INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-next-kasan-gce-5,10.128.0.42' (ECDSA) to the list of known hosts.
executing program
executing program

syzkaller login: [   43.209367] ==================================================================
[   43.210560] BUG: KASAN: use-after-free in __internal_add_timer+0x275/0x2d0
[   43.211502] Write of size 8 at addr ffff8801cf13b708 by task syzkaller546999/2984
[   43.212514]
[   43.212751] CPU: 1 PID: 2984 Comm: syzkaller546999 Not tainted 4.13.0-rc7-next-20170831+ #12
[   43.213891] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   43.215163] Call Trace:
[   43.215552]  dump_stack+0x194/0x257
[   43.216056]  ? arch_local_irq_restore+0x53/0x53
[   43.216683]  ? show_regs_print_info+0x65/0x65
[   43.217325]  ? __kernel_text_address+0xae/0xe0
[   43.217978]  ? __internal_add_timer+0x275/0x2d0
[   43.218625]  print_address_description+0x73/0x250
[   43.219275]  ? __internal_add_timer+0x275/0x2d0
[   43.219905]  kasan_report+0x24e/0x340
[   43.220425]  __asan_report_store8_noabort+0x17/0x20
[   43.221095]  __internal_add_timer+0x275/0x2d0
[   43.221701]  ? calc_wheel_index+0x200/0x200
[   43.222293]  mod_timer+0x622/0x15b0
[   43.222818]  ? mod_timer_pending+0x14e0/0x14e0
[   43.223453]  ? __lock_is_held+0xbc/0x140
[   43.224017]  ? __lock_is_held+0xbc/0x140
[   43.224587]  ? __lockdep_init_map+0xe4/0x650
[   43.225184]  ? lockdep_init_map+0x3d/0x70
[   43.225755]  ? rcu_read_lock_sched_held+0x108/0x120
[   43.226427]  ? init_timer_key+0x126/0x3b0
[   43.226994]  ? try_to_del_timer_sync+0x120/0x120
[   43.227649]  ? round_jiffies_up+0xce/0x100
[   43.228221]  ? __round_jiffies_up_relative+0x150/0x150
[   43.229015]  ? debug_lockdep_rcu_enabled+0x77/0x90
[   43.230456]  ? selinux_tun_dev_alloc_security+0x124/0x170
[   43.235981]  __tun_chr_ioctl+0x1b23/0x3d20
[   43.240201]  ? tun_chr_read_iter+0x1e0/0x1e0
[   43.244592]  ? lock_downgrade+0x990/0x990
[   43.248736]  ? check_same_owner+0x320/0x320
[   43.253030]  ? __handle_mm_fault+0x39c0/0x39c0
[   43.257594]  ? tun_chr_compat_ioctl+0x30/0x30
[   43.262068]  tun_chr_ioctl+0x2a/0x40
[   43.265752]  ? tun_chr_ioctl+0x2a/0x40
[   43.269613]  do_vfs_ioctl+0x1b1/0x1530
[   43.273472]  ? _cond_resched+0x14/0x30
[   43.277337]  ? ioctl_preallocate+0x2b0/0x2b0
[   43.281720]  ? selinux_capable+0x40/0x40
[   43.285754]  ? putname+0xf3/0x130
[   43.289183]  ? do_sys_open+0x320/0x6d0
[   43.293054]  ? security_file_ioctl+0x7d/0xb0
[   43.297432]  ? security_file_ioctl+0x89/0xb0
[   43.301815]  SyS_ioctl+0x8f/0xc0
[   43.305159]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   43.309888] RIP: 0033:0x443d99
[   43.313052] RSP: 002b:00007ffdbfb76328 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
[   43.320735] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000443d99
[   43.327976] RDX: 000000002068d000 RSI: 00000000400454ca RDI: 0000000000000004
[   43.335217] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[   43.342459] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000401a80
[   43.349703] R13: 0000000000401b10 R14: 0000000000000000 R15: 0000000000000000
[   43.356963]
[   43.358560] Allocated by task 2984:
[   43.362160]  save_stack_trace+0x16/0x20
[   43.366108]  save_stack+0x43/0xd0
[   43.369534]  kasan_kmalloc+0xad/0xe0
[   43.373217]  __kmalloc_node+0x47/0x70
[   43.376986]  kvmalloc_node+0x64/0xd0
[   43.380681]  alloc_netdev_mqs+0x16e/0xed0
[   43.384798]  __tun_chr_ioctl+0x12be/0x3d20
[   43.389001]  tun_chr_ioctl+0x2a/0x40
[   43.392685]  do_vfs_ioctl+0x1b1/0x1530
[   43.396542]  SyS_ioctl+0x8f/0xc0
[   43.399879]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   43.404602]
[   43.406198] Freed by task 2984:
[   43.409449]  save_stack_trace+0x16/0x20
[   43.413393]  save_stack+0x43/0xd0
[   43.416902]  kasan_slab_free+0x71/0xc0
[   43.420764]  kfree+0xca/0x250
[   43.423838]  kvfree+0x36/0x60
[   43.426913]  free_netdev+0x2cf/0x360
[   43.430600]  __tun_chr_ioctl+0x2cf6/0x3d20
[   43.434814]  tun_chr_ioctl+0x2a/0x40
[   43.438496]  do_vfs_ioctl+0x1b1/0x1530
[   43.442353]  SyS_ioctl+0x8f/0xc0
[   43.445689]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   43.450414]
[   43.452015] The buggy address belongs to the object at ffff8801cf138300
[   43.452015]  which belongs to the cache kmalloc-16384 of size 16384
[   43.464996] The buggy address is located 13320 bytes inside of
[   43.464996]  16384-byte region [ffff8801cf138300, ffff8801cf13c300)
[   43.477188] The buggy address belongs to the page:
[   43.482088] page:ffffea00073c4e00 count:1 mapcount:0 mapping:ffff8801cf138300 index:0x0 compound_mapcount: 0
[   43.492207] flags: 0x200000000008100(slab|head)
[   43.496848] raw: 0200000000008100 ffff8801cf138300 0000000000000000 0000000100000001
[   43.504701] raw: ffffea0007554420 ffffea00073af020 ffff8801dac02200 0000000000000000
[   43.512548] page dumped because: kasan: bad access detected
[   43.518225]
[   43.519823] Memory state around the buggy address:
[   43.524721]  ffff8801cf13b600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.532053]  ffff8801cf13b680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.539383] >ffff8801cf13b700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.546710]                                            ^
[   43.550305]  ffff8801cf13b780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.557648]  ffff8801cf13b800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.564977] ==================================================================
[   43.572307] Disabling lock debugging due to kernel taint
[   43.577720] Kernel panic - not syncing: panic_on_warn set ...
[   43.577720]
[   43.585047] CPU: 1 PID: 2984 Comm: syzkaller546999 Tainted: G B 4.13.0-rc7-next-20170831+ #12
[   43.594801] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   43.604136] Call Trace:
[   43.606692]  dump_stack+0x194/0x257
[   43.610289]  ? arch_local_irq_restore+0x53/0x53
[   43.614925]  ? vprintk_default+0x28/0x30
[   43.618955]  ? __internal_add_timer+0x1b0/0x2d0
[   43.623604]  panic+0x1e4/0x417
[   43.626764]  ? __warn+0x1d9/0x1d9
[   43.630191]  ? __internal_add_timer+0x275/0x2d0
[   43.634828]  kasan_end_report+0x50/0x50
[   43.638765]  kasan_report+0x137/0x340
[   43.642535]  __asan_report_store8_noabort+0x17/0x20
[   43.647516]  __internal_add_timer+0x275/0x2d0
[   43.651978]  ? calc_wheel_index+0x200/0x200
[   43.656273]  mod_timer+0x622/0x15b0
[   43.659871]  ? mod_timer_pending+0x14e0/0x14e0
[   43.664419]  ? __lock_is_held+0xbc/0x140
[   43.668455]  ? __lock_is_held+0xbc/0x140
[   43.672483]  ? __lockdep_init_map+0xe4/0x650
[   43.676856]  ? lockdep_init_map+0x3d/0x70
[   43.680969]  ? rcu_read_lock_sched_held+0x108/0x120
[   43.685950]  ? init_timer_key+0x126/0x3b0
[   43.690066]  ? try_to_del_timer_sync+0x120/0x120
[   43.694789]  ? round_jiffies_up+0xce/0x100
[   43.698992]  ? __round_jiffies_up_relative+0x150/0x150
[   43.704243]  ? debug_lockdep_rcu_enabled+0x77/0x90
[   43.709141]  ? selinux_tun_dev_alloc_security+0x124/0x170
[   43.714648]  __tun_chr_ioctl+0x1b23/0x3d20
[   43.718851]  ? tun_chr_read_iter+0x1e0/0x1e0
[   43.723240]  ? lock_downgrade+0x990/0x990
[   43.727367]  ? check_same_owner+0x320/0x320
[   43.731655]  ? __handle_mm_fault+0x39c0/0x39c0
[   43.736204]  ? tun_chr_compat_ioctl+0x30/0x30
[   43.740663]  tun_chr_ioctl+0x2a/0x40
[   43.744340]  ? tun_chr_ioctl+0x2a/0x40
[   43.748204]  do_vfs_ioctl+0x1b1/0x1530
[   43.752058]  ? _cond_resched+0x14/0x30
[   43.755915]  ? ioctl_preallocate+0x2b0/0x2b0
[   43.760290]  ? selinux_capable+0x40/0x40
[   43.764315]  ? putname+0xf3/0x130
[   43.767735]  ? do_sys_open+0x320/0x6d0
[   43.771592]  ? security_file_ioctl+0x7d/0xb0
[   43.775963]  ? security_file_ioctl+0x89/0xb0
[   43.780339]  SyS_ioctl+0x8f/0xc0
[   43.783676]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   43.788406] RIP: 0033:0x443d99
[   43.791560] RSP: 002b:00007ffdbfb76328 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
[   43.799232] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000443d99
[   43.806468] RDX: 000000002068d000 RSI: 00000000400454ca RDI: 0000000000000004
[   43.813704] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[   43.820939] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000401a80
[   43.828174] R13: 0000000000401b10 R14: 0000000000000000 R15: 0000000000000000
[   43.835451] Dumping ftrace buffer:
[   43.838960]    (ftrace buffer empty)
[   43.842637] Kernel Offset: disabled
[   43.846231] Rebooting in 86400 seconds..