INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-kasan-gce-6,10.128.15.195' (ECDSA) to the list of known hosts.
executing program
executing program

syzkaller login: [ 32.208829] ==================================================================
[ 32.209962] BUG: KASAN: use-after-free in __internal_add_timer+0x275/0x2d0
[ 32.210882] Write of size 8 at addr ffff8801d18f3540 by task syzkaller393539/3001
[ 32.211879]
[ 32.212123] CPU: 1 PID: 3001 Comm: syzkaller393539 Not tainted 4.13.0-rc6+ #47
[ 32.213107] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.214342] Call Trace:
[ 32.214697]  dump_stack+0x194/0x257
[ 32.215187]  ? arch_local_irq_restore+0x53/0x53
[ 32.215810]  ? show_regs_print_info+0x65/0x65
[ 32.216416]  ? __internal_add_timer+0x275/0x2d0
[ 32.217041]  print_address_description+0x73/0x250
[ 32.217684]  ? __internal_add_timer+0x275/0x2d0
[ 32.218305]  kasan_report+0x24e/0x340
[ 32.218819]  __asan_report_store8_noabort+0x17/0x20
[ 32.219488]  __internal_add_timer+0x275/0x2d0
[ 32.220113]  ? calc_wheel_index+0x200/0x200
[ 32.220699]  mod_timer+0x6e8/0xf40
[ 32.221219]  ? mod_timer_pending+0xe80/0xe80
[ 32.221809]  ? __lock_is_held+0xb6/0x140
[ 32.222358]  ? lockdep_init_map+0xe4/0x650
[ 32.222930]  ? try_to_del_timer_sync+0x120/0x120
[ 32.223564]  ? round_jiffies_up+0xce/0x100
[ 32.224132]  ? __round_jiffies_up_relative+0x150/0x150
[ 32.224833]  ? debug_lockdep_rcu_enabled+0x77/0x90
[ 32.225548]  __tun_chr_ioctl+0x1b20/0x3d60
[ 32.226111]  ? unwind_dump+0x4/0x4c0
[ 32.226619]  ? tun_select_queue+0x580/0x580
[ 32.227197]  ? check_noncircular+0x20/0x20
[ 32.227811]  ? save_stack+0xa3/0xd0
[ 32.228302]  ? __handle_mm_fault+0x577/0x3860
[ 32.228898]  ? check_noncircular+0x20/0x20
[ 32.229467]  ? check_noncircular+0x20/0x20
[ 32.233666]  ? __pmd_alloc+0x4e0/0x4e0
[ 32.237536]  ? check_same_owner+0x320/0x320
[ 32.241822]  ? handle_mm_fault+0x23e/0x860
[ 32.246027]  ? tun_chr_compat_ioctl+0x30/0x30
[ 32.250489]  tun_chr_ioctl+0x2a/0x40
[ 32.254168]  ? tun_chr_ioctl+0x2a/0x40
[ 32.258024]  do_vfs_ioctl+0x1b1/0x1520
[ 32.261882]  ? ioctl_preallocate+0x2b0/0x2b0
[ 32.266260]  ? selinux_capable+0x40/0x40
[ 32.270290]  ? __handle_mm_fault+0x3860/0x3860
[ 32.274849]  ? security_file_ioctl+0x7d/0xb0
[ 32.279226]  ? security_file_ioctl+0x89/0xb0
[ 32.283623]  SyS_ioctl+0x8f/0xc0
[ 32.286962]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 32.291683] RIP: 0033:0x443db9
[ 32.294840] RSP: 002b:00007fff4322bc28 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
[ 32.302513] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000443db9
[ 32.309750] RDX: 00000000201dd000 RSI: 00000000400454ca RDI: 0000000000000004
[ 32.316985] RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
[ 32.324221] R10: 0000000000000000 R11: 0000000000000202 R12: 25714a93c956672f
[ 32.331459] R13: 74656e2f7665642f R14: 0000000000000000 R15: 0000000000000000
[ 32.338713]
[ 32.340305] Allocated by task 3001:
[ 32.343905]  save_stack_trace+0x16/0x20
[ 32.347845]  save_stack+0x43/0xd0
[ 32.351262]  kasan_kmalloc+0xad/0xe0
[ 32.354939]  __kmalloc_node+0x47/0x70
[ 32.358705]  kvmalloc_node+0x64/0xd0
[ 32.362385]  alloc_netdev_mqs+0x16e/0xed0
[ 32.366593]  __tun_chr_ioctl+0x12b2/0x3d60
[ 32.370792]  tun_chr_ioctl+0x2a/0x40
[ 32.374471]  do_vfs_ioctl+0x1b1/0x1520
[ 32.378325]  SyS_ioctl+0x8f/0xc0
[ 32.381659]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 32.386376]
[ 32.387969] Freed by task 3001:
[ 32.391212]  save_stack_trace+0x16/0x20
[ 32.395150]  save_stack+0x43/0xd0
[ 32.398570]  kasan_slab_free+0x71/0xc0
[ 32.402424]  kfree+0xca/0x250
[ 32.405495]  kvfree+0x36/0x60
[ 32.408568]  free_netdev+0x2cf/0x360
[ 32.412251]  __tun_chr_ioctl+0x2d24/0x3d60
[ 32.416452]  tun_chr_ioctl+0x2a/0x40
[ 32.420132]  do_vfs_ioctl+0x1b1/0x1520
[ 32.423985]  SyS_ioctl+0x8f/0xc0
[ 32.427319]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 32.432037]
[ 32.433631] The buggy address belongs to the object at ffff8801d18f0200
[ 32.433631]  which belongs to the cache kmalloc-16384 of size 16384
[ 32.446601] The buggy address is located 13120 bytes inside of
[ 32.446601]  16384-byte region [ffff8801d18f0200, ffff8801d18f4200)
[ 32.458786] The buggy address belongs to the page:
[ 32.463681] page:ffffea0007463c00 count:1 mapcount:0 mapping:ffff8801d18f0200 index:0x0 compound_mapcount: 0
[ 32.473618] flags: 0x200000000008100(slab|head)
[ 32.478285] raw: 0200000000008100 ffff8801d18f0200 0000000000000000 0000000100000001
[ 32.486135] raw: ffffea000712f020 ffffea00073f7c20 ffff8801dac02200 0000000000000000
[ 32.493978] page dumped because: kasan: bad access detected
[ 32.499654]
[ 32.501246] Memory state around the buggy address:
[ 32.506143]  ffff8801d18f3400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.513475]  ffff8801d18f3480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.520801] >ffff8801d18f3500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.528124]                                            ^
[ 32.533540]  ffff8801d18f3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.540875]  ffff8801d18f3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.548198] ==================================================================
[ 32.555520] Disabling lock debugging due to kernel taint
[ 32.560937] Kernel panic - not syncing: panic_on_warn set ...
[ 32.560937]
[ 32.568265] CPU: 1 PID: 3001 Comm: syzkaller393539 Tainted: G B 4.13.0-rc6+ #47
[ 32.576801] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.586122] Call Trace:
[ 32.588678]  dump_stack+0x194/0x257
[ 32.592272]  ? arch_local_irq_restore+0x53/0x53
[ 32.596906]  ? kasan_end_report+0x32/0x50
[ 32.601020]  ? lock_downgrade+0x990/0x990
[ 32.605136]  ? __internal_add_timer+0x250/0x2d0
[ 32.609770]  panic+0x1e4/0x417
[ 32.612940]  ? __warn+0x1d9/0x1d9
[ 32.616363]  ? __internal_add_timer+0x275/0x2d0
[ 32.620994]  kasan_end_report+0x50/0x50
[ 32.624933]  kasan_report+0x137/0x340
[ 32.628703]  __asan_report_store8_noabort+0x17/0x20
[ 32.633686]  __internal_add_timer+0x275/0x2d0
[ 32.638160]  ? calc_wheel_index+0x200/0x200
[ 32.642453]  mod_timer+0x6e8/0xf40
[ 32.645958]  ? mod_timer_pending+0xe80/0xe80
[ 32.650331]  ? __lock_is_held+0xb6/0x140
[ 32.654358]  ? lockdep_init_map+0xe4/0x650
[ 32.658561]  ? try_to_del_timer_sync+0x120/0x120
[ 32.663283]  ? round_jiffies_up+0xce/0x100
[ 32.667482]  ? __round_jiffies_up_relative+0x150/0x150
[ 32.672723]  ? debug_lockdep_rcu_enabled+0x77/0x90
[ 32.677633]  __tun_chr_ioctl+0x1b20/0x3d60
[ 32.681832]  ? unwind_dump+0x4/0x4c0
[ 32.685515]  ? tun_select_queue+0x580/0x580
[ 32.689803]  ? check_noncircular+0x20/0x20
[ 32.694001]  ? save_stack+0xa3/0xd0
[ 32.697598]  ? __handle_mm_fault+0x577/0x3860
[ 32.702059]  ? check_noncircular+0x20/0x20
[ 32.706273]  ? check_noncircular+0x20/0x20
[ 32.710496]  ? __pmd_alloc+0x4e0/0x4e0
[ 32.714361]  ? check_same_owner+0x320/0x320
[ 32.718651]  ? handle_mm_fault+0x23e/0x860
[ 32.722857]  ? tun_chr_compat_ioctl+0x30/0x30
[ 32.727320]  tun_chr_ioctl+0x2a/0x40
[ 32.730999]  ? tun_chr_ioctl+0x2a/0x40
[ 32.734850]  do_vfs_ioctl+0x1b1/0x1520
[ 32.738704]  ? ioctl_preallocate+0x2b0/0x2b0
[ 32.743081]  ? selinux_capable+0x40/0x40
[ 32.747110]  ? __handle_mm_fault+0x3860/0x3860
[ 32.751678]  ? security_file_ioctl+0x7d/0xb0
[ 32.756051]  ? security_file_ioctl+0x89/0xb0
[ 32.760427]  SyS_ioctl+0x8f/0xc0
[ 32.763764]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 32.768484] RIP: 0033:0x443db9
[ 32.771638] RSP: 002b:00007fff4322bc28 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
[ 32.779309] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000443db9
[ 32.786544] RDX: 00000000201dd000 RSI: 00000000400454ca RDI: 0000000000000004
[ 32.793778] RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
[ 32.801013] R10: 0000000000000000 R11: 0000000000000202 R12: 25714a93c956672f
[ 32.808250] R13: 74656e2f7665642f R14: 0000000000000000 R15: 0000000000000000