INIT: Entering runlevel: 2

[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-kasan-gce-5,10.128.0.2' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
executing program
syzkaller login: [   54.024340] ==================================================================
[   54.025444] BUG: KASAN: use-after-free in detach_if_pending+0x557/0x610
[   54.026331] Write of size 8 at addr ffff8801cec1b6b8 by task syzkaller223435/2978
[   54.027327] 
[   54.027559] CPU: 0 PID: 2978 Comm: syzkaller223435 Not tainted 4.14.0-rc5+ #134
[   54.028532] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   54.029753] Call Trace:
[   54.030110]  dump_stack+0x194/0x257
[   54.030601]  ? arch_local_irq_restore+0x53/0x53
[   54.031221]  ? show_regs_print_info+0x65/0x65
[   54.031821]  ? lock_timer_base+0x1a3/0x2b0
[   54.032389]  ? detach_if_pending+0x557/0x610
[   54.032978]  print_address_description+0x73/0x250
[   54.033621]  ? detach_if_pending+0x557/0x610
[   54.034209]  kasan_report+0x25b/0x340
[   54.034749]  __asan_report_store8_noabort+0x17/0x20
[   54.035414]  detach_if_pending+0x557/0x610
[   54.035984]  ? trace_raw_output_tick_stop+0x130/0x130
[   54.036707]  ? _raw_spin_lock_irqsave+0x9e/0xc0
[   54.037327]  ? lock_timer_base+0x1a3/0x2b0
[   54.037893]  ? lock_timer_base+0x1eb/0x2b0
[   54.038464]  ? __internal_add_timer+0x2d0/0x2d0
[   54.039086]  ? lock_downgrade+0x990/0x990
[   54.039668]  ? trace_hardirqs_on+0xd/0x10
[   54.040248]  try_to_del_timer_sync+0xa2/0x120
[   54.040846]  ? del_timer+0x130/0x130
[   54.041346]  ? del_timer_sync+0xeb/0x240
[   54.041924]  del_timer_sync+0x18a/0x240
[   54.042461]  tun_free_netdev+0x105/0x1b0
[   54.043004]  ? tun_xdp+0x410/0x410
[   54.043482]  ? cpumask_next+0x24/0x30
[   54.043996]  ? netdev_refcnt_read+0xed/0x150
[   54.045287]  ? tun_xdp+0x410/0x410
[   54.048793]  netdev_run_todo+0x870/0xca0
[   54.052819]  ? do_group_exit+0x149/0x400
[   54.056848]  ? mark_held_locks+0xaf/0x100
[   54.060962]  ? register_netdev+0x30/0x30
[   54.064991]  ? find_held_lock+0x35/0x1d0
[   54.069031]  ? lock_downgrade+0x990/0x990
[   54.073151]  ? refcount_sub_and_test+0x115/0x1b0
[   54.077872]  ? refcount_inc+0x50/0x50
[   54.081636]  ? refcount_inc+0x50/0x50
[   54.085409]  ? sk_destruct+0x4c/0x80
[   54.089695]  ? __sk_free+0x5c/0x230
[   54.093290]  ? sk_free+0x2f/0x40
[   54.096621]  ? __tun_detach+0x176/0x1390
[   54.100657]  ? tun_attach+0xfa0/0xfa0
[   54.104435]  ? locks_remove_file+0x3fa/0x5a0
[   54.108812]  ? fcntl_setlk+0x10c0/0x10c0
[   54.112840]  ? __fsnotify_parent+0xb4/0x3a0
[   54.117128]  ? fsnotify+0x1af0/0x1af0
[   54.120901]  ? __tun_detach+0x1390/0x1390
[   54.125016]  rtnl_unlock+0xe/0x10
[   54.128433]  tun_chr_close+0x49/0x60
[   54.132112]  __fput+0x327/0x7e0
[   54.135361]  ? fput+0x140/0x140
[   54.138607]  ? check_same_owner+0x320/0x320
[   54.142900]  ____fput+0x15/0x20
[   54.146147]  task_work_run+0x199/0x270
[   54.150001]  ? task_work_cancel+0x210/0x210
[   54.154287]  ? free_nsproxy+0x185/0x1f0
[   54.158225]  ? switch_task_namespaces+0xa2/0xc0
[   54.162863]  do_exit+0x9b5/0x1ad0
[   54.166281]  ? kvfree+0x3b/0x60
[   54.169527]  ? mm_update_next_owner+0x930/0x930
[   54.174161]  ? find_held_lock+0x35/0x1d0
[   54.178195]  ? handle_mm_fault+0x248/0x8d0
[   54.182401]  ? find_held_lock+0x35/0x1d0
[   54.186436]  ? __do_page_fault+0x64c/0xd60
[   54.190636]  ? lock_downgrade+0x990/0x990
[   54.194755]  ? handle_mm_fault+0x410/0x8d0
[   54.198954]  ? __do_page_fault+0x31e/0xd60
[   54.203156]  ? __handle_mm_fault+0x39c0/0x39c0
[   54.207712]  ? vmacache_find+0x5f/0x280
[   54.211667]  ? up_read+0x1a/0x40
[   54.215002]  ? __do_page_fault+0x3d6/0xd60
[   54.219212]  ? mm_fault_error+0x2c0/0x2c0
[   54.223327]  ? do_vfs_ioctl+0x486/0x1520
[   54.227360]  ? do_page_fault+0xee/0x720
[   54.231300]  ? __do_page_fault+0xd60/0xd60
[   54.235502]  ? putname+0xf3/0x130
[   54.238925]  do_group_exit+0x149/0x400
[   54.242779]  ? SyS_exit+0x30/0x30
[   54.246197]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   54.251181]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   54.255903]  SyS_exit_group+0x1d/0x20
[   54.259670]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   54.264389] RIP: 0033:0x445109
[   54.267543] RSP: 002b:00000000007efe48 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7
[   54.275215] RAX: ffffffffffffffda RBX: 33290715e7820bc8 RCX: 0000000000445109
[   54.282452] RDX: 0000000000445109 RSI: 0000000020464000 RDI: 0000000000000001
[   54.289687] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[   54.296921] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000402760
[   54.304161] R13: 00000000004027f0 R14: 0000000000000000 R15: 0000000000000000
[   54.311413] 
[   54.313006] Allocated by task 2978:
[   54.316597]  save_stack_trace+0x16/0x20
[   54.320538]  save_stack+0x43/0xd0
[   54.323954]  kasan_kmalloc+0xad/0xe0
[   54.327629]  __kmalloc_node+0x47/0x70
[   54.331394]  kvmalloc_node+0x64/0xd0
[   54.335072]  alloc_netdev_mqs+0x16e/0xed0
[   54.339183]  __tun_chr_ioctl+0x12b2/0x3d20
[   54.343382]  tun_chr_ioctl+0x2a/0x40
[   54.347059]  do_vfs_ioctl+0x1b1/0x1520
[   54.350908]  SyS_ioctl+0x8f/0xc0
[   54.354237]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   54.358955] 
[   54.360545] Freed by task 2978:
[   54.363789]  save_stack_trace+0x16/0x20
[   54.367727]  save_stack+0x43/0xd0
[   54.371142]  kasan_slab_free+0x71/0xc0
[   54.374993]  kfree+0xca/0x250
[   54.378061]  kvfree+0x36/0x60
[   54.381908]  free_netdev+0x2cf/0x360
[   54.385588]  __tun_chr_ioctl+0x2cea/0x3d20
[   54.389784]  tun_chr_ioctl+0x2a/0x40
[   54.393468]  do_vfs_ioctl+0x1b1/0x1520
[   54.397321]  SyS_ioctl+0x8f/0xc0
[   54.400654]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   54.405371] 
[   54.406964] The buggy address belongs to the object at ffff8801cec18380
[   54.406964]  which belongs to the cache kmalloc-16384 of size 16384
[   54.419930] The buggy address is located 13112 bytes inside of
[   54.419930]  16384-byte region [ffff8801cec18380, ffff8801cec1c380)
[   54.432113] The buggy address belongs to the page:
[   54.437009] page:ffffea00073b0600 count:1 mapcount:0 mapping:ffff8801cec18380 index:0x0 compound_mapcount: 0
[   54.446942] flags: 0x200000000008100(slab|head)
[   54.451577] raw: 0200000000008100 ffff8801cec18380 0000000000000000 0000000100000001
[   54.459422] raw: ffffea00073d5820 ffff8801dac01c48 ffff8801dac02200 0000000000000000
[   54.467264] page dumped because: kasan: bad access detected
[   54.472936] 
[   54.474527] Memory state around the buggy address:
[   54.479420]  ffff8801cec1b580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   54.486764]  ffff8801cec1b600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   54.494095] >ffff8801cec1b680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   54.501417]                                         ^
[   54.506571]  ffff8801cec1b700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   54.513893]  ffff8801cec1b780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   54.521227] ==================================================================
[   54.528548] Disabling lock debugging due to kernel taint
[   54.533962] Kernel panic - not syncing: panic_on_warn set ...
[   54.533962] 
[   54.541287] CPU: 0 PID: 2978 Comm: syzkaller223435 Tainted: G    B           4.14.0-rc5+ #134
[   54.549911] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   54.559229] Call Trace:
[   54.561786]  dump_stack+0x194/0x257
[   54.565378]  ? arch_local_irq_restore+0x53/0x53
[   54.570014]  ? kasan_end_report+0x32/0x50
[   54.574127]  ? lock_downgrade+0x990/0x990
[   54.578243]  ? detach_if_pending+0x510/0x610
[   54.582618]  panic+0x1e4/0x417
[   54.585775]  ? __warn+0x1d9/0x1d9
[   54.589198]  ? detach_if_pending+0x557/0x610
[   54.593572]  kasan_end_report+0x50/0x50
[   54.597512]  kasan_report+0x144/0x340
[   54.601278]  __asan_report_store8_noabort+0x17/0x20
[   54.606258]  detach_if_pending+0x557/0x610
[   54.610459]  ? trace_raw_output_tick_stop+0x130/0x130
[   54.615615]  ? _raw_spin_lock_irqsave+0x9e/0xc0
[   54.620245]  ? lock_timer_base+0x1a3/0x2b0
[   54.624445]  ? lock_timer_base+0x1eb/0x2b0
[   54.628647]  ? __internal_add_timer+0x2d0/0x2d0
[   54.633279]  ? lock_downgrade+0x990/0x990
[   54.637391]  ? trace_hardirqs_on+0xd/0x10
[   54.641506]  try_to_del_timer_sync+0xa2/0x120
[   54.645964]  ? del_timer+0x130/0x130
[   54.649644]  ? del_timer_sync+0xeb/0x240
[   54.653674]  del_timer_sync+0x18a/0x240
[   54.657612]  tun_free_netdev+0x105/0x1b0
[   54.661635]  ? tun_xdp+0x410/0x410
[   54.665138]  ? cpumask_next+0x24/0x30
[   54.668902]  ? netdev_refcnt_read+0xed/0x150
[   54.673274]  ? tun_xdp+0x410/0x410
[   54.676777]  netdev_run_todo+0x870/0xca0
[   54.680800]  ? do_group_exit+0x149/0x400
[   54.684826]  ? mark_held_locks+0xaf/0x100
[   54.688939]  ? register_netdev+0x30/0x30
[   54.692965]  ? find_held_lock+0x35/0x1d0
[   54.696995]  ? lock_downgrade+0x990/0x990
[   54.701110]  ? refcount_sub_and_test+0x115/0x1b0
[   54.705829]  ? refcount_inc+0x50/0x50
[   54.709591]  ? refcount_inc+0x50/0x50
[   54.713361]  ? sk_destruct+0x4c/0x80
[   54.717037]  ? __sk_free+0x5c/0x230
[   54.720630]  ? sk_free+0x2f/0x40
[   54.723963]  ? __tun_detach+0x176/0x1390
[   54.727992]  ? tun_attach+0xfa0/0xfa0
[   54.731761]  ? locks_remove_file+0x3fa/0x5a0
[   54.736133]  ? fcntl_setlk+0x10c0/0x10c0
[   54.740158]  ? __fsnotify_parent+0xb4/0x3a0
[   54.744444]  ? fsnotify+0x1af0/0x1af0
[   54.748213]  ? __tun_detach+0x1390/0x1390
[   54.752330]  rtnl_unlock+0xe/0x10
[   54.755745]  tun_chr_close+0x49/0x60
[   54.759422]  __fput+0x327/0x7e0
[   54.762669]  ? fput+0x140/0x140
[   54.765912]  ? check_same_owner+0x320/0x320
[   54.770199]  ____fput+0x15/0x20
[   54.773444]  task_work_run+0x199/0x270
[   54.777299]  ? task_work_cancel+0x210/0x210
[   54.781585]  ? free_nsproxy+0x185/0x1f0
[   54.785524]  ? switch_task_namespaces+0xa2/0xc0
[   54.790156]  do_exit+0x9b5/0x1ad0
[   54.793574]  ? kvfree+0x3b/0x60
[   54.797166]  ? mm_update_next_owner+0x930/0x930
[   54.801797]  ? find_held_lock+0x35/0x1d0
[   54.805825]  ? handle_mm_fault+0x248/0x8d0
[   54.810025]  ? find_held_lock+0x35/0x1d0
[   54.814052]  ? __do_page_fault+0x64c/0xd60
[   54.818249]  ? lock_downgrade+0x990/0x990
[   54.822365]  ? handle_mm_fault+0x410/0x8d0
[   54.826562]  ? __do_page_fault+0x31e/0xd60
[   54.830758]  ? __handle_mm_fault+0x39c0/0x39c0
[   54.835303]  ? vmacache_find+0x5f/0x280
[   54.839243]  ? up_read+0x1a/0x40
[   54.842572]  ? __do_page_fault+0x3d6/0xd60
[   54.846772]  ? mm_fault_error+0x2c0/0x2c0
[   54.850884]  ? do_vfs_ioctl+0x486/0x1520
[   54.854910]  ? do_page_fault+0xee/0x720
[   54.858848]  ? __do_page_fault+0xd60/0xd60
[   54.863045]  ? putname+0xf3/0x130
[   54.866466]  do_group_exit+0x149/0x400
[   54.870317]  ? SyS_exit+0x30/0x30
[   54.873734]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   54.878713]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   54.883433]  SyS_exit_group+0x1d/0x20
[   54.887201]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   54.891920] RIP: 0033:0x445109
[   54.895073] RSP: 002b:00000000007efe48 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7
[   54.902744] RAX: ffffffffffffffda RBX: 33290715e7820bc8 RCX: 0000000000445109
[   54.909977] RDX: 0000000000445109 RSI: 0000000020464000 RDI: 0000000000000001
[   54.917210] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[   54.924443] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000402760
[   54.931677] R13: 00000000004027f0 R14: 0000000000000000 R15: 0000000000000000