INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd [ ok ]. [....] Starting periodic command scheduler: cron [ ok ]. [....] Starting OpenBSD Secure Shell server: sshd [ ok ]. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-upstream-mmots-kasan-gce-3,10.128.15.226' (ECDSA) to the list of known hosts. 2017/09/29 18:58:53 parsed 1 programs 2017/09/29 18:58:53 executed programs: 0 syzkaller login: [ 32.618709] ================================================================== [ 32.626163] BUG: KASAN: use-after-free in __lock_acquire+0x407b/0x4620 [ 32.632795] Read of size 8 at addr ffff8801cd4a7a28 by task syz-executor3/3030 [ 32.640115] [ 32.641712] CPU: 0 PID: 3030 Comm: syz-executor3 Not tainted 4.14.0-rc2-mm1+ #10 [ 32.649205] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 32.658524] Call Trace: [ 32.661078] dump_stack+0x194/0x257 [ 32.664670] ? arch_local_irq_restore+0x53/0x53 [ 32.669302] ? show_regs_print_info+0x65/0x65 [ 32.673764] ? __kernel_text_address+0xd/0x40 [ 32.678224] ? __lock_acquire+0x407b/0x4620 [ 32.682514] print_address_description+0x73/0x250 [ 32.687321] ? __lock_acquire+0x407b/0x4620 [ 32.691608] kasan_report+0x25b/0x340 [ 32.695377] __asan_report_load8_noabort+0x14/0x20 [ 32.700273] __lock_acquire+0x407b/0x4620 [ 32.704389] ? unwind_dump+0x4c0/0x4c0 [ 32.708240] ? __unwind_start+0x169/0x330 [ 32.712351] ? __kernel_text_address+0xd/0x40 [ 32.716812] ? unwind_get_return_address+0x61/0xa0 [ 32.721709] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 32.726862] ? unwind_get_return_address+0x61/0xa0 [ 32.731756] ? __save_stack_trace+0x61/0xd0 [ 32.736057] ? get_signal+0x73f/0x16d0 [ 32.739912] ? save_stack_trace+0x16/0x20 [ 32.744028] ? __lock_acquire+0x20fd/0x4620 [ 32.748326] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 32.753484] ? 
debug_check_no_locks_freed+0x3d0/0x3d0 [ 32.758639] ? save_stack_trace+0x16/0x20 [ 32.762750] ? __lock_acquire+0x20fd/0x4620 [ 32.767038] ? osq_unlock+0x350/0x350 [ 32.770803] ? save_stack_trace+0x16/0x20 [ 32.774916] ? check_noncircular+0x20/0x20 [ 32.779126] ? check_noncircular+0x20/0x20 [ 32.783327] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 32.788480] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 32.793646] ? __lock_is_held+0xbc/0x140 [ 32.797673] ? find_held_lock+0x39/0x1d0 [ 32.801702] ? lock_downgrade+0x990/0x990 [ 32.805815] ? check_noncircular+0x20/0x20 [ 32.810014] lock_acquire+0x1d5/0x580 [ 32.813784] ? exit_pi_state_list+0x369/0x7a0 [ 32.818244] ? lock_release+0xd70/0xd70 [ 32.822184] ? do_raw_spin_trylock+0x190/0x190 [ 32.826733] ? find_held_lock+0x39/0x1d0 [ 32.830762] _raw_spin_lock_irq+0x5e/0x80 [ 32.834877] ? exit_pi_state_list+0x369/0x7a0 [ 32.839335] exit_pi_state_list+0x369/0x7a0 [ 32.843626] ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300 [ 32.849649] ? lock_release+0xd70/0xd70 [ 32.853589] ? trace_event_raw_event_sched_switch+0x770/0x770 [ 32.859438] ? _raw_spin_unlock_irqrestore+0x31/0xba [ 32.864508] ? __might_sleep+0x95/0x190 [ 32.868449] ? __might_fault+0x188/0x1d0 [ 32.872475] ? do_raw_spin_trylock+0x190/0x190 [ 32.877026] mm_release+0x46d/0x590 [ 32.880616] ? do_raw_spin_trylock+0x190/0x190 [ 32.885163] ? mm_access+0x140/0x140 [ 32.888843] ? _raw_spin_unlock_irq+0x27/0x70 [ 32.893319] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 32.898303] ? trace_hardirqs_on+0xd/0x10 [ 32.902416] ? _raw_spin_unlock_irq+0x27/0x70 [ 32.906876] ? acct_collect+0x637/0x800 [ 32.910815] do_exit+0x481/0x1b00 [ 32.914233] ? mm_update_next_owner+0x930/0x930 [ 32.918866] ? trace_event_raw_event_sched_switch+0x770/0x770 [ 32.924717] ? rcu_note_context_switch+0x710/0x710 [ 32.929609] ? futex_wait_setup+0x14a/0x3d0 [ 32.933894] ? __might_sleep+0x95/0x190 [ 32.937833] ? _cond_resched+0x14/0x30 [ 32.941685] ? futex_wait_queue_me+0x524/0x7e0 [ 32.946239] ? 
refill_pi_state_cache.part.6+0x2f0/0x2f0 [ 32.951587] ? check_noncircular+0x20/0x20 [ 32.955790] ? futex_wait_setup+0x22e/0x3d0 [ 32.960077] ? futex_wake+0x680/0x680 [ 32.963845] ? find_held_lock+0x39/0x1d0 [ 32.967874] ? lock_downgrade+0x990/0x990 [ 32.971988] ? recalc_sigpending_tsk+0x117/0x150 [ 32.976706] ? recalc_sigpending+0x103/0x160 [ 32.981078] ? recalc_sigpending_tsk+0x150/0x150 [ 32.985797] ? get_signal+0x2b2/0x16d0 [ 32.989651] do_group_exit+0x149/0x400 [ 32.993503] ? __lock_is_held+0xbc/0x140 [ 32.997526] ? SyS_exit+0x30/0x30 [ 33.000948] ? _raw_spin_unlock_irq+0x27/0x70 [ 33.005407] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 33.010395] get_signal+0x73f/0x16d0 [ 33.014077] ? ptrace_notify+0x130/0x130 [ 33.018104] ? lock_release+0xd70/0xd70 [ 33.022045] ? exit_robust_list+0x240/0x240 [ 33.026338] do_signal+0x94/0x1ee0 [ 33.029845] ? iterate_fd+0x3f0/0x3f0 [ 33.033609] ? setup_sigcontext+0x7d0/0x7d0 [ 33.037894] ? lock_downgrade+0x990/0x990 [ 33.042011] ? fget_raw+0x20/0x20 [ 33.045428] ? __lock_is_held+0xbc/0x140 [ 33.049456] ? exit_to_usermode_loop+0x8c/0x310 [ 33.054088] exit_to_usermode_loop+0x214/0x310 [ 33.058634] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 33.064134] ? __fdget+0x18/0x20 [ 33.067466] syscall_return_slowpath+0x42f/0x510 [ 33.072189] ? prepare_exit_to_usermode+0x2d0/0x2d0 [ 33.077171] ? entry_SYSCALL_64_fastpath+0x91/0xbe [ 33.082063] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 33.087042] ? 
trace_hardirqs_on_thunk+0x1a/0x1c [ 33.091763] entry_SYSCALL_64_fastpath+0xbc/0xbe [ 33.096482] RIP: 0033:0x4520a9 [ 33.099637] RSP: 002b:00007fc8342ffcf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 33.107310] RAX: 0000000000000000 RBX: 0000000000718188 RCX: 00000000004520a9 [ 33.114544] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000718188 [ 33.121779] RBP: 0000000000718160 R08: 0000000000000000 R09: 0000000000000000 [ 33.129017] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 33.136254] R13: 00007ffd8df62e1f R14: 00007fc8343009c0 R15: 0000000000000003 [ 33.143496] [ 33.145090] Allocated by task 3043: [ 33.148684] save_stack_trace+0x16/0x20 [ 33.152625] save_stack+0x43/0xd0 [ 33.156043] kasan_kmalloc+0xad/0xe0 [ 33.159723] kmem_cache_alloc_trace+0x136/0x750 [ 33.164357] refill_pi_state_cache.part.6+0xa5/0x2f0 [ 33.169423] futex_requeue+0x1887/0x2370 [ 33.173449] do_futex+0x7f5/0x20d0 [ 33.176955] SyS_futex+0x260/0x390 [ 33.180462] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 33.185178] [ 33.186771] Freed by task 3022: [ 33.190018] save_stack_trace+0x16/0x20 [ 33.193960] save_stack+0x43/0xd0 [ 33.197375] kasan_slab_free+0x71/0xc0 [ 33.201226] kfree+0xca/0x250 [ 33.204297] put_pi_state+0x3f4/0x560 [ 33.208061] unqueue_me_pi+0x4a/0xc0 [ 33.211746] futex_wait_requeue_pi.constprop.19+0xc7f/0x1300 [ 33.217507] do_futex+0x825/0x20d0 [ 33.221012] SyS_futex+0x260/0x390 [ 33.224517] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 33.229231] [ 33.230827] The buggy address belongs to the object at ffff8801cd4a7a00 [ 33.230827] which belongs to the cache kmalloc-256 of size 256 [ 33.243447] The buggy address is located 40 bytes inside of [ 33.243447] 256-byte region [ffff8801cd4a7a00, ffff8801cd4a7b00) [ 33.255198] The buggy address belongs to the page: [ 33.260096] page:ffffea00073529c0 count:1 mapcount:0 mapping:ffff8801cd4a7000 index:0x0 [ 33.268204] flags: 0x200000000000100(slab) [ 33.272407] raw: 0200000000000100 ffff8801cd4a7000 0000000000000000 
000000010000000c [ 33.280250] raw: ffffea000737a0a0 ffffea0007358a60 ffff8801dac007c0 0000000000000000 [ 33.288092] page dumped because: kasan: bad access detected [ 33.293775] [ 33.295367] Memory state around the buggy address: [ 33.300260] ffff8801cd4a7900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 33.307584] ffff8801cd4a7980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 33.314907] >ffff8801cd4a7a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 33.322228] ^ [ 33.326860] ffff8801cd4a7a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 33.334182] ffff8801cd4a7b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 33.341504] ================================================================== [ 33.348826] Disabling lock debugging due to kernel taint [ 33.354240] Kernel panic - not syncing: panic_on_warn set ... [ 33.354240] [ 33.361567] CPU: 0 PID: 3030 Comm: syz-executor3 Tainted: G B 4.14.0-rc2-mm1+ #10 [ 33.370277] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 33.379592] Call Trace: [ 33.382150] dump_stack+0x194/0x257 [ 33.385746] ? arch_local_irq_restore+0x53/0x53 [ 33.390385] ? vprintk_default+0x28/0x30 [ 33.394417] ? __lock_acquire+0x4020/0x4620 [ 33.398706] panic+0x1e4/0x417 [ 33.401863] ? __warn+0x1d9/0x1d9 [ 33.405288] ? __lock_acquire+0x407b/0x4620 [ 33.409575] kasan_end_report+0x50/0x50 [ 33.413512] kasan_report+0x144/0x340 [ 33.417279] __asan_report_load8_noabort+0x14/0x20 [ 33.422174] __lock_acquire+0x407b/0x4620 [ 33.426285] ? unwind_dump+0x4c0/0x4c0 [ 33.430138] ? __unwind_start+0x169/0x330 [ 33.434253] ? __kernel_text_address+0xd/0x40 [ 33.438711] ? unwind_get_return_address+0x61/0xa0 [ 33.443612] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 33.448765] ? unwind_get_return_address+0x61/0xa0 [ 33.453661] ? __save_stack_trace+0x61/0xd0 [ 33.457947] ? get_signal+0x73f/0x16d0 [ 33.461796] ? save_stack_trace+0x16/0x20 [ 33.465908] ? __lock_acquire+0x20fd/0x4620 [ 33.470196] ? 
debug_check_no_locks_freed+0x3d0/0x3d0 [ 33.475355] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 33.480510] ? save_stack_trace+0x16/0x20 [ 33.484622] ? __lock_acquire+0x20fd/0x4620 [ 33.488910] ? osq_unlock+0x350/0x350 [ 33.492674] ? save_stack_trace+0x16/0x20 [ 33.496788] ? check_noncircular+0x20/0x20 [ 33.500993] ? check_noncircular+0x20/0x20 [ 33.505195] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 33.510355] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 33.515513] ? __lock_is_held+0xbc/0x140 [ 33.519543] ? find_held_lock+0x39/0x1d0 [ 33.523573] ? lock_downgrade+0x990/0x990 [ 33.527693] ? check_noncircular+0x20/0x20 [ 33.531896] lock_acquire+0x1d5/0x580 [ 33.535666] ? exit_pi_state_list+0x369/0x7a0 [ 33.540132] ? lock_release+0xd70/0xd70 [ 33.544072] ? do_raw_spin_trylock+0x190/0x190 [ 33.548635] ? find_held_lock+0x39/0x1d0 [ 33.552676] _raw_spin_lock_irq+0x5e/0x80 [ 33.556789] ? exit_pi_state_list+0x369/0x7a0 [ 33.561257] exit_pi_state_list+0x369/0x7a0 [ 33.565550] ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300 [ 33.571577] ? lock_release+0xd70/0xd70 [ 33.575521] ? trace_event_raw_event_sched_switch+0x770/0x770 [ 33.581371] ? _raw_spin_unlock_irqrestore+0x31/0xba [ 33.586441] ? __might_sleep+0x95/0x190 [ 33.590383] ? __might_fault+0x188/0x1d0 [ 33.594414] ? do_raw_spin_trylock+0x190/0x190 [ 33.598974] mm_release+0x46d/0x590 [ 33.602570] ? do_raw_spin_trylock+0x190/0x190 [ 33.607117] ? mm_access+0x140/0x140 [ 33.610796] ? _raw_spin_unlock_irq+0x27/0x70 [ 33.615270] ? trace_hardirqs_on_caller+0x421/0x5c0