INIT: Entering runlevel: 2

[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-mmots-kasan-gce-9,10.128.15.200' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [   56.319919] ==================================================================
[   56.321003] BUG: KASAN: use-after-free in __internal_add_timer+0x275/0x2d0
[   56.321939] Write of size 8 at addr ffff8801ce203688 by task syzkaller560142/2981
[   56.322941] 
[   56.323178] CPU: 0 PID: 2981 Comm: syzkaller560142 Not tainted 4.14.0-rc4-mm1+ #16
[   56.324202] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   56.325439] Call Trace:
[   56.325802]  dump_stack+0x194/0x257
[   56.326320]  ? arch_local_irq_restore+0x53/0x53
[   56.326961]  ? show_regs_print_info+0x65/0x65
[   56.327584]  ? __kernel_text_address+0xd/0x40
[   56.328188]  ? __internal_add_timer+0x275/0x2d0
[   56.328829]  print_address_description+0x73/0x250
[   56.329480]  ? __internal_add_timer+0x275/0x2d0
[   56.330109]  kasan_report+0x25b/0x340
[   56.330640]  __asan_report_store8_noabort+0x17/0x20
[   56.331313]  __internal_add_timer+0x275/0x2d0
[   56.331940]  ? calc_wheel_index+0x200/0x200
[   56.332535]  mod_timer+0x622/0x15b0
[   56.333037]  ? mod_timer_pending+0x14e0/0x14e0
[   56.333651]  ? __lock_is_held+0xbc/0x140
[   56.334216]  ? __lock_is_held+0xbc/0x140
[   56.334770]  ? __lockdep_init_map+0xe4/0x650
[   56.335366]  ? lockdep_init_map+0x3d/0x70
[   56.335973]  ? rcu_read_lock_sched_held+0x108/0x120
[   56.336643]  ? init_timer_key+0x126/0x3b0
[   56.337206]  ? try_to_del_timer_sync+0x120/0x120
[   56.337885]  ? round_jiffies_up+0xce/0x100
[   56.338455]  ? __round_jiffies_up_relative+0x150/0x150
[   56.339170]  ? debug_lockdep_rcu_enabled+0x77/0x90
[   56.339835]  ? selinux_tun_dev_alloc_security+0x124/0x170
[   56.342515]  __tun_chr_ioctl+0x1beb/0x3e40
[   56.346734]  ? tun_chr_read_iter+0x1e0/0x1e0
[   56.351112]  ? lock_downgrade+0x990/0x990
[   56.355257]  ? handle_mm_fault+0x410/0x8d0
[   56.359464]  ? __do_page_fault+0x31e/0xd60
[   56.363686]  ? check_same_owner+0x320/0x320
[   56.367980]  ? up_read+0x1a/0x40
[   56.371318]  ? __do_page_fault+0x3d6/0xd60
[   56.375528]  ? tun_chr_compat_ioctl+0x30/0x30
[   56.379993]  tun_chr_ioctl+0x2a/0x40
[   56.383677]  ? tun_chr_ioctl+0x2a/0x40
[   56.387540]  do_vfs_ioctl+0x1b1/0x1530
[   56.391408]  ? ioctl_preallocate+0x2b0/0x2b0
[   56.395795]  ? selinux_capable+0x40/0x40
[   56.399833]  ? putname+0xf3/0x130
[   56.403261]  ? do_sys_open+0x320/0x6d0
[   56.407131]  ? security_file_ioctl+0x89/0xb0
[   56.411517]  SyS_ioctl+0x8f/0xc0
[   56.414861]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   56.419676] RIP: 0033:0x443d79
[   56.422839] RSP: 002b:00007ffdea9a0888 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
[   56.430522] RAX: ffffffffffffffda RBX: dfa3630c4db2da1f RCX: 0000000000443d79
[   56.437764] RDX: 000000002002dfd8 RSI: 00000000400454ca RDI: 0000000000000004
[   56.445007] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[   56.452259] R10: 0000000000000000 R11: 0000000000000202 R12: 5478fff85c2fe97a
[   56.459528] R13: 74656e2f7665642f R14: 0000000000000000 R15: 0000000000000000
[   56.466793] 
[   56.468397] Allocated by task 2981:
[   56.471999]  save_stack+0x43/0xd0
[   56.475426]  kasan_kmalloc+0xad/0xe0
[   56.479111]  __kmalloc_node+0x47/0x70
[   56.482885]  kvmalloc_node+0x64/0xd0
[   56.486571]  alloc_netdev_mqs+0x16d/0xed0
[   56.490692]  __tun_chr_ioctl+0x1386/0x3e40
[   56.494897]  tun_chr_ioctl+0x2a/0x40
[   56.498587]  do_vfs_ioctl+0x1b1/0x1530
[   56.502450]  SyS_ioctl+0x8f/0xc0
[   56.505789]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   56.510514] 
[   56.512112] Freed by task 2981:
[   56.515364]  save_stack+0x43/0xd0
[   56.518789]  kasan_slab_free+0x71/0xc0
[   56.522647]  kfree+0xca/0x250
[   56.525724]  kvfree+0x36/0x60
[   56.528803]  free_netdev+0x2cf/0x360
[   56.532488]  __tun_chr_ioctl+0x2df6/0x3e40
[   56.536693]  tun_chr_ioctl+0x2a/0x40
[   56.540394]  do_vfs_ioctl+0x1b1/0x1530
[   56.544252]  SyS_ioctl+0x8f/0xc0
[   56.547594]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   56.552322] 
[   56.553924] The buggy address belongs to the object at ffff8801ce200280
[   56.553924]  which belongs to the cache kmalloc-16384 of size 16384
[   56.566899] The buggy address is located 13320 bytes inside of
[   56.566899]  16384-byte region [ffff8801ce200280, ffff8801ce204280)
[   56.579092] The buggy address belongs to the page:
[   56.583993] page:ffffea0007388000 count:1 mapcount:0 mapping:ffff8801ce200280 index:0x0 compound_mapcount: 0
[   56.593940] flags: 0x200000000008100(slab|head)
[   56.598578] raw: 0200000000008100 ffff8801ce200280 0000000000000000 0000000100000001
[   56.606430] raw: ffffea0006fe3e20 ffffea0007385220 ffff8801dac02200 0000000000000000
[   56.614285] page dumped because: kasan: bad access detected
[   56.619963] 
[   56.621562] Memory state around the buggy address:
[   56.626465]  ffff8801ce203580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   56.633794]  ffff8801ce203600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   56.641124] >ffff8801ce203680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   56.648456]                       ^
[   56.652055]  ffff8801ce203700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   56.659402]  ffff8801ce203780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   56.666731] ==================================================================
[   56.674057] Disabling lock debugging due to kernel taint
[   56.679487] Kernel panic - not syncing: panic_on_warn set ...
[   56.679487] 
[   56.686813] CPU: 0 PID: 2981 Comm: syzkaller560142 Tainted: G    B            4.14.0-rc4-mm1+ #16
[   56.695783] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   56.705101] Call Trace:
[   56.707671]  dump_stack+0x194/0x257
[   56.711264]  ? arch_local_irq_restore+0x53/0x53
[   56.715901]  ? vprintk_default+0x28/0x30
[   56.719930]  ? __internal_add_timer+0x1f0/0x2d0
[   56.724564]  panic+0x1e4/0x41c
[   56.727721]  ? refcount_error_report+0x214/0x214
[   56.732450]  ? __internal_add_timer+0x275/0x2d0
[   56.737086]  kasan_end_report+0x50/0x50
[   56.741026]  kasan_report+0x144/0x340
[   56.744797]  __asan_report_store8_noabort+0x17/0x20
[   56.749778]  __internal_add_timer+0x275/0x2d0
[   56.754237]  ? calc_wheel_index+0x200/0x200
[   56.758529]  mod_timer+0x622/0x15b0
[   56.762125]  ? mod_timer_pending+0x14e0/0x14e0
[   56.766673]  ? __lock_is_held+0xbc/0x140
[   56.770707]  ? __lock_is_held+0xbc/0x140
[   56.774736]  ? __lockdep_init_map+0xe4/0x650
[   56.779111]  ? lockdep_init_map+0x3d/0x70
[   56.783235]  ? rcu_read_lock_sched_held+0x108/0x120
[   56.788217]  ? init_timer_key+0x126/0x3b0
[   56.792330]  ? try_to_del_timer_sync+0x120/0x120
[   56.797052]  ? round_jiffies_up+0xce/0x100
[   56.801251]  ? __round_jiffies_up_relative+0x150/0x150
[   56.806494]  ? debug_lockdep_rcu_enabled+0x77/0x90
[   56.811390]  ? selinux_tun_dev_alloc_security+0x124/0x170
[   56.816897]  __tun_chr_ioctl+0x1beb/0x3e40
[   56.821102]  ? tun_chr_read_iter+0x1e0/0x1e0
[   56.825474]  ? lock_downgrade+0x990/0x990
[   56.829617]  ? handle_mm_fault+0x410/0x8d0
[   56.833817]  ? __do_page_fault+0x31e/0xd60
[   56.838022]  ? check_same_owner+0x320/0x320
[   56.842310]  ? up_read+0x1a/0x40
[   56.845642]  ? __do_page_fault+0x3d6/0xd60
[   56.849845]  ? tun_chr_compat_ioctl+0x30/0x30
[   56.854304]  tun_chr_ioctl+0x2a/0x40
[   56.857982]  ? tun_chr_ioctl+0x2a/0x40
[   56.861836]  do_vfs_ioctl+0x1b1/0x1530
[   56.865692]  ? ioctl_preallocate+0x2b0/0x2b0
[   56.870069]  ? selinux_capable+0x40/0x40
[   56.874097]  ? putname+0xf3/0x130
[   56.877519]  ? do_sys_open+0x320/0x6d0
[   56.881379]  ? security_file_ioctl+0x89/0xb0
[   56.885752]  SyS_ioctl+0x8f/0xc0
[   56.889105]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   56.893825] RIP: 0033:0x443d79
[   56.896978] RSP: 002b:00007ffdea9a0888 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
[   56.904653] RAX: ffffffffffffffda RBX: dfa3630c4db2da1f RCX: 0000000000443d79
[   56.911899] RDX: 000000002002dfd8 RSI: 00000000400454ca RDI: 0000000000000004
[   56.919135] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[   56.926369] R10: 0000000000000000 R11: 0000000000000202 R12: 5478fff85c2fe97a
[   56.933605] R13: 74656e2f7665642f R14: 0000000000000000 R15: 0000000000000000
[   56.940885] Dumping ftrace buffer:
[   56.944390]    (ftrace buffer empty)
[   56.948068] Kernel Offset: disabled
[   56.951662] Rebooting in 86400 seconds..