INIT: Entering runlevel: 2

[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-kasan-gce-386-0,10.128.0.23' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
executing program
syzkaller login: [   32.572451] ==================================================================
[   32.579880] BUG: KASAN: use-after-free in detach_if_pending+0x557/0x610
[   32.586610] Write of size 8 at addr ffff8801ce19b780 by task syzkaller522113/2981
[   32.594198] 
[   32.595797] CPU: 0 PID: 2981 Comm: syzkaller522113 Not tainted 4.14.0-rc2+ #20
[   32.603539] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.612862] Call Trace:
[   32.615420]  dump_stack+0x194/0x257
[   32.619019]  ? arch_local_irq_restore+0x53/0x53
[   32.623656]  ? show_regs_print_info+0x65/0x65
[   32.628122]  ? lock_timer_base+0x1a3/0x2b0
[   32.632337]  ? detach_if_pending+0x557/0x610
[   32.636718]  print_address_description+0x73/0x250
[   32.641527]  ? detach_if_pending+0x557/0x610
[   32.645903]  kasan_report+0x25b/0x340
[   32.649675]  __asan_report_store8_noabort+0x17/0x20
[   32.654665]  detach_if_pending+0x557/0x610
[   32.658876]  ? trace_raw_output_tick_stop+0x130/0x130
[   32.664042]  ? _raw_spin_lock_irqsave+0x9e/0xc0
[   32.668688]  ? lock_timer_base+0x1a3/0x2b0
[   32.672901]  ? lock_timer_base+0x1eb/0x2b0
[   32.677111]  ? __internal_add_timer+0x2d0/0x2d0
[   32.681754]  ? trace_hardirqs_on+0xd/0x10
[   32.685879]  try_to_del_timer_sync+0xa2/0x120
[   32.690343]  ? del_timer+0x130/0x130
[   32.694026]  ? del_timer_sync+0xeb/0x240
[   32.698064]  del_timer_sync+0x18a/0x240
[   32.702010]  tun_free_netdev+0x105/0x1b0
[   32.706057]  ? tun_xdp+0x410/0x410
[   32.709567]  ? cpumask_next+0x24/0x30
[   32.713338]  ? netdev_refcnt_read+0xed/0x150
[   32.717719]  ? tun_xdp+0x410/0x410
[   32.721227]  netdev_run_todo+0x870/0xca0
[   32.725258]  ? do_group_exit+0x149/0x400
[   32.729292]  ? register_netdev+0x30/0x30
[   32.733323]  ? lock_downgrade+0x990/0x990
[   32.737438]  ? trace_hardirqs_on+0xd/0x10
[   32.741574]  ? refcount_sub_and_test+0x115/0x1b0
[   32.746300]  ? refcount_inc+0x50/0x50
[   32.750069]  ? refcount_inc+0x50/0x50
[   32.753844]  ? sk_destruct+0x4c/0x80
[   32.757526]  ? __sk_free+0x5c/0x230
[   32.761122]  ? sk_free+0x2f/0x40
[   32.764458]  ? __tun_detach+0x176/0x1390
[   32.768499]  ? tun_attach+0xf90/0xf90
[   32.772279]  ? locks_remove_file+0x3fa/0x5a0
[   32.776659]  ? fcntl_setlk+0x10d0/0x10d0
[   32.780710]  ? __fsnotify_parent+0xb4/0x3a0
[   32.785002]  ? fsnotify+0x1af0/0x1af0
[   32.788777]  ? __tun_detach+0x1390/0x1390
[   32.792893]  ? __tun_detach+0x1390/0x1390
[   32.797010]  rtnl_unlock+0xe/0x10
[   32.800430]  tun_chr_close+0x49/0x60
[   32.804111]  __fput+0x333/0x7f0
[   32.807364]  ? fput+0x140/0x140
[   32.810613]  ? check_same_owner+0x320/0x320
[   32.814909]  ____fput+0x15/0x20
[   32.818157]  task_work_run+0x199/0x270
[   32.822017]  ? task_work_cancel+0x210/0x210
[   32.826309]  ? free_nsproxy+0x185/0x1f0
[   32.830252]  ? switch_task_namespaces+0xa2/0xc0
[   32.834892]  do_exit+0x9d2/0x1af0
[   32.838321]  ? trace_hardirqs_on+0xd/0x10
[   32.842443]  ? mm_update_next_owner+0x930/0x930
[   32.847081]  ? lock_acquire+0x1d5/0x580
[   32.851026]  ? __handle_mm_fault+0xf07/0x39c0
[   32.855498]  ? lock_release+0xd70/0xd70
[   32.859439]  ? check_noncircular+0x20/0x20
[   32.863645]  ? kvfree+0x3b/0x60
[   32.866900]  ? rtnl_unlock+0xe/0x10
[   32.870500]  ? check_noncircular+0x20/0x20
[   32.874708]  ? __handle_mm_fault+0x587/0x39c0
[   32.879179]  ? __pmd_alloc+0x4e0/0x4e0
[   32.883047]  ? find_held_lock+0x39/0x1d0
[   32.887087]  ? lock_downgrade+0x990/0x990
[   32.891227]  do_group_exit+0x149/0x400
[   32.895081]  ? __handle_mm_fault+0x39c0/0x39c0
[   32.899631]  ? vmacache_find+0x5f/0x280
[   32.903573]  ? SyS_exit+0x30/0x30
[   32.907002]  ? do_fast_syscall_32+0x158/0xf05
[   32.911467]  ? do_group_exit+0x400/0x400
[   32.915500]  SyS_exit_group+0x1d/0x20
[   32.919268]  do_fast_syscall_32+0x3f2/0xf05
[   32.923567]  ? do_int80_syscall_32+0x940/0x940
[   32.928122]  ? lockdep_sys_exit+0x47/0xf0
[   32.932241]  ? syscall_return_slowpath+0x2b3/0x510
[   32.937136]  ? finish_task_switch+0x1aa/0x740
[   32.941605]  ? lockdep_sys_exit+0x47/0xf0
[   32.945720]  ? retint_user+0x18/0x20
[   32.949407]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   32.954226]  entry_SYSENTER_compat+0x51/0x60
[   32.958602] RIP: 0023:0xf7f41c79
[   32.961934] RSP: 002b:000000000820fe2c EFLAGS: 00000202 ORIG_RAX: 00000000000000fc
[   32.969614] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000000000
[   32.976852] RDX: 0000000000000001 RSI: 0000000020001fd8 RDI: 00000000400454ca
[   32.984097] RBP: 0000000008072ca6 R08: 0000000000000000 R09: 0000000000000000
[   32.991336] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   32.998574] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   33.005830] 
[   33.007427] Allocated by task 2981:
[   33.011024]  save_stack_trace+0x16/0x20
[   33.014966]  save_stack+0x43/0xd0
[   33.018385]  kasan_kmalloc+0xad/0xe0
[   33.022070]  __kmalloc_node+0x47/0x70
[   33.025837]  kvmalloc_node+0x64/0xd0
[   33.029519]  alloc_netdev_mqs+0x16e/0xed0
[   33.033634]  __tun_chr_ioctl+0x12be/0x3d20
[   33.037837]  tun_chr_compat_ioctl+0x29/0x30
[   33.042125]  compat_SyS_ioctl+0x1d7/0x3290
[   33.046326]  do_fast_syscall_32+0x3f2/0xf05
[   33.050617]  entry_SYSENTER_compat+0x51/0x60
[   33.054987] 
[   33.056580] Freed by task 2981:
[   33.059827]  save_stack_trace+0x16/0x20
[   33.063766]  save_stack+0x43/0xd0
[   33.067185]  kasan_slab_free+0x71/0xc0
[   33.071036]  kfree+0xca/0x250
[   33.074108]  kvfree+0x36/0x60
[   33.077179]  free_netdev+0x2cf/0x360
[   33.080858]  __tun_chr_ioctl+0x2cf6/0x3d20
[   33.085059]  tun_chr_compat_ioctl+0x29/0x30
[   33.089345]  compat_SyS_ioctl+0x1d7/0x3290
[   33.093546]  do_fast_syscall_32+0x3f2/0xf05
[   33.097833]  entry_SYSENTER_compat+0x51/0x60
[   33.102203] 
[   33.103799] The buggy address belongs to the object at ffff8801ce198380
[   33.103799]  which belongs to the cache kmalloc-16384 of size 16384
[   33.116766] The buggy address is located 13312 bytes inside of
[   33.116766]  16384-byte region [ffff8801ce198380, ffff8801ce19c380)
[   33.128950] The buggy address belongs to the page:
[   33.133845] page:ffffea0007386600 count:1 mapcount:0 mapping:ffff8801ce198380 index:0x0 compound_mapcount: 0
[   33.143786] flags: 0x200000000008100(slab|head)
[   33.148424] raw: 0200000000008100 ffff8801ce198380 0000000000000000 0000000100000001
[   33.156270] raw: ffffea0007374820 ffff8801dac01c50 ffff8801dac02200 0000000000000000
[   33.164114] page dumped because: kasan: bad access detected
[   33.169788] 
[   33.171383] Memory state around the buggy address:
[   33.176279]  ffff8801ce19b680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.183605]  ffff8801ce19b700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.190929] >ffff8801ce19b780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.198255]                    ^
[   33.201591]  ffff8801ce19b800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.208916]  ffff8801ce19b880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.216241] ==================================================================
[   33.223568] Disabling lock debugging due to kernel taint
[   33.228983] Kernel panic - not syncing: panic_on_warn set ...
[   33.228983] 
[   33.236315] CPU: 0 PID: 2981 Comm: syzkaller522113 Tainted: G    B           4.14.0-rc2+ #20
[   33.244848] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.254162] Call Trace:
[   33.256711]  dump_stack+0x194/0x257
[   33.260301]  ? arch_local_irq_restore+0x53/0x53
[   33.264935]  ? vprintk_default+0x28/0x30
[   33.268962]  ? detach_if_pending+0x4d0/0x610
[   33.273336]  panic+0x1e4/0x417
[   33.276491]  ? __warn+0x1d9/0x1d9
[   33.279914]  ? detach_if_pending+0x557/0x610
[   33.284284]  kasan_end_report+0x50/0x50
[   33.288222]  kasan_report+0x144/0x340
[   33.291987]  __asan_report_store8_noabort+0x17/0x20
[   33.296964]  detach_if_pending+0x557/0x610
[   33.301167]  ? trace_raw_output_tick_stop+0x130/0x130
[   33.306321]  ? _raw_spin_lock_irqsave+0x9e/0xc0
[   33.310955]  ? lock_timer_base+0x1a3/0x2b0
[   33.315153]  ? lock_timer_base+0x1eb/0x2b0
[   33.319354]  ? __internal_add_timer+0x2d0/0x2d0
[   33.323989]  ? trace_hardirqs_on+0xd/0x10
[   33.328103]  try_to_del_timer_sync+0xa2/0x120
[   33.332564]  ? del_timer+0x130/0x130
[   33.336252]  ? del_timer_sync+0xeb/0x240
[   33.340278]  del_timer_sync+0x18a/0x240
[   33.344215]  tun_free_netdev+0x105/0x1b0
[   33.348237]  ? tun_xdp+0x410/0x410
[   33.351738]  ? cpumask_next+0x24/0x30
[   33.355502]  ? netdev_refcnt_read+0xed/0x150
[   33.359873]  ? tun_xdp+0x410/0x410
[   33.363374]  netdev_run_todo+0x870/0xca0
[   33.367397]  ? do_group_exit+0x149/0x400
[   33.371423]  ? register_netdev+0x30/0x30
[   33.375449]  ? lock_downgrade+0x990/0x990
[   33.379559]  ? trace_hardirqs_on+0xd/0x10
[   33.383681]  ? refcount_sub_and_test+0x115/0x1b0
[   33.388397]  ? refcount_inc+0x50/0x50
[   33.392159]  ? refcount_inc+0x50/0x50
[   33.395924]  ? sk_destruct+0x4c/0x80
[   33.399599]  ? __sk_free+0x5c/0x230
[   33.403191]  ? sk_free+0x2f/0x40
[   33.406522]  ? __tun_detach+0x176/0x1390
[   33.410549]  ? tun_attach+0xf90/0xf90
[   33.414317]  ? locks_remove_file+0x3fa/0x5a0
[   33.418691]  ? fcntl_setlk+0x10d0/0x10d0
[   33.422717]  ? __fsnotify_parent+0xb4/0x3a0
[   33.427002]  ? fsnotify+0x1af0/0x1af0
[   33.430766]  ? __tun_detach+0x1390/0x1390
[   33.434876]  ? __tun_detach+0x1390/0x1390
[   33.438987]  rtnl_unlock+0xe/0x10
[   33.442403]  tun_chr_close+0x49/0x60
[   33.446082]  __fput+0x333/0x7f0
[   33.449327]  ? fput+0x140/0x140
[   33.452571]  ? check_same_owner+0x320/0x320
[   33.456858]  ____fput+0x15/0x20
[   33.460101]  task_work_run+0x199/0x270
[   33.463952]  ? task_work_cancel+0x210/0x210
[   33.468236]  ? free_nsproxy+0x185/0x1f0
[   33.472184]  ? switch_task_namespaces+0xa2/0xc0
[   33.476816]  do_exit+0x9d2/0x1af0
[   33.480232]  ? trace_hardirqs_on+0xd/0x10
[   33.484344]  ? mm_update_next_owner+0x930/0x930
[   33.488976]  ? lock_acquire+0x1d5/0x580
[   33.492913]  ? __handle_mm_fault+0xf07/0x39c0
[   33.497374]  ? lock_release+0xd70/0xd70
[   33.501311]  ? check_noncircular+0x20/0x20
[   33.505509]  ? kvfree+0x3b/0x60
[   33.508756]  ? rtnl_unlock+0xe/0x10
[   33.512345]  ? check_noncircular+0x20/0x20
[   33.516544]  ? __handle_mm_fault+0x587/0x39c0
[   33.521003]  ? __pmd_alloc+0x4e0/0x4e0
[   33.524857]  ? find_held_lock+0x39/0x1d0
[   33.528884]  ? lock_downgrade+0x990/0x990
[   33.533007]  do_group_exit+0x149/0x400
[   33.536856]  ? __handle_mm_fault+0x39c0/0x39c0
[   33.541401]  ? vmacache_find+0x5f/0x280
[   33.545335]  ? SyS_exit+0x30/0x30
[   33.548753]  ? do_fast_syscall_32+0x158/0xf05
[   33.553210]  ? do_group_exit+0x400/0x400
[   33.557235]  SyS_exit_group+0x1d/0x20
[   33.560998]  do_fast_syscall_32+0x3f2/0xf05
[   33.565285]  ? do_int80_syscall_32+0x940/0x940
[   33.569832]  ? lockdep_sys_exit+0x47/0xf0