INIT: Entering runlevel: 2
[[36minfo[39;49m] Using makefile-style concurrent boot in runlevel 2.
[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-next-kasan-gce-9,10.128.15.241' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [   34.943358] ==================================================================
[   34.950786] BUG: KASAN: use-after-free in __internal_add_timer+0x275/0x2d0
[   34.957772] Write of size 8 at addr ffff8801cdd23688 by task syzkaller056917/2981
[   34.965363] 
[   34.966973] CPU: 1 PID: 2981 Comm: syzkaller056917 Not tainted 4.14.0-rc2-next-20170926+ #29
[   34.975514] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.984850] Call Trace:
[   34.987415]  dump_stack+0x194/0x257
[   34.991023]  ? arch_local_irq_restore+0x53/0x53
[   34.995666]  ? show_regs_print_info+0x65/0x65
[   35.000140]  ? __kernel_text_address+0xd/0x40
[   35.004620]  ? __internal_add_timer+0x275/0x2d0
[   35.009266]  print_address_description+0x73/0x250
[   35.014083]  ? __internal_add_timer+0x275/0x2d0
[   35.018727]  kasan_report+0x25b/0x340
[   35.022505]  __asan_report_store8_noabort+0x17/0x20
[   35.027493]  __internal_add_timer+0x275/0x2d0
[   35.031964]  ? calc_wheel_index+0x200/0x200
[   35.036271]  mod_timer+0x622/0x15b0
[   35.039880]  ? mod_timer_pending+0x14e0/0x14e0
[   35.044435]  ? __lock_is_held+0xbc/0x140
[   35.048482]  ? __lock_is_held+0xbc/0x140
[   35.052518]  ? __lockdep_init_map+0xe4/0x650
[   35.056914]  ? lockdep_init_map+0x3d/0x70
[   35.061039]  ? rcu_read_lock_sched_held+0x108/0x120
[   35.066031]  ? init_timer_key+0x126/0x3b0
[   35.070157]  ? try_to_del_timer_sync+0x120/0x120
[   35.074887]  ? round_jiffies_up+0xce/0x100
[   35.079100]  ? __round_jiffies_up_relative+0x150/0x150
[   35.084348]  ? debug_lockdep_rcu_enabled+0x77/0x90
[   35.089252]  ? selinux_tun_dev_alloc_security+0x124/0x170
[   35.094769]  __tun_chr_ioctl+0x1b23/0x3d20
[   35.098986]  ? tun_chr_read_iter+0x1e0/0x1e0
[   35.103376]  ? lock_downgrade+0x990/0x990
[   35.107520]  ? trace_event_raw_event_sched_switch+0x770/0x770
[   35.113375]  ? __handle_mm_fault+0x39c0/0x39c0
[   35.117933]  ? tun_chr_compat_ioctl+0x30/0x30
[   35.122398]  tun_chr_ioctl+0x2a/0x40
[   35.126085]  ? tun_chr_ioctl+0x2a/0x40
[   35.129958]  do_vfs_ioctl+0x1b1/0x1530
[   35.133815]  ? _cond_resched+0x14/0x30
[   35.137679]  ? ioctl_preallocate+0x2b0/0x2b0
[   35.142072]  ? selinux_capable+0x40/0x40
[   35.146109]  ? putname+0xf3/0x130
[   35.149549]  ? do_sys_open+0x320/0x6d0
[   35.153419]  ? security_file_ioctl+0x89/0xb0
[   35.157804]  SyS_ioctl+0x8f/0xc0
[   35.161146]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   35.165875] RIP: 0033:0x443db9
[   35.169041] RSP: 002b:00007ffe7e6b0808 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
[   35.176724] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000443db9
[   35.183964] RDX: 0000000020533000 RSI: 00000000400454ca RDI: 0000000000000004
[   35.191205] RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
[   35.198444] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000401aa0
[   35.205685] R13: 0000000000401b30 R14: 0000000000000000 R15: 0000000000000000
[   35.212943] 
[   35.214542] Allocated by task 2981:
[   35.218141]  save_stack_trace+0x16/0x20
[   35.222086]  save_stack+0x43/0xd0
[   35.225509]  kasan_kmalloc+0xad/0xe0
[   35.229195]  __kmalloc_node+0x47/0x70
[   35.232967]  kvmalloc_node+0x64/0xd0
[   35.236649]  alloc_netdev_mqs+0x16d/0xed0
[   35.240766]  __tun_chr_ioctl+0x12be/0x3d20
[   35.244975]  tun_chr_ioctl+0x2a/0x40
[   35.248659]  do_vfs_ioctl+0x1b1/0x1530
[   35.252516]  SyS_ioctl+0x8f/0xc0
[   35.255850]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   35.260571] 
[   35.262168] Freed by task 2981:
[   35.265416]  save_stack_trace+0x16/0x20
[   35.269360]  save_stack+0x43/0xd0
[   35.272781]  kasan_slab_free+0x71/0xc0
[   35.276638]  kfree+0xca/0x250
[   35.279712]  kvfree+0x36/0x60
[   35.282789]  free_netdev+0x2cf/0x360
[   35.286474]  __tun_chr_ioctl+0x2cf6/0x3d20
[   35.290677]  tun_chr_ioctl+0x2a/0x40
[   35.294363]  do_vfs_ioctl+0x1b1/0x1530
[   35.298221]  SyS_ioctl+0x8f/0xc0
[   35.301557]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   35.306281] 
[   35.307879] The buggy address belongs to the object at ffff8801cdd20280
[   35.307879]  which belongs to the cache kmalloc-16384 of size 16384
[   35.320864] The buggy address is located 13320 bytes inside of
[   35.320864]  16384-byte region [ffff8801cdd20280, ffff8801cdd24280)
[   35.333059] The buggy address belongs to the page:
[   35.337964] page:ffffea0007374800 count:1 mapcount:0 mapping:ffff8801cdd20280 index:0x0 compound_mapcount: 0
[   35.347908] flags: 0x200000000008100(slab|head)
[   35.352548] raw: 0200000000008100 ffff8801cdd20280 0000000000000000 0000000100000001
[   35.360398] raw: ffffea0007558a20 ffffea0007372020 ffff8801dac02200 0000000000000000
[   35.368245] page dumped because: kasan: bad access detected
[   35.373920] 
[   35.375526] Memory state around the buggy address:
[   35.380424]  ffff8801cdd23580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.387752]  ffff8801cdd23600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.395081] >ffff8801cdd23680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.402406]                       ^
[   35.406001]  ffff8801cdd23700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.413334]  ffff8801cdd23780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.420684] ==================================================================
[   35.428028] Disabling lock debugging due to kernel taint
[   35.433442] Kernel panic - not syncing: panic_on_warn set ...
[   35.433442] 
[   35.440768] CPU: 1 PID: 2981 Comm: syzkaller056917 Tainted: G    B           4.14.0-rc2-next-20170926+ #29
[   35.450625] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   35.459952] Call Trace:
[   35.462508]  dump_stack+0x194/0x257
[   35.466102]  ? arch_local_irq_restore+0x53/0x53
[   35.470739]  ? vprintk_default+0x28/0x30
[   35.474771]  ? __internal_add_timer+0x1d0/0x2d0
[   35.479405]  panic+0x1e4/0x417
[   35.482562]  ? __warn+0x1d9/0x1d9
[   35.485987]  ? __internal_add_timer+0x275/0x2d0
[   35.490624]  kasan_end_report+0x50/0x50
[   35.494571]  kasan_report+0x144/0x340
[   35.498340]  __asan_report_store8_noabort+0x17/0x20
[   35.503318]  __internal_add_timer+0x275/0x2d0
[   35.507794]  ? calc_wheel_index+0x200/0x200
[   35.512086]  mod_timer+0x622/0x15b0
[   35.515684]  ? mod_timer_pending+0x14e0/0x14e0
[   35.520232]  ? __lock_is_held+0xbc/0x140
[   35.524270]  ? __lock_is_held+0xbc/0x140
[   35.528298]  ? __lockdep_init_map+0xe4/0x650
[   35.532675]  ? lockdep_init_map+0x3d/0x70
[   35.536791]  ? rcu_read_lock_sched_held+0x108/0x120
[   35.541775]  ? init_timer_key+0x126/0x3b0
[   35.545894]  ? try_to_del_timer_sync+0x120/0x120
[   35.550616]  ? round_jiffies_up+0xce/0x100
[   35.554818]  ? __round_jiffies_up_relative+0x150/0x150
[   35.560060]  ? debug_lockdep_rcu_enabled+0x77/0x90
[   35.564955]  ? selinux_tun_dev_alloc_security+0x124/0x170
[   35.570465]  __tun_chr_ioctl+0x1b23/0x3d20
[   35.574672]  ? tun_chr_read_iter+0x1e0/0x1e0
[   35.579061]  ? lock_downgrade+0x990/0x990
[   35.583189]  ? trace_event_raw_event_sched_switch+0x770/0x770
[   35.589039]  ? __handle_mm_fault+0x39c0/0x39c0
[   35.593588]  ? tun_chr_compat_ioctl+0x30/0x30
[   35.598049]  tun_chr_ioctl+0x2a/0x40
[   35.601728]  ? tun_chr_ioctl+0x2a/0x40
[   35.605581]  do_vfs_ioctl+0x1b1/0x1530
[   35.609435]  ? _cond_resched+0x14/0x30
[   35.613289]  ? ioctl_preallocate+0x2b0/0x2b0
[   35.617666]  ? selinux_capable+0x40/0x40
[   35.621693]  ? putname+0xf3/0x130
[   35.625114]  ? do_sys_open+0x320/0x6d0
[   35.628973]  ? security_file_ioctl+0x89/0xb0
[   35.633349]  SyS_ioctl+0x8f/0xc0
[   35.636687]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   35.641407] RIP: 0033:0x443db9
[   35.644562] RSP: 002b:00007ffe7e6b0808 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
[   35.652236] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000443db9
[   35.659474] RDX: 0000000020533000 RSI: 00000000400454ca RDI: 0000000000000004
[   35.666714] RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
[   35.673950] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000401aa0
[   35.681184] R13: 0000000000401b30 R14: 0000000000000000 R15: 0000000000000000
[   35.688468] Dumping ftrace buffer:
[   35.691975]    (ftrace buffer empty)
[   35.695656] Kernel Offset: disabled
[   35.699250] Rebooting in 86400 seconds..