INIT: Entering runlevel: 2
[[36minfo[39;49m] Using makefile-style concurrent boot in runlevel 2.
[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-next-kasan-gce-5,10.128.0.53' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [   46.827964] ==================================================================
[   46.835399] BUG: KASAN: use-after-free in __internal_add_timer+0x275/0x2d0
[   46.842392] Write of size 8 at addr ffff8801ce69b6c8 by task syzkaller486281/2987
[   46.849989] 
[   46.851592] CPU: 0 PID: 2987 Comm: syzkaller486281 Not tainted 4.13.0-next-20170906+ #16
[   46.859790] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   46.869124] Call Trace:
[   46.871696]  dump_stack+0x194/0x257
[   46.875301]  ? arch_local_irq_restore+0x53/0x53
[   46.879946]  ? show_regs_print_info+0x65/0x65
[   46.884425]  ? __internal_add_timer+0x275/0x2d0
[   46.889067]  print_address_description+0x73/0x250
[   46.893881]  ? __internal_add_timer+0x275/0x2d0
[   46.898525]  kasan_report+0x24e/0x340
[   46.902347]  __asan_report_store8_noabort+0x17/0x20
[   46.907336]  __internal_add_timer+0x275/0x2d0
[   46.911813]  ? calc_wheel_index+0x200/0x200
[   46.916116]  mod_timer+0x622/0x15b0
[   46.919728]  ? mod_timer_pending+0x14e0/0x14e0
[   46.924283]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   46.929272]  ? trace_hardirqs_on+0xd/0x10
[   46.933397]  ? _crng_backtrack_protect+0xd9/0x130
[   46.938225]  ? __lock_is_held+0xbc/0x140
[   46.942262]  ? __lockdep_init_map+0xe4/0x650
[   46.946648]  ? lockdep_init_map+0x3d/0x70
[   46.950768]  ? rcu_read_lock_sched_held+0x108/0x120
[   46.955756]  ? init_timer_key+0x126/0x3b0
[   46.959878]  ? try_to_del_timer_sync+0x120/0x120
[   46.964654]  ? round_jiffies_up+0xce/0x100
[   46.968865]  ? __round_jiffies_up_relative+0x150/0x150
[   46.974113]  ? debug_lockdep_rcu_enabled+0x77/0x90
[   46.979023]  __tun_chr_ioctl+0x1b23/0x3d20
[   46.983240]  ? tun_chr_read_iter+0x1e0/0x1e0
[   46.987638]  ? lock_downgrade+0x990/0x990
[   46.991789]  ? check_same_owner+0x320/0x320
[   46.996088]  ? __handle_mm_fault+0x39c0/0x39c0
[   47.000644]  ? vmacache_find+0x61/0x270
[   47.004636]  ? tun_chr_compat_ioctl+0x30/0x30
[   47.009109]  tun_chr_ioctl+0x2a/0x40
[   47.012795]  ? tun_chr_ioctl+0x2a/0x40
[   47.016659]  do_vfs_ioctl+0x1b1/0x1530
[   47.020534]  ? ioctl_preallocate+0x2b0/0x2b0
[   47.024920]  ? selinux_capable+0x40/0x40
[   47.028963]  ? putname+0xf3/0x130
[   47.032428]  ? do_sys_open+0x320/0x6d0
[   47.036299]  ? security_file_ioctl+0x7d/0xb0
[   47.040681]  ? security_file_ioctl+0x89/0xb0
[   47.045078]  SyS_ioctl+0x8f/0xc0
[   47.048427]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   47.053154] RIP: 0033:0x443db9
[   47.056315] RSP: 002b:00007ffe4236e988 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
[   47.063999] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000443db9
[   47.071246] RDX: 0000000020f14fd8 RSI: 00000000400454ca RDI: 0000000000000004
[   47.079533] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[   47.086776] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000401aa0
[   47.094016] R13: 0000000000401b30 R14: 0000000000000000 R15: 0000000000000000
[   47.101289] 
[   47.102896] Allocated by task 2987:
[   47.106498]  save_stack_trace+0x16/0x20
[   47.110454]  save_stack+0x43/0xd0
[   47.113878]  kasan_kmalloc+0xad/0xe0
[   47.117563]  __kmalloc_node+0x47/0x70
[   47.121348]  kvmalloc_node+0x64/0xd0
[   47.125033]  alloc_netdev_mqs+0x16e/0xed0
[   47.129148]  __tun_chr_ioctl+0x12be/0x3d20
[   47.133361]  tun_chr_ioctl+0x2a/0x40
[   47.137045]  do_vfs_ioctl+0x1b1/0x1530
[   47.140903]  SyS_ioctl+0x8f/0xc0
[   47.144240]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   47.148962] 
[   47.150590] Freed by task 2987:
[   47.153842]  save_stack_trace+0x16/0x20
[   47.157790]  save_stack+0x43/0xd0
[   47.161211]  kasan_slab_free+0x71/0xc0
[   47.165085]  kfree+0xca/0x250
[   47.168160]  kvfree+0x36/0x60
[   47.171238]  free_netdev+0x2cf/0x360
[   47.174922]  __tun_chr_ioctl+0x2cf6/0x3d20
[   47.179131]  tun_chr_ioctl+0x2a/0x40
[   47.182817]  do_vfs_ioctl+0x1b1/0x1530
[   47.186672]  SyS_ioctl+0x8f/0xc0
[   47.190014]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   47.194758] 
[   47.196361] The buggy address belongs to the object at ffff8801ce6982c0
[   47.196361]  which belongs to the cache kmalloc-16384 of size 16384
[   47.209340] The buggy address is located 13320 bytes inside of
[   47.209340]  16384-byte region [ffff8801ce6982c0, ffff8801ce69c2c0)
[   47.221541] The buggy address belongs to the page:
[   47.226449] page:ffffea000739a600 count:1 mapcount:0 mapping:ffff8801ce6982c0 index:0x0 compound_mapcount: 0
[   47.236400] flags: 0x200000000008100(slab|head)
[   47.241045] raw: 0200000000008100 ffff8801ce6982c0 0000000000000000 0000000100000001
[   47.248910] raw: ffffea000736ac20 ffffea0007399c20 ffff8801dac02200 0000000000000000
[   47.256760] page dumped because: kasan: bad access detected
[   47.262440] 
[   47.264040] Memory state around the buggy address:
[   47.268944]  ffff8801ce69b580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   47.276272]  ffff8801ce69b600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   47.283602] >ffff8801ce69b680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   47.291043]                                               ^
[   47.296722]  ffff8801ce69b700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   47.304053]  ffff8801ce69b780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   47.311388] ==================================================================
[   47.318717] Disabling lock debugging due to kernel taint
[   47.324130] Kernel panic - not syncing: panic_on_warn set ...
[   47.324130] 
[   47.331455] CPU: 0 PID: 2987 Comm: syzkaller486281 Tainted: G    B           4.13.0-next-20170906+ #16
[   47.340867] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   47.350192] Call Trace:
[   47.352751]  dump_stack+0x194/0x257
[   47.356343]  ? arch_local_irq_restore+0x53/0x53
[   47.360979]  ? vprintk_default+0x28/0x30
[   47.365007]  ? __internal_add_timer+0x1e0/0x2d0
[   47.369642]  panic+0x1e4/0x417
[   47.372799]  ? __warn+0x1d9/0x1d9
[   47.376222]  ? __internal_add_timer+0x275/0x2d0
[   47.380859]  kasan_end_report+0x50/0x50
[   47.384851]  kasan_report+0x137/0x340
[   47.388631]  __asan_report_store8_noabort+0x17/0x20
[   47.393613]  __internal_add_timer+0x275/0x2d0
[   47.398076]  ? calc_wheel_index+0x200/0x200
[   47.402366]  mod_timer+0x622/0x15b0
[   47.405961]  ? mod_timer_pending+0x14e0/0x14e0
[   47.410509]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   47.415491]  ? trace_hardirqs_on+0xd/0x10
[   47.419607]  ? _crng_backtrack_protect+0xd9/0x130
[   47.424414]  ? __lock_is_held+0xbc/0x140
[   47.428443]  ? __lockdep_init_map+0xe4/0x650
[   47.432817]  ? lockdep_init_map+0x3d/0x70
[   47.436930]  ? rcu_read_lock_sched_held+0x108/0x120
[   47.441914]  ? init_timer_key+0x126/0x3b0
[   47.446028]  ? try_to_del_timer_sync+0x120/0x120
[   47.450752]  ? round_jiffies_up+0xce/0x100
[   47.454951]  ? __round_jiffies_up_relative+0x150/0x150
[   47.460196]  ? debug_lockdep_rcu_enabled+0x77/0x90
[   47.465100]  __tun_chr_ioctl+0x1b23/0x3d20
[   47.469304]  ? tun_chr_read_iter+0x1e0/0x1e0
[   47.473694]  ? lock_downgrade+0x990/0x990
[   47.477822]  ? check_same_owner+0x320/0x320
[   47.482108]  ? __handle_mm_fault+0x39c0/0x39c0
[   47.486656]  ? vmacache_find+0x61/0x270
[   47.490607]  ? tun_chr_compat_ioctl+0x30/0x30
[   47.495066]  tun_chr_ioctl+0x2a/0x40
[   47.498753]  ? tun_chr_ioctl+0x2a/0x40
[   47.502620]  do_vfs_ioctl+0x1b1/0x1530
[   47.506475]  ? ioctl_preallocate+0x2b0/0x2b0
[   47.510851]  ? selinux_capable+0x40/0x40
[   47.514876]  ? putname+0xf3/0x130
[   47.518296]  ? do_sys_open+0x320/0x6d0
[   47.522155]  ? security_file_ioctl+0x7d/0xb0
[   47.526528]  ? security_file_ioctl+0x89/0xb0
[   47.530903]  SyS_ioctl+0x8f/0xc0
[   47.534240]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   47.538981] RIP: 0033:0x443db9
[   47.542135] RSP: 002b:00007ffe4236e988 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
[   47.549810] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000443db9
[   47.557047] RDX: 0000000020f14fd8 RSI: 00000000400454ca RDI: 0000000000000004
[   47.564282] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[   47.571516] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000401aa0
[   47.578752] R13: 0000000000401b30 R14: 0000000000000000 R15: 0000000000000000