INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-kasan-gce-386-2,10.128.0.51' (ECDSA) to the list of known hosts.
executing program
executing program

syzkaller login: [ 41.629945] ==================================================================
[ 41.631148] BUG: KASAN: use-after-free in __internal_add_timer+0x275/0x2d0
[ 41.632089] Write of size 8 at addr ffff8801d1fa3600 by task syzkaller154827/2985
[ 41.633090]
[ 41.633329] CPU: 1 PID: 2985 Comm: syzkaller154827 Not tainted 4.14.0-rc5+ #50
[ 41.634306] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.635529] Call Trace:
[ 41.635893]  dump_stack+0x194/0x257
[ 41.636392]  ? arch_local_irq_restore+0x53/0x53
[ 41.637017]  ? show_regs_print_info+0x65/0x65
[ 41.637663]  ? __kernel_text_address+0xd/0x40
[ 41.638316]  ? __internal_add_timer+0x275/0x2d0
[ 41.638964]  print_address_description+0x73/0x250
[ 41.639610]  ? __internal_add_timer+0x275/0x2d0
[ 41.640245]  kasan_report+0x25b/0x340
[ 41.640765]  __asan_report_store8_noabort+0x17/0x20
[ 41.641433]  __internal_add_timer+0x275/0x2d0
[ 41.642039]  ? calc_wheel_index+0x200/0x200
[ 41.642644]  mod_timer+0x622/0x15b0
[ 41.643146]  ? mod_timer_pending+0x14e0/0x14e0
[ 41.643761]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 41.644727]  ? trace_hardirqs_on+0xd/0x10
[ 41.645291]  ? _crng_backtrack_protect+0xd9/0x130
[ 41.645945]  ? __lock_is_held+0xb6/0x140
[ 41.646510]  ? __lockdep_init_map+0xe4/0x650
[ 41.647108]  ? lockdep_init_map+0x9/0x10
[ 41.647654]  ? init_timer_key+0x126/0x3b0
[ 41.648229]  ? try_to_del_timer_sync+0x120/0x120
[ 41.648867]  ? round_jiffies_up+0xce/0x100
[ 41.649453]  ? __round_jiffies_up_relative+0x150/0x150
[ 41.650345]  ? debug_lockdep_rcu_enabled+0x77/0x90
[ 41.655272]  __tun_chr_ioctl+0x1b17/0x3d20
[ 41.659508]  ? tun_chr_read_iter+0x1e0/0x1e0
[ 41.663897]  ? find_held_lock+0x35/0x1d0
[ 41.667942]  ? __might_sleep+0x95/0x190
[ 41.671890]  ? handle_mm_fault+0x248/0x8d0
[ 41.676111]  ? selinux_file_ioctl+0x444/0x690
[ 41.680577]  ? __fget_light+0x297/0x380
[ 41.684523]  ? selinux_capable+0x40/0x40
[ 41.688564]  ? handle_mm_fault+0x410/0x8d0
[ 41.692777]  tun_chr_compat_ioctl+0x29/0x30
[ 41.697079]  ? tun_chr_compat_ioctl+0x29/0x30
[ 41.701551]  compat_SyS_ioctl+0x1d7/0x3290
[ 41.705757]  ? up_read+0x1a/0x40
[ 41.709095]  ? __tun_chr_ioctl+0x3d20/0x3d20
[ 41.713480]  ? do_ioctl+0x60/0x60
[ 41.716909]  ? do_fast_syscall_32+0x158/0xf05
[ 41.721381]  ? do_ioctl+0x60/0x60
[ 41.724806]  do_fast_syscall_32+0x3f2/0xf05
[ 41.729109]  ? do_int80_syscall_32+0x940/0x940
[ 41.733664]  ? kasan_check_read+0x11/0x20
[ 41.737783]  ? syscall_return_slowpath+0x510/0x510
[ 41.742689]  ? SyS_rt_sigaction+0x94/0x1b0
[ 41.746898]  ? SyS_sigprocmask+0x4b0/0x4b0
[ 41.751110]  ? SyS_read+0x184/0x220
[ 41.754715]  ? retint_user+0x18/0x20
[ 41.758407]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 41.763229]  entry_SYSENTER_compat+0x51/0x60
[ 41.767611] RIP: 0023:0xf7f27c79
[ 41.770949] RSP: 002b:00000000fffebdfc EFLAGS: 00000207 ORIG_RAX: 0000000000000036
[ 41.778630] RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 00000000400454ca
[ 41.785871] RDX: 0000000020927fd8 RSI: 0000000000000037 RDI: 0000000000000005
[ 41.793118] RBP: 0000000000000406 R08: 0000000000000000 R09: 0000000000000000
[ 41.800366] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 41.807606] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 41.814867]
[ 41.816466] Allocated by task 2985:
[ 41.820071]  save_stack_trace+0x16/0x20
[ 41.824019]  save_stack+0x43/0xd0
[ 41.827444]  kasan_kmalloc+0xad/0xe0
[ 41.831130]  __kmalloc_node+0x47/0x70
[ 41.834902]  kvmalloc_node+0x64/0xd0
[ 41.838588]  alloc_netdev_mqs+0x16e/0xed0
[ 41.842707]  __tun_chr_ioctl+0x12b2/0x3d20
[ 41.846910]  tun_chr_compat_ioctl+0x29/0x30
[ 41.851204]  compat_SyS_ioctl+0x1d7/0x3290
[ 41.855412]  do_fast_syscall_32+0x3f2/0xf05
[ 41.859707]  entry_SYSENTER_compat+0x51/0x60
[ 41.864081]
[ 41.865680] Freed by task 2985:
[ 41.868928]  save_stack_trace+0x16/0x20
[ 41.872873]  save_stack+0x43/0xd0
[ 41.876294]  kasan_slab_free+0x71/0xc0
[ 41.880148]  kfree+0xca/0x250
[ 41.883223]  kvfree+0x36/0x60
[ 41.886299]  free_netdev+0x2cf/0x360
[ 41.889981]  __tun_chr_ioctl+0x2cea/0x3d20
[ 41.894183]  tun_chr_compat_ioctl+0x29/0x30
[ 41.898474]  compat_SyS_ioctl+0x1d7/0x3290
[ 41.902680]  do_fast_syscall_32+0x3f2/0xf05
[ 41.906973]  entry_SYSENTER_compat+0x51/0x60
[ 41.911348]
[ 41.912947] The buggy address belongs to the object at ffff8801d1fa02c0
[ 41.912947]  which belongs to the cache kmalloc-16384 of size 16384
[ 41.925924] The buggy address is located 13120 bytes inside of
[ 41.925924]  16384-byte region [ffff8801d1fa02c0, ffff8801d1fa42c0)
[ 41.938114] The buggy address belongs to the page:
[ 41.943017] page:ffffea000747e800 count:1 mapcount:0 mapping:ffff8801d1fa02c0 index:0x0 compound_mapcount: 0
[ 41.952958] flags: 0x200000000008100(slab|head)
[ 41.957597] raw: 0200000000008100 ffff8801d1fa02c0 0000000000000000 0000000100000001
[ 41.965448] raw: ffffea0007642820 ffffea000747b020 ffff8801dac02200 0000000000000000
[ 41.973292] page dumped because: kasan: bad access detected
[ 41.978968]
[ 41.980562] Memory state around the buggy address:
[ 41.985459]  ffff8801d1fa3500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.992785]  ffff8801d1fa3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.000112] >ffff8801d1fa3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.007437]                    ^
[ 42.010773]  ffff8801d1fa3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.018101]  ffff8801d1fa3700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.025426] ==================================================================
[ 42.032751] Disabling lock debugging due to kernel taint
[ 42.038169] Kernel panic - not syncing: panic_on_warn set ...
[ 42.038169]
[ 42.045500] CPU: 1 PID: 2985 Comm: syzkaller154827 Tainted: G B 4.14.0-rc5+ #50
[ 42.054038] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.063360] Call Trace:
[ 42.065924]  dump_stack+0x194/0x257
[ 42.069521]  ? arch_local_irq_restore+0x53/0x53
[ 42.074159]  ? kasan_end_report+0x32/0x50
[ 42.078280]  ? lock_downgrade+0x990/0x990
[ 42.082401]  ? __internal_add_timer+0x1d0/0x2d0
[ 42.087041]  panic+0x1e4/0x417
[ 42.090201]  ? __warn+0x1d9/0x1d9
[ 42.093651]  ? __internal_add_timer+0x275/0x2d0
[ 42.098288]  kasan_end_report+0x50/0x50
[ 42.102230]  kasan_report+0x144/0x340
[ 42.105998]  __asan_report_store8_noabort+0x17/0x20
[ 42.110980]  __internal_add_timer+0x275/0x2d0
[ 42.115444]  ? calc_wheel_index+0x200/0x200
[ 42.119739]  mod_timer+0x622/0x15b0
[ 42.123337]  ? mod_timer_pending+0x14e0/0x14e0
[ 42.127886]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 42.132868]  ? trace_hardirqs_on+0xd/0x10
[ 42.136986]  ? _crng_backtrack_protect+0xd9/0x130
[ 42.141797]  ? __lock_is_held+0xb6/0x140
[ 42.145826]  ? __lockdep_init_map+0xe4/0x650
[ 42.150201]  ? lockdep_init_map+0x9/0x10
[ 42.154229]  ? init_timer_key+0x126/0x3b0
[ 42.158344]  ? try_to_del_timer_sync+0x120/0x120
[ 42.163072]  ? round_jiffies_up+0xce/0x100
[ 42.167274]  ? __round_jiffies_up_relative+0x150/0x150
[ 42.172520]  ? debug_lockdep_rcu_enabled+0x77/0x90
[ 42.177421]  __tun_chr_ioctl+0x1b17/0x3d20
[ 42.181626]  ? tun_chr_read_iter+0x1e0/0x1e0
[ 42.186003]  ? find_held_lock+0x35/0x1d0
[ 42.190039]  ? __might_sleep+0x95/0x190
[ 42.193980]  ? handle_mm_fault+0x248/0x8d0
[ 42.198185]  ? selinux_file_ioctl+0x444/0x690
[ 42.202647]  ? __fget_light+0x297/0x380
[ 42.206588]  ? selinux_capable+0x40/0x40
[ 42.210627]  ? handle_mm_fault+0x410/0x8d0
[ 42.214831]  tun_chr_compat_ioctl+0x29/0x30
[ 42.219121]  ? tun_chr_compat_ioctl+0x29/0x30
[ 42.223585]  compat_SyS_ioctl+0x1d7/0x3290
[ 42.227787]  ? up_read+0x1a/0x40
[ 42.231120]  ? __tun_chr_ioctl+0x3d20/0x3d20
[ 42.235498]  ? do_ioctl+0x60/0x60
[ 42.238924]  ? do_fast_syscall_32+0x158/0xf05
[ 42.243387]  ? do_ioctl+0x60/0x60
[ 42.246806]  do_fast_syscall_32+0x3f2/0xf05
[ 42.251100]  ? do_int80_syscall_32+0x940/0x940
[ 42.255652]  ? kasan_check_read+0x11/0x20
[ 42.259781]  ? syscall_return_slowpath+0x510/0x510
[ 42.264694]  ? SyS_rt_sigaction+0x94/0x1b0
[ 42.268896]  ? SyS_sigprocmask+0x4b0/0x4b0
[ 42.273099]  ? SyS_read+0x184/0x220
[ 42.276695]  ? retint_user+0x18/0x20
[ 42.280379]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 42.285192]  entry_SYSENTER_compat+0x51/0x60
[ 42.289566] RIP: 0023:0xf7f27c79
[ 42.292897] RSP: 002b:00000000fffebdfc EFLAGS: 00000207 ORIG_RAX: 0000000000000036
[ 42.300572] RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 00000000400454ca
[ 42.307812] RDX: 0000000020927fd8 RSI: 0000000000000037 RDI: 0000000000000005
[ 42.315053] RBP: 0000000000000406 R08: 0000000000000000 R09: 0000000000000000
[ 42.322293] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 42.329530] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 42.337170] Dumping ftrace buffer:
[ 42.340681]    (ftrace buffer empty)
[ 42.344359] Kernel Offset: disabled
[ 42.347955] Rebooting in 86400 seconds..