INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-mmots-kasan-gce-9,10.128.0.35' (ECDSA) to the list of known hosts.
executing program
executing program

syzkaller login: [ 30.444996] ==================================================================
[ 30.452417] BUG: KASAN: use-after-free in __internal_add_timer+0x275/0x2d0
[ 30.459407] Write of size 8 at addr ffff8801ce60b6c8 by task syzkaller094110/2981
[ 30.467000]
[ 30.468602] CPU: 1 PID: 2981 Comm: syzkaller094110 Not tainted 4.13.0-mm1+ #7
[ 30.475842] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.485172] Call Trace:
[ 30.487736]  dump_stack+0x194/0x257
[ 30.491352]  ? arch_local_irq_restore+0x53/0x53
[ 30.495991]  ? show_regs_print_info+0x65/0x65
[ 30.500460]  ? __kernel_text_address+0xae/0xe0
[ 30.505015]  ? __internal_add_timer+0x275/0x2d0
[ 30.509656]  print_address_description+0x73/0x250
[ 30.514471]  ? __internal_add_timer+0x275/0x2d0
[ 30.519109]  kasan_report+0x24e/0x340
[ 30.522885]  __asan_report_store8_noabort+0x17/0x20
[ 30.527871]  __internal_add_timer+0x275/0x2d0
[ 30.532337]  ? calc_wheel_index+0x200/0x200
[ 30.536639]  mod_timer+0x622/0x15b0
[ 30.540245]  ? mod_timer_pending+0x14e0/0x14e0
[ 30.544797]  ? __lock_is_held+0xbc/0x140
[ 30.548845]  ? __lock_is_held+0xbc/0x140
[ 30.552881]  ? __lockdep_init_map+0xe4/0x650
[ 30.557262]  ? lockdep_init_map+0x3d/0x70
[ 30.561385]  ? rcu_read_lock_sched_held+0x108/0x120
[ 30.566372]  ? init_timer_key+0x126/0x3b0
[ 30.570491]  ? try_to_del_timer_sync+0x120/0x120
[ 30.575220]  ? round_jiffies_up+0xce/0x100
[ 30.579424]  ? __round_jiffies_up_relative+0x150/0x150
[ 30.584671]  ? debug_lockdep_rcu_enabled+0x77/0x90
[ 30.589570]  ? selinux_tun_dev_alloc_security+0x124/0x170
[ 30.595107]  __tun_chr_ioctl+0x1b23/0x3d20
[ 30.599321]  ? tun_chr_read_iter+0x1e0/0x1e0
[ 30.603713]  ? lock_downgrade+0x990/0x990
[ 30.607859]  ? check_same_owner+0x320/0x320
[ 30.612154]  ? __handle_mm_fault+0x39c0/0x39c0
[ 30.616706]  ? vmacache_find+0x61/0x270
[ 30.620656]  ? tun_chr_compat_ioctl+0x30/0x30
[ 30.625127]  tun_chr_ioctl+0x2a/0x40
[ 30.628813]  ? tun_chr_ioctl+0x2a/0x40
[ 30.632679]  do_vfs_ioctl+0x1b1/0x1530
[ 30.636553]  ? ioctl_preallocate+0x2b0/0x2b0
[ 30.640937]  ? selinux_capable+0x40/0x40
[ 30.644973]  ? putname+0xf3/0x130
[ 30.648400]  ? do_sys_open+0x320/0x6d0
[ 30.652272]  ? security_file_ioctl+0x7d/0xb0
[ 30.656657]  ? security_file_ioctl+0x89/0xb0
[ 30.661043]  SyS_ioctl+0x8f/0xc0
[ 30.664389]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 30.669116] RIP: 0033:0x443da9
[ 30.672282] RSP: 002b:00007ffef58661e8 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
[ 30.679965] RAX: ffffffffffffffda RBX: 00000000006d4d80 RCX: 0000000000443da9
[ 30.687209] RDX: 0000000020574000 RSI: 00000000400454ca RDI: 0000000000000004
[ 30.694457] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[ 30.701697] R10: 0000000000000000 R11: 0000000000000202 R12: 74656e2f7665642f
[ 30.708953] R13: 0000000000401b20 R14: 0000000000000000 R15: 0000000000000000
[ 30.716212]
[ 30.717813] Allocated by task 2981:
[ 30.721415]  save_stack_trace+0x16/0x20
[ 30.725363]  save_stack+0x43/0xd0
[ 30.728787]  kasan_kmalloc+0xad/0xe0
[ 30.732469]  __kmalloc_node+0x47/0x70
[ 30.736239]  kvmalloc_node+0x64/0xd0
[ 30.739926]  alloc_netdev_mqs+0x16e/0xed0
[ 30.744043]  __tun_chr_ioctl+0x12be/0x3d20
[ 30.748244]  tun_chr_ioctl+0x2a/0x40
[ 30.751930]  do_vfs_ioctl+0x1b1/0x1530
[ 30.755786]  SyS_ioctl+0x8f/0xc0
[ 30.759123]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 30.763846]
[ 30.765446] Freed by task 2981:
[ 30.768696]  save_stack_trace+0x16/0x20
[ 30.772639]  save_stack+0x43/0xd0
[ 30.776061]  kasan_slab_free+0x71/0xc0
[ 30.779917]  kfree+0xca/0x250
[ 30.782991]  kvfree+0x36/0x60
[ 30.786065]  free_netdev+0x2cf/0x360
[ 30.789749]  __tun_chr_ioctl+0x2cf6/0x3d20
[ 30.793952]  tun_chr_ioctl+0x2a/0x40
[ 30.797634]  do_vfs_ioctl+0x1b1/0x1530
[ 30.801491]  SyS_ioctl+0x8f/0xc0
[ 30.804830]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 30.809553]
[ 30.811153] The buggy address belongs to the object at ffff8801ce6082c0
[ 30.811153]  which belongs to the cache kmalloc-16384 of size 16384
[ 30.824129] The buggy address is located 13320 bytes inside of
[ 30.824129]  16384-byte region [ffff8801ce6082c0, ffff8801ce60c2c0)
[ 30.836323] The buggy address belongs to the page:
[ 30.841223] page:ffffea0007398200 count:1 mapcount:0 mapping:ffff8801ce6082c0 index:0x0 compound_mapcount: 0
[ 30.851168] flags: 0x200000000008100(slab|head)
[ 30.855811] raw: 0200000000008100 ffff8801ce6082c0 0000000000000000 0000000100000001
[ 30.863662] raw: ffffea000756fe20 ffffea0007390e20 ffff8801dac02200 0000000000000000
[ 30.871510] page dumped because: kasan: bad access detected
[ 30.877200]
[ 30.878798] Memory state around the buggy address:
[ 30.883699]  ffff8801ce60b580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.891035]  ffff8801ce60b600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.898364] >ffff8801ce60b680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.905693]                                               ^
[ 30.911383]  ffff8801ce60b700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.918715]  ffff8801ce60b780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.926041] ==================================================================
[ 30.933367] Disabling lock debugging due to kernel taint
[ 30.938780] Kernel panic - not syncing: panic_on_warn set ...
[ 30.938780]
[ 30.946106] CPU: 1 PID: 2981 Comm: syzkaller094110 Tainted: G B 4.13.0-mm1+ #7
[ 30.954556] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.963873] Call Trace:
[ 30.966427]  dump_stack+0x194/0x257
[ 30.970027]  ? arch_local_irq_restore+0x53/0x53
[ 30.974660]  ? vprintk_default+0x28/0x30
[ 30.978688]  ? __internal_add_timer+0x200/0x2d0
[ 30.983323]  panic+0x1e4/0x417
[ 30.986480]  ? __warn+0x1d9/0x1d9
[ 30.989906]  ? __internal_add_timer+0x275/0x2d0
[ 30.994542]  kasan_end_report+0x50/0x50
[ 30.998479]  kasan_report+0x137/0x340
[ 31.002249]  __asan_report_store8_noabort+0x17/0x20
[ 31.007230]  __internal_add_timer+0x275/0x2d0
[ 31.011690]  ? calc_wheel_index+0x200/0x200
[ 31.015983]  mod_timer+0x622/0x15b0
[ 31.019580]  ? mod_timer_pending+0x14e0/0x14e0
[ 31.024127]  ? __lock_is_held+0xbc/0x140
[ 31.028161]  ? __lock_is_held+0xbc/0x140
[ 31.032189]  ? __lockdep_init_map+0xe4/0x650
[ 31.036564]  ? lockdep_init_map+0x3d/0x70
[ 31.040676]  ? rcu_read_lock_sched_held+0x108/0x120
[ 31.045656]  ? init_timer_key+0x126/0x3b0
[ 31.049769]  ? try_to_del_timer_sync+0x120/0x120
[ 31.054488]  ? round_jiffies_up+0xce/0x100
[ 31.058687]  ? __round_jiffies_up_relative+0x150/0x150
[ 31.063933]  ? debug_lockdep_rcu_enabled+0x77/0x90
[ 31.068828]  ? selinux_tun_dev_alloc_security+0x124/0x170
[ 31.074332]  __tun_chr_ioctl+0x1b23/0x3d20
[ 31.078536]  ? tun_chr_read_iter+0x1e0/0x1e0
[ 31.082917]  ? lock_downgrade+0x990/0x990
[ 31.087042]  ? check_same_owner+0x320/0x320
[ 31.091330]  ? __handle_mm_fault+0x39c0/0x39c0
[ 31.095878]  ? vmacache_find+0x61/0x270
[ 31.099816]  ? tun_chr_compat_ioctl+0x30/0x30
[ 31.104283]  tun_chr_ioctl+0x2a/0x40
[ 31.107962]  ? tun_chr_ioctl+0x2a/0x40
[ 31.111818]  do_vfs_ioctl+0x1b1/0x1530
[ 31.115677]  ? ioctl_preallocate+0x2b0/0x2b0
[ 31.120053]  ? selinux_capable+0x40/0x40
[ 31.124082]  ? putname+0xf3/0x130
[ 31.127502]  ? do_sys_open+0x320/0x6d0
[ 31.131445]  ? security_file_ioctl+0x7d/0xb0
[ 31.135815]  ? security_file_ioctl+0x89/0xb0
[ 31.140189]  SyS_ioctl+0x8f/0xc0
[ 31.143525]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 31.148243] RIP: 0033:0x443da9
[ 31.151400] RSP: 002b:00007ffef58661e8 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
[ 31.159074] RAX: ffffffffffffffda RBX: 00000000006d4d80 RCX: 0000000000443da9
[ 31.166312] RDX: 0000000020574000 RSI: 00000000400454ca RDI: 0000000000000004
[ 31.173557] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[ 31.180795] R10: 0000000000000000 R11: 0000000000000202 R12: 74656e2f7665642f
[ 31.188031] R13: 0000000000401b20 R14: 0000000000000000 R15: 0000000000000000
[ 31.195312] Dumping ftrace buffer:
[ 31.198817]    (ftrace buffer empty)
[ 31.202493] Kernel Offset: disabled
[ 31.206094] Rebooting in 86400 seconds..