INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-kasan-gce-386-2,10.128.0.28' (ECDSA) to the list of known hosts.
executing program
executing program

syzkaller login: [ 59.112319] ==================================================================
[ 59.113482] BUG: KASAN: use-after-free in __internal_add_timer+0x275/0x2d0
[ 59.114404] Write of size 8 at addr ffff8801d2103500 by task syzkaller082782/2977
[ 59.115420]
[ 59.115656] CPU: 1 PID: 2977 Comm: syzkaller082782 Not tainted 4.14.0-rc4+ #42
[ 59.116725] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 59.117943] Call Trace:
[ 59.118304]  dump_stack+0x194/0x257
[ 59.118812]  ? arch_local_irq_restore+0x53/0x53
[ 59.119441]  ? show_regs_print_info+0x65/0x65
[ 59.120058]  ? __kernel_text_address+0xd/0x40
[ 59.120665]  ? __internal_add_timer+0x275/0x2d0
[ 59.121290]  print_address_description+0x73/0x250
[ 59.121935]  ? __internal_add_timer+0x275/0x2d0
[ 59.122610]  kasan_report+0x25b/0x340
[ 59.123146]  __asan_report_store8_noabort+0x17/0x20
[ 59.123812]  __internal_add_timer+0x275/0x2d0
[ 59.124415]  ? calc_wheel_index+0x200/0x200
[ 59.125060]  mod_timer+0x622/0x15b0
[ 59.125557]  ? mod_timer_pending+0x14e0/0x14e0
[ 59.126181]  ? __lock_is_held+0xb6/0x140
[ 59.126742]  ? __lock_is_held+0xb6/0x140
[ 59.127292]  ? __lockdep_init_map+0xe4/0x650
[ 59.127885]  ? lockdep_init_map+0x9/0x10
[ 59.128429]  ? init_timer_key+0x126/0x3b0
[ 59.128987]  ? try_to_del_timer_sync+0x120/0x120
[ 59.129624]  ? round_jiffies_up+0xce/0x100
[ 59.130202]  ? __round_jiffies_up_relative+0x150/0x150
[ 59.130903]  ? debug_lockdep_rcu_enabled+0x77/0x90
[ 59.131564]  ? selinux_tun_dev_alloc_security+0x124/0x170
[ 59.132308]  __tun_chr_ioctl+0x1b17/0x3d20
[ 59.135407]  ? tun_chr_read_iter+0x1e0/0x1e0
[ 59.139787]  ? find_held_lock+0x35/0x1d0
[ 59.143823]  ? __might_sleep+0x95/0x190
[ 59.147763]  ? handle_mm_fault+0x248/0x8d0
[ 59.151974]  ? selinux_file_ioctl+0x444/0x690
[ 59.156436]  ? __fget_light+0x297/0x380
[ 59.160378]  ? selinux_capable+0x40/0x40
[ 59.164417]  ? handle_mm_fault+0x410/0x8d0
[ 59.168629]  tun_chr_compat_ioctl+0x29/0x30
[ 59.172920]  ? tun_chr_compat_ioctl+0x29/0x30
[ 59.177384]  compat_SyS_ioctl+0x1d7/0x3290
[ 59.181586]  ? up_read+0x1a/0x40
[ 59.184922]  ? __tun_chr_ioctl+0x3d20/0x3d20
[ 59.189300]  ? do_ioctl+0x60/0x60
[ 59.192725]  ? do_fast_syscall_32+0x158/0xf05
[ 59.197188]  ? do_ioctl+0x60/0x60
[ 59.200612]  do_fast_syscall_32+0x3f2/0xf05
[ 59.204909]  ? do_int80_syscall_32+0x940/0x940
[ 59.209460]  ? kasan_check_read+0x11/0x20
[ 59.213577]  ? syscall_return_slowpath+0x510/0x510
[ 59.218478]  ? SyS_rt_sigaction+0x94/0x1b0
[ 59.222682]  ? SyS_sigprocmask+0x4b0/0x4b0
[ 59.226885]  ? SyS_read+0x184/0x220
[ 59.230479]  ? retint_user+0x18/0x20
[ 59.234165]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 59.238982]  entry_SYSENTER_compat+0x51/0x60
[ 59.243357] RIP: 0023:0xf7fcbc79
[ 59.246689] RSP: 002b:00000000ff97f3bc EFLAGS: 00000282 ORIG_RAX: 0000000000000036
[ 59.254365] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000400454ca
[ 59.261604] RDX: 0000000020ca5fd8 RSI: 00000000080ef00c RDI: 000000000000003f
[ 59.268840] RBP: 0000000000001000 R08: 0000000000000000 R09: 0000000000000000
[ 59.276076] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 59.283311] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 59.290564]
[ 59.292157] Allocated by task 2977:
[ 59.295752]  save_stack_trace+0x16/0x20
[ 59.299694]  save_stack+0x43/0xd0
[ 59.303114]  kasan_kmalloc+0xad/0xe0
[ 59.306793]  __kmalloc_node+0x47/0x70
[ 59.310559]  kvmalloc_node+0x64/0xd0
[ 59.314240]  alloc_netdev_mqs+0x16e/0xed0
[ 59.318352]  __tun_chr_ioctl+0x12b2/0x3d20
[ 59.322551]  tun_chr_compat_ioctl+0x29/0x30
[ 59.326837]  compat_SyS_ioctl+0x1d7/0x3290
[ 59.331038]  do_fast_syscall_32+0x3f2/0xf05
[ 59.335325]  entry_SYSENTER_compat+0x51/0x60
[ 59.339696]
[ 59.341290] Freed by task 2977:
[ 59.344533]  save_stack_trace+0x16/0x20
[ 59.348472]  save_stack+0x43/0xd0
[ 59.351888]  kasan_slab_free+0x71/0xc0
[ 59.355740]  kfree+0xca/0x250
[ 59.358812]  kvfree+0x36/0x60
[ 59.361882]  free_netdev+0x2cf/0x360
[ 59.365561]  __tun_chr_ioctl+0x2cea/0x3d20
[ 59.369760]  tun_chr_compat_ioctl+0x29/0x30
[ 59.374047]  compat_SyS_ioctl+0x1d7/0x3290
[ 59.378247]  do_fast_syscall_32+0x3f2/0xf05
[ 59.382533]  entry_SYSENTER_compat+0x51/0x60
[ 59.386902]
[ 59.388497] The buggy address belongs to the object at ffff8801d21001c0
[ 59.388497]  which belongs to the cache kmalloc-16384 of size 16384
[ 59.401466] The buggy address is located 13120 bytes inside of
[ 59.401466]  16384-byte region [ffff8801d21001c0, ffff8801d21041c0)
[ 59.413659] The buggy address belongs to the page:
[ 59.418557] page:ffffea0007484000 count:1 mapcount:0 mapping:ffff8801d21001c0 index:0x0 compound_mapcount: 0
[ 59.428491] flags: 0x200000000008100(slab|head)
[ 59.433126] raw: 0200000000008100 ffff8801d21001c0 0000000000000000 0000000100000001
[ 59.440973] raw: ffffea000701ba20 ffffea0007477620 ffff8801dac02200 0000000000000000
[ 59.448817] page dumped because: kasan: bad access detected
[ 59.454490]
[ 59.456085] Memory state around the buggy address:
[ 59.460977]  ffff8801d2103400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.468298]  ffff8801d2103480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.475631] >ffff8801d2103500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.482956]                    ^
[ 59.486287]  ffff8801d2103580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.493609]  ffff8801d2103600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.500935] ==================================================================
[ 59.508268] Disabling lock debugging due to kernel taint
[ 59.513681] Kernel panic - not syncing: panic_on_warn set ...
[ 59.513681]
[ 59.521007] CPU: 1 PID: 2977 Comm: syzkaller082782 Tainted: G    B   4.14.0-rc4+ #42
[ 59.529543] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 59.538859] Call Trace:
[ 59.541414]  dump_stack+0x194/0x257
[ 59.545017]  ? arch_local_irq_restore+0x53/0x53
[ 59.549650]  ? kasan_end_report+0x32/0x50
[ 59.553765]  ? lock_downgrade+0x990/0x990
[ 59.557881]  ? __internal_add_timer+0x1c0/0x2d0
[ 59.562517]  panic+0x1e4/0x417
[ 59.565674]  ? __warn+0x1d9/0x1d9
[ 59.569098]  ? __internal_add_timer+0x275/0x2d0
[ 59.573731]  kasan_end_report+0x50/0x50
[ 59.577670]  kasan_report+0x144/0x340
[ 59.581437]  __asan_report_store8_noabort+0x17/0x20
[ 59.586416]  __internal_add_timer+0x275/0x2d0
[ 59.590877]  ? calc_wheel_index+0x200/0x200
[ 59.595168]  mod_timer+0x622/0x15b0
[ 59.598763]  ? mod_timer_pending+0x14e0/0x14e0
[ 59.603309]  ? __lock_is_held+0xb6/0x140
[ 59.607342]  ? __lock_is_held+0xb6/0x140
[ 59.611371]  ? __lockdep_init_map+0xe4/0x650
[ 59.615745]  ? lockdep_init_map+0x9/0x10
[ 59.619780]  ? init_timer_key+0x126/0x3b0
[ 59.623895]  ? try_to_del_timer_sync+0x120/0x120
[ 59.628619]  ? round_jiffies_up+0xce/0x100
[ 59.632817]  ? __round_jiffies_up_relative+0x150/0x150
[ 59.638058]  ? debug_lockdep_rcu_enabled+0x77/0x90
[ 59.642953]  ? selinux_tun_dev_alloc_security+0x124/0x170
[ 59.648458]  __tun_chr_ioctl+0x1b17/0x3d20
[ 59.652663]  ? tun_chr_read_iter+0x1e0/0x1e0
[ 59.657038]  ? find_held_lock+0x35/0x1d0
[ 59.661067]  ? __might_sleep+0x95/0x190
[ 59.665005]  ? handle_mm_fault+0x248/0x8d0
[ 59.669207]  ? selinux_file_ioctl+0x444/0x690
[ 59.673666]  ? __fget_light+0x297/0x380
[ 59.677607]  ? selinux_capable+0x40/0x40
[ 59.681639]  ? handle_mm_fault+0x410/0x8d0
[ 59.685843]  tun_chr_compat_ioctl+0x29/0x30
[ 59.690128]  ? tun_chr_compat_ioctl+0x29/0x30
[ 59.694590]  compat_SyS_ioctl+0x1d7/0x3290
[ 59.698790]  ? up_read+0x1a/0x40
[ 59.702120]  ? __tun_chr_ioctl+0x3d20/0x3d20
[ 59.706492]  ? do_ioctl+0x60/0x60
[ 59.709911]  ? do_fast_syscall_32+0x158/0xf05
[ 59.714372]  ? do_ioctl+0x60/0x60
[ 59.717791]  do_fast_syscall_32+0x3f2/0xf05
[ 59.722080]  ? do_int80_syscall_32+0x940/0x940
[ 59.726626]  ? kasan_check_read+0x11/0x20
[ 59.730739]  ? syscall_return_slowpath+0x510/0x510
[ 59.735635]  ? SyS_rt_sigaction+0x94/0x1b0
[ 59.739849]  ? SyS_sigprocmask+0x4b0/0x4b0
[ 59.744048]  ? SyS_read+0x184/0x220
[ 59.747643]  ? retint_user+0x18/0x20
[ 59.751324]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 59.756134]  entry_SYSENTER_compat+0x51/0x60
[ 59.760509] RIP: 0023:0xf7fcbc79
[ 59.763837] RSP: 002b:00000000ff97f3bc EFLAGS: 00000282 ORIG_RAX: 0000000000000036
[ 59.771509] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000400454ca
[ 59.778745] RDX: 0000000020ca5fd8 RSI: 00000000080ef00c RDI: 000000000000003f
[ 59.785980] RBP: 0000000000001000 R08: 0000000000000000 R09: 0000000000000000
[ 59.793215] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 59.800448] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000