[  OK  ] Started Serial Getty on ttyS0.
[  OK  ] Started Getty on tty1.
[  OK  ] Reached target Login Prompts.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Load/Save RF Kill Switch Status.
[  OK  ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.128' (ECDSA) to the list of known hosts.
2021/12/01 21:45:43 fuzzer started
2021/12/01 21:45:44 connecting to host at 10.128.0.169:37287
2021/12/01 21:45:44 checking machine...
2021/12/01 21:45:44 checking revisions...
2021/12/01 21:45:44 testing simple program...
syzkaller login: [ 80.915674][ T6554] cgroup: Unknown subsys name 'net'
[ 80.923220][ T6554]
[ 80.925646][ T6554] =========================
[ 80.930231][ T6554] WARNING: held lock freed!
[ 80.936261][ T6554] 5.16.0-rc3-next-20211201-syzkaller #0 Not tainted
[ 80.943198][ T6554] -------------------------
[ 80.947736][ T6554] syz-executor/6554 is freeing memory ffff88814aaef800-ffff88814aaef9ff, with a lock still held there!
[ 80.959095][ T6554] ffff88814aaef948 (&root->kernfs_rwsem){++++}-{3:3}, at: kernfs_destroy_root+0x81/0xb0
[ 80.968942][ T6554] 2 locks held by syz-executor/6554:
[ 80.974984][ T6554] #0: ffffffff8bbc4e48 (cgroup_mutex){+.+.}-{3:3}, at: cgroup_lock_and_drain_offline+0xa5/0x900
[ 80.986206][ T6554] #1: ffff88814aaef948 (&root->kernfs_rwsem){++++}-{3:3}, at: kernfs_destroy_root+0x81/0xb0
[ 80.996975][ T6554]
[ 80.996975][ T6554] stack backtrace:
[ 81.003127][ T6554] CPU: 0 PID: 6554 Comm: syz-executor Not tainted 5.16.0-rc3-next-20211201-syzkaller #0
[ 81.013547][ T6554] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 81.024080][ T6554] Call Trace:
[ 81.027439][ T6554]
[ 81.030458][ T6554] dump_stack_lvl+0xcd/0x134
[ 81.035845][ T6554] debug_check_no_locks_freed.cold+0x9d/0xa9
[ 81.042025][ T6554] ? lockdep_hardirqs_on+0x79/0x100
[ 81.047415][ T6554] slab_free_freelist_hook+0x73/0x1c0
[ 81.052810][ T6554] ? kernfs_put.part.0+0x331/0x540
[ 81.058050][ T6554] kfree+0xe0/0x430
[ 81.061964][ T6554] ? kmem_cache_free+0xba/0x4a0
[ 81.066856][ T6554] ? rwlock_bug.part.0+0x90/0x90
[ 81.072185][ T6554] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 81.078704][ T6554] kernfs_put.part.0+0x331/0x540
[ 81.084020][ T6554] kernfs_put+0x42/0x50
[ 81.088275][ T6554] __kernfs_remove+0x7a3/0xb20
[ 81.093051][ T6554] ? kernfs_next_descendant_post+0x2f0/0x2f0
[ 81.099124][ T6554] ? down_write+0xde/0x150
[ 81.103724][ T6554] ? down_write_killable_nested+0x180/0x180
[ 81.109729][ T6554] kernfs_destroy_root+0x89/0xb0
[ 81.114954][ T6554] cgroup_setup_root+0x3a6/0xad0
[ 81.119922][ T6554] ? rebind_subsystems+0x10e0/0x10e0
[ 81.125643][ T6554] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 81.132676][ T6554] cgroup1_get_tree+0xd33/0x1390
[ 81.138669][ T6554] vfs_get_tree+0x89/0x2f0
[ 81.143447][ T6554] path_mount+0x1320/0x1fa0
[ 81.147955][ T6554] ? kmem_cache_free+0xba/0x4a0
[ 81.153289][ T6554] ? finish_automount+0xaf0/0xaf0
[ 81.158587][ T6554] ? putname+0xfe/0x140
[ 81.162821][ T6554] __x64_sys_mount+0x27f/0x300
[ 81.167891][ T6554] ? copy_mnt_ns+0xae0/0xae0
[ 81.172961][ T6554] ? syscall_enter_from_user_mode+0x21/0x70
[ 81.179120][ T6554] do_syscall_64+0x35/0xb0
[ 81.183574][ T6554] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 81.189638][ T6554] RIP: 0033:0x7f43413c501a
[ 81.194056][ T6554] Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 81.213654][ T6554] RSP: 002b:00007ffdee2992a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 81.222236][ T6554] RAX: ffffffffffffffda RBX: 00007ffdee299438 RCX: 00007f43413c501a
[ 81.230798][ T6554] RDX: 00007f4341427fe2 RSI: 00007f434141e29a RDI: 00007f434141cd71
[ 81.239346][ T6554] RBP: 00007f434141e29a R08: 00007f434141e3f7 R09: 0000000000000026
[ 81.247497][ T6554] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdee2992b0
[ 81.255829][ T6554] R13: 00007ffdee299458 R14: 00007ffdee299380 R15: 00007f434141e3f1
[ 81.263809][ T6554]  </TASK>
[ 81.268408][ T6554] ==================================================================
[ 81.277346][ T6554] BUG: KASAN: use-after-free in up_write+0x3ac/0x470
[ 81.284118][ T6554] Read of size 8 at addr ffff88814aaef940 by task syz-executor/6554
[ 81.292247][ T6554]
[ 81.294561][ T6554] CPU: 0 PID: 6554 Comm: syz-executor Not tainted 5.16.0-rc3-next-20211201-syzkaller #0
[ 81.304643][ T6554] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 81.314894][ T6554] Call Trace:
[ 81.318270][ T6554]  <TASK>
[ 81.321199][ T6554] dump_stack_lvl+0xcd/0x134
[ 81.325900][ T6554] print_address_description.constprop.0.cold+0xa5/0x3ed
[ 81.334161][ T6554] ? up_write+0x3ac/0x470
[ 81.338607][ T6554] ? up_write+0x3ac/0x470
[ 81.343246][ T6554] kasan_report.cold+0x83/0xdf
[ 81.348642][ T6554] ? up_write+0x3ac/0x470
[ 81.353355][ T6554] up_write+0x3ac/0x470
[ 81.358306][ T6554] cgroup_setup_root+0x3a6/0xad0
[ 81.363268][ T6554] ? rebind_subsystems+0x10e0/0x10e0
[ 81.368704][ T6554] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 81.375358][ T6554] cgroup1_get_tree+0xd33/0x1390
[ 81.380400][ T6554] vfs_get_tree+0x89/0x2f0
[ 81.385025][ T6554] path_mount+0x1320/0x1fa0
[ 81.389912][ T6554] ? kmem_cache_free+0xba/0x4a0
[ 81.394942][ T6554] ? finish_automount+0xaf0/0xaf0
[ 81.399992][ T6554] ? putname+0xfe/0x140
[ 81.404546][ T6554] __x64_sys_mount+0x27f/0x300
[ 81.409531][ T6554] ? copy_mnt_ns+0xae0/0xae0
[ 81.414361][ T6554] ? syscall_enter_from_user_mode+0x21/0x70
[ 81.420536][ T6554] do_syscall_64+0x35/0xb0
[ 81.425333][ T6554] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 81.431344][ T6554] RIP: 0033:0x7f43413c501a
[ 81.435854][ T6554] Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 81.455876][ T6554] RSP: 002b:00007ffdee2992a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 81.465103][ T6554] RAX: ffffffffffffffda RBX: 00007ffdee299438 RCX: 00007f43413c501a
[ 81.473100][ T6554] RDX: 00007f4341427fe2 RSI: 00007f434141e29a RDI: 00007f434141cd71
[ 81.481612][ T6554] RBP: 00007f434141e29a R08: 00007f434141e3f7 R09: 0000000000000026
[ 81.489975][ T6554] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdee2992b0
[ 81.498205][ T6554] R13: 00007ffdee299458 R14: 00007ffdee299380 R15: 00007f434141e3f1
[ 81.506609][ T6554]  </TASK>
[ 81.509944][ T6554]
[ 81.512469][ T6554] Allocated by task 6554:
[ 81.517076][ T6554] kasan_save_stack+0x1e/0x50
[ 81.522525][ T6554] __kasan_kmalloc+0xa9/0xd0
[ 81.527210][ T6554] kernfs_create_root+0x4c/0x410
[ 81.532625][ T6554] cgroup_setup_root+0x243/0xad0
[ 81.538099][ T6554] cgroup1_get_tree+0xd33/0x1390
[ 81.543120][ T6554] vfs_get_tree+0x89/0x2f0
[ 81.547545][ T6554] path_mount+0x1320/0x1fa0
[ 81.552241][ T6554] __x64_sys_mount+0x27f/0x300
[ 81.557440][ T6554] do_syscall_64+0x35/0xb0
[ 81.561861][ T6554] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 81.567946][ T6554]
[ 81.570352][ T6554] Freed by task 6554:
[ 81.574427][ T6554] kasan_save_stack+0x1e/0x50
[ 81.579359][ T6554] kasan_set_track+0x21/0x30
[ 81.584321][ T6554] kasan_set_free_info+0x20/0x30
[ 81.589264][ T6554] __kasan_slab_free+0x103/0x170
[ 81.594221][ T6554] slab_free_freelist_hook+0x8b/0x1c0
[ 81.600034][ T6554] kfree+0xe0/0x430
[ 81.603924][ T6554] kernfs_put.part.0+0x331/0x540
[ 81.609113][ T6554] kernfs_put+0x42/0x50
[ 81.613271][ T6554] __kernfs_remove+0x7a3/0xb20
[ 81.618223][ T6554] kernfs_destroy_root+0x89/0xb0
[ 81.623157][ T6554] cgroup_setup_root+0x3a6/0xad0
[ 81.628356][ T6554] cgroup1_get_tree+0xd33/0x1390
[ 81.633383][ T6554] vfs_get_tree+0x89/0x2f0
[ 81.637797][ T6554] path_mount+0x1320/0x1fa0
[ 81.642389][ T6554] __x64_sys_mount+0x27f/0x300
[ 81.647151][ T6554] do_syscall_64+0x35/0xb0
[ 81.651649][ T6554] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 81.657634][ T6554]
[ 81.659950][ T6554] Last potentially related work creation:
[ 81.665659][ T6554] kasan_save_stack+0x1e/0x50
[ 81.670605][ T6554] __kasan_record_aux_stack+0xfe/0x1b0
[ 81.676172][ T6554] kvfree_call_rcu+0x74/0x990
[ 81.680946][ T6554] timerfd_release+0x105/0x290
[ 81.685889][ T6554] __fput+0x286/0x9f0
[ 81.689956][ T6554] task_work_run+0xdd/0x1a0
[ 81.694564][ T6554] exit_to_user_mode_prepare+0x27e/0x290
[ 81.700564][ T6554] syscall_exit_to_user_mode+0x19/0x60
[ 81.706144][ T6554] do_syscall_64+0x42/0xb0
[ 81.710753][ T6554] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 81.716749][ T6554]
[ 81.719083][ T6554] The buggy address belongs to the object at ffff88814aaef800
[ 81.719083][ T6554] which belongs to the cache kmalloc-512 of size 512
[ 81.733849][ T6554] The buggy address is located 320 bytes inside of
[ 81.733849][ T6554] 512-byte region [ffff88814aaef800, ffff88814aaefa00)
[ 81.747119][ T6554] The buggy address belongs to the page:
[ 81.752867][ T6554] page:ffffea00052abb00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14aaec
[ 81.763286][ T6554] head:ffffea00052abb00 order:2 compound_mapcount:0 compound_pincount:0
[ 81.771872][ T6554] flags: 0x57ff00000010200(slab|head|node=1|zone=2|lastcpupid=0x7ff)
[ 81.780317][ T6554] raw: 057ff00000010200 0000000000000000 dead000000000001 ffff888010c41c80
[ 81.789378][ T6554] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 81.798332][ T6554] page dumped because: kasan: bad access detected
[ 81.804745][ T6554] page_owner tracks the page as allocated
[ 81.810811][ T6554] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, ts 18903965293, free_ts 0
[ 81.829794][ T6554] get_page_from_freelist+0xa72/0x2f40
[ 81.835757][ T6554] __alloc_pages+0x1b2/0x500
[ 81.840638][ T6554] alloc_page_interleave+0x1e/0x200
[ 81.846209][ T6554] alloc_pages+0x29f/0x300
[ 81.850731][ T6554] new_slab+0x261/0x460
[ 81.856211][ T6554] ___slab_alloc+0x798/0xf30
[ 81.861016][ T6554] __slab_alloc.constprop.0+0x4d/0xa0
[ 81.866718][ T6554] kmem_cache_alloc_trace+0x289/0x2c0
[ 81.872299][ T6554] device_add+0x11a7/0x1ee0
[ 81.878650][ T6554] workqueue_sysfs_register+0x19f/0x3e0
[ 81.885416][ T6554] alloc_workqueue+0x6ff/0xf00
[ 81.890284][ T6554] nf_flow_table_offload_init+0x42/0xc0
[ 81.896191][ T6554] do_one_initcall+0x103/0x650
[ 81.901164][ T6554] kernel_init_freeable+0x6b1/0x73a
[ 81.906544][ T6554] kernel_init+0x1a/0x1d0
[ 81.910878][ T6554] ret_from_fork+0x1f/0x30
[ 81.915316][ T6554] page_owner free stack trace missing
[ 81.920668][ T6554]
[ 81.923067][ T6554] Memory state around the buggy address:
[ 81.928787][ T6554]  ffff88814aaef800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 81.937385][ T6554]  ffff88814aaef880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 81.945986][ T6554] >ffff88814aaef900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 81.954134][ T6554]                                            ^
[ 81.960282][ T6554]  ffff88814aaef980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 81.968333][ T6554]  ffff88814aaefa00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 81.976413][ T6554] ==================================================================
[ 81.994282][ T6554] Kernel panic - not syncing: panic_on_warn set ...
[ 82.001160][ T6554] CPU: 0 PID: 6554 Comm: syz-executor Tainted: G B 5.16.0-rc3-next-20211201-syzkaller #0
[ 82.012864][ T6554] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 82.023028][ T6554] Call Trace:
[ 82.026393][ T6554]  <TASK>
[ 82.029408][ T6554] dump_stack_lvl+0xcd/0x134
[ 82.034206][ T6554] panic+0x2b0/0x6dd
[ 82.038279][ T6554] ? __warn_printk+0xf3/0xf3
[ 82.043242][ T6554] ? preempt_schedule_common+0x59/0xc0
[ 82.048962][ T6554] ? up_write+0x3ac/0x470
[ 82.053286][ T6554] ? preempt_schedule_thunk+0x16/0x18
[ 82.058660][ T6554] ? trace_hardirqs_on+0x38/0x1c0
[ 82.063783][ T6554] ? trace_hardirqs_on+0x51/0x1c0
[ 82.068890][ T6554] ? up_write+0x3ac/0x470
[ 82.073311][ T6554] ? up_write+0x3ac/0x470
[ 82.077722][ T6554] end_report.cold+0x63/0x6f
[ 82.082600][ T6554] kasan_report.cold+0x71/0xdf
[ 82.087546][ T6554] ? up_write+0x3ac/0x470
[ 82.091872][ T6554] up_write+0x3ac/0x470
[ 82.096133][ T6554] cgroup_setup_root+0x3a6/0xad0
[ 82.101917][ T6554] ? rebind_subsystems+0x10e0/0x10e0
[ 82.107210][ T6554] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 82.113474][ T6554] cgroup1_get_tree+0xd33/0x1390
[ 82.118440][ T6554] vfs_get_tree+0x89/0x2f0
[ 82.123040][ T6554] path_mount+0x1320/0x1fa0
[ 82.127751][ T6554] ? kmem_cache_free+0xba/0x4a0
[ 82.132807][ T6554] ? finish_automount+0xaf0/0xaf0
[ 82.138063][ T6554] ? putname+0xfe/0x140
[ 82.142414][ T6554] __x64_sys_mount+0x27f/0x300
[ 82.147202][ T6554] ? copy_mnt_ns+0xae0/0xae0
[ 82.152067][ T6554] ? syscall_enter_from_user_mode+0x21/0x70
[ 82.158143][ T6554] do_syscall_64+0x35/0xb0
[ 82.162581][ T6554] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 82.168565][ T6554] RIP: 0033:0x7f43413c501a
[ 82.172975][ T6554] Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 82.194177][ T6554] RSP: 002b:00007ffdee2992a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 82.202912][ T6554] RAX: ffffffffffffffda RBX: 00007ffdee299438 RCX: 00007f43413c501a
[ 82.211352][ T6554] RDX: 00007f4341427fe2 RSI: 00007f434141e29a RDI: 00007f434141cd71
[ 82.219450][ T6554] RBP: 00007f434141e29a R08: 00007f434141e3f7 R09: 0000000000000026
[ 82.227791][ T6554] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdee2992b0
[ 82.235773][ T6554] R13: 00007ffdee299458 R14: 00007ffdee299380 R15: 00007f434141e3f1
[ 82.243933][ T6554]  </TASK>
[ 82.247329][ T6554] Kernel Offset: disabled
[ 82.252131][ T6554] Rebooting in 86400 seconds..
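What follows is an added triage helper, not code from syzkaller or the kernel. It parses the lockdep and KASAN sections of the report above (the relevant lines are copied into the script as constructed sample input) and runs the cross-checks a triager otherwise does by hand. Both reports name the same 512-byte kmalloc-512 object at ffff88814aaef800: the rwsem that lockdep flagged as "held lock freed" sits at ffff88814aaef948, the faulting 8-byte read in up_write is at ffff88814aaef940 (320 bytes into the object), the free stack ends in kernfs_destroy_root called from cgroup_setup_root, and the user-mode register dump shows ORIG_RAX 0xa5, which is mount (165) on x86_64 and matches the __x64_sys_mount frame. The Report fields and function names are mine, and the one-line title is modelled on the form syzbot uses; everything else is plain parsing of the lines shown.

```python
"""Triage helper for the lockdep + KASAN console report above (added example,
not syzkaller or kernel code): parse the report into fields, then cross-check."""
import re
from dataclasses import dataclass, field

# Constructed sample input: lines copied from the report above, trimmed to the
# ones the parser needs; console prefixes are kept to exercise stripping.
SAMPLE = """\
[   80.936261][ T6554] 5.16.0-rc3-next-20211201-syzkaller #0 Not tainted
[   80.947736][ T6554] syz-executor/6554 is freeing memory ffff88814aaef800-ffff88814aaef9ff, with a lock still held there!
[   80.959095][ T6554] ffff88814aaef948 (&root->kernfs_rwsem){++++}-{3:3}, at: kernfs_destroy_root+0x81/0xb0
[   81.277346][ T6554] BUG: KASAN: use-after-free in up_write+0x3ac/0x470
[   81.284118][ T6554] Read of size 8 at addr ffff88814aaef940 by task syz-executor/6554
[   81.318270][ T6554] Call Trace:
[   81.353355][ T6554]  up_write+0x3ac/0x470
[   81.358306][ T6554]  cgroup_setup_root+0x3a6/0xad0
[   81.375358][ T6554]  cgroup1_get_tree+0xd33/0x1390
[   81.404546][ T6554]  __x64_sys_mount+0x27f/0x300
[   81.455876][ T6554] RSP: 002b:00007ffdee2992a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[   81.509944][ T6554]
[   81.512469][ T6554] Allocated by task 6554:
[   81.527210][ T6554]  kernfs_create_root+0x4c/0x410
[   81.532625][ T6554]  cgroup_setup_root+0x243/0xad0
[   81.567946][ T6554]
[   81.570352][ T6554] Freed by task 6554:
[   81.603924][ T6554]  kfree+0xe0/0x430
[   81.618223][ T6554]  kernfs_destroy_root+0x89/0xb0
[   81.623157][ T6554]  cgroup_setup_root+0x3a6/0xad0
[   81.657634][ T6554]
[   81.719083][ T6554] The buggy address belongs to the object at ffff88814aaef800
[   81.719083][ T6554]  which belongs to the cache kmalloc-512 of size 512
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")        # "[   81.2][ T6554] "
FRAME = re.compile(r"^\s*([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x")  # "? func" lines do not match


@dataclass
class Report:
    kernel: str = ""
    bug_type: str = ""
    bug_func: str = ""
    access: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    obj_base: int = 0
    obj_size: int = 0
    cache: str = ""
    freed_range: tuple = (0, 0)       # from the lockdep "held lock freed" line
    lock_addr: int = 0
    syscall_nr: int = -1              # ORIG_RAX from the user-mode register dump
    stacks: dict = field(default_factory=dict)   # "access" | "alloc" | "free"


def parse_report(text: str) -> Report:
    r, section = Report(), None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).rstrip()
        if not line.strip():                      # blank line closes a stack section
            section = None
        elif (m := re.match(r"(\S+) #\d+ (?:Not tainted|Tainted)", line)):
            r.kernel = m[1]
        elif (m := re.search(r"BUG: KASAN: (\S+) in (\w+)\+0x", line)):
            r.bug_type, r.bug_func = m[1], m[2]
        elif (m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", line)):
            r.access, r.size, r.addr, r.task = m[1], int(m[2]), int(m[3], 16), m[4]
        elif (m := re.search(r"freeing memory ([0-9a-f]+)-([0-9a-f]+), with a lock", line)):
            r.freed_range = (int(m[1], 16), int(m[2], 16))
        elif (m := re.match(r"([0-9a-f]{16}) \(", line)):
            r.lock_addr = int(m[1], 16)           # lock address printed under the warning
        elif (m := re.search(r"belongs to the object at ([0-9a-f]+)", line)):
            r.obj_base = int(m[1], 16)
        elif (m := re.search(r"belongs to the cache (\S+) of size (\d+)", line)):
            r.cache, r.obj_size = m[1], int(m[2])
        elif (m := re.search(r"ORIG_RAX: ([0-9a-f]+)", line)):
            r.syscall_nr = int(m[1], 16)
        elif line == "Call Trace:" and r.bug_type and "access" not in r.stacks:
            section = "access"                    # only the trace under the KASAN header
            r.stacks[section] = []
        elif (m := re.match(r"(Allocated|Freed) by task", line)):
            section = "alloc" if m[1] == "Allocated" else "free"
            r.stacks[section] = []
        elif section and (m := FRAME.match(line)):
            r.stacks[section].append(m[1])
    return r


def title(r: Report) -> str:
    # one-line title in the form syzbot uses to de-duplicate reports
    return f"KASAN: {r.bug_type} {r.access} in {r.bug_func}"


def offset_in_object(r: Report) -> int:
    # bytes from the start of the slab object to the faulting access
    return r.addr - r.obj_base


def lock_in_freed_object(r: Report) -> bool:
    # does the lock lockdep flagged sit inside the range it saw being freed?
    lo, hi = r.freed_range
    return lo <= r.lock_addr <= hi


def entry_syscall(r: Report):
    # the __x64_sys_* frame in the access stack names the syscall that entered
    return next((f for f in r.stacks.get("access", []) if f.startswith("__x64_sys_")), None)
```

Run against the full console log rather than the sample, the parser still picks the KASAN trace (the lockdep and panic traces are skipped because the access section is only opened once, after the BUG header) and ignores the "?" frames, which are unreliable guesses the unwinder prints for stale stack slots.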