Warning: Permanently added '10.128.0.82' (ECDSA) to the list of known hosts.
[   40.943370] random: sshd: uninitialized urandom read (32 bytes read)
[   41.026661] audit: type=1400 audit(1547347008.967:7): avc: denied { map } for pid=1791 comm="syz-executor350" path="/root/syz-executor350229543" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[   41.281033] ==================================================================
[   41.288545] BUG: KASAN: use-after-free in ip_local_deliver+0x43d/0x450
[   41.295192] Read of size 8 at addr ffff8881d646add0 by task syz-executor350/1794
[   41.302701] 
[   41.304307] CPU: 1 PID: 1794 Comm: syz-executor350 Not tainted 4.14.92+ #5
[   41.311291] Call Trace:
[   41.313857]  dump_stack+0xb9/0x10e
[   41.317376]  ? ip_local_deliver+0x43d/0x450
[   41.321781]  print_address_description+0x60/0x226
[   41.326606]  ? ip_local_deliver+0x43d/0x450
[   41.330904]  kasan_report.cold+0x88/0x2a5
[   41.335037]  ? ip_local_deliver+0x43d/0x450
[   41.339341]  ? ip_call_ra_chain+0x540/0x540
[   41.343644]  ? __lock_acquire+0x56a/0x3fa0
[   41.347864]  ? ip_rcv+0x99f/0xf7a
[   41.351310]  ? ip_rcv_finish+0x5c9/0x1490
[   41.355448]  ? ip_rcv+0x9e2/0xf7a
[   41.358882]  ? ip_local_deliver+0x450/0x450
[   41.363185]  ? __lock_acquire+0x56a/0x3fa0
[   41.367402]  ? check_preemption_disabled+0x35/0x1f0
[   41.372395]  ? ip_local_deliver+0x450/0x450
[   41.376703]  ? __netif_receive_skb_core+0x1364/0x2c60
[   41.381873]  ? trace_hardirqs_on+0x10/0x10
[   41.386140]  ? flush_backlog+0x580/0x580
[   41.390200]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   41.395371]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   41.400549]  ? lock_acquire+0x10f/0x380
[   41.404531]  ? __netif_receive_skb+0x55/0x1f0
[   41.409006]  ? __netif_receive_skb+0x55/0x1f0
[   41.413481]  ? netif_receive_skb_internal+0xec/0x5c0
[   41.418566]  ? dev_cpu_dead+0x810/0x810
[   41.422539]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   41.427967]  ? rcu_read_lock_sched_held+0x10a/0x130
[   41.432963]  ? tun_rx_batched.isra.0+0x45d/0x730
[   41.437698]  ? __skb_get_hash_symmetric+0x255/0x620
[   41.442697]  ? tun_chr_read_iter+0x1c0/0x1c0
[   41.447106]  ? tun_get_user+0xc07/0x3790
[   41.451148]  ? __local_bh_enable_ip+0x65/0xc0
[   41.455630]  ? tun_get_user+0xd95/0x3790
[   41.459679]  ? tun_rx_batched.isra.0+0x730/0x730
[   41.464415]  ? mutex_remove_waiter+0x150/0x440
[   41.468988]  ? mark_held_locks+0xa6/0xf0
[   41.473053]  ? get_page_from_freelist+0x85e/0x1d60
[   41.477959]  ? preempt_count_add+0xb8/0x180
[   41.482269]  ? __tun_get+0x11c/0x220
[   41.485969]  ? check_preemption_disabled+0x35/0x1f0
[   41.490969]  ? tun_chr_write_iter+0xcf/0x180
[   41.495496]  ? do_iter_readv_writev+0x379/0x580
[   41.500176]  ? clone_verify_area+0x1e0/0x1e0
[   41.504650]  ? avc_policy_seqno+0x5/0x10
[   41.508709]  ? security_file_permission+0x88/0x1e0
[   41.513636]  ? do_iter_write+0x152/0x550
[   41.517693]  ? lock_downgrade+0x5d0/0x5d0
[   41.521821]  ? vfs_writev+0x146/0x2d0
[   41.525598]  ? vfs_iter_write+0xa0/0xa0
[   41.529573]  ? __handle_mm_fault+0x6c5/0x2640
[   41.534054]  ? __fsnotify_inode_delete+0x20/0x20
[   41.538792]  ? __do_page_fault+0x48e/0xb80
[   41.543009]  ? lock_downgrade+0x5d0/0x5d0
[   41.547137]  ? check_preemption_disabled+0x35/0x1f0
[   41.552137]  ? do_writev+0xc9/0x240
[   41.555847]  ? vfs_writev+0x2d0/0x2d0
[   41.559628]  ? do_syscall_64+0x43/0x4b0
[   41.563579]  ? SyS_readv+0x30/0x30
[   41.567099]  ? do_syscall_64+0x19b/0x4b0
[   41.571153]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   41.576520] 
[   41.578123] Allocated by task 1794:
[   41.581727]  kasan_kmalloc.part.0+0x4f/0xd0
[   41.586027]  kmem_cache_alloc+0xd2/0x2d0
[   41.590074]  __build_skb+0x2e/0x2d0
[   41.593678]  build_skb+0x1a/0x1f0
[   41.597142]  tun_get_user+0x248b/0x3790
[   41.601092]  tun_chr_write_iter+0xcf/0x180
[   41.605300]  do_iter_readv_writev+0x379/0x580
[   41.609778]  do_iter_write+0x152/0x550
[   41.613642]  vfs_writev+0x146/0x2d0
[   41.617243]  do_writev+0xc9/0x240
[   41.620674]  do_syscall_64+0x19b/0x4b0
[   41.624535] 
[   41.626137] Freed by task 1794:
[   41.629399]  kasan_slab_free+0xb0/0x190
[   41.633346]  kmem_cache_free+0xc4/0x330
[   41.637302]  kfree_skbmem+0xa0/0x100
[   41.640991]  kfree_skb+0xcd/0x350
[   41.644428]  ip_defrag+0x5f4/0x3b50
[   41.648027]  ip_local_deliver+0x165/0x450
[   41.652152]  ip_rcv_finish+0x5c9/0x1490
[   41.656102]  ip_rcv+0x9e2/0xf7a
[   41.659365]  __netif_receive_skb_core+0x1364/0x2c60
[   41.664365]  __netif_receive_skb+0x55/0x1f0
[   41.668661]  netif_receive_skb_internal+0xec/0x5c0
[   41.673565]  tun_rx_batched.isra.0+0x45d/0x730
[   41.678128]  tun_get_user+0xd95/0x3790
[   41.682008]  tun_chr_write_iter+0xcf/0x180
[   41.686219]  do_iter_readv_writev+0x379/0x580
[   41.690690]  do_iter_write+0x152/0x550
[   41.694553]  vfs_writev+0x146/0x2d0
[   41.698155]  do_writev+0xc9/0x240
[   41.701587]  do_syscall_64+0x19b/0x4b0
[   41.705446] 
[   41.707052] The buggy address belongs to the object at ffff8881d646adc0
[   41.707052]  which belongs to the cache skbuff_head_cache of size 224
[   41.720207] The buggy address is located 16 bytes inside of
[   41.720207]  224-byte region [ffff8881d646adc0, ffff8881d646aea0)
[   41.731968] The buggy address belongs to the page:
[   41.736872] page:ffffea0007591a80 count:1 mapcount:0 mapping:          (null) index:0x0
[   41.744993] flags: 0x4000000000000100(slab)
[   41.749300] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[   41.757264] raw: dead000000000100 dead000000000200 ffff8881dab58200 0000000000000000
[   41.765120] page dumped because: kasan: bad access detected
[   41.770801] 
[   41.772421] Memory state around the buggy address:
[   41.777432]  ffff8881d646ac80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   41.784782]  ffff8881d646ad00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   41.792134] >ffff8881d646ad80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   41.799477]                                                  ^
[   41.805416]  ffff8881d646ae00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   41.812745]  ffff8881d646ae80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   41.820074] ==================================================================
[   41.827402] Disabling lock debugging due to kernel taint
[   41.832845] Kernel panic - not syncing: panic_on_warn set ...
[   41.832845] 
[   41.840307] CPU: 1 PID: 1794 Comm: syz-executor350 Tainted: G    B            4.14.92+ #5
[   41.848638] Call Trace:
[   41.851207]  dump_stack+0xb9/0x10e
[   41.854785]  panic+0x1d9/0x3c2
[   41.857954]  ? add_taint.cold+0x16/0x16
[   41.861899]  ? retint_kernel+0x2d/0x2d
[   41.865760]  ? ip_local_deliver+0x43d/0x450
[   41.870054]  kasan_end_report+0x43/0x49
[   41.874152]  kasan_report.cold+0xa4/0x2a5
[   41.878278]  ? ip_local_deliver+0x43d/0x450
[   41.882586]  ? ip_call_ra_chain+0x540/0x540
[   41.886922]  ? __lock_acquire+0x56a/0x3fa0
[   41.891134]  ? ip_rcv+0x99f/0xf7a
[   41.894561]  ? ip_rcv_finish+0x5c9/0x1490
[   41.898682]  ? ip_rcv+0x9e2/0xf7a
[   41.902107]  ? ip_local_deliver+0x450/0x450
[   41.906405]  ? __lock_acquire+0x56a/0x3fa0
[   41.910617]  ? check_preemption_disabled+0x35/0x1f0
[   41.915607]  ? ip_local_deliver+0x450/0x450
[   41.920023]  ? __netif_receive_skb_core+0x1364/0x2c60
[   41.925204]  ? trace_hardirqs_on+0x10/0x10
[   41.929412]  ? flush_backlog+0x580/0x580
[   41.933450]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   41.938622]  ? netif_receive_skb_internal+0x3aa/0x5c0
[   41.943895]  ? lock_acquire+0x10f/0x380
[   41.947977]  ? __netif_receive_skb+0x55/0x1f0
[   41.952460]  ? __netif_receive_skb+0x55/0x1f0
[   41.956928]  ? netif_receive_skb_internal+0xec/0x5c0
[   41.962010]  ? dev_cpu_dead+0x810/0x810
[   41.965984]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   41.971412]  ? rcu_read_lock_sched_held+0x10a/0x130
[   41.976408]  ? tun_rx_batched.isra.0+0x45d/0x730
[   41.981150]  ? __skb_get_hash_symmetric+0x255/0x620
[   41.986151]  ? tun_chr_read_iter+0x1c0/0x1c0
[   41.990550]  ? tun_get_user+0xc07/0x3790
[   41.994583]  ? __local_bh_enable_ip+0x65/0xc0
[   41.999053]  ? tun_get_user+0xd95/0x3790
[   42.003087]  ? tun_rx_batched.isra.0+0x730/0x730
[   42.007930]  ? mutex_remove_waiter+0x150/0x440
[   42.012602]  ? mark_held_locks+0xa6/0xf0
[   42.016657]  ? get_page_from_freelist+0x85e/0x1d60
[   42.021562]  ? preempt_count_add+0xb8/0x180
[   42.025883]  ? __tun_get+0x11c/0x220
[   42.029589]  ? check_preemption_disabled+0x35/0x1f0
[   42.034578]  ? tun_chr_write_iter+0xcf/0x180
[   42.038960]  ? do_iter_readv_writev+0x379/0x580
[   42.043601]  ? clone_verify_area+0x1e0/0x1e0
[   42.047982]  ? avc_policy_seqno+0x5/0x10
[   42.052055]  ? security_file_permission+0x88/0x1e0
[   42.056956]  ? do_iter_write+0x152/0x550
[   42.060990]  ? lock_downgrade+0x5d0/0x5d0
[   42.065116]  ? vfs_writev+0x146/0x2d0
[   42.068888]  ? vfs_iter_write+0xa0/0xa0
[   42.072848]  ? __handle_mm_fault+0x6c5/0x2640
[   42.077320]  ? __fsnotify_inode_delete+0x20/0x20
[   42.082050]  ? __do_page_fault+0x48e/0xb80
[   42.086254]  ? lock_downgrade+0x5d0/0x5d0
[   42.090373]  ? check_preemption_disabled+0x35/0x1f0
[   42.095372]  ? do_writev+0xc9/0x240
[   42.098969]  ? vfs_writev+0x2d0/0x2d0
[   42.102744]  ? do_syscall_64+0x43/0x4b0
[   42.106690]  ? SyS_readv+0x30/0x30
[   42.110211]  ? do_syscall_64+0x19b/0x4b0
[   42.114249]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   42.119910] Kernel Offset: 0xc600000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   42.130717] Rebooting in 86400 seconds..
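The report above has the fixed layout every KASAN splat follows: the "BUG: KASAN: <kind> in <function>" header, the access line (operation, size, address, task), the allocation and free stacks, the slab object and cache the address belongs to, and the shadow-memory dump where one shadow byte describes eight bytes of memory (0xfb marks a freed slab object, 0xfc a kmalloc redzone). The script below is an added example, not part of the syzkaller report or of any kernel tooling: it parses that raw console text, timestamps included, into the fields a triager reads first. SAMPLE is an abridged copy of the report above with most stack frames dropped; the list of allocator and KASAN frame prefixes that origin_frame() skips is an assumption made for this example.

```python
"""Pull the triage-relevant fields out of a Linux KASAN report.
Added example, not part of the syzkaller report above. SAMPLE is an abridged
copy of that report (most stack frames dropped); the parser reads the raw
console text, timestamps and all."""
import re
from dataclasses import dataclass, field

SAMPLE = """\
[   41.288545] BUG: KASAN: use-after-free in ip_local_deliver+0x43d/0x450
[   41.295192] Read of size 8 at addr ffff8881d646add0 by task syz-executor350/1794
[   41.578123] Allocated by task 1794:
[   41.581727]  kasan_kmalloc.part.0+0x4f/0xd0
[   41.586027]  kmem_cache_alloc+0xd2/0x2d0
[   41.590074]  __build_skb+0x2e/0x2d0
[   41.593678]  build_skb+0x1a/0x1f0
[   41.597142]  tun_get_user+0x248b/0x3790
[   41.626137] Freed by task 1794:
[   41.629399]  kasan_slab_free+0xb0/0x190
[   41.633346]  kmem_cache_free+0xc4/0x330
[   41.637302]  kfree_skbmem+0xa0/0x100
[   41.640991]  kfree_skb+0xcd/0x350
[   41.644428]  ip_defrag+0x5f4/0x3b50
[   41.648027]  ip_local_deliver+0x165/0x450
[   41.707052] The buggy address belongs to the object at ffff8881d646adc0
[   41.707052]  which belongs to the cache skbuff_head_cache of size 224
[   41.784782]  ffff8881d646ad00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   41.792134] >ffff8881d646ad80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
"""

# Shadow-byte encodings used by the kernel's KASAN; one shadow byte covers 8 bytes of memory.
SHADOW_MEANING = {0x00: "addressable", 0xfa: "global redzone", 0xfb: "freed slab object",
                  0xfc: "kmalloc redzone", 0xfe: "page redzone", 0xff: "free page",
                  0xf1: "stack left redzone", 0xf2: "stack mid redzone",
                  0xf3: "stack right redzone", 0xf4: "stack partial redzone", 0xf8: "use-after-scope"}

PREFIX = re.compile(r"^\[\s*\d+\.\d+\] ?")          # printk timestamp
HEAD = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)")
ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
OBJECT = re.compile(r"belongs to the object at (?P<base>[0-9a-f]+)")
CACHE = re.compile(r"cache (?P<cache>\S+) of size (?P<size>\d+)")
SHADOW = re.compile(r"^>?\s*(?P<addr>[0-9a-f]{16}): (?P<bytes>[0-9a-f]{2}(?: [0-9a-f]{2}){15})$")
SECTION = re.compile(r"^(?P<name>Allocated|Freed) by task \d+:$")
FRAME = re.compile(r"^\s*(?:\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
# Assumed for this example: frames belonging to KASAN or the allocator, not to the object's owner.
ALLOCATOR_PREFIXES = ("kasan_", "kmem_cache_", "kfree", "kmalloc", "__build_skb", "build_skb")


@dataclass
class KasanReport:
    kind: str = ""
    func: str = ""
    op: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    object_base: int = 0
    cache: str = ""
    object_size: int = 0
    alloc_stack: list = field(default_factory=list)
    free_stack: list = field(default_factory=list)
    shadow: dict = field(default_factory=dict)  # 8-byte-aligned address -> shadow byte

    @property
    def offset(self) -> int:  # byte offset of the bad access inside the slab object
        return self.addr - self.object_base

    def shadow_state(self) -> str:  # decode the shadow byte covering the accessed address
        b = self.shadow.get(self.addr & ~0x7, -1)
        if 1 <= b <= 7:
            return f"partially addressable ({b} bytes)"
        return SHADOW_MEANING.get(b, "unknown" if b < 0 else f"unrecognised 0x{b:02x}")


def origin_frame(stack: list) -> str:
    """First frame that is neither KASAN instrumentation nor the allocator itself."""
    return next((s for s in stack if not s.startswith(ALLOCATOR_PREFIXES)), "")


def parse_kasan(text: str) -> KasanReport:
    r, section = KasanReport(), None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw, count=1)
        if m := HEAD.search(line):
            r.kind, r.func = m["kind"], m["func"]
        elif m := ACCESS.search(line):
            r.op, r.size = m["op"], int(m["size"])
            r.addr, r.task = int(m["addr"], 16), m["task"]
        elif m := OBJECT.search(line):
            r.object_base = int(m["base"], 16)
        elif m := CACHE.search(line):
            r.cache, r.object_size = m["cache"], int(m["size"])
        elif m := SHADOW.match(line):
            base = int(m["addr"], 16)
            for i, b in enumerate(m["bytes"].split()):
                r.shadow[base + 8 * i] = int(b, 16)
        elif m := SECTION.match(line):
            section = r.alloc_stack if m["name"] == "Allocated" else r.free_stack
        elif (m := FRAME.match(line)) and section is not None:
            section.append(m["sym"])
        else:
            section = None  # any other line ends the current stack section
    return r


def summarize(r: KasanReport) -> dict:
    return {"bug": f"{r.kind} in {r.func}",
            "access": f"{r.op} {r.size} bytes at +{r.offset} of {r.object_size}-byte {r.cache} object",
            "shadow": r.shadow_state(),
            "allocated_in": origin_frame(r.alloc_stack),
            "freed_in": origin_frame(r.free_stack)}


if __name__ == "__main__":
    for k, v in summarize(parse_kasan(SAMPLE)).items():
        print(f"{k:13}{v}")
```

Run against the report above it reduces the splat to: an 8-byte read 16 bytes into a 224-byte skbuff_head_cache object whose shadow byte is 0xfb (freed), allocated by tun_get_user via build_skb and freed by ip_defrag (through kfree_skb) before ip_local_deliver read it, which is exactly the sequence the full log records. The "?" frames in the main Call Trace are unreliable unwinder guesses and are deliberately not collected; only the Allocated/Freed stacks, which KASAN records at the time of the event, are used.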