[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.10.1' (ECDSA) to the list of known hosts.
2021/12/03 08:48:08 fuzzer started
2021/12/03 08:48:08 connecting to host at 10.128.0.169:41151
2021/12/03 08:48:08 checking machine...
2021/12/03 08:48:08 checking revisions...
2021/12/03 08:48:08 testing simple program...
syzkaller login: [ 71.793460][ T6546] cgroup: Unknown subsys name 'net'
[ 71.809821][ T6546]
[ 71.812187][ T6546] =========================
[ 71.816763][ T6546] WARNING: held lock freed!
[ 71.821250][ T6546] 5.16.0-rc3-next-20211203-syzkaller #0 Not tainted
[ 71.827834][ T6546] -------------------------
[ 71.832320][ T6546] syz-executor/6546 is freeing memory ffff88807cb3a400-ffff88807cb3a5ff, with a lock still held there!
[ 71.843330][ T6546] ffff88807cb3a548 (&root->kernfs_rwsem){++++}-{3:3}, at: kernfs_destroy_root+0x81/0xb0
[ 71.853082][ T6546] 2 locks held by syz-executor/6546:
[ 71.858357][ T6546] #0: ffffffff8bbc4e48 (cgroup_mutex){+.+.}-{3:3}, at: cgroup_lock_and_drain_offline+0xa5/0x900
[ 71.869108][ T6546] #1: ffff88807cb3a548 (&root->kernfs_rwsem){++++}-{3:3}, at: kernfs_destroy_root+0x81/0xb0
[ 71.879297][ T6546]
[ 71.879297][ T6546] stack backtrace:
[ 71.885175][ T6546] CPU: 0 PID: 6546 Comm: syz-executor Not tainted 5.16.0-rc3-next-20211203-syzkaller #0
[ 71.894890][ T6546] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 71.904946][ T6546] Call Trace:
[ 71.908227][ T6546]
[ 71.911188][ T6546] dump_stack_lvl+0xcd/0x134
[ 71.915787][ T6546] debug_check_no_locks_freed.cold+0x9d/0xa9
[ 71.921791][ T6546] ? lockdep_hardirqs_on+0x79/0x100
[ 71.926996][ T6546] slab_free_freelist_hook+0x73/0x1c0
[ 71.932370][ T6546] ? kernfs_put.part.0+0x331/0x540
[ 71.937486][ T6546] kfree+0xd0/0x4b0
[ 71.941296][ T6546] ? kmem_cache_free+0xdd/0x580
[ 71.946618][ T6546] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 71.952866][ T6546] kernfs_put.part.0+0x331/0x540
[ 71.957816][ T6546] kernfs_put+0x42/0x50
[ 71.962056][ T6546] __kernfs_remove+0x7a3/0xb20
[ 71.966823][ T6546] ? kernfs_next_descendant_post+0x2f0/0x2f0
[ 71.972806][ T6546] ? down_write+0xde/0x150
[ 71.977220][ T6546] ? down_write_killable_nested+0x180/0x180
[ 71.983205][ T6546] kernfs_destroy_root+0x89/0xb0
[ 71.988151][ T6546] cgroup_setup_root+0x3a6/0xad0
[ 71.993091][ T6546] ? rebind_subsystems+0x10e0/0x10e0
[ 71.998380][ T6546] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 72.004627][ T6546] cgroup1_get_tree+0xd33/0x1390
[ 72.009564][ T6546] vfs_get_tree+0x89/0x2f0
[ 72.013979][ T6546] path_mount+0x1320/0x1fa0
[ 72.018497][ T6546] ? kmem_cache_free+0xdd/0x580
[ 72.023350][ T6546] ? finish_automount+0xaf0/0xaf0
[ 72.028387][ T6546] ? putname+0xfe/0x140
[ 72.032559][ T6546] __x64_sys_mount+0x27f/0x300
[ 72.037335][ T6546] ? copy_mnt_ns+0xae0/0xae0
[ 72.042006][ T6546] ? syscall_enter_from_user_mode+0x21/0x70
[ 72.047905][ T6546] do_syscall_64+0x35/0xb0
[ 72.052381][ T6546] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 72.058285][ T6546] RIP: 0033:0x7f8fcf43e01a
[ 72.062709][ T6546] Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 72.082415][ T6546] RSP: 002b:00007ffcd056fd58 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 72.091307][ T6546] RAX: ffffffffffffffda RBX: 00007ffcd056fee8 RCX: 00007f8fcf43e01a
[ 72.099525][ T6546] RDX: 00007f8fcf4a0fe2 RSI: 00007f8fcf49729a RDI: 00007f8fcf495d71
[ 72.107616][ T6546] RBP: 00007f8fcf49729a R08: 00007f8fcf4973f7 R09: 0000000000000026
[ 72.115599][ T6546] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffcd056fd60
[ 72.123593][ T6546] R13: 00007ffcd056ff08 R14: 00007ffcd056fe30 R15: 00007f8fcf4973f1
[ 72.131582][ T6546]
[ 72.136412][ T6546] ==================================================================
[ 72.144653][ T6546] BUG: KASAN: use-after-free in up_write+0x3ac/0x470
[ 72.151447][ T6546] Read of size 8 at addr ffff88807cb3a540 by task syz-executor/6546
[ 72.159523][ T6546]
[ 72.161835][ T6546] CPU: 0 PID: 6546 Comm: syz-executor Not tainted 5.16.0-rc3-next-20211203-syzkaller #0
[ 72.171647][ T6546] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 72.181790][ T6546] Call Trace:
[ 72.185056][ T6546]
[ 72.187993][ T6546] dump_stack_lvl+0xcd/0x134
[ 72.192603][ T6546] print_address_description.constprop.0.cold+0xa5/0x3ed
[ 72.199639][ T6546] ? up_write+0x3ac/0x470
[ 72.203978][ T6546] ? up_write+0x3ac/0x470
[ 72.208747][ T6546] kasan_report.cold+0x83/0xdf
[ 72.213693][ T6546] ? up_write+0x3ac/0x470
[ 72.218089][ T6546] up_write+0x3ac/0x470
[ 72.222252][ T6546] cgroup_setup_root+0x3a6/0xad0
[ 72.227200][ T6546] ? rebind_subsystems+0x10e0/0x10e0
[ 72.232490][ T6546] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 72.238727][ T6546] cgroup1_get_tree+0xd33/0x1390
[ 72.243858][ T6546] vfs_get_tree+0x89/0x2f0
[ 72.248275][ T6546] path_mount+0x1320/0x1fa0
[ 72.252788][ T6546] ? kmem_cache_free+0xdd/0x580
[ 72.257805][ T6546] ? finish_automount+0xaf0/0xaf0
[ 72.262909][ T6546] ? putname+0xfe/0x140
[ 72.267071][ T6546] __x64_sys_mount+0x27f/0x300
[ 72.271930][ T6546] ? copy_mnt_ns+0xae0/0xae0
[ 72.276512][ T6546] ? syscall_enter_from_user_mode+0x21/0x70
[ 72.282492][ T6546] do_syscall_64+0x35/0xb0
[ 72.286898][ T6546] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 72.292785][ T6546] RIP: 0033:0x7f8fcf43e01a
[ 72.297303][ T6546] Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 72.316895][ T6546] RSP: 002b:00007ffcd056fd58 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 72.325469][ T6546] RAX: ffffffffffffffda RBX: 00007ffcd056fee8 RCX: 00007f8fcf43e01a
[ 72.333434][ T6546] RDX: 00007f8fcf4a0fe2 RSI: 00007f8fcf49729a RDI: 00007f8fcf495d71
[ 72.341481][ T6546] RBP: 00007f8fcf49729a R08: 00007f8fcf4973f7 R09: 0000000000000026
[ 72.349526][ T6546] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffcd056fd60
[ 72.357483][ T6546] R13: 00007ffcd056ff08 R14: 00007ffcd056fe30 R15: 00007f8fcf4973f1
[ 72.365459][ T6546]
[ 72.368464][ T6546]
[ 72.370773][ T6546] Allocated by task 6546:
[ 72.375168][ T6546] kasan_save_stack+0x1e/0x40
[ 72.379841][ T6546] __kasan_kmalloc+0xa9/0xd0
[ 72.384521][ T6546] kernfs_create_root+0x4c/0x410
[ 72.389534][ T6546] cgroup_setup_root+0x243/0xad0
[ 72.394462][ T6546] cgroup1_get_tree+0xd33/0x1390
[ 72.399397][ T6546] vfs_get_tree+0x89/0x2f0
[ 72.403895][ T6546] path_mount+0x1320/0x1fa0
[ 72.408405][ T6546] __x64_sys_mount+0x27f/0x300
[ 72.413311][ T6546] do_syscall_64+0x35/0xb0
[ 72.417743][ T6546] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 72.423729][ T6546]
[ 72.426035][ T6546] Freed by task 6546:
[ 72.429993][ T6546] kasan_save_stack+0x1e/0x40
[ 72.434659][ T6546] kasan_set_track+0x21/0x30
[ 72.439517][ T6546] kasan_set_free_info+0x20/0x30
[ 72.444441][ T6546] ____kasan_slab_free+0x166/0x1a0
[ 72.449553][ T6546] slab_free_freelist_hook+0x8b/0x1c0
[ 72.454925][ T6546] kfree+0xd0/0x4b0
[ 72.458719][ T6546] kernfs_put.part.0+0x331/0x540
[ 72.463651][ T6546] kernfs_put+0x42/0x50
[ 72.467796][ T6546] __kernfs_remove+0x7a3/0xb20
[ 72.472634][ T6546] kernfs_destroy_root+0x89/0xb0
[ 72.477674][ T6546] cgroup_setup_root+0x3a6/0xad0
[ 72.482702][ T6546] cgroup1_get_tree+0xd33/0x1390
[ 72.487807][ T6546] vfs_get_tree+0x89/0x2f0
[ 72.492226][ T6546] path_mount+0x1320/0x1fa0
[ 72.496722][ T6546] __x64_sys_mount+0x27f/0x300
[ 72.501488][ T6546] do_syscall_64+0x35/0xb0
[ 72.505895][ T6546] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 72.511773][ T6546]
[ 72.514090][ T6546] The buggy address belongs to the object at ffff88807cb3a400
[ 72.514090][ T6546] which belongs to the cache kmalloc-512 of size 512
[ 72.528134][ T6546] The buggy address is located 320 bytes inside of
[ 72.528134][ T6546] 512-byte region [ffff88807cb3a400, ffff88807cb3a600)
[ 72.541401][ T6546] The buggy address belongs to the page:
[ 72.547194][ T6546] page:ffffea0001f2ce00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88807cb3a000 pfn:0x7cb38
[ 72.558631][ T6546] head:ffffea0001f2ce00 order:2 compound_mapcount:0 compound_pincount:0
[ 72.566937][ T6546] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 72.574907][ T6546] raw: 00fff00000010200 0000000000000000 dead000000000001 ffff888010c41c80
[ 72.583487][ T6546] raw: ffff88807cb3a000 000000008010000f 00000001ffffffff 0000000000000000
[ 72.592149][ T6546] page dumped because: kasan: bad access detected
[ 72.598538][ T6546] page_owner tracks the page as allocated
[ 72.604315][ T6546] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4558, ts 48974385985, free_ts 37322050759
[ 72.623678][ T6546] get_page_from_freelist+0xa72/0x2f40
[ 72.629569][ T6546] __alloc_pages+0x1b2/0x500
[ 72.634151][ T6546] alloc_pages+0x1aa/0x310
[ 72.638561][ T6546] new_slab+0x28d/0x3a0
[ 72.642789][ T6546] ___slab_alloc+0x6be/0xd60
[ 72.647383][ T6546] __slab_alloc.constprop.0+0x4d/0xa0
[ 72.652741][ T6546] kmem_cache_alloc_trace+0x289/0x2c0
[ 72.658108][ T6546] __do_sys_timerfd_create+0x265/0x370
[ 72.663566][ T6546] do_syscall_64+0x35/0xb0
[ 72.668231][ T6546] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 72.674283][ T6546] page last free stack trace:
[ 72.678935][ T6546] free_pcp_prepare+0x414/0xb60
[ 72.683804][ T6546] free_unref_page+0x19/0x690
[ 72.688465][ T6546] __unfreeze_partials+0x17c/0x1a0
[ 72.693564][ T6546] qlist_free_all+0x5a/0x100
[ 72.698140][ T6546] kasan_quarantine_reduce+0x180/0x200
[ 72.703595][ T6546] __kasan_slab_alloc+0xa2/0xc0
[ 72.708432][ T6546] kmem_cache_alloc+0x202/0x3a0
[ 72.713276][ T6546] getname_flags.part.0+0x50/0x4f0
[ 72.718380][ T6546] getname_flags+0x9a/0xe0
[ 72.722782][ T6546] user_path_at_empty+0x2b/0x60
[ 72.727621][ T6546] vfs_statx+0x142/0x390
[ 72.731862][ T6546] __do_sys_newlstat+0x91/0x110
[ 72.736871][ T6546] do_syscall_64+0x35/0xb0
[ 72.741804][ T6546] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 72.747692][ T6546]
[ 72.749997][ T6546] Memory state around the buggy address:
[ 72.755610][ T6546]  ffff88807cb3a400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 72.763653][ T6546]  ffff88807cb3a480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 72.771787][ T6546] >ffff88807cb3a500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 72.779825][ T6546]                                            ^
[ 72.785954][ T6546]  ffff88807cb3a580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 72.794281][ T6546]  ffff88807cb3a600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 72.802497][ T6546] ==================================================================
[ 72.811307][ T6546] Kernel panic - not syncing: panic_on_warn set ...
[ 72.817898][ T6546] CPU: 1 PID: 6546 Comm: syz-executor Tainted: G B 5.16.0-rc3-next-20211203-syzkaller #0
[ 72.829097][ T6546] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 72.839148][ T6546] Call Trace:
[ 72.842431][ T6546]
[ 72.845453][ T6546] dump_stack_lvl+0xcd/0x134
[ 72.850064][ T6546] panic+0x2b0/0x6dd
[ 72.854162][ T6546] ? __warn_printk+0xf3/0xf3
[ 72.858772][ T6546] ? preempt_schedule_common+0x59/0xc0
[ 72.864262][ T6546] ? up_write+0x3ac/0x470
[ 72.868588][ T6546] ? preempt_schedule_thunk+0x16/0x18
[ 72.874028][ T6546] ? trace_hardirqs_on+0x38/0x1c0
[ 72.879130][ T6546] ? trace_hardirqs_on+0x51/0x1c0
[ 72.884236][ T6546] ? up_write+0x3ac/0x470
[ 72.888554][ T6546] ? up_write+0x3ac/0x470
[ 72.892872][ T6546] end_report.cold+0x63/0x6f
[ 72.897455][ T6546] kasan_report.cold+0x71/0xdf
[ 72.902212][ T6546] ? up_write+0x3ac/0x470
[ 72.906531][ T6546] up_write+0x3ac/0x470
[ 72.910676][ T6546] cgroup_setup_root+0x3a6/0xad0
[ 72.915629][ T6546] ? rebind_subsystems+0x10e0/0x10e0
[ 72.920916][ T6546] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 72.927504][ T6546] cgroup1_get_tree+0xd33/0x1390
[ 72.932434][ T6546] vfs_get_tree+0x89/0x2f0
[ 72.936852][ T6546] path_mount+0x1320/0x1fa0
[ 72.941353][ T6546] ? kmem_cache_free+0xdd/0x580
[ 72.946197][ T6546] ? finish_automount+0xaf0/0xaf0
[ 72.951215][ T6546] ? putname+0xfe/0x140
[ 72.955384][ T6546] __x64_sys_mount+0x27f/0x300
[ 72.960172][ T6546] ? copy_mnt_ns+0xae0/0xae0
[ 72.964893][ T6546] ? syscall_enter_from_user_mode+0x21/0x70
[ 72.970784][ T6546] do_syscall_64+0x35/0xb0
[ 72.975192][ T6546] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 72.981074][ T6546] RIP: 0033:0x7f8fcf43e01a
[ 72.985586][ T6546] Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 73.005267][ T6546] RSP: 002b:00007ffcd056fd58 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 73.013927][ T6546] RAX: ffffffffffffffda RBX: 00007ffcd056fee8 RCX: 00007f8fcf43e01a
[ 73.021908][ T6546] RDX: 00007f8fcf4a0fe2 RSI: 00007f8fcf49729a RDI: 00007f8fcf495d71
[ 73.029876][ T6546] RBP: 00007f8fcf49729a R08: 00007f8fcf4973f7 R09: 0000000000000026
[ 73.037933][ T6546] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffcd056fd60
[ 73.045892][ T6546] R13: 00007ffcd056ff08 R14: 00007ffcd056fe30 R15: 00007f8fcf4973f1
[ 73.053985][ T6546]
[ 73.057271][ T6546] Kernel Offset: disabled
[ 73.061679][ T6546] Rebooting in 86400 seconds..