Warning: Permanently added '10.128.0.77' (ECDSA) to the list of known hosts.
[ 38.297600] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.388267] audit: type=1400 audit(1548023181.252:7): avc: denied { map } for pid=1783 comm="syz-executor324" path="/root/syz-executor324284688" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[ 38.621692] ==================================================================
[ 38.629134] BUG: KASAN: use-after-free in ip_local_deliver+0x43d/0x450
[ 38.635776] Read of size 8 at addr ffff8881d3b713d0 by task syz-executor324/1786
[ 38.643536]
[ 38.645148] CPU: 0 PID: 1786 Comm: syz-executor324 Not tainted 4.14.94+ #12
[ 38.652218] Call Trace:
[ 38.654797]  dump_stack+0xb9/0x10e
[ 38.658341]  ? ip_local_deliver+0x43d/0x450
[ 38.662644]  print_address_description+0x60/0x226
[ 38.667467]  ? ip_local_deliver+0x43d/0x450
[ 38.671768]  kasan_report.cold+0x88/0x2a5
[ 38.676015]  ? ip_local_deliver+0x43d/0x450
[ 38.680316]  ? ip_call_ra_chain+0x540/0x540
[ 38.684705]  ? __lock_acquire+0x56a/0x3fa0
[ 38.688922]  ? ip_rcv+0x99f/0xf7a
[ 38.692364]  ? ip_rcv_finish+0x5c9/0x1490
[ 38.696509]  ? ip_rcv+0x9e2/0xf7a
[ 38.699942]  ? ip_local_deliver+0x450/0x450
[ 38.704244]  ? __lock_acquire+0x56a/0x3fa0
[ 38.708459]  ? check_preemption_disabled+0x35/0x1f0
[ 38.713454]  ? ip_local_deliver+0x450/0x450
[ 38.717774]  ? __netif_receive_skb_core+0x1364/0x2c60
[ 38.722944]  ? trace_hardirqs_on+0x10/0x10
[ 38.727176]  ? flush_backlog+0x580/0x580
[ 38.731234]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 38.736405]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 38.741575]  ? lock_acquire+0x10f/0x380
[ 38.745531]  ? __netif_receive_skb+0x55/0x1f0
[ 38.750003]  ? __netif_receive_skb+0x55/0x1f0
[ 38.754486]  ? netif_receive_skb_internal+0xec/0x5c0
[ 38.759566]  ? dev_cpu_dead+0x810/0x810
[ 38.763524]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 38.768951]  ? rcu_read_lock_sched_held+0x10a/0x130
[ 38.773947]  ? tun_rx_batched.isra.0+0x45d/0x730
[ 38.778685]  ? __skb_get_hash_symmetric+0x255/0x620
[ 38.783683]  ? tun_chr_read_iter+0x1c0/0x1c0
[ 38.788077]  ? tun_get_user+0xc07/0x3790
[ 38.792116]  ? __local_bh_enable_ip+0x65/0xc0
[ 38.796592]  ? tun_get_user+0xd95/0x3790
[ 38.800646]  ? tun_rx_batched.isra.0+0x730/0x730
[ 38.805383]  ? debug_mutex_add_waiter+0x60/0x150
[ 38.810113]  ? mark_held_locks+0xa6/0xf0
[ 38.814150]  ? get_page_from_freelist+0x85e/0x1d60
[ 38.819062]  ? preempt_count_add+0xb8/0x180
[ 38.823366]  ? __tun_get+0x11c/0x220
[ 38.827077]  ? check_preemption_disabled+0x35/0x1f0
[ 38.832077]  ? tun_chr_write_iter+0xcf/0x180
[ 38.836460]  ? do_iter_readv_writev+0x379/0x580
[ 38.841104]  ? clone_verify_area+0x1e0/0x1e0
[ 38.845490]  ? avc_policy_seqno+0x5/0x10
[ 38.849530]  ? security_file_permission+0x88/0x1e0
[ 38.854442]  ? do_iter_write+0x152/0x550
[ 38.858485]  ? lock_downgrade+0x5d0/0x5d0
[ 38.862641]  ? vfs_writev+0x146/0x2d0
[ 38.866434]  ? vfs_iter_write+0xa0/0xa0
[ 38.870383]  ? __handle_mm_fault+0x6c5/0x2640
[ 38.874859]  ? __fsnotify_inode_delete+0x20/0x20
[ 38.879610]  ? __do_page_fault+0x48e/0xb80
[ 38.883825]  ? lock_downgrade+0x5d0/0x5d0
[ 38.887954]  ? check_preemption_disabled+0x35/0x1f0
[ 38.892953]  ? do_writev+0xc9/0x240
[ 38.896555]  ? vfs_writev+0x2d0/0x2d0
[ 38.900335]  ? do_syscall_64+0x43/0x4b0
[ 38.904283]  ? SyS_readv+0x30/0x30
[ 38.907799]  ? do_syscall_64+0x19b/0x4b0
[ 38.911850]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 38.917201]
[ 38.918806] Allocated by task 1786:
[ 38.922428]  kasan_kmalloc.part.0+0x4f/0xd0
[ 38.926743]  kmem_cache_alloc+0xd2/0x2d0
[ 38.930780]  __build_skb+0x2e/0x2d0
[ 38.934383]  build_skb+0x1a/0x1f0
[ 38.937812]  tun_get_user+0x248b/0x3790
[ 38.941764]  tun_chr_write_iter+0xcf/0x180
[ 38.945974]  do_iter_readv_writev+0x379/0x580
[ 38.950443]  do_iter_write+0x152/0x550
[ 38.954302]  vfs_writev+0x146/0x2d0
[ 38.957901]  do_writev+0xc9/0x240
[ 38.961329]  do_syscall_64+0x19b/0x4b0
[ 38.965186]
[ 38.966805] Freed by task 1786:
[ 38.970068]  kasan_slab_free+0xb0/0x190
[ 38.974019]  kmem_cache_free+0xc4/0x330
[ 38.977972]  kfree_skbmem+0xa0/0x100
[ 38.981660]  kfree_skb+0xcd/0x350
[ 38.985089]  ip_defrag+0x5f4/0x3b50
[ 38.988697]  ip_local_deliver+0x165/0x450
[ 38.992823]  ip_rcv_finish+0x5c9/0x1490
[ 38.996774]  ip_rcv+0x9e2/0xf7a
[ 39.000046]  __netif_receive_skb_core+0x1364/0x2c60
[ 39.005055]  __netif_receive_skb+0x55/0x1f0
[ 39.009351]  netif_receive_skb_internal+0xec/0x5c0
[ 39.014257]  tun_rx_batched.isra.0+0x45d/0x730
[ 39.018811]  tun_get_user+0xd95/0x3790
[ 39.022675]  tun_chr_write_iter+0xcf/0x180
[ 39.026894]  do_iter_readv_writev+0x379/0x580
[ 39.031369]  do_iter_write+0x152/0x550
[ 39.035281]  vfs_writev+0x146/0x2d0
[ 39.038891]  do_writev+0xc9/0x240
[ 39.042321]  do_syscall_64+0x19b/0x4b0
[ 39.046179]
[ 39.047826] The buggy address belongs to the object at ffff8881d3b713c0
[ 39.047826]  which belongs to the cache skbuff_head_cache of size 224
[ 39.060976] The buggy address is located 16 bytes inside of
[ 39.060976]  224-byte region [ffff8881d3b713c0, ffff8881d3b714a0)
[ 39.072746] The buggy address belongs to the page:
[ 39.077652] page:ffffea00074edc40 count:1 mapcount:0 mapping: (null) index:0x0
[ 39.085846] flags: 0x4000000000000100(slab)
[ 39.090154] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[ 39.098013] raw: dead000000000100 dead000000000200 ffff8881dab58200 0000000000000000
[ 39.105869] page dumped because: kasan: bad access detected
[ 39.111553]
[ 39.113155] Memory state around the buggy address:
[ 39.118140]  ffff8881d3b71280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.125500]  ffff8881d3b71300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 39.132835] >ffff8881d3b71380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 39.140167]                                                  ^
[ 39.146111]  ffff8881d3b71400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.153446]  ffff8881d3b71480: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 39.160783] ==================================================================
[ 39.168133] Disabling lock debugging due to kernel taint
[ 39.173591] Kernel panic - not syncing: panic_on_warn set ...
[ 39.173591]
[ 39.180951] CPU: 0 PID: 1786 Comm: syz-executor324 Tainted: G B 4.14.94+ #12
[ 39.189248] Call Trace:
[ 39.191816]  dump_stack+0xb9/0x10e
[ 39.195334]  panic+0x1d9/0x3c2
[ 39.198501]  ? add_taint.cold+0x16/0x16
[ 39.202451]  ? retint_kernel+0x2d/0x2d
[ 39.206343]  ? ip_local_deliver+0x43d/0x450
[ 39.210642]  kasan_end_report+0x43/0x49
[ 39.214590]  kasan_report.cold+0xa4/0x2a5
[ 39.218722]  ? ip_local_deliver+0x43d/0x450
[ 39.223020]  ? ip_call_ra_chain+0x540/0x540
[ 39.227333]  ? __lock_acquire+0x56a/0x3fa0
[ 39.231544]  ? ip_rcv+0x99f/0xf7a
[ 39.234979]  ? ip_rcv_finish+0x5c9/0x1490
[ 39.239109]  ? ip_rcv+0x9e2/0xf7a
[ 39.242540]  ? ip_local_deliver+0x450/0x450
[ 39.246838]  ? __lock_acquire+0x56a/0x3fa0
[ 39.251049]  ? check_preemption_disabled+0x35/0x1f0
[ 39.256052]  ? ip_local_deliver+0x450/0x450
[ 39.260362]  ? __netif_receive_skb_core+0x1364/0x2c60
[ 39.265529]  ? trace_hardirqs_on+0x10/0x10
[ 39.269741]  ? flush_backlog+0x580/0x580
[ 39.273792]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 39.278963]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 39.284130]  ? lock_acquire+0x10f/0x380
[ 39.288107]  ? __netif_receive_skb+0x55/0x1f0
[ 39.292584]  ? __netif_receive_skb+0x55/0x1f0
[ 39.297061]  ? netif_receive_skb_internal+0xec/0x5c0
[ 39.302142]  ? dev_cpu_dead+0x810/0x810
[ 39.306094]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 39.311523]  ? rcu_read_lock_sched_held+0x10a/0x130
[ 39.316519]  ? tun_rx_batched.isra.0+0x45d/0x730
[ 39.321250]  ? __skb_get_hash_symmetric+0x255/0x620
[ 39.326258]  ? tun_chr_read_iter+0x1c0/0x1c0
[ 39.330661]  ? tun_get_user+0xc07/0x3790
[ 39.334701]  ? __local_bh_enable_ip+0x65/0xc0
[ 39.339197]  ? tun_get_user+0xd95/0x3790
[ 39.343327]  ? tun_rx_batched.isra.0+0x730/0x730
[ 39.348064]  ? debug_mutex_add_waiter+0x60/0x150
[ 39.352796]  ? mark_held_locks+0xa6/0xf0
[ 39.356844]  ? get_page_from_freelist+0x85e/0x1d60
[ 39.361750]  ? preempt_count_add+0xb8/0x180
[ 39.366050]  ? __tun_get+0x11c/0x220
[ 39.369739]  ? check_preemption_disabled+0x35/0x1f0
[ 39.374730]  ? tun_chr_write_iter+0xcf/0x180
[ 39.379109]  ? do_iter_readv_writev+0x379/0x580
[ 39.383749]  ? clone_verify_area+0x1e0/0x1e0
[ 39.388131]  ? avc_policy_seqno+0x5/0x10
[ 39.392172]  ? security_file_permission+0x88/0x1e0
[ 39.397080]  ? do_iter_write+0x152/0x550
[ 39.401122]  ? lock_downgrade+0x5d0/0x5d0
[ 39.405246]  ? vfs_writev+0x146/0x2d0
[ 39.409018]  ? vfs_iter_write+0xa0/0xa0
[ 39.412967]  ? __handle_mm_fault+0x6c5/0x2640
[ 39.417440]  ? __fsnotify_inode_delete+0x20/0x20
[ 39.422199]  ? __do_page_fault+0x48e/0xb80
[ 39.426415]  ? lock_downgrade+0x5d0/0x5d0
[ 39.430534]  ? check_preemption_disabled+0x35/0x1f0
[ 39.435523]  ? do_writev+0xc9/0x240
[ 39.439135]  ? vfs_writev+0x2d0/0x2d0
[ 39.442913]  ? do_syscall_64+0x43/0x4b0
[ 39.446861]  ? SyS_readv+0x30/0x30
[ 39.450372]  ? do_syscall_64+0x19b/0x4b0
[ 39.454407]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 39.460081] Kernel Offset: 0x1ba00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 39.470982] Rebooting in 86400 seconds..