INIT: Entering runlevel: 2
[[36minfo[39;49m] Using makefile-style concurrent boot in runlevel 2.
[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-kasan-gce-386-0,10.128.0.10' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
executing program
syzkaller login: [   43.179519] ==================================================================
[   43.186934] BUG: KASAN: use-after-free in detach_if_pending+0x557/0x610
[   43.193660] Write of size 8 at addr ffff8801cde5b7c0 by task syzkaller686949/2984
[   43.201248] 
[   43.202850] CPU: 1 PID: 2984 Comm: syzkaller686949 Not tainted 4.14.0-rc2+ #20
[   43.210180] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   43.219502] Call Trace:
[   43.222062]  dump_stack+0x194/0x257
[   43.225666]  ? arch_local_irq_restore+0x53/0x53
[   43.230310]  ? show_regs_print_info+0x65/0x65
[   43.234781]  ? lock_timer_base+0x1a3/0x2b0
[   43.238989]  ? detach_if_pending+0x557/0x610
[   43.243374]  print_address_description+0x73/0x250
[   43.248190]  ? detach_if_pending+0x557/0x610
[   43.252572]  kasan_report+0x25b/0x340
[   43.256347]  __asan_report_store8_noabort+0x17/0x20
[   43.261333]  detach_if_pending+0x557/0x610
[   43.265541]  ? trace_raw_output_tick_stop+0x130/0x130
[   43.270701]  ? _raw_spin_lock_irqsave+0x9e/0xc0
[   43.275339]  ? lock_timer_base+0x1a3/0x2b0
[   43.279543]  ? lock_timer_base+0x1eb/0x2b0
[   43.283751]  ? __internal_add_timer+0x2d0/0x2d0
[   43.288410]  ? trace_hardirqs_on+0xd/0x10
[   43.292536]  try_to_del_timer_sync+0xa2/0x120
[   43.297003]  ? del_timer+0x130/0x130
[   43.300692]  ? del_timer_sync+0xeb/0x240
[   43.304730]  del_timer_sync+0x18a/0x240
[   43.308677]  tun_free_netdev+0x105/0x1b0
[   43.312720]  ? tun_xdp+0x410/0x410
[   43.316236]  ? cpumask_next+0x24/0x30
[   43.320010]  ? netdev_refcnt_read+0xed/0x150
[   43.324393]  ? tun_xdp+0x410/0x410
[   43.327903]  netdev_run_todo+0x870/0xca0
[   43.331936]  ? do_group_exit+0x149/0x400
[   43.335979]  ? register_netdev+0x30/0x30
[   43.340013]  ? lock_downgrade+0x990/0x990
[   43.344132]  ? trace_hardirqs_on+0xd/0x10
[   43.348276]  ? refcount_sub_and_test+0x115/0x1b0
[   43.353000]  ? refcount_inc+0x50/0x50
[   43.356769]  ? refcount_inc+0x50/0x50
[   43.360544]  ? sk_destruct+0x4c/0x80
[   43.364225]  ? __sk_free+0x5c/0x230
[   43.367822]  ? sk_free+0x2f/0x40
[   43.371164]  ? __tun_detach+0x176/0x1390
[   43.375206]  ? tun_attach+0xf90/0xf90
[   43.378988]  ? locks_remove_file+0x3fa/0x5a0
[   43.383367]  ? fcntl_setlk+0x10d0/0x10d0
[   43.387401]  ? __fsnotify_parent+0xb4/0x3a0
[   43.391694]  ? fsnotify+0x1af0/0x1af0
[   43.395468]  ? __tun_detach+0x1390/0x1390
[   43.399584]  ? __tun_detach+0x1390/0x1390
[   43.403700]  rtnl_unlock+0xe/0x10
[   43.407122]  tun_chr_close+0x49/0x60
[   43.410808]  __fput+0x333/0x7f0
[   43.414061]  ? fput+0x140/0x140
[   43.417321]  ? check_same_owner+0x320/0x320
[   43.421621]  ____fput+0x15/0x20
[   43.424881]  task_work_run+0x199/0x270
[   43.428742]  ? task_work_cancel+0x210/0x210
[   43.433036]  ? free_nsproxy+0x185/0x1f0
[   43.436983]  ? switch_task_namespaces+0xa2/0xc0
[   43.441628]  do_exit+0x9d2/0x1af0
[   43.445050]  ? trace_hardirqs_on+0xd/0x10
[   43.449171]  ? mm_update_next_owner+0x930/0x930
[   43.453811]  ? lock_acquire+0x1d5/0x580
[   43.457754]  ? __handle_mm_fault+0xf07/0x39c0
[   43.462224]  ? lock_release+0xd70/0xd70
[   43.466168]  ? check_noncircular+0x20/0x20
[   43.470376]  ? kvfree+0x3b/0x60
[   43.473630]  ? rtnl_unlock+0xe/0x10
[   43.477228]  ? check_noncircular+0x20/0x20
[   43.481435]  ? __handle_mm_fault+0x587/0x39c0
[   43.485906]  ? __pmd_alloc+0x4e0/0x4e0
[   43.489773]  ? find_held_lock+0x39/0x1d0
[   43.493814]  ? lock_downgrade+0x990/0x990
[   43.497960]  do_group_exit+0x149/0x400
[   43.501815]  ? __handle_mm_fault+0x39c0/0x39c0
[   43.506367]  ? vmacache_find+0x5f/0x280
[   43.510311]  ? SyS_exit+0x30/0x30
[   43.513739]  ? do_fast_syscall_32+0x158/0xf05
[   43.518204]  ? do_group_exit+0x400/0x400
[   43.522233]  SyS_exit_group+0x1d/0x20
[   43.526002]  do_fast_syscall_32+0x3f2/0xf05
[   43.530301]  ? do_int80_syscall_32+0x940/0x940
[   43.534858]  ? lockdep_sys_exit+0x47/0xf0
[   43.538975]  ? syscall_return_slowpath+0x2b3/0x510
[   43.543871]  ? finish_task_switch+0x1aa/0x740
[   43.548338]  ? lockdep_sys_exit+0x47/0xf0
[   43.552458]  ? retint_user+0x18/0x20
[   43.556146]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   43.560969]  entry_SYSENTER_compat+0x51/0x60
[   43.565347] RIP: 0023:0xf7f81c79
[   43.568686] RSP: 002b:000000000820fe2c EFLAGS: 00000202 ORIG_RAX: 00000000000000fc
[   43.576364] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000000000
[   43.583777] RDX: 0000000000000001 RSI: 0000000020c12000 RDI: 00000000400454ca
[   43.591024] RBP: 0000000008072cd6 R08: 0000000000000000 R09: 0000000000000000
[   43.598263] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   43.605502] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   43.612758] 
[   43.614353] Allocated by task 2984:
[   43.617951]  save_stack_trace+0x16/0x20
[   43.621893]  save_stack+0x43/0xd0
[   43.625316]  kasan_kmalloc+0xad/0xe0
[   43.628996]  __kmalloc_node+0x47/0x70
[   43.632762]  kvmalloc_node+0x64/0xd0
[   43.636442]  alloc_netdev_mqs+0x16e/0xed0
[   43.640556]  __tun_chr_ioctl+0x12be/0x3d20
[   43.644756]  tun_chr_compat_ioctl+0x29/0x30
[   43.649044]  compat_SyS_ioctl+0x1d7/0x3290
[   43.653253]  do_fast_syscall_32+0x3f2/0xf05
[   43.657544]  entry_SYSENTER_compat+0x51/0x60
[   43.661922] 
[   43.663517] Freed by task 2984:
[   43.666765]  save_stack_trace+0x16/0x20
[   43.670706]  save_stack+0x43/0xd0
[   43.674126]  kasan_slab_free+0x71/0xc0
[   43.677980]  kfree+0xca/0x250
[   43.681052]  kvfree+0x36/0x60
[   43.684132]  free_netdev+0x2cf/0x360
[   43.687821]  __tun_chr_ioctl+0x2cf6/0x3d20
[   43.692025]  tun_chr_compat_ioctl+0x29/0x30
[   43.696314]  compat_SyS_ioctl+0x1d7/0x3290
[   43.700515]  do_fast_syscall_32+0x3f2/0xf05
[   43.704801]  entry_SYSENTER_compat+0x51/0x60
[   43.709177] 
[   43.710773] The buggy address belongs to the object at ffff8801cde583c0
[   43.710773]  which belongs to the cache kmalloc-16384 of size 16384
[   43.723742] The buggy address is located 13312 bytes inside of
[   43.723742]  16384-byte region [ffff8801cde583c0, ffff8801cde5c3c0)
[   43.735927] The buggy address belongs to the page:
[   43.740826] page:ffffea0007379600 count:1 mapcount:0 mapping:ffff8801cde583c0 index:0x0 compound_mapcount: 0
[   43.750766] flags: 0x200000000008100(slab|head)
[   43.755402] raw: 0200000000008100 ffff8801cde583c0 0000000000000000 0000000100000001
[   43.763251] raw: ffffea0007388c20 ffff8801dac01c50 ffff8801dac02200 0000000000000000
[   43.771095] page dumped because: kasan: bad access detected
[   43.776770] 
[   43.778364] Memory state around the buggy address:
[   43.783263]  ffff8801cde5b680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.790598]  ffff8801cde5b700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.797924] >ffff8801cde5b780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.805248]                                            ^
[   43.810662]  ffff8801cde5b800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.817987]  ffff8801cde5b880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.825311] ==================================================================
[   43.832635] Disabling lock debugging due to kernel taint
[   43.838045] Kernel panic - not syncing: panic_on_warn set ...
[   43.838045] 
[   43.845369] CPU: 1 PID: 2984 Comm: syzkaller686949 Tainted: G    B           4.14.0-rc2+ #20
[   43.853904] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   43.863221] Call Trace:
[   43.865772]  dump_stack+0x194/0x257
[   43.869363]  ? arch_local_irq_restore+0x53/0x53
[   43.873997]  ? vprintk_default+0x28/0x30
[   43.878025]  ? detach_if_pending+0x4d0/0x610
[   43.882396]  panic+0x1e4/0x417
[   43.885551]  ? __warn+0x1d9/0x1d9
[   43.888974]  ? detach_if_pending+0x557/0x610
[   43.893355]  kasan_end_report+0x50/0x50
[   43.897291]  kasan_report+0x144/0x340
[   43.901070]  __asan_report_store8_noabort+0x17/0x20
[   43.906047]  detach_if_pending+0x557/0x610
[   43.910245]  ? trace_raw_output_tick_stop+0x130/0x130
[   43.915401]  ? _raw_spin_lock_irqsave+0x9e/0xc0
[   43.920031]  ? lock_timer_base+0x1a3/0x2b0
[   43.924230]  ? lock_timer_base+0x1eb/0x2b0
[   43.928430]  ? __internal_add_timer+0x2d0/0x2d0
[   43.933063]  ? trace_hardirqs_on+0xd/0x10
[   43.937187]  try_to_del_timer_sync+0xa2/0x120
[   43.941643]  ? del_timer+0x130/0x130
[   43.945320]  ? del_timer_sync+0xeb/0x240
[   43.949357]  del_timer_sync+0x18a/0x240
[   43.953298]  tun_free_netdev+0x105/0x1b0
[   43.957320]  ? tun_xdp+0x410/0x410
[   43.960829]  ? cpumask_next+0x24/0x30
[   43.964595]  ? netdev_refcnt_read+0xed/0x150
[   43.968969]  ? tun_xdp+0x410/0x410
[   43.972474]  netdev_run_todo+0x870/0xca0
[   43.976844]  ? do_group_exit+0x149/0x400
[   43.981308]  ? register_netdev+0x30/0x30
[   43.985335]  ? lock_downgrade+0x990/0x990
[   43.989453]  ? trace_hardirqs_on+0xd/0x10
[   43.993574]  ? refcount_sub_and_test+0x115/0x1b0
[   43.998293]  ? refcount_inc+0x50/0x50
[   44.002056]  ? refcount_inc+0x50/0x50
[   44.005823]  ? sk_destruct+0x4c/0x80
[   44.009499]  ? __sk_free+0x5c/0x230
[   44.013089]  ? sk_free+0x2f/0x40
[   44.016420]  ? __tun_detach+0x176/0x1390
[   44.020457]  ? tun_attach+0xf90/0xf90
[   44.024226]  ? locks_remove_file+0x3fa/0x5a0
[   44.028603]  ? fcntl_setlk+0x10d0/0x10d0
[   44.032631]  ? __fsnotify_parent+0xb4/0x3a0
[   44.036917]  ? fsnotify+0x1af0/0x1af0
[   44.040682]  ? __tun_detach+0x1390/0x1390
[   44.044798]  ? __tun_detach+0x1390/0x1390
[   44.048910]  rtnl_unlock+0xe/0x10
[   44.052327]  tun_chr_close+0x49/0x60
[   44.056004]  __fput+0x333/0x7f0
[   44.059254]  ? fput+0x140/0x140
[   44.062497]  ? check_same_owner+0x320/0x320
[   44.066783]  ____fput+0x15/0x20
[   44.070026]  task_work_run+0x199/0x270
[   44.073879]  ? task_work_cancel+0x210/0x210
[   44.078166]  ? free_nsproxy+0x185/0x1f0
[   44.082106]  ? switch_task_namespaces+0xa2/0xc0
[   44.086740]  do_exit+0x9d2/0x1af0
[   44.090156]  ? trace_hardirqs_on+0xd/0x10
[   44.094270]  ? mm_update_next_owner+0x930/0x930
[   44.098902]  ? lock_acquire+0x1d5/0x580
[   44.102839]  ? __handle_mm_fault+0xf07/0x39c0
[   44.107299]  ? lock_release+0xd70/0xd70
[   44.111233]  ? check_noncircular+0x20/0x20
[   44.115435]  ? kvfree+0x3b/0x60
[   44.118686]  ? rtnl_unlock+0xe/0x10
[   44.122277]  ? check_noncircular+0x20/0x20
[   44.126492]  ? __handle_mm_fault+0x587/0x39c0
[   44.130955]  ? __pmd_alloc+0x4e0/0x4e0
[   44.134810]  ? find_held_lock+0x39/0x1d0
[   44.138839]  ? lock_downgrade+0x990/0x990
[   44.142961]  do_group_exit+0x149/0x400
[   44.146810]  ? __handle_mm_fault+0x39c0/0x39c0
[   44.151353]  ? vmacache_find+0x5f/0x280
[   44.155291]  ? SyS_exit+0x30/0x30
[   44.158719]  ? do_fast_syscall_32+0x158/0xf05
[   44.163176]  ? do_group_exit+0x400/0x400
[   44.167199]  SyS_exit_group+0x1d/0x20
[   44.170964]  do_fast_syscall_32+0x3f2/0xf05
[   44.175255]  ? do_int80_syscall_32+0x940/0x940
[   44.179801]  ? lockdep_sys_exit+0x47/0xf0