Debian GNU/Linux 7 syzkaller ttyS0 executing program executing program syzkaller login: [ 19.818426] ================================================================== [ 19.819129] BUG: KASAN: use-after-free in __internal_add_timer+0x275/0x2d0 [ 19.819712] Write of size 8 at addr ffff88003e31b648 by task syzkaller359245/2980 [ 19.820595] [ 19.820781] CPU: 0 PID: 2980 Comm: syzkaller359245 Not tainted 4.13.0-next-20170908+ #18 [ 19.821634] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 [ 19.822485] Call Trace: [ 19.822763] dump_stack+0x194/0x257 [ 19.823159] ? arch_local_irq_restore+0x53/0x53 [ 19.823661] ? show_regs_print_info+0x65/0x65 [ 19.824159] ? __kernel_text_address+0xae/0xe0 [ 19.824640] ? __internal_add_timer+0x275/0x2d0 [ 19.825342] print_address_description+0x73/0x250 [ 19.825857] ? __internal_add_timer+0x275/0x2d0 [ 19.826378] kasan_report+0x24e/0x340 [ 19.826802] __asan_report_store8_noabort+0x17/0x20 [ 19.827342] __internal_add_timer+0x275/0x2d0 [ 19.827880] ? calc_wheel_index+0x200/0x200 [ 19.828417] mod_timer+0x622/0x15b0 [ 19.828809] ? mod_timer_pending+0x14e0/0x14e0 [ 19.829314] ? __lock_is_held+0xbc/0x140 [ 19.829758] ? __lock_is_held+0xbc/0x140 [ 19.830172] ? __lockdep_init_map+0xe4/0x650 [ 19.830587] ? lockdep_init_map+0x3d/0x70 [ 19.830869] ? rcu_read_lock_sched_held+0x108/0x120 [ 19.831210] ? init_timer_key+0x126/0x3b0 [ 19.831523] ? try_to_del_timer_sync+0x120/0x120 [ 19.831853] ? round_jiffies_up+0xce/0x100 [ 19.832146] ? __round_jiffies_up_relative+0x150/0x150 [ 19.832528] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 19.832869] ? selinux_tun_dev_alloc_security+0x124/0x170 [ 19.833254] __tun_chr_ioctl+0x1b23/0x3d20 [ 19.833568] ? tun_chr_read_iter+0x1e0/0x1e0 [ 19.833880] ? lock_downgrade+0x990/0x990 [ 19.834189] ? check_same_owner+0x320/0x320 [ 19.834503] ? __handle_mm_fault+0x39c0/0x39c0 [ 19.834818] ? vmacache_find+0x61/0x270 [ 19.835097] ? tun_chr_compat_ioctl+0x30/0x30 [ 19.835417] tun_chr_ioctl+0x2a/0x40 [ 19.835696] ? tun_chr_ioctl+0x2a/0x40 [ 19.835968] do_vfs_ioctl+0x1b1/0x1530 [ 19.836244] ? ioctl_preallocate+0x2b0/0x2b0 [ 19.836607] ? selinux_capable+0x40/0x40 [ 19.836893] ? putname+0xf3/0x130 [ 19.837238] ? do_sys_open+0x320/0x6d0 [ 19.837661] ? security_file_ioctl+0x7d/0xb0 [ 19.838132] ? security_file_ioctl+0x89/0xb0 [ 19.838584] SyS_ioctl+0x8f/0xc0 [ 19.838972] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 19.839471] RIP: 0033:0x439039 [ 19.839813] RSP: 002b:00007ffe15f88fa8 EFLAGS: 00000206 ORIG_RAX: 0000000000000010 [ 19.840626] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000439039 [ 19.841377] RDX: 0000000020115000 RSI: 00000000400454ca RDI: 0000000000000004 [ 19.841959] RBP: 0000000000000082 R08: 00000000000000fd R09: 0000000000000000 [ 19.842479] R10: 0000000000000000 R11: 0000000000000206 R12: 80dad83d153a7117 [ 19.843156] R13: 74656e2f7665642f R14: 0000000000401d20 R15: 0000000000000000 [ 19.843851] [ 19.843973] Allocated by task 2980: [ 19.844238] save_stack_trace+0x16/0x20 [ 19.844536] save_stack+0x43/0xd0 [ 19.844773] kasan_kmalloc+0xad/0xe0 [ 19.845034] __kmalloc_node+0x47/0x70 [ 19.845302] kvmalloc_node+0x64/0xd0 [ 19.845576] alloc_netdev_mqs+0x16e/0xed0 [ 19.845861] __tun_chr_ioctl+0x12be/0x3d20 [ 19.846586] tun_chr_ioctl+0x2a/0x40 [ 19.846846] do_vfs_ioctl+0x1b1/0x1530 [ 19.847117] SyS_ioctl+0x8f/0xc0 [ 19.847350] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 19.847850] [ 19.848002] Freed by task 2980: [ 19.848327] save_stack_trace+0x16/0x20 [ 19.848716] save_stack+0x43/0xd0 [ 19.849028] kasan_slab_free+0x71/0xc0 [ 19.849393] kfree+0xca/0x250 [ 19.849664] kvfree+0x36/0x60 [ 19.849948] free_netdev+0x2cf/0x360 [ 19.850360] __tun_chr_ioctl+0x2cf6/0x3d20 [ 19.850812] tun_chr_ioctl+0x2a/0x40 [ 19.851198] do_vfs_ioctl+0x1b1/0x1530 [ 19.851622] SyS_ioctl+0x8f/0xc0 [ 19.851983] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 19.852684] [ 19.852864] The buggy address belongs to the object at ffff88003e318240 [ 19.852864] which belongs to the cache kmalloc-16384 of size 16384 [ 19.854045] The buggy address is located 13320 bytes inside of [ 19.854045] 16384-byte region [ffff88003e318240, ffff88003e31c240) [ 19.855325] The buggy address belongs to the page: [ 19.855888] page:ffffea0000f8c600 count:1 mapcount:0 mapping:ffff88003e318240 index:0x0 compound_mapcount: 0 [ 19.856987] flags: 0x100000000008100(slab|head) [ 19.857506] raw: 0100000000008100 ffff88003e318240 0000000000000000 0000000100000001 [ 19.858326] raw: ffffea0000eac820 ffffea0000f7a420 ffff88003e802200 0000000000000000 [ 19.859087] page dumped because: kasan: bad access detected [ 19.859492] [ 19.859605] Memory state around the buggy address: [ 19.859944] ffff88003e31b500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.860472] ffff88003e31b580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.860982] >ffff88003e31b600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.861504] ^ [ 19.861859] ffff88003e31b680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.862290] ffff88003e31b700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.862729] ================================================================== [ 19.863155] Disabling lock debugging due to kernel taint [ 19.863484] Kernel panic - not syncing: panic_on_warn set ... [ 19.863484] [ 19.864053] CPU: 0 PID: 2980 Comm: syzkaller359245 Tainted: G B 4.13.0-next-20170908+ #18 [ 19.864950] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 [ 19.865626] Call Trace: [ 19.865809] dump_stack+0x194/0x257 [ 19.866056] ? arch_local_irq_restore+0x53/0x53 [ 19.866358] ? vprintk_default+0x28/0x30 [ 19.866648] ? __internal_add_timer+0x270/0x2d0 [ 19.866968] panic+0x1e4/0x417 [ 19.867811] ? __warn+0x1d9/0x1d9 [ 19.868068] ? __internal_add_timer+0x275/0x2d0 [ 19.868392] kasan_end_report+0x50/0x50 [ 19.868724] kasan_report+0x137/0x340 [ 19.868988] __asan_report_store8_noabort+0x17/0x20 [ 19.869359] __internal_add_timer+0x275/0x2d0 [ 19.869686] ? calc_wheel_index+0x200/0x200 [ 19.870006] mod_timer+0x622/0x15b0 [ 19.870332] ? mod_timer_pending+0x14e0/0x14e0 [ 19.870736] ? __lock_is_held+0xbc/0x140 [ 19.871021] ? __lock_is_held+0xbc/0x140 [ 19.871301] ? __lockdep_init_map+0xe4/0x650 [ 19.871665] ? lockdep_init_map+0x3d/0x70 [ 19.872032] ? rcu_read_lock_sched_held+0x108/0x120 [ 19.872471] ? init_timer_key+0x126/0x3b0 [ 19.872772] ? try_to_del_timer_sync+0x120/0x120 [ 19.873202] ? round_jiffies_up+0xce/0x100 [ 19.873507] ? __round_jiffies_up_relative+0x150/0x150 [ 19.873867] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 19.874314] ? selinux_tun_dev_alloc_security+0x124/0x170 [ 19.874861] __tun_chr_ioctl+0x1b23/0x3d20 [ 19.875235] ? tun_chr_read_iter+0x1e0/0x1e0 [ 19.875542] ? lock_downgrade+0x990/0x990 [ 19.875837] ? check_same_owner+0x320/0x320 [ 19.876138] ? __handle_mm_fault+0x39c0/0x39c0 [ 19.876451] ? vmacache_find+0x61/0x270 [ 19.876724] ? tun_chr_compat_ioctl+0x30/0x30 [ 19.877030] tun_chr_ioctl+0x2a/0x40 [ 19.877285] ? tun_chr_ioctl+0x2a/0x40 [ 19.877555] do_vfs_ioctl+0x1b1/0x1530 [ 19.877824] ? ioctl_preallocate+0x2b0/0x2b0 [ 19.878200] ? selinux_capable+0x40/0x40 [ 19.878564] ? putname+0xf3/0x130 [ 19.878874] ? do_sys_open+0x320/0x6d0 [ 19.879226] ? security_file_ioctl+0x7d/0xb0 [ 19.879618] ? security_file_ioctl+0x89/0xb0 [ 19.880038] SyS_ioctl+0x8f/0xc0 [ 19.880342] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 19.880763] RIP: 0033:0x439039 [ 19.881046] RSP: 002b:00007ffe15f88fa8 EFLAGS: 00000206 ORIG_RAX: 0000000000000010 [ 19.881730] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000439039 [ 19.882374] RDX: 0000000020115000 RSI: 00000000400454ca RDI: 0000000000000004 [ 19.883013] RBP: 0000000000000082 R08: 00000000000000fd R09: 0000000000000000 [ 19.883703] R10: 0000000000000000 R11: 0000000000000206 R12: 80dad83d153a7117 [ 19.884394] R13: 74656e2f7665642f R14: 0000000000401d20 R15: 0000000000000000