INIT: Entering runlevel: 2

[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-kasan-gce-2,10.128.0.9' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
executing program
syzkaller login: [   39.804384] ==================================================================
[   39.805500] BUG: KASAN: use-after-free in detach_if_pending+0x557/0x610
[   39.806403] Write of size 8 at addr ffff8801cf193740 by task syzkaller067398/2981
[   39.807421] 
[   39.807658] CPU: 1 PID: 2981 Comm: syzkaller067398 Not tainted 4.13.0+ #77
[   39.808597] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   39.809819] Call Trace:
[   39.810200]  dump_stack+0x194/0x257
[   39.810707]  ? arch_local_irq_restore+0x53/0x53
[   39.811334]  ? show_regs_print_info+0x65/0x65
[   39.811939]  ? lock_timer_base+0x1a3/0x2b0
[   39.812557]  ? detach_if_pending+0x557/0x610
[   39.813169]  print_address_description+0x73/0x250
[   39.813840]  ? detach_if_pending+0x557/0x610
[   39.814443]  kasan_report+0x24e/0x340
[   39.814962]  __asan_report_store8_noabort+0x17/0x20
[   39.815647]  detach_if_pending+0x557/0x610
[   39.816282]  ? trace_raw_output_tick_stop+0x130/0x130
[   39.816976]  ? _raw_spin_lock_irqsave+0x9e/0xc0
[   39.817602]  ? lock_timer_base+0x1a3/0x2b0
[   39.818201]  ? lock_timer_base+0x1eb/0x2b0
[   39.818776]  ? __internal_add_timer+0x2d0/0x2d0
[   39.819404]  ? trace_hardirqs_on+0xd/0x10
[   39.820002]  try_to_del_timer_sync+0xa2/0x120
[   39.820622]  ? del_timer+0x130/0x130
[   39.821126]  ? del_timer_sync+0xeb/0x240
[   39.821694]  del_timer_sync+0x18a/0x240
[   39.822234]  tun_free_netdev+0x105/0x1b0
[   39.822823]  ? tun_xdp+0x410/0x410
[   39.823322]  ? cpumask_next+0x24/0x30
[   39.823838]  ? netdev_refcnt_read+0xed/0x150
[   39.824433]  ? tun_xdp+0x410/0x410
[   39.824914]  netdev_run_todo+0x870/0xca0
[   39.828951]  ? do_group_exit+0x149/0x400
[   39.832988]  ? register_netdev+0x30/0x30
[   39.837024]  ? lock_downgrade+0x990/0x990
[   39.841145]  ? trace_hardirqs_on+0xd/0x10
[   39.845285]  ? refcount_sub_and_test+0x115/0x1b0
[   39.850013]  ? refcount_inc+0x50/0x50
[   39.853785]  ? refcount_inc+0x50/0x50
[   39.857561]  ? sk_destruct+0x4c/0x80
[   39.861244]  ? __sk_free+0x5c/0x230
[   39.864844]  ? sk_free+0x2f/0x40
[   39.868182]  ? __tun_detach+0x176/0x1390
[   39.872223]  ? tun_attach+0xf90/0xf90
[   39.875996]  ? do_raw_spin_trylock+0x190/0x190
[   39.880552]  ? locks_remove_file+0x3fa/0x5a0
[   39.884934]  ? fcntl_setlk+0x10d0/0x10d0
[   39.888973]  ? __fsnotify_parent+0xb4/0x3a0
[   39.893265]  ? fsnotify+0x1af0/0x1af0
[   39.897040]  ? __tun_detach+0x1390/0x1390
[   39.901162]  ? __tun_detach+0x1390/0x1390
[   39.905290]  rtnl_unlock+0xe/0x10
[   39.908711]  tun_chr_close+0x49/0x60
[   39.912401]  __fput+0x333/0x7f0
[   39.915664]  ? fput+0x140/0x140
[   39.918916]  ? check_same_owner+0x320/0x320
[   39.923209]  ? _raw_spin_unlock_irq+0x27/0x70
[   39.927678]  ____fput+0x15/0x20
[   39.930935]  task_work_run+0x199/0x270
[   39.934808]  ? task_work_cancel+0x210/0x210
[   39.939126]  ? _raw_spin_unlock+0x22/0x30
[   39.943245]  ? switch_task_namespaces+0x87/0xc0
[   39.947888]  do_exit+0xa52/0x1b40
[   39.951312]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   39.956302]  ? check_noncircular+0x20/0x20
[   39.960516]  ? mm_update_next_owner+0x930/0x930
[   39.965157]  ? __pmd_alloc+0x4e0/0x4e0
[   39.969026]  ? find_held_lock+0x39/0x1d0
[   39.973068]  ? lock_downgrade+0x990/0x990
[   39.977208]  ? handle_mm_fault+0x410/0x8d0
[   39.981420]  ? down_read_trylock+0xdb/0x170
[   39.985712]  ? __handle_mm_fault+0x39c0/0x39c0
[   39.990268]  ? vmacache_find+0x61/0x270
[   39.994225]  ? up_read+0x1a/0x40
[   39.997564]  ? __do_page_fault+0x35b/0xb60
[   40.001767]  ? do_vfs_ioctl+0x492/0x1530
[   40.005806]  ? do_page_fault+0xee/0x720
[   40.009759]  ? __do_page_fault+0xb60/0xb60
[   40.013972]  ? putname+0xf3/0x130
[   40.017402]  do_group_exit+0x149/0x400
[   40.021267]  ? lockdep_sys_exit+0x47/0xf0
[   40.025386]  ? SyS_exit+0x30/0x30
[   40.028812]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   40.033801]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   40.038530]  SyS_exit_group+0x1d/0x20
[   40.042302]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   40.047025] RIP: 0033:0x443a28
[   40.050186] RSP: 002b:00007fff0e02d428 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   40.057865] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000443a28
[   40.065189] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   40.072429] RBP: 0000000000000082 R08: 00000000000000e7 R09: ffffffffffffffd4
[   40.079669] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   40.086915] R13: 00000000006d6180 R14: 0000000000000000 R15: 0000000000000000
[   40.094171] 
[   40.095768] Allocated by task 2981:
[   40.099368]  save_stack_trace+0x16/0x20
[   40.103311]  save_stack+0x43/0xd0
[   40.106733]  kasan_kmalloc+0xad/0xe0
[   40.110415]  __kmalloc_node+0x47/0x70
[   40.114185]  kvmalloc_node+0x64/0xd0
[   40.117869]  alloc_netdev_mqs+0x16e/0xed0
[   40.121984]  __tun_chr_ioctl+0x12be/0x3d20
[   40.126185]  tun_chr_ioctl+0x2a/0x40
[   40.129866]  do_vfs_ioctl+0x1b1/0x1530
[   40.133718]  SyS_ioctl+0x8f/0xc0
[   40.137057]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   40.141777] 
[   40.143372] Freed by task 2981:
[   40.146619]  save_stack_trace+0x16/0x20
[   40.150561]  save_stack+0x43/0xd0
[   40.153980]  kasan_slab_free+0x71/0xc0
[   40.157833]  kfree+0xca/0x250
[   40.160905]  kvfree+0x36/0x60
[   40.163978]  free_netdev+0x2cf/0x360
[   40.167657]  __tun_chr_ioctl+0x2cf6/0x3d20
[   40.171867]  tun_chr_ioctl+0x2a/0x40
[   40.175550]  do_vfs_ioctl+0x1b1/0x1530
[   40.179405]  SyS_ioctl+0x8f/0xc0
[   40.182748]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   40.187469] 
[   40.189066] The buggy address belongs to the object at ffff8801cf190340
[   40.189066]  which belongs to the cache kmalloc-16384 of size 16384
[   40.202047] The buggy address is located 13312 bytes inside of
[   40.202047]  16384-byte region [ffff8801cf190340, ffff8801cf194340)
[   40.214494] The buggy address belongs to the page:
[   40.219392] page:ffffea00073c6400 count:1 mapcount:0 mapping:ffff8801cf190340 index:0x0 compound_mapcount: 0
[   40.229339] flags: 0x200000000008100(slab|head)
[   40.233978] raw: 0200000000008100 ffff8801cf190340 0000000000000000 0000000100000001
[   40.241826] raw: ffffea0007392620 ffff8801dac01c50 ffff8801dac02200 0000000000000000
[   40.249670] page dumped because: kasan: bad access detected
[   40.255349] 
[   40.256943] Memory state around the buggy address:
[   40.261840]  ffff8801cf193600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   40.269170]  ffff8801cf193680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   40.276496] >ffff8801cf193700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   40.283821]                                            ^
[   40.289237]  ffff8801cf193780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   40.296565]  ffff8801cf193800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   40.303897] ==================================================================
[   40.311220] Disabling lock debugging due to kernel taint
[   40.316631] Kernel panic - not syncing: panic_on_warn set ...
[   40.316631] 
[   40.323956] CPU: 1 PID: 2981 Comm: syzkaller067398 Tainted: G    B           4.13.0+ #77
[   40.332147] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   40.341463] Call Trace:
[   40.344017]  dump_stack+0x194/0x257
[   40.347617]  ? arch_local_irq_restore+0x53/0x53
[   40.352249]  ? vprintk_default+0x28/0x30
[   40.356277]  ? detach_if_pending+0x470/0x610
[   40.360648]  panic+0x1e4/0x417
[   40.363805]  ? __warn+0x1d9/0x1d9
[   40.367229]  ? detach_if_pending+0x557/0x610
[   40.371600]  kasan_end_report+0x50/0x50
[   40.375542]  kasan_report+0x137/0x340
[   40.379307]  __asan_report_store8_noabort+0x17/0x20
[   40.384290]  detach_if_pending+0x557/0x610
[   40.388487]  ? trace_raw_output_tick_stop+0x130/0x130
[   40.393642]  ? _raw_spin_lock_irqsave+0x9e/0xc0
[   40.398271]  ? lock_timer_base+0x1a3/0x2b0
[   40.402469]  ? lock_timer_base+0x1eb/0x2b0
[   40.406683]  ? __internal_add_timer+0x2d0/0x2d0
[   40.411318]  ? trace_hardirqs_on+0xd/0x10
[   40.415431]  try_to_del_timer_sync+0xa2/0x120
[   40.419891]  ? del_timer+0x130/0x130
[   40.423569]  ? del_timer_sync+0xeb/0x240
[   40.427596]  del_timer_sync+0x18a/0x240
[   40.431540]  tun_free_netdev+0x105/0x1b0
[   40.435576]  ? tun_xdp+0x410/0x410
[   40.439085]  ? cpumask_next+0x24/0x30
[   40.442852]  ? netdev_refcnt_read+0xed/0x150
[   40.447228]  ? tun_xdp+0x410/0x410
[   40.450730]  netdev_run_todo+0x870/0xca0
[   40.454756]  ? do_group_exit+0x149/0x400
[   40.458782]  ? register_netdev+0x30/0x30
[   40.462807]  ? lock_downgrade+0x990/0x990
[   40.466918]  ? trace_hardirqs_on+0xd/0x10
[   40.471036]  ? refcount_sub_and_test+0x115/0x1b0
[   40.475753]  ? refcount_inc+0x50/0x50
[   40.479514]  ? refcount_inc+0x50/0x50
[   40.483281]  ? sk_destruct+0x4c/0x80
[   40.486957]  ? __sk_free+0x5c/0x230
[   40.490546]  ? sk_free+0x2f/0x40
[   40.493875]  ? __tun_detach+0x176/0x1390
[   40.497903]  ? tun_attach+0xf90/0xf90
[   40.501667]  ? do_raw_spin_trylock+0x190/0x190
[   40.506218]  ? locks_remove_file+0x3fa/0x5a0
[   40.510592]  ? fcntl_setlk+0x10d0/0x10d0
[   40.514617]  ? __fsnotify_parent+0xb4/0x3a0
[   40.518902]  ? fsnotify+0x1af0/0x1af0
[   40.522666]  ? __tun_detach+0x1390/0x1390
[   40.526776]  ? __tun_detach+0x1390/0x1390
[   40.530902]  rtnl_unlock+0xe/0x10
[   40.534318]  tun_chr_close+0x49/0x60
[   40.537995]  __fput+0x333/0x7f0
[   40.541239]  ? fput+0x140/0x140
[   40.544483]  ? check_same_owner+0x320/0x320
[   40.548768]  ? _raw_spin_unlock_irq+0x27/0x70
[   40.553230]  ____fput+0x15/0x20
[   40.556473]  task_work_run+0x199/0x270
[   40.560333]  ? task_work_cancel+0x210/0x210
[   40.564618]  ? _raw_spin_unlock+0x22/0x30
[   40.568729]  ? switch_task_namespaces+0x87/0xc0
[   40.573363]  do_exit+0xa52/0x1b40
[   40.576779]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   40.581761]  ? check_noncircular+0x20/0x20
[   40.585964]  ? mm_update_next_owner+0x930/0x930
[   40.590596]  ? __pmd_alloc+0x4e0/0x4e0
[   40.594452]  ? find_held_lock+0x39/0x1d0
[   40.598485]  ? lock_downgrade+0x990/0x990
[   40.602607]  ? handle_mm_fault+0x410/0x8d0
[   40.606803]  ? down_read_trylock+0xdb/0x170
[   40.611091]  ? __handle_mm_fault+0x39c0/0x39c0
[   40.615634]  ? vmacache_find+0x61/0x270
[   40.619577]  ? up_read+0x1a/0x40
[   40.622906]  ? __do_page_fault+0x35b/0xb60
[   40.627116]  ? do_vfs_ioctl+0x492/0x1530
[   40.631160]  ? do_page_fault+0xee/0x720
[   40.635106]  ? __do_page_fault+0xb60/0xb60
[   40.639304]  ? putname+0xf3/0x130
[   40.642726]  do_group_exit+0x149/0x400
[   40.646587]  ? lockdep_sys_exit+0x47/0xf0
[   40.650697]  ? SyS_exit+0x30/0x30
[   40.654115]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   40.659096]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   40.663817]  SyS_exit_group+0x1d/0x20
[   40.667582]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   40.672303] RIP: 0033:0x443a28
[   40.675468] RSP: 002b:00007fff0e02d428 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   40.683143] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000443a28
[   40.690386] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   40.697619] RBP: 0000000000000082 R08: 00000000000000e7 R09: ffffffffffffffd4
[   40.704854] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   40.712090] R13: 00000000006d6180 R14: 0000000000000000 R15: 0000000000000000