INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-next-kasan-gce-6,10.128.0.28' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   29.823296] ==================================================================
[   29.830722] BUG: KASAN: use-after-free in free_netdev+0x31a/0x360
[   29.836925] Read of size 8 at addr ffff8801ce17afa0 by task syzkaller338011/2982
[   29.844425]
[   29.846027] CPU: 1 PID: 2982 Comm: syzkaller338011 Not tainted 4.14.0-rc2-next-20170928+ #31
[   29.854570] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.863894] Call Trace:
[   29.866457]  dump_stack+0x194/0x257
[   29.870063]  ? arch_local_irq_restore+0x53/0x53
[   29.874709]  ? show_regs_print_info+0x65/0x65
[   29.879180]  ? __hw_addr_flush+0x1a6/0x2b0
[   29.883387]  ? rcu_pm_notify+0xc0/0xc0
[   29.887248]  ? free_netdev+0x31a/0x360
[   29.891110]  print_address_description+0x73/0x250
[   29.895924]  ? free_netdev+0x31a/0x360
[   29.899783]  kasan_report+0x25b/0x340
[   29.903558]  __asan_report_load8_noabort+0x14/0x20
[   29.908467]  free_netdev+0x31a/0x360
[   29.912156]  ? tun_xdp+0x410/0x410
[   29.915681]  netdev_run_todo+0x935/0xca0
[   29.919720]  ? do_group_exit+0x149/0x400
[   29.923763]  ? register_netdev+0x30/0x30
[   29.927804]  ? lock_downgrade+0x990/0x990
[   29.931928]  ? trace_hardirqs_on+0xd/0x10
[   29.936067]  ? refcount_sub_and_test+0x115/0x1b0
[   29.940799]  ? refcount_inc+0x50/0x50
[   29.944573]  ? refcount_inc+0x50/0x50
[   29.948364]  ? sk_destruct+0x4c/0x80
[   29.952051]  ? __sk_free+0x5c/0x230
[   29.955681]  ? sk_free+0x2f/0x40
[   29.959020]  ? __tun_detach+0x760/0x1570
[   29.963067]  ? tun_attach+0x1070/0x1070
[   29.967031]  ? do_raw_spin_trylock+0x190/0x190
[   29.971588]  ? locks_remove_file+0x3fa/0x5a0
[   29.975973]  ? fcntl_setlk+0x10d0/0x10d0
[   29.980010]  ? __fsnotify_parent+0xb4/0x3a0
[   29.984304]  ? fsnotify+0x1af0/0x1af0
[   29.988080]  ? rcu_note_context_switch+0x710/0x710
[   29.992983]  ? __tun_detach+0x1570/0x1570
[   29.997103]  rtnl_unlock+0xe/0x10
[   30.000525]  tun_chr_close+0x49/0x60
[   30.004210]  __fput+0x333/0x7f0
[   30.007467]  ? fput+0x140/0x140
[   30.010720]  ? trace_event_raw_event_sched_switch+0x770/0x770
[   30.016574]  ? _raw_spin_unlock_irq+0x27/0x70
[   30.021049]  ____fput+0x15/0x20
[   30.024302]  task_work_run+0x199/0x270
[   30.028162]  ? task_work_cancel+0x210/0x210
[   30.032453]  ? _raw_spin_unlock+0x22/0x30
[   30.036572]  ? switch_task_namespaces+0x87/0xc0
[   30.041215]  do_exit+0x9c8/0x1b00
[   30.044646]  ? mm_update_next_owner+0x930/0x930
[   30.049282]  ? rtnl_unlock+0xe/0x10
[   30.052881]  ? __tun_chr_ioctl+0x27a/0x3e40
[   30.057174]  ? unwind_get_return_address+0x34/0xa0
[   30.062082]  ? tun_chr_read_iter+0x1e0/0x1e0
[   30.066465]  ? putname+0xee/0x130
[   30.069890]  ? save_stack+0xa3/0xd0
[   30.073491]  ? save_stack_trace+0x16/0x20
[   30.077609]  ? save_stack+0x43/0xd0
[   30.081205]  ? kasan_slab_free+0x71/0xc0
[   30.085237]  ? kmem_cache_free+0x77/0x280
[   30.089356]  ? putname+0xee/0x130
[   30.092786]  ? __lock_is_held+0xbc/0x140
[   30.096836]  ? trace_event_raw_event_sched_switch+0x770/0x770
[   30.102700]  ? tun_chr_compat_ioctl+0x30/0x30
[   30.107182]  ? tun_chr_ioctl+0x2a/0x40
[   30.111048]  ? tun_chr_ioctl+0x2a/0x40
[   30.114912]  ? do_vfs_ioctl+0x492/0x1530
[   30.118948]  ? _cond_resched+0x14/0x30
[   30.122813]  ? ioctl_preallocate+0x2b0/0x2b0
[   30.127195]  ? selinux_capable+0x40/0x40
[   30.131232]  ? putname+0xf3/0x130
[   30.134663]  do_group_exit+0x149/0x400
[   30.138522]  ? SyS_exit+0x30/0x30
[   30.141947]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   30.146935]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   30.151675]  SyS_exit_group+0x1d/0x20
[   30.155448]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   30.160172] RIP: 0033:0x442aa8
[   30.163332] RSP: 002b:00007ffc963e4328 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   30.171014] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000442aa8
[   30.178256] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   30.185496] RBP: 0000000000000086 R08: 00000000000000e7 R09: ffffffffffffffd0
[   30.192738] R10: 0000000000000000 R11: 0000000000000246 R12: 74656e2f7665642f
[   30.199989] R13: 0000000000401b80 R14: 0000000000000000 R15: 0000000000000000
[   30.207257]
[   30.208855] Allocated by task 2982:
[   30.212459]  save_stack_trace+0x16/0x20
[   30.216402]  save_stack+0x43/0xd0
[   30.219826]  kasan_kmalloc+0xad/0xe0
[   30.223507]  __kmalloc+0x162/0x760
[   30.227017]  sk_prot_alloc+0x101/0x2a0
[   30.230876]  sk_alloc+0x89/0x700
[   30.234211]  tun_chr_open+0xec/0x490
[   30.237898]  misc_open+0x382/0x500
[   30.241410]  chrdev_open+0x257/0x730
[   30.245092]  do_dentry_open+0x67f/0xd70
[   30.249035]  vfs_open+0x107/0x230
[   30.252458]  path_openat+0x1157/0x3520
[   30.256311]  do_filp_open+0x25b/0x3b0
[   30.260079]  do_sys_open+0x502/0x6d0
[   30.263762]  SyS_open+0x2d/0x40
[   30.267011]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   30.271745]
[   30.273341] Freed by task 2982:
[   30.276592]  save_stack_trace+0x16/0x20
[   30.280534]  save_stack+0x43/0xd0
[   30.283955]  kasan_slab_free+0x71/0xc0
[   30.287813]  kfree+0xca/0x250
[   30.290888]  __sk_destruct+0x74a/0x910
[   30.294746]  sk_destruct+0x47/0x80
[   30.298261]  __sk_free+0x57/0x230
[   30.301685]  sk_free+0x2a/0x40
[   30.304850]  __tun_detach+0x75b/0x1570
[   30.308705]  tun_chr_close+0x44/0x60
[   30.312392]  __fput+0x333/0x7f0
[   30.315640]  ____fput+0x15/0x20
[   30.318893]  task_work_run+0x199/0x270
[   30.322752]  do_exit+0x9c8/0x1b00
[   30.326174]  do_group_exit+0x149/0x400
[   30.330031]  SyS_exit_group+0x1d/0x20
[   30.333808]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   30.338529]
[   30.340127] The buggy address belongs to the object at ffff8801ce17a980
[   30.340127]  which belongs to the cache kmalloc-4096 of size 4096
[   30.352924] The buggy address is located 1568 bytes inside of
[   30.352924]  4096-byte region [ffff8801ce17a980, ffff8801ce17b980)
[   30.364962] The buggy address belongs to the page:
[   30.369864] page:ffffea0007385e80 count:1 mapcount:0 mapping:ffff8801ce17a980 index:0x0 compound_mapcount: 0
[   30.379806] flags: 0x200000000008100(slab|head)
[   30.384446] raw: 0200000000008100 ffff8801ce17a980 0000000000000000 0000000100000001
[   30.392299] raw: ffffea00073864a0 ffffea0007385fa0 ffff8801dac00dc0 0000000000000000
[   30.400145] page dumped because: kasan: bad access detected
[   30.405820]
[   30.407417] Memory state around the buggy address:
[   30.412314]  ffff8801ce17ae80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.419652]  ffff8801ce17af00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.426980] >ffff8801ce17af80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.434305]                                ^
[   30.438682]  ffff8801ce17b000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.446009]  ffff8801ce17b080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.453334] ==================================================================
[   30.460660] Disabling lock debugging due to kernel taint
[   30.466125] Kernel panic - not syncing: panic_on_warn set ...
[   30.466125]
[   30.473455] CPU: 1 PID: 2982 Comm: syzkaller338011 Tainted: G    B   4.14.0-rc2-next-20170928+ #31
[   30.483208] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.492526] Call Trace:
[   30.495081]  dump_stack+0x194/0x257
[   30.498675]  ? arch_local_irq_restore+0x53/0x53
[   30.503310]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   30.508305]  ? free_netdev+0x230/0x360
[   30.512160]  panic+0x1e4/0x417
[   30.515318]  ? __warn+0x1d9/0x1d9
[   30.518743]  ? free_netdev+0x31a/0x360
[   30.522595]  kasan_end_report+0x50/0x50
[   30.526532]  kasan_report+0x144/0x340
[   30.530303]  __asan_report_load8_noabort+0x14/0x20
[   30.535198]  free_netdev+0x31a/0x360
[   30.538877]  ? tun_xdp+0x410/0x410
[   30.542383]  netdev_run_todo+0x935/0xca0
[   30.546412]  ? do_group_exit+0x149/0x400
[   30.550799]  ? register_netdev+0x30/0x30
[   30.554827]  ? lock_downgrade+0x990/0x990
[   30.558938]  ? trace_hardirqs_on+0xd/0x10
[   30.563060]  ? refcount_sub_and_test+0x115/0x1b0
[   30.567782]  ? refcount_inc+0x50/0x50
[   30.571547]  ? refcount_inc+0x50/0x50
[   30.575314]  ? sk_destruct+0x4c/0x80
[   30.578990]  ? __sk_free+0x5c/0x230
[   30.582582]  ? sk_free+0x2f/0x40
[   30.585916]  ? __tun_detach+0x760/0x1570
[   30.589946]  ? tun_attach+0x1070/0x1070
[   30.593888]  ? do_raw_spin_trylock+0x190/0x190
[   30.598437]  ? locks_remove_file+0x3fa/0x5a0
[   30.602809]  ? fcntl_setlk+0x10d0/0x10d0
[   30.606838]  ? __fsnotify_parent+0xb4/0x3a0
[   30.611125]  ? fsnotify+0x1af0/0x1af0
[   30.614893]  ? rcu_note_context_switch+0x710/0x710
[   30.619789]  ? __tun_detach+0x1570/0x1570
[   30.623904]  rtnl_unlock+0xe/0x10
[   30.627321]  tun_chr_close+0x49/0x60
[   30.631002]  __fput+0x333/0x7f0
[   30.634438]  ? fput+0x140/0x140
[   30.637711]  ? trace_event_raw_event_sched_switch+0x770/0x770
[   30.643567]  ? _raw_spin_unlock_irq+0x27/0x70
[   30.648030]  ____fput+0x15/0x20
[   30.651276]  task_work_run+0x199/0x270
[   30.655129]  ? task_work_cancel+0x210/0x210
[   30.659426]  ? _raw_spin_unlock+0x22/0x30
[   30.663539]  ? switch_task_namespaces+0x87/0xc0
[   30.668175]  do_exit+0x9c8/0x1b00
[   30.671598]  ? mm_update_next_owner+0x930/0x930
[   30.676233]  ? rtnl_unlock+0xe/0x10
[   30.679827]  ? __tun_chr_ioctl+0x27a/0x3e40
[   30.684114]  ? unwind_get_return_address+0x34/0xa0
[   30.689012]  ? tun_chr_read_iter+0x1e0/0x1e0
[   30.693387]  ? putname+0xee/0x130
[   30.696805]  ? save_stack+0xa3/0xd0
[   30.700396]  ? save_stack_trace+0x16/0x20
[   30.704505]  ? save_stack+0x43/0xd0
[   30.708095]  ? kasan_slab_free+0x71/0xc0
[   30.712119]  ? kmem_cache_free+0x77/0x280
[   30.716229]  ? putname+0xee/0x130
[   30.719652]  ? __lock_is_held+0xbc/0x140
[   30.723688]  ? trace_event_raw_event_sched_switch+0x770/0x770
[   30.729539]  ? tun_chr_compat_ioctl+0x30/0x30
[   30.734000]  ? tun_chr_ioctl+0x2a/0x40
[   30.737850]  ? tun_chr_ioctl+0x2a/0x40
[   30.741704]  ? do_vfs_ioctl+0x492/0x1530
[   30.745730]  ? _cond_resched+0x14/0x30
[   30.749582]  ? ioctl_preallocate+0x2b0/0x2b0
[   30.753956]  ? selinux_capable+0x40/0x40
[   30.757981]  ? putname+0xf3/0x130
[   30.761402]  do_group_exit+0x149/0x400
[   30.765253]  ? SyS_exit+0x30/0x30
[   30.768674]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   30.773668]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   30.778390]  SyS_exit_group+0x1d/0x20
[   30.782159]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   30.786883] RIP: 0033:0x442aa8
[   30.790040] RSP: 002b:00007ffc963e4328 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   30.797713] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000442aa8
[   30.804948] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   30.812183] RBP: 0000000000000086 R08: 00000000000000e7 R09: ffffffffffffffd0
[   30.819416] R10: 0000000000000000 R11: 0000000000000246 R12: 74656e2f7665642f