INIT: Entering runlevel: 2
[[36minfo[39;49m] Using makefile-style concurrent boot in runlevel 2.
[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-kasan-gce-386-1,10.128.15.200' (ECDSA) to the list of known hosts.
2017/10/04 08:41:08 parsed 1 programs
2017/10/04 08:41:08 executed programs: 0
syzkaller login: [   23.890945] ==================================================================
[   23.898373] BUG: KASAN: use-after-free in __lock_acquire+0x407b/0x4620
[   23.905008] Read of size 8 at addr ffff8801ce7d35e8 by task syz-executor3/3126
[   23.912333] 
[   23.913933] CPU: 0 PID: 3126 Comm: syz-executor3 Not tainted 4.14.0-rc3+ #24
[   23.921105] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   23.930447] Call Trace:
[   23.933011]  dump_stack+0x194/0x257
[   23.936605]  ? arch_local_irq_restore+0x53/0x53
[   23.941242]  ? show_regs_print_info+0x65/0x65
[   23.945707]  ? __kernel_text_address+0xd/0x40
[   23.950174]  ? __lock_acquire+0x407b/0x4620
[   23.954464]  print_address_description+0x73/0x250
[   23.959272]  ? __lock_acquire+0x407b/0x4620
[   23.963559]  kasan_report+0x25b/0x340
[   23.967327]  __asan_report_load8_noabort+0x14/0x20
[   23.972227]  __lock_acquire+0x407b/0x4620
[   23.976342]  ? unwind_dump+0x4c0/0x4c0
[   23.980200]  ? __kernel_text_address+0xd/0x40
[   23.984660]  ? unwind_get_return_address+0x61/0xa0
[   23.989561]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   23.994721]  ? __save_stack_trace+0x61/0xd0
[   23.999010]  ? get_signal+0x73f/0x16d0
[   24.002866]  ? save_stack_trace+0x16/0x20
[   24.006983]  ? __lock_acquire+0x20fd/0x4620
[   24.011273]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   24.016432]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   24.021590]  ? save_stack_trace+0x16/0x20
[   24.025707]  ? __lock_acquire+0x20fd/0x4620
[   24.029995]  ? osq_unlock+0x350/0x350
[   24.033761]  ? save_stack_trace+0x16/0x20
[   24.037876]  ? check_noncircular+0x20/0x20
[   24.042077]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   24.047234]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   24.052403]  ? __unwind_start+0x169/0x330
[   24.056522]  ? find_held_lock+0x39/0x1d0
[   24.060550]  ? lock_downgrade+0x990/0x990
[   24.064662]  ? check_noncircular+0x20/0x20
[   24.068865]  lock_acquire+0x1d5/0x580
[   24.072634]  ? exit_pi_state_list+0x369/0x7a0
[   24.077096]  ? lock_release+0xd70/0xd70
[   24.081041]  ? do_raw_spin_trylock+0x190/0x190
[   24.085589]  ? find_held_lock+0x39/0x1d0
[   24.089625]  _raw_spin_lock_irq+0x5e/0x80
[   24.093737]  ? exit_pi_state_list+0x369/0x7a0
[   24.098196]  exit_pi_state_list+0x369/0x7a0
[   24.102488]  ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300
[   24.108523]  ? lock_release+0xd70/0xd70
[   24.112465]  ? check_same_owner+0x320/0x320
[   24.116760]  ? _raw_spin_unlock_irqrestore+0x31/0xba
[   24.121836]  ? __might_sleep+0x95/0x190
[   24.125782]  ? __might_fault+0x188/0x1d0
[   24.129811]  ? do_raw_spin_trylock+0x190/0x190
[   24.134362]  mm_release+0x46d/0x590
[   24.137957]  ? do_raw_spin_trylock+0x190/0x190
[   24.142504]  ? mm_access+0x140/0x140
[   24.146185]  ? _raw_spin_unlock_irq+0x27/0x70
[   24.150647]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   24.155633]  ? trace_hardirqs_on+0xd/0x10
[   24.159750]  ? _raw_spin_unlock_irq+0x27/0x70
[   24.164212]  ? acct_collect+0x637/0x800
[   24.168152]  do_exit+0x481/0x1af0
[   24.171574]  ? mm_update_next_owner+0x930/0x930
[   24.176210]  ? lock_downgrade+0x990/0x990
[   24.180326]  ? refill_pi_state_cache.part.6+0x2f0/0x2f0
[   24.185656]  ? futex_wait+0x3ad/0x990
[   24.189422]  ? do_raw_spin_trylock+0x190/0x190
[   24.193970]  ? fault_in_user_writeable+0x90/0x90
[   24.198695]  ? futex_wake+0x680/0x680
[   24.202461]  ? fault_in_user_writeable+0x90/0x90
[   24.207187]  ? check_noncircular+0x20/0x20
[   24.211391]  ? drop_futex_key_refs.isra.13+0x63/0xb0
[   24.216460]  ? futex_wait+0x69e/0x990
[   24.220242]  ? futex_wait_setup+0x3d0/0x3d0
[   24.224532]  ? find_held_lock+0x39/0x1d0
[   24.228561]  ? lock_downgrade+0x990/0x990
[   24.232681]  ? recalc_sigpending_tsk+0x117/0x150
[   24.237407]  ? recalc_sigpending+0x103/0x160
[   24.241783]  ? recalc_sigpending_tsk+0x150/0x150
[   24.246507]  ? get_signal+0x2b2/0x16d0
[   24.250364]  do_group_exit+0x149/0x400
[   24.254219]  ? __lock_is_held+0xbc/0x140
[   24.258245]  ? SyS_exit+0x30/0x30
[   24.261665]  ? _raw_spin_unlock_irq+0x27/0x70
[   24.266128]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   24.271110]  get_signal+0x73f/0x16d0
[   24.274793]  ? ptrace_notify+0x130/0x130
[   24.278828]  ? lock_downgrade+0x990/0x990
[   24.282956]  ? SyS_brk+0x6f0/0x6f0
[   24.286466]  ? arch_get_unmapped_area+0x750/0x750
[   24.291272]  ? lock_acquire+0x1d5/0x580
[   24.295213]  ? vm_mmap_pgoff+0x198/0x280
[   24.299239]  ? userfaultfd_unmap_complete+0x327/0x510
[   24.304397]  do_signal+0x94/0x1ee0
[   24.307903]  ? do_mmap+0x34f/0xd50
[   24.311409]  ? up_write+0x6b/0x120
[   24.314916]  ? setup_sigcontext+0x7d0/0x7d0
[   24.319205]  ? security_mmap_file+0x143/0x180
[   24.323669]  ? vm_mmap_pgoff+0x1fc/0x280
[   24.327705]  ? vm_mmap_pgoff+0x13b/0x280
[   24.331744]  ? vma_is_stack_for_current+0xa0/0xa0
[   24.336555]  ? find_held_lock+0x39/0x1d0
[   24.340583]  ? __compat_get_timespec+0xd9/0x120
[   24.345223]  ? exit_to_usermode_loop+0x8c/0x310
[   24.349862]  exit_to_usermode_loop+0x214/0x310
[   24.354412]  ? trace_event_raw_event_sys_exit+0x260/0x260
[   24.359919]  ? lock_acquire+0x1d5/0x580
[   24.363861]  ? do_fast_syscall_32+0x158/0xf05
[   24.368326]  do_fast_syscall_32+0x83e/0xf05
[   24.372633]  ? compat_start_thread+0x80/0x80
[   24.377010]  ? do_int80_syscall_32+0x940/0x940
[   24.381559]  ? lockdep_sys_exit+0x47/0xf0
[   24.385684]  ? syscall_return_slowpath+0x2b3/0x510
[   24.390580]  ? finish_task_switch+0x1aa/0x740
[   24.395041]  ? prepare_exit_to_usermode+0x2d0/0x2d0
[   24.400024]  ? sysret32_from_system_call+0x5/0x3b
[   24.404832]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   24.409643]  entry_SYSENTER_compat+0x51/0x60
[   24.414034] RIP: 0023:0xf7f4bc79
[   24.417366] RSP: 002b:00000000f7f4712c EFLAGS: 00000292 ORIG_RAX: 00000000000000f0
[   24.425058] RAX: fffffffffffffe00 RBX: 0000000008128018 RCX: 0000000000000000
[   24.432298] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[   24.439539] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   24.446783] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   24.454035] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   24.461295] 
[   24.462911] Allocated by task 3154:
[   24.466537]  save_stack_trace+0x16/0x20
[   24.470479]  save_stack+0x43/0xd0
[   24.473896]  kasan_kmalloc+0xad/0xe0
[   24.477573]  kmem_cache_alloc_trace+0x136/0x750
[   24.482207]  refill_pi_state_cache.part.6+0xa5/0x2f0
[   24.487271]  futex_requeue+0x1887/0x2370
[   24.491293]  do_futex+0x7f5/0x20d0
[   24.494798]  compat_SyS_futex+0x27f/0x380
[   24.498929]  do_fast_syscall_32+0x3f2/0xf05
[   24.503227]  entry_SYSENTER_compat+0x51/0x60
[   24.507599] 
[   24.509193] Freed by task 3146:
[   24.512439]  save_stack_trace+0x16/0x20
[   24.516380]  save_stack+0x43/0xd0
[   24.519798]  kasan_slab_free+0x71/0xc0
[   24.523650]  kfree+0xca/0x250
[   24.526719]  put_pi_state+0x3f4/0x560
[   24.530481]  unqueue_me_pi+0x4a/0xc0
[   24.534158]  futex_wait_requeue_pi.constprop.19+0xc7f/0x1300
[   24.539918]  do_futex+0x825/0x20d0
[   24.543425]  compat_SyS_futex+0x27f/0x380
[   24.547535]  do_fast_syscall_32+0x3f2/0xf05
[   24.551820]  entry_SYSENTER_compat+0x51/0x60
[   24.556188] 
[   24.557780] The buggy address belongs to the object at ffff8801ce7d35c0
[   24.557780]  which belongs to the cache kmalloc-256 of size 256
[   24.571354] The buggy address is located 40 bytes inside of
[   24.571354]  256-byte region [ffff8801ce7d35c0, ffff8801ce7d36c0)
[   24.583103] The buggy address belongs to the page:
[   24.587998] page:ffffea000739f4c0 count:1 mapcount:0 mapping:ffff8801ce7d30c0 index:0x0
[   24.596103] flags: 0x200000000000100(slab)
[   24.600305] raw: 0200000000000100 ffff8801ce7d30c0 0000000000000000 000000010000000c
[   24.608149] raw: ffffea0007385d20 ffffea00073896e0 ffff8801dac007c0 0000000000000000
[   24.615994] page dumped because: kasan: bad access detected
[   24.621664] 
[   24.623254] Memory state around the buggy address:
[   24.628146]  ffff8801ce7d3480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.635468]  ffff8801ce7d3500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.642791] >ffff8801ce7d3580: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   24.650116]                                                           ^
[   24.656834]  ffff8801ce7d3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.664155]  ffff8801ce7d3680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   24.671476] ==================================================================
[   24.678797] Disabling lock debugging due to kernel taint
[   24.684208] Kernel panic - not syncing: panic_on_warn set ...
[   24.684208] 
[   24.691533] CPU: 0 PID: 3126 Comm: syz-executor3 Tainted: G    B           4.14.0-rc3+ #24
[   24.699895] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   24.709216] Call Trace:
[   24.711779]  dump_stack+0x194/0x257
[   24.715372]  ? arch_local_irq_restore+0x53/0x53
[   24.720009]  ? vprintk_default+0x28/0x30
[   24.724040]  ? __lock_acquire+0x3ff0/0x4620
[   24.728329]  panic+0x1e4/0x417
[   24.731485]  ? __warn+0x1d9/0x1d9
[   24.734909]  ? __lock_acquire+0x407b/0x4620
[   24.739198]  kasan_end_report+0x50/0x50
[   24.743135]  kasan_report+0x144/0x340
[   24.746912]  __asan_report_load8_noabort+0x14/0x20
[   24.751814]  __lock_acquire+0x407b/0x4620
[   24.755927]  ? unwind_dump+0x4c0/0x4c0
[   24.759783]  ? __kernel_text_address+0xd/0x40
[   24.764242]  ? unwind_get_return_address+0x61/0xa0
[   24.769147]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   24.774302]  ? __save_stack_trace+0x61/0xd0
[   24.778592]  ? get_signal+0x73f/0x16d0
[   24.782444]  ? save_stack_trace+0x16/0x20
[   24.786558]  ? __lock_acquire+0x20fd/0x4620
[   24.790848]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   24.796017]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   24.801173]  ? save_stack_trace+0x16/0x20
[   24.805289]  ? __lock_acquire+0x20fd/0x4620
[   24.809577]  ? osq_unlock+0x350/0x350
[   24.813343]  ? save_stack_trace+0x16/0x20
[   24.817459]  ? check_noncircular+0x20/0x20
[   24.821660]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   24.826829]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[   24.832008]  ? __unwind_start+0x169/0x330
[   24.836144]  ? find_held_lock+0x39/0x1d0
[   24.840198]  ? lock_downgrade+0x990/0x990
[   24.844337]  ? check_noncircular+0x20/0x20
[   24.848561]  lock_acquire+0x1d5/0x580
[   24.852348]  ? exit_pi_state_list+0x369/0x7a0
[   24.856826]  ? lock_release+0xd70/0xd70
[   24.860778]  ? do_raw_spin_trylock+0x190/0x190
[   24.865330]  ? find_held_lock+0x39/0x1d0
[   24.869363]  _raw_spin_lock_irq+0x5e/0x80
[   24.873476]  ? exit_pi_state_list+0x369/0x7a0
[   24.877934]  exit_pi_state_list+0x369/0x7a0
[   24.882226]  ? futex_wait_requeue_pi.constprop.19+0x1300/0x1300
[   24.888250]  ? lock_release+0xd70/0xd70