executing program
executing program
syzkaller login:
[ 27.310423] ==================================================================
[ 27.311873] BUG: KASAN: use-after-free in __internal_add_timer+0x275/0x2d0
[ 27.313339] Write of size 8 at addr ffff88006c49b688 by task syzkaller874715/2996
[ 27.314673]
[ 27.314955] CPU: 3 PID: 2996 Comm: syzkaller874715 Not tainted 4.13.0-rc7-next-20170901+ #13
[ 27.316282] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 27.317608] Call Trace:
[ 27.318014]  dump_stack+0x194/0x257
[ 27.318647]  ? arch_local_irq_restore+0x53/0x53
[ 27.319424]  ? show_regs_print_info+0x65/0x65
[ 27.320199]  ? __kernel_text_address+0xae/0xe0
[ 27.320960]  ? __internal_add_timer+0x275/0x2d0
[ 27.321741]  print_address_description+0x73/0x250
[ 27.322533]  ? __internal_add_timer+0x275/0x2d0
[ 27.323094]  kasan_report+0x24e/0x340
[ 27.323700]  __asan_report_store8_noabort+0x17/0x20
[ 27.324935]  __internal_add_timer+0x275/0x2d0
[ 27.325743]  ? calc_wheel_index+0x200/0x200
[ 27.326417]  mod_timer+0x622/0x15b0
[ 27.326963]  ? mod_timer_pending+0x14e0/0x14e0
[ 27.327720]  ? __lock_is_held+0xbc/0x140
[ 27.328390]  ? __lock_is_held+0xbc/0x140
[ 27.329029]  ? __lockdep_init_map+0xe4/0x650
[ 27.329722]  ? lockdep_init_map+0x3d/0x70
[ 27.330375]  ? rcu_read_lock_sched_held+0x108/0x120
[ 27.331213]  ? init_timer_key+0x126/0x3b0
[ 27.331889]  ? try_to_del_timer_sync+0x120/0x120
[ 27.332670]  ? round_jiffies_up+0xce/0x100
[ 27.333532]  ? __round_jiffies_up_relative+0x150/0x150
[ 27.334606]  ? debug_lockdep_rcu_enabled+0x77/0x90
[ 27.335183]  ? selinux_tun_dev_alloc_security+0x124/0x170
[ 27.335749]  __tun_chr_ioctl+0x1b23/0x3d20
[ 27.336157]  ? tun_chr_read_iter+0x1e0/0x1e0
[ 27.336620]  ? lock_downgrade+0x990/0x990
[ 27.337095]  ? check_same_owner+0x320/0x320
[ 27.337548]  ? __handle_mm_fault+0x39c0/0x39c0
[ 27.338025]  ? vmacache_find+0x61/0x270
[ 27.338458]  ? tun_chr_compat_ioctl+0x30/0x30
[ 27.338929]  tun_chr_ioctl+0x2a/0x40
[ 27.339335]  ? tun_chr_ioctl+0x2a/0x40
[ 27.339747]  do_vfs_ioctl+0x1b1/0x1530
[ 27.340153]  ? _cond_resched+0x14/0x30
[ 27.340573]  ? ioctl_preallocate+0x2b0/0x2b0
[ 27.341039]  ? selinux_capable+0x40/0x40
[ 27.341469]  ? putname+0xf3/0x130
[ 27.341833]  ? do_sys_open+0x320/0x6d0
[ 27.342255]  ? security_file_ioctl+0x7d/0xb0
[ 27.342718]  ? security_file_ioctl+0x89/0xb0
[ 27.343189]  SyS_ioctl+0x8f/0xc0
[ 27.343559]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 27.344068] RIP: 0033:0x439059
[ 27.344315] RSP: 002b:00007fffc54d06e8 EFLAGS: 00000207 ORIG_RAX: 0000000000000010
[ 27.346758] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000439059
[ 27.347902] RDX: 0000000020074000 RSI: 00000000400454ca RDI: 0000000000000006
[ 27.349728] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[ 27.350924] R10: 00000000000000fd R11: 0000000000000207 R12: e756701d2c7e9737
[ 27.352334] R13: 74656e2f7665642f R14: 0000000000401d40 R15: 0000000000000000
[ 27.353566]
[ 27.353739] Allocated by task 2996:
[ 27.354147]  save_stack_trace+0x16/0x20
[ 27.354687]  save_stack+0x43/0xd0
[ 27.355345]  kasan_kmalloc+0xad/0xe0
[ 27.355975]  __kmalloc_node+0x47/0x70
[ 27.356585]  kvmalloc_node+0x64/0xd0
[ 27.357189]  alloc_netdev_mqs+0x16e/0xed0
[ 27.357870]  __tun_chr_ioctl+0x12be/0x3d20
[ 27.358539]  tun_chr_ioctl+0x2a/0x40
[ 27.359127]  do_vfs_ioctl+0x1b1/0x1530
[ 27.359748]  SyS_ioctl+0x8f/0xc0
[ 27.360264]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 27.361006]
[ 27.361259] Freed by task 2996:
[ 27.361781]  save_stack_trace+0x16/0x20
[ 27.362434]  save_stack+0x43/0xd0
[ 27.363099]  kasan_slab_free+0x71/0xc0
[ 27.363650]  kfree+0xca/0x250
[ 27.364207]  kvfree+0x36/0x60
[ 27.364561]  free_netdev+0x2cf/0x360
[ 27.365189]  __tun_chr_ioctl+0x2cf6/0x3d20
[ 27.366954]  tun_chr_ioctl+0x2a/0x40
[ 27.367661]  do_vfs_ioctl+0x1b1/0x1530
[ 27.368548]  SyS_ioctl+0x8f/0xc0
[ 27.369117]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 27.370037]
[ 27.370388] The buggy address belongs to the object at ffff88006c498280
[ 27.370388]  which belongs to the cache kmalloc-16384 of size 16384
[ 27.372455] The buggy address is located 13320 bytes inside of
[ 27.372455]  16384-byte region [ffff88006c498280, ffff88006c49c280)
[ 27.374367] The buggy address belongs to the page:
[ 27.375172] page:ffffea0001b12600 count:1 mapcount:0 mapping:ffff88006c498280 index:0x0 compound_mapcount: 0
[ 27.376804] flags: 0x500000000008100(slab|head)
[ 27.377581] raw: 0500000000008100 ffff88006c498280 0000000000000000 0000000100000001
[ 27.379225] raw: ffffea0001a83c20 ffffea0001a1e020 ffff88003e802200 0000000000000000
[ 27.382777] page dumped because: kasan: bad access detected
[ 27.383631]
[ 27.383897] Memory state around the buggy address:
[ 27.384720]  ffff88006c49b580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.385976]  ffff88006c49b600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.388447] >ffff88006c49b680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.389611]                       ^
[ 27.390166]  ffff88006c49b700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.391276]  ffff88006c49b780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.392300] ==================================================================
[ 27.393566] Disabling lock debugging due to kernel taint
[ 27.394289] Kernel panic - not syncing: panic_on_warn set ...
[ 27.394289]
[ 27.395280] CPU: 3 PID: 2996 Comm: syzkaller874715 Tainted: G B 4.13.0-rc7-next-20170901+ #13
[ 27.396996] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 27.398427] Call Trace:
[ 27.398825]  dump_stack+0x194/0x257
[ 27.399222]  ? arch_local_irq_restore+0x53/0x53
[ 27.399911]  ? vprintk_default+0x28/0x30
[ 27.400663]  ? __internal_add_timer+0x190/0x2d0
[ 27.401573]  panic+0x1e4/0x417
[ 27.402185]  ? __warn+0x1d9/0x1d9
[ 27.402594]  ? __internal_add_timer+0x275/0x2d0
[ 27.403293]  kasan_end_report+0x50/0x50
[ 27.403831]  kasan_report+0x137/0x340
[ 27.404361]  __asan_report_store8_noabort+0x17/0x20
[ 27.405116]  __internal_add_timer+0x275/0x2d0
[ 27.405858]  ? calc_wheel_index+0x200/0x200
[ 27.406645]  mod_timer+0x622/0x15b0
[ 27.407260]  ? mod_timer_pending+0x14e0/0x14e0
[ 27.407928]  ? __lock_is_held+0xbc/0x140
[ 27.409243]  ? __lock_is_held+0xbc/0x140
[ 27.410048]  ? __lockdep_init_map+0xe4/0x650
[ 27.410593]  ? lockdep_init_map+0x3d/0x70
[ 27.411044]  ? rcu_read_lock_sched_held+0x108/0x120
[ 27.411585]  ? init_timer_key+0x126/0x3b0
[ 27.412074]  ? try_to_del_timer_sync+0x120/0x120
[ 27.412800]  ? round_jiffies_up+0xce/0x100
[ 27.413399]  ? __round_jiffies_up_relative+0x150/0x150
[ 27.414133]  ? debug_lockdep_rcu_enabled+0x77/0x90
[ 27.414905]  ? selinux_tun_dev_alloc_security+0x124/0x170
[ 27.416033]  __tun_chr_ioctl+0x1b23/0x3d20
[ 27.416726]  ? tun_chr_read_iter+0x1e0/0x1e0
[ 27.417394]  ? lock_downgrade+0x990/0x990
[ 27.417844]  ? check_same_owner+0x320/0x320
[ 27.418294]  ? __handle_mm_fault+0x39c0/0x39c0
[ 27.418769]  ? vmacache_find+0x61/0x270
[ 27.419154]  ? tun_chr_compat_ioctl+0x30/0x30
[ 27.419768]  tun_chr_ioctl+0x2a/0x40
[ 27.420499]  ? tun_chr_ioctl+0x2a/0x40
[ 27.420990]  do_vfs_ioctl+0x1b1/0x1530
[ 27.421399]  ? _cond_resched+0x14/0x30
[ 27.421820]  ? ioctl_preallocate+0x2b0/0x2b0
[ 27.422248]  ? selinux_capable+0x40/0x40
[ 27.422687]  ? putname+0xf3/0x130
[ 27.423060]  ? do_sys_open+0x320/0x6d0
[ 27.423489]  ? security_file_ioctl+0x7d/0xb0
[ 27.424053]  ? security_file_ioctl+0x89/0xb0
[ 27.424537]  SyS_ioctl+0x8f/0xc0
[ 27.424904]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 27.425852] RIP: 0033:0x439059
[ 27.426474] RSP: 002b:00007fffc54d06e8 EFLAGS: 00000207 ORIG_RAX: 0000000000000010
[ 27.427554] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000439059
[ 27.428511] RDX: 0000000020074000 RSI: 00000000400454ca RDI: 0000000000000006
[ 27.430771] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[ 27.431774] R10: 00000000000000fd R11: 0000000000000207 R12: e756701d2c7e9737
[ 27.432506] R13: 74656e2f7665642f R14: 0000000000401d40 R15: 0000000000000000
[ 27.433251] Dumping ftrace buffer:
[ 27.433670]    (ftrace buffer empty)
[ 27.434004] Kernel Offset: disabled
[ 27.434345] Rebooting in 86400 seconds..