INIT: Entering runlevel: 2
[[36minfo[39;49m] Using makefile-style concurrent boot in runlevel 2.
[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-kasan-gce-386-4,10.128.0.62' (ECDSA) to the list of known hosts.
2017/10/04 14:00:29 parsed 1 programs
2017/10/04 14:00:29 executed programs: 0
2017/10/04 14:00:34 executed programs: 394
2017/10/04 14:00:39 executed programs: 784
syzkaller login: [   51.223462] ==================================================================
[   51.230881] BUG: KASAN: use-after-free in __lock_acquire+0x407b/0x4620
[   51.237512] Read of size 8 at addr ffff8801c26c8b68 by task syz-executor3/7968
[   51.244841] 
[   51.246446] CPU: 1 PID: 7968 Comm: syz-executor3 Not tainted 4.14.0-rc3+ #24
[   51.253603] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   51.262926] Call Trace:
[   51.265487]  dump_stack+0x194/0x257
[   51.269091]  ? arch_local_irq_restore+0x53/0x53
[   51.273727]  ? show_regs_print_info+0x65/0x65
[   51.278189]  ? __kernel_text_address+0xd/0x40
[   51.282660]  ? __lock_acquire+0x407b/0x4620
[   51.286956]  print_address_description+0x73/0x250
[   51.291768]  ? __lock_acquire+0x407b/0x4620
[   51.296064]  kasan_report+0x25b/0x340
[   51.299839]  __asan_report_load8_noabort+0x14/0x20
[   51.304738]  __lock_acquire+0x407b/0x4620
[   51.308858]  ? unwind_dump+0x4c0/0x4c0
[   51.312711]  ? __kernel_text_address+0xd/0x40
[   51.317181]  ? unwind_get_return_address+0x61/0xa0
[   51.322096]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   51.327262]  ? __save_stack_trace+0x61/0xd0
[   51.331552]  ? get_signal+0x73f/0x16d0
[   51.335414]  ? save_stack_trace+0x16/0x20
[   51.339534]  ? __lock_acquire+0x20fd/0x4620
[   51.343822]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   51.348981]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   51.354142]  ? save_stack_trace+0x16/0x20
[   51.358262]  ? __lock_acquire+0x20fd/0x4620
[   51.362549]  ? osq_unlock+0x350/0x350
[   51.366314]  ? save_stack_trace+0x16/0x20
[   51.370432]  ? check_noncircular+0x20/0x20
[   51.374642]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   51.379804]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   51.384958]  ? __unwind_start+0x169/0x330
[   51.389079]  ? find_held_lock+0x39/0x1d0
[   51.393126]  ? lock_downgrade+0x990/0x990
[   51.397246]  ? check_noncircular+0x20/0x20
[   51.401456]  lock_acquire+0x1d5/0x580
[   51.405232]  ? exit_pi_state_list+0x369/0x7a0
[   51.409696]  ? lock_release+0xd70/0xd70
[   51.413642]  ? do_raw_spin_trylock+0x190/0x190
[   51.418203]  ? find_held_lock+0x39/0x1d0
[   51.422245]  _raw_spin_lock_irq+0x5e/0x80
[   51.426363]  ? exit_pi_state_list+0x369/0x7a0
[   51.430821]  exit_pi_state_list+0x369/0x7a0
[   51.435112]  ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300
[   51.441142]  ? lock_release+0xd70/0xd70
[   51.445093]  ? check_same_owner+0x320/0x320
[   51.449381]  ? _raw_spin_unlock_irqrestore+0x31/0xba
[   51.454451]  ? __might_sleep+0x95/0x190
[   51.458394]  ? __might_fault+0x188/0x1d0
[   51.462423]  ? do_raw_spin_trylock+0x190/0x190
[   51.466975]  mm_release+0x46d/0x590
[   51.470568]  ? do_raw_spin_trylock+0x190/0x190
[   51.475119]  ? mm_access+0x140/0x140
[   51.478807]  ? _raw_spin_unlock_irq+0x27/0x70
[   51.483270]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   51.488262]  ? trace_hardirqs_on+0xd/0x10
[   51.492385]  ? _raw_spin_unlock_irq+0x27/0x70
[   51.496847]  ? acct_collect+0x637/0x800
[   51.500792]  do_exit+0x481/0x1af0
[   51.504221]  ? mm_update_next_owner+0x930/0x930
[   51.509552]  ? lock_downgrade+0x990/0x990
[   51.513677]  ? refill_pi_state_cache.part.6+0x2f0/0x2f0
[   51.519016]  ? futex_wait+0x3ad/0x990
[   51.522790]  ? do_raw_spin_trylock+0x190/0x190
[   51.527339]  ? fault_in_user_writeable+0x90/0x90
[   51.532060]  ? futex_wake+0x680/0x680
[   51.535829]  ? check_noncircular+0x20/0x20
[   51.540041]  ? drop_futex_key_refs.isra.13+0x63/0xb0
[   51.545115]  ? futex_wait+0x69e/0x990
[   51.548883]  ? futex_wait_setup+0x3d0/0x3d0
[   51.553178]  ? find_held_lock+0x39/0x1d0
[   51.557215]  ? lock_downgrade+0x990/0x990
[   51.561336]  ? recalc_sigpending_tsk+0x117/0x150
[   51.566066]  ? recalc_sigpending+0x103/0x160
[   51.570441]  ? recalc_sigpending_tsk+0x150/0x150
[   51.575162]  ? get_signal+0x2b2/0x16d0
[   51.579026]  do_group_exit+0x149/0x400
[   51.582884]  ? __lock_is_held+0xbc/0x140
[   51.586913]  ? SyS_exit+0x30/0x30
[   51.590333]  ? _raw_spin_unlock_irq+0x27/0x70
[   51.594793]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   51.599783]  get_signal+0x73f/0x16d0
[   51.603470]  ? ptrace_notify+0x130/0x130
[   51.607519]  do_signal+0x94/0x1ee0
[   51.611049]  ? setup_sigcontext+0x7d0/0x7d0
[   51.615365]  ? find_held_lock+0x39/0x1d0
[   51.619400]  ? __compat_get_timespec+0xd9/0x120
[   51.624048]  ? exit_to_usermode_loop+0x8c/0x310
[   51.628693]  exit_to_usermode_loop+0x214/0x310
[   51.633242]  ? trace_event_raw_event_sys_exit+0x260/0x260
[   51.638747]  ? lock_acquire+0x1d5/0x580
[   51.642689]  ? do_fast_syscall_32+0x158/0xf05
[   51.647157]  do_fast_syscall_32+0x83e/0xf05
[   51.651451]  ? compat_start_thread+0x80/0x80
[   51.655837]  ? do_int80_syscall_32+0x940/0x940
[   51.660405]  ? lockdep_sys_exit+0x47/0xf0
[   51.664518]  ? syscall_return_slowpath+0x2b3/0x510
[   51.669425]  ? finish_task_switch+0x1aa/0x740
[   51.673896]  ? prepare_exit_to_usermode+0x2d0/0x2d0
[   51.678887]  ? sysret32_from_system_call+0x5/0x3b
[   51.683714]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   51.688531]  entry_SYSENTER_compat+0x51/0x60
[   51.692904] RIP: 0023:0xf7f13c79
[   51.696233] RSP: 002b:00000000f7eac12c EFLAGS: 00000292 ORIG_RAX: 00000000000000f0
[   51.703910] RAX: fffffffffffffe00 RBX: 0000000008128168 RCX: 0000000000000000
[   51.711156] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[   51.718400] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   51.725642] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   51.732885] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   51.740127] 
[   51.741720] Allocated by task 7985:
[   51.745315]  save_stack_trace+0x16/0x20
[   51.749257]  save_stack+0x43/0xd0
[   51.752691]  kasan_kmalloc+0xad/0xe0
[   51.756396]  kmem_cache_alloc_trace+0x136/0x750
[   51.761044]  refill_pi_state_cache.part.6+0xa5/0x2f0
[   51.766114]  futex_requeue+0x1887/0x2370
[   51.770138]  do_futex+0x7f5/0x20d0
[   51.773648]  compat_SyS_futex+0x27f/0x380
[   51.777779]  do_fast_syscall_32+0x3f2/0xf05
[   51.782071]  entry_SYSENTER_compat+0x51/0x60
[   51.786446] 
[   51.788047] Freed by task 7950:
[   51.791294]  save_stack_trace+0x16/0x20
[   51.795236]  save_stack+0x43/0xd0
[   51.798661]  kasan_slab_free+0x71/0xc0
[   51.802524]  kfree+0xca/0x250
[   51.805610]  put_pi_state+0x3f4/0x560
[   51.809394]  unqueue_me_pi+0x4a/0xc0
[   51.813082]  futex_wait_requeue_pi.constprop.19+0xc7f/0x1300
[   51.818852]  do_futex+0x825/0x20d0
[   51.822367]  compat_SyS_futex+0x27f/0x380
[   51.826491]  do_fast_syscall_32+0x3f2/0xf05
[   51.830779]  entry_SYSENTER_compat+0x51/0x60
[   51.835147] 
[   51.836743] The buggy address belongs to the object at ffff8801c26c8b40
[   51.836743]  which belongs to the cache kmalloc-256 of size 256
[   51.849360] The buggy address is located 40 bytes inside of
[   51.849360]  256-byte region [ffff8801c26c8b40, ffff8801c26c8c40)
[   51.861108] The buggy address belongs to the page:
[   51.866001] page:ffffea000709b200 count:1 mapcount:0 mapping:ffff8801c26c8000 index:0x0
[   51.874113] flags: 0x200000000000100(slab)
[   51.878312] raw: 0200000000000100 ffff8801c26c8000 0000000000000000 000000010000000c
[   51.886155] raw: ffffea00070a6e60 ffffea00070abea0 ffff8801dac007c0 0000000000000000
[   51.893996] page dumped because: kasan: bad access detected
[   51.899669] 
[   51.901259] Memory state around the buggy address:
[   51.906148]  ffff8801c26c8a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   51.913469]  ffff8801c26c8a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   51.920789] >ffff8801c26c8b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   51.928112]                                                           ^
[   51.934826]  ffff8801c26c8b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   51.942149]  ffff8801c26c8c00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   51.949467] ==================================================================
[   51.956787] Disabling lock debugging due to kernel taint
[   51.962199] Kernel panic - not syncing: panic_on_warn set ...
[   51.962199] 
[   51.969523] CPU: 1 PID: 7968 Comm: syz-executor3 Tainted: G    B           4.14.0-rc3+ #24
[   51.977883] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   51.987200] Call Trace:
[   51.989754]  dump_stack+0x194/0x257
[   51.993349]  ? arch_local_irq_restore+0x53/0x53
[   51.997980]  ? vprintk_default+0x28/0x30
[   52.002021]  ? __lock_acquire+0x3ff0/0x4620
[   52.006311]  panic+0x1e4/0x417
[   52.009469]  ? __warn+0x1d9/0x1d9
[   52.012890]  ? __lock_acquire+0x407b/0x4620
[   52.017176]  kasan_end_report+0x50/0x50
[   52.021113]  kasan_report+0x144/0x340
[   52.024878]  __asan_report_load8_noabort+0x14/0x20
[   52.029769]  __lock_acquire+0x407b/0x4620
[   52.033882]  ? unwind_dump+0x4c0/0x4c0
[   52.037734]  ? __kernel_text_address+0xd/0x40
[   52.042194]  ? unwind_get_return_address+0x61/0xa0
[   52.047092]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   52.052246]  ? __save_stack_trace+0x61/0xd0
[   52.056532]  ? get_signal+0x73f/0x16d0
[   52.060390]  ? save_stack_trace+0x16/0x20
[   52.064500]  ? __lock_acquire+0x20fd/0x4620
[   52.068785]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   52.073942]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   52.079094]  ? save_stack_trace+0x16/0x20
[   52.083206]  ? __lock_acquire+0x20fd/0x4620
[   52.087491]  ? osq_unlock+0x350/0x350
[   52.091253]  ? save_stack_trace+0x16/0x20
[   52.095367]  ? check_noncircular+0x20/0x20
[   52.099567]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   52.104721]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   52.109875]  ? __unwind_start+0x169/0x330
[   52.113986]  ? find_held_lock+0x39/0x1d0
[   52.118018]  ? lock_downgrade+0x990/0x990
[   52.122134]  ? check_noncircular+0x20/0x20
[   52.126336]  lock_acquire+0x1d5/0x580
[   52.130101]  ? exit_pi_state_list+0x369/0x7a0
[   52.134562]  ? lock_release+0xd70/0xd70
[   52.138501]  ? do_raw_spin_trylock+0x190/0x190
[   52.143046]  ? find_held_lock+0x39/0x1d0
[   52.147074]  _raw_spin_lock_irq+0x5e/0x80
[   52.151184]  ? exit_pi_state_list+0x369/0x7a0
[   52.155640]  exit_pi_state_list+0x369/0x7a0
[   52.159928]  ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300
[   52.165951]  ? lock_release+0xd70/0xd70
[   52.169889]  ? check_same_owner+0x320/0x320
[   52.174173]  ? _raw_spin_unlock_irqrestore+0x31/0xba
[   52.179241]  ? __might_sleep+0x95/0x190
[   52.183179]  ? __might_fault+0x188/0x1d0
[   52.187207]  ? do_raw_spin_trylock+0x190/0x190
[   52.191753]  mm_release+0x46d/0x590
[   52.195342]  ? do_raw_spin_trylock+0x190/0x190
[   52.199887]  ? mm_access+0x140/0x140
[   52.203565]  ? _raw_spin_unlock_irq+0x27/0x70
[   52.208029]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   52.213018]  ? trace_hardirqs_on+0xd/0x10
[   52.217134]  ? _raw_spin_unlock_irq+0x27/0x70
[   52.221593]  ? acct_collect+0x637/0x800