INIT: Entering runlevel: 2
[[36minfo[39;49m] Using makefile-style concurrent boot in runlevel 2.
[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-kasan-gce-386-4,10.128.0.28' (ECDSA) to the list of known hosts.
2017/10/04 10:56:31 parsed 1 programs
2017/10/04 10:56:31 executed programs: 0
2017/10/04 10:56:36 executed programs: 56
2017/10/04 10:56:41 executed programs: 111
2017/10/04 10:56:46 executed programs: 166
syzkaller login: [   97.120970] ==================================================================
[   97.128417] BUG: KASAN: use-after-free in __lock_acquire+0x407b/0x4620
[   97.135047] Read of size 8 at addr ffff8801cb8a0ae8 by task syz-executor0/4041
[   97.142368] 
[   97.143962] CPU: 0 PID: 4041 Comm: syz-executor0 Not tainted 4.14.0-rc3+ #24
[   97.151110] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   97.160426] Call Trace:
[   97.162981]  dump_stack+0x194/0x257
[   97.166572]  ? arch_local_irq_restore+0x53/0x53
[   97.171206]  ? show_regs_print_info+0x65/0x65
[   97.175668]  ? __kernel_text_address+0xd/0x40
[   97.180129]  ? __lock_acquire+0x407b/0x4620
[   97.184417]  print_address_description+0x73/0x250
[   97.189225]  ? __lock_acquire+0x407b/0x4620
[   97.193513]  kasan_report+0x25b/0x340
[   97.197279]  __asan_report_load8_noabort+0x14/0x20
[   97.202173]  __lock_acquire+0x407b/0x4620
[   97.206286]  ? unwind_dump+0x4c0/0x4c0
[   97.210137]  ? __kernel_text_address+0xd/0x40
[   97.214596]  ? unwind_get_return_address+0x61/0xa0
[   97.219492]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   97.224658]  ? __save_stack_trace+0x61/0xd0
[   97.228949]  ? get_signal+0x73f/0x16d0
[   97.232803]  ? save_stack_trace+0x16/0x20
[   97.236920]  ? __lock_acquire+0x20fd/0x4620
[   97.241209]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   97.246368]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   97.251525]  ? save_stack_trace+0x16/0x20
[   97.255638]  ? __lock_acquire+0x20fd/0x4620
[   97.259924]  ? osq_unlock+0x350/0x350
[   97.263687]  ? save_stack_trace+0x16/0x20
[   97.267802]  ? check_noncircular+0x20/0x20
[   97.272004]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   97.277158]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   97.282314]  ? find_held_lock+0x39/0x1d0
[   97.286340]  ? lock_downgrade+0x990/0x990
[   97.290458]  ? check_noncircular+0x20/0x20
[   97.294659]  lock_acquire+0x1d5/0x580
[   97.298425]  ? exit_pi_state_list+0x369/0x7a0
[   97.302885]  ? lock_release+0xd70/0xd70
[   97.306823]  ? do_raw_spin_trylock+0x190/0x190
[   97.311369]  ? find_held_lock+0x39/0x1d0
[   97.315400]  _raw_spin_lock_irq+0x5e/0x80
[   97.319511]  ? exit_pi_state_list+0x369/0x7a0
[   97.323973]  exit_pi_state_list+0x369/0x7a0
[   97.328267]  ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300
[   97.334294]  ? lock_release+0xd70/0xd70
[   97.338236]  ? check_same_owner+0x320/0x320
[   97.342523]  ? _raw_spin_unlock_irqrestore+0x31/0xba
[   97.347594]  ? __might_sleep+0x95/0x190
[   97.351535]  ? __might_fault+0x188/0x1d0
[   97.355561]  ? do_raw_spin_trylock+0x190/0x190
[   97.360107]  mm_release+0x46d/0x590
[   97.363697]  ? do_raw_spin_trylock+0x190/0x190
[   97.368244]  ? mm_access+0x140/0x140
[   97.371924]  ? _raw_spin_unlock_irq+0x27/0x70
[   97.376384]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   97.381365]  ? trace_hardirqs_on+0xd/0x10
[   97.385475]  ? _raw_spin_unlock_irq+0x27/0x70
[   97.389935]  ? acct_collect+0x637/0x800
[   97.393874]  do_exit+0x481/0x1af0
[   97.397291]  ? __might_sleep+0x95/0x190
[   97.401229]  ? mm_update_next_owner+0x930/0x930
[   97.405876]  ? refill_pi_state_cache.part.6+0x2f0/0x2f0
[   97.411205]  ? memset+0x31/0x40
[   97.414449]  ? get_futex_value_locked+0xc3/0xf0
[   97.419082]  ? futex_wait_setup+0x22e/0x3d0
[   97.423370]  ? osq_unlock+0x350/0x350
[   97.427133]  ? futex_wake+0x680/0x680
[   97.430898]  ? fault_in_user_writeable+0x90/0x90
[   97.435618]  ? check_noncircular+0x20/0x20
[   97.439815]  ? futex_wake+0x32d/0x680
[   97.443580]  ? drop_futex_key_refs.isra.13+0x63/0xb0
[   97.448645]  ? futex_wait+0x69e/0x990
[   97.452410]  ? do_raw_spin_trylock+0x190/0x190
[   97.456958]  ? futex_wait_setup+0x3d0/0x3d0
[   97.461243]  ? find_held_lock+0x39/0x1d0
[   97.465272]  ? lock_downgrade+0x990/0x990
[   97.469385]  ? recalc_sigpending_tsk+0x117/0x150
[   97.474105]  ? recalc_sigpending+0x103/0x160
[   97.478477]  ? recalc_sigpending_tsk+0x150/0x150
[   97.483197]  ? get_signal+0x2b2/0x16d0
[   97.487052]  do_group_exit+0x149/0x400
[   97.490905]  ? __lock_is_held+0xbc/0x140
[   97.494929]  ? SyS_exit+0x30/0x30
[   97.498348]  ? _raw_spin_unlock_irq+0x27/0x70
[   97.502805]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   97.507783]  get_signal+0x73f/0x16d0
[   97.511463]  ? ptrace_notify+0x130/0x130
[   97.515496]  do_signal+0x94/0x1ee0
[   97.519002]  ? setup_sigcontext+0x7d0/0x7d0
[   97.523293]  ? find_held_lock+0x39/0x1d0
[   97.527318]  ? __compat_get_timespec+0xd9/0x120
[   97.531952]  ? exit_to_usermode_loop+0x8c/0x310
[   97.536586]  exit_to_usermode_loop+0x214/0x310
[   97.541133]  ? trace_event_raw_event_sys_exit+0x260/0x260
[   97.546632]  ? lock_acquire+0x1d5/0x580
[   97.550570]  ? do_fast_syscall_32+0x158/0xf05
[   97.555033]  do_fast_syscall_32+0x83e/0xf05
[   97.559320]  ? compat_start_thread+0x80/0x80
[   97.563692]  ? do_int80_syscall_32+0x940/0x940
[   97.568239]  ? lockdep_sys_exit+0x47/0xf0
[   97.572351]  ? syscall_return_slowpath+0x2b3/0x510
[   97.577243]  ? finish_task_switch+0x1aa/0x740
[   97.581701]  ? prepare_exit_to_usermode+0x2d0/0x2d0
[   97.586686]  ? sysret32_from_system_call+0x5/0x3b
[   97.591496]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   97.596304]  entry_SYSENTER_compat+0x51/0x60
[   97.600675] RIP: 0023:0xf7fd1c79
[   97.604003] RSP: 002b:00000000f7f8b12c EFLAGS: 00000292 ORIG_RAX: 00000000000000f0
[   97.611676] RAX: 0000000000000000 RBX: 00000000081280f8 RCX: 0000000000000000
[   97.618910] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[   97.626156] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   97.633391] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   97.640624] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   97.647867] 
[   97.649459] Allocated by task 4042:
[   97.653053]  save_stack_trace+0x16/0x20
[   97.656993]  save_stack+0x43/0xd0
[   97.660414]  kasan_kmalloc+0xad/0xe0
[   97.664091]  kmem_cache_alloc_trace+0x136/0x750
[   97.668723]  refill_pi_state_cache.part.6+0xa5/0x2f0
[   97.673792]  futex_requeue+0x1887/0x2370
[   97.677815]  do_futex+0x7f5/0x20d0
[   97.681319]  compat_SyS_futex+0x27f/0x380
[   97.685432]  do_fast_syscall_32+0x3f2/0xf05
[   97.689722]  entry_SYSENTER_compat+0x51/0x60
[   97.694092] 
[   97.695684] Freed by task 4040:
[   97.698926]  save_stack_trace+0x16/0x20
[   97.702863]  save_stack+0x43/0xd0
[   97.706278]  kasan_slab_free+0x71/0xc0
[   97.710127]  kfree+0xca/0x250
[   97.713195]  put_pi_state+0x3f4/0x560
[   97.716958]  unqueue_me_pi+0x4a/0xc0
[   97.720634]  futex_wait_requeue_pi.constprop.19+0xc7f/0x1300
[   97.726393]  do_futex+0x825/0x20d0
[   97.729895]  compat_SyS_futex+0x27f/0x380
[   97.734010]  do_fast_syscall_32+0x3f2/0xf05
[   97.738295]  entry_SYSENTER_compat+0x51/0x60
[   97.742662] 
[   97.744254] The buggy address belongs to the object at ffff8801cb8a0ac0
[   97.744254]  which belongs to the cache kmalloc-256 of size 256
[   97.756872] The buggy address is located 40 bytes inside of
[   97.756872]  256-byte region [ffff8801cb8a0ac0, ffff8801cb8a0bc0)
[   97.768622] The buggy address belongs to the page:
[   97.773514] page:ffffea00072e2800 count:1 mapcount:0 mapping:ffff8801cb8a00c0 index:0x0
[   97.781617] flags: 0x200000000000100(slab)
[   97.785816] raw: 0200000000000100 ffff8801cb8a00c0 0000000000000000 000000010000000c
[   97.793659] raw: ffffea00072ea760 ffffea00072ed960 ffff8801dac007c0 0000000000000000
[   97.801498] page dumped because: kasan: bad access detected
[   97.807168] 
[   97.808760] Memory state around the buggy address:
[   97.813651]  ffff8801cb8a0980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   97.820972]  ffff8801cb8a0a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   97.828292] >ffff8801cb8a0a80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   97.835613]                                                           ^
[   97.842327]  ffff8801cb8a0b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   97.849650]  ffff8801cb8a0b80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   97.856971] ==================================================================
[   97.864291] Disabling lock debugging due to kernel taint
[   97.869713] Kernel panic - not syncing: panic_on_warn set ...
[   97.869713] 
[   97.877041] CPU: 0 PID: 4041 Comm: syz-executor0 Tainted: G    B           4.14.0-rc3+ #24
[   97.885406] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   97.894722] Call Trace:
[   97.897279]  dump_stack+0x194/0x257
[   97.900881]  ? arch_local_irq_restore+0x53/0x53
[   97.905513]  ? vprintk_default+0x28/0x30
[   97.909539]  ? __lock_acquire+0x3ff0/0x4620
[   97.913828]  panic+0x1e4/0x417
[   97.916989]  ? __warn+0x1d9/0x1d9
[   97.920409]  ? __lock_acquire+0x407b/0x4620
[   97.924695]  kasan_end_report+0x50/0x50
[   97.928633]  kasan_report+0x144/0x340
[   97.932398]  __asan_report_load8_noabort+0x14/0x20
[   97.937292]  __lock_acquire+0x407b/0x4620
[   97.941403]  ? unwind_dump+0x4c0/0x4c0
[   97.945254]  ? __kernel_text_address+0xd/0x40
[   97.949714]  ? unwind_get_return_address+0x61/0xa0
[   97.954611]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   97.959764]  ? __save_stack_trace+0x61/0xd0
[   97.964051]  ? get_signal+0x73f/0x16d0
[   97.967904]  ? save_stack_trace+0x16/0x20
[   97.972014]  ? __lock_acquire+0x20fd/0x4620
[   97.976300]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   97.981454]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   97.986607]  ? save_stack_trace+0x16/0x20
[   97.990721]  ? __lock_acquire+0x20fd/0x4620
[   97.995020]  ? osq_unlock+0x350/0x350
[   97.998784]  ? save_stack_trace+0x16/0x20
[   98.002899]  ? check_noncircular+0x20/0x20
[   98.007099]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   98.012256]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   98.017412]  ? find_held_lock+0x39/0x1d0
[   98.021442]  ? lock_downgrade+0x990/0x990
[   98.025559]  ? check_noncircular+0x20/0x20
[   98.029761]  lock_acquire+0x1d5/0x580
[   98.033528]  ? exit_pi_state_list+0x369/0x7a0
[   98.037995]  ? lock_release+0xd70/0xd70
[   98.041944]  ? do_raw_spin_trylock+0x190/0x190
[   98.046489]  ? find_held_lock+0x39/0x1d0
[   98.050517]  _raw_spin_lock_irq+0x5e/0x80
[   98.054627]  ? exit_pi_state_list+0x369/0x7a0
[   98.059085]  exit_pi_state_list+0x369/0x7a0
[   98.063374]  ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300
[   98.069396]  ? lock_release+0xd70/0xd70
[   98.073335]  ? check_same_owner+0x320/0x320
[   98.077622]  ? _raw_spin_unlock_irqrestore+0x31/0xba
[   98.082690]  ? __might_sleep+0x95/0x190
[   98.086629]  ? __might_fault+0x188/0x1d0
[   98.090655]  ? do_raw_spin_trylock+0x190/0x190
[   98.095200]  mm_release+0x46d/0x590
[   98.098789]  ? do_raw_spin_trylock+0x190/0x190
[   98.103334]  ? mm_access+0x140/0x140
[   98.107014]  ? _raw_spin_unlock_irq+0x27/0x70
[   98.111473]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   98.116452]  ? trace_hardirqs_on+0xd/0x10
[   98.120564]  ? _raw_spin_unlock_irq+0x27/0x70