INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-kasan-gce-1,10.128.15.199' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
executing program
syzkaller login: [ 56.563275] ==================================================================
[ 56.570715] BUG: KASAN: use-after-free in detach_if_pending+0x557/0x610
[ 56.577440] Write of size 8 at addr ffff8801ce013780 by task syzkaller577219/2990
[ 56.585028]
[ 56.586631] CPU: 0 PID: 2990 Comm: syzkaller577219 Not tainted 4.14.0-rc4+ #126
[ 56.594046] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 56.603372] Call Trace:
[ 56.605933]  dump_stack+0x194/0x257
[ 56.609536]  ? arch_local_irq_restore+0x53/0x53
[ 56.614180]  ? show_regs_print_info+0x65/0x65
[ 56.618652]  ? lock_timer_base+0x1a3/0x2b0
[ 56.622863]  ? detach_if_pending+0x557/0x610
[ 56.627245]  print_address_description+0x73/0x250
[ 56.632060]  ? detach_if_pending+0x557/0x610
[ 56.636441]  kasan_report+0x25b/0x340
[ 56.640219]  __asan_report_store8_noabort+0x17/0x20
[ 56.645205]  detach_if_pending+0x557/0x610
[ 56.649413]  ? trace_raw_output_tick_stop+0x130/0x130
[ 56.654575]  ? _raw_spin_lock_irqsave+0x9e/0xc0
[ 56.659211]  ? lock_timer_base+0x1a3/0x2b0
[ 56.663420]  ? lock_timer_base+0x1eb/0x2b0
[ 56.667628]  ? __internal_add_timer+0x2d0/0x2d0
[ 56.672270]  ? trace_hardirqs_on+0xd/0x10
[ 56.676395]  try_to_del_timer_sync+0xa2/0x120
[ 56.680862]  ? del_timer+0x130/0x130
[ 56.684549]  ? del_timer_sync+0xeb/0x240
[ 56.688587]  del_timer_sync+0x18a/0x240
[ 56.692537]  tun_free_netdev+0x105/0x1b0
[ 56.696569]  ? tun_xdp+0x410/0x410
[ 56.700079]  ? cpumask_next+0x24/0x30
[ 56.703854]  ? netdev_refcnt_read+0xed/0x150
[ 56.708236]  ? tun_xdp+0x410/0x410
[ 56.711749]  netdev_run_todo+0x870/0xca0
[ 56.715789]  ? do_group_exit+0x149/0x400
[ 56.719833]  ? register_netdev+0x30/0x30
[ 56.723866]  ? lock_downgrade+0x990/0x990
[ 56.727987]  ? trace_hardirqs_on+0xd/0x10
[ 56.732125]  ? refcount_sub_and_test+0x115/0x1b0
[ 56.736852]  ? refcount_inc+0x50/0x50
[ 56.740624]  ? refcount_inc+0x50/0x50
[ 56.744401]  ? sk_destruct+0x4c/0x80
[ 56.748085]  ? __sk_free+0x5c/0x230
[ 56.751684]  ? sk_free+0x2f/0x40
[ 56.755021]  ? __tun_detach+0x176/0x1390
[ 56.759064]  ? tun_attach+0xf90/0xf90
[ 56.762840]  ? do_raw_spin_trylock+0x190/0x190
[ 56.767396]  ? locks_remove_file+0x3fa/0x5a0
[ 56.771778]  ? fcntl_setlk+0x10d0/0x10d0
[ 56.775811]  ? __fsnotify_parent+0xb4/0x3a0
[ 56.780108]  ? fsnotify+0x1af0/0x1af0
[ 56.783891]  ? __tun_detach+0x1390/0x1390
[ 56.788013]  rtnl_unlock+0xe/0x10
[ 56.791450]  tun_chr_close+0x49/0x60
[ 56.795137]  __fput+0x333/0x7f0
[ 56.798401]  ? fput+0x140/0x140
[ 56.801656]  ? check_same_owner+0x320/0x320
[ 56.805947]  ? _raw_spin_unlock_irq+0x27/0x70
[ 56.810418]  ____fput+0x15/0x20
[ 56.813670]  task_work_run+0x199/0x270
[ 56.817553]  ? task_work_cancel+0x210/0x210
[ 56.821854]  ? _raw_spin_unlock+0x22/0x30
[ 56.825973]  ? switch_task_namespaces+0x87/0xc0
[ 56.830618]  do_exit+0x9d2/0x1af0
[ 56.834048]  ? mm_update_next_owner+0x930/0x930
[ 56.838689]  ? find_held_lock+0x39/0x1d0
[ 56.842732]  ? lock_downgrade+0x990/0x990
[ 56.846875]  ? handle_mm_fault+0x410/0x8d0
[ 56.851081]  ? __do_page_fault+0x31e/0xd60
[ 56.855285]  ? __handle_mm_fault+0x39c0/0x39c0
[ 56.859837]  ? vmacache_find+0x5f/0x280
[ 56.863790]  ? up_read+0x1a/0x40
[ 56.867142]  ? __do_page_fault+0x3d6/0xd60
[ 56.871359]  ? mm_fault_error+0x2c0/0x2c0
[ 56.875481]  ? do_vfs_ioctl+0x492/0x1530
[ 56.879520]  ? do_page_fault+0xee/0x720
[ 56.883467]  ? __do_page_fault+0xd60/0xd60
[ 56.887673]  ? putname+0xf3/0x130
[ 56.891120]  do_group_exit+0x149/0x400
[ 56.894979]  ? lockdep_sys_exit+0x47/0xf0
[ 56.899098]  ? SyS_exit+0x30/0x30
[ 56.902522]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 56.907512]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 56.912243]  SyS_exit_group+0x1d/0x20
[ 56.916032]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 56.920761] RIP: 0033:0x4435f8
[ 56.923921] RSP: 002b:00007ffe1c82c928 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 56.931602] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004435f8
[ 56.938842] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 56.946083] RBP: 0000000000000086 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 56.953323] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 56.960563] R13: 00000000006d6180 R14: 0000000000000000 R15: 0000000000000000
[ 56.967819]
[ 56.969419] Allocated by task 2990:
[ 56.973018]  save_stack_trace+0x16/0x20
[ 56.976961]  save_stack+0x43/0xd0
[ 56.980382]  kasan_kmalloc+0xad/0xe0
[ 56.984066]  __kmalloc_node+0x47/0x70
[ 56.987838]  kvmalloc_node+0x64/0xd0
[ 56.991520]  alloc_netdev_mqs+0x16e/0xed0
[ 56.995638]  __tun_chr_ioctl+0x12be/0x3d20
[ 56.999839]  tun_chr_ioctl+0x2a/0x40
[ 57.003521]  do_vfs_ioctl+0x1b1/0x1530
[ 57.007376]  SyS_ioctl+0x8f/0xc0
[ 57.010713]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 57.015436]
[ 57.017034] Freed by task 2990:
[ 57.020282]  save_stack_trace+0x16/0x20
[ 57.024226]  save_stack+0x43/0xd0
[ 57.027648]  kasan_slab_free+0x71/0xc0
[ 57.031503]  kfree+0xca/0x250
[ 57.034578]  kvfree+0x36/0x60
[ 57.037654]  free_netdev+0x2cf/0x360
[ 57.041336]  __tun_chr_ioctl+0x2cf6/0x3d20
[ 57.045539]  tun_chr_ioctl+0x2a/0x40
[ 57.049222]  do_vfs_ioctl+0x1b1/0x1530
[ 57.053077]  SyS_ioctl+0x8f/0xc0
[ 57.056429]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 57.061156]
[ 57.062758] The buggy address belongs to the object at ffff8801ce010380
[ 57.062758]  which belongs to the cache kmalloc-16384 of size 16384
[ 57.075732] The buggy address is located 13312 bytes inside of
[ 57.075732]  16384-byte region [ffff8801ce010380, ffff8801ce014380)
[ 57.087922] The buggy address belongs to the page:
[ 57.092825] page:ffffea0007380400 count:1 mapcount:0 mapping:ffff8801ce010380 index:0x0 compound_mapcount: 0
[ 57.102785] flags: 0x200000000008100(slab|head)
[ 57.107428] raw: 0200000000008100 ffff8801ce010380 0000000000000000 0000000100000001
[ 57.115278] raw: ffffea0007359820 ffff8801dac01c50 ffff8801dac02200 0000000000000000
[ 57.123125] page dumped because: kasan: bad access detected
[ 57.128803]
[ 57.130400] Memory state around the buggy address:
[ 57.135298]  ffff8801ce013680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 57.142624]  ffff8801ce013700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 57.149952] >ffff8801ce013780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 57.157280]                    ^
[ 57.160613]  ffff8801ce013800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 57.167941]  ffff8801ce013880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 57.175265] ==================================================================
[ 57.182589] Disabling lock debugging due to kernel taint
[ 57.188001] Kernel panic - not syncing: panic_on_warn set ...
[ 57.188001]
[ 57.195326] CPU: 0 PID: 2990 Comm: syzkaller577219 Tainted: G B 4.14.0-rc4+ #126
[ 57.203954] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 57.213272] Call Trace:
[ 57.215829]  dump_stack+0x194/0x257
[ 57.219432]  ? arch_local_irq_restore+0x53/0x53
[ 57.224066]  ? vprintk_default+0x28/0x30
[ 57.228094]  ? detach_if_pending+0x540/0x610
[ 57.232469]  panic+0x1e4/0x417
[ 57.235625]  ? __warn+0x1d9/0x1d9
[ 57.239050]  ? detach_if_pending+0x557/0x610
[ 57.243422]  kasan_end_report+0x50/0x50
[ 57.247360]  kasan_report+0x144/0x340
[ 57.251127]  __asan_report_store8_noabort+0x17/0x20
[ 57.256105]  detach_if_pending+0x557/0x610
[ 57.260307]  ? trace_raw_output_tick_stop+0x130/0x130
[ 57.265463]  ? _raw_spin_lock_irqsave+0x9e/0xc0
[ 57.270098]  ? lock_timer_base+0x1a3/0x2b0
[ 57.274299]  ? lock_timer_base+0x1eb/0x2b0
[ 57.278501]  ? __internal_add_timer+0x2d0/0x2d0
[ 57.283147]  ? trace_hardirqs_on+0xd/0x10
[ 57.287264]  try_to_del_timer_sync+0xa2/0x120
[ 57.291725]  ? del_timer+0x130/0x130
[ 57.295405]  ? del_timer_sync+0xeb/0x240
[ 57.299433]  del_timer_sync+0x18a/0x240
[ 57.303379]  tun_free_netdev+0x105/0x1b0
[ 57.307404]  ? tun_xdp+0x410/0x410
[ 57.310910]  ? cpumask_next+0x24/0x30
[ 57.314676]  ? netdev_refcnt_read+0xed/0x150
[ 57.319049]  ? tun_xdp+0x410/0x410
[ 57.322556]  netdev_run_todo+0x870/0xca0
[ 57.326580]  ? do_group_exit+0x149/0x400
[ 57.330608]  ? register_netdev+0x30/0x30
[ 57.334636]  ? lock_downgrade+0x990/0x990
[ 57.338749]  ? trace_hardirqs_on+0xd/0x10
[ 57.342869]  ? refcount_sub_and_test+0x115/0x1b0
[ 57.347590]  ? refcount_inc+0x50/0x50
[ 57.351355]  ? refcount_inc+0x50/0x50
[ 57.355123]  ? sk_destruct+0x4c/0x80
[ 57.358801]  ? __sk_free+0x5c/0x230
[ 57.362392]  ? sk_free+0x2f/0x40
[ 57.365722]  ? __tun_detach+0x176/0x1390
[ 57.369754]  ? tun_attach+0xf90/0xf90
[ 57.373520]  ? do_raw_spin_trylock+0x190/0x190
[ 57.378069]  ? locks_remove_file+0x3fa/0x5a0
[ 57.382444]  ? fcntl_setlk+0x10d0/0x10d0
[ 57.386470]  ? __fsnotify_parent+0xb4/0x3a0
[ 57.390757]  ? fsnotify+0x1af0/0x1af0
[ 57.394529]  ? __tun_detach+0x1390/0x1390
[ 57.398642]  rtnl_unlock+0xe/0x10
[ 57.402062]  tun_chr_close+0x49/0x60
[ 57.405742]  __fput+0x333/0x7f0
[ 57.408989]  ? fput+0x140/0x140
[ 57.412237]  ? check_same_owner+0x320/0x320
[ 57.416526]  ? _raw_spin_unlock_irq+0x27/0x70
[ 57.420990]  ____fput+0x15/0x20
[ 57.424234]  task_work_run+0x199/0x270
[ 57.428087]  ? task_work_cancel+0x210/0x210
[ 57.432372]  ? _raw_spin_unlock+0x22/0x30
[ 57.436485]  ? switch_task_namespaces+0x87/0xc0
[ 57.441120]  do_exit+0x9d2/0x1af0
[ 57.444541]  ? mm_update_next_owner+0x930/0x930
[ 57.449173]  ? find_held_lock+0x39/0x1d0
[ 57.453204]  ? lock_downgrade+0x990/0x990
[ 57.457326]  ? handle_mm_fault+0x410/0x8d0
[ 57.461525]  ? __do_page_fault+0x31e/0xd60
[ 57.465724]  ? __handle_mm_fault+0x39c0/0x39c0
[ 57.470269]  ? vmacache_find+0x5f/0x280
[ 57.474213]  ? up_read+0x1a/0x40
[ 57.477543]  ? __do_page_fault+0x3d6/0xd60
[ 57.481747]  ? mm_fault_error+0x2c0/0x2c0
[ 57.485860]  ? do_vfs_ioctl+0x492/0x1530
[ 57.489889]  ? do_page_fault+0xee/0x720
[ 57.493828]  ? __do_page_fault+0xd60/0xd60
[ 57.498027]  ? putname+0xf3/0x130
[ 57.501448]  do_group_exit+0x149/0x400
[ 57.505299]  ? lockdep_sys_exit+0x47/0xf0
[ 57.509410]  ? SyS_exit+0x30/0x30
[ 57.512828]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 57.517809]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 57.522530]  SyS_exit_group+0x1d/0x20
[ 57.526295]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 57.531015] RIP: 0033:0x4435f8
[ 57.534171] RSP: 002b:00007ffe1c82c928 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 57.541843] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004435f8
[ 57.549085] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 57.556319] RBP: 0000000000000086 R08: 00000000000000e7 R09: ffffffffffffffd0