INIT: Entering runlevel: 2

[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-mmots-kasan-gce-6,10.128.0.45' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
executing program
syzkaller login: [   34.263515] ==================================================================
[   34.270965] BUG: KASAN: use-after-free in detach_if_pending+0x557/0x610
[   34.277693] Write of size 8 at addr ffff8801ce37b780 by task syzkaller465631/2988
[   34.285283] 
[   34.286885] CPU: 0 PID: 2988 Comm: syzkaller465631 Not tainted 4.13.0-mm1+ #7
[   34.294142] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.303465] Call Trace:
[   34.306027]  dump_stack+0x194/0x257
[   34.309638]  ? arch_local_irq_restore+0x53/0x53
[   34.314279]  ? show_regs_print_info+0x65/0x65
[   34.318756]  ? lock_timer_base+0x1a3/0x2b0
[   34.322963]  ? detach_if_pending+0x557/0x610
[   34.327344]  print_address_description+0x73/0x250
[   34.332159]  ? detach_if_pending+0x557/0x610
[   34.336537]  kasan_report+0x24e/0x340
[   34.340311]  __asan_report_store8_noabort+0x17/0x20
[   34.345295]  detach_if_pending+0x557/0x610
[   34.349502]  ? trace_raw_output_tick_stop+0x130/0x130
[   34.354663]  ? _raw_spin_lock_irqsave+0x9e/0xc0
[   34.359298]  ? lock_timer_base+0x1a3/0x2b0
[   34.363505]  ? lock_timer_base+0x1eb/0x2b0
[   34.367714]  ? __internal_add_timer+0x2d0/0x2d0
[   34.372354]  ? trace_hardirqs_on+0xd/0x10
[   34.376481]  try_to_del_timer_sync+0xa2/0x120
[   34.380958]  ? del_timer+0x130/0x130
[   34.384653]  ? del_timer_sync+0xeb/0x240
[   34.388690]  del_timer_sync+0x18a/0x240
[   34.392637]  tun_free_netdev+0x105/0x1b0
[   34.396667]  ? tun_xdp+0x410/0x410
[   34.400175]  ? cpumask_next+0x24/0x30
[   34.403949]  ? netdev_refcnt_read+0xed/0x150
[   34.408331]  ? tun_xdp+0x410/0x410
[   34.411841]  netdev_run_todo+0x870/0xca0
[   34.415874]  ? do_group_exit+0x149/0x400
[   34.419910]  ? register_netdev+0x30/0x30
[   34.423946]  ? lock_downgrade+0x990/0x990
[   34.428066]  ? trace_hardirqs_on+0xd/0x10
[   34.432201]  ? refcount_sub_and_test+0x115/0x1b0
[   34.436926]  ? refcount_inc+0x50/0x50
[   34.440694]  ? refcount_inc+0x50/0x50
[   34.444471]  ? sk_destruct+0x4c/0x80
[   34.448154]  ? __sk_free+0x5c/0x230
[   34.451753]  ? sk_free+0x2f/0x40
[   34.455090]  ? __tun_detach+0x176/0x1390
[   34.459131]  ? tun_attach+0xf90/0xf90
[   34.462912]  ? locks_remove_file+0x3fa/0x5a0
[   34.467292]  ? fcntl_setlk+0x10d0/0x10d0
[   34.471326]  ? __fsnotify_parent+0xb4/0x3a0
[   34.475622]  ? fsnotify+0x1af0/0x1af0
[   34.479395]  ? __tun_detach+0x1390/0x1390
[   34.483513]  ? __tun_detach+0x1390/0x1390
[   34.487631]  rtnl_unlock+0xe/0x10
[   34.491055]  tun_chr_close+0x49/0x60
[   34.494741]  __fput+0x333/0x7f0
[   34.497998]  ? fput+0x140/0x140
[   34.501251]  ? check_same_owner+0x320/0x320
[   34.505549]  ____fput+0x15/0x20
[   34.508801]  task_work_run+0x199/0x270
[   34.512662]  ? task_work_cancel+0x210/0x210
[   34.516955]  ? free_nsproxy+0x185/0x1f0
[   34.520902]  ? switch_task_namespaces+0xa2/0xc0
[   34.525545]  do_exit+0xa52/0x1b40
[   34.528970]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   34.533959]  ? check_noncircular+0x20/0x20
[   34.538173]  ? mm_update_next_owner+0x930/0x930
[   34.542816]  ? __pmd_alloc+0x4e0/0x4e0
[   34.546695]  ? find_held_lock+0x39/0x1d0
[   34.550739]  ? lock_downgrade+0x990/0x990
[   34.554881]  ? handle_mm_fault+0x410/0x8d0
[   34.559086]  ? down_read_trylock+0xdb/0x170
[   34.563379]  ? __handle_mm_fault+0x39c0/0x39c0
[   34.567931]  ? vmacache_find+0x61/0x270
[   34.571877]  ? vmacache_update+0xfe/0x130
[   34.576013]  ? up_read+0x1a/0x40
[   34.579360]  ? __do_page_fault+0x35b/0xb60
[   34.583572]  ? do_vfs_ioctl+0x492/0x1530
[   34.587613]  ? do_page_fault+0xee/0x720
[   34.591559]  ? __do_page_fault+0xb60/0xb60
[   34.595768]  ? putname+0xf3/0x130
[   34.599198]  do_group_exit+0x149/0x400
[   34.603056]  ? lockdep_sys_exit+0x47/0xf0
[   34.607173]  ? SyS_exit+0x30/0x30
[   34.610597]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   34.615592]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   34.620322]  SyS_exit_group+0x1d/0x20
[   34.624115]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   34.628847] RIP: 0033:0x445109
[   34.632007] RSP: 002b:00000000007efe48 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7
[   34.639687] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445109
[   34.646928] RDX: 0000000000445109 RSI: 0000000020d8bfd8 RDI: 0000000000000001
[   34.654167] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[   34.661409] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000402760
[   34.668651] R13: 00000000004027f0 R14: 0000000000000000 R15: 0000000000000000
[   34.675910] 
[   34.677510] Allocated by task 2988:
[   34.681110]  save_stack_trace+0x16/0x20
[   34.685053]  save_stack+0x43/0xd0
[   34.688477]  kasan_kmalloc+0xad/0xe0
[   34.692162]  __kmalloc_node+0x47/0x70
[   34.695933]  kvmalloc_node+0x64/0xd0
[   34.699616]  alloc_netdev_mqs+0x16e/0xed0
[   34.703733]  __tun_chr_ioctl+0x12be/0x3d20
[   34.707938]  tun_chr_ioctl+0x2a/0x40
[   34.711622]  do_vfs_ioctl+0x1b1/0x1530
[   34.715482]  SyS_ioctl+0x8f/0xc0
[   34.718818]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   34.723542] 
[   34.725141] Freed by task 2988:
[   34.728389]  save_stack_trace+0x16/0x20
[   34.732331]  save_stack+0x43/0xd0
[   34.735752]  kasan_slab_free+0x71/0xc0
[   34.739607]  kfree+0xca/0x250
[   34.742682]  kvfree+0x36/0x60
[   34.745756]  free_netdev+0x2cf/0x360
[   34.749438]  __tun_chr_ioctl+0x2cf6/0x3d20
[   34.753640]  tun_chr_ioctl+0x2a/0x40
[   34.757320]  do_vfs_ioctl+0x1b1/0x1530
[   34.761176]  SyS_ioctl+0x8f/0xc0
[   34.764511]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   34.769232] 
[   34.770833] The buggy address belongs to the object at ffff8801ce378380
[   34.770833]  which belongs to the cache kmalloc-16384 of size 16384
[   34.783806] The buggy address is located 13312 bytes inside of
[   34.783806]  16384-byte region [ffff8801ce378380, ffff8801ce37c380)
[   34.795997] The buggy address belongs to the page:
[   34.800896] page:ffffea000738de00 count:1 mapcount:0 mapping:ffff8801ce378380 index:0x0 compound_mapcount: 0
[   34.810840] flags: 0x200000000008100(slab|head)
[   34.815490] raw: 0200000000008100 ffff8801ce378380 0000000000000000 0000000100000001
[   34.823340] raw: ffffea0007398820 ffff8801dac01c50 ffff8801dac02200 0000000000000000
[   34.831199] page dumped because: kasan: bad access detected
[   34.836883] 
[   34.838480] Memory state around the buggy address:
[   34.843378]  ffff8801ce37b680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.850706]  ffff8801ce37b700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.858051] >ffff8801ce37b780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.865377]                    ^
[   34.868714]  ffff8801ce37b800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.876043]  ffff8801ce37b880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.883370] ==================================================================
[   34.890696] Disabling lock debugging due to kernel taint
[   34.896111] Kernel panic - not syncing: panic_on_warn set ...
[   34.896111] 
[   34.903448] CPU: 0 PID: 2988 Comm: syzkaller465631 Tainted: G    B           4.13.0-mm1+ #7
[   34.911912] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.921243] Call Trace:
[   34.923800]  dump_stack+0x194/0x257
[   34.927404]  ? arch_local_irq_restore+0x53/0x53
[   34.932047]  ? vprintk_default+0x28/0x30
[   34.936080]  ? detach_if_pending+0x550/0x610
[   34.940458]  panic+0x1e4/0x417
[   34.943618]  ? __warn+0x1d9/0x1d9
[   34.947045]  ? detach_if_pending+0x557/0x610
[   34.951420]  kasan_end_report+0x50/0x50
[   34.955361]  kasan_report+0x137/0x340
[   34.959135]  __asan_report_store8_noabort+0x17/0x20
[   34.964121]  detach_if_pending+0x557/0x610
[   34.968327]  ? trace_raw_output_tick_stop+0x130/0x130
[   34.973485]  ? _raw_spin_lock_irqsave+0x9e/0xc0
[   34.978118]  ? lock_timer_base+0x1a3/0x2b0
[   34.982316]  ? lock_timer_base+0x1eb/0x2b0
[   34.986519]  ? __internal_add_timer+0x2d0/0x2d0
[   34.991160]  ? trace_hardirqs_on+0xd/0x10
[   34.995279]  try_to_del_timer_sync+0xa2/0x120
[   34.999757]  ? del_timer+0x130/0x130
[   35.003440]  ? del_timer_sync+0xeb/0x240
[   35.007475]  del_timer_sync+0x18a/0x240
[   35.011419]  tun_free_netdev+0x105/0x1b0
[   35.015457]  ? tun_xdp+0x410/0x410
[   35.018968]  ? cpumask_next+0x24/0x30
[   35.022737]  ? netdev_refcnt_read+0xed/0x150
[   35.027118]  ? tun_xdp+0x410/0x410
[   35.030625]  netdev_run_todo+0x870/0xca0
[   35.034655]  ? do_group_exit+0x149/0x400
[   35.038685]  ? register_netdev+0x30/0x30
[   35.042713]  ? lock_downgrade+0x990/0x990
[   35.046827]  ? trace_hardirqs_on+0xd/0x10
[   35.050949]  ? refcount_sub_and_test+0x115/0x1b0
[   35.055671]  ? refcount_inc+0x50/0x50
[   35.059435]  ? refcount_inc+0x50/0x50
[   35.063203]  ? sk_destruct+0x4c/0x80
[   35.066892]  ? __sk_free+0x5c/0x230
[   35.070483]  ? sk_free+0x2f/0x40
[   35.073815]  ? __tun_detach+0x176/0x1390
[   35.077847]  ? tun_attach+0xf90/0xf90
[   35.081617]  ? locks_remove_file+0x3fa/0x5a0
[   35.085992]  ? fcntl_setlk+0x10d0/0x10d0
[   35.090022]  ? __fsnotify_parent+0xb4/0x3a0
[   35.094319]  ? fsnotify+0x1af0/0x1af0
[   35.098085]  ? __tun_detach+0x1390/0x1390
[   35.102199]  ? __tun_detach+0x1390/0x1390
[   35.106313]  rtnl_unlock+0xe/0x10
[   35.109728]  tun_chr_close+0x49/0x60
[   35.113408]  __fput+0x333/0x7f0
[   35.116658]  ? fput+0x140/0x140
[   35.119903]  ? check_same_owner+0x320/0x320
[   35.124191]  ____fput+0x15/0x20
[   35.127437]  task_work_run+0x199/0x270
[   35.131292]  ? task_work_cancel+0x210/0x210
[   35.135579]  ? free_nsproxy+0x185/0x1f0
[   35.139518]  ? switch_task_namespaces+0xa2/0xc0
[   35.144155]  do_exit+0xa52/0x1b40
[   35.147573]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   35.152556]  ? check_noncircular+0x20/0x20
[   35.156761]  ? mm_update_next_owner+0x930/0x930
[   35.161395]  ? __pmd_alloc+0x4e0/0x4e0
[   35.165253]  ? find_held_lock+0x39/0x1d0
[   35.169283]  ? lock_downgrade+0x990/0x990
[   35.173417]  ? handle_mm_fault+0x410/0x8d0
[   35.177626]  ? down_read_trylock+0xdb/0x170
[   35.181913]  ? __handle_mm_fault+0x39c0/0x39c0
[   35.186471]  ? vmacache_find+0x61/0x270
[   35.190410]  ? vmacache_update+0xfe/0x130
[   35.194527]  ? up_read+0x1a/0x40
[   35.197868]  ? __do_page_fault+0x35b/0xb60
[   35.202067]  ? do_vfs_ioctl+0x492/0x1530
[   35.206096]  ? do_page_fault+0xee/0x720
[   35.210035]  ? __do_page_fault+0xb60/0xb60
[   35.214234]  ? putname+0xf3/0x130
[   35.217656]  do_group_exit+0x149/0x400
[   35.221509]  ? lockdep_sys_exit+0x47/0xf0
[   35.225620]  ? SyS_exit+0x30/0x30
[   35.229041]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   35.234024]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   35.238744]  SyS_exit_group+0x1d/0x20
[   35.242511]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   35.247229] RIP: 0033:0x445109
[   35.250382] RSP: 002b:00000000007efe48 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7
[   35.258053] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445109