Warning: Permanently added '10.128.0.18' (ECDSA) to the list of known hosts.
[   28.565200] urandom_read: 1 callbacks suppressed
[   28.565204] random: sshd: uninitialized urandom read (32 bytes read)
[   28.655543] audit: type=1400 audit(1548073801.634:7): avc:  denied  { map } for  pid=1773 comm="syz-executor936" path="/root/syz-executor936224549" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[   28.921347] ==================================================================
[   28.928869] BUG: KASAN: use-after-free in ip_local_deliver+0x43d/0x450
[   28.935528] Read of size 8 at addr ffff8881c7233790 by task syz-executor936/1776
[   28.943046] 
[   28.944666] CPU: 1 PID: 1776 Comm: syz-executor936 Not tainted 4.14.94+ #12
[   28.951746] Call Trace:
[   28.954374]  dump_stack+0xb9/0x10e
[   28.957907]  ? ip_local_deliver+0x43d/0x450
[   28.962211]  print_address_description+0x60/0x226
[   28.967032]  ? ip_local_deliver+0x43d/0x450
[   28.971330]  kasan_report.cold+0x88/0x2a5
[   28.975459]  ? ip_local_deliver+0x43d/0x450
[   28.979759]  ? ip_call_ra_chain+0x540/0x540
[   28.984063]  ? __lock_acquire+0x56a/0x3fa0
[   28.988305]  ? ip_rcv+0x99f/0xf7a
[   28.991750]  ? ip_rcv_finish+0x5c9/0x1490
[   28.995883]  ? ip_rcv+0x9e2/0xf7a
[   28.999345]  ? ip_local_deliver+0x450/0x450
[   29.003738]  ? __lock_acquire+0x56a/0x3fa0
[   29.007975]  ? check_preemption_disabled+0x35/0x1f0
[   29.012978]  ? ip_local_deliver+0x450/0x450
[   29.017284]  ? __netif_receive_skb_core+0x1364/0x2c60
[   29.022578]  ? trace_hardirqs_on+0x10/0x10
[   29.026809]  ? flush_backlog+0x580/0x580
[   29.030854]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   29.036026]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   29.041204]  ? lock_acquire+0x10f/0x380
[   29.045164]  ? __netif_receive_skb+0x55/0x1f0
[   29.049634]  ? __netif_receive_skb+0x55/0x1f0
[   29.054113]  ? netif_receive_skb_internal+0xec/0x5c0
[   29.059195]  ? dev_cpu_dead+0x810/0x810
[   29.063157]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   29.068588]  ? rcu_read_lock_sched_held+0x10a/0x130
[   29.073582]  ? tun_rx_batched.isra.0+0x45d/0x730
[   29.078316]  ? __skb_get_hash_symmetric+0x255/0x620
[   29.083317]  ? tun_chr_read_iter+0x1c0/0x1c0
[   29.087821]  ? tun_get_user+0xc07/0x3790
[   29.091879]  ? __local_bh_enable_ip+0x65/0xc0
[   29.096375]  ? tun_get_user+0xd95/0x3790
[   29.100544]  ? tun_rx_batched.isra.0+0x730/0x730
[   29.105293]  ? debug_mutex_add_waiter+0x60/0x150
[   29.110033]  ? mark_held_locks+0xa6/0xf0
[   29.114091]  ? get_page_from_freelist+0x85e/0x1d60
[   29.119007]  ? preempt_count_add+0xb8/0x180
[   29.123319]  ? __tun_get+0x11c/0x220
[   29.127016]  ? check_preemption_disabled+0x35/0x1f0
[   29.132018]  ? tun_chr_write_iter+0xcf/0x180
[   29.136424]  ? do_iter_readv_writev+0x379/0x580
[   29.141100]  ? clone_verify_area+0x1e0/0x1e0
[   29.145491]  ? avc_policy_seqno+0x5/0x10
[   29.149536]  ? security_file_permission+0x88/0x1e0
[   29.154450]  ? do_iter_write+0x152/0x550
[   29.158491]  ? lock_downgrade+0x5d0/0x5d0
[   29.162626]  ? vfs_writev+0x146/0x2d0
[   29.166408]  ? vfs_iter_write+0xa0/0xa0
[   29.170480]  ? __handle_mm_fault+0x6c5/0x2640
[   29.174974]  ? __fsnotify_inode_delete+0x20/0x20
[   29.179724]  ? __do_page_fault+0x48e/0xb80
[   29.183941]  ? lock_downgrade+0x5d0/0x5d0
[   29.188079]  ? check_preemption_disabled+0x35/0x1f0
[   29.193092]  ? do_writev+0xc9/0x240
[   29.196696]  ? vfs_writev+0x2d0/0x2d0
[   29.200477]  ? do_syscall_64+0x43/0x4b0
[   29.204431]  ? SyS_readv+0x30/0x30
[   29.207947]  ? do_syscall_64+0x19b/0x4b0
[   29.211989]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   29.217346] 
[   29.218960] Allocated by task 1776:
[   29.222567]  kasan_kmalloc.part.0+0x4f/0xd0
[   29.226870]  kmem_cache_alloc+0xd2/0x2d0
[   29.230907]  __build_skb+0x2e/0x2d0
[   29.234509]  build_skb+0x1a/0x1f0
[   29.237939]  tun_get_user+0x248b/0x3790
[   29.241890]  tun_chr_write_iter+0xcf/0x180
[   29.246102]  do_iter_readv_writev+0x379/0x580
[   29.250573]  do_iter_write+0x152/0x550
[   29.254433]  vfs_writev+0x146/0x2d0
[   29.258035]  do_writev+0xc9/0x240
[   29.261473]  do_syscall_64+0x19b/0x4b0
[   29.265342] 
[   29.266949] Freed by task 1776:
[   29.270211]  kasan_slab_free+0xb0/0x190
[   29.274166]  kmem_cache_free+0xc4/0x330
[   29.278121]  kfree_skbmem+0xa0/0x100
[   29.281816]  kfree_skb+0xcd/0x350
[   29.285256]  ip_defrag+0x5f4/0x3b50
[   29.288860]  ip_local_deliver+0x165/0x450
[   29.292984]  ip_rcv_finish+0x5c9/0x1490
[   29.296934]  ip_rcv+0x9e2/0xf7a
[   29.300191]  __netif_receive_skb_core+0x1364/0x2c60
[   29.305185]  __netif_receive_skb+0x55/0x1f0
[   29.309609]  netif_receive_skb_internal+0xec/0x5c0
[   29.314540]  tun_rx_batched.isra.0+0x45d/0x730
[   29.319104]  tun_get_user+0xd95/0x3790
[   29.322971]  tun_chr_write_iter+0xcf/0x180
[   29.327190]  do_iter_readv_writev+0x379/0x580
[   29.331666]  do_iter_write+0x152/0x550
[   29.335529]  vfs_writev+0x146/0x2d0
[   29.339133]  do_writev+0xc9/0x240
[   29.342562]  do_syscall_64+0x19b/0x4b0
[   29.346554] 
[   29.348162] The buggy address belongs to the object at ffff8881c7233780
[   29.348162]  which belongs to the cache skbuff_head_cache of size 224
[   29.361319] The buggy address is located 16 bytes inside of
[   29.361319]  224-byte region [ffff8881c7233780, ffff8881c7233860)
[   29.373091] The buggy address belongs to the page:
[   29.378003] page:ffffea00071c8cc0 count:1 mapcount:0 mapping: (null) index:0x0
[   29.386134] flags: 0x4000000000000100(slab)
[   29.390435] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[   29.398296] raw: dead000000000100 dead000000000200 ffff8881dab58200 0000000000000000
[   29.406152] page dumped because: kasan: bad access detected
[   29.411838] 
[   29.413448] Memory state around the buggy address:
[   29.418353]  ffff8881c7233680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.425689]  ffff8881c7233700: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   29.433023] >ffff8881c7233780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.440366]                       ^
[   29.444226]  ffff8881c7233800: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   29.451558]  ffff8881c7233880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.458887] ==================================================================
[   29.466664] Disabling lock debugging due to kernel taint
[   29.472119] Kernel panic - not syncing: panic_on_warn set ...
[   29.472119] 
[   29.479469] CPU: 1 PID: 1776 Comm: syz-executor936 Tainted: G B 4.14.94+ #12
[   29.487759] Call Trace:
[   29.490336]  dump_stack+0xb9/0x10e
[   29.493856]  panic+0x1d9/0x3c2
[   29.497024]  ? add_taint.cold+0x16/0x16
[   29.500984]  ? retint_kernel+0x2d/0x2d
[   29.504849]  ? ip_local_deliver+0x43d/0x450
[   29.509146]  kasan_end_report+0x43/0x49
[   29.513098]  kasan_report.cold+0xa4/0x2a5
[   29.517222]  ? ip_local_deliver+0x43d/0x450
[   29.521522]  ? ip_call_ra_chain+0x540/0x540
[   29.525819]  ? __lock_acquire+0x56a/0x3fa0
[   29.530047]  ? ip_rcv+0x99f/0xf7a
[   29.533475]  ? ip_rcv_finish+0x5c9/0x1490
[   29.537599]  ? ip_rcv+0x9e2/0xf7a
[   29.541038]  ? ip_local_deliver+0x450/0x450
[   29.545342]  ? __lock_acquire+0x56a/0x3fa0
[   29.549560]  ? check_preemption_disabled+0x35/0x1f0
[   29.554550]  ? ip_local_deliver+0x450/0x450
[   29.558855]  ? __netif_receive_skb_core+0x1364/0x2c60
[   29.564018]  ? trace_hardirqs_on+0x10/0x10
[   29.568237]  ? flush_backlog+0x580/0x580
[   29.572276]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   29.577440]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   29.582609]  ? lock_acquire+0x10f/0x380
[   29.586565]  ? __netif_receive_skb+0x55/0x1f0
[   29.591047]  ? __netif_receive_skb+0x55/0x1f0
[   29.595519]  ? netif_receive_skb_internal+0xec/0x5c0
[   29.600597]  ? dev_cpu_dead+0x810/0x810
[   29.604548]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   29.609975]  ? rcu_read_lock_sched_held+0x10a/0x130
[   29.615107]  ? tun_rx_batched.isra.0+0x45d/0x730
[   29.619849]  ? __skb_get_hash_symmetric+0x255/0x620
[   29.624845]  ? tun_chr_read_iter+0x1c0/0x1c0
[   29.629232]  ? tun_get_user+0xc07/0x3790
[   29.633274]  ? __local_bh_enable_ip+0x65/0xc0
[   29.637753]  ? tun_get_user+0xd95/0x3790
[   29.641805]  ? tun_rx_batched.isra.0+0x730/0x730
[   29.646543]  ? debug_mutex_add_waiter+0x60/0x150
[   29.651276]  ? mark_held_locks+0xa6/0xf0
[   29.655313]  ? get_page_from_freelist+0x85e/0x1d60
[   29.660355]  ? preempt_count_add+0xb8/0x180
[   29.664659]  ? __tun_get+0x11c/0x220
[   29.668353]  ? check_preemption_disabled+0x35/0x1f0
[   29.673352]  ? tun_chr_write_iter+0xcf/0x180
[   29.677739]  ? do_iter_readv_writev+0x379/0x580
[   29.682387]  ? clone_verify_area+0x1e0/0x1e0
[   29.686776]  ? avc_policy_seqno+0x5/0x10
[   29.690819]  ? security_file_permission+0x88/0x1e0
[   29.695726]  ? do_iter_write+0x152/0x550
[   29.699772]  ? lock_downgrade+0x5d0/0x5d0
[   29.703904]  ? vfs_writev+0x146/0x2d0
[   29.707682]  ? vfs_iter_write+0xa0/0xa0
[   29.711641]  ? __handle_mm_fault+0x6c5/0x2640
[   29.716124]  ? __fsnotify_inode_delete+0x20/0x20
[   29.720864]  ? __do_page_fault+0x48e/0xb80
[   29.725079]  ? lock_downgrade+0x5d0/0x5d0
[   29.729210]  ? check_preemption_disabled+0x35/0x1f0
[   29.734206]  ? do_writev+0xc9/0x240
[   29.737807]  ? vfs_writev+0x2d0/0x2d0
[   29.741583]  ? do_syscall_64+0x43/0x4b0
[   29.745534]  ? SyS_readv+0x30/0x30
[   29.749052]  ? do_syscall_64+0x19b/0x4b0
[   29.753095]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   29.758832] Kernel Offset: 0x2b800000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   29.769735] Rebooting in 86400 seconds..
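The console log above is the whole page, so as an added example (not part of the syzkaller log, and not syzkaller's own report parser) here is a small Python triage script that reduces a KASAN report to what a security engineer reads first: the bug class and the size and direction of the access, the allocating and freeing stacks with allocator and instrumentation frames skipped, the slab cache and the offset into the object, and a consistency check between the faulting address and the stated object base. The sample input is constructed from lines of the report above; the NOISE_PREFIXES list and the "first non-noise frame" heuristic are my own choices, not a KASAN convention.

```python
"""KASAN report triage: added example, not part of the syzkaller log above."""
import re
from dataclasses import dataclass, field

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # "[   28.928869] " console prefix
BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<frame>\S+)")
ACCESS_RE = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr "
                       r"(?P<addr>[0-9a-f]+) by task \S+/(?P<pid>\d+)")
SECTION_RE = re.compile(r"^(?:Call Trace|(?:Allocated|Freed) by task (\d+)):$")
FRAME_RE = re.compile(r"^\s*(?P<unreliable>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
OBJECT_RE = re.compile(r"object at (?P<base>[0-9a-f]+)")
CACHE_RE = re.compile(r"cache (?P<cache>\S+) of size (?P<size>\d+)")
OFFSET_RE = re.compile(r"located (?P<off>\d+) bytes inside of")
# Allocator and instrumentation frames never identify the responsible code.
NOISE_PREFIXES = ("kasan_", "kmem_cache_", "kfree", "kmalloc", "__kmalloc",
                  "dump_stack", "print_address_description")

# Constructed sample: the lines of the report above that the parser consumes.
SAMPLE = """\
[   28.928869] BUG: KASAN: use-after-free in ip_local_deliver+0x43d/0x450
[   28.935528] Read of size 8 at addr ffff8881c7233790 by task syz-executor936/1776
[   28.951746] Call Trace:
[   28.954374]  dump_stack+0xb9/0x10e
[   28.957907]  ? ip_local_deliver+0x43d/0x450
[   28.971330]  kasan_report.cold+0x88/0x2a5
[   29.217346]
[   29.218960] Allocated by task 1776:
[   29.222567]  kasan_kmalloc.part.0+0x4f/0xd0
[   29.230907]  __build_skb+0x2e/0x2d0
[   29.265342]
[   29.266949] Freed by task 1776:
[   29.270211]  kasan_slab_free+0xb0/0x190
[   29.281816]  kfree_skb+0xcd/0x350
[   29.285256]  ip_defrag+0x5f4/0x3b50
[   29.346554]
[   29.348162] The buggy address belongs to the object at ffff8881c7233780
[   29.348162]  which belongs to the cache skbuff_head_cache of size 224
[   29.361319] The buggy address is located 16 bytes inside of
"""


@dataclass
class KasanReport:
    kind: str = ""
    faulting_frame: str = ""
    op: str = ""
    size: int = 0
    addr: int = 0
    pid: int = 0
    object_base: int = 0
    cache: str = ""
    object_size: int = 0
    offset: int = 0
    stack_pids: list = field(default_factory=list)  # pids of alloc/free stacks
    call_trace: list = field(default_factory=list)  # (symbol, reliable)
    alloc_stack: list = field(default_factory=list)
    free_stack: list = field(default_factory=list)


def parse_kasan_report(text: str) -> KasanReport:
    r, target = KasanReport(), None  # target: the stack list being filled
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).rstrip()
        if line.startswith("====") and r.kind:
            break  # closing rule of the report; ignore the panic trace after it
        if not line:
            target = None  # a blank line closes a stack section
            continue
        if m := SECTION_RE.match(line):
            target = {"C": r.call_trace, "A": r.alloc_stack, "F": r.free_stack}[line[0]]
            if m.group(1):
                r.stack_pids.append(int(m.group(1)))
            continue
        if (m := FRAME_RE.match(line)) and target is not None:
            target.append((m["sym"], m["unreliable"] is None))  # "? " = unreliable
            continue
        if m := BUG_RE.search(line):
            r.kind, r.faulting_frame = m["kind"], m["frame"]
        elif m := ACCESS_RE.search(line):
            r.op, r.size, r.addr, r.pid = m["op"], int(m["size"]), int(m["addr"], 16), int(m["pid"])
        elif m := OBJECT_RE.search(line):
            r.object_base = int(m["base"], 16)
        elif m := CACHE_RE.search(line):
            r.cache, r.object_size = m["cache"], int(m["size"])
        elif m := OFFSET_RE.search(line):
            r.offset = int(m["off"])
    return r


def culprit(stack) -> str:
    """First frame that is not allocator or instrumentation noise."""
    return next((sym for sym, _ in stack if not sym.startswith(NOISE_PREFIXES)), "")


def offset_consistent(r: KasanReport) -> bool:
    """addr minus object base must equal the stated offset and lie inside the object."""
    return r.addr - r.object_base == r.offset and 0 <= r.offset < r.object_size


def triage_summary(r: KasanReport) -> str:
    scope = "same task" if all(p == r.pid for p in r.stack_pids) else "cross-task"
    return (f"{r.kind} {r.op.lower()} of {r.size} bytes in {r.faulting_frame}; "
            f"{r.cache}/{r.object_size} object at +{r.offset}; allocated via "
            f"{culprit(r.alloc_stack)}, freed via {culprit(r.free_stack)} "
            f"({scope}, pid {r.pid})")
```

On the report above, triage_summary() yields "use-after-free read of 8 bytes in ip_local_deliver+0x43d/0x450; skbuff_head_cache/224 object at +16; allocated via __build_skb, freed via ip_defrag (same task, pid 1776)", which is the one-line form of what the log says: the skb is freed inside ip_defrag and then read 16 bytes into the freed sk_buff by its caller ip_local_deliver, in the same writev() on a tun device and with no second task involved. Frames prefixed by "? " are kept but flagged unreliable, since on x86 they are stale return addresses the unwinder found on the stack; only the unflagged frames describe the actual call chain.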