==================================================================
BUG: KASAN: use-after-free in enqueue_timer include/linux/list.h:673 [inline]
BUG: KASAN: use-after-free in __mod_timer kernel/time/timer.c:1021 [inline]
BUG: KASAN: use-after-free in mod_timer+0x11d3/0x15b0 kernel/time/timer.c:1071
Write of size 8 at addr ffff88005689b748 by task kworker/2:2/1648

CPU: 2 PID: 1648 Comm: kworker/2:2 Not tainted 4.13.0-next-20170908+ #18
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: pm pm_runtime_work
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:52
netlink: 17 bytes leftover after parsing attributes in process `syz-executor0'.
 print_address_description+0x73/0x250 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report+0x24e/0x340 mm/kasan/report.c:409
 __asan_report_store8_noabort+0x17/0x20 mm/kasan/report.c:435
 enqueue_timer include/linux/list.h:673 [inline]
 __mod_timer kernel/time/timer.c:1021 [inline]
 mod_timer+0x11d3/0x15b0 kernel/time/timer.c:1071
 rpm_suspend+0x126b/0x1610 drivers/base/power/runtime.c:533
 __pm_runtime_suspend+0x5b/0xf0 drivers/base/power/runtime.c:1009
 pm_runtime_autosuspend include/linux/pm_runtime.h:195 [inline]
 usb_runtime_idle+0x2f/0x40 drivers/usb/core/driver.c:1889
 __rpm_callback+0x338/0xab0 drivers/base/power/runtime.c:334
 rpm_idle+0x632/0xac0 drivers/base/power/runtime.c:426
netlink: 17 bytes leftover after parsing attributes in process `syz-executor0'.
 pm_runtime_work+0x144/0x170 drivers/base/power/runtime.c:874
 process_one_work+0xbfa/0x1bd0 kernel/workqueue.c:2119
 worker_thread+0x223/0x1860 kernel/workqueue.c:2253
 kthread+0x39c/0x470 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

Allocated by task 6500:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
 __do_kmalloc_node mm/slab.c:3689 [inline]
 __kmalloc_node+0x47/0x70 mm/slab.c:3696
 kmalloc_node include/linux/slab.h:535 [inline]
 kvmalloc_node+0x64/0xd0 mm/util.c:397
 kvmalloc include/linux/mm.h:529 [inline]
 kvzalloc include/linux/mm.h:537 [inline]
 alloc_netdev_mqs+0x16e/0xed0 net/core/dev.c:8011
 tun_set_iff drivers/net/tun.c:2022 [inline]
 __tun_chr_ioctl+0x12be/0x3d20 drivers/net/tun.c:2276
 tun_chr_ioctl+0x2a/0x40 drivers/net/tun.c:2521
 vfs_ioctl fs/ioctl.c:45 [inline]
 do_vfs_ioctl+0x1b1/0x1530 fs/ioctl.c:685
 SYSC_ioctl fs/ioctl.c:700 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:691
 entry_SYSCALL_64_fastpath+0x1f/0xbe

Freed by task 6500:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xca/0x250 mm/slab.c:3820
 kvfree+0x36/0x60 mm/util.c:416
 netdev_freemem net/core/dev.c:7963 [inline]
 free_netdev+0x2cf/0x360 net/core/dev.c:8125
 tun_set_iff drivers/net/tun.c:2105 [inline]
 __tun_chr_ioctl+0x2cf6/0x3d20 drivers/net/tun.c:2276
 tun_chr_ioctl+0x2a/0x40 drivers/net/tun.c:2521
 vfs_ioctl fs/ioctl.c:45 [inline]
 do_vfs_ioctl+0x1b1/0x1530 fs/ioctl.c:685
 SYSC_ioctl fs/ioctl.c:700 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:691
 entry_SYSCALL_64_fastpath+0x1f/0xbe

The buggy address belongs to the object at ffff880056898340
 which belongs to the cache kmalloc-16384 of size 16384
The buggy address is located 13320 bytes inside of
 16384-byte region [ffff880056898340, ffff88005689c340)
The buggy address belongs to the page:
page:ffffea00015a2600 count:1 mapcount:0 mapping:ffff880056898340 index:0x0 compound_mapcount: 0
flags: 0x500000000008100(slab|head)
raw: 0500000000008100 ffff880056898340 0000000000000000 0000000100000001
raw: ffffea0001513820 ffffea00015a5820 ffff88003e802200 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88005689b600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88005689b680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88005689b700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                              ^
 ffff88005689b780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88005689b800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================