[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Started getty on tty2-tty6 if dbus and logind are not available.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.108' (ECDSA) to the list of known hosts.
2021/12/03 12:02:00 fuzzer started
2021/12/03 12:02:00 connecting to host at 10.128.0.169:34171
2021/12/03 12:02:00 checking machine...
2021/12/03 12:02:00 checking revisions...
2021/12/03 12:02:00 testing simple program...
syzkaller login: [ 70.355788][ T6518] cgroup: Unknown subsys name 'net'
[ 70.362129][ T6518]
[ 70.364465][ T6518] =========================
[ 70.369040][ T6518] WARNING: held lock freed!
[ 70.373550][ T6518] 5.16.0-rc3-next-20211203-syzkaller #0 Not tainted
[ 70.380115][ T6518] -------------------------
[ 70.384679][ T6518] syz-executor/6518 is freeing memory ffff88801ed72800-ffff88801ed729ff, with a lock still held there!
[ 70.395681][ T6518] ffff88801ed72948 (&root->kernfs_rwsem){++++}-{3:3}, at: kernfs_destroy_root+0x81/0xb0
[ 70.405401][ T6518] 2 locks held by syz-executor/6518:
[ 70.410835][ T6518] #0: ffffffff8bbc4e48 (cgroup_mutex){+.+.}-{3:3}, at: cgroup_lock_and_drain_offline+0xa5/0x900
[ 70.421561][ T6518] #1: ffff88801ed72948 (&root->kernfs_rwsem){++++}-{3:3}, at: kernfs_destroy_root+0x81/0xb0
[ 70.431903][ T6518]
[ 70.431903][ T6518] stack backtrace:
[ 70.437776][ T6518] CPU: 0 PID: 6518 Comm: syz-executor Not tainted 5.16.0-rc3-next-20211203-syzkaller #0
[ 70.447491][ T6518] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 70.457524][ T6518] Call Trace:
[ 70.460806][ T6518]
[ 70.463720][ T6518] dump_stack_lvl+0xcd/0x134
[ 70.468300][ T6518] debug_check_no_locks_freed.cold+0x9d/0xa9
[ 70.474279][ T6518] ? lockdep_hardirqs_on+0x79/0x100
[ 70.479464][ T6518] slab_free_freelist_hook+0x73/0x1c0
[ 70.484819][ T6518] ? kernfs_put.part.0+0x331/0x540
[ 70.489940][ T6518] kfree+0xd0/0x4b0
[ 70.493731][ T6518] ? kmem_cache_free+0xdd/0x580
[ 70.498563][ T6518] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 70.504787][ T6518] kernfs_put.part.0+0x331/0x540
[ 70.509708][ T6518] kernfs_put+0x42/0x50
[ 70.513844][ T6518] __kernfs_remove+0x7a3/0xb20
[ 70.518593][ T6518] ? kernfs_next_descendant_post+0x2f0/0x2f0
[ 70.524557][ T6518] ? down_write+0xde/0x150
[ 70.528971][ T6518] ? down_write_killable_nested+0x180/0x180
[ 70.534861][ T6518] kernfs_destroy_root+0x89/0xb0
[ 70.539783][ T6518] cgroup_setup_root+0x3a6/0xad0
[ 70.544704][ T6518] ? rebind_subsystems+0x10e0/0x10e0
[ 70.549975][ T6518] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 70.556214][ T6518] cgroup1_get_tree+0xd33/0x1390
[ 70.561139][ T6518] vfs_get_tree+0x89/0x2f0
[ 70.565553][ T6518] path_mount+0x1320/0x1fa0
[ 70.570045][ T6518] ? kmem_cache_free+0xdd/0x580
[ 70.574877][ T6518] ? finish_automount+0xaf0/0xaf0
[ 70.579895][ T6518] ? putname+0xfe/0x140
[ 70.584037][ T6518] __x64_sys_mount+0x27f/0x300
[ 70.588786][ T6518] ? copy_mnt_ns+0xae0/0xae0
[ 70.593362][ T6518] ? syscall_enter_from_user_mode+0x21/0x70
[ 70.599247][ T6518] do_syscall_64+0x35/0xb0
[ 70.603669][ T6518] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 70.609580][ T6518] RIP: 0033:0x7f826f09a04a
[ 70.613998][ T6518] Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 70.633596][ T6518] RSP: 002b:00007ffd1d980228 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 70.641989][ T6518] RAX: ffffffffffffffda RBX: 00007ffd1d9803b8 RCX: 00007f826f09a04a
[ 70.649941][ T6518] RDX: 00007f826f0fd012 RSI: 00007f826f0f32cc RDI: 00007f826f0f1d71
[ 70.657893][ T6518] RBP: 00007f826f0f32cc R08: 00007f826f0f3429 R09: 0000000000000026
[ 70.665852][ T6518] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd1d980230
[ 70.673802][ T6518] R13: 00007ffd1d9803d8 R14: 00007ffd1d980300 R15: 00007f826f0f3423
[ 70.681785][ T6518]
[ 70.685053][ T6518] ==================================================================
[ 70.693301][ T6518] BUG: KASAN: use-after-free in up_write+0x3ac/0x470
[ 70.699984][ T6518] Read of size 8 at addr ffff88801ed72940 by task syz-executor/6518
[ 70.707952][ T6518]
[ 70.710267][ T6518] CPU: 1 PID: 6518 Comm: syz-executor Not tainted 5.16.0-rc3-next-20211203-syzkaller #0
[ 70.719997][ T6518] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 70.730051][ T6518] Call Trace:
[ 70.733341][ T6518]
[ 70.736261][ T6518] dump_stack_lvl+0xcd/0x134
[ 70.740855][ T6518] print_address_description.constprop.0.cold+0xa5/0x3ed
[ 70.747879][ T6518] ? up_write+0x3ac/0x470
[ 70.752203][ T6518] ? up_write+0x3ac/0x470
[ 70.756521][ T6518] kasan_report.cold+0x83/0xdf
[ 70.761276][ T6518] ? up_write+0x3ac/0x470
[ 70.765593][ T6518] up_write+0x3ac/0x470
[ 70.769737][ T6518] cgroup_setup_root+0x3a6/0xad0
[ 70.774686][ T6518] ? rebind_subsystems+0x10e0/0x10e0
[ 70.779969][ T6518] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 70.786207][ T6518] cgroup1_get_tree+0xd33/0x1390
[ 70.791137][ T6518] vfs_get_tree+0x89/0x2f0
[ 70.795548][ T6518] path_mount+0x1320/0x1fa0
[ 70.800041][ T6518] ? kmem_cache_free+0xdd/0x580
[ 70.804882][ T6518] ? finish_automount+0xaf0/0xaf0
[ 70.810003][ T6518] ? putname+0xfe/0x140
[ 70.814153][ T6518] __x64_sys_mount+0x27f/0x300
[ 70.818928][ T6518] ? copy_mnt_ns+0xae0/0xae0
[ 70.823509][ T6518] ? syscall_enter_from_user_mode+0x21/0x70
[ 70.829401][ T6518] do_syscall_64+0x35/0xb0
[ 70.833808][ T6518] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 70.839691][ T6518] RIP: 0033:0x7f826f09a04a
[ 70.844179][ T6518] Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 70.863778][ T6518] RSP: 002b:00007ffd1d980228 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 70.872179][ T6518] RAX: ffffffffffffffda RBX: 00007ffd1d9803b8 RCX: 00007f826f09a04a
[ 70.880140][ T6518] RDX: 00007f826f0fd012 RSI: 00007f826f0f32cc RDI: 00007f826f0f1d71
[ 70.888096][ T6518] RBP: 00007f826f0f32cc R08: 00007f826f0f3429 R09: 0000000000000026
[ 70.896054][ T6518] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd1d980230
[ 70.904013][ T6518] R13: 00007ffd1d9803d8 R14: 00007ffd1d980300 R15: 00007f826f0f3423
[ 70.911979][ T6518]
[ 70.914983][ T6518]
[ 70.917292][ T6518] Allocated by task 6518:
[ 70.921600][ T6518] kasan_save_stack+0x1e/0x40
[ 70.926312][ T6518] __kasan_kmalloc+0xa9/0xd0
[ 70.930900][ T6518] kernfs_create_root+0x4c/0x410
[ 70.935829][ T6518] cgroup_setup_root+0x243/0xad0
[ 70.940761][ T6518] cgroup1_get_tree+0xd33/0x1390
[ 70.945691][ T6518] vfs_get_tree+0x89/0x2f0
[ 70.950097][ T6518] path_mount+0x1320/0x1fa0
[ 70.954936][ T6518] __x64_sys_mount+0x27f/0x300
[ 70.959691][ T6518] do_syscall_64+0x35/0xb0
[ 70.964097][ T6518] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 70.969979][ T6518]
[ 70.972287][ T6518] Freed by task 6518:
[ 70.976268][ T6518] kasan_save_stack+0x1e/0x40
[ 70.980947][ T6518] kasan_set_track+0x21/0x30
[ 70.985529][ T6518] kasan_set_free_info+0x20/0x30
[ 70.990453][ T6518] ____kasan_slab_free+0x166/0x1a0
[ 70.995556][ T6518] slab_free_freelist_hook+0x8b/0x1c0
[ 71.000930][ T6518] kfree+0xd0/0x4b0
[ 71.004729][ T6518] kernfs_put.part.0+0x331/0x540
[ 71.009671][ T6518] kernfs_put+0x42/0x50
[ 71.013815][ T6518] __kernfs_remove+0x7a3/0xb20
[ 71.018670][ T6518] kernfs_destroy_root+0x89/0xb0
[ 71.023599][ T6518] cgroup_setup_root+0x3a6/0xad0
[ 71.028532][ T6518] cgroup1_get_tree+0xd33/0x1390
[ 71.033458][ T6518] vfs_get_tree+0x89/0x2f0
[ 71.037863][ T6518] path_mount+0x1320/0x1fa0
[ 71.042360][ T6518] __x64_sys_mount+0x27f/0x300
[ 71.047141][ T6518] do_syscall_64+0x35/0xb0
[ 71.051557][ T6518] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 71.057436][ T6518]
[ 71.059748][ T6518] The buggy address belongs to the object at ffff88801ed72800
[ 71.059748][ T6518] which belongs to the cache kmalloc-512 of size 512
[ 71.073782][ T6518] The buggy address is located 320 bytes inside of
[ 71.073782][ T6518] 512-byte region [ffff88801ed72800, ffff88801ed72a00)
[ 71.087043][ T6518] The buggy address belongs to the page:
[ 71.092661][ T6518] page:ffffea00007b5c00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1ed70
[ 71.102802][ T6518] head:ffffea00007b5c00 order:2 compound_mapcount:0 compound_pincount:0
[ 71.111195][ T6518] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 71.119168][ T6518] raw: 00fff00000010200 ffffea000063bb00 dead000000000002 ffff888010c41c80
[ 71.127737][ T6518] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 71.136304][ T6518] page dumped because: kasan: bad access detected
[ 71.142697][ T6518] page_owner tracks the page as allocated
[ 71.148564][ T6518] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5, ts 9915764640, free_ts 9901921225
[ 71.167215][ T6518] get_page_from_freelist+0xa72/0x2f40
[ 71.172666][ T6518] __alloc_pages+0x1b2/0x500
[ 71.177245][ T6518] alloc_pages+0x1aa/0x310
[ 71.181652][ T6518] new_slab+0x28d/0x3a0
[ 71.185796][ T6518] ___slab_alloc+0x6be/0xd60
[ 71.190374][ T6518] __slab_alloc.constprop.0+0x4d/0xa0
[ 71.195823][ T6518] kmem_cache_alloc_trace+0x289/0x2c0
[ 71.201184][ T6518] device_add+0x11a7/0x1ee0
[ 71.205779][ T6518] serio_handle_event+0x3b6/0xa30
[ 71.210795][ T6518] process_one_work+0x9b2/0x1690
[ 71.215717][ T6518] worker_thread+0x658/0x11f0
[ 71.220728][ T6518] kthread+0x405/0x4f0
[ 71.224788][ T6518] ret_from_fork+0x1f/0x30
[ 71.229197][ T6518] page last free stack trace:
[ 71.233858][ T6518] free_pcp_prepare+0x414/0xb60
[ 71.238699][ T6518] free_unref_page+0x19/0x690
[ 71.243378][ T6518] __stack_depot_save+0x168/0x500
[ 71.248403][ T6518] kasan_save_stack+0x2e/0x40
[ 71.253593][ T6518] kasan_set_track+0x21/0x30
[ 71.258189][ T6518] kasan_set_free_info+0x20/0x30
[ 71.263113][ T6518] ____kasan_slab_free+0x166/0x1a0
[ 71.268214][ T6518] slab_free_freelist_hook+0x8b/0x1c0
[ 71.273575][ T6518] kmem_cache_free+0xdd/0x580
[ 71.278242][ T6518] kernfs_put.part.0+0x2c4/0x540
[ 71.283184][ T6518] kernfs_put+0x42/0x50
[ 71.287327][ T6518] __kernfs_remove+0x7a3/0xb20
[ 71.292181][ T6518] kernfs_remove_by_name_ns+0xa8/0x110
[ 71.297650][ T6518] device_links_driver_bound+0xf9/0x820
[ 71.303186][ T6518] driver_bound+0xf9/0x300
[ 71.307604][ T6518] really_probe+0x3e1/0xcc0
[ 71.312195][ T6518]
[ 71.314504][ T6518] Memory state around the buggy address:
[ 71.320218][ T6518] ffff88801ed72800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 71.328265][ T6518] ffff88801ed72880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 71.336314][ T6518] >ffff88801ed72900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 71.344383][ T6518] ^
[ 71.350516][ T6518] ffff88801ed72980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 71.358582][ T6518] ffff88801ed72a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 71.366624][ T6518] ==================================================================
[ 71.377470][ T6518] Kernel panic - not syncing: panic_on_warn set ...
[ 71.384071][ T6518] CPU: 1 PID: 6518 Comm: syz-executor Tainted: G B 5.16.0-rc3-next-20211203-syzkaller #0
[ 71.395184][ T6518] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 71.405227][ T6518] Call Trace:
[ 71.408500][ T6518]
[ 71.411419][ T6518] dump_stack_lvl+0xcd/0x134
[ 71.416007][ T6518] panic+0x2b0/0x6dd
[ 71.419893][ T6518] ? __warn_printk+0xf3/0xf3
[ 71.424474][ T6518] ? preempt_schedule_common+0x59/0xc0
[ 71.429924][ T6518] ? up_write+0x3ac/0x470
[ 71.434240][ T6518] ? preempt_schedule_thunk+0x16/0x18
[ 71.439602][ T6518] ? trace_hardirqs_on+0x38/0x1c0
[ 71.444611][ T6518] ? trace_hardirqs_on+0x51/0x1c0
[ 71.449624][ T6518] ? up_write+0x3ac/0x470
[ 71.453938][ T6518] ? up_write+0x3ac/0x470
[ 71.458257][ T6518] end_report.cold+0x63/0x6f
[ 71.463024][ T6518] kasan_report.cold+0x71/0xdf
[ 71.467778][ T6518] ? up_write+0x3ac/0x470
[ 71.472191][ T6518] up_write+0x3ac/0x470
[ 71.476352][ T6518] cgroup_setup_root+0x3a6/0xad0
[ 71.481287][ T6518] ? rebind_subsystems+0x10e0/0x10e0
[ 71.486579][ T6518] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 71.492815][ T6518] cgroup1_get_tree+0xd33/0x1390
[ 71.497760][ T6518] vfs_get_tree+0x89/0x2f0
[ 71.502175][ T6518] path_mount+0x1320/0x1fa0
[ 71.506670][ T6518] ? kmem_cache_free+0xdd/0x580
[ 71.511516][ T6518] ? finish_automount+0xaf0/0xaf0
[ 71.516542][ T6518] ? putname+0xfe/0x140
[ 71.520700][ T6518] __x64_sys_mount+0x27f/0x300
[ 71.525464][ T6518] ? copy_mnt_ns+0xae0/0xae0
[ 71.530061][ T6518] ? syscall_enter_from_user_mode+0x21/0x70
[ 71.535955][ T6518] do_syscall_64+0x35/0xb0
[ 71.540369][ T6518] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 71.546279][ T6518] RIP: 0033:0x7f826f09a04a
[ 71.550690][ T6518] Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 71.570287][ T6518] RSP: 002b:00007ffd1d980228 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 71.578785][ T6518] RAX: ffffffffffffffda RBX: 00007ffd1d9803b8 RCX: 00007f826f09a04a
[ 71.586817][ T6518] RDX: 00007f826f0fd012 RSI: 00007f826f0f32cc RDI: 00007f826f0f1d71
[ 71.594810][ T6518] RBP: 00007f826f0f32cc R08: 00007f826f0f3429 R09: 0000000000000026
[ 71.602782][ T6518] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd1d980230
[ 71.610747][ T6518] R13: 00007ffd1d9803d8 R14: 00007ffd1d980300 R15: 00007f826f0f3423
[ 71.618712][ T6518]
[ 71.621965][ T6518] Kernel Offset: disabled
[ 71.626409][ T6518] Rebooting in 86400 seconds..