INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd [ ok ]. [....] Starting periodic command scheduler: cron [ ok ]. [....] Starting OpenBSD Secure Shell server: sshd [ ok ]. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-upstream-kasan-gce-386-3,10.128.0.2' (ECDSA) to the list of known hosts. 2017/10/03 17:36:49 parsed 1 programs 2017/10/03 17:36:49 executed programs: 0 syzkaller login: [ 33.617344] ================================================================== [ 33.624758] BUG: KASAN: use-after-free in __lock_acquire+0x407b/0x4620 [ 33.631391] Read of size 8 at addr ffff8801caca3068 by task syz-executor5/3857 [ 33.638714] [ 33.640311] CPU: 0 PID: 3857 Comm: syz-executor5 Not tainted 4.14.0-rc3+ #23 [ 33.647460] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 33.656790] Call Trace: [ 33.659347] dump_stack+0x194/0x257 [ 33.662941] ? arch_local_irq_restore+0x53/0x53 [ 33.667581] ? show_regs_print_info+0x65/0x65 [ 33.672041] ? __kernel_text_address+0xd/0x40 [ 33.676503] ? __lock_acquire+0x407b/0x4620 [ 33.680790] print_address_description+0x73/0x250 [ 33.685598] ? __lock_acquire+0x407b/0x4620 [ 33.689886] kasan_report+0x25b/0x340 [ 33.693654] __asan_report_load8_noabort+0x14/0x20 [ 33.698550] __lock_acquire+0x407b/0x4620 [ 33.702670] ? unwind_dump+0x4c0/0x4c0 [ 33.706562] ? __kernel_text_address+0xd/0x40 [ 33.711046] ? unwind_get_return_address+0x61/0xa0 [ 33.715956] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 33.721124] ? __save_stack_trace+0x61/0xd0 [ 33.725439] ? get_signal+0x73f/0x16d0 [ 33.729309] ? save_stack_trace+0x16/0x20 [ 33.733447] ? __lock_acquire+0x20fd/0x4620 [ 33.737756] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 33.742920] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 33.748086] ? save_stack_trace+0x16/0x20 [ 33.752214] ? 
__lock_acquire+0x20fd/0x4620 [ 33.756523] ? osq_unlock+0x350/0x350 [ 33.760308] ? save_stack_trace+0x16/0x20 [ 33.764432] ? check_noncircular+0x20/0x20 [ 33.768645] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 33.773808] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 33.778973] ? __unwind_start+0x169/0x330 [ 33.783108] ? find_held_lock+0x39/0x1d0 [ 33.787156] ? lock_downgrade+0x990/0x990 [ 33.791296] ? check_noncircular+0x20/0x20 [ 33.795525] lock_acquire+0x1d5/0x580 [ 33.799301] ? exit_pi_state_list+0x369/0x7a0 [ 33.803764] ? lock_release+0xd70/0xd70 [ 33.807704] ? do_raw_spin_trylock+0x190/0x190 [ 33.812258] ? find_held_lock+0x39/0x1d0 [ 33.816313] _raw_spin_lock_irq+0x5e/0x80 [ 33.820439] ? exit_pi_state_list+0x369/0x7a0 [ 33.824911] exit_pi_state_list+0x369/0x7a0 [ 33.829234] ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300 [ 33.835271] ? lock_release+0xd70/0xd70 [ 33.839216] ? check_same_owner+0x320/0x320 [ 33.843514] ? _raw_spin_unlock_irqrestore+0x31/0xba [ 33.848605] ? __might_sleep+0x95/0x190 [ 33.852579] ? __might_fault+0x188/0x1d0 [ 33.856629] ? do_raw_spin_trylock+0x190/0x190 [ 33.861179] mm_release+0x46d/0x590 [ 33.864774] ? do_raw_spin_trylock+0x190/0x190 [ 33.869322] ? mm_access+0x140/0x140 [ 33.873016] ? _raw_spin_unlock_irq+0x27/0x70 [ 33.877491] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 33.882486] ? trace_hardirqs_on+0xd/0x10 [ 33.886608] ? _raw_spin_unlock_irq+0x27/0x70 [ 33.891071] ? acct_collect+0x637/0x800 [ 33.895022] do_exit+0x481/0x1af0 [ 33.898460] ? mm_update_next_owner+0x930/0x930 [ 33.903107] ? lock_downgrade+0x990/0x990 [ 33.907224] ? refill_pi_state_cache.part.6+0x2f0/0x2f0 [ 33.912554] ? futex_wait+0x3ad/0x990 [ 33.916329] ? do_raw_spin_trylock+0x190/0x190 [ 33.920879] ? fault_in_user_writeable+0x90/0x90 [ 33.925603] ? futex_wake+0x680/0x680 [ 33.929367] ? fault_in_user_writeable+0x90/0x90 [ 33.934095] ? check_noncircular+0x20/0x20 [ 33.938304] ? drop_futex_key_refs.isra.13+0x63/0xb0 [ 33.943378] ? futex_wait+0x69e/0x990 [ 33.947145] ? 
futex_wait_setup+0x3d0/0x3d0 [ 33.951444] ? find_held_lock+0x39/0x1d0 [ 33.955482] ? lock_downgrade+0x990/0x990 [ 33.959598] ? recalc_sigpending_tsk+0x117/0x150 [ 33.964328] ? recalc_sigpending+0x103/0x160 [ 33.968713] ? recalc_sigpending_tsk+0x150/0x150 [ 33.973448] ? get_signal+0x2b2/0x16d0 [ 33.977313] do_group_exit+0x149/0x400 [ 33.981174] ? __lock_is_held+0xbc/0x140 [ 33.985209] ? SyS_exit+0x30/0x30 [ 33.988631] ? _raw_spin_unlock_irq+0x27/0x70 [ 33.993093] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 33.998081] get_signal+0x73f/0x16d0 [ 34.001763] ? ptrace_notify+0x130/0x130 [ 34.005792] ? lock_downgrade+0x990/0x990 [ 34.009907] ? SyS_brk+0x6f0/0x6f0 [ 34.013415] ? arch_get_unmapped_area+0x750/0x750 [ 34.018236] ? lock_acquire+0x1d5/0x580 [ 34.022178] ? vm_mmap_pgoff+0x198/0x280 [ 34.026215] ? userfaultfd_unmap_complete+0x327/0x510 [ 34.031381] do_signal+0x94/0x1ee0 [ 34.034893] ? do_mmap+0x34f/0xd50 [ 34.038403] ? up_write+0x6b/0x120 [ 34.041909] ? setup_sigcontext+0x7d0/0x7d0 [ 34.046198] ? security_mmap_file+0x143/0x180 [ 34.050661] ? vm_mmap_pgoff+0x1fc/0x280 [ 34.054694] ? vm_mmap_pgoff+0x13b/0x280 [ 34.058729] ? vma_is_stack_for_current+0xa0/0xa0 [ 34.063544] ? find_held_lock+0x39/0x1d0 [ 34.067575] ? __compat_get_timespec+0xd9/0x120 [ 34.072219] ? exit_to_usermode_loop+0x8c/0x310 [ 34.076855] exit_to_usermode_loop+0x214/0x310 [ 34.081409] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 34.086916] ? lock_acquire+0x1d5/0x580 [ 34.090861] ? do_fast_syscall_32+0x158/0xf05 [ 34.095332] do_fast_syscall_32+0x83e/0xf05 [ 34.099647] ? compat_start_thread+0x80/0x80 [ 34.104039] ? do_int80_syscall_32+0x940/0x940 [ 34.108600] ? lockdep_sys_exit+0x47/0xf0 [ 34.112721] ? syscall_return_slowpath+0x2b3/0x510 [ 34.117627] ? finish_task_switch+0x1aa/0x740 [ 34.122100] ? prepare_exit_to_usermode+0x2d0/0x2d0 [ 34.127084] ? sysret32_from_system_call+0x5/0x3b [ 34.131892] ? 
trace_hardirqs_off_thunk+0x1a/0x1c [ 34.136699] entry_SYSENTER_compat+0x51/0x60 [ 34.141070] RIP: 0023:0xf7f9dc79 [ 34.144398] RSP: 002b:00000000f7f9912c EFLAGS: 00000292 ORIG_RAX: 00000000000000f0 [ 34.152072] RAX: fffffffffffffe00 RBX: 0000000008128018 RCX: 0000000000000000 [ 34.159307] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 34.166540] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 34.173776] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 34.181015] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 34.188262] [ 34.189856] Allocated by task 3884: [ 34.193451] save_stack_trace+0x16/0x20 [ 34.197391] save_stack+0x43/0xd0 [ 34.200809] kasan_kmalloc+0xad/0xe0 [ 34.204485] kmem_cache_alloc_trace+0x136/0x750 [ 34.209117] refill_pi_state_cache.part.6+0xa5/0x2f0 [ 34.214184] futex_requeue+0x1887/0x2370 [ 34.218207] do_futex+0x7f5/0x20d0 [ 34.221714] compat_SyS_futex+0x27f/0x380 [ 34.225828] do_fast_syscall_32+0x3f2/0xf05 [ 34.230116] entry_SYSENTER_compat+0x51/0x60 [ 34.234486] [ 34.236076] Freed by task 3868: [ 34.239320] save_stack_trace+0x16/0x20 [ 34.243258] save_stack+0x43/0xd0 [ 34.246673] kasan_slab_free+0x71/0xc0 [ 34.250523] kfree+0xca/0x250 [ 34.253592] put_pi_state+0x3f4/0x560 [ 34.257355] unqueue_me_pi+0x4a/0xc0 [ 34.261038] futex_wait_requeue_pi.constprop.19+0xc7f/0x1300 [ 34.266800] do_futex+0x825/0x20d0 [ 34.270304] compat_SyS_futex+0x27f/0x380 [ 34.274416] do_fast_syscall_32+0x3f2/0xf05 [ 34.278964] entry_SYSENTER_compat+0x51/0x60 [ 34.283332] [ 34.284925] The buggy address belongs to the object at ffff8801caca3040 [ 34.284925] which belongs to the cache kmalloc-256 of size 256 [ 34.297543] The buggy address is located 40 bytes inside of [ 34.297543] 256-byte region [ffff8801caca3040, ffff8801caca3140) [ 34.309292] The buggy address belongs to the page: [ 34.314193] page:ffffea00072b28c0 count:1 mapcount:0 mapping:ffff8801caca3040 index:0x0 [ 34.322296] flags: 
0x200000000000100(slab) [ 34.326499] raw: 0200000000000100 ffff8801caca3040 0000000000000000 000000010000000c [ 34.334344] raw: ffffea00072bca20 ffffea00072bb220 ffff8801dac007c0 0000000000000000 [ 34.343402] page dumped because: kasan: bad access detected [ 34.349081] [ 34.350673] Memory state around the buggy address: [ 34.355567] ffff8801caca2f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc [ 34.362890] ffff8801caca2f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 34.370214] >ffff8801caca3000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 34.377537] ^ [ 34.384258] ffff8801caca3080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 34.391581] ffff8801caca3100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 34.398902] ================================================================== [ 34.406224] Disabling lock debugging due to kernel taint [ 34.411661] Kernel panic - not syncing: panic_on_warn set ... [ 34.411661] [ 34.418991] CPU: 0 PID: 3857 Comm: syz-executor5 Tainted: G B 4.14.0-rc3+ #23 [ 34.427356] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 34.436675] Call Trace: [ 34.439236] dump_stack+0x194/0x257 [ 34.442835] ? arch_local_irq_restore+0x53/0x53 [ 34.447469] ? vprintk_default+0x28/0x30 [ 34.451496] ? __lock_acquire+0x3ff0/0x4620 [ 34.455784] panic+0x1e4/0x417 [ 34.458939] ? __warn+0x1d9/0x1d9 [ 34.462359] ? __lock_acquire+0x407b/0x4620 [ 34.466648] kasan_end_report+0x50/0x50 [ 34.470588] kasan_report+0x144/0x340 [ 34.474355] __asan_report_load8_noabort+0x14/0x20 [ 34.479251] __lock_acquire+0x407b/0x4620 [ 34.483366] ? unwind_dump+0x4c0/0x4c0 [ 34.487219] ? __kernel_text_address+0xd/0x40 [ 34.491678] ? unwind_get_return_address+0x61/0xa0 [ 34.496583] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 34.501741] ? __save_stack_trace+0x61/0xd0 [ 34.506040] ? get_signal+0x73f/0x16d0 [ 34.509896] ? save_stack_trace+0x16/0x20 [ 34.514012] ? __lock_acquire+0x20fd/0x4620 [ 34.518307] ? 
debug_check_no_locks_freed+0x3d0/0x3d0 [ 34.523462] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 34.528617] ? save_stack_trace+0x16/0x20 [ 34.532736] ? __lock_acquire+0x20fd/0x4620 [ 34.537024] ? osq_unlock+0x350/0x350 [ 34.540788] ? save_stack_trace+0x16/0x20 [ 34.544904] ? check_noncircular+0x20/0x20 [ 34.549103] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 34.554257] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 34.559412] ? __unwind_start+0x169/0x330 [ 34.563525] ? find_held_lock+0x39/0x1d0 [ 34.567554] ? lock_downgrade+0x990/0x990 [ 34.571666] ? check_noncircular+0x20/0x20 [ 34.575867] lock_acquire+0x1d5/0x580 [ 34.579635] ? exit_pi_state_list+0x369/0x7a0 [ 34.584096] ? lock_release+0xd70/0xd70 [ 34.588033] ? do_raw_spin_trylock+0x190/0x190 [ 34.592581] ? find_held_lock+0x39/0x1d0 [ 34.596616] _raw_spin_lock_irq+0x5e/0x80 [ 34.600732] ? exit_pi_state_list+0x369/0x7a0 [ 34.605189] exit_pi_state_list+0x369/0x7a0 [ 34.609482] ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300 [ 34.615507] ? lock_release+0xd70/0xd70