INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added 'ci-upstream-kasan-gce-5,10.128.0.19' (ECDSA) to the list of known hosts.
2017/08/15 11:08:56 parsed 1 programs
2017/08/15 11:08:56 executed programs: 0
2017/08/15 11:09:01 executed programs: 212
syzkaller login: [ 48.801758] ==================================================================
[ 48.803166] BUG: KASAN: use-after-free in free_ldt_struct.part.2+0x10a/0x150
[ 48.804127] Read of size 4 at addr ffff8801d04c5448 by task syz-executor1/6194
[ 48.805108]
[ 48.805355] CPU: 1 PID: 6194 Comm: syz-executor1 Not tainted 4.13.0-rc5+ #36
[ 48.806429] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 48.807682] Call Trace:
[ 48.808075]  dump_stack+0x194/0x257
[ 48.808655]  ? arch_local_irq_restore+0x53/0x53
[ 48.809506]  ? show_regs_print_info+0x65/0x65
[ 48.810134]  ? free_ldt_struct.part.2+0x10a/0x150
[ 48.810836]  print_address_description+0x73/0x250
[ 48.811586]  ? free_ldt_struct.part.2+0x10a/0x150
[ 48.812268]  kasan_report+0x24e/0x340
[ 48.812809]  __asan_report_load4_noabort+0x14/0x20
[ 48.813506]  free_ldt_struct.part.2+0x10a/0x150
[ 48.814150]  ? rcu_pm_notify+0xc0/0xc0
[ 48.814692]  destroy_context_ldt+0x60/0x80
[ 48.815296]  __mmdrop+0xe9/0x530
[ 48.815780]  ? sighand_ctor+0x50/0x50
[ 48.816309]  ? trace_hardirqs_on+0xd/0x10
[ 48.816908]  ? percpu_counter_add_batch+0xce/0x130
[ 48.817595]  ? free_modinfo_version+0x70/0x70
[ 48.818232]  ? __khugepaged_exit+0x43d/0x650
[ 48.818853]  ? SyS_munmap+0x30/0x30
[ 48.819367]  ? ___might_sleep+0x1/0x470
[ 48.820128]  ? __might_sleep+0x95/0x190
[ 48.820756]  mmput+0x541/0x6e0
[ 48.821238]  ? get_task_exe_file+0xc0/0xc0
[ 48.821836]  ? is_current_pgrp_orphaned+0xa0/0xa0
[ 48.825780]  ? do_exit+0x979/0x1b10
[ 48.829397]  ? lock_downgrade+0x990/0x990
[ 48.833545]  ? do_raw_spin_trylock+0x190/0x190
[ 48.838125]  ? down_read+0x96/0x150
[ 48.841744]  ? do_exit+0x49c/0x1b10
[ 48.845363]  ? __down_interruptible+0x6a0/0x6a0
[ 48.850021]  ? trace_hardirqs_on+0xd/0x10
[ 48.854157]  ? _raw_spin_unlock_irq+0x27/0x70
[ 48.858652]  do_exit+0x989/0x1b10
[ 48.862100]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 48.867299]  ? mm_update_next_owner+0x930/0x930
[ 48.871979]  ? __cleanup_sighand+0x40/0x40
[ 48.876256]  ? perf_trace_lock+0xf1/0x860
[ 48.880406]  ? check_noncircular+0x20/0x20
[ 48.884676]  ? find_held_lock+0x35/0x1d0
[ 48.888744]  ? get_signal+0x855/0x17e0
[ 48.892621]  ? lock_downgrade+0x990/0x990
[ 48.896774]  do_group_exit+0x149/0x400
[ 48.900648]  ? __lock_is_held+0xb6/0x140
[ 48.904707]  ? SyS_exit+0x30/0x30
[ 48.908161]  ? _raw_spin_unlock_irq+0x27/0x70
[ 48.912647]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 48.917664]  get_signal+0x7e8/0x17e0
[ 48.921420]  ? ptrace_notify+0x130/0x130
[ 48.925534]  do_signal+0x94/0x1ee0
[ 48.929081]  ? _do_fork+0x1ef/0xfb0
[ 48.932694]  ? _do_fork+0x2dc/0xfb0
[ 48.936311]  ? setup_sigcontext+0x7d0/0x7d0
[ 48.940622]  ? fork_idle+0x2d0/0x2d0
[ 48.944347]  ? __perf_event_task_sched_in+0x219/0xa10
[ 48.949549]  ? find_held_lock+0x35/0x1d0
[ 48.953600]  ? exit_to_usermode_loop+0x98/0x300
[ 48.958271]  exit_to_usermode_loop+0x224/0x300
[ 48.962853]  ? trace_event_raw_event_sys_exit+0x260/0x260
[ 48.968378]  ? do_raw_spin_trylock+0x190/0x190
[ 48.972965]  do_syscall_64+0x5d4/0x800
[ 48.976845]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 48.981862]  ? syscall_return_slowpath+0x450/0x450
[ 48.986784]  ? syscall_return_slowpath+0x22f/0x450
[ 48.991702]  ? prepare_exit_to_usermode+0x220/0x220
[ 48.996709]  ? entry_SYSCALL_64_fastpath+0x5/0xbe
[ 49.001546]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 49.006382]  ? sys_vfork+0x30/0x30
[ 49.009918]  entry_SYSCALL64_slow_path+0x25/0x25
[ 49.014670] RIP: 0033:0x4512e9
[ 49.017844] RSP: 002b:00007f04e7924c08 EFLAGS: 00000216 ORIG_RAX: 0000000000000038
[ 49.025548] RAX: fffffffffffffdff RBX: 00000000007182a0 RCX: 00000000004512e9
[ 49.032800] RDX: 0000000020507ffc RSI: 00000000208a8f43 RDI: 0000000000002000
[ 49.040059] RBP: 00000000000003b0 R08: 00000000201e7ffe R09: 0000000000000000
[ 49.047315] R10: 0000000020117ffc R11: 0000000000000216 R12: 00000000004b65e1
[ 49.054566] R13: 00000000ffffffff R14: 0000000000002000 R15: 00000000208a8f43
[ 49.061857]
[ 49.063468] Allocated by task 6115:
[ 49.067083]  save_stack_trace+0x16/0x20
[ 49.071046]  save_stack+0x43/0xd0
[ 49.074486]  kasan_kmalloc+0xad/0xe0
[ 49.078185]  kmem_cache_alloc_trace+0x12f/0x740
[ 49.082844]  alloc_ldt_struct+0x52/0x140
[ 49.086896]  write_ldt+0x3e9/0xac0
[ 49.090430]  sys_modify_ldt+0x1ef/0x240
[ 49.094391]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 49.099140]
[ 49.100751] Freed by task 6194:
[ 49.104017]  save_stack_trace+0x16/0x20
[ 49.107980]  save_stack+0x43/0xd0
[ 49.111424]  kasan_slab_free+0x71/0xc0
[ 49.115295]  kfree+0xca/0x250
[ 49.118388]  free_ldt_struct.part.2+0xdd/0x150
[ 49.122955]  destroy_context_ldt+0x60/0x80
[ 49.127172]  __mmdrop+0xe9/0x530
[ 49.130520]  mmput+0x541/0x6e0
[ 49.133699]  copy_process.part.34+0x2315/0x4bd0
[ 49.138352]  _do_fork+0x1ef/0xfb0
[ 49.141789]  SyS_clone+0x37/0x50
[ 49.145160]  do_syscall_64+0x26c/0x800
[ 49.149045]  return_from_SYSCALL_64+0x0/0x7a
[ 49.153433]
[ 49.155043] The buggy address belongs to the object at ffff8801d04c5440
[ 49.155043]  which belongs to the cache kmalloc-32 of size 32
[ 49.167524] The buggy address is located 8 bytes inside of
[ 49.167524]  32-byte region [ffff8801d04c5440, ffff8801d04c5460)
[ 49.179117] The buggy address belongs to the page:
[ 49.184030] page:ffffea0007413140 count:1 mapcount:0 mapping:ffff8801d04c5000 index:0xffff8801d04c5fc1
[ 49.193462] flags: 0x200000000000100(slab)
[ 49.197682] raw: 0200000000000100 ffff8801d04c5000 ffff8801d04c5fc1 0000000100000026
[ 49.205547] raw: ffffea000746a4e0 ffffea000765af60 ffff8801dac001c0 0000000000000000
[ 49.213420] page dumped because: kasan: bad access detected
[ 49.219113]
[ 49.220732] Memory state around the buggy address:
[ 49.225645]  ffff8801d04c5300: 00 00 00 fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 49.232988]  ffff8801d04c5380: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 49.240330] >ffff8801d04c5400: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 49.247669]                                               ^
[ 49.253363]  ffff8801d04c5480: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 49.260708]  ffff8801d04c5500: fb fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[ 49.268048] ==================================================================
[ 49.275386] Disabling lock debugging due to kernel taint
[ 49.280953] Kernel panic - not syncing: panic_on_warn set ...
[ 49.280953]
[ 49.288303] CPU: 1 PID: 6194 Comm: syz-executor1 Tainted: G B 4.13.0-rc5+ #36
[ 49.296695] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 49.306073] Call Trace:
[ 49.308646]  dump_stack+0x194/0x257
[ 49.312260]  ? arch_local_irq_restore+0x53/0x53
[ 49.316929]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 49.321667]  ? free_ldt_struct.part.2+0xe0/0x150
[ 49.326390]  panic+0x1e4/0x417
[ 49.329551]  ? __warn+0x1d9/0x1d9
[ 49.332980]  ? free_ldt_struct.part.2+0x10a/0x150
[ 49.337831]  kasan_end_report+0x50/0x50
[ 49.341796]  kasan_report+0x137/0x340
[ 49.345567]  __asan_report_load4_noabort+0x14/0x20
[ 49.350461]  free_ldt_struct.part.2+0x10a/0x150
[ 49.355097]  ? rcu_pm_notify+0xc0/0xc0
[ 49.358953]  destroy_context_ldt+0x60/0x80
[ 49.363153]  __mmdrop+0xe9/0x530
[ 49.366488]  ? sighand_ctor+0x50/0x50
[ 49.370254]  ? trace_hardirqs_on+0xd/0x10
[ 49.374372]  ? percpu_counter_add_batch+0xce/0x130
[ 49.379272]  ? free_modinfo_version+0x70/0x70
[ 49.383733]  ? __khugepaged_exit+0x43d/0x650
[ 49.388113]  ? SyS_munmap+0x30/0x30
[ 49.391718]  ? ___might_sleep+0x1/0x470
[ 49.395665]  ? __might_sleep+0x95/0x190
[ 49.399606]  mmput+0x541/0x6e0
[ 49.402766]  ? get_task_exe_file+0xc0/0xc0
[ 49.406970]  ? is_current_pgrp_orphaned+0xa0/0xa0
[ 49.411776]  ? do_exit+0x979/0x1b10
[ 49.415383]  ? lock_downgrade+0x990/0x990
[ 49.419510]  ? do_raw_spin_trylock+0x190/0x190
[ 49.424076]  ? down_read+0x96/0x150
[ 49.427678]  ? do_exit+0x49c/0x1b10
[ 49.431274]  ? __down_interruptible+0x6a0/0x6a0
[ 49.435908]  ? trace_hardirqs_on+0xd/0x10
[ 49.440026]  ? _raw_spin_unlock_irq+0x27/0x70
[ 49.444496]  do_exit+0x989/0x1b10
[ 49.447918]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 49.453079]  ? mm_update_next_owner+0x930/0x930
[ 49.457721]  ? __cleanup_sighand+0x40/0x40
[ 49.461937]  ? perf_trace_lock+0xf1/0x860
[ 49.466062]  ? check_noncircular+0x20/0x20
[ 49.470275]  ? find_held_lock+0x35/0x1d0
[ 49.474306]  ? get_signal+0x855/0x17e0
[ 49.478159]  ? lock_downgrade+0x990/0x990
[ 49.482284]  do_group_exit+0x149/0x400
[ 49.486147]  ? __lock_is_held+0xb6/0x140
[ 49.490172]  ? SyS_exit+0x30/0x30
[ 49.493591]  ? _raw_spin_unlock_irq+0x27/0x70
[ 49.498053]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 49.503038]  get_signal+0x7e8/0x17e0
[ 49.506751]  ? ptrace_notify+0x130/0x130
[ 49.510805]  do_signal+0x94/0x1ee0
[ 49.514319]  ? _do_fork+0x1ef/0xfb0
[ 49.517910]  ? _do_fork+0x2dc/0xfb0
[ 49.521502]  ? setup_sigcontext+0x7d0/0x7d0
[ 49.525789]  ? fork_idle+0x2d0/0x2d0
[ 49.529477]  ? __perf_event_task_sched_in+0x219/0xa10
[ 49.534637]  ? find_held_lock+0x35/0x1d0
[ 49.538665]  ? exit_to_usermode_loop+0x98/0x300
[ 49.543302]  exit_to_usermode_loop+0x224/0x300
[ 49.547852]  ? trace_event_raw_event_sys_exit+0x260/0x260
[ 49.553356]  ? do_raw_spin_trylock+0x190/0x190
[ 49.557911]  do_syscall_64+0x5d4/0x800
[ 49.561766]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 49.566751]  ? syscall_return_slowpath+0x450/0x450
[ 49.571649]  ? syscall_return_slowpath+0x22f/0x450
[ 49.576545]  ? prepare_exit_to_usermode+0x220/0x220
[ 49.581528]  ? entry_SYSCALL_64_fastpath+0x5/0xbe
[ 49.586339]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 49.591148]  ? sys_vfork+0x30/0x30
[ 49.594654]  entry_SYSCALL64_slow_path+0x25/0x25
[ 49.599374] RIP: 0033:0x4512e9
[ 49.602528] RSP: 002b:00007f04e7924c08 EFLAGS: 00000216 ORIG_RAX: 0000000000000038
[ 49.610204] RAX: fffffffffffffdff RBX: 00000000007182a0 RCX: 00000000004512e9
[ 49.617448] RDX: 0000000020507ffc RSI: 00000000208a8f43 RDI: 0000000000002000
[ 49.624685] RBP: 00000000000003b0 R08: 00000000201e7ffe R09: 0000000000000000
[ 49.631921] R10: 0000000020117ffc R11: 0000000000000216 R12: 00000000004b65e1
[ 49.639159] R13: 00000000ffffffff R14: 0000000000002000 R15: 00000000208a8f43
[ 49.646750] Dumping ftrace buffer:
[ 49.650256]    (ftrace buffer empty)
[ 49.653929] Kernel Offset: disabled
[ 49.657521] Rebooting in 86400 seconds..