net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
executing program
syzkaller login: [   23.767955] ==================================================================
[   23.768817] BUG: KASAN: use-after-free in detach_if_pending+0x557/0x610
[   23.769569] Write of size 8 at addr ffff88003871b840 by task syzkaller649157/3018
[   23.770355] 
[   23.770538] CPU: 1 PID: 3018 Comm: syzkaller649157 Not tainted 4.13.0-next-20170914+ #4
[   23.771352] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[   23.773666] Call Trace:
[   23.775924]  dump_stack+0x194/0x257
[   23.778596]  ? arch_local_irq_restore+0x53/0x53
[   23.781250]  ? show_regs_print_info+0x65/0x65
[   23.783255]  ? lock_timer_base+0x1a3/0x2b0
[   23.783614]  ? detach_if_pending+0x557/0x610
[   23.783981]  print_address_description+0x73/0x250
[   23.784419]  ? detach_if_pending+0x557/0x610
[   23.784805]  kasan_report+0x24e/0x340
[   23.785151]  __asan_report_store8_noabort+0x17/0x20
[   23.788855]  detach_if_pending+0x557/0x610
[   23.797677]  ? trace_raw_output_tick_stop+0x130/0x130
[   23.798200]  ? _raw_spin_lock_irqsave+0x9e/0xc0
[   23.798694]  ? lock_timer_base+0x1a3/0x2b0
[   23.799178]  ? lock_timer_base+0x1eb/0x2b0
[   23.799632]  ? __internal_add_timer+0x2d0/0x2d0
[   23.800194]  ? trace_hardirqs_on+0xd/0x10
[   23.800649]  try_to_del_timer_sync+0xa2/0x120
[   23.803114]  ? del_timer+0x130/0x130
[   23.803512]  ? del_timer_sync+0xeb/0x240
[   23.803948]  del_timer_sync+0x18a/0x240
[   23.804400]  tun_free_netdev+0x105/0x1b0
[   23.804835]  ? tun_xdp+0x410/0x410
[   23.805247]  ? cpumask_next+0x24/0x30
[   23.805652]  ? netdev_refcnt_read+0xed/0x150
[   23.806148]  ? tun_xdp+0x410/0x410
[   23.806523]  netdev_run_todo+0x870/0xca0
[   23.806954]  ? do_group_exit+0x149/0x400
[   23.807418]  ? register_netdev+0x30/0x30
[   23.807847]  ? lock_downgrade+0x990/0x990
[   23.808316]  ? trace_hardirqs_on+0xd/0x10
[   23.808776]  ? refcount_sub_and_test+0x115/0x1b0
[   23.814634]  ? refcount_inc+0x50/0x50
[   23.815771]  ? refcount_inc+0x50/0x50
[   23.816888]  ? sk_destruct+0x4c/0x80
[   23.817771]  ? __sk_free+0x5c/0x230
[   23.818608]  ? sk_free+0x2f/0x40
[   23.819341]  ? __tun_detach+0x176/0x1390
[   23.820329]  ? tun_attach+0xf90/0xf90
[   23.821115]  ? do_raw_spin_trylock+0x190/0x190
[   23.822069]  ? locks_remove_file+0x3fa/0x5a0
[   23.824078]  ? fcntl_setlk+0x10d0/0x10d0
[   23.824791]  ? __fsnotify_parent+0xb4/0x3a0
[   23.825585]  ? fsnotify+0x1af0/0x1af0
[   23.826330]  ? __tun_detach+0x1390/0x1390
[   23.827152]  ? __tun_detach+0x1390/0x1390
[   23.827854]  rtnl_unlock+0xe/0x10
[   23.828498]  tun_chr_close+0x49/0x60
[   23.828916]  __fput+0x333/0x7f0
[   23.829334]  ? fput+0x140/0x140
[   23.829662]  ? check_same_owner+0x320/0x320
[   23.830266]  ? _raw_spin_unlock_irq+0x27/0x70
[   23.830940]  ____fput+0x15/0x20
[   23.831428]  task_work_run+0x199/0x270
[   23.831840]  ? task_work_cancel+0x210/0x210
[   23.832561]  ? _raw_spin_unlock+0x22/0x30
[   23.833258]  ? switch_task_namespaces+0x87/0xc0
[   23.833987]  do_exit+0xa52/0x1b40
[   23.834585]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   23.835433]  ? check_noncircular+0x20/0x20
[   23.836093]  ? __handle_mm_fault+0x587/0x39c0
[   23.836848]  ? mm_update_next_owner+0x930/0x930
[   23.837632]  ? __pmd_alloc+0x4e0/0x4e0
[   23.838280]  ? find_held_lock+0x39/0x1d0
[   23.838901]  ? lock_downgrade+0x990/0x990
[   23.839596]  ? handle_mm_fault+0x410/0x8d0
[   23.840265]  ? down_read_trylock+0xdb/0x170
[   23.840908]  ? __do_page_fault+0x2b8/0xb60
[   23.841597]  ? __handle_mm_fault+0x39c0/0x39c0
[   23.842369]  ? vmacache_find+0x61/0x270
[   23.842982]  ? up_read+0x1a/0x40
[   23.845554]  ? __do_page_fault+0x35b/0xb60
[   23.846055]  ? do_page_fault+0xee/0x720
[   23.846523]  ? __do_page_fault+0xb60/0xb60
[   23.846987]  ? putname+0xf3/0x130
[   23.847440]  do_group_exit+0x149/0x400
[   23.847785]  ? lockdep_sys_exit+0x47/0xf0
[   23.848263]  ? SyS_exit+0x30/0x30
[   23.848667]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   23.849169]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   23.849727]  SyS_exit_group+0x1d/0x20
[   23.850194]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   23.850733] RIP: 0033:0x438839
[   23.851131] RSP: 002b:00007ffc4d8eabb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   23.852062] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000438839
[   23.852936] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[   23.853797] RBP: 0000000000000082 R08: 000000000000003c R09: 00000000000000e7
[   23.854631] R10: ffffffffffffffc0 R11: 0000000000000246 R12: 0000000000000001
[   23.855470] R13: 00000000006cd300 R14: 0000000000402330 R15: 0000000000000000
[   23.856351] 
[   23.856670] Allocated by task 3018:
[   23.857331]  save_stack_trace+0x16/0x20
[   23.858048]  save_stack+0x43/0xd0
[   23.858669]  kasan_kmalloc+0xad/0xe0
[   23.859318]  __kmalloc_node+0x47/0x70
[   23.859962]  kvmalloc_node+0x64/0xd0
[   23.860687]  alloc_netdev_mqs+0x16e/0xed0
[   23.861387]  __tun_chr_ioctl+0x12be/0x3d20
[   23.862135]  tun_chr_ioctl+0x2a/0x40
[   23.862756]  do_vfs_ioctl+0x1b1/0x1530
[   23.863388]  SyS_ioctl+0x8f/0xc0
[   23.863970]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   23.864906] 
[   23.866648] Freed by task 3018:
[   23.867254]  save_stack_trace+0x16/0x20
[   23.867891]  save_stack+0x43/0xd0
[   23.868538]  kasan_slab_free+0x71/0xc0
[   23.869220]  kfree+0xca/0x250
[   23.869749]  kvfree+0x36/0x60
[   23.870366]  free_netdev+0x2cf/0x360
[   23.870930]  __tun_chr_ioctl+0x2cf6/0x3d20
[   23.871716]  tun_chr_ioctl+0x2a/0x40
[   23.872443]  do_vfs_ioctl+0x1b1/0x1530
[   23.873076]  SyS_ioctl+0x8f/0xc0
[   23.873671]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   23.874673] 
[   23.874928] The buggy address belongs to the object at ffff880038718440
[   23.874928]  which belongs to the cache kmalloc-16384 of size 16384
[   23.877142] The buggy address is located 13312 bytes inside of
[   23.877142]  16384-byte region [ffff880038718440, ffff88003871c440)
[   23.879174] The buggy address belongs to the page:
[   23.879985] page:ffffea0000e1c600 count:1 mapcount:0 mapping:ffff880038718440 index:0x0 compound_mapcount: 0
[   23.881818] flags: 0x100000000008100(slab|head)
[   23.882626] raw: 0100000000008100 ffff880038718440 0000000000000000 0000000100000001
[   23.883901] raw: ffffea0000e5e820 ffff88003e801c50 ffff88003e802200 0000000000000000
[   23.885192] page dumped because: kasan: bad access detected
[   23.886230] 
[   23.888579] Memory state around the buggy address:
[   23.889521]  ffff88003871b700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.890755]  ffff88003871b780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.891988] >ffff88003871b800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.893335]                                            ^
[   23.894273]  ffff88003871b880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.895472]  ffff88003871b900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.896675] ==================================================================
[   23.897858] Disabling lock debugging due to kernel taint
[   23.898749] Kernel panic - not syncing: panic_on_warn set ...
[   23.898749] 
[   23.899921] CPU: 1 PID: 3018 Comm: syzkaller649157 Tainted: G    B           4.13.0-next-20170914+ #4
[   23.901450] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[   23.902763] Call Trace:
[   23.903172]  dump_stack+0x194/0x257
[   23.903780]  ? arch_local_irq_restore+0x53/0x53
[   23.904532]  ? vprintk_default+0x28/0x30
[   23.905180]  ? detach_if_pending+0x4f0/0x610
[   23.905914]  panic+0x1e4/0x417
[   23.906471]  ? __warn+0x1d9/0x1d9
[   23.907038]  ? detach_if_pending+0x557/0x610
[   23.909504]  kasan_end_report+0x50/0x50
[   23.910142]  kasan_report+0x137/0x340
[   23.910746]  __asan_report_store8_noabort+0x17/0x20
[   23.911560]  detach_if_pending+0x557/0x610
[   23.912238]  ? trace_raw_output_tick_stop+0x130/0x130
[   23.913064]  ? _raw_spin_lock_irqsave+0x9e/0xc0
[   23.913801]  ? lock_timer_base+0x1a3/0x2b0
[   23.914549]  ? lock_timer_base+0x1eb/0x2b0
[   23.915225]  ? __internal_add_timer+0x2d0/0x2d0
[   23.915927]  ? trace_hardirqs_on+0xd/0x10
[   23.916591]  try_to_del_timer_sync+0xa2/0x120
[   23.917402]  ? del_timer+0x130/0x130
[   23.917996]  ? del_timer_sync+0xeb/0x240
[   23.918668]  del_timer_sync+0x18a/0x240
[   23.919304]  tun_free_netdev+0x105/0x1b0
[   23.919896]  ? tun_xdp+0x410/0x410
[   23.920458]  ? cpumask_next+0x24/0x30
[   23.921034]  ? netdev_refcnt_read+0xed/0x150
[   23.921707]  ? tun_xdp+0x410/0x410
[   23.922274]  netdev_run_todo+0x870/0xca0
[   23.922887]  ? do_group_exit+0x149/0x400
[   23.923539]  ? register_netdev+0x30/0x30
[   23.924184]  ? lock_downgrade+0x990/0x990
[   23.924788]  ? trace_hardirqs_on+0xd/0x10
[   23.925464]  ? refcount_sub_and_test+0x115/0x1b0
[   23.926207]  ? refcount_inc+0x50/0x50
[   23.926760]  ? refcount_inc+0x50/0x50
[   23.927373]  ? sk_destruct+0x4c/0x80
[   23.927914]  ? __sk_free+0x5c/0x230
[   23.928494]  ? sk_free+0x2f/0x40
[   23.928992]  ? __tun_detach+0x176/0x1390
[   23.931719]  ? tun_attach+0xf90/0xf90
[   23.932426]  ? do_raw_spin_trylock+0x190/0x190
[   23.933189]  ? locks_remove_file+0x3fa/0x5a0
[   23.933966]  ? fcntl_setlk+0x10d0/0x10d0
[   23.934660]  ? __fsnotify_parent+0xb4/0x3a0
[   23.935445]  ? fsnotify+0x1af0/0x1af0
[   23.936138]  ? __tun_detach+0x1390/0x1390
[   23.936830]  ? __tun_detach+0x1390/0x1390
[   23.937597]  rtnl_unlock+0xe/0x10
[   23.938208]  tun_chr_close+0x49/0x60
[   23.938893]  __fput+0x333/0x7f0
[   23.939538]  ? fput+0x140/0x140
[   23.940091]  ? check_same_owner+0x320/0x320
[   23.940775]  ? _raw_spin_unlock_irq+0x27/0x70
[   23.941575]  ____fput+0x15/0x20
[   23.942148]  task_work_run+0x199/0x270
[   23.942785]  ? task_work_cancel+0x210/0x210
[   23.943599]  ? _raw_spin_unlock+0x22/0x30
[   23.944316]  ? switch_task_namespaces+0x87/0xc0
[   23.945179]  do_exit+0xa52/0x1b40
[   23.945771]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   23.946670]  ? check_noncircular+0x20/0x20
[   23.947375]  ? __handle_mm_fault+0x587/0x39c0
[   23.948158]  ? mm_update_next_owner+0x930/0x930
[   23.948905]  ? __pmd_alloc+0x4e0/0x4e0
[   23.949614]  ? find_held_lock+0x39/0x1d0
[   23.950314]  ? lock_downgrade+0x990/0x990
[   23.951647]  ? handle_mm_fault+0x410/0x8d0
[   23.952291]  ? down_read_trylock+0xdb/0x170
[   23.952931]  ? __do_page_fault+0x2b8/0xb60
[   23.953616]  ? __handle_mm_fault+0x39c0/0x39c0
[   23.954381]  ? vmacache_find+0x61/0x270
[   23.954987]  ? up_read+0x1a/0x40
[   23.955532]  ? __do_page_fault+0x35b/0xb60
[   23.956233]  ? do_page_fault+0xee/0x720
[   23.956864]  ? __do_page_fault+0xb60/0xb60
[   23.957578]  ? putname+0xf3/0x130
[   23.958221]  do_group_exit+0x149/0x400
[   23.959370]  ? lockdep_sys_exit+0x47/0xf0
[   23.960049]  ? SyS_exit+0x30/0x30
[   23.961138]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   23.961907]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   23.962662]  SyS_exit_group+0x1d/0x20
[   23.963266]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   23.963981] RIP: 0033:0x438839
[   23.964505] RSP: 002b:00007ffc4d8eabb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   23.965844] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000438839
[   23.966975] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[   23.968088] RBP: 0000000000000082 R08: 000000000000003c R09: 00000000000000e7
[   23.969191] R10: ffffffffffffffc0 R11: 0000000000000246 R12: 0000000000000001
[   23.970281] R13: 00000000006cd300 R14: 0000000000402330 R15: 0000000000000000