syzbot

BUG: KASAN: use-after-free in hlist_add_head include/linux/list.h:673 [inline]
BUG: KASAN: use-after-free in enqueue_timer kernel/time/timer.c:520 [inline]
BUG: KASAN: use-after-free in __internal_add_timer+0x275/0x2d0 kernel/time/timer.c:531
Write of size 8 at addr ffff8801d27b3600 by task syzkaller319675/2997

CPU: 1 PID: 2997 Comm: syzkaller319675 Not tainted 4.14.0-rc5+ #52
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:52
 print_address_description+0x73/0x250 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report+0x25b/0x340 mm/kasan/report.c:409
 __asan_report_store8_noabort+0x17/0x20 mm/kasan/report.c:435
 hlist_add_head include/linux/list.h:673 [inline]
 enqueue_timer kernel/time/timer.c:520 [inline]
 __internal_add_timer+0x275/0x2d0 kernel/time/timer.c:531
 internal_add_timer kernel/time/timer.c:573 [inline]
 __mod_timer kernel/time/timer.c:1024 [inline]
 mod_timer+0x622/0x15b0 kernel/time/timer.c:1071
 tun_flow_init drivers/net/tun.c:1098 [inline]
 tun_set_iff drivers/net/tun.c:2060 [inline]
 __tun_chr_ioctl+0x1b17/0x3d20 drivers/net/tun.c:2278
 tun_chr_compat_ioctl+0x29/0x30 drivers/net/tun.c:2551
 C_SYSC_ioctl fs/compat_ioctl.c:1593 [inline]
 compat_SyS_ioctl+0x1d7/0x3290 fs/compat_ioctl.c:1540
 do_syscall_32_irqs_on arch/x86/entry/common.c:329 [inline]
 do_fast_syscall_32+0x3f2/0xf05 arch/x86/entry/common.c:391
 entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:124
RIP: 0023:0xf7fb1c79
RSP: 002b:00000000ffdfb76c EFLAGS: 00000282 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000400454ca
RDX: 00000000209fa000 RSI: 00000000080ef00c RDI: 000000000000003f
RBP: 0000000000001000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 2997:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
 __do_kmalloc_node mm/slab.c:3689 [inline]
 __kmalloc_node+0x47/0x70 mm/slab.c:3696
 kmalloc_node include/linux/slab.h:535 [inline]
 kvmalloc_node+0x64/0xd0 mm/util.c:397
 kvmalloc include/linux/mm.h:529 [inline]
 kvzalloc include/linux/mm.h:537 [inline]
 alloc_netdev_mqs+0x16e/0xed0 net/core/dev.c:8023
 tun_set_iff drivers/net/tun.c:2024 [inline]
 __tun_chr_ioctl+0x12b2/0x3d20 drivers/net/tun.c:2278
 tun_chr_compat_ioctl+0x29/0x30 drivers/net/tun.c:2551
 C_SYSC_ioctl fs/compat_ioctl.c:1593 [inline]
 compat_SyS_ioctl+0x1d7/0x3290 fs/compat_ioctl.c:1540
 do_syscall_32_irqs_on arch/x86/entry/common.c:329 [inline]
 do_fast_syscall_32+0x3f2/0xf05 arch/x86/entry/common.c:391
 entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:124

Freed by task 2997:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xca/0x250 mm/slab.c:3820
 kvfree+0x36/0x60 mm/util.c:416
 netdev_freemem net/core/dev.c:7975 [inline]
 free_netdev+0x2cf/0x360 net/core/dev.c:8137
 tun_set_iff drivers/net/tun.c:2107 [inline]
 __tun_chr_ioctl+0x2cea/0x3d20 drivers/net/tun.c:2278
 tun_chr_compat_ioctl+0x29/0x30 drivers/net/tun.c:2551
 C_SYSC_ioctl fs/compat_ioctl.c:1593 [inline]
 compat_SyS_ioctl+0x1d7/0x3290 fs/compat_ioctl.c:1540
 do_syscall_32_irqs_on arch/x86/entry/common.c:329 [inline]
 do_fast_syscall_32+0x3f2/0xf05 arch/x86/entry/common.c:391
 entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:124

The buggy address belongs to the object at ffff8801d27b02c0
 which belongs to the cache kmalloc-16384 of size 16384
The buggy address is located 13120 bytes inside of
 16384-byte region [ffff8801d27b02c0, ffff8801d27b42c0)
The buggy address belongs to the page:
page:ffffea000749ec00 count:1 mapcount:0 mapping:ffff8801d27b02c0 index:0x0 compound_mapcount: 0
flags: 0x200000000008100(slab|head)
raw: 0200000000008100 ffff8801d27b02c0 0000000000000000 0000000100000001
raw: ffffea0007659020 ffffea00074cc220 ffff8801dac02200 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801d27b3500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801d27b3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801d27b3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff8801d27b3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801d27b3700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================