INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-kasan-gce-386-1,10.128.0.46' (ECDSA) to the list of known hosts.
executing program
executing program

syzkaller login: [ 40.724892] ==================================================================
[ 40.732338] BUG: KASAN: use-after-free in __internal_add_timer+0x275/0x2d0
[ 40.739321] Write of size 8 at addr ffff8801ce72b6c8 by task syzkaller276223/2984
[ 40.746908]
[ 40.748510] CPU: 1 PID: 2984 Comm: syzkaller276223 Not tainted 4.14.0-rc2+ #19
[ 40.755835] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.765160] Call Trace:
[ 40.767719]  dump_stack+0x194/0x257
[ 40.771319]  ? arch_local_irq_restore+0x53/0x53
[ 40.775959]  ? show_regs_print_info+0x65/0x65
[ 40.780430]  ? __internal_add_timer+0x275/0x2d0
[ 40.785074]  print_address_description+0x73/0x250
[ 40.789888]  ? __internal_add_timer+0x275/0x2d0
[ 40.794527]  kasan_report+0x25b/0x340
[ 40.798301]  __asan_report_store8_noabort+0x17/0x20
[ 40.803286]  __internal_add_timer+0x275/0x2d0
[ 40.807753]  ? calc_wheel_index+0x200/0x200
[ 40.812058]  mod_timer+0x622/0x15b0
[ 40.815665]  ? mod_timer_pending+0x14e0/0x14e0
[ 40.820218]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 40.825206]  ? trace_hardirqs_on+0xd/0x10
[ 40.829328]  ? _crng_backtrack_protect+0xd9/0x130
[ 40.834148]  ? __lock_is_held+0xbc/0x140
[ 40.838182]  ? __lockdep_init_map+0xe4/0x650
[ 40.842564]  ? lockdep_init_map+0x3d/0x70
[ 40.846685]  ? rcu_read_lock_sched_held+0x108/0x120
[ 40.851669]  ? init_timer_key+0x126/0x3b0
[ 40.855787]  ? try_to_del_timer_sync+0x120/0x120
[ 40.860515]  ? round_jiffies_up+0xce/0x100
[ 40.864721]  ? __round_jiffies_up_relative+0x150/0x150
[ 40.869966]  ? debug_lockdep_rcu_enabled+0x77/0x90
[ 40.874875]  __tun_chr_ioctl+0x1b23/0x3d20
[ 40.879091]  ? tun_chr_read_iter+0x1e0/0x1e0
[ 40.883471]  ? __pmd_alloc+0x4e0/0x4e0
[ 40.887336]  ? __might_sleep+0x95/0x190
[ 40.891291]  ? selinux_file_ioctl+0x444/0x690
[ 40.895755]  ? __fget_light+0x29d/0x390
[ 40.899702]  ? selinux_capable+0x40/0x40
[ 40.903753]  tun_chr_compat_ioctl+0x29/0x30
[ 40.908044]  ? tun_chr_compat_ioctl+0x29/0x30
[ 40.912517]  compat_SyS_ioctl+0x1d7/0x3290
[ 40.916721]  ? __handle_mm_fault+0x39c0/0x39c0
[ 40.921272]  ? __tun_chr_ioctl+0x3d20/0x3d20
[ 40.925651]  ? do_ioctl+0x60/0x60
[ 40.929079]  ? do_fast_syscall_32+0x158/0xf05
[ 40.933548]  ? do_ioctl+0x60/0x60
[ 40.936972]  do_fast_syscall_32+0x3f2/0xf05
[ 40.941269]  ? do_int80_syscall_32+0x940/0x940
[ 40.945823]  ? kasan_check_read+0x11/0x20
[ 40.949952]  ? syscall_return_slowpath+0x510/0x510
[ 40.954853]  ? SyS_rt_sigaction+0x94/0x1b0
[ 40.959066]  ? lockdep_sys_exit+0x47/0xf0
[ 40.963183]  ? retint_user+0x18/0x20
[ 40.966871]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 40.971691]  entry_SYSENTER_compat+0x51/0x60
[ 40.976068] RIP: 0023:0xf7f02c79
[ 40.979402] RSP: 002b:00000000ffd7dd7c EFLAGS: 00000207 ORIG_RAX: 0000000000000036
[ 40.987082] RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 00000000400454ca
[ 40.994579] RDX: 0000000020822000 RSI: 0000000000000037 RDI: 0000000000000005
[ 41.001818] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 41.009060] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 41.016313] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 41.023570]
[ 41.025167] Allocated by task 2984:
[ 41.028765]  save_stack_trace+0x16/0x20
[ 41.032710]  save_stack+0x43/0xd0
[ 41.036133]  kasan_kmalloc+0xad/0xe0
[ 41.039817]  __kmalloc_node+0x47/0x70
[ 41.043587]  kvmalloc_node+0x64/0xd0
[ 41.047270]  alloc_netdev_mqs+0x16e/0xed0
[ 41.051386]  __tun_chr_ioctl+0x12be/0x3d20
[ 41.055588]  tun_chr_compat_ioctl+0x29/0x30
[ 41.059876]  compat_SyS_ioctl+0x1d7/0x3290
[ 41.064081]  do_fast_syscall_32+0x3f2/0xf05
[ 41.068373]  entry_SYSENTER_compat+0x51/0x60
[ 41.072747]
[ 41.074344] Freed by task 2984:
[ 41.077591]  save_stack_trace+0x16/0x20
[ 41.081532]  save_stack+0x43/0xd0
[ 41.084954]  kasan_slab_free+0x71/0xc0
[ 41.088810]  kfree+0xca/0x250
[ 41.091883]  kvfree+0x36/0x60
[ 41.094957]  free_netdev+0x2cf/0x360
[ 41.098637]  __tun_chr_ioctl+0x2cf6/0x3d20
[ 41.102839]  tun_chr_compat_ioctl+0x29/0x30
[ 41.107130]  compat_SyS_ioctl+0x1d7/0x3290
[ 41.111332]  do_fast_syscall_32+0x3f2/0xf05
[ 41.115619]  entry_SYSENTER_compat+0x51/0x60
[ 41.119993]
[ 41.121591] The buggy address belongs to the object at ffff8801ce7282c0
[ 41.121591]  which belongs to the cache kmalloc-16384 of size 16384
[ 41.134571] The buggy address is located 13320 bytes inside of
[ 41.134571]  16384-byte region [ffff8801ce7282c0, ffff8801ce72c2c0)
[ 41.146756] The buggy address belongs to the page:
[ 41.151654] page:ffffea000739ca00 count:1 mapcount:0 mapping:ffff8801ce7282c0 index:0x0 compound_mapcount: 0
[ 41.161596] flags: 0x200000000008100(slab|head)
[ 41.166236] raw: 0200000000008100 ffff8801ce7282c0 0000000000000000 0000000100000001
[ 41.174085] raw: ffffea0006fe4220 ffffea0007380c20 ffff8801dac02200 0000000000000000
[ 41.181933] page dumped because: kasan: bad access detected
[ 41.187609]
[ 41.189205] Memory state around the buggy address:
[ 41.194104]  ffff8801ce72b580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.201439]  ffff8801ce72b600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.208764] >ffff8801ce72b680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.216091]                                              ^
[ 41.221768]  ffff8801ce72b700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.229095]  ffff8801ce72b780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.236419] ==================================================================
[ 41.243742] Disabling lock debugging due to kernel taint
[ 41.249156] Kernel panic - not syncing: panic_on_warn set ...
[ 41.249156]
[ 41.256479] CPU: 1 PID: 2984 Comm: syzkaller276223 Tainted: G B 4.14.0-rc2+ #19
[ 41.265015] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.274333] Call Trace:
[ 41.276885]  dump_stack+0x194/0x257
[ 41.280478]  ? arch_local_irq_restore+0x53/0x53
[ 41.285114]  ? vprintk_default+0x28/0x30
[ 41.289144]  ? __internal_add_timer+0x180/0x2d0
[ 41.293778]  panic+0x1e4/0x417
[ 41.296934]  ? __warn+0x1d9/0x1d9
[ 41.300356]  ? __internal_add_timer+0x275/0x2d0
[ 41.304987]  kasan_end_report+0x50/0x50
[ 41.308923]  kasan_report+0x144/0x340
[ 41.312689]  __asan_report_store8_noabort+0x17/0x20
[ 41.317666]  __internal_add_timer+0x275/0x2d0
[ 41.322126]  ? calc_wheel_index+0x200/0x200
[ 41.326418]  mod_timer+0x622/0x15b0
[ 41.330014]  ? mod_timer_pending+0x14e0/0x14e0
[ 41.334561]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 41.339541]  ? trace_hardirqs_on+0xd/0x10
[ 41.343654]  ? _crng_backtrack_protect+0xd9/0x130
[ 41.348465]  ? __lock_is_held+0xbc/0x140
[ 41.352491]  ? __lockdep_init_map+0xe4/0x650
[ 41.356863]  ? lockdep_init_map+0x3d/0x70
[ 41.360975]  ? rcu_read_lock_sched_held+0x108/0x120
[ 41.365953]  ? init_timer_key+0x126/0x3b0
[ 41.370068]  ? try_to_del_timer_sync+0x120/0x120
[ 41.374789]  ? round_jiffies_up+0xce/0x100
[ 41.378989]  ? __round_jiffies_up_relative+0x150/0x150
[ 41.384228]  ? debug_lockdep_rcu_enabled+0x77/0x90
[ 41.389125]  __tun_chr_ioctl+0x1b23/0x3d20
[ 41.393329]  ? tun_chr_read_iter+0x1e0/0x1e0
[ 41.397701]  ? __pmd_alloc+0x4e0/0x4e0
[ 41.401557]  ? __might_sleep+0x95/0x190
[ 41.405502]  ? selinux_file_ioctl+0x444/0x690
[ 41.409959]  ? __fget_light+0x29d/0x390
[ 41.413898]  ? selinux_capable+0x40/0x40
[ 41.417933]  tun_chr_compat_ioctl+0x29/0x30
[ 41.422217]  ? tun_chr_compat_ioctl+0x29/0x30
[ 41.426678]  compat_SyS_ioctl+0x1d7/0x3290
[ 41.430875]  ? __handle_mm_fault+0x39c0/0x39c0
[ 41.435419]  ? __tun_chr_ioctl+0x3d20/0x3d20
[ 41.439792]  ? do_ioctl+0x60/0x60
[ 41.443212]  ? do_fast_syscall_32+0x158/0xf05
[ 41.447672]  ? do_ioctl+0x60/0x60
[ 41.451093]  do_fast_syscall_32+0x3f2/0xf05
[ 41.455381]  ? do_int80_syscall_32+0x940/0x940
[ 41.459927]  ? kasan_check_read+0x11/0x20
[ 41.464040]  ? syscall_return_slowpath+0x510/0x510
[ 41.468935]  ? SyS_rt_sigaction+0x94/0x1b0
[ 41.473137]  ? lockdep_sys_exit+0x47/0xf0
[ 41.477249]  ? retint_user+0x18/0x20
[ 41.480928]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 41.485736]  entry_SYSENTER_compat+0x51/0x60
[ 41.490111] RIP: 0023:0xf7f02c79
[ 41.493437] RSP: 002b:00000000ffd7dd7c EFLAGS: 00000207 ORIG_RAX: 0000000000000036
[ 41.501110] RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 00000000400454ca
[ 41.508344] RDX: 0000000020822000 RSI: 0000000000000037 RDI: 0000000000000005
[ 41.515577] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 41.522809] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 41.530044] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 41.537320] Dumping ftrace buffer:
[ 41.540825]    (ftrace buffer empty)
[ 41.544499] Kernel Offset: disabled
[ 41.548094] Rebooting in 86400 seconds..