
Debian GNU/Linux 7 syzkaller ttyS0

net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
executing program
syzkaller login: [   34.345306] ==================================================================
[   34.346200] BUG: KASAN: use-after-free in detach_if_pending+0x557/0x610
[   34.346847] Write of size 8 at addr ffff88003dc3b600 by task syzkaller187877/2992
[   34.347381] 
[   34.347500] CPU: 1 PID: 2992 Comm: syzkaller187877 Not tainted 4.13.0-next-20170907+ #17
[   34.348290] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[   34.349151] Call Trace:
[   34.349453]  dump_stack+0x194/0x257
[   34.349916]  ? arch_local_irq_restore+0x53/0x53
[   34.350424]  ? show_regs_print_info+0x65/0x65
[   34.350950]  ? lock_timer_base+0x1a3/0x2b0
[   34.351409]  ? detach_if_pending+0x557/0x610
[   34.351754]  print_address_description+0x73/0x250
[   34.352116]  ? detach_if_pending+0x557/0x610
[   34.352419]  kasan_report+0x24e/0x340
[   34.352685]  __asan_report_store8_noabort+0x17/0x20
[   34.353062]  detach_if_pending+0x557/0x610
[   34.353341]  ? trace_raw_output_tick_stop+0x130/0x130
[   34.353667]  ? _raw_spin_lock_irqsave+0x9e/0xc0
[   34.353964]  ? lock_timer_base+0x1a3/0x2b0
[   34.354258]  ? lock_timer_base+0x1eb/0x2b0
[   34.354558]  ? __internal_add_timer+0x2d0/0x2d0
[   34.354871]  ? trace_hardirqs_on+0xd/0x10
[   34.355183]  try_to_del_timer_sync+0xa2/0x120
[   34.355527]  ? del_timer+0x130/0x130
[   34.355783]  ? del_timer_sync+0xeb/0x240
[   34.356106]  del_timer_sync+0x18a/0x240
[   34.356384]  tun_free_netdev+0x105/0x1b0
[   34.356666]  ? tun_xdp+0x410/0x410
[   34.356910]  ? cpumask_next+0x24/0x30
[   34.357255]  ? netdev_refcnt_read+0xed/0x150
[   34.357630]  ? tun_xdp+0x410/0x410
[   34.358648]  netdev_run_todo+0x870/0xca0
[   34.358942]  ? do_group_exit+0x149/0x400
[   34.359249]  ? register_netdev+0x30/0x30
[   34.359544]  ? lock_downgrade+0x990/0x990
[   34.359935]  ? trace_hardirqs_on+0xd/0x10
[   34.360287]  ? refcount_sub_and_test+0x115/0x1b0
[   34.360709]  ? refcount_inc+0x50/0x50
[   34.360972]  ? refcount_inc+0x50/0x50
[   34.361290]  ? sk_destruct+0x4c/0x80
[   34.361546]  ? __sk_free+0x5c/0x230
[   34.361799]  ? sk_free+0x2f/0x40
[   34.362112]  ? __tun_detach+0x176/0x1390
[   34.362416]  ? tun_attach+0xf90/0xf90
[   34.362710]  ? do_raw_spin_trylock+0x190/0x190
[   34.363080]  ? locks_remove_file+0x3fa/0x5a0
[   34.363398]  ? fcntl_setlk+0x10d0/0x10d0
[   34.363723]  ? __fsnotify_parent+0xb4/0x3a0
[   34.364033]  ? fsnotify+0x1af0/0x1af0
[   34.364303]  ? __tun_detach+0x1390/0x1390
[   34.364591]  ? __tun_detach+0x1390/0x1390
[   34.364878]  rtnl_unlock+0xe/0x10
[   34.365142]  tun_chr_close+0x49/0x60
[   34.365400]  __fput+0x333/0x7f0
[   34.365633]  ? fput+0x140/0x140
[   34.365863]  ? check_same_owner+0x320/0x320
[   34.366174]  ? _raw_spin_unlock_irq+0x27/0x70
[   34.366487]  ____fput+0x15/0x20
[   34.366717]  task_work_run+0x199/0x270
[   34.366989]  ? task_work_cancel+0x210/0x210
[   34.367301]  ? _raw_spin_unlock+0x22/0x30
[   34.367589]  ? switch_task_namespaces+0x87/0xc0
[   34.367925]  do_exit+0xa52/0x1b40
[   34.368176]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   34.368522]  ? check_noncircular+0x20/0x20
[   34.368818]  ? __handle_mm_fault+0x587/0x39c0
[   34.369152]  ? mm_update_next_owner+0x930/0x930
[   34.369471]  ? __pmd_alloc+0x4e0/0x4e0
[   34.369747]  ? find_held_lock+0x39/0x1d0
[   34.370045]  ? lock_downgrade+0x990/0x990
[   34.370348]  ? handle_mm_fault+0x410/0x8d0
[   34.370637]  ? down_read_trylock+0xdb/0x170
[   34.370933]  ? __do_page_fault+0x2b8/0xb60
[   34.371239]  ? __handle_mm_fault+0x39c0/0x39c0
[   34.371554]  ? vmacache_find+0x61/0x270
[   34.371837]  ? up_read+0x1a/0x40
[   34.372110]  ? __do_page_fault+0x35b/0xb60
[   34.372422]  ? do_page_fault+0xee/0x720
[   34.372751]  ? __do_page_fault+0xb60/0xb60
[   34.373096]  ? putname+0xf3/0x130
[   34.373368]  do_group_exit+0x149/0x400
[   34.373677]  ? lockdep_sys_exit+0x47/0xf0
[   34.374040]  ? SyS_exit+0x30/0x30
[   34.374295]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   34.374668]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   34.375035]  SyS_exit_group+0x1d/0x20
[   34.375315]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   34.375684] RIP: 0033:0x438799
[   34.375931] RSP: 002b:00007fff95dd1ca8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   34.376537] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000438799
[   34.377118] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[   34.377650] RBP: 0000000000000082 R08: 000000000000003c R09: 00000000000000e7
[   34.378181] R10: ffffffffffffffc0 R11: 0000000000000246 R12: 0000000000000001
[   34.378780] R13: 00000000006cc300 R14: 0000000000402290 R15: 0000000000000000
[   34.379742] 
[   34.379861] Allocated by task 2992:
[   34.380120]  save_stack_trace+0x16/0x20
[   34.380423]  save_stack+0x43/0xd0
[   34.380664]  kasan_kmalloc+0xad/0xe0
[   34.380950]  __kmalloc_node+0x47/0x70
[   34.381216]  kvmalloc_node+0x64/0xd0
[   34.381501]  alloc_netdev_mqs+0x16e/0xed0
[   34.381789]  __tun_chr_ioctl+0x12be/0x3d20
[   34.382136]  tun_chr_ioctl+0x2a/0x40
[   34.382448]  do_vfs_ioctl+0x1b1/0x1530
[   34.382717]  SyS_ioctl+0x8f/0xc0
[   34.382966]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   34.383306] 
[   34.383422] Freed by task 2992:
[   34.383657]  save_stack_trace+0x16/0x20
[   34.383976]  save_stack+0x43/0xd0
[   34.384255]  kasan_slab_free+0x71/0xc0
[   34.384524]  kfree+0xca/0x250
[   34.384741]  kvfree+0x36/0x60
[   34.385011]  free_netdev+0x2cf/0x360
[   34.385268]  __tun_chr_ioctl+0x2cf6/0x3d20
[   34.385573]  tun_chr_ioctl+0x2a/0x40
[   34.385843]  do_vfs_ioctl+0x1b1/0x1530
[   34.386124]  SyS_ioctl+0x8f/0xc0
[   34.386396]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   34.386768] 
[   34.386912] The buggy address belongs to the object at ffff88003dc38200
[   34.386912]  which belongs to the cache kmalloc-16384 of size 16384
[   34.387879] The buggy address is located 13312 bytes inside of
[   34.387879]  16384-byte region [ffff88003dc38200, ffff88003dc3c200)
[   34.388838] The buggy address belongs to the page:
[   34.389232] page:ffffea0000f70e00 count:1 mapcount:0 mapping:ffff88003dc38200 index:0x0 compound_mapcount: 0
[   34.389956] flags: 0x100000000008100(slab|head)
[   34.390280] raw: 0100000000008100 ffff88003dc38200 0000000000000000 0000000100000001
[   34.390817] raw: ffffea0000f13620 ffff88003e801c50 ffff88003e802200 0000000000000000
[   34.391351] page dumped because: kasan: bad access detected
[   34.391739] 
[   34.391853] Memory state around the buggy address:
[   34.392194]  ffff88003dc3b500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.392708]  ffff88003dc3b580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.393225] >ffff88003dc3b600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.393766]                    ^
[   34.394041]  ffff88003dc3b680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.394544]  ffff88003dc3b700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.395086] ==================================================================
[   34.395611] Disabling lock debugging due to kernel taint
[   34.395994] Kernel panic - not syncing: panic_on_warn set ...
[   34.395994] 
[   34.396500] CPU: 1 PID: 2992 Comm: syzkaller187877 Tainted: G    B           4.13.0-next-20170907+ #17
[   34.397146] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[   34.397763] Call Trace:
[   34.397941]  dump_stack+0x194/0x257
[   34.398188]  ? arch_local_irq_restore+0x53/0x53
[   34.398505]  ? vprintk_default+0x28/0x30
[   34.398782]  ? detach_if_pending+0x530/0x610
[   34.399081]  panic+0x1e4/0x417
[   34.399299]  ? __warn+0x1d9/0x1d9
[   34.399538]  ? detach_if_pending+0x557/0x610
[   34.399845]  kasan_end_report+0x50/0x50
[   34.400603]  kasan_report+0x137/0x340
[   34.400860]  __asan_report_store8_noabort+0x17/0x20
[   34.401207]  detach_if_pending+0x557/0x610
[   34.401531]  ? trace_raw_output_tick_stop+0x130/0x130
[   34.401881]  ? _raw_spin_lock_irqsave+0x9e/0xc0
[   34.402203]  ? lock_timer_base+0x1a3/0x2b0
[   34.402512]  ? lock_timer_base+0x1eb/0x2b0
[   34.402813]  ? __internal_add_timer+0x2d0/0x2d0
[   34.403173]  ? trace_hardirqs_on+0xd/0x10
[   34.403464]  try_to_del_timer_sync+0xa2/0x120
[   34.403777]  ? del_timer+0x130/0x130
[   34.404036]  ? del_timer_sync+0xeb/0x240
[   34.404310]  del_timer_sync+0x18a/0x240
[   34.404589]  tun_free_netdev+0x105/0x1b0
[   34.404863]  ? tun_xdp+0x410/0x410
[   34.405138]  ? cpumask_next+0x24/0x30
[   34.405394]  ? netdev_refcnt_read+0xed/0x150
[   34.405703]  ? tun_xdp+0x410/0x410
[   34.405942]  netdev_run_todo+0x870/0xca0
[   34.406223]  ? do_group_exit+0x149/0x400
[   34.406506]  ? register_netdev+0x30/0x30
[   34.406780]  ? lock_downgrade+0x990/0x990
[   34.407069]  ? trace_hardirqs_on+0xd/0x10
[   34.407353]  ? refcount_sub_and_test+0x115/0x1b0
[   34.407685]  ? refcount_inc+0x50/0x50
[   34.407941]  ? refcount_inc+0x50/0x50
[   34.408235]  ? sk_destruct+0x4c/0x80
[   34.408497]  ? __sk_free+0x5c/0x230
[   34.408747]  ? sk_free+0x2f/0x40
[   34.408974]  ? __tun_detach+0x176/0x1390
[   34.409286]  ? tun_attach+0xf90/0xf90
[   34.409555]  ? do_raw_spin_trylock+0x190/0x190
[   34.409865]  ? locks_remove_file+0x3fa/0x5a0
[   34.410170]  ? fcntl_setlk+0x10d0/0x10d0
[   34.410445]  ? __fsnotify_parent+0xb4/0x3a0
[   34.410768]  ? fsnotify+0x1af0/0x1af0
[   34.411073]  ? __tun_detach+0x1390/0x1390
[   34.411386]  ? __tun_detach+0x1390/0x1390
[   34.411722]  rtnl_unlock+0xe/0x10
[   34.411957]  tun_chr_close+0x49/0x60
[   34.412219]  __fput+0x333/0x7f0
[   34.412445]  ? fput+0x140/0x140
[   34.412681]  ? check_same_owner+0x320/0x320
[   34.412977]  ? _raw_spin_unlock_irq+0x27/0x70
[   34.413296]  ____fput+0x15/0x20
[   34.413520]  task_work_run+0x199/0x270
[   34.413809]  ? task_work_cancel+0x210/0x210
[   34.414140]  ? _raw_spin_unlock+0x22/0x30
[   34.414422]  ? switch_task_namespaces+0x87/0xc0
[   34.414749]  do_exit+0xa52/0x1b40
[   34.414985]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   34.415358]  ? check_noncircular+0x20/0x20
[   34.415697]  ? __handle_mm_fault+0x587/0x39c0
[   34.416022]  ? mm_update_next_owner+0x930/0x930
[   34.416342]  ? __pmd_alloc+0x4e0/0x4e0
[   34.416642]  ? find_held_lock+0x39/0x1d0
[   34.416977]  ? lock_downgrade+0x990/0x990
[   34.417273]  ? handle_mm_fault+0x410/0x8d0
[   34.417561]  ? down_read_trylock+0xdb/0x170
[   34.417943]  ? __do_page_fault+0x2b8/0xb60
[   34.418237]  ? __handle_mm_fault+0x39c0/0x39c0
[   34.418559]  ? vmacache_find+0x61/0x270
[   34.418861]  ? up_read+0x1a/0x40
[   34.419138]  ? __do_page_fault+0x35b/0xb60
[   34.419428]  ? do_page_fault+0xee/0x720
[   34.419710]  ? __do_page_fault+0xb60/0xb60
[   34.420014]  ? putname+0xf3/0x130
[   34.420281]  do_group_exit+0x149/0x400
[   34.420571]  ? lockdep_sys_exit+0x47/0xf0
[   34.420863]  ? SyS_exit+0x30/0x30
[   34.421109]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   34.421450]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   34.422288]  SyS_exit_group+0x1d/0x20
[   34.422562]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   34.422910] RIP: 0033:0x438799
[   34.423154] RSP: 002b:00007fff95dd1ca8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   34.423826] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000438799
[   34.424358] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[   34.424870] RBP: 0000000000000082 R08: 000000000000003c R09: 00000000000000e7
[   34.425374] R10: ffffffffffffffc0 R11: 0000000000000246 R12: 0000000000000001
[   34.425888] R13: 00000000006cc300 R14: 0000000000402290 R15: 0000000000000000
[   34.426510] Dumping ftrace buffer:
[   34.426798]    (ftrace buffer empty)
[   34.427069] Kernel Offset: disabled
[   34.427311] Rebooting in 86400 seconds..