INIT: Entering runlevel: 2
[[36minfo[39;49m] Using makefile-style concurrent boot in runlevel 2.
[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-mmots-kasan-gce-9,10.128.15.193' (ECDSA) to the list of known hosts.
2017/10/01 01:58:01 parsed 1 programs
2017/10/01 01:58:01 executed programs: 0
2017/10/01 01:58:06 executed programs: 200
2017/10/01 01:58:11 executed programs: 427
syzkaller login: [   44.066816] ==================================================================
[   44.074209] BUG: KASAN: use-after-free in __lock_acquire+0x407b/0x4620
[   44.080847] Read of size 8 at addr ffff8801d6b556a8 by task syz-executor6/7073
[   44.080849] 
[   44.080856] CPU: 1 PID: 7073 Comm: syz-executor6 Not tainted 4.14.0-rc2-mm1+ #11
[   44.080859] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   44.080864] Call Trace:
[   44.080875]  dump_stack+0x194/0x257
[   44.080883]  ? arch_local_irq_restore+0x53/0x53
[   44.080890]  ? show_regs_print_info+0x65/0x65
[   44.080898]  ? __kernel_text_address+0xd/0x40
[   44.080906]  ? __lock_acquire+0x407b/0x4620
[   44.080913]  print_address_description+0x73/0x250
[   44.080920]  ? __lock_acquire+0x407b/0x4620
[   44.080925]  kasan_report+0x25b/0x340
[   44.080933]  __asan_report_load8_noabort+0x14/0x20
[   44.080939]  __lock_acquire+0x407b/0x4620
[   44.080947]  ? unwind_dump+0x4c0/0x4c0
[   44.080951]  ? __unwind_start+0x169/0x330
[   44.080957]  ? __kernel_text_address+0xd/0x40
[   44.080963]  ? unwind_get_return_address+0x61/0xa0
[   44.080974]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   44.080979]  ? unwind_get_return_address+0x61/0xa0
[   44.080985]  ? __save_stack_trace+0x61/0xd0
[   44.080993]  ? get_signal+0x73f/0x16d0
[   44.081000]  ? save_stack_trace+0x16/0x20
[   44.081006]  ? __lock_acquire+0x20fd/0x4620
[   44.081015]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   44.081027]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   44.081033]  ? save_stack_trace+0x16/0x20
[   44.081039]  ? __lock_acquire+0x20fd/0x4620
[   44.081045]  ? osq_unlock+0x350/0x350
[   44.081050]  ? save_stack_trace+0x16/0x20
[   44.081057]  ? lock_release+0xd70/0xd70
[   44.081065]  ? check_noncircular+0x20/0x20
[   44.081073]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   44.081081]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   44.081093]  ? find_held_lock+0x39/0x1d0
[   44.081103]  ? lock_downgrade+0x990/0x990
[   44.081109]  ? check_noncircular+0x20/0x20
[   44.081116]  lock_acquire+0x1d5/0x580
[   44.081123]  ? exit_pi_state_list+0x369/0x7a0
[   44.081131]  ? lock_release+0xd70/0xd70
[   44.081136]  ? do_raw_spin_trylock+0x190/0x190
[   44.081141]  ? find_held_lock+0x39/0x1d0
[   44.081155]  _raw_spin_lock_irq+0x5e/0x80
[   44.081160]  ? exit_pi_state_list+0x369/0x7a0
[   44.081165]  exit_pi_state_list+0x369/0x7a0
[   44.081177]  ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300
[   44.081184]  ? lock_release+0xd70/0xd70
[   44.081191]  ? trace_event_raw_event_sched_switch+0x770/0x770
[   44.081197]  ? _raw_spin_unlock_irqrestore+0x31/0xba
[   44.081206]  ? __might_sleep+0x95/0x190
[   44.081214]  ? __might_fault+0x188/0x1d0
[   44.081222]  ? do_raw_spin_trylock+0x190/0x190
[   44.081230]  mm_release+0x46d/0x590
[   44.081235]  ? do_raw_spin_trylock+0x190/0x190
[   44.081241]  ? mm_access+0x140/0x140
[   44.081247]  ? _raw_spin_unlock_irq+0x27/0x70
[   44.081254]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   44.081265]  ? trace_hardirqs_on+0xd/0x10
[   44.081271]  ? _raw_spin_unlock_irq+0x27/0x70
[   44.081276]  ? acct_collect+0x637/0x800
[   44.081283]  do_exit+0x481/0x1b00
[   44.081291]  ? mm_update_next_owner+0x930/0x930
[   44.081299]  ? trace_event_raw_event_sched_switch+0x770/0x770
[   44.081307]  ? find_held_lock+0x39/0x1d0
[   44.081319]  ? refill_pi_state_cache.part.6+0x2f0/0x2f0
[   44.081327]  ? check_noncircular+0x20/0x20
[   44.081337]  ? fault_in_user_writeable+0x90/0x90
[   44.081344]  ? futex_wake+0x680/0x680
[   44.081352]  ? find_held_lock+0x39/0x1d0
[   44.081363]  ? lock_downgrade+0x990/0x990
[   44.081369]  ? recalc_sigpending_tsk+0x117/0x150
[   44.081376]  ? recalc_sigpending+0x103/0x160
[   44.081383]  ? recalc_sigpending_tsk+0x150/0x150
[   44.081387]  ? get_signal+0x2b2/0x16d0
[   44.081397]  do_group_exit+0x149/0x400
[   44.081403]  ? __lock_is_held+0xbc/0x140
[   44.081408]  ? SyS_exit+0x30/0x30
[   44.081414]  ? _raw_spin_unlock_irq+0x27/0x70
[   44.081421]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   44.081428]  get_signal+0x73f/0x16d0
[   44.081438]  ? ptrace_notify+0x130/0x130
[   44.081450]  ? exit_robust_list+0x240/0x240
[   44.081461]  do_signal+0x94/0x1ee0
[   44.081467]  ? lock_release+0xd70/0xd70
[   44.081475]  ? find_held_lock+0x39/0x1d0
[   44.081482]  ? setup_sigcontext+0x7d0/0x7d0
[   44.081491]  ? lock_downgrade+0x990/0x990
[   44.081504]  ? lock_release+0xd70/0xd70
[   44.081510]  ? trace_event_raw_event_sched_switch+0x770/0x770
[   44.081518]  ? exit_to_usermode_loop+0x8c/0x310
[   44.081526]  exit_to_usermode_loop+0x214/0x310
[   44.081534]  ? trace_event_raw_event_sys_exit+0x260/0x260
[   44.081539]  ? kasan_check_write+0x14/0x20
[   44.081549]  syscall_return_slowpath+0x42f/0x510
[   44.081556]  ? prepare_exit_to_usermode+0x2d0/0x2d0
[   44.081563]  ? entry_SYSCALL_64_fastpath+0x91/0xbe
[   44.081570]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   44.081576]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   44.081586]  entry_SYSCALL_64_fastpath+0xbc/0xbe
[   44.081590] RIP: 0033:0x4520a9
[   44.081593] RSP: 002b:00007f93ff400cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[   44.081599] RAX: fffffffffffffe00 RBX: 0000000000718238 RCX: 00000000004520a9
[   44.081602] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000718238
[   44.081606] RBP: 0000000000718210 R08: 0000000000000000 R09: 0000000000000000
[   44.081609] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   44.081612] R13: 00007ffdb40e374f R14: 00007f93ff4019c0 R15: 000000000000000e
[   44.081621] 
[   44.081624] Allocated by task 7095:
[   44.081630]  save_stack_trace+0x16/0x20
[   44.081634]  save_stack+0x43/0xd0
[   44.081638]  kasan_kmalloc+0xad/0xe0
[   44.081644]  kmem_cache_alloc_trace+0x136/0x750
[   44.081649]  refill_pi_state_cache.part.6+0xa5/0x2f0
[   44.081653]  futex_requeue+0x1887/0x2370
[   44.081658]  do_futex+0x7f5/0x20d0
[   44.081662]  SyS_futex+0x260/0x390
[   44.081667]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   44.081668] 
[   44.081670] Freed by task 7063:
[   44.081675]  save_stack_trace+0x16/0x20
[   44.081679]  save_stack+0x43/0xd0
[   44.081683]  kasan_slab_free+0x71/0xc0
[   44.081687]  kfree+0xca/0x250
[   44.081691]  put_pi_state+0x3f4/0x560
[   44.081695]  unqueue_me_pi+0x4a/0xc0
[   44.081701]  futex_wait_requeue_pi.constprop.19+0xc7f/0x1300
[   44.081705]  do_futex+0x825/0x20d0
[   44.081709]  SyS_futex+0x260/0x390
[   44.081714]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   44.081715] 
[   44.081720] The buggy address belongs to the object at ffff8801d6b55680
[   44.081720]  which belongs to the cache kmalloc-256 of size 256
[   44.081724] The buggy address is located 40 bytes inside of
[   44.081724]  256-byte region [ffff8801d6b55680, ffff8801d6b55780)
[   44.081726] The buggy address belongs to the page:
[   44.081730] page:ffffea00075ad540 count:1 mapcount:0 mapping:ffff8801d6b55040 index:0x0
[   44.081735] flags: 0x200000000000100(slab)
[   44.081744] raw: 0200000000000100 ffff8801d6b55040 0000000000000000 000000010000000c
[   44.081750] raw: ffffea000763bf20 ffff8801dac01650 ffff8801dac007c0 0000000000000000
[   44.081752] page dumped because: kasan: bad access detected
[   44.081753] 
[   44.081755] Memory state around the buggy address:
[   44.081759]  ffff8801d6b55580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   44.081764]  ffff8801d6b55600: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   44.081768] >ffff8801d6b55680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   44.081770]                                   ^
[   44.081774]  ffff8801d6b55700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   44.081778]  ffff8801d6b55780: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[   44.081780] ==================================================================
[   44.081781] Disabling lock debugging due to kernel taint
[   44.081784] Kernel panic - not syncing: panic_on_warn set ...
[   44.081784] 
[   44.081790] CPU: 1 PID: 7073 Comm: syz-executor6 Tainted: G    B           4.14.0-rc2-mm1+ #11
[   44.081793] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   44.081794] Call Trace:
[   44.081800]  dump_stack+0x194/0x257
[   44.081808]  ? arch_local_irq_restore+0x53/0x53
[   44.081814]  ? vprintk_default+0x28/0x30
[   44.081821]  ? __lock_acquire+0x4060/0x4620
[   44.081827]  panic+0x1e4/0x41c
[   44.081833]  ? refcount_error_report+0x214/0x214
[   44.081845]  ? __lock_acquire+0x407b/0x4620
[   44.081850]  kasan_end_report+0x50/0x50
[   44.081856]  kasan_report+0x144/0x340
[   44.081863]  __asan_report_load8_noabort+0x14/0x20
[   44.081869]  __lock_acquire+0x407b/0x4620
[   44.081875]  ? unwind_dump+0x4c0/0x4c0
[   44.081879]  ? __unwind_start+0x169/0x330
[   44.081885]  ? __kernel_text_address+0xd/0x40
[   44.081890]  ? unwind_get_return_address+0x61/0xa0
[   44.081901]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   44.081906]  ? unwind_get_return_address+0x61/0xa0
[   44.081911]  ? __save_stack_trace+0x61/0xd0
[   44.081919]  ? get_signal+0x73f/0x16d0
[   44.081925]  ? save_stack_trace+0x16/0x20
[   44.081931]  ? __lock_acquire+0x20fd/0x4620
[   44.081940]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   44.081951]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   44.081957]  ? save_stack_trace+0x16/0x20
[   44.081963]  ? __lock_acquire+0x20fd/0x4620
[   44.081968]  ? osq_unlock+0x350/0x350
[   44.081973]  ? save_stack_trace+0x16/0x20
[   44.081981]  ? lock_release+0xd70/0xd70
[   44.081988]  ? check_noncircular+0x20/0x20
[   44.081996]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   44.082004]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   44.082015]  ? find_held_lock+0x39/0x1d0
[   44.082025]  ? lock_downgrade+0x990/0x990
[   44.082031]  ? check_noncircular+0x20/0x20
[   44.082038]  lock_acquire+0x1d5/0x580
[   44.082043]  ? exit_pi_state_list+0x369/0x7a0
[   44.082052]  ? lock_release+0xd70/0xd70
[   44.082057]  ? do_raw_spin_trylock+0x190/0x190
[   44.082062]  ? find_held_lock+0x39/0x1d0
[   44.082074]  _raw_spin_lock_irq+0x5e/0x80
[   44.082079]  ? exit_pi_state_list+0x369/0x7a0
[   44.082084]  exit_pi_state_list+0x369/0x7a0
[   44.082095]  ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300
[   44.082102]  ? lock_release+0xd70/0xd70
[   44.082108]  ? trace_event_raw_event_sched_switch+0x770/0x770
[   44.082115]  ? _raw_spin_unlock_irqrestore+0x31/0xba
[   44.082123]  ? __might_sleep+0x95/0x190
[   44.082130]  ? __might_fault+0x188/0x1d0
[   44.082138]  ? do_raw_spin_trylock+0x190/0x190
[   44.082145]  mm_release+0x46d/0x590
[   44.082150]  ? do_raw_spin_trylock+0x190/0x190
[   44.082155]  ? mm_access+0x140/0x140
[   44.082161]  ? _raw_spin_unlock_irq+0x27/0x70
[   44.082168]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   44.082175]  ? trace_hardirqs_on+0xd/0x10
[   44.082180]  ? _raw_spin_unlock_irq+0x27/0x70
[   44.082186]  ? acct_collect+0x637/0x800
[   44.082192]  do_exit+0x481/0x1b00
[   44.082200]  ? mm_update_next_owner+0x930/0x930