WARNING: held lock freed in kernfs_destroy_root
cgroup: Unknown subsys name 'net'
=========================
WARNING: held lock freed!
5.16.0-rc3-next-20211202-syzkaller #0 Not tainted
-------------------------
syz-executor/6597 is freeing memory ffff888019bfbc00-ffff888019bfbdff, with a lock still held there!
ffff888019bfbd48 (&root->kernfs_rwsem){++++}-{3:3}, at: kernfs_remove fs/kernfs/dir.c:1396 [inline]
ffff888019bfbd48 (&root->kernfs_rwsem){++++}-{3:3}, at: kernfs_destroy_root+0x81/0xb0 fs/kernfs/dir.c:964
2 locks held by syz-executor/6597:
#0: ffffffff8bbc4e08 (cgroup_mutex){+.+.}-{3:3}, at: cgroup_lock_and_drain_offline+0xa5/0x900 kernel/cgroup/cgroup.c:2998
#1: ffff888019bfbd48 (&root->kernfs_rwsem){++++}-{3:3}, at: kernfs_remove fs/kernfs/dir.c:1396 [inline]
#1: ffff888019bfbd48 (&root->kernfs_rwsem){++++}-{3:3}, at: kernfs_destroy_root+0x81/0xb0 fs/kernfs/dir.c:964
stack backtrace:
CPU: 0 PID: 6597 Comm: syz-executor Not tainted 5.16.0-rc3-next-20211202-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_freed_lock_bug kernel/locking/lockdep.c:6388 [inline]
debug_check_no_locks_freed.cold+0x9d/0xa9 kernel/locking/lockdep.c:6421
slab_free_hook mm/slub.c:1695 [inline]
slab_free_freelist_hook+0x73/0x1c0 mm/slub.c:1749
slab_free mm/slub.c:3513 [inline]
kfree+0xe0/0x430 mm/slub.c:4561
kernfs_put.part.0+0x331/0x540 fs/kernfs/dir.c:548
kernfs_put+0x42/0x50 fs/kernfs/dir.c:513
__kernfs_remove+0x7a3/0xb20 fs/kernfs/dir.c:1382
kernfs_remove fs/kernfs/dir.c:1397 [inline]
kernfs_destroy_root+0x89/0xb0 fs/kernfs/dir.c:964
cgroup_setup_root+0x3a6/0xad0 kernel/cgroup/cgroup.c:2077
cgroup1_root_to_use kernel/cgroup/cgroup-v1.c:1194 [inline]
cgroup1_get_tree+0xd33/0x1390 kernel/cgroup/cgroup-v1.c:1211
vfs_get_tree+0x89/0x2f0 fs/super.c:1500
do_new_mount fs/namespace.c:3004 [inline]
path_mount+0x1320/0x1fa0 fs/namespace.c:3334
do_mount fs/namespace.c:3347 [inline]
__do_sys_mount fs/namespace.c:3555 [inline]
__se_sys_mount fs/namespace.c:3532 [inline]
__x64_sys_mount+0x27f/0x300 fs/namespace.c:3532
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f2f4fa0ff6a
Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd4a9de488 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffd4a9de618 RCX: 00007f2f4fa0ff6a
RDX: 00007f2f4fa72e6c RSI: 00007f2f4fa691b1 RDI: 00007f2f4fa67ca1
RBP: 00007f2f4fa691b1 R08: 00007f2f4fa6930e R09: 0000000000000026
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd4a9de490
R13: 00007ffd4a9de638 R14: 00007ffd4a9de560 R15: 00007f2f4fa69308
==================================================================
BUG: KASAN: use-after-free in __up_write kernel/locking/rwsem.c:1318 [inline]
BUG: KASAN: use-after-free in up_write+0x3ac/0x470 kernel/locking/rwsem.c:1576
Read of size 8 at addr ffff888019bfbd40 by task syz-executor/6597
CPU: 1 PID: 6597 Comm: syz-executor Not tainted 5.16.0-rc3-next-20211202-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description.constprop.0.cold+0xa5/0x3ed mm/kasan/report.c:247
__kasan_report mm/kasan/report.c:433 [inline]
kasan_report.cold+0x83/0xdf mm/kasan/report.c:450
__up_write kernel/locking/rwsem.c:1318 [inline]
up_write+0x3ac/0x470 kernel/locking/rwsem.c:1576
cgroup_setup_root+0x3a6/0xad0 kernel/cgroup/cgroup.c:2077
cgroup1_root_to_use kernel/cgroup/cgroup-v1.c:1194 [inline]
cgroup1_get_tree+0xd33/0x1390 kernel/cgroup/cgroup-v1.c:1211
vfs_get_tree+0x89/0x2f0 fs/super.c:1500
do_new_mount fs/namespace.c:3004 [inline]
path_mount+0x1320/0x1fa0 fs/namespace.c:3334
do_mount fs/namespace.c:3347 [inline]
__do_sys_mount fs/namespace.c:3555 [inline]
__se_sys_mount fs/namespace.c:3532 [inline]
__x64_sys_mount+0x27f/0x300 fs/namespace.c:3532
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f2f4fa0ff6a
Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd4a9de488 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffd4a9de618 RCX: 00007f2f4fa0ff6a
RDX: 00007f2f4fa72e6c RSI: 00007f2f4fa691b1 RDI: 00007f2f4fa67ca1
RBP: 00007f2f4fa691b1 R08: 00007f2f4fa6930e R09: 0000000000000026
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd4a9de490
R13: 00007ffd4a9de638 R14: 00007ffd4a9de560 R15: 00007f2f4fa69308
Allocated by task 6597:
kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
____kasan_kmalloc mm/kasan/common.c:513 [inline]
____kasan_kmalloc mm/kasan/common.c:472 [inline]
__kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:522
kmalloc include/linux/slab.h:590 [inline]
kzalloc include/linux/slab.h:724 [inline]
kernfs_create_root+0x4c/0x410 fs/kernfs/dir.c:913
cgroup_setup_root+0x243/0xad0 kernel/cgroup/cgroup.c:2018
cgroup1_root_to_use kernel/cgroup/cgroup-v1.c:1194 [inline]
cgroup1_get_tree+0xd33/0x1390 kernel/cgroup/cgroup-v1.c:1211
vfs_get_tree+0x89/0x2f0 fs/super.c:1500
do_new_mount fs/namespace.c:3004 [inline]
path_mount+0x1320/0x1fa0 fs/namespace.c:3334
do_mount fs/namespace.c:3347 [inline]
__do_sys_mount fs/namespace.c:3555 [inline]
__se_sys_mount fs/namespace.c:3532 [inline]
__x64_sys_mount+0x27f/0x300 fs/namespace.c:3532
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
Freed by task 6597:
kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
kasan_set_track+0x21/0x30 mm/kasan/common.c:46
kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
____kasan_slab_free mm/kasan/common.c:366 [inline]
____kasan_slab_free mm/kasan/common.c:328 [inline]
__kasan_slab_free+0x103/0x170 mm/kasan/common.c:374
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:1723 [inline]
slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1749
slab_free mm/slub.c:3513 [inline]
kfree+0xe0/0x430 mm/slub.c:4561
kernfs_put.part.0+0x331/0x540 fs/kernfs/dir.c:548
kernfs_put+0x42/0x50 fs/kernfs/dir.c:513
__kernfs_remove+0x7a3/0xb20 fs/kernfs/dir.c:1382
kernfs_remove fs/kernfs/dir.c:1397 [inline]
kernfs_destroy_root+0x89/0xb0 fs/kernfs/dir.c:964
cgroup_setup_root+0x3a6/0xad0 kernel/cgroup/cgroup.c:2077
cgroup1_root_to_use kernel/cgroup/cgroup-v1.c:1194 [inline]
cgroup1_get_tree+0xd33/0x1390 kernel/cgroup/cgroup-v1.c:1211
vfs_get_tree+0x89/0x2f0 fs/super.c:1500
do_new_mount fs/namespace.c:3004 [inline]
path_mount+0x1320/0x1fa0 fs/namespace.c:3334
do_mount fs/namespace.c:3347 [inline]
__do_sys_mount fs/namespace.c:3555 [inline]
__se_sys_mount fs/namespace.c:3532 [inline]
__x64_sys_mount+0x27f/0x300 fs/namespace.c:3532
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
The buggy address belongs to the object at ffff888019bfbc00
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 320 bytes inside of
512-byte region [ffff888019bfbc00, ffff888019bfbe00)
The buggy address belongs to the page:
page:ffffea000066fe00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x19bf8
head:ffffea000066fe00 order:2 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 0000000000000000 dead000000000001 ffff888010c41c80
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 610, ts 8172658654, free_ts 0
prep_new_page mm/page_alloc.c:2433 [inline]
get_page_from_freelist+0xa72/0x2f40 mm/page_alloc.c:4164
__alloc_pages+0x1b2/0x500 mm/page_alloc.c:5376
alloc_pages+0x1a7/0x300 mm/mempolicy.c:2193
alloc_slab_page mm/slub.c:1793 [inline]
allocate_slab mm/slub.c:1930 [inline]
new_slab+0x261/0x460 mm/slub.c:1993
___slab_alloc+0x798/0xf30 mm/slub.c:3022
__slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3109
slab_alloc_node mm/slub.c:3200 [inline]
slab_alloc mm/slub.c:3242 [inline]
kmem_cache_alloc_trace+0x289/0x2c0 mm/slub.c:3259
kmalloc include/linux/slab.h:590 [inline]
kzalloc include/linux/slab.h:724 [inline]
alloc_bprm+0x51/0x8f0 fs/exec.c:1505
kernel_execve+0x55/0x460 fs/exec.c:1945
call_usermodehelper_exec_async+0x2e3/0x580 kernel/umh.c:112
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
page_owner free stack trace missing
Memory state around the buggy address:
ffff888019bfbc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888019bfbc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888019bfbd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
ffff888019bfbd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888019bfbe00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Warning: Permanently added '10.128.10.11' (ECDSA) to the list of known hosts.
2021/12/02 15:06:20 fuzzer started
2021/12/02 15:06:20 connecting to host at 10.128.0.169:45003
2021/12/02 15:06:20 checking machine...
2021/12/02 15:06:20 checking revisions...
2021/12/02 15:06:20 testing simple program...
[ 72.923759][ T6597] cgroup: Unknown subsys name 'net'
[ 72.930234][ T6597]
[ 72.932572][ T6597] =========================
[ 72.937074][ T6597] WARNING: held lock freed!
[ 72.941567][ T6597] 5.16.0-rc3-next-20211202-syzkaller #0 Not tainted
[ 72.948135][ T6597] -------------------------
[ 72.952617][ T6597] syz-executor/6597 is freeing memory ffff888019bfbc00-ffff888019bfbdff, with a lock still held there!
[ 72.963615][ T6597] ffff888019bfbd48 (&root->kernfs_rwsem){++++}-{3:3}, at: kernfs_destroy_root+0x81/0xb0
[ 72.973354][ T6597] 2 locks held by syz-executor/6597:
[ 72.978619][ T6597] #0: ffffffff8bbc4e08 (cgroup_mutex){+.+.}-{3:3}, at: cgroup_lock_and_drain_offline+0xa5/0x900
[ 72.989130][ T6597] #1: ffff888019bfbd48 (&root->kernfs_rwsem){++++}-{3:3}, at: kernfs_destroy_root+0x81/0xb0
[ 72.999380][ T6597]
[ 72.999380][ T6597] stack backtrace:
[ 73.005422][ T6597] CPU: 0 PID: 6597 Comm: syz-executor Not tainted 5.16.0-rc3-next-20211202-syzkaller #0
[ 73.015137][ T6597] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 73.025198][ T6597] Call Trace:
[ 73.028468][ T6597]
[ 73.031388][ T6597] dump_stack_lvl+0xcd/0x134
[ 73.035990][ T6597] debug_check_no_locks_freed.cold+0x9d/0xa9
[ 73.041991][ T6597] ? lockdep_hardirqs_on+0x79/0x100
[ 73.047198][ T6597] slab_free_freelist_hook+0x73/0x1c0
[ 73.052586][ T6597] ? kernfs_put.part.0+0x331/0x540
[ 73.057702][ T6597] kfree+0xe0/0x430
[ 73.061507][ T6597] ? kmem_cache_free+0xba/0x4a0
[ 73.066356][ T6597] ? rwlock_bug.part.0+0x90/0x90
[ 73.071290][ T6597] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 73.077530][ T6597] kernfs_put.part.0+0x331/0x540
[ 73.082472][ T6597] kernfs_put+0x42/0x50
[ 73.086623][ T6597] __kernfs_remove+0x7a3/0xb20
[ 73.091391][ T6597] ? kernfs_next_descendant_post+0x2f0/0x2f0
[ 73.097399][ T6597] ? down_write+0xde/0x150
[ 73.101841][ T6597] ? down_write_killable_nested+0x180/0x180
[ 73.107941][ T6597] kernfs_destroy_root+0x89/0xb0
[ 73.112892][ T6597] cgroup_setup_root+0x3a6/0xad0
[ 73.117830][ T6597] ? rebind_subsystems+0x10e0/0x10e0
[ 73.123116][ T6597] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 73.129358][ T6597] cgroup1_get_tree+0xd33/0x1390
[ 73.134392][ T6597] vfs_get_tree+0x89/0x2f0
[ 73.138801][ T6597] path_mount+0x1320/0x1fa0
[ 73.143396][ T6597] ? kmem_cache_free+0xba/0x4a0
[ 73.148244][ T6597] ? finish_automount+0xaf0/0xaf0
[ 73.153440][ T6597] ? putname+0xfe/0x140
[ 73.157591][ T6597] __x64_sys_mount+0x27f/0x300
[ 73.162352][ T6597] ? copy_mnt_ns+0xae0/0xae0
[ 73.166941][ T6597] ? syscall_enter_from_user_mode+0x21/0x70
[ 73.172842][ T6597] do_syscall_64+0x35/0xb0
[ 73.177253][ T6597] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 73.183139][ T6597] RIP: 0033:0x7f2f4fa0ff6a
[ 73.187546][ T6597] Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 73.207415][ T6597] RSP: 002b:00007ffd4a9de488 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 73.215819][ T6597] RAX: ffffffffffffffda RBX: 00007ffd4a9de618 RCX: 00007f2f4fa0ff6a
[ 73.223782][ T6597] RDX: 00007f2f4fa72e6c RSI: 00007f2f4fa691b1 RDI: 00007f2f4fa67ca1
[ 73.231746][ T6597] RBP: 00007f2f4fa691b1 R08: 00007f2f4fa6930e R09: 0000000000000026
[ 73.239705][ T6597] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd4a9de490
[ 73.247928][ T6597] R13: 00007ffd4a9de638 R14: 00007ffd4a9de560 R15: 00007f2f4fa69308
[ 73.255904][ T6597]
[ 73.259107][ T6597] ==================================================================
[ 73.267160][ T6597] BUG: KASAN: use-after-free in up_write+0x3ac/0x470
[ 73.273848][ T6597] Read of size 8 at addr ffff888019bfbd40 by task syz-executor/6597
[ 73.281827][ T6597]
[ 73.284144][ T6597] CPU: 1 PID: 6597 Comm: syz-executor Not tainted 5.16.0-rc3-next-20211202-syzkaller #0
[ 73.294285][ T6597] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 73.304415][ T6597] Call Trace:
[ 73.307691][ T6597]
[ 73.310608][ T6597] dump_stack_lvl+0xcd/0x134
[ 73.315206][ T6597] print_address_description.constprop.0.cold+0xa5/0x3ed
[ 73.322231][ T6597] ? up_write+0x3ac/0x470
[ 73.326650][ T6597] ? up_write+0x3ac/0x470
[ 73.330978][ T6597] kasan_report.cold+0x83/0xdf
[ 73.335735][ T6597] ? up_write+0x3ac/0x470
[ 73.340063][ T6597] up_write+0x3ac/0x470
[ 73.344209][ T6597] cgroup_setup_root+0x3a6/0xad0
[ 73.349142][ T6597] ? rebind_subsystems+0x10e0/0x10e0
[ 73.354436][ T6597] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 73.360691][ T6597] cgroup1_get_tree+0xd33/0x1390
[ 73.365643][ T6597] vfs_get_tree+0x89/0x2f0
[ 73.370050][ T6597] path_mount+0x1320/0x1fa0
[ 73.374544][ T6597] ? kmem_cache_free+0xba/0x4a0
[ 73.379390][ T6597] ? finish_automount+0xaf0/0xaf0
[ 73.384418][ T6597] ? putname+0xfe/0x140
[ 73.388574][ T6597] __x64_sys_mount+0x27f/0x300
[ 73.393344][ T6597] ? copy_mnt_ns+0xae0/0xae0
[ 73.397931][ T6597] ? syscall_enter_from_user_mode+0x21/0x70
[ 73.403835][ T6597] do_syscall_64+0x35/0xb0
[ 73.408244][ T6597] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 73.414132][ T6597] RIP: 0033:0x7f2f4fa0ff6a
[ 73.418553][ T6597] Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 73.438151][ T6597] RSP: 002b:00007ffd4a9de488 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 73.446566][ T6597] RAX: ffffffffffffffda RBX: 00007ffd4a9de618 RCX: 00007f2f4fa0ff6a
[ 73.454888][ T6597] RDX: 00007f2f4fa72e6c RSI: 00007f2f4fa691b1 RDI: 00007f2f4fa67ca1
[ 73.462869][ T6597] RBP: 00007f2f4fa691b1 R08: 00007f2f4fa6930e R09: 0000000000000026
[ 73.470954][ T6597] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd4a9de490
[ 73.478918][ T6597] R13: 00007ffd4a9de638 R14: 00007ffd4a9de560 R15: 00007f2f4fa69308
[ 73.487046][ T6597]
[ 73.490063][ T6597]
[ 73.492381][ T6597] Allocated by task 6597:
[ 73.496690][ T6597] kasan_save_stack+0x1e/0x50
[ 73.501447][ T6597] __kasan_kmalloc+0xa9/0xd0
[ 73.506039][ T6597] kernfs_create_root+0x4c/0x410
[ 73.510977][ T6597] cgroup_setup_root+0x243/0xad0
[ 73.515906][ T6597] cgroup1_get_tree+0xd33/0x1390
[ 73.520833][ T6597] vfs_get_tree+0x89/0x2f0
[ 73.525240][ T6597] path_mount+0x1320/0x1fa0
[ 73.529735][ T6597] __x64_sys_mount+0x27f/0x300
[ 73.534490][ T6597] do_syscall_64+0x35/0xb0
[ 73.538899][ T6597] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 73.544791][ T6597]
[ 73.547114][ T6597] Freed by task 6597:
[ 73.551079][ T6597] kasan_save_stack+0x1e/0x50
[ 73.555750][ T6597] kasan_set_track+0x21/0x30
[ 73.560427][ T6597] kasan_set_free_info+0x20/0x30
[ 73.565354][ T6597] __kasan_slab_free+0x103/0x170
[ 73.570288][ T6597] slab_free_freelist_hook+0x8b/0x1c0
[ 73.575648][ T6597] kfree+0xe0/0x430
[ 73.579533][ T6597] kernfs_put.part.0+0x331/0x540
[ 73.584474][ T6597] kernfs_put+0x42/0x50
[ 73.588623][ T6597] __kernfs_remove+0x7a3/0xb20
[ 73.593376][ T6597] kernfs_destroy_root+0x89/0xb0
[ 73.598304][ T6597] cgroup_setup_root+0x3a6/0xad0
[ 73.603237][ T6597] cgroup1_get_tree+0xd33/0x1390
[ 73.608162][ T6597] vfs_get_tree+0x89/0x2f0
[ 73.612656][ T6597] path_mount+0x1320/0x1fa0
[ 73.617149][ T6597] __x64_sys_mount+0x27f/0x300
[ 73.621903][ T6597] do_syscall_64+0x35/0xb0
[ 73.626313][ T6597] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 73.632205][ T6597]
[ 73.634520][ T6597] The buggy address belongs to the object at ffff888019bfbc00
[ 73.634520][ T6597] which belongs to the cache kmalloc-512 of size 512
[ 73.648663][ T6597] The buggy address is located 320 bytes inside of
[ 73.648663][ T6597] 512-byte region [ffff888019bfbc00, ffff888019bfbe00)
[ 73.661948][ T6597] The buggy address belongs to the page:
[ 73.667570][ T6597] page:ffffea000066fe00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x19bf8
[ 73.677721][ T6597] head:ffffea000066fe00 order:2 compound_mapcount:0 compound_pincount:0
[ 73.686036][ T6597] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 73.694014][ T6597] raw: 00fff00000010200 0000000000000000 dead000000000001 ffff888010c41c80
[ 73.702587][ T6597] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 73.711158][ T6597] page dumped because: kasan: bad access detected
[ 73.717566][ T6597] page_owner tracks the page as allocated
[ 73.723278][ T6597] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 610, ts 8172658654, free_ts 0
[ 73.741512][ T6597] get_page_from_freelist+0xa72/0x2f40
[ 73.746969][ T6597] __alloc_pages+0x1b2/0x500
[ 73.751547][ T6597] alloc_pages+0x1a7/0x300
[ 73.755956][ T6597] new_slab+0x261/0x460
[ 73.760103][ T6597] ___slab_alloc+0x798/0xf30
[ 73.764686][ T6597] __slab_alloc.constprop.0+0x4d/0xa0
[ 73.770051][ T6597] kmem_cache_alloc_trace+0x289/0x2c0
[ 73.775427][ T6597] alloc_bprm+0x51/0x8f0
[ 73.779676][ T6597] kernel_execve+0x55/0x460
[ 73.784198][ T6597] call_usermodehelper_exec_async+0x2e3/0x580
[ 73.790260][ T6597] ret_from_fork+0x1f/0x30
[ 73.794669][ T6597] page_owner free stack trace missing
[ 73.800027][ T6597]
[ 73.802370][ T6597] Memory state around the buggy address:
[ 73.808003][ T6597] ffff888019bfbc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.816065][ T6597] ffff888019bfbc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.824118][ T6597] >ffff888019bfbd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.832249][ T6597]                                            ^
[ 73.838489][ T6597] ffff888019bfbd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.846550][ T6597] ffff888019bfbe00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 73.854619][ T6597] ==================================================================
[ 73.865154][ T6597] Kernel panic - not syncing: panic_on_warn set ...
[ 73.871754][ T6597] CPU: 0 PID: 6597 Comm: syz-executor Tainted: G B 5.16.0-rc3-next-20211202-syzkaller #0
[ 73.882900][ T6597] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 73.893052][ T6597] Call Trace:
[ 73.896361][ T6597]
[ 73.899298][ T6597] dump_stack_lvl+0xcd/0x134
[ 73.903893][ T6597] panic+0x2b0/0x6dd
[ 73.907785][ T6597] ? __warn_printk+0xf3/0xf3
[ 73.912374][ T6597] ? preempt_schedule_common+0x59/0xc0
[ 73.917869][ T6597] ? up_write+0x3ac/0x470
[ 73.922280][ T6597] ? preempt_schedule_thunk+0x16/0x18
[ 73.927648][ T6597] ? trace_hardirqs_on+0x38/0x1c0
[ 73.932671][ T6597] ? trace_hardirqs_on+0x51/0x1c0
[ 73.937694][ T6597] ? up_write+0x3ac/0x470
[ 73.942014][ T6597] ? up_write+0x3ac/0x470
[ 73.946361][ T6597] end_report.cold+0x63/0x6f
[ 73.950960][ T6597] kasan_report.cold+0x71/0xdf
[ 73.955741][ T6597] ? up_write+0x3ac/0x470
[ 73.960086][ T6597] up_write+0x3ac/0x470
[ 73.964242][ T6597] cgroup_setup_root+0x3a6/0xad0
[ 73.969190][ T6597] ? rebind_subsystems+0x10e0/0x10e0
[ 73.974475][ T6597] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 73.980729][ T6597] cgroup1_get_tree+0xd33/0x1390
[ 73.985666][ T6597] vfs_get_tree+0x89/0x2f0
[ 73.990079][ T6597] path_mount+0x1320/0x1fa0
[ 73.994682][ T6597] ? kmem_cache_free+0xba/0x4a0
[ 73.999532][ T6597] ? finish_automount+0xaf0/0xaf0
[ 74.004583][ T6597] ? putname+0xfe/0x140
[ 74.008741][ T6597] __x64_sys_mount+0x27f/0x300
[ 74.013510][ T6597] ? copy_mnt_ns+0xae0/0xae0
[ 74.018100][ T6597] ? syscall_enter_from_user_mode+0x21/0x70
[ 74.024000][ T6597] do_syscall_64+0x35/0xb0
[ 74.028415][ T6597] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 74.034303][ T6597] RIP: 0033:0x7f2f4fa0ff6a
[ 74.038798][ T6597] Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 74.058773][ T6597] RSP: 002b:00007ffd4a9de488 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 74.067190][ T6597] RAX: ffffffffffffffda RBX: 00007ffd4a9de618 RCX: 00007f2f4fa0ff6a
[ 74.075178][ T6597] RDX: 00007f2f4fa72e6c RSI: 00007f2f4fa691b1 RDI: 00007f2f4fa67ca1
[ 74.083663][ T6597] RBP: 00007f2f4fa691b1 R08: 00007f2f4fa6930e R09: 0000000000000026
[ 74.091730][ T6597] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd4a9de490
[ 74.099692][ T6597] R13: 00007ffd4a9de638 R14: 00007ffd4a9de560 R15: 00007f2f4fa69308
[ 74.107667][ T6597]
[ 74.111093][ T6597] Kernel Offset: disabled
[ 74.115413][ T6597] Rebooting in 86400 seconds..