Warning: Permanently added '10.128.0.117' (ECDSA) to the list of known hosts.
[ 38.186966] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.301486] audit: type=1400 audit(1569029097.026:36): avc: denied { map } for pid=6898 comm="syz-executor431" path="/root/syz-executor431263248" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 38.530946] IPVS: ftp: loaded support on port[0] = 21
[ 39.395558] chnl_net:caif_netlink_parms(): no params data found
[ 39.424523] bridge0: port 1(bridge_slave_0) entered blocking state
[ 39.431237] bridge0: port 1(bridge_slave_0) entered disabled state
[ 39.438740] device bridge_slave_0 entered promiscuous mode
[ 39.445932] bridge0: port 2(bridge_slave_1) entered blocking state
[ 39.452903] bridge0: port 2(bridge_slave_1) entered disabled state
[ 39.459773] device bridge_slave_1 entered promiscuous mode
[ 39.473942] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 39.482787] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 39.497714] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 39.505035] team0: Port device team_slave_0 added
[ 39.510567] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 39.517550] team0: Port device team_slave_1 added
[ 39.522818] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 39.529949] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 39.582077] device hsr_slave_0 entered promiscuous mode
[ 39.620492] device hsr_slave_1 entered promiscuous mode
[ 39.690560] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 39.697721] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 39.710707] bridge0: port 2(bridge_slave_1) entered blocking state
[ 39.717117] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 39.724028] bridge0: port 1(bridge_slave_0) entered blocking state
[ 39.730553] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 39.761735] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 39.768045] 8021q: adding VLAN 0 to HW filter on device bond0
[ 39.777614] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 39.786708] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 39.805080] bridge0: port 1(bridge_slave_0) entered disabled state
[ 39.812817] bridge0: port 2(bridge_slave_1) entered disabled state
[ 39.824043] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 39.830281] 8021q: adding VLAN 0 to HW filter on device team0
[ 39.840489] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 39.848300] bridge0: port 1(bridge_slave_0) entered blocking state
[ 39.854821] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 39.864597] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 39.872598] bridge0: port 2(bridge_slave_1) entered blocking state
[ 39.879110] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 39.893053] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 39.900989] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 39.909235] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 39.920420] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 39.930832] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 39.942236] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 39.948266] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 39.955977] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
executing program
[ 39.968121] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[ 39.977794] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 40.131258] ==================================================================
[ 40.138767] BUG: KASAN: use-after-free in tcp_init_tso_segs+0x1ae/0x200
[ 40.145600] Read of size 2 at addr ffff888091e35a70 by task syz-executor431/6899
[ 40.153119]
[ 40.154778] CPU: 1 PID: 6899 Comm: syz-executor431 Not tainted 4.14.145 #0
[ 40.161945] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.171583] Call Trace:
[ 40.174164]  dump_stack+0x138/0x197
[ 40.177798]  ? tcp_init_tso_segs+0x1ae/0x200
[ 40.182194]  print_address_description.cold+0x7c/0x1dc
[ 40.187457]  ? tcp_init_tso_segs+0x1ae/0x200
[ 40.191867]  kasan_report.cold+0xa9/0x2af
[ 40.196013]  __asan_report_load2_noabort+0x14/0x20
[ 40.200930]  tcp_init_tso_segs+0x1ae/0x200
[ 40.205144]  ? tcp_tso_segs+0x7d/0x1c0
[ 40.209015]  tcp_write_xmit+0x15e/0x4960
[ 40.213058]  ? tcp_v4_md5_lookup+0x23/0x30
[ 40.217292]  ? tcp_established_options+0x2c5/0x420
[ 40.222204]  ? tcp_current_mss+0x1dc/0x2f0
[ 40.226418]  ? __alloc_skb+0x3ee/0x500
[ 40.230297]  __tcp_push_pending_frames+0xa6/0x260
[ 40.235116]  tcp_send_fin+0x17e/0xc40
[ 40.238992]  tcp_close+0xcc8/0xfb0
[ 40.243788]  ? __sock_release+0x89/0x2b0
[ 40.247843]  ? ip_mc_drop_socket+0x1d6/0x230
[ 40.252896]  inet_release+0xec/0x1c0
[ 40.256624]  __sock_release+0xce/0x2b0
[ 40.260503]  ? __sock_release+0x2b0/0x2b0
[ 40.264648]  sock_close+0x1b/0x30
[ 40.268086]  __fput+0x275/0x7a0
[ 40.271348]  ____fput+0x16/0x20
[ 40.274617]  task_work_run+0x114/0x190
[ 40.278494]  do_exit+0x7df/0x2c10
[ 40.281933]  ? mm_update_next_owner+0x5d0/0x5d0
[ 40.286582]  ? up_read+0x1a/0x40
[ 40.290421]  ? __do_page_fault+0x358/0xb80
[ 40.294664]  do_group_exit+0x111/0x330
[ 40.298657]  SyS_exit_group+0x1d/0x20
[ 40.302531]  ? do_group_exit+0x330/0x330
[ 40.306590]  do_syscall_64+0x1e8/0x640
[ 40.310466]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 40.315299]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 40.320482] RIP: 0033:0x440b48
[ 40.323650] RSP: 002b:00007ffc5eeeeb58 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 40.331336] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000440b48
[ 40.338598] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[ 40.345854] RBP: 00000000004c6fd0 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 40.353104] R10: 0000000020000800 R11: 0000000000000246 R12: 0000000000000001
[ 40.360357] R13: 00000000006d95e0 R14: 0000000000000000 R15: 0000000000000000
[ 40.367798]
[ 40.369410] Allocated by task 6899:
[ 40.373019]  save_stack_trace+0x16/0x20
[ 40.376971]  save_stack+0x45/0xd0
[ 40.380413]  kasan_kmalloc+0xce/0xf0
[ 40.384102]  kasan_slab_alloc+0xf/0x20
[ 40.387986]  kmem_cache_alloc_node+0x144/0x780
[ 40.392768]  __alloc_skb+0x9c/0x500
[ 40.396389]  sk_stream_alloc_skb+0xb3/0x780
[ 40.400923]  tcp_sendmsg_locked+0xf61/0x3200
[ 40.405331]  tcp_sendmsg+0x30/0x50
[ 40.408865]  inet_sendmsg+0x122/0x500
[ 40.412713]  sock_sendmsg+0xce/0x110
[ 40.416435]  SYSC_sendto+0x206/0x310
[ 40.420171]  SyS_sendto+0x40/0x50
[ 40.423845]  do_syscall_64+0x1e8/0x640
[ 40.428124]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 40.433310]
[ 40.434922] Freed by task 6899:
[ 40.438196]  save_stack_trace+0x16/0x20
[ 40.442153]  save_stack+0x45/0xd0
[ 40.445678]  kasan_slab_free+0x75/0xc0
[ 40.449544]  kmem_cache_free+0x83/0x2b0
[ 40.453515]  kfree_skbmem+0x8d/0x120
[ 40.457217]  __kfree_skb+0x1e/0x30
[ 40.460755]  tcp_remove_empty_skb.part.0+0x231/0x2e0
[ 40.465848]  tcp_sendmsg_locked+0x1ced/0x3200
[ 40.470322]  tcp_sendmsg+0x30/0x50
[ 40.474063]  inet_sendmsg+0x122/0x500
[ 40.477899]  sock_sendmsg+0xce/0x110
[ 40.481603]  SYSC_sendto+0x206/0x310
[ 40.485323]  SyS_sendto+0x40/0x50
[ 40.488756]  do_syscall_64+0x1e8/0x640
[ 40.492625]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 40.497801]
[ 40.499412] The buggy address belongs to the object at ffff888091e35a40
[ 40.499412]  which belongs to the cache skbuff_fclone_cache of size 472
[ 40.512917] The buggy address is located 48 bytes inside of
[ 40.512917]  472-byte region [ffff888091e35a40, ffff888091e35c18)
[ 40.524689] The buggy address belongs to the page:
[ 40.529594] page:ffffea0002478d40 count:1 mapcount:0 mapping:ffff888091e35040 index:0x0
[ 40.537722] flags: 0x1fffc0000000100(slab)
[ 40.541935] raw: 01fffc0000000100 ffff888091e35040 0000000000000000 0000000100000006
[ 40.549794] raw: ffffea00022c6e20 ffff8880a9e80e48 ffff8880a9e81d80 0000000000000000
[ 40.557756] page dumped because: kasan: bad access detected
[ 40.563490]
[ 40.565095] Memory state around the buggy address:
[ 40.570002]  ffff888091e35900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 40.577347]  ffff888091e35980: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 40.584684] >ffff888091e35a00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 40.592028]                                                              ^
[ 40.599027]  ffff888091e35a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.606385]  ffff888091e35b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.613735] ==================================================================
[ 40.621085] Disabling lock debugging due to kernel taint
[ 40.629380] Kernel panic - not syncing: panic_on_warn set ...
[ 40.629380]
[ 40.636778] CPU: 1 PID: 6899 Comm: syz-executor431 Tainted: G    B   4.14.145 #0
[ 40.644989] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.654434] Call Trace:
[ 40.657013]  dump_stack+0x138/0x197
[ 40.660619]  ? tcp_init_tso_segs+0x1ae/0x200
[ 40.665010]  panic+0x1f2/0x426
[ 40.668180]  ? add_taint.cold+0x16/0x16
[ 40.672140]  ? ___preempt_schedule+0x16/0x18
[ 40.676530]  kasan_end_report+0x47/0x4f
[ 40.680478]  kasan_report.cold+0x130/0x2af
[ 40.684689]  __asan_report_load2_noabort+0x14/0x20
[ 40.689693]  tcp_init_tso_segs+0x1ae/0x200
[ 40.693916]  ? tcp_tso_segs+0x7d/0x1c0
[ 40.697786]  tcp_write_xmit+0x15e/0x4960
[ 40.701834]  ? tcp_v4_md5_lookup+0x23/0x30
[ 40.706044]  ? tcp_established_options+0x2c5/0x420
[ 40.710957]  ? tcp_current_mss+0x1dc/0x2f0
[ 40.715183]  ? __alloc_skb+0x3ee/0x500
[ 40.719056]  __tcp_push_pending_frames+0xa6/0x260
[ 40.723879]  tcp_send_fin+0x17e/0xc40
[ 40.727746]  tcp_close+0xcc8/0xfb0
[ 40.731783]  ? __sock_release+0x89/0x2b0
[ 40.735911]  ? ip_mc_drop_socket+0x1d6/0x230
[ 40.740311]  inet_release+0xec/0x1c0
[ 40.744099]  __sock_release+0xce/0x2b0
[ 40.747961]  ? __sock_release+0x2b0/0x2b0
[ 40.752083]  sock_close+0x1b/0x30
[ 40.755526]  __fput+0x275/0x7a0
[ 40.758790]  ____fput+0x16/0x20
[ 40.762048]  task_work_run+0x114/0x190
[ 40.765909]  do_exit+0x7df/0x2c10
[ 40.769342]  ? mm_update_next_owner+0x5d0/0x5d0
[ 40.773998]  ? up_read+0x1a/0x40
[ 40.777357]  ? __do_page_fault+0x358/0xb80
[ 40.781608]  do_group_exit+0x111/0x330
[ 40.785513]  SyS_exit_group+0x1d/0x20
[ 40.789315]  ? do_group_exit+0x330/0x330
[ 40.793369]  do_syscall_64+0x1e8/0x640
[ 40.797247]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 40.802075]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 40.807241] RIP: 0033:0x440b48
[ 40.810410] RSP: 002b:00007ffc5eeeeb58 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 40.818091] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000440b48
[ 40.825347] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[ 40.832914] RBP: 00000000004c6fd0 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 40.840255] R10: 0000000020000800 R11: 0000000000000246 R12: 0000000000000001
[ 40.847514] R13: 00000000006d95e0 R14: 0000000000000000 R15: 0000000000000000
[ 40.856423] Kernel Offset: disabled
[ 40.860061] Rebooting in 86400 seconds..