INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added 'ci-upstream-kasan-gce-386-4,10.128.0.24' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
executing program
syzkaller login: [ 54.493429] ==================================================================
[ 54.500895] BUG: KASAN: use-after-free in detach_if_pending+0x557/0x610
[ 54.507626] Write of size 8 at addr ffff8801cfcfb780 by task syzkaller428703/2986
[ 54.515221]
[ 54.516829] CPU: 0 PID: 2986 Comm: syzkaller428703 Not tainted 4.14.0-rc4+ #38
[ 54.524169] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 54.533509] Call Trace:
[ 54.536085] dump_stack+0x194/0x257
[ 54.539869] ? arch_local_irq_restore+0x53/0x53
[ 54.544518] ? show_regs_print_info+0x65/0x65
[ 54.549001] ? lock_timer_base+0x1a3/0x2b0
[ 54.553219] ? detach_if_pending+0x557/0x610
[ 54.557617] print_address_description+0x73/0x250
[ 54.562437] ? detach_if_pending+0x557/0x610
[ 54.566820] kasan_report+0x25b/0x340
[ 54.570597] __asan_report_store8_noabort+0x17/0x20
[ 54.575588] detach_if_pending+0x557/0x610
[ 54.579798] ? trace_raw_output_tick_stop+0x130/0x130
[ 54.584961] ? _raw_spin_lock_irqsave+0x9e/0xc0
[ 54.589601] ? lock_timer_base+0x1a3/0x2b0
[ 54.593809] ? lock_timer_base+0x1eb/0x2b0
[ 54.598022] ? __internal_add_timer+0x2d0/0x2d0
[ 54.602668] ? trace_hardirqs_on+0xd/0x10
[ 54.606797] try_to_del_timer_sync+0xa2/0x120
[ 54.611266] ? del_timer+0x130/0x130
[ 54.615215] ? del_timer_sync+0xeb/0x240
[ 54.619257] del_timer_sync+0x18a/0x240
[ 54.623208] tun_free_netdev+0x105/0x1b0
[ 54.627244] ? tun_xdp+0x410/0x410
[ 54.630754] ? cpumask_next+0x24/0x30
[ 54.634531] ? netdev_refcnt_read+0xed/0x150
[ 54.638914] ? tun_xdp+0x410/0x410
[ 54.642425] netdev_run_todo+0x870/0xca0
[ 54.646459] ? do_group_exit+0x149/0x400
[ 54.650498] ? register_netdev+0x30/0x30
[ 54.654539] ? do_raw_spin_trylock+0x190/0x190
[ 54.659126] ? refcount_sub_and_test+0x115/0x1b0
[ 54.663853] ? refcount_inc+0x50/0x50
[ 54.667624] ? refcount_inc+0x50/0x50
[ 54.671401] ? sk_destruct+0x4c/0x80
[ 54.675096] ? __sk_free+0x5c/0x230
[ 54.678697] ? sk_free+0x2f/0x40
[ 54.682037] ? __tun_detach+0x176/0x1390
[ 54.686081] ? tun_attach+0xf90/0xf90
[ 54.689862] ? locks_remove_file+0x3fa/0x5a0
[ 54.694244] ? fcntl_setlk+0x10d0/0x10d0
[ 54.698280] ? __fsnotify_parent+0xb4/0x3a0
[ 54.702574] ? fsnotify+0x1af0/0x1af0
[ 54.706349] ? __tun_detach+0x1390/0x1390
[ 54.710466] ? __tun_detach+0x1390/0x1390
[ 54.714589] rtnl_unlock+0xe/0x10
[ 54.718015] tun_chr_close+0x49/0x60
[ 54.721701] __fput+0x333/0x7f0
[ 54.724958] ? fput+0x140/0x140
[ 54.728209] ? check_same_owner+0x320/0x320
[ 54.732508] ____fput+0x15/0x20
[ 54.735760] task_work_run+0x199/0x270
[ 54.739623] ? task_work_cancel+0x210/0x210
[ 54.743917] ? free_nsproxy+0x185/0x1f0
[ 54.747863] ? switch_task_namespaces+0xa2/0xc0
[ 54.752506] do_exit+0x9d2/0x1af0
[ 54.755932] ? trace_hardirqs_on+0xd/0x10
[ 54.760058] ? mm_update_next_owner+0x930/0x930
[ 54.764698] ? mark_held_locks+0xb2/0x100
[ 54.768820] ? kfree+0xe4/0x250
[ 54.772074] ? kvfree+0x36/0x60
[ 54.775325] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 54.780312] ? trace_hardirqs_on+0xd/0x10
[ 54.784441] ? kvfree+0x3b/0x60
[ 54.787699] ? rtnl_unlock+0xe/0x10
[ 54.791297] ? __tun_chr_ioctl+0x27a/0x3d20
[ 54.795611] ? __might_sleep+0x95/0x190
[ 54.799555] ? __fd_install+0x2f7/0x6a0
[ 54.803510] ? selinux_file_ioctl+0x444/0x690
[ 54.807974] ? __fget_light+0x29d/0x390
[ 54.811927] ? putname+0xee/0x130
[ 54.815354] ? putname+0xee/0x130
[ 54.818779] ? rcu_read_lock_sched_held+0x108/0x120
[ 54.823772] ? tun_chr_compat_ioctl+0x29/0x30
[ 54.828236] ? tun_chr_compat_ioctl+0x29/0x30
[ 54.832705] do_group_exit+0x149/0x400
[ 54.836563] ? __tun_chr_ioctl+0x3d20/0x3d20
[ 54.840943] ? SyS_exit+0x30/0x30
[ 54.844367] ? do_ioctl+0x60/0x60
[ 54.847796] ? do_fast_syscall_32+0x158/0xf05
[ 54.852263] ? do_group_exit+0x400/0x400
[ 54.856296] SyS_exit_group+0x1d/0x20
[ 54.860067] do_fast_syscall_32+0x3f2/0xf05
[ 54.864366] ? do_int80_syscall_32+0x940/0x940
[ 54.868922] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 54.873651] ? lockdep_sys_exit+0x47/0xf0
[ 54.877771] ? syscall_return_slowpath+0x2b3/0x510
[ 54.882676] ? sysret32_from_system_call+0x5/0x3b
[ 54.887497] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 54.892319] entry_SYSENTER_compat+0x51/0x60
[ 54.896698] RIP: 0023:0xf7f91c79
[ 54.900033] RSP: 002b:00000000fffe4a2c EFLAGS: 00000282 ORIG_RAX: 00000000000000fc
[ 54.907714] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00000000fffe4c18
[ 54.914955] RDX: 0000000008048dad RSI: 0000000000000036 RDI: 0000000000000004
[ 54.922193] RBP: 00000000400454ca R08: 0000000000000000 R09: 0000000000000000
[ 54.929432] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 54.936673] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 54.943931]
[ 54.945534] Allocated by task 2986:
[ 54.949132] save_stack_trace+0x16/0x20
[ 54.953076] save_stack+0x43/0xd0
[ 54.956513] kasan_kmalloc+0xad/0xe0
[ 54.960198] __kmalloc_node+0x47/0x70
[ 54.963969] kvmalloc_node+0x64/0xd0
[ 54.967654] alloc_netdev_mqs+0x16e/0xed0
[ 54.971772] __tun_chr_ioctl+0x12be/0x3d20
[ 54.975976] tun_chr_compat_ioctl+0x29/0x30
[ 54.980270] compat_SyS_ioctl+0x1d7/0x3290
[ 54.984477] do_fast_syscall_32+0x3f2/0xf05
[ 54.988769] entry_SYSENTER_compat+0x51/0x60
[ 54.993145]
[ 54.994742] Freed by task 2986:
[ 54.998003] save_stack_trace+0x16/0x20
[ 55.001946] save_stack+0x43/0xd0
[ 55.005369] kasan_slab_free+0x71/0xc0
[ 55.009225] kfree+0xca/0x250
[ 55.012388] kvfree+0x36/0x60
[ 55.015463] free_netdev+0x2cf/0x360
[ 55.019144] __tun_chr_ioctl+0x2cf6/0x3d20
[ 55.023347] tun_chr_compat_ioctl+0x29/0x30
[ 55.027637] compat_SyS_ioctl+0x1d7/0x3290
[ 55.031841] do_fast_syscall_32+0x3f2/0xf05
[ 55.036132] entry_SYSENTER_compat+0x51/0x60
[ 55.040506]
[ 55.042107] The buggy address belongs to the object at ffff8801cfcf8380
[ 55.042107] which belongs to the cache kmalloc-16384 of size 16384
[ 55.055080] The buggy address is located 13312 bytes inside of
[ 55.055080] 16384-byte region [ffff8801cfcf8380, ffff8801cfcfc380)
[ 55.067270] The buggy address belongs to the page:
[ 55.072180] page:ffffea00073f3e00 count:1 mapcount:0 mapping:ffff8801cfcf8380 index:0x0 compound_mapcount: 0
[ 55.082126] flags: 0x200000000008100(slab|head)
[ 55.086766] raw: 0200000000008100 ffff8801cfcf8380 0000000000000000 0000000100000001
[ 55.094618] raw: ffffea0007397c20 ffff8801dac01c50 ffff8801dac02200 0000000000000000
[ 55.102467] page dumped because: kasan: bad access detected
[ 55.108145]
[ 55.109743] Memory state around the buggy address:
[ 55.114642] ffff8801cfcfb680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.121970] ffff8801cfcfb700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.129937] >ffff8801cfcfb780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.137274] ^
[ 55.140609] ffff8801cfcfb800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.147936] ffff8801cfcfb880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.155263] ==================================================================
[ 55.162588] Disabling lock debugging due to kernel taint
[ 55.168004] Kernel panic - not syncing: panic_on_warn set ...
[ 55.168004]
[ 55.175333] CPU: 0 PID: 2986 Comm: syzkaller428703 Tainted: G B 4.14.0-rc4+ #38
[ 55.183869] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 55.193187] Call Trace:
[ 55.195751] dump_stack+0x194/0x257
[ 55.199346] ? arch_local_irq_restore+0x53/0x53
[ 55.203999] ? vprintk_default+0x28/0x30
[ 55.208029] ? detach_if_pending+0x540/0x610
[ 55.212404] panic+0x1e4/0x417
[ 55.215560] ? __warn+0x1d9/0x1d9
[ 55.218986] ? detach_if_pending+0x557/0x610
[ 55.223361] kasan_end_report+0x50/0x50
[ 55.227297] kasan_report+0x144/0x340
[ 55.231066] __asan_report_store8_noabort+0x17/0x20
[ 55.236048] detach_if_pending+0x557/0x610
[ 55.240249] ? trace_raw_output_tick_stop+0x130/0x130
[ 55.245408] ? _raw_spin_lock_irqsave+0x9e/0xc0
[ 55.250058] ? lock_timer_base+0x1a3/0x2b0
[ 55.254259] ? lock_timer_base+0x1eb/0x2b0
[ 55.258460] ? __internal_add_timer+0x2d0/0x2d0
[ 55.263098] ? trace_hardirqs_on+0xd/0x10
[ 55.267217] try_to_del_timer_sync+0xa2/0x120
[ 55.271678] ? del_timer+0x130/0x130
[ 55.275355] ? del_timer_sync+0xeb/0x240
[ 55.279383] del_timer_sync+0x18a/0x240
[ 55.283326] tun_free_netdev+0x105/0x1b0
[ 55.287352] ? tun_xdp+0x410/0x410
[ 55.290858] ? cpumask_next+0x24/0x30
[ 55.294639] ? netdev_refcnt_read+0xed/0x150
[ 55.299014] ? tun_xdp+0x410/0x410
[ 55.302518] netdev_run_todo+0x870/0xca0
[ 55.306544] ? do_group_exit+0x149/0x400
[ 55.310575] ? register_netdev+0x30/0x30
[ 55.314603] ? do_raw_spin_trylock+0x190/0x190
[ 55.319156] ? refcount_sub_and_test+0x115/0x1b0
[ 55.323877] ? refcount_inc+0x50/0x50
[ 55.327641] ? refcount_inc+0x50/0x50
[ 55.331410] ? sk_destruct+0x4c/0x80
[ 55.335091] ? __sk_free+0x5c/0x230
[ 55.338682] ? sk_free+0x2f/0x40
[ 55.342014] ? __tun_detach+0x176/0x1390
[ 55.346049] ? tun_attach+0xf90/0xf90
[ 55.349821] ? locks_remove_file+0x3fa/0x5a0
[ 55.354198] ? fcntl_setlk+0x10d0/0x10d0
[ 55.358226] ? __fsnotify_parent+0xb4/0x3a0
[ 55.362515] ? fsnotify+0x1af0/0x1af0
[ 55.366282] ? __tun_detach+0x1390/0x1390
[ 55.370394] ? __tun_detach+0x1390/0x1390
[ 55.374507] rtnl_unlock+0xe/0x10
[ 55.377928] tun_chr_close+0x49/0x60
[ 55.381606] __fput+0x333/0x7f0
[ 55.384856] ? fput+0x140/0x140
[ 55.388101] ? check_same_owner+0x320/0x320
[ 55.392394] ____fput+0x15/0x20
[ 55.395638] task_work_run+0x199/0x270
[ 55.399490] ? task_work_cancel+0x210/0x210
[ 55.403786] ? free_nsproxy+0x185/0x1f0
[ 55.407724] ? switch_task_namespaces+0xa2/0xc0
[ 55.412359] do_exit+0x9d2/0x1af0
[ 55.415777] ? trace_hardirqs_on+0xd/0x10
[ 55.419891] ? mm_update_next_owner+0x930/0x930
[ 55.424526] ? mark_held_locks+0xb2/0x100
[ 55.428640] ? kfree+0xe4/0x250
[ 55.431883] ? kvfree+0x36/0x60
[ 55.435127] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 55.440107] ? trace_hardirqs_on+0xd/0x10
[ 55.444221] ? kvfree+0x3b/0x60
[ 55.447470] ? rtnl_unlock+0xe/0x10
[ 55.451060] ? __tun_chr_ioctl+0x27a/0x3d20
[ 55.455357] ? __might_sleep+0x95/0x190
[ 55.459295] ? __fd_install+0x2f7/0x6a0
[ 55.463239] ? selinux_file_ioctl+0x444/0x690
[ 55.467697] ? __fget_light+0x29d/0x390
[ 55.471728] ? putname+0xee/0x130
[ 55.475148] ? putname+0xee/0x130
[ 55.478567] ? rcu_read_lock_sched_held+0x108/0x120
[ 55.483551] ? tun_chr_compat_ioctl+0x29/0x30
[ 55.488008] ? tun_chr_compat_ioctl+0x29/0x30
[ 55.492469] do_group_exit+0x149/0x400