Warning: Permanently added '10.128.15.211' (ECDSA) to the list of known hosts.
[   48.814411] random: sshd: uninitialized urandom read (32 bytes read)
[   48.907325] audit: type=1400 audit(1547062924.833:7): avc:  denied  { map } for  pid=1785 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2019/01/09 19:42:05 parsed 1 programs
[   49.645136] audit: type=1400 audit(1547062925.573:8): avc:  denied  { map } for  pid=1785 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=5005 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[   50.255158] random: cc1: uninitialized urandom read (8 bytes read)
2019/01/09 19:42:07 executed programs: 0
[   51.583996] audit: type=1400 audit(1547062927.513:9): avc:  denied  { map } for  pid=1785 comm="syz-execprog" path="/root/syzkaller-shm731214131" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[   53.124363] hrtimer: interrupt took 27445 ns
[   53.193088] syz-executor4 (2473) used greatest stack depth: 24400 bytes left
2019/01/09 19:42:12 executed programs: 46
[   58.146766] ==================================================================
[   58.154226] BUG: KASAN: use-after-free in ip_check_defrag+0x4f5/0x523
[   58.160815] Write of size 4 at addr ffff8881c93d031c by task syz-executor0/3032
[   58.168264] 
[   58.169890] CPU: 1 PID: 3032 Comm: syz-executor0 Not tainted 4.14.92+ #4
[   58.176719] Call Trace:
[   58.179324]  dump_stack+0xb9/0x10e
[   58.182871]  ? ip_check_defrag+0x4f5/0x523
[   58.187104]  print_address_description+0x60/0x226
[   58.191945]  ? ip_check_defrag+0x4f5/0x523
[   58.196180]  kasan_report.cold+0x88/0x2a5
[   58.200334]  ? ip_check_defrag+0x4f5/0x523
[   58.204571]  ? ip_defrag+0x3b50/0x3b50
[   58.208465]  ? mark_held_locks+0xa6/0xf0
[   58.212529]  ? refcount_sub_and_test+0x87/0xf0
[   58.217108]  ? check_preemption_disabled+0x35/0x1f0
[   58.222129]  ? packet_rcv_fanout+0x4d1/0x5e0
[   58.226539]  ? fanout_demux_rollover+0x4d0/0x4d0
[   58.231300]  ? dev_queue_xmit_nit+0x21a/0x960
[   58.235807]  ? __packet_pick_tx_queue+0x70/0x70
[   58.240480]  ? dev_hard_start_xmit+0xa3/0x890
[   58.244980]  ? check_preemption_disabled+0x35/0x1f0
[   58.250014]  ? __dev_queue_xmit+0x11b1/0x1cd0
[   58.254515]  ? trace_hardirqs_on+0x10/0x10
[   58.258763]  ? netdev_pick_tx+0x2e0/0x2e0
[   58.262913]  ? depot_save_stack+0x11d/0x418
[   58.267250]  ? lock_acquire+0x10f/0x380
[   58.271229]  ? ip_finish_output2+0x211/0x12f0
[   58.275772]  ? check_preemption_disabled+0x35/0x1f0
[   58.280804]  ? ip_finish_output2+0xaca/0x12f0
[   58.285309]  ? __alloc_skb+0x105/0x550
[   58.289198]  ? ip_copy_addrs+0xd0/0xd0
[   58.293125]  ? skb_copy_bits+0x4db/0x730
[   58.297288]  ? ip_do_fragment+0xa20/0x1ee0
[   58.301521]  ? ip_copy_addrs+0xd0/0xd0
[   58.305406]  ? ip_do_fragment+0xa20/0x1ee0
[   58.309647]  ? ip_copy_addrs+0xd0/0xd0
[   58.313539]  ? ip_fragment.constprop.0+0x146/0x200
[   58.318474]  ? ip_finish_output+0x7a7/0xc70
[   58.322827]  ? ip_mc_output+0x231/0xbe0
[   58.326828]  ? ip_queue_xmit+0x1a70/0x1a70
[   58.331067]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   58.336535]  ? ip_fragment.constprop.0+0x200/0x200
[   58.341476]  ? dst_release+0xc/0x80
[   58.345108]  ? __ip_make_skb+0xe30/0x1690
[   58.349283]  ? ip_local_out+0x98/0x170
[   58.353183]  ? ip_send_skb+0x3a/0xc0
[   58.356894]  ? ip_push_pending_frames+0x5f/0x80
[   58.361565]  ? raw_sendmsg+0x19de/0x2270
[   58.365638]  ? raw_seq_next+0x80/0x80
[   58.369438]  ? avc_has_perm_noaudit+0x2d0/0x2d0
[   58.374123]  ? trace_hardirqs_on+0x10/0x10
[   58.378374]  ? sock_has_perm+0x1d3/0x260
[   58.382445]  ? __might_fault+0x104/0x1b0
[   58.386535]  ? inet_sendmsg+0x14a/0x510
[   58.390514]  ? inet_recvmsg+0x540/0x540
[   58.394495]  ? sock_sendmsg+0xb7/0x100
[   58.398387]  ? SyS_sendto+0x1de/0x2f0
[   58.402194]  ? SyS_getpeername+0x250/0x250
[   58.406449]  ? put_timespec64+0xbe/0x110
[   58.410996]  ? SyS_clock_gettime+0x7d/0xe0
[   58.415228]  ? do_clock_gettime+0xd0/0xd0
[   58.419395]  ? do_syscall_64+0x43/0x4b0
[   58.423371]  ? SyS_getpeername+0x250/0x250
[   58.427608]  ? do_syscall_64+0x19b/0x4b0
[   58.431678]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   58.437050] 
[   58.438677] Allocated by task 3032:
[   58.442302]  kasan_kmalloc.part.0+0x4f/0xd0
[   58.446625]  kmem_cache_alloc+0xd2/0x2d0
[   58.450682]  skb_clone+0x126/0x310
[   58.454218]  ip_check_defrag+0x2bc/0x523
[   58.458287]  packet_rcv_fanout+0x4d1/0x5e0
[   58.462522]  dev_queue_xmit_nit+0x21a/0x960
[   58.466832] 
[   58.468457] Freed by task 3032:
[   58.471734]  kasan_slab_free+0xb0/0x190
[   58.475709]  kmem_cache_free+0xc4/0x330
[   58.479679]  kfree_skbmem+0xa0/0x100
[   58.483391]  kfree_skb+0xcd/0x350
[   58.486843]  ip_defrag+0x5f4/0x3b50
[   58.490466]  ip_check_defrag+0x39b/0x523
[   58.494522]  packet_rcv_fanout+0x4d1/0x5e0
[   58.498760]  dev_queue_xmit_nit+0x21a/0x960
[   58.503073] 
[   58.504698] The buggy address belongs to the object at ffff8881c93d0280
[   58.504698]  which belongs to the cache skbuff_head_cache of size 224
[   58.517872] The buggy address is located 156 bytes inside of
[   58.517872]  224-byte region [ffff8881c93d0280, ffff8881c93d0360)
[   58.529738] The buggy address belongs to the page:
[   58.534671] page:ffffea000724f400 count:1 mapcount:0 mapping:          (null) index:0x0
[   58.542810] flags: 0x4000000000000100(slab)
[   58.547129] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[   58.555027] raw: dead000000000100 dead000000000200 ffff8881dab58200 0000000000000000
[   58.562915] page dumped because: kasan: bad access detected
[   58.568616] 
[   58.570243] Memory state around the buggy address:
[   58.575171]  ffff8881c93d0200: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[   58.582525]  ffff8881c93d0280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   58.589881] >ffff8881c93d0300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   58.597261]                             ^
[   58.601403]  ffff8881c93d0380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   58.608783]  ffff8881c93d0400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   58.616136] ==================================================================
[   58.623486] Disabling lock debugging due to kernel taint
[   58.629020] Kernel panic - not syncing: panic_on_warn set ...
[   58.629020] 
[   58.636384] CPU: 1 PID: 3032 Comm: syz-executor0 Tainted: G    B           4.14.92+ #4
[   58.644429] Call Trace:
[   58.647021]  dump_stack+0xb9/0x10e
[   58.650561]  panic+0x1d9/0x3c2
[   58.653759]  ? add_taint.cold+0x16/0x16
[   58.657739]  ? ip_check_defrag+0x4f5/0x523
[   58.661986]  kasan_end_report+0x43/0x49
[   58.665955]  kasan_report.cold+0xa4/0x2a5
[   58.670099]  ? ip_check_defrag+0x4f5/0x523
[   58.674334]  ? ip_defrag+0x3b50/0x3b50
[   58.678246]  ? mark_held_locks+0xa6/0xf0
[   58.682325]  ? refcount_sub_and_test+0x87/0xf0
[   58.686897]  ? check_preemption_disabled+0x35/0x1f0
[   58.691909]  ? packet_rcv_fanout+0x4d1/0x5e0
[   58.696314]  ? fanout_demux_rollover+0x4d0/0x4d0
[   58.701070]  ? dev_queue_xmit_nit+0x21a/0x960
[   58.705563]  ? __packet_pick_tx_queue+0x70/0x70
[   58.710230]  ? dev_hard_start_xmit+0xa3/0x890
[   58.714763]  ? check_preemption_disabled+0x35/0x1f0
[   58.719784]  ? __dev_queue_xmit+0x11b1/0x1cd0
[   58.724280]  ? trace_hardirqs_on+0x10/0x10
[   58.728527]  ? netdev_pick_tx+0x2e0/0x2e0
[   58.732687]  ? depot_save_stack+0x11d/0x418
[   58.737008]  ? lock_acquire+0x10f/0x380
[   58.740974]  ? ip_finish_output2+0x211/0x12f0
[   58.745463]  ? check_preemption_disabled+0x35/0x1f0
[   58.750482]  ? ip_finish_output2+0xaca/0x12f0
[   58.754973]  ? __alloc_skb+0x105/0x550
[   58.758861]  ? ip_copy_addrs+0xd0/0xd0
[   58.762760]  ? skb_copy_bits+0x4db/0x730
[   58.766832]  ? ip_do_fragment+0xa20/0x1ee0
[   58.771081]  ? ip_copy_addrs+0xd0/0xd0
[   58.774966]  ? ip_do_fragment+0xa20/0x1ee0
[   58.779197]  ? ip_copy_addrs+0xd0/0xd0
[   58.783081]  ? ip_fragment.constprop.0+0x146/0x200
[   58.788008]  ? ip_finish_output+0x7a7/0xc70
[   58.792330]  ? ip_mc_output+0x231/0xbe0
[   58.796306]  ? ip_queue_xmit+0x1a70/0x1a70
[   58.800541]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   58.805991]  ? ip_fragment.constprop.0+0x200/0x200
[   58.810916]  ? dst_release+0xc/0x80
[   58.814534]  ? __ip_make_skb+0xe30/0x1690
[   58.818682]  ? ip_local_out+0x98/0x170
[   58.822570]  ? ip_send_skb+0x3a/0xc0
[   58.826290]  ? ip_push_pending_frames+0x5f/0x80
[   58.830959]  ? raw_sendmsg+0x19de/0x2270
[   58.835019]  ? raw_seq_next+0x80/0x80
[   58.838833]  ? avc_has_perm_noaudit+0x2d0/0x2d0
[   58.843499]  ? trace_hardirqs_on+0x10/0x10
[   58.847762]  ? sock_has_perm+0x1d3/0x260
[   58.851822]  ? __might_fault+0x104/0x1b0
[   58.855900]  ? inet_sendmsg+0x14a/0x510
[   58.859873]  ? inet_recvmsg+0x540/0x540
[   58.863850]  ? sock_sendmsg+0xb7/0x100
[   58.867754]  ? SyS_sendto+0x1de/0x2f0
[   58.871549]  ? SyS_getpeername+0x250/0x250
[   58.875792]  ? put_timespec64+0xbe/0x110
[   58.879879]  ? SyS_clock_gettime+0x7d/0xe0
[   58.884108]  ? do_clock_gettime+0xd0/0xd0
[   58.888279]  ? do_syscall_64+0x43/0x4b0
[   58.892264]  ? SyS_getpeername+0x250/0x250
[   58.896497]  ? do_syscall_64+0x19b/0x4b0
[   58.900564]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   58.906216] Kernel Offset: 0xa600000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   58.917079] Rebooting in 86400 seconds..