INIT: Entering runlevel: 2
[[36minfo[39;49m] Using makefile-style concurrent boot in runlevel 2.
[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-mmots-kasan-gce-1,10.128.0.58' (ECDSA) to the list of known hosts.
2017/09/30 09:00:22 parsed 1 programs
2017/09/30 09:00:22 executed programs: 0
syzkaller login: [   39.003100] ==================================================================
[   39.010499] BUG: KASAN: use-after-free in __lock_acquire+0x407b/0x4620
[   39.017129] Read of size 8 at addr ffff8801ce66b2a8 by task syz-executor6/3184
[   39.024448] 
[   39.026044] CPU: 0 PID: 3184 Comm: syz-executor6 Not tainted 4.14.0-rc2-mm1+ #11
[   39.033540] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   39.042858] Call Trace:
[   39.045411]  dump_stack+0x194/0x257
[   39.049001]  ? arch_local_irq_restore+0x53/0x53
[   39.053635]  ? show_regs_print_info+0x65/0x65
[   39.058095]  ? __kernel_text_address+0xd/0x40
[   39.062552]  ? __lock_acquire+0x407b/0x4620
[   39.066838]  print_address_description+0x73/0x250
[   39.071645]  ? __lock_acquire+0x407b/0x4620
[   39.075931]  kasan_report+0x25b/0x340
[   39.079698]  __asan_report_load8_noabort+0x14/0x20
[   39.084591]  __lock_acquire+0x407b/0x4620
[   39.088705]  ? unwind_dump+0x4c0/0x4c0
[   39.092555]  ? __unwind_start+0x169/0x330
[   39.096672]  ? __kernel_text_address+0xd/0x40
[   39.101132]  ? unwind_get_return_address+0x61/0xa0
[   39.106030]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   39.111182]  ? unwind_get_return_address+0x61/0xa0
[   39.116076]  ? __save_stack_trace+0x61/0xd0
[   39.120362]  ? get_signal+0x73f/0x16d0
[   39.124216]  ? save_stack_trace+0x16/0x20
[   39.128329]  ? __lock_acquire+0x20fd/0x4620
[   39.132617]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   39.137773]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   39.142935]  ? save_stack_trace+0x16/0x20
[   39.147049]  ? __lock_acquire+0x20fd/0x4620
[   39.151335]  ? osq_unlock+0x350/0x350
[   39.155099]  ? save_stack_trace+0x16/0x20
[   39.159213]  ? lock_release+0xd70/0xd70
[   39.163152]  ? check_noncircular+0x20/0x20
[   39.167353]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   39.172509]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   39.177668]  ? find_held_lock+0x39/0x1d0
[   39.181697]  ? lock_downgrade+0x990/0x990
[   39.185807]  ? check_noncircular+0x20/0x20
[   39.190005]  lock_acquire+0x1d5/0x580
[   39.193771]  ? exit_pi_state_list+0x369/0x7a0
[   39.198246]  ? lock_release+0xd70/0xd70
[   39.202182]  ? do_raw_spin_trylock+0x190/0x190
[   39.206726]  ? find_held_lock+0x39/0x1d0
[   39.210757]  _raw_spin_lock_irq+0x5e/0x80
[   39.214867]  ? exit_pi_state_list+0x369/0x7a0
[   39.219326]  exit_pi_state_list+0x369/0x7a0
[   39.223613]  ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300
[   39.229635]  ? lock_release+0xd70/0xd70
[   39.233579]  ? trace_event_raw_event_sched_switch+0x770/0x770
[   39.239429]  ? _raw_spin_unlock_irqrestore+0x31/0xba
[   39.244497]  ? __might_sleep+0x95/0x190
[   39.248437]  ? __might_fault+0x188/0x1d0
[   39.252463]  ? do_raw_spin_trylock+0x190/0x190
[   39.257011]  mm_release+0x46d/0x590
[   39.260601]  ? do_raw_spin_trylock+0x190/0x190
[   39.265146]  ? mm_access+0x140/0x140
[   39.268823]  ? _raw_spin_unlock_irq+0x27/0x70
[   39.273283]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   39.278262]  ? trace_hardirqs_on+0xd/0x10
[   39.282385]  ? _raw_spin_unlock_irq+0x27/0x70
[   39.286846]  ? acct_collect+0x637/0x800
[   39.290785]  do_exit+0x481/0x1b00
[   39.294204]  ? mm_update_next_owner+0x930/0x930
[   39.298839]  ? trace_event_raw_event_sched_switch+0x770/0x770
[   39.304691]  ? find_held_lock+0x39/0x1d0
[   39.308722]  ? refill_pi_state_cache.part.6+0x2f0/0x2f0
[   39.314049]  ? check_noncircular+0x20/0x20
[   39.318250]  ? fault_in_user_writeable+0x90/0x90
[   39.322969]  ? futex_wake+0x680/0x680
[   39.326735]  ? find_held_lock+0x39/0x1d0
[   39.330763]  ? lock_downgrade+0x990/0x990
[   39.334877]  ? recalc_sigpending_tsk+0x117/0x150
[   39.339600]  ? recalc_sigpending+0x103/0x160
[   39.343972]  ? recalc_sigpending_tsk+0x150/0x150
[   39.348688]  ? get_signal+0x2b2/0x16d0
[   39.352540]  do_group_exit+0x149/0x400
[   39.356391]  ? __lock_is_held+0xbc/0x140
[   39.360424]  ? SyS_exit+0x30/0x30
[   39.363844]  ? _raw_spin_unlock_irq+0x27/0x70
[   39.368304]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   39.373282]  get_signal+0x73f/0x16d0
[   39.376961]  ? ptrace_notify+0x130/0x130
[   39.380987]  ? vma_wants_writenotify+0x3b0/0x3b0
[   39.385710]  ? exit_robust_list+0x240/0x240
[   39.389995]  ? lock_downgrade+0x990/0x990
[   39.394107]  ? SyS_brk+0x6f0/0x6f0
[   39.397613]  do_signal+0x94/0x1ee0
[   39.401116]  ? arch_get_unmapped_area+0x750/0x750
[   39.405922]  ? lock_acquire+0x1d5/0x580
[   39.409862]  ? find_held_lock+0x39/0x1d0
[   39.413887]  ? setup_sigcontext+0x7d0/0x7d0
[   39.418174]  ? lock_downgrade+0x990/0x990
[   39.422287]  ? down_write+0x120/0x120
[   39.426051]  ? lock_release+0xd70/0xd70
[   39.429990]  ? trace_event_raw_event_sched_switch+0x770/0x770
[   39.435839]  ? vm_mmap_pgoff+0x1fc/0x280
[   39.439864]  ? exit_to_usermode_loop+0x8c/0x310
[   39.444499]  exit_to_usermode_loop+0x214/0x310
[   39.449044]  ? trace_event_raw_event_sys_exit+0x260/0x260
[   39.454544]  ? kasan_check_write+0x14/0x20
[   39.458745]  syscall_return_slowpath+0x42f/0x510
[   39.463466]  ? prepare_exit_to_usermode+0x2d0/0x2d0
[   39.468447]  ? entry_SYSCALL_64_fastpath+0x91/0xbe
[   39.473343]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   39.478324]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   39.483046]  entry_SYSCALL_64_fastpath+0xbc/0xbe
[   39.487763] RIP: 0033:0x4520a9
[   39.490918] RSP: 002b:00007fa34a9d3cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[   39.498645] RAX: fffffffffffffe00 RBX: 0000000000718028 RCX: 00000000004520a9
[   39.505881] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000718028
[   39.513116] RBP: 0000000000718000 R08: 0000000000000000 R09: 0000000000000000
[   39.520351] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   39.527584] R13: 00007fff5cdfaa4f R14: 00007fa34a9d49c0 R15: 0000000000000000
[   39.534825] 
[   39.536419] Allocated by task 3210:
[   39.540012]  save_stack_trace+0x16/0x20
[   39.543948]  save_stack+0x43/0xd0
[   39.547362]  kasan_kmalloc+0xad/0xe0
[   39.551040]  kmem_cache_alloc_trace+0x136/0x750
[   39.555671]  refill_pi_state_cache.part.6+0xa5/0x2f0
[   39.560736]  futex_requeue+0x1887/0x2370
[   39.564760]  do_futex+0x7f5/0x20d0
[   39.568264]  SyS_futex+0x260/0x390
[   39.571770]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   39.576573] 
[   39.578164] Freed by task 3193:
[   39.581409]  save_stack_trace+0x16/0x20
[   39.585345]  save_stack+0x43/0xd0
[   39.588772]  kasan_slab_free+0x71/0xc0
[   39.592623]  kfree+0xca/0x250
[   39.595695]  put_pi_state+0x3f4/0x560
[   39.599458]  unqueue_me_pi+0x4a/0xc0
[   39.603134]  futex_wait_requeue_pi.constprop.19+0xc7f/0x1300
[   39.608894]  do_futex+0x825/0x20d0
[   39.612398]  SyS_futex+0x260/0x390
[   39.615900]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   39.620618] 
[   39.622215] The buggy address belongs to the object at ffff8801ce66b280
[   39.622215]  which belongs to the cache kmalloc-256 of size 256
[   39.634834] The buggy address is located 40 bytes inside of
[   39.634834]  256-byte region [ffff8801ce66b280, ffff8801ce66b380)
[   39.646583] The buggy address belongs to the page:
[   39.651474] page:ffffea0007399ac0 count:1 mapcount:0 mapping:ffff8801ce66b000 index:0x0
[   39.659578] flags: 0x200000000000100(slab)
[   39.663779] raw: 0200000000000100 ffff8801ce66b000 0000000000000000 000000010000000c
[   39.671625] raw: ffffea000737a6e0 ffffea0007343ae0 ffff8801dac007c0 0000000000000000
[   39.679464] page dumped because: kasan: bad access detected
[   39.685134] 
[   39.686723] Memory state around the buggy address:
[   39.691622]  ffff8801ce66b180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   39.698952]  ffff8801ce66b200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   39.706274] >ffff8801ce66b280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   39.713597]                                   ^
[   39.718231]  ffff8801ce66b300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   39.725552]  ffff8801ce66b380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   39.732872] ==================================================================
[   39.740199] Disabling lock debugging due to kernel taint
[   39.745614] Kernel panic - not syncing: panic_on_warn set ...
[   39.745614] 
[   39.752940] CPU: 0 PID: 3184 Comm: syz-executor6 Tainted: G    B           4.14.0-rc2-mm1+ #11
[   39.761651] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   39.770979] Call Trace:
[   39.773534]  dump_stack+0x194/0x257
[   39.777126]  ? arch_local_irq_restore+0x53/0x53
[   39.781757]  ? vprintk_default+0x28/0x30
[   39.785782]  ? __lock_acquire+0x4060/0x4620
[   39.790068]  panic+0x1e4/0x41c
[   39.793225]  ? refcount_error_report+0x214/0x214
[   39.797946]  ? __lock_acquire+0x407b/0x4620
[   39.802232]  kasan_end_report+0x50/0x50
[   39.806168]  kasan_report+0x144/0x340
[   39.809932]  __asan_report_load8_noabort+0x14/0x20
[   39.814826]  __lock_acquire+0x407b/0x4620
[   39.818936]  ? unwind_dump+0x4c0/0x4c0
[   39.822785]  ? __unwind_start+0x169/0x330
[   39.826896]  ? __kernel_text_address+0xd/0x40
[   39.831354]  ? unwind_get_return_address+0x61/0xa0
[   39.836248]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   39.841400]  ? unwind_get_return_address+0x61/0xa0
[   39.846293]  ? __save_stack_trace+0x61/0xd0
[   39.850582]  ? get_signal+0x73f/0x16d0
[   39.854432]  ? save_stack_trace+0x16/0x20
[   39.858546]  ? __lock_acquire+0x20fd/0x4620
[   39.862833]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   39.867986]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   39.873139]  ? save_stack_trace+0x16/0x20
[   39.877254]  ? __lock_acquire+0x20fd/0x4620
[   39.881538]  ? osq_unlock+0x350/0x350
[   39.885301]  ? save_stack_trace+0x16/0x20
[   39.889412]  ? lock_release+0xd70/0xd70
[   39.893350]  ? check_noncircular+0x20/0x20
[   39.897551]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   39.902704]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   39.907860]  ? find_held_lock+0x39/0x1d0
[   39.911887]  ? lock_downgrade+0x990/0x990
[   39.916008]  ? check_noncircular+0x20/0x20
[   39.920206]  lock_acquire+0x1d5/0x580
[   39.923973]  ? exit_pi_state_list+0x369/0x7a0
[   39.928432]  ? lock_release+0xd70/0xd70
[   39.932367]  ? do_raw_spin_trylock+0x190/0x190
[   39.936912]  ? find_held_lock+0x39/0x1d0
[   39.940940]  _raw_spin_lock_irq+0x5e/0x80
[   39.945049]  ? exit_pi_state_list+0x369/0x7a0
[   39.949509]  exit_pi_state_list+0x369/0x7a0
[   39.953814]  ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300
[   39.959835]  ? lock_release+0xd70/0xd70
[   39.963774]  ? trace_event_raw_event_sched_switch+0x770/0x770
[   39.969622]  ? _raw_spin_unlock_irqrestore+0x31/0xba
[   39.974692]  ? __might_sleep+0x95/0x190
[   39.978632]  ? __might_fault+0x188/0x1d0
[   39.982658]  ? do_raw_spin_trylock+0x190/0x190
[   39.987203]  mm_release+0x46d/0x590
[   39.990791]  ? do_raw_spin_trylock+0x190/0x190
[   39.995334]  ? mm_access+0x140/0x140
[   39.999009]  ? _raw_spin_unlock_irq+0x27/0x70