net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
executing program
syzkaller login: [   29.051402] ==================================================================
[   29.052137] BUG: KASAN: use-after-free in detach_if_pending+0x557/0x610
[   29.052759] Write of size 8 at addr ffff88003d8138c0 by task syzkaller938162/2990
[   29.053486] 
[   29.053609] CPU: 1 PID: 2990 Comm: syzkaller938162 Not tainted 4.13.0-rc7-next-20170829+ #11
[   29.054196] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[   29.054966] Call Trace:
[   29.055210]  dump_stack+0x194/0x257
[   29.055558]  ? arch_local_irq_restore+0x53/0x53
[   29.055984]  ? show_regs_print_info+0x65/0x65
[   29.056405]  ? lock_timer_base+0x1a3/0x2b0
[   29.056797]  ? detach_if_pending+0x557/0x610
[   29.057203]  print_address_description+0x73/0x250
[   29.057655]  ? detach_if_pending+0x557/0x610
[   29.058062]  kasan_report+0x24e/0x340
[   29.058470]  __asan_report_store8_noabort+0x17/0x20
[   29.058835]  detach_if_pending+0x557/0x610
[   29.059131]  ? trace_raw_output_tick_stop+0x130/0x130
[   29.059501]  ? _raw_spin_lock_irqsave+0x9e/0xc0
[   29.059824]  ? lock_timer_base+0x1a3/0x2b0
[   29.060138]  ? lock_timer_base+0x1eb/0x2b0
[   29.060604]  ? __internal_add_timer+0x2d0/0x2d0
[   29.061090]  ? trace_hardirqs_on+0xd/0x10
[   29.061535]  try_to_del_timer_sync+0xa2/0x120
[   29.062010]  ? del_timer+0x130/0x130
[   29.062286]  ? del_timer_sync+0xeb/0x240
[   29.062589]  del_timer_sync+0x18a/0x240
[   29.062906]  tun_free_netdev+0x105/0x1b0
[   29.063224]  ? tun_xdp+0x410/0x410
[   29.063496]  ? cpumask_next+0x24/0x30
[   29.063774]  ? netdev_refcnt_read+0xed/0x150
[   29.064105]  ? tun_xdp+0x410/0x410
[   29.064340]  netdev_run_todo+0x870/0xca0
[   29.064586]  ? do_group_exit+0x149/0x400
[   29.064865]  ? register_netdev+0x30/0x30
[   29.065210]  ? lock_downgrade+0x990/0x990
[   29.065634]  ? trace_hardirqs_on+0xd/0x10
[   29.066040]  ? refcount_sub_and_test+0x115/0x1b0
[   29.066497]  ? refcount_inc+0x50/0x50
[   29.066850]  ? refcount_inc+0x50/0x50
[   29.067221]  ? sk_destruct+0x4c/0x80
[   29.067562]  ? __sk_free+0x5c/0x230
[   29.067894]  ? sk_free+0x2f/0x40
[   29.068214]  ? __tun_detach+0x176/0x1390
[   29.068592]  ? tun_attach+0xf90/0xf90
[   29.068942]  ? do_raw_spin_trylock+0x190/0x190
[   29.069385]  ? locks_remove_file+0x3fa/0x5a0
[   29.069787]  ? fcntl_setlk+0x10d0/0x10d0
[   29.070181]  ? __fsnotify_parent+0xb4/0x3a0
[   29.070588]  ? fsnotify+0x1af0/0x1af0
[   29.070937]  ? rcu_note_context_switch+0x710/0x710
[   29.071397]  ? __tun_detach+0x1390/0x1390
[   29.071770]  ? __tun_detach+0x1390/0x1390
[   29.072830]  rtnl_unlock+0xe/0x10
[   29.073163]  tun_chr_close+0x49/0x60
[   29.073497]  __fput+0x333/0x7f0
[   29.073797]  ? fput+0x140/0x140
[   29.074115]  ? check_same_owner+0x320/0x320
[   29.074528]  ? _raw_spin_unlock_irq+0x27/0x70
[   29.075003]  ____fput+0x15/0x20
[   29.075355]  task_work_run+0x199/0x270
[   29.075767]  ? task_work_cancel+0x210/0x210
[   29.076195]  ? _raw_spin_unlock+0x22/0x30
[   29.076568]  ? switch_task_namespaces+0x87/0xc0
[   29.077006]  do_exit+0xa52/0x1b40
[   29.077328]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   29.077791]  ? check_noncircular+0x20/0x20
[   29.078182]  ? __handle_mm_fault+0x587/0x39c0
[   29.078597]  ? mm_update_next_owner+0x930/0x930
[   29.079036]  ? __pmd_alloc+0x4e0/0x4e0
[   29.079401]  ? find_held_lock+0x39/0x1d0
[   29.079777]  ? lock_downgrade+0x990/0x990
[   29.080167]  ? handle_mm_fault+0x4a2/0x860
[   29.080515]  ? down_read_trylock+0xdb/0x170
[   29.080833]  ? __handle_mm_fault+0x39c0/0x39c0
[   29.081175]  ? vmacache_find+0x61/0x270
[   29.081479]  ? up_read+0x1a/0x40
[   29.081791]  ? __do_page_fault+0x35b/0xb60
[   29.082188]  ? trace_do_page_fault+0x141/0x730
[   29.082657]  ? do_page_fault+0x70/0x70
[   29.083143]  ? putname+0xf3/0x130
[   29.083591]  do_group_exit+0x149/0x400
[   29.084055]  ? lockdep_sys_exit+0x1c4/0x2b0
[   29.084516]  ? SyS_exit+0x30/0x30
[   29.084874]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   29.085394]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   29.085907]  SyS_exit_group+0x1d/0x20
[   29.086312]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   29.086803] RIP: 0033:0x438c99
[   29.087148] RSP: 002b:00007ffcba039ae8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   29.087969] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000438c99
[   29.088742] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[   29.089497] RBP: 0000000000000086 R08: 000000000000003c R09: 00000000000000e7
[   29.090258] R10: ffffffffffffffcc R11: 0000000000000246 R12: 0000000000000001
[   29.091009] R13: 00000000006cc300 R14: 0000000000402790 R15: 0000000000000000
[   29.091769] 
[   29.091991] Allocated by task 2990:
[   29.092385]  save_stack_trace+0x16/0x20
[   29.092830]  save_stack+0x43/0xd0
[   29.093191]  kasan_kmalloc+0xad/0xe0
[   29.093793]  __kmalloc_node+0x47/0x70
[   29.094175]  kvmalloc_node+0x64/0xd0
[   29.094542]  alloc_netdev_mqs+0x16e/0xed0
[   29.094992]  __tun_chr_ioctl+0x12be/0x3d20
[   29.095428]  tun_chr_ioctl+0x2a/0x40
[   29.095820]  do_vfs_ioctl+0x1b1/0x1530
[   29.096229]  SyS_ioctl+0x8f/0xc0
[   29.096586]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   29.097083] 
[   29.097256] Freed by task 2990:
[   29.097602]  save_stack_trace+0x16/0x20
[   29.098018]  save_stack+0x43/0xd0
[   29.098378]  kasan_slab_free+0x71/0xc0
[   29.098787]  kfree+0xca/0x250
[   29.099115]  kvfree+0x36/0x60
[   29.099441]  free_netdev+0x2cf/0x360
[   29.099854]  __tun_chr_ioctl+0x2cf6/0x3d20
[   29.100278]  tun_chr_ioctl+0x2a/0x40
[   29.100655]  do_vfs_ioctl+0x1b1/0x1530
[   29.101048]  SyS_ioctl+0x8f/0xc0
[   29.101391]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   29.101865] 
[   29.102039] The buggy address belongs to the object at ffff88003d8104c0
[   29.102039]  which belongs to the cache kmalloc-16384 of size 16384
[   29.103275] The buggy address is located 13312 bytes inside of
[   29.103275]  16384-byte region [ffff88003d8104c0, ffff88003d8144c0)
[   29.104301] The buggy address belongs to the page:
[   29.104730] page:ffffea0000f60400 count:1 mapcount:0 mapping:ffff88003d8104c0 index:0x0 compound_mapcount: 0
[   29.105595] flags: 0x100000000008100(slab|head)
[   29.106003] raw: 0100000000008100 ffff88003d8104c0 0000000000000000 0000000100000001
[   29.106686] raw: ffffea0000e35420 ffff88003e801c50 ffff88003e802200 0000000000000000
[   29.107459] page dumped because: kasan: bad access detected
[   29.108010] 
[   29.108183] Memory state around the buggy address:
[   29.108680]  ffff88003d813780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.109418]  ffff88003d813800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.110161] >ffff88003d813880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.110902]                                            ^
[   29.111446]  ffff88003d813900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.112179]  ffff88003d813980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.112920] ==================================================================
[   29.113657] Disabling lock debugging due to kernel taint
[   29.114195] Kernel panic - not syncing: panic_on_warn set ...
[   29.114195] 
[   29.115158] CPU: 1 PID: 2990 Comm: syzkaller938162 Tainted: G    B           4.13.0-rc7-next-20170829+ #11
[   29.116128] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[   29.116949] Call Trace:
[   29.117210]  dump_stack+0x194/0x257
[   29.117573]  ? arch_local_irq_restore+0x53/0x53
[   29.118044]  ? vprintk_default+0x28/0x30
[   29.118451]  ? detach_if_pending+0x4b0/0x610
[   29.118906]  panic+0x1e4/0x41c
[   29.119228]  ? refcount_error_report+0x214/0x214
[   29.119710]  ? detach_if_pending+0x557/0x610
[   29.120149]  kasan_end_report+0x50/0x50
[   29.120549]  kasan_report+0x137/0x340
[   29.120930]  __asan_report_store8_noabort+0x17/0x20
[   29.121427]  detach_if_pending+0x557/0x610
[   29.121850]  ? trace_raw_output_tick_stop+0x130/0x130
[   29.122369]  ? _raw_spin_lock_irqsave+0x9e/0xc0
[   29.122841]  ? lock_timer_base+0x1a3/0x2b0
[   29.123260]  ? lock_timer_base+0x1eb/0x2b0
[   29.123680]  ? __internal_add_timer+0x2d0/0x2d0
[   29.124145]  ? trace_hardirqs_on+0xd/0x10
[   29.124561]  try_to_del_timer_sync+0xa2/0x120
[   29.125008]  ? del_timer+0x130/0x130
[   29.125382]  ? del_timer_sync+0xeb/0x240
[   29.125792]  del_timer_sync+0x18a/0x240
[   29.126192]  tun_free_netdev+0x105/0x1b0
[   29.126583]  ? tun_xdp+0x410/0x410
[   29.126942]  ? cpumask_next+0x24/0x30
[   29.127323]  ? netdev_refcnt_read+0xed/0x150
[   29.127769]  ? tun_xdp+0x410/0x410
[   29.128129]  netdev_run_todo+0x870/0xca0
[   29.128543]  ? do_group_exit+0x149/0x400
[   29.128957]  ? register_netdev+0x30/0x30
[   29.129368]  ? lock_downgrade+0x990/0x990
[   29.129766]  ? trace_hardirqs_on+0xd/0x10
[   29.130197]  ? refcount_sub_and_test+0x115/0x1b0
[   29.130681]  ? refcount_inc+0x50/0x50
[   29.131065]  ? refcount_inc+0x50/0x50
[   29.131453]  ? sk_destruct+0x4c/0x80
[   29.131874]  ? __sk_free+0x5c/0x230
[   29.132259]  ? sk_free+0x2f/0x40
[   29.132604]  ? __tun_detach+0x176/0x1390
[   29.133014]  ? tun_attach+0xf90/0xf90
[   29.133394]  ? do_raw_spin_trylock+0x190/0x190
[   29.133924]  ? locks_remove_file+0x3fa/0x5a0
[   29.134385]  ? fcntl_setlk+0x10d0/0x10d0
[   29.134809]  ? __fsnotify_parent+0xb4/0x3a0
[   29.135142]  ? fsnotify+0x1af0/0x1af0
[   29.135397]  ? rcu_note_context_switch+0x710/0x710
[   29.135744]  ? __tun_detach+0x1390/0x1390
[   29.136239]  ? __tun_detach+0x1390/0x1390
[   29.136524]  rtnl_unlock+0xe/0x10
[   29.136761]  tun_chr_close+0x49/0x60
[   29.137017]  __fput+0x333/0x7f0
[   29.137243]  ? fput+0x140/0x140
[   29.137469]  ? check_same_owner+0x320/0x320
[   29.137764]  ? _raw_spin_unlock_irq+0x27/0x70
[   29.138073]  ____fput+0x15/0x20
[   29.138299]  task_work_run+0x199/0x270
[   29.138566]  ? task_work_cancel+0x210/0x210
[   29.138876]  ? _raw_spin_unlock+0x22/0x30
[   29.139161]  ? switch_task_namespaces+0x87/0xc0
[   29.139482]  do_exit+0xa52/0x1b40
[   29.139720]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   29.140059]  ? check_noncircular+0x20/0x20
[   29.140352]  ? __handle_mm_fault+0x587/0x39c0
[   29.140656]  ? mm_update_next_owner+0x930/0x930
[   29.140969]  ? __pmd_alloc+0x4e0/0x4e0
[   29.141241]  ? find_held_lock+0x39/0x1d0
[   29.141525]  ? lock_downgrade+0x990/0x990
[   29.141819]  ? handle_mm_fault+0x4a2/0x860
[   29.142109]  ? down_read_trylock+0xdb/0x170
[   29.142404]  ? __handle_mm_fault+0x39c0/0x39c0
[   29.142726]  ? vmacache_find+0x61/0x270
[   29.143004]  ? up_read+0x1a/0x40
[   29.143237]  ? __do_page_fault+0x35b/0xb60
[   29.143534]  ? trace_do_page_fault+0x141/0x730
[   29.143851]  ? do_page_fault+0x70/0x70
[   29.144120]  ? putname+0xf3/0x130
[   29.144361]  do_group_exit+0x149/0x400
[   29.144670]  ? lockdep_sys_exit+0x1c4/0x2b0
[   29.145017]  ? SyS_exit+0x30/0x30
[   29.145264]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   29.145615]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   29.145952]  SyS_exit_group+0x1d/0x20
[   29.146282]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   29.146609] RIP: 0033:0x438c99
[   29.146831] RSP: 002b:00007ffcba039ae8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   29.147350] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000438c99
[   29.147839] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[   29.148324] RBP: 0000000000000086 R08: 000000000000003c R09: 00000000000000e7
[   29.148816] R10: ffffffffffffffcc R11: 0000000000000246 R12: 0000000000000001
[   29.149308] R13: 00000000006cc300 R14: 0000000000402790 R15: 0000000000000000
[   29.149896] Dumping ftrace buffer:
[   29.150140]    (ftrace buffer empty)
[   29.150393] Kernel Offset: disabled
[   29.150644] Rebooting in 86400 seconds..