INIT: Entering runlevel: 2
[[36minfo[39;49m] Using makefile-style concurrent boot in runlevel 2.
[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-next-kasan-gce-0,10.128.15.232' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [   31.284358] ==================================================================
[   31.285623] BUG: KASAN: use-after-free in __internal_add_timer+0x275/0x2d0
[   31.286641] Write of size 8 at addr ffff8801ce373688 by task syzkaller664738/2980
[   31.287722] 
[   31.287962] CPU: 0 PID: 2980 Comm: syzkaller664738 Not tainted 4.14.0-rc2-next-20170928+ #31
[   31.289182] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.290460] Call Trace:
[   31.290820]  dump_stack+0x194/0x257
[   31.291354]  ? arch_local_irq_restore+0x53/0x53
[   31.291982]  ? show_regs_print_info+0x65/0x65
[   31.292615]  ? __kernel_text_address+0xd/0x40
[   31.293242]  ? __internal_add_timer+0x275/0x2d0
[   31.293870]  print_address_description+0x73/0x250
[   31.294521]  ? __internal_add_timer+0x275/0x2d0
[   31.295243]  kasan_report+0x25b/0x340
[   31.295769]  __asan_report_store8_noabort+0x17/0x20
[   31.296440]  __internal_add_timer+0x275/0x2d0
[   31.297048]  ? calc_wheel_index+0x200/0x200
[   31.297640]  mod_timer+0x622/0x15b0
[   31.298142]  ? mod_timer_pending+0x14e0/0x14e0
[   31.298814]  ? __lock_is_held+0xbc/0x140
[   31.299378]  ? __lock_is_held+0xbc/0x140
[   31.299930]  ? __lockdep_init_map+0xe4/0x650
[   31.300537]  ? lockdep_init_map+0x3d/0x70
[   31.301097]  ? rcu_read_lock_sched_held+0x108/0x120
[   31.301835]  ? init_timer_key+0x126/0x3b0
[   31.302396]  ? try_to_del_timer_sync+0x120/0x120
[   31.303038]  ? round_jiffies_up+0xce/0x100
[   31.303610]  ? __round_jiffies_up_relative+0x150/0x150
[   31.304313]  ? debug_lockdep_rcu_enabled+0x77/0x90
[   31.308196]  ? selinux_tun_dev_alloc_security+0x124/0x170
[   31.313716]  __tun_chr_ioctl+0x1beb/0x3e40
[   31.317934]  ? tun_chr_read_iter+0x1e0/0x1e0
[   31.322311]  ? lock_downgrade+0x990/0x990
[   31.326454]  ? handle_mm_fault+0x410/0x8d0
[   31.330659]  ? __do_page_fault+0x31e/0xd60
[   31.334878]  ? trace_event_raw_event_sched_switch+0x770/0x770
[   31.340731]  ? up_read+0x1a/0x40
[   31.344076]  ? tun_chr_compat_ioctl+0x30/0x30
[   31.348544]  tun_chr_ioctl+0x2a/0x40
[   31.352230]  ? tun_chr_ioctl+0x2a/0x40
[   31.356092]  do_vfs_ioctl+0x1b1/0x1530
[   31.359949]  ? _cond_resched+0x14/0x30
[   31.363811]  ? ioctl_preallocate+0x2b0/0x2b0
[   31.368201]  ? selinux_capable+0x40/0x40
[   31.372325]  ? putname+0xf3/0x130
[   31.375753]  ? do_sys_open+0x320/0x6d0
[   31.379623]  ? security_file_ioctl+0x89/0xb0
[   31.384027]  SyS_ioctl+0x8f/0xc0
[   31.387372]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   31.392113] RIP: 0033:0x443d99
[   31.395273] RSP: 002b:00007ffe2b21d618 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
[   31.402955] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000443d99
[   31.410197] RDX: 0000000020284fd8 RSI: 00000000400454ca RDI: 0000000000000004
[   31.417447] RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
[   31.424690] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000401a80
[   31.431931] R13: 0000000000401b10 R14: 0000000000000000 R15: 0000000000000000
[   31.439189] 
[   31.440789] Allocated by task 2980:
[   31.444397]  save_stack_trace+0x16/0x20
[   31.448342]  save_stack+0x43/0xd0
[   31.451764]  kasan_kmalloc+0xad/0xe0
[   31.455448]  __kmalloc_node+0x47/0x70
[   31.459217]  kvmalloc_node+0x64/0xd0
[   31.462900]  alloc_netdev_mqs+0x16d/0xed0
[   31.467015]  __tun_chr_ioctl+0x1386/0x3e40
[   31.471223]  tun_chr_ioctl+0x2a/0x40
[   31.474904]  do_vfs_ioctl+0x1b1/0x1530
[   31.478758]  SyS_ioctl+0x8f/0xc0
[   31.482094]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   31.486817] 
[   31.488412] Freed by task 2980:
[   31.491660]  save_stack_trace+0x16/0x20
[   31.495602]  save_stack+0x43/0xd0
[   31.499026]  kasan_slab_free+0x71/0xc0
[   31.502880]  kfree+0xca/0x250
[   31.505955]  kvfree+0x36/0x60
[   31.509037]  free_netdev+0x2cf/0x360
[   31.512720]  __tun_chr_ioctl+0x2df6/0x3e40
[   31.516932]  tun_chr_ioctl+0x2a/0x40
[   31.520614]  do_vfs_ioctl+0x1b1/0x1530
[   31.524467]  SyS_ioctl+0x8f/0xc0
[   31.527803]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   31.532524] 
[   31.534122] The buggy address belongs to the object at ffff8801ce370280
[   31.534122]  which belongs to the cache kmalloc-16384 of size 16384
[   31.547093] The buggy address is located 13320 bytes inside of
[   31.547093]  16384-byte region [ffff8801ce370280, ffff8801ce374280)
[   31.559281] The buggy address belongs to the page:
[   31.564262] page:ffffea000738dc00 count:1 mapcount:0 mapping:ffff8801ce370280 index:0x0 compound_mapcount: 0
[   31.574214] flags: 0x200000000008100(slab|head)
[   31.578860] raw: 0200000000008100 ffff8801ce370280 0000000000000000 0000000100000001
[   31.586711] raw: ffffea0006fe2220 ffffea0007389c20 ffff8801dac02200 0000000000000000
[   31.594558] page dumped because: kasan: bad access detected
[   31.600233] 
[   31.601831] Memory state around the buggy address:
[   31.606727]  ffff8801ce373580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.614059]  ffff8801ce373600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.621389] >ffff8801ce373680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.628716]                       ^
[   31.632312]  ffff8801ce373700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.639639]  ffff8801ce373780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.646980] ==================================================================
[   31.654308] Disabling lock debugging due to kernel taint
[   31.659722] Kernel panic - not syncing: panic_on_warn set ...
[   31.659722] 
[   31.667046] CPU: 0 PID: 2980 Comm: syzkaller664738 Tainted: G    B           4.14.0-rc2-next-20170928+ #31
[   31.676797] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.686114] Call Trace:
[   31.688669]  dump_stack+0x194/0x257
[   31.692264]  ? arch_local_irq_restore+0x53/0x53
[   31.696899]  ? vprintk_default+0x28/0x30
[   31.700924]  ? __internal_add_timer+0x1e0/0x2d0
[   31.705556]  panic+0x1e4/0x417
[   31.708715]  ? __warn+0x1d9/0x1d9
[   31.712139]  ? __internal_add_timer+0x275/0x2d0
[   31.716771]  kasan_end_report+0x50/0x50
[   31.720717]  kasan_report+0x144/0x340
[   31.724490]  __asan_report_store8_noabort+0x17/0x20
[   31.729472]  __internal_add_timer+0x275/0x2d0
[   31.733940]  ? calc_wheel_index+0x200/0x200
[   31.738233]  mod_timer+0x622/0x15b0
[   31.741828]  ? mod_timer_pending+0x14e0/0x14e0
[   31.746376]  ? __lock_is_held+0xbc/0x140
[   31.750414]  ? __lock_is_held+0xbc/0x140
[   31.754439]  ? __lockdep_init_map+0xe4/0x650
[   31.758812]  ? lockdep_init_map+0x3d/0x70
[   31.762924]  ? rcu_read_lock_sched_held+0x108/0x120
[   31.767902]  ? init_timer_key+0x126/0x3b0
[   31.772014]  ? try_to_del_timer_sync+0x120/0x120
[   31.776737]  ? round_jiffies_up+0xce/0x100
[   31.780933]  ? __round_jiffies_up_relative+0x150/0x150
[   31.786174]  ? debug_lockdep_rcu_enabled+0x77/0x90
[   31.791065]  ? selinux_tun_dev_alloc_security+0x124/0x170
[   31.796569]  __tun_chr_ioctl+0x1beb/0x3e40
[   31.800789]  ? tun_chr_read_iter+0x1e0/0x1e0
[   31.805161]  ? lock_downgrade+0x990/0x990
[   31.809286]  ? handle_mm_fault+0x410/0x8d0
[   31.813484]  ? __do_page_fault+0x31e/0xd60
[   31.817689]  ? trace_event_raw_event_sched_switch+0x770/0x770
[   31.823537]  ? up_read+0x1a/0x40
[   31.826875]  ? tun_chr_compat_ioctl+0x30/0x30
[   31.831334]  tun_chr_ioctl+0x2a/0x40
[   31.835097]  ? tun_chr_ioctl+0x2a/0x40
[   31.839039]  do_vfs_ioctl+0x1b1/0x1530
[   31.842890]  ? _cond_resched+0x14/0x30
[   31.846745]  ? ioctl_preallocate+0x2b0/0x2b0
[   31.851125]  ? selinux_capable+0x40/0x40
[   31.855153]  ? putname+0xf3/0x130
[   31.858573]  ? do_sys_open+0x320/0x6d0
[   31.862439]  ? security_file_ioctl+0x89/0xb0
[   31.866815]  SyS_ioctl+0x8f/0xc0
[   31.870150]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   31.874870] RIP: 0033:0x443d99
[   31.878040] RSP: 002b:00007ffe2b21d618 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
[   31.885711] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000443d99
[   31.892944] RDX: 0000000020284fd8 RSI: 00000000400454ca RDI: 0000000000000004
[   31.900179] RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
[   31.907412] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000401a80
[   31.914643] R13: 0000000000401b10 R14: 0000000000000000 R15: 0000000000000000
[   31.921918] Dumping ftrace buffer:
[   31.925418]    (ftrace buffer empty)
[   31.929092] Kernel Offset: disabled
[   31.932683] Rebooting in 86400 seconds..