Warning: Permanently added '10.128.0.40' (ECDSA) to the list of known hosts.
[ 31.162322] urandom_read: 1 callbacks suppressed
[ 31.162325] random: sshd: uninitialized urandom read (32 bytes read)
[ 31.254546] audit: type=1400 audit(1548728427.317:7): avc: denied { map } for pid=1772 comm="syz-executor419" path="/root/syz-executor419159630" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[ 31.510552] ==================================================================
[ 31.518058] BUG: KASAN: use-after-free in ip_local_deliver+0x43d/0x450
[ 31.524738] Read of size 8 at addr ffff8881ce045150 by task syz-executor419/1775
[ 31.532283]
[ 31.533889] CPU: 0 PID: 1775 Comm: syz-executor419 Not tainted 4.14.96+ #20
[ 31.540958] Call Trace:
[ 31.543628]  dump_stack+0xb9/0x10e
[ 31.547367]  ? ip_local_deliver+0x43d/0x450
[ 31.551667]  print_address_description+0x60/0x226
[ 31.556501]  ? ip_local_deliver+0x43d/0x450
[ 31.560839]  kasan_report.cold+0x88/0x2a5
[ 31.564970]  ? ip_local_deliver+0x43d/0x450
[ 31.569277]  ? ip_call_ra_chain+0x540/0x540
[ 31.573677]  ? __lock_acquire+0x56a/0x3fa0
[ 31.577890]  ? ip_rcv+0x99f/0xf7a
[ 31.581321]  ? ip_rcv_finish+0x5c9/0x1490
[ 31.585545]  ? ip_rcv+0x9e2/0xf7a
[ 31.589016]  ? ip_local_deliver+0x450/0x450
[ 31.593315]  ? __lock_acquire+0x56a/0x3fa0
[ 31.597551]  ? check_preemption_disabled+0x35/0x1f0
[ 31.602544]  ? ip_local_deliver+0x450/0x450
[ 31.606845]  ? __netif_receive_skb_core+0x1364/0x2c60
[ 31.612005]  ? trace_hardirqs_on+0x10/0x10
[ 31.616216]  ? flush_backlog+0x580/0x580
[ 31.620251]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 31.625495]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 31.630673]  ? lock_acquire+0x10f/0x380
[ 31.634696]  ? __netif_receive_skb+0x55/0x1f0
[ 31.639304]  ? __netif_receive_skb+0x55/0x1f0
[ 31.643779]  ? netif_receive_skb_internal+0xec/0x5c0
[ 31.648884]  ? dev_cpu_dead+0x810/0x810
[ 31.652975]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 31.658617]  ? rcu_read_lock_sched_held+0x10a/0x130
[ 31.663713]  ? tun_rx_batched.isra.0+0x45d/0x730
[ 31.668484]  ? __skb_get_hash_symmetric+0x255/0x620
[ 31.673572]  ? tun_chr_read_iter+0x1c0/0x1c0
[ 31.677971]  ? tun_get_user+0xc07/0x3790
[ 31.682085]  ? __local_bh_enable_ip+0x65/0xc0
[ 31.686737]  ? tun_get_user+0xd95/0x3790
[ 31.690810]  ? tun_rx_batched.isra.0+0x730/0x730
[ 31.695556]  ? debug_mutex_wake_waiter+0x1d0/0x370
[ 31.700463]  ? mark_held_locks+0xa6/0xf0
[ 31.704506]  ? get_page_from_freelist+0x85e/0x1d60
[ 31.709512]  ? preempt_count_add+0xb8/0x180
[ 31.713858]  ? __tun_get+0x11c/0x220
[ 31.717617]  ? check_preemption_disabled+0x35/0x1f0
[ 31.722631]  ? tun_chr_write_iter+0xcf/0x180
[ 31.727088]  ? do_iter_readv_writev+0x379/0x580
[ 31.731799]  ? clone_verify_area+0x1e0/0x1e0
[ 31.736296]  ? avc_policy_seqno+0x5/0x10
[ 31.740375]  ? security_file_permission+0x88/0x1e0
[ 31.745369]  ? do_iter_write+0x152/0x550
[ 31.749405]  ? lock_downgrade+0x5d0/0x5d0
[ 31.753527]  ? vfs_writev+0x146/0x2d0
[ 31.757310]  ? vfs_iter_write+0xa0/0xa0
[ 31.761263]  ? __handle_mm_fault+0x6c5/0x2640
[ 31.765764]  ? __fsnotify_inode_delete+0x20/0x20
[ 31.770636]  ? __do_page_fault+0x48e/0xb80
[ 31.774860]  ? lock_downgrade+0x5d0/0x5d0
[ 31.779085]  ? check_preemption_disabled+0x35/0x1f0
[ 31.784184]  ? do_writev+0xc9/0x240
[ 31.787868]  ? vfs_writev+0x2d0/0x2d0
[ 31.791661]  ? do_syscall_64+0x43/0x4b0
[ 31.795733]  ? SyS_readv+0x30/0x30
[ 31.799259]  ? do_syscall_64+0x19b/0x4b0
[ 31.803409]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 31.808778]
[ 31.810502] Allocated by task 1775:
[ 31.814207]  kasan_kmalloc.part.0+0x4f/0xd0
[ 31.818508]  kmem_cache_alloc+0xd2/0x2d0
[ 31.822552]  __build_skb+0x2e/0x2d0
[ 31.826153]  build_skb+0x1a/0x1f0
[ 31.829788]  tun_get_user+0x248b/0x3790
[ 31.833806]  tun_chr_write_iter+0xcf/0x180
[ 31.838028]  do_iter_readv_writev+0x379/0x580
[ 31.842525]  do_iter_write+0x152/0x550
[ 31.846401]  vfs_writev+0x146/0x2d0
[ 31.850002]  do_writev+0xc9/0x240
[ 31.853451]  do_syscall_64+0x19b/0x4b0
[ 31.857377]
[ 31.858985] Freed by task 1775:
[ 31.862239]  kasan_slab_free+0xb0/0x190
[ 31.866336]  kmem_cache_free+0xc4/0x330
[ 31.870417]  kfree_skbmem+0xa0/0x100
[ 31.874111]  kfree_skb+0xcd/0x350
[ 31.877545]  ip_defrag+0x5f4/0x3b50
[ 31.881153]  ip_local_deliver+0x165/0x450
[ 31.885295]  ip_rcv_finish+0x5c9/0x1490
[ 31.889265]  ip_rcv+0x9e2/0xf7a
[ 31.892525]  __netif_receive_skb_core+0x1364/0x2c60
[ 31.897521]  __netif_receive_skb+0x55/0x1f0
[ 31.901819]  netif_receive_skb_internal+0xec/0x5c0
[ 31.906924]  tun_rx_batched.isra.0+0x45d/0x730
[ 31.911479]  tun_get_user+0xd95/0x3790
[ 31.915377]  tun_chr_write_iter+0xcf/0x180
[ 31.919585]  do_iter_readv_writev+0x379/0x580
[ 31.924066]  do_iter_write+0x152/0x550
[ 31.927929]  vfs_writev+0x146/0x2d0
[ 31.931533]  do_writev+0xc9/0x240
[ 31.934973]  do_syscall_64+0x19b/0x4b0
[ 31.938831]
[ 31.940431] The buggy address belongs to the object at ffff8881ce045140
[ 31.940431]  which belongs to the cache skbuff_head_cache of size 224
[ 31.953793] The buggy address is located 16 bytes inside of
[ 31.953793]  224-byte region [ffff8881ce045140, ffff8881ce045220)
[ 31.965627] The buggy address belongs to the page:
[ 31.970781] page:ffffea0007381140 count:1 mapcount:0 mapping: (null) index:0x0
[ 31.978896] flags: 0x4000000000000100(slab)
[ 31.983225] raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
[ 31.991191] raw: dead000000000100 dead000000000200 ffff8881dab58200 0000000000000000
[ 31.999245] page dumped because: kasan: bad access detected
[ 32.004935]
[ 32.006570] Memory state around the buggy address:
[ 32.011477]  ffff8881ce045000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.018935]  ffff8881ce045080: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 32.026267] >ffff8881ce045100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 32.033597]                                                  ^
[ 32.039548]  ffff8881ce045180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.047006]  ffff8881ce045200: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.054345] ==================================================================
[ 32.061677] Disabling lock debugging due to kernel taint
[ 32.067171] Kernel panic - not syncing: panic_on_warn set ...
[ 32.067171]
[ 32.074594] CPU: 0 PID: 1775 Comm: syz-executor419 Tainted: G B 4.14.96+ #20
[ 32.083177] Call Trace:
[ 32.085774]  dump_stack+0xb9/0x10e
[ 32.089298]  panic+0x1d9/0x3c2
[ 32.092470]  ? add_taint.cold+0x16/0x16
[ 32.096419]  ? retint_kernel+0x2d/0x2d
[ 32.100281]  ? ip_local_deliver+0x43d/0x450
[ 32.104574]  kasan_end_report+0x43/0x49
[ 32.108827]  kasan_report.cold+0xa4/0x2a5
[ 32.112959]  ? ip_local_deliver+0x43d/0x450
[ 32.117287]  ? ip_call_ra_chain+0x540/0x540
[ 32.121653]  ? __lock_acquire+0x56a/0x3fa0
[ 32.125868]  ? ip_rcv+0x99f/0xf7a
[ 32.129404]  ? ip_rcv_finish+0x5c9/0x1490
[ 32.133638]  ? ip_rcv+0x9e2/0xf7a
[ 32.137065]  ? ip_local_deliver+0x450/0x450
[ 32.141358]  ? __lock_acquire+0x56a/0x3fa0
[ 32.145664]  ? check_preemption_disabled+0x35/0x1f0
[ 32.150661]  ? ip_local_deliver+0x450/0x450
[ 32.155045]  ? __netif_receive_skb_core+0x1364/0x2c60
[ 32.160458]  ? trace_hardirqs_on+0x10/0x10
[ 32.164669]  ? flush_backlog+0x580/0x580
[ 32.168704]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 32.174067]  ? netif_receive_skb_internal+0x3aa/0x5c0
[ 32.179339]  ? lock_acquire+0x10f/0x380
[ 32.183295]  ? __netif_receive_skb+0x55/0x1f0
[ 32.187813]  ? __netif_receive_skb+0x55/0x1f0
[ 32.192378]  ? netif_receive_skb_internal+0xec/0x5c0
[ 32.197564]  ? dev_cpu_dead+0x810/0x810
[ 32.201534]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 32.207065]  ? rcu_read_lock_sched_held+0x10a/0x130
[ 32.212066]  ? tun_rx_batched.isra.0+0x45d/0x730
[ 32.216925]  ? __skb_get_hash_symmetric+0x255/0x620
[ 32.221932]  ? tun_chr_read_iter+0x1c0/0x1c0
[ 32.226783]  ? tun_get_user+0xc07/0x3790
[ 32.230828]  ? __local_bh_enable_ip+0x65/0xc0
[ 32.235299]  ? tun_get_user+0xd95/0x3790
[ 32.239384]  ? tun_rx_batched.isra.0+0x730/0x730
[ 32.244129]  ? debug_mutex_wake_waiter+0x1d0/0x370
[ 32.249057]  ? mark_held_locks+0xa6/0xf0
[ 32.253093]  ? get_page_from_freelist+0x85e/0x1d60
[ 32.258188]  ? preempt_count_add+0xb8/0x180
[ 32.262487]  ? __tun_get+0x11c/0x220
[ 32.266176]  ? check_preemption_disabled+0x35/0x1f0
[ 32.271167]  ? tun_chr_write_iter+0xcf/0x180
[ 32.275546]  ? do_iter_readv_writev+0x379/0x580
[ 32.280187]  ? clone_verify_area+0x1e0/0x1e0
[ 32.284623]  ? avc_policy_seqno+0x5/0x10
[ 32.288866]  ? security_file_permission+0x88/0x1e0
[ 32.294154]  ? do_iter_write+0x152/0x550
[ 32.298200]  ? lock_downgrade+0x5d0/0x5d0
[ 32.302333]  ? vfs_writev+0x146/0x2d0
[ 32.306156]  ? vfs_iter_write+0xa0/0xa0
[ 32.310114]  ? __handle_mm_fault+0x6c5/0x2640
[ 32.314694]  ? __fsnotify_inode_delete+0x20/0x20
[ 32.319660]  ? __do_page_fault+0x48e/0xb80
[ 32.323868]  ? lock_downgrade+0x5d0/0x5d0
[ 32.328000]  ? check_preemption_disabled+0x35/0x1f0
[ 32.332993]  ? do_writev+0xc9/0x240
[ 32.336599]  ? vfs_writev+0x2d0/0x2d0
[ 32.340375]  ? do_syscall_64+0x43/0x4b0
[ 32.344317]  ? SyS_readv+0x30/0x30
[ 32.347863]  ? do_syscall_64+0x19b/0x4b0
[ 32.352037]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 32.357770] Kernel Offset: 0x14400000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 32.368770] Rebooting in 86400 seconds..
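A triage helper for the report above, added here as an example; it is not part of the syzbot output and not kernel code. It parses the KASAN report layout (the BUG header, the access line, the three stacks, the object/cache lines and the shadow dump), cross-checks that the "16 bytes inside" claim agrees with the addresses printed, reads the shadow byte for the faulting address (0xfb, a freed slab object, which is what separates a true use-after-free from a redzone hit), and names the first non-allocator frame of the allocation and free stacks (tun_get_user and ip_defrag here). The PLUMBING prefix list is my own heuristic, not anything KASAN defines; the shadow byte encodings are the ones in mm/kasan/kasan.h. Only a constructed, abridged excerpt of the log is embedded so the block runs offline.

```python
"""Triage helper for a KASAN report: added example, not part of the syzbot log above."""
import re

# Constructed, abridged excerpt of the report above (most frames trimmed);
# the dmesg timestamps are kept so the parser has to strip them itself.
SAMPLE = """\
[ 31.518058] BUG: KASAN: use-after-free in ip_local_deliver+0x43d/0x450
[ 31.524738] Read of size 8 at addr ffff8881ce045150 by task syz-executor419/1775
[ 31.540958] Call Trace:
[ 31.543628]  dump_stack+0xb9/0x10e
[ 31.560839]  kasan_report.cold+0x88/0x2a5
[ 31.564970]  ? ip_local_deliver+0x43d/0x450
[ 31.808778]
[ 31.810502] Allocated by task 1775:
[ 31.814207]  kasan_kmalloc.part.0+0x4f/0xd0
[ 31.818508]  kmem_cache_alloc+0xd2/0x2d0
[ 31.822552]  __build_skb+0x2e/0x2d0
[ 31.826153]  build_skb+0x1a/0x1f0
[ 31.829788]  tun_get_user+0x248b/0x3790
[ 31.857377]
[ 31.858985] Freed by task 1775:
[ 31.862239]  kasan_slab_free+0xb0/0x190
[ 31.866336]  kmem_cache_free+0xc4/0x330
[ 31.870417]  kfree_skbmem+0xa0/0x100
[ 31.874111]  kfree_skb+0xcd/0x350
[ 31.877545]  ip_defrag+0x5f4/0x3b50
[ 31.881153]  ip_local_deliver+0x165/0x450
[ 31.938831]
[ 31.940431] The buggy address belongs to the object at ffff8881ce045140
[ 31.940431]  which belongs to the cache skbuff_head_cache of size 224
[ 31.953793] The buggy address is located 16 bytes inside of
[ 31.953793]  224-byte region [ffff8881ce045140, ffff8881ce045220)
[ 32.006570] Memory state around the buggy address:
[ 32.026267] >ffff8881ce045100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 32.033597]                                                  ^
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")
HEADER = re.compile(r"BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS = re.compile(r"(?P<kind>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task \S+/(?P<pid>\d+)")
FRAME = re.compile(r"^ ?(\? )?(?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
TASK = re.compile(r"^(Allocated|Freed) by task (?P<pid>\d+):")
OBJECT = re.compile(r"object at (?P<base>[0-9a-f]+)")
CACHE = re.compile(r"cache (?P<cache>\S+) of size (?P<size>\d+)")
OFFSET = re.compile(r"located (?P<off>\d+) bytes (?P<where>inside|to the right|to the left) of")
SHADOW = re.compile(r"^[ >](?P<base>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?){16})$")

# Allocator and instrumentation frames that sit between the real caller and the
# (de)allocation. This prefix list is a triage heuristic (my assumption), not KASAN's.
PLUMBING = ("kasan_", "kmem_cache_", "kmalloc", "__kmalloc", "kfree", "slab_",
            "__build_skb", "build_skb", "__alloc_skb")
# Shadow byte encodings from mm/kasan/kasan.h; 1..7 means that many leading bytes are valid.
SHADOW_MEANING = {0x00: "addressable", 0xfa: "freed page", 0xfb: "freed slab object",
                  0xfc: "slab redzone", 0xfe: "page redzone", 0xf9: "global redzone",
                  0xf1: "stack left redzone", 0xf2: "stack mid redzone", 0xf3: "stack right redzone"}

def blame_site(stack):
    """First frame that is not allocator plumbing: the code that really allocated or freed."""
    return next((fn for fn in stack if not fn.startswith(PLUMBING)), None)

def shadow_meaning(b):
    return f"partially addressable ({b} bytes)" if 1 <= b <= 7 else SHADOW_MEANING.get(b, "unknown")

def parse_kasan_report(text):
    rep = {"trace": [], "alloc": [], "free": [], "shadow": {}, "tasks": {}}
    section = None
    for raw in text.splitlines():
        ln = TS.sub("", raw).rstrip()
        if not ln.strip():                       # a blank line closes whatever stack we were in
            section = None
        elif m := HEADER.search(ln):
            rep["bug"], rep["func"] = m["bug"], m["func"]
        elif m := ACCESS.search(ln):
            rep.update(kind=m["kind"], size=int(m["size"]), addr=int(m["addr"], 16), pid=int(m["pid"]))
        elif ln.startswith("Call Trace:"):
            section = "trace"
        elif m := TASK.match(ln):
            section = "alloc" if m[1] == "Allocated" else "free"
            rep["tasks"][section] = int(m["pid"])
        elif ln.startswith("Memory state"):
            section = "shadow"
        elif m := OBJECT.search(ln):
            rep["obj_base"] = int(m["base"], 16)
        elif m := CACHE.search(ln):
            rep["cache"], rep["obj_size"] = m["cache"], int(m["size"])
        elif m := OFFSET.search(ln):
            rep["off_claimed"], rep["where"] = int(m["off"]), m["where"]
        elif section == "shadow" and (m := SHADOW.match(ln)):
            rep["shadow"][int(m["base"], 16)] = bytes.fromhex(m["bytes"].replace(" ", ""))
        elif section in ("trace", "alloc", "free") and (m := FRAME.match(ln)):
            rep[section].append(m["func"])       # '?' frames are kept; they are still useful context
    return rep

def triage(text):
    """Cross-check the report's own numbers and name the alloc/free sites and shadow state."""
    r = parse_kasan_report(text)
    off = r["addr"] - r["obj_base"]
    row = r["addr"] & ~0x7f                      # each printed shadow row covers 128 bytes of memory
    sb = r["shadow"][row][(r["addr"] - row) // 8] if row in r["shadow"] else None
    return {"bug": r["bug"], "func": r["func"], "cache": r["cache"], "offset": off,
            "offset_consistent": r["where"] == "inside" and off == r["off_claimed"] and off < r["obj_size"],
            "alloc_site": blame_site(r["alloc"]), "free_site": blame_site(r["free"]),
            "same_task": set(r["tasks"].values()) == {r["pid"]},
            "shadow_byte": sb, "shadow_meaning": shadow_meaning(sb) if sb is not None else "n/a"}
```

For a full report, pass the whole console text to triage(); the parser ignores lines it does not recognise, so the SELinux, panic and reboot lines around the KASAN block are harmless. What it reports for this crash is only what the log already encodes: the skb was built by tun_get_user on a write to the tun device, freed under ip_defrag through kfree_skb, and then read 8 bytes at offset 16 into the freed 224-byte skbuff_head_cache object by ip_local_deliver, all in the same task.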