INIT: Entering runlevel: 2

[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-next-kasan-gce-3,10.128.0.17' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
executing program
syzkaller login: [   32.858327] ==================================================================
[   32.865738] BUG: KASAN: use-after-free in detach_if_pending+0x557/0x610
[   32.872463] Write of size 8 at addr ffff8801cd4eb740 by task syzkaller755397/2986
[   32.880048] 
[   32.881649] CPU: 1 PID: 2986 Comm: syzkaller755397 Not tainted 4.13.0-next-20170915+ #23
[   32.889844] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.899170] Call Trace:
[   32.901733]  dump_stack+0x194/0x257
[   32.905336]  ? arch_local_irq_restore+0x53/0x53
[   32.909979]  ? show_regs_print_info+0x65/0x65
[   32.914448]  ? lock_timer_base+0x1a3/0x2b0
[   32.918654]  ? detach_if_pending+0x557/0x610
[   32.923033]  print_address_description+0x73/0x250
[   32.927844]  ? detach_if_pending+0x557/0x610
[   32.932223]  kasan_report+0x24e/0x340
[   32.935999]  __asan_report_store8_noabort+0x17/0x20
[   32.940985]  detach_if_pending+0x557/0x610
[   32.945193]  ? trace_raw_output_tick_stop+0x130/0x130
[   32.950354]  ? _raw_spin_lock_irqsave+0x9e/0xc0
[   32.954988]  ? lock_timer_base+0x1a3/0x2b0
[   32.959191]  ? lock_timer_base+0x1eb/0x2b0
[   32.963397]  ? __internal_add_timer+0x2d0/0x2d0
[   32.968038]  ? trace_hardirqs_on+0xd/0x10
[   32.972177]  try_to_del_timer_sync+0xa2/0x120
[   32.976645]  ? del_timer+0x130/0x130
[   32.980332]  ? del_timer_sync+0xeb/0x240
[   32.984371]  del_timer_sync+0x18a/0x240
[   32.988320]  tun_free_netdev+0x105/0x1b0
[   32.992352]  ? tun_xdp+0x410/0x410
[   32.995863]  ? cpumask_next+0x24/0x30
[   32.999635]  ? netdev_refcnt_read+0xed/0x150
[   33.004016]  ? tun_xdp+0x410/0x410
[   33.007527]  netdev_run_todo+0x870/0xca0
[   33.011560]  ? do_group_exit+0x149/0x400
[   33.015596]  ? register_netdev+0x30/0x30
[   33.019632]  ? lock_downgrade+0x990/0x990
[   33.023759]  ? trace_hardirqs_on+0xd/0x10
[   33.027899]  ? refcount_sub_and_test+0x115/0x1b0
[   33.032622]  ? refcount_inc+0x50/0x50
[   33.036393]  ? refcount_inc+0x50/0x50
[   33.040167]  ? sk_destruct+0x4c/0x80
[   33.043851]  ? __sk_free+0x5c/0x230
[   33.047451]  ? sk_free+0x2f/0x40
[   33.050785]  ? __tun_detach+0x176/0x1390
[   33.054828]  ? tun_attach+0xf90/0xf90
[   33.058608]  ? locks_remove_file+0x3fa/0x5a0
[   33.062996]  ? fcntl_setlk+0x10d0/0x10d0
[   33.067028]  ? __fsnotify_parent+0xb4/0x3a0
[   33.071322]  ? fsnotify+0x1af0/0x1af0
[   33.075095]  ? __tun_detach+0x1390/0x1390
[   33.079768]  ? __tun_detach+0x1390/0x1390
[   33.083888]  rtnl_unlock+0xe/0x10
[   33.087310]  tun_chr_close+0x49/0x60
[   33.090993]  __fput+0x333/0x7f0
[   33.094247]  ? fput+0x140/0x140
[   33.097496]  ? check_same_owner+0x320/0x320
[   33.101794]  ____fput+0x15/0x20
[   33.105050]  task_work_run+0x199/0x270
[   33.108912]  ? task_work_cancel+0x210/0x210
[   33.113209]  ? free_nsproxy+0x185/0x1f0
[   33.117154]  ? switch_task_namespaces+0xa2/0xc0
[   33.121796]  do_exit+0xa52/0x1b40
[   33.125220]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   33.130208]  ? check_noncircular+0x20/0x20
[   33.134419]  ? mm_update_next_owner+0x930/0x930
[   33.139058]  ? __pmd_alloc+0x4e0/0x4e0
[   33.142926]  ? find_held_lock+0x39/0x1d0
[   33.146968]  ? lock_downgrade+0x990/0x990
[   33.151108]  ? handle_mm_fault+0x410/0x8d0
[   33.155310]  ? down_read_trylock+0xdb/0x170
[   33.159603]  ? __handle_mm_fault+0x39c0/0x39c0
[   33.164154]  ? vmacache_find+0x61/0x270
[   33.168095]  ? vmacache_update+0xfe/0x130
[   33.172217]  ? up_read+0x1a/0x40
[   33.175554]  ? __do_page_fault+0x35b/0xb60
[   33.179755]  ? do_vfs_ioctl+0x492/0x1530
[   33.183793]  ? do_page_fault+0xee/0x720
[   33.187738]  ? __do_page_fault+0xb60/0xb60
[   33.191941]  ? putname+0xf3/0x130
[   33.195369]  do_group_exit+0x149/0x400
[   33.199232]  ? lockdep_sys_exit+0x47/0xf0
[   33.203351]  ? SyS_exit+0x30/0x30
[   33.206778]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   33.211765]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   33.216494]  SyS_exit_group+0x1d/0x20
[   33.220265]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   33.224990] RIP: 0033:0x444db9
[   33.228156] RSP: 002b:00007ffe19bc6f48 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7
[   33.235834] RAX: ffffffffffffffda RBX: 00007ffe19bc6f90 RCX: 0000000000444db9
[   33.243073] RDX: 0000000000444db9 RSI: 0000000020927fd8 RDI: 0000000000000001
[   33.250313] RBP: 0000000000000082 R08: 0000000000000000 R09: 00007ffe19bc6f90
[   33.257551] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000402160
[   33.264788] R13: 00000000004021f0 R14: 0000000000000000 R15: 0000000000000000
[   33.272043] 
[   33.273639] Allocated by task 2986:
[   33.277235]  save_stack_trace+0x16/0x20
[   33.281179]  save_stack+0x43/0xd0
[   33.284600]  kasan_kmalloc+0xad/0xe0
[   33.288281]  __kmalloc_node+0x47/0x70
[   33.292051]  kvmalloc_node+0x64/0xd0
[   33.295733]  alloc_netdev_mqs+0x16e/0xed0
[   33.299858]  __tun_chr_ioctl+0x12be/0x3d20
[   33.304058]  tun_chr_ioctl+0x2a/0x40
[   33.307739]  do_vfs_ioctl+0x1b1/0x1530
[   33.311593]  SyS_ioctl+0x8f/0xc0
[   33.314926]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   33.319645] 
[   33.321240] Freed by task 2986:
[   33.324488]  save_stack_trace+0x16/0x20
[   33.328430]  save_stack+0x43/0xd0
[   33.331850]  kasan_slab_free+0x71/0xc0
[   33.335706]  kfree+0xca/0x250
[   33.338778]  kvfree+0x36/0x60
[   33.341852]  free_netdev+0x2cf/0x360
[   33.345534]  __tun_chr_ioctl+0x2cf6/0x3d20
[   33.349738]  tun_chr_ioctl+0x2a/0x40
[   33.353418]  do_vfs_ioctl+0x1b1/0x1530
[   33.357271]  SyS_ioctl+0x8f/0xc0
[   33.360605]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   33.365323] 
[   33.366921] The buggy address belongs to the object at ffff8801cd4e8340
[   33.366921]  which belongs to the cache kmalloc-16384 of size 16384
[   33.379889] The buggy address is located 13312 bytes inside of
[   33.379889]  16384-byte region [ffff8801cd4e8340, ffff8801cd4ec340)
[   33.392075] The buggy address belongs to the page:
[   33.396972] page:ffffea0007353a00 count:1 mapcount:0 mapping:ffff8801cd4e8340 index:0x0 compound_mapcount: 0
[   33.406913] flags: 0x200000000008100(slab|head)
[   33.411551] raw: 0200000000008100 ffff8801cd4e8340 0000000000000000 0000000100000001
[   33.419399] raw: ffffea000737cc20 ffff8801dac01c50 ffff8801dac02200 0000000000000000
[   33.427245] page dumped because: kasan: bad access detected
[   33.432921] 
[   33.434515] Memory state around the buggy address:
[   33.439409]  ffff8801cd4eb600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.446734]  ffff8801cd4eb680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.454061] >ffff8801cd4eb700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.461384]                                            ^
[   33.466799]  ffff8801cd4eb780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.474125]  ffff8801cd4eb800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.481449] ==================================================================
[   33.488773] Disabling lock debugging due to kernel taint
[   33.494185] Kernel panic - not syncing: panic_on_warn set ...
[   33.494185] 
[   33.501509] CPU: 1 PID: 2986 Comm: syzkaller755397 Tainted: G    B           4.13.0-next-20170915+ #23
[   33.510914] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.520229] Call Trace:
[   33.522790]  dump_stack+0x194/0x257
[   33.526385]  ? arch_local_irq_restore+0x53/0x53
[   33.531019]  ? vprintk_default+0x28/0x30
[   33.535045]  ? detach_if_pending+0x510/0x610
[   33.539417]  panic+0x1e4/0x417
[   33.542574]  ? __warn+0x1d9/0x1d9
[   33.545996]  ? detach_if_pending+0x557/0x610
[   33.550366]  kasan_end_report+0x50/0x50
[   33.554302]  kasan_report+0x137/0x340
[   33.558067]  __asan_report_store8_noabort+0x17/0x20
[   33.563046]  detach_if_pending+0x557/0x610
[   33.567245]  ? trace_raw_output_tick_stop+0x130/0x130
[   33.572398]  ? _raw_spin_lock_irqsave+0x9e/0xc0
[   33.577028]  ? lock_timer_base+0x1a3/0x2b0
[   33.581224]  ? lock_timer_base+0x1eb/0x2b0
[   33.585422]  ? __internal_add_timer+0x2d0/0x2d0
[   33.590054]  ? trace_hardirqs_on+0xd/0x10
[   33.594167]  try_to_del_timer_sync+0xa2/0x120
[   33.598624]  ? del_timer+0x130/0x130
[   33.602300]  ? del_timer_sync+0xeb/0x240
[   33.606328]  del_timer_sync+0x18a/0x240
[   33.610266]  tun_free_netdev+0x105/0x1b0
[   33.614288]  ? tun_xdp+0x410/0x410
[   33.617789]  ? cpumask_next+0x24/0x30
[   33.621553]  ? netdev_refcnt_read+0xed/0x150
[   33.625923]  ? tun_xdp+0x410/0x410
[   33.629424]  netdev_run_todo+0x870/0xca0
[   33.633448]  ? do_group_exit+0x149/0x400
[   33.637473]  ? register_netdev+0x30/0x30
[   33.641498]  ? lock_downgrade+0x990/0x990
[   33.645609]  ? trace_hardirqs_on+0xd/0x10
[   33.649729]  ? refcount_sub_and_test+0x115/0x1b0
[   33.654447]  ? refcount_inc+0x50/0x50
[   33.658210]  ? refcount_inc+0x50/0x50
[   33.661977]  ? sk_destruct+0x4c/0x80
[   33.665658]  ? __sk_free+0x5c/0x230
[   33.669250]  ? sk_free+0x2f/0x40
[   33.672580]  ? __tun_detach+0x176/0x1390
[   33.676610]  ? tun_attach+0xf90/0xf90
[   33.680378]  ? locks_remove_file+0x3fa/0x5a0
[   33.684751]  ? fcntl_setlk+0x10d0/0x10d0
[   33.688778]  ? __fsnotify_parent+0xb4/0x3a0
[   33.693062]  ? fsnotify+0x1af0/0x1af0
[   33.696829]  ? __tun_detach+0x1390/0x1390
[   33.700942]  ? __tun_detach+0x1390/0x1390
[   33.705053]  rtnl_unlock+0xe/0x10
[   33.708468]  tun_chr_close+0x49/0x60
[   33.712144]  __fput+0x333/0x7f0
[   33.715391]  ? fput+0x140/0x140
[   33.718637]  ? check_same_owner+0x320/0x320
[   33.722924]  ____fput+0x15/0x20
[   33.726166]  task_work_run+0x199/0x270
[   33.730018]  ? task_work_cancel+0x210/0x210
[   33.734302]  ? free_nsproxy+0x185/0x1f0
[   33.738248]  ? switch_task_namespaces+0xa2/0xc0
[   33.742885]  do_exit+0xa52/0x1b40
[   33.746302]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   33.751282]  ? check_noncircular+0x20/0x20
[   33.755484]  ? mm_update_next_owner+0x930/0x930
[   33.760114]  ? __pmd_alloc+0x4e0/0x4e0
[   33.763972]  ? find_held_lock+0x39/0x1d0
[   33.768002]  ? lock_downgrade+0x990/0x990
[   33.772122]  ? handle_mm_fault+0x410/0x8d0
[   33.776320]  ? down_read_trylock+0xdb/0x170
[   33.780603]  ? __handle_mm_fault+0x39c0/0x39c0
[   33.785148]  ? vmacache_find+0x61/0x270
[   33.789084]  ? vmacache_update+0xfe/0x130
[   33.793208]  ? up_read+0x1a/0x40
[   33.796538]  ? __do_page_fault+0x35b/0xb60
[   33.800734]  ? do_vfs_ioctl+0x492/0x1530
[   33.804763]  ? do_page_fault+0xee/0x720
[   33.808700]  ? __do_page_fault+0xb60/0xb60
[   33.812898]  ? putname+0xf3/0x130
[   33.816323]  do_group_exit+0x149/0x400
[   33.820175]  ? lockdep_sys_exit+0x47/0xf0
[   33.824284]  ? SyS_exit+0x30/0x30
[   33.827705]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   33.832685]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   33.837411]  SyS_exit_group+0x1d/0x20
[   33.841175]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   33.845892] RIP: 0033:0x444db9
[   33.849045] RSP: 002b:00007ffe19bc6f48 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7