net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
executing program
syzkaller login: [   22.475275] ==================================================================
[   22.475930] BUG: KASAN: use-after-free in detach_if_pending+0x557/0x610
[   22.476416] Write of size 8 at addr ffff88003b9ab640 by task syzkaller963482/2974
[   22.476973] 
[   22.477145] CPU: 0 PID: 2974 Comm: syzkaller963482 Not tainted 4.13.0-next-20170905+ #15
[   22.477937] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[   22.478678] Call Trace:
[   22.478936]  dump_stack+0x194/0x257
[   22.479208]  ? arch_local_irq_restore+0x53/0x53
[   22.479551]  ? show_regs_print_info+0x65/0x65
[   22.480002]  ? lock_timer_base+0x1a3/0x2b0
[   22.480452]  ? detach_if_pending+0x557/0x610
[   22.480924]  print_address_description+0x73/0x250
[   22.481449]  ? detach_if_pending+0x557/0x610
[   22.481936]  kasan_report+0x24e/0x340
[   22.482441]  __asan_report_store8_noabort+0x17/0x20
[   22.482821]  detach_if_pending+0x557/0x610
[   22.483131]  ? trace_raw_output_tick_stop+0x130/0x130
[   22.483485]  ? _raw_spin_lock_irqsave+0x9e/0xc0
[   22.483804]  ? lock_timer_base+0x1a3/0x2b0
[   22.484189]  ? lock_timer_base+0x1eb/0x2b0
[   22.484607]  ? __internal_add_timer+0x2d0/0x2d0
[   22.484931]  ? trace_hardirqs_on+0xd/0x10
[   22.485299]  try_to_del_timer_sync+0xa2/0x120
[   22.485733]  ? del_timer+0x130/0x130
[   22.486093]  ? del_timer_sync+0xeb/0x240
[   22.486475]  del_timer_sync+0x18a/0x240
[   22.486844]  tun_free_netdev+0x105/0x1b0
[   22.487219]  ? tun_xdp+0x410/0x410
[   22.487565]  ? cpumask_next+0x24/0x30
[   22.488000]  ? netdev_refcnt_read+0xed/0x150
[   22.488410]  ? tun_xdp+0x410/0x410
[   22.488738]  netdev_run_todo+0x870/0xca0
[   22.489113]  ? do_group_exit+0x149/0x400
[   22.489472]  ? register_netdev+0x30/0x30
[   22.489853]  ? lock_downgrade+0x990/0x990
[   22.490142]  ? trace_hardirqs_on+0xd/0x10
[   22.490437]  ? refcount_sub_and_test+0x115/0x1b0
[   22.490763]  ? refcount_inc+0x50/0x50
[   22.491028]  ? refcount_inc+0x50/0x50
[   22.491384]  ? sk_destruct+0x4c/0x80
[   22.491725]  ? __sk_free+0x5c/0x230
[   22.492038]  ? sk_free+0x2f/0x40
[   22.492325]  ? __tun_detach+0x176/0x1390
[   22.492977]  ? tun_attach+0xf90/0xf90
[   22.493270]  ? locks_remove_file+0x3fa/0x5a0
[   22.493588]  ? fcntl_setlk+0x10d0/0x10d0
[   22.493930]  ? __fsnotify_parent+0xb4/0x3a0
[   22.494343]  ? fsnotify+0x1af0/0x1af0
[   22.494694]  ? __tun_detach+0x1390/0x1390
[   22.495085]  ? __tun_detach+0x1390/0x1390
[   22.495510]  rtnl_unlock+0xe/0x10
[   22.495843]  tun_chr_close+0x49/0x60
[   22.496199]  __fput+0x333/0x7f0
[   22.496503]  ? fput+0x140/0x140
[   22.496818]  ? check_same_owner+0x320/0x320
[   22.497232]  ____fput+0x15/0x20
[   22.497532]  task_work_run+0x199/0x270
[   22.497899]  ? task_work_cancel+0x210/0x210
[   22.498306]  ? free_nsproxy+0x185/0x1f0
[   22.498670]  ? switch_task_namespaces+0xa2/0xc0
[   22.499112]  do_exit+0xa52/0x1b40
[   22.499434]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   22.499898]  ? trace_hardirqs_on+0xd/0x10
[   22.500204]  ? kvfree+0x3b/0x60
[   22.500437]  ? mm_update_next_owner+0x930/0x930
[   22.500788]  ? rtnl_unlock+0xe/0x10
[   22.501051]  ? __tun_chr_ioctl+0x27a/0x3d20
[   22.501386]  ? tun_chr_read_iter+0x1e0/0x1e0
[   22.501706]  ? lock_downgrade+0x990/0x990
[   22.502027]  ? check_same_owner+0x320/0x320
[   22.502328]  ? __handle_mm_fault+0x39c0/0x39c0
[   22.502640]  ? vmacache_find+0x61/0x270
[   22.502918]  ? tun_chr_compat_ioctl+0x30/0x30
[   22.503239]  ? tun_chr_ioctl+0x2a/0x40
[   22.503507]  ? tun_chr_ioctl+0x2a/0x40
[   22.503774]  ? do_vfs_ioctl+0x492/0x1530
[   22.504073]  ? ioctl_preallocate+0x2b0/0x2b0
[   22.504377]  ? selinux_capable+0x40/0x40
[   22.504660]  ? putname+0xf3/0x130
[   22.504902]  do_group_exit+0x149/0x400
[   22.505201]  ? SyS_exit+0x30/0x30
[   22.505445]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   22.505790]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   22.506132]  SyS_exit_group+0x1d/0x20
[   22.506399]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   22.506723] RIP: 0033:0x43a3f9
[   22.506942] RSP: 002b:00007ffde4a9efc8 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7
[   22.507493] RAX: ffffffffffffffda RBX: 00007ffde4a9f160 RCX: 000000000043a3f9
[   22.507986] RDX: 000000000043a3f9 RSI: 0000000020fbb000 RDI: 0000000000000001
[   22.508640] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[   22.509302] R10: 00000000000000fd R11: 0000000000000202 R12: 0000000000000000
[   22.509951] R13: 0000000000402730 R14: 00000000004027c0 R15: 0000000000000000
[   22.510614] 
[   22.510794] Allocated by task 2974:
[   22.511077]  save_stack_trace+0x16/0x20
[   22.511379]  save_stack+0x43/0xd0
[   22.511621]  kasan_kmalloc+0xad/0xe0
[   22.511877]  __kmalloc_node+0x47/0x70
[   22.512154]  kvmalloc_node+0x64/0xd0
[   22.512490]  alloc_netdev_mqs+0x16e/0xed0
[   22.512869]  __tun_chr_ioctl+0x12be/0x3d20
[   22.513218]  tun_chr_ioctl+0x2a/0x40
[   22.513843]  do_vfs_ioctl+0x1b1/0x1530
[   22.514212]  SyS_ioctl+0x8f/0xc0
[   22.514518]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   22.514942] 
[   22.515070] Freed by task 2974:
[   22.515297]  save_stack_trace+0x16/0x20
[   22.515571]  save_stack+0x43/0xd0
[   22.515811]  kasan_slab_free+0x71/0xc0
[   22.516092]  kfree+0xca/0x250
[   22.516297]  kvfree+0x36/0x60
[   22.516513]  free_netdev+0x2cf/0x360
[   22.516765]  __tun_chr_ioctl+0x2cf6/0x3d20
[   22.517061]  tun_chr_ioctl+0x2a/0x40
[   22.517307]  do_vfs_ioctl+0x1b1/0x1530
[   22.517572]  SyS_ioctl+0x8f/0xc0
[   22.517814]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   22.518146] 
[   22.518261] The buggy address belongs to the object at ffff88003b9a8240
[   22.518261]  which belongs to the cache kmalloc-16384 of size 16384
[   22.519136] The buggy address is located 13312 bytes inside of
[   22.519136]  16384-byte region [ffff88003b9a8240, ffff88003b9ac240)
[   22.519944] The buggy address belongs to the page:
[   22.520329] page:ffffea0000ee6a00 count:1 mapcount:0 mapping:ffff88003b9a8240 index:0x0 compound_mapcount: 0
[   22.521230] flags: 0x100000000008100(slab|head)
[   22.521653] raw: 0100000000008100 ffff88003b9a8240 0000000000000000 0000000100000001
[   22.522366] raw: ffffea0000eb0c20 ffff88003e801c50 ffff88003e802200 0000000000000000
[   22.523050] page dumped because: kasan: bad access detected
[   22.523589] 
[   22.523764] Memory state around the buggy address:
[   22.524237]  ffff88003b9ab500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   22.524858]  ffff88003b9ab580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   22.525522] >ffff88003b9ab600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   22.526025]                                            ^
[   22.526390]  ffff88003b9ab680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   22.526899]  ffff88003b9ab700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   22.527377] ==================================================================
[   22.527859] Disabling lock debugging due to kernel taint
[   22.528208] Kernel panic - not syncing: panic_on_warn set ...
[   22.528208] 
[   22.528884] CPU: 0 PID: 2974 Comm: syzkaller963482 Tainted: G    B           4.13.0-next-20170905+ #15
[   22.529779] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[   22.530634] Call Trace:
[   22.530913]  dump_stack+0x194/0x257
[   22.531284]  ? arch_local_irq_restore+0x53/0x53
[   22.531761]  ? vprintk_default+0x28/0x30
[   22.532198]  ? detach_if_pending+0x530/0x610
[   22.532664]  panic+0x1e4/0x417
[   22.532995]  ? __warn+0x1d9/0x1d9
[   22.533232]  ? detach_if_pending+0x557/0x610
[   22.533533]  kasan_end_report+0x50/0x50
[   22.533803]  kasan_report+0x137/0x340
[   22.534066]  __asan_report_store8_noabort+0x17/0x20
[   22.534407]  detach_if_pending+0x557/0x610
[   22.535039]  ? trace_raw_output_tick_stop+0x130/0x130
[   22.535504]  ? _raw_spin_lock_irqsave+0x9e/0xc0
[   22.535836]  ? lock_timer_base+0x1a3/0x2b0
[   22.536178]  ? lock_timer_base+0x1eb/0x2b0
[   22.536497]  ? __internal_add_timer+0x2d0/0x2d0
[   22.536867]  ? trace_hardirqs_on+0xd/0x10
[   22.537173]  try_to_del_timer_sync+0xa2/0x120
[   22.537481]  ? del_timer+0x130/0x130
[   22.537749]  ? del_timer_sync+0xeb/0x240
[   22.538069]  del_timer_sync+0x18a/0x240
[   22.538371]  tun_free_netdev+0x105/0x1b0
[   22.538675]  ? tun_xdp+0x410/0x410
[   22.538932]  ? cpumask_next+0x24/0x30
[   22.539209]  ? netdev_refcnt_read+0xed/0x150
[   22.539512]  ? tun_xdp+0x410/0x410
[   22.539756]  netdev_run_todo+0x870/0xca0
[   22.540036]  ? do_group_exit+0x149/0x400
[   22.540382]  ? register_netdev+0x30/0x30
[   22.540661]  ? lock_downgrade+0x990/0x990
[   22.540973]  ? trace_hardirqs_on+0xd/0x10
[   22.541305]  ? refcount_sub_and_test+0x115/0x1b0
[   22.541630]  ? refcount_inc+0x50/0x50
[   22.541895]  ? refcount_inc+0x50/0x50
[   22.542172]  ? sk_destruct+0x4c/0x80
[   22.542455]  ? __sk_free+0x5c/0x230
[   22.542732]  ? sk_free+0x2f/0x40
[   22.542977]  ? __tun_detach+0x176/0x1390
[   22.543313]  ? tun_attach+0xf90/0xf90
[   22.543605]  ? locks_remove_file+0x3fa/0x5a0
[   22.543905]  ? fcntl_setlk+0x10d0/0x10d0
[   22.544183]  ? __fsnotify_parent+0xb4/0x3a0
[   22.544481]  ? fsnotify+0x1af0/0x1af0
[   22.544744]  ? __tun_detach+0x1390/0x1390
[   22.545028]  ? __tun_detach+0x1390/0x1390
[   22.545337]  rtnl_unlock+0xe/0x10
[   22.545615]  tun_chr_close+0x49/0x60
[   22.545914]  __fput+0x333/0x7f0
[   22.546170]  ? fput+0x140/0x140
[   22.546451]  ? check_same_owner+0x320/0x320
[   22.546777]  ____fput+0x15/0x20
[   22.547003]  task_work_run+0x199/0x270
[   22.547269]  ? task_work_cancel+0x210/0x210
[   22.547560]  ? free_nsproxy+0x185/0x1f0
[   22.547833]  ? switch_task_namespaces+0xa2/0xc0
[   22.548207]  do_exit+0xa52/0x1b40
[   22.548523]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   22.548992]  ? trace_hardirqs_on+0xd/0x10
[   22.549435]  ? kvfree+0x3b/0x60
[   22.549736]  ? mm_update_next_owner+0x930/0x930
[   22.550155]  ? rtnl_unlock+0xe/0x10
[   22.550494]  ? __tun_chr_ioctl+0x27a/0x3d20
[   22.550912]  ? tun_chr_read_iter+0x1e0/0x1e0
[   22.551266]  ? lock_downgrade+0x990/0x990
[   22.551555]  ? check_same_owner+0x320/0x320
[   22.551852]  ? __handle_mm_fault+0x39c0/0x39c0
[   22.552159]  ? vmacache_find+0x61/0x270
[   22.552430]  ? tun_chr_compat_ioctl+0x30/0x30
[   22.552748]  ? tun_chr_ioctl+0x2a/0x40
[   22.553046]  ? tun_chr_ioctl+0x2a/0x40
[   22.553317]  ? do_vfs_ioctl+0x492/0x1530
[   22.553596]  ? ioctl_preallocate+0x2b0/0x2b0
[   22.553954]  ? selinux_capable+0x40/0x40
[   22.554237]  ? putname+0xf3/0x130
[   22.554474]  do_group_exit+0x149/0x400
[   22.554737]  ? SyS_exit+0x30/0x30
[   22.554971]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   22.555307]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   22.555637]  SyS_exit_group+0x1d/0x20
[   22.556133]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   22.556429] RIP: 0033:0x43a3f9
[   22.556642] RSP: 002b:00007ffde4a9efc8 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7
[   22.557161] RAX: ffffffffffffffda RBX: 00007ffde4a9f160 RCX: 000000000043a3f9
[   22.557688] RDX: 000000000043a3f9 RSI: 0000000020fbb000 RDI: 0000000000000001
[   22.558242] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[   22.558784] R10: 00000000000000fd R11: 0000000000000202 R12: 0000000000000000
[   22.559317] R13: 0000000000402730 R14: 00000000004027c0 R15: 0000000000000000
[   22.559853] Dumping ftrace buffer:
[   22.560099]    (ftrace buffer empty)
[   22.560421] Kernel Offset: disabled
[   22.560713] Rebooting in 86400 seconds..