INIT: Entering runlevel: 2

[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-kasan-gce-386-1,10.128.0.59' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [   30.083594] ==================================================================
[   30.084728] BUG: KASAN: use-after-free in __internal_add_timer+0x275/0x2d0
[   30.085654] Write of size 8 at addr ffff8801ce07b688 by task syzkaller469729/2985
[   30.086656] 
[   30.086928] CPU: 0 PID: 2985 Comm: syzkaller469729 Not tainted 4.14.0-rc2+ #20
[   30.087916] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.089141] Call Trace:
[   30.089520]  dump_stack+0x194/0x257
[   30.090017]  ? arch_local_irq_restore+0x53/0x53
[   30.090643]  ? show_regs_print_info+0x65/0x65
[   30.091250]  ? __kernel_text_address+0xd/0x40
[   30.091887]  ? __internal_add_timer+0x275/0x2d0
[   30.092516]  print_address_description+0x73/0x250
[   30.093165]  ? __internal_add_timer+0x275/0x2d0
[   30.093808]  kasan_report+0x25b/0x340
[   30.094328]  __asan_report_store8_noabort+0x17/0x20
[   30.095000]  __internal_add_timer+0x275/0x2d0
[   30.095609]  ? calc_wheel_index+0x200/0x200
[   30.096203]  mod_timer+0x622/0x15b0
[   30.096706]  ? mod_timer_pending+0x14e0/0x14e0
[   30.097322]  ? __lock_is_held+0xbc/0x140
[   30.097886]  ? __lock_is_held+0xbc/0x140
[   30.098439]  ? __lockdep_init_map+0xe4/0x650
[   30.099035]  ? lockdep_init_map+0x3d/0x70
[   30.099596]  ? rcu_read_lock_sched_held+0x108/0x120
[   30.100266]  ? init_timer_key+0x126/0x3b0
[   30.100828]  ? try_to_del_timer_sync+0x120/0x120
[   30.101467]  ? round_jiffies_up+0xce/0x100
[   30.102038]  ? __round_jiffies_up_relative+0x150/0x150
[   30.102742]  ? debug_lockdep_rcu_enabled+0x77/0x90
[   30.103404]  ? selinux_tun_dev_alloc_security+0x124/0x170
[   30.104150]  __tun_chr_ioctl+0x1b23/0x3d20
[   30.108368]  ? tun_chr_read_iter+0x1e0/0x1e0
[   30.112749]  ? __pmd_alloc+0x4e0/0x4e0
[   30.116613]  ? __might_sleep+0x95/0x190
[   30.120566]  ? selinux_file_ioctl+0x444/0x690
[   30.125032]  ? __fget_light+0x29d/0x390
[   30.128978]  ? selinux_capable+0x40/0x40
[   30.133029]  tun_chr_compat_ioctl+0x29/0x30
[   30.137323]  ? tun_chr_compat_ioctl+0x29/0x30
[   30.141796]  compat_SyS_ioctl+0x1d7/0x3290
[   30.146002]  ? __handle_mm_fault+0x39c0/0x39c0
[   30.150554]  ? __tun_chr_ioctl+0x3d20/0x3d20
[   30.154951]  ? do_ioctl+0x60/0x60
[   30.158380]  ? do_fast_syscall_32+0x158/0xf05
[   30.162852]  ? do_ioctl+0x60/0x60
[   30.166279]  do_fast_syscall_32+0x3f2/0xf05
[   30.170582]  ? do_int80_syscall_32+0x940/0x940
[   30.175137]  ? kasan_check_read+0x11/0x20
[   30.179258]  ? syscall_return_slowpath+0x510/0x510
[   30.184159]  ? SyS_rt_sigaction+0x94/0x1b0
[   30.188370]  ? lockdep_sys_exit+0x47/0xf0
[   30.192490]  ? retint_user+0x18/0x20
[   30.196178]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   30.201001]  entry_SYSENTER_compat+0x51/0x60
[   30.205382] RIP: 0023:0xf7f0fc79
[   30.208720] RSP: 002b:00000000ffd896ec EFLAGS: 00000286 ORIG_RAX: 0000000000000036
[   30.216402] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000400454ca
[   30.223642] RDX: 00000000201a9fd8 RSI: 00000000080ef00c RDI: 000000000000003f
[   30.230885] RBP: 0000000000001000 R08: 0000000000000000 R09: 0000000000000000
[   30.238139] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   30.245380] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   30.252648] 
[   30.254247] Allocated by task 2985:
[   30.257847]  save_stack_trace+0x16/0x20
[   30.261795]  save_stack+0x43/0xd0
[   30.265217]  kasan_kmalloc+0xad/0xe0
[   30.268900]  __kmalloc_node+0x47/0x70
[   30.272874]  kvmalloc_node+0x64/0xd0
[   30.276559]  alloc_netdev_mqs+0x16e/0xed0
[   30.280677]  __tun_chr_ioctl+0x12be/0x3d20
[   30.284880]  tun_chr_compat_ioctl+0x29/0x30
[   30.289171]  compat_SyS_ioctl+0x1d7/0x3290
[   30.293383]  do_fast_syscall_32+0x3f2/0xf05
[   30.297705]  entry_SYSENTER_compat+0x51/0x60
[   30.302080] 
[   30.303679] Freed by task 2985:
[   30.306929]  save_stack_trace+0x16/0x20
[   30.310877]  save_stack+0x43/0xd0
[   30.314299]  kasan_slab_free+0x71/0xc0
[   30.318154]  kfree+0xca/0x250
[   30.321229]  kvfree+0x36/0x60
[   30.324306]  free_netdev+0x2cf/0x360
[   30.327990]  __tun_chr_ioctl+0x2cf6/0x3d20
[   30.332192]  tun_chr_compat_ioctl+0x29/0x30
[   30.336482]  compat_SyS_ioctl+0x1d7/0x3290
[   30.340688]  do_fast_syscall_32+0x3f2/0xf05
[   30.344978]  entry_SYSENTER_compat+0x51/0x60
[   30.349356] 
[   30.350957] The buggy address belongs to the object at ffff8801ce078280
[   30.350957]  which belongs to the cache kmalloc-16384 of size 16384
[   30.363928] The buggy address is located 13320 bytes inside of
[   30.363928]  16384-byte region [ffff8801ce078280, ffff8801ce07c280)
[   30.376116] The buggy address belongs to the page:
[   30.381018] page:ffffea0007381e00 count:1 mapcount:0 mapping:ffff8801ce078280 index:0x0 compound_mapcount: 0
[   30.390973] flags: 0x200000000008100(slab|head)
[   30.395615] raw: 0200000000008100 ffff8801ce078280 0000000000000000 0000000100000001
[   30.403465] raw: ffffea0006fe8a20 ffffea000738f020 ffff8801dac02200 0000000000000000
[   30.411314] page dumped because: kasan: bad access detected
[   30.416990] 
[   30.418589] Memory state around the buggy address:
[   30.423490]  ffff8801ce07b580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.430822]  ffff8801ce07b600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.438150] >ffff8801ce07b680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.445475]                       ^
[   30.449070]  ffff8801ce07b700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.456398]  ffff8801ce07b780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.463727] ==================================================================
[   30.471055] Disabling lock debugging due to kernel taint
[   30.476468] Kernel panic - not syncing: panic_on_warn set ...
[   30.476468] 
[   30.483798] CPU: 0 PID: 2985 Comm: syzkaller469729 Tainted: G    B           4.14.0-rc2+ #20
[   30.492341] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.501660] Call Trace:
[   30.504215]  dump_stack+0x194/0x257
[   30.507808]  ? arch_local_irq_restore+0x53/0x53
[   30.512446]  ? vprintk_default+0x28/0x30
[   30.516474]  ? __internal_add_timer+0x180/0x2d0
[   30.521107]  panic+0x1e4/0x417
[   30.524266]  ? __warn+0x1d9/0x1d9
[   30.527691]  ? __internal_add_timer+0x275/0x2d0
[   30.532325]  kasan_end_report+0x50/0x50
[   30.536263]  kasan_report+0x144/0x340
[   30.540032]  __asan_report_store8_noabort+0x17/0x20
[   30.545010]  __internal_add_timer+0x275/0x2d0
[   30.549471]  ? calc_wheel_index+0x200/0x200
[   30.553763]  mod_timer+0x622/0x15b0
[   30.557360]  ? mod_timer_pending+0x14e0/0x14e0
[   30.561905]  ? __lock_is_held+0xbc/0x140
[   30.565938]  ? __lock_is_held+0xbc/0x140
[   30.569964]  ? __lockdep_init_map+0xe4/0x650
[   30.574340]  ? lockdep_init_map+0x3d/0x70
[   30.578454]  ? rcu_read_lock_sched_held+0x108/0x120
[   30.583435]  ? init_timer_key+0x126/0x3b0
[   30.587550]  ? try_to_del_timer_sync+0x120/0x120
[   30.592284]  ? round_jiffies_up+0xce/0x100
[   30.596484]  ? __round_jiffies_up_relative+0x150/0x150
[   30.601728]  ? debug_lockdep_rcu_enabled+0x77/0x90
[   30.606622]  ? selinux_tun_dev_alloc_security+0x124/0x170
[   30.612126]  __tun_chr_ioctl+0x1b23/0x3d20
[   30.616334]  ? tun_chr_read_iter+0x1e0/0x1e0
[   30.620709]  ? __pmd_alloc+0x4e0/0x4e0
[   30.624566]  ? __might_sleep+0x95/0x190
[   30.628509]  ? selinux_file_ioctl+0x444/0x690
[   30.632967]  ? __fget_light+0x29d/0x390
[   30.636904]  ? selinux_capable+0x40/0x40
[   30.640941]  tun_chr_compat_ioctl+0x29/0x30
[   30.645225]  ? tun_chr_compat_ioctl+0x29/0x30
[   30.649687]  compat_SyS_ioctl+0x1d7/0x3290
[   30.653884]  ? __handle_mm_fault+0x39c0/0x39c0
[   30.658429]  ? __tun_chr_ioctl+0x3d20/0x3d20
[   30.662806]  ? do_ioctl+0x60/0x60
[   30.666230]  ? do_fast_syscall_32+0x158/0xf05
[   30.670690]  ? do_ioctl+0x60/0x60
[   30.674109]  do_fast_syscall_32+0x3f2/0xf05
[   30.678399]  ? do_int80_syscall_32+0x940/0x940
[   30.682946]  ? kasan_check_read+0x11/0x20
[   30.687062]  ? syscall_return_slowpath+0x510/0x510
[   30.691955]  ? SyS_rt_sigaction+0x94/0x1b0
[   30.696155]  ? lockdep_sys_exit+0x47/0xf0
[   30.700268]  ? retint_user+0x18/0x20
[   30.703947]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   30.708759]  entry_SYSENTER_compat+0x51/0x60
[   30.713132] RIP: 0023:0xf7f0fc79
[   30.716460] RSP: 002b:00000000ffd896ec EFLAGS: 00000286 ORIG_RAX: 0000000000000036
[   30.724129] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000400454ca
[   30.731365] RDX: 00000000201a9fd8 RSI: 00000000080ef00c RDI: 000000000000003f
[   30.738598] RBP: 0000000000001000 R08: 0000000000000000 R09: 0000000000000000
[   30.745831] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   30.753064] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   30.760346] Dumping ftrace buffer:
[   30.763850]    (ftrace buffer empty)
[   30.767526] Kernel Offset: disabled
[   30.771119] Rebooting in 86400 seconds..