INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-upstream-kasan-gce-386-1,10.128.0.7' (ECDSA) to the list of known hosts. net.ipv6.conf.syz0.accept_dad = 0 net.ipv6.conf.syz0.router_solicitations = 0 executing program syzkaller login: [ 39.300528] ================================================================== [ 39.307929] BUG: KASAN: use-after-free in detach_if_pending+0x557/0x610 [ 39.314649] Write of size 8 at addr ffff8801cf7fb780 by task syzkaller152936/2984 [ 39.322238] [ 39.323842] CPU: 1 PID: 2984 Comm: syzkaller152936 Not tainted 4.14.0-rc2+ #20 [ 39.331170] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 39.340503] Call Trace: [ 39.343064] dump_stack+0x194/0x257 [ 39.346664] ? arch_local_irq_restore+0x53/0x53 [ 39.351303] ? show_regs_print_info+0x65/0x65 [ 39.355769] ? lock_timer_base+0x1a3/0x2b0 [ 39.359974] ? detach_if_pending+0x557/0x610 [ 39.364359] print_address_description+0x73/0x250 [ 39.369175] ? detach_if_pending+0x557/0x610 [ 39.373555] kasan_report+0x25b/0x340 [ 39.377330] __asan_report_store8_noabort+0x17/0x20 [ 39.382319] detach_if_pending+0x557/0x610 [ 39.386524] ? trace_raw_output_tick_stop+0x130/0x130 [ 39.391686] ? _raw_spin_lock_irqsave+0x9e/0xc0 [ 39.396323] ? lock_timer_base+0x1a3/0x2b0 [ 39.400528] ? lock_timer_base+0x1eb/0x2b0 [ 39.404735] ? __internal_add_timer+0x2d0/0x2d0 [ 39.409383] ? trace_hardirqs_on+0xd/0x10 [ 39.413508] try_to_del_timer_sync+0xa2/0x120 [ 39.417972] ? del_timer+0x130/0x130 [ 39.421656] ? del_timer_sync+0xeb/0x240 [ 39.425693] del_timer_sync+0x18a/0x240 [ 39.429638] tun_free_netdev+0x105/0x1b0 [ 39.433668] ? tun_xdp+0x410/0x410 [ 39.437176] ? cpumask_next+0x24/0x30 [ 39.440948] ? netdev_refcnt_read+0xed/0x150 [ 39.445338] ? tun_xdp+0x410/0x410 [ 39.448847] netdev_run_todo+0x870/0xca0 [ 39.452878] ? do_group_exit+0x149/0x400 [ 39.456912] ? register_netdev+0x30/0x30 [ 39.460946] ? lock_downgrade+0x990/0x990 [ 39.465062] ? trace_hardirqs_on+0xd/0x10 [ 39.469197] ? refcount_sub_and_test+0x115/0x1b0 [ 39.473921] ? refcount_inc+0x50/0x50 [ 39.477692] ? refcount_inc+0x50/0x50 [ 39.481469] ? sk_destruct+0x4c/0x80 [ 39.485154] ? __sk_free+0x5c/0x230 [ 39.488750] ? sk_free+0x2f/0x40 [ 39.492085] ? __tun_detach+0x176/0x1390 [ 39.496127] ? tun_attach+0xf90/0xf90 [ 39.499908] ? locks_remove_file+0x3fa/0x5a0 [ 39.504289] ? fcntl_setlk+0x10d0/0x10d0 [ 39.508329] ? __fsnotify_parent+0xb4/0x3a0 [ 39.512622] ? fsnotify+0x1af0/0x1af0 [ 39.516396] ? __tun_detach+0x1390/0x1390 [ 39.520513] ? __tun_detach+0x1390/0x1390 [ 39.524631] rtnl_unlock+0xe/0x10 [ 39.528053] tun_chr_close+0x49/0x60 [ 39.531741] __fput+0x333/0x7f0 [ 39.534999] ? fput+0x140/0x140 [ 39.538251] ? check_same_owner+0x320/0x320 [ 39.542549] ____fput+0x15/0x20 [ 39.545800] task_work_run+0x199/0x270 [ 39.549660] ? task_work_cancel+0x210/0x210 [ 39.553953] ? free_nsproxy+0x185/0x1f0 [ 39.557897] ? switch_task_namespaces+0xa2/0xc0 [ 39.562538] do_exit+0x9d2/0x1af0 [ 39.565961] ? trace_hardirqs_on+0xd/0x10 [ 39.570089] ? mm_update_next_owner+0x930/0x930 [ 39.574728] ? lock_acquire+0x1d5/0x580 [ 39.578671] ? __handle_mm_fault+0xf07/0x39c0 [ 39.583145] ? lock_release+0xd70/0xd70 [ 39.587092] ? check_noncircular+0x20/0x20 [ 39.591298] ? kvfree+0x3b/0x60 [ 39.594556] ? rtnl_unlock+0xe/0x10 [ 39.598155] ? check_noncircular+0x20/0x20 [ 39.602370] ? __handle_mm_fault+0x587/0x39c0 [ 39.606842] ? __pmd_alloc+0x4e0/0x4e0 [ 39.610712] ? find_held_lock+0x39/0x1d0 [ 39.614754] ? lock_downgrade+0x990/0x990 [ 39.618896] do_group_exit+0x149/0x400 [ 39.622753] ? __handle_mm_fault+0x39c0/0x39c0 [ 39.627305] ? vmacache_find+0x5f/0x280 [ 39.631251] ? SyS_exit+0x30/0x30 [ 39.634681] ? do_fast_syscall_32+0x158/0xf05 [ 39.639152] ? do_group_exit+0x400/0x400 [ 39.643184] SyS_exit_group+0x1d/0x20 [ 39.646953] do_fast_syscall_32+0x3f2/0xf05 [ 39.651476] ? do_int80_syscall_32+0x940/0x940 [ 39.656034] ? lockdep_sys_exit+0x47/0xf0 [ 39.660151] ? syscall_return_slowpath+0x2b3/0x510 [ 39.665051] ? finish_task_switch+0x1aa/0x740 [ 39.669520] ? lockdep_sys_exit+0x47/0xf0 [ 39.673639] ? retint_user+0x18/0x20 [ 39.677327] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 39.682146] entry_SYSENTER_compat+0x51/0x60 [ 39.686525] RIP: 0023:0xf7f46c79 [ 39.689858] RSP: 002b:000000000820fe2c EFLAGS: 00000202 ORIG_RAX: 00000000000000fc [ 39.697538] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000000000 [ 39.704779] RDX: 0000000000000001 RSI: 0000000020001fd8 RDI: 00000000400454ca [ 39.712019] RBP: 0000000008072cb6 R08: 0000000000000000 R09: 0000000000000000 [ 39.719257] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 39.726498] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 39.733754] [ 39.735352] Allocated by task 2984: [ 39.738951] save_stack_trace+0x16/0x20 [ 39.742895] save_stack+0x43/0xd0 [ 39.746316] kasan_kmalloc+0xad/0xe0 [ 39.749999] __kmalloc_node+0x47/0x70 [ 39.753768] kvmalloc_node+0x64/0xd0 [ 39.757451] alloc_netdev_mqs+0x16e/0xed0 [ 39.761570] __tun_chr_ioctl+0x12be/0x3d20 [ 39.765771] tun_chr_compat_ioctl+0x29/0x30 [ 39.770062] compat_SyS_ioctl+0x1d7/0x3290 [ 39.774263] do_fast_syscall_32+0x3f2/0xf05 [ 39.778553] entry_SYSENTER_compat+0x51/0x60 [ 39.782926] [ 39.784525] Freed by task 2984: [ 39.787772] save_stack_trace+0x16/0x20 [ 39.791723] save_stack+0x43/0xd0 [ 39.795143] kasan_slab_free+0x71/0xc0 [ 39.798999] kfree+0xca/0x250 [ 39.802073] kvfree+0x36/0x60 [ 39.805147] free_netdev+0x2cf/0x360 [ 39.808829] __tun_chr_ioctl+0x2cf6/0x3d20 [ 39.813044] tun_chr_compat_ioctl+0x29/0x30 [ 39.817347] compat_SyS_ioctl+0x1d7/0x3290 [ 39.821552] do_fast_syscall_32+0x3f2/0xf05 [ 39.825849] entry_SYSENTER_compat+0x51/0x60 [ 39.830226] [ 39.831824] The buggy address belongs to the object at ffff8801cf7f8380 [ 39.831824] which belongs to the cache kmalloc-16384 of size 16384 [ 39.844797] The buggy address is located 13312 bytes inside of [ 39.844797] 16384-byte region [ffff8801cf7f8380, ffff8801cf7fc380) [ 39.856985] The buggy address belongs to the page: [ 39.861881] page:ffffea00073dfe00 count:1 mapcount:0 mapping:ffff8801cf7f8380 index:0x0 compound_mapcount: 0 [ 39.871822] flags: 0x200000000008100(slab|head) [ 39.876463] raw: 0200000000008100 ffff8801cf7f8380 0000000000000000 0000000100000001 [ 39.884323] raw: ffffea00073aea20 ffff8801dac01c50 ffff8801dac02200 0000000000000000 [ 39.892183] page dumped because: kasan: bad access detected [ 39.897863] [ 39.899458] Memory state around the buggy address: [ 39.904358] ffff8801cf7fb680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 39.911689] ffff8801cf7fb700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 39.919017] >ffff8801cf7fb780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 39.926346] ^ [ 39.929688] ffff8801cf7fb800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 39.937019] ffff8801cf7fb880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 39.944359] ================================================================== [ 39.951683] Disabling lock debugging due to kernel taint [ 39.957094] Kernel panic - not syncing: panic_on_warn set ... [ 39.957094] [ 39.964423] CPU: 1 PID: 2984 Comm: syzkaller152936 Tainted: G B 4.14.0-rc2+ #20 [ 39.972959] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 39.982276] Call Trace: [ 39.984835] dump_stack+0x194/0x257 [ 39.988426] ? arch_local_irq_restore+0x53/0x53 [ 39.993060] ? vprintk_default+0x28/0x30 [ 39.997086] ? detach_if_pending+0x4d0/0x610 [ 40.001460] panic+0x1e4/0x417 [ 40.004616] ? __warn+0x1d9/0x1d9 [ 40.008042] ? detach_if_pending+0x557/0x610 [ 40.012416] kasan_end_report+0x50/0x50 [ 40.016352] kasan_report+0x144/0x340 [ 40.020118] __asan_report_store8_noabort+0x17/0x20 [ 40.025095] detach_if_pending+0x557/0x610 [ 40.029293] ? trace_raw_output_tick_stop+0x130/0x130 [ 40.034449] ? _raw_spin_lock_irqsave+0x9e/0xc0 [ 40.039091] ? lock_timer_base+0x1a3/0x2b0 [ 40.043292] ? lock_timer_base+0x1eb/0x2b0 [ 40.047491] ? __internal_add_timer+0x2d0/0x2d0 [ 40.052126] ? trace_hardirqs_on+0xd/0x10 [ 40.056239] try_to_del_timer_sync+0xa2/0x120 [ 40.060695] ? del_timer+0x130/0x130 [ 40.064372] ? del_timer_sync+0xeb/0x240 [ 40.068399] del_timer_sync+0x18a/0x240 [ 40.072338] tun_free_netdev+0x105/0x1b0 [ 40.076364] ? tun_xdp+0x410/0x410 [ 40.079866] ? cpumask_next+0x24/0x30 [ 40.083629] ? netdev_refcnt_read+0xed/0x150 [ 40.088001] ? tun_xdp+0x410/0x410 [ 40.091506] netdev_run_todo+0x870/0xca0 [ 40.095532] ? do_group_exit+0x149/0x400 [ 40.099560] ? register_netdev+0x30/0x30 [ 40.103586] ? lock_downgrade+0x990/0x990 [ 40.107699] ? trace_hardirqs_on+0xd/0x10 [ 40.111826] ? refcount_sub_and_test+0x115/0x1b0 [ 40.116550] ? refcount_inc+0x50/0x50 [ 40.120317] ? refcount_inc+0x50/0x50 [ 40.124084] ? sk_destruct+0x4c/0x80 [ 40.127759] ? __sk_free+0x5c/0x230 [ 40.131349] ? sk_free+0x2f/0x40 [ 40.134676] ? __tun_detach+0x176/0x1390 [ 40.138711] ? tun_attach+0xf90/0xf90 [ 40.142480] ? locks_remove_file+0x3fa/0x5a0 [ 40.146851] ? fcntl_setlk+0x10d0/0x10d0 [ 40.150877] ? __fsnotify_parent+0xb4/0x3a0 [ 40.155162] ? fsnotify+0x1af0/0x1af0 [ 40.158931] ? __tun_detach+0x1390/0x1390 [ 40.163043] ? __tun_detach+0x1390/0x1390 [ 40.167165] rtnl_unlock+0xe/0x10 [ 40.170594] tun_chr_close+0x49/0x60 [ 40.174276] __fput+0x333/0x7f0 [ 40.177524] ? fput+0x140/0x140 [ 40.180769] ? check_same_owner+0x320/0x320 [ 40.185056] ____fput+0x15/0x20 [ 40.188308] task_work_run+0x199/0x270 [ 40.192161] ? task_work_cancel+0x210/0x210 [ 40.196445] ? free_nsproxy+0x185/0x1f0 [ 40.200382] ? switch_task_namespaces+0xa2/0xc0 [ 40.205015] do_exit+0x9d2/0x1af0 [ 40.208433] ? trace_hardirqs_on+0xd/0x10 [ 40.212547] ? mm_update_next_owner+0x930/0x930 [ 40.217180] ? lock_acquire+0x1d5/0x580 [ 40.221117] ? __handle_mm_fault+0xf07/0x39c0 [ 40.225580] ? lock_release+0xd70/0xd70 [ 40.229517] ? check_noncircular+0x20/0x20 [ 40.233715] ? kvfree+0x3b/0x60 [ 40.236961] ? rtnl_unlock+0xe/0x10 [ 40.240552] ? check_noncircular+0x20/0x20 [ 40.244755] ? __handle_mm_fault+0x587/0x39c0 [ 40.249216] ? __pmd_alloc+0x4e0/0x4e0 [ 40.253071] ? find_held_lock+0x39/0x1d0 [ 40.257100] ? lock_downgrade+0x990/0x990 [ 40.261223] do_group_exit+0x149/0x400 [ 40.265072] ? __handle_mm_fault+0x39c0/0x39c0 [ 40.269616] ? vmacache_find+0x5f/0x280 [ 40.273551] ? SyS_exit+0x30/0x30 [ 40.276973] ? do_fast_syscall_32+0x158/0xf05 [ 40.281430] ? do_group_exit+0x400/0x400 [ 40.285454] SyS_exit_group+0x1d/0x20 [ 40.289220] do_fast_syscall_32+0x3f2/0xf05 [ 40.293511] ? do_int80_syscall_32+0x940/0x940 [ 40.298060] ? lockdep_sys_exit+0x47/0xf0