INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-kasan-gce-6,10.128.0.46' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program

syzkaller login: [   32.487826] ==================================================================
[   32.488928] BUG: KASAN: double-free or invalid-free in selinux_tun_dev_free_security+0x15/0x20
[   32.490114]
[   32.490346] CPU: 1 PID: 3038 Comm: syzkaller204064 Not tainted 4.13.0-rc5+ #39
[   32.491326] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.492554] Call Trace:
[   32.492912]  dump_stack+0x194/0x257
[   32.493405]  ? arch_local_irq_restore+0x53/0x53
[   32.494029]  ? show_regs_print_info+0x65/0x65
[   32.494644]  ? mark_held_locks+0xaf/0x100
[   32.495223]  ? selinux_tun_dev_free_security+0x15/0x20
[   32.495927]  print_address_description+0x73/0x250
[   32.496569]  ? selinux_tun_dev_free_security+0x15/0x20
[   32.497281]  ? selinux_tun_dev_free_security+0x15/0x20
[   32.497981]  kasan_report_double_free+0x55/0x80
[   32.498616]  kasan_slab_free+0xa3/0xc0
[   32.499173]  kfree+0xca/0x250
[   32.499787]  selinux_tun_dev_free_security+0x15/0x20
[   32.500529]  security_tun_dev_free_security+0x48/0x80
[   32.501244]  __tun_chr_ioctl+0x2ce6/0x3d50
[   32.501830]  ? tun_select_queue+0x580/0x580
[   32.502404]  ? lock_downgrade+0x990/0x990
[   32.502976]  ? lock_release+0xa40/0xa40
[   32.503511]  ? __lock_is_held+0xb6/0x140
[   32.504082]  ? check_same_owner+0x320/0x320
[   32.504703]  ? handle_mm_fault+0x23e/0x940
[   32.505273]  ? tun_chr_compat_ioctl+0x30/0x30
[   32.505874]  tun_chr_ioctl+0x2a/0x40
[   32.506379]  ? tun_chr_ioctl+0x2a/0x40
[   32.506907]  do_vfs_ioctl+0x1b1/0x1520
[   32.507453]  ? ioctl_preallocate+0x2b0/0x2b0
[   32.508060]  ? selinux_capable+0x40/0x40
[   32.512092]  ? __handle_mm_fault+0x3810/0x3810
[   32.516641]  ? vmacache_find+0x61/0x270
[   32.520596]  ? security_file_ioctl+0x7d/0xb0
[   32.524969]  ? security_file_ioctl+0x89/0xb0
[   32.529346]  SyS_ioctl+0x8f/0xc0
[   32.532685]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   32.537407] RIP: 0033:0x449db9
[   32.540564] RSP: 002b:00007ff3179e4dc8 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
[   32.548238] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000449db9
[   32.555474] RDX: 0000000020533000 RSI: 00000000400454ca RDI: 0000000000000003
[   32.562717] RBP: 0000000000000086 R08: 00007ff3179e5700 R09: 00007ff3179e5700
[   32.569952] R10: 00007ff3179e5700 R11: 0000000000000202 R12: 0000000000000000
[   32.577190] R13: 00007ffdf5b7cc8f R14: 00007ff3179e59c0 R15: 0000000000000000
[   32.584450]
[   32.586047] Allocated by task 3038:
[   32.589644]  save_stack_trace+0x16/0x20
[   32.593584]  save_stack+0x43/0xd0
[   32.597011]  kasan_kmalloc+0xad/0xe0
[   32.600691]  kmem_cache_alloc_trace+0x12f/0x740
[   32.605326]  selinux_tun_dev_alloc_security+0x49/0x170
[   32.610572]  security_tun_dev_alloc_security+0x6d/0xa0
[   32.615819]  __tun_chr_ioctl+0x1730/0x3d50
[   32.620027]  tun_chr_ioctl+0x2a/0x40
[   32.623705]  do_vfs_ioctl+0x1b1/0x1520
[   32.627573]  SyS_ioctl+0x8f/0xc0
[   32.630909]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   32.635635]
[   32.637231] Freed by task 3038:
[   32.640477]  save_stack_trace+0x16/0x20
[   32.644418]  save_stack+0x43/0xd0
[   32.647840]  kasan_slab_free+0x71/0xc0
[   32.651694]  kfree+0xca/0x250
[   32.654765]  selinux_tun_dev_free_security+0x15/0x20
[   32.659832]  security_tun_dev_free_security+0x48/0x80
[   32.664988]  tun_free_netdev+0x13b/0x1b0
[   32.669033]  register_netdevice+0x8d0/0xee0
[   32.673322]  __tun_chr_ioctl+0x1caf/0x3d50
[   32.677519]  tun_chr_ioctl+0x2a/0x40
[   32.681207]  do_vfs_ioctl+0x1b1/0x1520
[   32.685066]  SyS_ioctl+0x8f/0xc0
[   32.688402]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   32.693123]
[   32.694719] The buggy address belongs to the object at ffff8801d0739040
[   32.694719]  which belongs to the cache kmalloc-32 of size 32
[   32.707167] The buggy address is located 0 bytes inside of
[   32.707167]  32-byte region [ffff8801d0739040, ffff8801d0739060)
[   32.718748] The buggy address belongs to the page:
[   32.723643] page:ffffea000741ce40 count:1 mapcount:0 mapping:ffff8801d0739000 index:0xffff8801d0739fc1
[   32.733055] flags: 0x200000000000100(slab)
[   32.737257] raw: 0200000000000100 ffff8801d0739000 ffff8801d0739fc1 000000010000003f
[   32.745101] raw: ffffea0007414120 ffffea000741d420 ffff8801dac001c0 0000000000000000
[   32.752943] page dumped because: kasan: bad access detected
[   32.758615]
[   32.760206] Memory state around the buggy address:
[   32.765104]  ffff8801d0738f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.772428]  ffff8801d0738f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.779750] >ffff8801d0739000: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   32.787070]                                            ^
[   32.792484]  ffff8801d0739080: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   32.799815]  ffff8801d0739100: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   32.807136] ==================================================================
[   32.814457] Disabling lock debugging due to kernel taint
[   32.819956] Kernel panic - not syncing: panic_on_warn set ...
[   32.819956]
[   32.827280] CPU: 1 PID: 3038 Comm: syzkaller204064 Tainted: G B 4.13.0-rc5+ #39
[   32.835903] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.845222] Call Trace:
[   32.847777]  dump_stack+0x194/0x257
[   32.851369]  ? arch_local_irq_restore+0x53/0x53
[   32.856006]  ? kasan_end_report+0x32/0x50
[   32.860121]  ? lock_downgrade+0x990/0x990
[   32.864235]  panic+0x1e4/0x417
[   32.867394]  ? __warn+0x1d9/0x1d9
[   32.870817]  ? selinux_tun_dev_free_security+0x15/0x20
[   32.876062]  ? selinux_tun_dev_free_security+0x15/0x20
[   32.881306]  kasan_end_report+0x50/0x50
[   32.885245]  kasan_report_double_free+0x72/0x80
[   32.889884]  kasan_slab_free+0xa3/0xc0
[   32.893736]  kfree+0xca/0x250
[   32.896814]  selinux_tun_dev_free_security+0x15/0x20
[   32.901887]  security_tun_dev_free_security+0x48/0x80
[   32.907065]  __tun_chr_ioctl+0x2ce6/0x3d50
[   32.911272]  ? tun_select_queue+0x580/0x580
[   32.915559]  ? lock_downgrade+0x990/0x990
[   32.919683]  ? lock_release+0xa40/0xa40
[   32.923634]  ? __lock_is_held+0xb6/0x140
[   32.927671]  ? check_same_owner+0x320/0x320
[   32.931959]  ? handle_mm_fault+0x23e/0x940
[   32.936175]  ? tun_chr_compat_ioctl+0x30/0x30
[   32.940652]  tun_chr_ioctl+0x2a/0x40
[   32.944344]  ? tun_chr_ioctl+0x2a/0x40
[   32.948198]  do_vfs_ioctl+0x1b1/0x1520
[   32.952059]  ? ioctl_preallocate+0x2b0/0x2b0
[   32.956434]  ? selinux_capable+0x40/0x40
[   32.960463]  ? __handle_mm_fault+0x3810/0x3810
[   32.965009]  ? vmacache_find+0x61/0x270
[   32.968954]  ? security_file_ioctl+0x7d/0xb0
[   32.973326]  ? security_file_ioctl+0x89/0xb0
[   32.977706]  SyS_ioctl+0x8f/0xc0
[   32.981042]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   32.985763] RIP: 0033:0x449db9
[   32.988917] RSP: 002b:00007ff3179e4dc8 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
[   32.996587] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000449db9
[   33.003822] RDX: 0000000020533000 RSI: 00000000400454ca RDI: 0000000000000003
[   33.011075] RBP: 0000000000000086 R08: 00007ff3179e5700 R09: 00007ff3179e5700
[   33.018316] R10: 00007ff3179e5700 R11: 0000000000000202 R12: 0000000000000000
[   33.025553] R13: 00007ffdf5b7cc8f R14: 00007ff3179e59c0 R15: 0000000000000000
[   33.032824] Dumping ftrace buffer:
[   33.036327]    (ftrace buffer empty)
[   33.040014] Kernel Offset: disabled
[   33.043607] Rebooting in 86400 seconds..