INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-kasan-gce-8,10.128.0.13' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
executing program
syzkaller login: [   40.288261] ==================================================================
[   40.289438] BUG: KASAN: use-after-free in detach_if_pending+0x557/0x610
[   40.290339] Write of size 8 at addr ffff8801d1fe36b8 by task syzkaller513010/2990
[   40.291351]
[   40.291585] CPU: 1 PID: 2990 Comm: syzkaller513010 Not tainted 4.14.0-rc5+ #141
[   40.292560] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   40.293778] Call Trace:
[   40.294137]  dump_stack+0x194/0x257
[   40.294629]  ? arch_local_irq_restore+0x53/0x53
[   40.295250]  ? show_regs_print_info+0x65/0x65
[   40.295852]  ? lock_timer_base+0x1a3/0x2b0
[   40.296439]  ? detach_if_pending+0x557/0x610
[   40.297033]  print_address_description+0x73/0x250
[   40.297676]  ? detach_if_pending+0x557/0x610
[   40.298265]  kasan_report+0x25b/0x340
[   40.298779]  __asan_report_store8_noabort+0x17/0x20
[   40.299444]  detach_if_pending+0x557/0x610
[   40.300041]  ? trace_raw_output_tick_stop+0x130/0x130
[   40.300742]  ? _raw_spin_lock_irqsave+0x9e/0xc0
[   40.301362]  ? lock_timer_base+0x1a3/0x2b0
[   40.301930]  ? lock_timer_base+0x1eb/0x2b0
[   40.302499]  ? __internal_add_timer+0x2d0/0x2d0
[   40.303128]  ? lock_downgrade+0x990/0x990
[   40.303682]  ? trace_hardirqs_on+0xd/0x10
[   40.304243]  try_to_del_timer_sync+0xa2/0x120
[   40.304853]  ? del_timer+0x130/0x130
[   40.305355]  ? del_timer_sync+0xeb/0x240
[   40.305915]  del_timer_sync+0x18a/0x240
[   40.306454]  tun_free_netdev+0x105/0x1b0
[   40.307001]  ? tun_xdp+0x410/0x410
[   40.307495]  ? cpumask_next+0x24/0x30
[   40.308006]  ? netdev_refcnt_read+0xed/0x150
[   40.309703]  ? tun_xdp+0x410/0x410
[   40.313208]  netdev_run_todo+0x870/0xca0
[   40.317235]  ? do_group_exit+0x149/0x400
[   40.321267]  ? mark_held_locks+0xaf/0x100
[   40.325382]  ? register_netdev+0x30/0x30
[   40.329414]  ? find_held_lock+0x35/0x1d0
[   40.333452]  ? lock_downgrade+0x990/0x990
[   40.337571]  ? refcount_sub_and_test+0x115/0x1b0
[   40.342294]  ? refcount_inc+0x50/0x50
[   40.346061]  ? refcount_inc+0x50/0x50
[   40.349833]  ? sk_destruct+0x4c/0x80
[   40.353515]  ? __sk_free+0x5c/0x230
[   40.357116]  ? sk_free+0x2f/0x40
[   40.360452]  ? __tun_detach+0x176/0x1390
[   40.364491]  ? tun_attach+0xfa0/0xfa0
[   40.368270]  ? locks_remove_file+0x3fa/0x5a0
[   40.372646]  ? fcntl_setlk+0x10c0/0x10c0
[   40.376678]  ? __fsnotify_parent+0xb4/0x3a0
[   40.380969]  ? fsnotify+0x1af0/0x1af0
[   40.384743]  ? __tun_detach+0x1390/0x1390
[   40.388858]  rtnl_unlock+0xe/0x10
[   40.392279]  tun_chr_close+0x49/0x60
[   40.395962]  __fput+0x327/0x7e0
[   40.399215]  ? fput+0x140/0x140
[   40.402465]  ? check_same_owner+0x320/0x320
[   40.406757]  ____fput+0x15/0x20
[   40.410003]  task_work_run+0x199/0x270
[   40.413859]  ? task_work_cancel+0x210/0x210
[   40.418147]  ? free_nsproxy+0x185/0x1f0
[   40.422090]  ? switch_task_namespaces+0xa2/0xc0
[   40.426731]  do_exit+0x9b5/0x1ad0
[   40.430153]  ? kvfree+0x3b/0x60
[   40.433402]  ? mm_update_next_owner+0x930/0x930
[   40.438037]  ? rtnl_unlock+0xe/0x10
[   40.441629]  ? __tun_chr_ioctl+0x27a/0x3d20
[   40.445925]  ? tun_chr_read_iter+0x1e0/0x1e0
[   40.450300]  ? find_held_lock+0x35/0x1d0
[   40.454337]  ? __do_page_fault+0x64c/0xd60
[   40.458537]  ? lock_downgrade+0x990/0x990
[   40.462660]  ? handle_mm_fault+0x410/0x8d0
[   40.466872]  ? check_same_owner+0x320/0x320
[   40.471156]  ? up_read+0x1a/0x40
[   40.474491]  ? __do_page_fault+0x3d6/0xd60
[   40.478694]  ? tun_chr_compat_ioctl+0x30/0x30
[   40.483155]  ? tun_chr_ioctl+0x2a/0x40
[   40.487008]  ? tun_chr_ioctl+0x2a/0x40
[   40.490863]  ? do_vfs_ioctl+0x486/0x1520
[   40.494896]  ? ioctl_preallocate+0x2b0/0x2b0
[   40.499274]  ? selinux_capable+0x40/0x40
[   40.503303]  ? putname+0xf3/0x130
[   40.506728]  do_group_exit+0x149/0x400
[   40.510584]  ? SyS_exit+0x30/0x30
[   40.514004]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   40.518987]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   40.523712]  SyS_exit_group+0x1d/0x20
[   40.527483]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   40.532202] RIP: 0033:0x445259
[   40.535358] RSP: 002b:00007fff60285d48 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7
[   40.543032] RAX: ffffffffffffffda RBX: 00007fff60285d80 RCX: 0000000000445259
[   40.550266] RDX: 0000000000445259 RSI: 0000000020fbcfd8 RDI: 0000000000000001
[   40.557501] RBP: 0000000000000082 R08: 00007fff60285d80 R09: 00007fff60285d80
[   40.564736] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000402600
[   40.571971] R13: 0000000000402690 R14: 0000000000000000 R15: 0000000000000000
[   40.579224]
[   40.580818] Allocated by task 2990:
[   40.584411]  save_stack_trace+0x16/0x20
[   40.588352]  save_stack+0x43/0xd0
[   40.591770]  kasan_kmalloc+0xad/0xe0
[   40.595449]  __kmalloc_node+0x47/0x70
[   40.599213]  kvmalloc_node+0x64/0xd0
[   40.602895]  alloc_netdev_mqs+0x16e/0xed0
[   40.607009]  __tun_chr_ioctl+0x12b2/0x3d20
[   40.611208]  tun_chr_ioctl+0x2a/0x40
[   40.614886]  do_vfs_ioctl+0x1b1/0x1520
[   40.618736]  SyS_ioctl+0x8f/0xc0
[   40.622068]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   40.626785]
[   40.628378] Freed by task 2990:
[   40.631623]  save_stack_trace+0x16/0x20
[   40.635562]  save_stack+0x43/0xd0
[   40.638978]  kasan_slab_free+0x71/0xc0
[   40.642831]  kfree+0xca/0x250
[   40.645903]  kvfree+0x36/0x60
[   40.648972]  free_netdev+0x2cf/0x360
[   40.652650]  __tun_chr_ioctl+0x2cea/0x3d20
[   40.656848]  tun_chr_ioctl+0x2a/0x40
[   40.660527]  do_vfs_ioctl+0x1b1/0x1520
[   40.664378]  SyS_ioctl+0x8f/0xc0
[   40.667709]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   40.672425]
[   40.674021] The buggy address belongs to the object at ffff8801d1fe0380
[   40.674021]  which belongs to the cache kmalloc-16384 of size 16384
[   40.686988] The buggy address is located 13112 bytes inside of
[   40.686988]  16384-byte region [ffff8801d1fe0380, ffff8801d1fe4380)
[   40.699171] The buggy address belongs to the page:
[   40.704068] page:ffffea000747f800 count:1 mapcount:0 mapping:ffff8801d1fe0380 index:0x0 compound_mapcount: 0
[   40.714002] flags: 0x200000000008100(slab|head)
[   40.718637] raw: 0200000000008100 ffff8801d1fe0380 0000000000000000 0000000100000001
[   40.726481] raw: ffffea000745b820 ffff8801dac01c48 ffff8801dac02200 0000000000000000
[   40.734324] page dumped because: kasan: bad access detected
[   40.739996]
[   40.741589] Memory state around the buggy address:
[   40.746484]  ffff8801d1fe3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   40.753807]  ffff8801d1fe3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   40.761129] >ffff8801d1fe3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   40.768449]                                         ^
[   40.773604]  ffff8801d1fe3700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   40.780927]  ffff8801d1fe3780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   40.788249] ==================================================================
[   40.795569] Disabling lock debugging due to kernel taint
[   40.800983] Kernel panic - not syncing: panic_on_warn set ...
[   40.800983]
[   40.808310] CPU: 1 PID: 2990 Comm: syzkaller513010 Tainted: G    B           4.14.0-rc5+ #141
[   40.816934] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   40.826249] Call Trace:
[   40.828806]  dump_stack+0x194/0x257
[   40.832400]  ? arch_local_irq_restore+0x53/0x53
[   40.837033]  ? kasan_end_report+0x32/0x50
[   40.841146]  ? lock_downgrade+0x990/0x990
[   40.845261]  ? detach_if_pending+0x540/0x610
[   40.849636]  panic+0x1e4/0x417
[   40.852793]  ? __warn+0x1d9/0x1d9
[   40.856214]  ? detach_if_pending+0x557/0x610
[   40.860587]  kasan_end_report+0x50/0x50
[   40.864526]  kasan_report+0x144/0x340
[   40.868293]  __asan_report_store8_noabort+0x17/0x20
[   40.873273]  detach_if_pending+0x557/0x610
[   40.877473]  ? trace_raw_output_tick_stop+0x130/0x130
[   40.882627]  ? _raw_spin_lock_irqsave+0x9e/0xc0
[   40.887259]  ? lock_timer_base+0x1a3/0x2b0
[   40.891455]  ? lock_timer_base+0x1eb/0x2b0
[   40.895657]  ? __internal_add_timer+0x2d0/0x2d0
[   40.900288]  ? lock_downgrade+0x990/0x990
[   40.904401]  ? trace_hardirqs_on+0xd/0x10
[   40.908517]  try_to_del_timer_sync+0xa2/0x120
[   40.912977]  ? del_timer+0x130/0x130
[   40.916656]  ? del_timer_sync+0xeb/0x240
[   40.920685]  del_timer_sync+0x18a/0x240
[   40.924624]  tun_free_netdev+0x105/0x1b0
[   40.928649]  ? tun_xdp+0x410/0x410
[   40.932153]  ? cpumask_next+0x24/0x30
[   40.935919]  ? netdev_refcnt_read+0xed/0x150
[   40.940295]  ? tun_xdp+0x410/0x410
[   40.943799]  netdev_run_todo+0x870/0xca0
[   40.947826]  ? do_group_exit+0x149/0x400
[   40.951851]  ? mark_held_locks+0xaf/0x100
[   40.955962]  ? register_netdev+0x30/0x30
[   40.959986]  ? find_held_lock+0x35/0x1d0
[   40.964015]  ? lock_downgrade+0x990/0x990
[   40.968131]  ? refcount_sub_and_test+0x115/0x1b0
[   40.972851]  ? refcount_inc+0x50/0x50
[   40.976615]  ? refcount_inc+0x50/0x50
[   40.980380]  ? sk_destruct+0x4c/0x80
[   40.984060]  ? __sk_free+0x5c/0x230
[   40.987650]  ? sk_free+0x2f/0x40
[   40.990980]  ? __tun_detach+0x176/0x1390
[   40.995011]  ? tun_attach+0xfa0/0xfa0
[   40.998779]  ? locks_remove_file+0x3fa/0x5a0
[   41.003152]  ? fcntl_setlk+0x10c0/0x10c0
[   41.007180]  ? __fsnotify_parent+0xb4/0x3a0
[   41.011467]  ? fsnotify+0x1af0/0x1af0
[   41.015233]  ? __tun_detach+0x1390/0x1390
[   41.019347]  rtnl_unlock+0xe/0x10
[   41.022761]  tun_chr_close+0x49/0x60
[   41.026439]  __fput+0x327/0x7e0
[   41.029685]  ? fput+0x140/0x140
[   41.032932]  ? check_same_owner+0x320/0x320
[   41.037219]  ____fput+0x15/0x20
[   41.040464]  task_work_run+0x199/0x270
[   41.044318]  ? task_work_cancel+0x210/0x210
[   41.048605]  ? free_nsproxy+0x185/0x1f0
[   41.052545]  ? switch_task_namespaces+0xa2/0xc0
[   41.057189]  do_exit+0x9b5/0x1ad0
[   41.060608]  ? kvfree+0x3b/0x60
[   41.063854]  ? mm_update_next_owner+0x930/0x930
[   41.068486]  ? rtnl_unlock+0xe/0x10
[   41.072076]  ? __tun_chr_ioctl+0x27a/0x3d20
[   41.076368]  ? tun_chr_read_iter+0x1e0/0x1e0
[   41.080741]  ? find_held_lock+0x35/0x1d0
[   41.084770]  ? __do_page_fault+0x64c/0xd60
[   41.088970]  ? lock_downgrade+0x990/0x990
[   41.093086]  ? handle_mm_fault+0x410/0x8d0
[   41.097290]  ? check_same_owner+0x320/0x320
[   41.101575]  ? up_read+0x1a/0x40
[   41.104905]  ? __do_page_fault+0x3d6/0xd60
[   41.109105]  ? tun_chr_compat_ioctl+0x30/0x30
[   41.113562]  ? tun_chr_ioctl+0x2a/0x40
[   41.117414]  ? tun_chr_ioctl+0x2a/0x40
[   41.121266]  ? do_vfs_ioctl+0x486/0x1520
[   41.125295]  ? ioctl_preallocate+0x2b0/0x2b0
[   41.129671]  ? selinux_capable+0x40/0x40
[   41.133697]  ? putname+0xf3/0x130
[   41.137117]  do_group_exit+0x149/0x400
[   41.140972]  ? SyS_exit+0x30/0x30
[   41.144396]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   41.149383]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   41.154105]  SyS_exit_group+0x1d/0x20
[   41.157871]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   41.162591] RIP: 0033:0x445259
[   41.165745] RSP: 002b:00007fff60285d48 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7
[   41.173417] RAX: ffffffffffffffda RBX: 00007fff60285d80 RCX: 0000000000445259
[   41.180652] RDX: 0000000000445259 RSI: 0000000020fbcfd8 RDI: 0000000000000001
[   41.187886] RBP: 0000000000000082 R08: 00007fff60285d80 R09: 00007fff60285d80
[   41.195118] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000402600
[   41.202353] R13: 0000000000402690 R14: 0000000000000000 R15: 0000000000000000
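Reading the report above top to bottom: the object is the 16384-byte net_device that alloc_netdev_mqs allocated inside __tun_chr_ioctl, and free_netdev released it from the same ioctl handler (both stacks carry PID 2990). When the process later exits, closing the tun fd runs netdev_run_todo under rtnl_unlock, tun_free_netdev calls del_timer_sync on a timer that lives 13112 bytes into that freed object, and detach_if_pending's list unlink is the 8-byte write KASAN catches (shadow bytes fb = freed slab memory). Frames prefixed with "?" are stale return addresses the unwinder found on the stack, not verified callers, and the second "Call Trace:" block is only the panic_on_warn dump of the same stack. The parser below automates exactly that reading; it is an added example for this page and not syzkaller or kernel code. SAMPLE_REPORT is constructed from the report above, shortened to the lines the parser consumes.

```python
# Added example (not syzkaller/kernel code): parse a KASAN report into the
# fields needed for triage. SAMPLE_REPORT is cut down from the report above.
import re
from dataclasses import dataclass, field

SAMPLE_REPORT = """\
[   40.289438] BUG: KASAN: use-after-free in detach_if_pending+0x557/0x610
[   40.290339] Write of size 8 at addr ffff8801d1fe36b8 by task syzkaller513010/2990
[   40.293778] Call Trace:
[   40.298265]  kasan_report+0x25b/0x340
[   40.298779]  __asan_report_store8_noabort+0x17/0x20
[   40.299444]  detach_if_pending+0x557/0x610
[   40.301362]  ? lock_timer_base+0x1a3/0x2b0
[   40.304243]  try_to_del_timer_sync+0xa2/0x120
[   40.305915]  del_timer_sync+0x18a/0x240
[   40.306454]  tun_free_netdev+0x105/0x1b0
[   40.313208]  netdev_run_todo+0x870/0xca0
[   40.388858]  rtnl_unlock+0xe/0x10
[   40.392279]  tun_chr_close+0x49/0x60
[   40.580818] Allocated by task 2990:
[   40.591770]  kasan_kmalloc+0xad/0xe0
[   40.602895]  alloc_netdev_mqs+0x16e/0xed0
[   40.607009]  __tun_chr_ioctl+0x12b2/0x3d20
[   40.628378] Freed by task 2990:
[   40.638978]  kasan_slab_free+0x71/0xc0
[   40.648972]  free_netdev+0x2cf/0x360
[   40.652650]  __tun_chr_ioctl+0x2cea/0x3d20
[   40.674021] The buggy address belongs to the object at ffff8801d1fe0380
[   40.674021]  which belongs to the cache kmalloc-16384 of size 16384
[   40.686988] The buggy address is located 13112 bytes inside of
"""

TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")
FRAME = re.compile(r"^\s*(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
BUG = re.compile(r"BUG: KASAN: ([\w-]+) in ([\w.]+)\+0x")
ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)")
OBJECT = re.compile(r"belongs to the object at ([0-9a-f]+)")
CACHE = re.compile(r"belongs to the cache (\S+) of size (\d+)")
LOCATED = re.compile(r"is located (\d+) bytes inside of")
# sanitizer/allocator frames: present in every report, never the bug itself
INTERNAL = ("dump_stack", "print_address_description", "kasan_", "__asan_",
            "save_stack", "__kmalloc", "kvmalloc", "kfree", "kvfree")

@dataclass
class KasanReport:
    bug_type: str = ""
    function: str = ""
    access: str = ""
    size: int = 0
    addr: int = 0
    pid: int = 0
    object_start: int = 0
    object_size: int = 0
    cache: str = ""
    reported_offset: int = -1
    # each stack: list of (symbol, unreliable) pairs, innermost first
    stacks: dict = field(default_factory=lambda: {"access": [], "alloc": [], "free": []})

    @property
    def offset(self) -> int:
        return self.addr - self.object_start

def collect_frames(lines, start):
    # consecutive frames from lines[start]; the first non-frame line ends the stack
    frames = []
    for line in lines[start:]:
        m = FRAME.match(line)
        if not m:
            break
        frames.append((m.group(2), m.group(1) is not None))
    return frames

def parse_kasan_report(text):
    rep = KasanReport()
    lines = [TIMESTAMP.sub("", ln).rstrip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        if m := BUG.search(line):
            rep.bug_type, rep.function = m.group(1), m.group(2)
        elif m := ACCESS.search(line):
            rep.access, rep.size = m.group(1), int(m.group(2))
            rep.addr, rep.pid = int(m.group(3), 16), int(m.group(4))
        elif line.startswith("Call Trace:") and not rep.stacks["access"]:
            rep.stacks["access"] = collect_frames(lines, i + 1)  # first trace only; panic_on_warn dumps a second
        elif line.startswith("Allocated by task"):
            rep.stacks["alloc"] = collect_frames(lines, i + 1)
        elif line.startswith("Freed by task"):
            rep.stacks["free"] = collect_frames(lines, i + 1)
        elif m := OBJECT.search(line):
            rep.object_start = int(m.group(1), 16)
        elif m := CACHE.search(line):
            rep.cache, rep.object_size = m.group(1), int(m.group(2))
        elif m := LOCATED.search(line):
            rep.reported_offset = int(m.group(1))
    return rep

def call_chain(frames):
    # verified frames only ('?' = stale return address, not a real caller), minus internals
    return [s for s, unreliable in frames if not unreliable and not s.startswith(INTERNAL)]

def triage(rep):
    """Cross-check the report against itself, then summarise it in one line."""
    in_object = rep.object_start <= rep.addr < rep.object_start + rep.object_size
    if not in_object or (rep.reported_offset >= 0 and rep.reported_offset != rep.offset):
        raise ValueError("access address or offset is inconsistent with the reported object")
    access, alloc, free = (call_chain(rep.stacks[k]) for k in ("access", "alloc", "free"))
    return (f"{rep.bug_type}: {rep.access.lower()} of {rep.size} bytes at +{rep.offset} "
            f"into {rep.cache}; {' <- '.join(access[:4])}; "
            f"allocated in {alloc[1]} via {alloc[0]}; freed in {free[1]} via {free[0]}")
```

Run `triage(parse_kasan_report(SAMPLE_REPORT))` to get the one-line summary; feeding it the full console log above works the same way, since the timestamp prefixes are stripped and only the first "Call Trace:" block is used. The two consistency checks in `triage` are the ones worth keeping in any report parser: an access address outside the stated object, or a computed offset that disagrees with the kernel's own figure, means the report was truncated or mis-pasted and should not be filed as is.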