INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-mmots-kasan-gce-0,10.128.15.223' (ECDSA) to the list of known hosts.
executing program
executing program

syzkaller login: [ 44.610476] ==================================================================
[ 44.617944] BUG: KASAN: use-after-free in __internal_add_timer+0x275/0x2d0
[ 44.624935] Write of size 8 at addr ffff8801ce713688 by task syzkaller294208/2981
[ 44.632525]
[ 44.634129] CPU: 1 PID: 2981 Comm: syzkaller294208 Not tainted 4.13.0-mm1+ #7
[ 44.641373] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.650699] Call Trace:
[ 44.653263]  dump_stack+0x194/0x257
[ 44.656867]  ? arch_local_irq_restore+0x53/0x53
[ 44.661510]  ? show_regs_print_info+0x65/0x65
[ 44.665983]  ? __kernel_text_address+0xae/0xe0
[ 44.670536]  ? __internal_add_timer+0x275/0x2d0
[ 44.675181]  print_address_description+0x73/0x250
[ 44.679996]  ? __internal_add_timer+0x275/0x2d0
[ 44.684645]  kasan_report+0x24e/0x340
[ 44.688422]  __asan_report_store8_noabort+0x17/0x20
[ 44.693411]  __internal_add_timer+0x275/0x2d0
[ 44.697883]  ? calc_wheel_index+0x200/0x200
[ 44.702190]  mod_timer+0x622/0x15b0
[ 44.705800]  ? mod_timer_pending+0x14e0/0x14e0
[ 44.710354]  ? __lock_is_held+0xbc/0x140
[ 44.714402]  ? __lock_is_held+0xbc/0x140
[ 44.718437]  ? __lockdep_init_map+0xe4/0x650
[ 44.722819]  ? lockdep_init_map+0x3d/0x70
[ 44.726940]  ? rcu_read_lock_sched_held+0x108/0x120
[ 44.731927]  ? init_timer_key+0x126/0x3b0
[ 44.736050]  ? try_to_del_timer_sync+0x120/0x120
[ 44.740780]  ? round_jiffies_up+0xce/0x100
[ 44.744989]  ? __round_jiffies_up_relative+0x150/0x150
[ 44.750235]  ? debug_lockdep_rcu_enabled+0x77/0x90
[ 44.755138]  ? selinux_tun_dev_alloc_security+0x124/0x170
[ 44.760656]  __tun_chr_ioctl+0x1b23/0x3d20
[ 44.764871]  ? tun_chr_read_iter+0x1e0/0x1e0
[ 44.769264]  ? lock_downgrade+0x990/0x990
[ 44.773410]  ? check_same_owner+0x320/0x320
[ 44.777705]  ? __handle_mm_fault+0x39c0/0x39c0
[ 44.782260]  ? vmacache_find+0x61/0x270
[ 44.786207]  ? tun_chr_compat_ioctl+0x30/0x30
[ 44.790674]  tun_chr_ioctl+0x2a/0x40
[ 44.794359]  ? tun_chr_ioctl+0x2a/0x40
[ 44.798220]  do_vfs_ioctl+0x1b1/0x1530
[ 44.802086]  ? ioctl_preallocate+0x2b0/0x2b0
[ 44.806470]  ? selinux_capable+0x40/0x40
[ 44.810504]  ? putname+0xf3/0x130
[ 44.813933]  ? do_sys_open+0x320/0x6d0
[ 44.817803]  ? security_file_ioctl+0x7d/0xb0
[ 44.822180]  ? security_file_ioctl+0x89/0xb0
[ 44.826570]  SyS_ioctl+0x8f/0xc0
[ 44.829943]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 44.834673] RIP: 0033:0x443d69
[ 44.837837] RSP: 002b:00007fff8ef268e8 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
[ 44.845522] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000443d69
[ 44.852764] RDX: 0000000020001000 RSI: 00000000400454ca RDI: 0000000000000004
[ 44.860009] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[ 44.867248] R10: 0000000000000000 R11: 0000000000000202 R12: bc19fa32c7263647
[ 44.874493] R13: 74656e2f7665642f R14: 0000000000000000 R15: 0000000000000000
[ 44.881752]
[ 44.883350] Allocated by task 2981:
[ 44.886954]  save_stack_trace+0x16/0x20
[ 44.890897]  save_stack+0x43/0xd0
[ 44.894320]  kasan_kmalloc+0xad/0xe0
[ 44.898004]  __kmalloc_node+0x47/0x70
[ 44.901774]  kvmalloc_node+0x64/0xd0
[ 44.905460]  alloc_netdev_mqs+0x16e/0xed0
[ 44.909581]  __tun_chr_ioctl+0x12be/0x3d20
[ 44.913784]  tun_chr_ioctl+0x2a/0x40
[ 44.917469]  do_vfs_ioctl+0x1b1/0x1530
[ 44.921327]  SyS_ioctl+0x8f/0xc0
[ 44.924664]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 44.929388]
[ 44.930985] Freed by task 2981:
[ 44.934233]  save_stack_trace+0x16/0x20
[ 44.938176]  save_stack+0x43/0xd0
[ 44.941598]  kasan_slab_free+0x71/0xc0
[ 44.945455]  kfree+0xca/0x250
[ 44.948531]  kvfree+0x36/0x60
[ 44.951609]  free_netdev+0x2cf/0x360
[ 44.955293]  __tun_chr_ioctl+0x2cf6/0x3d20
[ 44.959496]  tun_chr_ioctl+0x2a/0x40
[ 44.963180]  do_vfs_ioctl+0x1b1/0x1530
[ 44.967052]  SyS_ioctl+0x8f/0xc0
[ 44.970407]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 44.975132]
[ 44.976734] The buggy address belongs to the object at ffff8801ce710280
[ 44.976734]  which belongs to the cache kmalloc-16384 of size 16384
[ 44.989707] The buggy address is located 13320 bytes inside of
[ 44.989707]  16384-byte region [ffff8801ce710280, ffff8801ce714280)
[ 45.001896] The buggy address belongs to the page:
[ 45.006796] page:ffffea000739c400 count:1 mapcount:0 mapping:ffff8801ce710280 index:0x0 compound_mapcount: 0
[ 45.016742] flags: 0x200000000008100(slab|head)
[ 45.021385] raw: 0200000000008100 ffff8801ce710280 0000000000000000 0000000100000001
[ 45.029238] raw: ffffea0007586620 ffffea0007399a20 ffff8801dac02200 0000000000000000
[ 45.037097] page dumped because: kasan: bad access detected
[ 45.042775]
[ 45.044371] Memory state around the buggy address:
[ 45.049269]  ffff8801ce713580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.056600]  ffff8801ce713600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.063929] >ffff8801ce713680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.071257]                       ^
[ 45.074850]  ffff8801ce713700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.082179]  ffff8801ce713780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.089506] ==================================================================
[ 45.096833] Disabling lock debugging due to kernel taint
[ 45.102246] Kernel panic - not syncing: panic_on_warn set ...
[ 45.102246]
[ 45.109576] CPU: 1 PID: 2981 Comm: syzkaller294208 Tainted: G B 4.13.0-mm1+ #7
[ 45.118041] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.127360] Call Trace:
[ 45.129918]  dump_stack+0x194/0x257
[ 45.133514]  ? arch_local_irq_restore+0x53/0x53
[ 45.138149]  ? vprintk_default+0x28/0x30
[ 45.142179]  ? __internal_add_timer+0x200/0x2d0
[ 45.146817]  panic+0x1e4/0x417
[ 45.149977]  ? __warn+0x1d9/0x1d9
[ 45.153403]  ? __internal_add_timer+0x275/0x2d0
[ 45.158039]  kasan_end_report+0x50/0x50
[ 45.161977]  kasan_report+0x137/0x340
[ 45.165746]  __asan_report_store8_noabort+0x17/0x20
[ 45.170726]  __internal_add_timer+0x275/0x2d0
[ 45.175186]  ? calc_wheel_index+0x200/0x200
[ 45.179482]  mod_timer+0x622/0x15b0
[ 45.183079]  ? mod_timer_pending+0x14e0/0x14e0
[ 45.187628]  ? __lock_is_held+0xbc/0x140
[ 45.191663]  ? __lock_is_held+0xbc/0x140
[ 45.195692]  ? __lockdep_init_map+0xe4/0x650
[ 45.200074]  ? lockdep_init_map+0x3d/0x70
[ 45.204192]  ? rcu_read_lock_sched_held+0x108/0x120
[ 45.209174]  ? init_timer_key+0x126/0x3b0
[ 45.213289]  ? try_to_del_timer_sync+0x120/0x120
[ 45.218015]  ? round_jiffies_up+0xce/0x100
[ 45.222217]  ? __round_jiffies_up_relative+0x150/0x150
[ 45.227457]  ? debug_lockdep_rcu_enabled+0x77/0x90
[ 45.232351]  ? selinux_tun_dev_alloc_security+0x124/0x170
[ 45.237859]  __tun_chr_ioctl+0x1b23/0x3d20
[ 45.242082]  ? tun_chr_read_iter+0x1e0/0x1e0
[ 45.246463]  ? lock_downgrade+0x990/0x990
[ 45.250590]  ? check_same_owner+0x320/0x320
[ 45.254877]  ? __handle_mm_fault+0x39c0/0x39c0
[ 45.259422]  ? vmacache_find+0x61/0x270
[ 45.263363]  ? tun_chr_compat_ioctl+0x30/0x30
[ 45.267824]  tun_chr_ioctl+0x2a/0x40
[ 45.271502]  ? tun_chr_ioctl+0x2a/0x40
[ 45.275358]  do_vfs_ioctl+0x1b1/0x1530
[ 45.279214]  ? ioctl_preallocate+0x2b0/0x2b0
[ 45.283588]  ? selinux_capable+0x40/0x40
[ 45.287618]  ? putname+0xf3/0x130
[ 45.291037]  ? do_sys_open+0x320/0x6d0
[ 45.294894]  ? security_file_ioctl+0x7d/0xb0
[ 45.299267]  ? security_file_ioctl+0x89/0xb0
[ 45.303642]  SyS_ioctl+0x8f/0xc0
[ 45.306978]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 45.311699] RIP: 0033:0x443d69
[ 45.314854] RSP: 002b:00007fff8ef268e8 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
[ 45.322526] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000443d69
[ 45.329763] RDX: 0000000020001000 RSI: 00000000400454ca RDI: 0000000000000004
[ 45.336999] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[ 45.344235] R10: 0000000000000000 R11: 0000000000000202 R12: bc19fa32c7263647
[ 45.351475] R13: 74656e2f7665642f R14: 0000000000000000 R15: 0000000000000000
[ 45.358760] Dumping ftrace buffer:
[ 45.362268]    (ftrace buffer empty)
[ 45.365947] Kernel Offset: disabled
[ 45.369542] Rebooting in 86400 seconds..