Debian GNU/Linux 7 syzkaller ttyS0

net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
executing program
syzkaller login: [   37.939386] ==================================================================
[   37.940360] BUG: KASAN: use-after-free in detach_if_pending+0x557/0x610
[   37.941049] Write of size 8 at addr ffff88006ae2b680 by task syzkaller048766/2979
[   37.941602] 
[   37.941738] CPU: 2 PID: 2979 Comm: syzkaller048766 Not tainted 4.13.0-next-20170905+ #15
[   37.942375] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[   37.943000] Call Trace:
[   37.943209]  dump_stack+0x194/0x257
[   37.943499]  ? arch_local_irq_restore+0x53/0x53
[   37.943848]  ? show_regs_print_info+0x65/0x65
[   37.944303]  ? lock_timer_base+0x1a3/0x2b0
[   37.945054]  ? detach_if_pending+0x557/0x610
[   37.945928]  print_address_description+0x73/0x250
[   37.946898]  ? detach_if_pending+0x557/0x610
[   37.947782]  kasan_report+0x24e/0x340
[   37.948515]  __asan_report_store8_noabort+0x17/0x20
[   37.949495]  detach_if_pending+0x557/0x610
[   37.950386]  ? trace_raw_output_tick_stop+0x130/0x130
[   37.951441]  ? _raw_spin_lock_irqsave+0x9e/0xc0
[   37.952366]  ? lock_timer_base+0x1a3/0x2b0
[   37.954518]  ? lock_timer_base+0x1eb/0x2b0
[   37.955351]  ? __internal_add_timer+0x2d0/0x2d0
[   37.956291]  ? trace_hardirqs_on+0xd/0x10
[   37.957159]  try_to_del_timer_sync+0xa2/0x120
[   37.958068]  ? del_timer+0x130/0x130
[   37.958827]  ? del_timer_sync+0xeb/0x240
[   37.959671]  del_timer_sync+0x18a/0x240
[   37.960481]  tun_free_netdev+0x105/0x1b0
[   37.961299]  ? tun_xdp+0x410/0x410
[   37.962000]  ? cpumask_next+0x24/0x30
[   37.962764]  ? netdev_refcnt_read+0xed/0x150
[   37.963652]  ? tun_xdp+0x410/0x410
[   37.964366]  netdev_run_todo+0x870/0xca0
[   37.965196]  ? do_group_exit+0x149/0x400
[   37.966016]  ? register_netdev+0x30/0x30
[   37.966831]  ? lock_downgrade+0x990/0x990
[   37.967663]  ? trace_hardirqs_on+0xd/0x10
[   37.968523]  ? refcount_sub_and_test+0x115/0x1b0
[   37.969486]  ? refcount_inc+0x50/0x50
[   37.970277]  ? refcount_inc+0x50/0x50
[   37.971047]  ? sk_destruct+0x4c/0x80
[   37.971797]  ? __sk_free+0x5c/0x230
[   37.972554]  ? sk_free+0x2f/0x40
[   37.973216]  ? __tun_detach+0x176/0x1390
[   37.974907]  ? tun_attach+0xf90/0xf90
[   37.975682]  ? do_raw_spin_trylock+0x190/0x190
[   37.976416]  ? locks_remove_file+0x3fa/0x5a0
[   37.977356]  ? fcntl_setlk+0x10d0/0x10d0
[   37.978222]  ? __fsnotify_parent+0xb4/0x3a0
[   37.979139]  ? fsnotify+0x1af0/0x1af0
[   37.979944]  ? __tun_detach+0x1390/0x1390
[   37.980828]  ? __tun_detach+0x1390/0x1390
[   37.981715]  rtnl_unlock+0xe/0x10
[   37.982436]  tun_chr_close+0x49/0x60
[   37.983206]  __fput+0x333/0x7f0
[   37.983915]  ? fput+0x140/0x140
[   37.984615]  ? check_same_owner+0x320/0x320
[   37.985512]  ? _raw_spin_unlock_irq+0x27/0x70
[   37.986423]  ____fput+0x15/0x20
[   37.987084]  task_work_run+0x199/0x270
[   37.987866]  ? task_work_cancel+0x210/0x210
[   37.988742]  ? _raw_spin_unlock+0x22/0x30
[   37.989594]  ? switch_task_namespaces+0x87/0xc0
[   37.990587]  do_exit+0xa52/0x1b40
[   37.991285]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   37.992293]  ? check_noncircular+0x20/0x20
[   37.993159]  ? __handle_mm_fault+0x587/0x39c0
[   37.994061]  ? mm_update_next_owner+0x930/0x930
[   37.995571]  ? __pmd_alloc+0x4e0/0x4e0
[   37.996373]  ? find_held_lock+0x39/0x1d0
[   37.997256]  ? lock_downgrade+0x990/0x990
[   37.998150]  ? handle_mm_fault+0x4a2/0x860
[   37.999028]  ? down_read_trylock+0xdb/0x170
[   37.999919]  ? __handle_mm_fault+0x39c0/0x39c0
[   38.000873]  ? vmacache_find+0x61/0x270
[   38.001711]  ? up_read+0x1a/0x40
[   38.002415]  ? __do_page_fault+0x35b/0xb60
[   38.003368]  ? do_page_fault+0xee/0x720
[   38.004256]  ? __do_page_fault+0xb60/0xb60
[   38.005157]  ? putname+0xf3/0x130
[   38.005900]  do_group_exit+0x149/0x400
[   38.006701]  ? lockdep_sys_exit+0x47/0xf0
[   38.007563]  ? SyS_exit+0x30/0x30
[   38.008281]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   38.009329]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   38.010131]  SyS_exit_group+0x1d/0x20
[   38.010511]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   38.010978] RIP: 0033:0x438db9
[   38.011302] RSP: 002b:00007fffa2853f98 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   38.012069] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000438db9
[   38.012951] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[   38.014183] RBP: 0000000000000082 R08: 000000000000003c R09: 00000000000000e7
[   38.015460] R10: ffffffffffffffcc R11: 0000000000000246 R12: 0000000000000001
[   38.017271] R13: 00000000006cc300 R14: 00000000004028b0 R15: 0000000000000000
[   38.018363] 
[   38.018614] Allocated by task 2979:
[   38.019166]  save_stack_trace+0x16/0x20
[   38.019761]  save_stack+0x43/0xd0
[   38.020308]  kasan_kmalloc+0xad/0xe0
[   38.020885]  __kmalloc_node+0x47/0x70
[   38.021464]  kvmalloc_node+0x64/0xd0
[   38.021974]  alloc_netdev_mqs+0x16e/0xed0
[   38.022613]  __tun_chr_ioctl+0x12be/0x3d20
[   38.023255]  tun_chr_ioctl+0x2a/0x40
[   38.023822]  do_vfs_ioctl+0x1b1/0x1530
[   38.024403]  SyS_ioctl+0x8f/0xc0
[   38.025036]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   38.025956] 
[   38.026268] Freed by task 2979:
[   38.026874]  save_stack_trace+0x16/0x20
[   38.027651]  save_stack+0x43/0xd0
[   38.028320]  kasan_slab_free+0x71/0xc0
[   38.029113]  kfree+0xca/0x250
[   38.029738]  kvfree+0x36/0x60
[   38.030363]  free_netdev+0x2cf/0x360
[   38.031137]  __tun_chr_ioctl+0x2cf6/0x3d20
[   38.032028]  tun_chr_ioctl+0x2a/0x40
[   38.032468]  do_vfs_ioctl+0x1b1/0x1530
[   38.032872]  SyS_ioctl+0x8f/0xc0
[   38.033294]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   38.033776] 
[   38.033948] The buggy address belongs to the object at ffff88006ae28280
[   38.033948]  which belongs to the cache kmalloc-16384 of size 16384
[   38.035361] The buggy address is located 13312 bytes inside of
[   38.035361]  16384-byte region [ffff88006ae28280, ffff88006ae2c280)
[   38.036657] The buggy address belongs to the page:
[   38.037240] page:ffffea0001ab8a00 count:1 mapcount:0 mapping:ffff88006ae28280 index:0x0 compound_mapcount: 0
[   38.038776] flags: 0x500000000008100(slab|head)
[   38.039317] raw: 0500000000008100 ffff88006ae28280 0000000000000000 0000000100000001
[   38.040163] raw: ffffea0001a10c20 ffff88006d800c50 ffff88003e802200 0000000000000000
[   38.040978] page dumped because: kasan: bad access detected
[   38.041659] 
[   38.041831] Memory state around the buggy address:
[   38.042399]  ffff88006ae2b580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   38.043213]  ffff88006ae2b600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   38.043949] >ffff88006ae2b680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   38.044758]                    ^
[   38.045182]  ffff88006ae2b700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   38.045910]  ffff88006ae2b780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   38.046694] ==================================================================
[   38.047496] Disabling lock debugging due to kernel taint
[   38.048080] Kernel panic - not syncing: panic_on_warn set ...
[   38.048080] 
[   38.048853] CPU: 2 PID: 2979 Comm: syzkaller048766 Tainted: G    B           4.13.0-next-20170905+ #15
[   38.049853] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[   38.050713] Call Trace:
[   38.050977]  dump_stack+0x194/0x257
[   38.051410]  ? arch_local_irq_restore+0x53/0x53
[   38.051866]  ? vprintk_default+0x28/0x30
[   38.052324]  ? detach_if_pending+0x530/0x610
[   38.052781]  panic+0x1e4/0x417
[   38.053168]  ? __warn+0x1d9/0x1d9
[   38.053528]  ? detach_if_pending+0x557/0x610
[   38.053957]  kasan_end_report+0x50/0x50
[   38.054399]  kasan_report+0x137/0x340
[   38.054796]  __asan_report_store8_noabort+0x17/0x20
[   38.055345]  detach_if_pending+0x557/0x610
[   38.055775]  ? trace_raw_output_tick_stop+0x130/0x130
[   38.056350]  ? _raw_spin_lock_irqsave+0x9e/0xc0
[   38.056835]  ? lock_timer_base+0x1a3/0x2b0
[   38.057326]  ? lock_timer_base+0x1eb/0x2b0
[   38.057756]  ? __internal_add_timer+0x2d0/0x2d0
[   38.058272]  ? trace_hardirqs_on+0xd/0x10
[   38.059098]  try_to_del_timer_sync+0xa2/0x120
[   38.059557]  ? del_timer+0x130/0x130
[   38.059934]  ? del_timer_sync+0xeb/0x240
[   38.060392]  del_timer_sync+0x18a/0x240
[   38.060824]  tun_free_netdev+0x105/0x1b0
[   38.061307]  ? tun_xdp+0x410/0x410
[   38.061667]  ? cpumask_next+0x24/0x30
[   38.062085]  ? netdev_refcnt_read+0xed/0x150
[   38.062529]  ? tun_xdp+0x410/0x410
[   38.062886]  netdev_run_todo+0x870/0xca0
[   38.063324]  ? do_group_exit+0x149/0x400
[   38.063735]  ? register_netdev+0x30/0x30
[   38.064184]  ? lock_downgrade+0x990/0x990
[   38.064610]  ? trace_hardirqs_on+0xd/0x10
[   38.065084]  ? refcount_sub_and_test+0x115/0x1b0
[   38.065581]  ? refcount_inc+0x50/0x50
[   38.065966]  ? refcount_inc+0x50/0x50
[   38.066383]  ? sk_destruct+0x4c/0x80
[   38.066764]  ? __sk_free+0x5c/0x230
[   38.067168]  ? sk_free+0x2f/0x40
[   38.067513]  ? __tun_detach+0x176/0x1390
[   38.067928]  ? tun_attach+0xf90/0xf90
[   38.068364]  ? do_raw_spin_trylock+0x190/0x190
[   38.068841]  ? locks_remove_file+0x3fa/0x5a0
[   38.069343]  ? fcntl_setlk+0x10d0/0x10d0
[   38.069751]  ? __fsnotify_parent+0xb4/0x3a0
[   38.070236]  ? fsnotify+0x1af0/0x1af0
[   38.070635]  ? __tun_detach+0x1390/0x1390
[   38.071050]  ? __tun_detach+0x1390/0x1390
[   38.071481]  rtnl_unlock+0xe/0x10
[   38.071828]  tun_chr_close+0x49/0x60
[   38.072216]  __fput+0x333/0x7f0
[   38.072559]  ? fput+0x140/0x140
[   38.072883]  ? check_same_owner+0x320/0x320
[   38.073354]  ? _raw_spin_unlock_irq+0x27/0x70
[   38.073793]  ____fput+0x15/0x20
[   38.074129]  task_work_run+0x199/0x270
[   38.074511]  ? task_work_cancel+0x210/0x210
[   38.074931]  ? _raw_spin_unlock+0x22/0x30
[   38.075354]  ? switch_task_namespaces+0x87/0xc0
[   38.075812]  do_exit+0xa52/0x1b40
[   38.076167]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   38.076675]  ? check_noncircular+0x20/0x20
[   38.077137]  ? __handle_mm_fault+0x587/0x39c0
[   38.077585]  ? mm_update_next_owner+0x930/0x930
[   38.078048]  ? __pmd_alloc+0x4e0/0x4e0
[   38.078455]  ? find_held_lock+0x39/0x1d0
[   38.078866]  ? lock_downgrade+0x990/0x990
[   38.079305]  ? handle_mm_fault+0x4a2/0x860
[   38.079723]  ? down_read_trylock+0xdb/0x170
[   38.080165]  ? __handle_mm_fault+0x39c0/0x39c0
[   38.080604]  ? vmacache_find+0x61/0x270
[   38.081334]  ? up_read+0x1a/0x40
[   38.081686]  ? __do_page_fault+0x35b/0xb60
[   38.082011]  ? do_page_fault+0xee/0x720
[   38.082314]  ? __do_page_fault+0xb60/0xb60
[   38.082617]  ? putname+0xf3/0x130
[   38.082891]  do_group_exit+0x149/0x400
[   38.083207]  ? lockdep_sys_exit+0x47/0xf0
[   38.083499]  ? SyS_exit+0x30/0x30
[   38.083751]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   38.084160]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   38.084507]  SyS_exit_group+0x1d/0x20
[   38.084888]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   38.085412] RIP: 0033:0x438db9
[   38.085722] RSP: 002b:00007fffa2853f98 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   38.086425] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000438db9
[   38.087159] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[   38.087878] RBP: 0000000000000082 R08: 000000000000003c R09: 00000000000000e7
[   38.088659] R10: ffffffffffffffcc R11: 0000000000000246 R12: 0000000000000001
[   38.089491] R13: 00000000006cc300 R14: 00000000004028b0 R15: 0000000000000000
[   38.090378] Dumping ftrace buffer:
[   38.090728]    (ftrace buffer empty)
[   38.091100] Kernel Offset: disabled
[   38.091459] Rebooting in 86400 seconds..