Warning: Permanently added '10.128.10.23' (ECDSA) to the list of known hosts.
[ 37.499329] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.592303] audit: type=1400 audit(1570436217.980:7): avc: denied { map } for pid=1777 comm="syz-executor742" path="/root/syz-executor742637734" dev="sda1" ino=16461 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
[ 38.780034] hrtimer: interrupt took 36333 ns
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 39.625582] ==================================================================
[ 39.633093] BUG: KASAN: use-after-free in ip6_fragment+0x2d4a/0x2f30
[ 39.639590] Read of size 8 at addr ffff8881c57c7118 by task syz-executor742/2396
[ 39.647123]
[ 39.648753] CPU: 1 PID: 2396 Comm: syz-executor742 Not tainted 4.14.147+ #0
[ 39.655845] Call Trace:
[ 39.658437] dump_stack+0xca/0x134
[ 39.661983] ? ip6_fragment+0x2d4a/0x2f30
[ 39.666137] ? ip6_fragment+0x2d4a/0x2f30
[ 39.670312] print_address_description+0x60/0x226
[ 39.675158] ? ip6_fragment+0x2d4a/0x2f30
[ 39.679309] ? ip6_fragment+0x2d4a/0x2f30
[ 39.683461] __kasan_report.cold+0x1a/0x41
[ 39.687703] ? ip6_fragment+0x2d4a/0x2f30
[ 39.691854] ip6_fragment+0x2d4a/0x2f30
[ 39.695848] ? ip6_forward_finish+0x470/0x470
[ 39.700352] ? lock_downgrade+0x630/0x630
[ 39.704500] ? lock_acquire+0x12b/0x360
[ 39.708475] ? ip6_forward+0x31e0/0x31e0
[ 39.712553] ip6_finish_output+0x66d/0xb40
[ 39.716828] ip6_output+0x1dc/0x680
[ 39.720464] ? ip6_finish_output+0xb40/0xb40
[ 39.724866] ? trace_hardirqs_on_caller+0x37b/0x540
[ 39.729872] ? ip6_fragment+0x2f30/0x2f30
[ 39.734008] ? retint_kernel+0x2d/0x2d
[ 39.737901] ip6_local_out+0x98/0x170
[ 39.741688] ip6_send_skb+0x9b/0x2f0
[ 39.745402] udp_v6_send_skb+0x4e2/0xe80
[ 39.749456] udp_v6_push_pending_frames+0x224/0x330
[ 39.754452] ? udp_v6_send_skb+0xe80/0xe80
[ 39.758672] ? ip_reply_glue_bits+0xa0/0xa0
[ 39.762978] udpv6_sendmsg+0x194b/0x2500
[ 39.767025] ? ip_reply_glue_bits+0xa0/0xa0
[ 39.771334] ? udp_v6_flush_pending_frames+0xd0/0xd0
[ 39.776415] ? retint_kernel+0x2d/0x2d
[ 39.780286] ? retint_kernel+0x2d/0x2d
[ 39.784153] ? trace_hardirqs_on_caller+0x37b/0x540
[ 39.789154] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 39.793902] ? retint_kernel+0x2d/0x2d
[ 39.797782] ? inet_sendmsg+0x15b/0x520
[ 39.801733] inet_sendmsg+0x15b/0x520
[ 39.805513] ? inet_recvmsg+0x550/0x550
[ 39.809467] sock_sendmsg+0xb7/0x100
[ 39.813162] SyS_sendto+0x1de/0x2f0
[ 39.816767] ? SyS_getpeername+0x250/0x250
[ 39.820999] ? SyS_futex+0x1c5/0x2c3
[ 39.824691] ? SyS_futex+0x1cf/0x2c3
[ 39.828398] ? do_futex+0x1980/0x1980
[ 39.832180] ? __do_page_fault+0x677/0xbb0
[ 39.836398] ? do_syscall_64+0x43/0x520
[ 39.840352] ? SyS_getpeername+0x250/0x250
[ 39.844567] do_syscall_64+0x19b/0x520
[ 39.848439] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 39.853606] RIP: 0033:0x447c79
[ 39.856777] RSP: 002b:00007f983ea1bda8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 39.864464] RAX: ffffffffffffffda RBX: 00000000006ddc28 RCX: 0000000000447c79
[ 39.871714] RDX: 000000000000ffb3 RSI: 00000000200003c0 RDI: 0000000000000004
[ 39.878962] RBP: 00000000006ddc20 R08: 0000000000000000 R09: 0000000000000000
[ 39.886223] R10: 0000000004000000 R11: 0000000000000246 R12: 00000000006ddc2c
[ 39.893477] R13: 00007ffca1d278ff R14: 00007f983ea1c9c0 R15: 00000000006ddc2c
[ 39.900741]
[ 39.902349] Allocated by task 2396:
[ 39.905959] __kasan_kmalloc.part.0+0x53/0xc0
[ 39.910433] kmem_cache_alloc+0xee/0x360
[ 39.914471] dst_alloc+0xe6/0x1a0
[ 39.917903] __ip6_dst_alloc+0x2e/0x50
[ 39.921769] ip6_pol_route+0xfed/0x26d0
[ 39.925721] fib6_rule_lookup+0xdb/0x420
[ 39.929762] ip6_dst_lookup_tail+0xdab/0x16f0
[ 39.934238] ip6_dst_lookup_flow+0xac/0x210
[ 39.938537] ip6_sk_dst_lookup_flow+0x397/0x540
[ 39.943182] udpv6_sendmsg+0x1833/0x2500
[ 39.947221] inet_sendmsg+0x15b/0x520
[ 39.951003] sock_sendmsg+0xb7/0x100
[ 39.963203] SyS_sendto+0x1de/0x2f0
[ 39.966818] do_syscall_64+0x19b/0x520
[ 39.970695] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 39.975861] 0xffffffffffffffff
[ 39.979127]
[ 39.980733] Freed by task 7:
[ 39.983734] __kasan_slab_free+0x164/0x210
[ 39.987944] kmem_cache_free+0xd7/0x3b0
[ 39.991896] dst_destroy+0x1cc/0x2d0
[ 39.995602] rcu_process_callbacks+0x59f/0xf60
[ 40.000181] __do_softirq+0x234/0x9ec
[ 40.003969]
[ 40.005576] The buggy address belongs to the object at ffff8881c57c6fc0
[ 40.005576] which belongs to the cache ip6_dst_cache of size 384
[ 40.018471] The buggy address is located 344 bytes inside of
[ 40.018471] 384-byte region [ffff8881c57c6fc0, ffff8881c57c7140)
[ 40.030320] The buggy address belongs to the page:
[ 40.035238] page:ffffea000715f180 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 40.045185] flags: 0x4000000000010200(slab|head)
[ 40.049937] raw: 4000000000010200 0000000000000000 0000000000000000 0000000180120012
[ 40.057797] raw: dead000000000100 dead000000000200 ffff8881d1947c00 0000000000000000
[ 40.065650] page dumped because: kasan: bad access detected
[ 40.071335]
[ 40.072942] Memory state around the buggy address:
[ 40.077849] ffff8881c57c7000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.085188] ffff8881c57c7080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.092537] >ffff8881c57c7100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 40.099872] ^
[ 40.104014] ffff8881c57c7180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 40.111358] ffff8881c57c7200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 40.118700] ==================================================================
executing program
[ 40.126042] Disabling lock debugging due to kernel taint
executing program
[ 40.236199] Kernel panic - not syncing: panic_on_warn set ...
[ 40.236199]
[ 40.243608] CPU: 1 PID: 2396 Comm: syz-executor742 Tainted: G B 4.14.147+ #0
[ 40.251921] Call Trace:
[ 40.254517] dump_stack+0xca/0x134
[ 40.258084] panic+0x1ea/0x3d3
[ 40.261273] ? add_taint.cold+0x16/0x16
[ 40.265250] ? ip6_fragment+0x2d4a/0x2f30
[ 40.269397] ? ___preempt_schedule+0x16/0x18
[ 40.273810] ? ip6_fragment+0x2d4a/0x2f30
[ 40.277966] end_report+0x43/0x49
[ 40.281421] ? ip6_fragment+0x2d4a/0x2f30
[ 40.285570] __kasan_report.cold+0xd/0x41
[ 40.289727] ? ip6_fragment+0x2d4a/0x2f30
[ 40.293877] ip6_fragment+0x2d4a/0x2f30
[ 40.297855] ? ip6_forward_finish+0x470/0x470
[ 40.302353] ? lock_downgrade+0x630/0x630
[ 40.306497] ? lock_acquire+0x12b/0x360
[ 40.310468] ? ip6_forward+0x31e0/0x31e0
[ 40.314538] ip6_finish_output+0x66d/0xb40
[ 40.318773] ip6_output+0x1dc/0x680
[ 40.322406] ? ip6_finish_output+0xb40/0xb40
[ 40.326810] ? trace_hardirqs_on_caller+0x37b/0x540
[ 40.331828] ? ip6_fragment+0x2f30/0x2f30
[ 40.335974] ? retint_kernel+0x2d/0x2d
[ 40.339863] ip6_local_out+0x98/0x170
[ 40.343661] ip6_send_skb+0x9b/0x2f0
[ 40.347375] udp_v6_send_skb+0x4e2/0xe80
[ 40.351437] udp_v6_push_pending_frames+0x224/0x330
[ 40.356449] ? udp_v6_send_skb+0xe80/0xe80
[ 40.360687] ? ip_reply_glue_bits+0xa0/0xa0
[ 40.365020] udpv6_sendmsg+0x194b/0x2500
[ 40.369081] ? ip_reply_glue_bits+0xa0/0xa0
[ 40.373413] ? udp_v6_flush_pending_frames+0xd0/0xd0
[ 40.378526] ? retint_kernel+0x2d/0x2d
[ 40.382416] ? retint_kernel+0x2d/0x2d
[ 40.386308] ? trace_hardirqs_on_caller+0x37b/0x540
[ 40.391331] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 40.396096] ? retint_kernel+0x2d/0x2d
[ 40.399996] ? inet_sendmsg+0x15b/0x520
[ 40.403975] inet_sendmsg+0x15b/0x520
[ 40.407777] ? inet_recvmsg+0x550/0x550
[ 40.411756] sock_sendmsg+0xb7/0x100
[ 40.415478] SyS_sendto+0x1de/0x2f0
[ 40.419111] ? SyS_getpeername+0x250/0x250
[ 40.423356] ? SyS_futex+0x1c5/0x2c3
[ 40.427070] ? SyS_futex+0x1cf/0x2c3
[ 40.430783] ? do_futex+0x1980/0x1980
[ 40.434582] ? __do_page_fault+0x677/0xbb0
[ 40.438813] ? do_syscall_64+0x43/0x520
[ 40.442789] ? SyS_getpeername+0x250/0x250
[ 40.447023] do_syscall_64+0x19b/0x520
[ 40.450907] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 40.456087] RIP: 0033:0x447c79
[ 40.459271] RSP: 002b:00007f983ea1bda8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 40.466975] RAX: ffffffffffffffda RBX: 00000000006ddc28 RCX: 0000000000447c79
[ 40.474334] RDX: 000000000000ffb3 RSI: 00000000200003c0 RDI: 0000000000000004
[ 40.481605] RBP: 00000000006ddc20 R08: 0000000000000000 R09: 0000000000000000
[ 40.488876] R10: 0000000004000000 R11: 0000000000000246 R12: 00000000006ddc2c
[ 40.496148] R13: 00007ffca1d278ff R14: 00007f983ea1c9c0 R15: 00000000006ddc2c
[ 40.504055] Kernel Offset: 0x36c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 40.515127] Rebooting in 86400 seconds..