INIT: Entering runlevel: 2
[[36minfo[39;49m] Using makefile-style concurrent boot in runlevel 2.
[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-next-kasan-gce-7,10.128.15.229' (ECDSA) to the list of known hosts.
2017/09/30 19:06:10 parsed 1 programs
2017/09/30 19:06:10 executed programs: 0
2017/09/30 19:06:15 executed programs: 325
2017/09/30 19:06:20 executed programs: 640
syzkaller login: [   51.869375] ==================================================================
[   51.876796] BUG: KASAN: use-after-free in __lock_acquire+0x407b/0x4620
[   51.883470] Read of size 8 at addr ffff8801c3f54be8 by task syz-executor7/7313
[   51.890805] 
[   51.892407] CPU: 0 PID: 7313 Comm: syz-executor7 Not tainted 4.14.0-rc2-next-20170929+ #32
[   51.900781] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   51.910116] Call Trace:
[   51.912678]  dump_stack+0x194/0x257
[   51.916275]  ? arch_local_irq_restore+0x53/0x53
[   51.920929]  ? show_regs_print_info+0x65/0x65
[   51.925411]  ? __kernel_text_address+0xd/0x40
[   51.929888]  ? __lock_acquire+0x407b/0x4620
[   51.934180]  print_address_description+0x73/0x250
[   51.938998]  ? __lock_acquire+0x407b/0x4620
[   51.943302]  kasan_report+0x25b/0x340
[   51.947087]  __asan_report_load8_noabort+0x14/0x20
[   51.951987]  __lock_acquire+0x407b/0x4620
[   51.956104]  ? unwind_dump+0x4c0/0x4c0
[   51.959964]  ? __unwind_start+0x169/0x330
[   51.964087]  ? __kernel_text_address+0xd/0x40
[   51.968558]  ? unwind_get_return_address+0x61/0xa0
[   51.973471]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   51.978633]  ? unwind_get_return_address+0x61/0xa0
[   51.983533]  ? __save_stack_trace+0x61/0xd0
[   51.987831]  ? get_signal+0x73f/0x16d0
[   51.991697]  ? save_stack_trace+0x16/0x20
[   51.995815]  ? __lock_acquire+0x20fd/0x4620
[   52.000114]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   52.005284]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   52.010448]  ? save_stack_trace+0x16/0x20
[   52.014574]  ? __lock_acquire+0x20fd/0x4620
[   52.018868]  ? osq_unlock+0x350/0x350
[   52.022645]  ? save_stack_trace+0x16/0x20
[   52.026770]  ? lock_release+0xd70/0xd70
[   52.030716]  ? check_noncircular+0x20/0x20
[   52.034920]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   52.040084]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   52.045249]  ? find_held_lock+0x39/0x1d0
[   52.049281]  ? lock_downgrade+0x990/0x990
[   52.053404]  ? check_noncircular+0x20/0x20
[   52.057619]  lock_acquire+0x1d5/0x580
[   52.061394]  ? exit_pi_state_list+0x369/0x7a0
[   52.065857]  ? lock_release+0xd70/0xd70
[   52.069818]  ? do_raw_spin_trylock+0x190/0x190
[   52.074371]  ? find_held_lock+0x39/0x1d0
[   52.078412]  _raw_spin_lock_irq+0x5e/0x80
[   52.082528]  ? exit_pi_state_list+0x369/0x7a0
[   52.086998]  exit_pi_state_list+0x369/0x7a0
[   52.091296]  ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300
[   52.097324]  ? lock_release+0xd70/0xd70
[   52.101267]  ? trace_event_raw_event_sched_switch+0x770/0x770
[   52.107121]  ? _raw_spin_unlock_irqrestore+0x31/0xba
[   52.112217]  ? __might_sleep+0x95/0x190
[   52.116183]  ? __might_fault+0x188/0x1d0
[   52.120212]  ? do_raw_spin_trylock+0x190/0x190
[   52.124764]  mm_release+0x46d/0x590
[   52.128358]  ? do_raw_spin_trylock+0x190/0x190
[   52.132906]  ? mm_access+0x140/0x140
[   52.136586]  ? _raw_spin_unlock_irq+0x27/0x70
[   52.141056]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   52.146048]  ? trace_hardirqs_on+0xd/0x10
[   52.150173]  ? _raw_spin_unlock_irq+0x27/0x70
[   52.154636]  ? acct_collect+0x637/0x800
[   52.158585]  do_exit+0x481/0x1b00
[   52.162018]  ? mm_update_next_owner+0x930/0x930
[   52.166666]  ? trace_event_raw_event_sched_switch+0x770/0x770
[   52.172525]  ? find_held_lock+0x39/0x1d0
[   52.176575]  ? refill_pi_state_cache.part.6+0x2f0/0x2f0
[   52.181922]  ? check_noncircular+0x20/0x20
[   52.186126]  ? fault_in_user_writeable+0x90/0x90
[   52.190850]  ? futex_wake+0x680/0x680
[   52.194625]  ? find_held_lock+0x39/0x1d0
[   52.198658]  ? lock_downgrade+0x990/0x990
[   52.202773]  ? recalc_sigpending_tsk+0x117/0x150
[   52.207500]  ? recalc_sigpending+0x103/0x160
[   52.211875]  ? recalc_sigpending_tsk+0x150/0x150
[   52.216600]  ? get_signal+0x2b2/0x16d0
[   52.220463]  do_group_exit+0x149/0x400
[   52.224331]  ? __lock_is_held+0xbc/0x140
[   52.228357]  ? SyS_exit+0x30/0x30
[   52.231777]  ? _raw_spin_unlock_irq+0x27/0x70
[   52.236239]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   52.241230]  get_signal+0x73f/0x16d0
[   52.244912]  ? ptrace_notify+0x130/0x130
[   52.248950]  ? vma_wants_writenotify+0x3b0/0x3b0
[   52.253677]  ? exit_robust_list+0x240/0x240
[   52.257967]  ? lock_downgrade+0x990/0x990
[   52.262079]  ? SyS_brk+0x6f0/0x6f0
[   52.265586]  do_signal+0x94/0x1ee0
[   52.269095]  ? arch_get_unmapped_area+0x750/0x750
[   52.273905]  ? lock_acquire+0x1d5/0x580
[   52.277851]  ? vm_mmap_pgoff+0x198/0x280
[   52.281893]  ? userfaultfd_unmap_complete+0x327/0x510
[   52.287057]  ? setup_sigcontext+0x7d0/0x7d0
[   52.291351]  ? userfaultfd_unmap_prep+0x540/0x540
[   52.296162]  ? do_mmap+0x34f/0xd50
[   52.299670]  ? up_write+0x6b/0x120
[   52.303182]  ? down_write+0x120/0x120
[   52.306952]  ? security_mmap_file+0x143/0x180
[   52.311423]  ? vm_mmap_pgoff+0x1fc/0x280
[   52.315455]  ? exit_to_usermode_loop+0x8c/0x310
[   52.320093]  exit_to_usermode_loop+0x214/0x310
[   52.324642]  ? vma_is_stack_for_current+0xa0/0xa0
[   52.329457]  ? trace_event_raw_event_sys_exit+0x260/0x260
[   52.334973]  ? kasan_check_write+0x14/0x20
[   52.339188]  syscall_return_slowpath+0x42f/0x510
[   52.343914]  ? prepare_exit_to_usermode+0x2d0/0x2d0
[   52.348907]  ? entry_SYSCALL_64_fastpath+0x91/0xbe
[   52.353811]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   52.358805]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   52.363531]  entry_SYSCALL_64_fastpath+0xbc/0xbe
[   52.368258] RIP: 0033:0x4520a9
[   52.371424] RSP: 002b:00007f73a7067cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[   52.379105] RAX: fffffffffffffe00 RBX: 0000000000718188 RCX: 00000000004520a9
[   52.386348] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000718188
[   52.393595] RBP: 0000000000718160 R08: 0000000000000000 R09: 0000000000000000
[   52.400834] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   52.408077] R13: 00007ffde4cdc51f R14: 00007f73a70689c0 R15: 0000000000000005
[   52.415323] 
[   52.416921] Allocated by task 7337:
[   52.420526]  save_stack_trace+0x16/0x20
[   52.424474]  save_stack+0x43/0xd0
[   52.427891]  kasan_kmalloc+0xad/0xe0
[   52.431572]  kmem_cache_alloc_trace+0x136/0x750
[   52.436207]  refill_pi_state_cache.part.6+0xa5/0x2f0
[   52.441276]  futex_requeue+0x1887/0x2370
[   52.445300]  do_futex+0x7f5/0x20d0
[   52.448802]  SyS_futex+0x260/0x390
[   52.452309]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   52.457027] 
[   52.458625] Freed by task 7301:
[   52.461870]  save_stack_trace+0x16/0x20
[   52.465809]  save_stack+0x43/0xd0
[   52.469230]  kasan_slab_free+0x71/0xc0
[   52.473084]  kfree+0xca/0x250
[   52.476162]  put_pi_state+0x3f4/0x560
[   52.479934]  unqueue_me_pi+0x4a/0xc0
[   52.483615]  futex_wait_requeue_pi.constprop.19+0xc7f/0x1300
[   52.489384]  do_futex+0x825/0x20d0
[   52.492896]  SyS_futex+0x260/0x390
[   52.496410]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   52.501133] 
[   52.502727] The buggy address belongs to the object at ffff8801c3f54bc0
[   52.502727]  which belongs to the cache kmalloc-256 of size 256
[   52.515346] The buggy address is located 40 bytes inside of
[   52.515346]  256-byte region [ffff8801c3f54bc0, ffff8801c3f54cc0)
[   52.527097] The buggy address belongs to the page:
[   52.531990] page:ffffea00070fd500 count:1 mapcount:0 mapping:ffff8801c3f54080 index:0x0
[   52.540101] flags: 0x200000000000100(slab)
[   52.544309] raw: 0200000000000100 ffff8801c3f54080 0000000000000000 000000010000000c
[   52.552160] raw: ffffea0007107be0 ffffea00070eeaa0 ffff8801dac007c0 0000000000000000
[   52.560011] page dumped because: kasan: bad access detected
[   52.565689] 
[   52.567280] Memory state around the buggy address:
[   52.572179]  ffff8801c3f54a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   52.579502]  ffff8801c3f54b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   52.586824] >ffff8801c3f54b80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   52.594146]                                                           ^
[   52.600861]  ffff8801c3f54c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   52.608188]  ffff8801c3f54c80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   52.615514] ==================================================================
[   52.622837] Disabling lock debugging due to kernel taint
[   52.628253] Kernel panic - not syncing: panic_on_warn set ...
[   52.628253] 
[   52.635582] CPU: 0 PID: 7313 Comm: syz-executor7 Tainted: G    B           4.14.0-rc2-next-20170929+ #32
[   52.645176] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   52.654499] Call Trace:
[   52.657057]  dump_stack+0x194/0x257
[   52.660649]  ? arch_local_irq_restore+0x53/0x53
[   52.665291]  ? vprintk_default+0x28/0x30
[   52.669326]  ? __lock_acquire+0x4000/0x4620
[   52.673621]  panic+0x1e4/0x41c
[   52.676780]  ? refcount_error_report+0x214/0x214
[   52.681505]  ? __lock_acquire+0x407b/0x4620
[   52.685793]  kasan_end_report+0x50/0x50
[   52.689734]  kasan_report+0x144/0x340
[   52.693501]  __asan_report_load8_noabort+0x14/0x20
[   52.698396]  __lock_acquire+0x407b/0x4620
[   52.702508]  ? unwind_dump+0x4c0/0x4c0
[   52.706360]  ? __unwind_start+0x169/0x330
[   52.710483]  ? __kernel_text_address+0xd/0x40
[   52.714949]  ? unwind_get_return_address+0x61/0xa0
[   52.719846]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   52.725000]  ? unwind_get_return_address+0x61/0xa0
[   52.729897]  ? __save_stack_trace+0x61/0xd0
[   52.734188]  ? get_signal+0x73f/0x16d0
[   52.738042]  ? save_stack_trace+0x16/0x20
[   52.742156]  ? __lock_acquire+0x20fd/0x4620
[   52.746444]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   52.751607]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   52.756762]  ? save_stack_trace+0x16/0x20
[   52.760882]  ? __lock_acquire+0x20fd/0x4620
[   52.765175]  ? osq_unlock+0x350/0x350
[   52.768944]  ? save_stack_trace+0x16/0x20
[   52.773059]  ? lock_release+0xd70/0xd70
[   52.776998]  ? check_noncircular+0x20/0x20
[   52.781205]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   52.786366]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   52.791527]  ? find_held_lock+0x39/0x1d0
[   52.795554]  ? lock_downgrade+0x990/0x990
[   52.799674]  ? check_noncircular+0x20/0x20
[   52.803878]  lock_acquire+0x1d5/0x580
[   52.807644]  ? exit_pi_state_list+0x369/0x7a0
[   52.812106]  ? lock_release+0xd70/0xd70
[   52.816044]  ? do_raw_spin_trylock+0x190/0x190
[   52.820598]  ? find_held_lock+0x39/0x1d0
[   52.824629]  _raw_spin_lock_irq+0x5e/0x80
[   52.828742]  ? exit_pi_state_list+0x369/0x7a0
[   52.833203]  exit_pi_state_list+0x369/0x7a0
[   52.837493]  ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300
[   52.843517]  ? lock_release+0xd70/0xd70
[   52.847457]  ? trace_event_raw_event_sched_switch+0x770/0x770
[   52.853307]  ? _raw_spin_unlock_irqrestore+0x31/0xba
[   52.858377]  ? __might_sleep+0x95/0x190
[   52.862317]  ? __might_fault+0x188/0x1d0
[   52.866345]  ? do_raw_spin_trylock+0x190/0x190