executing program executing program syzkaller login: [ 27.860817] ================================================================== [ 27.861687] BUG: KASAN: use-after-free in __internal_add_timer+0x275/0x2d0 [ 27.862324] Write of size 8 at addr ffff8800684fb688 by task syzkaller095943/2996 [ 27.863008] [ 27.863204] CPU: 3 PID: 2996 Comm: syzkaller095943 Not tainted 4.13.0-next-20170908+ #18 [ 27.864091] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 [ 27.864830] Call Trace: [ 27.865072] dump_stack+0x194/0x257 [ 27.865405] ? arch_local_irq_restore+0x53/0x53 [ 27.865828] ? show_regs_print_info+0x65/0x65 [ 27.866239] ? __kernel_text_address+0xae/0xe0 [ 27.866654] ? __internal_add_timer+0x275/0x2d0 [ 27.867477] print_address_description+0x73/0x250 [ 27.867926] ? __internal_add_timer+0x275/0x2d0 [ 27.868346] kasan_report+0x24e/0x340 [ 27.868692] __asan_report_store8_noabort+0x17/0x20 [ 27.869139] __internal_add_timer+0x275/0x2d0 [ 27.869566] ? calc_wheel_index+0x200/0x200 [ 27.869966] mod_timer+0x622/0x15b0 [ 27.870303] ? mod_timer_pending+0x14e0/0x14e0 [ 27.870718] ? __lock_is_held+0xbc/0x140 [ 27.871169] ? __lock_is_held+0xbc/0x140 [ 27.871599] ? __lockdep_init_map+0xe4/0x650 [ 27.871993] ? lockdep_init_map+0x3d/0x70 [ 27.872500] ? rcu_read_lock_sched_held+0x108/0x120 [ 27.872962] ? init_timer_key+0x126/0x3b0 [ 27.873432] ? try_to_del_timer_sync+0x120/0x120 [ 27.873983] ? round_jiffies_up+0xce/0x100 [ 27.874488] ? __round_jiffies_up_relative+0x150/0x150 [ 27.874861] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 27.875305] ? selinux_tun_dev_alloc_security+0x124/0x170 [ 27.875819] __tun_chr_ioctl+0x1b23/0x3d20 [ 27.876214] ? tun_chr_read_iter+0x1e0/0x1e0 [ 27.876623] ? lock_downgrade+0x990/0x990 [ 27.877020] ? check_same_owner+0x320/0x320 [ 27.877411] ? __handle_mm_fault+0x39c0/0x39c0 [ 27.877826] ? vmacache_find+0x61/0x270 [ 27.878193] ? tun_chr_compat_ioctl+0x30/0x30 [ 27.878608] tun_chr_ioctl+0x2a/0x40 [ 27.878947] ? tun_chr_ioctl+0x2a/0x40 [ 27.879303] do_vfs_ioctl+0x1b1/0x1530 [ 27.879682] ? ioctl_preallocate+0x2b0/0x2b0 [ 27.880080] ? selinux_capable+0x40/0x40 [ 27.880445] ? putname+0xf3/0x130 [ 27.880761] ? do_sys_open+0x320/0x6d0 [ 27.881120] ? security_file_ioctl+0x7d/0xb0 [ 27.881515] ? security_file_ioctl+0x89/0xb0 [ 27.881970] SyS_ioctl+0x8f/0xc0 [ 27.882309] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 27.882766] RIP: 0033:0x439029 [ 27.883055] RSP: 002b:00007ffe2b5e4898 EFLAGS: 00000202 ORIG_RAX: 0000000000000010 [ 27.883754] RAX: ffffffffffffffda RBX: 00000000006cbac0 RCX: 0000000000439029 [ 27.884407] RDX: 0000000020574000 RSI: 00000000400454ca RDI: 0000000000000004 [ 27.885059] RBP: 0000000000000082 R08: 00000000000000fd R09: 0000000000000000 [ 27.885709] R10: 0000000000000000 R11: 0000000000000202 R12: ffffffffffffffff [ 27.886362] R13: 74656e2f7665642f R14: 0000000000401d10 R15: 0000000000000000 [ 27.887026] [ 27.887179] Allocated by task 2996: [ 27.887515] save_stack_trace+0x16/0x20 [ 27.887872] save_stack+0x43/0xd0 [ 27.888184] kasan_kmalloc+0xad/0xe0 [ 27.888993] __kmalloc_node+0x47/0x70 [ 27.889342] kvmalloc_node+0x64/0xd0 [ 27.889680] alloc_netdev_mqs+0x16e/0xed0 [ 27.890080] __tun_chr_ioctl+0x12be/0x3d20 [ 27.890464] tun_chr_ioctl+0x2a/0x40 [ 27.890803] do_vfs_ioctl+0x1b1/0x1530 [ 27.891178] SyS_ioctl+0x8f/0xc0 [ 27.891501] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 27.891935] [ 27.892087] Freed by task 2996: [ 27.892387] save_stack_trace+0x16/0x20 [ 27.892800] save_stack+0x43/0xd0 [ 27.893141] kasan_slab_free+0x71/0xc0 [ 27.893508] kfree+0xca/0x250 [ 27.893857] kvfree+0x36/0x60 [ 27.894142] free_netdev+0x2cf/0x360 [ 27.894480] __tun_chr_ioctl+0x2cf6/0x3d20 [ 27.894864] tun_chr_ioctl+0x2a/0x40 [ 27.895204] do_vfs_ioctl+0x1b1/0x1530 [ 27.895565] SyS_ioctl+0x8f/0xc0 [ 27.895873] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 27.896302] [ 27.896456] The buggy address belongs to the object at ffff8800684f8280 [ 27.896456] which belongs to the cache kmalloc-16384 of size 16384 [ 27.897613] The buggy address is located 13320 bytes inside of [ 27.897613] 16384-byte region [ffff8800684f8280, ffff8800684fc280) [ 27.898712] The buggy address belongs to the page: [ 27.899160] page:ffffea0001a13e00 count:1 mapcount:0 mapping:ffff8800684f8280 index:0x0 compound_mapcount: 0 [ 27.900057] flags: 0x500000000008100(slab|head) [ 27.900476] raw: 0500000000008100 ffff8800684f8280 0000000000000000 0000000100000001 [ 27.901174] raw: ffffea0001a9ca20 ffffea0001a7bc20 ffff88003e802200 0000000000000000 [ 27.901870] page dumped because: kasan: bad access detected [ 27.902379] [ 27.902528] Memory state around the buggy address: [ 27.902969] ffff8800684fb580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.903635] ffff8800684fb600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.904299] >ffff8800684fb680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.904959] ^ [ 27.905290] ffff8800684fb700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.905952] ffff8800684fb780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.906612] ================================================================== [ 27.907274] Disabling lock debugging due to kernel taint [ 27.907763] Kernel panic - not syncing: panic_on_warn set ... [ 27.907763] [ 27.908416] CPU: 3 PID: 2996 Comm: syzkaller095943 Tainted: G B 4.13.0-next-20170908+ #18 [ 27.909249] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 [ 27.910497] Call Trace: [ 27.910735] dump_stack+0x194/0x257 [ 27.911060] ? arch_local_irq_restore+0x53/0x53 [ 27.911475] ? vprintk_default+0x28/0x30 [ 27.911852] ? __internal_add_timer+0x270/0x2d0 [ 27.912263] panic+0x1e4/0x417 [ 27.912548] ? __warn+0x1d9/0x1d9 [ 27.912857] ? __internal_add_timer+0x275/0x2d0 [ 27.913268] kasan_end_report+0x50/0x50 [ 27.913617] kasan_report+0x137/0x340 [ 27.913954] __asan_report_store8_noabort+0x17/0x20 [ 27.914392] __internal_add_timer+0x275/0x2d0 [ 27.914790] ? calc_wheel_index+0x200/0x200 [ 27.915227] mod_timer+0x622/0x15b0 [ 27.915553] ? mod_timer_pending+0x14e0/0x14e0 [ 27.915965] ? __lock_is_held+0xbc/0x140 [ 27.916333] ? __lock_is_held+0xbc/0x140 [ 27.916678] ? __lockdep_init_map+0xe4/0x650 [ 27.917060] ? lockdep_init_map+0x3d/0x70 [ 27.917480] ? rcu_read_lock_sched_held+0x108/0x120 [ 27.918015] ? init_timer_key+0x126/0x3b0 [ 27.918384] ? try_to_del_timer_sync+0x120/0x120 [ 27.918799] ? round_jiffies_up+0xce/0x100 [ 27.919170] ? __round_jiffies_up_relative+0x150/0x150 [ 27.919640] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 27.920068] ? selinux_tun_dev_alloc_security+0x124/0x170 [ 27.920555] __tun_chr_ioctl+0x1b23/0x3d20 [ 27.920941] ? tun_chr_read_iter+0x1e0/0x1e0 [ 27.921371] ? lock_downgrade+0x990/0x990 [ 27.921746] ? check_same_owner+0x320/0x320 [ 27.922122] ? __handle_mm_fault+0x39c0/0x39c0 [ 27.922629] ? vmacache_find+0x61/0x270 [ 27.922978] ? tun_chr_compat_ioctl+0x30/0x30 [ 27.923407] tun_chr_ioctl+0x2a/0x40 [ 27.923803] ? tun_chr_ioctl+0x2a/0x40 [ 27.924142] do_vfs_ioctl+0x1b1/0x1530 [ 27.924522] ? ioctl_preallocate+0x2b0/0x2b0 [ 27.924922] ? selinux_capable+0x40/0x40 [ 27.925276] ? putname+0xf3/0x130 [ 27.925646] ? do_sys_open+0x320/0x6d0 [ 27.926005] ? security_file_ioctl+0x7d/0xb0 [ 27.926428] ? security_file_ioctl+0x89/0xb0 [ 27.926868] SyS_ioctl+0x8f/0xc0 [ 27.927207] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 27.927627] RIP: 0033:0x439029 [ 27.927906] RSP: 002b:00007ffe2b5e4898 EFLAGS: 00000202 ORIG_RAX: 0000000000000010 [ 27.928574] RAX: ffffffffffffffda RBX: 00000000006cbac0 RCX: 0000000000439029 [ 27.929202] RDX: 0000000020574000 RSI: 00000000400454ca RDI: 0000000000000004 [ 27.929857] RBP: 0000000000000082 R08: 00000000000000fd R09: 0000000000000000 [ 27.930444] R10: 0000000000000000 R11: 0000000000000202 R12: ffffffffffffffff [ 27.931617] R13: 74656e2f7665642f R14: 0000000000401d10 R15: 0000000000000000 [ 27.932370] Dumping ftrace buffer: [ 27.932707] (ftrace buffer empty) [ 27.933015] Kernel Offset: disabled [ 27.933378] Rebooting in 86400 seconds..