  panic+0x2b0/0x6dd
[ 76.429680][ T6503]  ? __warn_printk+0xf3/0xf3
[ 76.434266][ T6503]  ? preempt_schedule_common+0x59/0xc0
[ 76.439726][ T6503]  ? up_write+0x3ac/0x470
[ 76.444082][ T6503]  ? preempt_schedule_thunk+0x16/0x18
[ 76.449538][ T6503]  ? trace_hardirqs_on+0x38/0x1c0
[ 76.454568][ T6503]  ? trace_hardirqs_on+0x51/0x1c0
[ 76.459587][ T6503]  ? up_write+0x3ac/0x470
[ 76.463910][ T6503]  ? up_write+0x3ac/0x470
[ 76.468237][ T6503]  end_report.cold+0x63/0x6f
[ 76.472821][ T6503]  kasan_report.cold+0x71/0xdf
[ 76.477589][ T6503]  ? up_write+0x3ac/0x470
[ 76.481999][ T6503]  up_write+0x3ac/0x470
[ 76.486156][ T6503]  cgroup_setup_root+0x3a6/0xad0
[ 76.491094][ T6503]  ? rebind_subsystems+0x10e0/0x10e0
[ 76.496464][ T6503]  ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 76.502708][ T6503]  cgroup1_get_tree+0xd33/0x1390
[ 76.507645][ T6503]  vfs_get_tree+0x89/0x2f0
[ 76.512058][ T6503]  path_mount+0x1320/0x1fa0
[ 76.516560][ T6503]  ? kmem_cache_free+0xba/0x4a0
[ 76.521409][ T6503]  ? finish_automount+0xaf0/0xaf0
[ 76.526434][ T6503]  ? putname+0xfe/0x140
[ 76.530600][ T6503]  __x64_sys_mount+0x27f/0x300
[ 76.535363][ T6503]  ? copy_mnt_ns+0xae0/0xae0
[ 76.539951][ T6503]  ? syscall_enter_from_user_mode+0x21/0x70
[ 76.545868][ T6503]  do_syscall_64+0x35/0xb0
[ 76.550282][ T6503]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 76.556197][ T6503] RIP: 0033:0x7fe71e36501a
[ 76.560609][ T6503] Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 76.580229][ T6503] RSP: 002b:00007ffd073d0928 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 76.588637][ T6503] RAX: ffffffffffffffda RBX: 00007ffd073d0ab8 RCX: 00007fe71e36501a
[ 76.596603][ T6503] RDX: 00007fe71e3c7fe2 RSI: 00007fe71e3be29a RDI: 00007fe71e3bcd71
[ 76.604568][ T6503] RBP: 00007fe71e3be29a R08: 00007fe71e3be3f7 R09: 0000000000000026
[ 76.612529][ T6503] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd073d0930
[ 76.620498][ T6503] R13: 00007ffd073d0ad8 R14: 00007ffd073d0a00 R15: 00007fe71e3be3f1
[ 76.628467][ T6503] 
[ 76.631769][ T6503] Kernel Offset: disabled
[ 76.636079][ T6503] Rebooting in 86400 seconds..
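Added example, not part of the syzkaller report above and not kernel code: a userspace C model of the bug class the two reports describe. In the log, kernfs_destroy_root() holds root->kernfs_rwsem for writing while __kernfs_remove() drops the last reference and kernfs_put() kfree()s the 512-byte kernfs_root that embeds the semaphore (lockdep: "held lock freed!", the lock at ffff88801a24c948 lying inside the freed range ffff88801a24c800-ffff88801a24c9ff); the up_write() that follows then reads the freed object at ffff88801a24c940, 320 bytes into the region (KASAN: use-after-free). struct root, the root_* helpers, the liveness record and the held-lock list are hypothetical stand-ins for kernfs_root, kernfs_get()/kernfs_put(), KASAN's shadow memory and lockdep's held-lock tracking. The hardened variant pins the object with an extra reference across the locked region, which is one standard way to close this class of bug, not a statement about the patch applied upstream.

```c
/* Added example, not kernel code: struct root, root_* and the bookkeeping are
 * hypothetical stand-ins for kernfs_root, kernfs_get/put, lockdep and KASAN. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct root {                      /* stand-in for struct kernfs_root */
    int refcnt;                    /* reference held by the root's node tree */
    struct { int writer; } rwsem;  /* models root->kernfs_rwsem */
};

/* Liveness of the tracked object (KASAN shadow's job) and the held-lock list
 * (lockdep's job), so a freed object is recognised without touching it. */
static struct { uintptr_t base; size_t len; bool live; } obj;
static uintptr_t held_locks[8];
static size_t n_held;

struct verdict {
    int held_lock_freed;  /* lockdep: "WARNING: held lock freed!" */
    int use_after_free;   /* KASAN: "use-after-free in up_write" */
    int object_freed;     /* was the root released at all? */
};
static struct verdict seen;

static bool is_live(uintptr_t p) { return obj.live && p >= obj.base && p < obj.base + obj.len; }

static struct root *root_alloc(void)
{
    struct root *r = calloc(1, sizeof *r);
    if (!r) abort();
    r->refcnt = 1;
    obj.base = (uintptr_t)r; obj.len = sizeof *r; obj.live = true;
    return r;
}

/* kfree() plus lockdep's debug_check_no_locks_freed(): held lock in freed range? */
static void root_free(struct root *r)
{
    uintptr_t p = (uintptr_t)r;
    for (size_t i = 0; i < n_held; i++)
        if (held_locks[i] >= p && held_locks[i] < p + sizeof *r)
            seen.held_lock_freed++;
    obj.live = false;
    memset(r, 0xfb, sizeof *r);  /* poison, like a freed slab object */
    free(r);
    seen.object_freed++;
}
static void root_get(struct root *r) { r->refcnt++; }
static void root_put(struct root *r) { if (--r->refcnt == 0) root_free(r); }

static void root_down_write(struct root *r)
{
    r->rwsem.writer = 1;
    held_locks[n_held++] = (uintptr_t)&r->rwsem;
}

/* up_write() checked the way KASAN would: the lock address is computed without
 * dereferencing r, and a dead object is reported instead of being written. */
static void root_up_write(struct root *r)
{
    uintptr_t lock = (uintptr_t)r + offsetof(struct root, rwsem);
    if (n_held && held_locks[n_held - 1] == lock) n_held--;
    if (!is_live(lock)) { seen.use_after_free++; return; }
    r->rwsem.writer = 0;
}

/* Ordering in the report: lock, tear down the tree (the last reference goes,
 * so the root is freed), then unlock the semaphore inside the freed root. */
static void destroy_root_buggy(struct root *r)
{
    root_down_write(r);
    root_put(r);       /* the tree's reference was the last one */
    root_up_write(r);  /* r is already freed */
}

/* Hardened ordering: pin the root across the locked region so the final
 * reference is dropped only after the lock has been released. */
static void destroy_root_fixed(struct root *r)
{
    root_get(r);
    root_down_write(r);
    root_put(r);       /* tree's reference; ours keeps the object alive */
    root_up_write(r);
    root_put(r);       /* final put, lock no longer held */
}

struct verdict run_scenario(bool fixed)
{
    memset(&seen, 0, sizeof seen);
    memset(&obj, 0, sizeof obj); n_held = 0;
    struct root *r = root_alloc();
    if (fixed) destroy_root_fixed(r); else destroy_root_buggy(r);
    return seen;
}

int main(void)
{
    struct verdict b = run_scenario(false), f = run_scenario(true);
    printf("buggy: lock_freed=%d uaf=%d | fixed: lock_freed=%d uaf=%d freed=%d\n",
           b.held_lock_freed, b.use_after_free, f.held_lock_freed, f.use_after_free, f.object_freed);
}
```

run_scenario(false) reproduces the reported ordering and returns held_lock_freed=1 and use_after_free=1; run_scenario(true) returns 0 for both while still releasing the object once. The checks are done on addresses (the liveness record and offsetof) so the model itself never dereferences freed memory; with a real allocator the same ordering is exactly what lockdep's debug_check_no_locks_freed() and KASAN report in the log.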