INIT: Entering runlevel: 2

[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-next-kasan-gce-5,10.128.0.53' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [   46.827964] ==================================================================
[   46.835399] BUG: KASAN: use-after-free in __internal_add_timer+0x275/0x2d0
[   46.842392] Write of size 8 at addr ffff8801ce69b6c8 by task syzkaller486281/2987
[   46.849989] 
[   46.851592] CPU: 0 PID: 2987 Comm: syzkaller486281 Not tainted 4.13.0-next-20170906+ #16
[   46.859790] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   46.869124] Call Trace:
[   46.871696]  dump_stack+0x194/0x257
[   46.875301]  ? arch_local_irq_restore+0x53/0x53
[   46.879946]  ? show_regs_print_info+0x65/0x65
[   46.884425]  ? __internal_add_timer+0x275/0x2d0
[   46.889067]  print_address_description+0x73/0x250
[   46.893881]  ? __internal_add_timer+0x275/0x2d0
[   46.898525]  kasan_report+0x24e/0x340
[   46.902347]  __asan_report_store8_noabort+0x17/0x20
[   46.907336]  __internal_add_timer+0x275/0x2d0
[   46.911813]  ? calc_wheel_index+0x200/0x200
[   46.916116]  mod_timer+0x622/0x15b0
[   46.919728]  ? mod_timer_pending+0x14e0/0x14e0
[   46.924283]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   46.929272]  ? trace_hardirqs_on+0xd/0x10
[   46.933397]  ? _crng_backtrack_protect+0xd9/0x130
[   46.938225]  ? __lock_is_held+0xbc/0x140
[   46.942262]  ? __lockdep_init_map+0xe4/0x650
[   46.946648]  ? lockdep_init_map+0x3d/0x70
[   46.950768]  ? rcu_read_lock_sched_held+0x108/0x120
[   46.955756]  ? init_timer_key+0x126/0x3b0
[   46.959878]  ? try_to_del_timer_sync+0x120/0x120
[   46.964654]  ? round_jiffies_up+0xce/0x100
[   46.968865]  ? __round_jiffies_up_relative+0x150/0x150
[   46.974113]  ? debug_lockdep_rcu_enabled+0x77/0x90
[   46.979023]  __tun_chr_ioctl+0x1b23/0x3d20
[   46.983240]  ? tun_chr_read_iter+0x1e0/0x1e0
[   46.987638]  ? lock_downgrade+0x990/0x990
[   46.991789]  ? check_same_owner+0x320/0x320
[   46.996088]  ? __handle_mm_fault+0x39c0/0x39c0
[   47.000644]  ? vmacache_find+0x61/0x270
[   47.004636]  ? tun_chr_compat_ioctl+0x30/0x30
[   47.009109]  tun_chr_ioctl+0x2a/0x40
[   47.012795]  ? tun_chr_ioctl+0x2a/0x40
[   47.016659]  do_vfs_ioctl+0x1b1/0x1530
[   47.020534]  ? ioctl_preallocate+0x2b0/0x2b0
[   47.024920]  ? selinux_capable+0x40/0x40
[   47.028963]  ? putname+0xf3/0x130
[   47.032428]  ? do_sys_open+0x320/0x6d0
[   47.036299]  ? security_file_ioctl+0x7d/0xb0
[   47.040681]  ? security_file_ioctl+0x89/0xb0
[   47.045078]  SyS_ioctl+0x8f/0xc0
[   47.048427]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   47.053154] RIP: 0033:0x443db9
[   47.056315] RSP: 002b:00007ffe4236e988 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
[   47.063999] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000443db9
[   47.071246] RDX: 0000000020f14fd8 RSI: 00000000400454ca RDI: 0000000000000004
[   47.079533] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[   47.086776] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000401aa0
[   47.094016] R13: 0000000000401b30 R14: 0000000000000000 R15: 0000000000000000
[   47.101289] 
[   47.102896] Allocated by task 2987:
[   47.106498]  save_stack_trace+0x16/0x20
[   47.110454]  save_stack+0x43/0xd0
[   47.113878]  kasan_kmalloc+0xad/0xe0
[   47.117563]  __kmalloc_node+0x47/0x70
[   47.121348]  kvmalloc_node+0x64/0xd0
[   47.125033]  alloc_netdev_mqs+0x16e/0xed0
[   47.129148]  __tun_chr_ioctl+0x12be/0x3d20
[   47.133361]  tun_chr_ioctl+0x2a/0x40
[   47.137045]  do_vfs_ioctl+0x1b1/0x1530
[   47.140903]  SyS_ioctl+0x8f/0xc0
[   47.144240]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   47.148962] 
[   47.150590] Freed by task 2987:
[   47.153842]  save_stack_trace+0x16/0x20
[   47.157790]  save_stack+0x43/0xd0
[   47.161211]  kasan_slab_free+0x71/0xc0
[   47.165085]  kfree+0xca/0x250
[   47.168160]  kvfree+0x36/0x60
[   47.171238]  free_netdev+0x2cf/0x360
[   47.174922]  __tun_chr_ioctl+0x2cf6/0x3d20
[   47.179131]  tun_chr_ioctl+0x2a/0x40
[   47.182817]  do_vfs_ioctl+0x1b1/0x1530
[   47.186672]  SyS_ioctl+0x8f/0xc0
[   47.190014]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   47.194758] 
[   47.196361] The buggy address belongs to the object at ffff8801ce6982c0
[   47.196361]  which belongs to the cache kmalloc-16384 of size 16384
[   47.209340] The buggy address is located 13320 bytes inside of
[   47.209340]  16384-byte region [ffff8801ce6982c0, ffff8801ce69c2c0)
[   47.221541] The buggy address belongs to the page:
[   47.226449] page:ffffea000739a600 count:1 mapcount:0 mapping:ffff8801ce6982c0 index:0x0 compound_mapcount: 0
[   47.236400] flags: 0x200000000008100(slab|head)
[   47.241045] raw: 0200000000008100 ffff8801ce6982c0 0000000000000000 0000000100000001
[   47.248910] raw: ffffea000736ac20 ffffea0007399c20 ffff8801dac02200 0000000000000000
[   47.256760] page dumped because: kasan: bad access detected
[   47.262440] 
[   47.264040] Memory state around the buggy address:
[   47.268944]  ffff8801ce69b580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   47.276272]  ffff8801ce69b600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   47.283602] >ffff8801ce69b680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   47.291043]                                               ^
[   47.296722]  ffff8801ce69b700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   47.304053]  ffff8801ce69b780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   47.311388] ==================================================================
[   47.318717] Disabling lock debugging due to kernel taint
[   47.324130] Kernel panic - not syncing: panic_on_warn set ...
[   47.324130] 
[   47.331455] CPU: 0 PID: 2987 Comm: syzkaller486281 Tainted: G    B           4.13.0-next-20170906+ #16
[   47.340867] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   47.350192] Call Trace:
[   47.352751]  dump_stack+0x194/0x257
[   47.356343]  ? arch_local_irq_restore+0x53/0x53
[   47.360979]  ? vprintk_default+0x28/0x30
[   47.365007]  ? __internal_add_timer+0x1e0/0x2d0
[   47.369642]  panic+0x1e4/0x417
[   47.372799]  ? __warn+0x1d9/0x1d9
[   47.376222]  ? __internal_add_timer+0x275/0x2d0
[   47.380859]  kasan_end_report+0x50/0x50
[   47.384851]  kasan_report+0x137/0x340
[   47.388631]  __asan_report_store8_noabort+0x17/0x20
[   47.393613]  __internal_add_timer+0x275/0x2d0
[   47.398076]  ? calc_wheel_index+0x200/0x200
[   47.402366]  mod_timer+0x622/0x15b0
[   47.405961]  ? mod_timer_pending+0x14e0/0x14e0
[   47.410509]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   47.415491]  ? trace_hardirqs_on+0xd/0x10
[   47.419607]  ? _crng_backtrack_protect+0xd9/0x130
[   47.424414]  ? __lock_is_held+0xbc/0x140
[   47.428443]  ? __lockdep_init_map+0xe4/0x650
[   47.432817]  ? lockdep_init_map+0x3d/0x70
[   47.436930]  ? rcu_read_lock_sched_held+0x108/0x120
[   47.441914]  ? init_timer_key+0x126/0x3b0
[   47.446028]  ? try_to_del_timer_sync+0x120/0x120
[   47.450752]  ? round_jiffies_up+0xce/0x100
[   47.454951]  ? __round_jiffies_up_relative+0x150/0x150
[   47.460196]  ? debug_lockdep_rcu_enabled+0x77/0x90
[   47.465100]  __tun_chr_ioctl+0x1b23/0x3d20
[   47.469304]  ? tun_chr_read_iter+0x1e0/0x1e0
[   47.473694]  ? lock_downgrade+0x990/0x990
[   47.477822]  ? check_same_owner+0x320/0x320
[   47.482108]  ? __handle_mm_fault+0x39c0/0x39c0
[   47.486656]  ? vmacache_find+0x61/0x270
[   47.490607]  ? tun_chr_compat_ioctl+0x30/0x30
[   47.495066]  tun_chr_ioctl+0x2a/0x40
[   47.498753]  ? tun_chr_ioctl+0x2a/0x40
[   47.502620]  do_vfs_ioctl+0x1b1/0x1530
[   47.506475]  ? ioctl_preallocate+0x2b0/0x2b0
[   47.510851]  ? selinux_capable+0x40/0x40
[   47.514876]  ? putname+0xf3/0x130
[   47.518296]  ? do_sys_open+0x320/0x6d0
[   47.522155]  ? security_file_ioctl+0x7d/0xb0
[   47.526528]  ? security_file_ioctl+0x89/0xb0
[   47.530903]  SyS_ioctl+0x8f/0xc0
[   47.534240]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   47.538981] RIP: 0033:0x443db9
[   47.542135] RSP: 002b:00007ffe4236e988 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
[   47.549810] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000443db9
[   47.557047] RDX: 0000000020f14fd8 RSI: 00000000400454ca RDI: 0000000000000004
[   47.564282] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[   47.571516] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000401aa0
[   47.578752] R13: 0000000000401b30 R14: 0000000000000000 R15: 0000000000000000