INIT: Entering runlevel: 2

[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-next-kasan-gce-0,10.128.15.232' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [   31.284358] ==================================================================
[   31.285623] BUG: KASAN: use-after-free in __internal_add_timer+0x275/0x2d0
[   31.286641] Write of size 8 at addr ffff8801ce373688 by task syzkaller664738/2980
[   31.287722] 
[   31.287962] CPU: 0 PID: 2980 Comm: syzkaller664738 Not tainted 4.14.0-rc2-next-20170928+ #31
[   31.289182] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.290460] Call Trace:
[   31.290820]  dump_stack+0x194/0x257
[   31.291354]  ? arch_local_irq_restore+0x53/0x53
[   31.291982]  ? show_regs_print_info+0x65/0x65
[   31.292615]  ? __kernel_text_address+0xd/0x40
[   31.293242]  ? __internal_add_timer+0x275/0x2d0
[   31.293870]  print_address_description+0x73/0x250
[   31.294521]  ? __internal_add_timer+0x275/0x2d0
[   31.295243]  kasan_report+0x25b/0x340
[   31.295769]  __asan_report_store8_noabort+0x17/0x20
[   31.296440]  __internal_add_timer+0x275/0x2d0
[   31.297048]  ? calc_wheel_index+0x200/0x200
[   31.297640]  mod_timer+0x622/0x15b0
[   31.298142]  ? mod_timer_pending+0x14e0/0x14e0
[   31.298814]  ? __lock_is_held+0xbc/0x140
[   31.299378]  ? __lock_is_held+0xbc/0x140
[   31.299930]  ? __lockdep_init_map+0xe4/0x650
[   31.300537]  ? lockdep_init_map+0x3d/0x70
[   31.301097]  ? rcu_read_lock_sched_held+0x108/0x120
[   31.301835]  ? init_timer_key+0x126/0x3b0
[   31.302396]  ? try_to_del_timer_sync+0x120/0x120
[   31.303038]  ? round_jiffies_up+0xce/0x100
[   31.303610]  ? __round_jiffies_up_relative+0x150/0x150
[   31.304313]  ? debug_lockdep_rcu_enabled+0x77/0x90
[   31.308196]  ? selinux_tun_dev_alloc_security+0x124/0x170
[   31.313716]  __tun_chr_ioctl+0x1beb/0x3e40
[   31.317934]  ? tun_chr_read_iter+0x1e0/0x1e0
[   31.322311]  ? lock_downgrade+0x990/0x990
[   31.326454]  ? handle_mm_fault+0x410/0x8d0
[   31.330659]  ? __do_page_fault+0x31e/0xd60
[   31.334878]  ? trace_event_raw_event_sched_switch+0x770/0x770
[   31.340731]  ? up_read+0x1a/0x40
[   31.344076]  ? tun_chr_compat_ioctl+0x30/0x30
[   31.348544]  tun_chr_ioctl+0x2a/0x40
[   31.352230]  ? tun_chr_ioctl+0x2a/0x40
[   31.356092]  do_vfs_ioctl+0x1b1/0x1530
[   31.359949]  ? _cond_resched+0x14/0x30
[   31.363811]  ? ioctl_preallocate+0x2b0/0x2b0
[   31.368201]  ? selinux_capable+0x40/0x40
[   31.372325]  ? putname+0xf3/0x130
[   31.375753]  ? do_sys_open+0x320/0x6d0
[   31.379623]  ? security_file_ioctl+0x89/0xb0
[   31.384027]  SyS_ioctl+0x8f/0xc0
[   31.387372]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   31.392113] RIP: 0033:0x443d99
[   31.395273] RSP: 002b:00007ffe2b21d618 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
[   31.402955] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000443d99
[   31.410197] RDX: 0000000020284fd8 RSI: 00000000400454ca RDI: 0000000000000004
[   31.417447] RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
[   31.424690] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000401a80
[   31.431931] R13: 0000000000401b10 R14: 0000000000000000 R15: 0000000000000000
[   31.439189] 
[   31.440789] Allocated by task 2980:
[   31.444397]  save_stack_trace+0x16/0x20
[   31.448342]  save_stack+0x43/0xd0
[   31.451764]  kasan_kmalloc+0xad/0xe0
[   31.455448]  __kmalloc_node+0x47/0x70
[   31.459217]  kvmalloc_node+0x64/0xd0
[   31.462900]  alloc_netdev_mqs+0x16d/0xed0
[   31.467015]  __tun_chr_ioctl+0x1386/0x3e40
[   31.471223]  tun_chr_ioctl+0x2a/0x40
[   31.474904]  do_vfs_ioctl+0x1b1/0x1530
[   31.478758]  SyS_ioctl+0x8f/0xc0
[   31.482094]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   31.486817] 
[   31.488412] Freed by task 2980:
[   31.491660]  save_stack_trace+0x16/0x20
[   31.495602]  save_stack+0x43/0xd0
[   31.499026]  kasan_slab_free+0x71/0xc0
[   31.502880]  kfree+0xca/0x250
[   31.505955]  kvfree+0x36/0x60
[   31.509037]  free_netdev+0x2cf/0x360
[   31.512720]  __tun_chr_ioctl+0x2df6/0x3e40
[   31.516932]  tun_chr_ioctl+0x2a/0x40
[   31.520614]  do_vfs_ioctl+0x1b1/0x1530
[   31.524467]  SyS_ioctl+0x8f/0xc0
[   31.527803]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   31.532524] 
[   31.534122] The buggy address belongs to the object at ffff8801ce370280
[   31.534122]  which belongs to the cache kmalloc-16384 of size 16384
[   31.547093] The buggy address is located 13320 bytes inside of
[   31.547093]  16384-byte region [ffff8801ce370280, ffff8801ce374280)
[   31.559281] The buggy address belongs to the page:
[   31.564262] page:ffffea000738dc00 count:1 mapcount:0 mapping:ffff8801ce370280 index:0x0 compound_mapcount: 0
[   31.574214] flags: 0x200000000008100(slab|head)
[   31.578860] raw: 0200000000008100 ffff8801ce370280 0000000000000000 0000000100000001
[   31.586711] raw: ffffea0006fe2220 ffffea0007389c20 ffff8801dac02200 0000000000000000
[   31.594558] page dumped because: kasan: bad access detected
[   31.600233] 
[   31.601831] Memory state around the buggy address:
[   31.606727]  ffff8801ce373580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.614059]  ffff8801ce373600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.621389] >ffff8801ce373680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.628716]                       ^
[   31.632312]  ffff8801ce373700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.639639]  ffff8801ce373780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.646980] ==================================================================
[   31.654308] Disabling lock debugging due to kernel taint
[   31.659722] Kernel panic - not syncing: panic_on_warn set ...
[   31.659722] 
[   31.667046] CPU: 0 PID: 2980 Comm: syzkaller664738 Tainted: G    B           4.14.0-rc2-next-20170928+ #31
[   31.676797] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.686114] Call Trace:
[   31.688669]  dump_stack+0x194/0x257
[   31.692264]  ? arch_local_irq_restore+0x53/0x53
[   31.696899]  ? vprintk_default+0x28/0x30
[   31.700924]  ? __internal_add_timer+0x1e0/0x2d0
[   31.705556]  panic+0x1e4/0x417
[   31.708715]  ? __warn+0x1d9/0x1d9
[   31.712139]  ? __internal_add_timer+0x275/0x2d0
[   31.716771]  kasan_end_report+0x50/0x50
[   31.720717]  kasan_report+0x144/0x340
[   31.724490]  __asan_report_store8_noabort+0x17/0x20
[   31.729472]  __internal_add_timer+0x275/0x2d0
[   31.733940]  ? calc_wheel_index+0x200/0x200
[   31.738233]  mod_timer+0x622/0x15b0
[   31.741828]  ? mod_timer_pending+0x14e0/0x14e0
[   31.746376]  ? __lock_is_held+0xbc/0x140
[   31.750414]  ? __lock_is_held+0xbc/0x140
[   31.754439]  ? __lockdep_init_map+0xe4/0x650
[   31.758812]  ? lockdep_init_map+0x3d/0x70
[   31.762924]  ? rcu_read_lock_sched_held+0x108/0x120
[   31.767902]  ? init_timer_key+0x126/0x3b0
[   31.772014]  ? try_to_del_timer_sync+0x120/0x120
[   31.776737]  ? round_jiffies_up+0xce/0x100
[   31.780933]  ? __round_jiffies_up_relative+0x150/0x150
[   31.786174]  ? debug_lockdep_rcu_enabled+0x77/0x90
[   31.791065]  ? selinux_tun_dev_alloc_security+0x124/0x170
[   31.796569]  __tun_chr_ioctl+0x1beb/0x3e40
[   31.800789]  ? tun_chr_read_iter+0x1e0/0x1e0
[   31.805161]  ? lock_downgrade+0x990/0x990
[   31.809286]  ? handle_mm_fault+0x410/0x8d0
[   31.813484]  ? __do_page_fault+0x31e/0xd60
[   31.817689]  ? trace_event_raw_event_sched_switch+0x770/0x770
[   31.823537]  ? up_read+0x1a/0x40
[   31.826875]  ? tun_chr_compat_ioctl+0x30/0x30
[   31.831334]  tun_chr_ioctl+0x2a/0x40
[   31.835097]  ? tun_chr_ioctl+0x2a/0x40
[   31.839039]  do_vfs_ioctl+0x1b1/0x1530
[   31.842890]  ? _cond_resched+0x14/0x30
[   31.846745]  ? ioctl_preallocate+0x2b0/0x2b0
[   31.851125]  ? selinux_capable+0x40/0x40
[   31.855153]  ? putname+0xf3/0x130
[   31.858573]  ? do_sys_open+0x320/0x6d0
[   31.862439]  ? security_file_ioctl+0x89/0xb0
[   31.866815]  SyS_ioctl+0x8f/0xc0
[   31.870150]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   31.874870] RIP: 0033:0x443d99
[   31.878040] RSP: 002b:00007ffe2b21d618 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
[   31.885711] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000443d99
[   31.892944] RDX: 0000000020284fd8 RSI: 00000000400454ca RDI: 0000000000000004
[   31.900179] RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
[   31.907412] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000401a80
[   31.914643] R13: 0000000000401b10 R14: 0000000000000000 R15: 0000000000000000
[   31.921918] Dumping ftrace buffer:
[   31.925418]    (ftrace buffer empty)
[   31.929092] Kernel Offset: disabled
[   31.932683] Rebooting in 86400 seconds..