Warning: Permanently added '10.128.10.12' (ECDSA) to the list of known hosts.
[ 33.516163] urandom_read: 1 callbacks suppressed
[ 33.516168] random: sshd: uninitialized urandom read (32 bytes read)
[ 33.620269] audit: type=1400 audit(1546193831.052:8): avc: denied { map } for pid=1783 comm="syz-executor910" path="/root/syz-executor910660043" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[ 33.907254] ==================================================================
[ 33.915136] BUG: KASAN: slab-out-of-bounds in tun_net_xmit+0xf18/0x1010
[ 33.921881] Read of size 8 at addr ffff8881c6efa650 by task syz-executor910/1786
[ 33.929857]
[ 33.931476] CPU: 1 PID: 1786 Comm: syz-executor910 Not tainted 4.14.91+ #30
[ 33.938562] Call Trace:
[ 33.941142]  dump_stack+0xb9/0x11b
[ 33.944676]  print_address_description+0x60/0x22b
[ 33.949508]  kasan_report.cold.6+0x11b/0x2dd
[ 33.953988]  ? tun_net_xmit+0xf18/0x1010
[ 33.958048]  tun_net_xmit+0xf18/0x1010
[ 33.961932]  dev_hard_start_xmit+0x191/0x890
[ 33.966334]  ? validate_xmit_skb_list+0xd1/0x110
[ 33.971082]  sch_direct_xmit+0x280/0x520
[ 33.975236]  ? dev_deactivate_queue.constprop.6+0x150/0x150
[ 33.980948]  ? lock_acquire+0x10f/0x380
[ 33.984920]  ? ip6_finish_output2+0x1136/0x1f90
[ 33.989590]  __dev_queue_xmit+0x16fd/0x1f40
[ 33.994015]  ? __lock_acquire+0x619/0x4320
[ 33.998550]  ? do_xdp_generic+0x40/0x40
[ 34.002523]  ? netdev_pick_tx+0x2e0/0x2e0
[ 34.006665]  ? ip6_finish_output+0x62e/0xb10
[ 34.011138]  ? lock_downgrade+0x560/0x560
[ 34.015352]  ? ip6_finish_output+0x62e/0xb10
[ 34.019990]  ? ip6_finish_output2+0xc2d/0x1f90
[ 34.024582]  ip6_finish_output2+0x1136/0x1f90
[ 34.029093]  ? ip6_forward_finish+0x470/0x470
[ 34.033883]  ? lock_downgrade+0x560/0x560
[ 34.038024]  ? netif_rx_ni+0x300/0x300
[ 34.041907]  ? ip6_finish_output+0x62e/0xb10
[ 34.046307]  ip6_finish_output+0x62e/0xb10
[ 34.050537]  ip6_output+0x1dd/0x680
[ 34.054159]  ? __ip6_local_out+0x349/0x580
[ 34.058386]  ? ip6_finish_output+0xb10/0xb10
[ 34.063142]  ? ip6_fragment+0x2d50/0x2d50
[ 34.067424]  ip6_local_out+0x94/0x170
[ 34.071366]  ip6_send_skb+0x98/0x2e0
[ 34.075073]  udp_v6_send_skb+0x4e3/0xe70
[ 34.079142]  udpv6_sendmsg+0x1f07/0x2510
[ 34.083815]  ? ip_reply_glue_bits+0xa0/0xa0
[ 34.088309]  ? udp_v6_flush_pending_frames+0xd0/0xd0
[ 34.094492]  ? reacquire_held_locks+0xb5/0x3e0
[ 34.099272]  ? release_sock+0x1b/0x1b0
[ 34.103163]  ? inet_autobind+0x121/0x180
[ 34.107356]  ? inet_sendmsg+0x168/0x540
[ 34.111322]  ? udp_v6_flush_pending_frames+0xd0/0xd0
[ 34.116542]  inet_sendmsg+0x168/0x540
[ 34.120350]  ? inet_recvmsg+0x560/0x560
[ 34.124314]  sock_sendmsg+0xb5/0x100
[ 34.128018]  SyS_sendto+0x211/0x340
[ 34.131635]  ? SyS_getpeername+0x280/0x280
[ 34.135859]  ? _raw_spin_unlock+0x29/0x40
[ 34.140178]  ? __handle_mm_fault+0x6b1/0x25f0
[ 34.144705]  ? vm_insert_page+0x6d0/0x6d0
[ 34.149003]  ? check_preemption_disabled+0x34/0x1e0
[ 34.154137]  ? lock_downgrade+0x560/0x560
[ 34.158289]  ? up_read+0x17/0x30
[ 34.161646]  ? __do_page_fault+0x64c/0xb60
[ 34.166045]  ? do_syscall_64+0x43/0x4b0
[ 34.170259]  ? SyS_getpeername+0x280/0x280
[ 34.174485]  do_syscall_64+0x19b/0x4b0
[ 34.178496]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 34.183727] RIP: 0033:0x441ba9
[ 34.186904] RSP: 002b:00007ffeef0893f8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
[ 34.194608] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441ba9
[ 34.201964] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 34.209244] RBP: 0000000000008470 R08: 00000000200001c0 R09: 000000000000001c
[ 34.216512] R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000000
[ 34.223868] R13: 0000000000402990 R14: 0000000000000000 R15: 0000000000000000
[ 34.231149]
[ 34.232764] Allocated by task 1785:
[ 34.236485]  kasan_kmalloc.part.1+0x4f/0xd0
[ 34.240805]  __kmalloc+0x153/0x340
[ 34.244347]  kvmalloc_node+0x42/0xd0
[ 34.248048]  tun_device_event+0x450/0xc50
[ 34.252184]  notifier_call_chain+0x114/0x1b0
[ 34.256609]  call_netdevice_notifiers+0x6e/0xa0
[ 34.261513]  dev_ifsioc+0x735/0x840
[ 34.265138]  dev_ioctl+0x25f/0xce0
[ 34.268670]  sock_do_ioctl+0x92/0xb0
[ 34.272373]  sock_ioctl+0x263/0x430
[ 34.275993]  do_vfs_ioctl+0x1a0/0x1030
[ 34.279871]  SyS_ioctl+0x7e/0xb0
[ 34.283246]  do_syscall_64+0x19b/0x4b0
[ 34.287124]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 34.292313]
[ 34.294069] Freed by task 0:
[ 34.297070] (stack is not available)
[ 34.300775]
[ 34.302400] The buggy address belongs to the object at ffff8881c6efa648
[ 34.302400]  which belongs to the cache kmalloc-8 of size 8
[ 34.314698] The buggy address is located 0 bytes to the right of
[ 34.314698]  8-byte region [ffff8881c6efa648, ffff8881c6efa650)
[ 34.326986] The buggy address belongs to the page:
[ 34.331910] page:ffffea00071bbe80 count:1 mapcount:0 mapping:          (null) index:0x0
[ 34.340049] flags: 0x4000000000000100(slab)
[ 34.344370] raw: 4000000000000100 0000000000000000 0000000000000000 0000000180aa00aa
[ 34.352363] raw: dead000000000100 dead000000000200 ffff8881da803c00 0000000000000000
[ 34.360345] page dumped because: kasan: bad access detected
[ 34.366049]
[ 34.367663] Memory state around the buggy address:
[ 34.373066]  ffff8881c6efa500: fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc
[ 34.380433]  ffff8881c6efa580: fc fb fc fc fb fc fc fb fc fc fb fc fc 00 fc fc
[ 34.387957] >ffff8881c6efa600: 00 fc fc fb fc fc fb fc fc 00 fc fc fc fc fc fc
[ 34.395305]                                                  ^
[ 34.401411]  ffff8881c6efa680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.408770]  ffff8881c6efa700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.416120] ==================================================================
[ 34.423619] Disabling lock debugging due to kernel taint
[ 34.429080] Kernel panic - not syncing: panic_on_warn set ...
[ 34.429080]
[ 34.436434] CPU: 1 PID: 1786 Comm: syz-executor910 Tainted: G    B 4.14.91+ #30
[ 34.444886] Call Trace:
[ 34.447465]  dump_stack+0xb9/0x11b
[ 34.451100]  panic+0x1bf/0x3a2
[ 34.454282]  ? add_taint.cold.4+0x16/0x16
[ 34.458423]  kasan_end_report+0x43/0x49
[ 34.462385]  kasan_report.cold.6+0x77/0x2dd
[ 34.466700]  ? tun_net_xmit+0xf18/0x1010
[ 34.470758]  tun_net_xmit+0xf18/0x1010
[ 34.474636]  dev_hard_start_xmit+0x191/0x890
[ 34.479031]  ? validate_xmit_skb_list+0xd1/0x110
[ 34.483774]  sch_direct_xmit+0x280/0x520
[ 34.487945]  ? dev_deactivate_queue.constprop.6+0x150/0x150
[ 34.493764]  ? lock_acquire+0x10f/0x380
[ 34.497727]  ? ip6_finish_output2+0x1136/0x1f90
[ 34.502391]  __dev_queue_xmit+0x16fd/0x1f40
[ 34.506704]  ? __lock_acquire+0x619/0x4320
[ 34.510937]  ? do_xdp_generic+0x40/0x40
[ 34.514897]  ? netdev_pick_tx+0x2e0/0x2e0
[ 34.519621]  ? ip6_finish_output+0x62e/0xb10
[ 34.524022]  ? lock_downgrade+0x560/0x560
[ 34.528155]  ? ip6_finish_output+0x62e/0xb10
[ 34.532548]  ? ip6_finish_output2+0xc2d/0x1f90
[ 34.537118]  ip6_finish_output2+0x1136/0x1f90
[ 34.541603]  ? ip6_forward_finish+0x470/0x470
[ 34.546088]  ? lock_downgrade+0x560/0x560
[ 34.550252]  ? netif_rx_ni+0x300/0x300
[ 34.554142]  ? ip6_finish_output+0x62e/0xb10
[ 34.558689]  ip6_finish_output+0x62e/0xb10
[ 34.562926]  ip6_output+0x1dd/0x680
[ 34.566541]  ? __ip6_local_out+0x349/0x580
[ 34.570765]  ? ip6_finish_output+0xb10/0xb10
[ 34.575160]  ? ip6_fragment+0x2d50/0x2d50
[ 34.579307]  ip6_local_out+0x94/0x170
[ 34.583097]  ip6_send_skb+0x98/0x2e0
[ 34.586799]  udp_v6_send_skb+0x4e3/0xe70
[ 34.590848]  udpv6_sendmsg+0x1f07/0x2510
[ 34.594977]  ? ip_reply_glue_bits+0xa0/0xa0
[ 34.599395]  ? udp_v6_flush_pending_frames+0xd0/0xd0
[ 34.604616]  ? reacquire_held_locks+0xb5/0x3e0
[ 34.609192]  ? release_sock+0x1b/0x1b0
[ 34.613093]  ? inet_autobind+0x121/0x180
[ 34.617144]  ? inet_sendmsg+0x168/0x540
[ 34.621103]  ? udp_v6_flush_pending_frames+0xd0/0xd0
[ 34.626194]  inet_sendmsg+0x168/0x540
[ 34.630127]  ? inet_recvmsg+0x560/0x560
[ 34.634091]  sock_sendmsg+0xb5/0x100
[ 34.637963]  SyS_sendto+0x211/0x340
[ 34.641586]  ? SyS_getpeername+0x280/0x280
[ 34.645812]  ? _raw_spin_unlock+0x29/0x40
[ 34.649950]  ? __handle_mm_fault+0x6b1/0x25f0
[ 34.654433]  ? vm_insert_page+0x6d0/0x6d0
[ 34.658569]  ? check_preemption_disabled+0x34/0x1e0
[ 34.663587]  ? lock_downgrade+0x560/0x560
[ 34.667728]  ? up_read+0x17/0x30
[ 34.671083]  ? __do_page_fault+0x64c/0xb60
[ 34.675305]  ? do_syscall_64+0x43/0x4b0
[ 34.679468]  ? SyS_getpeername+0x280/0x280
[ 34.683696]  do_syscall_64+0x19b/0x4b0
[ 34.687577]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 34.693600] RIP: 0033:0x441ba9
[ 34.696867] RSP: 002b:00007ffeef0893f8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
[ 34.705048] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441ba9
[ 34.712313] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 34.720002] RBP: 0000000000008470 R08: 00000000200001c0 R09: 000000000000001c
[ 34.727525] R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000000
[ 34.735036] R13: 0000000000402990 R14: 0000000000000000 R15: 0000000000000000
[ 34.742904] Kernel Offset: 0x18200000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 34.753826] Rebooting in 86400 seconds..
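Reading the report: tun_net_xmit performs an 8-byte read at ffff8881c6efa650, which is the first byte past an 8-byte kmalloc-8 object at ffff8881c6efa648 that was allocated through kvmalloc_node from tun_device_event. In the shadow dump the granule holding the object is 00 (addressable) and the granule under the caret is fc (KASAN's kmalloc redzone marker), so the access lands entirely in the redzone rather than in a freed (fb) object. The following triage helper is an added example, not part of the syzbot report or of the kernel sources: it parses the header, object and shadow-memory lines of this report (the REPORT string is constructed from the lines above with the timestamps stripped) and cross-checks that the region bounds, the "0 bytes to the right" statement and the shadow bytes agree with each other. The function and field names are this example's own; the shadow byte meanings are the KASAN encodings for a 4.14 kernel.

```python
"""Triage helper for a slab KASAN report (added example, not kernel code)."""
import re

# Constructed from the syzbot report above, timestamps removed.
REPORT = """\
BUG: KASAN: slab-out-of-bounds in tun_net_xmit+0xf18/0x1010
Read of size 8 at addr ffff8881c6efa650 by task syz-executor910/1786
The buggy address belongs to the object at ffff8881c6efa648
 which belongs to the cache kmalloc-8 of size 8
The buggy address is located 0 bytes to the right of
 8-byte region [ffff8881c6efa648, ffff8881c6efa650)
Memory state around the buggy address:
 ffff8881c6efa580: fc fb fc fc fb fc fc fb fc fc fb fc fc 00 fc fc
>ffff8881c6efa600: 00 fc fc fb fc fc fb fc fc 00 fc fc fc fc fc fc
 ffff8881c6efa680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

KASAN_SHADOW_SCALE = 8  # one shadow byte describes an 8-byte granule

# Shadow encodings used by KASAN for slab memory (mm/kasan/kasan.h).
SHADOW_MEANING = {
    0x00: "addressable",
    0xfb: "freed slab object",
    0xfc: "slab redzone",
}

HDR_RE = re.compile(r"BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")
ACCESS_RE = re.compile(r"(?P<kind>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
OBJECT_RE = re.compile(r"belongs to the object at (?P<obj>[0-9a-f]+)")
CACHE_RE = re.compile(r"cache (?P<cache>\S+) of size (?P<size>\d+)")
REGION_RE = re.compile(r"(?P<n>\d+)-byte region \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)")
SHADOW_RE = re.compile(r"^[ >](?P<base>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?)+)$", re.M)


def parse_kasan_report(text):
    """Extract the fields a triager reads first; raise if this is not a slab report."""
    hdr, acc, obj = HDR_RE.search(text), ACCESS_RE.search(text), OBJECT_RE.search(text)
    cache, region = CACHE_RE.search(text), REGION_RE.search(text)
    if not all((hdr, acc, obj, cache, region)):
        raise ValueError("not a slab KASAN report")
    shadow = {}  # granule address -> shadow byte
    for m in SHADOW_RE.finditer(text):
        base = int(m["base"], 16)
        for i, b in enumerate(m["bytes"].split()):
            shadow[base + i * KASAN_SHADOW_SCALE] = int(b, 16)
    return {
        "bug": hdr["bug"], "func": hdr["func"],
        "kind": acc["kind"], "size": int(acc["size"]),
        "addr": int(acc["addr"], 16), "task": acc["task"],
        "obj": int(obj["obj"], 16), "cache": cache["cache"], "obj_size": int(cache["size"]),
        "region": (int(region["start"], 16), int(region["end"], 16)),
        "shadow": shadow,
    }


def shadow_byte(report, addr):
    """Shadow byte covering addr, or None if the dump does not include that granule."""
    granule = addr & ~(KASAN_SHADOW_SCALE - 1)
    return report["shadow"].get(granule)


def triage(report):
    """Cross-check the report's own statements and summarise where the access lands."""
    addr, obj, size = report["addr"], report["obj"], report["obj_size"]
    start, end = report["region"]
    return {
        "offset_in_object": addr - obj,                         # 8 == one full object past its start
        "bytes_right_of_region": addr - end,                    # the "N bytes to the right of" figure
        "bytes_past_end": max(0, addr + report["size"] - end),  # how much of the access is out of bounds
        "region_consistent": start == obj and end - start == size,
        "exactly_at_end": addr == end,
        "shadow_at_addr": SHADOW_MEANING.get(shadow_byte(report, addr), "unknown"),
        "shadow_at_object": SHADOW_MEANING.get(shadow_byte(report, obj), "unknown"),
    }


if __name__ == "__main__":
    r = parse_kasan_report(REPORT)
    print(f"{r['bug']} in {r['func']}: {r['kind']} of {r['size']} bytes by {r['task']}")
    for k, v in triage(r).items():
        print(f"  {k}: {v}")
```

Running it confirms that the region `[ffff8881c6efa648, ffff8881c6efa650)` matches the object and the kmalloc-8 size, that the faulting address is exactly the end of the region (hence "0 bytes to the right"), and that all 8 bytes of the read fall in the redzone granule. The same script applies to any slab-out-of-bounds or use-after-free report: for a use-after-free the shadow byte at the address decodes to "freed slab object" instead.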