INIT: Entering runlevel: 2
[[36minfo[39;49m] Using makefile-style concurrent boot in runlevel 2.
[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-mmots-kasan-gce-1,10.128.0.55' (ECDSA) to the list of known hosts.
2017/10/01 19:57:51 parsed 1 programs
2017/10/01 19:57:51 executed programs: 0
syzkaller login: [   35.273344] ==================================================================
[   35.280806] BUG: KASAN: use-after-free in __lock_acquire+0x407b/0x4620
[   35.287998] Read of size 8 at addr ffff8801c76dc368 by task syz-executor4/3363
[   35.295321] 
[   35.296919] CPU: 0 PID: 3363 Comm: syz-executor4 Not tainted 4.14.0-rc2-mm1+ #11
[   35.304414] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   35.313734] Call Trace:
[   35.316294]  dump_stack+0x194/0x257
[   35.319887]  ? arch_local_irq_restore+0x53/0x53
[   35.324521]  ? show_regs_print_info+0x65/0x65
[   35.328982]  ? __kernel_text_address+0xd/0x40
[   35.333445]  ? __lock_acquire+0x407b/0x4620
[   35.337753]  print_address_description+0x73/0x250
[   35.342583]  ? __lock_acquire+0x407b/0x4620
[   35.346884]  kasan_report+0x25b/0x340
[   35.350659]  __asan_report_load8_noabort+0x14/0x20
[   35.355568]  __lock_acquire+0x407b/0x4620
[   35.359697]  ? unwind_dump+0x4c0/0x4c0
[   35.363576]  ? __unwind_start+0x169/0x330
[   35.367704]  ? __kernel_text_address+0xd/0x40
[   35.372169]  ? unwind_get_return_address+0x61/0xa0
[   35.377073]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   35.382235]  ? unwind_get_return_address+0x61/0xa0
[   35.387144]  ? __save_stack_trace+0x61/0xd0
[   35.391447]  ? get_signal+0x73f/0x16d0
[   35.395306]  ? save_stack_trace+0x16/0x20
[   35.399423]  ? __lock_acquire+0x20fd/0x4620
[   35.403715]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   35.408903]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   35.414070]  ? save_stack_trace+0x16/0x20
[   35.418188]  ? __lock_acquire+0x20fd/0x4620
[   35.422477]  ? osq_unlock+0x350/0x350
[   35.426245]  ? save_stack_trace+0x16/0x20
[   35.430381]  ? lock_release+0xd70/0xd70
[   35.434345]  ? check_noncircular+0x20/0x20
[   35.438558]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   35.443719]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   35.448879]  ? find_held_lock+0x39/0x1d0
[   35.452912]  ? lock_downgrade+0x990/0x990
[   35.457038]  ? check_noncircular+0x20/0x20
[   35.461264]  lock_acquire+0x1d5/0x580
[   35.465048]  ? exit_pi_state_list+0x369/0x7a0
[   35.469532]  ? lock_release+0xd70/0xd70
[   35.473488]  ? do_raw_spin_trylock+0x190/0x190
[   35.478040]  ? find_held_lock+0x39/0x1d0
[   35.482074]  _raw_spin_lock_irq+0x5e/0x80
[   35.486196]  ? exit_pi_state_list+0x369/0x7a0
[   35.490671]  exit_pi_state_list+0x369/0x7a0
[   35.494984]  ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300
[   35.501020]  ? lock_release+0xd70/0xd70
[   35.504967]  ? trace_event_raw_event_sched_switch+0x770/0x770
[   35.510819]  ? _raw_spin_unlock_irqrestore+0x31/0xba
[   35.515893]  ? __might_sleep+0x95/0x190
[   35.519838]  ? __might_fault+0x188/0x1d0
[   35.523869]  ? do_raw_spin_trylock+0x190/0x190
[   35.528436]  mm_release+0x46d/0x590
[   35.532034]  ? do_raw_spin_trylock+0x190/0x190
[   35.536603]  ? mm_access+0x140/0x140
[   35.540303]  ? _raw_spin_unlock_irq+0x27/0x70
[   35.544784]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   35.549779]  ? trace_hardirqs_on+0xd/0x10
[   35.553902]  ? _raw_spin_unlock_irq+0x27/0x70
[   35.558377]  ? acct_collect+0x637/0x800
[   35.562339]  do_exit+0x481/0x1b00
[   35.565783]  ? mm_update_next_owner+0x930/0x930
[   35.570436]  ? trace_event_raw_event_sched_switch+0x770/0x770
[   35.576296]  ? find_held_lock+0x39/0x1d0
[   35.580330]  ? refill_pi_state_cache.part.6+0x2f0/0x2f0
[   35.585665]  ? check_noncircular+0x20/0x20
[   35.589959]  ? fault_in_user_writeable+0x90/0x90
[   35.594691]  ? futex_wake+0x680/0x680
[   35.598465]  ? find_held_lock+0x39/0x1d0
[   35.602497]  ? lock_downgrade+0x990/0x990
[   35.606619]  ? recalc_sigpending_tsk+0x117/0x150
[   35.611357]  ? recalc_sigpending+0x103/0x160
[   35.615741]  ? recalc_sigpending_tsk+0x150/0x150
[   35.620465]  ? get_signal+0x2b2/0x16d0
[   35.624324]  do_group_exit+0x149/0x400
[   35.628179]  ? __lock_is_held+0xbc/0x140
[   35.632216]  ? SyS_exit+0x30/0x30
[   35.635653]  ? _raw_spin_unlock_irq+0x27/0x70
[   35.640131]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   35.645129]  get_signal+0x73f/0x16d0
[   35.648832]  ? ptrace_notify+0x130/0x130
[   35.652890]  ? __schedule+0x8f0/0x2070
[   35.656757]  ? exit_robust_list+0x240/0x240
[   35.661060]  do_signal+0x94/0x1ee0
[   35.664574]  ? lock_release+0xd70/0xd70
[   35.668522]  ? find_held_lock+0x39/0x1d0
[   35.672564]  ? setup_sigcontext+0x7d0/0x7d0
[   35.676860]  ? lock_downgrade+0x990/0x990
[   35.680990]  ? lock_release+0xd70/0xd70
[   35.684938]  ? trace_event_raw_event_sched_switch+0x770/0x770
[   35.690793]  ? lock_acquire+0x1d5/0x580
[   35.694745]  ? finish_task_switch+0x1aa/0x740
[   35.699213]  ? exit_to_usermode_loop+0x8c/0x310
[   35.703852]  exit_to_usermode_loop+0x214/0x310
[   35.708404]  ? trace_event_raw_event_sys_exit+0x260/0x260
[   35.713929]  ? kasan_check_write+0x14/0x20
[   35.718155]  syscall_return_slowpath+0x42f/0x510
[   35.722893]  ? prepare_exit_to_usermode+0x2d0/0x2d0
[   35.727893]  ? entry_SYSCALL_64_fastpath+0x91/0xbe
[   35.732792]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   35.737785]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   35.742525]  entry_SYSCALL_64_fastpath+0xbc/0xbe
[   35.747252] RIP: 0033:0x4520a9
[   35.750411] RSP: 002b:00007fcc9d1e4cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[   35.758090] RAX: fffffffffffffe00 RBX: 0000000000718238 RCX: 00000000004520a9
[   35.765361] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000718238
[   35.772615] RBP: 0000000000718210 R08: 0000000000000000 R09: 0000000000000000
[   35.779868] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   35.787113] R13: 00007ffc10a278df R14: 00007fcc9d1e59c0 R15: 000000000000000a
[   35.794370] 
[   35.795978] Allocated by task 3379:
[   35.799589]  save_stack_trace+0x16/0x20
[   35.803532]  save_stack+0x43/0xd0
[   35.806958]  kasan_kmalloc+0xad/0xe0
[   35.810650]  kmem_cache_alloc_trace+0x136/0x750
[   35.815291]  refill_pi_state_cache.part.6+0xa5/0x2f0
[   35.820371]  futex_requeue+0x1887/0x2370
[   35.824437]  do_futex+0x7f5/0x20d0
[   35.827959]  SyS_futex+0x260/0x390
[   35.831470]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   35.836188] 
[   35.837785] Freed by task 3357:
[   35.841043]  save_stack_trace+0x16/0x20
[   35.844989]  save_stack+0x43/0xd0
[   35.848416]  kasan_slab_free+0x71/0xc0
[   35.852271]  kfree+0xca/0x250
[   35.855343]  put_pi_state+0x3f4/0x560
[   35.859111]  unqueue_me_pi+0x4a/0xc0
[   35.862814]  futex_wait_requeue_pi.constprop.19+0xc7f/0x1300
[   35.868582]  do_futex+0x825/0x20d0
[   35.872098]  SyS_futex+0x260/0x390
[   35.875615]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   35.880333] 
[   35.881929] The buggy address belongs to the object at ffff8801c76dc340
[   35.881929]  which belongs to the cache kmalloc-256 of size 256
[   35.894561] The buggy address is located 40 bytes inside of
[   35.894561]  256-byte region [ffff8801c76dc340, ffff8801c76dc440)
[   35.906332] The buggy address belongs to the page:
[   35.911246] page:ffffea00071db700 count:1 mapcount:0 mapping:ffff8801c76dc0c0 index:0x0
[   35.919367] flags: 0x200000000000100(slab)
[   35.923571] raw: 0200000000000100 ffff8801c76dc0c0 0000000000000000 000000010000000c
[   35.931419] raw: ffffea0006ff1b60 ffffea0007344720 ffff8801dac007c0 0000000000000000
[   35.939273] page dumped because: kasan: bad access detected
[   35.944947] 
[   35.946538] Memory state around the buggy address:
[   35.951432]  ffff8801c76dc200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   35.958754]  ffff8801c76dc280: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   35.966078] >ffff8801c76dc300: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   35.973401]                                                           ^
[   35.980116]  ffff8801c76dc380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.987448]  ffff8801c76dc400: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   35.994780] ==================================================================
[   36.002104] Disabling lock debugging due to kernel taint
[   36.007521] Kernel panic - not syncing: panic_on_warn set ...
[   36.007521] 
[   36.014849] CPU: 0 PID: 3363 Comm: syz-executor4 Tainted: G    B           4.14.0-rc2-mm1+ #11
[   36.023561] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   36.032888] Call Trace:
[   36.035444]  dump_stack+0x194/0x257
[   36.039041]  ? arch_local_irq_restore+0x53/0x53
[   36.043677]  ? vprintk_default+0x28/0x30
[   36.047708]  ? __lock_acquire+0x4060/0x4620
[   36.051996]  panic+0x1e4/0x41c
[   36.055158]  ? refcount_error_report+0x214/0x214
[   36.059881]  ? __lock_acquire+0x407b/0x4620
[   36.064171]  kasan_end_report+0x50/0x50
[   36.068110]  kasan_report+0x144/0x340
[   36.071876]  __asan_report_load8_noabort+0x14/0x20
[   36.076774]  __lock_acquire+0x407b/0x4620
[   36.080887]  ? unwind_dump+0x4c0/0x4c0
[   36.084739]  ? __unwind_start+0x169/0x330
[   36.088863]  ? __kernel_text_address+0xd/0x40
[   36.093335]  ? unwind_get_return_address+0x61/0xa0
[   36.098239]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   36.103393]  ? unwind_get_return_address+0x61/0xa0
[   36.108290]  ? __save_stack_trace+0x61/0xd0
[   36.112579]  ? get_signal+0x73f/0x16d0
[   36.116431]  ? save_stack_trace+0x16/0x20
[   36.120568]  ? __lock_acquire+0x20fd/0x4620
[   36.124856]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   36.130020]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   36.135187]  ? save_stack_trace+0x16/0x20
[   36.139300]  ? __lock_acquire+0x20fd/0x4620
[   36.143595]  ? osq_unlock+0x350/0x350
[   36.147368]  ? save_stack_trace+0x16/0x20
[   36.151483]  ? lock_release+0xd70/0xd70
[   36.155423]  ? check_noncircular+0x20/0x20
[   36.159624]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   36.164783]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   36.169942]  ? find_held_lock+0x39/0x1d0
[   36.173971]  ? lock_downgrade+0x990/0x990
[   36.178084]  ? check_noncircular+0x20/0x20
[   36.182287]  lock_acquire+0x1d5/0x580
[   36.186064]  ? exit_pi_state_list+0x369/0x7a0
[   36.190527]  ? lock_release+0xd70/0xd70
[   36.194466]  ? do_raw_spin_trylock+0x190/0x190
[   36.199017]  ? find_held_lock+0x39/0x1d0
[   36.203055]  _raw_spin_lock_irq+0x5e/0x80
[   36.207167]  ? exit_pi_state_list+0x369/0x7a0
[   36.211627]  exit_pi_state_list+0x369/0x7a0
[   36.215917]  ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300
[   36.221940]  ? lock_release+0xd70/0xd70
[   36.225880]  ? trace_event_raw_event_sched_switch+0x770/0x770
[   36.231741]  ? _raw_spin_unlock_irqrestore+0x31/0xba
[   36.236811]  ? __might_sleep+0x95/0x190
[   36.240753]  ? __might_fault+0x188/0x1d0
[   36.244783]  ? do_raw_spin_trylock+0x190/0x190
[   36.249342]  mm_release+0x46d/0x590
[   36.252937]  ? do_raw_spin_trylock+0x190/0x190
[   36.257485]  ? mm_access+0x140/0x140
[   36.261174]  ? _raw_spin_unlock_irq+0x27/0x70
[   36.265638]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   36.270621]  ? trace_hardirqs_on+0xd/0x10