executing program executing program syzkaller login: [ 33.210320] ================================================================== [ 33.211144] BUG: KASAN: use-after-free in __internal_add_timer+0x275/0x2d0 [ 33.211874] Write of size 8 at addr ffff880069bfb648 by task syzkaller100300/3005 [ 33.212713] [ 33.212959] CPU: 2 PID: 3005 Comm: syzkaller100300 Not tainted 4.13.0-next-20170908+ #18 [ 33.213856] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 [ 33.214652] Call Trace: [ 33.214898] dump_stack+0x194/0x257 [ 33.215185] ? arch_local_irq_restore+0x53/0x53 [ 33.215577] ? show_regs_print_info+0x65/0x65 [ 33.215902] ? __kernel_text_address+0xae/0xe0 [ 33.216341] ? __internal_add_timer+0x275/0x2d0 [ 33.216774] print_address_description+0x73/0x250 [ 33.217253] ? __internal_add_timer+0x275/0x2d0 [ 33.217686] kasan_report+0x24e/0x340 [ 33.218084] __asan_report_store8_noabort+0x17/0x20 [ 33.218869] __internal_add_timer+0x275/0x2d0 [ 33.219345] ? calc_wheel_index+0x200/0x200 [ 33.219753] mod_timer+0x622/0x15b0 [ 33.220162] ? mod_timer_pending+0x14e0/0x14e0 [ 33.220586] ? __lock_is_held+0xbc/0x140 [ 33.220976] ? __lock_is_held+0xbc/0x140 [ 33.221363] ? __lockdep_init_map+0xe4/0x650 [ 33.221777] ? lockdep_init_map+0x3d/0x70 [ 33.222164] ? rcu_read_lock_sched_held+0x108/0x120 [ 33.222521] ? init_timer_key+0x126/0x3b0 [ 33.222825] ? try_to_del_timer_sync+0x120/0x120 [ 33.223351] ? round_jiffies_up+0xce/0x100 [ 33.223746] ? __round_jiffies_up_relative+0x150/0x150 [ 33.224119] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 33.224468] ? selinux_tun_dev_alloc_security+0x124/0x170 [ 33.224873] __tun_chr_ioctl+0x1b23/0x3d20 [ 33.225628] ? tun_chr_read_iter+0x1e0/0x1e0 [ 33.226071] ? lock_downgrade+0x990/0x990 [ 33.226388] ? check_same_owner+0x320/0x320 [ 33.226695] ? __handle_mm_fault+0x39c0/0x39c0 [ 33.227101] ? vmacache_find+0x61/0x270 [ 33.227479] ? tun_chr_compat_ioctl+0x30/0x30 [ 33.227898] tun_chr_ioctl+0x2a/0x40 [ 33.228244] ? tun_chr_ioctl+0x2a/0x40 [ 33.228611] do_vfs_ioctl+0x1b1/0x1530 [ 33.228893] ? ioctl_preallocate+0x2b0/0x2b0 [ 33.229328] ? selinux_capable+0x40/0x40 [ 33.229615] ? putname+0xf3/0x130 [ 33.229860] ? do_sys_open+0x320/0x6d0 [ 33.230148] ? security_file_ioctl+0x7d/0xb0 [ 33.230459] ? security_file_ioctl+0x89/0xb0 [ 33.230780] SyS_ioctl+0x8f/0xc0 [ 33.231033] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 33.231474] RIP: 0033:0x438fd9 [ 33.231702] RSP: 002b:00007fff8f8e1e08 EFLAGS: 00000206 ORIG_RAX: 0000000000000010 [ 33.232396] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000438fd9 [ 33.232948] RDX: 0000000020fbcfd8 RSI: 00000000400454ca RDI: 0000000000000004 [ 33.233627] RBP: 0000000000000082 R08: 00000000000000fd R09: 0000000000000000 [ 33.234299] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000 [ 33.234970] R13: 0000000000401c30 R14: 0000000000401cc0 R15: 0000000000000000 [ 33.235656] [ 33.235815] Allocated by task 3005: [ 33.236157] save_stack_trace+0x16/0x20 [ 33.236527] save_stack+0x43/0xd0 [ 33.236851] kasan_kmalloc+0xad/0xe0 [ 33.237211] __kmalloc_node+0x47/0x70 [ 33.237564] kvmalloc_node+0x64/0xd0 [ 33.237832] alloc_netdev_mqs+0x16e/0xed0 [ 33.238128] __tun_chr_ioctl+0x12be/0x3d20 [ 33.238430] tun_chr_ioctl+0x2a/0x40 [ 33.238698] do_vfs_ioctl+0x1b1/0x1530 [ 33.238982] SyS_ioctl+0x8f/0xc0 [ 33.239242] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 33.239575] [ 33.239698] Freed by task 3005: [ 33.239936] save_stack_trace+0x16/0x20 [ 33.240223] save_stack+0x43/0xd0 [ 33.240469] kasan_slab_free+0x71/0xc0 [ 33.240747] kfree+0xca/0x250 [ 33.240979] kvfree+0x36/0x60 [ 33.241224] free_netdev+0x2cf/0x360 [ 33.241492] __tun_chr_ioctl+0x2cf6/0x3d20 [ 33.241792] tun_chr_ioctl+0x2a/0x40 [ 33.242109] do_vfs_ioctl+0x1b1/0x1530 [ 33.242471] SyS_ioctl+0x8f/0xc0 [ 33.242713] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 33.243159] [ 33.243317] The buggy address belongs to the object at ffff880069bf8240 [ 33.243317] which belongs to the cache kmalloc-16384 of size 16384 [ 33.244514] The buggy address is located 13320 bytes inside of [ 33.244514] 16384-byte region [ffff880069bf8240, ffff880069bfc240) [ 33.245639] The buggy address belongs to the page: [ 33.246567] page:ffffea0001a6fe00 count:1 mapcount:0 mapping:ffff880069bf8240 index:0x0 compound_mapcount: 0 [ 33.247492] flags: 0x500000000008100(slab|head) [ 33.247929] raw: 0500000000008100 ffff880069bf8240 0000000000000000 0000000100000001 [ 33.248648] raw: ffffea0001adcc20 ffffea0001a80020 ffff88003e802200 0000000000000000 [ 33.249394] page dumped because: kasan: bad access detected [ 33.249918] [ 33.250074] Memory state around the buggy address: [ 33.250527] ffff880069bfb500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 33.251197] ffff880069bfb580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 33.251871] >ffff880069bfb600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 33.252545] ^ [ 33.253073] ffff880069bfb680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 33.253763] ffff880069bfb700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 33.254437] ================================================================== [ 33.255106] Disabling lock debugging due to kernel taint [ 33.255601] Kernel panic - not syncing: panic_on_warn set ... [ 33.255601] [ 33.256275] CPU: 2 PID: 3005 Comm: syzkaller100300 Tainted: G B 4.13.0-next-20170908+ #18 [ 33.257129] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 [ 33.257855] Call Trace: [ 33.258093] dump_stack+0x194/0x257 [ 33.258407] ? arch_local_irq_restore+0x53/0x53 [ 33.258821] ? vprintk_default+0x28/0x30 [ 33.259163] ? __internal_add_timer+0x270/0x2d0 [ 33.259537] panic+0x1e4/0x417 [ 33.259797] ? __warn+0x1d9/0x1d9 [ 33.260085] ? __internal_add_timer+0x275/0x2d0 [ 33.260463] kasan_end_report+0x50/0x50 [ 33.260786] kasan_report+0x137/0x340 [ 33.261097] __asan_report_store8_noabort+0x17/0x20 [ 33.261533] __internal_add_timer+0x275/0x2d0 [ 33.261916] ? calc_wheel_index+0x200/0x200 [ 33.262291] mod_timer+0x622/0x15b0 [ 33.262600] ? mod_timer_pending+0x14e0/0x14e0 [ 33.262981] ? __lock_is_held+0xbc/0x140 [ 33.263327] ? __lock_is_held+0xbc/0x140 [ 33.263665] ? __lockdep_init_map+0xe4/0x650 [ 33.264034] ? lockdep_init_map+0x3d/0x70 [ 33.264378] ? rcu_read_lock_sched_held+0x108/0x120 [ 33.264792] ? init_timer_key+0x126/0x3b0 [ 33.265133] ? try_to_del_timer_sync+0x120/0x120 [ 33.265512] ? round_jiffies_up+0xce/0x100 [ 33.265845] ? __round_jiffies_up_relative+0x150/0x150 [ 33.266263] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 33.266653] ? selinux_tun_dev_alloc_security+0x124/0x170 [ 33.267095] __tun_chr_ioctl+0x1b23/0x3d20 [ 33.267435] ? tun_chr_read_iter+0x1e0/0x1e0 [ 33.267807] ? lock_downgrade+0x990/0x990 [ 33.268166] ? check_same_owner+0x320/0x320 [ 33.268763] ? __handle_mm_fault+0x39c0/0x39c0 [ 33.269132] ? vmacache_find+0x61/0x270 [ 33.269464] ? tun_chr_compat_ioctl+0x30/0x30 [ 33.269809] tun_chr_ioctl+0x2a/0x40 [ 33.270095] ? tun_chr_ioctl+0x2a/0x40 [ 33.270395] do_vfs_ioctl+0x1b1/0x1530 [ 33.270694] ? ioctl_preallocate+0x2b0/0x2b0 [ 33.271037] ? selinux_capable+0x40/0x40 [ 33.271550] ? putname+0xf3/0x130 [ 33.271865] ? do_sys_open+0x320/0x6d0 [ 33.273220] ? security_file_ioctl+0x7d/0xb0 [ 33.273485] ? security_file_ioctl+0x89/0xb0 [ 33.273744] SyS_ioctl+0x8f/0xc0 [ 33.273946] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 33.274225] RIP: 0033:0x438fd9 [ 33.274411] RSP: 002b:00007fff8f8e1e08 EFLAGS: 00000206 ORIG_RAX: 0000000000000010 [ 33.274855] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000438fd9 [ 33.275275] RDX: 0000000020fbcfd8 RSI: 00000000400454ca RDI: 0000000000000004 [ 33.275695] RBP: 0000000000000082 R08: 00000000000000fd R09: 0000000000000000 [ 33.276118] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000 [ 33.276539] R13: 0000000000401c30 R14: 0000000000401cc0 R15: 0000000000000000 [ 33.277053] Dumping ftrace buffer: [ 33.277347] (ftrace buffer empty) [ 33.277694] Kernel Offset: disabled [ 33.278038] Rebooting in 86400 seconds..