Debian GNU/Linux 7 syzkaller ttyS0
executing program
executing program
syzkaller login: [ 23.209744] ==================================================================
[ 23.210603] BUG: KASAN: use-after-free in __internal_add_timer+0x275/0x2d0
[ 23.211280] Write of size 8 at addr ffff88006b6f36c8 by task syzkaller105245/2984
[ 23.212388]
[ 23.212551] CPU: 3 PID: 2984 Comm: syzkaller105245 Not tainted 4.13.0-next-20170905+ #15
[ 23.213303] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 23.213950] Call Trace:
[ 23.214165]  dump_stack+0x194/0x257
[ 23.214434]  ? arch_local_irq_restore+0x53/0x53
[ 23.214754]  ? show_regs_print_info+0x65/0x65
[ 23.215062]  ? __kernel_text_address+0xae/0xe0
[ 23.215388]  ? __internal_add_timer+0x275/0x2d0
[ 23.215704]  print_address_description+0x73/0x250
[ 23.216039]  ? __internal_add_timer+0x275/0x2d0
[ 23.216436]  kasan_report+0x24e/0x340
[ 23.216799]  __asan_report_store8_noabort+0x17/0x20
[ 23.217349]  __internal_add_timer+0x275/0x2d0
[ 23.217848]  ? calc_wheel_index+0x200/0x200
[ 23.218511]  mod_timer+0x622/0x15b0
[ 23.218936]  ? mod_timer_pending+0x14e0/0x14e0
[ 23.219458]  ? __lock_is_held+0xbc/0x140
[ 23.219925]  ? __lock_is_held+0xbc/0x140
[ 23.220390]  ? __lockdep_init_map+0xe4/0x650
[ 23.220897]  ? lockdep_init_map+0x3d/0x70
[ 23.221377]  ? rcu_read_lock_sched_held+0x108/0x120
[ 23.221927]  ? init_timer_key+0x126/0x3b0
[ 23.222387]  ? try_to_del_timer_sync+0x120/0x120
[ 23.222909]  ? round_jiffies_up+0xce/0x100
[ 23.223397]  ? __round_jiffies_up_relative+0x150/0x150
[ 23.224002]  ? debug_lockdep_rcu_enabled+0x77/0x90
[ 23.224521]  ? selinux_tun_dev_alloc_security+0x124/0x170
[ 23.225104]  __tun_chr_ioctl+0x1b23/0x3d20
[ 23.225568]  ? tun_chr_read_iter+0x1e0/0x1e0
[ 23.226063]  ? lock_downgrade+0x990/0x990
[ 23.226589]  ? check_same_owner+0x320/0x320
[ 23.227100]  ? __handle_mm_fault+0x39c0/0x39c0
[ 23.227584]  ? vmacache_find+0x61/0x270
[ 23.228006]  ? tun_chr_compat_ioctl+0x30/0x30
[ 23.228482]  tun_chr_ioctl+0x2a/0x40
[ 23.228874]  ? tun_chr_ioctl+0x2a/0x40
[ 23.229275]  do_vfs_ioctl+0x1b1/0x1530
[ 23.229700]  ? ioctl_preallocate+0x2b0/0x2b0
[ 23.230199]  ? selinux_capable+0x40/0x40
[ 23.230624]  ? putname+0xf3/0x130
[ 23.231019]  ? do_sys_open+0x320/0x6d0
[ 23.231467]  ? security_file_ioctl+0x7d/0xb0
[ 23.231860]  ? security_file_ioctl+0x89/0xb0
[ 23.232155]  SyS_ioctl+0x8f/0xc0
[ 23.232403]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 23.232748] RIP: 0033:0x439019
[ 23.233329] RSP: 002b:00007ffc4e78b668 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
[ 23.234100] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000439019
[ 23.234709] RDX: 0000000020b14fd8 RSI: 00000000400454ca RDI: 0000000000000004
[ 23.235288] RBP: 0000000000000082 R08: 00000000000000fd R09: 0000000000000000
[ 23.235887] R10: 0000000000000000 R11: 0000000000000206 R12: 171a62f0e32e9b3a
[ 23.236461] R13: 74656e2f7665642f R14: 0000000000401d00 R15: 0000000000000000
[ 23.237089]
[ 23.237259] Allocated by task 2984:
[ 23.237630]  save_stack_trace+0x16/0x20
[ 23.238037]  save_stack+0x43/0xd0
[ 23.238391]  kasan_kmalloc+0xad/0xe0
[ 23.238766]  __kmalloc_node+0x47/0x70
[ 23.239158]  kvmalloc_node+0x64/0xd0
[ 23.239538]  alloc_netdev_mqs+0x16e/0xed0
[ 23.239958]  __tun_chr_ioctl+0x12be/0x3d20
[ 23.240381]  tun_chr_ioctl+0x2a/0x40
[ 23.240760]  do_vfs_ioctl+0x1b1/0x1530
[ 23.241149]  SyS_ioctl+0x8f/0xc0
[ 23.241494]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 23.241974]
[ 23.242144] Freed by task 2984:
[ 23.242482]  save_stack_trace+0x16/0x20
[ 23.242885]  save_stack+0x43/0xd0
[ 23.243248]  kasan_slab_free+0x71/0xc0
[ 23.243640]  kfree+0xca/0x250
[ 23.243955]  kvfree+0x36/0x60
[ 23.244269]  free_netdev+0x2cf/0x360
[ 23.244658]  __tun_chr_ioctl+0x2cf6/0x3d20
[ 23.245092]  tun_chr_ioctl+0x2a/0x40
[ 23.245479]  do_vfs_ioctl+0x1b1/0x1530
[ 23.245882]  SyS_ioctl+0x8f/0xc0
[ 23.246236]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 23.246723]
[ 23.246897] The buggy address belongs to the object at ffff88006b6f02c0
[ 23.246897]  which belongs to the cache kmalloc-16384 of size 16384
[ 23.248246] The buggy address is located 13320 bytes inside of
[ 23.248246]  16384-byte region [ffff88006b6f02c0, ffff88006b6f42c0)
[ 23.249499] The buggy address belongs to the page:
[ 23.250010] page:ffffea0001adbc00 count:1 mapcount:0 mapping:ffff88006b6f02c0 index:0x0 compound_mapcount: 0
[ 23.251018] flags: 0x500000000008100(slab|head)
[ 23.251507] raw: 0500000000008100 ffff88006b6f02c0 0000000000000000 0000000100000001
[ 23.252313] raw: ffffea00019b1620 ffffea0001af7020 ffff88003e802200 0000000000000000
[ 23.252942] page dumped because: kasan: bad access detected
[ 23.253512]
[ 23.253670] Memory state around the buggy address:
[ 23.254114]  ffff88006b6f3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.255199]  ffff88006b6f3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.255990] >ffff88006b6f3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.256748]                                               ^
[ 23.257335]  ffff88006b6f3700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.257918]  ffff88006b6f3780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.258486] ==================================================================
[ 23.259061] Disabling lock debugging due to kernel taint
[ 23.259496] Kernel panic - not syncing: panic_on_warn set ...
[ 23.259496]
[ 23.260096] CPU: 3 PID: 2984 Comm: syzkaller105245 Tainted: G B 4.13.0-next-20170905+ #15
[ 23.260822] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 23.261444] Call Trace:
[ 23.261666]  dump_stack+0x194/0x257
[ 23.261934]  ? arch_local_irq_restore+0x53/0x53
[ 23.262319]  ? vprintk_default+0x28/0x30
[ 23.262719]  ? __internal_add_timer+0x1e0/0x2d0
[ 23.263104]  panic+0x1e4/0x417
[ 23.263415]  ? __warn+0x1d9/0x1d9
[ 23.263776]  ? __internal_add_timer+0x275/0x2d0
[ 23.264131]  kasan_end_report+0x50/0x50
[ 23.264433]  kasan_report+0x137/0x340
[ 23.264751]  __asan_report_store8_noabort+0x17/0x20
[ 23.265121]  __internal_add_timer+0x275/0x2d0
[ 23.265455]  ? calc_wheel_index+0x200/0x200
[ 23.265793]  mod_timer+0x622/0x15b0
[ 23.266068]  ? mod_timer_pending+0x14e0/0x14e0
[ 23.266407]  ? __lock_is_held+0xbc/0x140
[ 23.266727]  ? __lock_is_held+0xbc/0x140
[ 23.267029]  ? __lockdep_init_map+0xe4/0x650
[ 23.267359]  ? lockdep_init_map+0x3d/0x70
[ 23.267690]  ? rcu_read_lock_sched_held+0x108/0x120
[ 23.268069]  ? init_timer_key+0x126/0x3b0
[ 23.268353]  ? try_to_del_timer_sync+0x120/0x120
[ 23.268690]  ? round_jiffies_up+0xce/0x100
[ 23.269120]  ? __round_jiffies_up_relative+0x150/0x150
[ 23.269642]  ? debug_lockdep_rcu_enabled+0x77/0x90
[ 23.270127]  ? selinux_tun_dev_alloc_security+0x124/0x170
[ 23.270695]  __tun_chr_ioctl+0x1b23/0x3d20
[ 23.271119]  ? tun_chr_read_iter+0x1e0/0x1e0
[ 23.271565]  ? lock_downgrade+0x990/0x990
[ 23.271987]  ? check_same_owner+0x320/0x320
[ 23.272386]  ? __handle_mm_fault+0x39c0/0x39c0
[ 23.272847]  ? vmacache_find+0x61/0x270
[ 23.273251]  ? tun_chr_compat_ioctl+0x30/0x30
[ 23.273718]  tun_chr_ioctl+0x2a/0x40
[ 23.274094]  ? tun_chr_ioctl+0x2a/0x40
[ 23.274480]  do_vfs_ioctl+0x1b1/0x1530
[ 23.275329]  ? ioctl_preallocate+0x2b0/0x2b0
[ 23.275780]  ? selinux_capable+0x40/0x40
[ 23.276117]  ? putname+0xf3/0x130
[ 23.276376]  ? do_sys_open+0x320/0x6d0
[ 23.276675]  ? security_file_ioctl+0x7d/0xb0
[ 23.276990]  ? security_file_ioctl+0x89/0xb0
[ 23.277314]  SyS_ioctl+0x8f/0xc0
[ 23.277553]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 23.277889] RIP: 0033:0x439019
[ 23.278207] RSP: 002b:00007ffc4e78b668 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
[ 23.278968] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000439019
[ 23.279666] RDX: 0000000020b14fd8 RSI: 00000000400454ca RDI: 0000000000000004
[ 23.280304] RBP: 0000000000000082 R08: 00000000000000fd R09: 0000000000000000
[ 23.281042] R10: 0000000000000000 R11: 0000000000000206 R12: 171a62f0e32e9b3a
[ 23.281719] R13: 74656e2f7665642f R14: 0000000000401d00 R15: 0000000000000000
[ 23.282291] Dumping ftrace buffer:
[ 23.282586]    (ftrace buffer empty)
[ 23.282937] Kernel Offset: disabled
[ 23.283261] Rebooting in 86400 seconds..