INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-next-kasan-gce-9,10.128.15.241' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [ 34.943358] ==================================================================
[ 34.950786] BUG: KASAN: use-after-free in __internal_add_timer+0x275/0x2d0
[ 34.957772] Write of size 8 at addr ffff8801cdd23688 by task syzkaller056917/2981
[ 34.965363]
[ 34.966973] CPU: 1 PID: 2981 Comm: syzkaller056917 Not tainted 4.14.0-rc2-next-20170926+ #29
[ 34.975514] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.984850] Call Trace:
[ 34.987415]  dump_stack+0x194/0x257
[ 34.991023]  ? arch_local_irq_restore+0x53/0x53
[ 34.995666]  ? show_regs_print_info+0x65/0x65
[ 35.000140]  ? __kernel_text_address+0xd/0x40
[ 35.004620]  ? __internal_add_timer+0x275/0x2d0
[ 35.009266]  print_address_description+0x73/0x250
[ 35.014083]  ? __internal_add_timer+0x275/0x2d0
[ 35.018727]  kasan_report+0x25b/0x340
[ 35.022505]  __asan_report_store8_noabort+0x17/0x20
[ 35.027493]  __internal_add_timer+0x275/0x2d0
[ 35.031964]  ? calc_wheel_index+0x200/0x200
[ 35.036271]  mod_timer+0x622/0x15b0
[ 35.039880]  ? mod_timer_pending+0x14e0/0x14e0
[ 35.044435]  ? __lock_is_held+0xbc/0x140
[ 35.048482]  ? __lock_is_held+0xbc/0x140
[ 35.052518]  ? __lockdep_init_map+0xe4/0x650
[ 35.056914]  ? lockdep_init_map+0x3d/0x70
[ 35.061039]  ? rcu_read_lock_sched_held+0x108/0x120
[ 35.066031]  ? init_timer_key+0x126/0x3b0
[ 35.070157]  ? try_to_del_timer_sync+0x120/0x120
[ 35.074887]  ? round_jiffies_up+0xce/0x100
[ 35.079100]  ? __round_jiffies_up_relative+0x150/0x150
[ 35.084348]  ? debug_lockdep_rcu_enabled+0x77/0x90
[ 35.089252]  ? selinux_tun_dev_alloc_security+0x124/0x170
[ 35.094769]  __tun_chr_ioctl+0x1b23/0x3d20
[ 35.098986]  ? tun_chr_read_iter+0x1e0/0x1e0
[ 35.103376]  ? lock_downgrade+0x990/0x990
[ 35.107520]  ? trace_event_raw_event_sched_switch+0x770/0x770
[ 35.113375]  ? __handle_mm_fault+0x39c0/0x39c0
[ 35.117933]  ? tun_chr_compat_ioctl+0x30/0x30
[ 35.122398]  tun_chr_ioctl+0x2a/0x40
[ 35.126085]  ? tun_chr_ioctl+0x2a/0x40
[ 35.129958]  do_vfs_ioctl+0x1b1/0x1530
[ 35.133815]  ? _cond_resched+0x14/0x30
[ 35.137679]  ? ioctl_preallocate+0x2b0/0x2b0
[ 35.142072]  ? selinux_capable+0x40/0x40
[ 35.146109]  ? putname+0xf3/0x130
[ 35.149549]  ? do_sys_open+0x320/0x6d0
[ 35.153419]  ? security_file_ioctl+0x89/0xb0
[ 35.157804]  SyS_ioctl+0x8f/0xc0
[ 35.161146]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 35.165875] RIP: 0033:0x443db9
[ 35.169041] RSP: 002b:00007ffe7e6b0808 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
[ 35.176724] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000443db9
[ 35.183964] RDX: 0000000020533000 RSI: 00000000400454ca RDI: 0000000000000004
[ 35.191205] RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
[ 35.198444] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000401aa0
[ 35.205685] R13: 0000000000401b30 R14: 0000000000000000 R15: 0000000000000000
[ 35.212943]
[ 35.214542] Allocated by task 2981:
[ 35.218141]  save_stack_trace+0x16/0x20
[ 35.222086]  save_stack+0x43/0xd0
[ 35.225509]  kasan_kmalloc+0xad/0xe0
[ 35.229195]  __kmalloc_node+0x47/0x70
[ 35.232967]  kvmalloc_node+0x64/0xd0
[ 35.236649]  alloc_netdev_mqs+0x16d/0xed0
[ 35.240766]  __tun_chr_ioctl+0x12be/0x3d20
[ 35.244975]  tun_chr_ioctl+0x2a/0x40
[ 35.248659]  do_vfs_ioctl+0x1b1/0x1530
[ 35.252516]  SyS_ioctl+0x8f/0xc0
[ 35.255850]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 35.260571]
[ 35.262168] Freed by task 2981:
[ 35.265416]  save_stack_trace+0x16/0x20
[ 35.269360]  save_stack+0x43/0xd0
[ 35.272781]  kasan_slab_free+0x71/0xc0
[ 35.276638]  kfree+0xca/0x250
[ 35.279712]  kvfree+0x36/0x60
[ 35.282789]  free_netdev+0x2cf/0x360
[ 35.286474]  __tun_chr_ioctl+0x2cf6/0x3d20
[ 35.290677]  tun_chr_ioctl+0x2a/0x40
[ 35.294363]  do_vfs_ioctl+0x1b1/0x1530
[ 35.298221]  SyS_ioctl+0x8f/0xc0
[ 35.301557]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 35.306281]
[ 35.307879] The buggy address belongs to the object at ffff8801cdd20280
[ 35.307879]  which belongs to the cache kmalloc-16384 of size 16384
[ 35.320864] The buggy address is located 13320 bytes inside of
[ 35.320864]  16384-byte region [ffff8801cdd20280, ffff8801cdd24280)
[ 35.333059] The buggy address belongs to the page:
[ 35.337964] page:ffffea0007374800 count:1 mapcount:0 mapping:ffff8801cdd20280 index:0x0 compound_mapcount: 0
[ 35.347908] flags: 0x200000000008100(slab|head)
[ 35.352548] raw: 0200000000008100 ffff8801cdd20280 0000000000000000 0000000100000001
[ 35.360398] raw: ffffea0007558a20 ffffea0007372020 ffff8801dac02200 0000000000000000
[ 35.368245] page dumped because: kasan: bad access detected
[ 35.373920]
[ 35.375526] Memory state around the buggy address:
[ 35.380424]  ffff8801cdd23580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.387752]  ffff8801cdd23600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.395081] >ffff8801cdd23680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.402406]                                         ^
[ 35.406001]  ffff8801cdd23700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.413334]  ffff8801cdd23780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.420684] ==================================================================
[ 35.428028] Disabling lock debugging due to kernel taint
[ 35.433442] Kernel panic - not syncing: panic_on_warn set ...
[ 35.433442]
[ 35.440768] CPU: 1 PID: 2981 Comm: syzkaller056917 Tainted: G    B   4.14.0-rc2-next-20170926+ #29
[ 35.450625] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.459952] Call Trace:
[ 35.462508]  dump_stack+0x194/0x257
[ 35.466102]  ? arch_local_irq_restore+0x53/0x53
[ 35.470739]  ? vprintk_default+0x28/0x30
[ 35.474771]  ? __internal_add_timer+0x1d0/0x2d0
[ 35.479405]  panic+0x1e4/0x417
[ 35.482562]  ? __warn+0x1d9/0x1d9
[ 35.485987]  ? __internal_add_timer+0x275/0x2d0
[ 35.490624]  kasan_end_report+0x50/0x50
[ 35.494571]  kasan_report+0x144/0x340
[ 35.498340]  __asan_report_store8_noabort+0x17/0x20
[ 35.503318]  __internal_add_timer+0x275/0x2d0
[ 35.507794]  ? calc_wheel_index+0x200/0x200
[ 35.512086]  mod_timer+0x622/0x15b0
[ 35.515684]  ? mod_timer_pending+0x14e0/0x14e0
[ 35.520232]  ? __lock_is_held+0xbc/0x140
[ 35.524270]  ? __lock_is_held+0xbc/0x140
[ 35.528298]  ? __lockdep_init_map+0xe4/0x650
[ 35.532675]  ? lockdep_init_map+0x3d/0x70
[ 35.536791]  ? rcu_read_lock_sched_held+0x108/0x120
[ 35.541775]  ? init_timer_key+0x126/0x3b0
[ 35.545894]  ? try_to_del_timer_sync+0x120/0x120
[ 35.550616]  ? round_jiffies_up+0xce/0x100
[ 35.554818]  ? __round_jiffies_up_relative+0x150/0x150
[ 35.560060]  ? debug_lockdep_rcu_enabled+0x77/0x90
[ 35.564955]  ? selinux_tun_dev_alloc_security+0x124/0x170
[ 35.570465]  __tun_chr_ioctl+0x1b23/0x3d20
[ 35.574672]  ? tun_chr_read_iter+0x1e0/0x1e0
[ 35.579061]  ? lock_downgrade+0x990/0x990
[ 35.583189]  ? trace_event_raw_event_sched_switch+0x770/0x770
[ 35.589039]  ? __handle_mm_fault+0x39c0/0x39c0
[ 35.593588]  ? tun_chr_compat_ioctl+0x30/0x30
[ 35.598049]  tun_chr_ioctl+0x2a/0x40
[ 35.601728]  ? tun_chr_ioctl+0x2a/0x40
[ 35.605581]  do_vfs_ioctl+0x1b1/0x1530
[ 35.609435]  ? _cond_resched+0x14/0x30
[ 35.613289]  ? ioctl_preallocate+0x2b0/0x2b0
[ 35.617666]  ? selinux_capable+0x40/0x40
[ 35.621693]  ? putname+0xf3/0x130
[ 35.625114]  ? do_sys_open+0x320/0x6d0
[ 35.628973]  ? security_file_ioctl+0x89/0xb0
[ 35.633349]  SyS_ioctl+0x8f/0xc0
[ 35.636687]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 35.641407] RIP: 0033:0x443db9
[ 35.644562] RSP: 002b:00007ffe7e6b0808 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
[ 35.652236] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000443db9
[ 35.659474] RDX: 0000000020533000 RSI: 00000000400454ca RDI: 0000000000000004
[ 35.666714] RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
[ 35.673950] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000401aa0
[ 35.681184] R13: 0000000000401b30 R14: 0000000000000000 R15: 0000000000000000
[ 35.688468] Dumping ftrace buffer:
[ 35.691975]    (ftrace buffer empty)
[ 35.695656] Kernel Offset: disabled
[ 35.699250] Rebooting in 86400 seconds..