[ OK ] Started Getty on tty2.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Started getty on tty2-tty6 if dbus and logind are not available.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.81' (ECDSA) to the list of known hosts.
2021/11/26 05:42:51 fuzzer started
2021/11/26 05:42:52 connecting to host at 10.128.0.169:36905
2021/11/26 05:42:52 checking machine...
2021/11/26 05:42:52 checking revisions...
2021/11/26 05:42:52 testing simple program...
syzkaller login: [ 71.677796][ T6520] cgroup: Unknown subsys name 'net'
[ 71.684283][ T6520]
[ 71.686632][ T6520] =========================
[ 71.691250][ T6520] WARNING: held lock freed!
[ 71.695731][ T6520] 5.16.0-rc2-next-20211126-syzkaller #0 Not tainted
[ 71.702384][ T6520] -------------------------
[ 71.707058][ T6520] syz-executor/6520 is freeing memory ffff888012b84c00-ffff888012b84dff, with a lock still held there!
[ 71.718192][ T6520] ffff888012b84d48 (&root->kernfs_rwsem){++++}-{3:3}, at: kernfs_destroy_root+0x81/0xb0
[ 71.728450][ T6520] 2 locks held by syz-executor/6520:
[ 71.733746][ T6520] #0: ffffffff8bbc5d48 (cgroup_mutex){+.+.}-{3:3}, at: cgroup_lock_and_drain_offline+0xa5/0x900
[ 71.744373][ T6520] #1: ffff888012b84d48 (&root->kernfs_rwsem){++++}-{3:3}, at: kernfs_destroy_root+0x81/0xb0
[ 71.754805][ T6520]
[ 71.754805][ T6520] stack backtrace:
[ 71.760941][ T6520] CPU: 1 PID: 6520 Comm: syz-executor Not tainted 5.16.0-rc2-next-20211126-syzkaller #0
[ 71.770984][ T6520] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 71.781130][ T6520] Call Trace:
[ 71.784418][ T6520]
[ 71.787337][ T6520] dump_stack_lvl+0xcd/0x134
[ 71.791938][ T6520] debug_check_no_locks_freed.cold+0x9d/0xa9
[ 71.797916][ T6520] ? lockdep_hardirqs_on+0x79/0x100
[ 71.803254][ T6520] slab_free_freelist_hook+0x73/0x1c0
[ 71.808753][ T6520] ? kernfs_put.part.0+0x331/0x540
[ 71.813879][ T6520] kfree+0xe0/0x430
[ 71.817685][ T6520] ? kmem_cache_free+0xba/0x4a0
[ 71.822536][ T6520] ? rwlock_bug.part.0+0x90/0x90
[ 71.827554][ T6520] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 71.834052][ T6520] kernfs_put.part.0+0x331/0x540
[ 71.839014][ T6520] kernfs_put+0x42/0x50
[ 71.843397][ T6520] __kernfs_remove+0x7a3/0xb20
[ 71.848161][ T6520] ? kernfs_next_descendant_post+0x2f0/0x2f0
[ 71.854484][ T6520] ? down_write+0xde/0x150
[ 71.858902][ T6520] ? down_write_killable_nested+0x180/0x180
[ 71.864893][ T6520] kernfs_destroy_root+0x89/0xb0
[ 71.869855][ T6520] cgroup_setup_root+0x3a6/0xad0
[ 71.875177][ T6520] ? rebind_subsystems+0x10e0/0x10e0
[ 71.880557][ T6520] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 71.886882][ T6520] cgroup1_get_tree+0xd33/0x1390
[ 71.891817][ T6520] vfs_get_tree+0x89/0x2f0
[ 71.896314][ T6520] path_mount+0x1320/0x1fa0
[ 71.900983][ T6520] ? kmem_cache_free+0xba/0x4a0
[ 71.905832][ T6520] ? finish_automount+0xaf0/0xaf0
[ 71.910861][ T6520] ? putname+0xfe/0x140
[ 71.915031][ T6520] __x64_sys_mount+0x27f/0x300
[ 71.919792][ T6520] ? copy_mnt_ns+0xae0/0xae0
[ 71.924474][ T6520] ? syscall_enter_from_user_mode+0x21/0x70
[ 71.930452][ T6520] do_syscall_64+0x35/0xb0
[ 71.934963][ T6520] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 71.941176][ T6520] RIP: 0033:0x7efe6774201a
[ 71.945779][ T6520] Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 71.965467][ T6520] RSP: 002b:00007ffcbbeb87b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 71.973872][ T6520] RAX: ffffffffffffffda RBX: 00007ffcbbeb8948 RCX: 00007efe6774201a
[ 71.981835][ T6520] RDX: 00007efe677a4fd6 RSI: 00007efe6779b29a RDI: 00007efe67799d71
[ 71.989993][ T6520] RBP: 00007efe6779b29a R08: 00007efe6779b3f7 R09: 0000000000000026
[ 71.998333][ T6520] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffcbbeb87c0
[ 72.006303][ T6520] R13: 00007ffcbbeb8968 R14: 00007ffcbbeb8890 R15: 00007efe6779b3f1
[ 72.014278][ T6520]
[ 72.017823][ T6520] ==================================================================
[ 72.025985][ T6520] BUG: KASAN: use-after-free in up_write+0x3ac/0x470
[ 72.032680][ T6520] Read of size 8 at addr ffff888012b84d40 by task syz-executor/6520
[ 72.040655][ T6520]
[ 72.043185][ T6520] CPU: 1 PID: 6520 Comm: syz-executor Not tainted 5.16.0-rc2-next-20211126-syzkaller #0
[ 72.053021][ T6520] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 72.063079][ T6520] Call Trace:
[ 72.066353][ T6520]
[ 72.069276][ T6520] dump_stack_lvl+0xcd/0x134
[ 72.073869][ T6520] print_address_description.constprop.0.cold+0xa5/0x3ed
[ 72.080890][ T6520] ? up_write+0x3ac/0x470
[ 72.085223][ T6520] ? up_write+0x3ac/0x470
[ 72.089559][ T6520] kasan_report.cold+0x83/0xdf
[ 72.094327][ T6520] ? up_write+0x3ac/0x470
[ 72.098663][ T6520] up_write+0x3ac/0x470
[ 72.102813][ T6520] cgroup_setup_root+0x3a6/0xad0
[ 72.107748][ T6520] ? rebind_subsystems+0x10e0/0x10e0
[ 72.113034][ T6520] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 72.119278][ T6520] cgroup1_get_tree+0xd33/0x1390
[ 72.124218][ T6520] vfs_get_tree+0x89/0x2f0
[ 72.128628][ T6520] path_mount+0x1320/0x1fa0
[ 72.133153][ T6520] ? kmem_cache_free+0xba/0x4a0
[ 72.138003][ T6520] ? finish_automount+0xaf0/0xaf0
[ 72.143022][ T6520] ? putname+0xfe/0x140
[ 72.147182][ T6520] __x64_sys_mount+0x27f/0x300
[ 72.152121][ T6520] ? copy_mnt_ns+0xae0/0xae0
[ 72.156709][ T6520] ? syscall_enter_from_user_mode+0x21/0x70
[ 72.162604][ T6520] do_syscall_64+0x35/0xb0
[ 72.167020][ T6520] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 72.172909][ T6520] RIP: 0033:0x7efe6774201a
[ 72.177316][ T6520] Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 72.197118][ T6520] RSP: 002b:00007ffcbbeb87b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 72.205638][ T6520] RAX: ffffffffffffffda RBX: 00007ffcbbeb8948 RCX: 00007efe6774201a
[ 72.213605][ T6520] RDX: 00007efe677a4fd6 RSI: 00007efe6779b29a RDI: 00007efe67799d71
[ 72.221585][ T6520] RBP: 00007efe6779b29a R08: 00007efe6779b3f7 R09: 0000000000000026
[ 72.229551][ T6520] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffcbbeb87c0
[ 72.237524][ T6520] R13: 00007ffcbbeb8968 R14: 00007ffcbbeb8890 R15: 00007efe6779b3f1
[ 72.245499][ T6520]
[ 72.248518][ T6520]
[ 72.250834][ T6520] Allocated by task 6520:
[ 72.255146][ T6520] kasan_save_stack+0x1e/0x50
[ 72.259829][ T6520] __kasan_kmalloc+0xa9/0xd0
[ 72.264414][ T6520] kernfs_create_root+0x4c/0x410
[ 72.269435][ T6520] cgroup_setup_root+0x243/0xad0
[ 72.274371][ T6520] cgroup1_get_tree+0xd33/0x1390
[ 72.279302][ T6520] vfs_get_tree+0x89/0x2f0
[ 72.283713][ T6520] path_mount+0x1320/0x1fa0
[ 72.288207][ T6520] __x64_sys_mount+0x27f/0x300
[ 72.292965][ T6520] do_syscall_64+0x35/0xb0
[ 72.297427][ T6520] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 72.303313][ T6520]
[ 72.305628][ T6520] Freed by task 6520:
[ 72.309598][ T6520] kasan_save_stack+0x1e/0x50
[ 72.314275][ T6520] kasan_set_track+0x21/0x30
[ 72.319002][ T6520] kasan_set_free_info+0x20/0x30
[ 72.324104][ T6520] __kasan_slab_free+0x103/0x170
[ 72.329037][ T6520] slab_free_freelist_hook+0x8b/0x1c0
[ 72.334500][ T6520] kfree+0xe0/0x430
[ 72.338302][ T6520] kernfs_put.part.0+0x331/0x540
[ 72.343446][ T6520] kernfs_put+0x42/0x50
[ 72.347595][ T6520] __kernfs_remove+0x7a3/0xb20
[ 72.352354][ T6520] kernfs_destroy_root+0x89/0xb0
[ 72.357821][ T6520] cgroup_setup_root+0x3a6/0xad0
[ 72.362753][ T6520] cgroup1_get_tree+0xd33/0x1390
[ 72.367678][ T6520] vfs_get_tree+0x89/0x2f0
[ 72.372095][ T6520] path_mount+0x1320/0x1fa0
[ 72.376694][ T6520] __x64_sys_mount+0x27f/0x300
[ 72.381458][ T6520] do_syscall_64+0x35/0xb0
[ 72.385877][ T6520] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 72.391792][ T6520]
[ 72.394203][ T6520] The buggy address belongs to the object at ffff888012b84c00
[ 72.394203][ T6520] which belongs to the cache kmalloc-512 of size 512
[ 72.408266][ T6520] The buggy address is located 320 bytes inside of
[ 72.408266][ T6520] 512-byte region [ffff888012b84c00, ffff888012b84e00)
[ 72.421625][ T6520] The buggy address belongs to the page:
[ 72.427240][ T6520] page:ffffea00004ae100 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12b84
[ 72.437663][ T6520] head:ffffea00004ae100 order:2 compound_mapcount:0 compound_pincount:0
[ 72.445997][ T6520] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 72.453985][ T6520] raw: 00fff00000010200 ffffea0000761f00 dead000000000002 ffff888010c41c80
[ 72.462575][ T6520] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 72.471450][ T6520] page dumped because: kasan: bad access detected
[ 72.477953][ T6520] page_owner tracks the page as allocated
[ 72.483660][ T6520] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, ts 2324619223, free_ts 0
[ 72.501888][ T6520] get_page_from_freelist+0xa72/0x2f40
[ 72.507372][ T6520] __alloc_pages+0x1b2/0x500
[ 72.512067][ T6520] alloc_page_interleave+0x1e/0x200
[ 72.517270][ T6520] alloc_pages+0x29f/0x300
[ 72.521684][ T6520] new_slab+0x261/0x460
[ 72.525833][ T6520] ___slab_alloc+0x798/0xf30
[ 72.530421][ T6520] __slab_alloc.constprop.0+0x4d/0xa0
[ 72.535809][ T6520] __kmalloc+0x2fb/0x340
[ 72.540141][ T6520] alloc_workqueue+0x14b/0xf00
[ 72.545013][ T6520] acpi_os_initialize1+0x19/0xa0
[ 72.549984][ T6520] acpi_init+0x15e/0x971
[ 72.554330][ T6520] do_one_initcall+0x103/0x650
[ 72.559088][ T6520] kernel_init_freeable+0x6b1/0x73a
[ 72.564408][ T6520] kernel_init+0x1a/0x1d0
[ 72.568738][ T6520] ret_from_fork+0x1f/0x30
[ 72.573174][ T6520] page_owner free stack trace missing
[ 72.578535][ T6520]
[ 72.580935][ T6520] Memory state around the buggy address:
[ 72.586551][ T6520] ffff888012b84c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 72.594946][ T6520] ffff888012b84c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 72.603091][ T6520] >ffff888012b84d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 72.611242][ T6520] ^
[ 72.617581][ T6520] ffff888012b84d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 72.625646][ T6520] ffff888012b84e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 72.633711][ T6520] ==================================================================
[ 72.643084][ T6520] Kernel panic - not syncing: panic_on_warn set ...
[ 72.649675][ T6520] CPU: 1 PID: 6520 Comm: syz-executor Tainted: G B 5.16.0-rc2-next-20211126-syzkaller #0
[ 72.660790][ T6520] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 72.670849][ T6520] Call Trace:
[ 72.674171][ T6520]
[ 72.677585][ T6520] dump_stack_lvl+0xcd/0x134
[ 72.682196][ T6520] panic+0x2b0/0x6dd
[ 72.686089][ T6520] ? __warn_printk+0xf3/0xf3
[ 72.690678][ T6520] ? preempt_schedule_common+0x59/0xc0
[ 72.696266][ T6520] ? up_write+0x3ac/0x470
[ 72.700690][ T6520] ? preempt_schedule_thunk+0x16/0x18
[ 72.706082][ T6520] ? trace_hardirqs_on+0x38/0x1c0
[ 72.711118][ T6520] ? trace_hardirqs_on+0x51/0x1c0
[ 72.716283][ T6520] ? up_write+0x3ac/0x470
[ 72.720625][ T6520] ? up_write+0x3ac/0x470
[ 72.724966][ T6520] end_report.cold+0x63/0x6f
[ 72.729603][ T6520] kasan_report.cold+0x71/0xdf
[ 72.734437][ T6520] ? up_write+0x3ac/0x470
[ 72.738786][ T6520] up_write+0x3ac/0x470
[ 72.742950][ T6520] cgroup_setup_root+0x3a6/0xad0
[ 72.747897][ T6520] ? rebind_subsystems+0x10e0/0x10e0
[ 72.753301][ T6520] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 72.759557][ T6520] cgroup1_get_tree+0xd33/0x1390
[ 72.764516][ T6520] vfs_get_tree+0x89/0x2f0
[ 72.768943][ T6520] path_mount+0x1320/0x1fa0
[ 72.773450][ T6520] ? kmem_cache_free+0xba/0x4a0
[ 72.778298][ T6520] ? finish_automount+0xaf0/0xaf0
[ 72.783435][ T6520] ? putname+0xfe/0x140
[ 72.787631][ T6520] __x64_sys_mount+0x27f/0x300
[ 72.792454][ T6520] ? copy_mnt_ns+0xae0/0xae0
[ 72.797047][ T6520] ? syscall_enter_from_user_mode+0x21/0x70
[ 72.802955][ T6520] do_syscall_64+0x35/0xb0
[ 72.807586][ T6520] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 72.813490][ T6520] RIP: 0033:0x7efe6774201a
[ 72.817918][ T6520] Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 72.837525][ T6520] RSP: 002b:00007ffcbbeb87b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 72.846306][ T6520] RAX: ffffffffffffffda RBX: 00007ffcbbeb8948 RCX: 00007efe6774201a
[ 72.854444][ T6520] RDX: 00007efe677a4fd6 RSI: 00007efe6779b29a RDI: 00007efe67799d71
[ 72.862420][ T6520] RBP: 00007efe6779b29a R08: 00007efe6779b3f7 R09: 0000000000000026
[ 72.870476][ T6520] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffcbbeb87c0
[ 72.878446][ T6520] R13: 00007ffcbbeb8968 R14: 00007ffcbbeb8890 R15: 00007efe6779b3f1
[ 72.886433][ T6520]
[ 72.889526][ T6520] Kernel Offset: disabled
[ 72.893850][ T6520] Rebooting in 86400 seconds..