INIT: Entering runlevel: 2
[[36minfo[39;49m] Using makefile-style concurrent boot in runlevel 2.
[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-kasan-gce-1,10.128.15.226' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
executing program
syzkaller login: [   22.643446] ==================================================================
[   22.650904] BUG: KASAN: use-after-free in detach_if_pending+0x557/0x610
[   22.657654] Write of size 8 at addr ffff8801ccd0b740 by task syzkaller907255/2983
[   22.665246] 
[   22.666853] CPU: 1 PID: 2983 Comm: syzkaller907255 Not tainted 4.14.0-rc2+ #111
[   22.674270] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   22.683598] Call Trace:
[   22.686162]  dump_stack+0x194/0x257
[   22.689771]  ? arch_local_irq_restore+0x53/0x53
[   22.694416]  ? show_regs_print_info+0x65/0x65
[   22.698888]  ? lock_timer_base+0x1a3/0x2b0
[   22.703102]  ? detach_if_pending+0x557/0x610
[   22.707488]  print_address_description+0x73/0x250
[   22.712306]  ? detach_if_pending+0x557/0x610
[   22.716691]  kasan_report+0x25b/0x340
[   22.720473]  __asan_report_store8_noabort+0x17/0x20
[   22.725465]  detach_if_pending+0x557/0x610
[   22.729679]  ? trace_raw_output_tick_stop+0x130/0x130
[   22.734870]  ? _raw_spin_lock_irqsave+0x9e/0xc0
[   22.739514]  ? lock_timer_base+0x1a3/0x2b0
[   22.743724]  ? lock_timer_base+0x1eb/0x2b0
[   22.747942]  ? __internal_add_timer+0x2d0/0x2d0
[   22.752590]  ? trace_hardirqs_on+0xd/0x10
[   22.756723]  try_to_del_timer_sync+0xa2/0x120
[   22.761194]  ? del_timer+0x130/0x130
[   22.764888]  ? del_timer_sync+0xeb/0x240
[   22.768937]  del_timer_sync+0x18a/0x240
[   22.772892]  tun_free_netdev+0x105/0x1b0
[   22.776933]  ? tun_xdp+0x410/0x410
[   22.780448]  ? cpumask_next+0x24/0x30
[   22.784227]  ? netdev_refcnt_read+0xed/0x150
[   22.788615]  ? tun_xdp+0x410/0x410
[   22.792130]  netdev_run_todo+0x870/0xca0
[   22.796166]  ? do_group_exit+0x149/0x400
[   22.800209]  ? register_netdev+0x30/0x30
[   22.804249]  ? lock_downgrade+0x990/0x990
[   22.808372]  ? trace_hardirqs_on+0xd/0x10
[   22.812522]  ? refcount_sub_and_test+0x115/0x1b0
[   22.817254]  ? refcount_inc+0x50/0x50
[   22.821031]  ? refcount_inc+0x50/0x50
[   22.824814]  ? sk_destruct+0x4c/0x80
[   22.828503]  ? __sk_free+0x5c/0x230
[   22.832124]  ? sk_free+0x2f/0x40
[   22.835469]  ? __tun_detach+0x176/0x1390
[   22.839519]  ? tun_attach+0xf90/0xf90
[   22.843303]  ? locks_remove_file+0x3fa/0x5a0
[   22.847692]  ? fcntl_setlk+0x10d0/0x10d0
[   22.851730]  ? __fsnotify_parent+0xb4/0x3a0
[   22.856025]  ? fsnotify+0x1af0/0x1af0
[   22.859805]  ? __tun_detach+0x1390/0x1390
[   22.863926]  rtnl_unlock+0xe/0x10
[   22.867349]  tun_chr_close+0x49/0x60
[   22.871033]  __fput+0x333/0x7f0
[   22.874289]  ? fput+0x140/0x140
[   22.877541]  ? check_same_owner+0x320/0x320
[   22.881847]  ____fput+0x15/0x20
[   22.885105]  task_work_run+0x199/0x270
[   22.888970]  ? task_work_cancel+0x210/0x210
[   22.893266]  ? free_nsproxy+0x185/0x1f0
[   22.897215]  ? switch_task_namespaces+0xa2/0xc0
[   22.901866]  do_exit+0x9d2/0x1af0
[   22.905297]  ? mm_update_next_owner+0x930/0x930
[   22.909940]  ? find_held_lock+0x39/0x1d0
[   22.913984]  ? lock_downgrade+0x990/0x990
[   22.918126]  ? handle_mm_fault+0x410/0x8d0
[   22.922329]  ? __do_page_fault+0x31e/0xd60
[   22.926534]  ? __handle_mm_fault+0x39c0/0x39c0
[   22.931085]  ? vmacache_find+0x5f/0x280
[   22.935037]  ? up_read+0x1a/0x40
[   22.938376]  ? __do_page_fault+0x3d6/0xd60
[   22.942590]  ? mm_fault_error+0x2c0/0x2c0
[   22.946711]  ? do_vfs_ioctl+0x492/0x1530
[   22.950751]  ? do_page_fault+0xee/0x720
[   22.954699]  ? __do_page_fault+0xd60/0xd60
[   22.958904]  ? putname+0xf3/0x130
[   22.962333]  do_group_exit+0x149/0x400
[   22.966192]  ? lockdep_sys_exit+0x47/0xf0
[   22.970309]  ? SyS_exit+0x30/0x30
[   22.973735]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   22.978725]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   22.983454]  SyS_exit_group+0x1d/0x20
[   22.987228]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   22.991954] RIP: 0033:0x444db9
[   22.995114] RSP: 002b:00007fff30bbdce8 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7
[   23.002803] RAX: ffffffffffffffda RBX: 00007fff30bbdd30 RCX: 0000000000444db9
[   23.010044] RDX: 0000000000444db9 RSI: 0000000020927fd8 RDI: 0000000000000001
[   23.017283] RBP: 0000000000000086 R08: 0000000000000000 R09: 00007fff30bbdd30
[   23.024522] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000402160
[   23.031763] R13: 00000000004021f0 R14: 0000000000000000 R15: 0000000000000000
[   23.039020] 
[   23.040620] Allocated by task 2983:
[   23.044217]  save_stack_trace+0x16/0x20
[   23.048160]  save_stack+0x43/0xd0
[   23.051581]  kasan_kmalloc+0xad/0xe0
[   23.055264]  __kmalloc_node+0x47/0x70
[   23.059041]  kvmalloc_node+0x64/0xd0
[   23.062726]  alloc_netdev_mqs+0x16e/0xed0
[   23.066844]  __tun_chr_ioctl+0x12be/0x3d20
[   23.071047]  tun_chr_ioctl+0x2a/0x40
[   23.074730]  do_vfs_ioctl+0x1b1/0x1530
[   23.078586]  SyS_ioctl+0x8f/0xc0
[   23.081921]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   23.086642] 
[   23.088239] Freed by task 2983:
[   23.091491]  save_stack_trace+0x16/0x20
[   23.095434]  save_stack+0x43/0xd0
[   23.098857]  kasan_slab_free+0x71/0xc0
[   23.102713]  kfree+0xca/0x250
[   23.105912]  kvfree+0x36/0x60
[   23.108996]  free_netdev+0x2cf/0x360
[   23.112681]  __tun_chr_ioctl+0x2cf6/0x3d20
[   23.116914]  tun_chr_ioctl+0x2a/0x40
[   23.120599]  do_vfs_ioctl+0x1b1/0x1530
[   23.124456]  SyS_ioctl+0x8f/0xc0
[   23.127794]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   23.132520] 
[   23.134121] The buggy address belongs to the object at ffff8801ccd08340
[   23.134121]  which belongs to the cache kmalloc-16384 of size 16384
[   23.147095] The buggy address is located 13312 bytes inside of
[   23.147095]  16384-byte region [ffff8801ccd08340, ffff8801ccd0c340)
[   23.159284] The buggy address belongs to the page:
[   23.164183] page:ffffea0007334200 count:1 mapcount:0 mapping:ffff8801ccd08340 index:0x0 compound_mapcount: 0
[   23.174127] flags: 0x200000000008100(slab|head)
[   23.178767] raw: 0200000000008100 ffff8801ccd08340 0000000000000000 0000000100000001
[   23.186617] raw: ffffea0007330820 ffff8801dac01c50 ffff8801dac02200 0000000000000000
[   23.194465] page dumped because: kasan: bad access detected
[   23.200143] 
[   23.201741] Memory state around the buggy address:
[   23.206639]  ffff8801ccd0b600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.213977]  ffff8801ccd0b680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.221314] >ffff8801ccd0b700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.228641]                                            ^
[   23.234059]  ffff8801ccd0b780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.241388]  ffff8801ccd0b800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.248714] ==================================================================
[   23.256040] Disabling lock debugging due to kernel taint
[   23.261455] Kernel panic - not syncing: panic_on_warn set ...
[   23.261455] 
[   23.268784] CPU: 1 PID: 2983 Comm: syzkaller907255 Tainted: G    B           4.14.0-rc2+ #111
[   23.277406] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   23.286723] Call Trace:
[   23.289279]  dump_stack+0x194/0x257
[   23.293221]  ? arch_local_irq_restore+0x53/0x53
[   23.297857]  ? vprintk_default+0x28/0x30
[   23.301883]  ? detach_if_pending+0x500/0x610
[   23.306257]  panic+0x1e4/0x417
[   23.309414]  ? __warn+0x1d9/0x1d9
[   23.312839]  ? detach_if_pending+0x557/0x610
[   23.317211]  kasan_end_report+0x50/0x50
[   23.321148]  kasan_report+0x144/0x340
[   23.324916]  __asan_report_store8_noabort+0x17/0x20
[   23.329894]  detach_if_pending+0x557/0x610
[   23.334095]  ? trace_raw_output_tick_stop+0x130/0x130
[   23.339250]  ? _raw_spin_lock_irqsave+0x9e/0xc0
[   23.343881]  ? lock_timer_base+0x1a3/0x2b0
[   23.348080]  ? lock_timer_base+0x1eb/0x2b0
[   23.352280]  ? __internal_add_timer+0x2d0/0x2d0
[   23.356914]  ? trace_hardirqs_on+0xd/0x10
[   23.361031]  try_to_del_timer_sync+0xa2/0x120
[   23.365492]  ? del_timer+0x130/0x130
[   23.369171]  ? del_timer_sync+0xeb/0x240
[   23.373199]  del_timer_sync+0x18a/0x240
[   23.377139]  tun_free_netdev+0x105/0x1b0
[   23.381164]  ? tun_xdp+0x410/0x410
[   23.384671]  ? cpumask_next+0x24/0x30
[   23.388818]  ? netdev_refcnt_read+0xed/0x150
[   23.393193]  ? tun_xdp+0x410/0x410
[   23.396698]  netdev_run_todo+0x870/0xca0
[   23.400724]  ? do_group_exit+0x149/0x400
[   23.404752]  ? register_netdev+0x30/0x30
[   23.408781]  ? lock_downgrade+0x990/0x990
[   23.412894]  ? trace_hardirqs_on+0xd/0x10
[   23.417020]  ? refcount_sub_and_test+0x115/0x1b0
[   23.421740]  ? refcount_inc+0x50/0x50
[   23.425506]  ? refcount_inc+0x50/0x50
[   23.429277]  ? sk_destruct+0x4c/0x80
[   23.432954]  ? __sk_free+0x5c/0x230
[   23.436547]  ? sk_free+0x2f/0x40
[   23.439877]  ? __tun_detach+0x176/0x1390
[   23.443908]  ? tun_attach+0xf90/0xf90
[   23.447681]  ? locks_remove_file+0x3fa/0x5a0
[   23.452056]  ? fcntl_setlk+0x10d0/0x10d0
[   23.456083]  ? __fsnotify_parent+0xb4/0x3a0
[   23.460370]  ? fsnotify+0x1af0/0x1af0
[   23.464140]  ? __tun_detach+0x1390/0x1390
[   23.468253]  rtnl_unlock+0xe/0x10
[   23.471673]  tun_chr_close+0x49/0x60
[   23.475352]  __fput+0x333/0x7f0
[   23.478601]  ? fput+0x140/0x140
[   23.481846]  ? check_same_owner+0x320/0x320
[   23.486135]  ____fput+0x15/0x20
[   23.489379]  task_work_run+0x199/0x270
[   23.493233]  ? task_work_cancel+0x210/0x210
[   23.497518]  ? free_nsproxy+0x185/0x1f0
[   23.501459]  ? switch_task_namespaces+0xa2/0xc0
[   23.506094]  do_exit+0x9d2/0x1af0
[   23.509514]  ? mm_update_next_owner+0x930/0x930
[   23.514147]  ? find_held_lock+0x39/0x1d0
[   23.518178]  ? lock_downgrade+0x990/0x990
[   23.522302]  ? handle_mm_fault+0x410/0x8d0
[   23.526502]  ? __do_page_fault+0x31e/0xd60
[   23.530702]  ? __handle_mm_fault+0x39c0/0x39c0
[   23.535249]  ? vmacache_find+0x5f/0x280
[   23.539190]  ? up_read+0x1a/0x40
[   23.542520]  ? __do_page_fault+0x3d6/0xd60
[   23.546722]  ? mm_fault_error+0x2c0/0x2c0
[   23.550836]  ? do_vfs_ioctl+0x492/0x1530
[   23.554866]  ? do_page_fault+0xee/0x720
[   23.558814]  ? __do_page_fault+0xd60/0xd60
[   23.563014]  ? putname+0xf3/0x130
[   23.566438]  do_group_exit+0x149/0x400
[   23.570297]  ? lockdep_sys_exit+0x47/0xf0
[   23.574410]  ? SyS_exit+0x30/0x30
[   23.577828]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   23.582822]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   23.587545]  SyS_exit_group+0x1d/0x20
[   23.591312]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   23.596032] RIP: 0033:0x444db9
[   23.599191] RSP: 002b:00007fff30bbdce8 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7
[   23.606862] RAX: ffffffffffffffda RBX: 00007fff30bbdd30 RCX: 0000000000444db9
[   23.614096] RDX: 0000000000444db9 RSI: 0000000020927fd8 RDI: 0000000000000001
[   23.621331] RBP: 0000000000000086 R08: 0000000000000000 R09: 00007fff30bbdd30
[   23.628566] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000402160
[   23.635800] R13: 00000000004021f0 R14: 0000000000000000 R15: 0000000000000000