INIT: Entering runlevel: 2
[[36minfo[39;49m] Using makefile-style concurrent boot in runlevel 2.
[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-kasan-gce-386-1,10.128.0.14' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
executing program
syzkaller login: [   47.431309] ==================================================================
[   47.438773] BUG: KASAN: use-after-free in detach_if_pending+0x557/0x610
[   47.445498] Write of size 8 at addr ffff8801cf76b740 by task syzkaller654377/2984
[   47.453089] 
[   47.454692] CPU: 0 PID: 2984 Comm: syzkaller654377 Not tainted 4.14.0-rc2+ #20
[   47.462024] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   47.471349] Call Trace:
[   47.473912]  dump_stack+0x194/0x257
[   47.477516]  ? arch_local_irq_restore+0x53/0x53
[   47.482163]  ? show_regs_print_info+0x65/0x65
[   47.486637]  ? lock_timer_base+0x1a3/0x2b0
[   47.490851]  ? detach_if_pending+0x557/0x610
[   47.495927]  print_address_description+0x73/0x250
[   47.500745]  ? detach_if_pending+0x557/0x610
[   47.505126]  kasan_report+0x25b/0x340
[   47.508903]  __asan_report_store8_noabort+0x17/0x20
[   47.513890]  detach_if_pending+0x557/0x610
[   47.518101]  ? trace_raw_output_tick_stop+0x130/0x130
[   47.523270]  ? _raw_spin_lock_irqsave+0x9e/0xc0
[   47.527910]  ? lock_timer_base+0x1a3/0x2b0
[   47.532119]  ? lock_timer_base+0x1eb/0x2b0
[   47.536327]  ? __internal_add_timer+0x2d0/0x2d0
[   47.540970]  ? trace_hardirqs_on+0xd/0x10
[   47.545098]  try_to_del_timer_sync+0xa2/0x120
[   47.549566]  ? del_timer+0x130/0x130
[   47.553253]  ? del_timer_sync+0xeb/0x240
[   47.557293]  del_timer_sync+0x18a/0x240
[   47.561252]  tun_free_netdev+0x105/0x1b0
[   47.565284]  ? tun_xdp+0x410/0x410
[   47.568808]  ? cpumask_next+0x24/0x30
[   47.572583]  ? netdev_refcnt_read+0xed/0x150
[   47.576968]  ? tun_xdp+0x410/0x410
[   47.580479]  netdev_run_todo+0x870/0xca0
[   47.584510]  ? do_group_exit+0x149/0x400
[   47.588548]  ? register_netdev+0x30/0x30
[   47.592583]  ? lock_downgrade+0x990/0x990
[   47.596710]  ? trace_hardirqs_on+0xd/0x10
[   47.600850]  ? refcount_sub_and_test+0x115/0x1b0
[   47.605580]  ? refcount_inc+0x50/0x50
[   47.609350]  ? refcount_inc+0x50/0x50
[   47.613126]  ? sk_destruct+0x4c/0x80
[   47.616810]  ? __sk_free+0x5c/0x230
[   47.620414]  ? sk_free+0x2f/0x40
[   47.623757]  ? __tun_detach+0x176/0x1390
[   47.627800]  ? tun_attach+0xf90/0xf90
[   47.631576]  ? do_raw_spin_trylock+0x190/0x190
[   47.636135]  ? locks_remove_file+0x3fa/0x5a0
[   47.640519]  ? fcntl_setlk+0x10d0/0x10d0
[   47.644556]  ? __fsnotify_parent+0xb4/0x3a0
[   47.648851]  ? fsnotify+0x1af0/0x1af0
[   47.652629]  ? __tun_detach+0x1390/0x1390
[   47.656749]  ? __tun_detach+0x1390/0x1390
[   47.660883]  rtnl_unlock+0xe/0x10
[   47.664313]  tun_chr_close+0x49/0x60
[   47.668004]  __fput+0x333/0x7f0
[   47.671263]  ? fput+0x140/0x140
[   47.674525]  ? check_same_owner+0x320/0x320
[   47.678820]  ? _raw_spin_unlock_irq+0x27/0x70
[   47.683293]  ____fput+0x15/0x20
[   47.686545]  task_work_run+0x199/0x270
[   47.690406]  ? task_work_cancel+0x210/0x210
[   47.694699]  ? _raw_spin_unlock+0x22/0x30
[   47.698821]  ? switch_task_namespaces+0x87/0xc0
[   47.703468]  do_exit+0x9d2/0x1af0
[   47.706899]  ? mm_update_next_owner+0x930/0x930
[   47.711541]  ? lock_acquire+0x1d5/0x580
[   47.715485]  ? __handle_mm_fault+0xf07/0x39c0
[   47.719959]  ? lock_release+0xd70/0xd70
[   47.723905]  ? check_noncircular+0x20/0x20
[   47.728112]  ? kvfree+0x3b/0x60
[   47.731370]  ? rtnl_unlock+0xe/0x10
[   47.734973]  ? check_noncircular+0x20/0x20
[   47.739180]  ? __handle_mm_fault+0x587/0x39c0
[   47.743651]  ? __pmd_alloc+0x4e0/0x4e0
[   47.747519]  ? find_held_lock+0x39/0x1d0
[   47.751562]  ? lock_downgrade+0x990/0x990
[   47.755707]  do_group_exit+0x149/0x400
[   47.759564]  ? __handle_mm_fault+0x39c0/0x39c0
[   47.764116]  ? vmacache_find+0x5f/0x280
[   47.768064]  ? SyS_exit+0x30/0x30
[   47.771494]  ? do_fast_syscall_32+0x158/0xf05
[   47.775960]  ? do_group_exit+0x400/0x400
[   47.779991]  SyS_exit_group+0x1d/0x20
[   47.783763]  do_fast_syscall_32+0x3f2/0xf05
[   47.788064]  ? do_int80_syscall_32+0x940/0x940
[   47.792619]  ? kasan_check_read+0x11/0x20
[   47.796739]  ? syscall_return_slowpath+0x510/0x510
[   47.801643]  ? SyS_rt_sigaction+0x94/0x1b0
[   47.805860]  ? lockdep_sys_exit+0x47/0xf0
[   47.809982]  ? retint_user+0x18/0x20
[   47.813671]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   47.818491]  entry_SYSENTER_compat+0x51/0x60
[   47.822870] RIP: 0023:0xf7f5ac79
[   47.826206] RSP: 002b:00000000fff4f2cc EFLAGS: 00000296 ORIG_RAX: 00000000000000fc
[   47.833887] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f1298
[   47.841131] RDX: 0000000000000000 RSI: 00000000080daa78 RDI: 00000000080f12a0
[   47.848370] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[   47.855610] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   47.862850] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   47.870109] 
[   47.871710] Allocated by task 2984:
[   47.875310]  save_stack_trace+0x16/0x20
[   47.879257]  save_stack+0x43/0xd0
[   47.882678]  kasan_kmalloc+0xad/0xe0
[   47.886362]  __kmalloc_node+0x47/0x70
[   47.890132]  kvmalloc_node+0x64/0xd0
[   47.893819]  alloc_netdev_mqs+0x16e/0xed0
[   47.897941]  __tun_chr_ioctl+0x12be/0x3d20
[   47.902146]  tun_chr_compat_ioctl+0x29/0x30
[   47.906438]  compat_SyS_ioctl+0x1d7/0x3290
[   47.910645]  do_fast_syscall_32+0x3f2/0xf05
[   47.914937]  entry_SYSENTER_compat+0x51/0x60
[   47.919314] 
[   47.920913] Freed by task 2984:
[   47.924166]  save_stack_trace+0x16/0x20
[   47.928110]  save_stack+0x43/0xd0
[   47.931533]  kasan_slab_free+0x71/0xc0
[   47.935389]  kfree+0xca/0x250
[   47.938466]  kvfree+0x36/0x60
[   47.941542]  free_netdev+0x2cf/0x360
[   47.945223]  __tun_chr_ioctl+0x2cf6/0x3d20
[   47.949427]  tun_chr_compat_ioctl+0x29/0x30
[   47.953719]  compat_SyS_ioctl+0x1d7/0x3290
[   47.957931]  do_fast_syscall_32+0x3f2/0xf05
[   47.962220]  entry_SYSENTER_compat+0x51/0x60
[   47.966595] 
[   47.968197] The buggy address belongs to the object at ffff8801cf768340
[   47.968197]  which belongs to the cache kmalloc-16384 of size 16384
[   47.981168] The buggy address is located 13312 bytes inside of
[   47.981168]  16384-byte region [ffff8801cf768340, ffff8801cf76c340)
[   47.993357] The buggy address belongs to the page:
[   47.998256] page:ffffea00073dda00 count:1 mapcount:0 mapping:ffff8801cf768340 index:0x0 compound_mapcount: 0
[   48.008199] flags: 0x200000000008100(slab|head)
[   48.012849] raw: 0200000000008100 ffff8801cf768340 0000000000000000 0000000100000001
[   48.020700] raw: ffffea0007393a20 ffff8801dac01c50 ffff8801dac02200 0000000000000000
[   48.028547] page dumped because: kasan: bad access detected
[   48.034223] 
[   48.035819] Memory state around the buggy address:
[   48.040719]  ffff8801cf76b600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   48.048047]  ffff8801cf76b680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   48.055376] >ffff8801cf76b700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   48.062703]                                            ^
[   48.068122]  ffff8801cf76b780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   48.075450]  ffff8801cf76b800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   48.082776] ==================================================================
[   48.090101] Disabling lock debugging due to kernel taint
[   48.095514] Kernel panic - not syncing: panic_on_warn set ...
[   48.095514] 
[   48.102841] CPU: 0 PID: 2984 Comm: syzkaller654377 Tainted: G    B           4.14.0-rc2+ #20
[   48.111381] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   48.120698] Call Trace:
[   48.123255]  dump_stack+0x194/0x257
[   48.126850]  ? arch_local_irq_restore+0x53/0x53
[   48.131488]  ? vprintk_default+0x28/0x30
[   48.135521]  ? detach_if_pending+0x4d0/0x610
[   48.139899]  panic+0x1e4/0x417
[   48.143058]  ? __warn+0x1d9/0x1d9
[   48.146481]  ? detach_if_pending+0x557/0x610
[   48.150857]  kasan_end_report+0x50/0x50
[   48.154802]  kasan_report+0x144/0x340
[   48.158574]  __asan_report_store8_noabort+0x17/0x20
[   48.163556]  detach_if_pending+0x557/0x610
[   48.167757]  ? trace_raw_output_tick_stop+0x130/0x130
[   48.172918]  ? _raw_spin_lock_irqsave+0x9e/0xc0
[   48.177552]  ? lock_timer_base+0x1a3/0x2b0
[   48.181754]  ? lock_timer_base+0x1eb/0x2b0
[   48.185956]  ? __internal_add_timer+0x2d0/0x2d0
[   48.190594]  ? trace_hardirqs_on+0xd/0x10
[   48.194712]  try_to_del_timer_sync+0xa2/0x120
[   48.199180]  ? del_timer+0x130/0x130
[   48.202868]  ? del_timer_sync+0xeb/0x240
[   48.206899]  del_timer_sync+0x18a/0x240
[   48.210842]  tun_free_netdev+0x105/0x1b0
[   48.214868]  ? tun_xdp+0x410/0x410
[   48.218377]  ? cpumask_next+0x24/0x30
[   48.222146]  ? netdev_refcnt_read+0xed/0x150
[   48.226522]  ? tun_xdp+0x410/0x410
[   48.230026]  netdev_run_todo+0x870/0xca0
[   48.234052]  ? do_group_exit+0x149/0x400
[   48.238080]  ? register_netdev+0x30/0x30
[   48.242111]  ? lock_downgrade+0x990/0x990
[   48.246224]  ? trace_hardirqs_on+0xd/0x10
[   48.250347]  ? refcount_sub_and_test+0x115/0x1b0
[   48.255071]  ? refcount_inc+0x50/0x50
[   48.258835]  ? refcount_inc+0x50/0x50
[   48.262604]  ? sk_destruct+0x4c/0x80
[   48.266281]  ? __sk_free+0x5c/0x230
[   48.269877]  ? sk_free+0x2f/0x40
[   48.273211]  ? __tun_detach+0x176/0x1390
[   48.277242]  ? tun_attach+0xf90/0xf90
[   48.281009]  ? do_raw_spin_trylock+0x190/0x190
[   48.285556]  ? locks_remove_file+0x3fa/0x5a0
[   48.289932]  ? fcntl_setlk+0x10d0/0x10d0
[   48.293975]  ? __fsnotify_parent+0xb4/0x3a0
[   48.298261]  ? fsnotify+0x1af0/0x1af0
[   48.302030]  ? __tun_detach+0x1390/0x1390
[   48.306145]  ? __tun_detach+0x1390/0x1390
[   48.310258]  rtnl_unlock+0xe/0x10
[   48.313677]  tun_chr_close+0x49/0x60
[   48.317357]  __fput+0x333/0x7f0
[   48.320602]  ? fput+0x140/0x140
[   48.323855]  ? check_same_owner+0x320/0x320
[   48.328155]  ? _raw_spin_unlock_irq+0x27/0x70
[   48.332625]  ____fput+0x15/0x20
[   48.335872]  task_work_run+0x199/0x270
[   48.339734]  ? task_work_cancel+0x210/0x210
[   48.344021]  ? _raw_spin_unlock+0x22/0x30
[   48.348136]  ? switch_task_namespaces+0x87/0xc0
[   48.352773]  do_exit+0x9d2/0x1af0
[   48.356195]  ? mm_update_next_owner+0x930/0x930
[   48.360836]  ? lock_acquire+0x1d5/0x580
[   48.364775]  ? __handle_mm_fault+0xf07/0x39c0
[   48.369240]  ? lock_release+0xd70/0xd70
[   48.373180]  ? check_noncircular+0x20/0x20
[   48.377382]  ? kvfree+0x3b/0x60
[   48.380630]  ? rtnl_unlock+0xe/0x10
[   48.384223]  ? check_noncircular+0x20/0x20
[   48.388422]  ? __handle_mm_fault+0x587/0x39c0
[   48.392883]  ? __pmd_alloc+0x4e0/0x4e0
[   48.396750]  ? find_held_lock+0x39/0x1d0
[   48.400785]  ? lock_downgrade+0x990/0x990
[   48.404912]  do_group_exit+0x149/0x400
[   48.408764]  ? __handle_mm_fault+0x39c0/0x39c0
[   48.413312]  ? vmacache_find+0x5f/0x280
[   48.417250]  ? SyS_exit+0x30/0x30
[   48.420672]  ? do_fast_syscall_32+0x158/0xf05
[   48.425130]  ? do_group_exit+0x400/0x400
[   48.429156]  SyS_exit_group+0x1d/0x20