INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-next-kasan-gce-3,10.128.0.13' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
executing program
syzkaller login:
[ 52.846362] ==================================================================
[ 52.847508] BUG: KASAN: use-after-free in detach_if_pending+0x557/0x610
[ 52.848420] Write of size 8 at addr ffff8801ce1b37c0 by task syzkaller555234/2984
[ 52.849437]
[ 52.849676] CPU: 1 PID: 2984 Comm: syzkaller555234 Not tainted 4.14.0-rc4-next-20171009+ #33
[ 52.850826] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 52.852066] Call Trace:
[ 52.852466]  dump_stack+0x194/0x257
[ 52.852964]  ? arch_local_irq_restore+0x53/0x53
[ 52.853591]  ? show_regs_print_info+0x65/0x65
[ 52.854223]  ? lock_timer_base+0x1a3/0x2b0
[ 52.854796]  ? detach_if_pending+0x557/0x610
[ 52.855395]  print_address_description+0x73/0x250
[ 52.856043]  ? detach_if_pending+0x557/0x610
[ 52.856637]  kasan_report+0x25b/0x340
[ 52.857159]  __asan_report_store8_noabort+0x17/0x20
[ 52.857829]  detach_if_pending+0x557/0x610
[ 52.858404]  ? trace_raw_output_tick_stop+0x130/0x130
[ 52.859102]  ? _raw_spin_lock_irqsave+0x9e/0xc0
[ 52.859727]  ? lock_timer_base+0x1a3/0x2b0
[ 52.860299]  ? lock_timer_base+0x1eb/0x2b0
[ 52.860874]  ? __internal_add_timer+0x2d0/0x2d0
[ 52.861502]  ? trace_hardirqs_on+0xd/0x10
[ 52.862098]  try_to_del_timer_sync+0xa2/0x120
[ 52.862701]  ? del_timer+0x130/0x130
[ 52.863222]  ? del_timer_sync+0xeb/0x240
[ 52.863843]  del_timer_sync+0x18a/0x240
[ 52.864484]  tun_free_netdev+0x105/0x1b0
[ 52.865034]  ? tun_xdp+0x410/0x410
[ 52.865516]  ? cpumask_next+0x24/0x30
[ 52.866035]  ? netdev_refcnt_read+0xed/0x150
[ 52.866635]  netdev_run_todo+0x683/0xae0
[ 52.870677]  ? tun_xdp+0x410/0x410
[ 52.874189]  ? register_netdev+0x30/0x30
[ 52.878234]  ? refcount_inc+0x50/0x50
[ 52.882009]  ? refcount_inc+0x50/0x50
[ 52.885790]  ? sk_destruct+0x4c/0x80
[ 52.889477]  ? __sk_free+0x5c/0x230
[ 52.893076]  ? sk_free+0x2f/0x40
[ 52.896416]  ? __tun_detach+0x760/0x1570
[ 52.900474]  ? locks_remove_file+0x3fa/0x5a0
[ 52.904858]  ? fcntl_setlk+0x10d0/0x10d0
[ 52.908902]  ? fsnotify+0x1af0/0x1af0
[ 52.912684]  ? __tun_detach+0x1570/0x1570
[ 52.916809]  rtnl_unlock+0xe/0x10
[ 52.920233]  tun_chr_close+0x49/0x60
[ 52.923919]  __fput+0x333/0x7f0
[ 52.927177]  ? fput+0x140/0x140
[ 52.930434]  ? check_same_owner+0x320/0x320
[ 52.934737]  ____fput+0x15/0x20
[ 52.937990]  task_work_run+0x199/0x270
[ 52.941851]  ? task_work_cancel+0x210/0x210
[ 52.946146]  ? free_nsproxy+0x185/0x1f0
[ 52.950096]  ? switch_task_namespaces+0xa2/0xc0
[ 52.954747]  do_exit+0x9c8/0x1b00
[ 52.958179]  ? mm_update_next_owner+0x930/0x930
[ 52.962830]  ? find_held_lock+0x39/0x1d0
[ 52.966875]  ? lock_downgrade+0x990/0x990
[ 52.971017]  ? handle_mm_fault+0x410/0x8d0
[ 52.975233]  ? __do_page_fault+0x31e/0xd60
[ 52.979443]  ? __handle_mm_fault+0x39c0/0x39c0
[ 52.983997]  ? vmacache_find+0x5f/0x280
[ 52.987955]  ? up_read+0x1a/0x40
[ 52.991313]  ? __do_page_fault+0x3d6/0xd60
[ 52.995533]  ? mm_fault_error+0x2c0/0x2c0
[ 52.999660]  ? do_vfs_ioctl+0x492/0x1530
[ 53.003707]  ? do_page_fault+0xee/0x720
[ 53.007662]  ? __do_page_fault+0xd60/0xd60
[ 53.011876]  ? putname+0xf3/0x130
[ 53.015315]  do_group_exit+0x149/0x400
[ 53.019183]  ? lockdep_sys_exit+0x47/0xf0
[ 53.023308]  ? SyS_exit+0x30/0x30
[ 53.026739]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 53.031735]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 53.036465]  SyS_exit_group+0x1d/0x20
[ 53.040242]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 53.044968] RIP: 0033:0x445109
[ 53.048128] RSP: 002b:00000000007efe48 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7
[ 53.055812] RAX: ffffffffffffffda RBX: 91fc2ffdbf9ff8df RCX: 0000000000445109
[ 53.063053] RDX: 0000000000445109 RSI: 00000000207cdff1 RDI: 0000000000000001
[ 53.070296] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[ 53.077537] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000402760
[ 53.084778] R13: 00000000004027f0 R14: 0000000000000000 R15: 0000000000000000
[ 53.092045]
[ 53.093646] Allocated by task 2984:
[ 53.097246]  save_stack+0x43/0xd0
[ 53.100669]  kasan_kmalloc+0xad/0xe0
[ 53.104352]  __kmalloc_node+0x47/0x70
[ 53.108124]  kvmalloc_node+0x64/0xd0
[ 53.111811]  alloc_netdev_mqs+0x16d/0xed0
[ 53.115930]  __tun_chr_ioctl+0x1386/0x3e40
[ 53.120132]  tun_chr_ioctl+0x2a/0x40
[ 53.123816]  do_vfs_ioctl+0x1b1/0x1530
[ 53.127671]  SyS_ioctl+0x8f/0xc0
[ 53.131007]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 53.135733]
[ 53.137330] Freed by task 2984:
[ 53.140579]  save_stack+0x43/0xd0
[ 53.144001]  kasan_slab_free+0x71/0xc0
[ 53.147858]  kfree+0xca/0x250
[ 53.150934]  kvfree+0x36/0x60
[ 53.154008]  free_netdev+0x2cf/0x360
[ 53.157693]  __tun_chr_ioctl+0x2df6/0x3e40
[ 53.161896]  tun_chr_ioctl+0x2a/0x40
[ 53.165578]  do_vfs_ioctl+0x1b1/0x1530
[ 53.169435]  SyS_ioctl+0x8f/0xc0
[ 53.172773]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 53.177493]
[ 53.179091] The buggy address belongs to the object at ffff8801ce1b03c0
[ 53.179091]  which belongs to the cache kmalloc-16384 of size 16384
[ 53.192062] The buggy address is located 13312 bytes inside of
[ 53.192062]  16384-byte region [ffff8801ce1b03c0, ffff8801ce1b43c0)
[ 53.204248] The buggy address belongs to the page:
[ 53.209148] page:ffffea0007386c00 count:1 mapcount:0 mapping:ffff8801ce1b03c0 index:0x0 compound_mapcount: 0
[ 53.219093] flags: 0x200000000008100(slab|head)
[ 53.223735] raw: 0200000000008100 ffff8801ce1b03c0 0000000000000000 0000000100000001
[ 53.231588] raw: ffffea0007367620 ffff8801dac01c50 ffff8801dac02200 0000000000000000
[ 53.239438] page dumped because: kasan: bad access detected
[ 53.245116]
[ 53.246713] Memory state around the buggy address:
[ 53.251621]  ffff8801ce1b3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.258953]  ffff8801ce1b3700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.266281] >ffff8801ce1b3780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.273608]                                            ^
[ 53.279026]  ffff8801ce1b3800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.286357]  ffff8801ce1b3880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.293685] ==================================================================
[ 53.301009] Disabling lock debugging due to kernel taint
[ 53.306421] Kernel panic - not syncing: panic_on_warn set ...
[ 53.306421]
[ 53.313755] CPU: 1 PID: 2984 Comm: syzkaller555234 Tainted: G    B   4.14.0-rc4-next-20171009+ #33
[ 53.323594] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 53.332911] Call Trace:
[ 53.335473]  dump_stack+0x194/0x257
[ 53.339085]  ? arch_local_irq_restore+0x53/0x53
[ 53.343722]  ? vprintk_default+0x28/0x30
[ 53.347755]  ? detach_if_pending+0x470/0x610
[ 53.352133]  panic+0x1e4/0x41c
[ 53.355289]  ? refcount_error_report+0x214/0x214
[ 53.360018]  ? detach_if_pending+0x557/0x610
[ 53.364395]  kasan_end_report+0x50/0x50
[ 53.368331]  kasan_report+0x144/0x340
[ 53.372099]  __asan_report_store8_noabort+0x17/0x20
[ 53.377077]  detach_if_pending+0x557/0x610
[ 53.381279]  ? trace_raw_output_tick_stop+0x130/0x130
[ 53.386433]  ? _raw_spin_lock_irqsave+0x9e/0xc0
[ 53.391063]  ? lock_timer_base+0x1a3/0x2b0
[ 53.395262]  ? lock_timer_base+0x1eb/0x2b0
[ 53.399461]  ? __internal_add_timer+0x2d0/0x2d0
[ 53.404093]  ? trace_hardirqs_on+0xd/0x10
[ 53.408210]  try_to_del_timer_sync+0xa2/0x120
[ 53.412669]  ? del_timer+0x130/0x130
[ 53.416347]  ? del_timer_sync+0xeb/0x240
[ 53.420376]  del_timer_sync+0x18a/0x240
[ 53.424320]  tun_free_netdev+0x105/0x1b0
[ 53.428345]  ? tun_xdp+0x410/0x410
[ 53.431849]  ? cpumask_next+0x24/0x30
[ 53.435623]  ? netdev_refcnt_read+0xed/0x150
[ 53.440005]  netdev_run_todo+0x683/0xae0
[ 53.444029]  ? tun_xdp+0x410/0x410
[ 53.447535]  ? register_netdev+0x30/0x30
[ 53.451562]  ? refcount_inc+0x50/0x50
[ 53.455327]  ? refcount_inc+0x50/0x50
[ 53.459095]  ? sk_destruct+0x4c/0x80
[ 53.462771]  ? __sk_free+0x5c/0x230
[ 53.466364]  ? sk_free+0x2f/0x40
[ 53.469696]  ? __tun_detach+0x760/0x1570
[ 53.473735]  ? locks_remove_file+0x3fa/0x5a0
[ 53.478109]  ? fcntl_setlk+0x10d0/0x10d0
[ 53.482141]  ? fsnotify+0x1af0/0x1af0
[ 53.485910]  ? __tun_detach+0x1570/0x1570
[ 53.490022]  rtnl_unlock+0xe/0x10
[ 53.493438]  tun_chr_close+0x49/0x60
[ 53.497117]  __fput+0x333/0x7f0
[ 53.500362]  ? fput+0x140/0x140
[ 53.503613]  ? check_same_owner+0x320/0x320
[ 53.507901]  ____fput+0x15/0x20
[ 53.511145]  task_work_run+0x199/0x270
[ 53.514996]  ? task_work_cancel+0x210/0x210
[ 53.519284]  ? free_nsproxy+0x185/0x1f0
[ 53.523224]  ? switch_task_namespaces+0xa2/0xc0
[ 53.527859]  do_exit+0x9c8/0x1b00
[ 53.531281]  ? mm_update_next_owner+0x930/0x930
[ 53.535918]  ? find_held_lock+0x39/0x1d0
[ 53.539948]  ? lock_downgrade+0x990/0x990
[ 53.544073]  ? handle_mm_fault+0x410/0x8d0
[ 53.548275]  ? __do_page_fault+0x31e/0xd60
[ 53.552475]  ? __handle_mm_fault+0x39c0/0x39c0
[ 53.557019]  ? vmacache_find+0x5f/0x280
[ 53.560964]  ? up_read+0x1a/0x40
[ 53.564295]  ? __do_page_fault+0x3d6/0xd60
[ 53.568497]  ? mm_fault_error+0x2c0/0x2c0
[ 53.572616]  ? do_vfs_ioctl+0x492/0x1530
[ 53.576646]  ? do_page_fault+0xee/0x720
[ 53.580584]  ? __do_page_fault+0xd60/0xd60
[ 53.584784]  ? putname+0xf3/0x130
[ 53.588206]  do_group_exit+0x149/0x400
[ 53.592057]  ? lockdep_sys_exit+0x47/0xf0
[ 53.596168]  ? SyS_exit+0x30/0x30
[ 53.599587]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 53.604569]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 53.609291]  SyS_exit_group+0x1d/0x20
[ 53.613059]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 53.617779] RIP: 0033:0x445109
[ 53.620934] RSP: 002b:00000000007efe48 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7
[ 53.628604] RAX: ffffffffffffffda RBX: 91fc2ffdbf9ff8df RCX: 0000000000445109
[ 53.635838] RDX: 0000000000445109 RSI: 00000000207cdff1 RDI: 0000000000000001
[ 53.643070] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[ 53.650305] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000402760
[ 53.657540] R13: 00000000004027f0 R14: 0000000000000000 R15: 0000000000000000