INIT: Entering runlevel: 2

[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-next-kasan-gce-7,10.128.0.58' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
executing program
syzkaller login: [   29.856548] ==================================================================
[   29.864018] BUG: KASAN: use-after-free in detach_if_pending+0x557/0x610
[   29.870764] Write of size 8 at addr ffff8801ce1eb7c0 by task syzkaller649459/2982
[   29.878370] 
[   29.879977] CPU: 1 PID: 2982 Comm: syzkaller649459 Not tainted 4.13.0-next-20170906+ #16
[   29.888179] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.897512] Call Trace:
[   29.900081]  dump_stack+0x194/0x257
[   29.903691]  ? arch_local_irq_restore+0x53/0x53
[   29.908334]  ? show_regs_print_info+0x65/0x65
[   29.912803]  ? lock_timer_base+0x1a3/0x2b0
[   29.917012]  ? detach_if_pending+0x557/0x610
[   29.921396]  print_address_description+0x73/0x250
[   29.926215]  ? detach_if_pending+0x557/0x610
[   29.930605]  kasan_report+0x24e/0x340
[   29.934385]  __asan_report_store8_noabort+0x17/0x20
[   29.939375]  detach_if_pending+0x557/0x610
[   29.943584]  ? trace_raw_output_tick_stop+0x130/0x130
[   29.948751]  ? _raw_spin_lock_irqsave+0x9e/0xc0
[   29.953400]  ? lock_timer_base+0x1a3/0x2b0
[   29.957606]  ? lock_timer_base+0x1eb/0x2b0
[   29.961817]  ? __internal_add_timer+0x2d0/0x2d0
[   29.966462]  ? trace_hardirqs_on+0xd/0x10
[   29.970599]  try_to_del_timer_sync+0xa2/0x120
[   29.975067]  ? del_timer+0x130/0x130
[   29.978755]  ? del_timer_sync+0xeb/0x240
[   29.982884]  del_timer_sync+0x18a/0x240
[   29.987011]  tun_free_netdev+0x105/0x1b0
[   29.991058]  ? tun_xdp+0x410/0x410
[   29.994570]  ? cpumask_next+0x24/0x30
[   29.998352]  ? netdev_refcnt_read+0xed/0x150
[   30.002746]  ? tun_xdp+0x410/0x410
[   30.006434]  netdev_run_todo+0x870/0xca0
[   30.010471]  ? do_group_exit+0x149/0x400
[   30.014517]  ? register_netdev+0x30/0x30
[   30.018557]  ? lock_downgrade+0x990/0x990
[   30.022678]  ? trace_hardirqs_on+0xd/0x10
[   30.026816]  ? refcount_sub_and_test+0x115/0x1b0
[   30.031546]  ? refcount_inc+0x50/0x50
[   30.035319]  ? refcount_inc+0x50/0x50
[   30.039095]  ? sk_destruct+0x4c/0x80
[   30.042789]  ? __sk_free+0x5c/0x230
[   30.046391]  ? sk_free+0x2f/0x40
[   30.049738]  ? __tun_detach+0x176/0x1390
[   30.053781]  ? tun_attach+0xf90/0xf90
[   30.057559]  ? do_raw_spin_trylock+0x190/0x190
[   30.062117]  ? locks_remove_file+0x3fa/0x5a0
[   30.066500]  ? fcntl_setlk+0x10d0/0x10d0
[   30.070536]  ? __fsnotify_parent+0xb4/0x3a0
[   30.074833]  ? fsnotify+0x1af0/0x1af0
[   30.078611]  ? __tun_detach+0x1390/0x1390
[   30.082732]  ? __tun_detach+0x1390/0x1390
[   30.086853]  rtnl_unlock+0xe/0x10
[   30.090278]  tun_chr_close+0x49/0x60
[   30.093966]  __fput+0x333/0x7f0
[   30.097235]  ? fput+0x140/0x140
[   30.100492]  ? check_same_owner+0x320/0x320
[   30.104877]  ? _raw_spin_unlock_irq+0x27/0x70
[   30.109358]  ____fput+0x15/0x20
[   30.112622]  task_work_run+0x199/0x270
[   30.116492]  ? task_work_cancel+0x210/0x210
[   30.120788]  ? _raw_spin_unlock+0x22/0x30
[   30.124909]  ? switch_task_namespaces+0x87/0xc0
[   30.129556]  do_exit+0xa52/0x1b40
[   30.132993]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   30.137986]  ? check_noncircular+0x20/0x20
[   30.142202]  ? mm_update_next_owner+0x930/0x930
[   30.146858]  ? __pmd_alloc+0x4e0/0x4e0
[   30.150727]  ? find_held_lock+0x39/0x1d0
[   30.154772]  ? lock_downgrade+0x990/0x990
[   30.158914]  ? handle_mm_fault+0x4a2/0x860
[   30.163119]  ? down_read_trylock+0xdb/0x170
[   30.167415]  ? __handle_mm_fault+0x39c0/0x39c0
[   30.171971]  ? vmacache_find+0x61/0x270
[   30.175926]  ? up_read+0x1a/0x40
[   30.179267]  ? __do_page_fault+0x35b/0xb60
[   30.183484]  ? do_vfs_ioctl+0x492/0x1530
[   30.187529]  ? do_page_fault+0xee/0x720
[   30.191482]  ? __do_page_fault+0xb60/0xb60
[   30.195693]  ? putname+0xf3/0x130
[   30.199126]  do_group_exit+0x149/0x400
[   30.202986]  ? lockdep_sys_exit+0x47/0xf0
[   30.207104]  ? SyS_exit+0x30/0x30
[   30.210531]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   30.215523]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   30.220255]  SyS_exit_group+0x1d/0x20
[   30.224030]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   30.228757] RIP: 0033:0x443ad8
[   30.231917] RSP: 002b:00007ffd80f2ac28 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   30.239604] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000443ad8
[   30.246850] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   30.254095] RBP: 0000000000000082 R08: 00000000000000e7 R09: ffffffffffffffd4
[   30.261339] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   30.268583] R13: 00000000006d6180 R14: 0000000000000000 R15: 0000000000000000
[   30.275855] 
[   30.277455] Allocated by task 2982:
[   30.281065]  save_stack_trace+0x16/0x20
[   30.285012]  save_stack+0x43/0xd0
[   30.288436]  kasan_kmalloc+0xad/0xe0
[   30.292121]  __kmalloc_node+0x47/0x70
[   30.295890]  kvmalloc_node+0x64/0xd0
[   30.299574]  alloc_netdev_mqs+0x16e/0xed0
[   30.303692]  __tun_chr_ioctl+0x12be/0x3d20
[   30.307897]  tun_chr_ioctl+0x2a/0x40
[   30.311584]  do_vfs_ioctl+0x1b1/0x1530
[   30.315442]  SyS_ioctl+0x8f/0xc0
[   30.318783]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   30.323508] 
[   30.325107] Freed by task 2982:
[   30.328357]  save_stack_trace+0x16/0x20
[   30.332302]  save_stack+0x43/0xd0
[   30.335725]  kasan_slab_free+0x71/0xc0
[   30.339580]  kfree+0xca/0x250
[   30.342656]  kvfree+0x36/0x60
[   30.345732]  free_netdev+0x2cf/0x360
[   30.349431]  __tun_chr_ioctl+0x2cf6/0x3d20
[   30.353643]  tun_chr_ioctl+0x2a/0x40
[   30.357340]  do_vfs_ioctl+0x1b1/0x1530
[   30.361197]  SyS_ioctl+0x8f/0xc0
[   30.364536]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   30.369260] 
[   30.370859] The buggy address belongs to the object at ffff8801ce1e83c0
[   30.370859]  which belongs to the cache kmalloc-16384 of size 16384
[   30.383832] The buggy address is located 13312 bytes inside of
[   30.383832]  16384-byte region [ffff8801ce1e83c0, ffff8801ce1ec3c0)
[   30.396021] The buggy address belongs to the page:
[   30.400922] page:ffffea0007387a00 count:1 mapcount:0 mapping:ffff8801ce1e83c0 index:0x0 compound_mapcount: 0
[   30.410883] flags: 0x200000000008100(slab|head)
[   30.415524] raw: 0200000000008100 ffff8801ce1e83c0 0000000000000000 0000000100000001
[   30.423377] raw: ffffea0007378220 ffff8801dac01c50 ffff8801dac02200 0000000000000000
[   30.431225] page dumped because: kasan: bad access detected
[   30.436905] 
[   30.438503] Memory state around the buggy address:
[   30.443402]  ffff8801ce1eb680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.450818]  ffff8801ce1eb700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.458145] >ffff8801ce1eb780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.465475]                                            ^
[   30.470981]  ffff8801ce1eb800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.478308]  ffff8801ce1eb880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.485635] ==================================================================
[   30.492961] Disabling lock debugging due to kernel taint
[   30.498376] Kernel panic - not syncing: panic_on_warn set ...
[   30.498376] 
[   30.505703] CPU: 1 PID: 2982 Comm: syzkaller649459 Tainted: G    B           4.13.0-next-20170906+ #16
[   30.515109] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.524434] Call Trace:
[   30.526989]  dump_stack+0x194/0x257
[   30.530583]  ? arch_local_irq_restore+0x53/0x53
[   30.535218]  ? vprintk_default+0x28/0x30
[   30.539247]  ? detach_if_pending+0x530/0x610
[   30.543623]  panic+0x1e4/0x417
[   30.546784]  ? __warn+0x1d9/0x1d9
[   30.550211]  ? detach_if_pending+0x557/0x610
[   30.554586]  kasan_end_report+0x50/0x50
[   30.558525]  kasan_report+0x137/0x340
[   30.562295]  __asan_report_store8_noabort+0x17/0x20
[   30.567275]  detach_if_pending+0x557/0x610
[   30.571480]  ? trace_raw_output_tick_stop+0x130/0x130
[   30.576655]  ? _raw_spin_lock_irqsave+0x9e/0xc0
[   30.581289]  ? lock_timer_base+0x1a3/0x2b0
[   30.585490]  ? lock_timer_base+0x1eb/0x2b0
[   30.589692]  ? __internal_add_timer+0x2d0/0x2d0
[   30.594332]  ? trace_hardirqs_on+0xd/0x10
[   30.598451]  try_to_del_timer_sync+0xa2/0x120
[   30.602925]  ? del_timer+0x130/0x130
[   30.606606]  ? del_timer_sync+0xeb/0x240
[   30.610634]  del_timer_sync+0x18a/0x240
[   30.614575]  tun_free_netdev+0x105/0x1b0
[   30.618601]  ? tun_xdp+0x410/0x410
[   30.622108]  ? cpumask_next+0x24/0x30
[   30.625881]  ? netdev_refcnt_read+0xed/0x150
[   30.630259]  ? tun_xdp+0x410/0x410
[   30.633765]  netdev_run_todo+0x870/0xca0
[   30.637789]  ? do_group_exit+0x149/0x400
[   30.641820]  ? register_netdev+0x30/0x30
[   30.645861]  ? lock_downgrade+0x990/0x990
[   30.649974]  ? trace_hardirqs_on+0xd/0x10
[   30.654097]  ? refcount_sub_and_test+0x115/0x1b0
[   30.658819]  ? refcount_inc+0x50/0x50
[   30.662585]  ? refcount_inc+0x50/0x50
[   30.666354]  ? sk_destruct+0x4c/0x80
[   30.670033]  ? __sk_free+0x5c/0x230
[   30.673627]  ? sk_free+0x2f/0x40
[   30.676960]  ? __tun_detach+0x176/0x1390
[   30.680992]  ? tun_attach+0xf90/0xf90
[   30.684761]  ? do_raw_spin_trylock+0x190/0x190
[   30.689311]  ? locks_remove_file+0x3fa/0x5a0
[   30.693690]  ? fcntl_setlk+0x10d0/0x10d0
[   30.697727]  ? __fsnotify_parent+0xb4/0x3a0
[   30.702016]  ? fsnotify+0x1af0/0x1af0
[   30.705786]  ? __tun_detach+0x1390/0x1390
[   30.709899]  ? __tun_detach+0x1390/0x1390
[   30.714016]  rtnl_unlock+0xe/0x10
[   30.717435]  tun_chr_close+0x49/0x60
[   30.721116]  __fput+0x333/0x7f0
[   30.724363]  ? fput+0x140/0x140
[   30.727622]  ? check_same_owner+0x320/0x320
[   30.731922]  ? _raw_spin_unlock_irq+0x27/0x70
[   30.736389]  ____fput+0x15/0x20
[   30.739638]  task_work_run+0x199/0x270
[   30.743496]  ? task_work_cancel+0x210/0x210
[   30.747785]  ? _raw_spin_unlock+0x22/0x30
[   30.751912]  ? switch_task_namespaces+0x87/0xc0
[   30.756726]  do_exit+0xa52/0x1b40
[   30.760147]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   30.765132]  ? check_noncircular+0x20/0x20
[   30.769339]  ? mm_update_next_owner+0x930/0x930
[   30.773990]  ? __pmd_alloc+0x4e0/0x4e0
[   30.777848]  ? find_held_lock+0x39/0x1d0
[   30.781880]  ? lock_downgrade+0x990/0x990
[   30.786006]  ? handle_mm_fault+0x4a2/0x860
[   30.790207]  ? down_read_trylock+0xdb/0x170
[   30.794495]  ? __handle_mm_fault+0x39c0/0x39c0
[   30.799044]  ? vmacache_find+0x61/0x270
[   30.802989]  ? up_read+0x1a/0x40
[   30.806322]  ? __do_page_fault+0x35b/0xb60
[   30.810523]  ? do_vfs_ioctl+0x492/0x1530
[   30.814554]  ? do_page_fault+0xee/0x720
[   30.818495]  ? __do_page_fault+0xb60/0xb60
[   30.822695]  ? putname+0xf3/0x130
[   30.826118]  do_group_exit+0x149/0x400
[   30.829972]  ? lockdep_sys_exit+0x47/0xf0
[   30.834084]  ? SyS_exit+0x30/0x30
[   30.837504]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   30.842499]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   30.847223]  SyS_exit_group+0x1d/0x20
[   30.850994]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   30.855715] RIP: 0033:0x443ad8