Debian GNU/Linux 7 syzkaller ttyS0

net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
executing program
syzkaller login: [   23.348554] ==================================================================
[   23.349393] BUG: KASAN: use-after-free in detach_if_pending+0x557/0x610
[   23.350100] Write of size 8 at addr ffff88003d0236c0 by task syzkaller091500/3000
[   23.350900] 
[   23.351086] CPU: 0 PID: 3000 Comm: syzkaller091500 Not tainted 4.13.0-next-20170905+ #15
[   23.351986] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[   23.353151] Call Trace:
[   23.357437]  dump_stack+0x194/0x257
[   23.358352]  ? arch_local_irq_restore+0x53/0x53
[   23.359195]  ? show_regs_print_info+0x65/0x65
[   23.360035]  ? lock_timer_base+0x1a3/0x2b0
[   23.360817]  ? detach_if_pending+0x557/0x610
[   23.361667]  print_address_description+0x73/0x250
[   23.362544]  ? detach_if_pending+0x557/0x610
[   23.363379]  kasan_report+0x24e/0x340
[   23.364458]  __asan_report_store8_noabort+0x17/0x20
[   23.366135]  detach_if_pending+0x557/0x610
[   23.367579]  ? trace_raw_output_tick_stop+0x130/0x130
[   23.369332]  ? _raw_spin_lock_irqsave+0x9e/0xc0
[   23.371390]  ? lock_timer_base+0x1a3/0x2b0
[   23.371904]  ? lock_timer_base+0x1eb/0x2b0
[   23.376191]  ? __internal_add_timer+0x2d0/0x2d0
[   23.376597]  ? trace_hardirqs_on+0xd/0x10
[   23.376994]  try_to_del_timer_sync+0xa2/0x120
[   23.377411]  ? del_timer+0x130/0x130
[   23.377828]  ? del_timer_sync+0xeb/0x240
[   23.378607]  del_timer_sync+0x18a/0x240
[   23.379357]  tun_free_netdev+0x105/0x1b0
[   23.380113]  ? tun_xdp+0x410/0x410
[   23.382521]  ? cpumask_next+0x24/0x30
[   23.383246]  ? netdev_refcnt_read+0xed/0x150
[   23.384074]  ? tun_xdp+0x410/0x410
[   23.384737]  netdev_run_todo+0x870/0xca0
[   23.393507]  ? do_group_exit+0x149/0x400
[   23.393888]  ? register_netdev+0x30/0x30
[   23.394364]  ? lock_downgrade+0x990/0x990
[   23.395148]  ? trace_hardirqs_on+0xd/0x10
[   23.395972]  ? refcount_sub_and_test+0x115/0x1b0
[   23.396884]  ? refcount_inc+0x50/0x50
[   23.397661]  ? refcount_inc+0x50/0x50
[   23.398417]  ? sk_destruct+0x4c/0x80
[   23.399159]  ? __sk_free+0x5c/0x230
[   23.399875]  ? sk_free+0x2f/0x40
[   23.400518]  ? __tun_detach+0x176/0x1390
[   23.401305]  ? tun_attach+0xf90/0xf90
[   23.402071]  ? locks_remove_file+0x3fa/0x5a0
[   23.402964]  ? fcntl_setlk+0x10d0/0x10d0
[   23.403756]  ? __fsnotify_parent+0xb4/0x3a0
[   23.404578]  ? fsnotify+0x1af0/0x1af0
[   23.405307]  ? __tun_detach+0x1390/0x1390
[   23.408700]  ? __tun_detach+0x1390/0x1390
[   23.409501]  rtnl_unlock+0xe/0x10
[   23.410173]  tun_chr_close+0x49/0x60
[   23.412154]  __fput+0x333/0x7f0
[   23.412787]  ? fput+0x140/0x140
[   23.427616]  ? check_same_owner+0x320/0x320
[   23.428080]  ____fput+0x15/0x20
[   23.428422]  task_work_run+0x199/0x270
[   23.428829]  ? task_work_cancel+0x210/0x210
[   23.429272]  ? free_nsproxy+0x185/0x1f0
[   23.429695]  ? switch_task_namespaces+0xa2/0xc0
[   23.430178]  do_exit+0xa52/0x1b40
[   23.430532]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   23.431053]  ? check_noncircular+0x20/0x20
[   23.431501]  ? __handle_mm_fault+0x587/0x39c0
[   23.431967]  ? mm_update_next_owner+0x930/0x930
[   23.432454]  ? __pmd_alloc+0x4e0/0x4e0
[   23.432883]  ? find_held_lock+0x39/0x1d0
[   23.433336]  ? lock_downgrade+0x990/0x990
[   23.433797]  ? handle_mm_fault+0x4a2/0x860
[   23.434541]  ? down_read_trylock+0xdb/0x170
[   23.434935]  ? __handle_mm_fault+0x39c0/0x39c0
[   23.435370]  ? vmacache_find+0x61/0x270
[   23.435792]  ? vmacache_update+0xfe/0x130
[   23.436226]  ? up_read+0x1a/0x40
[   23.436573]  ? __do_page_fault+0x35b/0xb60
[   23.437892]  ? do_page_fault+0xee/0x720
[   23.438656]  ? __do_page_fault+0xb60/0xb60
[   23.440948]  ? putname+0xf3/0x130
[   23.441736]  do_group_exit+0x149/0x400
[   23.442217]  ? lockdep_sys_exit+0x47/0xf0
[   23.442619]  ? SyS_exit+0x30/0x30
[   23.443005]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   23.443557]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   23.446937]  SyS_exit_group+0x1d/0x20
[   23.447547]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   23.450091] RIP: 0033:0x43a069
[   23.450700] RSP: 002b:00007ffd731d45b8 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7
[   23.451522] RAX: ffffffffffffffda RBX: 00000000ffffffff RCX: 000000000043a069
[   23.452282] RDX: 000000000043a069 RSI: 0000000020115000 RDI: 0000000000000001
[   23.453053] RBP: 0000000000000082 R08: 0000000000000000 R09: 00000000ffffffff
[   23.453818] R10: 00000000000000fd R11: 0000000000000206 R12: 0000000000000000
[   23.455730] R13: 00000000004023a0 R14: 0000000000402430 R15: 0000000000000000
[   23.461664] 
[   23.461875] Allocated by task 3000:
[   23.462563]  save_stack_trace+0x16/0x20
[   23.469155]  save_stack+0x43/0xd0
[   23.469539]  kasan_kmalloc+0xad/0xe0
[   23.472895]  __kmalloc_node+0x47/0x70
[   23.473458]  kvmalloc_node+0x64/0xd0
[   23.473972]  alloc_netdev_mqs+0x16e/0xed0
[   23.474587]  __tun_chr_ioctl+0x12be/0x3d20
[   23.475109]  tun_chr_ioctl+0x2a/0x40
[   23.475613]  do_vfs_ioctl+0x1b1/0x1530
[   23.477977]  SyS_ioctl+0x8f/0xc0
[   23.478544]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   23.478972] 
[   23.479178] Freed by task 3000:
[   23.479586]  save_stack_trace+0x16/0x20
[   23.479942]  save_stack+0x43/0xd0
[   23.480306]  kasan_slab_free+0x71/0xc0
[   23.480743]  kfree+0xca/0x250
[   23.481088]  kvfree+0x36/0x60
[   23.481398]  free_netdev+0x2cf/0x360
[   23.481786]  __tun_chr_ioctl+0x2cf6/0x3d20
[   23.482199]  tun_chr_ioctl+0x2a/0x40
[   23.482605]  do_vfs_ioctl+0x1b1/0x1530
[   23.482947]  SyS_ioctl+0x8f/0xc0
[   23.483296]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   23.483781] 
[   23.483932] The buggy address belongs to the object at ffff88003d0202c0
[   23.483932]  which belongs to the cache kmalloc-16384 of size 16384
[   23.485127] The buggy address is located 13312 bytes inside of
[   23.485127]  16384-byte region [ffff88003d0202c0, ffff88003d0242c0)
[   23.487024] The buggy address belongs to the page:
[   23.488802] page:ffffea0000f40800 count:1 mapcount:0 mapping:ffff88003d0202c0 index:0x0 compound_mapcount: 0
[   23.491149] flags: 0x100000000008100(slab|head)
[   23.492219] raw: 0100000000008100 ffff88003d0202c0 0000000000000000 0000000100000001
[   23.494967] raw: ffffea0000f79420 ffff88003e801c50 ffff88003e802200 0000000000000000
[   23.499758] page dumped because: kasan: bad access detected
[   23.507977] 
[   23.508882] Memory state around the buggy address:
[   23.513761]  ffff88003d023580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.515778]  ffff88003d023600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.517311] >ffff88003d023680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.520508]                                            ^
[   23.521340]  ffff88003d023700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.522443]  ffff88003d023780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.523330] ==================================================================
[   23.524094] Disabling lock debugging due to kernel taint
[   23.525038] Kernel panic - not syncing: panic_on_warn set ...
[   23.525038] 
[   23.526334] CPU: 0 PID: 3000 Comm: syzkaller091500 Tainted: G    B           4.13.0-next-20170905+ #15
[   23.527458] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[   23.528599] Call Trace:
[   23.529058]  dump_stack+0x194/0x257
[   23.529622]  ? arch_local_irq_restore+0x53/0x53
[   23.530397]  ? vprintk_default+0x28/0x30
[   23.530988]  ? detach_if_pending+0x530/0x610
[   23.531700]  panic+0x1e4/0x417
[   23.532183]  ? __warn+0x1d9/0x1d9
[   23.532720]  ? detach_if_pending+0x557/0x610
[   23.533361]  kasan_end_report+0x50/0x50
[   23.533813]  kasan_report+0x137/0x340
[   23.534285]  __asan_report_store8_noabort+0x17/0x20
[   23.534825]  detach_if_pending+0x557/0x610
[   23.535566]  ? trace_raw_output_tick_stop+0x130/0x130
[   23.536277]  ? _raw_spin_lock_irqsave+0x9e/0xc0
[   23.537025]  ? lock_timer_base+0x1a3/0x2b0
[   23.537571]  ? lock_timer_base+0x1eb/0x2b0
[   23.538285]  ? __internal_add_timer+0x2d0/0x2d0
[   23.539026]  ? trace_hardirqs_on+0xd/0x10
[   23.539719]  try_to_del_timer_sync+0xa2/0x120
[   23.541253]  ? del_timer+0x130/0x130
[   23.541873]  ? del_timer_sync+0xeb/0x240
[   23.542309]  del_timer_sync+0x18a/0x240
[   23.542727]  tun_free_netdev+0x105/0x1b0
[   23.543153]  ? tun_xdp+0x410/0x410
[   23.543713]  ? cpumask_next+0x24/0x30
[   23.544387]  ? netdev_refcnt_read+0xed/0x150
[   23.545083]  ? tun_xdp+0x410/0x410
[   23.545643]  netdev_run_todo+0x870/0xca0
[   23.546308]  ? do_group_exit+0x149/0x400
[   23.547249]  ? register_netdev+0x30/0x30
[   23.547909]  ? lock_downgrade+0x990/0x990
[   23.548322]  ? trace_hardirqs_on+0xd/0x10
[   23.548719]  ? refcount_sub_and_test+0x115/0x1b0
[   23.549169]  ? refcount_inc+0x50/0x50
[   23.549545]  ? refcount_inc+0x50/0x50
[   23.549910]  ? sk_destruct+0x4c/0x80
[   23.550296]  ? __sk_free+0x5c/0x230
[   23.550670]  ? sk_free+0x2f/0x40
[   23.550998]  ? __tun_detach+0x176/0x1390
[   23.551495]  ? tun_attach+0xf90/0xf90
[   23.552024]  ? locks_remove_file+0x3fa/0x5a0
[   23.552634]  ? fcntl_setlk+0x10d0/0x10d0
[   23.553433]  ? __fsnotify_parent+0xb4/0x3a0
[   23.554277]  ? fsnotify+0x1af0/0x1af0
[   23.554686]  ? __tun_detach+0x1390/0x1390
[   23.555471]  ? __tun_detach+0x1390/0x1390
[   23.556117]  rtnl_unlock+0xe/0x10
[   23.556759]  tun_chr_close+0x49/0x60
[   23.557329]  __fput+0x333/0x7f0
[   23.557869]  ? fput+0x140/0x140
[   23.558414]  ? check_same_owner+0x320/0x320
[   23.559112]  ____fput+0x15/0x20
[   23.559664]  task_work_run+0x199/0x270
[   23.560327]  ? task_work_cancel+0x210/0x210
[   23.561040]  ? free_nsproxy+0x185/0x1f0
[   23.562210]  ? switch_task_namespaces+0xa2/0xc0
[   23.562840]  do_exit+0xa52/0x1b40
[   23.563255]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   23.563798]  ? check_noncircular+0x20/0x20
[   23.564585]  ? __handle_mm_fault+0x587/0x39c0
[   23.565310]  ? mm_update_next_owner+0x930/0x930
[   23.566069]  ? __pmd_alloc+0x4e0/0x4e0
[   23.566715]  ? find_held_lock+0x39/0x1d0
[   23.567174]  ? lock_downgrade+0x990/0x990
[   23.567906]  ? handle_mm_fault+0x4a2/0x860
[   23.568610]  ? down_read_trylock+0xdb/0x170
[   23.569078]  ? __handle_mm_fault+0x39c0/0x39c0
[   23.569568]  ? vmacache_find+0x61/0x270
[   23.569989]  ? vmacache_update+0xfe/0x130
[   23.570881]  ? up_read+0x1a/0x40
[   23.571481]  ? __do_page_fault+0x35b/0xb60
[   23.572153]  ? do_page_fault+0xee/0x720
[   23.572549]  ? __do_page_fault+0xb60/0xb60
[   23.572966]  ? putname+0xf3/0x130
[   23.573324]  do_group_exit+0x149/0x400
[   23.573714]  ? lockdep_sys_exit+0x47/0xf0
[   23.574132]  ? SyS_exit+0x30/0x30
[   23.574476]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   23.574982]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   23.575596]  SyS_exit_group+0x1d/0x20
[   23.576006]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   23.576499] RIP: 0033:0x43a069
[   23.576829] RSP: 002b:00007ffd731d45b8 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7
[   23.577609] RAX: ffffffffffffffda RBX: 00000000ffffffff RCX: 000000000043a069
[   23.578322] RDX: 000000000043a069 RSI: 0000000020115000 RDI: 0000000000000001
[   23.579059] RBP: 0000000000000082 R08: 0000000000000000 R09: 00000000ffffffff
[   23.579797] R10: 00000000000000fd R11: 0000000000000206 R12: 0000000000000000
[   23.580652] R13: 00000000004023a0 R14: 0000000000402430 R15: 0000000000000000
[   23.582158] Dumping ftrace buffer:
[   23.584040]    (ftrace buffer empty)
[   23.584505] Kernel Offset: disabled
[   23.585219] Rebooting in 86400 seconds..