INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[....] Starting enhanced syslogd: rsyslogd [ ok ].
[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-kasan-gce-386-0,10.128.15.206' (ECDSA) to the list of known hosts.
executing program
executing program

syzkaller login: [ 41.474071] ==================================================================
[ 41.475192] BUG: KASAN: use-after-free in __internal_add_timer+0x275/0x2d0
[ 41.476120] Write of size 8 at addr ffff8801ce08b6c8 by task syzkaller805892/2982
[ 41.477121]
[ 41.477358] CPU: 1 PID: 2982 Comm: syzkaller805892 Not tainted 4.14.0-rc2+ #20
[ 41.478406] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.479648] Call Trace:
[ 41.480012]  dump_stack+0x194/0x257
[ 41.480508]  ? arch_local_irq_restore+0x53/0x53
[ 41.481136]  ? show_regs_print_info+0x65/0x65
[ 41.481765]  ? __internal_add_timer+0x275/0x2d0
[ 41.482412]  print_address_description+0x73/0x250
[ 41.483061]  ? __internal_add_timer+0x275/0x2d0
[ 41.483689]  kasan_report+0x25b/0x340
[ 41.484212]  __asan_report_store8_noabort+0x17/0x20
[ 41.484895]  __internal_add_timer+0x275/0x2d0
[ 41.485504]  ? calc_wheel_index+0x200/0x200
[ 41.486100]  mod_timer+0x622/0x15b0
[ 41.486603]  ? mod_timer_pending+0x14e0/0x14e0
[ 41.487220]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 41.487893]  ? trace_hardirqs_on+0xd/0x10
[ 41.488461]  ? _crng_backtrack_protect+0xd9/0x130
[ 41.489153]  ? __lock_is_held+0xbc/0x140
[ 41.489705]  ? __lockdep_init_map+0xe4/0x650
[ 41.490302]  ? lockdep_init_map+0x3d/0x70
[ 41.490866]  ? rcu_read_lock_sched_held+0x108/0x120
[ 41.491536]  ? init_timer_key+0x126/0x3b0
[ 41.492103]  ? try_to_del_timer_sync+0x120/0x120
[ 41.492744]  ? round_jiffies_up+0xce/0x100
[ 41.493320]  ? __round_jiffies_up_relative+0x150/0x150
[ 41.494024]  ? debug_lockdep_rcu_enabled+0x77/0x90
[ 41.494695]  __tun_chr_ioctl+0x1b23/0x3d20
[ 41.498913]  ? tun_chr_read_iter+0x1e0/0x1e0
[ 41.503310]  ? __might_sleep+0x95/0x190
[ 41.507266]  ? __fd_install+0x2f7/0x6a0
[ 41.511226]  ? selinux_file_ioctl+0x444/0x690
[ 41.515694]  ? __fget_light+0x29d/0x390
[ 41.519645]  ? selinux_capable+0x40/0x40
[ 41.523687]  ? putname+0xee/0x130
[ 41.527115]  ? putname+0xee/0x130
[ 41.530546]  ? rcu_read_lock_sched_held+0x108/0x120
[ 41.535543]  tun_chr_compat_ioctl+0x29/0x30
[ 41.539836]  ? tun_chr_compat_ioctl+0x29/0x30
[ 41.544305]  compat_SyS_ioctl+0x1d7/0x3290
[ 41.548515]  ? __tun_chr_ioctl+0x3d20/0x3d20
[ 41.552898]  ? do_ioctl+0x60/0x60
[ 41.556329]  ? do_fast_syscall_32+0x158/0xf05
[ 41.560803]  ? do_ioctl+0x60/0x60
[ 41.564232]  do_fast_syscall_32+0x3f2/0xf05
[ 41.568534]  ? do_int80_syscall_32+0x940/0x940
[ 41.573091]  ? kasan_check_read+0x11/0x20
[ 41.577213]  ? syscall_return_slowpath+0x510/0x510
[ 41.582115]  ? SyS_rt_sigaction+0x94/0x1b0
[ 41.586328]  ? sysret32_from_system_call+0x5/0x3b
[ 41.591161]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 41.595984]  entry_SYSENTER_compat+0x51/0x60
[ 41.600363] RIP: 0023:0xf7f0ac79
[ 41.603698] RSP: 002b:00000000ffc5a8fc EFLAGS: 00000282 ORIG_RAX: 0000000000000036
[ 41.611388] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000400454ca
[ 41.618639] RDX: 0000000020000fd8 RSI: 00000000080ef00c RDI: 000000000000003f
[ 41.625883] RBP: 0000000000001000 R08: 0000000000000000 R09: 0000000000000000
[ 41.633125] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 41.640368] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 41.647628]
[ 41.649232] Allocated by task 2982:
[ 41.652832]  save_stack_trace+0x16/0x20
[ 41.656776]  save_stack+0x43/0xd0
[ 41.660198]  kasan_kmalloc+0xad/0xe0
[ 41.663888]  __kmalloc_node+0x47/0x70
[ 41.667660]  kvmalloc_node+0x64/0xd0
[ 41.671348]  alloc_netdev_mqs+0x16e/0xed0
[ 41.675468]  __tun_chr_ioctl+0x12be/0x3d20
[ 41.679672]  tun_chr_compat_ioctl+0x29/0x30
[ 41.683964]  compat_SyS_ioctl+0x1d7/0x3290
[ 41.688171]  do_fast_syscall_32+0x3f2/0xf05
[ 41.692474]  entry_SYSENTER_compat+0x51/0x60
[ 41.696850]
[ 41.698449] Freed by task 2982:
[ 41.701701]  save_stack_trace+0x16/0x20
[ 41.705648]  save_stack+0x43/0xd0
[ 41.709070]  kasan_slab_free+0x71/0xc0
[ 41.712927]  kfree+0xca/0x250
[ 41.716003]  kvfree+0x36/0x60
[ 41.719079]  free_netdev+0x2cf/0x360
[ 41.722766]  __tun_chr_ioctl+0x2cf6/0x3d20
[ 41.726973]  tun_chr_compat_ioctl+0x29/0x30
[ 41.731266]  compat_SyS_ioctl+0x1d7/0x3290
[ 41.735480]  do_fast_syscall_32+0x3f2/0xf05
[ 41.739773]  entry_SYSENTER_compat+0x51/0x60
[ 41.744156]
[ 41.745759] The buggy address belongs to the object at ffff8801ce0882c0
[ 41.745759]  which belongs to the cache kmalloc-16384 of size 16384
[ 41.758733] The buggy address is located 13320 bytes inside of
[ 41.758733]  16384-byte region [ffff8801ce0882c0, ffff8801ce08c2c0)
[ 41.770925] The buggy address belongs to the page:
[ 41.775826] page:ffffea0007382200 count:1 mapcount:0 mapping:ffff8801ce0882c0 index:0x0 compound_mapcount: 0
[ 41.785772] flags: 0x200000000008100(slab|head)
[ 41.790424] raw: 0200000000008100 ffff8801ce0882c0 0000000000000000 0000000100000001
[ 41.798288] raw: ffffea0007554e20 ffffea000739a620 ffff8801dac02200 0000000000000000
[ 41.806138] page dumped because: kasan: bad access detected
[ 41.811825]
[ 41.813422] Memory state around the buggy address:
[ 41.818330]  ffff8801ce08b580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.825660]  ffff8801ce08b600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.832998] >ffff8801ce08b680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.840327]                                            ^
[ 41.846008]  ffff8801ce08b700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.853359]  ffff8801ce08b780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.860691] ==================================================================
[ 41.868019] Disabling lock debugging due to kernel taint
[ 41.873440] Kernel panic - not syncing: panic_on_warn set ...
[ 41.873440]
[ 41.880776] CPU: 1 PID: 2982 Comm: syzkaller805892 Tainted: G B 4.14.0-rc2+ #20
[ 41.889320] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.898639] Call Trace:
[ 41.901200]  dump_stack+0x194/0x257
[ 41.904805]  ? arch_local_irq_restore+0x53/0x53
[ 41.909443]  ? vprintk_default+0x28/0x30
[ 41.913473]  ? __internal_add_timer+0x180/0x2d0
[ 41.918107]  panic+0x1e4/0x417
[ 41.921265]  ? __warn+0x1d9/0x1d9
[ 41.924692]  ? __internal_add_timer+0x275/0x2d0
[ 41.929333]  kasan_end_report+0x50/0x50
[ 41.933272]  kasan_report+0x144/0x340
[ 41.937051]  __asan_report_store8_noabort+0x17/0x20
[ 41.942031]  __internal_add_timer+0x275/0x2d0
[ 41.946496]  ? calc_wheel_index+0x200/0x200
[ 41.950791]  mod_timer+0x622/0x15b0
[ 41.954389]  ? mod_timer_pending+0x14e0/0x14e0
[ 41.958945]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 41.963926]  ? trace_hardirqs_on+0xd/0x10
[ 41.968042]  ? _crng_backtrack_protect+0xd9/0x130
[ 41.972854]  ? __lock_is_held+0xbc/0x140
[ 41.976882]  ? __lockdep_init_map+0xe4/0x650
[ 41.981256]  ? lockdep_init_map+0x3d/0x70
[ 41.985371]  ? rcu_read_lock_sched_held+0x108/0x120
[ 41.990360]  ? init_timer_key+0x126/0x3b0
[ 41.994475]  ? try_to_del_timer_sync+0x120/0x120
[ 41.999202]  ? round_jiffies_up+0xce/0x100
[ 42.003401]  ? __round_jiffies_up_relative+0x150/0x150
[ 42.008644]  ? debug_lockdep_rcu_enabled+0x77/0x90
[ 42.013541]  __tun_chr_ioctl+0x1b23/0x3d20
[ 42.017746]  ? tun_chr_read_iter+0x1e0/0x1e0
[ 42.022586]  ? __might_sleep+0x95/0x190
[ 42.026535]  ? __fd_install+0x2f7/0x6a0
[ 42.030479]  ? selinux_file_ioctl+0x444/0x690
[ 42.034938]  ? __fget_light+0x29d/0x390
[ 42.038887]  ? selinux_capable+0x40/0x40
[ 42.042923]  ? putname+0xee/0x130
[ 42.046346]  ? putname+0xee/0x130
[ 42.049768]  ? rcu_read_lock_sched_held+0x108/0x120
[ 42.054767]  tun_chr_compat_ioctl+0x29/0x30
[ 42.059061]  ? tun_chr_compat_ioctl+0x29/0x30
[ 42.063531]  compat_SyS_ioctl+0x1d7/0x3290
[ 42.067737]  ? __tun_chr_ioctl+0x3d20/0x3d20
[ 42.072111]  ? do_ioctl+0x60/0x60
[ 42.075537]  ? do_fast_syscall_32+0x158/0xf05
[ 42.080004]  ? do_ioctl+0x60/0x60
[ 42.083425]  do_fast_syscall_32+0x3f2/0xf05
[ 42.087716]  ? do_int80_syscall_32+0x940/0x940
[ 42.092266]  ? kasan_check_read+0x11/0x20
[ 42.096380]  ? syscall_return_slowpath+0x510/0x510
[ 42.101275]  ? SyS_rt_sigaction+0x94/0x1b0
[ 42.105484]  ? sysret32_from_system_call+0x5/0x3b
[ 42.110295]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 42.115107]  entry_SYSENTER_compat+0x51/0x60
[ 42.119479] RIP: 0023:0xf7f0ac79
[ 42.122807] RSP: 002b:00000000ffc5a8fc EFLAGS: 00000282 ORIG_RAX: 0000000000000036
[ 42.130479] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000400454ca
[ 42.137716] RDX: 0000000020000fd8 RSI: 00000000080ef00c RDI: 000000000000003f
[ 42.144952] RBP: 0000000000001000 R08: 0000000000000000 R09: 0000000000000000
[ 42.152190] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 42.159431] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 42.167025] Dumping ftrace buffer:
[ 42.170531]    (ftrace buffer empty)
[ 42.174207] Kernel Offset: disabled
[ 42.177804] Rebooting in 86400 seconds..