INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-kasan-gce-386-4,10.128.15.223' (ECDSA) to the list of known hosts.
executing program
executing program

syzkaller login: [ 31.069594] ==================================================================
[ 31.077041] BUG: KASAN: use-after-free in __internal_add_timer+0x275/0x2d0
[ 31.084025] Write of size 8 at addr ffff8801d01d36c8 by task syzkaller345207/2984
[ 31.091616]
[ 31.093218] CPU: 1 PID: 2984 Comm: syzkaller345207 Not tainted 4.14.0-rc2+ #20
[ 31.100548] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.109876] Call Trace:
[ 31.112438]  dump_stack+0x194/0x257
[ 31.116040]  ? arch_local_irq_restore+0x53/0x53
[ 31.120681]  ? show_regs_print_info+0x65/0x65
[ 31.125157]  ? __internal_add_timer+0x275/0x2d0
[ 31.129801]  print_address_description+0x73/0x250
[ 31.134626]  ? __internal_add_timer+0x275/0x2d0
[ 31.139268]  kasan_report+0x25b/0x340
[ 31.143046]  __asan_report_store8_noabort+0x17/0x20
[ 31.148034]  __internal_add_timer+0x275/0x2d0
[ 31.152504]  ? calc_wheel_index+0x200/0x200
[ 31.156808]  mod_timer+0x622/0x15b0
[ 31.160415]  ? mod_timer_pending+0x14e0/0x14e0
[ 31.164969]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 31.169958]  ? trace_hardirqs_on+0xd/0x10
[ 31.174082]  ? _crng_backtrack_protect+0xd9/0x130
[ 31.178903]  ? __lock_is_held+0xbc/0x140
[ 31.182940]  ? __lockdep_init_map+0xe4/0x650
[ 31.187324]  ? lockdep_init_map+0x3d/0x70
[ 31.191443]  ? rcu_read_lock_sched_held+0x108/0x120
[ 31.196430]  ? init_timer_key+0x126/0x3b0
[ 31.200555]  ? try_to_del_timer_sync+0x120/0x120
[ 31.205284]  ? round_jiffies_up+0xce/0x100
[ 31.209489]  ? __round_jiffies_up_relative+0x150/0x150
[ 31.214749]  ? debug_lockdep_rcu_enabled+0x77/0x90
[ 31.219669]  __tun_chr_ioctl+0x1b23/0x3d20
[ 31.223884]  ? tun_chr_read_iter+0x1e0/0x1e0
[ 31.228267]  ? __pmd_alloc+0x4e0/0x4e0
[ 31.232133]  ? __might_sleep+0x95/0x190
[ 31.236089]  ? selinux_file_ioctl+0x444/0x690
[ 31.240556]  ? __fget_light+0x29d/0x390
[ 31.244502]  ? selinux_capable+0x40/0x40
[ 31.248554]  tun_chr_compat_ioctl+0x29/0x30
[ 31.252848]  ? tun_chr_compat_ioctl+0x29/0x30
[ 31.257317]  compat_SyS_ioctl+0x1d7/0x3290
[ 31.261524]  ? __handle_mm_fault+0x39c0/0x39c0
[ 31.266076]  ? __tun_chr_ioctl+0x3d20/0x3d20
[ 31.270457]  ? do_ioctl+0x60/0x60
[ 31.273885]  ? do_fast_syscall_32+0x158/0xf05
[ 31.278355]  ? do_ioctl+0x60/0x60
[ 31.281781]  do_fast_syscall_32+0x3f2/0xf05
[ 31.286079]  ? do_int80_syscall_32+0x940/0x940
[ 31.290635]  ? kasan_check_read+0x11/0x20
[ 31.294756]  ? syscall_return_slowpath+0x510/0x510
[ 31.299660]  ? SyS_rt_sigaction+0x94/0x1b0
[ 31.303869]  ? lockdep_sys_exit+0x47/0xf0
[ 31.307990]  ? retint_user+0x18/0x20
[ 31.311681]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 31.316502]  entry_SYSENTER_compat+0x51/0x60
[ 31.320880] RIP: 0023:0xf7f79c79
[ 31.324214] RSP: 002b:00000000ffeca85c EFLAGS: 00000282 ORIG_RAX: 0000000000000036
[ 31.331913] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000400454ca
[ 31.339157] RDX: 0000000020c1efd8 RSI: 00000000080ef00c RDI: 000000000000003f
[ 31.346399] RBP: 0000000000001000 R08: 0000000000000000 R09: 0000000000000000
[ 31.353642] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 31.360893] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 31.368162]
[ 31.369762] Allocated by task 2984:
[ 31.373361]  save_stack_trace+0x16/0x20
[ 31.377306]  save_stack+0x43/0xd0
[ 31.380730]  kasan_kmalloc+0xad/0xe0
[ 31.384414]  __kmalloc_node+0x47/0x70
[ 31.388184]  kvmalloc_node+0x64/0xd0
[ 31.391872]  alloc_netdev_mqs+0x16e/0xed0
[ 31.395990]  __tun_chr_ioctl+0x12be/0x3d20
[ 31.400195]  tun_chr_compat_ioctl+0x29/0x30
[ 31.404487]  compat_SyS_ioctl+0x1d7/0x3290
[ 31.408701]  do_fast_syscall_32+0x3f2/0xf05
[ 31.412995]  entry_SYSENTER_compat+0x51/0x60
[ 31.417371]
[ 31.418967] Freed by task 2984:
[ 31.422215]  save_stack_trace+0x16/0x20
[ 31.426160]  save_stack+0x43/0xd0
[ 31.429582]  kasan_slab_free+0x71/0xc0
[ 31.433443]  kfree+0xca/0x250
[ 31.436521]  kvfree+0x36/0x60
[ 31.439599]  free_netdev+0x2cf/0x360
[ 31.443282]  __tun_chr_ioctl+0x2cf6/0x3d20
[ 31.447487]  tun_chr_compat_ioctl+0x29/0x30
[ 31.451779]  compat_SyS_ioctl+0x1d7/0x3290
[ 31.455982]  do_fast_syscall_32+0x3f2/0xf05
[ 31.460272]  entry_SYSENTER_compat+0x51/0x60
[ 31.464649]
[ 31.466247] The buggy address belongs to the object at ffff8801d01d02c0
[ 31.466247]  which belongs to the cache kmalloc-16384 of size 16384
[ 31.479217] The buggy address is located 13320 bytes inside of
[ 31.479217]  16384-byte region [ffff8801d01d02c0, ffff8801d01d42c0)
[ 31.491405] The buggy address belongs to the page:
[ 31.496303] page:ffffea0007407400 count:1 mapcount:0 mapping:ffff8801d01d02c0 index:0x0 compound_mapcount: 0
[ 31.506247] flags: 0x200000000008100(slab|head)
[ 31.510888] raw: 0200000000008100 ffff8801d01d02c0 0000000000000000 0000000100000001
[ 31.518749] raw: ffffea000756d620 ffffea000739d620 ffff8801dac02200 0000000000000000
[ 31.526599] page dumped because: kasan: bad access detected
[ 31.532275]
[ 31.533873] Memory state around the buggy address:
[ 31.538772]  ffff8801d01d3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.546099]  ffff8801d01d3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.553428] >ffff8801d01d3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.560756]                                               ^
[ 31.566436]  ffff8801d01d3700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.573764]  ffff8801d01d3780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.581099] ==================================================================
[ 31.588432] Disabling lock debugging due to kernel taint
[ 31.593848] Kernel panic - not syncing: panic_on_warn set ...
[ 31.593848]
[ 31.601175] CPU: 1 PID: 2984 Comm: syzkaller345207 Tainted: G    B   4.14.0-rc2+ #20
[ 31.609711] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.619028] Call Trace:
[ 31.621588]  dump_stack+0x194/0x257
[ 31.625181]  ? arch_local_irq_restore+0x53/0x53
[ 31.629815]  ? vprintk_default+0x28/0x30
[ 31.633842]  ? __internal_add_timer+0x180/0x2d0
[ 31.638476]  panic+0x1e4/0x417
[ 31.641635]  ? __warn+0x1d9/0x1d9
[ 31.645060]  ? __internal_add_timer+0x275/0x2d0
[ 31.649696]  kasan_end_report+0x50/0x50
[ 31.653635]  kasan_report+0x144/0x340
[ 31.657401]  __asan_report_store8_noabort+0x17/0x20
[ 31.662381]  __internal_add_timer+0x275/0x2d0
[ 31.666843]  ? calc_wheel_index+0x200/0x200
[ 31.671135]  mod_timer+0x622/0x15b0
[ 31.674731]  ? mod_timer_pending+0x14e0/0x14e0
[ 31.679277]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 31.684258]  ? trace_hardirqs_on+0xd/0x10
[ 31.688374]  ? _crng_backtrack_protect+0xd9/0x130
[ 31.693186]  ? __lock_is_held+0xbc/0x140
[ 31.697215]  ? __lockdep_init_map+0xe4/0x650
[ 31.701592]  ? lockdep_init_map+0x3d/0x70
[ 31.705705]  ? rcu_read_lock_sched_held+0x108/0x120
[ 31.710684]  ? init_timer_key+0x126/0x3b0
[ 31.714799]  ? try_to_del_timer_sync+0x120/0x120
[ 31.719519]  ? round_jiffies_up+0xce/0x100
[ 31.723717]  ? __round_jiffies_up_relative+0x150/0x150
[ 31.728957]  ? debug_lockdep_rcu_enabled+0x77/0x90
[ 31.733855]  __tun_chr_ioctl+0x1b23/0x3d20
[ 31.738063]  ? tun_chr_read_iter+0x1e0/0x1e0
[ 31.742439]  ? __pmd_alloc+0x4e0/0x4e0
[ 31.746293]  ? __might_sleep+0x95/0x190
[ 31.750238]  ? selinux_file_ioctl+0x444/0x690
[ 31.754702]  ? __fget_light+0x29d/0x390
[ 31.758640]  ? selinux_capable+0x40/0x40
[ 31.762676]  tun_chr_compat_ioctl+0x29/0x30
[ 31.766961]  ? tun_chr_compat_ioctl+0x29/0x30
[ 31.771423]  compat_SyS_ioctl+0x1d7/0x3290
[ 31.775631]  ? __handle_mm_fault+0x39c0/0x39c0
[ 31.780176]  ? __tun_chr_ioctl+0x3d20/0x3d20
[ 31.784552]  ? do_ioctl+0x60/0x60
[ 31.787973]  ? do_fast_syscall_32+0x158/0xf05
[ 31.792435]  ? do_ioctl+0x60/0x60
[ 31.795853]  do_fast_syscall_32+0x3f2/0xf05
[ 31.800145]  ? do_int80_syscall_32+0x940/0x940
[ 31.804693]  ? kasan_check_read+0x11/0x20
[ 31.808808]  ? syscall_return_slowpath+0x510/0x510
[ 31.813703]  ? SyS_rt_sigaction+0x94/0x1b0
[ 31.817904]  ? lockdep_sys_exit+0x47/0xf0
[ 31.822018]  ? retint_user+0x18/0x20
[ 31.825699]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 31.830509]  entry_SYSENTER_compat+0x51/0x60
[ 31.834882] RIP: 0023:0xf7f79c79
[ 31.838211] RSP: 002b:00000000ffeca85c EFLAGS: 00000282 ORIG_RAX: 0000000000000036
[ 31.845884] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000400454ca
[ 31.853120] RDX: 0000000020c1efd8 RSI: 00000000080ef00c RDI: 000000000000003f
[ 31.860356] RBP: 0000000000001000 R08: 0000000000000000 R09: 0000000000000000
[ 31.867593] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 31.874828] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 31.882107] Dumping ftrace buffer:
[ 31.885615]    (ftrace buffer empty)
[ 31.889292] Kernel Offset: disabled
[ 31.892885] Rebooting in 86400 seconds..