Warning: Permanently added '10.128.0.61' (ECDSA) to the list of known hosts.
[ 40.138809] random: sshd: uninitialized urandom read (32 bytes read)
[ 40.234763] audit: type=1400 audit(1569082394.992:7): avc: denied { map } for pid=1791 comm="syz-executor969" path="/root/syz-executor969143898" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
[ 41.071116] ==================================================================
[ 41.078741] BUG: KASAN: use-after-free in tcp_init_tso_segs+0x19d/0x1f0
[ 41.085481] Read of size 2 at addr ffff8881cb032030 by task syz-executor969/1792
[ 41.093109]
[ 41.094751] CPU: 0 PID: 1792 Comm: syz-executor969 Not tainted 4.14.145+ #0
[ 41.101902] Call Trace:
[ 41.104566]  dump_stack+0xca/0x134
[ 41.108168]  ? tcp_init_tso_segs+0x19d/0x1f0
[ 41.112605]  ? tcp_init_tso_segs+0x19d/0x1f0
[ 41.117077]  print_address_description+0x60/0x226
[ 41.121927]  ? tcp_init_tso_segs+0x19d/0x1f0
[ 41.126431]  ? tcp_init_tso_segs+0x19d/0x1f0
[ 41.130945]  __kasan_report.cold+0x1a/0x41
[ 41.135184]  ? kvm_guest_cpu_init+0x220/0x220
[ 41.139701]  ? tcp_init_tso_segs+0x19d/0x1f0
[ 41.144144]  tcp_init_tso_segs+0x19d/0x1f0
[ 41.148372]  ? tcp_tso_segs+0x7b/0x1c0
[ 41.152257]  tcp_write_xmit+0x15a/0x4730
[ 41.156472]  ? memset+0x20/0x40
[ 41.159777]  __tcp_push_pending_frames+0xa0/0x230
[ 41.164810]  tcp_send_fin+0x154/0xbc0
[ 41.168613]  tcp_close+0xc62/0xf40
[ 41.172146]  inet_release+0xe9/0x1c0
[ 41.175845]  __sock_release+0xd2/0x2c0
[ 41.179726]  ? __sock_release+0x2c0/0x2c0
[ 41.183867]  sock_close+0x15/0x20
[ 41.187308]  __fput+0x25e/0x710
[ 41.190583]  task_work_run+0x125/0x1a0
[ 41.194475]  do_exit+0x9cb/0x2a20
[ 41.198963]  ? mm_update_next_owner+0x610/0x610
[ 41.203646]  do_group_exit+0x100/0x2e0
[ 41.207528]  SyS_exit_group+0x19/0x20
[ 41.211325]  ? do_group_exit+0x2e0/0x2e0
[ 41.215395]  do_syscall_64+0x19b/0x520
[ 41.219292]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 41.224815] RIP: 0033:0x440b38
[ 41.228015] RSP: 002b:00007fff56097628 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 41.235846] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000440b38
[ 41.243178] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[ 41.250455] RBP: 00000000004c6fd0 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 41.257813] R10: 0000000020000003 R11: 0000000000000246 R12: 0000000000000001
[ 41.265155] R13: 00000000006d95e0 R14: 0000000000000000 R15: 0000000000000000
[ 41.272434]
[ 41.274046] Allocated by task 1792:
[ 41.277675]  __kasan_kmalloc.part.0+0x53/0xc0
[ 41.282362]  kmem_cache_alloc+0xee/0x360
[ 41.286490]  __alloc_skb+0xea/0x5c0
[ 41.290118]  sk_stream_alloc_skb+0xf4/0x8a0
[ 41.294865]  tcp_sendmsg_locked+0xf11/0x2f50
[ 41.299333]  tcp_sendmsg+0x2b/0x40
[ 41.302859]  inet_sendmsg+0x15b/0x520
[ 41.306656]  sock_sendmsg+0xb7/0x100
[ 41.310548]  SyS_sendto+0x1de/0x2f0
[ 41.314166]  do_syscall_64+0x19b/0x520
[ 41.318050]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 41.323232]  0xffffffffffffffff
[ 41.326511]
[ 41.328218] Freed by task 1792:
[ 41.331561]  __kasan_slab_free+0x164/0x210
[ 41.335906]  kmem_cache_free+0xd7/0x3b0
[ 41.339873]  kfree_skbmem+0x84/0x110
[ 41.343579]  tcp_remove_empty_skb+0x264/0x320
[ 41.348332]  tcp_sendmsg_locked+0x1c09/0x2f50
[ 41.352829]  tcp_sendmsg+0x2b/0x40
[ 41.356362]  inet_sendmsg+0x15b/0x520
[ 41.360850]  sock_sendmsg+0xb7/0x100
[ 41.364555]  SyS_sendto+0x1de/0x2f0
[ 41.368243]  do_syscall_64+0x19b/0x520
[ 41.372133]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 41.377519]  0xffffffffffffffff
[ 41.380797]
[ 41.382418] The buggy address belongs to the object at ffff8881cb032000
[ 41.382418]  which belongs to the cache skbuff_fclone_cache of size 456
[ 41.397098] The buggy address is located 48 bytes inside of
[ 41.397098]  456-byte region [ffff8881cb032000, ffff8881cb0321c8)
[ 41.409210] The buggy address belongs to the page:
[ 41.414130] page:ffffea00072c0c80 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[ 41.424372] flags: 0x4000000000010200(slab|head)
[ 41.429157] raw: 4000000000010200 0000000000000000 0000000000000000 00000001800c000c
[ 41.437033] raw: dead000000000100 dead000000000200 ffff8881d6770400 0000000000000000
[ 41.444907] page dumped because: kasan: bad access detected
[ 41.450694]
[ 41.452301] Memory state around the buggy address:
[ 41.457231]  ffff8881cb031f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 41.464576]  ffff8881cb031f80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[ 41.472260] >ffff8881cb032000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.479604]                                      ^
[ 41.484530]  ffff8881cb032080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.492711]  ffff8881cb032100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.500243] ==================================================================
[ 41.507698] Disabling lock debugging due to kernel taint
[ 41.513283] Kernel panic - not syncing: panic_on_warn set ...
[ 41.513283]
[ 41.520939] CPU: 0 PID: 1792 Comm: syz-executor969 Tainted: G    B 4.14.145+ #0
[ 41.529257] Call Trace:
[ 41.531872]  dump_stack+0xca/0x134
[ 41.535399]  panic+0x1ea/0x3d3
[ 41.538586]  ? add_taint.cold+0x16/0x16
[ 41.542557]  ? tcp_init_tso_segs+0x19d/0x1f0
[ 41.547054]  ? ___preempt_schedule+0x16/0x18
[ 41.551564]  ? tcp_init_tso_segs+0x19d/0x1f0
[ 41.556062]  end_report+0x43/0x49
[ 41.559500]  ? tcp_init_tso_segs+0x19d/0x1f0
[ 41.564096]  __kasan_report.cold+0xd/0x41
[ 41.569310]  ? kvm_guest_cpu_init+0x220/0x220
[ 41.574051]  ? tcp_init_tso_segs+0x19d/0x1f0
[ 41.578980]  tcp_init_tso_segs+0x19d/0x1f0
[ 41.583331]  ? tcp_tso_segs+0x7b/0x1c0
[ 41.587224]  tcp_write_xmit+0x15a/0x4730
[ 41.591286]  ? memset+0x20/0x40
[ 41.594900]  __tcp_push_pending_frames+0xa0/0x230
[ 41.599815]  tcp_send_fin+0x154/0xbc0
[ 41.603703]  tcp_close+0xc62/0xf40
[ 41.607596]  inet_release+0xe9/0x1c0
[ 41.611428]  __sock_release+0xd2/0x2c0
[ 41.616105]  ? __sock_release+0x2c0/0x2c0
[ 41.620507]  sock_close+0x15/0x20
[ 41.624305]  __fput+0x25e/0x710
[ 41.627591]  task_work_run+0x125/0x1a0
[ 41.631486]  do_exit+0x9cb/0x2a20
[ 41.634960]  ? mm_update_next_owner+0x610/0x610
[ 41.639966]  do_group_exit+0x100/0x2e0
[ 41.644014]  SyS_exit_group+0x19/0x20
[ 41.647900]  ? do_group_exit+0x2e0/0x2e0
[ 41.651980]  do_syscall_64+0x19b/0x520
[ 41.655876]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 41.661093] RIP: 0033:0x440b38
[ 41.664294] RSP: 002b:00007fff56097628 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 41.672085] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000440b38
[ 41.679392] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[ 41.686647] RBP: 00000000004c6fd0 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 41.693911] R10: 0000000020000003 R11: 0000000000000246 R12: 0000000000000001
[ 41.701175] R13: 00000000006d95e0 R14: 0000000000000000 R15: 0000000000000000
[ 41.709498] Kernel Offset: 0x2aa00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 41.721372] Rebooting in 86400 seconds..