INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-mmots-kasan-gce-1,10.128.0.8' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
executing program
syzkaller login: 
[ 40.037313] ==================================================================
[ 40.038391] BUG: KASAN: use-after-free in detach_if_pending+0x557/0x610
[ 40.039305] Write of size 8 at addr ffff8801ce5a3740 by task syzkaller335490/2986
[ 40.040306] 
[ 40.040543] CPU: 0 PID: 2986 Comm: syzkaller335490 Not tainted 4.13.0-mm1+ #7
[ 40.041499] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.042722] Call Trace:
[ 40.043085]  dump_stack+0x194/0x257
[ 40.043581]  ? arch_local_irq_restore+0x53/0x53
[ 40.044248]  ? show_regs_print_info+0x65/0x65
[ 40.044854]  ? lock_timer_base+0x1a3/0x2b0
[ 40.045426]  ? detach_if_pending+0x557/0x610
[ 40.046034]  print_address_description+0x73/0x250
[ 40.046682]  ? detach_if_pending+0x557/0x610
[ 40.047278]  kasan_report+0x24e/0x340
[ 40.047814]  __asan_report_store8_noabort+0x17/0x20
[ 40.048484]  detach_if_pending+0x557/0x610
[ 40.049118]  ? trace_raw_output_tick_stop+0x130/0x130
[ 40.049813]  ? _raw_spin_lock_irqsave+0x9e/0xc0
[ 40.050437]  ? lock_timer_base+0x1a3/0x2b0
[ 40.051009]  ? lock_timer_base+0x1eb/0x2b0
[ 40.051584]  ? __internal_add_timer+0x2d0/0x2d0
[ 40.052213]  ? trace_hardirqs_on+0xd/0x10
[ 40.052782]  try_to_del_timer_sync+0xa2/0x120
[ 40.053386]  ? del_timer+0x130/0x130
[ 40.053891]  ? del_timer_sync+0xeb/0x240
[ 40.054446]  del_timer_sync+0x18a/0x240
[ 40.054990]  tun_free_netdev+0x105/0x1b0
[ 40.055538]  ? tun_xdp+0x410/0x410
[ 40.056018]  ? cpumask_next+0x24/0x30
[ 40.056534]  ? netdev_refcnt_read+0xed/0x150
[ 40.057132]  ? tun_xdp+0x410/0x410
[ 40.057614]  netdev_run_todo+0x870/0xca0
[ 40.061656]  ? do_group_exit+0x149/0x400
[ 40.065698]  ? register_netdev+0x30/0x30
[ 40.069743]  ? lock_downgrade+0x990/0x990
[ 40.073865]  ? trace_hardirqs_on+0xd/0x10
[ 40.078004]  ? refcount_sub_and_test+0x115/0x1b0
[ 40.082736]  ? refcount_inc+0x50/0x50
[ 40.086510]  ? refcount_inc+0x50/0x50
[ 40.090289]  ? sk_destruct+0x4c/0x80
[ 40.093980]  ? __sk_free+0x5c/0x230
[ 40.097580]  ? sk_free+0x2f/0x40
[ 40.100918]  ? __tun_detach+0x176/0x1390
[ 40.104966]  ? tun_attach+0xf90/0xf90
[ 40.108746]  ? locks_remove_file+0x3fa/0x5a0
[ 40.113126]  ? fcntl_setlk+0x10d0/0x10d0
[ 40.117161]  ? __fsnotify_parent+0xb4/0x3a0
[ 40.121468]  ? fsnotify+0x1af0/0x1af0
[ 40.125246]  ? __tun_detach+0x1390/0x1390
[ 40.129363]  ? __tun_detach+0x1390/0x1390
[ 40.133482]  rtnl_unlock+0xe/0x10
[ 40.136906]  tun_chr_close+0x49/0x60
[ 40.140589]  __fput+0x333/0x7f0
[ 40.143844]  ? fput+0x140/0x140
[ 40.147096]  ? check_same_owner+0x320/0x320
[ 40.151393]  ____fput+0x15/0x20
[ 40.154643]  task_work_run+0x199/0x270
[ 40.158504]  ? task_work_cancel+0x210/0x210
[ 40.162802]  ? free_nsproxy+0x185/0x1f0
[ 40.166748]  ? switch_task_namespaces+0xa2/0xc0
[ 40.171390]  do_exit+0xa52/0x1b40
[ 40.174815]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 40.179800]  ? trace_hardirqs_on+0xd/0x10
[ 40.183923]  ? kvfree+0x3b/0x60
[ 40.187179]  ? mm_update_next_owner+0x930/0x930
[ 40.191819]  ? rtnl_unlock+0xe/0x10
[ 40.195417]  ? __tun_chr_ioctl+0x27a/0x3d20
[ 40.199717]  ? tun_chr_read_iter+0x1e0/0x1e0
[ 40.204106]  ? lock_downgrade+0x990/0x990
[ 40.208255]  ? check_same_owner+0x320/0x320
[ 40.212552]  ? __handle_mm_fault+0x39c0/0x39c0
[ 40.217100]  ? vmacache_find+0x61/0x270
[ 40.221048]  ? tun_chr_compat_ioctl+0x30/0x30
[ 40.225511]  ? tun_chr_ioctl+0x2a/0x40
[ 40.229365]  ? tun_chr_ioctl+0x2a/0x40
[ 40.233225]  ? do_vfs_ioctl+0x492/0x1530
[ 40.237263]  ? ioctl_preallocate+0x2b0/0x2b0
[ 40.241646]  ? selinux_capable+0x40/0x40
[ 40.245682]  ? putname+0xf3/0x130
[ 40.249111]  do_group_exit+0x149/0x400
[ 40.252969]  ? SyS_exit+0x30/0x30
[ 40.256395]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 40.261383]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 40.266110]  SyS_exit_group+0x1d/0x20
[ 40.269880]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 40.274606] RIP: 0033:0x4452f9
[ 40.277766] RSP: 002b:00007fff2a64c638 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7
[ 40.285443] RAX: ffffffffffffffda RBX: 00007fff2a64c670 RCX: 00000000004452f9
[ 40.293082] RDX: 00000000004452f9 RSI: 0000000020681000 RDI: 0000000000000001
[ 40.300322] RBP: 0000000000000082 R08: 0000000000000000 R09: 00007fff2a64c670
[ 40.307560] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000004026a0
[ 40.314799] R13: 0000000000402730 R14: 0000000000000000 R15: 0000000000000000
[ 40.322058] 
[ 40.323655] Allocated by task 2986:
[ 40.327262]  save_stack_trace+0x16/0x20
[ 40.331212]  save_stack+0x43/0xd0
[ 40.334631]  kasan_kmalloc+0xad/0xe0
[ 40.338312]  __kmalloc_node+0x47/0x70
[ 40.342080]  kvmalloc_node+0x64/0xd0
[ 40.345762]  alloc_netdev_mqs+0x16e/0xed0
[ 40.349878]  __tun_chr_ioctl+0x12be/0x3d20
[ 40.354080]  tun_chr_ioctl+0x2a/0x40
[ 40.357765]  do_vfs_ioctl+0x1b1/0x1530
[ 40.361619]  SyS_ioctl+0x8f/0xc0
[ 40.364955]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 40.369675] 
[ 40.371272] Freed by task 2986:
[ 40.374520]  save_stack_trace+0x16/0x20
[ 40.378462]  save_stack+0x43/0xd0
[ 40.381883]  kasan_slab_free+0x71/0xc0
[ 40.385739]  kfree+0xca/0x250
[ 40.388810]  kvfree+0x36/0x60
[ 40.391882]  free_netdev+0x2cf/0x360
[ 40.395561]  __tun_chr_ioctl+0x2cf6/0x3d20
[ 40.399763]  tun_chr_ioctl+0x2a/0x40
[ 40.403442]  do_vfs_ioctl+0x1b1/0x1530
[ 40.407297]  SyS_ioctl+0x8f/0xc0
[ 40.410636]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 40.415355] 
[ 40.416952] The buggy address belongs to the object at ffff8801ce5a0340
[ 40.416952]  which belongs to the cache kmalloc-16384 of size 16384
[ 40.429922] The buggy address is located 13312 bytes inside of
[ 40.429922]  16384-byte region [ffff8801ce5a0340, ffff8801ce5a4340)
[ 40.442107] The buggy address belongs to the page:
[ 40.447005] page:ffffea0007396800 count:1 mapcount:0 mapping:ffff8801ce5a0340 index:0x0 compound_mapcount: 0
[ 40.456947] flags: 0x200000000008100(slab|head)
[ 40.461583] raw: 0200000000008100 ffff8801ce5a0340 0000000000000000 0000000100000001
[ 40.469438] raw: ffffea0007398020 ffff8801dac01c50 ffff8801dac02200 0000000000000000
[ 40.477284] page dumped because: kasan: bad access detected
[ 40.482958] 
[ 40.484555] Memory state around the buggy address:
[ 40.489454]  ffff8801ce5a3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.496781]  ffff8801ce5a3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.504107] >ffff8801ce5a3700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.511431]                                            ^
[ 40.516853]  ffff8801ce5a3780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.524176]  ffff8801ce5a3800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.531507] ==================================================================
[ 40.538830] Disabling lock debugging due to kernel taint
[ 40.544241] Kernel panic - not syncing: panic_on_warn set ...
[ 40.544241] 
[ 40.551565] CPU: 0 PID: 2986 Comm: syzkaller335490 Tainted: G B 4.13.0-mm1+ #7
[ 40.560014] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.569330] Call Trace:
[ 40.571883]  dump_stack+0x194/0x257
[ 40.575473]  ? arch_local_irq_restore+0x53/0x53
[ 40.580106]  ? vprintk_default+0x28/0x30
[ 40.584131]  ? detach_if_pending+0x550/0x610
[ 40.588503]  panic+0x1e4/0x417
[ 40.591659]  ? __warn+0x1d9/0x1d9
[ 40.595080]  ? detach_if_pending+0x557/0x610
[ 40.599451]  kasan_end_report+0x50/0x50
[ 40.603386]  kasan_report+0x137/0x340
[ 40.607151]  __asan_report_store8_noabort+0x17/0x20
[ 40.612128]  detach_if_pending+0x557/0x610
[ 40.616327]  ? trace_raw_output_tick_stop+0x130/0x130
[ 40.621481]  ? _raw_spin_lock_irqsave+0x9e/0xc0
[ 40.626122]  ? lock_timer_base+0x1a3/0x2b0
[ 40.630318]  ? lock_timer_base+0x1eb/0x2b0
[ 40.634515]  ? __internal_add_timer+0x2d0/0x2d0
[ 40.639148]  ? trace_hardirqs_on+0xd/0x10
[ 40.643263]  try_to_del_timer_sync+0xa2/0x120
[ 40.647723]  ? del_timer+0x130/0x130
[ 40.651400]  ? del_timer_sync+0xeb/0x240
[ 40.655426]  del_timer_sync+0x18a/0x240
[ 40.659364]  tun_free_netdev+0x105/0x1b0
[ 40.663387]  ? tun_xdp+0x410/0x410
[ 40.666890]  ? cpumask_next+0x24/0x30
[ 40.670657]  ? netdev_refcnt_read+0xed/0x150
[ 40.675027]  ? tun_xdp+0x410/0x410
[ 40.678530]  netdev_run_todo+0x870/0xca0
[ 40.682554]  ? do_group_exit+0x149/0x400
[ 40.686579]  ? register_netdev+0x30/0x30
[ 40.690606]  ? lock_downgrade+0x990/0x990
[ 40.694716]  ? trace_hardirqs_on+0xd/0x10
[ 40.698844]  ? refcount_sub_and_test+0x115/0x1b0
[ 40.703564]  ? refcount_inc+0x50/0x50
[ 40.707328]  ? refcount_inc+0x50/0x50
[ 40.711094]  ? sk_destruct+0x4c/0x80
[ 40.714773]  ? __sk_free+0x5c/0x230
[ 40.718371]  ? sk_free+0x2f/0x40
[ 40.721699]  ? __tun_detach+0x176/0x1390
[ 40.725728]  ? tun_attach+0xf90/0xf90
[ 40.729497]  ? locks_remove_file+0x3fa/0x5a0
[ 40.733867]  ? fcntl_setlk+0x10d0/0x10d0
[ 40.737895]  ? __fsnotify_parent+0xb4/0x3a0
[ 40.742182]  ? fsnotify+0x1af0/0x1af0
[ 40.745948]  ? __tun_detach+0x1390/0x1390
[ 40.750061]  ? __tun_detach+0x1390/0x1390
[ 40.754172]  rtnl_unlock+0xe/0x10
[ 40.757589]  tun_chr_close+0x49/0x60
[ 40.761266]  __fput+0x333/0x7f0
[ 40.764510]  ? fput+0x140/0x140
[ 40.767754]  ? check_same_owner+0x320/0x320
[ 40.772040]  ____fput+0x15/0x20
[ 40.775283]  task_work_run+0x199/0x270
[ 40.779133]  ? task_work_cancel+0x210/0x210
[ 40.783425]  ? free_nsproxy+0x185/0x1f0
[ 40.787363]  ? switch_task_namespaces+0xa2/0xc0
[ 40.791998]  do_exit+0xa52/0x1b40
[ 40.795414]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 40.800400]  ? trace_hardirqs_on+0xd/0x10
[ 40.804514]  ? kvfree+0x3b/0x60
[ 40.807760]  ? mm_update_next_owner+0x930/0x930
[ 40.812391]  ? rtnl_unlock+0xe/0x10
[ 40.815980]  ? __tun_chr_ioctl+0x27a/0x3d20
[ 40.820270]  ? tun_chr_read_iter+0x1e0/0x1e0
[ 40.824649]  ? lock_downgrade+0x990/0x990
[ 40.828771]  ? check_same_owner+0x320/0x320
[ 40.833054]  ? __handle_mm_fault+0x39c0/0x39c0
[ 40.837608]  ? vmacache_find+0x61/0x270
[ 40.841548]  ? tun_chr_compat_ioctl+0x30/0x30
[ 40.846004]  ? tun_chr_ioctl+0x2a/0x40
[ 40.849855]  ? tun_chr_ioctl+0x2a/0x40
[ 40.853705]  ? do_vfs_ioctl+0x492/0x1530
[ 40.857733]  ? ioctl_preallocate+0x2b0/0x2b0
[ 40.862108]  ? selinux_capable+0x40/0x40
[ 40.866132]  ? putname+0xf3/0x130
[ 40.869551]  do_group_exit+0x149/0x400
[ 40.873403]  ? SyS_exit+0x30/0x30
[ 40.876828]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 40.881820]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 40.886548]  SyS_exit_group+0x1d/0x20
[ 40.890313]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 40.895031] RIP: 0033:0x4452f9
[ 40.898185] RSP: 002b:00007fff2a64c638 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7
[ 40.905854] RAX: ffffffffffffffda RBX: 00007fff2a64c670 RCX: 00000000004452f9
[ 40.913086] RDX: 00000000004452f9 RSI: 0000000020681000 RDI: 0000000000000001
[ 40.920319] RBP: 0000000000000082 R08: 0000000000000000 R09: 00007fff2a64c670
[ 40.927560] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000004026a0
[ 40.934793] R13: 0000000000402730 R14: 0000000000000000 R15: 0000000000000000
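The report above is the raw syzkaller console log, and the facts a triager needs (what was accessed, where inside which object, who allocated it and who freed it) are spread over a few hundred lines. The script below is an added example, not part of the syzkaller report or of the kernel tree. It parses an excerpt of the report (constructed from the lines above with timestamps removed and the stacks shortened), names the first frame of each stack that is not KASAN or allocator plumbing, and recomputes the access offset from the raw addresses so that the report's own "13312 bytes inside of" line is checked rather than trusted. The function names (`parse_kasan_report`, `origin`, `triage`) and the `NOISE` prefix list are this example's own choices, not anything defined by KASAN or syzkaller.

```python
import re

# Constructed excerpt of the KASAN report above: timestamps dropped, stacks
# shortened, one unreliable "? " frame kept to show that it is ignored.
SAMPLE_REPORT = """\
BUG: KASAN: use-after-free in detach_if_pending+0x557/0x610
Write of size 8 at addr ffff8801ce5a3740 by task syzkaller335490/2986
Call Trace:
 dump_stack+0x194/0x257
 ? lock_timer_base+0x1a3/0x2b0
 print_address_description+0x73/0x250
 kasan_report+0x24e/0x340
 __asan_report_store8_noabort+0x17/0x20
 detach_if_pending+0x557/0x610
 try_to_del_timer_sync+0xa2/0x120
 del_timer_sync+0x18a/0x240
 tun_free_netdev+0x105/0x1b0
 netdev_run_todo+0x870/0xca0

Allocated by task 2986:
 kasan_kmalloc+0xad/0xe0
 __kmalloc_node+0x47/0x70
 alloc_netdev_mqs+0x16e/0xed0
 __tun_chr_ioctl+0x12be/0x3d20

Freed by task 2986:
 kasan_slab_free+0x71/0xc0
 kfree+0xca/0x250
 free_netdev+0x2cf/0x360
 __tun_chr_ioctl+0x2cf6/0x3d20

The buggy address belongs to the object at ffff8801ce5a0340
 which belongs to the cache kmalloc-16384 of size 16384
The buggy address is located 13312 bytes inside of
 16384-byte region [ffff8801ce5a0340, ffff8801ce5a4340)
"""

FACT_RES = {
    "bug": re.compile(r"^BUG: KASAN: (\S+) in ([\w.]+)\+0x"),
    "access": re.compile(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)"),
    "object": re.compile(r"belongs to the object at ([0-9a-f]+)"),
    "cache": re.compile(r"belongs to the cache (\S+) of size (\d+)"),
    "stated": re.compile(r"is located (\d+) bytes (inside of|to the (?:left|right) of)"),
}
STACK_RE = re.compile(r"^(?:Call Trace:|(Allocated|Freed) by task (\d+):)$")
FRAME_RE = re.compile(r"^(\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
# KASAN plumbing and allocator frames (prefixes chosen for this example).
NOISE = ("dump_stack", "print_address_description", "kasan_", "__asan_",
         "save_stack", "__kmalloc", "kvmalloc", "kfree", "kvfree")

def parse_kasan_report(text):
    """Extract the triage-relevant facts from one KASAN report."""
    info = {"stacks": {"access": [], "alloc": [], "free": []}}
    section = None
    for line in (l.strip() for l in text.splitlines()):
        m = STACK_RE.match(line)
        f = FRAME_RE.match(line) if section else None
        if m:                                  # a stack header opens a section
            section = {"Allocated": "alloc", "Freed": "free"}.get(m.group(1), "access")
            if m.group(2):
                info[section + "_pid"] = int(m.group(2))
        elif f:
            if not f.group(1):                 # "? " frames are guesses: skip them
                info["stacks"][section].append(f.group(2))
        else:                                  # any other line closes the section
            section = None
            for key, rx in FACT_RES.items():
                m = rx.search(line)
                if m:
                    info[key] = m.groups()
    return info

def origin(frames):
    """First frame that is neither KASAN plumbing nor the allocator."""
    return next((f for f in frames if not f.startswith(NOISE)), None)

def triage(text):
    """Name the interesting frames and recompute the access offset from the
    raw addresses instead of trusting the report's own arithmetic."""
    info = parse_kasan_report(text)
    kind, func = info["bug"]
    op, size, addr, pid = info["access"]
    base, obj_size = int(info["object"][0], 16), int(info["cache"][1])
    stated, where = int(info["stated"][0]), info["stated"][1]
    off = int(addr, 16) - base
    return {
        "kind": kind,
        "access": "%s of %s bytes in %s" % (op, size, func),
        "touched_by": origin(info["stacks"]["access"]),
        "allocated_by": origin(info["stacks"]["alloc"]),
        "freed_by": origin(info["stacks"]["free"]),
        "same_task_freed_and_used": info.get("free_pid") == int(pid),
        "offset": off,
        "matches_stated": where == "inside of" and off == stated,
        "inside_object": 0 <= off and off + int(size) <= obj_size,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

Run on this report, `triage` confirms the arithmetic (0xffff8801ce5a3740 minus 0xffff8801ce5a0340 is 0x3400, i.e. 13312 bytes, with the 8-byte write still inside the 16384-byte object) and reduces the stacks to the three frames that matter: the object came from `alloc_netdev_mqs` in `__tun_chr_ioctl`, was freed by `free_netdev` also in `__tun_chr_ioctl`, and was written again by `detach_if_pending` underneath `del_timer_sync` in `tun_free_netdev` on the close path, all in the same task. An offset that far into an `alloc_netdev_mqs` allocation is past `struct net_device` itself and most likely inside the driver-private area appended to it, which is where a timer embedded in the driver's state would live; that is the next thing to check against the source.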