INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-kasan-gce-9,10.128.15.209' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 37.781507] ==================================================================
[ 37.788910] BUG: KASAN: double-free or invalid-free in selinux_tun_dev_free_security+0x15/0x20
[ 37.797626]
[ 37.799242] CPU: 1 PID: 3014 Comm: syzkaller549828 Not tainted 4.13.0-rc5+ #39
[ 37.806568] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.815922] Call Trace:
[ 37.818484]  dump_stack+0x194/0x257
[ 37.822088]  ? arch_local_irq_restore+0x53/0x53
[ 37.826730]  ? show_regs_print_info+0x65/0x65
[ 37.831194]  ? mark_held_locks+0xaf/0x100
[ 37.835322]  ? selinux_tun_dev_free_security+0x15/0x20
[ 37.840582]  print_address_description+0x73/0x250
[ 37.845397]  ? selinux_tun_dev_free_security+0x15/0x20
[ 37.850643]  ? selinux_tun_dev_free_security+0x15/0x20
[ 37.855891]  kasan_report_double_free+0x55/0x80
[ 37.860533]  kasan_slab_free+0xa3/0xc0
[ 37.864393]  kfree+0xca/0x250
[ 37.867472]  selinux_tun_dev_free_security+0x15/0x20
[ 37.872546]  security_tun_dev_free_security+0x48/0x80
[ 37.877717]  __tun_chr_ioctl+0x2ce6/0x3d50
[ 37.881934]  ? unwind_dump+0x4/0x4c0
[ 37.885639]  ? tun_select_queue+0x580/0x580
[ 37.889934]  ? putname+0xee/0x130
[ 37.893357]  ? save_stack+0xa3/0xd0
[ 37.896957]  ? save_stack_trace+0x16/0x20
[ 37.901075]  ? save_stack+0x43/0xd0
[ 37.904680]  ? kasan_slab_free+0x71/0xc0
[ 37.908720]  ? kmem_cache_free+0x77/0x280
[ 37.912837]  ? putname+0xee/0x130
[ 37.916273]  ? __lock_is_held+0xb6/0x140
[ 37.920336]  ? check_same_owner+0x320/0x320
[ 37.924634]  ? tun_chr_compat_ioctl+0x30/0x30
[ 37.929120]  tun_chr_ioctl+0x2a/0x40
[ 37.932805]  ? tun_chr_ioctl+0x2a/0x40
[ 37.936665]  do_vfs_ioctl+0x1b1/0x1520
[ 37.940526]  ? ioctl_preallocate+0x2b0/0x2b0
[ 37.944905]  ? selinux_capable+0x40/0x40
[ 37.948938]  ? putname+0xf3/0x130
[ 37.952362]  ? do_sys_open+0x320/0x6d0
[ 37.956230]  ? security_file_ioctl+0x7d/0xb0
[ 37.960605]  ? security_file_ioctl+0x89/0xb0
[ 37.964988]  SyS_ioctl+0x8f/0xc0
[ 37.968329]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 37.973054] RIP: 0033:0x443da9
[ 37.976212] RSP: 002b:00007fffc3a0dd58 EFLAGS: 00000217 ORIG_RAX: 0000000000000010
[ 37.983886] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000443da9
[ 37.991130] RDX: 0000000020511fd8 RSI: 00000000400454ca RDI: 0000000000000003
[ 37.998386] RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
[ 38.005622] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000000000
[ 38.012861] R13: 0000000000401b20 R14: 0000000000000000 R15: 0000000000000000
[ 38.020133]
[ 38.021734] Allocated by task 3014:
[ 38.025331]  save_stack_trace+0x16/0x20
[ 38.029275]  save_stack+0x43/0xd0
[ 38.032709]  kasan_kmalloc+0xad/0xe0
[ 38.036392]  kmem_cache_alloc_trace+0x12f/0x740
[ 38.041031]  selinux_tun_dev_alloc_security+0x49/0x170
[ 38.046277]  security_tun_dev_alloc_security+0x6d/0xa0
[ 38.051521]  __tun_chr_ioctl+0x1730/0x3d50
[ 38.055723]  tun_chr_ioctl+0x2a/0x40
[ 38.059407]  do_vfs_ioctl+0x1b1/0x1520
[ 38.063263]  SyS_ioctl+0x8f/0xc0
[ 38.066613]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 38.071360]
[ 38.072955] Freed by task 3014:
[ 38.076202]  save_stack_trace+0x16/0x20
[ 38.080144]  save_stack+0x43/0xd0
[ 38.083563]  kasan_slab_free+0x71/0xc0
[ 38.087419]  kfree+0xca/0x250
[ 38.090504]  selinux_tun_dev_free_security+0x15/0x20
[ 38.095579]  security_tun_dev_free_security+0x48/0x80
[ 38.100739]  tun_free_netdev+0x13b/0x1b0
[ 38.104773]  register_netdevice+0x8d0/0xee0
[ 38.109068]  __tun_chr_ioctl+0x1caf/0x3d50
[ 38.113273]  tun_chr_ioctl+0x2a/0x40
[ 38.116954]  do_vfs_ioctl+0x1b1/0x1520
[ 38.120811]  SyS_ioctl+0x8f/0xc0
[ 38.124144]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 38.128872]
[ 38.130469] The buggy address belongs to the object at ffff8801d06d4600
[ 38.130469]  which belongs to the cache kmalloc-32 of size 32
[ 38.142919] The buggy address is located 0 bytes inside of
[ 38.142919]  32-byte region [ffff8801d06d4600, ffff8801d06d4620)
[ 38.154508] The buggy address belongs to the page:
[ 38.159409] page:ffffea000741b500 count:1 mapcount:0 mapping:ffff8801d06d4000 index:0xffff8801d06d4fc1
[ 38.168831] flags: 0x200000000000100(slab)
[ 38.173035] raw: 0200000000000100 ffff8801d06d4000 ffff8801d06d4fc1 000000010000003f
[ 38.180883] raw: ffffea0007411d20 ffffea000741b0e0 ffff8801dac001c0 0000000000000000
[ 38.188731] page dumped because: kasan: bad access detected
[ 38.194405]
[ 38.195999] Memory state around the buggy address:
[ 38.200907]  ffff8801d06d4500: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[ 38.208235]  ffff8801d06d4580: 00 00 00 fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 38.215560] >ffff8801d06d4600: fb fb fb fb fc fc fc fc 00 00 00 00 fc fc fc fc
[ 38.222885]                    ^
[ 38.226219]  ffff8801d06d4680: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 38.233546]  ffff8801d06d4700: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 38.240880] ==================================================================
[ 38.248206] Disabling lock debugging due to kernel taint
[ 38.253629] Kernel panic - not syncing: panic_on_warn set ...
[ 38.253629]
[ 38.260964] CPU: 1 PID: 3014 Comm: syzkaller549828 Tainted: G B 4.13.0-rc5+ #39
[ 38.269508] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 38.278828] Call Trace:
[ 38.281390]  dump_stack+0x194/0x257
[ 38.284984]  ? arch_local_irq_restore+0x53/0x53
[ 38.289620]  ? kasan_end_report+0x32/0x50
[ 38.293737]  ? lock_downgrade+0x990/0x990
[ 38.297853]  panic+0x1e4/0x417
[ 38.301014]  ? __warn+0x1d9/0x1d9
[ 38.304442]  ? selinux_tun_dev_free_security+0x15/0x20
[ 38.309683]  ? selinux_tun_dev_free_security+0x15/0x20
[ 38.314930]  kasan_end_report+0x50/0x50
[ 38.318870]  kasan_report_double_free+0x72/0x80
[ 38.323521]  kasan_slab_free+0xa3/0xc0
[ 38.327381]  kfree+0xca/0x250
[ 38.330455]  selinux_tun_dev_free_security+0x15/0x20
[ 38.335540]  security_tun_dev_free_security+0x48/0x80
[ 38.340716]  __tun_chr_ioctl+0x2ce6/0x3d50
[ 38.344917]  ? unwind_dump+0x4/0x4c0
[ 38.348602]  ? tun_select_queue+0x580/0x580
[ 38.352891]  ? putname+0xee/0x130
[ 38.356318]  ? save_stack+0xa3/0xd0
[ 38.359915]  ? save_stack_trace+0x16/0x20
[ 38.364037]  ? save_stack+0x43/0xd0
[ 38.367632]  ? kasan_slab_free+0x71/0xc0
[ 38.371658]  ? kmem_cache_free+0x77/0x280
[ 38.375771]  ? putname+0xee/0x130
[ 38.379194]  ? __lock_is_held+0xb6/0x140
[ 38.383232]  ? check_same_owner+0x320/0x320
[ 38.387526]  ? tun_chr_compat_ioctl+0x30/0x30
[ 38.391989]  tun_chr_ioctl+0x2a/0x40
[ 38.395670]  ? tun_chr_ioctl+0x2a/0x40
[ 38.399525]  do_vfs_ioctl+0x1b1/0x1520
[ 38.403385]  ? ioctl_preallocate+0x2b0/0x2b0
[ 38.407770]  ? selinux_capable+0x40/0x40
[ 38.411809]  ? putname+0xf3/0x130
[ 38.415231]  ? do_sys_open+0x320/0x6d0
[ 38.419092]  ? security_file_ioctl+0x7d/0xb0
[ 38.423468]  ? security_file_ioctl+0x89/0xb0
[ 38.427843]  SyS_ioctl+0x8f/0xc0
[ 38.431175]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 38.435895] RIP: 0033:0x443da9
[ 38.439053] RSP: 002b:00007fffc3a0dd58 EFLAGS: 00000217 ORIG_RAX: 0000000000000010
[ 38.446731] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000443da9
[ 38.453989] RDX: 0000000020511fd8 RSI: 00000000400454ca RDI: 0000000000000003
[ 38.461236] RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
[ 38.468477] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000000000
[ 38.475737] R13: 0000000000401b20 R14: 0000000000000000 R15: 0000000000000000
[ 38.483241] Dumping ftrace buffer:
[ 38.486750]    (ftrace buffer empty)
[ 38.490439] Kernel Offset: disabled
[ 38.494036] Rebooting in 86400 seconds..