net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
executing program
syzkaller login: [   24.020235] ==================================================================
[   24.021222] BUG: KASAN: use-after-free in detach_if_pending+0x557/0x610
[   24.021942] Write of size 8 at addr ffff88006c353880 by task syzkaller190246/3007
[   24.022625] 
[   24.022748] CPU: 2 PID: 3007 Comm: syzkaller190246 Not tainted 4.13.0-next-20170906+ #16
[   24.023471] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[   24.024325] Call Trace:
[   24.024614]  dump_stack+0x194/0x257
[   24.025325]  ? arch_local_irq_restore+0x53/0x53
[   24.025914]  ? show_regs_print_info+0x65/0x65
[   24.026555]  ? lock_timer_base+0x1a3/0x2b0
[   24.027012]  ? detach_if_pending+0x557/0x610
[   24.027569]  print_address_description+0x73/0x250
[   24.028109]  ? detach_if_pending+0x557/0x610
[   24.028614]  kasan_report+0x24e/0x340
[   24.029101]  __asan_report_store8_noabort+0x17/0x20
[   24.029657]  detach_if_pending+0x557/0x610
[   24.030109]  ? trace_raw_output_tick_stop+0x130/0x130
[   24.030651]  ? _raw_spin_lock_irqsave+0x9e/0xc0
[   24.031322]  ? lock_timer_base+0x1a3/0x2b0
[   24.031751]  ? lock_timer_base+0x1eb/0x2b0
[   24.032252]  ? __internal_add_timer+0x2d0/0x2d0
[   24.032747]  ? trace_hardirqs_on+0xd/0x10
[   24.033083]  try_to_del_timer_sync+0xa2/0x120
[   24.033497]  ? del_timer+0x130/0x130
[   24.033878]  ? del_timer_sync+0xeb/0x240
[   24.034180]  del_timer_sync+0x18a/0x240
[   24.034464]  tun_free_netdev+0x105/0x1b0
[   24.034871]  ? tun_xdp+0x410/0x410
[   24.035166]  ? cpumask_next+0x24/0x30
[   24.035525]  ? netdev_refcnt_read+0xed/0x150
[   24.035906]  ? tun_xdp+0x410/0x410
[   24.036173]  netdev_run_todo+0x870/0xca0
[   24.036479]  ? do_group_exit+0x149/0x400
[   24.036796]  ? register_netdev+0x30/0x30
[   24.037177]  ? lock_downgrade+0x990/0x990
[   24.037561]  ? trace_hardirqs_on+0xd/0x10
[   24.037871]  ? refcount_sub_and_test+0x115/0x1b0
[   24.038217]  ? refcount_inc+0x50/0x50
[   24.038573]  ? refcount_inc+0x50/0x50
[   24.038849]  ? sk_destruct+0x4c/0x80
[   24.039147]  ? __sk_free+0x5c/0x230
[   24.039485]  ? sk_free+0x2f/0x40
[   24.039799]  ? __tun_detach+0x176/0x1390
[   24.040647]  ? tun_attach+0xf90/0xf90
[   24.041008]  ? locks_remove_file+0x3fa/0x5a0
[   24.041422]  ? fcntl_setlk+0x10d0/0x10d0
[   24.041803]  ? __fsnotify_parent+0xb4/0x3a0
[   24.042212]  ? fsnotify+0x1af0/0x1af0
[   24.042571]  ? __tun_detach+0x1390/0x1390
[   24.042959]  ? __tun_detach+0x1390/0x1390
[   24.043345]  rtnl_unlock+0xe/0x10
[   24.043667]  tun_chr_close+0x49/0x60
[   24.044015]  __fput+0x333/0x7f0
[   24.044326]  ? fput+0x140/0x140
[   24.044634]  ? check_same_owner+0x320/0x320
[   24.045043]  ____fput+0x15/0x20
[   24.045352]  task_work_run+0x199/0x270
[   24.045716]  ? task_work_cancel+0x210/0x210
[   24.046122]  ? free_nsproxy+0x185/0x1f0
[   24.046495]  ? switch_task_namespaces+0xa2/0xc0
[   24.046929]  do_exit+0xa52/0x1b40
[   24.047254]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   24.047717]  ? trace_hardirqs_on+0xd/0x10
[   24.048109]  ? kvfree+0x3b/0x60
[   24.048417]  ? mm_update_next_owner+0x930/0x930
[   24.048847]  ? rtnl_unlock+0xe/0x10
[   24.049178]  ? __tun_chr_ioctl+0x27a/0x3d20
[   24.049583]  ? tun_chr_read_iter+0x1e0/0x1e0
[   24.049997]  ? lock_downgrade+0x990/0x990
[   24.050409]  ? check_same_owner+0x320/0x320
[   24.050806]  ? __handle_mm_fault+0x39c0/0x39c0
[   24.051217]  ? vmacache_find+0x61/0x270
[   24.051596]  ? tun_chr_compat_ioctl+0x30/0x30
[   24.052011]  ? tun_chr_ioctl+0x2a/0x40
[   24.052371]  ? tun_chr_ioctl+0x2a/0x40
[   24.052734]  ? do_vfs_ioctl+0x492/0x1530
[   24.053115]  ? ioctl_preallocate+0x2b0/0x2b0
[   24.053526]  ? selinux_capable+0x40/0x40
[   24.053904]  ? putname+0xf3/0x130
[   24.054236]  do_group_exit+0x149/0x400
[   24.054595]  ? SyS_exit+0x30/0x30
[   24.054915]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   24.055377]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   24.055816]  SyS_exit_group+0x1d/0x20
[   24.056170]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   24.056587] RIP: 0033:0x43a509
[   24.056882] RSP: 002b:00007ffd8ab7e8a8 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7
[   24.057586] RAX: ffffffffffffffda RBX: 00007ffd8ab7ea40 RCX: 000000000043a509
[   24.058253] RDX: 000000000043a509 RSI: 0000000020661fd8 RDI: 0000000000000001
[   24.058916] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[   24.059581] R10: 00000000000000fd R11: 0000000000000202 R12: 0000000000000000
[   24.060248] R13: 0000000000402840 R14: 00000000004028d0 R15: 0000000000000000
[   24.060929] 
[   24.061084] Allocated by task 3007:
[   24.061943]  save_stack_trace+0x16/0x20
[   24.062283]  save_stack+0x43/0xd0
[   24.062631]  kasan_kmalloc+0xad/0xe0
[   24.062907]  __kmalloc_node+0x47/0x70
[   24.063180]  kvmalloc_node+0x64/0xd0
[   24.063440]  alloc_netdev_mqs+0x16e/0xed0
[   24.063822]  __tun_chr_ioctl+0x12be/0x3d20
[   24.064308]  tun_chr_ioctl+0x2a/0x40
[   24.064793]  do_vfs_ioctl+0x1b1/0x1530
[   24.065255]  SyS_ioctl+0x8f/0xc0
[   24.065691]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   24.066227] 
[   24.066449] Freed by task 3007:
[   24.066787]  save_stack_trace+0x16/0x20
[   24.067181]  save_stack+0x43/0xd0
[   24.067542]  kasan_slab_free+0x71/0xc0
[   24.067939]  kfree+0xca/0x250
[   24.068243]  kvfree+0x36/0x60
[   24.068593]  free_netdev+0x2cf/0x360
[   24.069166]  __tun_chr_ioctl+0x2cf6/0x3d20
[   24.069574]  tun_chr_ioctl+0x2a/0x40
[   24.069947]  do_vfs_ioctl+0x1b1/0x1530
[   24.070384]  SyS_ioctl+0x8f/0xc0
[   24.070737]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   24.071197] 
[   24.071385] The buggy address belongs to the object at ffff88006c350480
[   24.071385]  which belongs to the cache kmalloc-16384 of size 16384
[   24.072616] The buggy address is located 13312 bytes inside of
[   24.072616]  16384-byte region [ffff88006c350480, ffff88006c354480)
[   24.073765] The buggy address belongs to the page:
[   24.074240] page:ffffea0001b0d400 count:1 mapcount:0 mapping:ffff88006c350480 index:0x0 compound_mapcount: 0
[   24.075198] flags: 0x500000000008100(slab|head)
[   24.075671] raw: 0500000000008100 ffff88006c350480 0000000000000000 0000000100000001
[   24.076441] raw: ffffea0001adc820 ffff88006d800c50 ffff88003e802200 0000000000000000
[   24.077204] page dumped because: kasan: bad access detected
[   24.077738] 
[   24.077908] Memory state around the buggy address:
[   24.078394]  ffff88006c353780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.079084]  ffff88006c353800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.079794] >ffff88006c353880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.080484]                    ^
[   24.080905]  ffff88006c353900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.081643]  ffff88006c353980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.082414] ==================================================================
[   24.084142] Disabling lock debugging due to kernel taint
[   24.084814] Kernel panic - not syncing: panic_on_warn set ...
[   24.084814] 
[   24.085764] CPU: 2 PID: 3007 Comm: syzkaller190246 Tainted: G    B           4.13.0-next-20170906+ #16
[   24.086756] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[   24.087540] Call Trace:
[   24.087798]  dump_stack+0x194/0x257
[   24.088278]  ? arch_local_irq_restore+0x53/0x53
[   24.088856]  ? vprintk_default+0x28/0x30
[   24.089348]  ? detach_if_pending+0x530/0x610
[   24.089926]  panic+0x1e4/0x417
[   24.090360]  ? __warn+0x1d9/0x1d9
[   24.090839]  ? detach_if_pending+0x557/0x610
[   24.091261]  kasan_end_report+0x50/0x50
[   24.091636]  kasan_report+0x137/0x340
[   24.091988]  __asan_report_store8_noabort+0x17/0x20
[   24.092446]  detach_if_pending+0x557/0x610
[   24.092831]  ? trace_raw_output_tick_stop+0x130/0x130
[   24.093302]  ? _raw_spin_lock_irqsave+0x9e/0xc0
[   24.093723]  ? lock_timer_base+0x1a3/0x2b0
[   24.094112]  ? lock_timer_base+0x1eb/0x2b0
[   24.094571]  ? __internal_add_timer+0x2d0/0x2d0
[   24.095154]  ? trace_hardirqs_on+0xd/0x10
[   24.095674]  try_to_del_timer_sync+0xa2/0x120
[   24.096232]  ? del_timer+0x130/0x130
[   24.096678]  ? del_timer_sync+0xeb/0x240
[   24.097185]  del_timer_sync+0x18a/0x240
[   24.097669]  tun_free_netdev+0x105/0x1b0
[   24.098197]  ? tun_xdp+0x410/0x410
[   24.098529]  ? cpumask_next+0x24/0x30
[   24.098879]  ? netdev_refcnt_read+0xed/0x150
[   24.099279]  ? tun_xdp+0x410/0x410
[   24.099599]  netdev_run_todo+0x870/0xca0
[   24.099967]  ? do_group_exit+0x149/0x400
[   24.100339]  ? register_netdev+0x30/0x30
[   24.100713]  ? lock_downgrade+0x990/0x990
[   24.101090]  ? trace_hardirqs_on+0xd/0x10
[   24.101478]  ? refcount_sub_and_test+0x115/0x1b0
[   24.101912]  ? refcount_inc+0x50/0x50
[   24.102286]  ? refcount_inc+0x50/0x50
[   24.102643]  ? sk_destruct+0x4c/0x80
[   24.102986]  ? __sk_free+0x5c/0x230
[   24.103324]  ? sk_free+0x2f/0x40
[   24.103626]  ? __tun_detach+0x176/0x1390
[   24.104008]  ? tun_attach+0xf90/0xf90
[   24.104698]  ? locks_remove_file+0x3fa/0x5a0
[   24.105066]  ? fcntl_setlk+0x10d0/0x10d0
[   24.105408]  ? __fsnotify_parent+0xb4/0x3a0
[   24.105814]  ? fsnotify+0x1af0/0x1af0
[   24.106185]  ? __tun_detach+0x1390/0x1390
[   24.106569]  ? __tun_detach+0x1390/0x1390
[   24.106953]  rtnl_unlock+0xe/0x10
[   24.107273]  tun_chr_close+0x49/0x60
[   24.107615]  __fput+0x333/0x7f0
[   24.107921]  ? fput+0x140/0x140
[   24.108224]  ? check_same_owner+0x320/0x320
[   24.108625]  ____fput+0x15/0x20
[   24.108930]  task_work_run+0x199/0x270
[   24.109290]  ? task_work_cancel+0x210/0x210
[   24.109690]  ? free_nsproxy+0x185/0x1f0
[   24.110057]  ? switch_task_namespaces+0xa2/0xc0
[   24.110495]  do_exit+0xa52/0x1b40
[   24.110856]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   24.111313]  ? trace_hardirqs_on+0xd/0x10
[   24.111694]  ? kvfree+0x3b/0x60
[   24.111997]  ? mm_update_next_owner+0x930/0x930
[   24.112429]  ? rtnl_unlock+0xe/0x10
[   24.112802]  ? __tun_chr_ioctl+0x27a/0x3d20
[   24.113200]  ? tun_chr_read_iter+0x1e0/0x1e0
[   24.113612]  ? lock_downgrade+0x990/0x990
[   24.114002]  ? check_same_owner+0x320/0x320
[   24.114400]  ? __handle_mm_fault+0x39c0/0x39c0
[   24.114823]  ? vmacache_find+0x61/0x270
[   24.115188]  ? tun_chr_compat_ioctl+0x30/0x30
[   24.115600]  ? tun_chr_ioctl+0x2a/0x40
[   24.115956]  ? tun_chr_ioctl+0x2a/0x40
[   24.116314]  ? do_vfs_ioctl+0x492/0x1530
[   24.116690]  ? ioctl_preallocate+0x2b0/0x2b0
[   24.117114]  ? selinux_capable+0x40/0x40
[   24.117500]  ? putname+0xf3/0x130
[   24.117819]  do_group_exit+0x149/0x400
[   24.118178]  ? SyS_exit+0x30/0x30
[   24.118497]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   24.118958]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   24.119387]  SyS_exit_group+0x1d/0x20
[   24.119739]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   24.120178] RIP: 0033:0x43a509
[   24.120468] RSP: 002b:00007ffd8ab7e8a8 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7
[   24.121178] RAX: ffffffffffffffda RBX: 00007ffd8ab7ea40 RCX: 000000000043a509
[   24.121840] RDX: 000000000043a509 RSI: 0000000020661fd8 RDI: 0000000000000001
[   24.122501] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[   24.123166] R10: 00000000000000fd R11: 0000000000000202 R12: 0000000000000000
[   24.123836] R13: 0000000000402840 R14: 00000000004028d0 R15: 0000000000000000
[   24.125856] Dumping ftrace buffer:
[   24.126191]    (ftrace buffer empty)
[   24.126532] Kernel Offset: disabled
[   24.126875] Rebooting in 86400 seconds..