INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-upstream-kasan-gce-386-0,10.128.15.205' (ECDSA) to the list of known hosts. net.ipv6.conf.syz0.accept_dad = 0 net.ipv6.conf.syz0.router_solicitations = 0 executing program syzkaller login: [ 28.429259] ================================================================== [ 28.430386] BUG: KASAN: use-after-free in detach_if_pending+0x557/0x610 [ 28.431291] Write of size 8 at addr ffff8801ce0fb740 by task syzkaller275368/2985 [ 28.432291] [ 28.432527] CPU: 0 PID: 2985 Comm: syzkaller275368 Not tainted 4.14.0-rc2+ #20 [ 28.433539] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 28.434775] Call Trace: [ 28.435138] dump_stack+0x194/0x257 [ 28.435634] ? arch_local_irq_restore+0x53/0x53 [ 28.436261] ? show_regs_print_info+0x65/0x65 [ 28.436871] ? lock_timer_base+0x1a3/0x2b0 [ 28.437462] ? detach_if_pending+0x557/0x610 [ 28.438059] print_address_description+0x73/0x250 [ 28.438710] ? detach_if_pending+0x557/0x610 [ 28.439303] kasan_report+0x25b/0x340 [ 28.439824] __asan_report_store8_noabort+0x17/0x20 [ 28.440530] detach_if_pending+0x557/0x610 [ 28.441140] ? trace_raw_output_tick_stop+0x130/0x130 [ 28.441892] ? _raw_spin_lock_irqsave+0x9e/0xc0 [ 28.442518] ? lock_timer_base+0x1a3/0x2b0 [ 28.443089] ? lock_timer_base+0x1eb/0x2b0 [ 28.443680] ? __internal_add_timer+0x2d0/0x2d0 [ 28.444309] ? trace_hardirqs_on+0xd/0x10 [ 28.444880] try_to_del_timer_sync+0xa2/0x120 [ 28.445531] ? del_timer+0x130/0x130 [ 28.446039] ? del_timer_sync+0xeb/0x240 [ 28.446595] del_timer_sync+0x18a/0x240 [ 28.447138] tun_free_netdev+0x105/0x1b0 [ 28.447698] ? tun_xdp+0x410/0x410 [ 28.448181] ? cpumask_next+0x24/0x30 [ 28.448702] ? netdev_refcnt_read+0xed/0x150 [ 28.449312] ? tun_xdp+0x410/0x410 [ 28.452255] netdev_run_todo+0x870/0xca0 [ 28.456296] ? do_group_exit+0x149/0x400 [ 28.460342] ? register_netdev+0x30/0x30 [ 28.464383] ? lock_downgrade+0x990/0x990 [ 28.468507] ? trace_hardirqs_on+0xd/0x10 [ 28.472656] ? refcount_sub_and_test+0x115/0x1b0 [ 28.477392] ? refcount_inc+0x50/0x50 [ 28.481168] ? refcount_inc+0x50/0x50 [ 28.484946] ? sk_destruct+0x4c/0x80 [ 28.488635] ? __sk_free+0x5c/0x230 [ 28.492235] ? sk_free+0x2f/0x40 [ 28.495576] ? __tun_detach+0x176/0x1390 [ 28.499623] ? tun_attach+0xf90/0xf90 [ 28.503405] ? do_raw_spin_trylock+0x190/0x190 [ 28.507963] ? locks_remove_file+0x3fa/0x5a0 [ 28.512346] ? fcntl_setlk+0x10d0/0x10d0 [ 28.516380] ? __fsnotify_parent+0xb4/0x3a0 [ 28.520685] ? fsnotify+0x1af0/0x1af0 [ 28.524462] ? __tun_detach+0x1390/0x1390 [ 28.528582] ? __tun_detach+0x1390/0x1390 [ 28.532704] rtnl_unlock+0xe/0x10 [ 28.536137] tun_chr_close+0x49/0x60 [ 28.539834] __fput+0x333/0x7f0 [ 28.543093] ? fput+0x140/0x140 [ 28.546346] ? check_same_owner+0x320/0x320 [ 28.550648] ? _raw_spin_unlock_irq+0x27/0x70 [ 28.555125] ____fput+0x15/0x20 [ 28.558377] task_work_run+0x199/0x270 [ 28.562242] ? task_work_cancel+0x210/0x210 [ 28.566537] ? _raw_spin_unlock+0x22/0x30 [ 28.570657] ? switch_task_namespaces+0x87/0xc0 [ 28.575306] do_exit+0x9d2/0x1af0 [ 28.578737] ? mm_update_next_owner+0x930/0x930 [ 28.583382] ? lock_acquire+0x1d5/0x580 [ 28.587332] ? __handle_mm_fault+0xf07/0x39c0 [ 28.591808] ? lock_release+0xd70/0xd70 [ 28.595753] ? check_noncircular+0x20/0x20 [ 28.599963] ? kvfree+0x3b/0x60 [ 28.603223] ? rtnl_unlock+0xe/0x10 [ 28.606824] ? check_noncircular+0x20/0x20 [ 28.611033] ? __handle_mm_fault+0x587/0x39c0 [ 28.615506] ? __pmd_alloc+0x4e0/0x4e0 [ 28.619377] ? find_held_lock+0x39/0x1d0 [ 28.623422] ? lock_downgrade+0x990/0x990 [ 28.627566] do_group_exit+0x149/0x400 [ 28.631424] ? __handle_mm_fault+0x39c0/0x39c0 [ 28.635979] ? vmacache_find+0x5f/0x280 [ 28.639928] ? SyS_exit+0x30/0x30 [ 28.643360] ? do_fast_syscall_32+0x158/0xf05 [ 28.647826] ? do_group_exit+0x400/0x400 [ 28.651861] SyS_exit_group+0x1d/0x20 [ 28.655633] do_fast_syscall_32+0x3f2/0xf05 [ 28.659932] ? do_int80_syscall_32+0x940/0x940 [ 28.664485] ? kasan_check_read+0x11/0x20 [ 28.668618] ? syscall_return_slowpath+0x510/0x510 [ 28.673520] ? SyS_rt_sigaction+0x94/0x1b0 [ 28.677727] ? lockdep_sys_exit+0x47/0xf0 [ 28.681844] ? retint_user+0x18/0x20 [ 28.685535] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 28.690357] entry_SYSENTER_compat+0x51/0x60 [ 28.694735] RIP: 0023:0xf7f5cc79 [ 28.698071] RSP: 002b:00000000fff7b7bc EFLAGS: 00000296 ORIG_RAX: 00000000000000fc [ 28.705751] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f2298 [ 28.712991] RDX: 0000000000000000 RSI: 00000000080db878 RDI: 00000000080f22a0 [ 28.720232] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 [ 28.727472] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 28.734711] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 28.741973] [ 28.743573] Allocated by task 2985: [ 28.747175] save_stack_trace+0x16/0x20 [ 28.751120] save_stack+0x43/0xd0 [ 28.754544] kasan_kmalloc+0xad/0xe0 [ 28.758227] __kmalloc_node+0x47/0x70 [ 28.761998] kvmalloc_node+0x64/0xd0 [ 28.765684] alloc_netdev_mqs+0x16e/0xed0 [ 28.769803] __tun_chr_ioctl+0x12be/0x3d20 [ 28.774008] tun_chr_compat_ioctl+0x29/0x30 [ 28.778297] compat_SyS_ioctl+0x1d7/0x3290 [ 28.782503] do_fast_syscall_32+0x3f2/0xf05 [ 28.786796] entry_SYSENTER_compat+0x51/0x60 [ 28.791173] [ 28.792770] Freed by task 2985: [ 28.796021] save_stack_trace+0x16/0x20 [ 28.799972] save_stack+0x43/0xd0 [ 28.803393] kasan_slab_free+0x71/0xc0 [ 28.807249] kfree+0xca/0x250 [ 28.810322] kvfree+0x36/0x60 [ 28.813408] free_netdev+0x2cf/0x360 [ 28.817093] __tun_chr_ioctl+0x2cf6/0x3d20 [ 28.821296] tun_chr_compat_ioctl+0x29/0x30 [ 28.825587] compat_SyS_ioctl+0x1d7/0x3290 [ 28.829792] do_fast_syscall_32+0x3f2/0xf05 [ 28.834085] entry_SYSENTER_compat+0x51/0x60 [ 28.838460] [ 28.840063] The buggy address belongs to the object at ffff8801ce0f8340 [ 28.840063] which belongs to the cache kmalloc-16384 of size 16384 [ 28.853038] The buggy address is located 13312 bytes inside of [ 28.853038] 16384-byte region [ffff8801ce0f8340, ffff8801ce0fc340) [ 28.865229] The buggy address belongs to the page: [ 28.870129] page:ffffea0007383e00 count:1 mapcount:0 mapping:ffff8801ce0f8340 index:0x0 compound_mapcount: 0 [ 28.880073] flags: 0x200000000008100(slab|head) [ 28.884714] raw: 0200000000008100 ffff8801ce0f8340 0000000000000000 0000000100000001 [ 28.892564] raw: ffffea0007320e20 ffff8801dac01c50 ffff8801dac02200 0000000000000000 [ 28.900411] page dumped because: kasan: bad access detected [ 28.906088] [ 28.907687] Memory state around the buggy address: [ 28.912586] ffff8801ce0fb600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 28.919916] ffff8801ce0fb680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 28.927245] >ffff8801ce0fb700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 28.934572] ^ [ 28.940001] ffff8801ce0fb780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 28.947327] ffff8801ce0fb800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 28.954655] ================================================================== [ 28.961983] Disabling lock debugging due to kernel taint [ 28.967398] Kernel panic - not syncing: panic_on_warn set ... [ 28.967398] [ 28.974724] CPU: 0 PID: 2985 Comm: syzkaller275368 Tainted: G B 4.14.0-rc2+ #20 [ 28.983265] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 28.992584] Call Trace: [ 28.995141] dump_stack+0x194/0x257 [ 28.998735] ? arch_local_irq_restore+0x53/0x53 [ 29.003370] ? vprintk_default+0x28/0x30 [ 29.007401] ? detach_if_pending+0x4d0/0x610 [ 29.011776] panic+0x1e4/0x417 [ 29.014934] ? __warn+0x1d9/0x1d9 [ 29.018361] ? detach_if_pending+0x557/0x610 [ 29.022734] kasan_end_report+0x50/0x50 [ 29.026673] kasan_report+0x144/0x340 [ 29.030440] __asan_report_store8_noabort+0x17/0x20 [ 29.035422] detach_if_pending+0x557/0x610 [ 29.039623] ? trace_raw_output_tick_stop+0x130/0x130 [ 29.044780] ? _raw_spin_lock_irqsave+0x9e/0xc0 [ 29.049414] ? lock_timer_base+0x1a3/0x2b0 [ 29.053612] ? lock_timer_base+0x1eb/0x2b0 [ 29.057811] ? __internal_add_timer+0x2d0/0x2d0 [ 29.062446] ? trace_hardirqs_on+0xd/0x10 [ 29.066564] try_to_del_timer_sync+0xa2/0x120 [ 29.071023] ? del_timer+0x130/0x130 [ 29.074703] ? del_timer_sync+0xeb/0x240 [ 29.078732] del_timer_sync+0x18a/0x240 [ 29.082673] tun_free_netdev+0x105/0x1b0 [ 29.086700] ? tun_xdp+0x410/0x410 [ 29.090204] ? cpumask_next+0x24/0x30 [ 29.093970] ? netdev_refcnt_read+0xed/0x150 [ 29.098346] ? tun_xdp+0x410/0x410 [ 29.101851] netdev_run_todo+0x870/0xca0 [ 29.105880] ? do_group_exit+0x149/0x400 [ 29.109908] ? register_netdev+0x30/0x30 [ 29.113945] ? lock_downgrade+0x990/0x990 [ 29.118059] ? trace_hardirqs_on+0xd/0x10 [ 29.122184] ? refcount_sub_and_test+0x115/0x1b0 [ 29.126905] ? refcount_inc+0x50/0x50 [ 29.130671] ? refcount_inc+0x50/0x50 [ 29.134438] ? sk_destruct+0x4c/0x80 [ 29.138119] ? __sk_free+0x5c/0x230 [ 29.141710] ? sk_free+0x2f/0x40 [ 29.145041] ? __tun_detach+0x176/0x1390 [ 29.149072] ? tun_attach+0xf90/0xf90 [ 29.152838] ? do_raw_spin_trylock+0x190/0x190 [ 29.157388] ? locks_remove_file+0x3fa/0x5a0 [ 29.161763] ? fcntl_setlk+0x10d0/0x10d0 [ 29.165788] ? __fsnotify_parent+0xb4/0x3a0 [ 29.170076] ? fsnotify+0x1af0/0x1af0 [ 29.173842] ? __tun_detach+0x1390/0x1390 [ 29.177954] ? __tun_detach+0x1390/0x1390 [ 29.182067] rtnl_unlock+0xe/0x10 [ 29.185486] tun_chr_close+0x49/0x60 [ 29.189165] __fput+0x333/0x7f0 [ 29.192413] ? fput+0x140/0x140 [ 29.195658] ? check_same_owner+0x320/0x320 [ 29.199943] ? _raw_spin_unlock_irq+0x27/0x70 [ 29.204414] ____fput+0x15/0x20 [ 29.207659] task_work_run+0x199/0x270 [ 29.211513] ? task_work_cancel+0x210/0x210 [ 29.215798] ? _raw_spin_unlock+0x22/0x30 [ 29.219911] ? switch_task_namespaces+0x87/0xc0 [ 29.224549] do_exit+0x9d2/0x1af0 [ 29.227970] ? mm_update_next_owner+0x930/0x930 [ 29.232605] ? lock_acquire+0x1d5/0x580 [ 29.236542] ? __handle_mm_fault+0xf07/0x39c0 [ 29.241006] ? lock_release+0xd70/0xd70 [ 29.244944] ? check_noncircular+0x20/0x20 [ 29.249146] ? kvfree+0x3b/0x60 [ 29.252394] ? rtnl_unlock+0xe/0x10 [ 29.255989] ? check_noncircular+0x20/0x20 [ 29.260191] ? __handle_mm_fault+0x587/0x39c0 [ 29.264654] ? __pmd_alloc+0x4e0/0x4e0 [ 29.268512] ? find_held_lock+0x39/0x1d0 [ 29.272542] ? lock_downgrade+0x990/0x990 [ 29.276669] do_group_exit+0x149/0x400 [ 29.280520] ? __handle_mm_fault+0x39c0/0x39c0 [ 29.285068] ? vmacache_find+0x5f/0x280 [ 29.289011] ? SyS_exit+0x30/0x30 [ 29.292431] ? do_fast_syscall_32+0x158/0xf05 [ 29.296889] ? do_group_exit+0x400/0x400 [ 29.300930] SyS_exit_group+0x1d/0x20 [ 29.304696] do_fast_syscall_32+0x3f2/0xf05 [ 29.308985] ? do_int80_syscall_32+0x940/0x940 [ 29.313533] ? kasan_check_read+0x11/0x20 [ 29.317646] ? syscall_return_slowpath+0x510/0x510 [ 29.322541] ? SyS_rt_sigaction+0x94/0x1b0 [ 29.326743] ? lockdep_sys_exit+0x47/0xf0 [ 29.330857] ? retint_user+0x18/0x20 [ 29.334541] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 29.339353] entry_SYSENTER_compat+0x51/0x60 [ 29.343728] RIP: 0023:0xf7f5cc79 [ 29.347058] RSP: 002b:00000000fff7b7bc EFLAGS: 00000296 ORIG_RAX: 00000000000000fc [ 29.354729] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f2298 [ 29.361967] RDX: 0000000000000000 RSI: 00000000080db878 RDI: 00000000080f22a0 [ 29.369201] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 [ 29.376440] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 29.383676] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000