INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [ ok ] Starting enhanced syslogd: rsyslogd. [ ok ] Starting periodic command scheduler: cron. [ ok ] Starting OpenBSD Secure Shell server: sshd. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-upstream-kasan-gce-386-1,10.128.0.12' (ECDSA) to the list of known hosts. net.ipv6.conf.syz0.accept_dad = 0 net.ipv6.conf.syz0.router_solicitations = 0 executing program syzkaller login: [ 51.005301] ================================================================== [ 51.006444] BUG: KASAN: use-after-free in detach_if_pending+0x557/0x610 [ 51.007353] Write of size 8 at addr ffff8801cdc237c0 by task syzkaller351710/2981 [ 51.008408] [ 51.008647] CPU: 0 PID: 2981 Comm: syzkaller351710 Not tainted 4.14.0-rc2+ #21 [ 51.009624] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 51.010896] Call Trace: [ 51.011258] dump_stack+0x194/0x257 [ 51.011757] ? arch_local_irq_restore+0x53/0x53 [ 51.012383] ? show_regs_print_info+0x65/0x65 [ 51.012991] ? lock_timer_base+0x1a3/0x2b0 [ 51.013564] ? detach_if_pending+0x557/0x610 [ 51.014160] print_address_description+0x73/0x250 [ 51.014808] ? detach_if_pending+0x557/0x610 [ 51.015412] kasan_report+0x25b/0x340 [ 51.015939] __asan_report_store8_noabort+0x17/0x20 [ 51.016608] detach_if_pending+0x557/0x610 [ 51.017181] ? trace_raw_output_tick_stop+0x130/0x130 [ 51.017876] ? _raw_spin_lock_irqsave+0x9e/0xc0 [ 51.018498] ? lock_timer_base+0x1a3/0x2b0 [ 51.019071] ? lock_timer_base+0x1eb/0x2b0 [ 51.019657] ? __internal_add_timer+0x2d0/0x2d0 [ 51.020287] ? trace_hardirqs_on+0xd/0x10 [ 51.020855] try_to_del_timer_sync+0xa2/0x120 [ 51.021458] ? del_timer+0x130/0x130 [ 51.021962] ? del_timer_sync+0xeb/0x240 [ 51.022518] del_timer_sync+0x18a/0x240 [ 51.023057] tun_free_netdev+0x105/0x1b0 [ 51.023604] ? tun_xdp+0x410/0x410 [ 51.024087] ? 
cpumask_next+0x24/0x30 [ 51.024605] ? netdev_refcnt_read+0xed/0x150 [ 51.025210] ? tun_xdp+0x410/0x410 [ 51.027006] netdev_run_todo+0x870/0xca0 [ 51.031038] ? do_group_exit+0x149/0x400 [ 51.035075] ? register_netdev+0x30/0x30 [ 51.039111] ? lock_downgrade+0x990/0x990 [ 51.043233] ? trace_hardirqs_on+0xd/0x10 [ 51.047369] ? refcount_sub_and_test+0x115/0x1b0 [ 51.052097] ? refcount_inc+0x50/0x50 [ 51.055870] ? refcount_inc+0x50/0x50 [ 51.059645] ? sk_destruct+0x4c/0x80 [ 51.063330] ? __sk_free+0x5c/0x230 [ 51.066932] ? sk_free+0x2f/0x40 [ 51.070271] ? __tun_detach+0x176/0x1390 [ 51.074316] ? tun_attach+0xf90/0xf90 [ 51.078098] ? locks_remove_file+0x3fa/0x5a0 [ 51.082479] ? fcntl_setlk+0x10d0/0x10d0 [ 51.086518] ? __fsnotify_parent+0xb4/0x3a0 [ 51.090812] ? fsnotify+0x1af0/0x1af0 [ 51.094585] ? __tun_detach+0x1390/0x1390 [ 51.098706] ? __tun_detach+0x1390/0x1390 [ 51.102825] rtnl_unlock+0xe/0x10 [ 51.106247] tun_chr_close+0x49/0x60 [ 51.109938] __fput+0x333/0x7f0 [ 51.113204] ? fput+0x140/0x140 [ 51.116469] ? check_same_owner+0x320/0x320 [ 51.120767] ____fput+0x15/0x20 [ 51.124019] task_work_run+0x199/0x270 [ 51.127879] ? task_work_cancel+0x210/0x210 [ 51.132173] ? free_nsproxy+0x185/0x1f0 [ 51.136119] ? switch_task_namespaces+0xa2/0xc0 [ 51.140762] do_exit+0x9d2/0x1af0 [ 51.144184] ? __handle_mm_fault+0xf07/0x39c0 [ 51.148655] ? mm_update_next_owner+0x930/0x930 [ 51.153292] ? lock_release+0xd70/0xd70 [ 51.157251] ? check_noncircular+0x20/0x20 [ 51.161456] ? kfree+0xe4/0x250 [ 51.164705] ? kvfree+0x36/0x60 [ 51.167958] ? trace_hardirqs_on+0xd/0x10 [ 51.172078] ? check_noncircular+0x20/0x20 [ 51.176285] ? __handle_mm_fault+0x587/0x39c0 [ 51.180754] ? __pmd_alloc+0x4e0/0x4e0 [ 51.184622] ? find_held_lock+0x39/0x1d0 [ 51.188663] ? lock_downgrade+0x990/0x990 [ 51.192807] ? handle_mm_fault+0x410/0x8d0 [ 51.197008] ? down_read_trylock+0xdb/0x170 [ 51.201299] ? __do_page_fault+0x31e/0xd60 [ 51.205512] ? __handle_mm_fault+0x39c0/0x39c0 [ 51.210062] ? 
vmacache_find+0x5f/0x280 [ 51.214006] ? vmacache_update+0xfe/0x130 [ 51.218131] do_group_exit+0x149/0x400 [ 51.221988] ? __do_page_fault+0x3d6/0xd60 [ 51.226196] ? __tun_chr_ioctl+0x3d20/0x3d20 [ 51.230578] ? SyS_exit+0x30/0x30 [ 51.234010] ? do_fast_syscall_32+0x158/0xf05 [ 51.238474] ? do_group_exit+0x400/0x400 [ 51.242506] SyS_exit_group+0x1d/0x20 [ 51.246278] do_fast_syscall_32+0x3f2/0xf05 [ 51.250576] ? do_int80_syscall_32+0x940/0x940 [ 51.255131] ? lockdep_sys_exit+0x47/0xf0 [ 51.259249] ? syscall_return_slowpath+0x2b3/0x510 [ 51.264144] ? finish_task_switch+0x1aa/0x740 [ 51.268611] ? lockdep_sys_exit+0x47/0xf0 [ 51.272740] ? retint_user+0x18/0x20 [ 51.276447] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 51.281280] entry_SYSENTER_compat+0x51/0x60 [ 51.285656] RIP: 0023:0xf7f33c79 [ 51.288989] RSP: 002b:000000000820fe2c EFLAGS: 00000202 ORIG_RAX: 00000000000000fc [ 51.296670] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000000000 [ 51.303908] RDX: 0000000000000001 RSI: 000000002049afd8 RDI: 00000000400454ca [ 51.311147] RBP: 0000000008072cb6 R08: 0000000000000000 R09: 0000000000000000 [ 51.318384] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 51.325623] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 51.332880] [ 51.334480] Allocated by task 2981: [ 51.338078] save_stack_trace+0x16/0x20 [ 51.342022] save_stack+0x43/0xd0 [ 51.345442] kasan_kmalloc+0xad/0xe0 [ 51.349123] __kmalloc_node+0x47/0x70 [ 51.352890] kvmalloc_node+0x64/0xd0 [ 51.356572] alloc_netdev_mqs+0x16e/0xed0 [ 51.360695] __tun_chr_ioctl+0x12be/0x3d20 [ 51.364897] tun_chr_compat_ioctl+0x29/0x30 [ 51.369189] compat_SyS_ioctl+0x1d7/0x3290 [ 51.373393] do_fast_syscall_32+0x3f2/0xf05 [ 51.377681] entry_SYSENTER_compat+0x51/0x60 [ 51.382053] [ 51.383647] Freed by task 2981: [ 51.386894] save_stack_trace+0x16/0x20 [ 51.390834] save_stack+0x43/0xd0 [ 51.394253] kasan_slab_free+0x71/0xc0 [ 51.398107] kfree+0xca/0x250 [ 51.401182] kvfree+0x36/0x60 [ 51.404257] 
free_netdev+0x2cf/0x360 [ 51.407939] __tun_chr_ioctl+0x2cf6/0x3d20 [ 51.412142] tun_chr_compat_ioctl+0x29/0x30 [ 51.416432] compat_SyS_ioctl+0x1d7/0x3290 [ 51.420635] do_fast_syscall_32+0x3f2/0xf05 [ 51.424922] entry_SYSENTER_compat+0x51/0x60 [ 51.429296] [ 51.430895] The buggy address belongs to the object at ffff8801cdc203c0 [ 51.430895] which belongs to the cache kmalloc-16384 of size 16384 [ 51.443872] The buggy address is located 13312 bytes inside of [ 51.443872] 16384-byte region [ffff8801cdc203c0, ffff8801cdc243c0) [ 51.456063] The buggy address belongs to the page: [ 51.460963] page:ffffea0007370800 count:1 mapcount:0 mapping:ffff8801cdc203c0 index:0x0 compound_mapcount: 0 [ 51.470904] flags: 0x200000000008100(slab|head) [ 51.475541] raw: 0200000000008100 ffff8801cdc203c0 0000000000000000 0000000100000001 [ 51.483388] raw: ffffea000739fe20 ffff8801dac01c50 ffff8801dac02200 0000000000000000 [ 51.491232] page dumped because: kasan: bad access detected [ 51.496907] [ 51.498501] Memory state around the buggy address: [ 51.503398] ffff8801cdc23680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 51.510722] ffff8801cdc23700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 51.518051] >ffff8801cdc23780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 51.525375] ^ [ 51.530792] ffff8801cdc23800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 51.538117] ffff8801cdc23880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 51.545441] ================================================================== [ 51.552764] Disabling lock debugging due to kernel taint [ 51.558176] Kernel panic - not syncing: panic_on_warn set ... [ 51.558176] [ 51.565510] CPU: 0 PID: 2981 Comm: syzkaller351710 Tainted: G B 4.14.0-rc2+ #21 [ 51.574048] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 51.583363] Call Trace: [ 51.585916] dump_stack+0x194/0x257 [ 51.589508] ? arch_local_irq_restore+0x53/0x53 [ 51.594141] ? 
vprintk_default+0x28/0x30 [ 51.598170] ? detach_if_pending+0x500/0x610 [ 51.602543] panic+0x1e4/0x417 [ 51.605700] ? __warn+0x1d9/0x1d9 [ 51.609123] ? detach_if_pending+0x557/0x610 [ 51.613495] kasan_end_report+0x50/0x50 [ 51.617431] kasan_report+0x144/0x340 [ 51.621195] __asan_report_store8_noabort+0x17/0x20 [ 51.626176] detach_if_pending+0x557/0x610 [ 51.630377] ? trace_raw_output_tick_stop+0x130/0x130 [ 51.635532] ? _raw_spin_lock_irqsave+0x9e/0xc0 [ 51.640163] ? lock_timer_base+0x1a3/0x2b0 [ 51.644361] ? lock_timer_base+0x1eb/0x2b0 [ 51.648561] ? __internal_add_timer+0x2d0/0x2d0 [ 51.653193] ? trace_hardirqs_on+0xd/0x10 [ 51.657308] try_to_del_timer_sync+0xa2/0x120 [ 51.661764] ? del_timer+0x130/0x130 [ 51.665441] ? del_timer_sync+0xeb/0x240 [ 51.669476] del_timer_sync+0x18a/0x240 [ 51.673414] tun_free_netdev+0x105/0x1b0 [ 51.677437] ? tun_xdp+0x410/0x410 [ 51.680937] ? cpumask_next+0x24/0x30 [ 51.684701] ? netdev_refcnt_read+0xed/0x150 [ 51.689075] ? tun_xdp+0x410/0x410 [ 51.692577] netdev_run_todo+0x870/0xca0 [ 51.696602] ? do_group_exit+0x149/0x400 [ 51.700631] ? register_netdev+0x30/0x30 [ 51.704656] ? lock_downgrade+0x990/0x990 [ 51.708768] ? trace_hardirqs_on+0xd/0x10 [ 51.712891] ? refcount_sub_and_test+0x115/0x1b0 [ 51.717626] ? refcount_inc+0x50/0x50 [ 51.721389] ? refcount_inc+0x50/0x50 [ 51.725155] ? sk_destruct+0x4c/0x80 [ 51.728835] ? __sk_free+0x5c/0x230 [ 51.732425] ? sk_free+0x2f/0x40 [ 51.735754] ? __tun_detach+0x176/0x1390 [ 51.739783] ? tun_attach+0xf90/0xf90 [ 51.743550] ? locks_remove_file+0x3fa/0x5a0 [ 51.747924] ? fcntl_setlk+0x10d0/0x10d0 [ 51.751949] ? __fsnotify_parent+0xb4/0x3a0 [ 51.756233] ? fsnotify+0x1af0/0x1af0 [ 51.759998] ? __tun_detach+0x1390/0x1390 [ 51.764108] ? __tun_detach+0x1390/0x1390 [ 51.768220] rtnl_unlock+0xe/0x10 [ 51.771635] tun_chr_close+0x49/0x60 [ 51.775314] __fput+0x333/0x7f0 [ 51.778560] ? fput+0x140/0x140 [ 51.781805] ? 
check_same_owner+0x320/0x320 [ 51.786090] ____fput+0x15/0x20 [ 51.789334] task_work_run+0x199/0x270 [ 51.793186] ? task_work_cancel+0x210/0x210 [ 51.797470] ? free_nsproxy+0x185/0x1f0 [ 51.801416] ? switch_task_namespaces+0xa2/0xc0 [ 51.806051] do_exit+0x9d2/0x1af0 [ 51.809469] ? __handle_mm_fault+0xf07/0x39c0 [ 51.813928] ? mm_update_next_owner+0x930/0x930 [ 51.818560] ? lock_release+0xd70/0xd70 [ 51.822497] ? check_noncircular+0x20/0x20 [ 51.826695] ? kfree+0xe4/0x250 [ 51.829942] ? kvfree+0x36/0x60 [ 51.833187] ? trace_hardirqs_on+0xd/0x10 [ 51.837300] ? check_noncircular+0x20/0x20 [ 51.841498] ? __handle_mm_fault+0x587/0x39c0 [ 51.845960] ? __pmd_alloc+0x4e0/0x4e0 [ 51.849818] ? find_held_lock+0x39/0x1d0 [ 51.853847] ? lock_downgrade+0x990/0x990 [ 51.857970] ? handle_mm_fault+0x410/0x8d0 [ 51.862178] ? down_read_trylock+0xdb/0x170 [ 51.866462] ? __do_page_fault+0x31e/0xd60 [ 51.870662] ? __handle_mm_fault+0x39c0/0x39c0 [ 51.875209] ? vmacache_find+0x5f/0x280 [ 51.879147] ? vmacache_update+0xfe/0x130 [ 51.883264] do_group_exit+0x149/0x400 [ 51.887114] ? __do_page_fault+0x3d6/0xd60 [ 51.891317] ? __tun_chr_ioctl+0x3d20/0x3d20 [ 51.895690] ? SyS_exit+0x30/0x30 [ 51.899110] ? do_fast_syscall_32+0x158/0xf05 [ 51.903568] ? do_group_exit+0x400/0x400 [ 51.907599] SyS_exit_group+0x1d/0x20 [ 51.911362] do_fast_syscall_32+0x3f2/0xf05 [ 51.915650] ? do_int80_syscall_32+0x940/0x940 [ 51.920200] ? lockdep_sys_exit+0x47/0xf0 [ 51.924311] ? syscall_return_slowpath+0x2b3/0x510 [ 51.929203] ? finish_task_switch+0x1aa/0x740 [ 51.933662] ? lockdep_sys_exit+0x47/0xf0 [ 51.937775] ? retint_user+0x18/0x20 [ 51.941457] ? 
trace_hardirqs_off_thunk+0x1a/0x1c [ 51.946266] entry_SYSENTER_compat+0x51/0x60 [ 51.950636] RIP: 0023:0xf7f33c79 [ 51.953964] RSP: 002b:000000000820fe2c EFLAGS: 00000202 ORIG_RAX: 00000000000000fc [ 51.961634] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000000000 [ 51.968867] RDX: 0000000000000001 RSI: 000000002049afd8 RDI: 00000000400454ca [ 51.976100] RBP: 0000000008072cb6 R08: 0000000000000000 R09: 0000000000000000 [ 51.983331] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 51.990565] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000