INIT: Entering runlevel: 2
[[36minfo[39;49m] Using makefile-style concurrent boot in runlevel 2.
[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-next-kasan-gce-6,10.128.15.216' (ECDSA) to the list of known hosts.
2017/09/30 05:38:05 parsed 1 programs
2017/09/30 05:38:05 executed programs: 0
2017/09/30 05:38:10 executed programs: 100
syzkaller login: [   46.978768] ==================================================================
[   46.986146] BUG: KASAN: use-after-free in __lock_acquire+0x407b/0x4620
[   46.992774] Read of size 8 at addr ffff8801cc2c2a68 by task syz-executor0/3751
[   47.000094] 
[   47.001690] CPU: 1 PID: 3751 Comm: syz-executor0 Not tainted 4.14.0-rc2-next-20170929+ #32
[   47.010053] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   47.019372] Call Trace:
[   47.021926]  dump_stack+0x194/0x257
[   47.025518]  ? arch_local_irq_restore+0x53/0x53
[   47.030155]  ? show_regs_print_info+0x65/0x65
[   47.034617]  ? __kernel_text_address+0xd/0x40
[   47.039079]  ? __lock_acquire+0x407b/0x4620
[   47.043369]  print_address_description+0x73/0x250
[   47.048178]  ? __lock_acquire+0x407b/0x4620
[   47.052464]  kasan_report+0x25b/0x340
[   47.056229]  __asan_report_load8_noabort+0x14/0x20
[   47.061125]  __lock_acquire+0x407b/0x4620
[   47.065239]  ? unwind_dump+0x4c0/0x4c0
[   47.069093]  ? __unwind_start+0x169/0x330
[   47.073209]  ? __kernel_text_address+0xd/0x40
[   47.077671]  ? unwind_get_return_address+0x61/0xa0
[   47.082569]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   47.087724]  ? unwind_get_return_address+0x61/0xa0
[   47.092619]  ? __save_stack_trace+0x61/0xd0
[   47.096910]  ? get_signal+0x73f/0x16d0
[   47.100761]  ? save_stack_trace+0x16/0x20
[   47.104873]  ? __lock_acquire+0x20fd/0x4620
[   47.109157]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   47.114311]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   47.119466]  ? __bpf_address_lookup+0x2b0/0x2b0
[   47.124096]  ? osq_unlock+0x350/0x350
[   47.127859]  ? lock_release+0xd70/0xd70
[   47.131800]  ? __free_insn_slot+0x5c0/0x5c0
[   47.136085]  ? check_noncircular+0x20/0x20
[   47.140287]  ? is_bpf_text_address+0xa4/0x120
[   47.144746]  ? kernel_text_address+0x102/0x140
[   47.149291]  ? __kernel_text_address+0xd/0x40
[   47.153755]  ? find_held_lock+0x39/0x1d0
[   47.157782]  ? lock_downgrade+0x990/0x990
[   47.161894]  ? check_noncircular+0x20/0x20
[   47.166090]  ? kasan_kmalloc+0xad/0xe0
[   47.169939]  lock_acquire+0x1d5/0x580
[   47.173705]  ? exit_pi_state_list+0x369/0x7a0
[   47.178165]  ? lock_release+0xd70/0xd70
[   47.182100]  ? do_raw_spin_trylock+0x190/0x190
[   47.186645]  ? find_held_lock+0x39/0x1d0
[   47.190687]  _raw_spin_lock_irq+0x5e/0x80
[   47.194804]  ? exit_pi_state_list+0x369/0x7a0
[   47.199263]  exit_pi_state_list+0x369/0x7a0
[   47.203549]  ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300
[   47.209570]  ? lock_release+0xd70/0xd70
[   47.213509]  ? trace_event_raw_event_sched_switch+0x770/0x770
[   47.219355]  ? _raw_spin_unlock_irqrestore+0x31/0xba
[   47.224421]  ? __might_sleep+0x95/0x190
[   47.228361]  ? __might_fault+0x188/0x1d0
[   47.232385]  ? do_raw_spin_trylock+0x190/0x190
[   47.236933]  mm_release+0x46d/0x590
[   47.240519]  ? do_raw_spin_trylock+0x190/0x190
[   47.245066]  ? mm_access+0x140/0x140
[   47.248742]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   47.253720]  ? trace_hardirqs_on+0xd/0x10
[   47.257829]  ? _raw_spin_unlock_irq+0x27/0x70
[   47.262288]  ? acct_collect+0x637/0x800
[   47.266225]  do_exit+0x481/0x1b00
[   47.269642]  ? mm_update_next_owner+0x930/0x930
[   47.274275]  ? trace_event_raw_event_sched_switch+0x770/0x770
[   47.280124]  ? find_held_lock+0x39/0x1d0
[   47.284153]  ? refill_pi_state_cache.part.6+0x2f0/0x2f0
[   47.289482]  ? check_noncircular+0x20/0x20
[   47.293682]  ? fault_in_user_writeable+0x90/0x90
[   47.298399]  ? futex_wake+0x680/0x680
[   47.302164]  ? find_held_lock+0x39/0x1d0
[   47.306192]  ? lock_downgrade+0x990/0x990
[   47.310303]  ? recalc_sigpending_tsk+0x117/0x150
[   47.315022]  ? recalc_sigpending+0x103/0x160
[   47.319393]  ? recalc_sigpending_tsk+0x150/0x150
[   47.324110]  ? get_signal+0x2b2/0x16d0
[   47.327962]  do_group_exit+0x149/0x400
[   47.331813]  ? __lock_is_held+0xbc/0x140
[   47.335840]  ? SyS_exit+0x30/0x30
[   47.339258]  ? _raw_spin_unlock_irq+0x27/0x70
[   47.343718]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   47.348698]  get_signal+0x73f/0x16d0
[   47.352393]  ? ptrace_notify+0x130/0x130
[   47.356417]  ? lock_release+0xd70/0xd70
[   47.360865]  ? __lock_is_held+0xbc/0x140
[   47.364894]  ? exit_robust_list+0x240/0x240
[   47.369180]  ? __fget+0x362/0x580
[   47.372598]  do_signal+0x94/0x1ee0
[   47.376100]  ? iterate_fd+0x3f0/0x3f0
[   47.379866]  ? __lock_is_held+0xbc/0x140
[   47.383890]  ? setup_sigcontext+0x7d0/0x7d0
[   47.388174]  ? __fget+0x362/0x580
[   47.391591]  ? __fget_light+0x29d/0x390
[   47.395530]  ? down_write+0x120/0x120
[   47.399294]  ? trace_event_raw_event_sched_switch+0x770/0x770
[   47.405141]  ? vm_mmap_pgoff+0x1fc/0x280
[   47.409166]  ? exit_to_usermode_loop+0x8c/0x310
[   47.413797]  exit_to_usermode_loop+0x214/0x310
[   47.418340]  ? trace_event_raw_event_sys_exit+0x260/0x260
[   47.423838]  ? fget_raw+0x20/0x20
[   47.427253]  ? kasan_check_write+0x14/0x20
[   47.431451]  syscall_return_slowpath+0x42f/0x510
[   47.436170]  ? prepare_exit_to_usermode+0x2d0/0x2d0
[   47.441149]  ? entry_SYSCALL_64_fastpath+0x91/0xbe
[   47.446050]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   47.451033]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   47.455760]  entry_SYSCALL_64_fastpath+0xbc/0xbe
[   47.460480] RIP: 0033:0x4520a9
[   47.463634] RSP: 002b:00007f3e58d9bcf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[   47.471315] RAX: fffffffffffffe00 RBX: 0000000000718028 RCX: 00000000004520a9
[   47.478551] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000718028
[   47.485787] RBP: 0000000000718000 R08: 0000000000000000 R09: 0000000000000000
[   47.493023] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   47.500259] R13: 0000000000a6f7ef R14: 00007f3e58d9c9c0 R15: 0000000000000000
[   47.507496] 
[   47.509090] Allocated by task 3753:
[   47.512688]  save_stack_trace+0x16/0x20
[   47.516626]  save_stack+0x43/0xd0
[   47.520043]  kasan_kmalloc+0xad/0xe0
[   47.523719]  kmem_cache_alloc_trace+0x136/0x750
[   47.528353]  refill_pi_state_cache.part.6+0xa5/0x2f0
[   47.533418]  futex_requeue+0x1887/0x2370
[   47.537442]  do_futex+0x7f5/0x20d0
[   47.540946]  SyS_futex+0x260/0x390
[   47.544450]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   47.549167] 
[   47.550760] Freed by task 3752:
[   47.554002]  save_stack_trace+0x16/0x20
[   47.557937]  save_stack+0x43/0xd0
[   47.561354]  kasan_slab_free+0x71/0xc0
[   47.565202]  kfree+0xca/0x250
[   47.568277]  put_pi_state+0x3f4/0x560
[   47.572039]  unqueue_me_pi+0x4a/0xc0
[   47.575724]  futex_wait_requeue_pi.constprop.19+0xc7f/0x1300
[   47.581483]  do_futex+0x825/0x20d0
[   47.584987]  SyS_futex+0x260/0x390
[   47.588487]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   47.593208] 
[   47.594802] The buggy address belongs to the object at ffff8801cc2c2a40
[   47.594802]  which belongs to the cache kmalloc-256 of size 256
[   47.607424] The buggy address is located 40 bytes inside of
[   47.607424]  256-byte region [ffff8801cc2c2a40, ffff8801cc2c2b40)
[   47.619258] The buggy address belongs to the page:
[   47.624151] page:ffffea000730b080 count:1 mapcount:0 mapping:ffff8801cc2c2040 index:0x0
[   47.632254] flags: 0x200000000000100(slab)
[   47.636461] raw: 0200000000000100 ffff8801cc2c2040 0000000000000000 000000010000000c
[   47.644302] raw: ffffea00072d1ba0 ffffea00072f3160 ffff8801dac007c0 0000000000000000
[   47.652144] page dumped because: kasan: bad access detected
[   47.657821] 
[   47.659412] Memory state around the buggy address:
[   47.664302]  ffff8801cc2c2900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   47.671625]  ffff8801cc2c2980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   47.678953] >ffff8801cc2c2a00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   47.686273]                                                           ^
[   47.692993]  ffff8801cc2c2a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   47.700313]  ffff8801cc2c2b00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   47.707632] ==================================================================
[   47.714951] Disabling lock debugging due to kernel taint
[   47.720361] Kernel panic - not syncing: panic_on_warn set ...
[   47.720361] 
[   47.727684] CPU: 1 PID: 3751 Comm: syz-executor0 Tainted: G    B           4.14.0-rc2-next-20170929+ #32
[   47.737261] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   47.746576] Call Trace:
[   47.749133]  dump_stack+0x194/0x257
[   47.752724]  ? arch_local_irq_restore+0x53/0x53
[   47.757357]  ? vprintk_default+0x28/0x30
[   47.761383]  ? __lock_acquire+0x4000/0x4620
[   47.765672]  panic+0x1e4/0x41c
[   47.768828]  ? refcount_error_report+0x214/0x214
[   47.773550]  ? __lock_acquire+0x407b/0x4620
[   47.777834]  kasan_end_report+0x50/0x50
[   47.781772]  kasan_report+0x144/0x340
[   47.785537]  __asan_report_load8_noabort+0x14/0x20
[   47.790428]  __lock_acquire+0x407b/0x4620
[   47.794538]  ? unwind_dump+0x4c0/0x4c0
[   47.798386]  ? __unwind_start+0x169/0x330
[   47.802495]  ? __kernel_text_address+0xd/0x40
[   47.806952]  ? unwind_get_return_address+0x61/0xa0
[   47.811846]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   47.816999]  ? unwind_get_return_address+0x61/0xa0
[   47.821891]  ? __save_stack_trace+0x61/0xd0
[   47.826181]  ? get_signal+0x73f/0x16d0
[   47.830033]  ? save_stack_trace+0x16/0x20
[   47.834144]  ? __lock_acquire+0x20fd/0x4620
[   47.838430]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   47.843587]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   47.848743]  ? __bpf_address_lookup+0x2b0/0x2b0
[   47.853377]  ? osq_unlock+0x350/0x350
[   47.857142]  ? lock_release+0xd70/0xd70
[   47.861080]  ? __free_insn_slot+0x5c0/0x5c0
[   47.865380]  ? check_noncircular+0x20/0x20
[   47.869584]  ? is_bpf_text_address+0xa4/0x120
[   47.874042]  ? kernel_text_address+0x102/0x140
[   47.878588]  ? __kernel_text_address+0xd/0x40
[   47.883061]  ? find_held_lock+0x39/0x1d0
[   47.887089]  ? lock_downgrade+0x990/0x990
[   47.891199]  ? check_noncircular+0x20/0x20
[   47.895395]  ? kasan_kmalloc+0xad/0xe0
[   47.899244]  lock_acquire+0x1d5/0x580
[   47.903007]  ? exit_pi_state_list+0x369/0x7a0
[   47.907467]  ? lock_release+0xd70/0xd70
[   47.911403]  ? do_raw_spin_trylock+0x190/0x190
[   47.915946]  ? find_held_lock+0x39/0x1d0
[   47.919975]  _raw_spin_lock_irq+0x5e/0x80
[   47.924088]  ? exit_pi_state_list+0x369/0x7a0
[   47.928548]  exit_pi_state_list+0x369/0x7a0
[   47.932836]  ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300
[   47.938861]  ? lock_release+0xd70/0xd70
[   47.942804]  ? trace_event_raw_event_sched_switch+0x770/0x770
[   47.948652]  ? _raw_spin_unlock_irqrestore+0x31/0xba
[   47.953718]  ? __might_sleep+0x95/0x190
[   47.957658]  ? __might_fault+0x188/0x1d0
[   47.961683]  ? do_raw_spin_trylock+0x190/0x190
[   47.966232]  mm_release+0x46d/0x590
[   47.969821]  ? do_raw_spin_trylock+0x190/0x190
[   47.974364]  ? mm_access+0x140/0x140
[   47.978044]  ? trace_hardirqs_on_caller+0x421/0x5c0