Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.24' (ECDSA) to the list of known hosts.
2021/12/01 21:45:41 fuzzer started
2021/12/01 21:45:41 connecting to host at 10.128.0.169:34197
2021/12/01 21:45:41 checking machine...
2021/12/01 21:45:41 checking revisions...
2021/12/01 21:45:41 testing simple program...
syzkaller login: [ 76.358531][ T6548] cgroup: Unknown subsys name 'net'
[ 76.365118][ T6548]
[ 76.367620][ T6548] =========================
[ 76.372203][ T6548] WARNING: held lock freed!
[ 76.376683][ T6548] 5.16.0-rc3-next-20211201-syzkaller #0 Not tainted
[ 76.383252][ T6548] -------------------------
[ 76.387732][ T6548] syz-executor/6548 is freeing memory ffff88801da0f400-ffff88801da0f5ff, with a lock still held there!
[ 76.398941][ T6548] ffff88801da0f548 (&root->kernfs_rwsem){++++}-{3:3}, at: kernfs_destroy_root+0x81/0xb0
[ 76.408703][ T6548] 2 locks held by syz-executor/6548:
[ 76.414187][ T6548] #0: ffffffff8bbc4e48 (cgroup_mutex){+.+.}-{3:3}, at: cgroup_lock_and_drain_offline+0xa5/0x900
[ 76.424800][ T6548] #1: ffff88801da0f548 (&root->kernfs_rwsem){++++}-{3:3}, at: kernfs_destroy_root+0x81/0xb0
[ 76.435244][ T6548]
[ 76.435244][ T6548] stack backtrace:
[ 76.441217][ T6548] CPU: 1 PID: 6548 Comm: syz-executor Not tainted 5.16.0-rc3-next-20211201-syzkaller #0
[ 76.451357][ T6548] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 76.461588][ T6548] Call Trace:
[ 76.464909][ T6548]
[ 76.467832][ T6548] dump_stack_lvl+0xcd/0x134
[ 76.472609][ T6548] debug_check_no_locks_freed.cold+0x9d/0xa9
[ 76.478697][ T6548] ? lockdep_hardirqs_on+0x79/0x100
[ 76.483881][ T6548] slab_free_freelist_hook+0x73/0x1c0
[ 76.489240][ T6548] ? kernfs_put.part.0+0x331/0x540
[ 76.494335][ T6548] kfree+0xe0/0x430
[ 76.498139][ T6548] ? kmem_cache_free+0xba/0x4a0
[ 76.502978][ T6548] ? rwlock_bug.part.0+0x90/0x90
[ 76.507999][ T6548] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 76.514227][ T6548] kernfs_put.part.0+0x331/0x540
[ 76.519250][ T6548] kernfs_put+0x42/0x50
[ 76.523396][ T6548] __kernfs_remove+0x7a3/0xb20
[ 76.528317][ T6548] ? kernfs_next_descendant_post+0x2f0/0x2f0
[ 76.534278][ T6548] ? down_write+0xde/0x150
[ 76.538678][ T6548] ? down_write_killable_nested+0x180/0x180
[ 76.544576][ T6548] kernfs_destroy_root+0x89/0xb0
[ 76.549504][ T6548] cgroup_setup_root+0x3a6/0xad0
[ 76.554426][ T6548] ? rebind_subsystems+0x10e0/0x10e0
[ 76.560138][ T6548] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 76.566365][ T6548] cgroup1_get_tree+0xd33/0x1390
[ 76.571325][ T6548] vfs_get_tree+0x89/0x2f0
[ 76.576086][ T6548] path_mount+0x1320/0x1fa0
[ 76.580579][ T6548] ? kmem_cache_free+0xba/0x4a0
[ 76.585415][ T6548] ? finish_automount+0xaf0/0xaf0
[ 76.590437][ T6548] ? putname+0xfe/0x140
[ 76.594602][ T6548] __x64_sys_mount+0x27f/0x300
[ 76.599450][ T6548] ? copy_mnt_ns+0xae0/0xae0
[ 76.604041][ T6548] ? syscall_enter_from_user_mode+0x21/0x70
[ 76.610030][ T6548] do_syscall_64+0x35/0xb0
[ 76.614603][ T6548] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 76.620694][ T6548] RIP: 0033:0x7fa845bf701a
[ 76.625209][ T6548] Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 76.644812][ T6548] RSP: 002b:00007ffe7483d538 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 76.653212][ T6548] RAX: ffffffffffffffda RBX: 00007ffe7483d6c8 RCX: 00007fa845bf701a
[ 76.661277][ T6548] RDX: 00007fa845c59fe2 RSI: 00007fa845c5029a RDI: 00007fa845c4ed71
[ 76.669243][ T6548] RBP: 00007fa845c5029a R08: 00007fa845c503f7 R09: 0000000000000026
[ 76.679194][ T6548] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe7483d540
[ 76.687230][ T6548] R13: 00007ffe7483d6e8 R14: 00007ffe7483d610 R15: 00007fa845c503f1
[ 76.695190][ T6548]
[ 76.699923][ T6548] ==================================================================
[ 76.708017][ T6548] BUG: KASAN: use-after-free in up_write+0x3ac/0x470
[ 76.714711][ T6548] Read of size 8 at addr ffff88801da0f540 by task syz-executor/6548
[ 76.722983][ T6548]
[ 76.725309][ T6548] CPU: 0 PID: 6548 Comm: syz-executor Not tainted 5.16.0-rc3-next-20211201-syzkaller #0
[ 76.735118][ T6548] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 76.745159][ T6548] Call Trace:
[ 76.748425][ T6548]
[ 76.751340][ T6548] dump_stack_lvl+0xcd/0x134
[ 76.755922][ T6548] print_address_description.constprop.0.cold+0xa5/0x3ed
[ 76.762936][ T6548] ? up_write+0x3ac/0x470
[ 76.767262][ T6548] ? up_write+0x3ac/0x470
[ 76.771602][ T6548] kasan_report.cold+0x83/0xdf
[ 76.776380][ T6548] ? up_write+0x3ac/0x470
[ 76.780702][ T6548] up_write+0x3ac/0x470
[ 76.784845][ T6548] cgroup_setup_root+0x3a6/0xad0
[ 76.789910][ T6548] ? rebind_subsystems+0x10e0/0x10e0
[ 76.795195][ T6548] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 76.801434][ T6548] cgroup1_get_tree+0xd33/0x1390
[ 76.806453][ T6548] vfs_get_tree+0x89/0x2f0
[ 76.811048][ T6548] path_mount+0x1320/0x1fa0
[ 76.815561][ T6548] ? kmem_cache_free+0xba/0x4a0
[ 76.820413][ T6548] ? finish_automount+0xaf0/0xaf0
[ 76.825424][ T6548] ? putname+0xfe/0x140
[ 76.829568][ T6548] __x64_sys_mount+0x27f/0x300
[ 76.834324][ T6548] ? copy_mnt_ns+0xae0/0xae0
[ 76.838911][ T6548] ? syscall_enter_from_user_mode+0x21/0x70
[ 76.844888][ T6548] do_syscall_64+0x35/0xb0
[ 76.849317][ T6548] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 76.855214][ T6548] RIP: 0033:0x7fa845bf701a
[ 76.859624][ T6548] Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 76.879900][ T6548] RSP: 002b:00007ffe7483d538 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 76.889438][ T6548] RAX: ffffffffffffffda RBX: 00007ffe7483d6c8 RCX: 00007fa845bf701a
[ 76.897397][ T6548] RDX: 00007fa845c59fe2 RSI: 00007fa845c5029a RDI: 00007fa845c4ed71
[ 76.905355][ T6548] RBP: 00007fa845c5029a R08: 00007fa845c503f7 R09: 0000000000000026
[ 76.913401][ T6548] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe7483d540
[ 76.921355][ T6548] R13: 00007ffe7483d6e8 R14: 00007ffe7483d610 R15: 00007fa845c503f1
[ 76.929324][ T6548]
[ 76.932340][ T6548]
[ 76.934651][ T6548] Allocated by task 6548:
[ 76.938967][ T6548] kasan_save_stack+0x1e/0x50
[ 76.943640][ T6548] __kasan_kmalloc+0xa9/0xd0
[ 76.948221][ T6548] kernfs_create_root+0x4c/0x410
[ 76.953162][ T6548] cgroup_setup_root+0x243/0xad0
[ 76.958103][ T6548] cgroup1_get_tree+0xd33/0x1390
[ 76.963089][ T6548] vfs_get_tree+0x89/0x2f0
[ 76.967512][ T6548] path_mount+0x1320/0x1fa0
[ 76.972011][ T6548] __x64_sys_mount+0x27f/0x300
[ 76.976760][ T6548] do_syscall_64+0x35/0xb0
[ 76.981160][ T6548] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 76.987034][ T6548]
[ 76.989341][ T6548] Freed by task 6548:
[ 76.993302][ T6548] kasan_save_stack+0x1e/0x50
[ 76.997981][ T6548] kasan_set_track+0x21/0x30
[ 77.002572][ T6548] kasan_set_free_info+0x20/0x30
[ 77.007498][ T6548] __kasan_slab_free+0x103/0x170
[ 77.012430][ T6548] slab_free_freelist_hook+0x8b/0x1c0
[ 77.017921][ T6548] kfree+0xe0/0x430
[ 77.021719][ T6548] kernfs_put.part.0+0x331/0x540
[ 77.026643][ T6548] kernfs_put+0x42/0x50
[ 77.030801][ T6548] __kernfs_remove+0x7a3/0xb20
[ 77.035551][ T6548] kernfs_destroy_root+0x89/0xb0
[ 77.040473][ T6548] cgroup_setup_root+0x3a6/0xad0
[ 77.045482][ T6548] cgroup1_get_tree+0xd33/0x1390
[ 77.050398][ T6548] vfs_get_tree+0x89/0x2f0
[ 77.054796][ T6548] path_mount+0x1320/0x1fa0
[ 77.059280][ T6548] __x64_sys_mount+0x27f/0x300
[ 77.064111][ T6548] do_syscall_64+0x35/0xb0
[ 77.068515][ T6548] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 77.074646][ T6548]
[ 77.076967][ T6548] Last potentially related work creation:
[ 77.083090][ T6548] kasan_save_stack+0x1e/0x50
[ 77.087760][ T6548] __kasan_record_aux_stack+0xfe/0x1b0
[ 77.093221][ T6548] kvfree_call_rcu+0x74/0x990
[ 77.097899][ T6548] timerfd_release+0x105/0x290
[ 77.102733][ T6548] __fput+0x286/0x9f0
[ 77.106698][ T6548] task_work_run+0xdd/0x1a0
[ 77.111183][ T6548] exit_to_user_mode_prepare+0x27e/0x290
[ 77.116809][ T6548] syscall_exit_to_user_mode+0x19/0x60
[ 77.122401][ T6548] do_syscall_64+0x42/0xb0
[ 77.126820][ T6548] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 77.132711][ T6548]
[ 77.135020][ T6548] The buggy address belongs to the object at ffff88801da0f400
[ 77.135020][ T6548] which belongs to the cache kmalloc-512 of size 512
[ 77.149066][ T6548] The buggy address is located 320 bytes inside of
[ 77.149066][ T6548] 512-byte region [ffff88801da0f400, ffff88801da0f600)
[ 77.162465][ T6548] The buggy address belongs to the page:
[ 77.168084][ T6548] page:ffffea0000768300 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1da0c
[ 77.178245][ T6548] head:ffffea0000768300 order:2 compound_mapcount:0 compound_pincount:0
[ 77.186556][ T6548] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 77.194522][ T6548] raw: 00fff00000010200 ffffea0000890600 dead000000000002 ffff888010c41c80
[ 77.203198][ T6548] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 77.211760][ T6548] page dumped because: kasan: bad access detected
[ 77.218162][ T6548] page_owner tracks the page as allocated
[ 77.223864][ T6548] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1462, ts 9288859869, free_ts 0
[ 77.242038][ T6548] get_page_from_freelist+0xa72/0x2f40
[ 77.247493][ T6548] __alloc_pages+0x1b2/0x500
[ 77.252067][ T6548] alloc_pages+0x1a7/0x300
[ 77.256477][ T6548] new_slab+0x261/0x460
[ 77.260787][ T6548] ___slab_alloc+0x798/0xf30
[ 77.265455][ T6548] __slab_alloc.constprop.0+0x4d/0xa0
[ 77.270816][ T6548] kmem_cache_alloc_trace+0x289/0x2c0
[ 77.276182][ T6548] alloc_bprm+0x51/0x8f0
[ 77.280404][ T6548] kernel_execve+0x55/0x460
[ 77.284891][ T6548] call_usermodehelper_exec_async+0x2e3/0x580
[ 77.291047][ T6548] ret_from_fork+0x1f/0x30
[ 77.295506][ T6548] page_owner free stack trace missing
[ 77.300902][ T6548]
[ 77.303231][ T6548] Memory state around the buggy address:
[ 77.308855][ T6548] ffff88801da0f400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.316969][ T6548] ffff88801da0f480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.325022][ T6548] >ffff88801da0f500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.333063][ T6548] ^
[ 77.339193][ T6548] ffff88801da0f580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.347502][ T6548] ffff88801da0f600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 77.355538][ T6548] ==================================================================
[ 77.366458][ T6548] Kernel panic - not syncing: panic_on_warn set ...
[ 77.373061][ T6548] CPU: 0 PID: 6548 Comm: syz-executor Tainted: G B 5.16.0-rc3-next-20211201-syzkaller #0
[ 77.384188][ T6548] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 77.394267][ T6548] Call Trace:
[ 77.397548][ T6548]
[ 77.400645][ T6548] dump_stack_lvl+0xcd/0x134
[ 77.405227][ T6548] panic+0x2b0/0x6dd
[ 77.409111][ T6548] ? __warn_printk+0xf3/0xf3
[ 77.413695][ T6548] ? preempt_schedule_common+0x59/0xc0
[ 77.419143][ T6548] ? up_write+0x3ac/0x470
[ 77.423456][ T6548] ? preempt_schedule_thunk+0x16/0x18
[ 77.428813][ T6548] ? trace_hardirqs_on+0x38/0x1c0
[ 77.433905][ T6548] ? trace_hardirqs_on+0x51/0x1c0
[ 77.438909][ T6548] ? up_write+0x3ac/0x470
[ 77.443220][ T6548] ? up_write+0x3ac/0x470
[ 77.447539][ T6548] end_report.cold+0x63/0x6f
[ 77.452129][ T6548] kasan_report.cold+0x71/0xdf
[ 77.456890][ T6548] ? up_write+0x3ac/0x470
[ 77.461208][ T6548] up_write+0x3ac/0x470
[ 77.465363][ T6548] cgroup_setup_root+0x3a6/0xad0
[ 77.470304][ T6548] ? rebind_subsystems+0x10e0/0x10e0
[ 77.475573][ T6548] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 77.481906][ T6548] cgroup1_get_tree+0xd33/0x1390
[ 77.486831][ T6548] vfs_get_tree+0x89/0x2f0
[ 77.491253][ T6548] path_mount+0x1320/0x1fa0
[ 77.495740][ T6548] ? kmem_cache_free+0xba/0x4a0
[ 77.500575][ T6548] ? finish_automount+0xaf0/0xaf0
[ 77.505583][ T6548] ? putname+0xfe/0x140
[ 77.509746][ T6548] __x64_sys_mount+0x27f/0x300
[ 77.514775][ T6548] ? copy_mnt_ns+0xae0/0xae0
[ 77.519375][ T6548] ? syscall_enter_from_user_mode+0x21/0x70
[ 77.525367][ T6548] do_syscall_64+0x35/0xb0
[ 77.530731][ T6548] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 77.536612][ T6548] RIP: 0033:0x7fa845bf701a
[ 77.541012][ T6548] Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 77.560793][ T6548] RSP: 002b:00007ffe7483d538 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 77.569303][ T6548] RAX: ffffffffffffffda RBX: 00007ffe7483d6c8 RCX: 00007fa845bf701a
[ 77.577353][ T6548] RDX: 00007fa845c59fe2 RSI: 00007fa845c5029a RDI: 00007fa845c4ed71
[ 77.585483][ T6548] RBP: 00007fa845c5029a R08: 00007fa845c503f7 R09: 0000000000000026
[ 77.593435][ T6548] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe7483d540
[ 77.601385][ T6548] R13: 00007ffe7483d6e8 R14: 00007ffe7483d610 R15: 00007fa845c503f1
[ 77.609444][ T6548]
[ 77.612741][ T6548] Kernel Offset: disabled
[ 77.617137][ T6548] Rebooting in 86400 seconds..