INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-kasan-gce-0,10.128.15.198' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
executing program

syzkaller login: [   21.197564] ==================================================================
[   21.198687] BUG: KASAN: use-after-free in detach_if_pending+0x557/0x610
[   21.199641] Write of size 8 at addr ffff8801ce963780 by task syzkaller492956/2979
[   21.200657]
[   21.200894] CPU: 1 PID: 2979 Comm: syzkaller492956 Not tainted 4.13.0+ #80
[   21.201854] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   21.203076] Call Trace:
[   21.203439]  dump_stack+0x194/0x257
[   21.203936]  ? arch_local_irq_restore+0x53/0x53
[   21.204573]  ? show_regs_print_info+0x65/0x65
[   21.205177]  ? lock_timer_base+0x1a3/0x2b0
[   21.205749]  ? detach_if_pending+0x557/0x610
[   21.206343]  print_address_description+0x73/0x250
[   21.206991]  ? detach_if_pending+0x557/0x610
[   21.207612]  kasan_report+0x24e/0x340
[   21.208131]  __asan_report_store8_noabort+0x17/0x20
[   21.208831]  detach_if_pending+0x557/0x610
[   21.209411]  ? trace_raw_output_tick_stop+0x130/0x130
[   21.210114]  ? _raw_spin_lock_irqsave+0x9e/0xc0
[   21.210776]  ? lock_timer_base+0x1a3/0x2b0
[   21.211353]  ? lock_timer_base+0x1eb/0x2b0
[   21.211981]  ? __internal_add_timer+0x2d0/0x2d0
[   21.212615]  ? trace_hardirqs_on+0xd/0x10
[   21.213186]  try_to_del_timer_sync+0xa2/0x120
[   21.213826]  ? del_timer+0x130/0x130
[   21.214335]  ? del_timer_sync+0xeb/0x240
[   21.214897]  del_timer_sync+0x18a/0x240
[   21.215459]  tun_free_netdev+0x105/0x1b0
[   21.216012]  ? tun_xdp+0x410/0x410
[   21.216495]  ? cpumask_next+0x24/0x30
[   21.217016]  ? netdev_refcnt_read+0xed/0x150
[   21.217618]  ? tun_xdp+0x410/0x410
[   21.220642]  netdev_run_todo+0x870/0xca0
[   21.224679]  ? do_group_exit+0x149/0x400
[   21.228725]  ? register_netdev+0x30/0x30
[   21.232764]  ? lock_downgrade+0x990/0x990
[   21.236885]  ? trace_hardirqs_on+0xd/0x10
[   21.241032]  ? refcount_sub_and_test+0x115/0x1b0
[   21.245763]  ? refcount_inc+0x50/0x50
[   21.249539]  ? refcount_inc+0x50/0x50
[   21.253339]  ? sk_destruct+0x4c/0x80
[   21.257029]  ? __sk_free+0x5c/0x230
[   21.260632]  ? sk_free+0x2f/0x40
[   21.263975]  ? __tun_detach+0x176/0x1390
[   21.268030]  ? tun_attach+0xf90/0xf90
[   21.271829]  ? locks_remove_file+0x3fa/0x5a0
[   21.276227]  ? fcntl_setlk+0x10d0/0x10d0
[   21.280268]  ? __fsnotify_parent+0xb4/0x3a0
[   21.284569]  ? fsnotify+0x1af0/0x1af0
[   21.288347]  ? __tun_detach+0x1390/0x1390
[   21.292471]  ? __tun_detach+0x1390/0x1390
[   21.296597]  rtnl_unlock+0xe/0x10
[   21.300023]  tun_chr_close+0x49/0x60
[   21.303714]  __fput+0x333/0x7f0
[   21.306975]  ? fput+0x140/0x140
[   21.310232]  ? check_same_owner+0x320/0x320
[   21.314547]  ____fput+0x15/0x20
[   21.317806]  task_work_run+0x199/0x270
[   21.321673]  ? task_work_cancel+0x210/0x210
[   21.325979]  ? free_nsproxy+0x185/0x1f0
[   21.329930]  ? switch_task_namespaces+0xa2/0xc0
[   21.334579]  do_exit+0xa52/0x1b40
[   21.338009]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   21.343012]  ? check_noncircular+0x20/0x20
[   21.347232]  ? mm_update_next_owner+0x930/0x930
[   21.351885]  ? __pmd_alloc+0x4e0/0x4e0
[   21.355759]  ? find_held_lock+0x39/0x1d0
[   21.359808]  ? lock_downgrade+0x990/0x990
[   21.363955]  ? handle_mm_fault+0x410/0x8d0
[   21.368163]  ? down_read_trylock+0xdb/0x170
[   21.372462]  ? __handle_mm_fault+0x39c0/0x39c0
[   21.377022]  ? vmacache_find+0x61/0x270
[   21.380972]  ? vmacache_update+0xfe/0x130
[   21.385101]  ? up_read+0x1a/0x40
[   21.388450]  ? __do_page_fault+0x35b/0xb60
[   21.392669]  ? do_vfs_ioctl+0x492/0x1530
[   21.396721]  ? do_page_fault+0xee/0x720
[   21.400671]  ? __do_page_fault+0xb60/0xb60
[   21.404881]  ? putname+0xf3/0x130
[   21.408321]  do_group_exit+0x149/0x400
[   21.412186]  ? lockdep_sys_exit+0x47/0xf0
[   21.416309]  ? SyS_exit+0x30/0x30
[   21.419740]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   21.424738]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   21.429473]  SyS_exit_group+0x1d/0x20
[   21.433252]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   21.437992] RIP: 0033:0x445169
[   21.441157] RSP: 002b:00000000007efe48 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7
[   21.448844] RAX: ffffffffffffffda RBX: 27ddc276a06efe28 RCX: 0000000000445169
[   21.456107] RDX: 0000000000445169 RSI: 00000000201cb000 RDI: 0000000000000001
[   21.463352] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[   21.470595] R10: 0000000000000000 R11: 0000000000000206 R12: 00000000004027c0
[   21.477838] R13: 0000000000402850 R14: 0000000000000000 R15: 0000000000000000
[   21.485107]
[   21.486709] Allocated by task 2979:
[   21.490315]  save_stack_trace+0x16/0x20
[   21.494264]  save_stack+0x43/0xd0
[   21.497691]  kasan_kmalloc+0xad/0xe0
[   21.501378]  __kmalloc_node+0x47/0x70
[   21.505153]  kvmalloc_node+0x64/0xd0
[   21.508854]  alloc_netdev_mqs+0x16e/0xed0
[   21.512974]  __tun_chr_ioctl+0x12be/0x3d20
[   21.517183]  tun_chr_ioctl+0x2a/0x40
[   21.520870]  do_vfs_ioctl+0x1b1/0x1530
[   21.524729]  SyS_ioctl+0x8f/0xc0
[   21.528068]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   21.532794]
[   21.534397] Freed by task 2979:
[   21.537650]  save_stack_trace+0x16/0x20
[   21.541598]  save_stack+0x43/0xd0
[   21.545022]  kasan_slab_free+0x71/0xc0
[   21.548884]  kfree+0xca/0x250
[   21.551962]  kvfree+0x36/0x60
[   21.555039]  free_netdev+0x2cf/0x360
[   21.558726]  __tun_chr_ioctl+0x2cf6/0x3d20
[   21.562931]  tun_chr_ioctl+0x2a/0x40
[   21.566616]  do_vfs_ioctl+0x1b1/0x1530
[   21.570489]  SyS_ioctl+0x8f/0xc0
[   21.573829]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   21.578553]
[   21.580156] The buggy address belongs to the object at ffff8801ce960380
[   21.580156]  which belongs to the cache kmalloc-16384 of size 16384
[   21.593133] The buggy address is located 13312 bytes inside of
[   21.593133]  16384-byte region [ffff8801ce960380, ffff8801ce964380)
[   21.605326] The buggy address belongs to the page:
[   21.610230] page:ffffea00073a5800 count:1 mapcount:0 mapping:ffff8801ce960380 index:0x0 compound_mapcount: 0
[   21.620182] flags: 0x200000000008100(slab|head)
[   21.624828] raw: 0200000000008100 ffff8801ce960380 0000000000000000 0000000100000001
[   21.632682] raw: ffffea000739c220 ffff8801dac01c50 ffff8801dac02200 0000000000000000
[   21.640534] page dumped because: kasan: bad access detected
[   21.646215]
[   21.647815] Memory state around the buggy address:
[   21.652717]  ffff8801ce963680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.660048]  ffff8801ce963700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.667380] >ffff8801ce963780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.674712]                    ^
[   21.678049]  ffff8801ce963800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.685381]  ffff8801ce963880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.692712] ==================================================================
[   21.700041] Disabling lock debugging due to kernel taint
[   21.705465] Kernel panic - not syncing: panic_on_warn set ...
[   21.705465]
[   21.712794] CPU: 1 PID: 2979 Comm: syzkaller492956 Tainted: G    B           4.13.0+ #80
[   21.720985] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   21.730304] Call Trace:
[   21.732858]  dump_stack+0x194/0x257
[   21.736455]  ? arch_local_irq_restore+0x53/0x53
[   21.741093]  ? vprintk_default+0x28/0x30
[   21.745124]  ? detach_if_pending+0x4c0/0x610
[   21.749500]  panic+0x1e4/0x417
[   21.752672]  ? __warn+0x1d9/0x1d9
[   21.756130]  ? detach_if_pending+0x557/0x610
[   21.760508]  kasan_end_report+0x50/0x50
[   21.764450]  kasan_report+0x137/0x340
[   21.768221]  __asan_report_store8_noabort+0x17/0x20
[   21.773206]  detach_if_pending+0x557/0x610
[   21.777410]  ? trace_raw_output_tick_stop+0x130/0x130
[   21.782569]  ? _raw_spin_lock_irqsave+0x9e/0xc0
[   21.787202]  ? lock_timer_base+0x1a3/0x2b0
[   21.791407]  ? lock_timer_base+0x1eb/0x2b0
[   21.795613]  ? __internal_add_timer+0x2d0/0x2d0
[   21.800255]  ? trace_hardirqs_on+0xd/0x10
[   21.804376]  try_to_del_timer_sync+0xa2/0x120
[   21.808837]  ? del_timer+0x130/0x130
[   21.812518]  ? del_timer_sync+0xeb/0x240
[   21.816552]  del_timer_sync+0x18a/0x240
[   21.820501]  tun_free_netdev+0x105/0x1b0
[   21.824529]  ? tun_xdp+0x410/0x410
[   21.828038]  ? cpumask_next+0x24/0x30
[   21.831811]  ? netdev_refcnt_read+0xed/0x150
[   21.836191]  ? tun_xdp+0x410/0x410
[   21.839701]  netdev_run_todo+0x870/0xca0
[   21.843731]  ? do_group_exit+0x149/0x400
[   21.847764]  ? register_netdev+0x30/0x30
[   21.851796]  ? lock_downgrade+0x990/0x990
[   21.855912]  ? trace_hardirqs_on+0xd/0x10
[   21.860047]  ? refcount_sub_and_test+0x115/0x1b0
[   21.864771]  ? refcount_inc+0x50/0x50
[   21.868537]  ? refcount_inc+0x50/0x50
[   21.872310]  ? sk_destruct+0x4c/0x80
[   21.875991]  ? __sk_free+0x5c/0x230
[   21.879586]  ? sk_free+0x2f/0x40
[   21.882919]  ? __tun_detach+0x176/0x1390
[   21.886956]  ? tun_attach+0xf90/0xf90
[   21.890732]  ? locks_remove_file+0x3fa/0x5a0
[   21.895109]  ? fcntl_setlk+0x10d0/0x10d0
[   21.899141]  ? __fsnotify_parent+0xb4/0x3a0
[   21.903431]  ? fsnotify+0x1af0/0x1af0
[   21.907202]  ? __tun_detach+0x1390/0x1390
[   21.911319]  ? __tun_detach+0x1390/0x1390
[   21.915436]  rtnl_unlock+0xe/0x10
[   21.918855]  tun_chr_close+0x49/0x60
[   21.922536]  __fput+0x333/0x7f0
[   21.925786]  ? fput+0x140/0x140
[   21.929034]  ? check_same_owner+0x320/0x320
[   21.933329]  ____fput+0x15/0x20
[   21.936598]  task_work_run+0x199/0x270
[   21.940458]  ? task_work_cancel+0x210/0x210
[   21.944745]  ? free_nsproxy+0x185/0x1f0
[   21.948690]  ? switch_task_namespaces+0xa2/0xc0
[   21.953334]  do_exit+0xa52/0x1b40
[   21.956754]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   21.961733]  ? check_noncircular+0x20/0x20
[   21.965934]  ? mm_update_next_owner+0x930/0x930
[   21.970569]  ? __pmd_alloc+0x4e0/0x4e0
[   21.974427]  ? find_held_lock+0x39/0x1d0
[   21.978457]  ? lock_downgrade+0x990/0x990
[   21.982579]  ? handle_mm_fault+0x410/0x8d0
[   21.986775]  ? down_read_trylock+0xdb/0x170
[   21.991060]  ? __handle_mm_fault+0x39c0/0x39c0
[   21.995608]  ? vmacache_find+0x61/0x270
[   21.999545]  ? vmacache_update+0xfe/0x130
[   22.003656]  ? up_read+0x1a/0x40
[   22.006988]  ? __do_page_fault+0x35b/0xb60
[   22.011186]  ? do_vfs_ioctl+0x492/0x1530
[   22.015217]  ? do_page_fault+0xee/0x720
[   22.019156]  ? __do_page_fault+0xb60/0xb60
[   22.023353]  ? putname+0xf3/0x130
[   22.026772]  do_group_exit+0x149/0x400
[   22.030621]  ? lockdep_sys_exit+0x47/0xf0
[   22.034732]  ? SyS_exit+0x30/0x30
[   22.038151]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   22.043134]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   22.047854]  SyS_exit_group+0x1d/0x20
[   22.051623]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   22.056349] RIP: 0033:0x445169
[   22.059504] RSP: 002b:00000000007efe48 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7
[   22.067175] RAX: ffffffffffffffda RBX: 27ddc276a06efe28 RCX: 0000000000445169
[   22.074410] RDX: 0000000000445169 RSI: 00000000201cb000 RDI: 0000000000000001
[   22.081644] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[   22.088879] R10: 0000000000000000 R11: 0000000000000206 R12: 00000000004027c0
[   22.096114] R13: 0000000000402850 R14: 0000000000000000 R15: 0000000000000000