net.ipv6.conf.syz0.accept_dad = 0 net.ipv6.conf.syz0.router_solicitations = 0 executing program syzkaller login: [ 27.636075] ================================================================== [ 27.637005] BUG: KASAN: use-after-free in detach_if_pending+0x557/0x610 [ 27.637750] Write of size 8 at addr ffff8800690fb780 by task syzkaller366432/2987 [ 27.638587] [ 27.638782] CPU: 2 PID: 2987 Comm: syzkaller366432 Not tainted 4.13.0-rc7-next-20170901+ #13 [ 27.639737] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 [ 27.640654] Call Trace: [ 27.641008] dump_stack+0x194/0x257 [ 27.641427] ? arch_local_irq_restore+0x53/0x53 [ 27.641954] ? show_regs_print_info+0x65/0x65 [ 27.642533] ? lock_timer_base+0x1a3/0x2b0 [ 27.643017] ? detach_if_pending+0x557/0x610 [ 27.643527] print_address_description+0x73/0x250 [ 27.644059] ? detach_if_pending+0x557/0x610 [ 27.644568] kasan_report+0x24e/0x340 [ 27.645035] __asan_report_store8_noabort+0x17/0x20 [ 27.645599] detach_if_pending+0x557/0x610 [ 27.646073] ? trace_raw_output_tick_stop+0x130/0x130 [ 27.646668] ? _raw_spin_lock_irqsave+0x9e/0xc0 [ 27.647194] ? lock_timer_base+0x1a3/0x2b0 [ 27.647629] ? lock_timer_base+0x1eb/0x2b0 [ 27.648370] ? __internal_add_timer+0x2d0/0x2d0 [ 27.648915] ? trace_hardirqs_on+0xd/0x10 [ 27.649466] try_to_del_timer_sync+0xa2/0x120 [ 27.649970] ? del_timer+0x130/0x130 [ 27.650477] ? del_timer_sync+0xeb/0x240 [ 27.650945] del_timer_sync+0x18a/0x240 [ 27.651479] tun_free_netdev+0x105/0x1b0 [ 27.651947] ? tun_xdp+0x410/0x410 [ 27.652539] ? cpumask_next+0x24/0x30 [ 27.652963] ? netdev_refcnt_read+0xed/0x150 [ 27.653536] ? tun_xdp+0x410/0x410 [ 27.653930] netdev_run_todo+0x870/0xca0 [ 27.654451] ? do_group_exit+0x149/0x400 [ 27.654911] ? register_netdev+0x30/0x30 [ 27.655431] ? lock_downgrade+0x990/0x990 [ 27.655897] ? trace_hardirqs_on+0xd/0x10 [ 27.656475] ? refcount_sub_and_test+0x115/0x1b0 [ 27.656993] ? refcount_inc+0x50/0x50 [ 27.657475] ? refcount_inc+0x50/0x50 [ 27.657895] ? sk_destruct+0x4c/0x80 [ 27.658366] ? __sk_free+0x5c/0x230 [ 27.658776] ? sk_free+0x2f/0x40 [ 27.659286] ? __tun_detach+0x176/0x1390 [ 27.659753] ? tun_attach+0xf90/0xf90 [ 27.660276] ? locks_remove_file+0x3fa/0x5a0 [ 27.660792] ? fcntl_setlk+0x10d0/0x10d0 [ 27.661314] ? __fsnotify_parent+0xb4/0x3a0 [ 27.661778] ? fsnotify+0x1af0/0x1af0 [ 27.662592] ? rcu_note_context_switch+0x710/0x710 [ 27.664118] ? __tun_detach+0x1390/0x1390 [ 27.664945] ? __tun_detach+0x1390/0x1390 [ 27.666221] rtnl_unlock+0xe/0x10 [ 27.667359] tun_chr_close+0x49/0x60 [ 27.668903] __fput+0x333/0x7f0 [ 27.670675] ? fput+0x140/0x140 [ 27.671451] ? check_same_owner+0x320/0x320 [ 27.672394] ____fput+0x15/0x20 [ 27.673177] task_work_run+0x199/0x270 [ 27.673945] ? task_work_cancel+0x210/0x210 [ 27.674873] ? free_nsproxy+0x185/0x1f0 [ 27.675735] ? switch_task_namespaces+0xa2/0xc0 [ 27.676821] do_exit+0xa52/0x1b40 [ 27.677532] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 27.678590] ? trace_hardirqs_on+0xd/0x10 [ 27.679568] ? kvfree+0x3b/0x60 [ 27.680353] ? mm_update_next_owner+0x930/0x930 [ 27.681398] ? rtnl_unlock+0xe/0x10 [ 27.682291] ? __tun_chr_ioctl+0x27a/0x3d20 [ 27.683267] ? tun_chr_read_iter+0x1e0/0x1e0 [ 27.683849] ? lock_downgrade+0x990/0x990 [ 27.684490] ? check_same_owner+0x320/0x320 [ 27.685129] ? __handle_mm_fault+0x39c0/0x39c0 [ 27.685759] ? vmacache_find+0x61/0x270 [ 27.686617] ? tun_chr_compat_ioctl+0x30/0x30 [ 27.687527] ? tun_chr_ioctl+0x2a/0x40 [ 27.688281] ? tun_chr_ioctl+0x2a/0x40 [ 27.688712] ? do_vfs_ioctl+0x492/0x1530 [ 27.689225] ? _cond_resched+0x14/0x30 [ 27.689670] ? ioctl_preallocate+0x2b0/0x2b0 [ 27.691235] ? selinux_capable+0x40/0x40 [ 27.691741] ? putname+0xf3/0x130 [ 27.692215] do_group_exit+0x149/0x400 [ 27.693112] ? SyS_exit+0x30/0x30 [ 27.693876] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 27.695012] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 27.695648] SyS_exit_group+0x1d/0x20 [ 27.696059] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 27.696566] RIP: 0033:0x43a5b9 [ 27.696933] RSP: 002b:00007ffe30796618 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7 [ 27.697735] RAX: ffffffffffffffda RBX: 00007ffe307967b0 RCX: 000000000043a5b9 [ 27.698501] RDX: 000000000043a5b9 RSI: 00000000207dcfd8 RDI: 0000000000000001 [ 27.699273] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000 [ 27.700017] R10: 00000000000000fd R11: 0000000000000202 R12: 0000000000000000 [ 27.700697] R13: 0000000000402890 R14: 0000000000402920 R15: 0000000000000000 [ 27.701759] [ 27.701994] Allocated by task 2987: [ 27.702513] save_stack_trace+0x16/0x20 [ 27.703115] save_stack+0x43/0xd0 [ 27.703627] kasan_kmalloc+0xad/0xe0 [ 27.704181] __kmalloc_node+0x47/0x70 [ 27.704732] kvmalloc_node+0x64/0xd0 [ 27.705295] alloc_netdev_mqs+0x16e/0xed0 [ 27.705929] __tun_chr_ioctl+0x12be/0x3d20 [ 27.706563] tun_chr_ioctl+0x2a/0x40 [ 27.707101] do_vfs_ioctl+0x1b1/0x1530 [ 27.707657] SyS_ioctl+0x8f/0xc0 [ 27.708138] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 27.708806] [ 27.709038] Freed by task 2987: [ 27.709500] save_stack_trace+0x16/0x20 [ 27.710187] save_stack+0x43/0xd0 [ 27.710776] kasan_slab_free+0x71/0xc0 [ 27.711345] kfree+0xca/0x250 [ 27.712090] kvfree+0x36/0x60 [ 27.712521] free_netdev+0x2cf/0x360 [ 27.713060] __tun_chr_ioctl+0x2cf6/0x3d20 [ 27.713671] tun_chr_ioctl+0x2a/0x40 [ 27.714206] do_vfs_ioctl+0x1b1/0x1530 [ 27.714761] SyS_ioctl+0x8f/0xc0 [ 27.715257] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 27.715998] [ 27.716242] The buggy address belongs to the object at ffff8800690f8380 [ 27.716242] which belongs to the cache kmalloc-16384 of size 16384 [ 27.718125] The buggy address is located 13312 bytes inside of [ 27.718125] 16384-byte region [ffff8800690f8380, ffff8800690fc380) [ 27.719856] The buggy address belongs to the page: [ 27.720559] page:ffffea0001a43e00 count:1 mapcount:0 mapping:ffff8800690f8380 index:0x0 compound_mapcount: 0 [ 27.722295] flags: 0x500000000008100(slab|head) [ 27.723485] raw: 0500000000008100 ffff8800690f8380 0000000000000000 0000000100000001 [ 27.725349] raw: ffffea0001a6c020 ffff88006d800c50 ffff88003e802200 0000000000000000 [ 27.726797] page dumped because: kasan: bad access detected [ 27.727549] [ 27.727729] Memory state around the buggy address: [ 27.728259] ffff8800690fb680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.728953] ffff8800690fb700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.729717] >ffff8800690fb780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.730480] ^ [ 27.730722] ffff8800690fb800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.731476] ffff8800690fb880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 27.732258] ================================================================== [ 27.732947] Disabling lock debugging due to kernel taint [ 27.733747] Kernel panic - not syncing: panic_on_warn set ... [ 27.733747] [ 27.734472] CPU: 2 PID: 2987 Comm: syzkaller366432 Tainted: G B 4.13.0-rc7-next-20170901+ #13 [ 27.735552] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 [ 27.736369] Call Trace: [ 27.736623] dump_stack+0x194/0x257 [ 27.736997] ? arch_local_irq_restore+0x53/0x53 [ 27.737504] ? vprintk_default+0x28/0x30 [ 27.737940] ? detach_if_pending+0x4e0/0x610 [ 27.738449] panic+0x1e4/0x417 [ 27.738833] ? __warn+0x1d9/0x1d9 [ 27.739291] ? detach_if_pending+0x557/0x610 [ 27.739733] kasan_end_report+0x50/0x50 [ 27.740208] kasan_report+0x137/0x340 [ 27.740588] __asan_report_store8_noabort+0x17/0x20 [ 27.741165] detach_if_pending+0x557/0x610 [ 27.741559] ? trace_raw_output_tick_stop+0x130/0x130 [ 27.741931] ? _raw_spin_lock_irqsave+0x9e/0xc0 [ 27.742326] ? lock_timer_base+0x1a3/0x2b0 [ 27.742642] ? lock_timer_base+0x1eb/0x2b0 [ 27.742968] ? __internal_add_timer+0x2d0/0x2d0 [ 27.743418] ? trace_hardirqs_on+0xd/0x10 [ 27.743725] try_to_del_timer_sync+0xa2/0x120 [ 27.744080] ? del_timer+0x130/0x130 [ 27.744390] ? del_timer_sync+0xeb/0x240 [ 27.744688] del_timer_sync+0x18a/0x240 [ 27.745010] tun_free_netdev+0x105/0x1b0 [ 27.745332] ? tun_xdp+0x410/0x410 [ 27.745598] ? cpumask_next+0x24/0x30 [ 27.745886] ? netdev_refcnt_read+0xed/0x150 [ 27.746275] ? tun_xdp+0x410/0x410 [ 27.746544] netdev_run_todo+0x870/0xca0 [ 27.746834] ? do_group_exit+0x149/0x400 [ 27.747166] ? register_netdev+0x30/0x30 [ 27.747465] ? lock_downgrade+0x990/0x990 [ 27.747761] ? trace_hardirqs_on+0xd/0x10 [ 27.748100] ? refcount_sub_and_test+0x115/0x1b0 [ 27.748568] ? refcount_inc+0x50/0x50 [ 27.748925] ? refcount_inc+0x50/0x50 [ 27.749321] ? sk_destruct+0x4c/0x80 [ 27.749668] ? __sk_free+0x5c/0x230 [ 27.750007] ? sk_free+0x2f/0x40 [ 27.750367] ? __tun_detach+0x176/0x1390 [ 27.750751] ? tun_attach+0xf90/0xf90 [ 27.751155] ? locks_remove_file+0x3fa/0x5a0 [ 27.751560] ? fcntl_setlk+0x10d0/0x10d0 [ 27.751934] ? __fsnotify_parent+0xb4/0x3a0 [ 27.752382] ? fsnotify+0x1af0/0x1af0 [ 27.752744] ? rcu_note_context_switch+0x710/0x710 [ 27.753272] ? __tun_detach+0x1390/0x1390 [ 27.753700] ? __tun_detach+0x1390/0x1390 [ 27.754385] rtnl_unlock+0xe/0x10 [ 27.754702] tun_chr_close+0x49/0x60 [ 27.755093] __fput+0x333/0x7f0 [ 27.755303] ? fput+0x140/0x140 [ 27.755674] ? check_same_owner+0x320/0x320 [ 27.756068] ____fput+0x15/0x20 [ 27.756417] task_work_run+0x199/0x270 [ 27.756837] ? task_work_cancel+0x210/0x210 [ 27.757337] ? free_nsproxy+0x185/0x1f0 [ 27.757755] ? switch_task_namespaces+0xa2/0xc0 [ 27.758204] do_exit+0xa52/0x1b40 [ 27.758505] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 27.759017] ? trace_hardirqs_on+0xd/0x10 [ 27.759506] ? kvfree+0x3b/0x60 [ 27.759802] ? mm_update_next_owner+0x930/0x930 [ 27.760317] ? rtnl_unlock+0xe/0x10 [ 27.760663] ? __tun_chr_ioctl+0x27a/0x3d20 [ 27.761137] ? tun_chr_read_iter+0x1e0/0x1e0 [ 27.761570] ? lock_downgrade+0x990/0x990 [ 27.761993] ? check_same_owner+0x320/0x320 [ 27.762532] ? __handle_mm_fault+0x39c0/0x39c0 [ 27.762974] ? vmacache_find+0x61/0x270 [ 27.763422] ? tun_chr_compat_ioctl+0x30/0x30 [ 27.763869] ? tun_chr_ioctl+0x2a/0x40 [ 27.764298] ? tun_chr_ioctl+0x2a/0x40 [ 27.764675] ? do_vfs_ioctl+0x492/0x1530 [ 27.765130] ? _cond_resched+0x14/0x30 [ 27.765501] ? ioctl_preallocate+0x2b0/0x2b0 [ 27.765922] ? selinux_capable+0x40/0x40 [ 27.766355] ? putname+0xf3/0x130 [ 27.766683] do_group_exit+0x149/0x400 [ 27.767101] ? SyS_exit+0x30/0x30 [ 27.767427] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 27.767901] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 27.768399] SyS_exit_group+0x1d/0x20 [ 27.768773] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 27.769264] RIP: 0033:0x43a5b9 [ 27.769564] RSP: 002b:00007ffe30796618 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7 [ 27.770328] RAX: ffffffffffffffda RBX: 00007ffe307967b0 RCX: 000000000043a5b9 [ 27.771013] RDX: 000000000043a5b9 RSI: 00000000207dcfd8 RDI: 0000000000000001 [ 27.771748] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000 [ 27.772487] R10: 00000000000000fd R11: 0000000000000202 R12: 0000000000000000 [ 27.773204] R13: 0000000000402890 R14: 0000000000402920 R15: 0000000000000000 [ 27.776824] Dumping ftrace buffer: [ 27.777162] (ftrace buffer empty) [ 27.777513] Kernel Offset: disabled [ 27.777840] Rebooting in 86400 seconds..