INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-next-kasan-gce-7,10.128.0.41' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
executing program
syzkaller login: [   37.231828] ==================================================================
[   37.239675] BUG: KASAN: use-after-free in detach_if_pending+0x557/0x610
[   37.246413] Write of size 8 at addr ffff8801ceb5b780 by task syzkaller228982/2983
[   37.254022]
[   37.255633] CPU: 0 PID: 2983 Comm: syzkaller228982 Not tainted 4.13.0-next-20170907+ #17
[   37.263830] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   37.273158] Call Trace:
[   37.275727]  dump_stack+0x194/0x257
[   37.279341]  ? arch_local_irq_restore+0x53/0x53
[   37.283990]  ? show_regs_print_info+0x65/0x65
[   37.288476]  ? lock_timer_base+0x1a3/0x2b0
[   37.292705]  ? detach_if_pending+0x557/0x610
[   37.297100]  print_address_description+0x73/0x250
[   37.301917]  ? detach_if_pending+0x557/0x610
[   37.306320]  kasan_report+0x24e/0x340
[   37.310098]  __asan_report_store8_noabort+0x17/0x20
[   37.315094]  detach_if_pending+0x557/0x610
[   37.319304]  ? trace_raw_output_tick_stop+0x130/0x130
[   37.324479]  ? _raw_spin_lock_irqsave+0x9e/0xc0
[   37.329132]  ? lock_timer_base+0x1a3/0x2b0
[   37.333343]  ? lock_timer_base+0x1eb/0x2b0
[   37.337551]  ? __internal_add_timer+0x2d0/0x2d0
[   37.342206]  ? trace_hardirqs_on+0xd/0x10
[   37.346381]  try_to_del_timer_sync+0xa2/0x120
[   37.350860]  ? del_timer+0x130/0x130
[   37.354554]  ? del_timer_sync+0xeb/0x240
[   37.358593]  del_timer_sync+0x18a/0x240
[   37.362548]  tun_free_netdev+0x105/0x1b0
[   37.366582]  ? tun_xdp+0x410/0x410
[   37.370097]  ? cpumask_next+0x24/0x30
[   37.373870]  ? netdev_refcnt_read+0xed/0x150
[   37.378599]  ? tun_xdp+0x410/0x410
[   37.382112]  netdev_run_todo+0x870/0xca0
[   37.386154]  ? do_group_exit+0x149/0x400
[   37.390237]  ? register_netdev+0x30/0x30
[   37.394297]  ? lock_downgrade+0x990/0x990
[   37.398441]  ? trace_hardirqs_on+0xd/0x10
[   37.402612]  ? refcount_sub_and_test+0x115/0x1b0
[   37.407361]  ? refcount_inc+0x50/0x50
[   37.411140]  ? refcount_inc+0x50/0x50
[   37.414920]  ? sk_destruct+0x4c/0x80
[   37.418639]  ? __sk_free+0x5c/0x230
[   37.422271]  ? sk_free+0x2f/0x40
[   37.425612]  ? __tun_detach+0x176/0x1390
[   37.429659]  ? tun_attach+0xf90/0xf90
[   37.433440]  ? locks_remove_file+0x3fa/0x5a0
[   37.437820]  ? fcntl_setlk+0x10d0/0x10d0
[   37.441866]  ? __fsnotify_parent+0xb4/0x3a0
[   37.446159]  ? fsnotify+0x1af0/0x1af0
[   37.449935]  ? __tun_detach+0x1390/0x1390
[   37.454068]  ? __tun_detach+0x1390/0x1390
[   37.458206]  rtnl_unlock+0xe/0x10
[   37.461638]  tun_chr_close+0x49/0x60
[   37.465321]  __fput+0x333/0x7f0
[   37.468581]  ? fput+0x140/0x140
[   37.471846]  ? check_same_owner+0x320/0x320
[   37.476163]  ____fput+0x15/0x20
[   37.479434]  task_work_run+0x199/0x270
[   37.483314]  ? task_work_cancel+0x210/0x210
[   37.487620]  ? free_nsproxy+0x185/0x1f0
[   37.491586]  ? switch_task_namespaces+0xa2/0xc0
[   37.496253]  do_exit+0xa52/0x1b40
[   37.499693]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   37.504699]  ? check_noncircular+0x20/0x20
[   37.508916]  ? mm_update_next_owner+0x930/0x930
[   37.513558]  ? __pmd_alloc+0x4e0/0x4e0
[   37.517444]  ? find_held_lock+0x39/0x1d0
[   37.521512]  ? lock_downgrade+0x990/0x990
[   37.525673]  ? handle_mm_fault+0x410/0x8d0
[   37.529885]  ? down_read_trylock+0xdb/0x170
[   37.534182]  ? __handle_mm_fault+0x39c0/0x39c0
[   37.538748]  ? vmacache_find+0x61/0x270
[   37.542694]  ? vmacache_update+0xfe/0x130
[   37.546826]  ? up_read+0x1a/0x40
[   37.550172]  ? __do_page_fault+0x35b/0xb60
[   37.554389]  ? do_vfs_ioctl+0x492/0x1530
[   37.558433]  ? do_page_fault+0xee/0x720
[   37.562379]  ? __do_page_fault+0xb60/0xb60
[   37.566596]  ? putname+0xf3/0x130
[   37.570043]  do_group_exit+0x149/0x400
[   37.573903]  ? lockdep_sys_exit+0x47/0xf0
[   37.578033]  ? SyS_exit+0x30/0x30
[   37.581467]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   37.586471]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   37.591208]  SyS_exit_group+0x1d/0x20
[   37.595012]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   37.599758] RIP: 0033:0x444dc9
[   37.602929] RSP: 002b:00007ffd3bca2338 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7
[   37.610651] RAX: ffffffffffffffda RBX: 00007ffd3bca2380 RCX: 0000000000444dc9
[   37.617900] RDX: 0000000000444dc9 RSI: 0000000020906fd8 RDI: 0000000000000001
[   37.625153] RBP: 0000000000000082 R08: 0000000000000000 R09: 00007ffd3bca2380
[   37.632934] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000402170
[   37.640201] R13: 0000000000402200 R14: 0000000000000000 R15: 0000000000000000
[   37.647470]
[   37.649073] Allocated by task 2983:
[   37.652710]  save_stack_trace+0x16/0x20
[   37.656677]  save_stack+0x43/0xd0
[   37.660111]  kasan_kmalloc+0xad/0xe0
[   37.663805]  __kmalloc_node+0x47/0x70
[   37.667589]  kvmalloc_node+0x64/0xd0
[   37.671475]  alloc_netdev_mqs+0x16e/0xed0
[   37.675627]  __tun_chr_ioctl+0x12be/0x3d20
[   37.679850]  tun_chr_ioctl+0x2a/0x40
[   37.683553]  do_vfs_ioctl+0x1b1/0x1530
[   37.687432]  SyS_ioctl+0x8f/0xc0
[   37.690784]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   37.695520]
[   37.697131] Freed by task 2983:
[   37.700400]  save_stack_trace+0x16/0x20
[   37.704364]  save_stack+0x43/0xd0
[   37.707816]  kasan_slab_free+0x71/0xc0
[   37.711687]  kfree+0xca/0x250
[   37.714797]  kvfree+0x36/0x60
[   37.717893]  free_netdev+0x2cf/0x360
[   37.721589]  __tun_chr_ioctl+0x2cf6/0x3d20
[   37.725797]  tun_chr_ioctl+0x2a/0x40
[   37.730189]  do_vfs_ioctl+0x1b1/0x1530
[   37.734060]  SyS_ioctl+0x8f/0xc0
[   37.737414]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   37.742146]
[   37.743748] The buggy address belongs to the object at ffff8801ceb58380
[   37.743748]  which belongs to the cache kmalloc-16384 of size 16384
[   37.756731] The buggy address is located 13312 bytes inside of
[   37.756731]  16384-byte region [ffff8801ceb58380, ffff8801ceb5c380)
[   37.768928] The buggy address belongs to the page:
[   37.773830] page:ffffea00073ad600 count:1 mapcount:0 mapping:ffff8801ceb58380 index:0x0 compound_mapcount: 0
[   37.783794] flags: 0x200000000008100(slab|head)
[   37.788453] raw: 0200000000008100 ffff8801ceb58380 0000000000000000 0000000100000001
[   37.796320] raw: ffffea00073cf020 ffff8801dac01c50 ffff8801dac02200 0000000000000000
[   37.804196] page dumped because: kasan: bad access detected
[   37.809891]
[   37.811491] Memory state around the buggy address:
[   37.816397]  ffff8801ceb5b680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.823736]  ffff8801ceb5b700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.831076] >ffff8801ceb5b780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.838416]                    ^
[   37.841772]  ffff8801ceb5b800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.849128]  ffff8801ceb5b880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.856475] ==================================================================
[   37.863815] Disabling lock debugging due to kernel taint
[   37.869242] Kernel panic - not syncing: panic_on_warn set ...
[   37.869242]
[   37.876586] CPU: 0 PID: 2983 Comm: syzkaller228982 Tainted: G    B   4.13.0-next-20170907+ #17
[   37.886013] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   37.895332] Call Trace:
[   37.897891]  dump_stack+0x194/0x257
[   37.901485]  ? arch_local_irq_restore+0x53/0x53
[   37.906135]  ? vprintk_default+0x28/0x30
[   37.910181]  ? detach_if_pending+0x530/0x610
[   37.914577]  panic+0x1e4/0x417
[   37.917760]  ? __warn+0x1d9/0x1d9
[   37.921211]  ? detach_if_pending+0x557/0x610
[   37.925612]  kasan_end_report+0x50/0x50
[   37.929570]  kasan_report+0x137/0x340
[   37.933357]  __asan_report_store8_noabort+0x17/0x20
[   37.938444]  detach_if_pending+0x557/0x610
[   37.942665]  ? trace_raw_output_tick_stop+0x130/0x130
[   37.947836]  ? _raw_spin_lock_irqsave+0x9e/0xc0
[   37.952483]  ? lock_timer_base+0x1a3/0x2b0
[   37.956697]  ? lock_timer_base+0x1eb/0x2b0
[   37.960898]  ? __internal_add_timer+0x2d0/0x2d0
[   37.965537]  ? trace_hardirqs_on+0xd/0x10
[   37.969661]  try_to_del_timer_sync+0xa2/0x120
[   37.974125]  ? del_timer+0x130/0x130
[   37.977807]  ? del_timer_sync+0xeb/0x240
[   37.981926]  del_timer_sync+0x18a/0x240
[   37.985874]  tun_free_netdev+0x105/0x1b0
[   37.989913]  ? tun_xdp+0x410/0x410
[   37.993422]  ? cpumask_next+0x24/0x30
[   37.997193]  ? netdev_refcnt_read+0xed/0x150
[   38.001570]  ? tun_xdp+0x410/0x410
[   38.005082]  netdev_run_todo+0x870/0xca0
[   38.009109]  ? do_group_exit+0x149/0x400
[   38.013139]  ? register_netdev+0x30/0x30
[   38.017255]  ? lock_downgrade+0x990/0x990
[   38.021376]  ? trace_hardirqs_on+0xd/0x10
[   38.025623]  ? refcount_sub_and_test+0x115/0x1b0
[   38.030354]  ? refcount_inc+0x50/0x50
[   38.034124]  ? refcount_inc+0x50/0x50
[   38.037905]  ? sk_destruct+0x4c/0x80
[   38.041601]  ? __sk_free+0x5c/0x230
[   38.045207]  ? sk_free+0x2f/0x40
[   38.048538]  ? __tun_detach+0x176/0x1390
[   38.052570]  ? tun_attach+0xf90/0xf90
[   38.056347]  ? locks_remove_file+0x3fa/0x5a0
[   38.060743]  ? fcntl_setlk+0x10d0/0x10d0
[   38.064891]  ? __fsnotify_parent+0xb4/0x3a0
[   38.069203]  ? fsnotify+0x1af0/0x1af0
[   38.073002]  ? __tun_detach+0x1390/0x1390
[   38.077220]  ? __tun_detach+0x1390/0x1390
[   38.081387]  rtnl_unlock+0xe/0x10
[   38.084834]  tun_chr_close+0x49/0x60
[   38.088530]  __fput+0x333/0x7f0
[   38.091785]  ? fput+0x140/0x140
[   38.095040]  ? check_same_owner+0x320/0x320
[   38.099348]  ____fput+0x15/0x20
[   38.102614]  task_work_run+0x199/0x270
[   38.106468]  ? task_work_cancel+0x210/0x210
[   38.110764]  ? free_nsproxy+0x185/0x1f0
[   38.114702]  ? switch_task_namespaces+0xa2/0xc0
[   38.119344]  do_exit+0xa52/0x1b40
[   38.122764]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   38.127762]  ? check_noncircular+0x20/0x20
[   38.131966]  ? mm_update_next_owner+0x930/0x930
[   38.136626]  ? __pmd_alloc+0x4e0/0x4e0
[   38.140506]  ? find_held_lock+0x39/0x1d0
[   38.144551]  ? lock_downgrade+0x990/0x990
[   38.148683]  ? handle_mm_fault+0x410/0x8d0
[   38.152885]  ? down_read_trylock+0xdb/0x170
[   38.157170]  ? __handle_mm_fault+0x39c0/0x39c0
[   38.161732]  ? vmacache_find+0x61/0x270
[   38.165685]  ? vmacache_update+0xfe/0x130
[   38.169811]  ? up_read+0x1a/0x40
[   38.173151]  ? __do_page_fault+0x35b/0xb60
[   38.177356]  ? do_vfs_ioctl+0x492/0x1530
[   38.181400]  ? do_page_fault+0xee/0x720
[   38.185364]  ? __do_page_fault+0xb60/0xb60
[   38.189595]  ? putname+0xf3/0x130
[   38.193034]  do_group_exit+0x149/0x400
[   38.196912]  ? lockdep_sys_exit+0x47/0xf0
[   38.201035]  ? SyS_exit+0x30/0x30
[   38.204469]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   38.209468]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   38.214211]  SyS_exit_group+0x1d/0x20
[   38.218005]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   38.222739] RIP: 0033:0x444dc9
[   38.225908] RSP: 002b:00007ffd3bca2338 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7