INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-mmots-kasan-gce-4,10.128.15.199' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
executing program
syzkaller login: [ 31.193333] ==================================================================
[ 31.200796] BUG: KASAN: use-after-free in detach_if_pending+0x557/0x610
[ 31.207520] Write of size 8 at addr ffff8801ce61b780 by task syzkaller485619/2986
[ 31.215130]
[ 31.216736] CPU: 0 PID: 2986 Comm: syzkaller485619 Not tainted 4.14.0-rc2-mm1+ #10
[ 31.224413] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.233738] Call Trace:
[ 31.236306]  dump_stack+0x194/0x257
[ 31.239912]  ? arch_local_irq_restore+0x53/0x53
[ 31.244554]  ? show_regs_print_info+0x65/0x65
[ 31.249025]  ? lock_timer_base+0x1a3/0x2b0
[ 31.253235]  ? detach_if_pending+0x557/0x610
[ 31.257618]  print_address_description+0x73/0x250
[ 31.262434]  ? detach_if_pending+0x557/0x610
[ 31.266815]  kasan_report+0x25b/0x340
[ 31.270594]  __asan_report_store8_noabort+0x17/0x20
[ 31.275584]  detach_if_pending+0x557/0x610
[ 31.279795]  ? trace_raw_output_tick_stop+0x130/0x130
[ 31.284960]  ? _raw_spin_lock_irqsave+0x9e/0xc0
[ 31.289598]  ? lock_timer_base+0x1a3/0x2b0
[ 31.293809]  ? lock_timer_base+0x1eb/0x2b0
[ 31.298021]  ? __internal_add_timer+0x2d0/0x2d0
[ 31.302665]  ? trace_hardirqs_on+0xd/0x10
[ 31.306795]  try_to_del_timer_sync+0xa2/0x120
[ 31.311262]  ? del_timer+0x130/0x130
[ 31.314947]  ? del_timer_sync+0xeb/0x240
[ 31.318984]  del_timer_sync+0x18a/0x240
[ 31.322935]  tun_free_netdev+0x105/0x1b0
[ 31.326972]  ? tun_xdp+0x410/0x410
[ 31.330486]  ? cpumask_next+0x24/0x30
[ 31.334262]  ? netdev_refcnt_read+0xed/0x150
[ 31.338646]  ? tun_xdp+0x410/0x410
[ 31.342158]  netdev_run_todo+0x870/0xca0
[ 31.346192]  ? do_group_exit+0x149/0x400
[ 31.350232]  ? register_netdev+0x30/0x30
[ 31.354269]  ? lock_downgrade+0x990/0x990
[ 31.358391]  ? trace_hardirqs_on+0xd/0x10
[ 31.362531]  ? refcount_sub_and_test+0x115/0x1b0
[ 31.367261]  ? refcount_inc+0x50/0x50
[ 31.371032]  ? refcount_inc+0x50/0x50
[ 31.374817]  ? sk_destruct+0x4c/0x80
[ 31.378500]  ? __sk_free+0x5c/0x230
[ 31.382098]  ? sk_free+0x2f/0x40
[ 31.385436]  ? __tun_detach+0x760/0x1570
[ 31.389481]  ? tun_attach+0x1070/0x1070
[ 31.393439]  ? locks_remove_file+0x3fa/0x5a0
[ 31.397826]  ? fcntl_setlk+0x10d0/0x10d0
[ 31.401866]  ? __fsnotify_parent+0xb4/0x3a0
[ 31.406160]  ? fsnotify+0x1af0/0x1af0
[ 31.409936]  ? rcu_note_context_switch+0x710/0x710
[ 31.414843]  ? __tun_detach+0x1570/0x1570
[ 31.418967]  rtnl_unlock+0xe/0x10
[ 31.422391]  tun_chr_close+0x49/0x60
[ 31.426078]  __fput+0x333/0x7f0
[ 31.429335]  ? fput+0x140/0x140
[ 31.432588]  ? trace_event_raw_event_sched_switch+0x770/0x770
[ 31.438451]  ____fput+0x15/0x20
[ 31.441713]  task_work_run+0x199/0x270
[ 31.445580]  ? task_work_cancel+0x210/0x210
[ 31.449876]  ? free_nsproxy+0x185/0x1f0
[ 31.453824]  ? switch_task_namespaces+0xa2/0xc0
[ 31.458473]  do_exit+0x9c8/0x1b00
[ 31.461907]  ? mm_update_next_owner+0x930/0x930
[ 31.466552]  ? find_held_lock+0x39/0x1d0
[ 31.470596]  ? lock_downgrade+0x990/0x990
[ 31.474739]  ? handle_mm_fault+0x410/0x8d0
[ 31.478948]  ? __do_page_fault+0x31e/0xd60
[ 31.483154]  ? __handle_mm_fault+0x39c0/0x39c0
[ 31.487715]  ? vmacache_find+0x5f/0x280
[ 31.491671]  ? up_read+0x1a/0x40
[ 31.495009]  ? __do_page_fault+0x3d6/0xd60
[ 31.499224]  ? mm_fault_error+0x2c0/0x2c0
[ 31.503343]  ? do_vfs_ioctl+0x492/0x1530
[ 31.507375]  ? _cond_resched+0x14/0x30
[ 31.511245]  ? do_page_fault+0xee/0x720
[ 31.515195]  ? __do_page_fault+0xd60/0xd60
[ 31.519405]  ? putname+0xf3/0x130
[ 31.522837]  do_group_exit+0x149/0x400
[ 31.526697]  ? lockdep_sys_exit+0x47/0xf0
[ 31.530818]  ? SyS_exit+0x30/0x30
[ 31.534244]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 31.539241]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 31.543972]  SyS_exit_group+0x1d/0x20
[ 31.547747]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 31.552471] RIP: 0033:0x445139
[ 31.555632] RSP: 002b:00000000007efe48 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7
[ 31.563315] RAX: ffffffffffffffda RBX: 00000000ffffffff RCX: 0000000000445139
[ 31.570559] RDX: 0000000000445139 RSI: 0000000020c63fd8 RDI: 0000000000000001
[ 31.577799] RBP: 0000000000000086 R08: 0000000000000000 R09: 00000000ffffffff
[ 31.585039] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000402790
[ 31.592278] R13: 0000000000402820 R14: 0000000000000000 R15: 0000000000000000
[ 31.599537]
[ 31.601146] Allocated by task 2986:
[ 31.604754]  save_stack_trace+0x16/0x20
[ 31.608704]  save_stack+0x43/0xd0
[ 31.612127]  kasan_kmalloc+0xad/0xe0
[ 31.615811]  __kmalloc_node+0x47/0x70
[ 31.619584]  kvmalloc_node+0x64/0xd0
[ 31.623268]  alloc_netdev_mqs+0x16d/0xed0
[ 31.627386]  __tun_chr_ioctl+0x1386/0x3e40
[ 31.631588]  tun_chr_ioctl+0x2a/0x40
[ 31.635270]  do_vfs_ioctl+0x1b1/0x1530
[ 31.639125]  SyS_ioctl+0x8f/0xc0
[ 31.642466]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 31.647187]
[ 31.648785] Freed by task 2986:
[ 31.652037]  save_stack_trace+0x16/0x20
[ 31.655979]  save_stack+0x43/0xd0
[ 31.659401]  kasan_slab_free+0x71/0xc0
[ 31.663256]  kfree+0xca/0x250
[ 31.666332]  kvfree+0x36/0x60
[ 31.669407]  free_netdev+0x2cf/0x360
[ 31.673089]  __tun_chr_ioctl+0x2df6/0x3e40
[ 31.677291]  tun_chr_ioctl+0x2a/0x40
[ 31.680974]  do_vfs_ioctl+0x1b1/0x1530
[ 31.684830]  SyS_ioctl+0x8f/0xc0
[ 31.688177]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 31.692899]
[ 31.694497] The buggy address belongs to the object at ffff8801ce618380
[ 31.694497]  which belongs to the cache kmalloc-16384 of size 16384
[ 31.707470] The buggy address is located 13312 bytes inside of
[ 31.707470]  16384-byte region [ffff8801ce618380, ffff8801ce61c380)
[ 31.719661] The buggy address belongs to the page:
[ 31.724559] page:ffffea0007398600 count:1 mapcount:0 mapping:ffff8801ce618380 index:0x0 compound_mapcount: 0
[ 31.734513] flags: 0x200000000008100(slab|head)
[ 31.739152] raw: 0200000000008100 ffff8801ce618380 0000000000000000 0000000100000001
[ 31.747005] raw: ffffea000737b220 ffff8801dac01c50 ffff8801dac02200 0000000000000000
[ 31.754852] page dumped because: kasan: bad access detected
[ 31.760528]
[ 31.762124] Memory state around the buggy address:
[ 31.767020]  ffff8801ce61b680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.774348]  ffff8801ce61b700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.781677] >ffff8801ce61b780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.789001]                    ^
[ 31.792335]  ffff8801ce61b800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.799663]  ffff8801ce61b880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.806988] ==================================================================
[ 31.814313] Disabling lock debugging due to kernel taint
[ 31.819730] Kernel panic - not syncing: panic_on_warn set ...
[ 31.819730]
[ 31.827057] CPU: 0 PID: 2986 Comm: syzkaller485619 Tainted: G B 4.14.0-rc2-mm1+ #10
[ 31.835943] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.845262] Call Trace:
[ 31.847820]  dump_stack+0x194/0x257
[ 31.851414]  ? arch_local_irq_restore+0x53/0x53
[ 31.856059]  ? vprintk_default+0x28/0x30
[ 31.860089]  ? detach_if_pending+0x4d0/0x610
[ 31.864466]  panic+0x1e4/0x417
[ 31.867623]  ? __warn+0x1d9/0x1d9
[ 31.871049]  ? detach_if_pending+0x557/0x610
[ 31.875425]  kasan_end_report+0x50/0x50
[ 31.879361]  kasan_report+0x144/0x340
[ 31.883129]  __asan_report_store8_noabort+0x17/0x20
[ 31.888107]  detach_if_pending+0x557/0x610
[ 31.892309]  ? trace_raw_output_tick_stop+0x130/0x130
[ 31.897463]  ? _raw_spin_lock_irqsave+0x9e/0xc0
[ 31.902095]  ? lock_timer_base+0x1a3/0x2b0
[ 31.906295]  ? lock_timer_base+0x1eb/0x2b0
[ 31.910496]  ? __internal_add_timer+0x2d0/0x2d0
[ 31.915134]  ? trace_hardirqs_on+0xd/0x10
[ 31.919249]  try_to_del_timer_sync+0xa2/0x120
[ 31.923707]  ? del_timer+0x130/0x130
[ 31.927384]  ? del_timer_sync+0xeb/0x240
[ 31.931413]  del_timer_sync+0x18a/0x240
[ 31.935357]  tun_free_netdev+0x105/0x1b0
[ 31.939383]  ? tun_xdp+0x410/0x410
[ 31.942888]  ? cpumask_next+0x24/0x30
[ 31.946655]  ? netdev_refcnt_read+0xed/0x150
[ 31.951030]  ? tun_xdp+0x410/0x410
[ 31.954534]  netdev_run_todo+0x870/0xca0
[ 31.958558]  ? do_group_exit+0x149/0x400
[ 31.962587]  ? register_netdev+0x30/0x30
[ 31.966613]  ? lock_downgrade+0x990/0x990
[ 31.970728]  ? trace_hardirqs_on+0xd/0x10
[ 31.974856]  ? refcount_sub_and_test+0x115/0x1b0
[ 31.979576]  ? refcount_inc+0x50/0x50
[ 31.983340]  ? refcount_inc+0x50/0x50
[ 31.987111]  ? sk_destruct+0x4c/0x80
[ 31.990798]  ? __sk_free+0x5c/0x230
[ 31.994391]  ? sk_free+0x2f/0x40
[ 31.997720]  ? __tun_detach+0x760/0x1570
[ 32.001750]  ? tun_attach+0x1070/0x1070
[ 32.005695]  ? locks_remove_file+0x3fa/0x5a0
[ 32.010070]  ? fcntl_setlk+0x10d0/0x10d0
[ 32.014099]  ? __fsnotify_parent+0xb4/0x3a0
[ 32.018385]  ? fsnotify+0x1af0/0x1af0
[ 32.022151]  ? rcu_note_context_switch+0x710/0x710
[ 32.027046]  ? __tun_detach+0x1570/0x1570
[ 32.031159]  rtnl_unlock+0xe/0x10
[ 32.034575]  tun_chr_close+0x49/0x60
[ 32.038253]  __fput+0x333/0x7f0
[ 32.041502]  ? fput+0x140/0x140
[ 32.044750]  ? trace_event_raw_event_sched_switch+0x770/0x770
[ 32.050602]  ____fput+0x15/0x20
[ 32.053852]  task_work_run+0x199/0x270
[ 32.057705]  ? task_work_cancel+0x210/0x210
[ 32.061991]  ? free_nsproxy+0x185/0x1f0
[ 32.065930]  ? switch_task_namespaces+0xa2/0xc0
[ 32.070564]  do_exit+0x9c8/0x1b00
[ 32.073987]  ? mm_update_next_owner+0x930/0x930
[ 32.078624]  ? find_held_lock+0x39/0x1d0
[ 32.082655]  ? lock_downgrade+0x990/0x990
[ 32.086780]  ? handle_mm_fault+0x410/0x8d0
[ 32.090983]  ? __do_page_fault+0x31e/0xd60
[ 32.095182]  ? __handle_mm_fault+0x39c0/0x39c0
[ 32.099726]  ? vmacache_find+0x5f/0x280
[ 32.103670]  ? up_read+0x1a/0x40
[ 32.107002]  ? __do_page_fault+0x3d6/0xd60
[ 32.111206]  ? mm_fault_error+0x2c0/0x2c0
[ 32.115319]  ? do_vfs_ioctl+0x492/0x1530
[ 32.119344]  ? _cond_resched+0x14/0x30
[ 32.123198]  ? do_page_fault+0xee/0x720
[ 32.127137]  ? __do_page_fault+0xd60/0xd60
[ 32.131337]  ? putname+0xf3/0x130
[ 32.134759]  do_group_exit+0x149/0x400
[ 32.138612]  ? lockdep_sys_exit+0x47/0xf0
[ 32.142724]  ? SyS_exit+0x30/0x30
[ 32.146143]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 32.151128]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 32.155850]  SyS_exit_group+0x1d/0x20
[ 32.159617]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 32.164340] RIP: 0033:0x445139
[ 32.167493] RSP: 002b:00000000007efe48 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7
[ 32.175167] RAX: ffffffffffffffda RBX: 00000000ffffffff RCX: 0000000000445139
[ 32.182400] RDX: 0000000000445139 RSI: 0000000020c63fd8 RDI: 0000000000000001
[ 32.189635] RBP: 0000000000000086 R08: 0000000000000000 R09: 00000000ffffffff