INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [ ok ] Starting enhanced syslogd: rsyslogd. [ ok ] Starting periodic command scheduler: cron. [ ok ] Starting OpenBSD Secure Shell server: sshd. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-upstream-mmots-kasan-gce-1,10.128.0.35' (ECDSA) to the list of known hosts. 2017/09/30 19:36:53 parsed 1 programs 2017/09/30 19:36:53 executed programs: 0 syzkaller login: [ 42.991652] ================================================================== [ 42.999087] BUG: KASAN: use-after-free in __lock_acquire+0x407b/0x4620 [ 43.005748] Read of size 8 at addr ffff8801ca512de8 by task syz-executor3/4107 [ 43.013094] [ 43.014701] CPU: 1 PID: 4107 Comm: syz-executor3 Not tainted 4.14.0-rc2-mm1+ #11 [ 43.022206] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 43.031544] Call Trace: [ 43.034124] dump_stack+0x194/0x257 [ 43.037728] ? arch_local_irq_restore+0x53/0x53 [ 43.042367] ? show_regs_print_info+0x65/0x65 [ 43.046830] ? __kernel_text_address+0xd/0x40 [ 43.051303] ? __lock_acquire+0x407b/0x4620 [ 43.055597] print_address_description+0x73/0x250 [ 43.060412] ? __lock_acquire+0x407b/0x4620 [ 43.064707] kasan_report+0x25b/0x340 [ 43.068481] __asan_report_load8_noabort+0x14/0x20 [ 43.073383] __lock_acquire+0x407b/0x4620 [ 43.077505] ? unwind_dump+0x4c0/0x4c0 [ 43.081370] ? __unwind_start+0x169/0x330 [ 43.085506] ? __kernel_text_address+0xd/0x40 [ 43.089992] ? unwind_get_return_address+0x61/0xa0 [ 43.094901] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 43.100059] ? unwind_get_return_address+0x61/0xa0 [ 43.104961] ? __save_stack_trace+0x61/0xd0 [ 43.109254] ? get_signal+0x73f/0x16d0 [ 43.113114] ? save_stack_trace+0x16/0x20 [ 43.117234] ? __lock_acquire+0x20fd/0x4620 [ 43.121532] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 43.126693] ? 
debug_check_no_locks_freed+0x3d0/0x3d0 [ 43.131855] ? save_stack_trace+0x16/0x20 [ 43.135986] ? __lock_acquire+0x20fd/0x4620 [ 43.140286] ? osq_unlock+0x350/0x350 [ 43.144066] ? save_stack_trace+0x16/0x20 [ 43.148190] ? check_noncircular+0x20/0x20 [ 43.152391] ? check_noncircular+0x20/0x20 [ 43.156592] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 43.161753] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 43.166909] ? __lock_is_held+0xbc/0x140 [ 43.170943] ? find_held_lock+0x39/0x1d0 [ 43.174973] ? lock_downgrade+0x990/0x990 [ 43.179086] ? check_noncircular+0x20/0x20 [ 43.183302] lock_acquire+0x1d5/0x580 [ 43.187081] ? exit_pi_state_list+0x369/0x7a0 [ 43.191564] ? lock_release+0xd70/0xd70 [ 43.195526] ? do_raw_spin_trylock+0x190/0x190 [ 43.200087] ? find_held_lock+0x39/0x1d0 [ 43.204143] _raw_spin_lock_irq+0x5e/0x80 [ 43.208262] ? exit_pi_state_list+0x369/0x7a0 [ 43.212732] exit_pi_state_list+0x369/0x7a0 [ 43.217035] ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300 [ 43.223068] ? lock_release+0xd70/0xd70 [ 43.227013] ? trace_event_raw_event_sched_switch+0x770/0x770 [ 43.232879] ? _raw_spin_unlock_irqrestore+0x31/0xba [ 43.237966] ? __might_sleep+0x95/0x190 [ 43.241922] ? __might_fault+0x188/0x1d0 [ 43.245969] ? do_raw_spin_trylock+0x190/0x190 [ 43.250530] mm_release+0x46d/0x590 [ 43.254125] ? do_raw_spin_trylock+0x190/0x190 [ 43.258674] ? mm_access+0x140/0x140 [ 43.262356] ? _raw_spin_unlock_irq+0x27/0x70 [ 43.266826] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 43.271812] ? trace_hardirqs_on+0xd/0x10 [ 43.275935] ? _raw_spin_unlock_irq+0x27/0x70 [ 43.280408] ? acct_collect+0x637/0x800 [ 43.284355] do_exit+0x481/0x1b00 [ 43.287781] ? mm_update_next_owner+0x930/0x930 [ 43.292419] ? trace_event_raw_event_sched_switch+0x770/0x770 [ 43.298285] ? rcu_note_context_switch+0x710/0x710 [ 43.303199] ? futex_wait_setup+0x14a/0x3d0 [ 43.307499] ? __might_sleep+0x95/0x190 [ 43.311454] ? _cond_resched+0x14/0x30 [ 43.315320] ? futex_wait_queue_me+0x524/0x7e0 [ 43.319868] ? 
refill_pi_state_cache.part.6+0x2f0/0x2f0 [ 43.325198] ? memset+0x31/0x40 [ 43.328449] ? check_noncircular+0x20/0x20 [ 43.332654] ? futex_wait_setup+0x22e/0x3d0 [ 43.336955] ? futex_wake+0x680/0x680 [ 43.340739] ? find_held_lock+0x39/0x1d0 [ 43.344787] ? lock_downgrade+0x990/0x990 [ 43.348926] ? recalc_sigpending_tsk+0x117/0x150 [ 43.353668] ? recalc_sigpending+0x103/0x160 [ 43.358049] ? recalc_sigpending_tsk+0x150/0x150 [ 43.362774] ? get_signal+0x2b2/0x16d0 [ 43.366631] do_group_exit+0x149/0x400 [ 43.370488] ? __lock_is_held+0xbc/0x140 [ 43.374515] ? SyS_exit+0x30/0x30 [ 43.377948] ? _raw_spin_unlock_irq+0x27/0x70 [ 43.382425] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 43.387411] get_signal+0x73f/0x16d0 [ 43.391105] ? ptrace_notify+0x130/0x130 [ 43.395151] ? __schedule+0x8f0/0x2070 [ 43.399023] ? exit_robust_list+0x240/0x240 [ 43.403334] ? depot_save_stack+0x12c/0x490 [ 43.407643] do_signal+0x94/0x1ee0 [ 43.411170] ? save_stack+0xa3/0xd0 [ 43.414778] ? find_held_lock+0x39/0x1d0 [ 43.418821] ? setup_sigcontext+0x7d0/0x7d0 [ 43.423123] ? lock_downgrade+0x990/0x990 [ 43.427245] ? lock_release+0xd70/0xd70 [ 43.431193] ? trace_event_raw_event_sched_switch+0x770/0x770 [ 43.437055] ? __fdget+0x18/0x20 [ 43.440406] ? exit_to_usermode_loop+0x8c/0x310 [ 43.445062] exit_to_usermode_loop+0x214/0x310 [ 43.449628] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 43.455144] ? kasan_check_write+0x14/0x20 [ 43.459371] syscall_return_slowpath+0x42f/0x510 [ 43.464104] ? prepare_exit_to_usermode+0x2d0/0x2d0 [ 43.469098] ? entry_SYSCALL_64_fastpath+0x91/0xbe [ 43.474005] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 43.479009] ? 
trace_hardirqs_on_thunk+0x1a/0x1c [ 43.483778] entry_SYSCALL_64_fastpath+0xbc/0xbe [ 43.488514] RIP: 0033:0x4520a9 [ 43.491678] RSP: 002b:00007f5720e77cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 43.499356] RAX: 0000000000000000 RBX: 0000000000718188 RCX: 00000000004520a9 [ 43.506605] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000718188 [ 43.513853] RBP: 0000000000718160 R08: 0000000000000000 R09: 0000000000000000 [ 43.521097] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 43.528333] R13: 00007ffd73283fcf R14: 00007f5720e789c0 R15: 0000000000000003 [ 43.535574] [ 43.537172] Allocated by task 4125: [ 43.540768] save_stack_trace+0x16/0x20 [ 43.544707] save_stack+0x43/0xd0 [ 43.548124] kasan_kmalloc+0xad/0xe0 [ 43.551811] kmem_cache_alloc_trace+0x136/0x750 [ 43.556451] refill_pi_state_cache.part.6+0xa5/0x2f0 [ 43.561517] futex_requeue+0x1887/0x2370 [ 43.565543] do_futex+0x7f5/0x20d0 [ 43.569048] SyS_futex+0x260/0x390 [ 43.572553] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 43.577270] [ 43.578861] Freed by task 4101: [ 43.582105] save_stack_trace+0x16/0x20 [ 43.586045] save_stack+0x43/0xd0 [ 43.589464] kasan_slab_free+0x71/0xc0 [ 43.593315] kfree+0xca/0x250 [ 43.596383] put_pi_state+0x3f4/0x560 [ 43.600148] unqueue_me_pi+0x4a/0xc0 [ 43.603827] futex_wait_requeue_pi.constprop.19+0xc7f/0x1300 [ 43.609591] do_futex+0x825/0x20d0 [ 43.613098] SyS_futex+0x260/0x390 [ 43.616604] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 43.621320] [ 43.622912] The buggy address belongs to the object at ffff8801ca512dc0 [ 43.622912] which belongs to the cache kmalloc-256 of size 256 [ 43.635537] The buggy address is located 40 bytes inside of [ 43.635537] 256-byte region [ffff8801ca512dc0, ffff8801ca512ec0) [ 43.647286] The buggy address belongs to the page: [ 43.652182] page:ffffea0007294480 count:1 mapcount:0 mapping:ffff8801ca512000 index:0x0 [ 43.660287] flags: 0x200000000000100(slab) [ 43.664488] raw: 0200000000000100 ffff8801ca512000 0000000000000000 
000000010000000c [ 43.672333] raw: ffffea00072a47e0 ffffea00072ad560 ffff8801dac007c0 0000000000000000 [ 43.680175] page dumped because: kasan: bad access detected [ 43.685848] [ 43.687439] Memory state around the buggy address: [ 43.692332] ffff8801ca512c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 43.699656] ffff8801ca512d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 43.706977] >ffff8801ca512d80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 43.714301] ^ [ 43.721024] ffff8801ca512e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 43.728353] ffff8801ca512e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 43.735675] ================================================================== [ 43.743002] Disabling lock debugging due to kernel taint [ 43.748420] Kernel panic - not syncing: panic_on_warn set ... [ 43.748420] [ 43.755753] CPU: 1 PID: 4107 Comm: syz-executor3 Tainted: G B 4.14.0-rc2-mm1+ #11 [ 43.764470] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 43.773788] Call Trace: [ 43.776342] dump_stack+0x194/0x257 [ 43.779945] ? arch_local_irq_restore+0x53/0x53 [ 43.784585] ? vprintk_default+0x28/0x30 [ 43.788618] ? __lock_acquire+0x4060/0x4620 [ 43.792907] panic+0x1e4/0x41c [ 43.796064] ? refcount_error_report+0x214/0x214 [ 43.800787] ? __lock_acquire+0x407b/0x4620 [ 43.805074] kasan_end_report+0x50/0x50 [ 43.809019] kasan_report+0x144/0x340 [ 43.812786] __asan_report_load8_noabort+0x14/0x20 [ 43.817680] __lock_acquire+0x407b/0x4620 [ 43.821798] ? unwind_dump+0x4c0/0x4c0 [ 43.825649] ? __unwind_start+0x169/0x330 [ 43.829760] ? __kernel_text_address+0xd/0x40 [ 43.834220] ? unwind_get_return_address+0x61/0xa0 [ 43.839117] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 43.844269] ? unwind_get_return_address+0x61/0xa0 [ 43.849165] ? __save_stack_trace+0x61/0xd0 [ 43.853452] ? get_signal+0x73f/0x16d0 [ 43.857322] ? save_stack_trace+0x16/0x20 [ 43.861436] ? __lock_acquire+0x20fd/0x4620 [ 43.865723] ? 
debug_check_no_locks_freed+0x3d0/0x3d0 [ 43.870880] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 43.876037] ? save_stack_trace+0x16/0x20 [ 43.880150] ? __lock_acquire+0x20fd/0x4620 [ 43.884442] ? osq_unlock+0x350/0x350 [ 43.888206] ? save_stack_trace+0x16/0x20 [ 43.892321] ? check_noncircular+0x20/0x20 [ 43.896521] ? check_noncircular+0x20/0x20 [ 43.900728] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 43.905883] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 43.911036] ? __lock_is_held+0xbc/0x140 [ 43.915061] ? find_held_lock+0x39/0x1d0 [ 43.919089] ? lock_downgrade+0x990/0x990 [ 43.923202] ? check_noncircular+0x20/0x20 [ 43.927403] lock_acquire+0x1d5/0x580 [ 43.931172] ? exit_pi_state_list+0x369/0x7a0 [ 43.935634] ? lock_release+0xd70/0xd70 [ 43.939586] ? do_raw_spin_trylock+0x190/0x190 [ 43.944134] ? find_held_lock+0x39/0x1d0 [ 43.948163] _raw_spin_lock_irq+0x5e/0x80 [ 43.952277] ? exit_pi_state_list+0x369/0x7a0 [ 43.956737] exit_pi_state_list+0x369/0x7a0 [ 43.961028] ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300 [ 43.967054] ? lock_release+0xd70/0xd70 [ 43.970999] ? trace_event_raw_event_sched_switch+0x770/0x770 [ 43.976859] ? _raw_spin_unlock_irqrestore+0x31/0xba [ 43.981927] ? __might_sleep+0x95/0x190 [ 43.985866] ? __might_fault+0x188/0x1d0 [ 43.989891] ? do_raw_spin_trylock+0x190/0x190